
Thread: Reducing browser privileges!

  1. #11
    Senior Member
    Join Date
    Sep 2001
    Posts
    118
    Originally posted here by Tiger Shark
    Dad?????
    HAH!

    *snickers*

    No, don't know you; you came after my time. Unless I have some bastard children I don't know about.

    Negative, MsMittens, hogfly, and some of the others of that time period would know who I am.

    'decided to come back in after a bit of an absence to see what's been going on and make a few contributions. Perhaps some really bad jokes, as well.
    Got Root?



    This user powered by Linux.

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Unless I have some bastard children I don't know about.
    It's quite possible that that statement could be reversed.....

    So, your achievements here were? A quick glimpse at your "most recent" posts seems to imply that you were more heavily involved in the general chit chat more than the security related forums... But I can't be bothered to look any deeper....

    I have always been bothered by people who ask "You don't know who I am, do you?" as if you are the Queen of England..... I usually find that there is a reason for my not knowing....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    Senior Member
    Join Date
    Sep 2001
    Posts
    118
    Most of my contributions were via the old #antionline IRC channel. I never really got involved with the site itself.

    And yeah, you wouldn't really know who I was as I'd more or less stopped what little posting on the site I'd done by the time you showed up, really.

    IRC's more my style, anyway.
    Got Root?



    This user powered by Linux.

  4. #14
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I'll excuse you for not knowing who I am. Ask some of the older people. They'll vouch for my credentials.
    Your comments speak more of your credentials than your old time cronies ever could.

    In my experience, with a properly crafted set of user groups, and judicious application of chgrp, chown, and a proper understanding of how exactly unix file permissions work, the end result is far more secure than Windows ever could be.
    This indicates a clear ignorance on your part of the windows access control system. It is far more expressive than the UNIX system.
    UNIX has two major flaws with its DAC system, first the lack of granularity. Simple RWX permission bits? That can be defined to no more than a single user (who must be the owner) and a single group? And what about privilege granularity? There is none! Users all have the same privileges and root can do everything. The second major flaw is the fact that the UNIX security policy is not comprehensive. Root undergoes no privilege or permission checks.

    And if a "Superuser" account is such a bad idea, whyfore does Windows have "Administrator"? That's just a misspelling of "root". *wink*
    Again this shows a simple ignorance of Windows security... neither the Administrator nor the SYSTEM accounts are comparable to the root account. All of the Windows accounts' privileges and permissions are controlled by the security policy. Root is not addressed by the security policy at all. If I set a file to deny access (ah the deny functionality another beauty of windows) or if I just don't explicitly allow access to the Admin account, the admin cannot access the file. The admin can take ownership of the file and modify the permissions... IF the security policy allows that privilege. Typically it is better to create an SSO account that has things like take ownership to improve administrative granularity.

    Now you see why I had to forbid you from discussing computer security, until you are better educated. It is for your own good really.

    This still does not change the fact that there are a great deal of other companies, and thousands more users out there, that do not take these precautions.
    Their laziness does not reflect back to the vendor if other companies are acting in an appropriate manner.

    That still doesn't address my fundamental point--I want to be able to have multiple accounts running simultaneously. Windows does not allow me to do this.
    Um... if you're running applications under different credentials how is this different than having multiple accounts running simultaneously? There is no need to run a full local environment as multiple users.

    I have always been bothered by people who ask "You don't know who I am, do you?" as if you are the Queen of England..... I usually find that there is a reason for my not knowing....
    Pretty much. If the person is so unimpressive that they feel compelled to add value to themselves by the notion that you, yet shouldn't be ignorant of who they are... well it's kind of sad.

    cheers,

    catch

  5. #15
    Senior Member
    Join Date
    Sep 2001
    Posts
    118
    Someone seems to have gotten up on the wrong side o' th' bed this mornin'

    Well, let's see if there's anything in there worth replying to.

    Your comments speak more of your credentials than your old time cronies ever could.
    Respect for your elders, lad.

    This indicates a clear ignorance on your part of the windows access control system. It is far more expressive than the UNIX system.
    UNIX has two major flaws with its DAC system, first the lack of granularity. Simple RWX permission bits? That can be defined to no more than a single user (who must be the owner) and a single group? And what about privilege granularity? There is none! Users all have the same privileges and root can do everything. The second major flaw is the fact that the UNIX security policy is not comprehensive. Root undergoes no privilege or permission checks.
    Users can belong to multiple groups, so I see no difficulty here. And I've been trying to figure out what you mean by all users having the same privileges [ save root ].

    Mostly I think that your attitudes are based on a lack of understanding of how 'nix-based systems work. It's a bit of a paradigm shift from the windows world, and can be confusing at first, I suppose.

    Also, be advised that those members of the 'wheel' group traditionally have root-like powers, but without quite the same level of privilege.

    Your vaunted granularity is really taken care of perfectly adequately by properly set-up groups. It's not the same way that microsoft seems to want to do its thing, but it's worked perfectly well so far on the vast majority of computer systems I've seen, and on the vast majority of networked servers.

    And yes, root gets around all the file restrictions, et al. That's kind of its job.

    Their laziness does not reflect back to the vendor if other companies are acting in an appropriate manner.
    ....except when people look at the statistics of what sorts of systems have been compromised, and note that one particular system seems to be especially disproportionately prone.

    Um... if you're running applications under different credentials how is this different than having multiple accounts running simultaneously? There is no need to run a full local environment as multiple users.
    Because some of us like having multiple people working on a machine. Saves overhead.

    Catch, lad, you really should realize one thing--your way is not necessarily the *only* way. There are other, perfectly viable means of doing things, and diversity ought to be encouraged. Systems of any sort--whether biological, industrial [ car manufacturers, gasoline production ], technological [ computer manufacturers, software designers ] only truly flourish and advance when there is sufficient competition.
    Got Root?



    This user powered by Linux.

  6. #16
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Users can belong to multiple groups, so I see no difficulty here.
    Users can belong to multiple groups... are you familiar with the Harrison, Ruzzo, Ullman conclusions regarding DAC systems from 1976? If so... are the problems they discussed aided or worsened by many overlapping groups?

    Example: (this is taken from a real world system)
    Four subjects (s1, ... s4)
    Four objects (o1, ... o4)

    each object is owned by its related subject (s1 owns o1, etc)

    share o1 with s2(r) & s3(wx) +s1(rwx)
    share o2 with s1(w) & s4(r) +s2(rwx)
    share o3 with s2(rwx) +s3(rwx)
    share o2 with s1(rw) & s3(wx) +s4(rwx)

    What groups do we need?
    Now let's imagine thousands of users and files. Whee.
    This isn't even dealing with more complex permissions like I address later.

    And I've been trying to figure out what you mean by all users having the same privileges [ save root ].
    Users don't have privileges defined... only permissions... so naturally they all have the same permissions. Coming from a UNIX background you don't understand the difference between the two... because again privileges are never defined in UNIX. (as they are in nearly every other system security policy type)

    Mostly I think that your attitudes are based on a lack of understanding of how 'nix-based systems work. It's a bit of a paradigm shift from the windows world, and can be confusing at first, I suppose.
    Actually myself having originated from a UNIX background (IRIX, TRIX, and HP-UX) I would say that the Windows model is more complex since the Windows security policy is essentially a superset of the UNIX one. Going from Windows to UNIX should be quite simple... though frustrating.

    Your vaunted granularity is really taken care of perfectly adequately by properly set-up groups.
    Really? So how will groups help you set up a directory that allows a user to delete files, but not subdirectories while allowing the user to create subdirectories (with a predefined set of rights different than the original directory) but not new files and disallows the user to execute files or traverse the directory and allowing them to read file attributes but not read file security settings?

    And yes, root gets around all the file restrictions, et al. That's kind of its job.
    Exactly, it's root's job to exist as a violation to the system's security policy... the technical definition of this is "A vulnerability." A vulnerability put in place to facilitate lazy administration.

    ....except when people look at the statistics of what sorts of systems have been compromised, and note that one particular system seems to be especially disproportionately prone.
    Last I checked the statistics of such things were appropriately proportional to scope of their use... also let us not forget UNIX's terrible audit trails.
    Thinking that the number of compromised systems reflects on a system's capabilities is very simple-minded.

    Because some of us like having multiple people working on a machine. Saves overhead.
    Unless you wish to take a step backward 20 years to mainframes... by my calculations users sharing a system results in more machines... at least two... one for each user to actually be physically connected to and then one is shared... or three where two terminals share a single computer.
    Which, by the way is very doable with Windows... how do you think those Windows web hosting systems work? Many clients connect to a single server or server cluster... this can be done via a remote terminal like telnet. Users can manage their files and share computing resources.

    Catch, lad, you really should realize one thing--your way is not necessarily the *only* way. There are other, perfectly viable means of doing things, and diversity ought to be encouraged. Systems of any sort--whether biological, industrial [ car manufacturers, gasoline production ], technological [ computer manufacturers, software designers ] only truly flourish and advance when there is sufficient competition.
    Not when people cling to a system proven to be flawed nearly 30 years ago because it is what they know. Then these same people get ego issues and don't want to admit that it is flawed because that would mean that their efforts and expertise are for naught.

    cheers,

    catch
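
An added example, not part of any post in this thread: it takes the four-subject, four-object sharing list from post #16 and checks which objects can be expressed exactly with one owner, one group and "other" mode bits. It assumes the fourth "share" line (printed as o2) describes o4 and that "+sN(rwx)" is the owner's own entry; `MATRIX`, `bits`, `classic_mode` and `report` are hypothetical names.

```python
# Added example: which rows of the post's access matrix fit classic
# UNIX owner/group/other mode bits? All names here are hypothetical.
SUBJECTS = ["s1", "s2", "s3", "s4"]

# object -> (owner, {subject: rights}), transcribed from the post.
# Assumption: the fourth "share" line (printed as o2) describes o4,
# and "+sN(rwx)" is the owner's own entry.
MATRIX = {
    "o1": ("s1", {"s1": "rwx", "s2": "r", "s3": "wx"}),
    "o2": ("s2", {"s2": "rwx", "s1": "w", "s4": "r"}),
    "o3": ("s3", {"s3": "rwx", "s2": "rwx"}),
    "o4": ("s4", {"s4": "rwx", "s1": "rw", "s3": "wx"}),
}

def bits(rights):
    """Render a set of rights as a three-character rwx triplet."""
    return "".join(c if c in rights else "-" for c in "rwx")

def classic_mode(obj):
    """Return (group_members, mode) if one owner, one group and 'other'
    express the row exactly; return None if they cannot."""
    owner, row = MATRIX[obj]
    non_owner = {s: frozenset(row.get(s, "")) for s in SUBJECTS if s != owner}
    # Every non-owner lands in either the group class or the other class,
    # so at most two distinct rights sets can be represented.
    classes = sorted(set(non_owner.values()), key=lambda r: (len(r), bits(r)))
    if len(classes) > 2:
        return None
    other_rights, group_rights = classes[0], classes[-1]
    members = []
    if len(classes) == 2:
        members = sorted(s for s, r in non_owner.items() if r == group_rights)
    return members, bits(row[owner]) + bits(group_rights) + bits(other_rights)

def report():
    """Map each object to its classic-mode encoding, or None."""
    return {obj: classic_mode(obj) for obj in MATRIX}

if __name__ == "__main__":
    for obj, result in report().items():
        if result is None:
            print(obj, "not expressible with one owner, one group and other")
        else:
            print(obj, "group members:", result[0], "mode:", result[1])
```

Under these assumptions only o3 fits the classic mode bits; the other three objects each give three different rights sets to the three non-owners.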

  7. #17
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Catch, lad


    Kublai:

    Now you have made a couple of mistakes.... You have assumed that because you were here before me you are therefore "superior".... Then you chose to argue with Catch.... Been there... Done that.... My ******* has healed...

    Son.... You do not impress me.... Tell me something I don't know that I am interested in and that might change.... Your 100+ posts don't really make you godlike in my mind.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #18
    Senior Member
    Join Date
    Sep 2001
    Posts
    118
    Originally posted here by Tiger Shark


    Kublai:

    Now you have made a couple of mistakes.... You have assumed that because you were here before me you are therefore "superior".... Then you chose to argue with Catch.... Been there... Done that.... My ******* has healed...

    Son.... You do not impress me.... Tell me something I don't know that I am interested in and that might change.... Your 100+ posts don't really make you godlike in my mind.....
    Never said I was superior...just pointing out that I'm not as clueless as some people seem to think. And I'm wearing my iron underpants, so as not to 'catch' anything unfortunate. I admit it was a wee bit of a mistake to attempt to reason with someone who cannot be reasoned with...ought to have done my research a bit better beforehand. *wink*

    Ah, well. I didn't notice until just now that this is the 'Microsoft Security Discussions' forum...so of course much of my advice won't be welcome. Mea culpa, mea culpa, mea maxima culpa. One ought not debate with a fanatic on their own territory.

    Catch, you've made your point--you're rabidly anti-unix, though for what reason I still cannot fathom. If you wish to seek me out and explain, you're free to do so, though it's easier to find me on IRC than anywhere web-wise. Server's in the PM I sent you before.

    Ciao, folks.
    Got Root?



    This user powered by Linux.

  9. #19
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I am not anti-UNIX... I am just realistic about operating systems, not sure how many times I can say this. Hell I don't even like Windows that much... it is just best for the majority of my uses.

    However the traditional UNIX security policy is anemic and the superuser account is a huge weakness. Even the most hardened UNIX diehards understand these points.

    If you think I am incorrect please find one thing wrong with what I have said.

    I can easily be reasoned with, but you have shown me nothing new. I've had conversations about UNIX security more times than I can count... other users at least try to muddy the waters with ISO-15408 references or discussion of CAF, MLS, or SE extensions.

    cheers,

    catch

  10. #20
    AO Curmudgeon rcgreen
    Join Date
    Nov 2001
    Posts
    2,716
    I am not anti-UNIX
    Snicker.
    I came in to the world with nothing. I still have most of it.
