Printable View
HAH!Quote:
*snickers*
No, don't know you; you came after my time. Unless I have some bastard children I don't know about.
Negative, MsMittens, hogfly, and some of the others of that time period would know who I am.
'decided to come back in after a bit of an absence to see what's been going on and make a few contributions. Perhaps some really bad jokes, as well.
It's quite possible that that statement could be reversed..... ;)Quote:
Unless I have some bastard children I don't know about.
So, your acheivments here were? A quick glimpse at your "most recent" posts seem to imply that you were more heavily involved in the general chit chat more than the security related forums... But I can't be bothered to look any deeper....
I have always been bothered by people who ask "You don't know who I am, do you?" as if you are the Queen of England..... I usually find that there is a reason for my not knowing.... ;)
Most of my contributions were via the old #antionline IRC channel. I never really got involved with the site itself.
And yeah, you wouldn't really know who I was as I'd more or less stopped what little posting on the site I'd done by the time you showed up, really.
IRC's more my style, anyway.
Your comments speak more of your credentials than your old time cronies ever could.Quote:
I'll excuse you for not knowing who I am. Ask some of the older people. They'll vouch for my credentials.
This indicates a clear ignorance on your part of the windows access control system. It is far more expressive than the UNIX system.Quote:
In my experience, with a properly crafted set of user groups, and judicious application of chgrp, chown, and a proper understanding of how exactly unix file permissions work, the end result is far more secure than Windows ever could be.
UNIX has two major flaws with its DAC system, first the lack of granularity. Simple RWX permission bits? That can be defined to no more than a single user (who must be the own) and a single group? And what about privilege granularity? There is none! Users all have the same privileges and root can do everything. The second major flaw is the fact that the UNIX security policy is not comprehensive. Root undergoes no privilege or permission checks.
Again this shows a simple ignorance of Windows security... neither the Administrator or the SYSTEM accounts are comparable to the root account. All of the Windows accounts privileges and permissions are controlled by the security policy. Root is not addressed by the security policy at all. If I set a file to deny access (ah the deny functionality another beauty of windows) or if I just don't explicitly allow access to the Admin account, the admin cannot access the file. The admin can take ownership of the file and modify the permissions... IF the security policy allows that privilege. Typically it is better to create an SSO account that has things like take ownership to improve administrative granularity.Quote:
And if a "Superuser" account is such a bad idea, whyfore does Windows have "Administrator"? That's just a misspelling of "root". *wink*
Now you see why I had to forbid you from discussing computer security, until you are better educated. It is for your own good really.
Their laziness does not reflect back to the vendor if other companies are acting in an appropriate manner.Quote:
This still does not change the fact that there are a great deal of other companies, and thousands more users out there, that do not take these precautions.
Um... if your running applications under different credentials how is this different than having multiple accounts running simultaneously? There is no need to run a full local environment as multiple users.Quote:
That still doesn't address my fundamental point--I want to be able to have multiple accounts running simultaneously. Windows does not allow me to do this.
Pretty much. If the person is so unimpressive that they feel compelled to add value to themselves by the notion that you, yet shouldn't be ignorant of who they are... well it's kind of sad.Quote:
I have always been bothered by people who ask "You don't know who I am, do you?" as if you are the Queen of England..... I usually find that there is a reason for my not knowing....
cheers,
catch
Someone seems to have gotten up on the wrong side o' th' bed this mornin'
Well, let's see if there's anything in there worth replying to.
Respect for your elders, lad.Quote:
Your comments speak more of your credentials than your old time cronies ever could.
Users can belong to multiple groups, so I see no difficulty here. And I've been trying to figure out what you mean by all users having the same priveleges [ save root ].Quote:
This indicates a clear ignorance on your part of the windows access control system. It is far more expressive than the UNIX system.
UNIX has two major flaws with its DAC system, first the lack of granularity. Simple RWX permission bits? That can be defined to no more than a single user (who must be the own) and a single group? And what about privilege granularity? There is none! Users all have the same privileges and root can do everything. The second major flaw is the fact that the UNIX security policy is not comprehensive. Root undergoes no privilege or permission checks.
Mostly I think that your attitudes are based on a lack of understanding of how 'nix-based systems work. It's a bit of a paradigm shift from the windows world, and can be confusing at first, I suppose.
Also, be advised that those members of the 'wheel' group traditionally have root-like powers, but without quite the same level of privelege.
Your vaunted granularity is really taken care of perfectly adequately by properly set-up groups. It's not the same way that microsoft seems to want to do its thing, but it's worked perfectly well so far on the vast majority of computer systems I've seen, and on the vast majority of networked servers.
And yes, root gets around all the file restrictions, et al. That's kind of its job.
....except when people look at the statistics of what sorts of systems have been compromised, and note that one particular system seems to be especially disproportionatally prone.Quote:
Their laziness does not reflect back to the vendor if other companies are acting in an appropriate manner.
Because some of us like having multiple people working on a machine. Saves overhead.Quote:
Um... if your running applications under different credentials how is this different than having multiple accounts running simultaneously? There is no need to run a full local environment as multiple users.
Catch, lad, you really should realize one thing--your way is not necessarily the *only* way. There are other, perfectly viable means of doing things, and diversity ought to be encouraged. Systems of any sort--whether biological, industrial [ car manufacturers, gasoline production ], technological [ computer manufacturers, software designers ] only truly flourish and advance when there is sufficient competition.
Users can belong to multiple groups... are you familiar with the Harrison, Ruzzo, Ullman conclusions regarding DAC systems from 1976? If so... are the problems they discussed aided or worsened by many overlapping groups?Quote:
Users can belong to multiple groups, so I see no difficulty here.
Example: (this is taken from a real world system)
Four subjects (s1, ... s4)
Four objects (o1, ... o4)
each object is owned by its related subject (s1 owns o1, etc)
share o1 with s2(r) & s3(wx) +s1(rwx)
share o2 with s1(w) & s4(r) +s2(rwx)
share o3 with s2(rwx) +s3(rwx)
share o2 with s1(rw) & s3(wx) +s4(rwx)
What groups do we need?
Now lets imagine thousands of users and files. Whee.
This isn't even dealing with more complex permissions like I address later.
Users don't have privileges defined... only permissions... so naturally they all have the same permissions. Coming from a UNIX background you don't understand the difference between the two... because again privileges are never defined in UNIX. (as they are in nearly every other system security policy type)Quote:
And I've been trying to figure out what you mean by all users having the same priveleges [ save root ].
Actually myself having originated from a UNIX background (IRIX, TRIX, and HP-UX) I would say that the Windows model is more complex since the Windows security policy is essentially a superset of the UNIX one. Going from Windows to UNIX should be quite simple... though frustrating.Quote:
Mostly I think that your attitudes are based on a lack of understanding of how 'nix-based systems work. It's a bit of a paradigm shift from the windows world, and can be confusing at first, I suppose.
Really? So how will groups help you set up directory that allows a user to delete files, but not subdirectories while allowing the user to create subdirectories (with a predefined set of rights different than the original directory) but not new files and disallows the user to execute files or traverse the directory and allowing them to read file attributes but not read file security settings?Quote:
Your vaunted granularity is really taken care of perfectly adequately by properly set-up groups.
Exactly, it's root's job to exist as a violation to the system's security policy... the technical definition of this is "A vulnerability." A vulnerability put in place to facilitate lazy administration.Quote:
And yes, root gets around all the file restrictions, et al. That's kind of its job.
Last I checked the statistics of such things were appropriately proportional to scope of their use... also let us not forget UNIX's terrible audit trails.Quote:
....except when people look at the statistics of what sorts of systems have been compromised, and note that one particular system seems to be especially disproportionatally prone.
Thinking that the number of compromised systems reflects on a system's capabilities is very simple-minded.
Unless you wish to take a step backward 20 years to mainframes... by my calculations users sharing a system results in more machines... at least two... one for each user to actually be physically connected to and then one is shared... or three where two terminals share a single computer.Quote:
Because some of us like having multiple people working on a machine. Saves overhead.
Which, by the way is very doable with Windows... how do you think those Windows web hosting systems work? Many clients connect to a single server or server cluster... this can be done via a remote terminal like telnet. Users can manage their files and share computing resources.
Not when people cling to a system proven to be flawed nearly 30 years ago because it is what they know. Then these same people get ego issues and don't want to admit that it is flawed because that would mean that their efforts and expertise is for naught.Quote:
Catch, lad, you really should realize one thing--your way is not necessarily the *only* way. There are other, perfectly viable means of doing things, and diversity ought to be encouraged. Systems of any sort--whether biological, industrial [ car manufacturers, gasoline production ], technological [ computer manufacturers, software designers ] only truly flourish and advance when there is sufficient competition.
cheers,
catch
:eek:Quote:
Catch, lad
Kublai:
Now you have made a couple of mistakes.... You have assumed that because you were here before me you are therefore "superior".... Then you chose to argue with Catch.... Been there... Done that.... My ******* has healed... :D
Son.... You do not impress me.... Tell me something I don't know that I am interested in and that might change.... Your 100+ posts don't really make you godlike in my mind.....
Never said I was superior...just pointing out that I'm not as clueless as some people seem to think. And I'm wearing my iron underpants, so as not to 'catch' anything unfortunate. I admit it was a wee bit of a mistake to attempt to reason with someone who cannot be reasoned with...ought to have done my research a bit better beforehand. *wink*Quote:
Originally posted here by Tiger Shark
:eek:
Kublai:
Now you have made a couple of mistakes.... You have assumed that because you were here before me you are therefore "superior".... Then you chose to argue with Catch.... Been there... Done that.... My ******* has healed... :D
Son.... You do not impress me.... Tell me something I don't know that I am interested in and that might change.... Your 100+ posts don't really make you godlike in my mind.....
Ah, well. I didn't notice until just now that this is the 'Microsoft Security Discussions' forum...so of course much of my advice won't be welcome. Mea culpa, mea culpa, mea maxima culpa. One ought not debate with a fanatic on their own territory.
Catch, you've made your point--you're rabidly anti-unix, though for what reason I still cannot fathom. If you wish to seek me out and explain, you're free to do so, though it's easier to find me on IRC than anywhere web-wise. Server's in the PM I sent you before.
Ciao, folks.
I am not anti-UNIX... I am just realisitic about sperating system not sure how many times I can say this. Hell I don't even like Windows that much... it is just best for the majority of my uses.
However the traditional UNIX security policy as anemic and the superuser account is a huge weakness. Even the most harded UNIX diehards understand these points.
If you think I am incorrect please find one thing wrong with what I have said.
I can easily be reasoned with, but you have shown me nothing new. I've had conversations about UNIX security more times than I can count... other users at least try to muddy the waters with ISO-15408 references or discussion of CAF, MLS, or SE extensions.
cheers,
catch
Snicker.Quote:
I am not anti-UNIX
:cool: