Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Counseling not to use Windows (was Re: Anonymoussurfing my ass\!)
From: full-disclosure () lists netsys com (Schmehl, Paul L)
Date: Mon, 15 Jul 2002 14:59:59 -0500

Comments inline.

Paul Schmehl (pauls () utdallas edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member

-----Original Message-----
From: David F. Skoll [mailto:dfs () roaringpenguin com] 
Sent: Monday, July 15, 2002 2:10 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Counseling not to use Windows 
(was Re: Anonymoussurfing my ass\!)

Sorry to pick on your example but an extension merly indicates what 
kind of data is in the file.

Not under Windows as it is configured by 99.99% of end-users. 
 If you name a file "foo.txt", very different things happen 
if you click on the file than if you click on the exact same 
file named "foo.exe".

That depends on how the admins configure things. :-)  Here at UTD, for
example, it isn't possible to execute a VBS file unless you know what
you're doing.  It's also possible to restrict the executables that a
user can run, using group policies.

A .txt extension suggests that a user might want to
hand the file to a program that'll treat the file as plain ASCII, 
similarly an .exe extension suggests that a user might want to give 
the file some memory and time slices and treat it as a 
program in it's 
own right. You could load the .exe into notepad, and you 
could execute 
the .txt file.

Again, for 99.99% of end users, such fine points are 
irrelevant.  To them, clicking on an .exe runs the program.  
Windows even "helpfully" hides the extension by default.

And you think they will do *better* at this in *nix?  You've pinpointed
the problem, but missed the solution.  The problem is the *users* who
are ignorant and chose to remain that way.  The solution is for the
*conscientious* admins to understand that truth and find ways to defend
the enterprise *anyway*.

That is true when it comes to memory protection, but what 
you're talking about is filesystem protection, and Linux 
doesn't "pretend" anything -- it enforces it.  I believe it 
is possible under some versions of Windows to allow read 
access but not execute access to files and directories, but 
again, 99% of end-users don't know this and don't configure it.

Your ignorance of Windows is showing.  It is possible, under all
"modern" versions of Windows (not the 9x variety) to get as granular as
this (at the directory or file level):

Full Control
Traverse Folder / Execute File
List Folder /Read Data
Read Attributes
Read Extend Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Take Ownership

It isn't the OS that's the problem.  It's the manufacturer's choices of
default settings and the ignorance of the users (and admins in many
cases.)  Isn't this precisely the same problem on *nix?  Give me an
ignorant user on a default install of *nix and I'll give you a hacked
box in a few minutes (except perhaps OpenBSD, which is one of the few
that ship "secure" out of the box.)

Please don't misunderstand - I am NOT saying Windows is a good as or as
secure as Unix.  Given the choice, I'll take OpenBSD.  But the *real*
problem isn't software, it's humans.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]