Re: New York Times: How Susceptible Is Your Operating System to Viruses?


From: John Ives (jives_at_cchem.berkeley.edu)
Date: Fri Sep 19 2003 - 14:27:51 PDT


At 01:57 PM 9/19/2003 -0700, Tom Holub wrote:
> > But at the same time it still doesn't support vbs scripts in the same way
> > as Windows. So while the gist of your statement is correct that it can run
> > scripts, none of the current viruses would work.
>
>That's an argument about being the smaller target population, not an
>argument about how secure the machine is.
>
>I think it's fair to say that both Outlook and Eudora on the Mac could
>be made to run scripts which could propagate viruses, and the main reason
>they are not is because the Mac is a small target population.

I won't argue with this, just like I didn't argue with Eric's assertion.

> > >*The author makes comparisons to Windows users running as administrator and
> > >Mac or Linux users running as regular users. Windows users can run as a
> > >normal user too, when the user installs software, Windows will prompt the
> > >user for an administrator password.
> >
> > Actually he compares it to the Administrator account in OSX. The truth of
> > the matter is that the OSX admin still can't do what a Windows Admin
> > can. There is still a hierarchy that places root over admin and it takes
> > root to make many hard core changes to a system. I was only peripherally
> > involved in our tests, but as I remember root isn't enabled by
> > default. Additionally, I seem to remember that at one point we were
> > prompted for an Admin account username/password even though we were admin
> > at the time. This may be a tad inconvenient but it makes good security
> > sense.
>
>This is a level of misdirection, not security. Any administrator can
>run "sudo" to execute any task as root--including modifying /usr/bin files
>or your kernel. If you're an administrative user, you are root for all
>intents and purposes.

Like I said I was only peripherally involved, but having to run an extra
command to do the extra damage is still better than nothing.

> > >*Open source doesn't mean secure. How long have OpenSSH and sendmail been
> > >open source?
> >
> > As Mike has already suggested, there is no such thing as complete and
> > perfect security. You're not going to get it from Open Source, you're not
> > going to get it from Novell and you certainly are not going to get it from
> > Microsoft. Given the option, I will choose open source/open standards over
> > proprietary any day.
>
>I think the idea of open source software being inherently more secure
>is based on faulty assumptions. There is a lot of terrible
>open-source software out there, with no design review or thought given
>to security. Open source software tends to get fixed faster when
>there are problems, but there are just as many vulnerabilities.

Let me back-pedal a couple steps; a better way to express my sentiment is
that given the choice of comparable products I will choose open source any
day. There are certainly instances where proprietary products are better,
or rather better suited for me, but when all else is equal (or
approximately equal) it's open-source for me. I use a lot of proprietary
systems (I get paid to), but it's all about choosing the right chisel for
the job (and sometimes that job is mine).

>And for that matter, Mac OS X is not open-source.

I'm well aware of that, but much of it is based upon open source, and those
are the same pieces that interest me the most (SAMBA, SSH access, etc). I
know I don't need a Mac for those, I use some of them on Linux (I still
haven't gotten around to BSD, but I will) all the time.

John

-------------------------------------------------
John Ives, GCWN, GSEC
Systems Administrator
College of Chemistry
(510) 643-1033

"If you spend more on coffee than on IT security, Then you will be hacked.
What's more, you deserve to be hacked." - Richard Clarke

Any opinions expressed are my own and not those of the Regents of the
University of California.

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.



This archive was generated by hypermail 2.1.5 : Fri Sep 19 2003 - 14:29:04 PDT