OSNews

what I meant with that was citing where I got it from :o

I wouldn't get too excited about this..

Many Linux distro's STILL maintain a 15 minute sudo timeout (apparently ubuntu is one of them), which means any program (virus or otherwise), can sit there and wait until there's an open sudo session available, and then get admin privs without a password. Some linux distro's are still calling that a feature unfortunately (so they are no better then Microsoft).

But yeah, its about time Microsoft fixed this stupidity. UAC is certainly a good thing, but that broken behavior would have made it as insecure as Windows XP. Good to see they stopped playing politics and caved in.

Btw, at least they did a 180degrees... I wouldn't say its a marketing ploy though (not sure where the author came up with that BS from).

Either way, I don't care as long as its fixed.

And not only that, but with some distros (perhaps most notably Ubuntu), anyone with physical access to your computer can gain root-level access without any effort at all, by selecting "recovery mode" from the bootloader prompt.

Not quite the same thing, I realize, but still an example of an easily fixable security flaw that remains untouched.

As long as you are not using file/disk encryption, anyone with physical access can have full access to your data stored on that device. Adding a "feel-good" security as you propose does not enhance security at all.

Anyone expending the effort to select "recovery mode" is going to be prepared with a liveCD also. I'd actually skip to step two and just use the liveCD or trusty flashdrive in my pocket; why use your distro in recovery mode when I can use my distro in "all your disk are belonging to us" mode.

I see it the same way with wireless routers. People say; but if I hid my SSID then I'm cutting out the skript kiddies because it's too much effort to see my SSID. (.. in the first packet detected by kismet, airodump and nearly any other tool that anyone looking at other's wireless networks are already going to be using)

Actually, Ubuntu's decisions regarding security are one of the reasons it's not the distro of choice for many security concious geeks. You can either lock down Ubuntu and have the popular brand name installed or you can use a distro that believe in security-by-default even if that causes a little more learning for the end user. I don't mean to say that Ubuntu is not a great introductory distribution.. it's just not what some are going to stay with once they get comfortable enough to try other liveCD.

Big deal - you can reset the admin password on just about anything (Windows, Linux, or MacOS X) if you happen to have a boot CD handy. An Ubuntu LiveCD will do the job nicely, as would a WinPE boot CD, or a Mac OS X install CD.

The only way to prevent someone with physical access to your machine from getting root-level access is to use whole-disk encryption.

By the way, as with the recovery console on Windows XP, most Linux distributions require you to enter the root password before you can use recovery mode. It's just Ubuntu that doesn't, because it doesn't have a root password.

Reset my admin passwords? Truecrypt; no you can't.

Downside is that I can't use liveCD tools to fix issues in Windows that can't be fixed from inside it (I've a Flash v6 plugin that can't be deleted off the platter). I'm ok with it though, the benefits of encrypted disks outweigh the few hassles on the technician side.

Never understood why they changed UAC in the first place. It was supposed to be annoying, supposed to teach people better security. Just because they're complaining doesn't mean you have to appease them.

You know, it's not necessarily Microsoft's job, but seeing as they do control the market, they probably should put out more of an effort to really explain to people why things like this are necessary, and why people are going to have to fix over ten years of bad security habits. If the common user understood better, they'd probably complain less at least.

It was supposed to teach developers to write there software within Microsoft's specifications by annoying the end users enough that they would put pressure on the third party developers.

Badly planned and implemented from start to end if they still claim that providing benefit to the end user is the goal of the product.

Honestly, your comment isn't substantive enough to comment on, so we just downmod it. Consider it my own kindness to even bother replying to you now.

Running XP without a full time AV ? Just shows how dopey some people can be....

The claimed it was a feature implemented that way on purpose. They now claim it's "something we where going to fix anyway" only because they got embarrassed in the media.

It's not that hard to change - all you have to do is:

sudo passwd

It's actually one of the first things I do after an Ubuntu install.

My first addition; ssh
My first change after that addition; disallow root login through ssh config and passwd (-d is it?)

I agree. Teams within Microsoft revisit decisions on a regular basis, and I bet the large internet feedback prompted them to make this (relatively trivial) change. To be honest, all that's required to adjust this behavior is a single line in an XML manifest file.

I don't know if that's actually what happened.. but I'm just saying that people do evaluate feedback and take action sometimes .