Linked by Thom Holwerda on Mon 19th Mar 2007 00:29 UTC, submitted by vicious1
Privacy, Security, Encryption "In response to Jeff Jones' Monthly Security Scorecard I did some research on Secunia and made some statistics to answer his. Jeff's Scorecard is quite minimal in my opinion and as pointed out by some of the comments, is missing some interesting facts. These facts include the outstanding advisories, for example, and of course the amont of software installed. Since Linux installs a lot more software the numbers are a bit skewed; however, even if I only take the numbers from Secunia with regard to advisories, vulnerabilites fixed, etc., things still look quite different then on Jeff's charts."
Thread beginning with comment 222492
To view parent comment, click here.
To read all comments associated with this story, please click here.
lemur2
Member since:
2007-02-17

{ You think UAC is bad then what about Ubuntu? They prompt for logged in user's password? Why can't a rogue software show me the same prompt and steal my password? IMHO UAC is better than the password prompting approach of Ubuntu. }

How is the "rogue software" going to get execute permissions on a local Linux machine?

It is only the Windows NTFS and FAT filesystems that lack execute permissions. Linux distributions typically will not allow you to have a root filesystem that does not support execute permissions.

It is only the Windows kernel that will happily run an executable file that has not had any local user explicitly give it permission to run.

It is only Windows systems that will allow a rootkit to be installed via the simple act of putting a CD in the drive.

UAC is an exceedingly poor substitute for proper security execute permissions that are lacking in the Windows filesystems.

Edited 2007-03-19 09:27

Reply Parent Score: 5

BluenoseJake Member since:
2005-08-11

"UAC is an exceedingly poor substitute for proper security execute permissions that are lacking in the Windows filesystems. "

Uh, You are partially correct, FAT does not have File permissions, but NTFS has proper permissions, with inheritance and fine-grained control. To get the same sort of permissions on Linux, you must use SELinux. UAC is not there to fix file permissions, it's there to fix the ever-present problem as everyone running as admin.

Reply Parent Score: 3

Xaero_Vincent Member since:
2006-08-18

Yea NTFS offers file permissions in the form of ACLs. Linux filesystems support secure file permissions but are more sane with only three options: group, user, and read/write/execute permissions.

I use SELinux on the Fedora-based distro I'm running along with sudo/gksudo, NoExecute security, buffer overflow/stack protected GCC, etc.

Except for SUSE, RedHat/Fedora, hardened Gentoo or Debian, most distros are unfortuantly lacking in pre-emptive security department.

Reply Parent Score: 2

kaiwai Member since:
2005-07-06

Technically, they're not actually running as admin, IIRC they're running in "Power User" mode, and UAC merely elevates their privilages when required - simpilar to sudo.

I don't have a problem with the idea, the problem I have is with the way it has been implemented - completely blanking the screen, only have 'continue' rather than demanding a password - because its almost a certaintity that an end user will get annoyed and simply become 'continue button' happy and when they are faced with a genuine security issue, they would have missed it in the haste of just 'getting rid of the damn message'.

Reply Parent Score: 2