Linked by Thom Holwerda on Thu 5th Mar 2009 13:27 UTC
For Windows 7, Microsoft has made some changes to User Account Control to counter the criticism that UAC was too intrusive. It didn't take long before several holes were poked in Windows 7's default UAC settings, and now one is left to wonder: is it wise to sacrifice security for (perceived?) usability? Ars has an editorial that deals with this question.
Thread beginning with comment 351863
Comment by hraq
by hraq on Thu 5th Mar 2009 19:43 UTC
hraq Member since:
2005-07-06

"Windows NT has a security model that was at least as advanced as - but probably more advanced than - what UNIX/Linux have to offer."

Said who? Is he a kernel developer? No. Is he a multiplatform kernel developer or designer? No.

How could he claim that?

Please be logical for once.
Thanks

Reply Score: 0

RE: Comment by hraq
by Thom_Holwerda on Thu 5th Mar 2009 20:02 in reply to "Comment by hraq"
Thom_Holwerda Member since:
2005-06-29

"Said who? Is he a kernel developer? No. Is he a multiplatform kernel developer or designer? No.

How could he claim that?"


Windows NT has all the security features UNIX/Linux has - with the added functionality of ACLs. ACLs are way more advanced than anything UNIX/Linux had, but as google_ninja already pointed out a few comments upward, you could easily argue that while UNIX/Linux might have a simpler approach to security, that could still, in the end, be the better option for home users.

ACLs are a tad bit, well, complicated, you see, while UNIX security is pretty straightforward.

Reply Parent Score: 2

RE[2]: Comment by hraq
by Adam S on Thu 5th Mar 2009 20:40 in reply to "RE: Comment by hraq"
Adam S Member since:
2005-04-01

I'm confused. The standard file permissions on UNIX (e.g. 755) are an ACL. Extended ACL bits, like the mask, are also available. Furthermore, SELinux gives you even more granular MAC (mandatory access control) policies.

So how can you say Linux/Unix doesn't have access control?

Reply Parent Score: 1
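
An added illustration, not part of any poster's comment: the point above about mode bits such as 755 being a three-entry ACL, and about the mask in extended ACLs, sketched as a POSIX.1e-style access check. The user and group names and the sample ACLs are constructed for the example.

```python
RWX = {"r": 4, "w": 2, "x": 1}

def bits(perm):
    """'r-x' -> 5"""
    return sum(v for c, v in RWX.items() if c in perm)

def text(n):
    """5 -> 'r-x'"""
    return "".join(c if n & v else "-" for c, v in RWX.items())

def mode_to_acl(mode):
    """The nine mode bits written out as the minimal three-entry ACL."""
    return [("user", "", text((mode >> 6) & 7)),    # owning user
            ("group", "", text((mode >> 3) & 7)),   # owning group
            ("other", "", text(mode & 7))]

def allowed(acl, want, uid, gids, owner, group):
    """POSIX.1e-style check: owner, named user, group class, then other.
    The mask caps named users and all group entries, never owner or other."""
    need = bits(want)
    entries = {(tag, who): bits(perm) for tag, who, perm in acl}
    mask = entries.get(("mask", ""), 7)   # a minimal ACL has no mask entry

    def grants(p):
        return (p & need) == need

    if uid == owner:
        return grants(entries[("user", "")])
    if ("user", uid) in entries:
        return grants(entries[("user", uid)] & mask)
    matched = [entries[("group", "")]] if group in gids else []
    matched += [entries[("group", g)] for g in gids
                if g and ("group", g) in entries]
    if matched:
        # one matching entry must grant the whole request by itself
        return any(grants(p & mask) for p in matched)
    return grants(entries[("other", "")])

# Constructed samples: a file owned by alice:staff.
MINIMAL = mode_to_acl(0o755)
EXTENDED = mode_to_acl(0o750) + [("user", "bob", "rw-"), ("mask", "", "r--")]

if __name__ == "__main__":
    print(MINIMAL)
    # bob's named entry says rw-, but the mask r-- removes the write bit
    print(allowed(EXTENDED, "r", "bob", [], "alice", "staff"))
    print(allowed(EXTENDED, "w", "bob", [], "alice", "staff"))
```
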

RE[2]: Comment by hraq
by mrhasbean on Thu 5th Mar 2009 23:37 in reply to "RE: Comment by hraq"
mrhasbean Member since:
2006-04-03

"Windows NT has all the security features UNIX/Linux has - with the added functionality of ACLs."


OSX has ACLs, OSX is a *nix...

Reply Parent Score: 1

RE[2]: Comment by hraq
by lemur2 on Fri 6th Mar 2009 00:39 in reply to "RE: Comment by hraq"
lemur2 Member since:
2007-02-17

"Said who? Is he a kernel developer? No. Is he a multiplatform kernel developer or designer? No. How could he claim that?
Windows NT has all the security features UNIX/Linux has - with the added functionality of ACLs. ACLs are way more advanced than anything UNIX/Linux had, but as google_ninja already pointed out a few comments upward, you could easily argue that while UNIX/Linux might have a simpler approach to security, that could still, in the end, be the better option for home users. ACLs are a tad bit, well, complicated, you see, while UNIX security is pretty straightforward."

Precisely so.

Since NT was written, however, there have been a number of security-enhanced versions of Linux implemented.

http://en.wikipedia.org/wiki/Selinux
"In free community supported Linux distributions, SELinux is supported in Debian as of the etch release, Ubuntu as of 8.04 Hardy Heron, Fedora since version 2, Hardened Gentoo, and Yellow Dog Linux."

I believe it is supported, but not the default, except in RedHat/Fedora.

There is also AppArmor.
http://en.wikipedia.org/wiki/AppArmor
"AppArmor was first used in Immunix Linux 1998-2003. AppArmor was first made available in SUSE and openSUSE, and was first enabled by default in SUSE Linux Enterprise Server 10 and in openSUSE 10.1. AppArmor was first successfully ported/packaged for Ubuntu in April 2007. AppArmor comes installed default in Ubuntu 7.10 Gutsy Gibbon, and came as a part of the release of Ubuntu 8.04, although it only protects CUPS by default, the user can install new profiles and enforce them."

I think Ubuntu are proceeding along the "AppArmor by default" route:
https://blueprints.launchpad.net/ubuntu/+spec/jaunty-security-defaul...

There is not much point, however, in providing systems like NT's ACLs, SELinux or AppArmor if they aren't applied sensibly.

PS: AppArmor first appeared in Immunix Linux 1998-2003. When exactly was NT written? Sometime around the same timeframe, wasn't it?

http://en.wikipedia.org/wiki/Nt_kernel

Edited 2009-03-06 00:49 UTC

Reply Parent Score: 2

Milo_Hoffman Member since:
2005-07-06

FYI... we have a little PEE CEE user revisionist history going on here.

The commercial Unixes (AIX, Solaris, HPUX, IRIX etc) had ACLs before Windows NT (er, OS/2 v3) was a spooge in someone's pants at IBM.


And frankly the Unix guys learned what the Windows guys have apparently not learned yet.


FRANKLY ACL'S SUCK.



WHY?

When was the last time you saw a normal user play with the ACLs on a bunch of files in a directory?


I don't know about you but for me the answer is... I HAVE NEVER seen it happen working in enterprise IT that even a Windows admin, let alone a normal user, ever TOUCHES ACLs. The only people that even try are those that set up the builds/installs, and those that manage NAS storage or something.



Contrast that to UNIX: an easy-to-use permissions system, where just about everyone who reaches something between newbie<>poweruser status has totally mastered, understands and USES file permissions correctly.







Put a combination lock that takes 1000 different codes to lock, and unlock on your door, and no one in the house will bother to lock it when they leave.


Put a lock with one key, and it will probably be locked every time.




Bragging about ACLs just makes you look stupid, because anyone with real world enterprise IT experience knows they are worse than useless in real life and end up being less secure due to complexity.

Reply Parent Score: 1

RE[2]: Comment by hraq
by kaiwai on Sat 7th Mar 2009 01:57 in reply to "RE: Comment by hraq"
kaiwai Member since:
2005-07-06

"Said who? Is he a kernel developer? No. Is he a multiplatform kernel developer or designer? No.

How could he claim that?

Windows NT has all the security features UNIX/Linux has - with the added functionality of ACLs. ACLs are way more advanced than anything UNIX/Linux had, but as google_ninja already pointed out a few comments upward, you could easily argue that while UNIX/Linux might have a simpler approach to security, that could still, in the end, be the better option for home users.

ACLs are a tad bit, well, complicated, you see, while UNIX security is pretty straightforward."


Complexity can be, in itself, a security vulnerability just as over the top ease of use and automation can result in complacency, lack of quality feedback and security problems resulting from services running (and the admin doesn't know about them).

I question how many features many enterprises use because I've seen numerous cases where people have praised Active Directory but very rarely used many if not any of the advanced features in it. Same situation with ACLs, praised to the high ceilings but when the rubber hits the road, how many use them and out of those, how many of those who do use them use them because they have to? Again, complexity can be a security flaw too.

Edited 2009-03-07 01:59 UTC

Reply Parent Score: 2