I do not use my administrative account on my Windows system. I have created a dummy account for myself. Also, I believe one can run services with non-system level permissions... though you might have to log in with the separate account for the service to start.

I'm not completely sure how we got off the topic of desktop with virus scanners. I imagine many people would agree that *nix systems are more stable and reliable than their Windows counterparts. Whether they are as user friendly is a different issue, but not relevant when you are talking about servers. However, when using *nix machines as a desktop it is an issue... making *nix machines more user friendly I imagine would add additional security vulnerabilities.

Any system that is properly set up and used will be less vulnerable to security breaches. More or less this was my point from the beginning--it's coincidental that my desktop runs Windows.

Ben Liyanage
ben at smartankgroup.com
410.336.2464

-----Original Message-----
From: Dan Fried [mailto:dan at creativeconstructs.com]
Sent: Sunday, May 29, 2005 8:34 PM
To: Ben Liyanage
Cc: Mailing List
Subject: Re: [Hidden-tech] Windows security (sic)

Ben,

This isn't quite right because "root" on Windows is fundamentally unlike root on *nix based systems like Linux and Mac OS X. Some of these are rather fine points, but can be important nonetheless.

The most prominent difference is usage based. When you get a new Windows machine and create a new account, you do so with "admin" privileges by default. Without these admin privileges you cannot do things like install software, which makes a non-admin based account pretty useless for many people. Unfortunately, because you are always logged in as admin, any software that runs while you are logged in does so with full admin privileges and can install and modify system files. *nix systems, on the other hand, generally default to a user based system and root access is only used when installing something that requires it.
Mac OS X is kind of a hybrid system, but it still requires an explicit re-entering of admin privileged password when installing a modification to a system file.

Services are another, technical, way the approaches differ. In Windows, services have to run as system processes. This means that if your system service (say IIS, the web server) is compromised through a flaw in the software, that process has full system access and the ability to modify system files. On a *nix system, it is not required that running services (or daemons) run as root processes (equivalent to system processes in Windows). A default installation of Apache (the open source web server) on a *nix system, will create a separate process account for Apache that will not have privileges to access anything else, so even if an exploit for Apache is used, it will not have full root privileges (unless the default settings were ignored by whoever installed Apache). This is part of the reason many of us laugh when Microsoft tries to point out the number of known exploits for Apache as being a sign that IIS is just as secure.

This is not to say that *nix is perfect and unbreachable, but a properly set up system will require two exploits to get root privileges in a *nix system, one for the user process and one to get root access once the process has been compromised.

This brings us to the final security advantage of *nix systems; Diversity. An attack that compromises a particular version of Apache will then have to deal with one of about a dozen major distributions, running any one of about a dozen kernel versions (just counting recent releases), many of which will have been recompiled with different optimizations and patches by their administrators. A single exploit could only affect a relative handful of machines making automated attacks (like viruses) very difficult.

I'm not claiming that Windows is evil and everyone should switch to *nix systems, but there is a fundamental difference in the level of security available. If there were 100 operating systems in the world, all with about the same level of security as Windows, but each with equal market share, we would be much less vulnerable to viruses and spyware. (Of course if all those systems had the security level of *nix, we would be even better off).

The biggest problem we have is that because there is such ubiquity in the computing world, viruses can run rampant and spread like wildfire... because virus writers know that a single new virus can affect more than 90% of the systems out there.

-Dan

Ben Liyanage wrote:

> ** Be a Good Dobee and help the group
> ** Fill out the survey/skills inventory in the member's area.
> ** Remember you must be counted to post.
>
>This is the way Windows virii work as well. You 'get root' by convincing
>the user to run your application, thus infecting their computer. To say
>that Linux machines do not get virus because they dominate the server market
>is a little excessive as well. If the average person did not use his
>computer at all but instead left it running on his desk he would not get
>virii either.
>
>I'd also say that most people that use Linux for their desktop systems are
>like me--people with a degree in computer science, and/or a divine
>fascination with computers. We are less likely to infect our computers with
>virii.
>
>This brings to mind a blurb that was on one of my old professor's door that
>went something like this:
>
>If automobiles were built like a Linux machine, the odometers, speedometers,
>or any other meter on the dash of the car would be replaced simply by a red
>exclamation mark that lit up when something went wrong--an experienced Linux
>administrator would already know what the problem was.
>
>-----Original Message-----
>From: hidden-discuss-bounces at lists.hidden-tech.net
>[mailto:hidden-discuss-bounces at lists.hidden-tech.net]On Behalf Of David
>Mertz, Ph.D.
>Sent: Saturday, May 28, 2005 9:46 PM
>To: Mailing List
>Subject: Re: [Hidden-tech] Windows security (sic)
>
>On May 27, 2005, at 1:50 PM, Mark Bucciarelli wrote:
>
>>It also doesn't hold up when you look at the virus counts and compare
>>to desktop share:
>>- there are about 60,000 viruses known for Windows, 40 or so for the
>>Macintosh, and perhaps 40 for Linux.
>
>Good points overall Mark. But you vastly overstate the number of
>"viruses" for Mac OSX and/or Linux. It certainly comes nowhere close
>to 40 for either (Mac Classic had a couple minor ones, it is true).
>What gets called a virus on those unix-like systems is always a
>"theoretical attack that might work if you can already 'get root', or
>if the user cooperates to a high degree with the attack."
>
>The number of historical "live" viruses for either OSX or Linux is
>exactly zero. And the worst attack that could ever conceivably be
>developed for either is far less serious than the sort of thing a
>Windows machine gets infected with on a daily basis.
>
>Remember, friends don't let friends run Windows!
>
>-----------------------------------------------------------------------
>mertz@ | The specter of free information is haunting the `Net! All the
>gnosis | powers of IP- and crypto-tyranny have entered into an unholy
>.cx    | alliance...ideas have nothing to lose but their chains. Unite
>       | against "intellectual property" and anti-privacy regimes!
>
>_______________________________________________
>Hidden-discuss mailing list - home page: http://www.hidden-tech.net
>Hidden-discuss at lists.hidden-tech.net
>
>You are receiving this because you are on the Hidden-Tech Discussion list.
>If you would like to change your list preferences, Go to the Members
>page on the Hidden Tech Web site.
>http://www.hidden-tech.net/members