__/ [ John Bailo ] on Monday 15 May 2006 03:04 \__
> Roy Culley wrote:
>> I surf the web as most PC users do. I never worry about what sites I
>> visit. Yet security advisory after security advisory for Windows flaws
>> state disable activeX or only visit trusted sites! What the fuck is a
>> trusted site?
> Windows security for Internet is designed around "zones" -- so there is
> Local Zone, Intranet Zone, Internet Zone. Basically you can assign levels
> of trust (low, medium, high) to specific sites.
This does not justify the concept. A trusted site should have nothing to
do with security. Paternal control is a whole different animal. Content
which was properly peer-reviewed (e.g. Wikipedia) is another.
>> Take email attachments. I receive them like anyone else. Do they cause
>> me harm? No. Even if I choose to save the attachment it isn't going to
>> run unless I explicitly allow it.
> But say it's a .vbs (VB script) and you are tricked into clicking on it?
> Or if it is an ActiveX object, which is essentially a Windows application
> that you download from a web site -- it can have all sorts of access, since
> it/you are running at admin level.
This is not a proper excuse. Roy Culley makes a valid and good point.
Windows has made the Internet dangerous, at least in the conceptual-level.
Not only has surfing become dangerous to its user (take Netcraft toolbar
as proof), but the whole community suffers. A net citizenship wherein one
citizen is allows to have spam spewed passively (affecting _everyone_) is
worrisome, to say the least.
>> My question is: why does Windows make using your computer on the
>> Internet so dangerous?
> Because the GUI runs at Ring 0. You the user, have ultimate privilege,
> and programs can run "as you" and basically run commands as if you were
> sitting there and typing them in.
This remains inexcusable. The main point is not being being addressed.
>> The answer is: Windows is insecure by design. Bandaid solutions are
>> the best they can oofer for many exploits.
> Windows was never designed for the Internet. It was designed for corporate
> networks and WANs that were insulated with their own firewalls and other
> levels of security. There was no design consideration for an independent
> node, directly connecting to the Internet. The MS design model is one of
> cells within cells of trust and relationships. That is the NT security
> model, where an admin of one domain brokers trust between other domains and
> individuals (one Microsoft document went so far as to describe it as the
> sort of relationships that drug dealers have with their higher ups and each
> other! Cutting the product down to the final end user!)
That being the case, Windows should not be distributed for use over the
Internet. Firewalls don't cut the deal. If a new O/S gets built from
scratch to accommodate for a multi-use, secure model, that will be a
different scenario. At present, neither XP not Vista are ready for the
Net. They call it "people-ready" in TV ads, but it is by no means secure
Roy S. Schestowitz | Reversi for free: http://othellomaster.com
http://Schestowitz.com | SuSE GNU/Linux ¦ PGP-Key: 0x74572E8E
7:00am up 17 days 13:57, 12 users, load average: 0.44, 0.62, 0.68
http://iuron.com - help build a non-profit search engine