--On Sunday, November 04, 2007 13:25:01 -0800 "Thor (Hammer of God)"
<thor (at) hammerofgod (dot) com [email concealed]> wrote:
>
> In that regard, I'm of the opinion that our OS's are and can be properly
> configured with a little bit of education as they now stand. If this
> MAC trojan is successful, it's our fault as admins and users, not
> Apple's fault at this point.

I disagree. Here's why. When you try to install a program on OS X, you
are prompted for *your* password. Nowhere does it warn you that this is an
administrator level access. I think that's a mistake on Apple's part (and
many other OSes as well) in that the average joe user won't understand the
implications of typing in *his* password.

Now, if Joe is especially sharp, he might question *why* he has to type in
his password again when he's already logged in, but, unless he's been
learning the OS, he's not going to make the connection that he's about to
authorize privileged access to the file system.

Unix, IMNSHO, handles this the right way. You try to run something that
requires root access, it refuses to run it *and* tells you that you need to
be root to do it. Unfortunately, some of the GUIs are now obscuring this
knowledge by simply prompting for the password, but at least they tell you
it's the *root* password and not yours.

I totally agree with you that we need to educate users, but OS designers
shouldn't be making it harder by blurring the lines between user and admin.
Good security doesn't make it harder to do things, but it *does* make it
obvious when something you're about to do has implications well beyond your
normal access.

--
Paul Schmehl (pauls (at) utdallas (dot) edu [email concealed])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

[ reply ]