[Date Prev][Date Next][Subject Prev][Subject Next][
Date Index][
Subject Index]
Re: ERUNT
- Subject: Re: ERUNT
- From: flash flash@xxxxxxxx
- Date: Thu, 19 Dec 2013 22:35:28 +0100
Y'all,
User Account Control (UAC), is not in principle a bad idea. Generally
speaking, if a hacker is able to compromise a system, then either
himself in real time, or his program by proxy, has the same user
privileges as whoever who happens to be logged on. Thus, if you are
logged on with administrator privileges, then a hacker, or his program
by proxy, also has administrator privileges. The idea behind lower
levels of user privilege, users or power users or guests, is that
since they have no authorization to install programs or change program
parameters, any malware which may arrive also has no authorization to
install itself or change any pre-existing program parameters. Whether
Microsoft has implemented this both effectively and intuitively is
another matter; on this, I can pass no judgment, as I have no
experience of Win 7.
There is a fine line between maintaining security and facilitating
work flow. The highest level of security lets the user do no work. On
the other hand, the more the user has access to the underlying
operating system, the more vulnerable the system is to malware. The
trick is to get the balance right.
It is an annoyance if the user cannot even change such things as the
font size in a DOS window, for example, without being confronted by
inscrutable questions from the security mechanism, the answers to
which may have unforeseeable and undesirable consequences for work flow.
My own solution to this tight-rope dance between security and
usability is to employ a 2nd layer of security in addition to the
on-board firewalls and account managers which deliver with both
Windows and OS X. As I have mentioned in other threads to this forum,
a firewall only controls what comes in; it is equally important to
monitor and control what goes out. If a hacker or even the NSA should
succeed in planting malware on a system, it will avail them nothing if
the system cannot make contact with the external server. There are
third-party programs which monitor and control outgoing connections. I
recommend the following: Zone Labs for Windows systems, Little Snitch
for OS X. I operate always in administrator mode, but rigorously
control, by means of these third-party monitoring tools, which
programs contact the Internet.
I can appreciate the frustration of Windows users who feel they must
deactivate much of the Microsoft security provisions in order to get
any work done. For those who find it necessary to deactivate on-board
security mechanisms, I recommend: a) installing outbound filters (Zone
Labs, Little Snitch, or equivalents); b) implementing firewall
protection on the router rather than on the end system; c) maintaining
current backups of the total system state: this allows a clean
rollback in case malware should infest a system.
Note: backups (ERUNT, Tweak, or whatever) should be saved to a
separate hard disc from the boot partition.
Cheers,