
On Sat, Sep 24, 2011 at 09:59:41AM +1000, James Harper wrote:
> > i never said that linux was immune. I said that it doesn't have the security flaws that allow such compromises.
>
> Yes it does. If you let a user get root/admin on a computer then they can do whatever they want,
yes, and if you eat deathcap mushrooms you'll die horribly. don't do that. similarly, don't run untrusted software as root.

calling doing stupid things like that a design flaw is like saying it's a design flaw in a gun that if you stick it in your mouth and pull the trigger, you'll almost certainly die. that's not a design flaw, that's an unavoidable ramification of the item functioning properly.

the difference between windows and linux in this context is that it's far too easy for malware to get root / admin privs by exploiting one of the many security holes, and (until W7) it was pretty much the default for users to run as admin, or for their "account" (such as it is, MS has seemingly only recently discovered the idea of multiple users and privilege separation) to have admin privs so everything the user ran automatically had admin privs without even needing to exploit a security hole.

the easiness is partly due to software flaws in the various versions of windows and partly due to users doing stupid things... and those stupid things are encouraged by the countless irritating popups saying "are you sure you want to run that?" which desensitise users to security issues and teach them to Just Click Yes every single time.

i've been messing around with W7 recently and, while it's vastly superior to previous versions of windows (even to the point that i don't actually hate it :-) it's still bloody annoying. there are constant hassles and obstacles for everything you might want to do, it seems that every program you install or want to run involves some long and tedious digression finding and installing a bunch of other things or creating an account on some service. you can't even play some *single-player* games on it without having to sign up for yet another bloody online service.

All this crap trains users to, as i said, Just Click Yes - i.e. "i don't want to have to care about signing up for xbox live (or whatever) - i don't even know or care what it is, i just want to get through this crap ASAP so i can play the game...so click, click, click as quickly as possible".

and this is supposed to be easier than apt-get? i don't think so.
> and this is the 'flaw' that Microsoft is trying to fix.
lots of people, probably the bulk of our species, are stupid. that's an unfixable flaw. and i doubt very much if Microsoft are 'trying to fix' anything - they've just found a handy excuse to justify attempting to get the same kind of lock-in and control that Apple has over their users.
> I think Microsoft's mistake is trying to fix stupidity/gullibility with a patch.
I don't think it's a mistake on Microsoft's part. I think it's a convenient excuse for them to copy Apple's lock-in methods.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #157: Incorrect time synchronization