Hi. On Mon 2003-02-03 at 01:07:41 +0200, [EMAIL PROTECTED] wrote: > FemmeFatale wrote: > > > >My b/f is a windows MCSE. Fine. In windows you run as root anyway. > >Even on 2k I run as an Admin. > > > >Now he says he sees no diff from that to running as Root in linux.
That's quite correct. So, for the same reasons that running as root on
Linux is not a great idea, doing the same on Windows is not either.
(I tried really hard to avoid saying "is equally stupid" ;-)
> >I can't give him any better argument for not doing so other than its
> >insecure (he doesn't care about that on a home compy)
So he does not care that running some downloaded program may screw up
his whole system. And if he got lucky it contains some backdoor that
runs some attack and and he does not care getting cut off by his ISP
(who may decide to prevent the attack and ask questions later).
Security is not only about keeping your files safe, but mainly about
keeping control over your computer (which also keeps your files safe).
And no, that is not some theoretical issue. He should know that by
now, considering all the worms and stuff that has been covered in the
main press in the meantime.
And security comes in layers. Even if you have some firewall in place,
that protects against most of the known exploits, having an additional
protection, if a new one comes out, surely does not hurt.
> >& that you can reall botch Xwindow. Botching that doesn't faze him
> >either cause he'll just reinstall anyway.
Well, given someone who doesn't care about who controls his computer
and neither does value his time ("just reinstall"), there is really
not much to argue for not running as root.
It's like trying to convince someone who doesn't care about his life
to fasten his seat-belts before driving.
[...]
> If he has that much of a Windows mentality, tell him that logging on as
> root can corrupt the registry, then watch the blood drain from his face ;-)
:-)
> More seriously, one reason why I barred myself from being root after
> more than two glasses of raki is that one typing mistake can kill your
> system.
Well, even without raki, I consider protecting me from myself a good
idea. :)
> Like you think you're in /mnt/windows/My\ Documents\Downloads
> and you want to delete a bunch of junk directories with names like
> ???sefdljvn5+5, ???fdsre8344 etc., so you type "rm -Rf ./?*" Just
> after you hit Enter you realise that (a) you were in /usr and (b) "?" is
> a regular expression.
Minor nitpit: You mean shell pattern / globbing. Most shells don't
understand regular expressions. If it was a regular expression, "?"
would make the "/" optional and "*" would repeat that 0-n times, so
".", "./", ".//", ".///", etc. would match.
Btw, at least bash and tcsh support a nice feature. When your cursor
is at the end of the pattern, press "^X-*" (that is: press and hold
CTRL and press x, then let go of CTRL, press * - that is: SHIFT-8 for
american keyboard, I think). This will expand the pattern in-line and
you can see without hitting return, which files match.
I never use rm together with patterns without this trick anymore and
never have deleted a file accidently since then (quite some years...).
> Maybe you could just ask him why he should bother to run as root?
Agreed. That is probably the better argument. You have at least
security and common (UNIX) practice on your side, make him argue what
*good* reasons he has (and no, laziness is not a good reason).
[...]
> Still, if he wants to break his computer, that's his business. If
> it's your computer he's running, just change the root password and
> don't tell him what it is.
Was about saying the same. ;-)
Another point regarding his ignorance regarding security is: If he has
to access your computer (file sharing, login, whatever...), consider
his computer untrusted (i.e. owned by some script kiddie) and apply
appropriate (tight) access restrictions accordingly.
Make him use different passwords for your computer, if he has an
account for it (because the password for his computer has to be
considered to be already logged by some script kiddie). And so on.
In other words: imply his machine as untrusted as you would if it
operated by some malicious stranger - because maybe it is, and he
doesn't seem to care enough.
Bye,
Benjamin.
msg117949/pgp00000.pgp
Description: PGP signature
