# Viewfinity CEO Says Many Computer Users Are Overprivileged (Video)

#### Roblimo posted more than 2 years ago | from the striking-a-balance-between-extremes dept.

95

This isn't about your place in society, but about user privileges on your computers and computer networks. The more privileges, the more risk of getting hacked and having Bad People do Bad Things to your company's computers, right? So Leonid Shtilman's company, Viewfinity, offers SaaS that helps you grant system privileges in a more granular manner than just allowing "root" and "user" accounts with nothing in between.

### Slashvertisment (5, Insightful)

#### Hatta (162192) | more than 2 years ago | (#39573939)

Another useless slashvertisement. People don't use the granular permissions that exist already (e.g. ACLs), no one's going to bother with even finer grained control. The problem isn't granularity, it's a completely understandable dislike of spending time managing permissions.

### Re:Slashvertisment (3, Insightful)

#### Anonymous Coward | more than 2 years ago | (#39574257)

Not just dislike, but cost (in terms of time spent managing it, and time spent with people twiddling their thumbs waiting for someone to give them permission to something they need to do their job). Granularity always comes down to a balance between practicality and security. Lock down the super secret stuff.. apply reasonable rules to the less critical stuff.. throw the office lottery pool list on the wiki.

### Re:Slashvertisment (2, Interesting)

#### Anonymous Coward | more than 2 years ago | (#39574521)

And still... every security model you've seen in SaaS exists on your LAN, too.

It's not as though we haven't had group membership, directories, user objects, service-level security, and every other imaginable sort of permissions control since... well... forever.

The only advantage of SaaS is that it's on someone else's infrastructure, which is probably better funded and maintained than your own.

### Re:Slashvertisment (2, Interesting)

#### Anonymous Coward | more than 2 years ago | (#39574577)

Which also just means that you'll be twiddling your thumbs that much longer when you don't have the appropriate permissions to do your job. I find SaaS in general to be a lot like an Apple product. When everything is working right, it's 100x better than any of the alternatives. When something goes wrong, you curse the day you bought it.

### Re:Slashvertisment (1)

#### Travoltus (110240) | more than 2 years ago | (#39579961)

And when that something that goes wrong is a virus, you will curse the day you were born.

### Re:Slashvertisment (0)

#### Anonymous Coward | more than 2 years ago | (#39581009)

That's a problem with the human organizational structure, not the technology.

If stuff is being locked down that shouldn't, then blame the security staff or compliance people who demanded it be that way. Obviously their perceptions do not align with yours.

Responding to your complaint that it takes too long to get permissions allocated, I would ask the question of why do users constantly need to have their permissions changed? Usually that's something you would need to do occasionally, not all the time, and when a change is needed, you know ahead of time that you need to be given the permission so that the change has time to be reviewed and then applied.

Example would be a new DBA being onboarded to the company - we put him in the appropriate security groups in AD before he even shows up (account is inactive of course, until he sits down at his desk on day 1). Or somebody who is transitioning from a developer role to a sysadmin role - a notice is given to the company (say, a week in advance) which is plenty of time to reconfigure user permissions.

### Re:Slashvertisment (4, Insightful)

#### lgw (121541) | more than 2 years ago | (#39574425)

Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, because we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.

End user endpoints simply need to be outside the "zone of trust" in the modern world, partly because anything a user touches should be assumed to be infected, and partly because it's time to stop caring what device the user likes - traditional PC, thin client, iPad, phone, whatever they like as long as it has a browser for the web-based software and a desktop virtualization client for all the rest.

### Re:Slashvertisment (1)

#### ColdWetDog (752185) | more than 2 years ago | (#39574597)

I think I'm going to kill myself with the mains power cord before they take that away from me.

Sounds like 1984 on ketamine.

### Re:Slashvertisment (2)

#### Microlith (54737) | more than 2 years ago | (#39575033)

They're already working on it. Apple accomplished it on all iOS devices, and Microsoft looks to do so with ARM devices. Hell many Android devices do as well.

The user is the enemy, just like the MPAA/RIAA have always said. Now the tech industry is in on the conspiracy as well.

### Re:Slashvertisment (1)

#### Tassach (137772) | more than 2 years ago | (#39576157)

It's trivial to jailbreak an iOS device or Playstation. It's even more trivial to root an Android device.

If you make it, someone will figure out how to root/jailbreak it and put the crack on the internet.

The only reason there hasn't been a bigger backlash against locked platforms is that unlocked platforms are readily available to anyone who cares.

### Re:Slashvertisment (1)

#### Aqualung812 (959532) | more than 2 years ago | (#39584679)

It's trivial to jailbreak an iOS device

Go tell that to the iOS Dev Team. They're having a hell of a time getting the 5.x jailbreaks from the sound of it. I know they did for 5.0.1, but 5.1 is still not there yet.

### Re:Slashvertisment (1)

#### mounthood (993037) | more than 2 years ago | (#39576579)

Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, because we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.

This is still backwards: The end user's files are what's valuable! Almost all security today (accounts + ACLs) is focused on protecting the OS and isolating software. In practice, anything running under a user's account can do anything to a user's documents, even though security should be focused on protecting those documents, since they're why the user has a computer in the first place. The cloud idea, where the computer is just a browser or thin-client, might become reality, but it isn't today and history shows the opposite trend: smart phones and tablets are not replacing computers at work.

AppArmor [wikipedia.org] and UAC [wikipedia.org] are both attempts to restrain software in an automated way, and both are hard to use for the end user. We should be empowering the user to protect their documents (I don't have that answer), instead of moving the information in those documents to a new location and thinking the new place is somehow safer; store information in the cloud and viruses will start using the cloud APIs.

Also, FUCK THESE SLASHVERTISMENTS!

### Re:Slashvertisment (2)

#### Zeromous (668365) | more than 2 years ago | (#39576661)

Just because a manager or someone uses it wrongly does not mean it is a bad term.

>paradigm shift (hate that phrase - someone have a better one?)

No. It's a real paradigm shift in how we think about client-server relationships. Sometimes I refer to it as a pendulum, swinging back and forth between client and server lockdown. The same could be said of virtualization being the pendulum swinging back toward centralization after the decentralization party of the 90s.

Either way, you can still use paradigm shift and not sound like a moron. Just, you know, be careful to not overstate :D

### Re:Slashvertisment (2)

#### Culture20 (968837) | more than 2 years ago | (#39578443)

Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, because we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.

End user endpoints simply need to be outside the "zone of trust" in the modern world, partly because anything a user touches should be assumed to be infected, and partly because it's time to stop caring what device the user likes - traditional PC, thin client, iPad, phone, whatever they like as long as it has a browser for the web-based software and a desktop virtualization client for all the rest.

End users should not have full control over their desktops, just like they aren't allowed to bring a cameraphone into the secure-information areas (that's not just a paranoid military rule, lots of companies follow it). If hackers own the end user's workstation because he/she was running a vulnerable browser as admin/root, then they can keylog the user's passwords to get to the data in the "zone of trust". If they've got sensible authentication and are using two-factor, then the bad guys could still watch the screen in real time or take screen shots.

Bottom line is that if "anything a user touches should be assumed to be infected" then that means anything a user touches shouldn't be allowed to connect.

### Re:Slashvertisment (5, Funny)

#### TheRaven64 (641858) | more than 2 years ago | (#39574491)

There seems to be a bug. I have the 'Ads Disabled' checkbox ticked, but I still see this big ad right in the top-centre of the front page.

### Re:Slashvertisment (1)

#### Lumpy (12016) | more than 2 years ago | (#39575019)

And in many companies it's because of craptastic software written by idiots that require admin rights to run. Most Vertical market software is a steaming turd that barely runs.

This garbage is the problem of most corporate IT. One really important program we used at Comcast REQUIRED write access to the Windows OS install location (C:/windows) and it would write to parts of the registry that it had no business writing to, so it needed admin rights there.

So in essence all users had to run as local admin. A major bad thing to do.

### Re: Apps requiring admin rights (0)

#### Anonymous Coward | more than 2 years ago | (#39580649)

Usually because the author never did a proper rewrite after Windows 9x.
Or there's some semi-trivial thing that's "well-secured" for uncertain reasons
At one job I had, there was a weather station connected via serial port.
Automatically required admin rights, since NT doesn't let mere users muck about with important peripherals like the serial port...

If this were for Linux, I'd be asking "So did you ever hear about groups?"

### Re:Slashvertisment (0)

#### Anonymous Coward | more than 2 years ago | (#39575145)

I have no problems with slashvertisements. We'd all like to think /. is immune to the changes of the web, but we all know that's an illusion. Seen CmdrTaco around here recently...???

Anyways, like I said, I have no problem with slashvertisements. Except they don't use HTML5, and I don't use Adobe Flash on any of my systems.

### Re:Slashvertisment (1)

#### goombah99 (560566) | more than 2 years ago | (#39575165)

Another useless slashvertisement. People don't use the granular permissions that exist already (e.g. ACLs), no one's going to bother with even finer grained control. The problem isn't granularity, it's a completely understandable dislike of spending time managing permissions.

Wow a succinct and insightful first post!

On my macs I always run with two user accounts one is root and one is standard. I never need to log into the root account because my user account just prompts me for root credentials whenever I'm doing something root-ish. The way the macs do this is not obnoxious so it encourages you to run a standard account.

I've also used the mac sandbox. this is pretty darn cool. I wish it was better documented, but you can sort of guess the right syntax from all the examples. I don't understand why every app is not in a sandbox these days. The apple sandbox is magical because you don't even realize it is there. It should be a default that when you launch any downloaded app that the first time it exceeds a tight sandbox, the OS should tell you about its requests.

### No opendir() in Mac sandbox (1)

#### tepples (727027) | more than 2 years ago | (#39578855)

I've also used the mac sandbox. this is pretty darn cool. [...] I don't understand why every app is not in a sandbox these days.

The last time I checked, the Mac OS X sandbox allowed access to user-specified files, but there was no entitlement allowing scanning all files in a user-specified folder. A program that backs up your files or performs batch operations on all pictures in your camera's memory would not be able to run in such a sandbox.

### Re:No opendir() in Mac sandbox (1)

#### goombah99 (560566) | more than 2 years ago | (#39581539)

I've also used the mac sandbox. this is pretty darn cool. [...] I don't understand why every app is not in a sandbox these days.

The last time I checked, the Mac OS X sandbox allowed access to user-specified files, but there was no entitlement allowing scanning all files in a user-specified folder.

better check again. this has been there for years. From the start I think

A program that backs up your files or performs batch operations on all pictures in your camera's memory would not be able to run in such a sandbox.

So you get a dialog box requesting the permissions. You start every app in the sandbox then expand it if you need it. The concept is not unfamiliar: this is how smart phones do it.

This is also how I tailor my sandboxes. I lock everything down. Then I watch the console messages while I launch the app. I see it trying to access things and being denied. I open up those. After a while it runs in a minimal authority. Now that's pretty clumsy. You could automate this in principle.
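Added example, not part of goombah99's post: a sketch of how the deny-then-open-up loop described above could be automated, turning logged sandbox denials for one app into a deny-by-default profile while holding back anything that should not be granted blindly. The log line layout, the app name `photobatch`, the sample paths and the `REVIEW_MARKERS` list are all assumptions made for illustration.

```python
import re

# Constructed sample console lines. The "<proc>(<pid>) deny <operation> <target>"
# layout is an assumption for this example, not a captured log.
SAMPLE_LOG = """\
Apr  4 10:01:02 mac sandboxd[71]: ([412]) photobatch(412) deny file-read-data /Users/alice/Pictures/import/IMG_0001.JPG
Apr  4 10:01:02 mac sandboxd[71]: ([412]) photobatch(412) deny file-read-data /Users/alice/Pictures/import/IMG_0001.JPG
Apr  4 10:01:03 mac sandboxd[71]: ([412]) photobatch(412) deny file-write-data /Users/alice/Pictures/export/IMG_0001.png
Apr  4 10:01:04 mac sandboxd[71]: ([412]) photobatch(412) deny file-read-data /Users/alice/.ssh/id_rsa
Apr  4 10:01:05 mac sandboxd[71]: ([412]) photobatch(412) deny network-outbound 203.0.113.10:443
Apr  4 10:01:06 mac sandboxd[71]: ([977]) otherapp(977) deny file-read-data /etc/hosts
Apr  4 10:01:07 mac sandboxd[71]: ([412]) photobatch(412) deny mach-lookup com.example.helper
"""

DENY_RE = re.compile(
    r"\b(?P<proc>[\w.-]+)\((?P<pid>\d+)\) deny (?P<op>[a-z*-]+)(?: (?P<target>.+))?$"
)

# Operations this sketch knows how to express as a rule.
FILE_OPS = {"file-read-data", "file-read-metadata", "file-write-data"}

# Hypothetical list of locations that are never opened automatically:
# a denial there is a finding to look at, not a rule to add.
REVIEW_MARKERS = ("/.ssh/", "/Library/Keychains/")


def parse_denials(log_text, process):
    """Return the sorted, de-duplicated (operation, target) denials for one process."""
    denials = set()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("proc") == process and m.group("target"):
            denials.add((m.group("op"), m.group("target").strip()))
    return sorted(denials)


def sbpl_string(value):
    """Quote a value as a profile string literal, escaping backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_profile(denials):
    """Build a deny-by-default profile; return (profile_text, items_for_review)."""
    rules, review = [], []
    for op, target in denials:
        if any(marker in target for marker in REVIEW_MARKERS):
            review.append((op, target))      # sensitive location: a human decides
        elif op in FILE_OPS:
            rules.append(f"(allow {op} (literal {sbpl_string(target)}))")
        elif op == "mach-lookup":
            rules.append(f"(allow mach-lookup (global-name {sbpl_string(target)}))")
        else:
            review.append((op, target))      # operation not handled by this sketch
    profile = "\n".join(["(version 1)", "(deny default)"] + rules) + "\n"
    return profile, review


if __name__ == "__main__":
    profile, review = build_profile(parse_denials(SAMPLE_LOG, "photobatch"))
    print(profile)
    for op, target in review:
        print(f"; needs review: {op} {target}")
```

Each allow rule is a literal path or service name, so the profile only grows by what the app was actually observed to need; the review list is where an unexpected read of a key file or an outbound connection shows up instead of being silently permitted.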

### Re:Slashvertisment (0)

#### Anonymous Coward | more than 2 years ago | (#39583255)

I never need to log into the root account because my user account just prompts me for root credentials whenever I'm doing something root-ish.

How would you differentiate between a real dialog and a fake one that is trying to scam you for the passwords? What if I had an app that needed root access to do some important system level task but instead of letting the OS increase privilege & deal with it, the app just put up an identical dialog in which a user would type the password. The vast majority of OSX users I know blindly type the password without ever questioning whether the dialog should be even present in the first place.

At least on Windows I know how to differentiate. Since the UAC popup runs in a separate window session (session 0) I can easily check whether it's a real or fake dialog.

Sad that OSX and Linux crowd is so far behind such basics. But to be fair, UNIX security was disastrous to begin with while NT was designed with a superior ACL & object/token design. Today though, many of these features can be bolted on through ugly hacks that the NSA created under SE Linux.

### Re:Slashvertisment (0)

#### Anonymous Coward | more than 2 years ago | (#39575257)

Another useless slashvertisement. People don't use the granular permissions that exist already (e.g. ACLs), no one's going to bother with even finer grained control. The problem isn't granularity, it's a completely understandable dislike of spending time managing permissions.

Wait, wait. YOU'RE saying the problem with systems today is usability, not lack of features, source code, or freedoms (TM). You're going to be very unpopular around these parts.

### Re:But then you overdo it... (5, Funny)

#### DickBreath (207180) | more than 2 years ago | (#39574119)

That's okay to require use of the root password. I never forget my root password because on my WiFi I make the root password also be the broadcast SSID. Problem solved.

### Re:But then you overdo it... (1)

#### RenderSeven (938535) | more than 2 years ago | (#39574705)

That's perversely brilliant! No one stupid enough to do that knows how to change their SSID!

(And I always wondered why my neighbor's WiFi was named 'password'...)

### Re:But then you overdo it... (0)

#### Anonymous Coward | more than 2 years ago | (#39574841)

Who says he changed the SSID?

### Re:But then you overdo it... (0)

#### Anonymous Coward | more than 2 years ago | (#39576571)

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. - Douglas Adams

#### SJHillman (1966756) | more than 2 years ago | (#39573947)

Most of what I'm seeing there we already achieve through Active Directory without any third party solutions. Any company that only implements two levels of permissions (root and user) is either stuck in the 80s or else only has one user.

#### Anonymous Coward | more than 2 years ago | (#39573951)

Wow Nice Slashvertisement!

### Is he not aware of Windows? (-1, Flamebait)

#### Anonymous Coward | more than 2 years ago | (#39573963)

"... allowing "root" and "user" accounts with nothing in between ..."

This is very Linux-centric. There have been much more granular permissions on Windows for probably well over a decade.

### Re:Is he not aware of Windows? (1)

#### Anonymous Coward | more than 2 years ago | (#39574139)

There have been much more granular permissions on Linux and all other Unix-likes for decades as well.

### Re:Is he not aware of Windows? (2, Informative)

#### Anonymous Coward | more than 2 years ago | (#39574183)

This is very Linux-centric. There have been much more granular permissions on Windows for probably well over a decade.

Most Windows users for the last decade have run as 'root' since it's the default on XP, and there have been much more granular permissions on Unix for decades through group permissions.

Not to mention technologies like SELinux and Apparmor.

### Re:Is he not aware of Windows? (4, Informative)

#### sqlrob (173498) | more than 2 years ago | (#39574265)

Not quite. Not even Administrator is root. LocalSystem is root.

### Re:Is he not aware of Windows? (-1)

#### Anonymous Coward | more than 2 years ago | (#39574919)

Not quite. Not even Administrator is root. LocalSystem is root.

A difference that makes no difference to malware that wants to pwn your Windows box.

### Re:Is he not aware of Windows? (1)

#### drsmithy (35869) | more than 2 years ago | (#39576529)

Not quite. Not even Administrator is root. LocalSystem is root.

No it's not. There is no direct equivalent to root in Windows. The concept of a superuser simply doesn't exist in its security model.

### Re:Is he not aware of Windows? (0)

#### Anonymous Coward | more than 2 years ago | (#39581045)

SYSTEM is pretty damn close. That's the user account the core services run at, like the FS and RAID daemons, any that didn't get pulled back into the kernel for performance.

### Re:Is he not aware of Windows? (1)

#### lgw (121541) | more than 2 years ago | (#39574563)

Most Windows users for the last decade have run as 'root' since it's the default on XP, and there have been much more granular permissions on Unix for decades through group permissions.

Running as admin on Windows doesn't give you access to groups you're not a part of (though you can jump through some hoops to alter permissions on anything if you really want to). Proper group permissions have been in the Windows NT and NTFS codebases since very early days.

Anyhow, XP has not been the latest Windows for most of the past decade. It's been more than 5 years since the latest Windows release had you running as the administrator account by default.

### Re:Is he not aware of Windows? (0)

#### Anonymous Coward | more than 2 years ago | (#39574647)

Anyhow, XP has not been the latest Windows for most of the past decade

90% of the Windows machines I see are still running XP. I was surprised today when I visited a customer site and saw them running Windows 7 on one of their PCs... the other thirty or so that I saw were all XP.

### Re:Is he not aware of Windows? (1)

#### tepples (727027) | more than 2 years ago | (#39578871)

If you can add yourself to a group, you're part of that group for the purpose of any competent security analysis.

### Re:Is he not aware of Windows? (1)

#### lgw (121541) | more than 2 years ago | (#39579687)

But it's different from Unix root - you can't accidentally change stuff ACLd to a group you don't belong to, which is the vast majority of problems. If you want to stretch the definition (or we're talking about malware payloads, not user error), anyone can add themselves to any group, because every OS will have some sort of privilege escalation flaw somewhere.

Realistically, if you care about groups, you're in a domain and you're not running as the domain admin.

### Re:Is he not aware of Windows? (1)

#### TheRaven64 (641858) | more than 2 years ago | (#39574503)

This is very Linux-centric

No, it's very UNIX Release 6 centric. It hasn't been true of most modern UNIX and UNIX-like systems for about 20 years.

### Re:Is he not aware of Windows? (0)

#### Anonymous Coward | more than 2 years ago | (#39583333)

How the hell do you call it "UNIX like" when it's nowhere close to UNIX design? The shitty unix rwx 'security' is the most brain dead model anyone has ever come up with. Even the creators of unix admit it is a horrible design.

### root and user? (-1)

#### Anonymous Coward | more than 2 years ago | (#39573975)

root and user accounts are typical for crappy unix security model

### Re:root and user? (0)

#### Anonymous Coward | more than 2 years ago | (#39574043)

root and user accounts are typical for crappy unix security model

And no mention in your post of group permissions...? There is a bit more flexibility at the most basic levels and has been for many years.

### Sorry, did I click on one of the Slashdot ads? (2)

#### tphb (181551) | more than 2 years ago | (#39574031)

This seems to be an advert for some sort of sorry Windows admin tool. WTF?

### mod 0p (-1)

#### rgbrenner (317308) | more than 2 years ago | (#39574083)

Your site.. feel free to disagree.. but I think you're making a huge mistake with these ads.

There has to be some separation between the ads and the content. No one is going to visit a site explicitly to see ads. And if the content becomes the advertising, users will leave.

I can't think of a single successful site that has advertising as the content. Nytimes, washpost, wsj, digg, ... There's always separation between the content and the ads.

#### rgbrenner (317308) | more than 2 years ago | (#39574157)

One other thing: if you're doing this just so you can create a video section.. maybe try something a little different. Instead of posts by companies, try covering trade shows, etc.. the videos with timothy that were posted in the beginning I thought were great.

#### ColdWetDog (752185) | more than 2 years ago | (#39574631)

'Trade shows' huh? The only part of trade shows that this demographic wants to see is the stuff in the hotel rooms after the exhibits close.

#### rgbrenner (317308) | more than 2 years ago | (#39574811)

there are often interesting things to report on at trade shows (CES, Macworld, etc)

interviews with people who have authority on a subject would be good too (like iphone security from someone at ossec..)

#### Anonymous Coward | more than 2 years ago | (#39574835)

Drunk, fat, unkempt guys eating Doritos and passing out in front of their laptop? Oh, you know me too well.

#### rgbrenner (317308) | more than 2 years ago | (#39574739)

I said successful... that site has an alexa rank of 2.3m [alexa.com]. Judging from the sites I run, 250k is about 1250-2000 visitors a day. So I can only imagine what 2.3m is in visitors.

#### Anonymous Coward | more than 2 years ago | (#39574401)

ppl are doin well, bitchin about them slashvertisements.
every click into the comment section is another pageview...
tv. is just as shallow as the other content provided on here "lately".
no wonder he jumped ship.

#### JesseMcDonald (536341) | more than 2 years ago | (#39575111)

I can't think of a single successful site that has advertising as the content.

I don't know about that. eBay, Amazon.com, craigslist... there are quite a few successful sites which consist almost entirely of advertising. The problem is the mixed sites. Advertising is fine in a commercial context, when it's relevant, but it shouldn't intrude where non-commercial context is expected. In particular, no reputable news site should be publishing obviously-biased press releases as if they were stories. It's poor journalism, even for a mere "aggregator".

#### Zeromous (668365) | more than 2 years ago | (#39576695)

I for one come here for the +5 insightful.

#### mounthood (993037) | more than 2 years ago | (#39577123)

There has to be some separation between the ads and the content. No one is going to visit a site explicitly to see ads. And if the content becomes the advertising, users will leave.

Slashdot should try this (if they must mix advertising with content): Create clearly labeled 'discussions' about a product (like RHEL6) or type of product (like SMB databases or CRMs) and sell companies video/text space in that discussion, and give them 'official' accounts to comment with. Open source advocates or lead developers could also contribute.

Let the community talk about what works and what sucks, what the open source alternatives are, etc... It would be like product reviews, but technically focused and including competing products. Slashdot users would get the insight of their peers. Companies would get honest feedback from their users.

Finally, this system would encourage technical discussions. The more technical the topic, the more narrowly focused, the better and more useful the discussion. If the editors make a generic 'discussion' of "Windows vs. Linux", it'll be vacuous and useless. But if the 'discussion' is "Postgres or SQL Server for a new public forum website?" we'll get people talking about character encodings and replication options.

#### Desler (1608317) | more than 2 years ago | (#39574097)

With the solution being....'Buy our product!'

#### PessimysticRaven (1864010) | more than 2 years ago | (#39574137)

Like it's any different when we see another scary set of Security Studies, Sponsored by Symantec.
Alliteration intended.

#### Desler (1608317) | more than 2 years ago | (#39574167)

Yes, but Slashdot doesn't overtly run paid-for ads for Symantec like these Slashvertisement TV segments.

#### PessimysticRaven (1864010) | more than 2 years ago | (#39574179)

I'm actually waiting to see that change, actually.

### Too Many Fucking Commercials on Slashdot TV (1)

#### Anonymous Coward | more than 2 years ago | (#39574121)

Too many fucking commercials on this Slashdot TV channel. Anyone got a Tivo'd version of Slashdot I can read?

### I am an AC (1)

#### Anonymous Coward | more than 2 years ago | (#39574129)

First and last time watching slashtv.

### Cruising way past sad.... (3, Insightful)

#### atriusofbricia (686672) | more than 2 years ago | (#39574153)

This is the second one of these non-stories posted in as many days. I, like many people, have been reading and posting to Slashdot for years. I'm starting to wonder exactly why I continue to do so....

### Re:Cruising way past sad.... (3, Insightful)

#### keytoe (91531) | more than 2 years ago | (#39574625)

I clicked through looking for a solution to blocking these myself. There doesn't seem to be a way to block them in the user settings that I can see. Anyone had any luck?

I don't have high hopes since these are pretty obviously revenue generators for the site. It just seems incongruous to offer users a 'block ads' option and then turn around to make these slashvertisements unblockable.

To be honest, if there were an option to 'block all videos' I'd take that. I dislike this trend of locking information in a format I can't search, skim, read at work, use while also listening to music, etc.

Sorry for the off topic.

### Re:Cruising way past sad.... (3, Insightful)

#### FunPika (1551249) | more than 2 years ago | (#39576743)

The biggest offender appears to be Roblimo, and I never see anything of value from him, so I exclude him in my options (I only noticed this story because I looked at the front page on a computer I wasn't logged into).

### Re:Cruising way past sad.... (0)

#### Anonymous Coward | more than 2 years ago | (#39582493)

i like you funpika. Thiet ke web [vndemo.info]

### Re:Cruising way past sad.... (2)

#### aiken_d (127097) | more than 2 years ago | (#39574693)

Nothing wrong with a little brand destruction in the name of increasing short term revenue, especially if you're looking to make an exit.

But yeah, I've noticed my visits to slashdot have gone from twice-daily to daily to weekly over the past few months. I'm not even sure how much to ascribe to the slimy mix of content and advertising and how much reflects the general loss of quality and tendency to be days behind CNN rather than days ahead.

### Re:Cruising way past sad.... (2)

#### Flammon (4726) | more than 2 years ago | (#39579785)

4 Digit UID here with the same sentiment. I've been here for 15 years and boy have things changed. Some for the good but god I miss the days when Rob would post about a WindowMaker app that he wrote and you could download the source and compile it. It was pure geek stuff and the subject of monetization nowhere to be seen. The geek purity made it great.

This is the stuff that we used to talk about. http://cmdrtaco.net/linux/ [cmdrtaco.net]

I read Rob's blog because he talked about stuff that I was into. Linux, X, AfterStep, the Internet, programming and I have a feeling that Rob really wanted to keep it that way but as site ownership slipped away, he no longer had control and the direction changed.

Maybe it's time to look for a new "Slashdot". This one has been infected by the Profit virus which has no known cures.

### We have long gone past the god/peasant model... (1)

#### mlts (1038732) | more than 2 years ago | (#39574199)

The days of UID 0 being king and everyone else being a peasant have been over for a long time. Some examples:

Solaris: Root is a role, not a user.

Linux: AppArmor and SELinux come into play.

AIX: Root can be removed and assigned to roles, where UID 0 is just another user.

BSD: Plenty of ways to limit access via ACLs and other mechanisms.

OS X: Root has to be explicitly enabled.

Pretty much, the only reason the concept of root exists these days is a "master override" when one just needs to get something done without roles/ACLs/et al. coming into the picture, such as doing hardware configurations, or booting from recovery media. Almost all new operating systems tend to not allow the user to run as root unless it is explicitly enabled.

### Re:We have long gone past the god/peasant model... (0)

#### Anonymous Coward | more than 2 years ago | (#39574251)

What are you talking about? root IS my user!

/bofh

### Re:We have long gone past the god/peasant model... (0)

#### Anonymous Coward | more than 2 years ago | (#39574291)

The days of UID 0 being king and everyone else being a peasant have been over for a long time.

So you're saying that I'm not King of Slashdot, even though I'm UID 0? Let me guess, the 7-digit crowd staged a coup or something.

### At least once a day. (1)

#### idontgno (624372) | more than 2 years ago | (#39574203)

This "slashdottv" thing is pretty much turning out to be "yourdailyinfomercial".

Anyone got a good suggestion on how to filter this spam out?

### Re:At least once a day. (2)

#### ColdWetDog (752185) | more than 2 years ago | (#39574659)

> Anyone got a good suggestion on how to filter this spam out?

There's likely to be an 'off' button somewhere on the device you're using. Power down!

### decode ring shit? yawn. I like rocket science (-1)

#### Anonymous Coward | more than 2 years ago | (#39574225)

God says...
C:\LoseThos\www.losethos.com\text\BIBLE.TXT

lf, and for his
house, and shall kill the bullock of the sin offering which is for
himself: 16:12 And he shall take a censer full of burning coals of
fire from off the altar before the LORD, and his hands full of sweet
incense beaten small, and bring it within the vail: 16:13 And he shall
put the incense upon the fire before the LORD, that the cloud of the
incense may cover the mercy seat that is upon the testimony, that he
die not: 16:14 And he shall take of the blood of the bullock, and
sprinkle

### Of course,the underprivileged don't have computers (0)

#### Anonymous Coward | more than 2 years ago | (#39574325)

quod erat demonstrandum

### What the hell man (2)

#### atari2600a (1892574) | more than 2 years ago | (#39574355)

We're supposed to pay for a product that effectively replaces sudo & user/group privileges?

### and many CEOS (0)

#### Anonymous Coward | more than 2 years ago | (#39574427)

and many CEOs' mouths are over privileged and we should remove their ability to speak ...like this guy. LAST i checked after i reach a certain age i can think and do what i want within the law. IN fact i can break laws if i want to pay consequences. WOW isn't freedom great!
THIS shit for brains ceo wants control and to make you think it's ok to be controlled.

FIGHT CONTROL.....

### Freedom for the majority people is not bad ! (1)

#### slashdottoy (2594611) | more than 2 years ago | (#39574429)

That's why Bill Gates made the Windows so successful. Make things simple, who cares (except geeks) about how you make it as long as it works.

### Problem was never the lack of... (1)

#### blahplusplus (757119) | more than 2 years ago | (#39574509)

... security to begin with. The problem was no one predicted the internet would become the thing it was and most people are not intelligent enough to be using connected PCs to begin with. It's about the cognitive level of intelligence needed to be using such machines to begin with. It's not hard to keep safe without overbearing security and permissions; it's about being intelligent about what kinds of machines with certain data you hook up to the net to begin with.

Let's remind ourselves that it is usually the users themselves that get into trouble by downloading or running things they shouldn't be. And many hackers would naturally "socially hack" people rather than 'hack things the hard way'. Security is only as good as the people who use your machines anyway. The idea that "Users are too privileged" is a farce.

### You can't even express the correct answer.... (1)

#### ka9dgx (72702) | more than 2 years ago | (#39591885)

What we have here, is a failure to communicate...

It's not the user.
Nor is it the internet
Nor is it the OS vendors

It's a very deep paradigm/vocabulary issue

The problem IS lack of security.... quick... how can You, in YOUR CHOICE OF ENVIRONMENT tell your OS that you want a program to enforce this set of rules on a program you want to test:

• access to a specific set of windows in the gui (if any)
• and nothing else?

If you can even begin to fulfill this list of un-restrictions, you're probably approaching it in terms of a locked down user account, which is exactly the problem. This list of un-restrictions is otherwise known as a capabilities list, and should be assigned on the basis of the needs of the moment, not some static definition.

If you can't even express the correct answer, you'll never get it right.

### I think CEOs are overprivileged (0)

#### Anonymous Coward | more than 2 years ago | (#39574555)

There, I said it.

### This already exists and is called sudo (1)

#### Fallen Kell (165468) | more than 2 years ago | (#39574593)

Sure, if he is talking about on a Windows machine, but on linux/unix/bsd/osx, this already exists in sudo. If you need "root" privileges for something, you set up a sudo rule for that individual user for running that individual command.
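The per-user, per-command sudo rule described in this comment can be checked mechanically. The following is an added example, not part of the thread or of sudo itself: a small Python audit over a constructed sudoers sample that flags rules broader than one fixed command. The function name `audit_sudoers`, the sample users and the simplified parsing are assumptions made for illustration.

```python
import re

# Simplified user spec: who host=(runas) [TAG:]cmd[, cmd...]
# Aliases, Defaults, line continuations and escaped commas are not handled.
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)+")

def audit_sudoers(text):
    """Return (line_no, who, reason) for every rule broader than a fixed command."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, _host, _runas, cmds = m.groups()
        nopasswd = False
        for cmd in (c.strip() for c in cmds.split(",")):
            tags = TAGS.match(cmd)
            if tags:
                # The last PASSWD/NOPASSWD tag wins and carries over to later commands.
                for t in re.findall(r"(NOPASSWD|PASSWD):", tags.group(0)):
                    nopasswd = t == "NOPASSWD"
                cmd = cmd[tags.end():]
            if cmd == "ALL":
                reason = "every command" + (", no password" if nopasswd else "")
                findings.append((no, who, reason))
            elif cmd.startswith("!"):
                findings.append((no, who, "exclusion list instead of an allow list"))
            elif "*" in cmd:
                findings.append((no, who, "wildcard in command"))
    return findings

# Constructed sample, not taken from a real host.
SAMPLE = """\
# constructed sample
alice   ALL=(ALL) ALL
bob     ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
%wheel  ALL=(ALL) NOPASSWD: ALL
carol   ALL=(root) ALL, !/bin/su
dave    ALL=(root) /usr/bin/apt-get *
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(*finding)
```

Only `bob`'s rule, one user bound to one fixed command line, passes without a finding.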

### Re:This already exists and is called sudo (0)

#### Anonymous Coward | more than 2 years ago | (#39583309)

Are you trying to be funny? NT has had a superior security model than *anything* UNIX has ever had. But hey you are a moron with zero understanding of kernel design so maybe I should feed you some troll propaganda rather than facts.

rwx.. seriously? LOL.. welcome to timesharing systems in 1970. Oh wait.. we don't suck now.. the NSA dumped this huge pile of broken unusable shit called SE Linux & AppArmor. We're so better than NT now.. right ? right? *crickets*..

### Any way to filter AD tag? (1)

#### Formorian (1111751) | more than 2 years ago | (#39574695)

I notice an Ad tag on this story. Can I filter so I can't see these anymore? I come here for the content, not the ads. However, to support y'all I don't hide the "official" ads. However, if these slashvertisements keep up, I may have to rethink that.

### Screw that! (1)

#### erroneus (253617) | more than 2 years ago | (#39574827)

Don't block my access to anything! Also, remove those "safety" things from my table saw!! And "protective eyewear"?? How can I cut when I can't see!? Those come off too.

### Non-stop battle (1)

#### jweller13 (1148823) | more than 2 years ago | (#39575077)

It's an ongoing battle in my agency to fend off users who want admin rights. It's even harder to remove admin rights from users who already have them. Particularly on laptops. We have instituted various mechanisms for software installs thru a process but these users are still a pain in the ass.

### Transcript (0)

#### QuasiSteve (2042606) | more than 2 years ago | (#39575183)

Title: Leonid Shtilman Says Many Computer Users are Overprivileged
Description: The more privileges, the more risk of getting hacked and having Bad People do Bad Things to your company's computers.

[00:00] <TITLE>
"Privilege Management and Application Control Solutions Are Essential security Tools" appears over a stylized view of the interviewee, sitting in what appears to be a food court.
The SlashdotTV logo bar appears in the bottom and reads "Leonid Shtilman - CEO, Viewfinity"

[00:02] Leonid>
My name is Leonid Shtilman, and I'm CEO of Viewfinity.
Viewfinity as a company started 4 years ago, and the main business is providing security solution as Software-as-a-Service.
What kind of security solution?
It's management of privileges of end users.
By privileges we mean, by the end point are you administrator, are you standard users, or, shortly, what you can do and what you can not do on your personal computer or, in the case of administrators of servers, what you can do as administrator of server.

[00:43] <TITLE>
The SlashdotTV logo bar fades in and out of view, reading "You have a new product coming out / Can you tell us a little about it?"

[00:44] Leonid>
The problem with privileges is that if you want to do it granularly - I mean that you say "You are not administrator but I will allow you to certain functions as administrator" - the problem is how to manage those requests.
One person, let's call it developer say "I cannot live without full administrative privileges", our software is telling him "You can live as standard users, but we will allow you, as administrator, to use your Visual Studio" or "... we can allow you, as administrator, to use another tool."
But generally speaking, we don't want you will be master of the universe and you will do whatever with you computer.
Why?
Because it's dangerous.
So this account, somebody can get more important and most sensitive corporative servers, and this is our main business.
The business how to manage enormous amount of requests to have administrative rights for this or for another purpose.

[01:52] <TITLE>

[01:52] Leonid>
I can give you an example:
Usually end users are standard users let's say, in a bank.
And then some of them is going to travel to conference, like this one.
In this case he needs to print, he cannot print; because he is standard user he cannot install printer.
Or "I need to use particular website with ActiveX on it", you can not use it because you're standard user.
So for business is how to have still secure environment but not to disturb business.
This is what we are all about.
Not to disturb business process, but still stay secure.

[02:35] <TITLE>
The SlashdotTV logo bar fades in and out of view, reading "What benefits does your product give specifically to software developers?"

[02:36] Leonid>
So, actually, it's two benefit.
One benefit is for the managers of this group of developers.
The managers will be sure if they will use our software that the environment is secure, they will not afraid of, what is called sometimes, 'insider', that insider will do some damage.
So it is a protection of organization from developers.
Another benefit is that with our software, developers can actually .. they can develop any software which requires administrative rights without thinking twice because this software will be later managed with our package, package of Viewfinity.
So Viewfinity will take care who can use this software, who will be blocked from using this software, and so on.
So it's more freedom for developers, and more secure environment for the managers of development team.

[03:38] <TITLE>
The SlashdotTV logo bar fades in and out of view, reading "One last question - From a top-level perspective, what is the number one security problem?"

[03:39] Leonid>
I think that the most top problem is that majority of real attacks are done with software developed by hacktivists or by cyber terrorists, which is not part, and will never be part, of the signature of anti-virus.
Actually the software which is doing the real attacks was just compiled.
So by definition, it cannot be known for the anti-virus.
So the major challenge is how to minimize those attacks.
There is several ways how you can do it, and there are several levels of security.
We are one of the companies who are providing partial, not full, solution to this challenge.
For instance, if this attack is done with the requirement to have admin rights for the attackers, we will help to prevent such attack.
So we will prevent to do real damage to the computer environment.
At the same time, some of these attacks are done with another software which is not requiring admin rights.
In this case, another level of security will be needed, and this is not what we provide at this point.

#### sick_soul (794596) | more than 2 years ago | (#39576877)

The way I see it, Viewfinity's CEO not-so-subtly says that people should not have control over their computers, and offers SaaS so that Viewfinity can assert that control.

### How fast do YOU read? (1)

#### theoriginalturtle (248717) | more than 2 years ago | (#39578065)

I'll go sorta OT here, but I am fed up with articles, here or elsewhere, that can be summed up as "here, watch this video."

Thanks for making me ingest content at the speed of the slowest talker in the video, not at my reading speed.

If you post a video in lieu of text, you just wasted the world's time.

### What a leonid of shtil (man) (1)

#### WombleGoneBad (2591287) | more than 2 years ago | (#39579069)

Come on slashdot... If I wanted to read stuff like this I would read my email spam folder. I refuse to get sucked into discussing security when this is just blatant pulp advertising. Booo! Hisss!

### You should start labelling them as ads (0)

#### Anonymous Coward | more than 2 years ago | (#39579935)

We know you need to keep the revenue coming in, and people don't begrudge you that. But this is the second time I've seen a story and slowly realized "This is just an ad. Did I miss something? Nope, it looks just like any other story."

It's this kind of thing that makes people lose trust in you, and then they stop coming.

### Back to the Future (0)

#### Anonymous Coward | more than 2 years ago | (#39586351)

Granular controls on root/admin logins have been around for years (Solaris & others).
IT pros know it, even I know it.
