
Viewfinity CEO Says Many Computer Users Are Overprivileged (Video)

Posted by Roblimo
from the striking-a-balance-between-extremes dept.
This isn't about your place in society, but about user privileges on your computers and computer networks. The more privileges, the more risk of getting hacked and having Bad People do Bad Things to your company's computers, right? So Leonid Shtilman's company, Viewfinity, offers SaaS that helps you grant system privileges in a more granular manner than just allowing "root" and "user" accounts with nothing in between.

  • Slashvertisement (Score:5, Insightful)

    by Hatta (162192) on Wednesday April 04, 2012 @01:49PM (#39573939) Journal

    Another useless slashvertisement. People don't use the granular permissions that exist already (e.g. ACLs), no one's going to bother with even finer grained control. The problem isn't granularity, it's a completely understandable dislike of spending time managing permissions.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Not just dislike, but cost (in terms of time spent managing it, and time spent with people twiddling their thumbs waiting for someone to give them permission to something they need to do their job). Granularity always comes down to a balance between practicality and security. Lock down the super secret stuff.. apply reasonable rules to the less critical stuff.. throw the office lottery pool list on the wiki.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        And still... every security model you've seen in SaaS exists on your LAN, too.

        It's not as though we haven't had group membership, directories, user objects, service-level security, and every other imaginable sort of permissions control since... well... forever.

        The only advantage of SaaS is that it's on someone else's infrastructure, which is probably better funded and maintained than your own.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Which also just means that you'll be twiddling your thumbs that much longer when you don't have the appropriate permissions to do your job. I find SaaS in general to be a lot like an Apple product. When everything is working right, it's 100x better than any of the alternatives. When something goes wrong, you curse the day you bought it.

          • by Travoltus (110240)

            And when that something that goes wrong is a virus, you will curse the day you were born.

    • Re:Slashvertisement (Score:5, Insightful)

      by lgw (121541) on Wednesday April 04, 2012 @02:19PM (#39574425) Journal

      Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, because we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.

      End user endpoints simply need to be outside the "zone of trust" in the modern world, partly because anything a user touches should be assumed to be infected, and partly because it's time to stop caring what device the user likes - traditional PC, thin client, iPad, phone, whatever they like as long as it has a browser for the web-based software and a desktop virtualization client for all the rest.

      • I think I'm going to kill myself with the mains power cord before they take that away from me.

        Sounds like 1984 on ketamine.

        • by Microlith (54737)

          They're already working on it. Apple accomplished it on all iOS devices, and Microsoft looks to do so with ARM devices. Hell many Android devices do as well.

          The user is the enemy, just like the MPAA/RIAA have always said. Now the tech industry is in on the conspiracy as well.

          • by Tassach (137772)

            It's trivial to jailbreak an iOS device or Playstation. It's even more trivial to root an Android device.

            If you make it, someone will figure out how to root/jailbreak it and put the crack on the internet.

            The only reason there hasn't been a bigger backlash against locked platforms is that unlocked platforms are readily available to anyone who cares.

            • It's trivial to jailbreak an iOS device

              Go tell that to the iOS Dev Team. They're having a hell of a time getting the 5.x jailbreaks from the sound of it. I know they did for 5.0.1, but 5.1 is still not there yet.

      • by mounthood (993037)

        Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, because we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.

        This is still backwards: The end user's files are what's valuable! Almost all security today (accounts + ACLs) is focused on protecting the OS and isolating software. In practice, anything running under a user's account can do anything to a user's documents, even though security should be focused on protecting those documents, since they're why the user has a computer in the first place. The cloud idea, where the computer is just a browser or thin-client, might become reality, but it isn't today and histor

      • by Zeromous (668365)

        Just because a manager or someone uses it wrongly does not mean it is a bad term.

        >paradigm shift (hate that phrase - someone have a better one?)

        No. It's a real paradigm shift in how we think about client-server relationships. Sometimes I refer to it as a pendulum, swinging back and forth between client and server lockdown. The same could be said of virtualization being the pendulum swinging back toward centralization after the decentralization party of the 90s.

        Either way, you can still use paradigm

      • by Culture20 (968837)

        Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, because we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.

        End user endpoints simply need to be outside the "zone of trust" in the modern world, partly because anything a user touches should be assumed to be infected, and partly because it's time to stop caring what device the user likes - traditional PC, thin client, iPad, phone, whatever they like as long as it has a browser for the web-based software and a desktop virtualization client for all the rest.

        End users should not have full control over their desktops, just like they aren't allowed to bring a cameraphone into the secure-information areas (that's not just a paranoid military rule, lots of companies follow it). If hackers own the end user's workstation because he/she was running a vulnerable browser as admin/root, then they can keylog the user's passwords to get to the data in the "zone of trust". If they've got sensible authentication and are using two-factor, then the bad guys could still watch

    • by TheRaven64 (641858) on Wednesday April 04, 2012 @02:22PM (#39574491) Journal
      There seems to be a bug. I have the 'Ads Disabled' checkbox ticked, but I still see this big ad right in the top-centre of the front page.
    • by Lumpy (12016)

      And in many companies it's because of craptastic software written by idiots that require admin rights to run. Most Vertical market software is a steaming turd that barely runs.

      This garbage is the problem of most corporate IT. One really important program we used at Comcast REQUIRED write access to the Windows OS install location (C:/windows) and it would write to parts of the registry that it had no business writing to, so it needed admin rights there.

      So in essence all users had to run as local admin. A m

    • by goombah99 (560566)

      Another useless slashvertisement. People don't use the granular permissions that exist already (e.g. ACLs), no one's going to bother with even finer grained control. The problem isn't granularity, it's a completely understandable dislike of spending time managing permissions.

      Wow a succinct and insightful first post!

      On my Macs I always run with two user accounts: one is root and one is standard. I never need to log into the root account because my user account just prompts me for root credentials whenever I'm doing something root-ish. The way the Macs do this is not obnoxious, so it encourages you to run a standard account.

      I have also used the parental controls on macs at home. These are in principle a very simple subset of user limitations that are easy to adjust. Sadly it h

      • I've also used the mac sandbox. this is pretty darn cool. [...] I don't understand why every app is not in a sandbox these days.

        The last time I checked, the Mac OS X sandbox allowed access to user-specified files, but there was no entitlement allowing scanning all files in a user-specified folder. A program that backs up your files or performs batch operations on all pictures in your camera's memory would not be able to run in such a sandbox.

        • by goombah99 (560566)

          I've also used the mac sandbox. this is pretty darn cool. [...] I don't understand why every app is not in a sandbox these days.

          The last time I checked, the Mac OS X sandbox allowed access to user-specified files, but there was no entitlement allowing scanning all files in a user-specified folder.

          Better check again. This has been there for years. From the start, I think.

          A program that backs up your files or performs batch operations on all pictures in your camera's memory would not be able to run in such a sandbox.

          So you get a dialog box requesting the permissions. You start every app in the sandbox then expand it if you need it. The concept is not unfamiliar: this is how smart phones do it.

          This is also how I tailor my sandboxes. I lock everything down. Then I watch the

  • by Anonymous Coward

    and it asks for the root password when adding a new wifi hotspot.

  • AD (Score:4, Insightful)

    by SJHillman (1966756) on Wednesday April 04, 2012 @01:49PM (#39573947)

    Most of what I'm seeing there we already achieve through Active Directory without any third party solutions. Any company that only implements two levels of permissions (root and user) is either stuck in the 80s or else only has one user.

  • This seems to be an advert for some sort of sorry Windows admin tool. WTF?

  • by rgbrenner (317308) on Wednesday April 04, 2012 @01:57PM (#39574083)

    Your site.. feel free to disagree.. but I think you're making a huge mistake with these ads.

    There has to be some separation between the ads and the content. No one is going to visit a site explicitly to see ads. And if the content becomes the advertising, users will leave.

    I can't think of a single successful site that has advertising as the content. Nytimes, washpost, wsj, digg, ... There's always separation between the content and the ads.

    • by rgbrenner (317308)

      One other thing: if you're doing this just so you can create a video section.. maybe try something a little different. Instead of posts by companies, try covering trade shows, etc.. the videos with timothy that were posted in the beginning I thought were great.

      • 'Trade shows' huh? The only part of trade shows that this demographic wants to see is the stuff in the hotel rooms after the exhibits close.

        • by rgbrenner (317308)

          there are often interesting things to report on at trade shows (CES, Macworld, etc)

          interviews with people who have authority on a subject would be good too (like iphone security from someone at ossec..)

    • http://www.classictvads.com/classicindex.shtml [classictvads.com]

      (:-) That site's thing isn't really advertisement. It's *about* ads.

      • by rgbrenner (317308)

        I said successful... that site has an alexa rank of 2.3m [alexa.com]. Judging from the sites I run, 250k is about 1250-2000 visitors a day. So I can only imagine what 2.3m is in visitors.

    • I can't think of a single successful site that has advertising as the content.

      I don't know about that. eBay, Amazon.com, craigslist... there are quite a few successful sites which consist almost entirely of advertising. The problem is the mixed sites. Advertising is fine in a commercial context, when it's relevant, but it shouldn't intrude where non-commercial context is expected. In particular, no reputable news site should be publishing obviously-biased press releases as if they were stories. It's poor journalism, even for a mere "aggregator".

    • by Zeromous (668365)

      I for one come here for the +5 insightful.

      When +5 insightful is complaining about ads, you can bet it's already jumped the shark.

    • by mounthood (993037)

      There has to be some separation between the ads and the content. No one is going to visit a site explicitly to see ads. And if the content becomes the advertising, users will leave.

      Slashdot should try this (if they must mix advertising with content): Create clearly labeled 'discussions' about a product (like RHEL6) or type of product (like SMB databases or CRMs) and sell companies video/text space in that discussion, and give them 'official' accounts to comment with. Open source advocates or lead developers could also contribute.

      Let the community talk about what works and what sucks, what the open source alternatives are, etc... It would be like product reviews, but technically focuse

  • With the solution being....'Buy our product!'

  • Too many fucking commercials on this Slashdot TV channel. Anyone got a Tivo'd version of Slashdot I can read?

  • by Anonymous Coward

    First and last time watching slashtv.

  • by atriusofbricia (686672) on Wednesday April 04, 2012 @02:00PM (#39574153) Journal

    This is the second one of these non-stories posted in as many days. I, like many people, have been reading and posting to Slashdot for years. I'm starting to wonder exactly why I continue to do so....

    • by keytoe (91531) on Wednesday April 04, 2012 @02:33PM (#39574625) Homepage

      I clicked through looking for a solution to blocking these myself. There doesn't seem to be a way to block them in the user settings that I can see. Anyone had any luck?

      I don't have high hopes since these are pretty obviously revenue generators for the site. It just seems incongruous to offer users a 'block ads' option and then turn around to make these slashvertisements unblockable.

      To be honest, if there were an option to 'block all videos' I'd take that. I dislike this trend of locking information in a format I can't search, skim, read at work, use while also listening to music, etc.

      Sorry for the off topic.

    • by aiken_d (127097)

      Nothing wrong with a little brand destruction in the name of increasing short term revenue, especially if you're looking to make an exit.

      But yeah, I've noticed my visits to slashdot have gone from twice-daily to daily to weekly over the past few months. I'm not even sure how much to ascribe to the slimy mix of content and advertising and how much reflects the general loss of quality and tendency to be days behind CNN rather than days ahead.

    • by Flammon (4726)

      4 Digit UID here with the same sentiment. I've been here for 15 years and boy have things changed. Some for the good but god I miss the days when Rob would post about a WindowMaker app that he wrote and you could download the source and compile it. It was pure geek stuff and the subject of monetization nowhere to be seen. The geek purity made it great.

      This is the stuff that we used to talk about. http://cmdrtaco.net/linux/ [cmdrtaco.net]

      I read Rob's blog because he talked about stuff that I was into. Linux, X, AfterStep,

  • The days of UID 0 being king and everyone else being a peasant have been over for a long time. Some examples:

    Solaris: Root is a role, not a user.

    Linux: AppArmor and SELinux come into play.

    AIX: Root can be removed and assigned to roles, where UID 0 is just another user.

    BSD: Plenty of ways to limit access via ACLs and other mechanisms.

    OS X: Root has to be explicitly enabled.

    Pretty much, the only reason the concept of root exists these days is a "master override" when one just needs to get something done

  • This "slashdottv" thing is pretty much turning out to be "yourdailyinfomercial".

    Anyone got a good suggestion on how to filter this spam out?

    • Anyone got a good suggestion on how to filter this spam out?

      There's likely to be an 'off' button somewhere on the device you're using. Power down!

  • We're supposed to pay for a product that effectively replaces sudo & user/group privileges?
  • That's why Bill Gates made the Windows so successful. Make things simple, who cares (except geeks) about how you make it as long as it works.
  • ... security to begin with. The problem was no one predicted the internet would become the thing it was and most people are not intelligent enough to be using connected PCs to begin with. It's about the cognitive level of intelligence needed to be using such machines to begin with. It's not hard to keep safe without overbearing security and permissions; it's about being intelligent about what kinds of machines with certain data you hook up to the net to begin with.

    Let's remind ourselves that it is usuall

    • What we have here, is a failure to communicate...

      It's not the user.
      Nor is it the internet
      Nor is it the administrator
      Nor is it the OS vendors

      It's a very deep paradigm/vocabulary issue

      The problem IS lack of security.... quick... how can You, in YOUR CHOICE OF ENVIRONMENT tell your OS that you want a program to enforce this set of rules on a program you want to test:

      • read access to itself, and its install directory
      • read access to all of the system libraries
      • read-write access to a single folder
      • access to a specifi
  • Sure, if he is talking about on a windows machine, but on linux/unix/bsd/osx, this already exists in sudo. If you need "root" privileges for something, you setup a sudo rule for that individual user for running that individual command.
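
The per-user, per-command sudo rule described in the comment above, seen from the auditing side, as an added example that is not part of the original thread: a simplified checker that flags sudoers entries granting more than one fixed command. The sample entries, the issue names and the `SHELL_CAPABLE` list are constructed assumptions, and full sudoers grammar (aliases, includes, negation) is not handled.

```python
import re

# Constructed sample sudoers entries (illustrative; not from the thread).
SAMPLE_SUDOERS = """\
Defaults env_reset
alice   ALL=(ALL) ALL
bob     ALL=(root) NOPASSWD: ALL
carol   ALL=(root) /usr/bin/systemctl restart nginx
dave    ALL=(root) /usr/bin/vi /etc/hosts
erin    ALL=(root) /bin/cat /var/log/*
%wheel  ALL=(ALL:ALL) ALL
"""

# who  host = (runas) [TAG:] command[, command ...]   (simplified grammar)
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

# Assumed, non-exhaustive list of programs that can start other programs,
# which turns a "single command" rule into a general one.
SHELL_CAPABLE = {"sh", "bash", "zsh", "vi", "vim", "less", "more", "find"}


def audit(text):
    """Return (who, issue) pairs for rules broader than one fixed command."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue  # comments, Defaults and alias definitions are skipped
        m = SPEC.match(line)
        if not m:
            continue
        who, tags = m.group("who"), set()
        for part in m.group("cmds").split(","):
            part = part.strip()
            t = TAGS.match(part)
            if t:  # tags such as NOPASSWD: carry over to later commands
                tags |= set(re.findall(r"[A-Z_]+", t.group(0)))
                part = part[t.end():].strip()
            if part == "ALL":  # every command: the account is effectively root
                findings.append((who, "ALL_COMMANDS"))
                if "NOPASSWD" in tags:
                    findings.append((who, "NOPASSWD_ALL"))
                continue
            argv = part.split()
            if not argv:
                continue
            if argv[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append((who, "SHELL_CAPABLE"))
            # Wildcards in arguments match more paths than authors expect.
            if any(c in arg for arg in argv[1:] for c in "*?"):
                findings.append((who, "ARG_WILDCARD"))
    return findings


if __name__ == "__main__":
    for who, issue in audit(SAMPLE_SUDOERS):
        print(f"{who:8} {issue}")
```

Only the `carol` entry, one user bound to one fully specified command, comes back with no findings.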
  • I notice an Ad tag on this story. Can I filter so I can't see these anymore? I come here for the content, not the ads. However, to support y'all I don't hide the "official" ads. However, if these slashvertisements keep up, I may have to rethink that.
  • Don't block my access to anything! Also, remove those "safety" things from my table saw!! And "protective eyewear"?? How can I cut when I can't see!? Those come off too.

  • It's an ongoing battle in my agency to fend off users who want admin rights. It's even harder to remove admin rights from users who already have it. Particularly on laptops. We have instituted various mechanisms for software installs thru a process but these users are still a pain in the ass.
  • Title: Leonid Shtilman Says Many Computer Users are Overprivileged
    Description: The more privileges, the more risk of getting hacked and having Bad People do Bad Things to your company's computers.

    [00:00] <TITLE>
    "Privilege Management and Application Control Solutions Are Essential security Tools" appears over a stylized view of the interviewee, sitting in what appears to be a food court.
    The SlashdotTV logo bar appears in the bottom and reads "Leonid Shtilman - CEO, Viewfinity"

    [00:02] Leonid>
    My name

  • The way I see it, Viewfinity's CEO not-so-subtly says that people should not have control over their computers, and offers SaaS so that Viewfinity can assert that control.

  • I'll go sorta OT here, but I am fed up with articles, here or elsewhere, that can be summed up as "here, watch this video."

    Thanks for making me ingest content at the speed of the slowest talker in the video, not at my reading speed.

    If you post a video in lieu of text, you just wasted the world's time.

  • Come on slashdot... If I wanted to read stuff like this I would read my email spam folder. I refuse to get sucked into discussing security when this is just blatant pulp advertising. Booo! Hisss!
