Viewfinity CEO Says Many Computer Users Are Overprivileged (Video)
This isn't about your place in society, but about user privileges on your computers and computer networks. The more privileges, the more risk of getting hacked and having Bad People do Bad Things to your company's computers, right? So Leonid Shtilman's company, Viewfinity, offers SaaS that helps you grant system privileges in a more granular manner than just allowing "root" and "user" accounts with nothing in between.
Slashvertisement (Score:5, Insightful)
Another useless slashvertisement. People don't use the granular permissions that exist already (e.g. ACLs), no one's going to bother with even finer grained control. The problem isn't granularity, it's a completely understandable dislike of spending time managing permissions.
Re: (Score:3, Insightful)
Not just dislike, but cost (in terms of time spent managing it, and time spent with people twiddling their thumbs waiting for someone to give them permission to something they need to do their job). Granularity always comes down to a balance between practicality and security. Lock down the super secret stuff.. apply reasonable rules to the less critical stuff.. throw the office lottery pool list on the wiki.
Re: (Score:2, Interesting)
And still... every security model you've seen in SaaS exists on your LAN, too.
It's not as though we haven't had group membership, directories, user objects, service-level security, and every other imaginable sort of permissions control since... well... forever.
The only advantage of SaaS is that it's on someone else's infrastructure, which is probably better funded and maintained than your own.
Re: (Score:2, Interesting)
Which also just means that you'll be twiddling your thumbs that much longer when you don't have the appropriate permissions to do your job. I find SaaS in general to be a lot like an Apple product. When everything is working right, it's 100x better than any of the alternatives. When something goes wrong, you curse the day you bought it.
Re: (Score:2)
And when that something that goes wrong is a virus, you will curse the day you were born.
Re:Slashvertisement (Score:5, Insightful)
Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, because we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.
End user endpoints simply need to be outside the "zone of trust" in the modern world, partly because anything a user touches should be assumed to be infected, and partly because it's time to stop caring what device the user likes - traditional PC, thin client, iPad, phone, whatever they like as long as it has a browser for the web-based software and a desktop virtualization client for all the rest.
Re: (Score:2)
I think I'm going to kill myself with the mains power cord before they take that away from me.
Sounds like 1984 on ketamine.
Re: (Score:3)
They're already working on it. Apple accomplished it on all iOS devices, and Microsoft looks to do so with ARM devices. Hell many Android devices do as well.
The user is the enemy, just like the MPAA/RIAA have always said. Now the tech industry is in on the conspiracy as well.
Re: (Score:2)
It's trivial to jailbreak an iOS device or Playstation. It's even more trivial to root an Android device.
If you make it, someone will figure out how to root/jailbreak it and put the crack on the internet.
The only reason there hasn't been a bigger backlash against locked platforms is that unlocked platforms are readily available to anyone who cares.
Re: (Score:2)
Go tell that to the iOS Dev Team. They're having a hell of a time getting the 5.x jailbreaks from the sound of it. I know they did for 5.0.1, but 5.1 is still not there yet.
Re: (Score:2)
Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, because we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.
This is still backwards: The end users files are what's valuable! Almost all security today (accounts + ACLs) is focused on protecting the OS and isolating software. In practice, anything running under a users account can do anything to a users documents, even though security should be the focused on protecting those documents, since they're why the user has a computer in the first place. The cloud idea, where the computer is just a browser or thin-client, might become reality, but it isn't today and histor
Re: (Score:3)
Just because a manager or someone uses it wrongly does not mean it is a bad term.
>paradigm shift (hate that phrase - someone have a better one?)
No. It's a real paradigm shift in how we think about client-server relationships. Sometimes I refer to it as a pendulum, swinging back and forth between client and server lockdown. The same could be said of virtualization being the pendulum swinging back toward centralization after the decentralization party of the 90s.
Either way, you can still use paradigm
Re: (Score:3)
Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, because we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.
End user endpoints simply need to be outside the "zone of trust" in the modern world, partly because anything a user touches should be assumed to be infected, and partly because it's time to stop caring what device the user likes - traditional PC, thin client, iPad, phone, whatever they like as long as it has a browser for the web-based software and a desktop virtualization client for all the rest.
End users should not have full control over their desktops, just like they aren't allowed to bring a cameraphone into the secure-information areas (that's not just a paranoid military rule, lots of companies follow it). If hackers own the end user's workstation because he/she was running a vulnerable browser as admin/root, then they can keylog the user's passwords to get to the data in the "zone of trust". If they've got sensible authentication and are using two-factor, then the bad guys could still watch
Re: (Score:2)
And in many companies it's because of craptastic software written by idiots that require admin rights to run. Most Vertical market software is a steaming turd that barely runs.
This garbage is the problem of most corporate IT. One really important program we used at Comcast REQUIRED write access to the Windows OS install location (C:\Windows), and it would write to parts of the registry that it had no business writing to, so it needed admin rights there.
So in essence all users had to run as local admin. A m
Re: (Score:2)
Another useless slashvertisement. People don't use the granular permissions that exist already (e.g. ACLs), no one's going to bother with even finer grained control. The problem isn't granularity, it's a completely understandable dislike of spending time managing permissions.
Wow a succinct and insightful first post!
On my macs I always run with two user accounts one is root and one is standard. I never need to log into the root account because my user account just prompts me for root credentials whenever I'm doing something root-ish. The way the macs do this is not obnoxious so it encourages you to run a standard account.
I have also used the parental controls on macs at home. These are in principle a very simple subset of user limitations that are easy to adjust. Sadly it h
No opendir() in Mac sandbox (Score:2)
I've also used the mac sandbox. This is pretty darn cool. [...] I don't understand why every app is not in a sandbox these days.
The last time I checked, the Mac OS X sandbox allowed access to user-specified files, but there was no entitlement allowing scanning all files in a user-specified folder. A program that backs up your files or performs batch operations on all pictures in your camera's memory would not be able to run in such a sandbox.
Re: (Score:2)
I've also used the mac sandbox. This is pretty darn cool. [...] I don't understand why every app is not in a sandbox these days.
The last time I checked, the Mac OS X sandbox allowed access to user-specified files, but there was no entitlement allowing scanning all files in a user-specified folder.
Better check again. This has been there for years. From the start, I think.
A program that backs up your files or performs batch operations on all pictures in your camera's memory would not be able to run in such a sandbox.
So you get a dialog box requesting the permissions. You start every app in the sandbox then expand it if you need it. The concept is not unfamiliar: this is how smart phones do it.
This is also how I tailor my sandboxes. I lock everything down. Then I watch the
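The "lock everything down, then watch the denials and widen the profile" workflow described in the comment above lends itself to a small tool. The following is an added example, not code from the original thread or from any sandbox vendor: it parses denial lines in the rough shape of the macOS sandbox log messages (the sample lines are constructed, and the process name, paths and the exact log format are assumptions), collapses each denied path to a single directory under the user's home, and emits SBPL-style allow rules for those. The mapping from denied operation to rule family (`file-read-data` to `file-read*`, and so on) is a deliberate simplification. Anything outside the home directory, or any non-file operation such as a network denial, is not auto-allowed but returned for manual review, which is the caveat a practitioner would want: the point of the exercise is to expand the sandbox only where the program's job demands it.

```python
import re
from pathlib import PurePosixPath

# Constructed sample log; the format approximates macOS "Sandbox: proc(pid) deny op path" lines.
SAMPLE_LOG = """\
Sandbox: Backup(4242) deny file-read-data /Users/me/Pictures/IMG_0001.jpg
Sandbox: Backup(4242) deny file-read-data /Users/me/Pictures/IMG_0002.jpg
Sandbox: Backup(4242) deny file-read-metadata /Users/me/Pictures
Sandbox: Backup(4242) deny file-write-create /Users/me/Backups/2012-03-01.tar
Sandbox: Backup(4242) deny file-read-data /private/etc/master.passwd
Sandbox: Backup(4242) deny network-outbound 203.0.113.5:443
kernel: unrelated noise line
"""

LOG_LINE = re.compile(
    r"Sandbox: (?P<proc>[^(]+)\((?P<pid>\d+)\) deny(?:\(\d+\))? "
    r"(?P<op>[a-z*-]+) (?P<path>\S+)"
)

# Assumed, simplified mapping from a denied operation to the SBPL rule family that would allow it.
RULE_FAMILY = {
    "file-read-data": "file-read*",
    "file-read-metadata": "file-read*",
    "file-write-data": "file-write*",
    "file-write-create": "file-write*",
}


def parse_denials(text):
    """Return one dict per recognised denial line; unrelated lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            denials.append(d)
    return denials


def scope_for(path, home):
    """Collapse a denied path to the first directory component under `home`.

    Returns None when the path is outside the home directory, so the caller
    never auto-allows system locations such as /private/etc.
    """
    p = PurePosixPath(path)
    h = PurePosixPath(home)
    if p != h and h not in p.parents:
        return None
    rel = p.relative_to(h).parts
    return str(h.joinpath(*rel[:1])) if rel else str(h)


def propose_rules(text, home="/Users/me"):
    """Turn denial lines into (sorted allow rules, denials needing manual review)."""
    rules = set()
    review = []
    for d in parse_denials(text):
        family = RULE_FAMILY.get(d["op"])
        scope = scope_for(d["path"], home)
        if family is None or scope is None:
            review.append(d)
            continue
        rules.add(f'(allow {family} (subpath "{scope}"))')
    return sorted(rules), review


if __name__ == "__main__":
    proposed, needs_review = propose_rules(SAMPLE_LOG)
    print("Candidate rules:")
    for r in proposed:
        print("  " + r)
    print("Needs manual review:")
    for d in needs_review:
        print(f"  {d['op']} {d['path']}")
```

Run it once against a deny-by-default profile's log, paste the candidate rules into the profile, run the program again, and repeat until the log is quiet. Each pass widens the sandbox by one directory at a time, which keeps the final profile close to what the program actually touches.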
But then you overdo it... (Score:1)
and it asks for the root password when adding a new wifi hotspot.
Re: (Score:2)
(And I always wondered why my neighbor's WiFi was named 'password'...)
Re: (Score:2)
His SSID is "password"
AD (Score:4, Insightful)
Most of what I'm seeing there we already achieve through Active Directory without any third party solutions. Any company that only implements two levels of permissions (root and user) is either stuck in the 80s or else only has one user.
Re: (Score:1)
There have been much more granular permissions on Linux and all other Unix-likes for decades as well.
This is very advertisement-centric, that's all.
Re: (Score:2, Informative)
This is very Linux-centric. There have been much more granular permissions on Windows for probably well over a decade.
Most Windows users for the last decade have run as 'root' since it's the default on XP, and there have been much more granular permissions on Unix for decades through group permissions.
Not to mention technologies like SELinux and Apparmor.
Re:Is he not aware of Windows? (Score:5, Informative)
Not quite. Not even Administrator is root. LocalSystem is root.
Re: (Score:2)
No it's not. There is no direct equivalent to root in Windows. The concept of a superuser simply doesn't exist in its security model.
Re: (Score:2)
Most Windows users for the last decade have run as 'root' since it's the default on XP, and there have been much more granular permissions on Unix for decades through group permissions.
Running as admin on Windows doesn't give you access to groups you're not a part of (though you can jump through some hoops to alter permissions on anything if you really want to). Proper group permissions have been in the Windows NT and NTFS codebases since very early days.
Anyhow, XP has not been the latest Windows for most of the past decade. It's been more than 5 years since the latest Windows release had you running as the administrator account by default.
Re: (Score:2)
Running as admin on Windows doesn't give you access to groups you're not a part of
If you can add yourself to a group, you're part of that group for the purpose of any competent security analysis.
Re: (Score:2)
But it's different from Unix root - you can't accidentally change stuff ACL'd to a group you don't belong to, which is the vast majority of problems. If you want to stretch the definition (or we're talking about malware payloads, not user error), anyone can add themselves to any group, because every OS will have some sort of privilege escalation flaw somewhere.
Realistically, if you care about groups, you're in a domain and you're not running as the domain admin.
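The disagreement above (whether a Windows admin who can edit group membership "has" that group's rights) is really a question of which rights an analysis counts. The following is an added example, not code from the thread or from any product: a small ACL model in which some ACL entries grant `admin` over a group resource, meaning the holder may edit that group's membership. `effective_rights` computes a user's nominal rights and, when asked, the fixpoint that treats every group the user can edit as a group the user is in. The users, groups and ACL entries are constructed for illustration; the names are not real accounts.

```python
# Constructed model: resource -> {principal -> set of rights}.
# "admin" on a "group:*" resource means the holder may edit that group's membership.
ACLS = {
    "share:finance": {"group:finance": {"read", "write"},
                      "group:Administrators": {"read", "write"}},
    "share:hr": {"group:hr": {"read"}},
    "group:finance": {"group:Administrators": {"admin"},
                      "user:alice": {"admin"}},   # alice is a delegated group manager
    "group:hr": {"group:Administrators": {"admin"}},
    "group:Administrators": {"group:Administrators": {"admin"}},
}

# Constructed direct memberships.
MEMBERS = {
    "group:finance": {"user:bob"},
    "group:hr": {"user:carol"},
    "group:Administrators": {"user:dave"},
}


def direct_groups(user):
    """Groups the user is listed in directly."""
    return {g for g, members in MEMBERS.items() if user in members}


def direct_rights(principals):
    """Rights granted to any of the given principals, merged per resource."""
    rights = {}
    for resource, entries in ACLS.items():
        for p in principals:
            if p in entries:
                rights.setdefault(resource, set()).update(entries[p])
    return rights


def effective_rights(user, escalate_via_group_admin=True):
    """Rights a user can exercise.

    With escalate_via_group_admin=False this is the nominal view: only the
    user's own entries and those of groups they are already in.  With it True,
    any group whose membership the user may edit is added to the principal set,
    and the computation repeats until no new group appears, since the user
    could simply add themselves.
    """
    principals = {user} | direct_groups(user)
    while True:
        rights = direct_rights(principals)
        if not escalate_via_group_admin:
            return rights
        editable = {res for res, r in rights.items()
                    if res.startswith("group:") and "admin" in r}
        if editable <= principals:
            return rights
        principals |= editable


def can(user, resource, right, escalate_via_group_admin=True):
    return right in effective_rights(user, escalate_via_group_admin).get(resource, set())


if __name__ == "__main__":
    for u in ("user:alice", "user:bob", "user:carol", "user:dave"):
        nominal = effective_rights(u, escalate_via_group_admin=False)
        real = effective_rights(u)
        print(u, "nominal:", sorted(nominal), "effective:", sorted(real))
```

Alice nominally holds only `admin` on the finance group, yet effectively has read/write on the finance share; Dave, as a member of Administrators, reaches every group's share. That is the sense in which the thread's "if you can add yourself to a group, you're part of that group" holds, while the nominal view is what protects against the accidental edits the reply is talking about.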
Re: (Score:2)
This is very Linux-centric
No, it's very UNIX Release 6 centric. It hasn't been true of most modern UNIX and UNIX-like systems for about 20 years.
Sorry, did I click on one of the Slashdot ads? (Score:2)
This seems to be an advert for some sort of sorry Windows admin tool. WTF?
slashdot editors: please read (Score:5, Insightful)
Your site.. feel free to disagree.. but I think you're making a huge mistake with these ads.
There has to be some separation between the ads and the content. No one is going to visit a site explicitly to see ads. And if the content becomes the advertising, users will leave.
I can't think of a single successful site that has advertising as the content. Nytimes, washpost, wsj, digg, ... There's always separation between the content and the ads.
Re: (Score:3)
One other thing: if you're doing this just so you can create a video section.. maybe try something a little different. Instead of posts by companies, try covering trade shows, etc.. the videos with timothy that were posted in the beginning I thought were great.
Re: (Score:2)
'Trade shows' huh? The only part of trade shows that this demographic wants to see is the stuff in the hotel rooms after the exhibits close.
Re: (Score:3)
there are often interesting things to report on at trade shows (CES, Macworld, etc)
Interviews with people who have authority on a subject would be good too (like iPhone security from someone at OSSEC).
Re: (Score:2)
http://www.classictvads.com/classicindex.shtml
(:-) That site's thing isn't really advertisement. It's *about* ads.
Re: (Score:2)
I said successful... that site has an Alexa rank of 2.3m. Judging from the sites I run, 250k is about 1250-2000 visitors a day. So I can only imagine what 2.3m is in visitors.
Re: (Score:2)
I can't think of a single successful site that has advertising as the content.
I don't know about that. eBay, Amazon.com, craigslist... there are quite a few successful sites which consist almost entirely of advertising. The problem is the mixed sites. Advertising is fine in a commercial context, when it's relevant, but it shouldn't intrude where non-commercial context is expected. In particular, no reputable news site should be publishing obviously-biased press releases as if they were stories. It's poor journalism, even for a mere "aggregator".
Re: (Score:2)
I for one come here for the +5 insightful.
When +5 insightful is complaining about ads, you can bet it's already jumped the shark.
Re: (Score:2)
There has to be some separation between the ads and the content. No one is going to visit a site explicitly to see ads. And if the content becomes the advertising, users will leave.
Slashdot should try this (if they must mix advertising with content): Create clearly labeled 'discussions' about a product (like RHEL6) or type of product (like SMB databases or CRMs) and sell companies video/text space in that discussion, and give them 'official' accounts to comment with. Open source advocates or lead developers could also contribute.
Let the community talk about what works and what sucks, what the open source alternatives are, etc... It would be like product reviews, but technically focuse
Lol ads (Score:1)
With the solution being....'Buy our product!'
Re: (Score:1)
Like it's any different when we see another scary set of Security Studies, Sponsored by Symantec.
Alliteration intended.
Re: (Score:1)
Yes, but Slashdot doesn't overtly run paid-for ads for Symantec like these Slashvertisement TV segments.
Re: (Score:1)
I'm actually waiting to see that change, actually.
Too Many Fucking Commercials on Slashdot TV (Score:1)
Too many fucking commercials on this Slashdot TV channel. Anyone got a Tivo'd version of Slashdot I can read?
I am an AC (Score:1)
First and last time watching slashtv.
Cruising way past sad.... (Score:4, Insightful)
This is the second one of these non-stories posted in as many days. I, like many people, have been reading and posting to Slashdot for years. I'm starting to wonder exactly why I continue to do so....
Re:Cruising way past sad.... (Score:4, Insightful)
I clicked through looking for a solution to blocking these myself. There doesn't seem to be a way to block them in the user settings that I can see. Anyone had any luck?
I don't have high hopes since these are pretty obviously revenue generators for the site. It just seems incongruous to offer users a 'block ads' option and then turn around to make these slashvertisements unblockable.
To be honest, if there were an option to 'block all videos' I'd take that. I dislike this trend of locking information in a format I can't search, skim, read at work, use while also listening to music, etc.
Sorry for the off topic.
4 Digit UID here with the same sentiment. I've been here for 15 years and boy have things changed. Some for the good, but god I miss the days when Rob would post about a WindowMaker app that he wrote and you could download the source and compile it. It was pure geek stuff and the subject of monetization nowhere to be seen. The geek purity made it great.
This is the stuff that we used to talk about. http://cmdrtaco.net/linux/
I read Rob's blog because he talked about stuff that I was into. Linux, X, AfterStep,
We have long gone past the god/peasant model... (Score:1)
The days of UID 0 being king and everyone else being a peasant have been over for a long time. Some examples:
Solaris: Root is a role, not a user.
Linux: AppArmor and SELinux come into play.
AIX: Root can be removed and assigned to roles, where UID 0 is just another user.
BSD: Plenty of ways to limit access via ACLs and other mechanisms.
OS X: Root has to be explicitly enabled.
Pretty much, the only reason the concept of root exists these days is a "master override" when one just needs to get something done
At least once a day. (Score:2)
This "slashdottv" thing is pretty much turning out to be "yourdailyinfomercial".
Anyone got a good suggestion on how to filter this spam out?
Re: (Score:3)
Anyone got a good suggestion on how to filter this spam out?
There's likely to be an 'off' button somewhere on the device you're using. Power down!
What the hell man (Score:2)
Freedom for the majority people is not bad ! (Score:1)
Problem was never the lack of... (Score:2)
... security to begin with. The problem was no one predicted the internet would become the thing it was, and most people are not intelligent enough to be using connected PCs to begin with. It's about the cognitive level of intelligence needed to be using such machines to begin with. It's not hard to keep safe without overbearing security and permissions; it's about being intelligent about what kinds of machines with certain data you hook up to the net to begin with.
Lets remind ourselves that it is usuall
You can't even express the correct answer.... (Score:2)
What we have here, is a failure to communicate...
It's not the user.
Nor is it the internet.
Nor is it the administrator.
Nor is it the OS vendors.
It's a very deep paradigm/vocabulary issue
The problem IS lack of security.... quick... how can You, in YOUR CHOICE OF ENVIRONMENT tell your OS that you want a program to enforce this set of rules on a program you want to test:
This already exists and is called sudo (Score:2)
Any way to filter AD tag? (Score:1)
Screw that! (Score:2)
Don't block my access to anything! Also, remove those "safety" things from my table saw!! And "protective eyewear"?? How can I cut when I can't see!? Those come off too.
Non-stop battle (Score:1)
Transcript (Score:1)
Title: Leonid Shtilman Says Many Computer Users are Overprivileged
Description: The more privileges, the more risk of getting hacked and having Bad People do Bad Things to your company's computers.
[00:00] <TITLE>
"Privilege Management and Application Control Solutions Are Essential security Tools" appears over a stylized view of the interviewee, sitting in what appears to be a food court.
The SlashdotTV logo bar appears in the bottom and reads "Leonid Shtilman - CEO, Viewfinity"
[00:02] Leonid>
My name
"We should have access to your computer!" (Score:2)
They way I see it, Viewfinity's CEO not-so-subtly says that people should not have control over their computers, and offers SaaS so that Viewfinity can assert that control.
How fast do YOU read? (Score:2)
I'll go sorta OT here, but I am fed up with articles, here or elsewhere, that can be summed up as "here, watch this video."
Thanks for making me ingest content at the speed of the slowest talker in the video, not at my reading speed.
If you post a video in lieu of text, you just wasted the world's time.
What a leonid of shtil (man) (Score:1)