Generally, I agree with your point. Risk management is a holistic endeavor, and when we forget that, we get hung up on technicalities that don't help us achieve the end goal.
Protecting root access in a system does have some value when it comes to persistence of malware. Malware that is confined to userland is easier to detect and uproot than malware that makes it to a deeper level. Your key point about the safety of data in userland cannot be denied, however. But, it's not like there aren't tools for that -- it's just that people are as annoyed about using them as they are with UAC, etc. Example: Too many people share passwords across multiple systems/services. These same people tend not to use password managers. The use of the latter would go a long way to curtailing the mistake of doing the former. Similarly, very few people who could benefit from it actually bother to use encryption. I think that the bigger problem is that most people don't realize the importance and criticality of their data until it is lost... *ASB **http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker>* **Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…*** On Wed, Apr 17, 2013 at 3:27 PM, Ben Scott <[email protected]> wrote: > On Wed, Apr 17, 2013 at 2:43 PM, Michael B. Smith <[email protected]> > wrote: > > IOW: Security is for the MANAGEMENT of risk and MITIGATION of same. For > real > > world systems, and usage of them, there is no such thing as perfect > security. > > That's true, too, but the point Munroe is trying to make is that a > lot of people lose track of the forest for the trees. They get so > caught up in protecting the computer that they forget why they're > protecting it. > > On my home PC, most of the the software I use is free and > unremarkable. I could rebuild the software configuration from scratch > in a matter of hours. Why do I care about protecting *that*? > > I don't. I want to protect my photos, files, bank account, Facebook > account, etc., etc. All of which are tied into my user account and > who-knows-how-many third-party web sites. They don't much care about > my admin account. > > But a lot of computer security people focus on protecting the system > privileged account. For example, I've gotten into strong arguments > with *nix weenies about how protecting the root account is the most > important thing on a system, and that's the fundamental flaw in > Microsoft Windows, or some such thing. They don't get that the data > in my user account is a lot more valuable than the software install. > They don't get that a worm can propagate from my user account just as > easily. And as I'm the only user of my home PC, I'm not even > protecting other users from me. Yah, I protect the root account, but > only as a means to helping protect the stuff I care about. > > I've had the exact same discussion about Windows and UAC. On this > forum, in fact. If UAC works perfectly, it successfully protects an > admin account on a throw-away home PC with one user. Meanwhile, the > malware is quite content to delete/steal all the user's data from > userland, and then propagate to other PCs, again from userland. It's > mildly useful in helping prevent a reinstall of a bunch of software, > but that's not the high value asset. > > (Protecting system access is rather more relevant in business, where > you've got more than one level of privilege.) > > -- Ben > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
