Sorry for the delay - many balls in the air...

On Thu, Apr 18, 2013 at 5:11 AM, Ben Scott <[email protected]> wrote:
> On Thu, Apr 18, 2013 at 12:53 AM, Kurt Buff <[email protected]> wrote:
>>>> Not that they're equivalent in power, but that what each kind of account
>>>> can do and has access to is different and equally valuable.
>>>
>>> For the typical home user, which is what that comic is focused
>>> on[1], not so much.
>>>
>>>> Root/Administrator is valuable because it can subvert the protections
>>>> on, or directly access, the data that end-user accounts have, and
>>>> end-user accounts because that's where the actual money/IP resides.
>>>
>>> And for a home PC *THERE IS ONLY ONE USER*.
>>>
>>> [1] Note what's in the bubbles around the edges.
>>
>> Yes, I noted the bubbles. But a), even for home users, while there
>> might be only one user, there should be *at least* n+1 users, where n
>> is the number of individuals who actually use the machine, plus an
>> administrator account ...
>
> You're still steadfastly refusing to go near the point.
>
> But, the multi-user at home question is a valid one, and involves a
> previously unstated assumption on both your part and mine. I've been
> assuming dedicated personal hardware, because I know Randall has no
> children, is unmarried, and referred to his laptop, which is a
> dedicated personal machine. So, my assumption is n=1. With that in
> mind:
>
> Your statement about how an admin account can access the data of
> other user accounts goes directly to the heart of the problem Munroe
> is describing: The only other user account is Randall's. The only
> data is the data in Randall's user account.
>
> This doesn't make the admin account worthless, because breaking into
> the admin account would enable breaking into Randall's user account.
> But it does mean breaking into the one is roughly equivalent to
> breaking into the other, in either direction. A lot of
> people/security design treats the admin account as a uniquely high-value
> asset, even in this scenario, which is a fallacy. And this scenario
> may well be the most common scenario, although I lack the data to make
> that determination.

No, I don't agree here. Breaking into one account is definitely not the rough equivalent of breaking into the other, or at least it shouldn't be. Each must be protected (in many, but not all of, the same ways), and each should be used only in ways that are germane to its function. The user account shouldn't be used for anything but user-type activities, not admin-type activities, and vice versa.

>> ... given all of those bubbles, the end user
>> is in a threat-rich environment, so must exercise the vigilance
>> techniques I and others have described/prescribed, if they care about
>> their data, privacy and finances.
>
> "True but unremarkable". Specifically: Not anything having to do with
> the comic. You keep launching into this list of unrelated techniques
> like it has anything to do with the discussion.
>
> I could talk about DoD personnel security requirements, but it
> wouldn't be particularly pertinent.

I think it has everything to do with the comic, or at least my understanding of the comic. What I'm reading from it is that he's using poor web browsing techniques, and not protecting his personal data via the mechanisms I've outlined, including different IDs and passwords (and even different browsers) for different web sites, etc.

Perhaps you have a different understanding of the meaning of that comic - if so, please provide me with illumination.

Kurt
