Security Poll take 2

How important is security

Poll ended at Fri Jul 22, 2005 2:57 am

1 the lowest: 2 votes (5%)
2: 5 votes (11%)
3: 9 votes (20%)
4: 14 votes (32%)
5 the highest: 14 votes (32%)
 
Total votes: 44

oiaohm
Posts: 1322
Joined: Sun Dec 12, 2004 8:40 am

Security Poll take 2

Post by oiaohm »

Here I go again, this time the right way. I think from this post from Microsoft this might have to be taken a little more seriously.
http://www.vnunet.com/vnunet/news/21394 ... n-security

Last Post from me about this was.
http://www.reactos.com/forum/viewtopic.php?t=811
Yes the poll there is a complete stuff up and I am completely responsible for it.
At the last Security I detailed a bit of my idea.

This time Longhorn comes with security along the same line.

This will leave ReactOS in the cold, i.e. Linux has security, Windows has security, Mac OS has security and ReactOS does not.

I think we need to get a Security Blue Print created. Reason: it provides something to work towards.

My basic starting points to a Blue Print.

Add a filesystem to ReactOS that has the means of having Security features enabled (this does not have to be NTFS)
Cover how the security system will be interfaced by normal users.
Plan the placement of any required link-in points of a Security system.

Basically I want to know how you want to interface; this includes installing programs with a Security system.
How much control do you want?
What lazy options do you want?
If admin user should be made a non-login account, i.e. you cannot log in as admin; instead you have to log in as a normal user and enter the admin/or your password (if admin allowed) before carrying out admin actions?
What features should a normal user be allowed to change without admin rights?
What features should a normal user never be allowed to change without admin rights?

If you poll the lowest there is no reason to post "I want no security". Reason: this does not help with creation of a plan to create one.

Note I most likely will not code this; my experience with the ReactOS source is most likely not good enough to do most of it. I am more a debugger than a coder.

This is the reason for creating a guide to do this. It will let people work on their own section while working towards the end goal.
Gasmann
Posts: 283
Joined: Fri Nov 26, 2004 6:53 pm
Location: Germany
Contact:

Post by Gasmann »

May sound stupid, but the reason why I voted for 1 in the previous poll was that I don't want to miss support to install ReactOS on FAT :P
See here: http://reactos.com/forum/viewtopic.php?t=713

Sorry about it, yes you're right ReactOS needs some security. I think it could even be better than the security of Windows.
The idea about not letting the admin log in sounds good, but there should again be a way to allow it for those users who want to. But I would say it could be disallowed by default to login as admin.
Bond007s
Posts: 58
Joined: Tue Nov 30, 2004 2:09 am

FAT Support does not have to be lost

Post by Bond007s »

I have tried to explain in the ReiserFS discussion that FAT support does not have to be lost. Have you ever used a Windows installation that allows an installation on FAT or NTFS? NTFS is of course the default. So I was attempting to say that the default should be something like ReiserFS, which supports almost all the NTFS file permissions. If used, security is enabled. If not (FAT used instead), well, it is a security hole. However, I believe that once a stable release is made, and ReactOS is maturing fast, then Security should definitely be of foremost concern.
Lucio Diaz
Posts: 107
Joined: Fri Nov 26, 2004 10:12 pm
Location: Spain (lost in the Atlantic)

Post by Lucio Diaz »

No wonder that users want security, but they won't (nor would I) trade usability and ease of use (and recovery) for security. I see many Linux users here; one of the main reasons I don't play well with Linux is its hyper-paranoid security settings. HELL, it is MY computer, I am accessing it physically, and I cannot boot from a Linux CD and change the files of another distribution on my own computer!

I have been using DOS, then Windows 95 and 98 and then Windows XP for nearly 15 years. I don't have antivirus, I only run a firewall (and I download quite a lot of programs from the internet), and in my whole experience I only had a virus twice: once knowing I was introducing it almost 15 years ago... (that old Stoned virus, but I REALLY wanted to play Pirates even if the disk was infected) and the other on my laptop (this eMule... I knew I was at risk and had an antivirus running that time). I had spyware once (well, apart from Windows of course, hehe) and got rid of it easily with the help of Google.

In 15 years not a single intrusion in my system, only twice a virus and once spyware. For me the effort to play with different users and having to log in as root to do simple tasks (just 'cause I did wrong and created a folder as root and have to change it back to user ownership) is enough pain to stay away from Linux compared to these three incidents. So, let's have security but with USABILITY AND EASE OF USE. Let's recognize it, we are here 'cause we ARE computer freaks; I can hardly explain to my mother how to use Microsoft Office so DON'T make me explain to her how to su-.

With best regards,
Lucio Diaz.
LordMicr0n
Posts: 27
Joined: Thu Jun 09, 2005 9:04 am
Location: kernell ;p
Contact:

Post by LordMicr0n »

erm...
can you please post your internal IP please ....
just want 2 check how secure you are lol
i mean windows is something you play games at.
Linux is something you can work with .
don't buy "windows Longhorn" !
http://www.againsttcpa.com/
elektrik
Posts: 46
Joined: Thu Dec 09, 2004 12:20 am

Post by elektrik »

LordMicr0n wrote:erm...
can you please post your internal IP please ....
just want 2 check how secure you are lol
i mean windows is something you play games at.
Linux is something you can work with .
_________________
don't buy "windows Longhorn" !
http://www.againsttcpa.com/
So....Why are you even on the ReactOS forums if your attitude is "windows is something you play games at."?
Stead
Posts: 163
Joined: Mon Nov 29, 2004 3:00 pm

Post by Stead »

LordMicr0n wrote:erm...
can you please post your internal IP please ....
just want 2 check how secure you are lol
i mean windows is something you play games at.
Linux is something you can work with .
Right, uh, why are you here? This may surprise you, but many of the world's largest businesses (p.s. they don't play games) use Windows... surprised?

Also, internal IP? What on earth does that mean?

Anyway, on topic, I feel security is an issue, just not yet; driver compatibility I feel is the most important, then application compatibility along with security.
oiaohm
Posts: 1322
Joined: Sun Dec 12, 2004 8:40 am

Lets get back on topic.

Post by oiaohm »

Yes I use Linux. Yes I know Linux is hyper-paranoid from a Windows point of view. From a Linux point of view it really works.

4 24-hour servers, 2 Windows, 2 Linux; both got hit. The Windows systems were completely screwed up. Linux tripped alarms and was able to shut down before too much damage was done.

Now you missed a big section: OS X, based on FreeBSD. Users don't see the security but it's there and working.

Also not all Linuxes are built the same; it's a cop-out not to provide anything about how to do it. Ubuntu Linux users don't see much of the security; they only have to re-enter their password before they can install programs. They don't even have to know it's there.

su in Linux is runas in Windows (same feature, two different names); some versions of Windows alias su to runas.

Windows security will be harder to build due to Microsoft not providing every program that a user normally requires. Simple-to-use Linux distros provide every program that a user requires and all the security set up so everything works with security.

Question: does MSI provide information to set up security?
jro
Posts: 18
Joined: Tue Jul 05, 2005 4:40 am

Post by jro »

I don't like Linux, especially Ubuntu distros. I hate to type sudo and my password all the time for every little thing. I feel like I should be able to do whatever I need to do without getting password prompts, like it is in Windows. There has to be a better way to do security than that. It's true most businesses run Windows. I worked for a few big companies which handle sensitive data all day and run very insecure Windows machines on what they feel are secure networks. I don't see Linux anywhere unless I run it myself :lol:
LordMicr0n
Posts: 27
Joined: Thu Jun 09, 2005 9:04 am
Location: kernell ;p
Contact:

Post by LordMicr0n »

Stead wrote: right, uh, why are you here?
Because of the future of ReactOS, some day you can run Linux, MAC, BeOS, and Windows - apps on it. i can hardly wait
Stead wrote: this may surprise you, but many of the worlds largest businesses (p.s. they don't play games) use windows..surprised?
actually no, because the most admins are 2 stupid to configure a Unix server without calling the "support hotline"

Stead wrote: Also, internal IP? what on earth does that mean?
yeah ... my bad english ... i'm sorry ...
Lucio Diaz
Posts: 107
Joined: Fri Nov 26, 2004 10:12 pm
Location: Spain (lost in the Atlantic)

Post by Lucio Diaz »

First you will have to deal with the telephone company proxy :evil: then with my router ;) ...then no services/servers offered on my computer (IRC and eMule sometimes and little more), then a firewall that only accepts outgoing connections (or inbound connections from authorized programs), then I don't use IE...

Taking me on won't be so easy :)

Best regards,

Lucio Diaz.
oiaohm
Posts: 1322
Joined: Sun Dec 12, 2004 8:40 am

Post by oiaohm »

I should be able to do whatever I need to do without getting password prompts.
How much would you expect people to take?

I am trying to get answers. Would you expect 1 extra so default login is not a problem?

The problem is: email is sent to a user. User saves attachment and runs program. Due to this being 0-day no virus signature exists, or it's a new back door program. Note no amount of firewalls, routers or anything will help you against this attack, so you are down to the last line, the system security; when this line fails your system is lost.

I would expect everyone here not to be that stupid.

Now security is an attempt to protect from the user being stupid, or at least give them a second or third chance to get it right.

Sudoing is one method of locking. Yes, the user is allowed to access sections of the system using allowed programs. Notice the words "allowed programs". Since configuration programs are running as a different user to the current user, any other program run by the current user does not have rights to do damage to the system, so a virus can only destroy the account, not everyone on the system.

So a person does not like a password for configuring; what if Ubuntu popped up a warning instead, would this be handleable? Adding configuration tools would require permissions to be set.

Windows currently is one giant mess. We have programs that will not run in a limited account. So we require a tool to fix programs like this, i.e. they should all run in the ReactOS limited account. We have the default users being complete admins, i.e. every program you run can destroy the system. In Windows, rebooting is required to change everything, but every home machine will reboot at some point, so for a virus or backdoor program hanging around for a reboot is not a problem. So Windows has no security at all in the default setup. The question is how we do it without hurting people too much, i.e. provide good security with as little pain as possible, and how far should we go.

Since I am a Linux user I am trying to find out how much Windows users will take. How much has to be admin-changeable on taste.
jro
Posts: 18
Joined: Tue Jul 05, 2005 4:40 am

Post by jro »

I'm no expert, but there must be better ways to handle security. So Linux pops up password boxes. What if it was a simple "Are you sure?" box where they can click yes instead of typing a pass? The user still has the final word on what runs, and it's less annoying.

A more advanced way would be to run each program in its own virtual environment, so even if it were a virus it wouldn't affect the main system...but that's probably too far out for ReactOS at this point.
Elledan
Posts: 366
Joined: Sat Jan 01, 2005 3:18 pm
Location: Netherlands
Contact:

Post by Elledan »

jro wrote:I'm no expert, but there must be better ways to handle security. So Linux pops up password boxes. What if it was a simple "Are you sure?" box where they can click yes instead of typing a pass? The user still has the final word on what runs, and it's less annoying.
Asking for the password is a way to ensure that the same user who logged in is still sitting behind the computer, and not someone else with possibly harmful intentions.
Luemmel
Posts: 58
Joined: Thu Jan 06, 2005 7:18 pm

Post by Luemmel »

Elledan wrote:
jro wrote:I'm no expert, but there must be better ways to handle security. So Linux pops up password boxes. What if it was a simple "Are you sure?" box where they can click yes instead of typing a pass? The user still has the final word on what runs, and it's less annoying.
Asking for the password is a way to ensure that the same user who logged in is still sitting behind the computer, and not someone else with possibly harmful intentions.
besides that: clicks on "yes" buttons can easily be emulated by any virus
there have already been exploits for firefox which do exactly that

if the question is "security or comfort?" i would choose security in most cases
if it's "security or features" i would ask "which features?"
i understand people who say "i have a secure linux now i need a free OS that runs my 2-3 windows programs"
but perhaps others don't like dual boot...