[openbeos] Re: . or no .
- From: "Donovan Schulteis" <deej@xxxxxxxxxxxx>
- To: openbeos@xxxxxxxxxxxxx
- Date: Mon, 13 May 2002 02:31:09 -0400
> > Something that I'd keep in mind regarding issues like this
> > is that it's easier for an experienced security-minded
> > individual to take the "." out than for a newb to put it
> > in.
Yeah, and leave holes in the "uninitiated's" systems - just like
Windows users, right? ;)
> > Little things like this make users say things like, "it
> > just _works_".
>
> Yeah, that's the BeOS spirit. :)
>
> Since BeOS isn't currently a multiuser system
> attacks are more likely to be remote ones,
> in which case the path exploit is less likely, I should
> think.
I would think that you wouldn't want to put something in knowing when
something else is added (multiuser) that you'll have to remove it and
confuse all those users who's paths aren't correct anymore.
Plus, your thinking is flawed. The . in the path allows someone to
remotely execute applications they place before the system ones, just
as easily as they would sitting at the machine. Or allow a hacker to
run a different program than the one you "think" you are running.
Imagine me hacking into your OBOS box, and then replacing your ls with
a script to first run a keystroke recorder - for passwords, storing
this info in some obscure file somewhere - and then run the system ls -
and you'd never even know unless you were looking for it.
> Anyway, this is a desktop OS, and it's not a UNIX,
> so we don't necessarily have to make the exact same
> design decisions, as long as we make sound ones.
That sort of thinking will get us in a bad spot (IMHO). It's a desktop
system yes. But so is XP - MS's "most secure" yet - full of holes.
Multiuser and security must be there, at some point, if you expect
people to connect OBOS systems to broadband connections where script
kiddies can have 24x7 access trying to hack in. Don't make it any
easier by implementing known UNIX vulnerabilities from the getgo.
MHO :)
Deej
Other related posts:
