Andy Smith's Blog

The thing is that I ran into problems which were so annoying I switched back. For typing code and all, it's not required to be administrator. For remotely debugging you have to be, sadly enough. And for doing all kinds of things I had to jump through hoops to get things done, it got really annoying. Perhaps I'm not the average developer, so what I say is not true for a lot of others, however I found it not that great.

Then I thought: what if I keep running as administrator, what is the possibility of being vulnerable? I use firefox, no IE, I've disabled script in IE for internet sites for the occasions IE is used as a viewer. I don't open any attachments. I use outlook 2003 which strips off any attachments which are vulnerable, I don't run cracks/illegal software etc. Every byte coming into the network is virusscanned.

There is not a big chance of getting vulnerable and even if I run as a joe sixpack user: because of the flaws in the shell, I'm just as vulnerable as an administrator. Meaning: I have to jump through serious hoops for a lot of stuff I do to not run as administrator (and not be able to remotely debug asp.net sites etc. (we use a central devserver)) and still am vulnerable as if I were administrator.

Of course, everyone should make the choice based on facts and reasoning and if the choice is: administrator, it has consequences: you have to be serious about security, but that's not that hard :) as it's common sense.

If I just had to hammer out code on a single machine, I'd probably run as a normal user too (not sure, probably), however for me that's not an option. I also would like to add what I also said in G. Andrew's thread: don't think you're safe when you run as normal user. You're not.

This run as an administrator thing is way overblown. I run at the administrator on my laptop when I do development on it. I have never had the first problem with an application that I have developed for a customer. I know what the issues are, I know where my problem points are. I know what to do and what not to do. This is an overblown development issue. My applications are not required to run as the Administrator. I wish Andrew and others would just get over it.

BTW, I don't write pretty picture web applications. I write business applications including web apps, winforms apps, and Windows Services.

Wally

In the psychology world, I believe this is called negative reinforcement. By running as Admin and never having any problems, you are reinforced to continue the bad habit. I'm guilty of it. Switching to a non-Admin account and having lots of troubles with applications is further negative reinforcement :-\

"I have never had the first problem with an application that I have developed for a customer."

"I wish Andrew and others would just get over it."

Such convincing arguments, Wally. I'm glad to hear you've never had any problems. Doesn't mean you won't ever, nor does it mean you've never caused a problem for a customer. You just may not have heard about it.

While you're telling me to get over it, perhaps you should tell Michael Howard, Keith Brown, and a number of other folks who are smarter than me, and better at security to "get over it". I'm sure they'll appreciate the advice. ;-)

Guys,

It's very much a startup but I've started to catalog the applications I've struggled with and fixes where appropriate.

It's gonna be a long task but one I think is worth it to put the pressure on the commercial software developers to write apps that at least follow the Windows design guidelines.

I've been coding these things for 15 years now and and have been involved in so many implementations that have required security "fixes" on the workstation so that the code runs properly - hence the starting of the website to manage it.

Only my two-cents but if anyone wants to help by sending infor on problem apps and fixes then feel free.

cheers,

g