undefined | Better HN

0 pointshedora3y ago0 comments

I suspect you are conflating security regulations for Unix users with regulations targeting users of the system.

Why would a regulatory framework care if a Linux box running one process was vulnerable to attacks that involve switching UIDs?

Converse, why would that same regulatory framework not care if users of that network service were able to impersonate each other / access each others’ data?

0 comments

salmo3y ago

Most of the controls are about auditability and data access.

But the control frameworks are silly sometimes. Then add in that they’re enforced by 3rd party auditor consultants looking for any reason to drag it out.

And yeah, I tried to get this past them for a old singleton system to avoid having to buy a bigger non-standard server.

j / k navigate · click thread line to collapse