Re: I often wonder....
Sorry to put a dampener on your Linux position, but it doesn't matter how good the OS is (and UNIX-like OSs have some important differences from Windows), these protections are quite easy to disable, and this happens frequently in the name of 'maintainability'.
I have been a UNIX admin., system integrator and troubleshooter for over 40 years. In that time, the skill level of your average system administrator has gone down as time has passed. And this is not just the mainstream. Back when it was a niche profession, people normally only got into it if they were really interested. If they were interested, most would want to be as good as they could.
I laughed out loud at the comment above for the 'system ("sleep(1)")'. I have seen call out to shell commands for trivial reasons from inside a compiled program so frequently that I was surprised it caught me the way it did.
IMHO, the profession started changing in the '80s and 90's, when 'computing' and 'IT' started being seen as a sexy and well paid profession. People came to it to earn money, and as a result often saw it as just a job. The result? People who weren't really invested in doing the best job possible, whether it was designing systems, writing the software or looking after them.
But I feel that the vulnerability to ransom-ware attacks is principally a design issue, because today's architects are yesterday's 'just-a-job' programmers and system admins. They're driven often by cost to just think about ease of access and maintainability, so design environments such that data stored on shares is often not sufficiently segregated or controlled by the protections that are already built in to all mainstream OSs, and often domains are far larger, or have too many trusts to other domains, than is conducive to secure operations. Things may change now, but there's a lot of technical debt.
This means that if a miscreant gets access with the relevant privilege, they can tear through the whole environment with staggering speed, with few barriers to stop them, often being able to do significant damage to widely accessible data from non-privileged accounts. This can be the case for data accessed in network shares even from Linux or other systems.
We need new thinking, segregating data and controlling access in line with least-privilege principals. We need to move away from "Hey, I can administer the whole environment from this one domain account". For the most sensitive data, we need significant control of what data can be seen by whom and from where. Segregation will not stop this type of attack, but will limit it.
I'm not actually sure whether this will align with "Zero Trust" (I'm still trying to make sense of the many different interpretations of this), but where we are now is almost the worst of all worlds.
Biting the hand that feeds IT
