145 posts • joined Monday 26th November 2007 14:24 GMT
Why in the name of all that is holy...
...when encrypted memory sticks are widely available?
1. Quenta Silmarillion would make a good TV series, not a film.
2. My understanding is that the films will only cover the events of The Hobbit, but split into two films like Hermione Granger and the Camping Trip of Doom. The "bridge" idea was a crummy one because being the lovable lunatic he was, Tolkien had sketched out the intervening period in sufficient detail that there's not really room to fit an "original" story in there.
Which is more likely?
Everyone on Gatwick Security has a single figure IQ
Everyone on Gatwick Security knows damned well it's stupid, but are terrified that if they don't follow management's instructions to the letter they'll get fired
I don't quite understand why everyone here is plumping for the former. It's all very well to decry people as "jobsworths", but if you really do risk losing your job if you don't enforce a stupid decision, who's going to throw their job away in this manner?
Found it, eventually.
I've checked through the link and the linked PDF and can't find any reference to this.
No. Why do you imagine I am?
The solution with "need admin access" people is two accounts. FredBloggs and FBAdmin. FBAdmin is either a local account on the box or a domain account that is a member of no groups beyond Domain Users and a group called "Local Access Only" which has deny privs on all shared libraries, printers etc.
Fred therefore _has_ to use the FredBloggs domain user account to access network resources. He can use FBAdmin, possibly via runas, when he needs to do admin-y things. He cannot claim he doesn't have full control of his box because he does, just not when wearing his network user hat. You will of course need to use Group Policy to control the local admin group so that FBAdmin can't add FredBloggs to the local admins group...
You justify this by saying it's not about not trusting him to run his own computer, but _protecting_ him against zero-day malware attacks.
Developers running as local admin all the time are a menace - it's this practice which is responsible for half their crap not working properly for limited users once they release it. Definitely should have the FredBloggs/FBAdmin setup. If it doesn't run as FredBloggs you haven't got it working yet.
Very badly run corporate network...
...where it's possible for users to turn off the AV. Are some of you idiots out there _still_ giving users local admin?
that can be dealt with by uninstalling the patch.
Over-egging the pudding...
...on the one hand, desktop OS updates are a breeze with SMS/SCCM/WSUS, and I very seldom see issues with machines struggling after patches.
Servers are a PITA because you can guarantee a reboot will be needed, and that needs scheduling. And while with them not coming back up is no more likely than with desktops, it's considerably more of an issue.
..."properly setup PC" would mean autorun turned off and user having minimum possible permissions. No Net Localgroup Administrators "Authenticated Users" /add going on! (Yes, I have seen this.)
But they can still infect their user profile. Fake AV is very good at doing this to limited users. AV is, IMO, still a useful tool in ensuring that the user training + properly setup PC etc. prevention method is working.
...and it's worth unpacking. One answer is "Redmond Stupid". But that's not, I think, actually it. Look at the corporate offerings - domains are expected to be the norm, and the only accounts which are automatically in the Administrators group are Administrator and Domain Admins. Not all the domain user accounts. Yes, lots of places stick Domain Users or (God help us) "Authenticated Users" into the group, but that's because they're run by lazy idiots. Leave the defaults set by MS, and domain users will only have standard user rights and permissions.
Home machines are really the issue, and there it's historical. XP Home may have evolved from NT4.0 Workstation, but it replaced Win 9x/ME, which did not have this concept of computer administrators and users, evolving ultimately from a single user isolated computer OS model - MS-DOS. Microsoft have, I think, been too scared to force the concept onto the great unwashed. Therefore the installer creates one account by default, and it's an administrator. This gives the user the access he was "used" to under older OSes, without confusing him with the concept of multiple accounts (most home user PCs log in automatically and have no password on the one account anyway).
From what I know of Microsoft, there's probably been a battle on at Redmond ever since 2001, between the engineers wanting Windows to create two accounts, insist on a password for the Administrator account, and recommending the user use the limited user account, and the marketing people insisting this was too complicated and would lose them market share - of course, the latter group is aided and abetted by application developers who actually write stuff that expects write access to HKLM, %programfiles% and %allusersprofile% just to run. Corporate shops can fix these stupid apps; home users usually can't. Nevertheless, these are getting fewer and I find very few people compain now when I set them up securely.
But to be fair...
...this happens on a proportion of machines every time you take one package off and put another on, regardless of whether either package was free.
Virii is not the plural of virus. If there were a Latin word "virius" (note the second i) its plural would be virii, but there is no such word. Nor is the plural "viri", because it's not a second declension masculine noun; it's a neuter mass noun and has no plural in Latin. The plural is therefore "viruses". "Virii" is an attempt to pretend one understands classical plurals but actually indicates one is utterly ignorant of them.
Best anti-malware code there is...
net localgroup administrators <myaccount> /remove
net user localadmin <securepassword> /add
net localgroup administrators localadmin /add
shutdown -r -t 0
Job's a goodun.
And do you know a single OS that does this? If I log into a Linux box, and open a terminal window as root, then walk away, is there any difference? People whinge about UAC enough as it is. At least it's applying the principle of least privilege even if you've logged in as admin.
How about non-admin accounts that have access to sensitive data on commercial networks? If JimBloggs has access to \\SecureServer\EmployeeSexualDeviancyRecords, and JimBloggs walks away without locking the PC, then any moron can read \\SecureServer\EmployeeSexualDeviancyRecords. Is that also crap? Should every attempt to access anything require a password?
There is a balance between security and usability - the most secure PC has no keyboard, no mouse, no monitor and no network port.
[i]If[/i] your account is a member of the local admins then no password is required. If you are not, then one is. I do wish people would actually show they have passing knowledge of the technology before posting shit on these comments pages.
Installations - that's what Runas is for. Or log in as admin, install, then log out and back in with your limited user account. If the thing has particular locations and registry keys it needs write access to, then use "runas /user:administrator regedit" to set the necessary extra write permissions. Job done. Yes, there are still a few badly written apps that still won't work; again, runas is your friend. Only evelate what must be elevated.
Because of course..
...it would be totally impossible to incorporate Linux malware the same way.
I strongly suspect it can't. As you point out earlier, nearly all these attacks rely on being able to get admin on the box - I achieved more in preventing virus outbreaks when I killed off user admin rights at my place than I've ever done by installing AV software.
The biggest idiots in this whole game are system admins who use various application compatibility excuses to give users local admin. It's the only way these big outbreaks that take organisations down can really occur. It's an admins job to find a way to make the software work - or to have the balls to say "this is a crock of shit, is badly written, and is incompatible with our security policies" if it really is impossible. Not to use the "chmod 777" approach... By default, only the local administrator account and the Domain Admins group have administrators membership on a domain PC, and you should keep it that way.
If management insist on a "admin privs or your job" approach, then send, print and keep an email detailing the risks, so when the shit hits the fan you can point out that you told them so.
And in Windows too these days...
...unless you've turned UAC off because it was "annoying". OK, no password required if you're running as admin, but that would put you in the same camp as a Linux user running as root.
As far as I'm concerned...
..they're all shit. Inevitably; because you're trying to do things on a tiny screen with a wanky little stylusy thing. It's all Sirus Cybernetics Corporation stuff - the satisfaction gained from getting it to work serves to hide the fact that it doesn't do anything useful.
Want to know how much time you've spent typing in a few words with a stylus which would have taken a few seconds on a computer? There's an app for that.
[braces self for flood of posts about how marvellous they are]
Amazing how many commentards
haven't noticed that this is a complete non-story. Windows Server 2003 with no SP is not supported. XP pre SP2 is not supported. Vista with no SP is not supported. This is business as usual. MS only ever supports the current and previous SP for any length of time.
For the hard of thinking:
VISTA IS STILL SUPPORTED BY MS
You just have to service pack it, if for some arcane reason you haven't already done so.
I'm not sure who has the lowest IQ here - the reporter of this non-story, the headline writer who got it completely wrong, or the commentards who can't read for meaning. Minus several million out of ten for intelligence, all.
User running as Admin (BAD BAD BAD BAD BAD but too many shops do it so they can put all the stuff that should be in startup scripts or managed properly in login scripts and so they can talk users through doing *anything*), directed to dodgy site which downloads .exe. .exe sets registry keys to copy new atapi.sys on next boot, just as if a windows update or service pack had done it. There's a writeup here http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html on how TDSS does it. I've found this on two or three machines where some support company from Hell thinks that the output from 'net localgroup administrators" should include the line "NT Authority\Authenticated Users" (I kid you not, bunch of fuckwits.
Read the feckin' abstract, and you'll realise that there is a clear distinction between the outcomes of the study (which are pretty concrete and quantified) and hypothesising over the mechanism (which btw does not form part of the paper).
I don't know wether your understanding of the scientific method and how to read abstracts or your grasp of the English language is the more appalling.
They call that "beer"
it's not drunk by "old men" but by "discerning drinkers". as opposed to the cold yellow fizzy piss aka "beer for people who don't like beer".
%age increases in risk are meaningless without knowing the actual numbers. Reading the abstract, we see that the risk of pancreatic cancer was found to be 1 in 432 over 14 years. Without knowing the proportion of the sample who did drink large quantities of soft drinks, we don't know whether that's the risk for drinkers or for non-drinkers, or (most likely) a combination based on the proportion of drinkers. However, taking a worst case scenario, that this is the risk amongst non drinkers, then an increase of .8% risk as found would increase the number of cases from 140 to 252, which means a risk of 1 in 240. Put another way, an extra 110 cases in a population of 60,524 could be expected if all of them suddenly started drinking lots of pop.
Hardly "2 cans = death", but don't let the actual numbers get in the way of a story.
...no-one banging on about how unstable the XP/W2K3/Vista/Win7 kernel is is actually posting any evidence or even anecdote that it is. I use both and IME they [i]are[/i] stable. There seems to be a flippant assumption that it isn't because of course it's teh eevil Micro$haft.
Most of my W2K3 servers only get rebooted when I have to patch them. The only exceptions are the terminal servers, but given the shite people insist on me installing on them, I'm not surprised.
I do remember when the W2K source code was leaked. Outside of a few people who were determined to see what they wanted to see, I seem to recall that the general response was favourable. MS coders are not idiots, but they're often constrained by stupidity further up the adminisphere at MS.
And I use Windows for a number of reasons, but not one of them is the availability of 3rd party drivers. AC at 11.17 is talking classic drivel.
To be fair...
...analysis of crash dumps (admittedly done by MS) shows that most (over 95% IIRC) of them are caused by buggy 3rd party drivers - not an issue MacOS has to face.
Given that I've had about half a dozen BSODs in the 30 months I've had a Vista box, and I only reboot it after patching, and all the BSODs were indeed nVidia related, I would say that my experience of the Vista kernel is that it is very stable indeed.
Under the bonnet, Vista and W7 are that similar that I imagine most W7 apps will run on Vista without even thinking about it.
...printer deployment via GPO to machines or users. Particularly nice that it can be done from printer management without working through the myriad GPO settings to find the right one.
But where, still, is the native support for mounting an ISO and create ISO images from folders and files? The code for the former must exist because VMs in Virual PC can use an ISO as a CD drive! Should we just be grateful that we can now natively create a CD from an ISO?
Stuff that; they shouldn't be able to install anything. Make them users and nothing more. No user should have an account that can write to %systemroot% or %programfiles% or anything under HKLM in registry. That's your job as an admin, as is making software which assumes the user has more rights than that work for standard users. It always can be.
DATs should not rely on logon scripts; that's what the AV vendors' management suites are for. Ditto Windows updates - turn it off and use SMS or WSUS. That way you have control over what goes on.
Word does not run executables. If you double-click the attachment *from the email*, then you will run the executable rather than open it. The malware fakes the document opening. Lots of people open attachments by double-clicking them straight from the attachments window. Nothing to do with retarded WP software.
Obviously if the attachment is saved and an attempt is made to open it in a WP program, it will either fail to find it altogether (because it doesn't have a document file extension), or fail to open it because the file format isn't recognised by the WP.
So the answer to your question is "nobody, no, not even Microsoft".
#Fail & Ted
A Windows NT 4.0 domain* is not the same thing as an active directory. Nor, technically, is a W2K or W2K3 domain, but that's nitpicking in this context.
*Yes, they are still in use. Last time I tarted around with Samba it was emulating at that level. Yes, I do know it's moved on, I just haven't fannied around with the version which talks AD yet.
A correction or two - Both Scottish and English culture, language and so on are derived from a mixture of Ancient British, Anglo-Saxon and Norman. There is also Gaelic in parts of Scotland.
Scotland has three languages - English, Scots (closely related to English, the language Rabbie Burns wrote in) and Gaelic (related to Irish and considerably more unpronouncable than Welsh).
Cornwall is considered by some of its inhabitants to be seperate from English, having maintained a Celtic language (related to Breton and slightly more distantly to Welsh) until fairly recent times (that's the early 19th century to us) which has been reinvented and revived, and has been in use by a small group of enthusiasts for the last 100.
- Geek's Guide to Britain BT Tower is just a relic? Wrong: It relays 18,000hrs of telly daily
- Product Round-up Smartwatch face off: Pebble, MetaWatch and new hi-tech timepieces
- Geek's Guide to Britain The bunker at the end of the world - in Essex
- Review: Sony Xperia SP
- Dell's PC-on-a-stick landing in July: report