97 posts • joined 3 Aug 2012
Had a good read through the Linux Foundation website and while the idea looks very interesting and somewhat promising... is it sufficient? Obviously while it's key to know your way around the OS I do find that it's the configuration of various key services which are not always up to par.
Which really brings us to the big question; should the certification go beyond the core OS and also test against default and in addition commonly used services? sshd? snmp? mrtg? iptables? logrotate? To name a few. Go a little further even and set up and optimize httpd for specific requirements. Or even a Mail Exchange with POP3/IMAP services along with database et al.
Additionally, while it's definitely important to know your way around the CLI and the local man pages I have never believed in setting up systems fully without documentation. I actually spend more time reading documentations than actually configuring my Linux boxes because I am insanely OCD when it comes to at the very least reviewing every single configurable parameter there is for a service which I am required to set up. For Apache for instance every single module is reviewed and if I do not deem it as being necessary it gets commented out. But it's hard to do without being in front of the Apache Wiki since I cannot always remember what each one of the hundred or so Apache modules does.
So it really isn't just about memorization... but also about having good habits. I actually spend very little time in front of the terminal because I simply find it more effective to download the required config files onto my workstation and edit them there where more often than not I have a browser running in the background with the documentation open for the service in question. When all is said and done save the files, upload them back onto the server, quickly terminal in to restart the service. And done.
The side-effect of that is that I'm not necessarily the fastest in getting the job done. Far from it. But I pride myself in getting the job done well. Having said that I do have a keen interest in acquiring this certification because studying for it will most certainly fill in a few small gaps here and there.
I've never touched RAID on Linux, for instance. Because I'm spoilt and always have the privilege of working with hardware RAID controllers on my servers. So yeah. Stuff like this which I have never thought of bothering with in the past I'm now interested in playing with because who knows, it might come in handy in the future. And while I will still be reading my documentations as per normal if I am ever required to commit to a live installation, at least I'll have some prior experience.
Re: Update management
In all honesty I have actually never ever encountered problems rolling out Flash updates via GPO as long as you update version after version (missing out on a couple of versions can cause problems). Acrobat on the other hand is one royal pain in the arse.
If you download a 10.1.3* setup file of Acrobat for example you will actually notice that said setup file actually contains a 10.0 MSI followed by a 10.1 MSP and a 10.1.1 MSP and a 10.1.3 MSP. Or some such. Seriously. WTF? Then having to create an administrative install of this fucking unnecessary mess because Fuckobe haven't the slightest fucking clue on how to keep their base installers up-to-date. And forget about rolling out the MSP's individually. Almost never works. So every single time there's an update... extract setup, extract MSI to admin install, extract all the MSP's, run the Acrobat Customization Wizard for the 74th time to make sure nothing broke the MST... DEPLOY.
No such problems with Foxit.
*I probably made those version numbers up but you get the idea. It's been a while since I had to deal with this excuse of an application.
Using Foxit myself... and while I do appreciate not having to update the software every other week it does also make me worry at times. Hah.
Re: flame on
I've been playing with RHEL 7 since the first public beta and have just finished migrating all of my servers from RHEL 6.5 to 7.0 (I typically try and coincide hardware and OS upgrades so these were all clean installs on fresh hardware). So far so good.
Having said that, yeah, RHEL moving to systemd was quite an annoyance. Admittedly I haven't actually run into any systemd-specific issues yet and half of my gripes really boil down to me having been deeply rooted into playing with init scripts while the other half being the well-documented nature of the systemd devs (after Linus went on a big rant against one of said devs quite a number of other individuals also expressed their displeasure with the way the systemd maintainers handle bugs).
The only issues I've had with RHEL 7.0 to date were all installer related. Anaconda kept crashing at random and the interface with its nonsensical tab order was aggravating to navigate keyboard-only (especially when choosing NOT to have your partitions automatically created for you). Which really does suck as I typically do not have a mouse on hand when working on my RHEL systems. At times the installer would initialize not detecting one or more of my network interfaces. Other times it would simply crash when navigating from one menu to another.
Really. Here's a piece of advice to anyone installing RHEL 7.0; get out of the installer ASAP. Go in, partition your arrays, and get out (sticking to the standard minimal install). Which is what I usually do but I do at times like to also quickly get my hostname, network interfaces and clock configured.
Annoyingly the RHEL 7.0 installer also seems to omit some options which I am quite adamant were in the RHEL 6.x installers. You no longer have the option of configuring a boot-loader password during install and neither are you asked whether or not you want your clock to be UTC. Minor issues but annoying nonetheless as it just adds onto the number of config files I need to dig into post-install.
Once I'm out of the bloody installer though it's all smiles. Happy to have finally moved onto newer revisions of numerous packages. It really is frustrating when you're left out on new and useful features because you're a number of versions behind... and I really try to stick with the standard/optional RHEL packages on my mission critical systems in order to ensure hassle-free updates.
Re: Am I safe?
Running the hash through a number of search engines yields plenty of results (many of which from 2012) so my guess is that you're quite safe.
Re: Aren't they regulated as a bank these days? Or does that just apply to their Paypal racket?
Paypal? Regulated like a bank? HAHAHAHAHA. Wishful thinking.
Yes, I'm serious. Paypal themselves very openly abuse the very fact that they "aren't a bank" and thus cannot be regulated as one within the vast majority of countries they operate in.
It is interesting however because when it comes to matters which strictly benefit Paypal (i.e. them requesting for copies of your national ID) they suddenly behave all "oh we must have this information as we're a "financial institution"". But the very moment your Paypal account is frozen for whatever arbitrary reason deemed fit by Paypal then the tone swiftly swings to "we are not a bank and thus the only legal document which matters is *our* TOS and fuck all".
Yeah. Fuck you too Paypal.
Re: Pretty easy
Hah. Anyone else remember the days from the Windows 95-98 era when applications costing upwards of 20 bucks would claim to "INCREASE YOUR COMPUTERS MEMORY!!!11!1!" (read: increase the size of the Windows page file which anyone could do from "Control Panel" -> "System".)
Re: Lots of last-minuters out there.
From my experience even most small companies with staff who primarily use their systems for mail and web browsing have long upgraded from XP. Don't forget that these are typically companies with no fulltime administrator where the company owner simply buys off-the-shelf with whatever operating system said systems happen to have on them during the time of purchase.
Hence any such user who has purchased a system over the past seven years should already have Windows Vista installed (and believe me when I say that despite Vista's issues a lot of regular users simply didn't care as that's what the computer came with).
Re: I don't believe it...
Some months ago I saw a photo on Reddit of a lost notebook someone had found. Fella tried to boot the system up and was greeted with the lovely sight of the Windows Vista smartcard logon screen...
...along with a US DoD Property notice.
Does that answer your question? :P
Quite worth reading the rest of the LKML thread...
...as it seems that quite a few others are miffed at the systemd maintainers as well.
This is rather mean.
I mean at least Microsoft gave everyone years of advance notice with respect to Windows XP's impending End-of-Life. Even then, though, it's technically still possible to use the Operating System.
If I were one of Juniper's customers and all of my kit suddenly died with zero advance notice what-so-ever I'd be rather miffed. Especially so if the fail-over routers were also old and thus also affected.
Routers especially tend to last rather long and for most part if you're utilizing nothing beyond core routing functionality it's not uncommon to be able to get away with not patching the router for years. I've seen tons of Cisco routers in the wild running on ancient versions of IOS. But hey, if it works, why not? Imagine if every single Cisco router in excess of five years old suddenly "deactivated" overnight... half the internet would probably collapse.
My reaction: Finally!!! Wait... god damnit!
"Finally!!!" because such a facility is awesome and couldn't come sooner.
"god damnit!" because considering this nugget of brilliance is only going to be released on Fedora later this year there is simply no way of it coming to RHEL 7.
(Small team here so it does help tremendously in the "update management" department if we simply stick to what's available on the standard RHEL repositories... especially since Redhat does an astonishingly good job (in our experience) in ensuring that patches don't end up borking our live servers (and of course replace RHEL with CentOS for our less mission-critical servers)).
Re: The same-old same-old
My sole purpose for logging in after reading this article was to make a comment about the unions along with the striking resemblance of this case to that of "New Jersey versus Tesla" but I guess that's been settled already.
Having said that however I do feel that I need to make a further mention that unions are nothing but a complete waste of oxygen. Their only purpose seems to be... well... how should I put this...
What's that old American saying again? "How many workers does it take to change a street light (bulb)?"
Abacus? That's a little mean... no?
I mean yeah it might be a tad bit old...
...but at least it doesn't suffer from security vulnerabilities.
Re: 850,000 Bitcoins worth hundreds of millions of dollars
Except that a very recent leak revealed that MtGox had over 950,000 Bitcoins?
Considering MtGox's "trustworthiness" then (oh who am I kidding, this is the same MtGox which had parsed usernames and passwords in plaintext through URL's when the site first launched) I wouldn't be surprised if MtGox DDoS'd themselves in order to portray a false image of MtGox being the victim.
Apparently "five passengers booked on the flight did not board and their luggage was consequently removed" and "it has also been confirmed that two passengers were travelling on stolen passports."
While not evidence of foul play, it is suspicious.
Condolences to all.
Re: Woo hoo! Phishing opportunities galore!
I actually thought that Microsoft's popup did 100% resemble a phishing dialog.
Things are sure to become quite interesting in the near future.
All that's left to say is... Yipieee!
Re: Symantec and McAfee (among others) have not responded
Yeah. This is the same Symantec that has for quite some time now refused to participate in AV-Comparatives while just about everyone else has no issue with said participation.
That in itself should already be setting off alarm bells.
This however is just another reason for anyone to avoid Symantec at all cost.
Considering VL Windows 7 SKU's are no longer available...
We over here purchased a hundred Windows 8 licenses not long ago...
...to install Windows 7.
Re: Wouldn't have happened if merchant accepted PayPal
What would have happened instead is that I would have walked out of the shop empty-handed because PayPal would have locked, suspended or otherwise denied me access to my funds in my account in the name of "my safety" and whatever other colossal Godzilla dung.
Kinda a small little bit of detail missing eh Mr Marcie?
Double-U Tee Eff?
In the first place shouldn't HP be providing us with servers with non-broken firmware?
And if said firmware is broken shouldn't it be HP's responsibility to mend it at no additional cost?
Admittedly it has been a while since any firmware on any server has given me any major headaches. Having said that however we did shift away from HP ProLiant (to the delight of just about everyone in our company) many years back and we are now Dell PowerEdge exclusive.
I guess the one benefit I see of this is that it's now a lot easier for me to convince my clients to stay clear from HP. While it is quite rare for there to be critical firmware bugs three years after release it is always nice to get small performance bumps from time to time through firmware optimization.
Had this update in our repository within five minutes of receiving this particular advisory.
Have to say though... considering that Patch Tuesday is a week away this must've been pretty damned urgent for Adobe to release an out-of-cycle patch. Most of the time we'd be waiting another week. Or two. Or three.
...where I'm from I can certainly see this attack working extremely well.
The vast majority of ISP's here simply authenticate users by checking against the MAC address of their router/modem. To the ISP it's one less thing for the user to screw up and hence one less issue for the user to create and subsequently call the ISP to complain about.
It also makes it easier for everyone when a given user chooses to change their router/modem. Simply call the ISP up, give them the new MAC address (which more often than not is printed somewhere very obvious on the appliance), and let DHCP take care of the rest.
And as already mentioned, just about everyone isn't interested beyond getting their router up and running and as such most users will not notice much of a difference pre/post factory reset. Sure, WiFi might stop working... but they'll probably just try to log into their router with the default credentials which they never bothered to change in the first place to set WiFi up again and all's well in this world again. In their view at least.
What a laugh and interesting read the comments in this article are.
Wasn't going to comment on this article originally. I now feel the urge however to mention that this is one of the big reasons I read The Register. The comments section in articles are often filled with both insightful and outright humorous posts which can go on to make my day.
I've long had an interest in reading up on disaster-related incidents of various types and there was at least one story linked which I hadn't heard before. Thank you for that, Dan Paul.
(One of the original reasons for my interest was from back when I was a rather young chap when I noticed that everyone keeps banging on about how everything nuclear is the root of all evil. Yeah, radiation can be bad. We get it. It's stupid however that even the smallest of incidents involving any form of radiation often over-shadows much larger incidents of other types. I, for one, have noticed that while just about everyone has heard of Chernobyl almost no-one I know is aware of the massive chemical incident in Bhopal. And the two incidents weren't exactly far off from one another.)
This bit though made me spend the next half hour cleaning my monitor;
Daniel B.: "Indeed, all radioactive stuff has explicit labels like the all-known fan-shaped one and "MATERIAL RADIOACTIVO" stamped on it."
I like crisps: "or MATERIAL......SCORCHIO!!!!"
And now for a suitable icon...
Re: "unless a BOFH opens a email containing rigged PDFs from a vulnerable server"
You'd be surprised.
Some months ago a friend of mine had made an urgent request for me to pop by her office to take a look at their failing Microsoft Exchange 6.5 on Server 2003. Apparently their outsourced IT "support" (and I use the word "support" rather loosely here) were too incompetent to solve the problem.
Anyhow. Dropped by her office. Asked for her to log into the server. My jaw hit the ground when I saw the desktop and then hit the core of the earth when I navigated "All Programs".
Chrome? Check. Firefox? Check. Thunderbird? Check. Adobe Flash? Check. Adobe Reader? Check. Silverlight? Check. Nero? Check. Antivirus definitions dated 2009? Check. Firewalls disabled? Check. And I could go on forever, frankly.
And this was on their corporate Exchange server.
I had, admittedly, performed a similar cockup many years ago.
While moving our firewall policies from one GPO to another I had forgotten to disable the destination GPO first before applying the new firewall rules. And because the base policy was to block all inbound and outbound connections by default (and also because I was rather slow in setting the new firewall rules up) quite a number of systems inherited the new GPO before it was fully configured and were thus left in a state where traffic in both directions was being blocked.
Fixing that wasn't fun as I couldn't automatically force all the affected workstations to acquire a new policy since I had successfully bricked their network connections.
Lesson learned though is that I now set up new GPO's as very-freaking-disabled, configure them, export to test environment, test, and then enable them if all goes well in test.
For Microsoft to have made a similar cockup though... hahaha.
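The staging order described in the post above, sketched as an added example (not the poster's own script). It uses the GroupPolicy and NetSecurity PowerShell modules; the domain `corp.example`, the GPO name, the backup folder and the two sample rules are placeholders, and the backup step is this example's stand-in for "export to test environment".

```powershell
# Added example: create a firewall GPO disabled, configure it fully, export it
# for testing, and only enable it once it demonstrably contains rules.
# Domain, GPO name, backup path and rules are placeholders, not real values.
Import-Module GroupPolicy
Import-Module NetSecurity

$Domain    = 'corp.example'
$GpoName   = 'Workstation Firewall (staged)'
$BackupDir = 'C:\GpoStaging'

function New-StagedFirewallGpo {
    # 1. Create the GPO and disable it before it holds a single setting,
    #    so clients that pick it up mid-edit apply nothing.
    $gpo = New-GPO -Name $GpoName -Domain $Domain
    $gpo.GpoStatus = 'AllSettingsDisabled'

    # 2. Build the whole rule set in one cached session and write it once,
    #    rather than editing the live policy store rule by rule.
    $session = Open-NetGPO -PolicyStore "$Domain\$GpoName"

    New-NetFirewallRule -GPOSession $session -DisplayName 'Allow DNS out' `
        -Direction Outbound -Protocol UDP -RemotePort 53 -Action Allow | Out-Null
    New-NetFirewallRule -GPOSession $session -DisplayName 'Allow Kerberos out' `
        -Direction Outbound -Protocol TCP -RemotePort 88 -Action Allow | Out-Null

    # Default-deny in both directions goes in last, after the allow rules.
    Set-NetFirewallProfile -GPOSession $session -All -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    Save-NetGPO -GPOSession $session

    # 3. Export the still-disabled GPO so it can be imported into a test domain.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Backup-GPO -Guid $gpo.Id -Domain $Domain -Path $BackupDir | Out-Null

    return $gpo
}

function Enable-StagedFirewallGpo {
    # 4. Run only after the test import behaved as expected.
    #    Refuse to enable a block-by-default GPO that has no allow rules.
    $allowRules = Get-NetFirewallRule -PolicyStore "$Domain\$GpoName" -ErrorAction SilentlyContinue |
        Where-Object { $_.Action -eq 'Allow' }

    if (-not $allowRules) {
        throw "GPO '$GpoName' has no allow rules; enabling it would block all traffic."
    }

    $gpo = Get-GPO -Name $GpoName -Domain $Domain
    $gpo.GpoStatus = 'AllSettingsEnabled'
    return $gpo
}
```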
Re: so far so good
I'm personally surprised that no one has commented on their use of NetSol in the first place.
Now I do admit that I haven't visited NetSol's site in years (and still refuse to even in the name of fact finding) but last I checked NetSol was still charging ludicrous mark-ups on domain name registrations claiming "superior support" over their competitors as justification of said ludicrous mark-up.
If my other half (who is not IT savvy at all) is able to figure out on her own (and with ease) how to register a domain name and then forward said domain name to her blog then I think we can do without NetSol's claimed "superior support" and just go with a more affordable (and reliable) alternative.
Re: Why bash IE? This would be a non-issue if you configured your browser proper.
Are those facts or merely your personal opinions? I do not typically stay on top of which browsers have suffered the most security vulnerabilities but doing a quick search online reveals a number of articles showing that there was at least one year where both Chrome and Firefox had over two times more high risk vulnerabilities than Internet Explorer. Each.
Internet Explorer was an absolutely crap browser all the way till 9. Which was decent. But with 10 Microsoft has certainly gotten their act together. I used to use Firefox during the earlier days of IE until the release of IE9 as Firefox dev seems to have suffered a number of quality assurance problems during that time (plenty of crashes, infinite loops, memory leaks, and et cetera). Things have gotten better for Firefox recently, however. Just like how Microsoft has improved Internet Explorer.
My only criticism of Internet Explorer (or Microsoft, really) is that from 9 onwards it is no longer provided to users of Windows XP. I actually aggressively recommend Firefox to Windows XP users. For those on 7 however I simply say "well, it's really down to your personal preference".
Why bash IE? This would be a non-issue if you configured your browser proper.
I'm probably going to be down-voted quite a fair bit for saying this, but let's be honest here... your choice of an "alternate" browser doesn't suddenly make you "all so security savvy". What matters is how your browser is configured along with your browsing habits.
Based on Microsoft's advisory I'm pretty much unaffected by this vulnerability. My standard Internet Explorer configuration involves custom security zones configured with ActiveX very disabled, many other features I do not require also disabled, all default IE plugins disabled and Internet Explorer running in enhanced security mode (which forces 64 bit, ASLR and et cetera).
As already mentioned every browser encounters security vulnerabilities and bashing Internet Explorer exclusively every time Microsoft releases a security advisory is childish. I could even go as far as to say that Internet Explorer is actually FAR more customizable than Chrome from its user interface from a security perspective (primarily due to the decent amount of options offered when customizing a security zone though quite a few other security related options can also be found in the Advanced tab).
This perpetual Internet Explorer bashing is slowly becoming old.
No mention of Obsidian?
While Myst was and still is an astonishing game let's not once again forget about the existence of an equally as astonishing masterpiece named Obsidian (by Rocket Science Games).
Let me point out however that this company was appropriately named. Obsidian is infinitely more difficult than Myst. It took me months before I reached the FIFTH CD (yes, there were five CD's in total) and I eventually gave up. I have been gaming for 20 years now (with much experience in puzzle/adventure games) and Obsidian is the only game I have given up on (and I'm quite stubborn when it comes to not going online for walkthroughs as I enjoy the satisfaction of completing a seriously difficult game on my own).
Personally I did not find Myst difficult at all (completed it in about five hours a few months back and the last time I touched the game was in 1994). Myst had its plus points in many other areas however which have already been mentioned in the article.
Take my word though. If you enjoyed Myst... play Obsidian. It has an astonishing story. An absolutely unreal environment with concepts and ideas which are truly unique to this game. And its puzzles... my lord. Your problem solving skills and patience will be pushed to their absolute limits.
Trust me on this.
Have said it before and will say it again...
...thank Intel for delaying 22nm E5/E7 Xeon's.
If you consider the fact that servers need to last a good many years it does make one hell of a difference in power and cooling costs when you compare 22nm versus 32nm. And even as we speak right now Intel's 22nm E5 Xeon parts are STILL not out.
Yes, I'm aware that they'll hit the market in Q3, but the fact is this delay has caused us to pretty much eradicate all server upgrades over the past 15 months. And I know I'm not the only one.
After all the primary benefit for me to upgrade my servers is to reduce power and cooling costs. Performance is a plus point, sure, but it's a secondary benefit for most part.
Re: but experts say it is likely that they wouldn't have to serve any prison time at all
Of course... since the mishandling was not of US government information.
Re: Somewhat annoyed (Attn: rcorrect)
Back when I used to use Chrome (don't anymore for obvious reasons) I actually found a way around this (along with getting rid of the bloody annoying "New Tab" page in Chrome). I'm not sure if this still works, though. Give it a shot if you've got some time to spare.
In the registry and in HKCU navigate to "Software\Policies\Google\Chrome" (you will likely need to create these appropriate keys) and create a string named "IncognitoModeAvailability" and give it a value of "2".
"0" means "Available", "1" means "Disabled" and "2" means "Forced".
I discovered this as this feature was made available in the Chrome GPO Administrative Template. You will notice that it's impossible to "Always Force" Incognito in Chrome otherwise. Obviously, as it clears all cookies and browsing history and et cetera. And no cookies means no ad revenue for Google. For most part. This registry value (normally applied through the Chrome GPO Administrative Template) was obviously added as a way for Google to "please" enterprise administrators while keeping it out of sight of most other users.
Also, when using Incognito, the "New Tab" page is replaced with an Incognito notice and thus eliminates the "New Tab" page altogether.
Now, I'm aware that it's possible to add a command line argument to a Chrome shortcut to launch Chrome in Incognito. It's a half-arsed solution though as your Chrome shortcut isn't called when you open a link from your E-Mail client, for example.
BE WARNED however that Chrome is notorious for maintaining "browsing history" in its various caches and databases even after you have cleared it and even when using Incognito. As I no longer have Chrome installed I can't provide you with the details. However, visit any webpage in Chrome, clear your browsing history, and grep your local Chrome directory within your Windows user profile with the name of the site you've just visited. You'll get what I mean.
Again, I'm not sure if any of this has been "fixed" since I last used the browser. But you get my point.
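The registry setting from the post above, as an added PowerShell example (not part of the original post). The key path, value name and the 0/1/2 meanings are the ones the post gives; the value is written as a REG_DWORD here, the type Chrome's policy documentation lists for this setting, where the post describes a string. The function names are hypothetical. Chrome also reads the same policy from HKLM, so the check reports both hives.

```powershell
# Added example: set and audit Chrome's IncognitoModeAvailability policy.
# Path, value name and meanings come from the post; DWORD type is this
# example's choice; function names are illustrative.
$PolicySubKey = 'Software\Policies\Google\Chrome'
$ValueName    = 'IncognitoModeAvailability'
$ModeNames    = @{ 0 = 'Available'; 1 = 'Disabled'; 2 = 'Forced' }

function Set-ChromeIncognitoPolicy {
    param(
        [ValidateSet(0, 1, 2)]
        [int]$Mode = 2          # 2 = Forced, as in the post
    )
    $key = "HKCU:\$PolicySubKey"
    # The post notes the keys usually have to be created first.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name $ValueName -Value $Mode `
        -PropertyType DWord -Force | Out-Null
}

function Get-ChromeIncognitoPolicy {
    # Report the value in both hives so a conflicting machine-wide
    # setting is visible next to the per-user one.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$PolicySubKey"
        $raw = (Get-ItemProperty -Path $key -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName
        $num = $raw -as [int]   # tolerates a value stored as a string

        $meaning = if ($null -eq $raw) {
            'not set'
        } elseif ($null -ne $num -and $ModeNames.ContainsKey($num)) {
            $ModeNames[$num]
        } else {
            'unrecognised value'
        }

        [pscustomobject]@{
            Hive    = $hive
            Value   = $raw
            Meaning = $meaning
        }
    }
}

Set-ChromeIncognitoPolicy -Mode 2
Get-ChromeIncognitoPolicy | Format-Table -AutoSize
```

Chrome lists the policies it has actually loaded on its `chrome://policy` page, which confirms whether the value was picked up after a restart.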
Google shafting its "customers" again, you say?
*twiddles with thumbs*
Wonder how good the MK802 would be as an alternative, though.
This has been part of the Japanese corporate culture for a long, long time now.
It is quite rare for a Japanese corporation to fire or otherwise lay off an employee and they instead resort to either boring you to death or making life such a misery with the hope that you will one day cave in and voluntarily hand in your resignation.
It doesn't just end there, either. Many Japanese companies practice "retraining" (or what most of us would call "reformative training") where employees are sent for "additional training" whenever mistakes (even trivial ones) are made on the job.
Many Japanese I know openly admit that they'd never return to Japan if they'd have to work there. It can be that bad... worse still if you happen to be female.
Interestingly though I did have one friend who was more than happy to entertain himself on the job and he continued to draw his not-very-low salary for years until he managed to find a better package elsewhere. Such instances are supposed to be rare, however.
You know what? Screw you too, Google!
Glad I've ceased using any of your crap.
No more Gmail. No more Google. And DEFINITELY no more Chrome. Don't need any of your spyware-laden junk installed on any of my computers anymore.
I still recall about a year ago I had stopped using Chrome (kept it installed, however) in favour of Internet Explorer (let's ignore my choice of browser for now, eh). A week or two later I actually received a popup from Chrome while using Internet Explorer along the lines of "Chrome has been updated! Would you like to try it again?"... Seriously?
It was then when I decided to do some digging around and subsequently realized just how much junk a Chrome installation injects into one's computer. Windows services? Check. Scheduled tasks? Check. Internet Explorer plugins? Check.
WHY DOES GOOGLE CHROME NEED TO INSTALL INTERNET EXPLORER PLUGINS? OH WAIT, I KNOW! So it can continue to monitor how much I use IE versus its excuse of a web browser.
And you know what else? Screw all the Google apologists too.
Re: Level of craps not given: All of them.
"Its worse then crap its crap painted over with crap where the painter thinks that the crap on top of the crap is going to make the crap look better to people."
Just... LOL. Thank you for that, this made my day. Have an upvote.
Windows 8/8.1... it is THAT bad.
Some weeks ago I had some time to spend and figured that it would probably be a good time for me to increase my level of familiarization with Windows 8 (or 8.1, rather). I had used the operating system briefly from time to time but I wanted to set it up from scratch and use it on my own for a bit.
Since the preview was already available by then and easily accessible too (since there was no requirement to register to acquire a copy)... off I went.
Now I have to point out that I went into this exercise with a very open mind. I continuously told myself "well, it can't be THAT bad now can it" all the way from when I was downloading the preview to installation. Boy was I wrong. So very, very wrong.
First off; let me begin by saying that the start screen isn't actually that bad. Once you've uninstalled all those bloody useless default apps (which can be easily and quickly accomplished) you can actually turn the start screen into a rather pleasant interface from where you can access commonly used applications and folders. And yup, the fact that you can actually create shortcuts of folders on the start screen helps a lot.
My problems begin to surface once you move away from the start screen, however.
What Microsoft really should have done was take Windows 7, leave the entire interface as-is, add the start screen and increase support for tablets and call it a day. But nooo... they had to screw around with what already worked. The Task Manager for instance doesn't offer the same amount of detail (additional columns to select and view) in its process list compared to Windows 7... which is annoying.
Then comes the fact that even when you've decided to put the start screen away it still tends to make unexpected reappearances from time to time. If for example you go to the "classic" desktop and go to Control Panel and Network Center and subsequently click on "Manage Wireless Networks" you're given a bloody start screen view of all available wireless networks rather than the good old fashioned wireless network profile manager.
And while we're on the topic of the new wireless network "manager"... you can NOT remove a wireless network profile unless you are within range of that wireless network. What? And yes, this is verified. The only way to remove a wireless network profile when out of range of said network is through Command Prompt.
Even the start screen itself isn't exactly intuitive (namely its default apps). At one point I accidentally opened the Mail app. It asked me to enter an E-Mail login to link my Windows account to a Microsoft Live account, or some such. I did not want this. So I clicked on "Cancel" (one of two available buttons, the other being "Next") and was greeted with an error stating "You must enter an E-Mail address". Clicking on "Next" gave me the same error. WTF? There was no obvious way to get out of this screen other than to Alt-F4.
Such blatantly careless interface design decisions make me want to puke. Just what it's like for users who are unaware of the various Windows keyboard shortcuts is beyond me.
I could really go on forever about just how bad and unpolished Windows 8/8.1 is but I think I've already made my point. All this would be maybe even 1% understandable if the operating system was absolutely fan-fucking-tastic on a tablet but even those who own Windows 8 tablets aren't exactly satisfied.
Google being Google.
Business as usual.
Re: Convenient for its user when that part of the phone is sensitive
Ooohh, aaahh. And ahead of western imperialist pigs!
Re: Hands up who trusts Trusteer.
"It should be part of your information security management strategy." In my organization, yes. At home, no. And even in my organization it is as you mentioned "PART" of the strategy... and not a very sizable one at that. Lee has already sufficiently pointed out some of the pitfalls of antivirus solutions (my personal complaint would be resource usage, especially if real-time file system scanning is enabled).
Extremely tight group policy restrictions (SRP/Applocker) on their own go an extremely long way in preventing most unwanted applications from running with hardly any performance penalty. And these days if something is sufficiently sophisticated to bypass any such restrictions (through a zero day vulnerability, for instance) then chances are it is going to be equally as proficient in bypassing an antivirus solution.
Yes, websites can be compromised to deliver malicious content. Happens all the time. If such content is delivered merely as an executable, it won't run due to SRP. If as a PDF/DOC/XLS/... chances are it would have to make use of a zero day and it must not count on JS in Acrobat (disabled) or any form of Macro (also disabled). Again, see point above with respect to zero day vulnerabilities.
Is my solution 100% airtight? No, it isn't. No solution is. I do employ a good many layers of security however (including antivirus, but with limitations) in order to make it as difficult as possible for any of my systems to be compromised by any form of malware. The key here is to prevent being compromised by "common" forms of malware. Targeted attacks are a separate story altogether.
Is antivirus 100% useless? No, it isn't. I still recommend antivirus products to home users and companies. Especially so companies with no dedicated IT security resources (personnel to maintain policies, audit said policies, perform rapid updates of deployed applications, et cetera). Even for companies with dedicated IT security resources antivirus CAN have its place as an additional layer of checks.
Have firm policies in place. Restrict everything that isn't required. Run strictly as user. Limit the number of resources/applications (and plugins, if applicable) to the absolute bare minimum. Keep your software as up to date as possible. And you're likely 99% ahead of the vast majority of malware writers already who really prefer to target the masses rather than worry about the few who know what they are doing.
(P.S. I'm not claiming to know it all. But I'm writing based on experience. Again, I will never claim that my systems are 100% airtight and I will always welcome someone to prove to me that what I am doing is absolutely wrong/absurd. This is ultimately what security is about. Learn and keep learning.)
Re: Lee D
I'm assuming here your bank doesn't force JRE down your throat then?
Still seems to be quite the "in" thing for a good many financial institutions.
Re: Hands up who trusts Trusteer.
Good to know I'm not the only one. I don't even install Antivirus. My installations have become increasingly bare over the years. Less to maintain. Less to update. Less to exploit.
Even Ad Blockers have become a big no-no for me. Much prefer something which is easily auditable such as this simple little host file; http://someonewhocares.org/hosts/
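What auditing a hosts-format blocklist can look like, as an added example that is not part of the original post: it flags entries that redirect a name to a real address instead of sinking it, names mapped to two different addresses, and malformed lines. The sample file, the sink and local-name sets and the function name are constructed for illustration.

```python
import ipaddress
import re

# Addresses that merely sink traffic (assumed convention for blocklists).
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names a stock hosts file legitimately maps to non-sink addresses.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
LABEL = r"[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")

# Constructed sample, not taken from any real blocklist.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1 localhost
255.255.255.255 broadcasthost
0.0.0.0 ads.example.com   # blocked
127.0.0.1 tracker.example.net
203.0.113.7 login.example.org
0.0.0.0 login.example.org
0.0.0.0 host!.example
"""

def audit_hosts(text):
    """Return (line number, finding kind, detail) for every suspicious entry."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            findings.append((lineno, "bad-address", fields[0]))
            continue
        for name in (n.lower() for n in fields[1:]):
            if not HOSTNAME_RE.match(name):
                findings.append((lineno, "bad-hostname", name))
                continue
            # A blocklist should only sink names, never point them elsewhere.
            if ip not in SINK_ADDRESSES and name not in LOCAL_NAMES:
                findings.append((lineno, "redirect", f"{name} -> {ip}"))
            if seen.setdefault(name, ip) != ip:
                findings.append((lineno, "conflict", f"{name}: {seen[name]} vs {ip}"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```
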
Re: The average enterprise has more than 50 versions of Java installed across its PCs and servers
LOL. I quite literally spat on my monitor when I read that. LOL.
Am I the only one who thinks this is all just a massive distraction?
It seems to me that all this moaning about with respect to Third Party Cookies is nothing but a colossal distraction to keep everyone's attention away from the countless other methods which can be employed to track a given user.
If I recall correctly there have been ways to track through plugins, for instance. Adobe Flash comes to mind though Adobe "might" have "addressed" it by now.
Also, read up on EFF's Panopticlick. It's a worthwhile site to check out if you haven't already. I found it quite interesting at least and wouldn't be all too surprised if similar methods are already (at least partially) employed in order to increase tracking efficiency.
Also, doesn't Safari already block Third Party Cookies?
While I was fiddling around with a temporary OS X installation I decided to check Safari out and realized that Third Party Cookies were disabled by default in its preferences. This was a clean installation too. I might be wrong here but I'm quite confident that this is the case.
Now of course one might argue that Safari's "market share" isn't exactly up there (not on desktops at least) and even the most die-hard Apple fans I've come across outright refuse to use it for any purpose other than to download another browser but it still has to account for *something*.
Re: Entrope Aaannd...
And do you honestly believe that with the level of corruption which exists within the Indian government that such "lawful interception" will remain "lawful"? I wouldn't be all too surprised if criminal gangs are able to bribe their way into receiving whatever information they deem the government is able to access.
And who knows what they'll be able to do with whatever they're able to retrieve.
...here goes the only reason to ever use BlackBerry straight out of the window.
Re: Who thought it was a good idea...
Some baboon who wanted to report to upper management; "See! I've streamlined support!!!!!11!ONE!1!"
Re: They still don't get it
Hah. Every time I see a website with such a ridiculous password limit I simply assume that the developers weren't bright enough to hash the password and at the same time decided; "Hey look! Let's show how awesome we are by making the database more efficient by setting our password field to varchar(8)!"
On a more serious note though; anyone who has even the slightest clue in basic security knows that passphrases really are the way forward.
Inevitable XKCD reference: http://xkcd.com/936/
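Why hashing removes any storage reason for a password length cap, as an added example that is not part of the original post: a salted key-derivation function yields a record of the same size for an 8-character password and a long passphrase. The PBKDF2 parameters, the record format and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the post).
ITERATIONS = 600_000
SALT_LEN = 16   # bytes
KEY_LEN = 32    # bytes

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$digest_hex'; size is independent of input length."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS, dklen=KEY_LEN)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)

def record_length() -> int:
    """Column width needed for any password: digits + '$' + salt hex + '$' + digest hex."""
    return len(str(ITERATIONS)) + 1 + SALT_LEN * 2 + 1 + KEY_LEN * 2

if __name__ == "__main__":
    for pw in ("Tr0ub4d&", "correct horse battery staple"):
        record = hash_password(pw)
        print(len(pw), "chars in ->", len(record), "chars stored")
```
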
Re: Windows 8.1: 'It's good for enterprises, too,' says Redmond
Richard Gadsden: Thanks for your reply!
Actually, most hardware vendors (at least where I'm located) do sell PCs without Windows OEM licenses to enterprise customers. For non-enterprise customers it's a separate story altogether, though.
Also, with respect to being able to use Enterprise even after SA expires... according to Microsoft's Volume Licensing Brief; "Volume Licensing customers with Software Assurance may migrate from a lower edition to a higher edition software product while maintaining their Software Assurance coverage on a given product."
The phrase "while maintaining their Software Assurance coverage on a given product" has me worried. Am I misunderstanding something?