Ask Slashdot: Protecting Home Computers From Guests?
An anonymous reader writes "We frequently have guests in our home who ask to use our computer for various reasons such as checking their email or showing us websites. We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware, despite having antivirus and the usual computer security precautions. We have tried using a Linux boot CD but usually get funny looks or confused users. We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised. What tips do you have to overcome this problem, technologically or otherwise?"
I think they call it guest wifi and byod.
> We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware,
Really? It's not that they started typing something into your browser and the browser history showed off all the sick and twisted porn you watch? :P
I'm god, but it's a bit of a drag really...
Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.
Don't let them use your computers. Done.
Guest chromebook seems like one good option -- probably rather harder to compromise, and lets guests surf/etc...
Set up a VM in Virtual Box for them to use. Take a snapshot of when it was healthy and new and just revert to that each time someone wants to use it. Even paying for a Windows install for the VM would be cheaper than an iPad.
The guests, that is.
You can set up a PC image with your favorite virtualization system, then run that full screen and have guests use it. They get an environment they're familiar with and you can have the emulator set up not to save any changes to the hard drive image it's running from, so when they leave you can reset it and get back to a known safe state.
It's a Firefox addon. Check it out. Also Adblock Plus. With those two installed and running, things get a lot safer. Of course, NoScript requires a bit of savvy to be able to browse the web correctly. You might have to help. Otherwise, tell them to bring their own darn laptop.
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
The moment your computer becomes public (however limited that "public" is), it is a goner. It is like asking how to secure your computer after it was compromised.
I don't even let my visitor plug into the same network my main computers are, and have both a separated WiFi network and a separated ethernet segment for them (1 port only in the guest room), that I treat as a DMZ. Ok, I'm paranoid, but still.
Maybe use removable HDs, and keep one for your own use, and swap it for an entirely different one (which you can restore from a Ghost image or something) for your guests. As in PHYSICALLY disconnecting your HDs when they are going to use.
Otherwise, it is like using band-aids to stop a leaking dam.
morcego
Something like VirtualBox or VMWare that supports snapshots. Install an OS into the virtual machine and set some firewall rules to keep it from accessing anything else on your network. When they ask to use your computer, launch the virtual machine and set it to full screen. They won't know the difference. When they're done, revert to snapshot.
Install a freeware (or not if you prefer) virtualization application, create a non-persistent snapshot, and when the guest needs it, boot it and make it full screen.
When they leave, revert to the pristine state, and store until needed again.
Seems fairly easy, and ensures you lose any crud they pick up in their IntarWebz(tm) travels.
Sounds like a good use for a Chromebook.
Set up a new virtual machine (KVM say) when the guest comes, so it's like they're using a brand new installation (Windoze if you must). When they're done, wipe the container, and set up another one next time you need it. Or even keep a spare hard drive around for a non-virtualized PC. Reformat it completely and install OS on it for each visit.
Seconded. I say locked down guest account, or live CD. The VM idea isn't bad either.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
Set up a Windows XP virtual machine. Save a snapshot, or a VDI/VMDK file of a clean hard drive image. When they come, boot up the virtual machine in full screen. When they leave, restore the clean snapshot or clean hard drive image.
Get smarter guests
Just create an ad-hoc guest account with limited rights. That way they can't really screw up things. Once the guest has left the premises, remove the account. You don't even have to log out yourself if someone just needs the access for five minutes, just switch users.
A step further: Build a virtual machine with e.g. your basic Linux distro or Windows XP, create a snapshot of it in its "fresh" state, and set it up to talk only directly to the Internet without any access to your local network. You can achieve this with Virtualbox at least. Let your guest access the virtual machine. When the guest leaves, just revert it to the snapshot state.
It's trivial nowadays to get an OS running on a VM. You can easily backup the virtual drive as well, so that restoring it to its clean state is equally as easy.
Use two routers. Then turn on wi-fi on both. Give the password to the outer router to your guests and ask them to BYOC, bring your own computers. Use the second router, the inner one, to run your home network. Close all the ports and be very secure on the second router. Tell your guests your PC has a virus and so you don't want others connecting to it or using it till you get some help to disinfect it.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The media PC in my living room boots directly into the Guest account. Under the guest account I can USE almost all the programs I have installed seamlessly. There are some minor issues with software updates, XBOX controllers, and a complete inability to configure network settings, but that's about it. If I need to do anything that requires more rights I can deal with the UAC prompts that show up or simply log out and back in as an admin.
I know it's not flawless but I still feel pretty comfortable letting my tech savvy (e.g. dangerous) friends stay over unattended. It wouldn't hold up to anyone seriously determined to break the security but they have access to the physical machine and can't really be stopped anyway.
Just install Linux -- like Mint or Fuduntu
http://www.linuxmint.com/
http://www.fuduntu.org/
set up a restricted "guest" account
with chrome and Firefox on the desktop
problem solved
"I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
Most of the new WiFi routers offer guest networks. Set one up and tell them to bring their own device. With the number of people with smartphones, I don't really see a legitimate need to set up guest computers.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
>> Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.
This. As long as you can PRINT from it. (Most of the time I loaned "local" computer access it was to let someone print airline boarding passes.)
Also make a couple paper copies of your WiFi creds and encourage them to BYOD.
Have a multi-tier network, with multiple nested NAT/Firewall layers. (One NAT/Firewall/Router connects as a client to another.) Bonus points for DD-WRT with the SPI firewall enabled. The idea is, your guest talks to your broadband network, but not to your other computers who are all hiding behind a NAT/Firewall/Router. Thus, when the guest is compromised, it doesn't create a wormhole into your private network.
Second, get a cheap windows box (is there such a thing?). Get a Linux boot disk. I use an old Fedora install disk and boot into rescue mode. Get an external harddrive. Run ntfsclone. Make a mirror copy of the windows computer's disks. Restore back after the guest leaves. It's, like, trivial....
Alternative: Buy a chromebook. Tell them it's the latest fad. (It is!) Problem solved.
"it wasn't right to knowingly let others use a computing platform that may have been compromised."
Then why are you letting them use ANY computer? There is no platform where you can say 100% that it has not been compromised.
By far the iPad would be the least likely to be infected by anything, and require the least maintenance. I can't understand your rationale for not going this route at all.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Really? If their Web habits are ~that~ sketchy then you don't even want them using your Internet connection. Seriously! They could be downloading copyrighted material or even worse things that you don't want anywhere near your ISP's records.
Tell them no, and make them bring their own damn 3G/4G device hooked to an account that they own if they simply must access the net while they're hanging out.
And put it in its own separate guest network, which is logically isolated from your own stuff by a firewall, maybe run a print server too (people often want to print boarding passes)...
As for funny looks, a browser is a browser and i've never had any problems giving someone a linux livecd, it has both firefox and chrome and most people are perfectly familiar with these applications.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I have a cheap fon router which provides two wireless networks. One for my family and one non-encrypted.
The non-encrypted network normally requires a logon, but some IP addresses can be excluded from that requirement. You might choose to exclude all requirements so that your guests get straight access.
You also get to rate-limit the connection too.
If you run a connection and leave it turned on you get free logon to other people's fon hotspots too - and there are thousands in the UK.
http://corp.fon.com/how-it-works
blog.sam.liddicott.com
Just use a Linux distro - problems solved. Create a guest account that automatically wipes every time you log out.
Custom electronics and digital signage for your business: www.evcircuits.com
No one touches my computing equipment, period. If you MUST use my machine you are getting a Linux Live Cd. If you don't like it, use someone else's resources.
Good-bye
This!
Tomorrow is another day...
Change a few words ... many of these guests have high risk driving habits and have more than once driven one of our cars into a phone pole ... and the answer is obvious.
Not convinced? Try this one ...
... many of these guests have high risk sexual behavior habits and have more than once infected one or more of our girl/boy friends ...
Anyone who stays at my house has to help slop the hogs and clean out the barn. You can play with the computer afterward.
Problem solved.
Have gnu, will travel.
With Windows inside the VirtualBox. Once the guests leave, revert the VirtualBox image.
With a little work, you can make a "guest" login that launches VirtualBox and can't do anything else.
On the other hand, it might be enough to make a "guest" account, and just run a script that cleans out /home/guest after the users leave:
GUEST=/home/guest
CLEAN=/whatever/guest
HOMEDIRS=/home
# remove all trace of guest directory
rm -fr "$GUEST"
# set up clean copy again (recreates /home/guest from the clean copy)
cp -pr "$CLEAN" "$HOMEDIRS"
If you are using Linux Mint with MATE, your guests should be able to cope with the desktop. If you are using an "improved" desktop like GNOME Shell or Ubuntu Unity, stick with the VirtualBox running Windows.
lf(1): it's like ls(1) but sorts filenames by extension, tersely
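A more defensive take on the guest-home reset script in the comment above, as an added example that is not part of the original post. The function name, return codes and the paths used with it are assumptions; it refuses unsafe targets, stages the fresh copy before deleting anything, and will not run while the guest still has processes.

```shell
#!/bin/sh
# Added example (not from the thread): reset a guest home from a pristine template.
# Function name, return codes and all paths are assumptions.

# reset_guest_home TEMPLATE TARGET [OWNER]
# Returns 0 on success, 2 for an unsafe target, 3 for a bad template,
# 4 if OWNER still has running processes, 5 if the copy failed.
reset_guest_home() {
    template=$1
    target=$2
    owner=${3:-}

    # "rm -fr" on an empty or too-short path is how /home gets erased, so
    # insist on an absolute path at least two levels deep, with no trailing
    # slash and no "." or ".." components.
    case $target in
        */|*/.|*/..|*/./*|*/../*) echo "unsafe target: '$target'" >&2; return 2 ;;
        /*/*) ;;
        *) echo "unsafe target: '$target'" >&2; return 2 ;;
    esac

    # The template must be a real directory, not a symlink.
    if [ ! -d "$template" ] || [ -L "$template" ]; then
        echo "template missing or not a directory: '$template'" >&2
        return 3
    fi

    # Leftover guest processes could keep writing into the fresh copy.
    if [ -n "$owner" ] && pgrep -u "$owner" >/dev/null 2>&1; then
        echo "user '$owner' still has running processes" >&2
        return 4
    fi

    # Build the fresh copy next to the target first, so a failed copy never
    # leaves the account without a home directory.
    staging=$(mktemp -d "$target.new.XXXXXX") || return 5
    if ! cp -pR "$template/." "$staging/"; then
        rm -rf -- "$staging"
        return 5
    fi
    if [ -n "$owner" ]; then
        # -h: change symlinks themselves, never what they point to.
        chown -hR "$owner" "$staging" || { rm -rf -- "$staging"; return 5; }
    fi
    chmod 700 "$staging"

    # rm -rf removes symlinks inside the old home without following them,
    # so a link to a private directory cannot redirect the deletion.
    rm -rf -- "$target" && mv -- "$staging" "$target"
}
```

Run it as root after the guest has logged out, for instance `reset_guest_home /whatever/guest /home/guest guest` with the paths from the comment.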
I would go even a step further than my subject line suggests and create a guest account and lock it down as much as you can. Turn off all the browser features as well.
A guest shouldn't be doing anything except for browsing the web and checking web based email. Turning the browsers security settings on "high" (which would generally mean disabling scripting, cookies, etc) will keep them from doing too much there.
Also, as I said above, let them use the guest account and lock it down tight. You didn't mention which version of Windows you are running, but if it's fairly new you could use the Local Security Policy MMC and prevent them from running applications.
This on top of your standard AV and the other precautions that I'm assuming you are talking about should do it.
Virtual machine.
Proverbs 21:19
You may want to do some very light reading on privileges for your platform of choice. Install your OS, create a guest account and set up the desktop with a browser and some apps that might be needed, then dial back the access so that the guest account can't install anything. That's all there is to it. If they complain, throw them out of the house.
Solutions evolve with time, in order for Google to index relevant pages, we have to create content. That is happening as we speak!
Tomorrow is another day...
"We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised."
Seriously? What have you been reading that gives you bizarre notions like that? The iPad has a number of general shortcomings, most of which are related to its single-user OS and its closed architecture. And I'd hesitate to lend a guest my iPad, but only because – once unlocked for use – it's wide open for the user to poke around (e.g. read my mail, browser history, etc). But in terms of the OS being compromised, an iOS device that hasn't been deliberately jailbroken (by you) is about as safe an internet-access device as you're likely to find, short of custom building a Linux- or BSD-based system yourself.
http://alternatives.rzero.com/
Create an account that does not have the ability to change the operating system, a "user" account for your friends. It won't prevent all problems, but it does cut down on the ability of malware to corrupt your system outside that user's folder.
Windows XP with Steadystate
http://en.wikipedia.org/wiki/Windows_SteadyState
Let them run Puppy and if they get confused lend them a hand. Usually most people seem to want to check email or some other trivial task. You do want to be certain that your email account does not allow auto sign in while you have company.
Get a cheap computer (i.e. used/refurb), and keep installation media on-hand.
You can optionally install Linux to make it more resistant to stuff.
And put the homepage to something that discourages them from visiting naughty sites.
Dual boot into it. Problem solved. Everyone loves Chrome. And it's like a rock.
We should learn what we need to know about issues, before we decide what we need to feel about them.
Might be a MMS, they're getting fairly common as a delivery option and smartphones are all but the norm anymore.
I keep a chrome laptop around for this. It's enough for most people, and after logout everything's clean.
I want my Cowboyneal
My two cents...
Keep an extra media bay or hard drive for a notebook that lets you just remove your hard drive and stick another in.
Take your regular hard drive and put it away when you've got guests coming over. Let anyone use your notebook with this alternate media to boot and run from. Just keep a .iso or other backup from which to do a restore.
At the end of the night, just reimage the alternate media and put it back on a shelf.
Put your drive / boot media back in and you've got your machine back. No worries...
You do have to tie up a drive and / or drive carrier or media bay, and may need to pay a license for the OS if you don't plan to use Linux.
-- Sam
Run backups before they arrive, and run restore after they leave. Plus your machine gets backed up which you probably needed to do anyway.
I am not sure why users give you funny looks with Linux. Is it because things like Flash/Java plug-in/etc. are not installed?
Flash and Java are standard parts of a modern Linux install these days, such as the latest versions of Linux Mint.
Maybe they gave him funny looks because he installed Ubuntu, or worse, Fedora, and they were suddenly exposed to the horrors of Unity or Gnome3. Just when Linux was really looking like a viable replacement for Windows on the desktop(/laptop) for regular users, Unity and Gnome3 had to rise up and dash that hope forever with their horrible UIs.
If you're willing to buy a $499 iPad just for guests to use, then you'd probably be willing to buy a $249 Chromebook instead. It's a great second laptop, and perfect for guests to use. There's even a "Guest" account they can use, and it clears the data when they are done using it. And it's secure - which you want if your guests have "high risk computing habits."
I understand why you post as AC.
"I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
Extra computer, different network/workgroup/domain, different room. Who would "share" one's own machine with anyone?
If you have a Mac, just enable the Guest account and fast user switching. Log into the Guest account for them and they can do pretty much whatever they want. When they are done and the account is logged out, everything is deleted. Poof, all their bad habits are gone. The guest account on Mac OS X is created on the fly. It does not exist until you log in and ceases to exist when you log out. For this reason it has been referred to as the porn account. As long as your other accounts have passwords and they should, you will have no issues with letting someone go hog wild in a guest account session. You can even restrict the account further if you enable Parental controls and only allow certain applications to launch. So you can restrict them from Terminal, finder window and such. Pretty much only give them web browser and nothing else.
> And put it in its own separate guest network, which is logically isolated from your own stuff by a firewall, maybe run a print server too (people often want to print boarding passes)...
> As for funny looks, a browser is a browser and i've never had any problems giving someone a linux livecd, it has both firefox and chrome and most people are perfectly familiar with these applications.
Why go to the trouble of a separate network?
The odds of even the most retarded of users inadvertently fucking anything beyond the one machine they're touching is absurdly low, unless you're running outdated shit on your network. Remote exploits are remote exploits, and you should protect each device regardless of whether or not you trust the rest of the network.
If someone is so fuck-up prone that you think your proper boxen could be fucked by some schlub lolcatting around on the same network, you should be more worried about them tripping in your house and suing you.
... but sometimes there are commercial solutions that fit a specific problem quite well - I'd use deep-freeze, a piece of windows software. I briefly attended a school that had it on their computer lab computers - effectively the computer is reset every time you restart it. It keeps a second partition sitting around with your save point or something like that. Guests are generally non-malicious so probably won't disable the software.
"We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised."
So you won't get an iPad for guests because you don't like Apple's philosophy of the platform?
Or ??????
You were mistaken. Which is odd, since memory shouldn't be a problem for you
>> Printing boarding passes? How quaintly retro!
I think you'll find that the same guests who want to borrow your computer are also the same ones who won't be able to get boarding passes on their phone.
Build yourself a "guest" VM with browser of choice and script protection.
Just put Windows 8 on it. Nobody will be able to figure out how to launch anything besides Bing and Zune.
Table-ized A.I.
If you have a Mac, there's a standard user account called Guest. This account has privileges to do normal user things, but can't install apps or make other changes to the computer. (And the account has no access to other users' data.) No matter what the guest user does in that account, it can't hurt you —and the entire Guest account is in a fresh state each time you log in to it. It's designed exactly for something such as this, and it works very, very well in real use.
These comments suggesting a Linux boot CD, or a Virtual Machine (VMWare , VirtualBox, etc) are all viable solutions if you trust your guest to stay within the environment you give them.
A VM, in my opinion, is really just useless, because the guest can switch away from it too easily and get at your main machine. Then perhaps become confused which browser is which, see your firefox on the desktop, double click and continue away... This is common with guests that are not too computer savvy....
Someone mentioned using a VM with a guest network and router firewall rules?? that's just more useless, the guest is sitting at your main machine. See the point above.
A linux boot CD is much better than a VM, with firewall rules to prevent this booted machine from accessing the local network, but any linux environment gives local access to local drives, so before you know it your (computer savvy guest) is browsing your local hard drive from your standard everyday system you use, and reading all your fine datas. Or if they are a reboot happy user (I've seen that, if the browser gets slow they power off) then that user may reboot when you're out of the room, and they may now boot into your main system and continue along, without you even knowing it, until much much later. You won't know this unless you are watching what they are doing every minute, and I am sure that won't go over well either.
The only way to go here is to have a separate guest network (hardwired or wifi or both) and have your guests BYOD. If you wish to be accommodating when they don't have their own device then you can give them a slow, cheap, small laptop from craigslist or something, and make them use that. Use any hard drive mirroring software to wipe and reinstall the Linux OS on it after they leave, or use a netboot to boot an image from a local server which you have a virgin copy of for the next user. As someone else already said, make sure it can access the printer, guests always want to print something.
I do the above. An old DELL Latitude D600 is the device for my guests. It has a 14" screen, 1 GB RAM, Pentium M 1.6Ghz, a 30GB hard drive, and dual boots Linux Mint or Windows XP so they have a choice if they care. The entire HDD is overwritten from a server image when they are done.
I say all this because I am the type of person that doesn't want anyone sitting at my local machine. I wish to give them full access, freedom to take their time and do what they want, without me watching guard over them to be sure they aren't reading anything of mine. I don't want them to start my Yahoo, or MSN , or read my email, my PC has years of financial data on it, local documents to my Condominium Corporation, letters to family, and the other 50% is ... well... we all know what the Internet is really for ;)
> I am not sure why users give you funny looks with Linux.
Sort of the same reason for getting funny looks when you show up at a wedding in shorts and a Bud Lite T-shirt.
XML is a known as a key material required to create SMD: Software of Mass Destruction
99% of the printers just work out of the box on linux.
Or equivalent other thin linux distro. I assume they really only need web access.
I consider myself to usually be on the bleeding edge of technology, but phone-based boarding passes are right out. I've never had a piece of paper run out of power, but I've had my phone die halfway through the travel day for reasons unknown (turned into a little toaster and burned through its battery - presumably the radio got in a weird state) and have had it stolen while traveling. I keep two boarding passes, typically - one folded in my pocket, and one in my carry-on. If I lose one, I just grab the other one.
And yes, most of the time when my guests want to borrow a machine, it's because they need a printer for boarding passes.
Especially if it has Bart PE instead of Linux.
Just because they are guest doesn't mean you have to let them use your computer. Do you let them use your toothbrush also?
This is a really stupid question. All the answers you need are an easy search away. Why are we answering questions for complete noobs? There are a million websites like that already.
Be seeing you...
a Guest account on windows can't install software, throw chrome/firefox with adblock or IE with a good TPL/adblock list, don't install java and keep it updated, you could browse the most gross sites on the internet and be fine. you could even go as far as enabling "Only allow signed apps" to run (secpol) and that's a done deal.
why not install a VM, making it act as a sandbox ? And there are options to not make it read-only, so it goes back to a pristine state every time it starts up. The one issue is that the guests have to willingly stay in the VM, there's nothing preventing them from alt-tabbing out of it.
Other than that:
- a guest account with no admin rights;
- a cheap tablet that you restore to factory default between guests, with a dummy account that has no credit card linked to it for activation
- even a net/notebook or PC which you re-image between guests. there's plenty of free imaging software.
The Cloud - because you don't care if your apps and data are up in the air.
Buy a really cheap computer, bare bones systems are a few hundred dollars, probably cheaper than an ipad. Install windows/browsers/antivirus/etc and create a backup image. After every use, kick the format button.
One way is to just make a guest account.
But if someone wants admin rights to install a game or something, you can use Faronics Deep Freeze or Fortres Grand Clean Slate to ensure that no changes to the Windows filesystem survive reboots or even log-offs.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I certainly wouldn't expect that if I was staying over at a friend's house, I could have ubiquitous unsupervised access to using their home computer - why would I? I might expect that they would let me log in to print something or to check my email while they were there, but hang out on it and install sketchy software while my friend wasn't around? Why would you let your friends do that? Put a password on it, don't tell them the password, let them use their own computer. (Alternatively, if you're worried that they're going to install sketchy things while you *are* watching them, then you're as much of an idiot as they are if you just sit and watch them do it.)
There was a time in the distant past that I built a "very special" win9x machine for this very purpose.
Yes, I can read your mind. "Win9x? Are you fucking serious? Turn in your geek card right now!" Yadda, yadda.
Just hear me out.
Win9x, because it relies on realmode dos interrupt disk handlers, can be loaded from a preboot environment ram only block device. Such as that provided by Memdisk, from the syslinux tool set.
Essentially, you have a disk image file on a bootable EXT2 volume (nothing ever gets written on it, so it doesn't need a journal.) With the syslinux bootloader on the MBR. It is the default boot device.
On boot, syslinux starts, loads the memdisk block device driver, and copies the win9x image into ram, it patches int15 to report a different max size of installed XMS, then executes the "mbr" of the ram block device.
BOOM. Win9x in a ramdisk.
You can use a drivespace compressed image to achieve maximum data density for the consumed block of memory. Drivespace3 with ultrapack on gets almost 2:1 packing on normal program and file data. You can get a *lot* of stuff inside a 512mb image file.
Throw in a reasonably recent firefox, courtesy of KernelEx (an open source kernel resource extender for win9x, which allows a good deal of 2k and XP native applications to run, including FF10, and a modern flashplayer with ABP and noscript.) And a good software firewall, turn off all file sharing services, and essentially lock down the 9x system as far as possible, and you have exactly what your horrible family member and or acquaintance wants: a familiar user environment that they can walk all over.
It also has what you want: pull the plug, and it is magically fresh, clean, shiny and new again as soon as you power it on.
9x doesn't know how to deal with EXT filesystems, so the physical HDD is never exposed to your user.
The only major problems are 9x's abhorrent 2gb RAM limit, and its abysmal network safety rating, coupled with its rather dated hardware base. (Plus the difficulty of getting a 9x install up and running smoothly with all the perks a normal user could want, without breaking it, on a teensy weensie volume.)
On the plus side, being 100% in RAM on a reasonably modern hardware platform, it is fast as fuck. The test systems I built had Office97, firefox 10, flashplayer10, the WEP, a pirate copy of zonealarm pro, photoshop7, media player 10, KernelEx, and a few other odds and ends on it, with 50mb of "free" space left on the compressed volume to serve as browsing cache space. It was snappy as hell.
I have only done this a few times as just a lesson in self-punishment/"let's see what kind of frankenstein's monster we can build out of retro parts!" Type exercise, but the finished product is incredibly hard to kill, and keep dead. Bluescreens of death? Caught a nasty worm in the 10 seconds it was on the net? Power it off, power it back on. Good as new.
Gives a whole new meaning to "zombie workstation".
I have a celeron POS I am contemplating doing this to actually. I would prefer ramdisked win2k or better though, but I don't know of a way to boot the OS out of a block device after NTLDR starts, and before control is passed to NTOSKRNL. Maybe a hacked FreeLDR from reactos would work though.
Some routers have guest accounts. Get one of those routers and do not allow sharing under the guest account. If you do not have one of those routers, then make sure you have account passwords on all of your computers. This way you do not have to worry about them getting access to your computers. Finally make sure you have a good firewall.
Sorry, but my house, my rules, my OS.
Besides, please explain to me how you get "odd" looks from someone who wants to check a homepage or his webmail? Some little bits might look different, but browsers are all alike, across platforms. That's the whole idea behind it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Surprised no one mentioned that Macs have a guest account that can be enabled and will wipe out whatever is created by the user in the filesystem after logout.
Find friends who have more brain cells than fingers.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Text message ? What a fad.
The last time I've flown (from France to Hong Kong and back, last year), my passport was my boarding pass!
(I understand that you don't need a passport for domestic flight.)
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
I made an account with username 'guest' and password 'password'. then just let them log on.
I also had ssh installed. one day the sysadmin at work comes to see me and tells me that my laptop had been blocked from the network because it was making a large number of outgoing ssh connections. important lessons were learned.
(some distros offer a locked down password-less guest account. this is a much better idea)
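The failure described in the comment above (a guest account with a guessable password on a machine that also runs an SSH server), as an added example that is not part of the original post: a Python check that reads passwd and sshd_config text and lists the accounts that could log in over SSH with a password. The sample files, the `GUESSABLE_NAMES` list and all function names are constructed for illustration.

```python
import fnmatch

# Constructed sample inputs for illustration (not from the original post).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
"""
SAMPLE_SSHD_WEAK = """\
# nothing here restricts who may log in
Port 22
PasswordAuthentication yes
"""
SAMPLE_SSHD_HARDENED = """\
PasswordAuthentication no
DenyUsers guest
AllowUsers alice
"""

GUESSABLE_NAMES = {"guest", "test", "user", "admin"}  # constructed watchlist
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# OpenSSH defaults for the two scalar keywords this check reads.
SCALAR_DEFAULTS = {"passwordauthentication": "yes",
                   "permitrootlogin": "prohibit-password"}


def parse_passwd(text):
    """Return {user: shell} for every well-formed passwd(5) line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not line.startswith("#"):
            accounts[fields[0]] = fields[6]
    return accounts


def parse_sshd_config(text):
    """Parse the global section of an sshd_config.

    Simplifications (assumptions of this example): Include files, Match
    blocks, group directives and negated (!) patterns are ignored, and
    repeated AllowUsers or DenyUsers lines are treated as cumulative.
    """
    cfg = {"allowusers": [], "denyusers": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key, values = parts[0].lower(), parts[1:]
        if key == "match":
            break  # everything after this is conditional, not global
        if key in ("allowusers", "denyusers"):
            cfg[key].extend(values)
        elif key in SCALAR_DEFAULTS and values and key not in cfg:
            cfg[key] = values[0].lower()  # sshd keeps the first value seen
    for key, default in SCALAR_DEFAULTS.items():
        cfg.setdefault(key, default)
    return cfg


def _matches(user, patterns, host_scoped_ok):
    """True if user matches any USER or USER@HOST pattern."""
    for pattern in patterns:
        name, _, host = pattern.partition("@")
        if host and not host_scoped_ok:
            continue
        if fnmatch.fnmatchcase(user, name):
            return True
    return False


def ssh_login_allowed(user, cfg):
    """Apply DenyUsers first, then AllowUsers, as sshd does.

    Host-scoped entries are read conservatively: a USER@HOST deny entry
    is not a full deny, while a USER@HOST allow entry counts as allowed.
    """
    if _matches(user, cfg["denyusers"], host_scoped_ok=False):
        return False
    if cfg["allowusers"]:
        return _matches(user, cfg["allowusers"], host_scoped_ok=True)
    return True


def audit(passwd_text, sshd_text):
    """Return [(user, severity)] for accounts open to SSH password login."""
    cfg = parse_sshd_config(sshd_text)
    if cfg["passwordauthentication"] != "yes":
        return []
    findings = []
    for user, shell in sorted(parse_passwd(passwd_text).items()):
        if shell in NOLOGIN_SHELLS or not ssh_login_allowed(user, cfg):
            continue
        if user == "root" and cfg["permitrootlogin"] != "yes":
            continue
        severity = "high" if user in GUESSABLE_NAMES else "review"
        findings.append((user, severity))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_SSHD_WEAK),
                        ("hardened", SAMPLE_SSHD_HARDENED)):
        print(label, audit(SAMPLE_PASSWD, conf))
```

On a real machine, pass the contents of `/etc/passwd` and `/etc/ssh/sshd_config` to `audit()`; any "high" finding is an account like the one in the comment.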
If saying, "no," isn't an option, try these suggestions.
One option might be to set up a laptop with some sort of reversion/reimaging software. If you're into Windows, try something like DeepFreeze. This is probably the least labor-intensive option. You just need to un-freeze it, in a clean state, to do software and OS updates before re-freezing it again. The user has full control over the computer (as much as you want, anyway) and is simply reset to the pre-defined state upon reboot. The DeepFreeze software, I believe, can also leave some areas unlocked so changes there can persist through a reboot, if desired.
Another option might be to set up a laptop to PXE boot and get a read-only image to boot from. Configure all changes to be saved to local media until you decide to wipe it clean. This requires some network infrastructure to set up as well as keeping the custom boot image up-to-date.
Yet another option would be to offer up an "unlocked" laptop but drop it on a "protected" VLAN with heavy internet filtering. Again, there's some network infrastructure to set up as well as some likely subscription fees for filtering software/hardware at the gateway. The bonus here is that, if you have any (now or later), kids' computers can be placed on that VLAN without too much worry on your part. It also protects the rest of your computer equipment from being attacked from the inside of your LAN by a compromised device since it'll be on a totally separate "untrusted" VLAN. This isn't exclusive to the other options presented here, either, and can be used in combination.
You could also just bite the bullet and simply re-image the laptop every time someone uses it. Again, if you're into Windows, you could easily set up Windows Server with WDS and capture a customized WIM image so it'll have all the apps you want installed from the get-go. Other options exist for Linux and Mac.
One last option I can think of involves an Android tablet that can be re-imaged back to stock form easily. Samsung units are good about this with the ODIN tool and a USB connection. Just connect the device to the computer, select the appropriate image in the ODIN utility, and it's back to factory-fresh form in a matter of minutes.
My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
I have a secure Win 7 PC and a secure Wi-fi b/g/n - if they want to browse, they're welcome to use the coffee shops at the end of the block.
Besides, visitors shouldn't be staying indoors.
-- Tigger warning: This post may contain tiggers! --
Sure, what do you call the boxes that connect to your server?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Printing boarding passes? How quaintly retro! The last few times i've flown, the boarding pass has been sent to my phone as a text message.
It's possible in Tel Aviv. You'll upset them though.
Go to India or Pakistan and you won't get into the terminal without pieces of paper.
How do you know what seat you're in ? What if someone's in your seat?
Was this Cathay or Scare France?
Best Buy has laptops for about 250, which are good enough for web work. Just make the backup CDs and refresh it when they fuck it up. Or use Norton Ghost to image it
Fullscreen firefox and change the fullscreen hotkey. That's enough for me :-)
A blog I run for the wealth
Wait, this is Slashdot. "Guests" implies "friends". You are obviously in the wrong place.
I create a non-Administrator account right on my main system and delete it when they leave. Been doing this since XP SP3, with zero infections.
... with a bootable SD card that will wipe the hard drive and re-image it with the OS. It takes a while to write the whole hard drive, so this is a per-day thing, rather than a per-user thing. Eventually I plan to move to a virtualized system where I can "fake wipe" the hard drive more instantly, and even give each user their own VM.
now we need to go OSS in diesel cars
Maybe there isn't even a usenet group for it yet .
Rule 35.
Is it just my observation, or are there way too many stupid people in the world?
When a guest only needs a boarding pass I offer to print it for them. If they insist on doing it themselves they get to use a Linux guest account. If they can't figure out how to print with that, I again offer to do it for them. I never let guests run Windows, I don't even run it myself very often.
Sorry, but my home office has become a portal to an alternate universe and as such is being guarded by a pair of Narns!
I killed da wabbit -Elmer Fudd
I consider myself to usually be on the bleeding edge of technology, but phone-based boarding passes are right out. I've never had a piece of paper run out of power, but I've had my phone die halfway through the travel day for reasons unknown (turned into a little toaster and burned through its battery - presumably the radio got in a weird state) and have had it stolen while traveling. I keep two boarding passes, typically - one folded in my pocket, and one in my carry-on. If I lose one, I just grab the other one.
I just carry a USB charger battery pack in my travel bag and if my phone battery dies, it's easy to plug it in and charge it up - they charge slowly but are effective. I used to fight over the 2 outlets in the boarding zone during long layovers so I could keep my phone charged (carrying a 1->3 outlet adapter helps!), but now I just use the battery pack - I can get around 1.5 full charges out of the 5000mA charger (and that includes powering my phone during the several hours it takes to recharge fully)
Everyone has different "feelings" about other people using their computer. I see my computer as an extension of myself because it contains my job and so much of my life.
Anyone who uses my computer only ever does so for a very short time and only under my constant supervision.
Maybe it's because I don't run A/V and I disable UAC as I find them annoying as hell. My computers have never had an infection or been compromised ... because I'm not retarded with how I use my computer.
My advice is to setup an open and isolated AP and tell people to BYOD. You can do this with a dual-channel router or by throwing dd-wrt on any compatible router you can find on eBay for $20.
If you *must* let people onto your PC, put them in a sandboxed, non-persistent VM and set it to full screen. Make the VM "let me back into the host system" combination something that they'll never press.
That'll be 50 quid, says your local Michael O'Leary.
Well I only fly on real airlines.
I set up the shared computer with Linux and problems went away. As long as they had a web browser that covered most of their computing needs. One of my roommates even commented she liked it better after I switched because of how much faster the computer became. If guests are persnickety about OS, they can bring their own device. After all, you are doing them the favor by providing them with anything.
I would suggest installing Deep Freeze. Have it unfrozen when you yourself are using it. Freeze it before your guest uses it. Then one simple reboot and every single thing is back to how it was when it was frozen. Then just unfreeze for you to continue using it as a normal computer. We use this program on our WiFi Cafe computers after getting very tired of having to 'repair' the software about once a fortnight to clear various plug-ins, add-ons, programs etc that the users were installing. With Deep Freeze we have just set all the options as we need, then freeze it. No cookies left, no temp internet files, any virus or installed programs or anything is obliterated on reboot. Works great.
smartphones are all but the norm anymore
Then it appears you disagree with some other Slashdot users who have told me that smartphones are a luxury, not a necessity. The only necessity is an $80/year dumbphone in case of urgencies, and that's only because payphones are being removed. But I'm willing to consider your arguments as to why a smartphone is a necessity.
Get a thin client such as an HP t610 and use Enhanced Write Filtering to protect from any changes.
You can set a system baseline and lock it down with EWF. Once locked down, any file calls from the operating system or software are intercepted and redirected to RAM. No changes are made to non-volatile memory. Once powered down, the system expunges all changes and reverts to the baseline you set.
Hmmm...
How do you know what seat you're in ?
First come first served, I guess. At least that's how it was when I traveled via Greyhound bus.
You have nothing that needs interoperability with your work that can't be handled by Linux.
Does that mean WINE has stopped being terrible at handling games
Icebike said "your work". Compared to the general population of people who would need to borrow a home computer for a while, very few people develop or review video games for a living. If that is your job, icebike's comment was probably not addressed to you.
If I want to use a kiosk at my local airport to print my boarding pass, I need to scan the ticket barcode.
What can I do about friends who borrow my car but always bring it back with fresh dents and scratches and new unsettling engine noises?
How do you know what seat you're in ?
I look down. If I see my legs, that's the seat I'm in.
Who doesn't have a smartphone/tablet these days to do such things?!
There are at least five cases I can think of. Minors aren't old enough to hold a job and buy a smartphone or tablet, or they may not be allowed to carry it to school and back based on the school district's policy on storage of electronic devices in student lockers. Typing without a Bluetooth keyboard isn't so easy on a smartphone or tablet. Nor is printing. Nor are SWF sites or sites that detect the user agent and error out: "This web site is not available for mobile devices. Please visit this web site using a computer."
With the number of people with smartphones, I don't really see a legitimate need to set up guest computers.
If someone came up with a plausible explanation of why he didn't have a smartphone, or why a smartphone wasn't suitable for a particular thing he wanted to do, how would you reply? Please see the five scenarios in my previous comment.
If you MUST use my machine you are getting a Linux Live Cd.
That's fine; I've used Linux before. Have you got CUPS working on your live CD? Or could you otherwise help me print a boarding pass?
I have MY PC.. Always locked, and nobody gets to use it. Wife, kids, etc.. Doesn't matter. That being said...
I have several core2duo's setup for the wife and kids for minecraft/office/internet. After setting them up, I resized the partition space so I could keep a clean image on the hard drive (in a separate, non-accessible partition by windows formatted ext3) Whenever their PC's get so nasty with malware that it's barely usable, I boot off a USB stick with clonezilla on it, then restore the base OS/Apps image.
Takes less than 15 minutes to do a restore.
On another note... Watch out for chrome's "Logged in user" I left my daughter logged in with one of my accounts on her PC. She visited the app store and installed a bunch of junk, which when I log into another PC guess what? It's on there, even the nasty stuff.
...and the problem is multiplied like by a bazillion. Linux is a perfect solution except for all those kids games like Freddy Fish and when they get older, Call of Duty etc. I learned to fear my children much more than the People's Republic of Crafty Hackers. After awhile you pretty much get resigned to it and end up teaching them how to do the internets the right way. And you'll still have to re-image every so often.
"He's using a quantum encryption scheme! That'll take hours to break!"
You can have a "CD image" (i.e. a read only boot image) stored on an SSD, and boot a live Linux distro that way. It does all the same stuff (e.g. creating a temporary read/write union filesystem based on a readonly file system), but just way faster because it would be reading from an SSD instead of a CD.
Also if you have a lot of ram, you can load the whole OS to RAM. It takes a bit longer to load, but is ultimately faster during use. This loading process should go much faster from an SSD, but maybe you won't even need this option if you have an SSD.
I am pretty sure you can also do this with windows also, but I've never done it, so I can't give any first hand experience.
Another option would be network booting. I am not sure it would go much faster than a CD (certainly slower than an HD or SSD), but it might be cheaper because you wouldn't need to buy an SSD, HD, or CDROM.
Yes, TSA scans your boarding pass barcode, if it is a mobile boarding pass on a smartphone.
lxc-start-ephemeral won't protect you (yet) if they decide to chmod +x and then run a local-escalation rootkit, but some day it will. And who remembers to chmod +x the rootkit anyway? I never remember. And without the local escalation I'm fucked, because I always forget to type "sudo."
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It might be overkill for the OP's situation, but here's an interesting solution:
http://www.thogan.com/blog/windows-xp-vista-7-iscsi-boot
What OS are we even talking about? If you're talking about Windows you can enable the guest account. If you're afraid of getting a virus that attacks the built in Guest account it's not a problem to create a standard user account and give it whatever name you want to. If you're running Windows 8 you could even add their Microsoft Account to the machine and then remove it when they leave. Are you letting your guests run as Admin? You shouldn't even be allowing yourself to run as Admin. Every OS that I can imagine you would be running at home (besides iOS) allows for creating accounts that don't have permissions to install anything.
Just launch them a browser in Sandboxie and you'll be fine. The free version is all you would need. When the browser closes it will take everything with it.
http://soylentnews.org/~tibman
1) Make a guest account, lock it the f*ck down, and you're done. Limited executables (Firefox + NoScript), good antivirus/firewall, yadda yadda. If you have a Mac this is even better as most people who are average Windows users won't get far off the trail and Linux users will generally be safer users as it is.
2) They don't have their own laptops? Their own smartphones? How frequently are they using your computers in lieu of their own devices? If you need to Ask Slashdot then you have a bigger problem than what can be solved here, or you're lying about this being your house and guests (underground internet café? Is that a thing?). Seriously, your friends and family should know better and, if they don't, educate them instead of attempting to just "hope" that you can lock it down.
How does the old adage go? The only time a computer is safe is when it's unplugged, in a safe, buried underground, with armed guards outside. And it's still probably not safe.
some of us don't want easily hackable cellphones used to track credentials of any kind.
Adding complexity always drives up the possibility of failure... Needless complexity drives down reliability for no good reason.
The same as with children, watch what they're doing!
I have one friend who is notorious for surfing "questionable" web sites while visiting friends. I simply tell him "nothing but YouTube and Facebook", and watch from the couch to make sure he complies. Sitting and watching someone Facebook isn't particularly fun, but it beats the heck out of having to reinstall a system.
I do not fail; I succeed at finding out what does not work.
We already deduced that, from your other (stated) behaviors.
HSJ$$*&#^!#+++ATH0
NO CARRIER
...but being windows, well, there's plenty of ways for Bad Things to happen. But it's been good enough for me, knock on wood, so far.
Never let a lack of data get in the way of a good rant.
Don't mount your other partitions in the /etc/fstab, and configure your file manager to not show unmounted partitions or automount them; that should be enough. Disable sudo (in /etc/sudoers) if you wish to keep a weak user password but not having it give root privileges. If you're still concerned about your data, well you can try to really lock down the automounting feature (or don't install an environment that has it in the first place) but you're going down a weird path already.
Enable the Guest account in Windows 7/Vista. It is disabled by default, but is very airtight - nothing can infect the machine from there. Don't forget to run with UAC on. Set Firefox browser to erase all history/cookies on exit.
I've been running like this for years without a single hiccup. It protects my machine, my files and my privacy. Also protects the guest's privacy by auto-erasing all browser history.
Macs (OS X) come with a built-in Guest account that automatically wipes itself after the person logs out. Problem Solved?
"We have tried using a Linux boot CD but usually get funny looks or confused users."
So, then, you already solved your problem. Why are you posting to Slashdot?
1) Get smarter friends
2) Linux or even MacOS box and tell them to live with it
3) Deep Freeze
4) VM with snapshots/non-persistent storage
That is quite an interesting solution!
I just wanted to see if you've ever played with BartPE before?
Its main function is to take a windows xp (or 2k i believe) installation cd, a folder of special packages to include, and optional custom config files (ie network settings) all as input.. and gives you a bootable ISO image as output.
Obviously it's meant to create a boot cd/dvd, but using syslinux similar to how you do, one can boot that ISO directly off a USB flash device as well.
Flash makes it fast, and easy to overwrite the ISO for any system upgrades. No optical media slowdown either.
ISO makes it read only while running from a RAM disk, so is quite fast.
For just running a web browser, it at least gives you a slightly newer kernel and base system to build upon.
Still, I'll have to play around with your method too, as I have some old legacy 95 and 98 boxes at work I need to keep alive for the foreseeable future, where in some of those cases virtualization isn't an option.
(I've managed to virtualize custom ISA cards, but can't say the same for custom PCI cards)
Thank you.
this is slashdot, so the most verified response should be "develop your inner sociopath to resemble most of us, this should solve the problem of guests"
Just use a VM of whatever OS you choose. Keep the base snapshot patched to current levels, and after someone has used it restore said snapshot.
Or have a separate guest SSID for wireless and tell them to bring their own damn computer :)
Firefox and Chrome look the same no matter the OS. Adding a large icon for the browser and download folder is everything most web users need to work in Linux.
If you are running Windows then with any luck you are running Win 7 Pro. If you have the Home version you can upgrade with the "Anytime upgrade" bit.
With Win 7 Pro you can install XP Mode which is an XP virtual machine. Set up a guest user and set that to autorun the XP Mode VM in full screen. Once it is set up make a copy of the VHD as a backup. They can hose it up all they want and when they are done just delete the VHD and copy in the fresh copy from the backup.
You can print to file on a flash card and then insert the flash card into my printer that accepts such things. I suppose you could counter with 'well what if there is no USB driver for the flash reader', or 'does the Live CD support your NIC?'.
Good-bye
You have to support legacy 9x systems? Ouch.
Here's a few other tidbits to help then. :D
Your legacy systems are highly unlikely to have healthy IDE HDDS after this long in service, and getting replacements is not likely to be possible in another 5 years.
If you use this "preboot ramdisk" method, you can use a poor man's SSD, like a CF->IDE adaptor. The limited speed (often painfully slow. My CF adaptor is limited to PIO4 transfers! Gerk!) and limited writelife of this super bargain basement solution are mostly overcome by the read once, write never nature of this setup. The adaptors themselves are cheap. If you don't want to dish out the $$ for CF modules, you actually *can* chain an SDHC->CF adaptor to the IDE interface, and use dirt cheap SD cards. (These solutions are very popular with embedded systems where rugged and cheap are both required. Tradeoff is speed. Boot up time will be painful, but once up, will be a speed demon.)
That would let your industrial install 9x systems live for a *very* long time, and would put a lot less wear on the system's PSU.
Since you are booting them via syslinux, you can have a great many fully configured disk images stored on the media. A commodity 32gb SDCard could hold 64 fully configured image configurations, and present a list on bootup! (Even more if you use win95B, or win98 first edition, which can live in 256mb and 384mb images, respectively. Tested!)
For ease of maintenance, I strongly suggest a uniform workstation hardware base, so that you can use one system as the testbed, build images from it, and deploy them everywhere else. Possibly use a startup script to change the network IDs to avoid collisions on the fly.
Ideally, once all set up, this is a "set and forget" solution. However, the tradeoff is in prepping suitable images, which isn't a trivial exercise.
Set up a thin client for guests, then they will not ask for computer access again.
Not unless they have access to fdisk, which you can remove from the image.
Format.com will only work on msdos(fat16/fat32) partitions. Windows 95/98 will not even try to mount a non-DOS partition. HDDs are treated quite differently from unformatted or "other system" formatted floppies or removable disks. Quite literally, the only tool that can touch the ext2 volume is fdisk.
Remove it from the image, problem solved.
First dump Windows. Then install Linux. (it is just a matter of time for you too) Go from there. As you discover Linux, make notes on which apps do what. Then make cheat sheets for guests to use. Have them use a guest account.
I would have a hard time believing that anyone is such a good computer user that they never have issues with Windows. It is just impossible to stay 100% clean all the time.
Thanks for the tips. I'm definitely very interested in ram disk-ing them, and going read-only for normal operations.
I actually do use IDE to CF adapters already, although just as a direct HD replacement for the C: drive. Some of the DOS systems can't address disks(well, partitions) larger than 2gb anyway.
In one case the 98 system drives a 6 foot vinyl cutter machine, and the data files are created in a client program on an XP desktop. But the cutter software and drivers work with a custom PCI card that, along with a serial port, tell the machine what to do. I can't get either the core software or drivers to work under 2k or newer.
I currently use a CF card (plenty of backup cards in the desk next to it) for the C drive, which I can reimage to a bad or new card (bad as in windows broke itself, or someone broke windows)
D: is a spinny disk still.
98 USB support is pretty crappy, but I use that none the less to transfer files to it. (a different driver for each brand flash drive, really?) but have always wanted to try and get a network link up to the file server, even if read only and one way. I've been putting it off until I had a better setup for the whole thing to implement anyway, and this certainly qualifies.
Also, three of our five surface mount assembly lines have pcb screen printer machines still on DOS.
These guys use a couple ISA IO cards to drive the actual hardware. This I've managed to virtualize using a usb2isa adapter and virtualbox. Which also let me add networking support through the host, and all running on modern hardware with a linux kernel as the host.
After going the CF as C: route for awhile, it was still annoying using the on-board software to create machine programs when the nice GUI app was so much easier to use.
Now a CIFS mount puts a file server folder on the host pc, which is mounted as a drive letter under the VM, with the C: drive being a copy-on-write setup (I posted about that method earlier up in the thread)
I even have a 95 computer driving an xray machine (for detecting defects in mosfet chips) where the software has the most stupid thing I've ever seen in my life, making it a pain to modernize.
The software doesn't use real timing loops, but hard coded 'for' loops of a fixed length, and uses this for bit-banging purposes on the serial control lines.
The CPU must be an Intel Pentium (one), and must be between 75mhz and 120mhz.
Any faster, or slower, and the timing loops are off too far for it to communicate with the machine properly.
The thing was already an old install when I got there, with no backups of course, misplaced serial keys, and the company that made it is no longer in business.
I'm completely at a loss what to do on this thing to avoid using the existing install, or virtualize it in any way to keep the timing proper.
So far I've resorted to a clonezilla backup image which was converted into a restore cd.
Drop the cd in, reboot, hit enter two or three times and wait a minute. When it's done restoring it reboots back to windows.
Apparently they have to do this at least once a month (but at least no longer eats up my time!)
On one hand, these things are quite the pain in the side to have to keep running.
On the other, most of these things are so expensive it's actually pretty cost effective to spend numerous hours of my time with such bandaid solutions.
At this point the easier and faster it is for the operators to do a restore, the better!
Mom? is that you?
-- Sig under construction...
Webconverger (http://www.webconverger.com/) is a livecd and USB stick bootable linux distribution for kiosk applications, which also puts it in the same territory as ChromeOS for guest access, only it will work out of the box on a wider range of hardware.
By design, it gives the user a tightly locked down, full screen Firefox browser, and nothing else, but it's somewhat configurable and even supports printing (http://webconverger.org/printing/). Out of the box, it supports the Flash and Google Talk Voice/Video plugins, so most if not all websites will work out of the box, and the user can even do voice calling and Google+ hangouts.
With the exception of the couple of proprietary browser plugins mentioned above, the software appears to be entirely open source, and they offer a free version, subscription service to customize and manage it for you, or source code if you are comfortable getting your hands dirty. Overall, this looks like one of the easiest ways to provide a safe, controlled environment for your guests, locking them into a browser window where they can do what they want, but nothing will be saved. Given the plethora of cloud apps out there to serve as substitutes for local apps, with a little creativity, this should be all anyone who doesn't bring their own computer will need.
Get a live cd and a computer without a hard drive for guests. Power cycle it when you switch guests. Problem solved. If they want to save something they can stick their own usb device in and infect it all they want. They just have to take that usb device with them when they're done.
Slick!
Here's some advice to help save time.
These volumes are small, and you want to use drivespace to cram as much into them as you can. Consider using a dos 6.22 diskette image (or boot cd) with the old dos version of drivespace to initially partition and format the base volume you will later image. This will let you create the compressed volume file very early in the setup process, saving you a very lengthy compression operation later. Drivespace and drivespace3 volumes can ONLY be FAT16 for the host. A Dos6.22 partition, format, and drivespace compress cycle ensures a suitable foundation to install on. You DON'T need a full dos 6.22 install.
Boot the dos 6.22 boot disk, partition and format the volume with the /s argument, then drivespace it. Copy any cdrom dos drivers and the dos 6.22 mscdex.exe to the compressed bootable volume.
Make sure the partition type is CHS and not LBA.
Pop in the install CD for whatever flavor of 9x you are going to use. It will happily install onto the dos6.22 drvspace packed volume, and pack as it installs seamlessly.
When it finishes, the install process automatically upgrades the volume to drivespace3 format, and updates the drvspace.bin and dblspace.bin drivers on the root for you. Easy peasy.
Configure the system, install drivers, etc. Set the swap file to either be OFF, or on the spinny disk.
Run compression agent, set to "ultrapack all files", click OK, then go do something else for about an hour or two, while it crushes everything down.
Defragment the system.
Shut it down, then image the partition.
Build the EXT2 boot medium, put memdisk and the image file on, set it all up, and feel good about yourself.
I've seen that a few people that had never seen linux before managed to download and run knoppix from a CD to troubleshoot and solve various hardware or MS Windows file problems without spending much time or getting very confused. The UI is far closer to what they are used to than MS Windows 8 is.
I run a Linux desktop with multiple logins and just create a new one for guests to use on the fly. That account is then deleted and the data scrubbed when they're done. Sometimes that's a student living with us for a few months, sometimes a one day photo viewing session.
As for Windows, creating a restore point and creating a fresh non-privileged account for them to use then deleting the user and/or running system restore back to that save point should suffice in most cases.
- Michael T. Babcock (Yes, I blog)
Oh yeah,
For the Xray driving win95 machine:
Take your existing image, and push it to a temporary physical volume. Defragment it and pare it down.
Use something like partition magic to shrink it down to a suitable size.
Use that image for the ramdisk. If you can't shrink it small enough, bite your knuckles, and install win95 pluspack. This will give you drivespace3. (Uninstall desktop themes afterward.) Compress the volume, (it *will* take all day.) Then defragment. Use the drivespace3 management program to resize the CVF. Make it as small as possible. Shut down, then partition magic it to shrink it up, then use that.
If you are so unfortunate as to have a fat32 volume and not fat16, (and as such can't use drivespace to squash it), you have to MANUALLY build a fat16 bootable volume, copy all the files into it, doctor msdos.sys to be the proper kind, and hope for the best.
Something like a Wyse V90 on ebay; 79-99$
embedded windows with a read only file system
Mom? is that you?
Yup, your mom's karma on Slashdot is high enough to get a karma-bonus when posting...
XML is known as a key material required to create SMD: Software of Mass Destruction
Seriously, let 'em boot off a CD, do their internetness, and let it all go away after reboot. If you have guests that are sufficiently malicious as to scrub through your hard disk from a live Linux environment, you've got plenty of other issues right behind it. If you're simply looking to fix stupid, then grab a Live CD boot off it, and let it exist that way. Unless there's a particular need, don't complicate things.
Anyone can use a Kindle.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Any Mac can have a Guest account enabled that gets nuked again when the guest logs out. We do this all the time. When a guest arrives without their own machine they are welcome to use the Guest account on the MacMini that's plugged into the TV. We can use the FastUser Switching to flick it back to my, or my wife's account, as needed, without logging the guest out, but when they leave we just log them out and voila - the Guest account is wiped.
I used to have a better sig than this, but I got tired of it
I've had pretty good luck running Deep Freeze in cases like this.
With deep freeze, you set your computer up in the ideal state you want it and then "freeze" it. Users can use the system to their heart's desire, and then you can restore it to the ideal state by rebooting the box.
Wikipedia article about it: http://en.wikipedia.org/wiki/Deep_Freeze_(software)
Product website: http://www.faronics.com/products/deep-freeze/
Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
Init 3. If they can use the computer from that state, you know they are clever enough to be let loose doing whatever they want.
When guests have gone, init 5.
What the hell are with all of these complicated answers? Virtual Machines? Snapshots? Linux installs just for guests? Two routers? Shit, this is not that hard. BOTH WINDOWS AND UBUNTU FOR EXAMPLE ALREADY SUPPORT A GUEST ACCOUNT OUT OF THE BOX WHICH HAS NO ADMIN ACCESS. THAT IS A PERFECT SOLUTION FOR THIS.
If Mac or your favorite flavor of Linux don't have a "guest account" feature, then just make an account named "guest" that doesn't have admin access. If you're worried that the account alone is compromised, then delete the account and re-create it (or just delete everything under its home folder).
You get funny looks with a Linux boot CD but not when you hand them an iPad? Maybe you should look funny at your "friends".
Go with the Linux boot CD (or better: USB stick). If your friends really can't use Firefox or Chrome in Linux then they're just too stupid to breathe.
I too sometimes look down and see your legs. WTF is going on?
You can't handle the truth.
I've not used DeepFreeze personally, but I've read about it. From what I've heard, if you want to make changes you boot the system to get a clean state, and then "thaw" it. Then any changes you make will be permanent. You reboot to get back into a frozen state.
It seems to me that using DeepFreeze probably requires doing manual updates every once in a while, but it's not as onerous as making a whole new disk image.
I won't join Slashcott. OTOH, if Beta goes live, I just won't be back until it's fixed. Sorry Dice.
If the live CD is set up to not mount your harddisk, and if it has a guest account without root privilege, then only malware that does privilege escalation (becoming root) after exploiting a bug can do damage.
Now I'm not a real security expert at all, but I think if the live CD is paranoid enough to not have any harddisk kernel modules, have SELinux on in "setenforce 1" mode, and if the live CD is burned to a DVD-R instead of DVD-RW then I think you'd be quite safe.
Seeing as Linux is used for a lot of different tasks, I believe (but I'm not certain) that there are several distros especially *for* this purpose; hardened Linux distros for computer forensics, penetration testing etc.
A quick look at distrowatch.com shows (N.B. I haven't tested any of these, my family are not computer criminals AFAIK):
Now if your guests are not only hardened computer criminals but also very old, consider the extreme user-friendliness of the Italian project "ELDY":
http://www.eldy.eu/
I haven't tried it yet, but I respect their philosophy: "when you were a baby, they taught you how to walk and cycle. Now that you're grown up and they are getting senile and feeble in the head, you can teach them computer use. Do your best to try, anyway". (I paraphrase ..slightly.. )
To be, or not to be: isn't that quite logical, Slashdot Beta?
Oh the insecurity... ;-)
Please stay with MS Windows!
Link: http://newstechnica.com/2008/11/09/ask-jack/ (probably NSFW)
To be, or not to be: isn't that quite logical, Slashdot Beta?
Your guests are stopping by for a visit before going directly to the airport, and didn't think of printing the boarding passes beforehand? Or they don't have a printer? You have some dumb friends.
Vote monkeys into Congress. They are cheaper and more trustworthy.
Install some virtualization software e.g. VirtualBox and install whatever OS your guests like. Then clone the image for each guest to use, and delete it after that.
You can buy a used, but perfectly usable and cheap windows XP/7 laptop from your local Craigslist or ebay. Re-image it regularly.
If you're running with zfs, just take a snapshot of the file system before handing over the system. When they're done, roll back to your snapshot. Both take seconds to perform. There may be other filesystems that can do this, but this is the one I'm familiar with and it works extremely well and doesn't require any virtual machine layer.
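The snapshot-and-rollback routine from the ZFS comment above, as an added example that is not part of the original thread. The function names, the dataset name `tank/home/guest` and the snapshot label `pre-guest` are assumptions; child datasets are rolled back one by one because `zfs rollback` reverts only the dataset it is given.

```shell
#!/bin/sh
# Added example: snapshot a ZFS dataset tree before a guest session and roll
# it back afterwards. Names are assumptions; run as root, for instance:
#   guest_begin tank/home/guest   ...guest uses the machine...
#   guest_end   tank/home/guest

SNAP="${SNAP:-pre-guest}"    # snapshot label (assumed name)

# Print the dataset and every descendant, one name per line.
descendants() {
    zfs list -H -o name -r -t filesystem,volume "$1"
}

# One atomic, recursive snapshot of the whole tree.
guest_begin() {
    zfs snapshot -r "$1@$SNAP"
}

# Roll each dataset in the tree back to the pre-session snapshot.
# Dataset names without whitespace are assumed.
guest_end() {
    rc=0
    for ds in $(descendants "$1"); do
        if zfs list -H -t snapshot "$ds@$SNAP" >/dev/null 2>&1; then
            # -r also destroys any snapshots taken after @$SNAP, so nothing
            # created during the session can be used to pin its data.
            zfs rollback -r "$ds@$SNAP" || rc=1
        else
            # A dataset that appeared during the session has no snapshot to
            # return to; report it instead of silently leaving it behind.
            echo "not rolled back: $ds has no @$SNAP snapshot" >&2
            rc=1
        fi
    done
    # Drop the session snapshots only when every rollback succeeded.
    if [ "$rc" -eq 0 ]; then
        zfs destroy -r "$1@$SNAP" || rc=1
    fi
    return "$rc"
}
```

The rollback covers only what lives in the snapshotted datasets; files a guest wrote elsewhere, such as `/tmp` on another filesystem, are untouched by it.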
insert the flash card into my printer that accepts such things
I wasn't aware that such printers existed. Is it USB or SD, so that I have something to type into Yandex or Google?
This is what I would do - crude, but it should work: Install Linux on your system, then some VM - I prefer VirtualBox, personally. Then install Windows in a VM, with all the things you want there. Shut it down, and make a clone/backup or whatever; this is for when you want to clean out your guest Windows. Now, you can let your guests play with Windows, and when they muck it up, you restore it from backup to a known, clean state.
But in that case, presumably, they would use their parents', or their parents would buy them one.
So are you claiming that a laptop for a child is a necessity, not a luxury? This appears to directly contradict what I was told in the last article about Alan Kay and the iPad: kids deserve to have a limited-function tablet, not even a beater laptop. And how do you expect the child to have the laptop with him if the school forbids storing laptops in student lockers or carrying them on school buses?
Ubuntu has a guest account that gives limited privileges and doesn't require a password. It never ceases to amaze me all the BS people put up with to keep using windows, perhaps you should dual boot and leave Ubuntu as the default so if a guest boots up a PC they get an Ubuntu Guest account unless they know the magic keystroke combo to switch to windows.
Guests shouldn't need to install software anyhow, that's something you'd do on your own machine, not someone else's.
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
Use ubuntu, create a guest account, install windows in virtualbox, clean the virtual machine at each login, data can be saved using a shared folder. When you have switched to unix way of thinking, all this becomes so simple.
For the person that wrote "Windows may be a problem here...": Windows also has a "guest" login that can be enabled very easily if needed. Linux for most average folks is beyond their ability to install, let alone use. Many of the newer routers have a "guest" option, enable it! Finally, common sense, keep everything up to date on your computer NO MATTER WHAT OS and have the proper software installed to protect it!
Create a VM and run it in fullscreen mode.
Aside from pressing the key combo that cancels fullscreen mode (CTRL+ALT+Enter for VMware), there is nothing that a normal web/email user can do to tell the difference. Just create a snapshot before the guests arrive and revert to it after they leave.
This used to be possible with the free VMware player---don't know if that's changed or not. The paid VMware Workstation product definitely can do it, or an equivalent product from their competitors.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Well yes, in an ideal world every host would be able to stand on its own as if connected directly to the internet...
However, there are all manner of terribly insecure services and devices out there that are simply unsuitable for exposure to the public internet, and such things are still being released even today so they can hardly be called dated.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I keep two boarding passes, typically - one folded in my pocket, and one in my carry-on. If I lose one, I just grab the other one.
You worry too much about boarding passes. If you happen to lose one it takes about 60 seconds to get a replacement at the nearest airline kiosk or at the gate.
I always use my phone. If something happens, I have my ID and can quickly get a paper pass. That hardly ever happens.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Or perhaps your friends are from out of town, are visiting at the end of their trip before going home, and were either staying with you or couldn't/didn't print the boarding pass at their hotel. IIRC, the airlines don't let you print a boarding pass more than 24 hours prior to scheduled departure.
PXE boot gPXE, to load your Linux/Windows off of iSCSI from a central NAS/SAN. Other than the NAS, which anyone this technical probably already has, you don't need any special hardware. Just a DHCP server that has a next-server option, and some onboard NICs that support PXE booting.
If your iSCSI target is something like ZFS, snapshots/rollbacks are easy. "You want to use the computer? Sure!" Just roll it back to an auto snapshot after they are done. Big plus if you have multiple desktops, as you can do one OS install and clone/boot on multiple hosts.
Windows seems to be hit or miss on which hardware it can boot its root drive via gPXE on, but I have done it before. Linux is a breeze of course... If performance is a concern you can always have your OS locally on HDD and the guest OS via PXE.
Has a full array of card readers on the front, Epson RX595. I also have an HP 1102W LaserJet for mobiles/AirPrint. The whole system was designed by me to NOT rely on workstations to function.
Good-bye
If something is both "the norm" and a luxury, then it would be polite to accommodate someone who can't afford luxury, wouldn't it?
or Mac OS X which even has a guest account preconfigured. Best of it: The guest account gets completely wiped at logout.
It is just one more example of how M$ screws us all. Because Windows could provide guest accounts as well.
If they find something before visiting me, they don't need to use my computer to share it with me
That's sort of what I meant. I was confused.
And if your phone can't have printer drivers, can't view flash, and can't run a browser with a desktop user agent string... you need a better phone.
Are you referring to Android? I thought Adobe was no longer making Flash Player available on Google Play Store, and I thought Chrome for Android no longer supported Flash Player. So someone would have to download Firefox, turn on "Unknown sources", and install Flash Player from an APK.
DeepFreeze is awesome. Buddy of mine once owned a cyber-cafe. He allowed administrator access on all his PCs. His customers, who were pretty much all young males between the ages of 15 and 25, (no risk from that demographic, no), were free to install whatever games or hideously infected viral crap they wished. After they were done abusing their rented PC, my buddy would simply poke the reset button, and the machine would boot back to its pristine state.