Slashdot Mirror
Ask Slashdot: Protecting Home Computers From Guests?
An anonymous reader writes "We frequently have guests in our home who ask to use our computer for various reasons such as checking their email or showing us websites. We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware, despite having antivirus and the usual computer security precautions. We have tried using a Linux boot CD but usually get funny looks or confused users. We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised. What tips do you have to overcome this problem, technologically or otherwise?"
I think they call it guest wifi and byod.
> We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware,
Really? It's not that they started typing something into your browser and the browser history showed off all the sick and twisted porn you watch? :P
I'm god, but it's a bit of a drag really...
Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.
Set up a VM in Virtual Box for them to use. Take a snapshot of when it was healthy and new and just revert to that each time someone wants to use it. Even paying for a Windows install for the VM would be cheaper than an iPad.
The guests, that is.
It's a Firefox addon. Check it out. Also Adblock Plus. With those two installed and running, things get a lot safer. Of course, NoScript requires a bit of savvy to be able to browse the web correctly. You might have to help. Otherwise, tell them to bring their own darn laptop.
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
The moment your computer becomes public (however limited that "public" is), it is a goner. It is like asking how to secure your computer after it was compromised.
I don't even let my visitor plug into the same network my main computers are, and have both a separated WiFi network and a separated ethernet segment for them (1 port only in the guest room), that I treat as a DMZ. Ok, I'm paranoid, but still.
Maybe use removable HDs, and keep one for your own use, and swap it for an entirely different one (which you can restore from a Ghost image or something) for your guests. As in PHYSICALLY disconnecting your HDs when they are going to use.
Otherwise, it is like using band-aids to stop a leaking dam.
morcego
Something like VirtualBox or VMWare that supports snapshots. Install an OS into the virtual machine and set some firewall rules to keep it from accessing anything else on your network. When they ask to use your computer, launch the virtual machine and set it to full screen. They won't know the difference. When they're done, revert to snapshot.
Sound like a good use for a Chromebook.
Seconded. I say locked down guest account, or live CD. The VM idea isn't bad either.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
Setup a windows XP virtual machine. Save a snapshot, or a VDI/VMDK file of a clean hard drive image. When they come, boot up the virtual machine in full screen. When they leave, restore the clean snapshot or clean hard drive image.
Get smarter guests
The media PC in my living room boots directly into the Guest account. Under the guest account I can USE almost all the programs I have installed seamlessly. There are some minor issues with software updates, XBOX controllers, and a complete inability to configure network settings, but that's about it. If I need to do anything that requires more rights I can deal with the UAC prompts that show up or simply log out and back in as an admin.
I know it's not flawless but I still feel pretty comfortable letting my tech savvy (e.g. dangerous) friends stay over unattended. It wouldn't hold up to anyone seriously determined to break the security but they have access to the physical machine and can't really be stopped anyway.
Most of the new WiFi routers offer guest networks. Set one up and tell them to bring their own device. With the number of people with smartphones, I don't really see a legitimate need to set up guest computers.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
>> Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.
This. As long as you can PRINT from it. (Most of the time I loaned "local" computer access it was to let someone print airline boarding passes.)
Also make a couple paper copies of your WiFi creds and encourage them to BYOD.
Change a few words ... many of these guests have high risk driving habits and have more than once driven one of our cars into a phone pole ... and the answer is obvious.
Not convinced? Try this one ...
... many of these guests have high risk sexual behavior habits and have more than once infected one or more of our girl/boy friends ...
Solutions evolve with time, in order for Google to index relevant pages, we have to create content. That is happening as we speak!
Tomorrow is another day...
"We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised."
Seriously? What have you been reading that gives you bizarre notions like that? The iPad has a number of general shortcomings, most of which are related to its single-user OS and its closed architecture. And I'd hesitate to lend a guest my iPad, but only because – once unlocked for use – it's wide open for the user to poke around (e.g. read my mail, browser history, etc). But in terms of the OS being compromised, an iOS device that hasn't been deliberately jailbroken (by you) is about as safe an internet-access device as you're likely to find, short of custom building a Linux- or BSD-based system yourself.
http://alternatives.rzero.com/
Create an account that does not have the ability to change the operating system, a "user" account for your friends. It won't prevent all problems, but it does cut down on the ability of malware to corrupt you system outside that user's folder.
Let them run Puppy and if they get confused lend them a hand. Usually most people seem to want to check email or some other trivial task. You do want to be certain that your email account does not allow auto sign in while you have company.
Get a cheap computer (i.e. used/refurb), and keep installation media on-hand.
You can optionally install Linux to make it more resistant to stuff.
And put the homepage to something that discourages them from visiting naughty sites.
Dual boot into it. Problem solved. Everyone loves Chrome. And it's like a rock.
We should learn what we need to know about issues, before we decide what we need to feel about them.
I keep a chrome laptop around for this. It's enough for most people, and after logout everything's clean.
I want my Cowboyneal
I am not sure why users give you funny looks with Linux. Is it because things like Flash/Java plug-in/etc. are not installed?
Flash and Java are standard parts of a modern Linux install these days, such as the latest versions of Linux Mint.
Maybe they gave him funny looks because he installed Ubuntu, or worse, Fedora, and they were sudddenly exposed to the horrors of Unity or Gnome3. Just when Linux was really looking like a viable replacement for Windows on the desktop(/laptop) for regular users, Unity and Gnome3 had to rise up and dash that hope forever with their horrible UIs.
If you're willing to buy a $499 iPad just for guests to use, then you'd probably be willing to buy a $249 Chromebook instead. It's a great second laptop, and perfect for guests to use. There's even a "Guest" account they can use, and it clears the data when they are done using it. And it's secure - which you want if your guests have "high risk computing habits."
I understand why you post as AC.
"I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
And put it in its own separate guest network, which is logically isolated from your own stuff by a firewall, maybe run a print server too (people often want to print boarding passes)...
As for funny looks, a browser is a browser and i've never had any problems giving someone a linux livecd, it has both firefox and chrome and most people are perfectly familiar with these applications.
Why go to the trouble of a separate network?
The odds of even the most retarded of users inadvertently fucking anything beyond the one machine they're touching is absurdly low, unless you're running outdated shit on your network. Remote exploits are remote exploits, and you should protect each device regardless or whether or not you trust the rest of the network.
If someone is so fuck-up prone that you think your proper boxen could be fucked by some schlub lolcatting around on the same network, you should be more worried about them tripping in your house and suing you.
>> Printing boarding passes? How quaintly retro!
I think you'll find that the same guests who want to borrow your computer are also the same ones who won't be able to get boarding passes on their phone.
Just put Windows 8 on it. Nobody will be able to figure out how to launch anything besides Bing and Zune.
Table-ized A.I.
If you have a Mac, there's a standard user account called Guest. This account has privileges to do normal user things, but can't install apps or make other changes to the computer. (And the account has no access to other users' data.) No matter what the guest user does in that account, it can't hurt you —and the entire Guest account is in a fresh state each time you log in to it. It's designed exactly for something such as this, and it works very, very well in real use.
These comments suggesting a Linux boot CD, or a Virtual Machine (VMWare , VirtualBox, etc) are all viable solutions if you trust your guest to stay within the environment you give them.
A VM, in my opinion, is really just useless, because the guest can switch away from it too easily and get at your main machine. Then perhaps become confused which browser is which, see your firefox on the desktop, double click and continue away... This is common with guests that are not too computer savvy....
Someone mentioned using a VM with a guest network and router firewall rules?? that's just more useless, the guest is sitting at your main machine. See the point above.
A linux boot CD is much better than a VM, with firewall rules to prevent this booted machine from accessing the local network, but any linux environment gives local access to local drives, so before you know it your (computer savvy guest) is browsing your local hard drive from your standard everyday system you use, and reading all your fine datas. Or if they are a reboot happy user (I've seen that, if the browser gets slow they power off) then that user may reboot when you're out of the room, and they may now boot into your main system and continue along, without you even knowing it, until much much later. You won't know this unless you are watching what they are doing every minute, and I am sure that won't go over well either.
The only way to go here is to have a separate guest network (hardwired or wifi or both) and have your guests BYOD. If you wish to be accommodating when they don't have their own device then you can give them a slow, cheap, small laptop from craigslist or something, and make them use that. Use any hard drive mirroring software to wipe and reinstall the Linux OS on it after they leave, or use a netboot to boot an image from a local server which you have a virgin copy of for the next user. As someone else already said, make sure it can access the printer, guests always want to print something.
I do the above. An old DELL Latitude D600 is the device for my guests. It has a 14" screen, 1 GB RAM, Pentium M 1.6Ghz, a 30GB hard drive, and dual boots Linux Mint or Windows XP so they have a choice if they care. The entire HDD is overwritten from a server image when they are done.
I say all this because I am the type of person that doesn't want anyone sitting at my local machine. I wish to give them full access, freedom to take their time and do what they want, without me watching guard over them to be sure they aren't reading anything of mine. I don't want them to start my Yahoo, or MSN , or read my email, my PC has years of financial data on it, local documents to my Condominium Corporation, letters to family, and the other 50% is ... well... we all know what the Internet is really for ;)
I am not sure why users give you funny looks with Linux.
Sort of the same reason for getting funny looks when you show up at a wedding in shorts and a Bud Lite T-shirt.
XML is a known as a key material required to create SMD: Software of Mass Destruction
I consider myself to usually be on the bleeding edge of technology, but phone-based boarding passes are right out. I've never had a piece of paper run out of power, but I've had my phone die halfway through the travel day for reasons unknown (turned into a little toaster and burned through its battery - presumably the radio got in a weird state) and have had it stolen while traveling. I keep two boarding passes, typically - one folded in my pocket, and one in my carry-on. If I lose one, I just grab the other one.
And yes, most of the time when my guests want to borrow a machine, it's because they need a printer for boarding passes.
a Guest account on windows can't install software, throw chrome/firefox with adblock or IE with a good TPL/adblock list, dont install java and keep it up dated, you could browse the most gross sites on the internet and be fine. you could even go as far as enabling "Only allow signed apps" to run (secpol) and thats a done deal.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
There was a time in the distant past that I built a "very special" win9x machine for this very purpose.
Yes, I can read your mind. "Win9x? Are you fucking serious? Turn in your geek card right now!" Yadda, yadda.
Just hear me out.
Win9x, because it relies on realmode dos interrupt disk handlers, can be loaded from a preboot environment ram only block device. Such as that provided by Memdisk, from the syslinux tool set.
Essentially, you have a disk image file on a bootable EXT2 volume (nothing ever gets written on it, so it doesn't need a journal.) With the syslinux bootloader on the MBR. It is the default boot device.
On boot, syslinux starts, loads the memdisk block device driver, and copies the win9x image into ram, it patches int15 to report a different max size of installed XMS, then executes the "mbr" of the ram block device.
BOOM. Win9x in a ramdisk.
You can use a drivespace compressed image to achieve maximum data density for the consumed block of memory. Drivespace3 with ultrapack on gets almost 2:1 packing on normal program and file data. You can get a *lot* of stuff inside a 512mb image file.
Throw in a reasonably recent firefox, courtesy of KernelEx (an open source kernel resource extender for win9x, which allows a good deal of 2k and XP native applications to run, including FF10, and a modern flashplayer with ABP and noscript.) And a good software firewall, turn off all filesahring services, and essentially lock down the 9x system as far as possible, and you have exactly what your horrible family member and or aquaintence wants: a familiar user environment that they can walk all over.
It also has what you want: pull the plug, and it is magically fresh, clean, shiny and new again as soon as you power it on.
9x doesn't know how to deal with EXT filesystems, so the physical HDD is never exposed to your user.
The only major problems are 9x's abhorrent 2gb RAM limit, and its abysmal network safety rating, coupled with its rather dated hardware base. (Plus the difficulty of getting a 9x install up and running smoothly with all the perks a normal user could want, without breaking it, on a teensy weensie volume.)
On the plus side, being 100% in RAM on a reasonably modern hardware platform, it is fast as fuck. The test systems I built had Office97, firefox 10, flashplayer10, the WEP, a pirate copy of zonealarm pro, photoshop7, media player 10, KernelEx, and a few other odds and ends on it, with 50mb of "free" space left on the compressed volume to serve as browsing cache space. It was snappy as hell.
I have only done this a few times as just a lesson in self-punishment/"let's see what kind of frankenstein's monster we can build out of retro parts!" Type exercise, but the finished product is incredibly hard to kill, and keep dead. Bluescreens of death? Caught a nasty worm in the 10 seconds it was on the net? Power it off, power it back on. Good as new.
Gives a whole new meaning to "zombie workstation".
I have a celeron POS I am contemplating doing this to actually. I would prefer ramdisked win2k or better though, but I don't know of a way to boot the OS out of a block device after NTLDR starts, and before control is passed to NTOSKRNL. Maybe a hacked FreeLDR from reactos would work though.
I made an account with username 'guest' and password 'password'. then just let them log on.
I also had ssh installed. one day the sysadmin at work come to see me and tells me that my laptop had been blocked from the network because it was making a large number of outgoing ssh connections. important lessons were learned.
(some distros offer a locked down password-less guest account. this is a much better idea)
When a guest only needs a boarding pass I offer to print it for them. If they insist on doing it themselves they get to use a Linux guest account. If they can't figure out how to print with that, I again offer to do it for them. I never let guests run Windows, I don't even run it myself very often.
smartphones are all but the norm anymore
Then it appears you disagree with some other Slashdot users who have told me that smartphones are a luxury, not a necessity. The only necessity is an $80/year dumbphone in case of urgencies, and that's only because payphones are being removed. But I'm willing to consider your arguments as to why a smartphone is a necessity.
How do you know what seat you're in ?
I look down. If I see my legs, that's the seat I'm in.
Adding complexity always drives up the possibility of failure... Needless complexity drives down reliability for no good reason.
"We have tried using a Linux boot CD but usually get funny looks or confused users."
So, then, you already solved your problem. Why are you posting to Slashdot?
That is quite an interesting solution!
I just wanted to see if you've ever played with BartPE before?
It's main function is to take a windows xp (or 2k i believe) installation cd, a folder of special packages to include, and optional custom config files (ie network settings) all as input.. and gives you a bootable ISO image as output.
Obviously it's meant to create a boot cd/dvd, but using syslinux similar to how you do, one can boot that ISO directly off a USB flash device as well.
Flash makes it fast, and easy to overwrite the ISO for any system upgrades. No optical media slowdown either.
ISO makes it read only while running from a RAM disk, so is quite fast.
For just running a web browser, it at least gives you a slightly newer kernel and base system to build upon.
Still, I'll have to play around with your method too, as I have some old legacy 95 and 98 boxes at work I need to keep alive for the foreseeable future, where in some of those cases virtualization isn't an option.
(I've managed to virtualize custom ISA cards, but can't say the same for custom PCI cards)
Thank you.
If you are running Windows then with any luck you are running Win 7 Pro. If you have the Home version you can upgrade with the "Anytime upgrade" bit.
With Win 7 Pro you can install XP Mode which is an XP virtual machine. Set up a guest user and set that to autorun the XP Mode VM in full screen. Once it is setup make a copy of the VHD as a backup. They can hose it up all they want and when they are done just delete the VHD and copy in the fresh copy from the backup.