Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Protecting Home Computers From Guests?

Posted by timothy on from the quick-name-an-os-that's-never-been-compromised dept.

An anonymous reader writes "We frequently have guests in our home who ask to use our computer for various reasons such as checking their email or showing us websites. We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware, despite having antivirus and the usual computer security precautions. We have tried using a Linux boot CD but usually get funny looks or confused users. We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised. What tips do you have to overcome this problem, technologically or otherwise?"

33 of 572 comments (clear)

  1. Guest wifi... by Anonymous Coward · · Score: 5, Insightful

    I think they call it guest wifi and byod.

    1. Re:Guest wifi... by Anonymous Coward · · Score: 4, Insightful

      Uhhhh, a guest account with limited privileges, maybe?

    2. Re:Guest wifi... by immaterial · · Score: 5, Informative

      Windows may be a problem here, but the built-in guest account on OS X is perfect for this purpose. Enable it, and guests can log in the guest account (no password), which acts like a standard user account (they have full access to the browser and any other globally-installed apps) except that at logout, the entire account is wiped clean. Since your guests don't have administrator access to your computer they can't mess up anything outside the guest account, and anything they do inside that account is automatically cleaned up for you when they're done.

  2. Malware eh? by i_ate_god · · Score: 5, Funny

    > We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware,

    Really? It's not that they started typing something into your browser and the browser history showed off all the sick and twisted porn you watch? :P

    --
    I'm god, but it's a bit of a drag really...
    1. Re:Malware eh? by Nadaka · · Score: 5, Funny

      of course not, by the time they get to the computer in the sex dungeon, they know what kind of stuff I am into.

  3. Linux Boot by Sylak · · Score: 5, Insightful

    Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.

    1. Re:Linux Boot by Phillip2 · · Score: 5, Interesting

      I've had lots of visitors in my house, of various ages, various skills levels. Most of them managed to get a browser open on linux, then it all works from there.

      Other way is to use a VM, with a snapshot, so you can just revert it when you have finished.

    2. Re:Linux Boot by RabidReindeer · · Score: 4, Funny

      You could even have it just boot straight into Firefox. No-one would even know it was Linux.

      Just tell them that it's the new version of Windows.

      And when they decide that the GUI is all F-d up compared to what they're used to, they'll figure yup, it's a new version of Windows all right.

    3. Re:Linux Boot by viperidaenz · · Score: 4, Funny

      And when she has trouble, all she needs to do it call down to the basement.

  4. Virtual Machine by FiveLights · · Score: 5, Insightful

    Set up a VM in Virtual Box for them to use. Take a snapshot of when it was healthy and new and just revert to that each time someone wants to use it. Even paying for a Windows install for the VM would be cheaper than an iPad.

    1. Re:Virtual Machine by Erioll · · Score: 5, Informative

      I agree. Fullscreen the VM, and they'll probably never even know that they weren't using your "actual" PC.

    2. Re:Virtual Machine by steveg · · Score: 4, Informative

      Why go to all the trouble of reverting the snapshot?

      Just set the disk to "non-persistent" and nothing they do will modify the system. Each time the VM is restarted it's back to its default state.

      I don't have any experience with VirtualBox, but with VMware include a line something like this in the .vmx file:

      ide0:0.mode = "independent-nonpersistent"

      When you want to make changes, shut down the VM and change that line to:

      ide0:0.mode = "persistent"

      then change it back when it's the way you want it.

      I'm sure VirtualBox has something similar.

      --
      Ignorance killed the cat. Curiosity was framed.
    3. Re:Virtual Machine by dissy · · Score: 4, Informative

      For VirtualBox, the method I use is slightly different but gives similar results in the end.
      This must be done from the command line with the vboxmanage.exe tool, I'm not aware of a GUI way to do it.

      I have a 'template' VM with fully setup windows and configured how I want it.
      Then I make a new 'guest' VM (from scratch) and copy the template disk image to a new name (cloned, from virtual media manager), from template.vdi to guestbox.vdi, and then I use a command line tool to set the new disk image immutable, so it can not be changed again.

      vboxmanage modifyhd whereever/guestbox.vdi --type immutable

      Then point the guest vm to the guestbox.vdi image under settings -> storage.

      Each time the VM boots, disk writes go into a seperate copy-on-write file, which gets deleted once the VM is powered down. A "revert" action takes as long as a delete command unlinking an inode.

      When I need to make updates, I do that in my template vm, then copy over the vdi setting it immutable again. Copy the new guest image over the old one, and the VM is updated.

  5. NoScript by MetalliQaZ · · Score: 4, Interesting

    It's a Firefox addon. Check it out. Also Adblock Plus. With those two installed and running, things get a lot safer. Of course, NoScript requires a bit of savvy to be able to browse the web correctly. You might have to help. Otherwise, tell them to bring their own darn laptop.

    --
    "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    1. Re:NoScript by acariquara · · Score: 4, Insightful

      Except that NoScript does not protect anyone from downloading "hi_I_saw_you_wanna_fuck.jpg.scr.pif.exe.bat.com"

      --
      Dear aunt, let's set so double the killer delete select all
  6. Seriously? by morcego · · Score: 4, Funny

    The moment your computer becomes public (however limited that "public" is), it is a goner. It is like asking how to secure your computer after it was compromised.

    I don't even let my visitor plug into the same network my main computers are, and have both a separated WiFi network and a separated ethernet segment for them (1 port only in the guest room), that I treat as a DMZ. Ok, I'm paranoid, but still.

    Maybe use removable HDs, and keep one for your own use, and swap it for an entirely different one (which you can restore from a Ghost image or something) for your guests. As in PHYSICALLY disconnecting your HDs when they are going to use.

    Otherwise, it is like using band-aids to stop a leaking dam.

    --
    morcego
    1. Re:Seriously? by Anonymous Coward · · Score: 5, Funny

      I don't even tell people where I live.

  7. Virtual Machine by Anonymous Coward · · Score: 5, Insightful

    Something like VirtualBox or VMWare that supports snapshots. Install an OS into the virtual machine and set some firewall rules to keep it from accessing anything else on your network. When they ask to use your computer, launch the virtual machine and set it to full screen. They won't know the difference. When they're done, revert to snapshot.

  8. Chromebook? by Anonymous Coward · · Score: 5, Interesting

    Sound like a good use for a Chromebook.

    1. Re:Chromebook? by DeDmeTe · · Score: 4, Insightful

      Amen to that. That's what friends and the kid's friends get handed when they ask to "check their email and Facebook". It works.

      --
      -Guns kill people like spoons made Rosie O'Donnell fat-
  9. Re:Locked down guest account? by kilfarsnar · · Score: 4, Interesting

    Seconded. I say locked down guest account, or live CD. The VM idea isn't bad either.

    --
    "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
  10. Know what I'd do. . . by Anonymous Coward · · Score: 5, Funny

    Get smarter guests

  11. Boot to the guest account by AlphaBit · · Score: 5, Informative

    The media PC in my living room boots directly into the Guest account. Under the guest account I can USE almost all the programs I have installed seamlessly. There are some minor issues with software updates, XBOX controllers, and a complete inability to configure network settings, but that's about it. If I need to do anything that requires more rights I can deal with the UAC prompts that show up or simply log out and back in as an admin.

    I know it's not flawless but I still feel pretty comfortable letting my tech savvy (e.g. dangerous) friends stay over unattended. It wouldn't hold up to anyone seriously determined to break the security but they have access to the physical machine and can't really be stopped anyway.

  12. Just say no by Bill_the_Engineer · · Score: 4, Interesting

    Most of the new WiFi routers offer guest networks. Set one up and tell them to bring their own device. With the number of people with smartphones, I don't really see a legitimate need to set up guest computers.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  13. Re:Hey, I'm lazy too! by gagol · · Score: 4, Informative

    Solutions evolve with time, in order for Google to index relevant pages, we have to create content. That is happening as we speak!

    --
    Tomorrow is another day...
  14. Chromium OS by briancox2 · · Score: 4, Interesting

    Dual boot into it. Problem solved. Everyone loves Chrome. And it's like a rock.

    --
    We should learn what we need to know about issues, before we decide what we need to feel about them.
  15. Re:Locked down guest account? by sexconker · · Score: 4, Insightful

    And put it in its own separate guest network, which is logically isolated from your own stuff by a firewall, maybe run a print server too (people often want to print boarding passes)...
    As for funny looks, a browser is a browser and i've never had any problems giving someone a linux livecd, it has both firefox and chrome and most people are perfectly familiar with these applications.

    Why go to the trouble of a separate network?
    The odds of even the most retarded of users inadvertently fucking anything beyond the one machine they're touching is absurdly low, unless you're running outdated shit on your network. Remote exploits are remote exploits, and you should protect each device regardless or whether or not you trust the rest of the network.

    If someone is so fuck-up prone that you think your proper boxen could be fucked by some schlub lolcatting around on the same network, you should be more worried about them tripping in your house and suing you.

  16. Re:Linux Boot + PRINTER by xxxJonBoyxxx · · Score: 4, Insightful

    >> Printing boarding passes? How quaintly retro!

    I think you'll find that the same guests who want to borrow your computer are also the same ones who won't be able to get boarding passes on their phone.

  17. Guest account on a Mac is perfect for this by DavidinAla · · Score: 4, Informative

    If you have a Mac, there's a standard user account called Guest. This account has privileges to do normal user things, but can't install apps or make other changes to the computer. (And the account has no access to other users' data.) No matter what the guest user does in that account, it can't hurt you —and the entire Guest account is in a fresh state each time you log in to it. It's designed exactly for something such as this, and it works very, very well in real use.

  18. Re:Linux Boot + PRINTER by QuasiEvil · · Score: 5, Insightful

    I consider myself to usually be on the bleeding edge of technology, but phone-based boarding passes are right out. I've never had a piece of paper run out of power, but I've had my phone die halfway through the travel day for reasons unknown (turned into a little toaster and burned through its battery - presumably the radio got in a weird state) and have had it stolen while traveling. I keep two boarding passes, typically - one folded in my pocket, and one in my carry-on. If I lose one, I just grab the other one.

    And yes, most of the time when my guests want to borrow a machine, it's because they need a printer for boarding passes.

  19. Re:Locked down guest account? by wierd_w · · Score: 5, Interesting

    There was a time in the distant past that I built a "very special" win9x machine for this very purpose.

    Yes, I can read your mind. "Win9x? Are you fucking serious? Turn in your geek card right now!" Yadda, yadda.

    Just hear me out.

    Win9x, because it relies on realmode dos interrupt disk handlers, can be loaded from a preboot environment ram only block device. Such as that provided by Memdisk, from the syslinux tool set.

    Essentially, you have a disk image file on a bootable EXT2 volume (nothing ever gets written on it, so it doesn't need a journal.) With the syslinux bootloader on the MBR. It is the default boot device.

    On boot, syslinux starts, loads the memdisk block device driver, and copies the win9x image into ram, it patches int15 to report a different max size of installed XMS, then executes the "mbr" of the ram block device.

    BOOM. Win9x in a ramdisk.

    You can use a drivespace compressed image to achieve maximum data density for the consumed block of memory. Drivespace3 with ultrapack on gets almost 2:1 packing on normal program and file data. You can get a *lot* of stuff inside a 512mb image file.

    Throw in a reasonably recent firefox, courtesy of KernelEx (an open source kernel resource extender for win9x, which allows a good deal of 2k and XP native applications to run, including FF10, and a modern flashplayer with ABP and noscript.) And a good software firewall, turn off all filesahring services, and essentially lock down the 9x system as far as possible, and you have exactly what your horrible family member and or aquaintence wants: a familiar user environment that they can walk all over.

    It also has what you want: pull the plug, and it is magically fresh, clean, shiny and new again as soon as you power it on.

    9x doesn't know how to deal with EXT filesystems, so the physical HDD is never exposed to your user.

    The only major problems are 9x's abhorrent 2gb RAM limit, and its abysmal network safety rating, coupled with its rather dated hardware base. (Plus the difficulty of getting a 9x install up and running smoothly with all the perks a normal user could want, without breaking it, on a teensy weensie volume.)

    On the plus side, being 100% in RAM on a reasonably modern hardware platform, it is fast as fuck. The test systems I built had Office97, firefox 10, flashplayer10, the WEP, a pirate copy of zonealarm pro, photoshop7, media player 10, KernelEx, and a few other odds and ends on it, with 50mb of "free" space left on the compressed volume to serve as browsing cache space. It was snappy as hell.

    I have only done this a few times as just a lesson in self-punishment/"let's see what kind of frankenstein's monster we can build out of retro parts!" Type exercise, but the finished product is incredibly hard to kill, and keep dead. Bluescreens of death? Caught a nasty worm in the 10 seconds it was on the net? Power it off, power it back on. Good as new.

    Gives a whole new meaning to "zombie workstation".

    I have a celeron POS I am contemplating doing this to actually. I would prefer ramdisked win2k or better though, but I don't know of a way to boot the OS out of a block device after NTLDR starts, and before control is passed to NTOSKRNL. Maybe a hacked FreeLDR from reactos would work though.

  20. Re:Linux Boot + PRINTER by arth1 · · Score: 4, Funny

    How do you know what seat you're in ?

    I look down. If I see my legs, that's the seat I'm in.

  21. iPad's cost money... by Gription · · Score: 4, Interesting

    If you are running Windows then with any luck you are running Win 7 Pro. If you have the Home version you can upgrade with the "Anytime upgrade" bit.
    With Win 7 Pro you can install XP Mode which is an XP virtual machine. Set up a guest user and set that to autorun the XP Mode VM in full screen. Once it is setup make a copy of the VHD as a backup. They can hose it up all they want and when they are done just delete the VHD and copy in the fresh copy from the backup.