I really have little sympathy for IT admins who get killed by this stuff, there are a million tools out there to stop this stuff from doing damage way before idiot humans get their hands on it.
I was of the same attitude, until I honestly heard a PHB say 'we cannot use a virus scanner on our email; it might block something that it shouldn't, and that could cost the company thousands of dollars.'
Outlook 2000 with the latest service patches, and Outlook XP/2002 does, in fact, pop up a nifty little 'Program X is trying to access your address book.' and a menu of access types, such as none, this one time, allow for one minute, five minutes, ten minutes, and so on.
Not to mention the religious/ideological indoctrination about which cars to drive, why it's wrong to buy mass market cars, and how those other cars contribute to the downfall of humanity.
Ah, but using the same criteria, the PlayStation2 is a 4096 bit system.
The main GPU is 32 bit, hence it's widely regarded as a 32 bit system. At least, that's my understanding.:-)
Nonetheless, such patterns are much less controlling than a biological addiction instigated by chemicals.
I'll point out here that the dopamine and like chemicals released by your body when you do certain things (and apparently video games can fall under the certain things moniker) are quite addictive.
This reminds me of the 'Buttery Wholesomeness' supplement for HoL; one of the shortest lived RPGs in the world.
One of the weapons featured there was called 'Kitty Kitty Bang Bang' and the illustration was of the cutest little kitten with a vest on, and on the back of the vest was a 'safecracker' style bundle of dynamite with a windup alarmclock; surrounding the kitty were a bunch of 'tick tick tick tick tick' words. It's one of the funniest things I've ever seen. The completely unknowning look on the kitty's face completes it.
Umm...hmmm. If the US constitution grants the right to bear arms, and if crypto is classified as a munitition under US law, then don't you yanks have a constitiutional right to use crypto?
Yup. Ditto. Second. If I wanted to spend time with you, I would. I'm sure you've either made it clear that a) you're available for such things if I so desire or b) you'd do it out of pity. But no thanks.
Oh, and if YOU think that's 'anti-social' or 'a piss-poor attitude' or 'not a team player' than you've got far more problems with social interaction than I ever will.:-)
You confuse redesign with rewrite. Moving wordperfect from assembler to C would be a redesign; a major undertaking. Taking the WordPerfect, say, 6.0 codebase, throwing it out, and rewriting it, in the same language, with your end goal being not to have to reprint the user docs (i.e. nothing changes) just because 'the old code looked poor' would be a rewrite.
That's not a re-write. That's a re-design. A re-write, in Joel's context, is where you're not trying to change anything, but instead, just build a new road to Rome.
A) Don't you hate that?
B) Fair enough.
C) SMS runs as a service on NT, and as a background process on 98. I'm not sure off hand if it's user-killable on 98.
SMS uses a 'I'm told NOT to let this run' model, as opposed to a 'I'm told to ONLY let this run' model. I.e. you need to tell it about all the apps you don't want running. That's why you need to couple it with the NT ability to give them a login to their own boxes that doesn't allow installs; on 98 then can install their email app of choice and go. On NT you can install your email app of choice, restrict it's working hours, and deny them the ability to install their own shizat. That won't prevent things like hotmail, obviously, but that's the content/proxy/firewall's job.
You are correct to point out in every instance that you assume the person is using windows 98. With 2000 professional and XP, though, all of your arguments fall flat, as both operating systems provide for finer security models than the UNIX world generally has, until you hit trusted solaris level 'secure' distributions, or heavily modified versions of Linux/*BSD or what have you. ACLs, security tokens, and what not.
Also, I'll point out that in your tech support example, it's the Microsoft rep that would be correct. It's a given in the world of disaster recovery that a compromised box is restored from system install, then the last KNOWN GOOD (emphasis mine) backups of data, but NEVER the apps.
Here's an example. At my last job, there was a 2K server that was out of IT's perview; it was a dev box that they guarded jealously. Fine. After it got spectacularly hacked, it fell under our purview. But we wern't allowed to reformat and reinstall. Fine.
A bit later, I was doing a routine check for any NIMDA that might have fallen through our three or four layers of defense; shit happens. I wrote an app that looks for 'root.exe' in various places; great for scanning a subnet remotely for the very backdoor that crackers would use to get in. Anywho, I find a root.exe on this box. Do some frantic checking, and realize that this root.exe was placed there by sadmind a very long time ago. Well sheee-it.
Yes, SMS does that. SMS also comes with it's own copy of SQL Server, if you so desire.
You can tell SMS when to allow an app to run, by NT group. So put students in the appropriate groups, and they'll not be able to run software at various times. Make sure they don't have admin rights (you're using some variant of NT, right?) to install their own stuff, and you're good to go. Implement SMS's software auditing so you know if anybody does manage to circumvent, and you're good to go.
Go to www.microsoft.com/office
Click 'downloads'
Click 'Outlook.'
There's the list. Look for things like 'E-mail Security.'
Or just run a damn virus scanner. You lock your doors for a reason.
Oh, and it messed up my test account, but I fixed that with "su, deluser test, rm -rf/home/test, adduser test", and everything's back to normal.
Oh, and for all you 'Linux non-experts' if you do this to an actual user's directory, well, they're not going to be happy. Hope you've got those backups.
The point he was trying to make is that it's not a matter of system security, it's a matter user education. How many 'oh look I installed linux' users are running vulnerable versions of wu-ftpd, bind, lpr, and so on? Lots.
We just used a decent antivirus on the server (as well as a centrally managed one on the desktop, but that's a different story) that was told, outright, to strip attachements with such useless extentions as.scr,.vbs,.js,.bat, and so on, before it even bothered to check for virii. Gosh, nothing ever bothered us after that....
Jupiter, or Jove. But a Roman civic official would speak for either the Emperor, or for the Senate and People of Rome (The famous SPQR) as opposed to a deity.
Outlook 2000 with the latest service patches, and Outlook XP/2002 does, in fact, pop up a nifty little 'Program X is trying to access your address book.' and a menu of access types, such as none, this one time, allow for one minute, five minutes, ten minutes, and so on.
Not to mention the religious/ideological indoctrination about which cars to drive, why it's wrong to buy mass market cars, and how those other cars contribute to the downfall of humanity.
The 'designed for Windows XX' logo means, last time I checked, that it will boot to desktop.
Isn't that the geforce3 with the enhanced version of Giants? I'm looking for a copy.
Ah, but using the same criteria, the PlayStation2 is a 4096 bit system. The main GPU is 32 bit, hence it's widely regarded as a 32 bit system. At least, that's my understanding. :-)
The jaguar was, as I recall, two 32 bit processors.
This reminds me of the 'Buttery Wholesomeness' supplement for HoL; one of the shortest lived RPGs in the world. One of the weapons featured there was called 'Kitty Kitty Bang Bang' and the illustration was of the cutest little kitten with a vest on, and on the back of the vest was a 'safecracker' style bundle of dynamite with a windup alarmclock; surrounding the kitty were a bunch of 'tick tick tick tick tick' words. It's one of the funniest things I've ever seen. The completely unknowning look on the kitty's face completes it.
Umm...hmmm. If the US constitution grants the right to bear arms, and if crypto is classified as a munitition under US law, then don't you yanks have a constitiutional right to use crypto?
Yup. Ditto. Second. If I wanted to spend time with you, I would. I'm sure you've either made it clear that a) you're available for such things if I so desire or b) you'd do it out of pity. But no thanks. Oh, and if YOU think that's 'anti-social' or 'a piss-poor attitude' or 'not a team player' than you've got far more problems with social interaction than I ever will. :-)
You confuse redesign with rewrite. Moving wordperfect from assembler to C would be a redesign; a major undertaking. Taking the WordPerfect, say, 6.0 codebase, throwing it out, and rewriting it, in the same language, with your end goal being not to have to reprint the user docs (i.e. nothing changes) just because 'the old code looked poor' would be a rewrite.
That's not a re-write. That's a re-design. A re-write, in Joel's context, is where you're not trying to change anything, but instead, just build a new road to Rome.
A) Don't you hate that?
B) Fair enough.
C) SMS runs as a service on NT, and as a background process on 98. I'm not sure off hand if it's user-killable on 98. SMS uses a 'I'm told NOT to let this run' model, as opposed to a 'I'm told to ONLY let this run' model. I.e. you need to tell it about all the apps you don't want running. That's why you need to couple it with the NT ability to give them a login to their own boxes that doesn't allow installs; on 98 then can install their email app of choice and go. On NT you can install your email app of choice, restrict it's working hours, and deny them the ability to install their own shizat. That won't prevent things like hotmail, obviously, but that's the content/proxy/firewall's job.
You are correct to point out in every instance that you assume the person is using windows 98. With 2000 professional and XP, though, all of your arguments fall flat, as both operating systems provide for finer security models than the UNIX world generally has, until you hit trusted solaris level 'secure' distributions, or heavily modified versions of Linux/*BSD or what have you. ACLs, security tokens, and what not. Also, I'll point out that in your tech support example, it's the Microsoft rep that would be correct. It's a given in the world of disaster recovery that a compromised box is restored from system install, then the last KNOWN GOOD (emphasis mine) backups of data, but NEVER the apps. Here's an example. At my last job, there was a 2K server that was out of IT's perview; it was a dev box that they guarded jealously. Fine. After it got spectacularly hacked, it fell under our purview. But we wern't allowed to reformat and reinstall. Fine. A bit later, I was doing a routine check for any NIMDA that might have fallen through our three or four layers of defense; shit happens. I wrote an app that looks for 'root.exe' in various places; great for scanning a subnet remotely for the very backdoor that crackers would use to get in. Anywho, I find a root.exe on this box. Do some frantic checking, and realize that this root.exe was placed there by sadmind a very long time ago. Well sheee-it.
Yes, SMS does that. SMS also comes with it's own copy of SQL Server, if you so desire. You can tell SMS when to allow an app to run, by NT group. So put students in the appropriate groups, and they'll not be able to run software at various times. Make sure they don't have admin rights (you're using some variant of NT, right?) to install their own stuff, and you're good to go. Implement SMS's software auditing so you know if anybody does manage to circumvent, and you're good to go.
Go to www.microsoft.com/office Click 'downloads' Click 'Outlook.' There's the list. Look for things like 'E-mail Security.' Or just run a damn virus scanner. You lock your doors for a reason.
We just used a decent antivirus on the server (as well as a centrally managed one on the desktop, but that's a different story) that was told, outright, to strip attachements with such useless extentions as .scr, .vbs, .js, .bat, and so on, before it even bothered to check for virii. Gosh, nothing ever bothered us after that....
Hmm...thanks for the analysis.