Throw some cheap RAM on it and also allow it to defrag the hard drive and you'd have the PERFECT card for Windows.
Particularly if it could correctly defrag the system files when the system boots. Yes, I know there are defrag utilities that do so. But my users complain enough about delays. And none of those utilities seem to work, anyway.
== This comment posted using 100% Ubuntu, Edgy Eft.
You're assuming he's had a real job before now....for my [limited] money, running around reviewing opinion polls for various politicos hardly qualifies as such.
From his bio...
"Skinner Layne is Co-Founder and Chief Strategy Officer of NeXplore Technologies, Inc., a Web 2.0 Social Computing company based in Frisco, Texas."
See? He's the CSO of a company that he co-founded. A Web 2.0 Social Computing company, if you must know.
A Web 2.0 Social Computing company that doesn't have its web page listed in Google's search. Which only returns 24 hits anyway.
Does being paid $5 by Mom to babysit your younger brother count as a "first job"?
Post-Modernism has a perfectly clear definition that makes perfect sense. It is, however, too stupid for any words in any language, except maybe Klingon.
:) That's really funny!
The thing is that "postmodern" has a "definition" in art and philosophy the same as the musical genres "rock", "techno", "trance" and "rap" have definitions in music. And they're just as useless when describing technology. We know that "Web 2.0" cannot be "classic rock" because that was created years ago. But it cannot be "new wave" because that is almost as old. "Industrial" has come and gone so that was probably "Web 1.5". Rap is hot right now. Or is it hip-hop? No. "Web 2.0" is definitely "Celtic Fusion Invasion". And now I'll write an article saying that it is.
Web sites can be viewed as "art". But the technology is just technology. Paint brushes were used in "Classical" and "Romantic" and "Postmodern" art. Yet no one is claiming that paint brushes or canvases are "art 2.0" or "Postmodern".
Do websites have a "philosophy"? Is that philosophy shared amongst all Ajax-based sites? No. Ajax is the technology. Technology is not a philosophy.
Skinner Layne is Co-Founder and Chief Strategy Officer of NeXplore Technologies, Inc., a Web 2.0 Social Computing company based in Frisco, Texas. Prior to moving to the Dallas area, Skinner served as Campaign Advisor and Strategist to U.S. Congressman John Boozman, as well as managing and consuluting [sic] several statewide and state legislative races in Arkansas. He was educated at the University of Arkansas, where he was a Chancellor's Scholar, studying Economics, Political Science, and Philosophy. Skinner served as President of the Student Senate and Chairman of the Campus Council during his years at the University.
"Chief Strategy Officer"... when the titles of CEO and COO are already taken, you get to be the "CSO". And do... nothing.
And what idiot lists his "campus council" work in his bio once he's gotten his first job?
And for the ultimate humiliation... do a Google search on "NeXplore Technologies" and see whether their website is in the top 10 hits. After all, they're all about the web 2.0, right?
The Post-Moderns concerned themselves with the demolition of power-relationships, authority-structures, even the architecture of language itself. The results have been decidedly mixed. The nihilism of The Bomb, the ethical bankruptcy of eugenics and similar traffics in human suffering are examples of its negative effects.
Wow. So nuclear science is "post-modern".
No. This is another is the series of crap articles which claim that X is "post modern" because saying so makes you sound cooler and more educated than everyone else.
Post-modernism cannot be defined except by saying what it is not. It is not modern; it is what came after the Enlightenment.
If you cannot define something, you do not understand it. But feel free to claim that technologies are "post modern" because it masks the fact that you don't have a clue what you're talking about.
Beside, when you get paid by the word, you really need something that you can pull a lot of words out of.
If you're not willing to suck cock for money to support your addiction, you aren't addicted.
Anything can be "found" to be "addicting" if you phrase the questions correctly. But instead of "avoiding" other situations or spending time on your "addiction", they need to focus on the actions that an addict will be willing to perform to feed their addiction.
"Consistent with this policy, the United States will preserve its rights, capabilities and freedom of action in space... and deny, if necessary, adversaries the use of space capabilities hostile to U.S. national interests."
So.... if China tries to establish a moon base... we'll attack it?
Satelites can be taken out by ground-based lasers. Any major power planning a war with the US would need to have that capability.
With vulnerable satelites, the next level would be a moon base. There's not much an Earth-based attack can do against a moon base. We're at the bottom of the gravity well.
Despite all the statistical evidence that this does NOT work to PREVENT any "terrorist" acts... they will attempt to use this to intimidate people into voluntarily restricting their actions.
When every search / posting / IM / etc from you is available to elected officials (and may be accidentally "leaked"), they hope that most people will self-censor their activities to only items that would be "appropriate".
Should you ever take a stand against the elected officials, they will have access to your records... but you will not have access to their's. Asymmetrical. And because they are the government, they can release only the information they want from your records. Only the information that shows that you are really a wannabe child molesting, America hating, terrorist loving, Communistic, gay atheist.
It's all about maintaining power and control.
Try a different approach.
on
Oracle Linux?
·
· Score: 5, Insightful
Suppose Oracle supports their own, reduced, version of Linux (with any performance enhancements that they deem necessary). If they "partnered" with a hardware vendor, you'd have a single stop for your database server needs.
You'd get your BIOS updates, OS updates and database updates from a single company that could afford to do the testing so the load on your IT department would be reduced.
You could even order it in a cluster configuration.
But what good is a database server on its own? With a bit more work, you'd be able to buy a webserver box (hardware, OS, Apache, etc) pre-configured to hook into the database server they sold you.
From Oracle's point of view, this would be a great way to get even more of the market and to stop any gains from MySQL or others.
From the corporations' point of view, this would be a great way to reduce IT costs by reducing the load on your internal IT department.
If Oracle does it right, they'd even be able to offer you dial-on-demand DBA services for their products. Why pay 6 figures to hire an Oracle DBA when you can pay 5 figures for a DBA service contract with Oracle?
Why hasn't anybody created a "good" trojan that uses as many common exploits as possible to infect these already infected machines with a port-80 restrictive firewall?
There have been attempts at doing so with worms... but these machines are already pwn3d and reporting into a known channel.
In theory, there is nothing stopping the "researchers" from having the zombies identify their OS's, download any patches, install a personal firewall and automatically updating anti-virus program and then removing the original infection.
Sure, many would be re-created due to the user's ignorance, but this is the only way to "deal" with the zombie problem at the "researcher's" level.
No need for a trojan / worm / virus. They should have sufficient control of the zombies that a script could do it.
There is generally so much ARP and other traffic going on that I've found it's extremely difficult in practice to actually discover such a trend.
ARP should not matter on the firewall.
Anyway, the easiest way is to monitor traffic by IP address, at the firewall, during times when no one should be using the computer with that address. If the machine is doing anything that goes through the firewall at 1 am, you should investigate.
Who's going to spend this time on home network much less a general business environment where system administrators are already overstreached and security administrators are still the CFO's favorite line item veto?
On a home network? Probably no one.
On a business's network, that's completely different. If you leave your network open and are cracked and you lose you credit card numbers, that's between you and the bank. If a business leaves its network open and is cracked and loses YOUR credit card number, they can be sued.
The problem is that not many "network administrators" really know anything about their network or security. There are an almost infinite number of things you can that will take time and money but that will not actually increase the security of your systems.
First they came for the communist terrorists, and I did not speak out-- because I was not a communist terrorist; Then they came for the socialist terrorists, and I did not speak out-- because I was not a socialist terrorist; Then they came for the trade unionist terrorists, and I did not speak out-- because I was not a trade unionist terrorist; Then they came for the Jew terrorists, and I did not speak out-- because I was not a Jew terrorist; Then they came for me-- and there was no one left to speak out for me.
You lose your Rights piece by piece. And each loss is "justified" because, after all, you don't want to support the "enemy", do you? You don't want to be a "traitor", do you?
Fascism begins when the efficiency of the government becomes more important than the Rights of the People.
Without a blacklisting site, greylisting will not be effective TOMORROW.
It's simple for the spammers to re-send their spam floods. The only issue today is that the spam flood will trigger spam traps run by the blacklists. So there's not much reason for the spammers to send the flood again because the people using greylisting will probably also use blacklists.
If the blacklists weren't there, greylisting would be easily bypassed with a second flood.
"Defense in Depth". You have to use multiple layers and multiple approaches and they have to be inter-linked.
* Firstly, because the ignorant end user can trivially raise any program's privileges to root * Secondly, because 99% of the things most malicious code wants to do, don't require root privileges in the first place
The same "logic" can apply to an email telling the "ignorant end user" to buy a hammer and smash the hard drive.
The problem is getting them to do that.
That is the problem. The problem you have not addressed. The problem you have not addressed is how to get the "ignorant end user" to do that.
Simply saying that it can be done is as stupid as saying that an email could persuade an "ignorant end user" to smash his/her computer with a hammer.
Three or four trivial steps (instead of two) still add up to a trivial process overall.
Not when you're talking about spreading a trojan. The more steps needed, the more likely that the "ignorant end user" will do something wrong or remember something about not running untrusted crap on his/her computer.
"Trivial" in this context means: #1. Not doing something such as patching so a worm can infect you.
#2. Doing one stupid thing such as clicking on an attachment you received via email.
The more steps that have to be followed, in a particular order, the less "trivial" it becomes to convince the "ignorant end user" to perform all those steps, in that particular order.
You can keep arguing that this is not so, but the statistics seem to contradict you. And I'm going to go with the statistics on this.
With su you're required to enter the root password every time whereas, with sudo, you're only required to enter the users password and only once for a given period of time.
What the fuck?
No, with "su", you're running as root until you type "exit". There is no time limit or command limit on "su".
As such, a program that injects code into the user's shell can easily skip to root.
What? How? Go ahead. Infect my computer. It's running Edgy so I'm sure there are lots of holes still in it.
Go ahead. Do it.
Oh, you can't? Well I guess that your claims aren't factual.
I know, I've written code to do it. That's without taking advantage of any suid binaries or services running as root or kernel bugs to get root.
Great. The infect my machine. Go ahead.
Writing a program such as that is not difficult. The difficult part is getting it running on my machine. Or anyone else's machine.
Getting root from a trojan running on a user account is not hard.
Then do it.
I'm saying that it is hard. And with Ubuntu, it's practically impossible.
Besides which, who gives a shit about root? A trojan doesn't need root to copy confidential data from a user's home directory.
Don't try to sidetrack this. Your claim was that you can get root, easily. No, you cannot. Here, I'll make it as easy as you're ever going to get. My email address is linked to my 'nym. I'm running a fairly vanilla Edgy on Intel. No anti-virus at all.
It doesn't need root to open a socket and send that information back home.
Yes, it does.
It doesn't need root to modify or delete important files. It doesn't need root to hijack mail programs and send emails as the targetted user. This obsession with root by people who think they understand security is troubling.
I am in that category. You have my email address. You know the OS, mail program and hardware platform.
If you cannot get a trojan on my machine, you cannot do what you've claimed.
Therefore, it is you who does not understand security.
Back to... introduced anyways.
Again, you cannot crack my computer. You do not know what you're talking about.
You're absolutely right that it is easier to get a chump to run an arbitary exe on windows - just fake mail them an attachment and say "this is so funny" and they'll run it. But how much harder is it to get thousands and thousands of people to run a trojan on linux than it is on windows?
Well, you've claimed that it is easy.
Your inability to prove that claim on my machine shows that it is not as easy as you would like others to believe.
Here's a free security clue. Cracking your own machine is nothing. If the crack is not spreading faster than it is being removed, it will "die" in "the wild".
Why do people think "requires admin privileges" is any sort of significant barrier on unmanaged, typically single-user systems ?
Because it is. And I'm posting this from my home machine running Edgy.
The best place to hide is in full view. Or did you miss the whole definition and point of a 'trojan horse' ?
I think you missed the definition.
The code is not "in full view". It is hidden. That way, the user will run the code s/he THINKS is contained in that package, but the real code is something else.
It's trivial. Every time you go 'sudo blah', 'blah' is running as root.
Maybe you don't understand "trivial", either.
Under a single user Windows box, it was trivial. Just clicking on porn.gif(.exe) in Outlook used to be sufficient to run that.exe as admin (which was what most Windows users were running as).
Under Ubuntu, there are more steps. And the user has to specifically type in "sudo blah". The more steps required, the more chance that the user will notice that there is a problem.
So, if 99% of Windows users get themselves infected... but only 1% of Ubuntu users get themselves infected, then, given the same level of knowledge amongst the users, Ubuntu is more secure than Windows.
And that's just from the trojan threat.
Because Ubuntu's default installation has no open ports, it is 100% safe from worms.
And the virus threat is also limited by the restricted rights and the need to type "sudo virus-file" to "install" the virus.
Yes, that is exactly how a new user will work with his/her new PC.
Which is why Microsoft should be focusing their efforts shutting off all open ports on a vanilla installation. Just as Ubuntu does right now.
Once you've connected it and turned it on, the machine should check in and offer to download all the security patches. But it needs to offer to do this PRIOR to any of the ports being opened.
Clicking "OKAY" (repeatedly) during the initial boot/first use should result in as secure and updated a machine as is possible for the home user.
By that "logic", a house with a 10' hole next to the open front door is "less" "secure" than the same house with the front door closed and locked.
No, it is not.
Yes, it would mitigate the risk.
Which is what I said that you had previously taken exception to.
For many government computers, thats still an unacceptable level of risk.
And for others it is an acceptable risk. What is it with you and the pedantic generalizations?
If a buisness/government computer doesn't have good reason for internet access, it shouldn't have it.
Again with the pedantic generalization. Do you have ANY evidence that these workstations are not used to access legitimate web-based resources?
A better solution is to give those people 2 computers, one on the internet and not the internal network, the other reversed.
You even get your pedantic generalizations wrong.
Back in the old days, when computers weren't networked, we still had a virus problem that was spread from computer to computer via floppy disks. Having 2 computers available means "sneaker-net" would be easy. Not to mention that it depends upon ALWAYS getting the cables correct.
Why not just put those extra $$DOLLARS$$ into locking down the desktops, setting up the firewall and monitoring the traffic?
It's not like we don't have all those technologies TODAY. Look up "snort" and SELinux for starters.
An internal network with no access to the internet is more secure than one with.
Since you've opted for pedantic, no, it is not. It is only more "secure" from Internet-based attacks. There is still physical security to be considered.
The most "secure" system is one that has been turned off, encased in cement and dropped into the deepest part of the ocean.
Now, can we possibly get back to a discussion of this specific situation instead of displaying our pedantic generalizations to the world?
Yes, a firewall can be cracked. But because it is a single point of access, it is far easier to monitor/secure than if all the workstations are directly connected to the Internet. Therefore, having a firewall would "mitigate" that "vulnerability".
An August e-mail from acting Undersecretary of Commerce Mark Foulon quoted by the Washington Post said that BIS "had identified several successful attempts to attack unattended BIS workstations during the overnight hours." Last month, reported the Post, Foulon wrote: "It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient."
What the fuck? Aren't they even behind a firewall?
Wouldn't a simple firewall "mitigate" that "vulnerability"?
Throw some cheap RAM on it and also allow it to defrag the hard drive and you'd have the PERFECT card for Windows.
Particularly if it could correctly defrag the system files when the system boots. Yes, I know there are defrag utilities that do so. But my users complain enough about delays. And none of those utilities seem to work, anyway.
==
This comment posted using 100% Ubuntu, Edgy Eft.
From his bio
"Skinner Layne is Co-Founder and Chief Strategy Officer of NeXplore Technologies, Inc., a Web 2.0 Social Computing company based in Frisco, Texas."
See? He's the CSO of a company that he co-founded. A Web 2.0 Social Computing company, if you must know.
A Web 2.0 Social Computing company that doesn't have its web page listed in Google's search. Which only returns 24 hits anyway.
Does being paid $5 by Mom to babysit your younger brother count as a "first job"?
That's really funny!
The thing is that "postmodern" has a "definition" in art and philosophy the same as the musical genres "rock", "techno", "trance" and "rap" have definitions in music. And they're just as useless when describing technology. We know that "Web 2.0" cannot be "classic rock" because that was created years ago. But it cannot be "new wave" because that is almost as old. "Industrial" has come and gone so that was probably "Web 1.5". Rap is hot right now. Or is it hip-hop? No. "Web 2.0" is definitely "Celtic Fusion Invasion". And now I'll write an article saying that it is.
Web sites can be viewed as "art". But the technology is just technology. Paint brushes were used in "Classical" and "Romantic" and "Postmodern" art. Yet no one is claiming that paint brushes or canvases are "art 2.0" or "Postmodern".
Do websites have a "philosophy"? Is that philosophy shared amongst all Ajax-based sites? No. Ajax is the technology. Technology is not a philosophy.
And so forth.
"Chief Strategy Officer"
And what idiot lists his "campus council" work in his bio once he's gotten his first job?
And for the ultimate humiliation
Wow. So nuclear science is "post-modern".
No. This is another is the series of crap articles which claim that X is "post modern" because saying so makes you sound cooler and more educated than everyone else.
If you cannot define something, you do not understand it. But feel free to claim that technologies are "post modern" because it masks the fact that you don't have a clue what you're talking about.
Beside, when you get paid by the word, you really need something that you can pull a lot of words out of.
Then why are most castles and fortifications placed on the highest ground available?
With regards to the Earth, the Moon is "higher ground".
If you're not willing to suck cock for money to support your addiction, you aren't addicted.
Anything can be "found" to be "addicting" if you phrase the questions correctly. But instead of "avoiding" other situations or spending time on your "addiction", they need to focus on the actions that an addict will be willing to perform to feed their addiction.
So
Satelites can be taken out by ground-based lasers. Any major power planning a war with the US would need to have that capability.
With vulnerable satelites, the next level would be a moon base. There's not much an Earth-based attack can do against a moon base. We're at the bottom of the gravity well.
Despite all the statistical evidence that this does NOT work to PREVENT any "terrorist" acts ... they will attempt to use this to intimidate people into voluntarily restricting their actions.
... but you will not have access to their's. Asymmetrical. And because they are the government, they can release only the information they want from your records. Only the information that shows that you are really a wannabe child molesting, America hating, terrorist loving, Communistic, gay atheist.
When every search / posting / IM / etc from you is available to elected officials (and may be accidentally "leaked"), they hope that most people will self-censor their activities to only items that would be "appropriate".
Should you ever take a stand against the elected officials, they will have access to your records
It's all about maintaining power and control.
Suppose Oracle supports their own, reduced, version of Linux (with any performance enhancements that they deem necessary). If they "partnered" with a hardware vendor, you'd have a single stop for your database server needs.
You'd get your BIOS updates, OS updates and database updates from a single company that could afford to do the testing so the load on your IT department would be reduced.
You could even order it in a cluster configuration.
But what good is a database server on its own? With a bit more work, you'd be able to buy a webserver box (hardware, OS, Apache, etc) pre-configured to hook into the database server they sold you.
From Oracle's point of view, this would be a great way to get even more of the market and to stop any gains from MySQL or others.
From the corporations' point of view, this would be a great way to reduce IT costs by reducing the load on your internal IT department.
If Oracle does it right, they'd even be able to offer you dial-on-demand DBA services for their products. Why pay 6 figures to hire an Oracle DBA when you can pay 5 figures for a DBA service contract with Oracle?
There have been attempts at doing so with worms
In theory, there is nothing stopping the "researchers" from having the zombies identify their OS's, download any patches, install a personal firewall and automatically updating anti-virus program and then removing the original infection.
Sure, many would be re-created due to the user's ignorance, but this is the only way to "deal" with the zombie problem at the "researcher's" level.
No need for a trojan / worm / virus. They should have sufficient control of the zombies that a script could do it.
ARP should not matter on the firewall.
Anyway, the easiest way is to monitor traffic by IP address, at the firewall, during times when no one should be using the computer with that address. If the machine is doing anything that goes through the firewall at 1 am, you should investigate.
On a home network? Probably no one.
On a business's network, that's completely different. If you leave your network open and are cracked and you lose you credit card numbers, that's between you and the bank. If a business leaves its network open and is cracked and loses YOUR credit card number, they can be sued.
The problem is that not many "network administrators" really know anything about their network or security. There are an almost infinite number of things you can that will take time and money but that will not actually increase the security of your systems.
Education is the beginning.
Paraphrased and updated:
First they came for the communist terrorists, and I did not speak out--
because I was not a communist terrorist;
Then they came for the socialist terrorists, and I did not speak out--
because I was not a socialist terrorist;
Then they came for the trade unionist terrorists, and I did not speak out--
because I was not a trade unionist terrorist;
Then they came for the Jew terrorists, and I did not speak out--
because I was not a Jew terrorist;
Then they came for me--
and there was no one left to speak out for me.
You lose your Rights piece by piece. And each loss is "justified" because, after all, you don't want to support the "enemy", do you? You don't want to be a "traitor", do you?
Fascism begins when the efficiency of the government becomes more important than the Rights of the People.
Without a blacklisting site, greylisting will not be effective TOMORROW.
It's simple for the spammers to re-send their spam floods. The only issue today is that the spam flood will trigger spam traps run by the blacklists. So there's not much reason for the spammers to send the flood again because the people using greylisting will probably also use blacklists.
If the blacklists weren't there, greylisting would be easily bypassed with a second flood.
"Defense in Depth". You have to use multiple layers and multiple approaches and they have to be inter-linked.
The same "logic" can apply to an email telling the "ignorant end user" to buy a hammer and smash the hard drive.
The problem is getting them to do that.
That is the problem. The problem you have not addressed. The problem you have not addressed is how to get the "ignorant end user" to do that.
Simply saying that it can be done is as stupid as saying that an email could persuade an "ignorant end user" to smash his/her computer with a hammer.
Not when you're talking about spreading a trojan. The more steps needed, the more likely that the "ignorant end user" will do something wrong or remember something about not running untrusted crap on his/her computer.
"Trivial" in this context means:
#1. Not doing something such as patching so a worm can infect you.
#2. Doing one stupid thing such as clicking on an attachment you received via email.
The more steps that have to be followed, in a particular order, the less "trivial" it becomes to convince the "ignorant end user" to perform all those steps, in that particular order.
You can keep arguing that this is not so, but the statistics seem to contradict you. And I'm going to go with the statistics on this.
What the fuck?
No, with "su", you're running as root until you type "exit". There is no time limit or command limit on "su".
What? How? Go ahead. Infect my computer. It's running Edgy so I'm sure there are lots of holes still in it.
Go ahead. Do it.
Oh, you can't? Well I guess that your claims aren't factual.
Great. The infect my machine. Go ahead.
Writing a program such as that is not difficult. The difficult part is getting it running on my machine. Or anyone else's machine.
Then do it.
I'm saying that it is hard. And with Ubuntu, it's practically impossible.
Don't try to sidetrack this. Your claim was that you can get root, easily. No, you cannot. Here, I'll make it as easy as you're ever going to get. My email address is linked to my 'nym. I'm running a fairly vanilla Edgy on Intel. No anti-virus at all.
Yes, it does.
I am in that category. You have my email address. You know the OS, mail program and hardware platform.
If you cannot get a trojan on my machine, you cannot do what you've claimed.
Therefore, it is you who does not understand security.
Again, you cannot crack my computer. You do not know what you're talking about.
Well, you've claimed that it is easy.
Your inability to prove that claim on my machine shows that it is not as easy as you would like others to believe.
Here's a free security clue. Cracking your own machine is nothing. If the crack is not spreading faster than it is being removed, it will "die" in "the wild".
Because it is. And I'm posting this from my home machine running Edgy.
I think you missed the definition.
The code is not "in full view". It is hidden. That way, the user will run the code s/he THINKS is contained in that package, but the real code is something else.
Maybe you don't understand "trivial", either.
Under a single user Windows box, it was trivial. Just clicking on porn.gif(.exe) in Outlook used to be sufficient to run that
Under Ubuntu, there are more steps. And the user has to specifically type in "sudo blah". The more steps required, the more chance that the user will notice that there is a problem.
So, if 99% of Windows users get themselves infected
And that's just from the trojan threat.
Because Ubuntu's default installation has no open ports, it is 100% safe from worms.
And the virus threat is also limited by the restricted rights and the need to type "sudo virus-file" to "install" the virus.
Love is a snowmobile racing across the tundra and then suddenly it flips over, pinning you underneath. At night, the ice weasels come.
- Matt Groening
Simpsons, Futurama, Life in Hell
Spamhaus does not "block" anything. All they do is list the addresses that meet their criteria for listing (yeah, I know that's redundant).
Mail admins can choose to reference that list (or not) and block / flag / delay / whatever based upon it.
I use Spamhaus with SpamAssassin, but I don't block or deny. It just adds to the spam score.
Spamhaus does not block. Spamhaus just lists.
Mail admins block.
ActiveX is a Microsoft technology. Even Microsoft is trying to get away for the security holes they've created with that.
Sometimes, security means not implementing something if it cannot be implemented securely.
Yes, that is exactly how a new user will work with his/her new PC.
Which is why Microsoft should be focusing their efforts shutting off all open ports on a vanilla installation. Just as Ubuntu does right now.
Once you've connected it and turned it on, the machine should check in and offer to download all the security patches. But it needs to offer to do this PRIOR to any of the ports being opened.
Clicking "OKAY" (repeatedly) during the initial boot/first use should result in as secure and updated a machine as is possible for the home user.
How is that possible?
By that "logic", a house with a 10' hole next to the open front door is "less" "secure" than the same house with the front door closed and locked.
No, it is not.
Which is what I said that you had previously taken exception to.
And for others it is an acceptable risk. What is it with you and the pedantic generalizations?
Again with the pedantic generalization. Do you have ANY evidence that these workstations are not used to access legitimate web-based resources?
You even get your pedantic generalizations wrong.
Back in the old days, when computers weren't networked, we still had a virus problem that was spread from computer to computer via floppy disks. Having 2 computers available means "sneaker-net" would be easy. Not to mention that it depends upon ALWAYS getting the cables correct.
Why not just put those extra $$DOLLARS$$ into locking down the desktops, setting up the firewall and monitoring the traffic?
It's not like we don't have all those technologies TODAY. Look up "snort" and SELinux for starters.
Since you've opted for pedantic, no, it is not. It is only more "secure" from Internet-based attacks. There is still physical security to be considered.
The most "secure" system is one that has been turned off, encased in cement and dropped into the deepest part of the ocean.
Now, can we possibly get back to a discussion of this specific situation instead of displaying our pedantic generalizations to the world?
Yes, a firewall can be cracked. But because it is a single point of access, it is far easier to monitor/secure than if all the workstations are directly connected to the Internet. Therefore, having a firewall would "mitigate" that "vulnerability".
What the fuck? Aren't they even behind a firewall?
Wouldn't a simple firewall "mitigate" that "vulnerability"?