THIS!
I mean, you'd think they could figure out a way to, you know... add an index to your database file (PST)...
In addition to that, another annoyance is the plugin integration with OWA (or whatever they are calling it these days... outlook on the web or something?). At the very least, this is confusing since Bing maps is one of the default OWA plugins and a lot of sigs contain address info... so you get this ribbon at the top of your e-mail asking you if you want to look up the address on Bing Maps, but the plugin doesn't exist anywhere on your system... it exists in OWA...
Well, here's the deal. The office space is small enough (2 floors of a downtown skyscraper) that I regularly see most of it. I am pretty connected with what users are doing.
Sometimes the solution is not so much technical and is more on the social side.
The answer to your question is: Yes. If an HR or Accounting (or any) person in the office decided to attach a wireless device that listens, it would have an available connection to the Internet (assuming it used port 80 or 443).
BUT, I would be aware of it pretty quickly. We are not the police. We are the IT department. We don't set or enforce policy for users. After talking to them about the potential risks, it would be up to their group leader or the operations committee to tell them they can't do it. We would, of course, inform that decision, but unless the device is causing a disruption, we generally let users do what they want in that BYOD space.
Ok, you are right. Abuse is not the definition of "free and open".
What I meant to say was that free and open systems tend to be abused. Think public restrooms...
I just don't buy into this 100%
I think that if you take the time to explain the importance of something and relate it to something they care about (like not getting their important files held ransom, for example) they will listen. It is just about making it easy to understand.
Now, I have personally met users who are willfully ignorant. I think they are the minority though.
We have a BYOD Wi-Fi network for any non-approved wireless devices.
The network is completely separate from the LAN and normal Wi-Fi network and is subject to some bandwidth throttling.
A user can plug in a device to the network, but I do monitor the DHCP logs. This hasn't been a real problem since we gave the users a sandbox to play in though.
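The DHCP-log monitoring described above, as an added example that is not part of the original comment: a small Python script that reads ISC dhcpd-style DHCPACK lines, splits them by interface, and reports MACs that are not in an inventory. The log lines, the inventory, and the assumption that `eth1` is the BYOD segment and `eth0` the corporate LAN are all constructed for the example. An unknown device on the sandbox segment is only informational, while an unknown device that got a lease on the LAN is the case worth an alert.

```python
import re
from collections import defaultdict

# Constructed sample dhcpd syslog lines (not real logs). Assumption for the
# example: eth1 serves the BYOD sandbox, eth0 serves the corporate LAN.
SAMPLE_LOG = """\
Mar  3 08:01:12 dhcp dhcpd: DHCPACK on 10.20.0.15 to aa:bb:cc:dd:ee:01 (alice-phone) via eth1
Mar  3 08:02:40 dhcp dhcpd: DHCPACK on 10.20.0.16 to aa:bb:cc:dd:ee:02 (fitbit-sync) via eth1
Mar  3 08:05:03 dhcp dhcpd: DHCPACK on 10.10.0.42 to 00:11:22:33:44:55 (cad-ws-07) via eth0
Mar  3 08:07:19 dhcp dhcpd: DHCPACK on 10.20.0.17 to de:ad:be:ef:00:01 via eth1
Mar  3 08:09:30 dhcp dhcpd: DHCPACK on 10.10.0.99 to 66:77:88:99:aa:bb (unknown-laptop) via eth0
Mar  3 09:15:55 dhcp dhcpd: DHCPACK on 10.20.0.15 to aa:bb:cc:dd:ee:01 (alice-phone) via eth1
"""

# Constructed inventory of approved MACs (a real one would come from the
# asset database or the DHCP reservations file).
KNOWN_MACS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}

# DHCPACK lines carry IP, MAC, optional "(hostname)" and the interface.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_acks(log_text):
    """Return one dict (ip, mac, host, iface) per DHCPACK line."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := ACK_RE.search(line))]


def unknown_devices(log_text, known_macs):
    """Group MACs that are not in the inventory by the interface they leased on.

    Result shape: {iface: [(mac, hostname), ...]} with each MAC listed once.
    """
    known = {m.lower() for m in known_macs}
    per_iface = defaultdict(dict)
    for lease in parse_acks(log_text):
        mac = lease["mac"].lower()
        if mac not in known:
            per_iface[lease["iface"]][mac] = lease["host"] or "<no hostname>"
    return {iface: sorted(macs.items()) for iface, macs in per_iface.items()}


def report(log_text, known_macs, byod_iface="eth1"):
    """Unknown devices on the LAN are ALERTs; on the BYOD sandbox they are INFO.

    Returns sorted (severity, iface, mac, hostname) rows, ALERT rows first.
    """
    rows = []
    for iface, devices in unknown_devices(log_text, known_macs).items():
        severity = "INFO" if iface == byod_iface else "ALERT"
        rows.extend((severity, iface, mac, host) for mac, host in devices)
    return sorted(rows)


if __name__ == "__main__":
    for severity, iface, mac, host in report(SAMPLE_LOG, KNOWN_MACS):
        print(f"{severity:5} {iface:5} {mac} {host}")
```

In practice the script would be pointed at the live syslog file and the inventory refreshed from wherever approved devices are recorded; the point is that the sandbox keeps the noise off the LAN, so the only rows that need a human are the ALERT ones.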
I think that one way to deal with this would be in the browser.
Currently, EV certs will turn the address bar green or have some other indication above and beyond the normal "lock" icon.
Perhaps we need to have a different color or indication for each kind of cert.
Also, perhaps have a warning in the browser if the last known certificate is from a different CA and/or has a different validation level from the certificate currently being presented by the same domain.
Other than that, I am not sure what could be done on the server side of things. The system is meant to be free and open... which, by definition, means it is going to be abused.
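The "warn if the CA or validation level changed since last time" idea from the comment above, as an added example in Python that is not part of the original post: it remembers, per host, the issuer organization and the validation level derived from the certificate's policy OIDs, and returns warnings when either differs on the next visit. The policy OIDs listed are the CA/Browser Forum ones (browsers additionally recognize CA-specific EV OIDs, which this example does not list). The host names and issuer strings are constructed; the `issuer_org` helper shows how the issuer would be pulled out of the tuple-of-tuples that Python's `ssl` `getpeercert()` returns, but that dict does not expose policy OIDs, so a real deployment would need a full X.509 parser for those.

```python
# CA/Browser Forum certificate-policy OIDs that mark the validation level.
POLICY_LEVELS = {
    "2.23.140.1.1": "EV",     # Extended Validation
    "2.23.140.1.2.1": "DV",   # Domain Validated
    "2.23.140.1.2.2": "OV",   # Organization Validated
    "2.23.140.1.2.3": "IV",   # Individual Validated
}
# Higher rank = stronger validation; used to tell a downgrade from a change.
LEVEL_RANK = {"EV": 3, "OV": 2, "IV": 2, "DV": 1, "unknown": 0}


def validation_level(policy_oids):
    """Return the strongest validation level claimed by the policy OIDs."""
    levels = [POLICY_LEVELS[o] for o in policy_oids if o in POLICY_LEVELS]
    if not levels:
        return "unknown"
    return max(levels, key=LEVEL_RANK.__getitem__)


def issuer_org(issuer_rdns):
    """Extract organizationName from the issuer field of ssl.getpeercert(),
    which is a tuple of RDNs, each a tuple of (key, value) pairs."""
    for rdn in issuer_rdns:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "<no organizationName>"


class CertMemory:
    """Per-host memory of issuer and validation level; flags changes."""

    def __init__(self):
        self.seen = {}  # host -> {"issuer": str, "level": str}

    def observe(self, host, issuer, policy_oids):
        """Record this visit's certificate facts; return warnings vs. last visit."""
        level = validation_level(policy_oids)
        warnings = []
        prev = self.seen.get(host)
        if prev is not None:
            if prev["issuer"] != issuer:
                warnings.append(
                    f"{host}: issuer changed from {prev['issuer']!r} to {issuer!r}")
            if prev["level"] != level:
                verb = ("downgraded" if LEVEL_RANK[level] < LEVEL_RANK[prev["level"]]
                        else "changed")
                warnings.append(
                    f"{host}: validation level {verb} from {prev['level']} to {level}")
        self.seen[host] = {"issuer": issuer, "level": level}
        return warnings


if __name__ == "__main__":
    mem = CertMemory()
    # Constructed visits: same EV cert twice, then a DV cert from another CA.
    print(mem.observe("bank.example", "Example CA", ["2.23.140.1.1"]))
    print(mem.observe("bank.example", "Example CA", ["2.23.140.1.1"]))
    print(mem.observe("bank.example", "Other CA", ["2.23.140.1.2.1"]))
```

A legitimate CA switch or EV-to-DV renewal will trigger this too, which is the point: the user gets one prompt to confirm, the same way an SSH client prompts when a known host key changes, instead of the lock icon silently looking the same as before.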
You are right, but only if you are running as a standard user. Most home users run under an admin account. In this case, running without UAC means that anything that is executed under your account, with or without your knowledge, will be silently elevated to the highest possible permission level.
So, it is especially dangerous to run as admin without UAC. It means that any exploit that manages to make it past your other counter-measures is guaranteed to have the highest privilege level.
Not only use it, but it happens to be a core element of our network structure.
I used to be one of those people who disabled UAC immediately. In the Vista days it was bad, no doubt. It has come a long way since then.
I also was the kind of person who would immediately disable SELinux on CentOS boxes until I took the time to learn it and then it was really pretty simple and now I have stronger systems because I run with it enabled.
Yeah, something is not right here.
I admin a small network of about 150 Windows devices and all of our users are high-end CAD and have multiple monitors. We also allow writing to USB but disallow programs from running from removable drives.
We have *never* had issues like what the GP described.
However, the GP is correct about the "all or nothing" aspect of UAC. Because of this, we use a 3rd party product called DefendPoint (formerly Privilege Guard) which allows us to set domain-wide policy on what can be elevated and by whom. For example, we have a custom written "AppStore" which we allow to run elevated without prompting. This allows our users to install pre-approved applications and updates without the need for me to install it for them.
I feel like you're doing it wrong.
In the early days of UAC on Vista, you are right, it was a pain. But things have gotten much better since then. Microsoft has improved UAC and app writers are more aware of UAC and design their software around it.
UAC is actually a clever feature, imo, and it is invaluable from a network admin perspective because it allows on-the-fly privilege escalation much like sudo. Yes, I know you can use runas or the Explorer context menu, but the automatic prompting is nice.
All of my own family members whose Windows boxen I take care of have UAC set and run as a standard user. They have instructions to call me when they see the UAC prompt. Guess what? I rarely get calls about this.
Stagnation is the great killer.
Much like fear...
I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration.
That is sort of what I was thinking.
The fact is, Microsoft is already in a lot of cars. I have taken road trips in cars with a Microsoft system and it seemed fine.
The only thing that concerns me with "the cloud" being in a car is the added expense of maintaining a data link... I am sure it is "free" for some amount of time, but who wants to pay $50+/month to run Office apps ON THEIR CAR DASHBOARD?
I am sure that Azure will allow for all kinds of cool things (I mean, if you haven't taken a look at powerbi.com you will be blown away at how easy Microsoft has made cloud-based analytics), but that just seems like complete overkill for a car.
Why would you disable UAC?
Do you log in to your Linux boxes as root and do everything as a super user? Why would you do that on Windows?
Well... we got to the bottom of that one.
Thanks ;)
Now see, I had you pegged as a grumpy old man with an onion on his belt. The façade has cracked slightly and I see the awe and wonder. Nice.
That was my second thought.
when I read that summary is: How do we know that *this* time the data was handled correctly?
I am sure that the original researchers thought they were handling the data correctly too....
This is what I was getting at.
Of course, the attacker would have to be pretty clever, have a lot of knowledge about the system and know how to put it all together. But making your printed log illegible is effectively the same thing as erasing your print.
Probably easier to just stop the process by which the log text is being sent to the printer.
Can you control the roller in a line printer?
If so, couldn't you just tell the printer to back up a line before printing the new line?
I am seeing a lot of the "shitlord" word going around recently... perhaps I am just noticing it more. But it still has a novelty factor that makes me chuckle every time I see it used.
Thanks ;)
Ok, one question, probably stupid.
Is 1ms latency even physically possible if the 2 nodes are on opposite sides of the world?
Or are they talking about "within the same city" kind of network?
Also... 5G? Over-the-air? Wireless is not my first thought for medium when I think of low latency...
Yeah, I wonder if all the extra electronics draw more power over time than just opening the door a couple of times a day.
I am sure that is going to be the case with a big-ass-monitor, especially if it is left on all the time.
Well, pre-processed stuff might have UPC codes...
I kind of think that you are on the right track though.
Once a refrigerator is able to accurately identify all of the contents (through a combination of UPC scanning, weight, smell and size/shape), you would gain some real value:
- No opening the door to waste energy
- Textual or visual representations of what is inside
- Recipe suggestions based on contents
- Caloric and other stats of the contents
- Shopping list suggestions based on eating habits
- Identification for the source of "that smell"
- Temperature regulation to make sure your head of lettuce doesn't freeze and your milk is ice cold
- Alerts on items you might be low on, sent at a time of day when you might already be in transit
I, for one, welcome our new IoT overlords.
The funny thing is, I rely on my oven clock more than any other clock, even my smart phone.
The oven clock is the one that gets me to work on time and tells me when to go to bed.
It's a small apartment...
I think we can simplify things a little bit here and just use RFC 1149.
RFC 2549 and RFC 6214 do not add anything new to the technology and just add to the complexity.