The review is good it is a pity it skips the chapter on Chiropractic care. There results are mixed, especially for lower back pain.
As for why these are popular.... alternative medicine providers offer a much higher level of customer service and focus on customer satisfaction. They work hard to make sure their patients are happy with the treatment regimen and spend time with them.
See my other posts in this thread. You want a lock down system you don't buy generic hardware. You buy generic hardware you gave up on a lock down system. So I think we agree.
As for reporting back, that's where the router issue comes in. But I don't see kids doing hardware bypasses. The kids that know how to do that already have a computer.
Sorry for the delayed response, this slashdot notification ended up in the junk folder for some reason (most of them go through fine).
You example of web browsing is unusual because I would that a very processor and memory intensive task. You often have twice wrapped virtual environments with multimedia content. Have you looked at browser requirements lately?
But more importantly to the thread, under your scenario why would they even want to install Vista? The original point was about Vista being not good because it doesn't run on a wide range of hardware. Email and porn work fine under XP.
Most unions have little interest in keeping bad employees providing firing is not used as a way to reduce head count in general. If you had a board consisting of say 3 union members, 3 managers and 1 exec which tried cases of misconduct the union would not object particularly if the firing just opened up a new line slot.
JAMF will know if it's not reporting in, because the system is booted from CD or DVD.
How does the administrator distinguish that from the system being off at home? JAMF doesn't know if the computer was booted from CD.
Kid A goes home uses the system admin gets a report Kid B goes home boots from CD uses the system, admin gets no report Kid C goes home doesn't use the system Kid D has reconfigured/System/Library/LaunchDaemons/com.jamfsoftware.task.* to launch only when he executes a script.
How does the admin tell Kid B from Kid C from Kid D?
This isn't a game of trying to make it impossible to hack the system. Just to know when it's been done, and JAMF (and other monitoring software) can easily do that.
So far you haven't presented anyway it can know that. And looking at their website it seems to assume a pretty friendly environment. I can swap/etc/jamf.conf in and out using dozens of programs which legitimately have setuid. Moreover using SE features I can prohibt jamf from seeing what is going on.
I don't even own this software, I haven't had a chance to see how flaws and I'm already noticing problems. Like is operating at the Darwin and not the SE level and/or kernel level.
So no, I don't see how you would know. Maybe the reason you think it is working so well is because you are getting bogus reports from hacked jamf.
Which car company pays an average fully loaded cost of $75/hr? I don't know many autoworkers making that kind of money. Anyway I'll agree to say $48 as an average, and yes that is high. And again the auto companies could have offered a options/stock & wages mix to get concessions on things like layoffs. That's how bad management compounded the problems with an aggressive union.
But lets be clear, it is not the unions which decided to stop innovating It is not the unions that pushed a policy of built in obsolescence It is not the unions which decided to drive down quality It is not the unions which had bad warranty policies It is not the unions which indebted the companies while paying high dividends
The unions would have been and still would be thrilled with an innovative auto industry, using employee ownership.
Once the student is in as root they alter the admin software. Software can't tell if it is running on virtual or physical hardware without a TPM chip. That is why they were invented. Moreover JAMF isn't going to see things like a CD Booted OS. I don't know the details of JAMF but do you really think something this simple is going to hold up?
IBM, Microsoft, Intel... didn't invent a custom chip, CPU, OS solution to provide moderate security (still relatively easy to beat with specialized equipment as IBM is always quick to say) because 3rd party software does the job.
As for "this is education" that is one of the worst. They have: unlimited time, strong incentives, lots of communication with each other, are going through a rebellious stage, and have all sorts of outside resources to assist in circumvention.
Root can alter the open firmware password. Also it can be done via hardware pretty easily. Open firmware will stop someone in a monitored environment he doesn't have one of those.
The iPod was incredible. But Apple has gone from 10-2% to 8% PC marketshare (and in terms of profits better than 50%). The first company to real make that kind of a comeback. That came from vision and the ability to get the whole company working together i.e. leadership. Visionary leaders are rare.
I'm with you, I think he's fooling himself. I've written a computer designed to allow someone to use the system but still hide data from someone with physical access and a screw driver from being able to copy it (for about 2 days) and that system was very very custom. No way could it run any piece of software what-so-ever we didn't custom compile for it.
You are forgetting unlimited physical access with privacy. This isn't a school lab or library where the kids can't do an hour long take over. Deep freeze, anti-executable.. work well as long as the software is installed or not crippled.
I agree with everything you wrote. Good advice and a realistic perspective. Macs remote reimaging form open firmware, you could have a website + instructions and just give the kids the URL.
2.) If your goal is teaching computer science, Macs (and to a slightly lesser degree, Windows PCs) are NOT the way to go. Both MS and Apple hide the workings of a computer from the user to a degree that makes it almost useless for this purpose. Kids( and teachers for that matter) will not learn how computers work through osmosis. Of course it is fairly unrealistic to expect US public/private schools to put linux in the classroom but one can dream.
OSX architecture may hide things, as you say. Darwin on the other hand is a BSD. Pretty much everything you wanted to do with Linux in a curriculum you can do with the Mac macports. Don't get me wrong, I think kids would learn way more from say at 10th grade having to reimage to a Linux from scratch and work it up to the point it runs Open Office but I can't see most HS computer level teachers being able to teach that. Really any modern OS, Linux included sucks for understanding computers, they are just too complicated. A virtual OS built on top of a Lisp is much better. Getting the stupid thing to be able to do eval((3+4) * 6) will take some deep understanding.
Macs don't have BIOSes at all they have OpenFirmware which is way cooler (it has some built in servers for example). Yes, you can put a password in the OpenFirmware and that will prevent it from booting from anything but the harddrive and prevent things like single user mode.
But.... root has write to OpenFirmware so one hole anywhere in any app which is installed and game over. Also, there are other ways to compromise open firmware by screwing with the hardware.
I responded to some of those others on this thread. The problem is your are monitoring a system in hostile hands where the hacker has unlimited physical access.
I think you are missing the point. Kaseya and most tools are designed around letting administrators access systems where the person on the other end is cooperating. He's dealing with the situation where the person on the other end is not necessary cooperating.
I agree Kaseya solves the cable/phone company not allowing incoming connections problem. But that's only one problem. Lets start with some scenarios for Kaseya (and do they even make a Mac client):
1) Computer is off. 2) Computer is on but unplugged from ethernet 3) Service is disabled so client is not running 4) Kaseya IP/port is blocked on home router (intentionally) 5) Kaseya (if it uses DNS) is remapped via (c:\System32\Drivers\Etc on windows or/etc/hosts to say 127.0.0.1)
etc...
How is he going to tell which of these is going on? All he gets is no ability to monitor the system.
Even if I were to grant that the kids have to have the system on and be connected then he could be facing Kaseya client is running on a VM or chrooted environment and can't see the actual hardware, just the visualized hardware. Remember they have unlimited physical access. This is a completely compromised machine from a security standpoint.
Some of what he is aiming for can be done using trusted computing (but again that doesn't exist for Mac). But then he is talking much more expensive machines. And then either the machines are completely locked down, which means high administrative costs or its pretty easy to carve off an environment the main OS can't see.
Going back to mac for a second, we aren't talking about anything terrible tricky here. -s on boot and the kids are in single user mode on the macbook.
Now normally in a company this wouldn't be such a big deal. But these are teenagers which means one of them will know how to do this and he'll tell everyother kid via myspace. You can secure school computers in the school, at the home forget it. Best to just admit it can't be done and move on. Particularly since what he is trying to secure them against is stuff they can do easily dozens of other ways.
That solves the connection problem. But it doesn't let him distinguish between:
1) computer is off 2) computer is not on the internet 3) outgoing port is blocked on computer 4) outgoing port is blocked on home router 5) signal is redirected (to say 127.0.0.1)....
I'm not sure what your monitoring is designed for, but it wouldn't seem to solve his issue.
You don't stand a chance. The kids have physical access and you need to be able to run mainstream software. That means any knowledgeable kid can get administrative access in a heartbeat . Then 11+ year olds will tell each other how. You are done. As for remote monitor, they are on their home routers. They phone / cable company firewall is not going going to accept a TCP/IP connection you establish which means you can't do it.
The first thing you need to do is get realistic expectations or start constructed a much more secure system, which is not going to be a macbook you are talking encrypted drives, TPM chips, access keys on some pager which need to be plugged in for the system to work.... trusted computing group website.
Schools aren't going to pay for that sort of stuff. What you do is you set expectations reasonably, lock the system down badly, filter the minimum and have an easy way to re-image and that's it.
No it isn't damning. American companies go under all the time. The years between the 1st and 2nd Chrysler bailouts were devastating for American manufacturing. As for "screwing" the creditors they got paid not screwed. The credit swap was to their advantage.
To show what you want to show about unions you would need to show that in similar industries union employment did far worse than non unions. And given the wage differential that might still not be enough from an NPV standpoint for the employees.
What the government did was act the way creditors do in a bankruptcy.
The review is good it is a pity it skips the chapter on Chiropractic care. There results are mixed, especially for lower back pain.
As for why these are popular.... alternative medicine providers offer a much higher level of customer service and focus on customer satisfaction. They work hard to make sure their patients are happy with the treatment regimen and spend time with them.
See my other posts in this thread. You want a lock down system you don't buy generic hardware. You buy generic hardware you gave up on a lock down system. So I think we agree.
As for reporting back, that's where the router issue comes in. But I don't see kids doing hardware bypasses. The kids that know how to do that already have a computer.
Sorry for the delayed response, this slashdot notification ended up in the junk folder for some reason (most of them go through fine).
You example of web browsing is unusual because I would that a very processor and memory intensive task. You often have twice wrapped virtual environments with multimedia content. Have you looked at browser requirements lately?
But more importantly to the thread, under your scenario why would they even want to install Vista? The original point was about Vista being not good because it doesn't run on a wide range of hardware. Email and porn work fine under XP.
Most unions have little interest in keeping bad employees providing firing is not used as a way to reduce head count in general. If you had a board consisting of say 3 union members, 3 managers and 1 exec which tried cases of misconduct the union would not object particularly if the firing just opened up a new line slot.
Again work with the union not against it.
How does the administrator distinguish that from the system being off at home? JAMF doesn't know if the computer was booted from CD.
Kid A goes home uses the system admin gets a report /System/Library/LaunchDaemons/com.jamfsoftware.task.*
Kid B goes home boots from CD uses the system, admin gets no report
Kid C goes home doesn't use the system
Kid D has reconfigured
to launch only when he executes a script.
How does the admin tell Kid B from Kid C from Kid D?
So far you haven't presented anyway it can know that. And looking at their website it seems to assume a pretty friendly environment. I can swap /etc/jamf.conf in and out using dozens of programs which legitimately have setuid. Moreover using SE features I can prohibt jamf from seeing what is going on.
I don't even own this software, I haven't had a chance to see how flaws and I'm already noticing problems. Like is operating at the Darwin and not the SE level and/or kernel level.
So no, I don't see how you would know. Maybe the reason you think it is working so well is because you are getting bogus reports from hacked jamf.
Which car company pays an average fully loaded cost of $75/hr? I don't know many autoworkers making that kind of money. Anyway I'll agree to say $48 as an average, and yes that is high. And again the auto companies could have offered a options/stock & wages mix to get concessions on things like layoffs. That's how bad management compounded the problems with an aggressive union.
But lets be clear, it is not the unions which decided to stop innovating
It is not the unions that pushed a policy of built in obsolescence
It is not the unions which decided to drive down quality
It is not the unions which had bad warranty policies
It is not the unions which indebted the companies while paying high dividends
The unions would have been and still would be thrilled with an innovative auto industry, using employee ownership.
Once the student is in as root they alter the admin software. Software can't tell if it is running on virtual or physical hardware without a TPM chip. That is why they were invented. Moreover JAMF isn't going to see things like a CD Booted OS. I don't know the details of JAMF but do you really think something this simple is going to hold up?
IBM, Microsoft, Intel... didn't invent a custom chip, CPU, OS solution to provide moderate security (still relatively easy to beat with specialized equipment as IBM is always quick to say) because 3rd party software does the job.
As for "this is education" that is one of the worst. They have: unlimited time, strong incentives, lots of communication with each other, are going through a rebellious stage, and have all sorts of outside resources to assist in circumvention.
Root can alter the open firmware password. Also it can be done via hardware pretty easily. Open firmware will stop someone in a monitored environment he doesn't have one of those.
The advantage of tight integration over loose integration (Microsoft model) is what Apple is selling. It is the their core product.
The iPod was incredible. But Apple has gone from 10-2% to 8% PC marketshare (and in terms of profits better than 50%). The first company to real make that kind of a comeback. That came from vision and the ability to get the whole company working together i.e. leadership. Visionary leaders are rare.
How?
1) Take laptop home
2) Set home router to not accept connection from MAC address of school computer
3) Do what I want
That isn't hard.
And (2) can be replaced with
2') Go somewhere there isn't internet access.
I'm with you, I think he's fooling himself. I've written a computer designed to allow someone to use the system but still hide data from someone with physical access and a screw driver from being able to copy it (for about 2 days) and that system was very very custom. No way could it run any piece of software what-so-ever we didn't custom compile for it.
How would you know?
You are forgetting unlimited physical access with privacy. This isn't a school lab or library where the kids can't do an hour long take over. Deep freeze, anti-executable.. work well as long as the software is installed or not crippled.
How do you get those logs and how do you get the right ones on a compromised system?
I agree with everything you wrote. Good advice and a realistic perspective. Macs remote reimaging form open firmware, you could have a website + instructions and just give the kids the URL.
OSX architecture may hide things, as you say. Darwin on the other hand is a BSD. Pretty much everything you wanted to do with Linux in a curriculum you can do with the Mac macports. Don't get me wrong, I think kids would learn way more from say at 10th grade having to reimage to a Linux from scratch and work it up to the point it runs Open Office but I can't see most HS computer level teachers being able to teach that.
Really any modern OS, Linux included sucks for understanding computers, they are just too complicated. A virtual OS built on top of a Lisp is much better. Getting the stupid thing to be able to do eval((3+4) * 6) will take some deep understanding.
Macs don't have BIOSes at all they have OpenFirmware which is way cooler (it has some built in servers for example). Yes, you can put a password in the OpenFirmware and that will prevent it from booting from anything but the harddrive and prevent things like single user mode.
But.... root has write to OpenFirmware so one hole anywhere in any app which is installed and game over. Also, there are other ways to compromise open firmware by screwing with the hardware.
The problem is the knowledgeable will tell all of his friends and a "how to" will be on myspace within a week.
I responded to some of those others on this thread. The problem is your are monitoring a system in hostile hands where the hacker has unlimited physical access.
Take your macbook and hold command-s during boot. Tell me how secure the system feels now.
For windows/Linux users: that is the "reboot to single user mode command".
I think you are missing the point. Kaseya and most tools are designed around letting administrators access systems where the person on the other end is cooperating. He's dealing with the situation where the person on the other end is not necessary cooperating.
I agree Kaseya solves the cable/phone company not allowing incoming connections problem. But that's only one problem. Lets start with some scenarios for Kaseya (and do they even make a Mac client):
1) Computer is off. /etc/hosts to say 127.0.0.1)
2) Computer is on but unplugged from ethernet
3) Service is disabled so client is not running
4) Kaseya IP/port is blocked on home router (intentionally)
5) Kaseya (if it uses DNS) is remapped via (c:\System32\Drivers\Etc on windows or
etc...
How is he going to tell which of these is going on? All he gets is no ability to monitor the system.
Even if I were to grant that the kids have to have the system on and be connected then he could be facing Kaseya client is running on a VM or chrooted environment and can't see the actual hardware, just the visualized hardware. Remember they have unlimited physical access. This is a completely compromised machine from a security standpoint.
Some of what he is aiming for can be done using trusted computing (but again that doesn't exist for Mac). But then he is talking much more expensive machines. And then either the machines are completely locked down, which means high administrative costs or its pretty easy to carve off an environment the main OS can't see.
Going back to mac for a second, we aren't talking about anything terrible tricky here. -s on boot and the kids are in single user mode on the macbook.
Now normally in a company this wouldn't be such a big deal. But these are teenagers which means one of them will know how to do this and he'll tell everyother kid via myspace. You can secure school computers in the school, at the home forget it. Best to just admit it can't be done and move on. Particularly since what he is trying to secure them against is stuff they can do easily dozens of other ways.
That solves the connection problem. But it doesn't let him distinguish between:
1) computer is off ....
2) computer is not on the internet
3) outgoing port is blocked on computer
4) outgoing port is blocked on home router
5) signal is redirected (to say 127.0.0.1)
I'm not sure what your monitoring is designed for, but it wouldn't seem to solve his issue.
Panasonic makes a line of notebooks designed for light abuse: tough book
or nasty treatement.
You don't stand a chance. The kids have physical access and you need to be able to run mainstream software. That means any knowledgeable kid can get administrative access in a heartbeat . Then 11+ year olds will tell each other how. You are done. As for remote monitor, they are on their home routers. They phone / cable company firewall is not going going to accept a TCP/IP connection you establish which means you can't do it.
The first thing you need to do is get realistic expectations or start constructed a much more secure system, which is not going to be a macbook you are talking encrypted drives, TPM chips, access keys on some pager which need to be plugged in for the system to work.... trusted computing group website.
Schools aren't going to pay for that sort of stuff. What you do is you set expectations reasonably, lock the system down badly, filter the minimum and have an easy way to re-image and that's it.
No it isn't damning. American companies go under all the time. The years between the 1st and 2nd Chrysler bailouts were devastating for American manufacturing. As for "screwing" the creditors they got paid not screwed. The credit swap was to their advantage.
To show what you want to show about unions you would need to show that in similar industries union employment did far worse than non unions. And given the wage differential that might still not be enough from an NPV standpoint for the employees.
What the government did was act the way creditors do in a bankruptcy.