Anyone have the videos in a standard format?
http://www.jordanmills.com/prunev3.vbs will do number 3. The others aren't handy (they're part of my standard install).
Needs a little more commenting, but if you're at all familiar with base apps and the registry, the effects are pretty obvious. I update it periodically.
For point 1, it's a batch file. A couple of commands:
net user user /add
And then just log on as "user" instead.
For point 2, I get in the registry, under clsid, msifile (or whatever is linked from the .msi type), and change the name of the "open" key to "runas". This triggers the secondary logon service to allow you to log on and run the MSI under alternate credentials. Basically, so someone just has to "run the msi and verify that you want to install it with the password"
Yep. And I keep telling people, but they keep saying "well it doesn't do [security hole-"feature" here]". They simply don't want to learn how a computer is supposed to work. Basically, don't log on as administrator unless you have to do administrative stuff. But they like being able to install random trojans all day. Here's the rules I give to people though. Very very easy:
1, don't log on as local administrator
2, don't install anything unless it's an MSI file
3, fix IE's default security permissions
1. This is how computers are supposed to work. You should NEVER use a web browser in an administrative context. Windows even has a secondary logon service, so you don't have to even log on to the console to change things.
2. You have no idea what setup.exe will do to your system. Most setup.exe files I see (and open source software/Linux ports are the BIGGEST offenders here) are totally clueless about multiuser systems, and will put shortcuts in the current user's profile. Even worse, lots of the programs themselves will expect full access to every file on the computer. Linux may work this way, but Windows is a tad more secure.
3. The default IE permissions are garbage. There's no reason to prompt users to download random executables from any web page that wants them to. Fix that. Toolbar integration is a nice tool, but nobody really uses it. Disable. ActiveX is easy to deal with. Just tell it not to download any ActiveX controls. You can block potentially malicious ones from being run on web pages, but leave them available to the rest of the system.
I have a script that will fix all of these in about two seconds. Most people don't like to use it though. I think the problem is that people like to feel important. They like to play the game, finding the right combination of obscure software to fix various problems (that they create themselves), the right incantations to utter, and the right voodoo to work.
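A read-only check of rule 1 and of the .msi verb mapping discussed in the comments above. This is an added example, not the commenter's script or any part of prunev3.vbs; it assumes PowerShell is available on the machine, the function names are hypothetical, and nothing is modified.

```powershell
# Added example: audits the logon context and the shell verbs registered
# for .msi files. It only reads; it changes no account or registry key.

function Test-AdminToken {
    # True when the current process token carries the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MsiShellVerbs {
    # HKEY_CLASSES_ROOT is the merged per-machine and per-user class view.
    # The default value of the .msi key names the ProgID that owns the verbs.
    $extKey = Get-Item -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.msi' -ErrorAction Stop
    $progId = $extKey.GetValue('')
    if (-not $progId) { throw 'No ProgID is registered for .msi' }

    $shellPath = "Registry::HKEY_CLASSES_ROOT\$progId\shell"
    $verbs = @(Get-ChildItem -LiteralPath $shellPath -ErrorAction Stop |
               ForEach-Object { $_.PSChildName })

    [pscustomobject]@{
        ProgId   = $progId
        Verbs    = $verbs -join ', '
        HasOpen  = $verbs -contains 'open'    # -contains is case-insensitive
        HasRunAs = $verbs -contains 'runas'
    }
}

if (Test-AdminToken) {
    Write-Output 'Rule 1: this session is running with administrator rights.'
} else {
    Write-Output 'Rule 1: this session is running as a standard user.'
}

$msi = Get-MsiShellVerbs
Write-Output ("ProgID for .msi: {0}; verbs: {1}" -f $msi.ProgId, $msi.Verbs)
if ($msi.HasRunAs -and -not $msi.HasOpen) {
    Write-Output 'The "open" verb has been replaced by "runas".'
} elseif ($msi.HasOpen) {
    Write-Output 'The default "open" verb is still registered for .msi files.'
}
```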
Sorry, man, I didn't think you posted here. D'oh!
Oh I was just "correcting" him. I don't think that anyone did anything out of line from what I can tell here. The student did what students will do, and the feds did their job. Seems to have worked out fine. Certainly better than Habib-the-Pyro asking for this info and nobody caring.
Because stuff like that is cool. The tunnel system at my school fascinated me (and many other students).
I believe they're also missing a crime.
Actually, I think the acronym stands for digital restrictions management.
Well sometimes they base relevant operations outside taxable jurisdictions (sweatshops in China). Other times, they cut deals with local authorities to eliminate tax obligation simply because they move in and make jobs.
Someone else took the screenshot. I have smoothing on.
I have modified my sig for the first time in forever, to honor this.
Oh hell, that's absolutely amazing.
Watching it die. Didn't finish the index, so I decided to let it load one image. 33% and it seems to be decreasing exponentially.
If the content is important, it can go into a standard format. Otherwise it's worthless.
Number two reason I have flash blocked and no viewer installed on my system, right there. The number one reason is that it's not standard, so there's no need.
Most people install all sorts of half-working crap. All of you with Trillian probably have no idea how to run a secure system (rule number one - never log on as root/administrator unless you need to do something administrative).
So, ranting aside, here's my list. Might go to more than ten:
1 Windows Media Player 9
2 Media Player Classic custom (includes a bunch of codecs too, packaged in a nice normal MSI)
4 Windows XP Powertoys (most of 'em)
5 WackGet (wget-based HTTP and FTP download manager)
6 Office 2003
7 Miranda IM (custom package with plugins)
8 NoPopIE
9 daemon-tools (virtual image->cd drive driver)
10 uxtheme.dll patch (so I can use free themes)
Here is a list of crap that will never be on one of my systems:
flash/shockwave: nonstandard security-hole-ridden garbage. I don't have space to list the ways this annoys me, and I miss nothing of import.
anything Adobe: All crap. They don't seem to know how to use a window manager, instead making their own slow custom interface. For everything.
Trillian: I tried discussing it with the authors, but they don't care about how to make something that works with any speed, or works right on NT. They'd rather spend more time messing up their sloooow custom skinning code (which you can't turn off).
Spybot/adaware/et al: I don't get it. You idiots can go on running your web browsers as local administrator and download the latest exploit daily. Personally, I know how to use a computer.
One of those little USB memory things might come in handy.
Lots of pretty random advice here from people who seem to like making up work to feel important, but they're missing the point. You're not doing your job right. Your systems are rather critically misconfigured if you let your users log on as administrator, as required to install these things. I bet you do this at home too. And you kids wonder why you're getting your jobs outsourced to India.
The link looks down and someone mentioned something about it too. Might just be my connection here though. Coincidentally enough, I looked it up this afternoon. Unfortunately, I think Houston will have too much cloud cover to see anything.
Actually it asks you for a password when you're installing (unless you create an install script beforehand). If you use a blank password, that's your own fault. Nice bit of FUD though.
Well like the other person said, who said which client is the "right" one? Then, how do you deal with ones like MSN where some log and some don't?
So you're saying it's no different from Windows except when the local administrator chooses to make it different.
If an application requires you to run it as admin, then the application is not compatible with Windows and you're not going to be able to use it. This "but just make yourself administrator" line is BS.
So don't use Windows Update. It's garbage anyway. I think this is their way of encouraging you to do things the right way.
For a better way to see what updates you're missing, and direct links to the KB to download the fix, use MBSA (Microsoft Baseline Security Analyzer).
The point is, you only need the elevated permissions in Linux/Unix when you are going to do an administrative function.
If you want to get arcane, you can even set things up so that software installs are done to the local user directory, and don't require admin permissions. That does tend to make installing most of them much more complicated though.
And this is different from Windows how?
It's called fair use. It's an inherent right that doesn't have to be specified. The Supreme Court has confirmed this.