Among normal companies where computers and software are tools for achieving some other goal, it is extremely rare to have admin rights. I'm talking about banks, telecommunications companies, etc. For these firms you either have to use special management software to install software, or you have to request that IT come out and do it.
I disagree. I've worked at multiple (non-technocentric) Fortune 500 companies where all users have administrative rights to their computers. Why? Because they don't want to hire enough IT staff to do things properly. Users whine and generate support workload far more when they can't install their home printer, or their online poker client (or whatever they might want to put on there) than they do if you just let them do what they want. If you go so far as to tell them they're not allowed to install anything, congratulations! You've officially created a Career Limiting Event. I've worked at places where there was no Acceptable Use Policy because of the costs (both in wages and employee turnover) of enforcing one. (The turnover comes when some poor helpdesk drone doesn't realize that they're speaking to the Vice President Of Things That Begin With H On Alternate Tuesdays, reminds them that what they're doing is against the AUP, and subsequently get fired. Gotta love at-will employment; you can be fired for any reason or no reason at all.)
Think I'm exaggerating? Why do you think I don't have those jobs anymore?
Sadly, the GP's set of experiences and opinions is hardly unique.
I myself have been employed at several places where if they could have chained me to the desk, they would have. The only reason that they didn't is because those pesky laws regarding wage and working conditions kept them from doing it.
The US isn't run by the federal government. It's run by the people who get the government elected.
"The strong do what they have the power to do, the weak accept what they have to accept"; I think this is why you need to have strong police because otherwise some citizens will become strong, and the weak will have to accept what they say
There's a problem with this in today's world, however. The strong control the police. That particular ship has long since sailed. The strong are attempting to increase the power of the police because that in turn increases their power.
You CAN have effective police and respect the privacy of law-abiding citizens. Matter of fact, when it's put that way, it seems redundant. I don't know where you got the idea that privacy is expendable if it ensures our freedom; we've given up some freedom in the process. Kind of like a roots-type supercharger: it uses power to generate a greater amount of power. But in this case, it uses freedom and generates a smaller amount of freedom in return. In addition, this freedom is unreliable; we're relying on the government to be able to find its ass with both hands, a flashlight, a road map, and a giant blinking sign on their back that says "ASS BELOW."
Given those circumstances, I feel no guilt at telling the government to go get a fucking warrant if they want to invade my privacy. There's a process here; we can't just toss it out because of "terrists". Free clue folks, terrorism existed long before 2001 and it will exist for a long time to come. If we make ourselves less free, we're the terrorists, not them.
This is, of course, assuming that you WANT your government to treat everyone like a criminal.
I'd prefer that they didn't. If they want my DNA or my fingerprints, they can bloody well get a warrant signed by a judge. If they can't get that, then the Constitution protects my privacy. Bloody annoying, that Fourth Amendment. Requiring that "due process" and all. After all, law enforcement is entitled to be autocratic and lazy and just demand whatever they want on a pretext.
Pretty soon they'll want to put black boxes in your car.. oh wait, we already have those. Then they'll want to video tape you for the sole reason that you've driven down a street.. oh, we've got those too. Then they'll want to know about every phone call you make whether you've been accused of a crime or not.. oh, wait, we just found out about that one this week.
Amazingly enough, there are people who think a police state is a GOOD thing. I like to call those people "idiots" and would like to extend the police state to regulating their ability to breed, telling them it's to prevent terrorism. Fixes the problem neatly and ironically.
More like "paid attention". Leaving aside the rampant corruption and greed that makes our puported representative democracy a sad farce, remember that the people don't elect the president, the electoral college does.
The members of the electoral college are under no obligation to vote the same way a majority of their constituents voted. The fact that they almost always has doesn't change anything.
You seem to be operating under the delusion that basic good online security practices for end-users require knowledge of UDP ports. You seem fixated, actually.
Again, Google will provide the "good/bad" information they need, and clicking OK or No will be all the action they require.
The level of knowledge I'm alluding to is not "ignition timing", it's "don't hit the bus full of nuns and children" or "you should stop for a red light" or "don't drive into a lake".
Ignition timing isn't all that complicated anyway.
And I'd say the society is only as smart as its stupidest component.
It tells me "SvcHost.exe is trying to access the internet". This is all the information that is provided. You tell me, should I allow it?
Depends on what you find on Google. I don't know off the top of my head.
A novice user won't know what it means.
If they make the attempt to learn, soon they won't be a novice.
If they do have a problem, it will happen days later, and they won't connect it to the prompt.
At which point they run a virus/spyware scan, assuming their residtent antivirus hasn't caught it already.
Asking them to do something other than click OK, is, in my opinion, hopelessly unrealistic.
So long as you have the attitude that they can't possibly figure anything out on their own, and they can't even be asked to do so for fear of the sky falling, then yes, you're right. However, if people who are novices are encouraged to learn, they will. Or they won't, at which point the rest of us who AREN'T stupid will have to take steps to protect ourselves. (My definition of a stupid person is someone who knows they're ignorant and either doesn't care or makes an active effort NOT to learn.)
You'd like them to put that into Google. If they do they'll get a wealth of pages; some will mention virusses, some will not. Depending which they read, they'll click OK, or not, or worry about it, or not. Either way, the actual results of clicking OK will be as above, clicking "block" will almost certainly break something the user didn't want broken.
So there's no possibility that someone might actually make the right choice given enough information? That's kind of cynical.
I've got considerable knowledge in this area. Compared to the average user, I am an expert. Without Googling I already know for sure that ServiceHost.exe accessing the internet could be my weather-report-fetching widget, half a dozen other legitimate parts of my operating system doing network stuff, or any of 20+ virusses and Trojans phoning home for attack instructions. Again, you tell me: Do I click OK?
You tell me, you're the expert:) I'd also be interested to know how you'd like to improve the situation. You're very good at tearing apart others' suggestions, but I'd like to hear some of yours.
Or, systems will be designed that don't rely on users knowing stuff; particularly stuff it is not possible for even the knowledgeable expert users to know.
Ah, there we go. Why should I have to put up with a dumber system because people can't be bothered to learn the most basic information about using their computer safely? Not to mention the more we dumb down the systems, the less useful they are.
While you throw up your hands and say there is no solution except an unrealistic, and in this case, insufficient one, others will continue looking for better solutions.
Such as?
For example, on an already-compromised system, preventing the spread of malware by blocking outbound traffic in software on that same system (which, if you'll recall, is what this article is about) is obviously futile.
This I agree with; software firewalls do have their limitations, but they're better than nothing.
No amount of user education will make it a less stupid aproach, and focussing on user-education will prevent you from realizing you need to attack the problem in other ways (prevention beforehand, and off-system detection & isolation, for example).
Why are "user education" and "prevention/detection/isolation" mutually exclusive? We need all of those.
People are not going to stop using computers. In fact, more and more people are using computers all the time. Because more and more people "know what they are do
Do you even read the posts you're replying to? The messages provided by Norton (and I'm told, ZoneAlarm) do not provide the information needed to make the decision. Not even to someone who has all the background knowledge they need.
So they don't tell you which program or.dll is trying to access the network? Plugging that into Google will get you what you need.
You think average users knowing details about networking protocols before they check the weather online is like having a drivers license before driving.
Yes. Knowing the dangers and responsibilities involved in both cases is vital to keeping yourself and others safe.
It doesn't really matter though; it's not going to happen. Saying the only solution to network security issues is for average users to have detailed knowlege of networks before they use computers is just another way of saying there is no solution.
No, it's saying there IS a solution, but it's extremely challenging. And plugging a string into Google is hardly the same as having detailed knowledge of a network or network protocols. One of the results will say "this is spyware" or "this is a virus", in which case it should be blocked. Not rocket science, and certianly not beyond most people.
Given the current state of security software though, even having the background knowledge isn't enough.
You could have fooled me, I've never had spyware or a virus on my machines. I don't do anything special beyond run an antivirus and do a spyware scan once in a while, and while I'm fairly knowledgeable, I'm not an expert.
Any solution will have to include both a structural (hardware/firmware/software) component and a meatware component (users knowing wtf they're doing). Something's gotta give eventually; either users will learn the basics or people will stop using computers.
I used to have a job running a Cell Saver for a third party company during surgical procedures. It does provide a great benefit to the patient (as they're getting their own blood products back almost immediately, frequently while still partially oxygenated) WHEN USED PROPERLY. Most of the time it didn't eliminate the need for transfusion (especially in trauma cases, or abdominal aortic aneurysm cases which made up about 50% of our work) but frequently the blood would have to be discarded due to procedural contraindications, ie the surgical team (read as: the surgeon) would not follow the instructions given by the technician (namely, me.) I literally had one doctor suck up stomach contents into the cell saver reservoir and then be irate when I refused to process it. Another time, written instructions on an emergency reservoir setup (to be used in cases where it's needed immediately for an emergency surgical procedure, before the technician can arrive at the hospital) were not followed (in this case, the wall suction was set to "full" which destroys red blood cells and can lead to an increased risk of heart attack and/or stroke among other potentially fatal complications) leading to nearly 3 liters of suctioned material being discarded. The cutter complained to the cheif surgeon, who complained to the head of surgical services, and after a protracted investigation, it was determined that it was the right choice. Nevertheless, the same mistake was made multiple times at the same hospital after that, and despite my having made the right choice in insisting the material be discarded, that surgeon refused to allow me to be in the room while he operated after that. (Yay for surgeon arrogance; even when he's wrong, he's right.)
My point is that the cell saver is not a panacea for transfused blood. We did use it on several Jehovah's Witnesses; apparently there is some thought that if the circuit of blood is not broken (ie the suctioned material is constantly processed and immediately transfused) then there is no breach of their belief system.
"Snap out of it!" "Man up, Nancy!" "Quit whining!"
Not an especially constructive method of treatment. It's kind of hard to do that when your brain chemicals won't let you (if your problem is, in fact, organic, which this treatment seems to be targeted towards).
When you say corporate environment what do you mean? A small business? ( 30 people) A medium business ~100-500 users or a large business (1000+ users). I have worked in a wide variety of environments both full time and as a consultant. Every place I have worked the desktops have been secured. They are generally managed from a central place (even NT4 allowed this). Active Directory is even more fine grained and easier to use. So I wouldn't say most corporate environments are running as Admin. They know its not a good idea and take steps to make it secure.
I've worked at multiple Fortune 500 companies and in each case every end user in the place was an administrator. There are several problems with securing desktops in this environment:
1) Managing PCs from a central location is complex (both in terms of equipment and personnel) and, more importantly, expensive as a result. My experience is, the bigger the company, the cheaper it is. 2) End users don't like it when their computers are secured. They bitch and whine about not being able to install software, not being able to connect to open hotspots, blah blah blah. Frequently there are viable workarounds but they don't want to hear about them. 3) More importantly, people who can have you fired REALLY don't like it when they're told what they can and cannot do with their computers. Suggesting a new "secured PC" policy is frequently a career-limiting event.
What it boils down to is that secured PCs are inconvenient, and given the choice between secure and convenient, with the power to force a decision by virtue of job title (NOT intelligence), corporate end users will pick convenient every time.
Of course, problems caused by inappropriate administrator access are still your fault.
There's a reason I don't work at those places any more.
Joe average wants to check the weather report online without knowing what a UDP port is, and that's "not OK" with you?
In my opinion, and within the scope of this discussion, yes.
He's "stupid" because he clicks OK
If he does so without even reading it, yes.
To be not-stupid, in your estimation, he should spend several weeks in an intensive course on computers and networking.
The basics of how to protect your system from most (not all) firewall-involved problems can be taught in about 5 minutes. I hate to beat the dead horse, but we don't let people drive cars without licenses; I really don't think this is too much to ask people to do, even if we can't make it mandatory.
Then, when the prompt pops up asking him if "MeaninglessName.dll" should be allowed to access the network, he can spend a couple hours tracking down what "MeaninglessName.dll" is, so he'll know it's part of some networking library, and is just passing on the request of some higher level program the security system doesn't have the name of.
5 minutes with Google can answer that question 99% of the time.
At this point he will fully understand that he doesn't know enough about the network request being made to decide if it is legit, and can, from an informed position, cross his fingers, blindly hit ok, and get on with his life.
Then he really is stupid; he's been given the information he needs to make the decision, and he's decided to ignore it and make the same decision he would have made without that information. You can lead a horse to water...
Needless to say, I don't expect YOU to improve the situation anytime ever.
Sorry, but defining the problem and trying to find a solution is how things start to get fixed. The solution here IMHO will inevitably include the end users smartening up.
Some of the rest of us may try to build systems that operate in the real world, rather than blaming users for being stupid because they don't care about problems they shouldn't have to care about, and couldn't solve if they did.
Why shouldn't they have to care about them? I shouldn't have to know to look before I cross the street (since the rules are set up so that people are supposed to stop for pedestrians) but I do it anyway. And I also know that if people fired a synapse occasionally they could fix a lot of problems that they don't do anything but bitch about.
I think you mean "dependant on outbound connections" but your point is valid. I'll qualify that: With all the security holes and legacy code piled on top of legacy code, complicated by the fact that it's way too easy to run as administrator on an XP machine (and in fact that's the default for most corporate environments) XP/Vista needs that extra layer of protection to compensate for the problems that Linux doesn't have. With a Linux machine, the threats are much more likely to come from outside than from spyware/other crap on the machine.
And if you have the technical knowledge to turn on that functionality, then IMHO you're not who we're talking about here. We're talking about accomodating people who just blindly click "OK" on any popup.. is that really behavior that should be rewarded?
The user cares and understands why ZoneAlarm is there: he does not want his system infected. The problem is that the user does not know the internal workings of their applications or OS, and thus are not in the position to really judge which connections are good and which are bad.
Whose fault is that? More importantly, how do we fix it? I don't have a definitive answer to that, but I know that it DEFINITELY does not involve lowering security to accomodate the ignorant.
This is where ZoneAlarm errs: the user should not HAVE to know which IP addresses and port numbers are bad. Heck, as a techie, even I dont even want to have to know -- I have more interesting things to do. There are obviously patterns which allows us to judge roughly which connections to block. But ZoneAlarm should detect those patterns (heck, maybe even by quering a zonealarm.com server or your-techie-nephew.com for info), and tell the user what he DOES want to know: the probability the connection is dangerous.
Let's start by encouraging the great unwashed to actually READ the damn popup before they click OK, and try to get it through their skull that "not program you use = no clicky OK." Not really all that advanced a concept.
It also wouldn't hurt if applications could inform the user and ask for a retry if the firewall blocks the connection. The firewall should then of course also support that in a user-friendly way, instead of browsing through a zillion settings.
Correct me if I'm wrong, as I haven't actually used the product (my experience is mostly with the XP SP2 firewall), but isn't that exactly what it does? The popup basically means "This traffic from this application is new, I've blocked it for now, is it OK to unblock it?"
The firewall should then of course also support that in a user-friendly way, instead of browsing through a zillion settings.
Uh, I don't think "Yes" or "No" qualifies as a zillion settings:)
Whose the more moronic, the moron, or the moron who knows the first one is a moron, but depends on him for security decisions anyway?
It's a stupid situation all around, but like it or not, the morons with the CxO job titles make these decisions and the IT folks are stuck with trying to make it work. You could argue that the IT folks are morons for allowing the situation to continue, but for some reason they're not stupid enough to lose their jobs by trying to override the boss.
Prompts to ask whether certain traffic should be allowed are not are idiotic if the person you are asking doesn't know. Most users don't know, care, want to know, or wish to have to care what a UDP port is.
Exactly my point. It's not OK for them not to know. They've been given the tools to educate themselves or be educated, and they've chosen not to take advantage of those situations.
The point I was trying to make was that the solution to the problem is definitely not removing a security feature because people are stupid. The solution involves people becoming less stupid.
Needless to say, the problem will not improve anytime soon.
Slashdot Mirror
Would you like your money back?
Think I'm exaggerating? Why do you think I don't have those jobs anymore?
What's that? They're not the entire industry? I'm sure they'll fix that.
I'm not trying to make a judgement on the content (MS DRM being good or bad), just the tone sounded kinda "slick" and "marketese" to me.
Is it just me or does this post sound like "marketing shill" to anyone else?
Sadly, the GP's set of experiences and opinions is hardly unique.
I myself have been employed at several places where if they could have chained me to the desk, they would have. The only reason that they didn't is because those pesky laws regarding wage and working conditions kept them from doing it.
The US isn't run by the federal government. It's run by the people who get the government elected.
You CAN have effective police and respect the privacy of law-abiding citizens. Matter of fact, when it's put that way, it seems redundant. I don't know where you got the idea that privacy is expendable if it ensures our freedom; we've given up some freedom in the process. Kind of like a roots-type supercharger: it uses power to generate a greater amount of power. But in this case, it uses freedom and generates a smaller amount of freedom in return. In addition, this freedom is unreliable; we're relying on the government to be able to find its ass with both hands, a flashlight, a road map, and a giant blinking sign on their back that says "ASS BELOW."
Given those circumstances, I feel no guilt at telling the government to go get a fucking warrant if they want to invade my privacy. There's a process here; we can't just toss it out because of "terrists". Free clue folks, terrorism existed long before 2001 and it will exist for a long time to come. If we make ourselves less free, we're the terrorists, not them.
This is, of course, assuming that you WANT your government to treat everyone like a criminal.
I'd prefer that they didn't. If they want my DNA or my fingerprints, they can bloody well get a warrant signed by a judge. If they can't get that, then the Constitution protects my privacy. Bloody annoying, that Fourth Amendment. Requiring that "due process" and all. After all, law enforcement is entitled to be autocratic and lazy and just demand whatever they want on a pretext.
Pretty soon they'll want to put black boxes in your car.. oh wait, we already have those. Then they'll want to video tape you for the sole reason that you've driven down a street.. oh, we've got those too. Then they'll want to know about every phone call you make whether you've been accused of a crime or not.. oh, wait, we just found out about that one this week.
Amazingly enough, there are people who think a police state is a GOOD thing. I like to call those people "idiots" and would like to extend the police state to regulating their ability to breed, telling them it's to prevent terrorism. Fixes the problem neatly and ironically.
More like "paid attention". Leaving aside the rampant corruption and greed that makes our puported representative democracy a sad farce, remember that the people don't elect the president, the electoral college does.
The members of the electoral college are under no obligation to vote the same way a majority of their constituents voted. The fact that they almost always has doesn't change anything.
Seriously, the Right keeps propagating the stereotype of the "whiny Liberal". Seems the Right is no stranger to the snivel either.
You seem to be operating under the delusion that basic good online security practices for end-users require knowledge of UDP ports. You seem fixated, actually.
Again, Google will provide the "good/bad" information they need, and clicking OK or No will be all the action they require.
UDP doesn't enter into it at that level.
The level of knowledge I'm alluding to is not "ignition timing", it's "don't hit the bus full of nuns and children" or "you should stop for a red light" or "don't drive into a lake".
Ignition timing isn't all that complicated anyway.
And I'd say the society is only as smart as its stupidest component.
Fuck that.
Depends on what you find on Google. I don't know off the top of my head.
If they make the attempt to learn, soon they won't be a novice.
At which point they run a virus/spyware scan, assuming their residtent antivirus hasn't caught it already.
So long as you have the attitude that they can't possibly figure anything out on their own, and they can't even be asked to do so for fear of the sky falling, then yes, you're right. However, if people who are novices are encouraged to learn, they will. Or they won't, at which point the rest of us who AREN'T stupid will have to take steps to protect ourselves. (My definition of a stupid person is someone who knows they're ignorant and either doesn't care or makes an active effort NOT to learn.)
So there's no possibility that someone might actually make the right choice given enough information? That's kind of cynical.
You tell me, you're the expert :)
I'd also be interested to know how you'd like to improve the situation. You're very good at tearing apart others' suggestions, but I'd like to hear some of yours.
Ah, there we go. Why should I have to put up with a dumber system because people can't be bothered to learn the most basic information about using their computer safely? Not to mention the more we dumb down the systems, the less useful they are.
Such as?
This I agree with; software firewalls do have their limitations, but they're better than nothing.
Why are "user education" and "prevention/detection/isolation" mutually exclusive? We need all of those.
Any solution will have to include both a structural (hardware/firmware/software) component and a meatware component (users knowing wtf they're doing). Something's gotta give eventually; either users will learn the basics or people will stop using computers.
I used to have a job running a Cell Saver for a third party company during surgical procedures. It does provide a great benefit to the patient (as they're getting their own blood products back almost immediately, frequently while still partially oxygenated) WHEN USED PROPERLY. Most of the time it didn't eliminate the need for transfusion (especially in trauma cases, or abdominal aortic aneurysm cases which made up about 50% of our work) but frequently the blood would have to be discarded due to procedural contraindications, ie the surgical team (read as: the surgeon) would not follow the instructions given by the technician (namely, me.) I literally had one doctor suck up stomach contents into the cell saver reservoir and then be irate when I refused to process it. Another time, written instructions on an emergency reservoir setup (to be used in cases where it's needed immediately for an emergency surgical procedure, before the technician can arrive at the hospital) were not followed (in this case, the wall suction was set to "full" which destroys red blood cells and can lead to an increased risk of heart attack and/or stroke among other potentially fatal complications) leading to nearly 3 liters of suctioned material being discarded. The cutter complained to the cheif surgeon, who complained to the head of surgical services, and after a protracted investigation, it was determined that it was the right choice. Nevertheless, the same mistake was made multiple times at the same hospital after that, and despite my having made the right choice in insisting the material be discarded, that surgeon refused to allow me to be in the room while he operated after that. (Yay for surgeon arrogance; even when he's wrong, he's right.)
My point is that the cell saver is not a panacea for transfused blood. We did use it on several Jehovah's Witnesses; apparently there is some thought that if the circuit of blood is not broken (ie the suctioned material is constantly processed and immediately transfused) then there is no breach of their belief system.
"Snap out of it!" "Man up, Nancy!" "Quit whining!"
Not an especially constructive method of treatment. It's kind of hard to do that when your brain chemicals won't let you (if your problem is, in fact, organic, which this treatment seems to be targeted towards).
Did anyone else watch that and NOT think "Bobby Ewing in the shower?"
That being said, if they pull it off, it'll be a monumental acheivement.
1) Managing PCs from a central location is complex (both in terms of equipment and personnel) and, more importantly, expensive as a result. My experience is, the bigger the company, the cheaper it is.
2) End users don't like it when their computers are secured. They bitch and whine about not being able to install software, not being able to connect to open hotspots, blah blah blah. Frequently there are viable workarounds but they don't want to hear about them.
3) More importantly, people who can have you fired REALLY don't like it when they're told what they can and cannot do with their computers. Suggesting a new "secured PC" policy is frequently a career-limiting event.
What it boils down to is that secured PCs are inconvenient, and given the choice between secure and convenient, with the power to force a decision by virtue of job title (NOT intelligence), corporate end users will pick convenient every time.
Of course, problems caused by inappropriate administrator access are still your fault.
There's a reason I don't work at those places any more.
When it comes to maintaining security on their computers, which is what we're talking about, yes, yes, yes, yes, and yes.
Becoming a brain surgeon and learning some basic rules about firewalls (#1 being READ THE FUCKING POPUP) are very different things.
I think you mean "dependant on outbound connections" but your point is valid. I'll qualify that: With all the security holes and legacy code piled on top of legacy code, complicated by the fact that it's way too easy to run as administrator on an XP machine (and in fact that's the default for most corporate environments) XP/Vista needs that extra layer of protection to compensate for the problems that Linux doesn't have. With a Linux machine, the threats are much more likely to come from outside than from spyware/other crap on the machine.
And if you have the technical knowledge to turn on that functionality, then IMHO you're not who we're talking about here. We're talking about accomodating people who just blindly click "OK" on any popup.. is that really behavior that should be rewarded?
The point I was trying to make was that the solution to the problem is definitely not removing a security feature because people are stupid. The solution involves people becoming less stupid.
Needless to say, the problem will not improve anytime soon.