Easy.
Lock the CPU in something; disable booting from floppy, CD or USB; or simply remove the devices.
Other ways: BladeServer and clients. All you've got at your terminal is a box that takes keyboard, mouse and video. No local drives. It's doubtful Kinko's would have this, but that's just another way to block the ability to install unauthorized software.
"...in the list of allowed programs put something like secret.exe - then copy poledit onto a floppy disk and rename the poledit.exe file to secret.exe. Now, you CAN run poledit, but only you know what is the allowed fake name."
Ahh, but if you use POLEDIT to lock it down to only allow *approved* applications to be run, they wouldn't even be able to run secret.exe
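An added example, not part of the original thread, contrasting the two kinds of allowed-program list the exchange above turns on: one keyed on file names, which the quoted rename trick relies on, and one keyed on file contents. The class names, paths and sample bytes are constructed for illustration and do not model POLEDIT's actual implementation.

```python
import hashlib
import ntpath  # parses Windows-style paths on any OS

# Constructed stand-ins for program images; names and bytes are invented.
NOTEPAD = b"MZ constructed image: text editor"
POLICY_EDITOR = b"MZ constructed image: policy editor"


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class NameAllowlist:
    """Hypothetical policy: allow a launch if the file NAME is approved."""

    def __init__(self, names):
        self.names = {n.lower() for n in names}

    def allows(self, path: str, image: bytes) -> bool:
        return ntpath.basename(path).lower() in self.names


class HashAllowlist:
    """Hypothetical policy: allow a launch if the file CONTENT is approved."""

    def __init__(self, images):
        self.digests = {digest(i) for i in images}

    def allows(self, path: str, image: bytes) -> bool:
        return digest(image) in self.digests


# Constructed launch attempts: (path the user runs, bytes actually on disk).
LAUNCHES = [
    ("C:\\WINDOWS\\NOTEPAD.EXE", NOTEPAD),        # approved program
    ("A:\\poledit.exe", POLICY_EDITOR),           # unapproved name and content
    ("A:\\secret.exe", POLICY_EDITOR),            # same bytes, listed name
    ("A:\\notepad.exe", POLICY_EDITOR),           # same bytes, borrowed name
]


def evaluate(policy):
    return [policy.allows(path, image) for path, image in LAUNCHES]


def name_only_gaps(name_policy, hash_policy):
    """Paths the name list lets through that the content list rejects."""
    return [path for (path, _), by_name, by_hash
            in zip(LAUNCHES, evaluate(name_policy), evaluate(hash_policy))
            if by_name and not by_hash]


if __name__ == "__main__":
    by_name = NameAllowlist(["notepad.exe", "secret.exe"])
    by_hash = HashAllowlist([NOTEPAD])
    print("name list:", evaluate(by_name))
    print("hash list:", evaluate(by_hash))
    print("allowed by name only:", name_only_gaps(by_name, by_hash))
```

Dropping `secret.exe` from the name list blocks that one launch, but the copy carrying an approved program's name still passes; only the content-keyed list rejects both.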
Under different circumstances, I'd be inclined to agree, but in this case, I'd say NS is not responsible.
How do you figure? They didn't bother to verify the change in ownership.
IIRC, NS didn't bother contacting the original (read: rightful) owner of the domain before transferring to Cohen. As such, NS *is* responsible.
To put it another way: You drop your car off at a mechanic. Someone comes in claiming to be you and wants to pick up the car. A second mechanic doesn't bother verifying the identity of the person picking up the car & hands over the keys. Wouldn't the shop be at least partially responsible to make restitution?
Your original post suggesting to not let anyone but admin install things (that fixes it!) is laughable.
Ok wisenheimer, explain how anyone other than admin can install software on a system that's been locked down via hardware, software, and physically blocking access to the floppy & CD drives.
Hmm. Interesting. I wasn't aware of that.
But, is this possible to do this via an imbedded file in a webpage? If not, couldn't one simply block either VB or the resulting .EXE, .COM, .BAT, etc from ever being run?
I'd be careful calling people sloppy if you aren't sure what safeguards they had in place.
I'd say it's safe to assume that Kinko's didn't have anything in place to prevent this.
It seems a little absurd to expect someone to walk around and physically inspect every cord on every computer several times a day. Do you do this for any/all computers you're in charge of?
True, but if they took basic preventative measures like securing the CPU in such a way that the keyboard/mouse cables were inaccessible as well as software policies to prevent unauthorized installations or running unauthorized applications, then this wouldn't have occurred.
And as such, their lack of preventative measures can be labeled sloppy.
I really didn't have to check the systems to see if anyone put a hw logger on. The rooms the PCs were in were monitored by video camera (unfortunately, only after someone lifted procs and RAM from 6 systems). With the exception of the 'library', the room the systems were in was locked when not in use and only I, IT, and the cleaning staff had a key.
The systems were locked down to prevent any unauthorized software installs. The software client agent's uninstaller was removed from add/remove, the program was hidden from taskmanager as well as from the systray. The client agent kept in constant contact with the server agent. If the system went down for any reason, I was notified and could trot over to investigate. For those in other states, a quick call to that site's IT manager got it looked into.
I put case locks on each PC to prevent further hardware shrinkage. I put BIOS passwords to prevent unauthorized access to BIOS. Bypassing or resetting required a jumper to be moved on the mobo -- if the jumper wasn't on a particular set of pins, you couldn't reset the pw even if you managed to get into the BIOS, and since the case locks were installed this would only be possible by breaking the case.
Once I took over, classroom uptime seriously increased. After I left the company I was told by a former coworker that the IT dept let the systems fall apart.
Ahh, but some PCs require a jumper to be moved to reset the BIOS password.
And you can get case locks pretty much anywhere.
I guess what I meant was, one can elevate any user account to Administrator pretty quick on an NT box.
:D
Ahh, yes. But even NT-based systems have the ability to have policies set in place.
The truth is, no system is 100% secure.. Unless it's unplugged, powered off, the case is locked and encased in 6" of cement.
Even then, some C4 will circumvent that.
First of all, blocking ability to install doesn't mean jack if they still have the ability to run any application they want. Locked down the shell pretty good with poledit? (hah!)
Apparently, you've never used POLEDIT.
Taken from http://www.zisman.ca/poledit/:
[quote]
Only run allowed Windows applications--if you really want to control what users have access to, this is for you! You add (one at a time) the applications that allowable, and all others won't run... it's not clear, however, how you add an application--none are listed, by default, and there's no browse button. Besides, if an application doesn't show up in the Start Menu, and you've turned off access to the Run command, and perhaps to some of the drives (using TweakUI), is anyone really going to access other applications?
[/quote]
In other words, they can be restricted to not have the ability to click any file and run anything they want.
No, it won't. But POLEDIT is merely used to lock down the OS. POLEDIT will keep users from installing ANY unapproved software. Whether it's from CD, disk, USBkey, etc.
Getting off on a tangent: Altiris' software is cool in that you take a baseline using it from your standard install (all hardware *must* be identical for Altiris' software to work). You install whatever application(s) you need and use the Altiris software again. It compares the baseline with the new snapshot (ALL registry entries as well as file changes on the disk) and creates a 100% self-contained install package that only places the reg changes and file changes.
You can then build jobs and blast software packages to PCs individually. You can even schedule these after using the main package to reload the base image. As long as there aren't BIOS passwords, the process is totally automated.
If you have physical access to a Windows box, pretty much anything goes, software included.
Now, I don't know if you're being serious or if you're just ignorant about Windows PCs.
Yes, they're not 100% secure. But, there are ways to limit access based on the type of userid.
Even if they weren't NT-based PCs, POLEDIT can be used to keep users from installing *anything*, changing the look/feel of the system, etc.
Combine this with Altiris' Lab Management Suite (formerly LabExpert; An application that allows you to reload all your PCs in a matter of minutes, and remotely) and you'll be able to keep the systems "pure".
In addition to our 'library', I also supported our internal classrooms. I would reload all of the PCs every weekend using LabExpert - those in my city, in San Jose, Dallas, and Atlanta. Never had a single problem.
Easy. Put the CPU in a locked drawer or cabinet, put the keyboard and mouse cables through something that prevents the user from being able to pull them out. Not only would this prevent installing a hardware keylogger, this would also keep the users from being able to put anything in the disk drive or CD tray.
Where MY PCs were, they were in a 'library' of sorts at my company. Someone (the admin) was *always* in the room when the 'library' was open.
Even if they were running a Win98 system, POLEDIT (if properly configured) would block the ability to do crap like this.
When I worked in support, I was responsible for publicly available PCs. The first thing I did when I took over supporting these was to set policies in place BLOCKING the ability to install ANYTHING by anyone other than the administrator.
Whoever was doing support for Kinko's didn't do their job.
Same goes for any other publicly available PCs. Slap policy editor on the system and lock down the ability to install any additional applications, as well as the ability to change the look of the computer. How fscking hard is that to understand?
Failure to do so leads to incidents like this, as well as makes it easier for someone to install pirated software, pr0n, etc. on your systems.
Q: So, how does it feel to be a corporate tool, working for a company that's despised world-over?
A: Great. I really enjoy helping to make examples of grandparents and poor college students.
Q: You don't have a soul, do you?
A: Nope. I had to sell it to get this gig. But when the Four Horsemen ride again, I get a little stretch of Hell to call my own.
"With what we found, practically anyone in the country -- from a teenager on up -- could produce these smart cards that could allow someone to vote as many times as they like," Mr. Stubblefield said
Ahh, yes. But if DirecTV has their way, possessing equipment to program SmartCards will be illegal.
That's just wrong.
Is it just me or is 2001:0700:0700:0003:0290:27ff:fea2:477b much harder to remember than 209.174.99.125?
Yup. Much easier to remember the current scheme than it is to remember what basically looks like a friggin' MAC address.
Heck, I can't remember my MAC address 2 minutes after looking it up.
Two questions:
1) Why are they going this route? I mean, they're only using alpha characters A through F, right? Wouldn't they get more addresses by simply adding another four octets? It seems like it'd be easier to remember 198.163.192.99.147.80.112.6 than that listed in the article..
2) What would become of 127.0.0.1?
Someone with good math, pipe in and give the formula for the proposed IPv6 vs. the current scheme with four additional octets?
Damn! Hadn't considered that..
[Hides under desk]
So, I'm wondering if users of RoadRunner, owned by Time Warner Cable, are somehow being granted a "pardon" as well by our associates at the RIAA for using TW's services.
:-D
I certainly hope so.
It's good to know that no one on RR was a target of subpoenas! I wonder if this could be used as a marketing ploy...
..No mention of it ANYWHERE on their site.
I smell a hoax - and CNN fell for it.
Also, nowhere does the article say anything about having to give your SSN and CC#, nor do they provide a link to any such site. Anyone duped into providing this information is a fool.
Everyone needs to RTFA before commenting, really.
I'd like to know how you get away with not giving your SSN to a doctor's office or your insurance company.
Good luck to you.
I'd be interested in knowing how this unravels. Care to note it in your Journal?
Off-topic.
No doubt, you saw this?
"A U.N. group is working toward establishment of an international system to register and regulate civilian possession of firearms, according to a former congressman....."