And again, in those studies there is no way to prove that a person that downloaded initally actually purchased later.
Sure there is, just check the receipts.
Really? If I write a book, and no one reads it, it becomes part of our culture? Culture means "shared among a large group of people." Go look it up. You really are a dumb motherfucker aren't you?
You're the one that said all books become part of our culture. So, that dumb motherfucking came from you.
The majority of authors aren't the ones that sell 50 million, and NO author starts off selling that many. They start off having a small fanbase and have other retards that couldn't write a book to save their life say there are "many bad books on the market." You focus soley on those that have made something in their career. You never look at them though when they first start out. The way it is now, the "bigger" authors are helping the smaller one. Because Stephen King can sell 50 million, a publisher will take a risk on a smaller author that hasn't yet built his base.
What precisely is the color of the sky in your little world? Very few publishers are going to take on a smaller author because the publishing industry is about selling books, not "art". They couldn't care less if some unknown author has the next great American novel or not. They're going to give a publishing slot to a known seller, given the choice.
You seem to forget that all those "bad books" on the shelves are there because there ARE people out there that wish to buy them.
Nope, sorry, not true. They're there because some publisher THOUGHT they could sell them. They languish on the shelves for a few weeks and then are sent on to book outlets that you see popping up all over the place. If they don't sell there, they're destroyed. For someone who claims to know the industry, you probably should actually spend some time here before spouting lies everywhere.
They may not be a majority of people, and they never might be. Yet you would say what they enjoy is crap? Go fuck yourself. The system as is gives people a lot of variety, and beauity is in the eye of the beholder... not some pompus ass angry that he didn't get tipped because he likely did a shit job as a waiter.
Wow, you really are one of the dumbest people I've ever talked to.
You say I miss the point, yet it's you and your stupid personal experience that is missing it. It takes a lot of time and effort to become a good writer, and the current system allows people to invest in that time and effort. Your system would totally destroy that. I guess we can go back and have what we did before; rich people paying someone to write or paint, but then only the rich get art. Just how I want our society.
Again, the color of the sky? The system, as setup today, does not encourage artists of any kind. The music industry, the publishing industry and the movie industry are all about making money. There's no "art" involved. If it makes money, AND can be considered "art", so be it...these industries are only interested in the former. They're designed to ripe all of the artistic content out of an artist, "tweak" it for maximum profit and then dumping it on an unsuspecting audience. Under the system proposed by the intelligent people (which is why you don't understand it), artists provide their works directly to the public and the public decides if they want to buy it or not. The artist loses nothing by doing so. By signing with a publisher/label/studio today, they give up their works entirely for a small (VERY SMALL) percentage of profits. You might want to read up on Nine Inch Nails. In particular, pay attention toward the end where they tried to give fans the right to remix THEIR music, but it was blocked by the label that "owned" the music.
Ya, shown time and again by asking people "would you also buy the song or book?" Of course most say they would... most people don't like to admit stealing.
If only it were that simple, but it's not. I'm talking about people who have downloaded items for free (legally, of course) and then purchased a copy or donated to the author.
Right, I'm a clueless twit, because somehow being a waiter and author are even remotely related. Dumbass, they aren't. Your waitering experience is meaningless; you aren't producing anything, you're carrying stuff from point A to point B without dropping it. Big fucking deal. Sorry, but that's nothing like creating a book that actually DOES become part of our culture.
Because every book becomes part of our culture...but, again, you missed the point because you're fucktard. So, I'll type slower: the occupation has nothing to do with it. If you're an author, and you sell 50 million copies of your book, and a million people stole a copy of the book, you're still ahead. If, however, you're not an author, but a fuckwit who put out yet another piece of shit just to sell a piece of shit, then, yes, you're going to care about squeezing every single penny out of every single person who's read your book, regardless of whether they enjoyed it or not. The latter is the model we have today, which explains why there's so many bad books on the market.
Again, you aren't creating anything, or really doing anything at all of importance. You just look really, really stupid comparing being a waiter, which COULD be fulfilled by monkey's in uniforms, with an author or director.
Well, since I haven't been a waiter in over 20 years, your rapier-like attacks on them isn't doing anything except prove that you can't grasp a simple comparison that has nothing to do with occupation.
Well, you lost the hundreds of dollars on the device. Not exactly pocketchange, especially if we're talking about a laptop.
If only there were a method that you could INSURE your laptop against loss or theft...huh, if someone comes up with something like that, they could probably make a mint.
I could do that, but then I'd be lying. Your sentence is the basis of the MPAA & RIAA's claims. Unfortunately, as has been shown time and time again, that's not the case. The only time "most" applies is if you're saying "most people who download music/books/movies also purchase those songs/books/movies".
Oh, and it's interested that you form your opinions because others may have treated you unfairly that it's ok to treat someone else like that. Nice line of reasoning. "My life sucks, so it's ok if it sucks for everyone else too."
You're a daft, clueless twit, but I'll try to make it understandable: I was not basing my opinions of the situation on my experiences, I was RELATING my experiences to the conversation. The point of the conversation was that, yes, SOME people will download books/music/movies/etc illegally and never pay for it. They are in the overwhelming minority. By actively targeting them as the only example of your customers, you are punishing the majority for the actions of the minority. Better to just ignore the minority (as I did with the tippers) so you can concentrate on pleasing the majority who are actual, money-paying customers.
Because lugging around a computer isn't quite as easy as carrying a book? Because if I loose my book, I've only lost one book, but if I lose something like the kindle, i've lost everything?
Again, you missed the point. But, to address your comments: says you. I always have my laptop with me (I purchased a small one specifically for that reason), so your first argument doesn't hold water. Secondly, the point of items like the Kindle is they're the size and weight of a single book, but you can carry hundreds within that format. Finally, if you lose the Kindle, no big whoop: either redownload the book, which these services usually allow, or get a new one and restore from your computer. You haven't lost anything. And, to combat the argument I hear welling up: yes, a Kindle or laptop is an expensive thing to lose. I would think most people would put a lot more effort in ensuring they don't lose it over the amount of effort put into not losing a single book. If they don't, that's their own stupid fault. Me, I've never lost a book, so I'm not worried about losing a laptop.
And they have no authority to determine how I execute mine. I want my books in a digital format so I can read them on my laptop, my PDA, my computer at work, my e-book reader...whatever. If you want to reduce my rights just to read your book, well, sorry I ain't going to buy it and you lose a sale. Only a fool would continue to release their art using "the old ways". I've purchased quite a bit of music and literature that I started out by downloading copies the author published for free on their site. I've then either donated or purchased a print copy, if it was good. If it wasn't, I didn't waste my money. These authors typically sell more copies of their books than those who go through traditional channels, indicating the marketplace is heading in that direction. It's the marketplace that decides how products are sold, not the content producers. We just want to pay them to share in their ideas, why is that a bad thing? Yes, some people are going to take advantage of the situation and never pay for everything. Boo-hooo. When I was a waiter I learned early: some people are never going to tip, but at the end of the night, my average per table was what was most important. With a little bit of work, you can download pretty much any book on the market today, yet books are still being sold everyday. Wonder why that is?
There are certain privileges an application may require that are equivalent to giving admin permission, just because that permission can easily be used to obtain any other permissions that were "missing". There's no point in distinguishing from Admin at that point, that would be pedantry and a waste of bits. There are a variety of these permissions that an application can require before starting.
Then, the app is broken. It violates the security model, it's broken. If an app,as run by a user, needs to modify HKLM, it's broken. If an app needs to write to the system32, as a user, it's broken. It's that simple. All of the sophistry in the world will not change that.
I stated no such thing.
Apologies, it was the original responder who said he had to open up all of HKLM in order to run an app.
On the other hand, if the application's documentation states that it must be run as admin, then the only safe thing to do with the app is either to run as admin, as the docs say you must do, or the application should be thrown away during the evaluation stage, never bought, and not used.
That is precisely the course that must be taken. It should go no further than that. You don't even need to install it, perusal of the docs should be sufficient.
What path gets taken is more of a management decision than a system admin decision. I would plug for throwing the app away, but if the user can justify the need for this app well enough, and no other, they will probably win out over anything IT has to say about this app.
I've never found that to be the case, as I've employed numerous methods to ensure it doesn't happen. In smaller companies, when I was essentially the IT staff, I would "break" it during testing until it didn't work and then recommended a better product. In larger companies, I've gone to our Enterprise Security teams and either had them put the kibosh on it, or let them take responsibility for it. Working in the financial industry does make the latter option a more viable one, but still doable elsewhere. As a last resort, I've isolated the application within a DMZ, made it extremely difficult for the end-users to use the software and then informed management that IT would not be supporting it in any way at all. They were on their own.
Also tweaking out the non-admin user is going to be way out of the parameters of the support agreement associated with the software, and the app breaks in a nasty way (I.E. Data corruption) _AND_ the support agreement is void, there could be negative consequences (punitive action by management) against the system managers who failed to follow simple instructions regarding the "proper" configuration of the application.
The system managers who allowed it to happen in the first place got what they deserved.
Whether or not I or you think the application is of poor design or "broken" is irrelevant.
It's never irrelevant. What you have to choose is relevant is your desire to do your job properly when being forced by pinhead managers to do something that violates every standard in the book.
Bad/insecure/unreliable design, but still "functional", is not the same as being broken.
No, if it violates basic OS standards, it's broken. "functional" is an accident.
If all apps should not need special permissions, and services should have all permissions like in your ideal world, then the OS itself is broken because it allows special privileges to user accounts and interactive applications at all.
No, the OS provides these for "non apps", such as system-level services. Things that are not used in day-to-day operation by an interactive end-user logged into a machine. Developers have found these loopholes and rather than code their apps right, preempt their purpose. Again, not the fault of the OS.
But we don't live in that world, and most apps _DONT_ separate privileges to separate processes.
This appears as if it will work fine, until you realize the application makes a direct call to GetTokenInformation and verifies that the application thread possesses certain security privileges including SE_TCB_NAME before proceeding.
Having that privilege does not require you to be a member of the admins group, it can be granted to any user. It is, however, normally only granted to named accounts used to run a service. Granting it to an interactive user is not only a complete violation of security protocol, it's generally not necessary. It also is not necessary to read or write to all keys to HKLM, which is what you originally stated was the reason for making users admins. If you fail to grasp this, you should not be the one doing the administration of these machines.
Naturally, there are many privileges only open to programs that run with administrative privileges. You break the application, by not running it with the intended permissions.
Applications, no. Services, yes. An application that requires the above priv is broken by default. An app that requires admin rights to simply RUN, is also broken by default. That's not the fault of the OS, it's the fault of shitty devs.
It's fairly naive to think the set of permissions MS assigns to admin users is exactly the set of permissions non-admins won't need.
It's fairly clueless to assume otherwise. Users don't need to install software or hardware. Users don't need to change system-wide settings. Those are tasks for admins, who are assumed to have half a clue. Although, as you've pointed out, that's not always the case.
There are many special features like RAW sockets that are restricted to apps running as admin. The assumption that only designated apps for administering that workstation need these features may not be well founded.
Nope, it's well founded. It's founded in the security standards for the OS. Users don't need to open sockets except in the most extreme of cases, and even then you STILL don't give them admin rights if a tweak of permissions and/or addition of SOME elevated privileges are all that's necessary. You don't leave your whole house unlocked so that the gardener can get into the garage to get the mower.
Even in the UNIX world there are apps which must have root privileges, and there's a fairly elegant setuid scheme I might add, to permit software to run an agent as root, so that only the parts of the application that _need_ special privileges have special privileges.
The reason that's necessary on unix is because it lacks the fine granularity of permissions/privileges of Windows. The reason most unix admins have so much trouble in the Windows world is because they're used to a simplistic security model and the Windows one proves to be too complex for them. Similar functionality can be had on a Windows box, but it's not a good idea simply because it's a security violation. If your app can't run within the security model, then it's broken, pure and simple.
This is much better than conferring special privileges to the USER. Now you see, letting Winzip edit its HKEY_LOCAL_MACHINE\Software\Winzip folder when run as a regular user may open a hole that allows user A to compromise user B's account when user B logs into the workstation and runs Winzip -- which reads settings from that shared place: perhaps a setting including commands to execute while starting winzip.
So, your solution to poorly written software is to suggest putting an even more kludgy solution in effect? And, BTW, it appears you fail to grasp the Unix model as well, as it uses a similar concept to the user context which is what suid circumvents. Users run software, software doesn't run users. Putting restrictions and other kludges around what the software can do is hardly, to use a term you're fond of, elegant.
No, it's stupid because having such an kludge on a web-facing server is stupid. There are rules you follow, and just because you can think of a reason to violate them doesn't make them less stupid...just rationalized.
Phew! Couldn't tell you. I haven't lived in Philly in 16 years and couldn't even tell you what stations exist!:) I was surprised to see in the Wikipedia article that they think there were stations that didn't air it live, but I distinctly remember it happening during the day.
SureTrack: I'll assume you meant SureTrak, the project management software as this conversation revolved around business networks. Now, if you get to use SureTrack at work, good for you! I wish I could bring my train set in!:) But, I digress: there's hundreds of project managment tools on the marketplace, find another. Nonetheless, a quick Google finds admin rights are only needed to establish connections to databases. Are there other reasons?
incidental exposure can be irreparably damaging, depending on what the exposure is to.
There are very few things that are irreparably damaging, and they all require a lot more exposure than "incidental". Catching a half-second shot of a breast is not going to turn a child into a serial killer or even make them mildly anti-social. At BEST, it'll generate some giggles on the school yard the following morning and be forgotten moments later. While home from school, I was one of the "fortunate" few who caught the Bud Dwyer incident, live on the air. It was freaky, but didn't even bring about a nightmare.
But, beyond that, in Europe, one can expect to find hard core pornography on broadcast television, and yet it's only the US where you find the highest incidence of serial killers and sociopaths. I would attribute that to the ridiculous, puritanical, half-assed armchair psychology from people like you who believe such stupid statements like the one italicized above.
but also provided by manufacturer and the only way to do business
Then stop doing business with that manufacturer until they fix their software. Either that, or take it off the network. Or isolate it within a DMZ. Or call the helpdesk day in and day out asking for a resolution to the problem until it's fixed. Or get the higher-ups involved and tell them how they've had money stolen because their network was hacked or....well, you get the idea. Sometimes the only way to get shit fixed is to be a major asshole.
found that said software requires the admin to essentially open up the entire HKLM branch
I find that hard to believe. "Opening up" in terms of this discussion means to grant write access to protected areas of the registry. Are you suggesting that the software from your manufacturer needs to write to, say, the keys for Winzip? I can understand software needing to write to their own HKLM keys (I can understand it, I didn't say I agree with it), but not others. Granting users the ability to write to just those keys and subkeys is no big deal, but granting the ability to write to all of HKLM is a lazy admin not doing his job. Hell, the simplest solution is to fire up regmon, then launch the app and see what it starts poking around in and grant writes to do so. There's absolutely no reason this couldn't be done in less than half an hour, and that's with the person being REALLY thorough.
there are some apps that even then still give a hard time.
Name one. The last time I saw one it was Adobe Type Manager. It wouldn't run without admin privileges when we migrated the one user's machine that needed it from NT to 2000. I was able to use secedit to reset permissions to NT workstation-like and the app ran just fine. It wasn't an ideal solution as it did reduce the machine to NT level for security, but I was able to keep this user from running as an admin. Seeing as the main reason we replaced his machine was the $20k worth of pirated graphic design software he'd installed himself, I could live with it. That was the one and only time I have seen an app that had such an issue. If you have others, I'd like to see them so I know what software to avoid.
Also some IT departments are under staffed for the work load and don't have the time do that or the have the money to hire more people.?
Then the workload needs to decrease. If the team doesn't have enough time to do the job properly, they're doing too much "job".
Well, you wouldn't install multiple versions of IIS on a non-dev machine because that would be stupid. However, if you had three different sites running, on different ports, they'd all be configured from the same locaiton.
In the many years I have been using linux (on two distros)
Wow, two whole distros?
but I'd be very surprised if it had consistently put them in the same place as apache does
Well, that's the thing: Apache doesn't place it, the distro maintainer does. Some put it in/etc, some in/etc/apache/conf, some in/etc/apache2/conf, some in/etc/httpd, some in/etc/httpd/conf, some in/usr/etc, some in/usr/local/etc, some in....
The point about the location of the config file was secondary to the point that there's no consistency in Linux, which results in a lot of new admins having trouble configuring things properly. OTOH, anyone who's setup an IIS box knows where everything is because it's always in the same location.
Of course, also take into account: IIS is much easier to setup
And thus, secure. Your typical httpd.conf from a distro is a thousand lines. Most of them are comments, and half-assed attempts at documentation, but rarely useful unless you already know what you're doing. How many of those config lines are actually necessary to setup an Apache web server to get bare-minimum configuration? With IIS, it's easy: uncheck the ones you don't want, then go through the checklist provided by MS. A locked-down, secure, yet STILL USABLE IIS server can be setup in 10 minutes with someone with even a modicum of a clue. Apache..not so much. If it's a new distro, that 10 minutes will typically be spent just trying to find the httpd.conf because it could be anywhere (yes, I know "slocate httpd.conf", I was making a point).
Of course, that theory holds water only if everyone on the planet can code in the language the software was written in...and can understand that programmer's particular style enough to go through the code. Even then, on a huge project, say Firefox or OpenOffice, I would imagine even the most paranoid person stopped reading through the code looking for hacks at about or around file #1262....
Is it that Microsoft is deliberately making 3rd-party software work less well?
It couldn't POSSIBLY be that the 3rd-party software is crap, is it? I recall a conversation I had with a vendor last year in which they claimed "well, our app actually IS a lot faster using SQL than Oracle. But, that's because MS 'cheats' so their apps run faster on their OS, of course." All I got back was crickets when I asked "couldn't it also be that SQL is designed to work on one platform and is therefore optimized for that platform? Oracle, on the other hand, works on dozens of variations of platforms, hardware, processors, etc and isn't optimized for any of them."
In the age of Google, there is no such thing as an "undocumented API". Since the APIs aren't hidden, there's some developer somewhere who's figured out what it does and how it's used. Having worked with enough development teams, I'd be more inclined to believe that anything that's undocumented has more to do with the typical development statement of "oh, right, we rewrote the whole app...did anyone bother to tell the docs team that we made changes?"
Never attribute to malice that which can be attributed to mismanagement.
MCSEs represent something far worse than that. They represent a severe compartmentalization of skills.
I think you, like a lot of people who do have the paper, over estimate the value of the MCSE. An MCSE is needed for two reasons only: 1) you work for a MS reseller, in which case their reseller cert is dependant on the number of certed people in house or 2) to get past HR drones who need a checklist of what should or shouldn't be on a resume before passing it on to the hiring manager. To the technical professional, an MCSE is the equivalent of "I can turn on a computer" as it covers the VERY basics of what you need to know in order to be a Windows Admin. However, I do know that a lot of noobs treat them as something sacred. It does, however, make it easy to determine who's got a clue and who doesn't: those sans clue have their MCSE nicely framed and hanging on their wall. The rest of us don't even know where ours are.
After twenty years in the IT profession, I'm pretty much going to be forced to take my MCSE mainly because you just can't get a job.
Well, no offence, but it might have more to do with your skills being highly out of date? I've been in this industry a little bit longer and the only people I see having trouble finding work are people who are still mired in the past. Ageing technologies like Unix and mainframe are on the way out of what you need to know these days. My company used to be heavily Unix, but now our 14K desktops and 500k customers are serviced almost exclusively on Windows machines...with uptimes and usability both on an order of magnitude higher. We still have a couple of Unix boxes here and there, mostly to run Oracle Apps for our internal financials...but that's because our few remaining Oracle DBAs are also the ones in charge of the group so they refuse to let go of that stranglehold. Their days are numbered, though, as the Unix side can't provide the kinds of availability numbers we can and the upper-ups are getting tired of hearing the financial systems aren't available so often.
As the article says: there's a shortage of QUALIFIED individuals. There's a big difference between "wants to work in IT" and "qualified to work in IT".
Slashdot Mirror
Well, this was fun yesterday, but you're either a clueless twit or a shill, so I'm done playing with you.
And again, in those studies there is no way to prove that a person that downloaded initally actually purchased later.
Sure there is, just check the receipts.
Really? If I write a book, and no one reads it, it becomes part of our culture? Culture means "shared among a large group of people." Go look it up. You really are a dumb motherfucker aren't you?
You're the one that said all books become part of our culture. So, that dumb motherfucking came from you.
The majority of authors aren't the ones that sell 50 million, and NO author starts off selling that many. They start off having a small fanbase and have other retards that couldn't write a book to save their life say there are "many bad books on the market." You focus soley on those that have made something in their career. You never look at them though when they first start out. The way it is now, the "bigger" authors are helping the smaller one. Because Stephen King can sell 50 million, a publisher will take a risk on a smaller author that hasn't yet built his base.
What precisely is the color of the sky in your little world? Very few publishers are going to take on a smaller author because the publishing industry is about selling books, not "art". They couldn't care less if some unknown author has the next great American novel or not. They're going to give a publishing slot to a known seller, given the choice.
You seem to forget that all those "bad books" on the shelves are there because there ARE people out there that wish to buy them.
Nope, sorry, not true. They're there because some publisher THOUGHT they could sell them. They languish on the shelves for a few weeks and then are sent on to book outlets that you see popping up all over the place. If they don't sell there, they're destroyed. For someone who claims to know the industry, you probably should actually spend some time here before spouting lies everywhere.
They may not be a majority of people, and they never might be. Yet you would say what they enjoy is crap? Go fuck yourself. The system as is gives people a lot of variety, and beauity is in the eye of the beholder... not some pompus ass angry that he didn't get tipped because he likely did a shit job as a waiter.
Wow, you really are one of the dumbest people I've ever talked to.
You say I miss the point, yet it's you and your stupid personal experience that is missing it. It takes a lot of time and effort to become a good writer, and the current system allows people to invest in that time and effort. Your system would totally destroy that. I guess we can go back and have what we did before; rich people paying someone to write or paint, but then only the rich get art. Just how I want our society.
Again, the color of the sky? The system, as setup today, does not encourage artists of any kind. The music industry, the publishing industry and the movie industry are all about making money. There's no "art" involved. If it makes money, AND can be considered "art", so be it...these industries are only interested in the former. They're designed to ripe all of the artistic content out of an artist, "tweak" it for maximum profit and then dumping it on an unsuspecting audience. Under the system proposed by the intelligent people (which is why you don't understand it), artists provide their works directly to the public and the public decides if they want to buy it or not. The artist loses nothing by doing so. By signing with a publisher/label/studio today, they give up their works entirely for a small (VERY SMALL) percentage of profits. You might want to read up on Nine Inch Nails. In particular, pay attention toward the end where they tried to give fans the right to remix THEIR music, but it was blocked by the label that "owned" the music.
Ya, shown time and again by asking people "would you also buy the song or book?" Of course most say they would... most people don't like to admit stealing.
If only it were that simple, but it's not. I'm talking about people who have downloaded items for free (legally, of course) and then purchased a copy or donated to the author.
Right, I'm a clueless twit, because somehow being a waiter and author are even remotely related. Dumbass, they aren't. Your waitering experience is meaningless; you aren't producing anything, you're carrying stuff from point A to point B without dropping it. Big fucking deal. Sorry, but that's nothing like creating a book that actually DOES become part of our culture.
Because every book becomes part of our culture...but, again, you missed the point because you're fucktard. So, I'll type slower: the occupation has nothing to do with it. If you're an author, and you sell 50 million copies of your book, and a million people stole a copy of the book, you're still ahead. If, however, you're not an author, but a fuckwit who put out yet another piece of shit just to sell a piece of shit, then, yes, you're going to care about squeezing every single penny out of every single person who's read your book, regardless of whether they enjoyed it or not. The latter is the model we have today, which explains why there's so many bad books on the market.
Again, you aren't creating anything, or really doing anything at all of importance. You just look really, really stupid comparing being a waiter, which COULD be fulfilled by monkey's in uniforms, with an author or director.
Well, since I haven't been a waiter in over 20 years, your rapier-like attacks on them isn't doing anything except prove that you can't grasp a simple comparison that has nothing to do with occupation.
Well, you lost the hundreds of dollars on the device. Not exactly pocketchange, especially if we're talking about a laptop.
If only there were a method that you could INSURE your laptop against loss or theft...huh, if someone comes up with something like that, they could probably make a mint.
Change "some" to "most" and you'll have a point.
I could do that, but then I'd be lying. Your sentence is the basis of the MPAA & RIAA's claims. Unfortunately, as has been shown time and time again, that's not the case. The only time "most" applies is if you're saying "most people who download music/books/movies also purchase those songs/books/movies".
Oh, and it's interested that you form your opinions because others may have treated you unfairly that it's ok to treat someone else like that. Nice line of reasoning. "My life sucks, so it's ok if it sucks for everyone else too."
You're a daft, clueless twit, but I'll try to make it understandable: I was not basing my opinions of the situation on my experiences, I was RELATING my experiences to the conversation. The point of the conversation was that, yes, SOME people will download books/music/movies/etc illegally and never pay for it. They are in the overwhelming minority. By actively targeting them as the only example of your customers, you are punishing the majority for the actions of the minority. Better to just ignore the minority (as I did with the tippers) so you can concentrate on pleasing the majority who are actual, money-paying customers.
Because lugging around a computer isn't quite as easy as carrying a book? Because if I loose my book, I've only lost one book, but if I lose something like the kindle, i've lost everything?
Again, you missed the point. But, to address your comments: says you. I always have my laptop with me (I purchased a small one specifically for that reason), so your first argument doesn't hold water. Secondly, the point of items like the Kindle is they're the size and weight of a single book, but you can carry hundreds within that format. Finally, if you lose the Kindle, no big whoop: either redownload the book, which these services usually allow, or get a new one and restore from your computer. You haven't lost anything. And, to combat the argument I hear welling up: yes, a Kindle or laptop is an expensive thing to lose. I would think most people would put a lot more effort in ensuring they don't lose it over the amount of effort put into not losing a single book. If they don't, that's their own stupid fault. Me, I've never lost a book, so I'm not worried about losing a laptop.
And they have no authority to determine how I execute mine. I want my books in a digital format so I can read them on my laptop, my PDA, my computer at work, my e-book reader...whatever. If you want to reduce my rights just to read your book, well, sorry I ain't going to buy it and you lose a sale. Only a fool would continue to release their art using "the old ways". I've purchased quite a bit of music and literature that I started out by downloading copies the author published for free on their site. I've then either donated or purchased a print copy, if it was good. If it wasn't, I didn't waste my money. These authors typically sell more copies of their books than those who go through traditional channels, indicating the marketplace is heading in that direction. It's the marketplace that decides how products are sold, not the content producers. We just want to pay them to share in their ideas, why is that a bad thing? Yes, some people are going to take advantage of the situation and never pay for everything. Boo-hooo. When I was a waiter I learned early: some people are never going to tip, but at the end of the night, my average per table was what was most important. With a little bit of work, you can download pretty much any book on the market today, yet books are still being sold everyday. Wonder why that is?
The Constitution can't protect us against people who are willing to give away their privacy.
The Constitution can't protect us against people who are willing to give away OUR privacy.
There, I fixeded it for you. After all, it is OUR information they're giving away.
Try doing that same schedule when you're 35.
:)
I have no trouble doing it at 38, and when my baby arrives in May, I'm anticipating doing it on even less. Perhaps it's what you're eating?
Oh, and no, I never drink coffee and only rarely drink soda.
There are certain privileges an application may require that are equivalent to giving admin permission, just because that permission can easily be used to obtain any other permissions that were "missing". There's no point in distinguishing from Admin at that point, that would be pedantry and a waste of bits. There are a variety of these permissions that an application can require before starting.
Then, the app is broken. It violates the security model, it's broken. If an app,as run by a user, needs to modify HKLM, it's broken. If an app needs to write to the system32, as a user, it's broken. It's that simple. All of the sophistry in the world will not change that.
I stated no such thing.
Apologies, it was the original responder who said he had to open up all of HKLM in order to run an app.
On the other hand, if the application's documentation states that it must be run as admin, then the only safe thing to do with the app is either to run as admin, as the docs say you must do, or the application should be thrown away during the evaluation stage, never bought, and not used.
That is precisely the course that must be taken. It should go no further than that. You don't even need to install it, perusal of the docs should be sufficient. What path gets taken is more of a management decision than a system admin decision. I would plug for throwing the app away, but if the user can justify the need for this app well enough, and no other, they will probably win out over anything IT has to say about this app.
I've never found that to be the case, as I've employed numerous methods to ensure it doesn't happen. In smaller companies, when I was essentially the IT staff, I would "break" it during testing until it didn't work and then recommended a better product. In larger companies, I've gone to our Enterprise Security teams and either had them put the kibosh on it, or let them take responsibility for it. Working in the financial industry does make the latter option a more viable one, but still doable elsewhere. As a last resort, I've isolated the application within a DMZ, made it extremely difficult for the end-users to use the software and then informed management that IT would not be supporting it in any way at all. They were on their own.
Also tweaking out the non-admin user is going to be way out of the parameters of the support agreement associated with the software, and the app breaks in a nasty way (I.E. Data corruption) _AND_ the support agreement is void, there could be negative consequences (punitive action by management) against the system managers who failed to follow simple instructions regarding the "proper" configuration of the application.
The system managers who allowed it to happen in the first place got what they deserved.
Whether or not I or you think the application is of poor design or "broken" is irrelevant.
It's never irrelevant. What you have to choose is relevant is your desire to do your job properly when being forced by pinhead managers to do something that violates every standard in the book.
Bad/insecure/unreliable design, but still "functional", is not the same as being broken.
No, if it violates basic OS standards, it's broken. "functional" is an accident.
If all apps should not need special permissions, and services should have all permissions like in your ideal world, then the OS itself is broken because it allows special privileges to user accounts and interactive applications at all.
No, the OS provides these for "non apps", such as system-level services. Things that are not used in day-to-day operation by an interactive end-user logged into a machine. Developers have found these loopholes and rather than code their apps right, preempt their purpose. Again, not the fault of the OS.
But we don't live in that world, and most apps _DONT_ separate privileges to separate processes.
This appears as if it will work fine, until you realize the application makes a direct call to GetTokenInformation and verifies that the application thread possesses certain security privileges including SE_TCB_NAME before proceeding.
Having that privilege does not require you to be a member of the admins group, it can be granted to any user. It is, however, normally only granted to named accounts used to run a service. Granting it to an interactive user is not only a complete violation of security protocol, it's generally not necessary. It also is not necessary to read or write to all keys to HKLM, which is what you originally stated was the reason for making users admins. If you fail to grasp this, you should not be the one doing the administration of these machines.
Naturally, there are many privileges only open to programs that run with administrative privileges. You break the application, by not running it with the intended permissions.
Applications, no. Services, yes. An application that requires the above priv is broken by default. An app that requires admin rights to simply RUN, is also broken by default. That's not the fault of the OS, it's the fault of shitty devs.
It's fairly naive to think the set of permissions MS assigns to admin users is exactly the set of permissions non-admins won't need.
It's fairly clueless to assume otherwise. Users don't need to install software or hardware. Users don't need to change system-wide settings. Those are tasks for admins, who are assumed to have half a clue. Although, as you've pointed out, that's not always the case.
There are many special features like RAW sockets that are restricted to apps running as admin. The assumption that only designated apps for administering that workstation need these features may not be well founded.
Nope, it's well founded. It's founded in the security standards for the OS. Users don't need to open sockets except in the most extreme of cases, and even then you STILL don't give them admin rights if a tweak of permissions and/or addition of SOME elevated privileges are all that's necessary. You don't leave your whole house unlocked so that the gardener can get into the garage to get the mower.
Even in the UNIX world there are apps which must have root privileges, and there's a fairly elegant setuid scheme I might add, to permit software to run an agent as root, so that only the parts of the application that _need_ special privileges have special privileges.
The reason that's necessary on unix is because it lacks the fine granularity of permissions/privileges of Windows. The reason most unix admins have so much trouble in the Windows world is because they're used to a simplistic security model and the Windows one proves to be too complex for them. Similar functionality can be had on a Windows box, but it's not a good idea simply because it's a security violation. If your app can't run within the security model, then it's broken, pure and simple.
This is much better than conferring special privileges to the USER. Now you see, letting Winzip edit its HKEY_LOCAL_MACHINE\Software\Winzip folder when run as a regular user may open a hole that allows user A to compromise user B's account when user B logs into the workstation and runs Winzip -- which reads settings from that shared place: perhaps a setting including commands to execute while starting winzip.
So, your solution to poorly written software is to suggest putting an even more kludgy solution in effect? And, BTW, it appears you fail to grasp the Unix model as well, as it uses a similar concept to the user context which is what suid circumvents. Users run software, software doesn't run users. Putting restrictions and other kludges around what the software can do is hardly, to use a term you're fond of, elegant.
Wow, is this dumb-ass "Bill Gates wants to own the world" rhetoric still ambling around?
No, it's stupid because having such an kludge on a web-facing server is stupid. There are rules you follow, and just because you can think of a reason to violate them doesn't make them less stupid...just rationalized.
Phew! Couldn't tell you. I haven't lived in Philly in 16 years and couldn't even tell you what stations exist! :) I was surprised to see in the Wikipedia article that they think there were stations that didn't air it live, but I distinctly remember it happening during the day.
SureTrack: I'll assume you meant SureTrak, the project management software as this conversation revolved around business networks. Now, if you get to use SureTrack at work, good for you! I wish I could bring my train set in! :) But, I digress: there's hundreds of project managment tools on the marketplace, find another. Nonetheless, a quick Google finds admin rights are only needed to establish connections to databases. Are there other reasons?
old digitizer software
So, update it...?
incidental exposure can be irreparably damaging, depending on what the exposure is to.
There are very few things that are irreparably damaging, and they all require a lot more exposure than "incidental". Catching a half-second shot of a breast is not going to turn a child into a serial killer or even make them mildly anti-social. At BEST, it'll generate some giggles on the school yard the following morning and be forgotten moments later. While home from school, I was one of the "fortunate" few who caught the Bud Dwyer incident, live on the air. It was freaky, but didn't even bring about a nightmare.
But, beyond that, in Europe, one can expect to find hard core pornography on broadcast television, and yet it's only the US where you find the highest incidence of serial killers and sociopaths. I would attribute that to the ridiculous, puritanical, half-assed armchair psychology from people like you who believe such stupid statements like the one italicized above.
but also provided by manufacturer and the only way to do business
Then stop doing business with that manufacturer until they fix their software. Either that, or take it off the network. Or isolate it within a DMZ. Or call the helpdesk day in and day out asking for a resolution to the problem until it's fixed. Or get the higher-ups involved and tell them how they've had money stolen because their network was hacked or....well, you get the idea. Sometimes the only way to get shit fixed is to be a major asshole.
found that said software requires the admin to essentially open up the entire HKLM branch
I find that hard to believe. "Opening up" in terms of this discussion means to grant write access to protected areas of the registry. Are you suggesting that the software from your manufacturer needs to write to, say, the keys for Winzip? I can understand software needing to write to their own HKLM keys (I can understand it, I didn't say I agree with it), but not others. Granting users the ability to write to just those keys and subkeys is no big deal, but granting the ability to write to all of HKLM is a lazy admin not doing his job. Hell, the simplest solution is to fire up regmon, then launch the app and see what it starts poking around in and grant writes to do so. There's absolutely no reason this couldn't be done in less than half an hour, and that's with the person being REALLY thorough.
there are some apps that even then still give a hard time.
Name one. The last time I saw one it was Adobe Type Manager. It wouldn't run without admin privileges when we migrated the one user's machine that needed it from NT to 2000. I was able to use secedit to reset permissions to NT workstation-like and the app ran just fine. It wasn't an ideal solution as it did reduce the machine to NT level for security, but I was able to keep this user from running as an admin. Seeing as the main reason we replaced his machine was the $20k worth of pirated graphic design software he'd installed himself, I could live with it. That was the one and only time I have seen an app that had such an issue. If you have others, I'd like to see them so I know what software to avoid.
Also some IT departments are under staffed for the work load and don't have the time do that or the have the money to hire more people.?
Then the workload needs to decrease. If the team doesn't have enough time to do the job properly, they're doing too much "job".
Well, you wouldn't install multiple versions of IIS on a non-dev machine because that would be stupid. However, if you had three different sites running, on different ports, they'd all be configured from the same locaiton.
In the many years I have been using linux (on two distros)
/etc, some in /etc/apache/conf, some in /etc/apache2/conf, some in /etc/httpd, some in /etc/httpd/conf, some in /usr/etc, some in /usr/local/etc, some in....
Wow, two whole distros?
but I'd be very surprised if it had consistently put them in the same place as apache does
Well, that's the thing: Apache doesn't place it, the distro maintainer does. Some put it in
The point about the location of the config file was secondary to the point that there's no consistency in Linux, which results in a lot of new admins having trouble configuring things properly. OTOH, anyone who's setup an IIS box knows where everything is because it's always in the same location.
I knew it was too subtle.
Of course, also take into account: IIS is much easier to setup
And thus, secure. Your typical httpd.conf from a distro is a thousand lines. Most of them are comments, and half-assed attempts at documentation, but rarely useful unless you already know what you're doing. How many of those config lines are actually necessary to setup an Apache web server to get bare-minimum configuration? With IIS, it's easy: uncheck the ones you don't want, then go through the checklist provided by MS. A locked-down, secure, yet STILL USABLE IIS server can be setup in 10 minutes with someone with even a modicum of a clue. Apache..not so much. If it's a new distro, that 10 minutes will typically be spent just trying to find the httpd.conf because it could be anywhere (yes, I know "slocate httpd.conf", I was making a point).
No: only if everyone on the planet (who uses that product) trusts someone who knows that language.
Which for most people is still going to be a null set.
Of course, that theory holds water only if everyone on the planet can code in the language the software was written in...and can understand that programmer's particular style enough to go through the code. Even then, on a huge project, say Firefox or OpenOffice, I would imagine even the most paranoid person stopped reading through the code looking for hacks at about or around file #1262....
Is it that Microsoft is deliberately making 3rd-party software work less well?
It couldn't POSSIBLY be that the 3rd-party software is crap, is it? I recall a conversation I had with a vendor last year in which they claimed "well, our app actually IS a lot faster using SQL than Oracle. But, that's because MS 'cheats' so their apps run faster on their OS, of course." All I got back was crickets when I asked "couldn't it also be that SQL is designed to work on one platform and is therefore optimized for that platform? Oracle, on the other hand, works on dozens of variations of platforms, hardware, processors, etc and isn't optimized for any of them."
In the age of Google, there is no such thing as an "undocumented API". Since the APIs aren't hidden, there's some developer somewhere who's figured out what it does and how it's used. Having worked with enough development teams, I'd be more inclined to believe that anything that's undocumented has more to do with the typical development statement of "oh, right, we rewrote the whole app...did anyone bother to tell the docs team that we made changes?"
Never attribute to malice that which can be attributed to mismanagement.
MCSEs represent something far worse than that. They represent a severe compartmentalization of skills.
I think you, like a lot of people who do have the paper, over estimate the value of the MCSE. An MCSE is needed for two reasons only: 1) you work for a MS reseller, in which case their reseller cert is dependant on the number of certed people in house or 2) to get past HR drones who need a checklist of what should or shouldn't be on a resume before passing it on to the hiring manager. To the technical professional, an MCSE is the equivalent of "I can turn on a computer" as it covers the VERY basics of what you need to know in order to be a Windows Admin. However, I do know that a lot of noobs treat them as something sacred. It does, however, make it easy to determine who's got a clue and who doesn't: those sans clue have their MCSE nicely framed and hanging on their wall. The rest of us don't even know where ours are.
After twenty years in the IT profession, I'm pretty much going to be forced to take my MCSE mainly because you just can't get a job.
Well, no offence, but it might have more to do with your skills being highly out of date? I've been in this industry a little bit longer and the only people I see having trouble finding work are people who are still mired in the past. Ageing technologies like Unix and mainframe are on the way out of what you need to know these days. My company used to be heavily Unix, but now our 14K desktops and 500k customers are serviced almost exclusively on Windows machines...with uptimes and usability both on an order of magnitude higher. We still have a couple of Unix boxes here and there, mostly to run Oracle Apps for our internal financials...but that's because our few remaining Oracle DBAs are also the ones in charge of the group so they refuse to let go of that stranglehold. Their days are numbered, though, as the Unix side can't provide the kinds of availability numbers we can and the upper-ups are getting tired of hearing the financial systems aren't available so often.
As the article says: there's a shortage of QUALIFIED individuals. There's a big difference between "wants to work in IT" and "qualified to work in IT".