Not to mention it's financially unsound. When you work someone 60+ hours a week, you've reached the point where it'd be cheaper just to hire another worker. That is, if workers demanded overtime...
In all honesty, I think companies *want* the workers to fail. They want to be able to show a page of your code after 60+ hours of work along side the code created by a team of Indian programmers. After that, it's just a matter of getting you to quit so that they don't have to announce layoffs.
My company does a lot of what you look for. Here's my take:
Fun company-sponsored outings. What a waste. Just because I work with you, does not mean I'd like to spend my spare time at a picnic with you. In fact, after working hours, I want to get as far away from you all as possible.
Unfortunately, these "fun outings" turn into a political nightmare. Unless you volunteer your own time to help set-up, clean-up, or cook, you are seen as someone who hates the company. Unless you show up and play softball or voleyball, you are seen as having no loyalty. You have to sit with people who fired your best friend or smartest worker and smile and drink beer and talk about their fucking kids and listen to them struggle to remember my fucking kids.
And God help you if you or your wife doesn't bring a good side dish.
Rec rooms are okay, but you are looked down upon if you spend too much time there. There are days when my workload is really light. But, I'm still chained to my desk looking busy. Why? Because I've already used my 15 minutes playing ping-pong.
We don't have enforced breaks, but we do have subsidized education and certification. If you take a class over lunch or at the end of the day, bosses are very understanding and ensure you get there on time. Although, you may have to come back after class and burn the midnight oil.
We also have free memberships for a local gym. Almost no one goes. It really is sad to see how people put their work and family before their own personal health. Never quite understanding that, if you are dead at 40, you do your family no good.
We also do casual fridays every now and again. You usually have to drop $5 in a bucket to participate. The money goes towards the next stupid fucking picnic. If you don't participate (my casual *is* buisness casual), everyone thinks you were too poor to afford the $5.
Although, what you could do is automagically have a standard WinXP workstation login on startup. Next, have VMWare in the startup folder so that it begins as soon as the computer logs in. Finally, have VMWare point to a disk image loaded on your server. The employees will then see a full-screen VMWare ready to authenticate on the network and begin their day.
If you really wanted to be fancy, have that image automagically map to a network drive on your SAN/NAS as the D:\ drive. Tell employees to use the D:\ drive to store all work-related documents.
It could work. But you'd be looking at maybe 5 minutes for the morning boot-up. Not to mention all the employees hammering the network for a 2~4gb image at 7am will really thrash the servers.
If you insist on doing this, go a bit further. Activate that WoL crap and autoboot the workstations at staggered times between 6am and 7am.
You have to give him a counter-offer he cannot possibly accept.
Jack, come to our offices and we'll let you and your group play. We'd love to send you a copy, but this is really unoptimized code that only works on our computers. Just let us know a day and we'll have first-class tickets for up to 10 people, a limo, and a hotel for a few days.
Then, set up a media blitz with schoolgirls, freckled-nosed bullies, taped-glasses geeks, and more schoolgirls. Hot ones. Big tits and short skirts. Jack and his stuffy-nosed panel will be met by and accompanied everywhere by these mostly-naked babes. Take some comprimising shots of Jack gettin' his uber-micro on while some hot schoolgirl rubs her tits on the back of his head.
Or, just come up with some other offer that he can't possible accept. Put the ball back in Jack's court.
How do people make the quote bars appear when you are quoting the text of the message you're replying to? Is that an automatic setting somewhere or are there characters you're inserting?
Try using the "blockquote" tag. If you want to be really fancy, nest a "i" tag in there too. Don't forget to close them properly.
Also, if you have the "slashdot" extension for Firefox, you can highlight text and then select "reply to this" from the right-click menu.
Doesn't stop you from having a 2-part bottle. The top 1/3 would be regular formula and the bottom 2/3 would be dangerous liquid. Maybe seperated by a thin layer of hardened wax.
The best thing to do here would be to poison the well. Create a simple script that runs Google searches on random "hot" words.
Se it up as a distributed.net style program and spread it all over the world. Within a few weeks, the top searches would be on words like "bomb" and "incest" and "child porn". Within a few months, Google's search analasys would be worthless. Not only that, but anyone trying to log the data to find a terrorist would be completely swamped.
This could work for phones too. Set up Skype to dial your home phone number when you are at work or asleep. Have your computer read a list of "hot" words into Skype. Watch as the NSA begins to pull out their hair over the millions of hour-long phonecalls talking about bomb-making.
The line you quoted used the term "be found guilty". As you pointed out, people were arrested for talking about committing acts of terrorism.
But will a jury convict them?
You say they didn't have knowledge or materials. However, the Internet is full of bomb recipes. And materials are not hard to find. Just do a late-night raid on a AgriBuisness farm and grab a truckload of fertilizer.
I don't think that anyone can be found guilty for thinking about a crime. But sometimes, thoughts lead to words. If there is a clear progression of the words getting stronger and stronger, then there is a good chance those words will lead to actions.
I seem to remember a program for managing WAP access. I think it's called NOCATAUTH. Anyway, I haven't looked at the specifics, but it seem to me that you could use a WRT-54G (V1-4 or VL) to redirect all network traffic to a specific IP address for the purpose of authentication. Why couldn't you just redirect everyone to that specific IP address?
Now, while a technological measure might be easiest, thing about this from a manager's standpoint. Log all the IP addresses accessed. Log the machine the IP request originated from. Let the originator know that such access is forbidden. Let him/her know that any further attempts to access forbidden IP addresses will be dealt with harshly.
I agree completely. I get really pissed off at people who can't cope. The GP said he didn't like crowds or lines. Well, who the fuck does? It does not mean the GP should have the right to bypass the lines. It does not mean they GP should be allowed to take 500mg of whatever the latest "smash the fuck out of my brain" drug is.
Learn to cope, or die.
It's seriously time to crank up the chlorine levels in the genetic pool.
Not to mention time. I can fly across the country in about, what, 5 hours? Add 2 hours onto the front end and an hour on the back end for airport security and you get about 8 hours.
With a train, you are looking at at least 24 hours. Probably closer to 48 hours.
And I think you'd be hard-pressed to drive across the US in less than 5 days.
As a frequent buisness traveler, the new restrictions aren't than bad. Not having my laptop on the flight stings, but I'll get over it. I look forward to all the charges airlines will be forced to pay when the class-action lawsuit comes down charging them with abusing luggage when they know sensitive electronics are inside.
Wear some loose-fitting clothes. No belt. Shoes should be something you can wear un-laced. Take off your jewlery and watches. Grab a paperback book and eat/drink at the airport resturant.
If people would put a little though into what they wear and carry, it'd all be easier. My last flight to Japan, the lady in front of me had a shit-ton of costume jewlery. She had a belt with a huge buckle. She had shoes with metal shit all over them. And as she passed through the detector, she'd balk as it beeped. Then she'd take off like 2 rings and a necklace and try again. What a fucking waste.
The first new rule they should implement is this: If you cause the detector to beep, you should go to the back of the line.
>>Youth diabetes was basically unheard of in this country before the advent of the food pyramid, which places carbohydrates at the base
I'll not debate you over the fact that HFCS may or may not be bad. But you can't blame obesity on the intake of sugar.
Kids are fat because they take in more calories than they burn. It's that simple. My father walked to school. I rode a bus. My daughter is close enough to walk, so she does.
My father never had a TV till he was 15, I always had a TV in the house. My daughter lives with a TV in, pretty much, every room.
The reason kinds are fat is because of a lack of exercise. Not HFCS.
You could probably get away with using a fake ID for this. Have fun with it too. Have the fake ID say shit like "The Queen's Mum" with an address of "Your Dad's Dungeon".
Here's an even better idea. Contribute to a legal defense fund that will stand up for John Doe whenever the RIAA begins a suit.
The only easy place to quash this tactic is to stop the suit against John Doe. But, since they drop that suit as soon as they have your ISP billing info, it's all over.
I really like the summary judgement idea. You force the lawyers to produce filenames, IP addresses, dates, times, and ISP connection records.
The answer to your problem is quite simple. Every morning, print out a report of the internal IP address that accessed the most content over 80 and 443. Figure out who the workstation belongs to. Go to his desk with his boss, security, and a HR goon. Tell him to get up and leave.
After about 3 days of this, someone getting fired every day for violation of our policy, web traffic absolutely died.
If you have a problem with shared computers, install a webcam. Set it up so that the webcam takes a snap every 5 minutes with a proper date/time stamp at the bottom. When you get your logs, open up the webcam shots and see who was on the PC.
I'd go a step further. I think that every officer should be recorded as long as he or she is on-duty. The tapes should remain on file for at least a year; at most, till any case involving the officer is settled. The tapes should be made by a third party and paid for out of the police budget. If a tape is "lost" or "damaged", then it should be assumed that the officer was in the wrong.
The ACLU has three phrases that everyone should know. "How can I help you, Officer", "I do not consent to this search, Officer", and "I will not speak without my attorney present." Perhaps we should add a third to the list. "This conversation may be recorded to ensure quality of service."
I really think it's shitty that a man can get in trouble for recording something on his own property. However, there must be limits. Should I be allowed to record my bathroom as my babysitter visits? Why or why not? How about my living room while she visits? Should I be allowed to record my property from the outside? What if those cameras also record my neghbord driveway? His front porch? What if I have a camera on my property aimed at my neghbor's daugter's room?
I think I should be allowed to record my property. It's my right. However, I also think I need to be man enough to admit that I'm recording someone. Let your babysitter know that she's being recorded. Anyway...
This whole situation could have been avoided if the man had signs posted that a video survalence system was in use. It would have made his property safer, too. When he was encountered by the officer, he should have let him know he was being recorded. Why? Because, it's what a *man* does. A man has the right to record his property, but he also should have the balls to admit that he is doing so.
Every time MS releases a new ServicePack or OS, I find that I'll have to disable more and more shit to make it work like Win2k.
How about MS disables the service by default. If a user right-clicks on a trackable file (I'm assuming that this won't track changes on updated game executables, my PHP/CSS templates, OpenOffice documents, etc), then have an option to start tracking. If the user selects that, then enable the appropriate services.
Same with the Firewall and FastUserSwitching. When you connect to the internet, have a well-worded dialog box that asks me to enable the firewall service. When I select Switch User from the logoff options, popup a dialog asking if I want to enable that too.
Turn off more shit by default. Don't just enable everything. Seriously, who the fuck needs Remote Registry, Portable Media Serial Number, TCP/IP NetBios, and all that other useless shit? Sure, you might need one or two things, but do you need 55 services starting on a default install?
Build in the functionality. Disable it by default. When the user triggers an event that needs the service, ask him if he really wants to do that. From that point on, leave that service enabled.
Chances are, they'll never know what to look for or where to look. Just put a few fake documents in "My Documents" and show them that. If they have some reason to dig deeper, then you might just be fucked.
However, Customs has a job to do. They need to keep things out that aren't suposed to be here. If you stash Cuban cigars in your pants, you might get caught. If you stash kiddie pr0n on your laptop, you might get caught.
I'm surprised to see this from the 9th, but it really is a "lawful" rulling.
Linksys routers run Linux. Their firewalling capabilities range from a simple everything open to the fully locked IPCHAINS (or is it IPTABLES). Plus, my experience with other routers leaves a lot to be desired.
>>4-6 hours tweaking services? Right. Even when using the list as a reference, it takes at tops 15 minutes to tweak services.
Once you have done the process a few times, it becomes second nature. However, for the first few times, you have to disable a few services and then test your applications to ensure everything works. Can I still browse the network? Does SSL still work? Can I still resolve domain names? Can I still print? Do my games still work? Can I still adjust my video preferences?
All these questions have to be answered after every step. In reality, you should disable a few services and then run the system for a week or so to make sure it's okay.
The first time I ran through this, I read BV's site completely. Couple that with trying to decipher some of the more unusual services and then actually disabling and testing and it can be a weekend job.
>>You also seem to forget that on slower systems the performance boost will be far more noticeable than on a gaming rig. Along the same lines, the time it takes to completely load WinXP into a useable state will decrease. That "10mb" can make a huge difference on a system with low memory - much like the ones they initially shipped WinXP on.
Many of the people running those systems will never even know about disabling services. Chances are, if you really care about performance, you'll care enough to throw in a few sticks of RAM. On low-end systems, RAM is really cheap. I just added a 1GB of pc133 to my mom's computer. I got 512 from a geeky friend who was upgrading for free. The other 512 came from a swap meet and cost about $20.
And no ammount of service tweaking will replace the boost you see from going from 128MB to 1GB of RAM.
Tweaking is fun for geeks. That's what we do. But within the realm of mere mortals, it's a lost art. We'll spend hours to squeeze out a few extra FPS or reduce boot times by a few seconds. We'll install 10k RPM drives in RAID0 to get a few extra MB of transfer. And that's all well and good if your system is already at the top of the heap.
As far as the low end goes, the old adage remains true: you can't make a silk purse out of a sow's ear.
Just after SP2 came out, I found BV's list. I did a clean install with a slipstreamed SP2 disc and counted the processes and memory usage. It was something like 90mb usage and 45 processes in use.
After that, I hammered through the list disabling everything not essential to gaming. A the end, I had 22 processes and 80mb usage.
My primary intent was to clear up unused memory to make gaming more stable and faster. In this, it was a complete failure. Quake3 and other benchmarks showed a neglegable boost; maybe a few FPS.
I didn't do a security scan, but I'm sure OpenPorts would have showed a slightly more closed system. But I really don' think it would have been any more secure.
Tweaking services is really not worth the time/effort when you look at the gains. If you need more performance, a faster proc and memory can be had for maybe $200~$400. If you need more security, install a Linksys router between you and your ISP's modem. Or, you can spend 4~6 hours tweaking services for a 10mb memory boost like I did. Your choice.
>>Crunchy on the outside, soft and chewy on the inside.
So true. Hence the need for good control of the software they run. Good network baselines and port-level switch security are a must also. If you notice something is up, you can investigate. We get PMs when SNMP reports high utilization on a switch. From there, we open the switch's graphs and determine who is doing what. If a user's port is screaming, we disconnect them and go over to see what's up.
>>I agree however, it's useful to be able to take remote control of a user's desktop. Citrix has such a feature built in, called "shadowing a session". Of course, that's in a Citrix environment, not an XP desktop environment.
Most of the VNC systems have this. I can connect using TinyVNC and watch a user.
>>Even open source mail scanning gateways such as Amavisd-new support banned filename extensions. Couple that with ClamAV, and scan all attachments not yet banned, including recursive scanning of compressed archives, and you get quite a bit of security for very little cost. I've seen this solution fare better than commercial ones, which failed because the virus was a ZIP inside a ZIP.
Or they password the ZIP and include the pass in the email. If you allow it, it will be exploited.
>>True... which is why most email clients these days do not display images (and thus invoke the HTTP connection to retrieve that invisible 1px image) by default. This kind of thing can also be prevented by having a web proxy that only allows access to whitelisted sites.
That's crazy. Even I wouldn't reccomend whitelisting. I did some work for a company a while back that blocked everything not in the US. Users would get blocked from everything that didn't end in a.com/net/org. Once I pointed out that someone in Russia can buy a.com, they relaxed a bit.
>>Yes you do, there is no way around that. All you can do is give people access to the minimum amount possible. Beyond that, backups are really your only safety net.
Agreed. Which is why I say no user can write to his own hard drive outside of the "temp" folders and desktop. We get hundreds of calls at first from people not being able to save a doc, but once they understand how to use their mapped "personal" drive (mapped under P:\) and their group's drive (mapped to G:\), they understand.
>>So, no SMB/CIFS/NFS to allow them to actually work with their data on the SAN/NAS? No DNS so they can actually resolve the address of the SAN? No ICMP so that the host actually has a clue when it tries to connect to something that is unreachable?
Sorry, I wasn't layout out the whole plan. Sure, some of that'd be open. But ICMP? Users don't usually need to ping. If they do, an admin can RDP in and do it for him.
>>Don't forget hackers...
I think that if you run the protocols on nonstandard ports and close those on your external firewall, you should be OK. Admins need a remote desktop app to troubleshoot. Nothing is more useless than having a user describe a problem. If they can show you the prob, it can be cleared quickly.
>>That would destroy the reason most people use email these days. Can you imagine how effectively a salesperson or manager is going to be able to do their job, if they can't easily send markting material such as PDF's or PPT's to customers?
Not everyone needs to communicate with a customer. If so, make special arrangements. And no one should be getting ZIPs, RARs, EXEs, and the like. The smart ones begin renaming the extension. So now, no attachments == some security.
>>Why? What makes an image any more of a threat to security than a rich-text email (especially when read with certain well known mail clients... *cough* Outlook *cough*) ?
Images can link to external servers and be used to verify good IP and e-mail addresses. They can also exploit unpatched systems.
>>That usually comes down to implementing sensible file/directory permissions, and the challenging task of educating users to actually save stuff in the right place.
Still, you have to give users read/write to their group folders. That's where the real damage can happen.
Slashdot Mirror
Not to mention it's financially unsound. When you work someone 60+ hours a week, you've reached the point where it'd be cheaper just to hire another worker. That is, if workers demanded overtime...
In all honesty, I think companies *want* the workers to fail. They want to be able to show a page of your code after 60+ hours of work along side the code created by a team of Indian programmers. After that, it's just a matter of getting you to quit so that they don't have to announce layoffs.
My company does a lot of what you look for. Here's my take:
Fun company-sponsored outings. What a waste. Just because I work with you, does not mean I'd like to spend my spare time at a picnic with you. In fact, after working hours, I want to get as far away from you all as possible.
Unfortunately, these "fun outings" turn into a political nightmare. Unless you volunteer your own time to help set-up, clean-up, or cook, you are seen as someone who hates the company. Unless you show up and play softball or voleyball, you are seen as having no loyalty. You have to sit with people who fired your best friend or smartest worker and smile and drink beer and talk about their fucking kids and listen to them struggle to remember my fucking kids.
And God help you if you or your wife doesn't bring a good side dish.
Rec rooms are okay, but you are looked down upon if you spend too much time there. There are days when my workload is really light. But, I'm still chained to my desk looking busy. Why? Because I've already used my 15 minutes playing ping-pong.
We don't have enforced breaks, but we do have subsidized education and certification. If you take a class over lunch or at the end of the day, bosses are very understanding and ensure you get there on time. Although, you may have to come back after class and burn the midnight oil.
We also have free memberships for a local gym. Almost no one goes. It really is sad to see how people put their work and family before their own personal health. Never quite understanding that, if you are dead at 40, you do your family no good.
We also do casual fridays every now and again. You usually have to drop $5 in a bucket to participate. The money goes towards the next stupid fucking picnic. If you don't participate (my casual *is* buisness casual), everyone thinks you were too poor to afford the $5.
Sounds like you want something like Citrix.
Although, what you could do is automagically have a standard WinXP workstation login on startup. Next, have VMWare in the startup folder so that it begins as soon as the computer logs in. Finally, have VMWare point to a disk image loaded on your server. The employees will then see a full-screen VMWare ready to authenticate on the network and begin their day.
If you really wanted to be fancy, have that image automagically map to a network drive on your SAN/NAS as the D:\ drive. Tell employees to use the D:\ drive to store all work-related documents.
It could work. But you'd be looking at maybe 5 minutes for the morning boot-up. Not to mention all the employees hammering the network for a 2~4gb image at 7am will really thrash the servers.
If you insist on doing this, go a bit further. Activate that WoL crap and autoboot the workstations at staggered times between 6am and 7am.
You have to give him a counter-offer he cannot possibly accept.
Jack, come to our offices and we'll let you and your group play. We'd love to send you a copy, but this is really unoptimized code that only works on our computers. Just let us know a day and we'll have first-class tickets for up to 10 people, a limo, and a hotel for a few days.
Then, set up a media blitz with schoolgirls, freckled-nosed bullies, taped-glasses geeks, and more schoolgirls. Hot ones. Big tits and short skirts. Jack and his stuffy-nosed panel will be met by and accompanied everywhere by these mostly-naked babes. Take some comprimising shots of Jack gettin' his uber-micro on while some hot schoolgirl rubs her tits on the back of his head.
Or, just come up with some other offer that he can't possible accept. Put the ball back in Jack's court.
Try using the "blockquote" tag. If you want to be really fancy, nest a "i" tag in there too. Don't forget to close them properly.
Also, if you have the "slashdot" extension for Firefox, you can highlight text and then select "reply to this" from the right-click menu.
Doesn't stop you from having a 2-part bottle. The top 1/3 would be regular formula and the bottom 2/3 would be dangerous liquid. Maybe seperated by a thin layer of hardened wax.
The best thing to do here would be to poison the well. Create a simple script that runs Google searches on random "hot" words.
Se it up as a distributed.net style program and spread it all over the world. Within a few weeks, the top searches would be on words like "bomb" and "incest" and "child porn". Within a few months, Google's search analasys would be worthless. Not only that, but anyone trying to log the data to find a terrorist would be completely swamped.
This could work for phones too. Set up Skype to dial your home phone number when you are at work or asleep. Have your computer read a list of "hot" words into Skype. Watch as the NSA begins to pull out their hair over the millions of hour-long phonecalls talking about bomb-making.
The line you quoted used the term "be found guilty". As you pointed out, people were arrested for talking about committing acts of terrorism.
But will a jury convict them?
You say they didn't have knowledge or materials. However, the Internet is full of bomb recipes. And materials are not hard to find. Just do a late-night raid on a AgriBuisness farm and grab a truckload of fertilizer.
I don't think that anyone can be found guilty for thinking about a crime. But sometimes, thoughts lead to words. If there is a clear progression of the words getting stronger and stronger, then there is a good chance those words will lead to actions.
I seem to remember a program for managing WAP access. I think it's called NOCATAUTH. Anyway, I haven't looked at the specifics, but it seem to me that you could use a WRT-54G (V1-4 or VL) to redirect all network traffic to a specific IP address for the purpose of authentication. Why couldn't you just redirect everyone to that specific IP address?
Now, while a technological measure might be easiest, thing about this from a manager's standpoint. Log all the IP addresses accessed. Log the machine the IP request originated from. Let the originator know that such access is forbidden. Let him/her know that any further attempts to access forbidden IP addresses will be dealt with harshly.
I agree completely. I get really pissed off at people who can't cope. The GP said he didn't like crowds or lines. Well, who the fuck does? It does not mean the GP should have the right to bypass the lines. It does not mean they GP should be allowed to take 500mg of whatever the latest "smash the fuck out of my brain" drug is.
Learn to cope, or die.
It's seriously time to crank up the chlorine levels in the genetic pool.
Not to mention time. I can fly across the country in about, what, 5 hours? Add 2 hours onto the front end and an hour on the back end for airport security and you get about 8 hours.
With a train, you are looking at at least 24 hours. Probably closer to 48 hours.
And I think you'd be hard-pressed to drive across the US in less than 5 days.
As a frequent buisness traveler, the new restrictions aren't than bad. Not having my laptop on the flight stings, but I'll get over it. I look forward to all the charges airlines will be forced to pay when the class-action lawsuit comes down charging them with abusing luggage when they know sensitive electronics are inside.
Wear some loose-fitting clothes. No belt. Shoes should be something you can wear un-laced. Take off your jewlery and watches. Grab a paperback book and eat/drink at the airport resturant.
If people would put a little though into what they wear and carry, it'd all be easier. My last flight to Japan, the lady in front of me had a shit-ton of costume jewlery. She had a belt with a huge buckle. She had shoes with metal shit all over them. And as she passed through the detector, she'd balk as it beeped. Then she'd take off like 2 rings and a necklace and try again. What a fucking waste.
The first new rule they should implement is this: If you cause the detector to beep, you should go to the back of the line.
>>Youth diabetes was basically unheard of in this country before the advent of the food pyramid, which places carbohydrates at the base
I'll not debate you over the fact that HFCS may or may not be bad. But you can't blame obesity on the intake of sugar.
Kids are fat because they take in more calories than they burn. It's that simple. My father walked to school. I rode a bus. My daughter is close enough to walk, so she does.
My father never had a TV till he was 15, I always had a TV in the house. My daughter lives with a TV in, pretty much, every room.
The reason kinds are fat is because of a lack of exercise. Not HFCS.
Meet the new boss
Same as the old boss
You could probably get away with using a fake ID for this. Have fun with it too. Have the fake ID say shit like "The Queen's Mum" with an address of "Your Dad's Dungeon".
Here's an even better idea. Contribute to a legal defense fund that will stand up for John Doe whenever the RIAA begins a suit.
The only easy place to quash this tactic is to stop the suit against John Doe. But, since they drop that suit as soon as they have your ISP billing info, it's all over.
I really like the summary judgement idea. You force the lawyers to produce filenames, IP addresses, dates, times, and ISP connection records.
The answer to your problem is quite simple. Every morning, print out a report of the internal IP address that accessed the most content over 80 and 443. Figure out who the workstation belongs to. Go to his desk with his boss, security, and a HR goon. Tell him to get up and leave.
After about 3 days of this, someone getting fired every day for violation of our policy, web traffic absolutely died.
If you have a problem with shared computers, install a webcam. Set it up so that the webcam takes a snap every 5 minutes with a proper date/time stamp at the bottom. When you get your logs, open up the webcam shots and see who was on the PC.
I'd go a step further. I think that every officer should be recorded as long as he or she is on-duty. The tapes should remain on file for at least a year; at most, till any case involving the officer is settled. The tapes should be made by a third party and paid for out of the police budget. If a tape is "lost" or "damaged", then it should be assumed that the officer was in the wrong.
The ACLU has three phrases that everyone should know. "How can I help you, Officer", "I do not consent to this search, Officer", and "I will not speak without my attorney present." Perhaps we should add a third to the list. "This conversation may be recorded to ensure quality of service."
I really think it's shitty that a man can get in trouble for recording something on his own property. However, there must be limits. Should I be allowed to record my bathroom as my babysitter visits? Why or why not? How about my living room while she visits? Should I be allowed to record my property from the outside? What if those cameras also record my neghbord driveway? His front porch? What if I have a camera on my property aimed at my neghbor's daugter's room?
I think I should be allowed to record my property. It's my right. However, I also think I need to be man enough to admit that I'm recording someone. Let your babysitter know that she's being recorded. Anyway...
This whole situation could have been avoided if the man had signs posted that a video survalence system was in use. It would have made his property safer, too. When he was encountered by the officer, he should have let him know he was being recorded. Why? Because, it's what a *man* does. A man has the right to record his property, but he also should have the balls to admit that he is doing so.
Every time MS releases a new ServicePack or OS, I find that I'll have to disable more and more shit to make it work like Win2k.
How about MS disables the service by default. If a user right-clicks on a trackable file (I'm assuming that this won't track changes on updated game executables, my PHP/CSS templates, OpenOffice documents, etc), then have an option to start tracking. If the user selects that, then enable the appropriate services.
Same with the Firewall and FastUserSwitching. When you connect to the internet, have a well-worded dialog box that asks me to enable the firewall service. When I select Switch User from the logoff options, popup a dialog asking if I want to enable that too.
Turn off more shit by default. Don't just enable everything. Seriously, who the fuck needs Remote Registry, Portable Media Serial Number, TCP/IP NetBios, and all that other useless shit? Sure, you might need one or two things, but do you need 55 services starting on a default install?
Build in the functionality. Disable it by default. When the user triggers an event that needs the service, ask him if he really wants to do that. From that point on, leave that service enabled.
Chances are, they'll never know what to look for or where to look. Just put a few fake documents in "My Documents" and show them that. If they have some reason to dig deeper, then you might just be fucked.
However, Customs has a job to do. They need to keep things out that aren't suposed to be here. If you stash Cuban cigars in your pants, you might get caught. If you stash kiddie pr0n on your laptop, you might get caught.
I'm surprised to see this from the 9th, but it really is a "lawful" rulling.
Linksys routers run Linux. Their firewalling capabilities range from a simple everything open to the fully locked IPCHAINS (or is it IPTABLES). Plus, my experience with other routers leaves a lot to be desired.
>>4-6 hours tweaking services? Right. Even when using the list as a reference, it takes at tops 15 minutes to tweak services.
Once you have done the process a few times, it becomes second nature. However, for the first few times, you have to disable a few services and then test your applications to ensure everything works. Can I still browse the network? Does SSL still work? Can I still resolve domain names? Can I still print? Do my games still work? Can I still adjust my video preferences?
All these questions have to be answered after every step. In reality, you should disable a few services and then run the system for a week or so to make sure it's okay.
The first time I ran through this, I read BV's site completely. Couple that with trying to decipher some of the more unusual services and then actually disabling and testing and it can be a weekend job.
>>You also seem to forget that on slower systems the performance boost will be far more noticeable than on a gaming rig. Along the same lines, the time it takes to completely load WinXP into a useable state will decrease. That "10mb" can make a huge difference on a system with low memory - much like the ones they initially shipped WinXP on.
Many of the people running those systems will never even know about disabling services. Chances are, if you really care about performance, you'll care enough to throw in a few sticks of RAM. On low-end systems, RAM is really cheap. I just added a 1GB of pc133 to my mom's computer. I got 512 from a geeky friend who was upgrading for free. The other 512 came from a swap meet and cost about $20.
And no ammount of service tweaking will replace the boost you see from going from 128MB to 1GB of RAM.
Tweaking is fun for geeks. That's what we do. But within the realm of mere mortals, it's a lost art. We'll spend hours to squeeze out a few extra FPS or reduce boot times by a few seconds. We'll install 10k RPM drives in RAID0 to get a few extra MB of transfer. And that's all well and good if your system is already at the top of the heap.
As far as the low end goes, the old adage remains true: you can't make a silk purse out of a sow's ear.
Just after SP2 came out, I found BV's list. I did a clean install with a slipstreamed SP2 disc and counted the processes and memory usage. It was something like 90mb usage and 45 processes in use.
After that, I hammered through the list disabling everything not essential to gaming. A the end, I had 22 processes and 80mb usage.
My primary intent was to clear up unused memory to make gaming more stable and faster. In this, it was a complete failure. Quake3 and other benchmarks showed a neglegable boost; maybe a few FPS.
I didn't do a security scan, but I'm sure OpenPorts would have showed a slightly more closed system. But I really don' think it would have been any more secure.
Tweaking services is really not worth the time/effort when you look at the gains. If you need more performance, a faster proc and memory can be had for maybe $200~$400. If you need more security, install a Linksys router between you and your ISP's modem. Or, you can spend 4~6 hours tweaking services for a 10mb memory boost like I did. Your choice.
>>Crunchy on the outside, soft and chewy on the inside.
.com/net/org. Once I pointed out that someone in Russia can buy a .com, they relaxed a bit.
So true. Hence the need for good control of the software they run. Good network baselines and port-level switch security are a must also. If you notice something is up, you can investigate. We get PMs when SNMP reports high utilization on a switch. From there, we open the switch's graphs and determine who is doing what. If a user's port is screaming, we disconnect them and go over to see what's up.
>>I agree however, it's useful to be able to take remote control of a user's desktop. Citrix has such a feature built in, called "shadowing a session". Of course, that's in a Citrix environment, not an XP desktop environment.
Most of the VNC systems have this. I can connect using TinyVNC and watch a user.
>>Even open source mail scanning gateways such as Amavisd-new support banned filename extensions. Couple that with ClamAV, and scan all attachments not yet banned, including recursive scanning of compressed archives, and you get quite a bit of security for very little cost. I've seen this solution fare better than commercial ones, which failed because the virus was a ZIP inside a ZIP.
Or they password the ZIP and include the pass in the email. If you allow it, it will be exploited.
>>True... which is why most email clients these days do not display images (and thus invoke the HTTP connection to retrieve that invisible 1px image) by default. This kind of thing can also be prevented by having a web proxy that only allows access to whitelisted sites.
That's crazy. Even I wouldn't reccomend whitelisting. I did some work for a company a while back that blocked everything not in the US. Users would get blocked from everything that didn't end in a
>>Yes you do, there is no way around that. All you can do is give people access to the minimum amount possible. Beyond that, backups are really your only safety net.
Agreed. Which is why I say no user can write to his own hard drive outside of the "temp" folders and desktop. We get hundreds of calls at first from people not being able to save a doc, but once they understand how to use their mapped "personal" drive (mapped under P:\) and their group's drive (mapped to G:\), they understand.
>>So, no SMB/CIFS/NFS to allow them to actually work with their data on the SAN/NAS? No DNS so they can actually resolve the address of the SAN? No ICMP so that the host actually has a clue when it tries to connect to something that is unreachable?
Sorry, I wasn't layout out the whole plan. Sure, some of that'd be open. But ICMP? Users don't usually need to ping. If they do, an admin can RDP in and do it for him.
>>Don't forget hackers...
I think that if you run the protocols on nonstandard ports and close those on your external firewall, you should be OK. Admins need a remote desktop app to troubleshoot. Nothing is more useless than having a user describe a problem. If they can show you the prob, it can be cleared quickly.
>>That would destroy the reason most people use email these days. Can you imagine how effectively a salesperson or manager is going to be able to do their job, if they can't easily send markting material such as PDF's or PPT's to customers?
Not everyone needs to communicate with a customer. If so, make special arrangements. And no one should be getting ZIPs, RARs, EXEs, and the like. The smart ones begin renaming the extension. So now, no attachments == some security.
>>Why? What makes an image any more of a threat to security than a rich-text email (especially when read with certain well known mail clients... *cough* Outlook *cough*) ?
Images can link to external servers and be used to verify good IP and e-mail addresses. They can also exploit unpatched systems.
>>That usually comes down to implementing sensible file/directory permissions, and the challenging task of educating users to actually save stuff in the right place.
Still, you have to give users read/write to their group folders. That's where the real damage can happen.