So, why not use a VMWare image connecting to an external Outlook server for "risky" communications? Run a tight internal network for everyday stuff and then an open network for easy access for those special occasions.
Not a bad idea. Baseline your systems and find out what's normal. Then, if the system starts doing something crazy, have the switch turn off the port.
I'd love to let my users run whatever they wanted. But then we'd need to triple the hell-desk staff. Here's what I'd like:
Secretaries should be running bootable knoppix with an automagic mapping to the SAN/NAS. No worry about them downloading crap. Of course, they'd still call 15 times a day wanting to know how to send an Outlook appointment that some people can decline while others cannot. And they'd still accidentally overwrite or delete the C*Os' proposals.
Devs should be able to run whatever they like. But a lot of them are dangerous. Devs *think* they are admins. Some of them are good and really know the workings of their chosen platform. But they tend to shut down virus protection "so they can compile faster" or install random tools "because they prefer program X over program Y." Just leave the mofo alone and call the hell-desk before you install. Is that so hard?
Engineers are the worst. They really drive our dependence on MS Office. They are the ones doing crazy-mad macros in Word and making PowerPoint jump like it's a fucking Pixar movie. If I had my way, our engineers would never be allowed to use a PC on the network. They'd have to describe what they want to an intern and then let him write it for them...
I kinda work in "the industry" and here's my $0.02:
First, a good setup would involve a completely standard desktop solution. From hardware to software, everything needs to be, pretty much, identical. That install would come with a VMWare player image of the user's standard install with full admin rights to the user. The VMWare image would be for special dev tools or just for those times when a user "has to have admin". This should remain hidden/disabled for 99% of the users. Only unlock it when someone shows they need to have admin for some reason.
Next, you need to have good user controls. The user should not be able to save files on their local drive. Every desktop should have a shortcut to the SAN/NAS. Every doc they create should be placed there. The SAN/NAS would be backed up daily.
The desktop should include a firewall. Only 80 and 443 should be open for outgoing. Incoming should have RDP or VNC open for admins to get in. There should be an icon on the desktop with the computer's name and IP address so that the user does not spend an hour reading the label off the back of the PC.
On the e-mail side, attachments should not be allowed. Internally, there should be a "dump" directory on the SAN/NAS. Ideally, groups would have their own dump area within that group's directory. The dump directory would be deleted every night prior to backups.
HTML e-mail would be allowed, but images would be stripped.
The network center's setup should be as bulletproof as possible. Every server should run a firewall and only allow what is needed. And then, lock them to the IP address ranges they need to connect to.
Webmail would be blocked at the proxy server. We provide you an e-mail for official use. If you want to get your webmail, forward that to your work addy where we at least get a chance to strip attachments, bugged images, and phishing attempts.
Last but not least, have a good contingency plan. We all know about trojans, phishing, bad attachments and the like. But what's the next internet wildfire? For everything you can think of, there are probably 10 things you can't. Have good backups and at least try to keep a virus on the user's desktop from raping your SAN/NAS. Have a plan for fire and earthquakes/floods. Have a few spare desktops with the standard install already done for when a user borks their setup. Have help files on the desktop for things like setting up Outlook and mapping SAN/NAS drives.
Remember that it's all a matter of usability vs. security. I could make the most secure airline in the world. But no one would ever want to fly completely naked and cuffed to their seats.
Visual Studio is now free.
/ students/default.mspx
http://msdn.microsoft.com/vstudio/express/
They also have TONS of video and print tutorials.
Office can be had for $150.
http://www.microsoft.com/office/editions/prodinfo
And WinXP is around for between $50 and $150.
So, bare bones, you are looking at $200 to be legal. Or, you can spend a few weeks dealing with waiting for a WGA hack to come out.
Here's a little hint: If pirated copies stopped working, people would buy a legal copy. Computers and components cost a lot. Anyone with the extra scratch around to build a custom PC would be more than willing to shell out $99 for WinXP Home. And if you bought your PC, then just throw in the restore disc.
I know the Linux mentality suggests that 99% of the pirates would suddenly up and switch to an alternative. It won't happen.
Grandma will not spend thousands on a new Mac; she'll get the Geek Squad to install Windows.
Mom won't install Ubuntu; she'll drop a Benjamin on WinXP.
Starving college kids will head over to the school bookstore and grab a student copy for next to nothing.
And MS will make it easy. They'll drop prices and offer discounts if you rat out who gave you the copy. They might even release a tool to map out the distribution of license keys to see if they could track the original licensee.
A WinXP killswitch will not boost the download stats for Debian or RedHat. It'll just boost MS 3rd quarter earnings.
Every big company works exactly the same way. Instead of having prima-donna base commanders, the civvies have CEOs. Instead of blow-hard group commanders, the civilians have CIOs, CFOs, etc. Instead of incompetent lieutenants, you'll be faced with stupid managers.
The biggest difference? You can actually get fired from a civilian company.
Being in the military sucks sometimes. But it sure beats working for a living.
I agree completely. But I'll take it a little further. If you are under 40 right now, don't plan on retiring till you are at least 70. After that, you'll get a good 20 or 30 years to lounge around and tend roses or write code and play with the grandkids.
A lot of the baby boomers are starting to look at retirement. We have to make the change in retirement age now, before they retire. After they retire, you'll have a working minority paying for the majority of Americans to lounge around, take Viagra, and fuck each other all day. And we'll keep paying till they finally die around age 90.
I don't know about you, but I don't plan on paying 60% income tax just so your mom can retire at 62.
Not entirely true. With the recent release of Vista Beta, I decided to try out VM Ware. Well, not really. I'd used VM Ware years before (when it was like $99) and had tried several "free" editions available on popular download sites everywhere. Anyway...
So, I go to the VM Ware site and I see that what you really offer is a free "beta" edition of VM Ware Server 5.
So, at some point, it may or may not leave beta. If it does, your keys may or may not expire. What you advertise as "free" is, in fact, a possible ticking bomb on a system.
As an individual, you have the freedom to decide what you put on your website. Aside from a few taboo subjects, you have the freedom to do pretty much whatever you want.
Why should MS be different?
Sure, you can point at artificial market constraints as a reason MS should play nice. But, at the end of the day, you either support freedom in the software marketplace, or you don't.
If you support free software (and individual freedoms), you have to believe that MS should be allowed to publish *their* documentation in whatever format they choose. If the market likes the XPS format, then the market will go that way.
If, however, MS tried to make Acrobat run poorly or not at all, then you'd have a valid complaint.
Remember, by providing documentation in their own format, they are not removing your choice. You are still free to download Acrobat at your leisure.
Don't snap off your PCI slot. Soon, we'll see modder cases with rails to support the front of the cards.
Or maybe, just maybe, old-school lay-down cases will come back in style.
There is a third option. PDF may be a registered trademark of Adobe. Or, since most lusers have no idea what a file extension is, MS may have named the save option "save as Acrobat".
One big problem with getting your legal news online is that you get a distorted version of the facts. In this matter, there are three points of view: MS's PoV, Adobe's PoV, and the truth.
Seeing as how MS pulled vice fighting, they were probably in the wrong.
Ironically enough, the user/pass they used to access his site was:
bugmenot/bugmenot
Before you go out and buy something like this, just take an extension cord and a laptop out to the main telco box. Some cable, a screwdriver, and a pair of snips will just about cover what you need.
However, the telcos get really bitchy about you tapping into the box. Be discreet.
Anyway, test the line in the house, then go out to the box and test it there.
I've done it both ways and I have not seen any real difference. Mostly snake oil in my opinion.
Well, it *is* a powerful solvent. After all, look at the Appalachian Mountains.
>>Many common chemicals are hard to get nowadays
Hard does not mean impossible. If you are acquiring mass quantities, then it might be a problem. However, just because something requires a background check and/or a permit does not mean that "the man" is coming down on you.
Many common chemicals are dangerous. A chemical compound should be treated like a firearm. They can maim, disfigure, and kill if used improperly.
>>it would be almost impossible for a kid now to learn and investigate chemistry like Edison did
You can, however, simulate just about any reaction in a common chemistry set.
http://modelscience.com/
Edison lived in a different time and place. Racism was rampant, sexism was just as bad, and those who spoke out against the local church were often tarred and feathered.
We've lost a lot of good stuff too. TE could have grown and smoked pot. He could have bought morphine over the counter. He could have lived his entire life without ever worrying about identity theft.
Shit changes. Sometimes for the better. Sometimes for the worse.
What a stupid fucking thing to say. The terrorists don't want you to lose the right to program in C. The terrorists don't want you to lose the right to read pr0n in a library.
The terrorists want two things:
1. Everyone to convert to Islam.
2. Muslims following a strict interpretation of Islamic law.
Unless you are willing to do those two things, then the terrorists will always hate you. Unless you do those two things, the terrorists think you should die.
So, don't pride yourself by thinking that a chemist being raided gives OBL a hardon; it doesn't. The only thing that gives those people hardons is reading the obituaries section of the New York Times.
The program comes as an installer. That won't run on our PCs. Normal users lack the admin rights necessary to install software.
You could try installing it on another PC and copying it over. But, if you needed to write anything in the Windows folder, you'd be out of luck.
Most people don't know what their requirements are. It's easier to install a switch with port replication just before the firewall. Then, use a sniffer to listen for all protocols for a week.
After that, use the internets and your memory to figure out what people are doing.
However, after all that, you'll find that 99% of people can get what they need over 80 and 443. A few will use FTP or SSH. Of those, none of them are really business-related.
We keep a single, unblocked PC in the network operations center. We tell people that if they need an unfiltered connection, come over and use it. Lots of "brains" come over and jump into IRC or newsgroups to work out problems. If they need to be at a specific place when they chat, we have a laptop with a VPN client to get them an unfiltered connection. Just find a spot, plug it into the wall, and call the NOC. 5 minutes later, they are up and running.
We use a packet-analyzing firewall. By default, SSH cannot be tunneled through it. I set up an external server and then used PuTTY to try and connect from internal land. Even after reconfiguring everything to run over port 443, PuTTY cannot create a connection.
The firewall does not care what port you are using. It's smart enough to figure out what protocol you are using.
As for the cubicle nazi thing, that's just dumb. My company has limited resources. We have to ensure that those resources are used properly. I don't have time to run down every downloader and slap them on the wrist. I look at the proxy logs and decide if the top 100 sites are work-related or not.
For a long time, the top 100 sites were mostly pr0n. I mean, seriously people. Why are you surfing pr0n at work?
Video.google.com and YouTube and the like are also blocked now. MySpace was blocked long ago. Virtually all of the Fantasy $sport sites are blocked.
When you are at work, you need to be working, not fucking off on Amazon or eBay.
MRTG can create bandwidth charts for individual ports on most Cisco kit. Run it for 24 hours and then drill down through the gear to find out who the abusers are.
You could also install SNMP on the workstations themselves and track it back that way.
Disable any unused ports and lock active ports to specific MAC addresses to stop the "laptop freeloader" from sucking bits on a rogue PC.
Finally, start blocking all the ports for incoming and outgoing traffic. Open 443 and 80 for outgoing and then wait for people to call. Open ports on a per-user basis. Workers need department head approval. Dept heads need C*O approval.
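As an added example (not code from the post or from any firewall product it mentions), the script below does what this post describes in two steps: it tallies a week of captured flows by what they actually carry rather than by port, flags port/protocol mismatches such as SSH on 443, and reports what an 80/443-only egress rule would cover. The flow records are constructed sample data and the protocol signatures are simplified assumptions.

```python
"""Protocol-by-signature flow summary for an egress-policy review.

Added example, not code from the post or from any firewall product it mentions.
The flow records are constructed sample data and the signatures are simplified.
"""
from collections import Counter

# Constructed sample of a week's capture from the span port, reduced to
# (source, destination, destination port, first bytes the client sent).
FLOWS = [
    ("10.1.1.10", "203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n"),
    ("10.1.1.11", "203.0.113.9", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.1.1.12", "203.0.113.7", 21, b"USER anonymous\r\n"),
    ("10.1.1.13", "203.0.113.8", 22, b"SSH-2.0-OpenSSH_7.9\r\n"),
    ("10.1.1.14", "203.0.113.9", 443, b"\x16\x03\x03\x00\x9c\x01\x00\x00\x98\x03\x03"),
    ("10.1.1.15", "198.51.100.4", 443, b"SSH-2.0-PuTTY_Release_0.70\r\n"),
    ("10.1.1.16", "203.0.113.5", 80, b"POST /upload HTTP/1.1\r\n"),
    ("10.1.1.17", "198.51.100.6", 6667, b"NICK brain\r\nUSER brain 0 * :x\r\n"),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# What a port is supposed to carry; anything else seen on that port is a mismatch.
PORT_EXPECTATION = {80: "http", 443: "tls", 22: "ssh", 21: "ftp", 6667: "irc"}


def classify(payload: bytes) -> str:
    """Name the application protocol from the client's first bytes, ignoring the port.

    A signature check only sees what is in the clear: cleartext SSH on 443 is caught
    (the PuTTY case in the post), while anything already inside TLS is reported as tls.
    """
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record: content type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith((b"USER ", b"PASS ")):
        return "ftp"
    if payload.startswith(b"NICK "):
        return "irc"
    return "unknown"


def summarize(flows, allowed_ports=(80, 443)):
    """Tally flows by port and by real protocol, and show what the allow-list would cut."""
    by_port, by_proto = Counter(), Counter()
    mismatches, blocked = [], []
    for src, dst, port, payload in flows:
        proto = classify(payload)
        by_port[port] += 1
        by_proto[proto] += 1
        expected = PORT_EXPECTATION.get(port)
        if expected is not None and proto not in (expected, "unknown"):
            mismatches.append((src, dst, port, proto))
        if port not in allowed_ports:
            blocked.append((src, dst, port, proto))
    return {
        "by_port": by_port,
        "by_proto": by_proto,
        "mismatches": mismatches,   # e.g. SSH seen on 443
        "blocked": blocked,         # flows an 80/443-only egress rule would stop
        "covered_fraction": 1 - len(blocked) / len(flows) if flows else 0.0,
    }


if __name__ == "__main__":
    report = summarize(FLOWS)
    print("flows per port:", dict(report["by_port"]))
    print("flows per protocol:", dict(report["by_proto"]))
    for entry in report["mismatches"]:
        print("port/protocol mismatch:", entry)
    print(f"{report['covered_fraction']:.0%} of flows fit an 80/443-only policy; "
          f"{len(report['blocked'])} would need a per-user exception")
```

The blocked list is the starting point for the per-user exception process the post describes; the mismatch list is what a port-only allow rule would have let through.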
Just about every organization I have consulted for has assigned the shared drives to high drive letters.
Something like S: for global shares, T: for team shares, P: for personal network storage, O: for organizational forms and memos.
Just come up with something that makes sense within your company.
BTW, when I build a PC at home, the first thing I do is move the drives around. I move the CD/DVD to Z: and my USB hard drive to U:.
I knew they were dropping an authentication token somewhere. I just didn't know where.
>>I *REFUSE* to allow Windows machines on my network any direct net access, no exceptions.
Then you are an idiot. Bad admins can fuck any system. Good admins can secure any system. Sure, zero-days do exist, but the vast majority of those are propagated via "click me now" or "open this funny email".
Saying Windows is bad just lumps you in with all the other conspiracy theorists.
>>I don't do multiplayer, and there should be no requirement for single player to have net access.
And there isn't. After the initial download, you can click a button and play offline without ever needing net access again.
>>So I'm on consoles now for all my gaming.
Good for you. Kiss RTS and good flight sims goodbye. Kiss the mouse/keyboard control for FPS goodbye.
Furthermore, kiss all community expansions goodbye. Compare Morrowind on the PC to Morrowind on the XBox. All the console players missed out on hundreds of gigabytes of community-created goodness.
On top of all that, your 360 and PS3 will just about require net access. The Wii will probably access the interweb as well.