It would be easier to defend against these attacks if companies would standardize on techniques. Cisco and HP are two examples I know of that offer different methods for defending DDoS attacks. Cisco has a number of methods not all of which are compatible with each-other. Perhaps more importantly, Cisco's methods almost always require Cisco products for them to work effectively. HP is a little better about standards these days but their methods are still rather solitary to their Procurve platform. Lately HP has made a huge change dropping Cisco support from at least some of their products in favor of standards that will work with the Nortels, Adtrans, and even Netgears of the world. It is a step in the right direction.
It seems simple, if ISPs can restrict traffic so that forging addresses is impossible then filtering DDoS at the ISP level before its aggregated should be easy. Even then, once it is aggregated it would be chunks of traffic which could easily be identified and blocked either temporarily or permanently allowing others to continue as normal.
If you have no way to measure success then you need a new approach. Treating headaches again and again with Advil sure will get rid of the pain, but eventually you're either going to have a stroke and possibly die or you'll experience kidney or liver failure.
If stress of the job is causing the headaches then you need to find a way to cope with the stress or get a new job. Continuing on course is not the correct action, the definition of insanity is doing the same thing over and over expecting a different result.
Countries certainly can control what leaves and enters, except that its not countries that do control the Internet. Instead, private entities like AT&T, MCI, Sprint, or any of the other carriers that peer with other countries should be implementing systems to prevent these kinds of attacks from spreading not just from country to country but internally as well. The technology exists to prevent DDoS attacks, they just need to implement them. Given the number of tax dollars these companies receive I don't think it's out of the question to get them to implement some basic protections while maintaining anonymity.
Even worse, in the case of a multi-national company like AT&T they peer with themselves to cross borders so they are even more to blame for allowing this type of behavior to occur. Of course I'm looking at it from a U.S. perspective. Estonia's infrastructure may be very different but I'd be willing to bet if their neighbors had similar mechanisms in place then this wouldn't be a problem. It works as great PR for a country when they can support this type of technology but perhaps more importantly if everyone is implementing it then you can't be attacked with those methods. Of course that also means you can't attack with such methods but if you're relying on DDoS then you're probably not a military.
Very sad but true, when there is language specifically starting the case people still get it wrong.
The question then goes forward as to whether we should admit defeat and modify the constitution to be reversed since it seems at least the vast majority of politicians believe you can only do what's in the constitution. It is very sad indeed.
You illustrate the real problem with how the constitution is interpreted today. It was never intended to give people rights, it was intended to give the government rights. There is nothing in the constitution which gives the government the right to take away our privacy except under the most extreme of circumstances which we are not under by any stretch. The issue is muddied by congress and the war powers bill that was passed but regardless the government was never explicitly granted the right to spy on its own people. That means it's unconstitutional and it's plain and simple.
As long as my freedom doesn't restrict the freedom of someone else then I should be allowed to do what I want. That is the principle the country was found upon and in my opinion at least is a principle worth sticking to.
In 2005 you can do all of those things except rip commercial DVDs for obvious reasons. You can fast forward through commercials although you can install some plug-ins that will attempt to skip them automatically. A plug-in is obviously acceptable given the nature of it's competition which is 100% modular. HD Quicktime is accomplished with the klite codec pack or alternatively with Quicktime Alternative installed on the system. MCE is not restricted in any way, it can play h.264 or whatever you like including Ogg support.
The web interface may be new to the Vista versions although it's easy enough to integrate the Media Connect service with a web service that you customize yourself. I haven't seen too much demand for this since most people don't feel the need to modify their play-lists remotely which you can do without a web interface.
Recording options are limited by your hardware, not your software, if you have a way to decode 4 heterogeneous video feeds then you sure can record them all.
Transcoding is as simple as a change of recording preference or a simple save as if you're talking after the fact.
Channel listings can be obtained hundreds of different ways with MCE, all depends on which plug-in you wish to use, alternatively you can just use the default which works almost universally.
I'm not sure what kind of video editing you do using a remote, if you're talking about cutting out commercials you can certainly do that. Anything more complex should be done through Media Connect to another machine where you have real tools for editing. It's easy as pie to setup because of the Media Connect service.
In short, Vista MCE with the proper plug-ins does indeed solve all of those problems, you could even make a plug-in for editing using a remote if you were so inclined. The WMP API is readily accessible and very easy to work with in addition to being well documented. We use MCE to record 4 cameras on a documentation simultaneously without a problem. Additionally it starts the recording and stops it based on an external web-service which also serializes the files. It's quite powerful and very extensible despite what you seem to think.
Of course, once the files are written, they are copied to my server and linked in the database so that they are viewed through our Intranet. It took us all of a week to setup from scratch including the required programming.
MCE can do all that right out of the box. You can also link your XBox 360 for an additional front-end. Short on features it is not. Install the klite codec pack and play anything you like.
I don't think many people realize just how well done it was this time around. MCE sucked when it first came out, but the Vista iterations are outstanding until now of course. The DRM blocking channels is ridiculous and will kill a product which would otherwise be great. Of course, this is why choice is a good thing. It's not like you have to scrap all your hardware to go for a MythTV box after the fact. Won't cost a dime, just a weekend project for those that really wish to record HBO. More and more people will move off as additional content is blocked but make no mistake, the solution is not as elegant as the old way so it will take a lot of blocked content to create a tidal wave that will have any impact on product use of MCE.
I think Microsoft lost an opportunity here, content companies are forcing them to support this type of DRM, they should have done something to add value to the product before adding something which clearly reduces the value of it. It would be like car manufacturers removing the radio from all new models because they are a distraction to the driver. If they don't add something else to make up for the lack of radio then no one will buy the vehicle.
You mean like the RPC vulnerability for Microsoft DNS server? A vulnerability that only matters because people are idiots with security and allow management over the Internet without any encryption? The majority of those vulnerabilities mean nothing if you have setup the machines properly. With basic user level access I've yet to see a trojan than can infect a machine mysteriously. All those vulnerabilities require the user to run a piece of code which isn't trusted. So you really didn't answer the question. How do you run an exploit when you're only allowed to run a select list of executables which is managed from a central database that users only have read access to?
Also, if the machine I'm monitoring is a long distance away then I will call someone who is not that far away to check it out for me. It's basic practice, when something goes out of compliance then no amount of control of that machine is going to impact the analysis that my server has of the machine. They would have to know an awful lot about how the system was deployed, at that point it's less of a technical security problem and more of a cultural one. If people are giving out sensitive information, enough to exploit such a system then users need to be educated about social engineering. Besides that it really doesn't matter what the users know since all management is out of their hands. This is why corporations actually like Windows, this monitoring and management is easy as pie, far easier than any implementation I've ever seen on any Linux distro or Unix variant. All the platforms except for seemingly OS X seem to support this stuff, I'm unsure why people would go through the trouble to deploy it when it is as easy as you say to exploit, although there has never been an exploit for a system such as that. When you've gone through that much trouble you will experience mandatory profiles and at best folder redirection which really makes it hard for any malware to spread or even infect one system.
With basic security in place the majority of malware is pointless and meaningless to me. There is a reason none of the machines in the company I manage machines for have any malware beyond that of cookies which are wiped at login. The beautiful aspect is that some cookies I can store centrally such as cookies for the company Intranet so I can always ensure compliance. That word has been a central theme in corporate America since Windows 2000 came out. Compliance Compliance Compliance! It's a pain in the ass and Microsoft has made is more and more complicated these days but they do make it easy to track compliance.
man that sucks, I was on 768k DSL in 97 in rural Vermont then. It was only $50/month too which I paid for with my part-time job landscaping hotels after school.
How are you planning on changing the permissions in the first place? It's a moot point regardless as the MOM agent will detect the machine is out of compliance and alert me allowing me to visit the machine.
Denying access to a tool like regedit would be a pretty basic first step towards securing a desktop, a no brainer. Fortunately it's not a machine policy but a user policy so as admin I can login and still have my full functionality unlike traditional group policy restrictions. Even if the user had access to regedit they wouldn't have the ability to look at the portions of the tree that affect group policy so I still don't see how someone could disable SMS's ability to enforce policy. What am I missing? Where was the user granted permission to make changes to the registry?
I have heard this too, much like the BMW owner who switches cars more often because he can versus the Toyota owner who is usually more sensible so they keep their vehicles longer. Both cars are quite capable of lasting for very long times but different people buy them. I think that has more to do with it. You touched on that fact a little bit with gamers, they are just one group who are known for their impracticality.
At the same time there are those of us who are practical that run Windows and buy BMWs. The 650mhz machine is the main machine for the house and will be for the foreseeable future. I took my old machine and made it a media server so storage limitations of the 650mhz box is not a problem. It's more than sufficient for video playback and anything else they've wanted to do thus far. I'm a power user, whether I had a Mac or PC I'd be using something newer anyways. I've seen those 500mhz Ti laptops and they run OS X very slowly despite the two people that responded to your post. Yes it runs, I'll even admit it runs better than I expect assuming the thing has enough ram which is usually the problem with older machines both Mac and PC.
A 500mhz machine with loads of ram is quite capable of running XP and keep in mind that at the time with the G3, Apple was advertising that it was as fast as a PC processor with twice the clock. That means Windows XP is far less intensive if you believe the advertising. Of course I think we can probably agree its about even. It wasn't until the GHZ mark was reached on the PC side that Apple started getting decimated in performance which took years to recover from even with the G5 breaking about even.
I can agree with your sentiment, of course they don't have cable now anyways as I said they are trying to put money away for the move. They would be fine. I just think a right to privacy is a fundamental principle to live by. Yes he could find a job at McDonalds to get money immediately but in Vermont at least, it's either IBM or you move to another state. Given the current housing market it would take him probably a year to sell his house. In that situation he'd be forced out of his industry until he could move to a new location.
I won't work for a company that does drug testing, I don't mind background checks if you are going to work with sensitive information but I think privacy is very important as I see it eroding everywhere these days.
I didn't mean to give the impression that it was impossible to tighten the budget with kids, merely that it was a lot more difficult than the parent poster led on and that such decisions can have very negative repercussions both on the kids and on the wife. When you have multiple points of view to consider the decision is far more difficult and more often than not results in accepting the loss of privacy.
Given that I am not encumbered in the same way I will stand up loud and try to make sure others who are will not be forced down the wrong path. Of course it's my opinion that its the wrong path. I believe the discussion is debatable for certain circumstances which is why I don't believe it should be outlawed.
I completely agree, drug users are of no concern to anyone in my opinion, I could see a company not wanting to employ a drug abuser. Someone that smokes a little weed on the weekend is not likely to be a bad employee, the chances are so small that drug testing is pointless and only serves as a breach of privacy.
I didn't know Windows users sold their old hardware more than Mac users. Last I checked when it was time for a new computer the old one gets moved to the playroom for the kids or becomes a media center PC or in my case became the common computer for my roommates. It's an Athlon 650 running XP perfectly well. It's 8 years now.
No, there are many differences between OS X and Windows users but this is not one of them.
wow, forget about the family much? Tightening your belt is easy, tightening the diaper budget is not. Some people do not have a choice despite what you seem to think.
My brother-in-law for example is the sole provider for his wife and three kids. They do just fine right now because he has a job that pays well enough. What if that employee decides fingerprinting is now mandatory? What about any number of other tests they can do that are clear violations of privacy? He could either submit and give up his rights, quit and hope he can find another job before the money runs out and his kids go hungry, or he gets fired for not submitting. In two of the three options he is out of a job and in the process of looking for another.
He's in a good situation personally, they've been saving up money to move out this way where jobs are better but there is definite risk involved. They also invested wisely in their house which has gone up tremendously in value. There would still be hard times if he stuck to his principles which are the principles America was founded upon.
For a bank I can see some background checking done, fingerprinting isn't required for that and drug testing is irrelevant for any employer considering your actions at work determine your level of competency. If that work is inconsistent then that is grounds for dismissal. Naturally this rarely happens as the vast vast vast majority of people are not drug abusers.
I look to the Apollo Group and subsequently the University of Phoenix for good hiring practices. They do quite well without drug testing and have many people in their employment across the country. The owner is cool too, I don't even work for the company.
MOM would detect that configuration change, SMS would change it back and force a reboot before anything could be done. Even if you changed the permissions on the registry the current group policy still applies, so regardless the attacker would have to reboot the machine which would SMS would pull the configuration. Last I checked those vulnerabilities only applied to opening untrusted documents on a trusted machine. To if you were going with a whitelist for management which in my mind is far too restrictive then you wouldn't even be able to run regedit as only SMS is allowed to modify the registry, or administrators of course.
I could be wrong but I haven't found any privilege escalation problems with Word 2003/2007, all the security bulletins are for opening documents which the user shouldn't have had access to in the first place. Security is difficult to maintain, but not impossible given enough resources. The same holds true for all the Linux distros out there. It's a universal, local privilege escalation is an issue in every environment, even OpenBSD.
Thank you for correcting me, I hadn't realized I had read it slightly wrong. It's important to be clear in that such things can impact the global temperature and they are just one of many contributions that humans impose on the Earth as a whole.
That is not possible as nothing in Active Directory decides that. I'm talking about DEP which I've never seen an exploit for to date. When you have SMS and MOM in your network you have a considerable amount of control over the desktop. The list of supported software is stored on the central database and would be very difficult for any malware to modify the list to support additional software. Not impossible, but I would say highly unlikely.
If you're talking about Fortres or Deepfreeze then you are correct, I'm talking about the integrated Microsoft approach which is far more difficult considering, if you replace a trusted exe then MOM will instantly alert me and SMS will push out a new copy of the trusted executable. I've yet to see someone break it. I'm sure its not impossible but its not as easy as you make it sound. I can make it even more difficult through the use of Tripwire but I only deploy that on extremely critical servers.
If my security policy disables the ability for the user to execute anything but the trusted apps I have on their machines which I can manage and monitor in real-time via SMS/MOM then no virus or trojan is going to jump anywhere because it will never have a chance to execute. The mechanisms are there, they are no more hidden than a config file in a linux distro. I was also not giving examples of Windows security, I was stating how false the parents claim was that you couldn't do it.
The focus these days is turning that functionality into practical application, something easy enough that home users can manage it themselves. That's what Microsoft is trying to do with the Cancel Allow crap.
I already agreed that it was designed improperly, just the items mentioned by the parent were completely false. With that said Microsoft does provide security templates on their website that anyone can download and easily apply to their computers. Microsoft's install-base is far too large to lock down every feature otherwise new installs would piss people off more than they already do because they have to re-enable file sharing, rpc, remote desktop and whatever other services that would be handy for even a home user.
It's always been the biggest complaint I receive about Linux distros, you have to go through an enablement process before you can plug in your scanner or your brand new printer or webcam. Distros like Ubuntu have made great progress on this front but they are coming at it from the opposite end that Microsoft is. Both camps are heading to the same location where it "Just Works" and is safe
I agree the point was poorly written and they should make an effort to be as clear as possible because of statements like yours.
That said they should have been more up front about what it means that Mars and Pluto are both warming as well. I don't think anyone has ever claimed that global warming is being caused by humans alone, only that humans are making the problem worse. They are making the assumption that you as the reader would understand that there are many causes for everything we see on a global scale such in thick ice in Canada and droughts in Florida.
There is so much evidence overwhelmingly supporting the position that humans are accelerating the natural cycle which is only bad for everyone. We can look forward to increasingly violent storms throughout the world with different parts experiencing it at different times. People tend to get all flustered when they know something is right and it's obviously right and someone is standing there seeing the same things and saying its wrong. It's happened to me a hundred times in meetings as I say the app is written this way to make them operate this way and the users are disagreeing because they don't understand what it is they are seeing despite it being their job to understand it.
It's also happened to me with Turbotax, I go through and do mine, then I sit my sister down and she can't be bothered to read the screen to figure out what she needs to do despite it being very easy and obvious what to do.
Global warming is the same way, there is a ton of evidence for it, there is as of yet no evidence refuting that when all the planes stopped on 9/11 that the earth as a whole didn't drop in temperature. Facts like that make it obvious the level of impact humans have on the earth. If stopping all the planes results in just a 1 degree drop how would stopping all cars effect the temperature?
The FAA and NASA have long been supporters of Unix and Linux so I don't know what you were trying to say with that comment.
No one needs to get into all the new features in Vista, you've obviously not checked it out if you think it is that similar to XP.
With that said you are right in that there is little to push people to the new OS right now. It is not as different as 98 was to 2000 but it is at least as different as 95 was to 98. They took a lot of good ideas they got through the rough times of XP and implemented them properly, they learned from a lot of their mistakes and I'll grant that they made some new ones. Of course they are still working with a monolithic kernel so it will still have service dependency issues and network chatter. Corporate policy decisions like phoning home are not technical issues but they do indeed count against it.
I generally despise all things Apple but I do respect that they don't force you to activate OS X. If they were going to emulate the things Apple did right in OS X they should have included that. Of course there are versions out now which don't phone home which I have ready access to through MSDN so maybe they just wanted it for an added layer for home users.
Cheers to that, I thought the same thing. In my company I have to authorize all the updates which get pushed to all the workstations so such a thing wouldn't work here even if it were possible. WGA is the sole reason I'm always careful come update day, I always have to make sure its not selected, I wish SMS had a hide forever feature like Automatic update does.
huh? I mean seriously, huh? What century are you in?
Windows 2000 and later you can make USB sticks read-only for non-admin users through group policy. System file changes do require the user to intervene, even if the user isn't aware system file changes are logged and have been logged since Windows 2000 "self-healing" became prevalent. With XP SP2 things became more obvious and with Vista things are blatantly obvious when there is a system change as the Allow Cancel dialog pops up.
Seriously, why make a point about the operating system being designed improperly if you're going to support it with completely false evidence. You could at least use real evidence like memory management and service dependency problems in the Windows world. It would be real, it is a poorly designed system but despite that they make it work for the vast majority of users out there.
Linux systems are just as susceptible to trojans of this sort. When the user opens something from an untrusted source and blindly clicks like would be required in Vista then almost anything is possible. There are ways to mitigate the risks on both sides but typical setups will still be quite susceptible.
I'm curious what you think Administrator can't do on a Windows system as well, perhaps you mean they don't make potentially dangerous features readily accessible? Perhaps you mean the protected-mode nature of the kernel preventing flashing of internal firmware which also isn't problem? Add in Powershell and I'm thoroughly confused as to what you think administrative users can't do.
Slashdot Mirror
It would be easier to defend against these attacks if companies would standardize on techniques. Cisco and HP are two examples I know of that offer different methods for defending DDoS attacks. Cisco has a number of methods not all of which are compatible with each-other. Perhaps more importantly, Cisco's methods almost always require Cisco products for them to work effectively. HP is a little better about standards these days but their methods are still rather solitary to their Procurve platform. Lately HP has made a huge change dropping Cisco support from at least some of their products in favor of standards that will work with the Nortels, Adtrans, and even Netgears of the world. It is a step in the right direction.
It seems simple, if ISPs can restrict traffic so that forging addresses is impossible then filtering DDoS at the ISP level before its aggregated should be easy. Even then, once it is aggregated it would be chunks of traffic which could easily be identified and blocked either temporarily or permanently allowing others to continue as normal.
If you have no way to measure success then you need a new approach. Treating headaches again and again with Advil sure will get rid of the pain, but eventually you're either going to have a stroke and possibly die or you'll experience kidney or liver failure.
If stress of the job is causing the headaches then you need to find a way to cope with the stress or get a new job. Continuing on course is not the correct action, the definition of insanity is doing the same thing over and over expecting a different result.
Countries certainly can control what leaves and enters, except that its not countries that do control the Internet. Instead, private entities like AT&T, MCI, Sprint, or any of the other carriers that peer with other countries should be implementing systems to prevent these kinds of attacks from spreading not just from country to country but internally as well. The technology exists to prevent DDoS attacks, they just need to implement them. Given the number of tax dollars these companies receive I don't think it's out of the question to get them to implement some basic protections while maintaining anonymity.
Even worse, in the case of a multi-national company like AT&T they peer with themselves to cross borders so they are even more to blame for allowing this type of behavior to occur. Of course I'm looking at it from a U.S. perspective. Estonia's infrastructure may be very different but I'd be willing to bet if their neighbors had similar mechanisms in place then this wouldn't be a problem. It works as great PR for a country when they can support this type of technology but perhaps more importantly if everyone is implementing it then you can't be attacked with those methods. Of course that also means you can't attack with such methods but if you're relying on DDoS then you're probably not a military.
Very sad but true, when there is language specifically starting the case people still get it wrong.
The question then goes forward as to whether we should admit defeat and modify the constitution to be reversed since it seems at least the vast majority of politicians believe you can only do what's in the constitution. It is very sad indeed.
You illustrate the real problem with how the constitution is interpreted today. It was never intended to give people rights, it was intended to give the government rights. There is nothing in the constitution which gives the government the right to take away our privacy except under the most extreme of circumstances which we are not under by any stretch. The issue is muddied by congress and the war powers bill that was passed but regardless the government was never explicitly granted the right to spy on its own people. That means it's unconstitutional and it's plain and simple.
As long as my freedom doesn't restrict the freedom of someone else then I should be allowed to do what I want. That is the principle the country was found upon and in my opinion at least is a principle worth sticking to.
In 2005 you can do all of those things except rip commercial DVDs for obvious reasons. You can fast forward through commercials although you can install some plug-ins that will attempt to skip them automatically. A plug-in is obviously acceptable given the nature of it's competition which is 100% modular. HD Quicktime is accomplished with the klite codec pack or alternatively with Quicktime Alternative installed on the system. MCE is not restricted in any way, it can play h.264 or whatever you like including Ogg support.
The web interface may be new to the Vista versions although it's easy enough to integrate the Media Connect service with a web service that you customize yourself. I haven't seen too much demand for this since most people don't feel the need to modify their play-lists remotely which you can do without a web interface.
Recording options are limited by your hardware, not your software, if you have a way to decode 4 heterogeneous video feeds then you sure can record them all.
Transcoding is as simple as a change of recording preference or a simple save as if you're talking after the fact.
Channel listings can be obtained hundreds of different ways with MCE, all depends on which plug-in you wish to use, alternatively you can just use the default which works almost universally.
I'm not sure what kind of video editing you do using a remote, if you're talking about cutting out commercials you can certainly do that. Anything more complex should be done through Media Connect to another machine where you have real tools for editing. It's easy as pie to setup because of the Media Connect service.
In short, Vista MCE with the proper plug-ins does indeed solve all of those problems, you could even make a plug-in for editing using a remote if you were so inclined. The WMP API is readily accessible and very easy to work with in addition to being well documented. We use MCE to record 4 cameras on a documentation simultaneously without a problem. Additionally it starts the recording and stops it based on an external web-service which also serializes the files. It's quite powerful and very extensible despite what you seem to think.
Of course, once the files are written, they are copied to my server and linked in the database so that they are viewed through our Intranet. It took us all of a week to setup from scratch including the required programming.
MCE can do all that right out of the box. You can also link your XBox 360 for an additional front-end. Short on features it is not. Install the klite codec pack and play anything you like.
I don't think many people realize just how well done it was this time around. MCE sucked when it first came out, but the Vista iterations are outstanding until now of course. The DRM blocking channels is ridiculous and will kill a product which would otherwise be great. Of course, this is why choice is a good thing. It's not like you have to scrap all your hardware to go for a MythTV box after the fact. Won't cost a dime, just a weekend project for those that really wish to record HBO. More and more people will move off as additional content is blocked but make no mistake, the solution is not as elegant as the old way so it will take a lot of blocked content to create a tidal wave that will have any impact on product use of MCE.
I think Microsoft lost an opportunity here, content companies are forcing them to support this type of DRM, they should have done something to add value to the product before adding something which clearly reduces the value of it. It would be like car manufacturers removing the radio from all new models because they are a distraction to the driver. If they don't add something else to make up for the lack of radio then no one will buy the vehicle.
You mean like the RPC vulnerability for Microsoft DNS server? A vulnerability that only matters because people are idiots with security and allow management over the Internet without any encryption? The majority of those vulnerabilities mean nothing if you have setup the machines properly. With basic user level access I've yet to see a trojan than can infect a machine mysteriously. All those vulnerabilities require the user to run a piece of code which isn't trusted. So you really didn't answer the question. How do you run an exploit when you're only allowed to run a select list of executables which is managed from a central database that users only have read access to?
Also, if the machine I'm monitoring is a long distance away then I will call someone who is not that far away to check it out for me. It's basic practice, when something goes out of compliance then no amount of control of that machine is going to impact the analysis that my server has of the machine. They would have to know an awful lot about how the system was deployed, at that point it's less of a technical security problem and more of a cultural one. If people are giving out sensitive information, enough to exploit such a system then users need to be educated about social engineering. Besides that it really doesn't matter what the users know since all management is out of their hands. This is why corporations actually like Windows, this monitoring and management is easy as pie, far easier than any implementation I've ever seen on any Linux distro or Unix variant. All the platforms except for seemingly OS X seem to support this stuff, I'm unsure why people would go through the trouble to deploy it when it is as easy as you say to exploit, although there has never been an exploit for a system such as that. When you've gone through that much trouble you will experience mandatory profiles and at best folder redirection which really makes it hard for any malware to spread or even infect one system.
With basic security in place the majority of malware is pointless and meaningless to me. There is a reason none of the machines in the company I manage machines for have any malware beyond that of cookies which are wiped at login. The beautiful aspect is that some cookies I can store centrally such as cookies for the company Intranet so I can always ensure compliance. That word has been a central theme in corporate America since Windows 2000 came out. Compliance Compliance Compliance! It's a pain in the ass and Microsoft has made is more and more complicated these days but they do make it easy to track compliance.
man that sucks, I was on 768k DSL in 97 in rural Vermont then. It was only $50/month too which I paid for with my part-time job landscaping hotels after school.
How are you planning on changing the permissions in the first place? It's a moot point regardless as the MOM agent will detect the machine is out of compliance and alert me allowing me to visit the machine.
Denying access to a tool like regedit would be a pretty basic first step towards securing a desktop, a no brainer. Fortunately it's not a machine policy but a user policy so as admin I can login and still have my full functionality unlike traditional group policy restrictions. Even if the user had access to regedit they wouldn't have the ability to look at the portions of the tree that affect group policy so I still don't see how someone could disable SMS's ability to enforce policy. What am I missing? Where was the user granted permission to make changes to the registry?
I have heard this too, much like the BMW owner who switches cars more often because he can versus the Toyota owner who is usually more sensible so they keep their vehicles longer. Both cars are quite capable of lasting for very long times but different people buy them. I think that has more to do with it. You touched on that fact a little bit with gamers, they are just one group who are known for their impracticality.
At the same time there are those of us who are practical that run Windows and buy BMWs. The 650mhz machine is the main machine for the house and will be for the foreseeable future. I took my old machine and made it a media server so storage limitations of the 650mhz box is not a problem. It's more than sufficient for video playback and anything else they've wanted to do thus far. I'm a power user, whether I had a Mac or PC I'd be using something newer anyways. I've seen those 500mhz Ti laptops and they run OS X very slowly despite the two people that responded to your post. Yes it runs, I'll even admit it runs better than I expect assuming the thing has enough ram which is usually the problem with older machines both Mac and PC.
A 500mhz machine with loads of ram is quite capable of running XP and keep in mind that at the time with the G3, Apple was advertising that it was as fast as a PC processor with twice the clock. That means Windows XP is far less intensive if you believe the advertising. Of course I think we can probably agree its about even. It wasn't until the GHZ mark was reached on the PC side that Apple started getting decimated in performance which took years to recover from even with the G5 breaking about even.
I can agree with your sentiment, of course they don't have cable now anyways as I said they are trying to put money away for the move. They would be fine. I just think a right to privacy is a fundamental principle to live by. Yes he could find a job at McDonalds to get money immediately but in Vermont at least, it's either IBM or you move to another state. Given the current housing market it would take him probably a year to sell his house. In that situation he'd be forced out of his industry until he could move to a new location.
I won't work for a company that does drug testing, I don't mind background checks if you are going to work with sensitive information but I think privacy is very important as I see it eroding everywhere these days.
I didn't mean to give the impression that it was impossible to tighten the budget with kids, merely that it was a lot more difficult than the parent poster led on and that such decisions can have very negative repercussions both on the kids and on the wife. When you have multiple points of view to consider the decision is far more difficult and more often than not results in accepting the loss of privacy.
Given that I am not encumbered in the same way I will stand up loud and try to make sure others who are will not be forced down the wrong path. Of course it's my opinion that its the wrong path. I believe the discussion is debatable for certain circumstances which is why I don't believe it should be outlawed.
I completely agree, drug users are of no concern to anyone in my opinion, I could see a company not wanting to employ a drug abuser. Someone that smokes a little weed on the weekend is not likely to be a bad employee, the chances are so small that drug testing is pointless and only serves as a breach of privacy.
I didn't know Windows users sold their old hardware more than Mac users. Last I checked when it was time for a new computer the old one gets moved to the playroom for the kids or becomes a media center PC or in my case became the common computer for my roommates. It's an Athlon 650 running XP perfectly well. It's 8 years now.
No, there are many differences between OS X and Windows users but this is not one of them.
wow, forget about the family much? Tightening your belt is easy, tightening the diaper budget is not. Some people do not have a choice despite what you seem to think.
My brother-in-law for example is the sole provider for his wife and three kids. They do just fine right now because he has a job that pays well enough. What if that employee decides fingerprinting is now mandatory? What about any number of other tests they can do that are clear violations of privacy? He could either submit and give up his rights, quit and hope he can find another job before the money runs out and his kids go hungry, or he gets fired for not submitting. In two of the three options he is out of a job and in the process of looking for another.
He's in a good situation personally, they've been saving up money to move out this way where jobs are better but there is definite risk involved. They also invested wisely in their house which has gone up tremendously in value. There would still be hard times if he stuck to his principles which are the principles America was founded upon.
For a bank I can see some background checking done, fingerprinting isn't required for that and drug testing is irrelevant for any employer considering your actions at work determine your level of competency. If that work is inconsistent then that is grounds for dismissal. Naturally this rarely happens as the vast vast vast majority of people are not drug abusers.
I look to the Apollo Group and subsequently the University of Phoenix for good hiring practices. They do quite well without drug testing and have many people in their employment across the country. The owner is cool too, I don't even work for the company.
MOM would detect that configuration change, SMS would change it back and force a reboot before anything could be done. Even if you changed the permissions on the registry the current group policy still applies, so regardless the attacker would have to reboot the machine which would SMS would pull the configuration. Last I checked those vulnerabilities only applied to opening untrusted documents on a trusted machine. To if you were going with a whitelist for management which in my mind is far too restrictive then you wouldn't even be able to run regedit as only SMS is allowed to modify the registry, or administrators of course.
I could be wrong but I haven't found any privilege escalation problems with Word 2003/2007, all the security bulletins are for opening documents which the user shouldn't have had access to in the first place. Security is difficult to maintain, but not impossible given enough resources. The same holds true for all the Linux distros out there. It's a universal, local privilege escalation is an issue in every environment, even OpenBSD.
Thank you for correcting me, I hadn't realized I had read it slightly wrong. It's important to be clear in that such things can impact the global temperature and they are just one of many contributions that humans impose on the Earth as a whole.
That is not possible as nothing in Active Directory decides that. I'm talking about DEP which I've never seen an exploit for to date. When you have SMS and MOM in your network you have a considerable amount of control over the desktop. The list of supported software is stored on the central database and would be very difficult for any malware to modify the list to support additional software. Not impossible, but I would say highly unlikely.
If you're talking about Fortres or Deepfreeze then you are correct, I'm talking about the integrated Microsoft approach which is far more difficult considering, if you replace a trusted exe then MOM will instantly alert me and SMS will push out a new copy of the trusted executable. I've yet to see someone break it. I'm sure its not impossible but its not as easy as you make it sound. I can make it even more difficult through the use of Tripwire but I only deploy that on extremely critical servers.
If my security policy disables the ability for the user to execute anything but the trusted apps I have on their machines which I can manage and monitor in real-time via SMS/MOM then no virus or trojan is going to jump anywhere because it will never have a chance to execute. The mechanisms are there, they are no more hidden than a config file in a linux distro. I was also not giving examples of Windows security, I was stating how false the parents claim was that you couldn't do it.
The focus these days is turning that functionality into practical application, something easy enough that home users can manage it themselves. That's what Microsoft is trying to do with the Cancel Allow crap.
I already agreed that it was designed improperly, just the items mentioned by the parent were completely false. With that said Microsoft does provide security templates on their website that anyone can download and easily apply to their computers. Microsoft's install-base is far too large to lock down every feature otherwise new installs would piss people off more than they already do because they have to re-enable file sharing, rpc, remote desktop and whatever other services that would be handy for even a home user.
It's always been the biggest complaint I receive about Linux distros, you have to go through an enablement process before you can plug in your scanner or your brand new printer or webcam. Distros like Ubuntu have made great progress on this front but they are coming at it from the opposite end that Microsoft is. Both camps are heading to the same location where it "Just Works" and is safe
Fine, apply one of thousands of custom security templates that Microsoft has on their site, makes it just a double click, accept, reboot.
I agree the point was poorly written and they should make an effort to be as clear as possible because of statements like yours.
That said they should have been more up front about what it means that Mars and Pluto are both warming as well. I don't think anyone has ever claimed that global warming is being caused by humans alone, only that humans are making the problem worse. They are making the assumption that you as the reader would understand that there are many causes for everything we see on a global scale such in thick ice in Canada and droughts in Florida.
There is so much evidence overwhelmingly supporting the position that humans are accelerating the natural cycle which is only bad for everyone. We can look forward to increasingly violent storms throughout the world with different parts experiencing it at different times. People tend to get all flustered when they know something is right and it's obviously right and someone is standing there seeing the same things and saying its wrong. It's happened to me a hundred times in meetings as I say the app is written this way to make them operate this way and the users are disagreeing because they don't understand what it is they are seeing despite it being their job to understand it.
It's also happened to me with Turbotax, I go through and do mine, then I sit my sister down and she can't be bothered to read the screen to figure out what she needs to do despite it being very easy and obvious what to do.
Global warming is the same way, there is a ton of evidence for it, there is as of yet no evidence refuting that when all the planes stopped on 9/11 that the earth as a whole didn't drop in temperature. Facts like that make it obvious the level of impact humans have on the earth. If stopping all the planes results in just a 1 degree drop how would stopping all cars effect the temperature?
The FAA and NASA have long been supporters of Unix and Linux so I don't know what you were trying to say with that comment.
No one needs to get into all the new features in Vista, you've obviously not checked it out if you think it is that similar to XP.
With that said you are right in that there is little to push people to the new OS right now. It is not as different as 98 was to 2000 but it is at least as different as 95 was to 98. They took a lot of good ideas they got through the rough times of XP and implemented them properly, they learned from a lot of their mistakes and I'll grant that they made some new ones. Of course they are still working with a monolithic kernel so it will still have service dependency issues and network chatter. Corporate policy decisions like phoning home are not technical issues but they do indeed count against it.
I generally despise all things Apple but I do respect that they don't force you to activate OS X. If they were going to emulate the things Apple did right in OS X they should have included that. Of course there are versions out now which don't phone home which I have ready access to through MSDN so maybe they just wanted it for an added layer for home users.
Cheers to that, I thought the same thing. In my company I have to authorize all the updates which get pushed to all the workstations so such a thing wouldn't work here even if it were possible. WGA is the sole reason I'm always careful come update day, I always have to make sure its not selected, I wish SMS had a hide forever feature like Automatic update does.
huh? I mean seriously, huh? What century are you in?
Windows 2000 and later you can make USB sticks read-only for non-admin users through group policy. System file changes do require the user to intervene, even if the user isn't aware system file changes are logged and have been logged since Windows 2000 "self-healing" became prevalent. With XP SP2 things became more obvious and with Vista things are blatantly obvious when there is a system change as the Allow Cancel dialog pops up.
Seriously, why make a point about the operating system being designed improperly if you're going to support it with completely false evidence. You could at least use real evidence like memory management and service dependency problems in the Windows world. It would be real, it is a poorly designed system but despite that they make it work for the vast majority of users out there.
Linux systems are just as susceptible to trojans of this sort. When the user opens something from an untrusted source and blindly clicks like would be required in Vista then almost anything is possible. There are ways to mitigate the risks on both sides but typical setups will still be quite susceptible.
I'm curious what you think Administrator can't do on a Windows system as well, perhaps you mean they don't make potentially dangerous features readily accessible? Perhaps you mean the protected-mode nature of the kernel preventing flashing of internal firmware which also isn't problem? Add in Powershell and I'm thoroughly confused as to what you think administrative users can't do.