You know what's odd? My father in law works for the home office, and when I was there over the holidays I noticed that a LOT of his bulbs have been replaced with CF bulbs. It would have happened in the span of a month. So apparently the way that Wal-Mart is going to do this is simply mandate that ALL employess buy CF bulbs and use them in their homes. That should pretty quickly reach their goal eh? Nice.
Right click the shortcut and prepend the following:
C:\WINDOWS\system32\runas.exe/savecred/user:administrator
The first time you run the app it'll prompt you for the admin password (in an UGLY ass dos box) after that it'll run with no prompting. Honestly, this isn't rocket science. Not quite as slick as suid, but it works. Until you change the admin password of course.
I take care of a couple hundred machines and the FIRST thing I did when I was hired was to set up an automatic install. It's a pretty tiny investment when you think about it. I didn't even do the standard hard drive cloning, I did it the HARD way and scripted a full XP install, which then hooks into automatic application install after XP is done. This is BASIC stuff. I can't believe the outright negligence of an IT department that doesn't have some sort of restore process.
Is slipshod security practices within a company. Sure security breaches are pretty damn scary, but I've worked with some PRETTY big company who had some pretty lousy security practices, and should know better. I recently worked with a HUGE payroll company to outsource my employer's payroll to them. The task fell to me to export all the data from our existing payroll system, perform some data hygene, and send it to this payroll company in delimeted format.
They suggested that I simply attach the.tab files to an email and email them on over. I balked a that suggestion. We've got full names, DOB, SSN, address, tax information, bank account numbers, the WORKS! They wanted me to transmit the files in the clear to their email where who knows how long this info will sit in their outlook inbox, and how MANY people will see it. I made some rather more secure suggestions, but in the end we settled on password protected.zip files hosted on a password protected webpage. Pretty feeble security if you ask me, but WORLDS better than what they wanted.
I guess the point I'm trying to make is most companies don't give a SHIT about your data. They'll play along and act like they do, but implementing proper internal security practices is HARD and EXPENSIVE. This law is a step in the right direction, but it simply isn't enough.
On the topic of CRON. Why is windows task scheduler so utterly worthless? I mean come ON! This is the finest software company on earth and they can't write a decent task scheduler? Why is it that all my tasks stop working when I follow proper security guidelines and change my password? Oh, it's because each task is stored with the password of the user who runs the task? I see. So you can run tasks as other users. Brilliant! 'course it means that every time my password changes (3 months) I have to step down the list of 15 or so scheduled tasks and clickety click with my mouse to put in the new password. Sheesh. What utter crap.
Ability to partition your hard drive is important. I've seen brand new PCs coming out with 120+Gb HDs with a single windows-already-installed partition. This is utterly idiot. All stuff (system, apps, data) packed together in C:\.
Heh, HP is REALLY bad about partitioning a drive to not use its full capacity. So let's say you've got a 120GB hard drive, well they'll partition off 80GB of it for a windows drive and the balance of your disk is left unpartitioned. In your case it might be a _good_ thing, since you want another partition. I however can just envision all those home users out there who wonder why their 120 GB hard drive filled up with g0at pr0n so dang fast.
The trick is, to work _smart_ not hard. I'm a one man IS department with around 150 workstations spread out over one home office and 84 or so branch offices. We cover something like 7 states at present and increase branch offices at the rate of 4 per year. When I first took over, there were MANY weekends spent working. I had to set up a Win2k AD as well as DHCP server and DNS server. Had to clean up the incredibly disorganized file shares. Login scripts, restore scripts, GPO's, ect. However, I've put in the work now, and it's paying off. Most of my day to day calls are on the order of "reboot and try again". The really tough ones deal with hardware failures, and I have to make a road trip or find a local tech who will fix it.
The trick is that we are knowledge workers. We get paid to think. So Think of a way you can do your job more efficciently. It seems to me that you're getting all caught up in the management side of it, and you want to manage processes and such. Well, it sure would be nice if it worked like that in the real world, but when you're a one man operation...it simply doesn't. You've got to get out there and do what it takes to keep the users happy, and most of all, keep them off your back! Save those management seminars for when you've got a couple people under you. I say one motivated nerd can do a LOT more than you think. No need to hire a staff just yet...
Hmmm, I don't know what you're doing with your XP boxes, but in my experience the number one cause of boot failures in XP is bad hard drives. I don't know what other admins do, but I've got a custom XP installation that strips out and disables all the band-aid crap like system restore and all that garbage. Installs only the apps that are needed for our environment, and my users are NOT admins, so they don't install any new (cr)apps. A full install in my office is all of about 10 apps (office, Irfanview, Acrobat reader, SAV corporate, ect.) and that's IT. My machines give me no trouble other than hardware trouble. I guess, that's one good argument for keeping it as simple as possible.
"There are, however, steps that can be taken to reduce rogue
behaviour," said Callens. "Firstly, regularly change system passwords that
employ both letters and numerals..."
WTD? How does this stop people from dragging & dropping to a USB based camera? One would assume that if your company is SO concerned about valuable information walking out the door, you'd have a sane permissions policy i.e. only allow the users access to the infomration they need. Changing the passwords (while a good security policy) has zero effect on stemming the tide of data walking out the door via USB camera. They have access to the data...they'll NEED that new password if you change it.
This reminds me of when all the email viruses started getting sophisticated and all the IT parrots just spouted off random crap that sounded good "Don't open emails from someone you don't know". When all the worms were already spoofing the from address. It seems that no one takes time to think logically about these things, they just spout off some key phrases they've heard on Digital Duo and call it good.
The Wifey is a big fan of wally world. Her dad is a middle level manager there, and they've been pretty good to him financially. I however see how they treat most of their people so I an a little more critical. I've been trying to train her to simply ignore any of the ant-theft alarms and keep walking to her car. She's been a little slow in picking it up though.
Most people in the area will stop and turn around and actually search out a greeter to search their bags. Nuts to that I say. One of these times I'll break into a run when I hear the alarm.
"But sir, why did you run when the alarm went off. If you have nothing to hide ther is no reason for you to run"
"Sorry man, I'm on this REALLY strict excercise program...I gotta run 4 times a day, and it was time to run. It's like that Michalangelo sleep thing, you can't miss a cylce."
heh heh heh.
some spyware installs with "legit" apps MOST seems to come in through the browser through one of the following:
1: users clicking yes blindly
Ugh, this is so incredibly true that it makes me ill. On more than one occasion I've been helping a coworker with a given problem and a yes/no OK/Cancel dialog box will come up...Even non web based ones...and he'll jump right over and click "OK" or "Yes" and I'll go
"Wait, what the hell was that box?"
"Ummm I don't know, I just closed it"
"Well what did it say?"
"I don't know, I just wanted it to go away"
Invariably it ends up that the dialog is something vital in the solution to his problem. I can certainly see that you could pop up a web dialog box that says "CLick Yes and we'll install spyware on your PC that will monitor your surfing, slow your PC to a crawl and kill your dog" and many many people would just click on through.
FWIW, at least one fairly recent version of Symantec Corp edition (10.0 as I recall) had a severe bug that would cause the scan engine to eat up 99% of the CPU most of the time. I'd assume that the home versions and the corporate version share a common code base, and only differ in the widget set (Standard windows gray for the corp and annoying-as-hell-giant-round-plasticky-windows-XP- themed widgets for the home users). The bug is fixed with 10.0.1, which is the latest version.
It's not like it matters anyway, SAV is the LAST line of defense in our anti-virus scheme. I can only think of one or two instances where we actually had a virus in the office. They all get caught at the mail server nowadays.
Wow! all this talk about photo editors and no mention of Irfanview? Irfanview is simply the BEST lightweight photo tool on Windows. Batch conversion/rename, crop, resize, Photoshop filter support, ect, ect, ect. You're not going to create a FARK.com photoshop contest entry with it, but I only have to fire up the GIMP a couple times a month. And the pricetag? Zero. Free as in beer my friend. Hell, I run it under WINE at home, because it's so damn good. I'm quite fond of the Gimp, and ImageMagick does what I need it to do from the commandline ( abhor its TK'ish UI ), but Irfanview is the best balance I've found.
Yeah, not to mention the fact that _every_ _single_ package you're going to install via synaptic will install the exact same way. You've got this framework that contains all the install processes. Check a box, hit install and you're done.
How many install frameworks does Windows have? MSI, InnoSetup, InstallShield, WISE setup, ect, ect, ect. Each with its own dialog boxes, visual style, and install steps. And you can't choose what framework to use, you're at the mercy of the manufacturer.
As always I think that issues like this are overblown. Any modern distro is going to have one consistent tool that will allow you to install software with a minimal amount of pain. However, everyone likes to cite examples from 4 years ago to prove their point. "Man, Linux is so hard to install software, you have to UUDecode the tarball from usenet, making sure to grab all the parts, then you have to untar it and then you have to chase down all the dependancies and then..."
Heh, now of course all the windows fanboys will point and snort and shout and say. "no no that's what you did! That's what you did! You used an example from 5 years ago! Everyone is swtiched over to MSI now, no one uses installshield or WISE setup anymore. Installshield is _so_ 2000." To this, I preemptively respond "Bzzzt! Wrong again skippy! I'd say it's about 50% MSI and 50% others. You've got some pretty big names still on non-MSI install platforms. Adobe immediately springs to mind."
Back in my dotcom days, we had a guy who did this. They called everyone into the conference room before lunch, did the old chop to the neck to about half our workforce (10 or so guys) before lunch. This guy GOES to lunch, and then comes back and keeps working! We were like "Dude, you know you don't work here anymore right? Why don't you just leave?"
He ended up working late and then "helping out" by emptying his trash can. I suspect he smuggled something out in it. Hell I wouldn't have cared if he'd just grabbed the crap off his desk and walked out...not like we had any managers left at our office. They all got the old chopperoo too!
Yeah, that office got fun REAL quick. All our managers were 1,500 miles away!
SANDisk Cruizer Mini. It's taken no less than 3 rides in the washer! I've long since lost the cap, and there's something rattling around in there, I've used it as an emergency screwdriver a few times, but by God it still works! I had a Lexar Jumpdrive go bad on me in less than 4 months before I got this one.
Quite OT, but I've often wondered if I could pry off this cover and dip this sucker in one of those cans of rubber like you'd dip the handles of your tools. A couple of coats of that and this thing would be damn near indestructible! It would only be vulnerable at the USB connector end.
"Did I mention we were just a regular office of about 30 people with a sum total of 3 IT workers?"
Holy flirking shnit! a ratio of 1 IT worker for every 10 employees? Man, that job must be cake! Where I work it's more like 1.5:300. Me and a part timer for 100+ locations and 300+ computers. Needless to say, one learns very quickly to work smarter. (Translation: Don't use IE)
Man, I don't know if you guys are the assles variety of nerds or what. I don't sit on my wallet, I sit on my ass, and my wallet isn't anywhere NEAR where my ass touches the seat. Maybe you guys need to pull up your pants.
Similar situation, except the bit about disenfecting spyware.
Throw yourself up a Squid proxy, get rid of IE excpet for sites that MUST have it, and there you go! It's been months since I saw any spyware, and that was on the guy who takes his laptop hither and yon.
The tools are out there to solve all these problems, but unfortunately sometimes the money/know how/patience to implement them isn't there.
Man, how many flavors of windows are there? It'll take a couple of hands to add them all up....
Lesseee there's XP Home, XP Pro, XP Tablet, XP Media Edition, Professional x64 edition, Server 2003, Server 2003 Small Business server, Server 2003 Advanced Data Center edition, and on and on and on. Pot, kettle, black?
Heck yeah!
Dueling disgusting photos is what friends do best!
BTW, tinyurl works great for stuff like this. One friend of mine burned me so badly that I wrote a perl script to strip off all image attachments, and scale them down to 10x10 for previewing before I opened them. It doesn't take too many times of seeing goatse, tubgirl, and their ilk to make it worth the effort.
Slashdot Mirror
This reminds me of an audio sketch I heard on suckitdown.org the other day....
http://www.suckitdown.org/?p=24
You know what's odd? My father in law works for the home office, and when I was there over the holidays I noticed that a LOT of his bulbs have been replaced with CF bulbs. It would have happened in the span of a month. So apparently the way that Wal-Mart is going to do this is simply mandate that ALL employess buy CF bulbs and use them in their homes. That should pretty quickly reach their goal eh? Nice.
Right click the shortcut and prepend the following:
/savecred /user:administrator
C:\WINDOWS\system32\runas.exe
The first time you run the app it'll prompt you for the admin password (in an UGLY ass dos box) after that it'll run with no prompting. Honestly, this isn't rocket science. Not quite as slick as suid, but it works. Until you change the admin password of course.
I take care of a couple hundred machines and the FIRST thing I did when I was hired was to set up an automatic install. It's a pretty tiny investment when you think about it. I didn't even do the standard hard drive cloning, I did it the HARD way and scripted a full XP install, which then hooks into automatic application install after XP is done. This is BASIC stuff. I can't believe the outright negligence of an IT department that doesn't have some sort of restore process.
Is slipshod security practices within a company. Sure security breaches are pretty damn scary, but I've worked with some PRETTY big company who had some pretty lousy security practices, and should know better. I recently worked with a HUGE payroll company to outsource my employer's payroll to them. The task fell to me to export all the data from our existing payroll system, perform some data hygene, and send it to this payroll company in delimeted format.
.tab files to an email and email them on over. I balked a that suggestion. We've got full names, DOB, SSN, address, tax information, bank account numbers, the WORKS! They wanted me to transmit the files in the clear to their email where who knows how long this info will sit in their outlook inbox, and how MANY people will see it. I made some rather more secure suggestions, but in the end we settled on password protected .zip files hosted on a password protected webpage. Pretty feeble security if you ask me, but WORLDS better than what they wanted.
They suggested that I simply attach the
I guess the point I'm trying to make is most companies don't give a SHIT about your data. They'll play along and act like they do, but implementing proper internal security practices is HARD and EXPENSIVE. This law is a step in the right direction, but it simply isn't enough.
It's like a cult up here at work. They all are ADDICTED to the antibacterial gel! It's a sickness I tells ya!
On the topic of CRON. Why is windows task scheduler so utterly worthless? I mean come ON! This is the finest software company on earth and they can't write a decent task scheduler? Why is it that all my tasks stop working when I follow proper security guidelines and change my password? Oh, it's because each task is stored with the password of the user who runs the task? I see. So you can run tasks as other users. Brilliant! 'course it means that every time my password changes (3 months) I have to step down the list of 15 or so scheduled tasks and clickety click with my mouse to put in the new password. Sheesh. What utter crap.
Ability to partition your hard drive is important. I've seen brand new PCs coming out with 120+Gb HDs with a single windows-already-installed partition. This is utterly idiot. All stuff (system, apps, data) packed together in C:\.
Heh, HP is REALLY bad about partitioning a drive to not use its full capacity. So let's say you've got a 120GB hard drive, well they'll partition off 80GB of it for a windows drive and the balance of your disk is left unpartitioned. In your case it might be a _good_ thing, since you want another partition. I however can just envision all those home users out there who wonder why their 120 GB hard drive filled up with g0at pr0n so dang fast.
The trick is, to work _smart_ not hard. I'm a one man IS department with around 150 workstations spread out over one home office and 84 or so branch offices. We cover something like 7 states at present and increase branch offices at the rate of 4 per year.
When I first took over, there were MANY weekends spent working. I had to set up a Win2k AD as well as DHCP server and DNS server. Had to clean up the incredibly disorganized file shares. Login scripts, restore scripts, GPO's, ect. However, I've put in the work now, and it's paying off. Most of my day to day calls are on the order of "reboot and try again". The really tough ones deal with hardware failures, and I have to make a road trip or find a local tech who will fix it.
The trick is that we are knowledge workers. We get paid to think. So Think of a way you can do your job more efficciently.
It seems to me that you're getting all caught up in the management side of it, and you want to manage processes and such. Well, it sure would be nice if it worked like that in the real world, but when you're a one man operation...it simply doesn't. You've got to get out there and do what it takes to keep the users happy, and most of all, keep them off your back! Save those management seminars for when you've got a couple people under you.
I say one motivated nerd can do a LOT more than you think. No need to hire a staff just yet...
Hmmm, I don't know what you're doing with your XP boxes, but in my experience the number one cause of boot failures in XP is bad hard drives. I don't know what other admins do, but I've got a custom XP installation that strips out and disables all the band-aid crap like system restore and all that garbage. Installs only the apps that are needed for our environment, and my users are NOT admins, so they don't install any new (cr)apps. A full install in my office is all of about 10 apps (office, Irfanview, Acrobat reader, SAV corporate, ect.) and that's IT. My machines give me no trouble other than hardware trouble. I guess, that's one good argument for keeping it as simple as possible.
WTD? How does this stop people from dragging & dropping to a USB based camera? One would assume that if your company is SO concerned about valuable information walking out the door, you'd have a sane permissions policy i.e. only allow the users access to the infomration they need. Changing the passwords (while a good security policy) has zero effect on stemming the tide of data walking out the door via USB camera. They have access to the data...they'll NEED that new password if you change it.
This reminds me of when all the email viruses started getting sophisticated and all the IT parrots just spouted off random crap that sounded good "Don't open emails from someone you don't know". When all the worms were already spoofing the from address. It seems that no one takes time to think logically about these things, they just spout off some key phrases they've heard on Digital Duo and call it good.
The Wifey is a big fan of wally world. Her dad is a middle level manager there, and they've been pretty good to him financially. I however see how they treat most of their people so I an a little more critical. I've been trying to train her to simply ignore any of the ant-theft alarms and keep walking to her car. She's been a little slow in picking it up though.
Most people in the area will stop and turn around and actually search out a greeter to search their bags. Nuts to that I say. One of these times I'll break into a run when I hear the alarm.
"But sir, why did you run when the alarm went off. If you have nothing to hide ther is no reason for you to run"
"Sorry man, I'm on this REALLY strict excercise program...I gotta run 4 times a day, and it was time to run. It's like that Michalangelo sleep thing, you can't miss a cylce."
heh heh heh.
Ugh, this is so incredibly true that it makes me ill. On more than one occasion I've been helping a coworker with a given problem and a yes/no OK/Cancel dialog box will come up...Even non web based ones...and he'll jump right over and click "OK" or "Yes" and I'll go
"Wait, what the hell was that box?"
"Ummm I don't know, I just closed it"
"Well what did it say?"
"I don't know, I just wanted it to go away"
Invariably it ends up that the dialog is something vital in the solution to his problem. I can certainly see that you could pop up a web dialog box that says "CLick Yes and we'll install spyware on your PC that will monitor your surfing, slow your PC to a crawl and kill your dog" and many many people would just click on through.
FWIW, at least one fairly recent version of Symantec Corp edition (10.0 as I recall) had a severe bug that would cause the scan engine to eat up 99% of the CPU most of the time. I'd assume that the home versions and the corporate version share a common code base, and only differ in the widget set (Standard windows gray for the corp and annoying-as-hell-giant-round-plasticky-windows-XP- themed widgets for the home users). The bug is fixed with 10.0.1, which is the latest version.
It's not like it matters anyway, SAV is the LAST line of defense in our anti-virus scheme. I can only think of one or two instances where we actually had a virus in the office. They all get caught at the mail server nowadays.
Wow! all this talk about photo editors and no mention of Irfanview? Irfanview is simply the BEST lightweight photo tool on Windows. Batch conversion/rename, crop, resize, Photoshop filter support, ect, ect, ect. You're not going to create a FARK.com photoshop contest entry with it, but I only have to fire up the GIMP a couple times a month. And the pricetag? Zero. Free as in beer my friend. Hell, I run it under WINE at home, because it's so damn good. I'm quite fond of the Gimp, and ImageMagick does what I need it to do from the commandline ( abhor its TK'ish UI ), but Irfanview is the best balance I've found.
http://www.irfanview.com/
Yeah, not to mention the fact that _every_ _single_ package you're going to install via synaptic will install the exact same way. You've got this framework that contains all the install processes. Check a box, hit install and you're done.
How many install frameworks does Windows have? MSI, InnoSetup, InstallShield, WISE setup, ect, ect, ect. Each with its own dialog boxes, visual style, and install steps. And you can't choose what framework to use, you're at the mercy of the manufacturer.
As always I think that issues like this are overblown. Any modern distro is going to have one consistent tool that will allow you to install software with a minimal amount of pain. However, everyone likes to cite examples from 4 years ago to prove their point. "Man, Linux is so hard to install software, you have to UUDecode the tarball from usenet, making sure to grab all the parts, then you have to untar it and then you have to chase down all the dependancies and then..."
Heh, now of course all the windows fanboys will point and snort and shout and say.
"no no that's what you did! That's what you did! You used an example from 5 years ago! Everyone is swtiched over to MSI now, no one uses installshield or WISE setup anymore. Installshield is _so_ 2000."
To this, I preemptively respond
"Bzzzt! Wrong again skippy! I'd say it's about 50% MSI and 50% others. You've got some pretty big names still on non-MSI install platforms. Adobe immediately springs to mind."
Back in my dotcom days, we had a guy who did this. They called everyone into the conference room before lunch, did the old chop to the neck to about half our workforce (10 or so guys) before lunch. This guy GOES to lunch, and then comes back and keeps working!
We were like "Dude, you know you don't work here anymore right? Why don't you just leave?"
He ended up working late and then "helping out" by emptying his trash can. I suspect he smuggled something out in it. Hell I wouldn't have cared if he'd just grabbed the crap off his desk and walked out...not like we had any managers left at our office. They all got the old chopperoo too!
Yeah, that office got fun REAL quick. All our managers were 1,500 miles away!
SANDisk Cruizer Mini. It's taken no less than 3 rides in the washer! I've long since lost the cap, and there's something rattling around in there, I've used it as an emergency screwdriver a few times, but by God it still works! I had a Lexar Jumpdrive go bad on me in less than 4 months before I got this one. Quite OT, but I've often wondered if I could pry off this cover and dip this sucker in one of those cans of rubber like you'd dip the handles of your tools. A couple of coats of that and this thing would be damn near indestructible! It would only be vulnerable at the USB connector end.
"Did I mention we were just a regular office of about 30 people with a sum total of 3 IT workers?"
Holy flirking shnit! a ratio of 1 IT worker for every 10 employees? Man, that job must be cake! Where I work it's more like 1.5:300. Me and a part timer for 100+ locations and 300+ computers. Needless to say, one learns very quickly to work smarter. (Translation: Don't use IE)
Nope. More like This Guy
Man, I don't know if you guys are the assles variety of nerds or what. I don't sit on my wallet, I sit on my ass, and my wallet isn't anywhere NEAR where my ass touches the seat. Maybe you guys need to pull up your pants.
Similar situation, except the bit about disenfecting spyware.
Throw yourself up a Squid proxy, get rid of IE excpet for sites that MUST have it, and there you go! It's been months since I saw any spyware, and that was on the guy who takes his laptop hither and yon.
The tools are out there to solve all these problems, but unfortunately sometimes the money/know how/patience to implement them isn't there.
I think you're thinking of the immaculate reception a fine bit of Steelers lore. Hmmmm, wait I'm on slashdot, they don't do chicks OR sports. Damn.
Man, how many flavors of windows are there? It'll take a couple of hands to add them all up....
Lesseee there's XP Home, XP Pro, XP Tablet, XP Media Edition, Professional x64 edition, Server 2003, Server 2003 Small Business server, Server 2003 Advanced Data Center edition, and on and on and on. Pot, kettle, black?
Heck yeah! Dueling disgusting photos is what friends do best! BTW, tinyurl works great for stuff like this. One friend of mine burned me so badly that I wrote a perl script to strip off all image attachments, and scale them down to 10x10 for previewing before I opened them. It doesn't take too many times of seeing goatse, tubgirl, and their ilk to make it worth the effort.