The problem is that many large companies have internal systems that were written back when Microsoft pushed ActiveX as the solution to all the world's problems.
And there's a very simple solution to this, that i've seen in a large corporation here. Upgrade all the clients to IE7/8, and publish links to those legacy applications using Citrix, which runs IE6 ontop of Windows Server 2003. Make sure that IE6 in Citrix can only reach the legacy apps, and not the Internet in general. Problem solved.
Yeah, because forced upgrades also go over so well with this crowd.
This isn't DRM-style remote content removal, it's about support. Microsoft has decided that they will support IE6 until support for XP runs out, which is in 2014 - plenty of time to go. The same will happen with IE7, which will be supported until support for Vista runs out, which IMO is also unnecessary.
I can understand why Microsoft does it and i also understand why large corporations don't like to do upgrades (because they mostly use crappy, unmaintained software written for a single use case by idiot developers that got rich by delivering a shitty product).
IE8 is usuable. It works. It's much more secure than IE6. The only people that haven't upgraded yet need a hard incentive to justify an upgrade to their management - "support runs out" is about the hardest incentive you can get.
IE7 has been out since forever and runs on XP. It's not unreasonable to expect people to upgrade. Even large companies.
I know a few large enterprises here in Switzerland and most of them have upgraded all their clients to IE7 for security purposes. I know one of them publishes IE6 through Citrix for a few legacy apps.
I've seen many compromised Linux machines sending out spam. Especially prevalent in Germany, where 1&1 and similar mass hosters provide hosted very cheap rental of Linux servers.
Of course, the issues are the same as those of compromised Windows systems:
* Not up to date on security patches * Admin doesn't know what he's doing * Using insecure legacy versions of software
The question is what you're expecting a firewall to do.
What the Windows Firewall does by default (in a Public network) is prevent any incoming traffic to open TCP or UDP ports. This works very well and there are few edge cases where a separately hosted Firewall would provide a significant advantage.
What it does not do is prevent any kind of outgoing traffic - you can configure this through policies in a corporate network, to prevent unapproved applications from accessing the network (which also works well), but this can't work on a home computer where the users have local admin rights, as a malicious app can just add the required firewall rules. A separately hosted Firewall doesn't work any better - it can't tell if the SSL Traffic on Port 443 is coming from IE or a malicious application.
That's how you see it, that's how i see it, but it's not how the sales dept or our CEO for that matter will see it. I suspect it's pretty much the same for other companies.
Good teams do good work no matter who they work for.
I'm not that sure about this. I work for an IT contractor, and if you try to do a good job you'll run into a conflict of interest, sooner or later. Typical scenario is that the sales guys from your company want to sell the customer something he doesn't really need - and then you get asked about your opinion on whether he should buy it or not.
a) Stab the customer in the back, telling him he really needs to buy this b) Stab your employer in the back, telling the customer that he doesn't really need it c) Try to give a nonsensical answer that doesn't help the customer d) Refuse to comment e) Tell the customer he doesn't x, and instead should buy y.
Which one is the right choice? Of course you can always construct another option like talking to your sales guys, but this might not work if his bonus is on the line. Techies don't get bonuses, so they don't care about selling stuff.
I usually take option e), because there's always something you should do. But it's not a perfect solution, since you're basically saying your sales guys are incompetent and they should buy something else.
It would be very profitable to chain your workers to the factory floor and have them work 18 hours a day for no money
Yes, but that's illegal. Any company doing this (in the first world, obviously) be forcibly closed down. I don't think ethics figure into the decisions to not doing this.
This may be different in Italy, but we're talking about fines here. These are usually traffic violations. You can pay them on the spot, or you can ask for a bill. This will add an administrative fee (i think around 40CHF) to the list, but has no consequences otherwise.
In either case, you can contest the fine in 30 days. Of course, most traffic fines are below the hourly rate of a lawyer, so contesting them makes no sense, even if you think you're innocent.
While this isn't perfect, such a scheme will prevent anyone except targeted industrial espionage from accessing the information. If you're a small company with no special IP, this is a good-enough approach that keeps support costs low.
Bitlocker has no performance impact, it uses the TPM chip.
Wrong. While Bitlocker utilizes the TPM to ensure a secure boot and automatic unlocking (if so desired), the TPM chip is NOT used to handle the actual encryption/decryption.
BitLocker in Windows 7 will support the new Core i3/i5 AES extensions for faster encryption, though.
In fact, RDP since Windows XP/2003 can use SSL/TLS, but i believe it default to a 56bit RC5 cipher without configuration and/or group policies in effect.
While Bitlocker certainly slows down my laptop a bit (i did benchmarks, about 10%), i can't complain about it being slow.
ThinkPad W500, 4GB RAM, Windows 7 Enterprise x64, OCZ Vertex 120GB with TRIM Firmware.
Our end users mostly have ThinkPads T500, 4GB RAM, Windows 7 Enterprise x64 with the normal 7200 RPM hard drives. They also don't complain about their laptop is slow.
For USB sticks, we do not mandate them to be encrypted. This, of course, shifts all the blame in case of data loss to the end user. Which is fine by me.
TrueCrypt is also much more vulnerable than Bitlocker is, because it does not utilize the TPM. I've never seen corporate laptop/desktop offers that did not feature a TPM.
It's also easier to manage in mid-sized environments than TrueCrypt (think automatic Key + TPM backups to Active Directory).
Erm, there's no new Firewall in Windows 7. It's exactly the same as the one in Vista.
The Homegroup feature is gold, IMO. It offers easy file sharing without the authentication hassles you have on non-domain computers. This is (obviously) meant for a Home setting, not the Office.
Have you ever tried to help your girlfriend on the phone transferring files to another Windows computer using the network? It was downright impossible without the Homegroup features for end-user to get the grasp of that.
Slashdot Mirror
And there's a very simple solution to this, that i've seen in a large corporation here. Upgrade all the clients to IE7/8, and publish links to those legacy applications using Citrix, which runs IE6 ontop of Windows Server 2003. Make sure that IE6 in Citrix can only reach the legacy apps, and not the Internet in general. Problem solved.
This isn't DRM-style remote content removal, it's about support. Microsoft has decided that they will support IE6 until support for XP runs out, which is in 2014 - plenty of time to go. The same will happen with IE7, which will be supported until support for Vista runs out, which IMO is also unnecessary.
I can understand why Microsoft does it and i also understand why large corporations don't like to do upgrades (because they mostly use crappy, unmaintained software written for a single use case by idiot developers that got rich by delivering a shitty product).
IE8 is usuable. It works. It's much more secure than IE6. The only people that haven't upgraded yet need a hard incentive to justify an upgrade to their management - "support runs out" is about the hardest incentive you can get.
IE7 has been out since forever and runs on XP. It's not unreasonable to expect people to upgrade. Even large companies.
I know a few large enterprises here in Switzerland and most of them have upgraded all their clients to IE7 for security purposes. I know one of them publishes IE6 through Citrix for a few legacy apps.
Windows 2000 security updates will cease in Juni/Juli 2010, so you _need_ to upgrade your OS anyway.
It's time to see IE6 go. Unfortunately, Microsoft will support IE6 until support for XP runs out - this model needs to change, badly.
SP3 for XP should've made IE7 mandatory. Unfortunately, the right decisions are not always good for business.
No. HTTPS has the entire HTTP conversation in SSL/TLS. Everything is encrypted, even the query string.
I've seen many compromised Linux machines sending out spam. Especially prevalent in Germany, where 1&1 and similar mass hosters provide hosted very cheap rental of Linux servers.
Of course, the issues are the same as those of compromised Windows systems:
* Not up to date on security patches
* Admin doesn't know what he's doing
* Using insecure legacy versions of software
The question is what you're expecting a firewall to do.
What the Windows Firewall does by default (in a Public network) is prevent any incoming traffic to open TCP or UDP ports. This works very well and there are few edge cases where a separately hosted Firewall would provide a significant advantage.
What it does not do is prevent any kind of outgoing traffic - you can configure this through policies in a corporate network, to prevent unapproved applications from accessing the network (which also works well), but this can't work on a home computer where the users have local admin rights, as a malicious app can just add the required firewall rules. A separately hosted Firewall doesn't work any better - it can't tell if the SSL Traffic on Port 443 is coming from IE or a malicious application.
That's how you see it, that's how i see it, but it's not how the sales dept or our CEO for that matter will see it. I suspect it's pretty much the same for other companies.
I'm not that sure about this. I work for an IT contractor, and if you try to do a good job you'll run into a conflict of interest, sooner or later. Typical scenario is that the sales guys from your company want to sell the customer something he doesn't really need - and then you get asked about your opinion on whether he should buy it or not.
a) Stab the customer in the back, telling him he really needs to buy this
b) Stab your employer in the back, telling the customer that he doesn't really need it
c) Try to give a nonsensical answer that doesn't help the customer
d) Refuse to comment
e) Tell the customer he doesn't x, and instead should buy y.
Which one is the right choice? Of course you can always construct another option like talking to your sales guys, but this might not work if his bonus is on the line. Techies don't get bonuses, so they don't care about selling stuff.
I usually take option e), because there's always something you should do. But it's not a perfect solution, since you're basically saying your sales guys are incompetent and they should buy something else.
The currently known attacks do not affect IE.
However, it is possible and likely that existing attacks could be modified to work on IE8.
That's what they're saying. Yeah, it's Marketing speak, but i've seen worse.
Yes, but that's illegal. Any company doing this (in the first world, obviously) be forcibly closed down. I don't think ethics figure into the decisions to not doing this.
This may be different in Italy, but we're talking about fines here. These are usually traffic violations. You can pay them on the spot, or you can ask for a bill. This will add an administrative fee (i think around 40CHF) to the list, but has no consequences otherwise.
In either case, you can contest the fine in 30 days. Of course, most traffic fines are below the hourly rate of a lawyer, so contesting them makes no sense, even if you think you're innocent.
It's the same here in Switzerland, i never found that unusual.
So, which distributions ship with such an AppArmor profile as a default configuration?
Yep. It's possible.
But do people actually do that? I know i don't.
DEP, which is a Windows feature and not an IE feature, is also active for recent versions of Firefox.
What Firefox lacks though is the sandboxing using a lower-privileged logon (Protected Mode).
No, it's kept in the TPM.
While this isn't perfect, such a scheme will prevent anyone except targeted industrial espionage from accessing the information. If you're a small company with no special IP, this is a good-enough approach that keeps support costs low.
Wrong. While Bitlocker utilizes the TPM to ensure a secure boot and automatic unlocking (if so desired), the TPM chip is NOT used to handle the actual encryption/decryption.
BitLocker in Windows 7 will support the new Core i3/i5 AES extensions for faster encryption, though.
Microsoft recommends using RODCs and BitLocker in branch office servers in insecure locations.
In fact, RDP since Windows XP/2003 can use SSL/TLS, but i believe it default to a 56bit RC5 cipher without configuration and/or group policies in effect.
SSL/TLS was made the default with WS08/Vista.
While Bitlocker certainly slows down my laptop a bit (i did benchmarks, about 10%), i can't complain about it being slow.
ThinkPad W500, 4GB RAM, Windows 7 Enterprise x64, OCZ Vertex 120GB with TRIM Firmware.
Our end users mostly have ThinkPads T500, 4GB RAM, Windows 7 Enterprise x64 with the normal 7200 RPM hard drives. They also don't complain about their laptop is slow.
For USB sticks, we do not mandate them to be encrypted. This, of course, shifts all the blame in case of data loss to the end user. Which is fine by me.
So security is not a big priority in your company it seems, with Windows 2000 security updates ceasing mid-2010.
TrueCrypt is also much more vulnerable than Bitlocker is, because it does not utilize the TPM. I've never seen corporate laptop/desktop offers that did not feature a TPM.
It's also easier to manage in mid-sized environments than TrueCrypt (think automatic Key + TPM backups to Active Directory).
Erm, there's no new Firewall in Windows 7. It's exactly the same as the one in Vista.
The Homegroup feature is gold, IMO. It offers easy file sharing without the authentication hassles you have on non-domain computers. This is (obviously) meant for a Home setting, not the Office.
Have you ever tried to help your girlfriend on the phone transferring files to another Windows computer using the network? It was downright impossible without the Homegroup features for end-user to get the grasp of that.