
MS Blaster 3


jad (Programmer, Apr 7, 1999, GB)
We have Unix servers at work, which are acting as a big firewall to the internet ...

we work behind the times as far as technology is concerned, and most of our machines still run Win95 some have Win98 ... but some of our latest lab machines were provided with a win2k computer.

now, we've had to purchase a few laptops recently ... mostly so that we could flatter some people's egos, not for any real work reason.

but the b*st*rds take them home with them and one specific person uses NTL (btw ntl customers you need to patch any windows 2000 or windows XP machines against the DCOM attack) and got himself infected in 60 seconds (the time it takes to boot).

he then brought the infected computer inside the building and plugged it into our network ... and very luckily it didn't infect anything else.

we can't shoot the guy ... he controls our pay checks ... and i'll patch the machine up, no hassle ...

i was very close to using the 'Virus Protection' disks labelled 'Solaris' ... but he didn't seem to like the idea, something to do with accessing the accounts software ... hmmph :)

but the question is what changes do you think should be made, either inside the company or over the entire world ... :)
 
jwenting,

Well, I guess that starts to bring us full-circle back to terminals working from a central, locked-down intelligent device. Telnet isn't enough, but X went too far the other way and brought in a whole series of vulnerabilities of its own. Even Terminal Services/Citrix type "terminals" may be too much and too vulnerable to hacks, attacks, and holes or traps awaiting users (informed or otherwise).

Maybe an answer would be something closer to today's browsers in "rich display" capabilities, then add:

* better client-side form support than offered by HTML,
* with no plug-ins, no client-side script or applet support,
* based on some sort of XML- or SGML-derived markup language,
* and using a session-oriented protocol rather than sessionless HTTP/HTTPS.

Deliver this in a locked down ROM-only package to consumers and business users.

But as you said, some open-source clowns or worse yet commercial ventures would release the thing as software runnable on generic hardware. They'd add plug-in support, local filesystems, bleetcode interpreters, and before you know it we're back to square one.

The Internet is a rough neighborhood. The only answer left is for a return to isolated and/or proprietary networks I suppose. Even then you'll see gateways pop up... deja vu all over again as Master Yogi once said.

Still, even if some people want the whiz-bang version you might be able to sell business or "AOL Annie" on the ROM-based locked down product by appealing to their desire for its relative security. Then again Web TV (now MSN TV) never did have much market penetration and it's already a fairly safe, fairly locked-down client. The same goes for several other attempts at home web terminal appliances, most of which were tied to overpriced ISP contracts over dial-up.

Oh well I give up. It's impossible. ;-)
 
the LIMS (laboratory information management system) i'm creating is web based, i.e. platform independent.

if machines go wrong i just format them flat and build again.

only problem with this is i'm not sposed to play with the machines running instruments, cos they make money ... i only go near them when they go really wrong ...

they don't use outlook, they use pegasus mail (or dtmail).
they don't use internet explorer, they use netscape for their browser

i scan mail incoming and all web access goes through a proxy-server with restrictions.

we have group policies, and i've threatened people with a fresh install of windows 95, or solaris on any home machine they bring in ...

it's only these bloody 'directors' who take their laptops home with them i can't stop.

hmmph, is it only thursday?
 
Give the boss a palm pilot and tell him it's the smallest computer known to man.
[cheers]

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884

"Once the game is over, the king and the pawn return to the same box."
 
a star for your emoticon :)
 
Thanks, I think I will have one.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"Watson, the game is afoot!" [pipe]
 
jad,
you have my sympathy, but look at things from an analyst's point of view. I can't choose my mass spectrometer purely because it happens to come with the same sort of PC as the computing staff can most easily handle - I have to choose it because it does the analytical job (or more likely because it's the only mass spec that falls in the right price bracket). Of course anyone buying equipment that has computers attached should inform their IT staff of what's about to land on them, but unfortunately it is going to land, and that's that.
Of course it's also inconsiderate to site the thing in the wrong place with no network connection. But that can happen accidentally, too. The mass spec turns up and it also needs a helium cylinder, vacuum line, cooling water, special power supply, nitrogen supply... and somehow one of these things turns out not to be possible on the side of the lab where you wanted.
Meanwhile the analyst can easily get squashed between two different IT groups: The local IT experts will naturally (and probably accurately) blame the instrument and its set up for any failure to communicate properly in the local environment. But if the customer insists on the mass spec installation engineer installing it the "local" way, or using a locally approved operating system and computer, it'll be on a "well, on your head be it, we don't guarantee this will work..." basis, because he/she wants to install it the way they know works for their machine.
Such is life.
Good luck!
(oh, and nice to know I'm not the only one with mysterious crashes that only happen at night when there's a queue of samples...)
 
it's amazing, you know EXACTLY what it's like working here :)

where are you based?

some of our 'dying at night' is caused by the 3 phase in this building, they shut down one of the 3 phase circuits once to do some maintenance and found that a couple of the connections were still live cross fed from another circuit ...
another big reason for the crashes is the printing routine. most mass-specs like printing off graphs as they do them, even through the night, but most of them use dodgy printing routines to format the pages. even if you tell it not to print it still calls the routine to process the graphs, unless you talk to their 1 IT guy who knows how to turn them off (but that only fixes about 60% crashes)

I know ... i'm going off topic ... :)
 
anyone heard that the latest patches from microsloth don't fix the RPC problem ...

they've released another set for it ... and there is at least one virus out there that knows about the new flaw ...

Microsoft are quick to point out that the RPC stuff in windows is '... derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.'

now we know that the OSF version is secure ... :)
 
Yeah, I know about the latest patch - I installed it and my system now crashes about 4 times a day. Fortunately it's only 1 machine and not the entire office.

<marc> i wonder what will happen if i press this...
* please give feedback on what works / what doesn't
* need some help? how to get a better answer: faq581-3339
 
I come from a different end of the scale as a user so I deal with your type of guys quite often.

In defence of the user, some of us b*st*rds need PCs/laptops, we need floppies/CDs and very often we need to connect to the net (internet and company network) from many strange locations! We receive attachments on a regular basis and hope that the sender's system or our system has done a virus sweep!
Some of us who are not as knowledgeable as you guys may download a virus once in a while but then it's time to do your job.

So it's up to you to make sure the defence is tight and to plug any holes we may create!
Whether it's upgrading to more stable environments or installing the latest security patches, that's up to you to do or to persuade your boss!

Unforgiving sod ain't i? :)

- É -
 
cian, you should not create any holes, and any means you could use to create holes should be taken away from you until and unless you can prove to the techies that you can be trusted not to use them.

If that means a machine without modem, network card, floppy drive and CD ROM then so be it.
If that's all you can be trusted with that's all you should get.
 
>I defence of the user some of us b*st*rds need PC's/laptops,
>we need floppy's/CD's and very often we need to connect to
>the net (internet and company network) from many strange
>locations! We receive attachments on a regular basis and hope
>that the senders system or our system has done a virus sweep!
>Some of us who are not as knowledgable as you guys may
>download a virus once in a while but then it's time to do
>your job.

i would object to your need to use floppy disks, data should be stored on the network not on floppies for backup.
i have a cdrom drive in the server, so i can share that if a user _needs_ to get access to data, users _don't_ need access to cdroms, they only install illegal software, or games.
they all have access to the internet, because my system uses the internet (allowing access externally), but it is company policy that people don't download shit^H^H^Htuff from the internet, however this is almost unenforceable.

all of your _NEEDS_ are really just wants at the end of the day ...

it is not my job to fix other people's screw ups, my job is to write a database system and help people out if they ever need help, which i was told would be rarely (although i guessed different); my job now is changing toner in the copier, and the printers, fixing loose cables, reinstalling dead computers, fixing other people's helpful stuff, etc. and maybe for about 15 mins a day i can get to work on the database ... surprising that the timelines are getting behind ...

i still reckon the 'universal virus checker' version 8 will work fine.
 
jad - you may object to people needing to use floppy disks, but some of us really do! I need to receive /send out sensitive data on a regular basis. As yet we are unable to do this via e-mail due to security issues. I agree floppies are unnecessary for back-ups, but they are a viable means of data transfer.
Could I use a floppy disc /cd /internet download to cause damage? Quite probably (with a little research), but then I could, if I so desired, do a fair bit of physical damage to company property too. It all comes down not only to trust, but also to education, your users should all be taught what's safe & what's not.

Sharon
 
monkey + book =/= intelligent monkey
 
Sharon is on the money. A lot of what we admins need to do is educate the users. I've seen many a user have programs that tell them the temperature outside at any time of day, who didn't realize that if the server of the website gets infected, the user gets infected. First and foremost, educate, then start slamming the people that don't listen. Create a document that tells people what they can and can't do, include the education in the document, have the users sign it. If they then don't follow the Rules of the Internet Road, then you can start slamming them. My users have found the info we've given them about how to protect themselves not only helpful, they've even appreciated the fact that they can use the education at home to protect their home PCs. My 2 cents. (Sharon, here's a star for some good thoughts.)

Glen A. Johnson
Johnson Computer Consulting
"I only know that I know nothing."
Socrates (47-399 BC); Greek philosopher

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
 
The types of malware introduced via a floppy disk are rare these days, typically do not spread themselves over networks, and are easily caught using simple virus scanners. Of course there is a good argument for just not taking the chance, and other good reasons why most people shouldn't be able to copy things to removable media and carry them off.

But for some people accepting and sending out data via physical media is necessary. I know of two groups where physical media processing (tapes, CDs, floppies) is done because network security policy prohibits exchanging data any other way! Email is the least secure way to move data over the Internet one can imagine, since it leaves copies of plain-text (well, most attachments are base-64 encoded, whoop-de-doo) sitting at the sending server, the receiving server, and 0 to many relay servers - potentially anywhere in the world. And look at all of the nasties that get in through email right now. Funny how a lot of users view email as some secure, point-to-point service when it is anything but!

The use of proxy servers weakens many other data exchange mechanisms in a similar manner.

About the only safe way to move sensitive data requires encryption/decryption at the very endpoints, the sending and receiving client systems. But oops! Now we're back to needing trusted, educated end users, both within and outside our own organizations.

One answer might be public digital courier services. Something like a mail/UPS/FedEx kind of thing, but all electronic, for moving big hunks of data instead of "How's the weather" messages. Perhaps accessible only through encrypting client software. These types of services are scarce since the dot-com bust, and almost nobody seems to make use of the ones remaining.

But how can "net admin" types take away all non-IP networks, close up all IP ports to/from the outside world, refuse to operate Internet-visible FTP or better servers, and take away all removable media devices? Sorry, but the IT folks are responsible for providing a service, not a lack of service. The challenge is doing this securely and cost-effectively, and that challenge is yours not the user's.

It's kind of funny to hear some of my older clients express a longing for the openness of those "evil, glass-house, mainframe days." The perception now is that their LAN people are only interested in making their own jobs as easy as possible. I think some work needs to be done before the resentment flows too far up the management chain. Educating users is a good 1st step. The questions then are where to begin and how to make it successful. Just a tip: don't ask for any budget to do it with.
 
I do certainly need a floppy and a cd-rom drive, and need to use it very often. But they are only small points.
(our data IS all stored on servers not on the hard drive)

>If that means a machine without modem, network card, floppy drive and CD ROM then so be it.
>If that's all you can be trusted with that's all you should get.

Ooh, harsh cutback. How can they know what I can be trusted with? And that's besides the point because if I need a modem then I need it, that's it. And in my job I do need it!

The "holes" are not created intentionally, take away my means to create holes then you take away a vital tool in my job. Maybe if a better system is used there would be no risk of holes!!
I just view it differently, we create problems and the techies have to fix it, others create problems on a daily basis that I have to fix, it's part of the job! Such is life :)

- É -
 
A techie's job isn't simply to act as an 'enabler' or to fix your problems - the reason security policies come into place is to protect the more critical data: important business stuff held on the servers and databases.

To most companies, keeping this data safe is top priority; above giving internet access to staff, allowing floppy disks, etc.

The lockdown isn't to prevent you damaging your laptop - it's to prevent your laptop damaging the servers.

<marc> i wonder what will happen if i press this...
* please give feedback on what works / what doesn't
* need some help? how to get a better answer: faq581-3339
 
I could easily live without my CD drive. I could cope without the internet, although that may, at times, decrease my efficiency. However, without my floppy drive or network card there'd be a whole lot less critical data stored, not that this would be a problem, seeing as how there'd be no way to run reports & queries on it!
I use this data every day, I am quite aware of how important it is and I'm not about to jeopardise it. In fact I have signed documents to that effect, but, as cian pointed out we all need certain tools to do our jobs. Do you stop a maintenance guy for a gas company from using a jackhammer in case he goes through the gas main? No, because then he can't do his job.
To a certain extent I believe that a techie does have to be an enabler, if I'm doing a job that the company considers important enough to pay me for then it's equally important that I'm given the necessary tools to complete it. Providing there is a mutual respect between myself and the techie then this should never be an issue. Problems only arise when this respect is missing.

Sharon
 