Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

Comment Re:Not just Google (Score 1) 543

This isn't shocking. IT is not a career based on soft skills. When you're early in your IT career you don't think about it much but the day will come where it can become a problem if your career isn't switched to "soft skills" (aka management). IT is about what you've done in the last year and/or whether your chosen skills continue to be pertinent in the IT marketplace. When was the last time you saw a posting for say Microsoft's COM? Was all the rage in say 1996. As individuals get married and have kids their ability to keep up with what's "vogue" goes south. It's just a fact of life. All you 25 somethings might say "It will never happen to me, I'll keep up with 'X' forever!" but to quote the late John Lennon of "The Beatles" fame, "Life is what happens while you're busy making other plans."

Comment Re:Almost but not quite enough (Score 1) 420

To my knowledge Microsoft doesn't provide the source to psexec & DropMyRights either. The only reason I'm proselytizing what I've written is because it has a user friendly installer.

psexec & DropMyRights assume you're familiar with the command line.

Use the command line tools if you prefer.

Other than that, the end result of what you get from MS' tools and mine do not defer.

-M

PS: FYI, it's not a plugin.

Comment Re:Ignorance on users part (including IT people) (Score 1) 420

They're command line tools... your average user knows squat about the command line.

Allso, as I pointed out in my original post, many an IT professional that I've pointed them out to "doesn't get it".

The crux of what I've done is the installer. It creates shortcuts and labels them "SecureIE" & "SecureFirefox". As they say, a picture is worth a thousand words. A turnkey solution increases user adoption by a very wide margin. I remember when I tried via IM to get a friend to use the command line tools and create shortcuts, I realized as I struggled to get them working that he wasn't putting a space between the .EXE being executed and the first argument, in the shortcut. What's obvious to me isn't obvious to others. Again, this is why the installer is a big deal.

Lastly, the command line tools have a dependency on the Win32 console runtime. If you create shortcuts and use them, there's a momentary flash. If you use these with average users (I'm not /. people) it changes what they're used to seeing and may cause them to reject what you've done since their experience changes. "What's that flash? What's that mean? Is something bad happening? You sure this won't do something bad?"

Again, I was motivated to do this based on my own personal experiences with evangelizing the command line tools.

-M

PS: As for the command line tools, psexec & DropMyRights -- Google them.

Comment Re:Ignorance on users part (including IT people) (Score 1) 420

Mark Russinovich's tool, psexec, allows you to do it with the "-l" switch and DropMyRights:

http://technet.microsoft.com/en-us/library/bb456992.aspx

The issue is that Microsoft never exposed a tool for *average* (note emphasis on AVERAGE) end users to leverage the power CreateRestrictedToken affords.

Currently, when creating a shortcut you can through its Advanced properties have Windows prompt you to change your user credentials but when SP2 came out Microsoft should have added a way to strip admin rights. A no brainer imho and *trivial* to implement.

-M

Comment Re:Ignorance on users part (including IT people) (Score 1) 420

There are many factors at play, including among them in house politics at Microsoft. In particular the fact that they don't have a central figure with the ability to dictate security policy among their product groups. A security czar if you will. Imagine if there was the equivalent of a Steve Jobs inside of Microsoft but the only thing he was worried about was security *THEN* shyt would get done.

Otherwise you have one too many individuals with "security" in their title with no ability to dictate policy in products. Developers inside of Microsoft are pressured by managers to make product deadlines so MS can show growth to the stockholders (hint: none of them are thinking about security) and the end result is nothing progressive, creative and user friendly on the security front gets done. This Dilbert strip eludes to what I'm talking about:

http://flickr.com/photos/fucuyama/3002208273/

What's more you have individuals like the guys on ZDNet's Security blog who love to post about the latest flaws in applications, whether they be QuickTime or Microsoft Office but never point out that many of these issues can be severely mitigated by not running with administrative credentials.

The "principle of least privilege" gives you the most bang for the buck when it comes to security yet Microsoft has been woefully bad at empowering Windows XP desktop users which lead to Windows' reputation of being insecure. Many security issues that are specific to an application, whether it's IE, Office, QuickTime, Adobe's PDF reader, etc., etc. become way less interesting when you remove administrative rights.

That's why there's 300,000 viruses in the Windows universe and like 7 on Mac OS X. Because Mac OS X has never had people running with administrative rights.

Vista with UAC is a big step in the right direction. Windows 7 presumably will cache the fact that you've approved an installer to do something and let it run its course up until the process (associated with the installer) terminates. This would eliminate prompting users multiple times and annoying the hell out of them.

-M

Comment Almost but not quite enough (Score 0) 420

DropMyRights is one of two tools you can get off Microsoft's site to remove administrative rights when launching applications.

However, the biggest problem with both is that they are command line tools and your average Windows user knows jack about the Windows command line. Yes, this is /. but think of your Aunt Alice, Uncle Joe, Cousin Bob - "command line" is a quick way to immediately lose an average user.

What's more, getting people to actually read the Washingtonpost article and implement what it is saying is like pulling teeth. My experience is, it just doesn't happen. Even with IT people.

Secondly, DropMyRights is linked to the Win32 console runtime which causes a momentary flash as an application is launched (Windows displays a console window momentarily). It's very minor given the gains (in the case of DropMyRights) but average people have creative imaginations and they might dismiss a tool for the most *trivial reason* if their experience changes.

For all these reasons I wrote a small utility RemoveAdmin that does the same thing:

http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515

EXCEPT my installer creates shortcuts for IE & FireFox - turnkey solution is critical here, you have to break down the typical resistances with average users. The installer labels the shortcuts "SecureIE" and "SecureFirefox".

In addition removeAdmin.exe isn't linked to the Win32 console runtime so you don't see a flash as an application is launched.

-M

Comment Ignorance on users part (including IT people) (Score 4, Interesting) 420

It's a combination of ignorant users and ignorant IT people. I've never seen a single IT person use "runas" (impersonation), ACLs on the Windows file system or registry or and this is the damning one, a command line utility that allows you to selectively strip administrative rights on applications as you use them thatâ(TM)s been on Microsoftâ(TM)s site for years (after I pointed it out to them).

There was a reason once upon a time Microsoft chose to release Windows XP in such a way as to have users running with administrative rights. A reason that is extremely weak now - many people were upgrading to Windows XP from Windows 9x/ME and Microsoft didn't want to incur the support cost (or their partners) of having lots of applications stop working. Among them is the popular WinAmp. It used ancient APIs for its configuration file, WINAMP.INI, that stored global preferential data (as opposed to per user) in C:\WINDOWS\WINAMP.INI. If you didn't have administrative rights, it would just hang when you fired it up. Google Desktop when first released would *NOT* work on a non-administrative desktop. The list of offending applications goes on and on, e.g., a friend of mine had oceanic navigation software that insisted running with admin rights.

However, it turns out there is a programmatic mechanism in place in every copy of Windows XP (and Windows 2000) that allows you to strip administrative rights when you launch a process. Microsoft never exposed users to this ability for reasons that to this day are unclear to me. The magic API in question is CreateRestrictedToken.

But what really was an eye opener to me is when I would point out a tool on Microsoft's site to strip out administrative rights when you run a program. Namely, years ago you could have made the situation tenable in the case of apps like WinAmp and Google Desktop by yes, logging onto your desktop as an administrator but launching most Internet facing application without administrative rights but hereâ(TM)s the clincher *AND NOT CHANGING USERS* . In fact, I've been doing this for years.

Nonetheless I observed an incredible amount of laziness on IT professionals when I pointed out these capabilities. Laziness, apathy and the usual suspect of insecurity ("Don't tell me what to do, I know what I'm doing"). Yes, that's right, you manage a CISCO PIX firewall, you must be a security guru all around and follow best practices.

So given my former life as a Windows software developer I took it upon myself to create a turn key installer that at least protects Jane & Joe Average called *RemoveAdmin*:

http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515

RemoveAdmin is a utility to strip administrative rights off apps as they're launched under Windows XP and Windows 2000 where unfortunately 99.9% of home users run with administrative rights.

The default RemoveAdmin installer creates shortcuts for IE and Firefox but if you analyze the shortcut, you see IE and Firefox are passed as an argument to the removeAdmin.exe program.

You can trivially setup another shortcut for Opera and/or any other Internet facing application... as you should since you can't trust foreign computer systems you connect to.

Itâ(TM)s version 0.1 since I havenâ(TM)t created a FAQ and thereâ(TM)s the situation that if you have multiple administrative SIDs it wonâ(TM)t work (not the case for most people). I need to fix that, create a FAQ and also offer to adjust the ACLs on the Startup folder to tighten security such that when combined with RemoveAdmin, breaching your system on account of your browsing becomes because crazy hard.

Comment Welcome to software development (Score 1) 262

"However, I'm very unmotivated both because of the work that I do, which is boring, and because the organization I work for is highly political, disorganized, and lacks accountability."

Big reasons I no longer do it.

The other reason is maintenance. Most "software development" is dealing with crap laid down by others who moved on years prior. If not within the company, then mentally.

Frankly, software development is severely overrated. Getting a CS degree and going off to do it is sort of like watching some episode of Nova dealing with some science topic lending some interest to whatever scientific branch that is involved but then when you get that chemistry degree you realize a monkey could work at a lab eventually (think Darwin).

Likewise, creating some "neato" web page isn't exactly indicative of what software development is like in the real world. Sure web development is not the only kind of software development but it sure is the majority nowadays.

-M

Slashdot Top Deals

Chairman of the Bored.

Working...