webshots

There’s a 61% chance the Adobe software you run at work is out of date

Dave Farquhar security , , , , , ,

I read this week that 61% of Adobe Reader installations in workplaces is out of date.

That’s very bad. Very, very bad. Because Adobe Reader is trivially easy to exploit, and there’s more sensitive information to steal on corporate PCs than there is on home PCs.

Read more

Another entry from the Clueless Dept.

Dave Farquhar General , , , , , , , , , , ,

Someone else who needs to buy a clue. I normally don’t have a problem with John Dvorak, and frequently I actually like his stuff. He’s not as clueless as some people make him out to be. Dvorak’s not as smart as he thinks he is, but one thing I’ve noticed about his critics is that they usually aren’t as smart as they think they are either.
Dvorak’s most recent Modest Proposal is that we fire all the technology ignorami out there and then, essentially, throw away corporate standards, let end-users run anything they bloody well want, and basically make them administrators of their own machines.

I’ve got a real problem with that. Case point: One of my employer’s executives recently brought in his home PC and insisted we get it running with remote access. Only one problem with that: He has Windows XP Home. XP Home’s networking is deliberately crippled, so businesses don’t try to save money by buying it. A sleazy move, but a reality we have to live with. We got it to work somewhat, but not to his satisfaction. He’s mad, but mostly because he doesn’t have any idea what changes went on under the hood in XP and doesn’t know he’s asking the impossible. But he’s perfectly competent using Word, Excel, PowerPoint and Outlook. He’s also very comfortable ripping his CDs to MP3 format–he’s got one of the largest MP3 collections in the company. He’s competent technologically. But he has no business with admin rights on his computer.

The same goes for a lot of our users. The record I’ve found for the most spyware-related files installed on a work PC is 87. These aren’t the technical ignorami who are installing this garbage. It’s the people who know how to use their stuff, but they love shareware and freeware. Maybe some of it helps them get their work done. But these people are the first to complain when their system crashes inexplicably. And I’m expected to keep not only the corporate standard apps like M$ Office running, but I’m also expected to support RealPlayer, Webshots, Go!Zilla, Gator, WinAmp, RealJukebox, AOL, and other programs that run ripshod all over the system and frequently break one another (or the apps I’m supposed to support).

If the users were completely responsible for keeping their systems running, that would be one thing. But install all that stuff on one computer and try to keep it running. You won’t have enough time to do your job.

Dvorak argues that people like me should solely be concerned with keeping the network working. That’s fine, but what about when some Luddite decides to ditch all modern apps and bring in an IBM PS/2 running DOS 5.0 and compatible versions of Lotus 1-2-3 and WordPerfect and dBASE? Unless there’s already an Ethernet card in that machine, I won’t be able to network it. And the person who decides a Macintosh SE/30 running System 6.0.8 is where it’s at will have a very difficult time getting on the network and won’t be able to exchange data with anyone else either.

Those scenarios are a bit ridiculous, but I’ve had users who would have done that if they could have. And someone wanting to run XP Home absolutely is not ridiculous, nor uncommon. If my job is to network every known operating system and make those users able to work together in this anarchy, my job has just become impossible.

As much as I would love for people to use Linux in my workplace and something other than Word and Outlook, the anarchy Dvorak is proposing is completely unworkable. It’s many orders of magnitude worse than the current situation.

This is just wrong too. Yes, New Englanders, I know about heartbreak. I’m from Kansas City. At least your Red Sox have posted more than one winning record in the past 10 years.

Anyway, not only are the Royals’ glory years over, they’ve forgotten where their glory years came from. They’ve once again denied Mark Gubicza entry into their Hall of Fame. Who? In the late 1980s, Mark Gubicza was the Royals’ second-best pitcher, behind Bret Saberhagen. Injuries did him in the same as Saberhagen (only a little sooner) but he’s still among their career leaders in wins and strikeouts.

And after spending 13 seasons in a Royals’ uniform, the Royals had a chance to trade Gubicza for hard-hitting DH Chili Davis. But you don’t trade a guy who’s poured his heart and soul into the team for 13 years and stayed completely and totally loyal to it no matter how much it hurt, right? Gubicza said yes. Gubicza went to the GM and told him that if he could make the Royals a better team by trading him, to trade him.

Chili Davis hit 30 home runs for the Royals in 1997. Then he bolted for the Yankees.

Meanwhile, Gubicza blew out his arm for good and the Angels released him. He pitched two games for them.

It takes a great man to tell the team he loves that the best thing he can do for them is to get traded for someone who can help the team more. That was Mark Gubicza. They don’t make ’em like him anymore.

But even more importantly, the immortal Charley Lau was once again denied entry. Who’s he? He was a journeyman catcher who spent his entire career as a backup and whose career batting average was .255, but that was because he had about zero natural ability. He was a genius with the bat, which was how he managed to hit .255. More importantly, Lau was the Royals’ hitting coach in the early 1970s. He spotted some skinny guy who was playing third base because Paul Schaal couldn’t play third base on artificial turf and their first choice to replace him, Frank White, couldn’t play third base at all. This skinny blond fielded just fine, but he was hitting terribly. Lau asked him what he was doing over the All-Star break. The kid said he was going fishing with Buck Martinez. Lau put his foot down. He told him he was going to stay in Kansas City and learn how to hit.

“He changed my stance. I had been standing up there like Carl Yastrzemski, but the next thing I knew I looked like Joe Rudi,” the kid recalled. But he started hitting. By the end of the year, he’d pulled his average up to a very respectable .282.

Soon Lau had every player on the Royals standing at the plate like Joe Rudi, and taking the top hand off the bat after contact with the ball. And the Royals created a mini-dynasty in the American League Western Division.

What was the name of that kid, anyway?

George Brett.

If it hadn’t been for Charley Lau, George Brett would have been nothing. The Royals probably would have never won anything. And they probably wouldn’t be in Kansas City anymore either. Who puts up with 30 years of losing, besides Cubs fans?

Charley Lau belongs in their Hall of Fame. Even if nobody besides George Brett and me remembers who he was.

Webshots and Weatherbug, away with you!

Dave Farquhar War Stories, Windows ,

The bane of the NT administrator’s existence banished. I had a problem last week with a user who was complaining about lockups. I went and looked at the system, and it turned out not to be lockups at all–the system was running out of CPU cycles, so it appeared to lock up, but if you let it sit long enough, it would recover. The system had so many user-installed toys, such as Webshots and Weatherbug and RealAudio and RealJukebox, that it didn’t have enough punch left to do real work. I disabled the toys, to many objections, and told the user to call me if the system had any more problems. I told her that yeah, the way I set up computers is drab and boring and utilitarian, but they work.
Supposedly Windows NT won’t allow regular users to install software. In reality, they can install a lot.

Here’s the trick. Open regedt32 (not regedit) and navigate to HKLMSoftwareMicrosoftWindowsCurrentVersionRun. Go to Security. The All Users group has special access. Change that to read-only access.

We did that at work on one machine, then logged in with a non-priveliged account, and we must have been the first people in history who had problems installing Webshots and Weatherbug.
Some programs may install anyway, though they fail to write the run key. But in order for them to start up, the user will have to drag the executable to their personal startup group. Most of the users who install this garbage don’t know how to do that.
Hard drive first aid. I had an external Mac SCSI hard drive that was acting up. I was able to get it to run once, for about 5 minutes. From then on, when you powered up, it would just seek incessantly. Stiction, I hoped–though it’s unusual for stiction to set in while a drive is actually running. I shut it down and let it rest. No improvement.

My normal cure for stiction is to blow-dry it to heat it up above operating temperature to loosen the oil. Lacking a blow dryer, I resorted to something I really don’t like to do. Well, since this was a Mac peripheral, I didn’t really care. And I made a pretty big show of it. I held the drive about six inches off the floor. “I’m gonna do it!” I said. My coworkers looked up. I released the drive, sending it hurtling to the floor. The force of the impact knocked the front of the enclosure loose.

“You’re recalibrating it?” someone asked.

I grinned, picked up the drive, snapped the front cover back on, and plugged it in. The drive ran. I copied the data off to another drive. It was a bit slow–this isn’t a healthy drive–but it copied. And the drive ran all day, to my amazement.

Incoming links: http://gsw.edu/~oiit/techsupp/software.html

01/19/2001

Dave Farquhar General , , , ,

Software of the day: SecurePC, from www.citadel.com . I spent most of yesterday evaluating it. The biggest thing it does that system policies won’t do is prevent the installation of software–in other words, it makes NT live up to the hype it’s had forever. I tried installing about 20 or so programs, using different methods to try to get around it, and I couldn’t. The setup programs either gave bogus error messages, told me installing software had been disabled, died outright, or crashed. In one instance, the setup program started, asked some questions, then told me installing software had been disabled. Nice.

The only things it won’t block are standalone programs, such as Steve Gibson’s self-contained gems, that don’t require any installation. But I’m not so concerned about those. For one, they’re rare. For two, they usually don’t conflict with anything because they don’t venture outside themselves. Their only danger is that they might be virus-infected, but that’s why we install always-on virus protection and push virus definitions.

The goal is to be able to set up PCs for use in the field, get them working right, then lock them down so as to keep people from breaking them by installing AOL and Webshots and every piece of beta software under the sun and break it.

SecurePC will do a few things system policies will as well, and its user interface is much nicer than Microsoft’s Poledit. Poledit will allow finer control of the control panels, so SecurePC doesn’t totally replace it, but the combination of the two will let you really lock a machine down. And frankly, even Windows 95 is pretty reliable as long as it’s running on good hardware and the user doesn’t mess with it.

But SecurePC is obviously targeting companies used to paying someone $100 an hour or more to fix PCs, because it runs $99. A 10-pack of the network version is $550. That’s a bargain for a company, but this would be incredibly useful in public computer labs in schools, libraries and churches, who frequently can’t afford that. It’s a shame. Hey, if it were priced lower I’ll bet some people would even buy it for home use. I have one friend who could really use it–it’d keep his 20-year-old brother from messing up his PC.

Tyrannical Security. This kind of software is a draconian measure, but what people all too often forget is that when a PC is sitting on a desk at work, it ceases to be a PC. It’s a CC–corporate computer, not personal computer. It’s a corporate asset, set up the way the corporation dictates. If the corporation says no screen savers, no Webshots, no stupid Yahoo news ticker, no RealAudio, then that’s law. Problem is, that’s impossible to enforce with the tools that come with Windows. But a third-party product to enforce them is a Godsend. Computer toys eat memory and CPU cycles, slowing it down and thus hurting productivity, and many of these toys are so poorly written as to make Microsoft look like a model of stability. Personally, I can’t wait for the day when Real Networks goes out of business. So these programs go in, break stuff, and then there’s lost productivity while waiting for the tech to arrive, then still more while an overworked tech tries to fix it. If we were to buy 1,000 copies of some security program that works and roll it out to everyone on our network, I’d be willing to bet it would pay for itself in three months.

The number of the day: 146. I use the Al Gore method of taking IQ tests. I keep taking them over and over again until I like the results. They say the 135-145 range looks like a genius to most people; the 145-165 range is a true genius. I’m accused of being a genius frequently enough that I’m probably at least a 135.

So since I climbed 22 points in a day, I can assume I’ll climb another 22 points today if I take another one, which will put me at 168–high genius level. Then I can take another one tomorrow, gain another 22 points, and apply for Mensa membership.

Or I can forget about it and get on with life. I think I like that idea better.