Adventures in DRM land: Sony

[keith]

Well, they're your users, so you should know. But I'm amazed.
Who are these poeple? Why do they believe that running MS-Win
as root is in any sense safe? Far better OSes (Tops-20, Multics, MVS,
Unix) would never make this claim.

Those OSs have professionals paid the big-bux to install and
maintain their applications. The normal Windows user is lucky to have a
semi-consious helpless desk to ask for help when things get really bad.
Right or wrong, these are very different markets with very different
expectations.

True enough. But as Keith pointed out, some of the same considerations
apply. Doubly so, because both ends of the support call are costing the
corp money.

Which is likely why one decides to "go nekkid" and hope the anti-virus,
firewall, spam-filters, and spyware filters work. ...another reason for
more MIPS. ;-)

Yes, this is pretty bad. It wouldn't be hard to get the user to give a
pwd at install. H3ll, even Slackware text scripts do this.

Didn't Windows used to demand a PW at install? It sure doesn't now.

Properly configured software should be installable and runnable a
ordinary users -- just point to a user writeable directory for the
install. But yes, it is an inconsistant mess.

Is is fair to expect every user to be able to figure out the mess? Should
there be an IT type sitting there holding every secretary's hand? ...ok,
that wasn't fair. There aren't any secretaries. Worker-bees have to do
that work too. They should be fully trained system admins too?

Those who do not learn from the mistakes of others will have the
opportunity to learn these lessons at their own cost.

....and the alternative is? <Not using windows doesn't count as an answer>

 

[Robert Redelmeier]

Oh they know.

Well, they're your users, so you should know. But I'm amazed.
Who are these poeple? Why do they believe that running MS-Win
as root is in any sense safe? Far better OSes (Tops-20, Multics, MVS,
Unix) would never make this claim.

Dell et.al. has nothing to do with corporate systems and their setup.

True enough. But as Keith pointed out, some of the same
considerations apply. Doubly so, because both ends of the
support call are costing the corp money.

As for M$, there have been several default installation
results and the most common one, if you give a specific
user name during install is to create a user with name
"administrator" with no password... not blame M$ for that?

Yes, this is pretty bad. It wouldn't be hard to get the
user to give a pwd at install. H3ll, even Slackware text
scripts do this.

Sorry - "too much trouble"... and it can make a real mess
if they do it wrongly, e.g. install Firefox and forget to
run it once as an administrator; with other software it's
the other way around.

Properly configured software should be installable and
runnable a ordinary users -- just point to a user writeable
directory for the install. But yes, it is an inconsistant mess.

Show or walk them through it themselves - nothing works<shrug>
They don't want to - they want to do it their way... with the
minimum of disturbance to their usage, which is usually risky.

Those who do not learn from the mistakes of others will
have the opportunity to learn these lessons at their own cost.

-- Robert

 

[Robert Redelmeier]

I held out as long as I thought I could (talked the boss up to a
T42p . ...not quite the same display resolution, but a 2GHz PM
(vs. 850MHz PIII) and 2GB (vs. 512MB). It's ok. ;-)

Sounds reasonable.

When security gets in the way of productivity, it's not
productivity that gets left behind these days.

Interesting. My corp has taken exactly the opposite tack.
And I would say we have less to protect.

Interestingly I don't get root priveleges on my AIX machine, but
*own* the laptop. Perhaps they've decided it's not controllable.
Dunno, but I'd likely use a "user" ID if it were mandated. I just
don't like the constant loging out/in in windows. At least SU
works in *ix.

So many things are faster in Unix and Linux-like systems.

Morton salt.

As in "When it rains, it pours?"

I guess maybe! What a huge step backwards that was.
I'd rather manually edit config.sys and autoexec.bat.

Sure. Even the mess of /etc/foo_config and ~./foorc is
better than that warren of a registry hive.

-- Robert

 

[Robert Redelmeier]

Those OSs have professionals paid the big-bux to install
and maintain their applications. The normal Windows user
is lucky to have a semi-consious helpless desk to ask for
help when things get really bad. Right or wrong, these
are very different markets with very different expectations.

Precisely. Even with the high priced help, they still need
user isolation. So because it's a teensy bit complicated,
MS-Windows needs it less?

Which is likely why one decides to "go nekkid" and hope the
anti-virus, firewall, spam-filters, and spyware filters work.
...another reason for more MIPS. ;-)

Sure. But in the end, you pay for everything. User isolation might
cost a bit up front, but it saves later. At least, that's what the
high priced help decided long ago. Why do we now believe otherwise?
've never seen any serious discussion.

Didn't Windows used to demand a PW at install? It sure doesn't now.

I'm no MS expert. I don't recall any except for DUN.

Is is fair to expect every user to be able to figure out the mess?

No, that's what IT is for. They ought to know apps or be able to
find out. A simple list of commonly used apps and install notes.

...and the alternative is? <Not using windows doesn't count as an answer>

If you're stuck on MS-Windows, then you need to learn _more_ about
computing principles than if you have a safer system. Just because
GUIs are attractive an easy to start-to-use does not mean they are
any easier in the long run. There still are the same tasks, and the
learning curve is just delayed.

-- Robert

 

[Keith]

Precisely. Even with the high priced help, they still need
user isolation. So because it's a teensy bit complicated,
MS-Windows needs it less?

Needs? No, but it ain't going to get it. To do so would make the
client end of client-server unmanageable. ...back to mainframes.

Sure. But in the end, you pay for everything. User isolation might
cost a bit up front, but it saves later. At least, that's what the
high priced help decided long ago. Why do we now believe otherwise?
've never seen any serious discussion.

That discussion was had. Desktops won because the users demanded
them. Mainframes and management (any way you look at the term)
lost. The various virii may make some want to reengage in that
discussion, but the cow already kicked over the lantern.

I'm no MS expert. I don't recall any except for DUN.

I though NT4 (?) required one to enter a password on install.
Maybe a null password was allowed, but at least it was entered as a

No, that's what IT is for. They ought to know apps or be able to
find out. A simple list of commonly used apps and install notes.

No one is going to pay for that many support personell. We have
*some* applications that can be automatically loaded from a server,
but only very commonly used applications. The user is on their own
for anything remotely "wierd". Try programming when your only
editor is Notepad, or perhaps Word.

If you're stuck on MS-Windows, then you need to learn _more_ about
computing principles than if you have a safer system. Just because
GUIs are attractive an easy to start-to-use does not mean they are
any easier in the long run. There still are the same tasks, and the
learning curve is just delayed.

I'm not stuck on Windows. The IT folks are. I'd rather put Linux
on my laptop, but that's not a supported configuration and I'm even
further out on a limb. Any support (likely even if it's on the Win
side) then gets billed to my boss (who has no budget for such
nonsense). Frankly, I'm scared to even put it on the laptop since
I have no way of taking an image of the disk to play.

 

[Robert Redelmeier]

(e-mail address removed) says...

Needs? No, but it ain't going to get it. To do so
would make the client end of client-server unmanageable.

The client is manageable now???

...back to mainframes.

That's the general thrust where I work.

That discussion was had. Desktops won because the users demanded
them. Mainframes and management (any way you look at the term)
lost. The various virii may make some want to reengage in that
discussion, but the cow already kicked over the lantern.

Barns can be rebuilt After enough damage, a case can be made.

No one is going to pay for that many support personell.

What many? This is a simple experience database. A couple of
guys for a couple of weeks in a PC lab with a dozen machines,
reimaging over lunch They should be able to do ~100 packages.

Try programming when your only editor is Notepad, or
perhaps Word.

Ack! Give me `vim` anyday.

I'm not stuck on Windows. The IT folks are. I'd rather put
Linux on my laptop, but that's not a supported configuration
and I'm even further out on a limb. Any support (likely even
if it's on the Win side) then gets billed to my boss (who has
no budget for such nonsense). Frankly, I'm scared to even put
it on the laptop since I have no way of taking an image of the
disk to play.

Install a spare HD and play on it. External USB if the
sThinkpad won't take an internal.

-- Robert

 

[Keith]

The client is manageable now???

Nope. My point is that if the resources were dedicated that you
believe is *necessary*, we'd go back to mainframes. As long as
mere users have control of the computer it will continue to be
unmanaged. Users will *not* give up control, ergo...

That's the general thrust where I work.

Too expensive (did *I* say that? . I think we only have one
application that we need a mainframe for and that's not very
important since I forgot my VM password five years ago. We were
moved off because of the *cost* of systems management. Mainframe
disk space is 1000x the cost of laptop space and likely 10 times
that of AFS space.

Barns can be rebuilt After enough damage, a case can be made.

Maybe, but users aren't going to give up control to the glass house
easily. It took years for them to wrestle the AIX root passwords
away from mere users.

What many? This is a simple experience database. A couple of
guys for a couple of weeks in a PC lab with a dozen machines,
reimaging over lunch They should be able to do ~100 packages.

Huh? That's what we have now and its a mess. These people
actually don't do a bad job, but the systems are only half there
when delivered. Then all the usefull stuff and configuration
starts.

Ack! Give me `vim` anyday.

;-) I tend to use VE on AIX, but prefer other editors on Win.
That's the point, editors are personal, as in "Personal Computer".

Install a spare HD and play on it. External USB if the
sThinkpad won't take an internal.

It'll take an internal, but I'm not about to plunk cash down for a
system I don't own. If I could borrow one for a week, I'd simple
image this one to another disk and then install Linux, once I was
sure the new image was bootable. I'm not really up for another
round of "find/install/configure that app".

BTW, have you seen the "Microsoft" We-FYP, pronounced WE-fip, (We
Feel Your Pain) movie? I thought it quite funny this morning when
a colleage sent it to me just as I sent off my last post. ;-)

 

[George Macdonald]

Well, they're your users, so you should know. But I'm amazed.
Who are these poeple? Why do they believe that running MS-Win
as root is in any sense safe? Far better OSes (Tops-20, Multics, MVS,
Unix) would never make this claim.

Oh, it covers the gamut - from those who are too important to be told how
to do things, thru those who own home computers and are "experts", to those
who have to have Ctrl/Alt/Del written on a stick-up. The last are not a
problem though in that respect but have other issues/

Properly configured software should be installable and
runnable a ordinary users -- just point to a user writeable
directory for the install. But yes, it is an inconsistant mess.

Yeah well Mozilla badly needs to do something about Firefox install, though
they probably want to keep it as OS neutral as possible and Windows has its
err, quirks... and the default privileges are not well thought out or
presented.

Those who do not learn from the mistakes of others will
have the opportunity to learn these lessons at their own cost.

I really can't go into too much detail here but yes, it's scarey.

 

[Robert Redelmeier]

Oh, it covers the gamut - from those who are too important to
be told how to do things, thru those who own home computers
and are "experts", to those who have to have Ctrl/Alt/Del
written on a stick-up. The last are not a problem though
in that respect but have other issues/

When you stop learning, you die. Many of your users seem
to be in that category.

as possible and Windows has its err, quirks... and the
default privileges are not well thought out or presented.

Entirely true. I hear Longhorn is going to have better ACLs
over C:\Program Files.

-- Robert

 

[Robert Redelmeier]

Nope. My point is that if the resources were dedicated
that you believe is *necessary*, we'd go back to mainframes.

No, I'm not arguing that at all.

As long as mere users have control of the computer it will
continue to be unmanaged. Users will *not* give up control,
ergo...

Running as a user account isn't giving up control so long
as I also keep the root passwd. Do you think I run my personal
Linux machines as root? I could, but I'm not that stupid.

Maybe, but users aren't going to give up control to the
glass house easily. It took years for them to wrestle the
AIX root passwords away from mere users.

Ah, but users managers might give up control much easier.

Huh? That's what we have now and its a mess. These people
actually don't do a bad job, but the systems are only
half there when delivered. Then all the usefull stuff and
configuration starts.

Yes, this customization takes time. But there should be
some cheat-sheets to help you.

It'll take an internal, but I'm not about to plunk cash down
for a system I don't own.

You can't just have your admin order one under "petty cash"?
2.5" IDE HDs aren't expensive.

BTW, have you seen the "Microsoft" We-FYP, pronounced WE-fip,
(We Feel Your Pain) movie? I thought it quite funny this
morning when a colleage sent it to me just as I sent off
my last post. ;-)

Nope, not yet. Do you have a link?

-- Robert

 

[Del Cecchi]

When you stop learning, you die. Many of your users seem
to be in that category.

not necessarily. Some are just not inclined to waste their time learning
the intricacies of Windows and such. I have plenty to learn yet but
details of Windows is pretty far down the list, along with how to make
test models and code delay rules.

 

[George Macdonald]

Needs? No, but it ain't going to get it. To do so would make the
client end of client-server unmanageable. ...back to mainframes.


That discussion was had. Desktops won because the users demanded
them. Mainframes and management (any way you look at the term)
lost. The various virii may make some want to reengage in that
discussion, but the cow already kicked over the lantern.

And one of the reasons desktops won is because people don't want their
compute environment "managed" by IT... and in many cases won't even listen
to valuable advice. They just want it fixed when it's "broken".

I though NT4 (?) required one to enter a password on install.
Maybe a null password was allowed, but at least it was entered as a


No one is going to pay for that many support personell. We have
*some* applications that can be automatically loaded from a server,
but only very commonly used applications. The user is on their own
for anything remotely "wierd". Try programming when your only
editor is Notepad, or perhaps Word.

I like Textpad as a general editor for PC.

I'm not stuck on Windows. The IT folks are. I'd rather put Linux
on my laptop, but that's not a supported configuration and I'm even
further out on a limb. Any support (likely even if it's on the Win
side) then gets billed to my boss (who has no budget for such
nonsense). Frankly, I'm scared to even put it on the laptop since
I have no way of taking an image of the disk to play.

Yeah, if you have a WinXP with no install CD and the install image in a
hidden partition, I can't see using a boot manager - in fact I accidentally
installed a boot manager on a brand new Thinkpad a while back and it ****ed
the hidden partition layout. Long story but after much sweat, I got it
back... and yes I felt like a chump but the Access IBM button seems to
send a return key in its sequence and BootitNG doesn't seem to ignore
type-ahead.:-(

BTW for taking an image, you really need to run the Create Recovery disk
(CD or DVD) if you have no install CD. Other options are to use the "image
option of BootitNG (trialware free DL) or BartPE (very useful way to
create/run WinXP from a bootable CD/DVD) to back up the installation to a
CD/DVD .ISO for later burning.

 

[George Macdonald]

not necessarily. Some are just not inclined to waste their time learning
the intricacies of Windows and such. I have plenty to learn yet but
details of Windows is pretty far down the list, along with how to make
test models and code delay rules.

Quite a few are developing code, so it kinda follows that it'd be in their
interest to learn a few intricacies. For others, repeatedly making the
same pig-headed mistakes over and over and ignoring advice whether it be
from M$ or not begs for a change of umm approach.

Trouble is that I seem to do all my "learning" about Windows in panic mode,
when it just bit my ass... *again*. Worth noting the number of Web
Sites which "support" Windows now and some even charging real $$ to get you
an answer... right or wrong.

 

[Robert Redelmeier]

not necessarily. Some are just not inclined to waste
their time learning the intricacies of Windows and such.
I have plenty to learn yet but details of Windows is pretty
far down the list,

Likewise. I don't want to waste neurons on MS-arcania.
But you have to learn something, and should choose useful
ideas and concepts.

I would think knowing the big secure mainframe & unix
machines all have user isolation, and that this was possible
(but not default) on MS-Win would be a useful fact if you
were concerned about PC security.

-- Robert

 

[Keith]

No, I'm not arguing that at all.

I thought you advocated that users only have user access and that
root access be controlled. SOmeone has to control that access.
....and be there when I want to install &frammis.

Running as a user account isn't giving up control so long
as I also keep the root passwd. Do you think I run my personal
Linux machines as root? I could, but I'm not that stupid.

You can easily SU to root when needed, or log into another account
while not logging out of your account. Win makes this ugly, at
best.

Ah, but users managers might give up control much easier.

Ah, that's the "beauty" of distributed computers. PHBs are users
too. ;-)

Yes, this customization takes time. But there should be
some cheat-sheets to help you.

Cheat sheets? *Manuals*, and every package is different. Each
seems to treat the system (often including security) entirely
differently.

You can't just have your admin order one under "petty cash"?
2.5" IDE HDs aren't expensive.

Shirley you jest! I have to buy my own batteries for my company
supplied mouse and telephone headset.

Nope, not yet. Do you have a link?

No, it was sent as an attachmant. It is quite on-topic though. ;-)

 

[Keith]

And one of the reasons desktops won is because people don't want their
compute environment "managed" by IT... and in many cases won't even listen
to valuable advice. They just want it fixed when it's "broken".

Precisely my point. Windows makes it unmanageable though. I'd
much prefer Linux, but have little choice. Ok, some have gotten
"everything" to work under Wine, but I'm not about to invest that
kind of time in fiddling. Windows fiddling is bad enough.

 

[Keith]

Quite a few are developing code, so it kinda follows that it'd be in their
interest to learn a few intricacies.

*Very* few (as a percentage) Win users are developing code. Indeed
I try my best not to. ...to many other things I'm paid to do.

For others, repeatedly making the
same pig-headed mistakes over and over and ignoring advice whether it be
from M$ or not begs for a change of umm approach.

I've been bitten by one worm and that was a *dumb* mistake, though
it looked like the ("rejected") email I opened was from a known
person. Yes, the IT people scrubbed my machine after I got booted
from the intranet (the bastards didn't tell my why I was booted, or
even that I was booted, so lost two days there).

Trouble is that I seem to do all my "learning" about Windows in panic mode,
when it just bit my ass... *again*. Worth noting the number of Web
Sites which "support" Windows now and some even charging real $$ to get you
an answer... right or wrong.

What a marketing plan!

 

[Robert Redelmeier]

I thought you advocated that users only have user access and
that root access be controlled. SOmeone has to control that
access. ...and be there when I want to install &frammis.

No, I advocate users having both user and admin access to
their PCs, but learning that user access is sufficient for
most everyday tasks and gives them meaningful protection.
Taking away root is a control-phreak issue.

You can easily SU to root when needed, or log into another
account while not logging out of your account. Win makes
this ugly, at best.

I use both, and switching user under MS-WinXP isn't horrible.

Ah, that's the "beauty" of distributed computers. PHBs are
users too. ;-)

Yes, but their use corresponds to Etch-a-Sketch
They can be persuaded to go locked-down.

Cheat sheets? *Manuals*, and every package is different.
Each seems to treat the system (often including security)
entirely differently.

Many are. But install notes for the common corp image
should be available.

Shirley you jest! I have to buy my own batteries for my
company supplied mouse and telephone headset.

Euww! Turning in used pencil stubs is proven to cost the
corp far more in lost productivity than the materials savings.
All our admins have corp-pay credit cards. There's some abuse
(& auditing) but the losses are less than the lost productivity
by going clamped-down.

No, it was sent as an attachmant. It is quite on-topic
though. ;-)

I think it's "We share your pain".

-- Robert

 

[Del Cecchi]

Shirley you jest! I have to buy my own batteries for my company
supplied mouse and telephone headset.

Wow, your part of the company is really cheap. Stationary stores has
common batteries in Rochester. They deliver them right to your office.
And many admins stock the more unusual ones, like an HP11 takes. Or
there is alway Buy on Demand or whatever it is called.

 

[Tony Hill]

Precisely my point. Windows makes it unmanageable though. I'd
much prefer Linux, but have little choice. Ok, some have gotten
"everything" to work under Wine, but I'm not about to invest that
kind of time in fiddling. Windows fiddling is bad enough.

Some days I do kind of wonder just which fiddling is worse. Just last
night I managed to get hit by a whole whackload of spyware on my
Windows box (brought on by my own stupidity late at night). After
several hours of working and running numerous anti-spyware tools I
*STILL* have something buried in Windows Explorer that I can't quick
track down. My firewall is able to block it's attempts to contact
remote servers to do it's damage, but I'm having a heck of a time
tracking down the actual root cause of this.

The number of hidden and undocumented nonsense in the registry is
frightening to say the least.

On the flip side I spent several hours over the weekend trying
(unsuccessfully) to upgrade MySQL on my Linux media player box to the
latest version (complete with the latest bug fixes/security patches).
The new version is installed but my database is mostly hosed.
Fortunately nothing too important was lost, and it might still be
recoverable the next time I have a couple hours to work on it.