Sunday, November 27, 2005 

The System Administrator Song

Ran across this one the other day. Had to share. Enjoy.

Saturday, November 26, 2005 

Free Media Player


After some recent searching for a good all purpose media player I ran across VLC. Here is the scoop on this little gem:



  • It is multiplatform (Windows, Mac, Linux, Windows CE / PocketPC)
  • It is Open Source software which means that it is completely FREE.
  • It can play an amazing number of audio and video formats. Here is the feature list.
  • All of the codecs are built in. This is a great feature because you don't need to go hunting on the internet for the one codec you need to play your file. Basically it just works when you play your file with VLC.
  • It can act as a streaming media server. I have not fiddled with this functionality but here is the link to the info. Here is another great informational link on how to stream with VLC.
One of the cool features that may not have a lot of practical uses but is just plain neat nonetheless is the ability to play movies as your desktop background. So you can continue to use your computer while watching a video. I ended up watching more of the video rather than getting any appreciable work done.

Thursday, November 24, 2005 

Free Trekness

What IT-related blog would be complete without a post on Star Trek? Well, I don't want to disappoint, so here is mine...

Star Wreck
I ran across this Slashdot article about a Finnish Star Trek movie. Apparently a bunch of amateur actors and students put together a full-length Star Trek spoof called Star Wreck that is now Finland's most viewed movie. It is a free download and you can get your copy here. The special effects are impressive (better than some of the first movies). NOTE: This is a Finnish movie, so you may need to download the version with English subtitles.

New Voyages
I read about these in the December 2005 Wired article. An avid fan of the original 1969 Star Trek series has decided to pick up where the original series left off and is making his own episodes. Apparently, Paramount has agreed to look the other way as long as no profit is made from the episodes. So the new episodes are also free. Here is the New Voyages home page.

Hidden Frontier
These are home-grown episodes that appear to be in the realm of The Next Generation. I downloaded a few of these for grins and they are not terrible. Get your free episodes here.

Lastly, for more Star Trek information than you can shake a stick at (including other fan productions), check out this Wikipedia article.

Wednesday, November 23, 2005 

Don't Be A Sitting Duck - The Scoop On Least Privilege

The idea of least privilege is not new. The Unix and Linux world has been on this track for a long time, and I believe that this idea is finally getting some traction in the Windows environment, and none too soon. With all of the malware (viruses, rootkits, spyware/adware) out there, restricting normal users should be a requirement for almost everyone.

In the Windows world, operating with least privilege means that you operate your computer day to day as a restricted user. This means that you are normally logged in under an account that does not have access to install programs, cannot change system settings, and, more importantly, has very limited ability to do bad things (like install malware).

Don't think you need to do this? Most antivirus and spyware removal products have no defense against the looming rootkit threat. To get an idea of the type of threat people are facing, check out this interesting eWeek article. Here is a quote excerpted from that article:

"You could say the average end user is a sitting duck," said Jamie Butler, director of engineering at HBGary Inc. and author of FU, one of the first proof-of-concept rootkits.

Self-imposed restrictions like the ones I am suggesting here can go a long way toward protecting a computer. Most bad software (think rootkits, spyware, and viruses) that tries to covertly install on a computer operates at the same security level as the person logged in. So, if a person is logged in as a restricted user, the software is not able to install or make any changes to the PC. Conversely, if the user logged in to the computer is operating as an administrator (as most people are), the malware has full rein to do anything it wants to your PC.

My most recent personal experience with this security method amounts to locking down roughly 100 business desktop and laptop computers for a national contract service company. This has worked wonders. The secured computers are more stable and have remained completely free from malware infections. In addition, the machines that are locked down require less support because fewer things go wrong.

All business computers should be locked down. Almost all companies have some sensitive information stored electronically on their computers and having users logged in as administrators for normal activities is a security breach waiting to happen. Having current antivirus software, spyware detection and removal software, and a firewall is extremely important, however, it is also inadequate without further security measures.

Here is another very interesting eWeek article - Is System Lockdown the Secret Weapon? It talks about locking down computers in a business setting and gives some interesting stats and results that people have had from implementing this security measure.

Armed with this knowledge, most people would agree that implementing this type of additional security makes sense. The rub here is that there is almost always a trade-off between security and convenience, and restricting the normal user accounts is no exception.

Here are some basic instructions for locking down your user profiles:

Note: I am basing these instructions on Windows XP Professional. Windows 2000, 2003 and Windows XP Home may be slightly different. If you run into a jam then feel free to post and I may be able to provide some clarification.

WARNING: Before you restrict yourself you need to know your administrator password. If you restrict your normal account(s) and forget the admin password, you will no longer be able to install software on your computer. Proceed here at your own risk.
  1. Log in as the administrator
  2. Click Start | Settings | Control Panel | Administrative Tools (You may need to Switch to Classic View to see this)
  3. Open Computer Management and expand System Tools | Local Users and Groups and click on Groups. Your screen should look something like this:
  4. Open the Administrators group and remove everyone except for the Administrator user. Here is an example:


  5. Open the Power Users group and remove everyone
  6. Open the Users group and add all of the appropriate users.
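
The same group layout can be checked and planned from the command line. The following is an added example, not part of the original post: it parses the text printed by `net localgroup <group>` and returns the `net localgroup` commands that would bring a machine in line with steps 4 to 6. The sample output and the accounts `jsmith` and `mary` are constructed for illustration.

```python
# Added example: plan the group changes from steps 4-6 using `net localgroup` output.

def sample_output(group, members):
    """Constructed stand-in for what `net localgroup <group>` prints."""
    return "\n".join([f"Alias name     {group}", "Comment", "", "Members", "",
                      "-" * 79, *members, "The command completed successfully.", ""])

def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_list = True
        elif in_list:
            if not line or line.startswith("The command completed"):
                break
            members.append(line)
    return members

def lockdown_plan(outputs, keep="Administrator"):
    """Commands that leave only `keep` in Administrators, empty Power Users,
    and make sure every demoted account is still a member of Users."""
    in_users = {m.lower() for m in parse_members(outputs["Users"])}
    commands, demoted = [], []
    for member in parse_members(outputs["Administrators"]):
        if member.lower() != keep.lower():
            commands.append(f'net localgroup Administrators "{member}" /delete')
            demoted.append(member)
    for member in parse_members(outputs["Power Users"]):
        commands.append(f'net localgroup "Power Users" "{member}" /delete')
        if member not in demoted:
            demoted.append(member)
    for member in demoted:
        if member.lower() not in in_users:
            commands.append(f'net localgroup Users "{member}" /add')
    return commands

# Constructed machine state; jsmith and mary are hypothetical accounts.
SAMPLE = {
    "Administrators": sample_output("Administrators", ["Administrator", "jsmith", "mary"]),
    "Power Users": sample_output("Power Users", ["jsmith"]),
    "Users": sample_output("Users", ["mary", "NT AUTHORITY\\INTERACTIVE"]),
}

if __name__ == "__main__":
    for command in lockdown_plan(SAMPLE):
        print(command)
```

Review the printed commands before running them from an administrator prompt, and confirm the Administrator password works first, as the warning above says.
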
Here are a couple of the larger inconveniences that you can expect to run into when restricting your user accounts and some helpful information and links on how to operate in a non-admin mode.

Restricted users can not install software.
In order to install software log out and then log back in as the administrator to perform the software installation. When complete log back in as the regular user to enjoy the additional security.

In some cases it may not be necessary to log out of a restricted profile in order to install software. Many programs can be installed by right-clicking on the installation file and choosing the Run As option (in Windows 2000 you must hold down the Shift key while right-clicking in order to see the Run As option). This gives the user the ability to temporarily grant administrative access to the installation program so that it can complete the installation. Windows Vista (the new version of Windows that Microsoft is working on) will have enhanced User Account protection that should make this process easier and more secure. You can read about it here. Here is a screenshot of the Run As... dialog box:


Restricted users can not modify their power settings.
This one is fairly annoying and I have personally fielded a lot of questions about this. Here is a link to a registry hack that will allow all users to modify their power settings. NOTE: Please be very careful modifying your registry settings as making mistakes can seriously damage Windows.

For other important things like installing printers, changing the date/time, installing software updates, etc... log in as the administrator, do your business, and log back out.

Also, check out "The Non-Admin blog - running with least privilege on the desktop." This is a valuable site with lots of good information.

Monday, November 21, 2005 

Disable AutoPlay

AutoPlay is a feature that used to be nice to have: you just insert a CD (or other device) and it will automatically start a program or begin playing music. Given the current security landscape, having this feature enabled may no longer be wise, as many programs don't play so nice anymore. (This is how the Sony rootkit gets installed automatically. See some of my previous posts if you don't know what I am talking about, or just Google "sony rootkit".)

What many people may not consider is that it is very simple for someone to insert a USB key into a computer and have things automatically start happening without any other action. This presents a very easy way for a hacker to steal corporate secrets or personal data from a desktop or laptop without ever touching a keyboard.

Here are some brief instructions for disabling this feature on Windows XP Pro. (If you are using a different OS, a Google search should quickly yield some instructions.)


  1. Click Start | Run | and type in gpedit.msc and click OK
  2. Expand Computer Configuration | Administrative Templates | System
  3. Find the setting for Turn off Autoplay and open the properties
  4. Select Enabled and Choose to Turn off Autoplay on: All drives
  5. Next expand User Configuration | Administrative Templates | System
  6. Repeat steps 3 and 4
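
To confirm the setting took effect, check the registry value the policy writes. The following is an added example, not part of the original post: the "Turn off Autoplay" policy stores a `NoDriveTypeAutoRun` DWORD under the Policies\Explorer key in HKLM (Computer Configuration) and HKCU (User Configuration), and "All drives" corresponds to 0xFF. The values passed to `audit` in the demo are constructed.

```python
# Added example: verify the "Turn off Autoplay" policy by decoding NoDriveTypeAutoRun.

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ALL_DRIVES = 0xFF  # value written by "Turn off Autoplay on: All drives"

# A set bit turns AutoRun OFF for that drive type (0x02 and 0x80 are reserved).
DRIVE_BITS = {
    0x01: "unknown type",
    0x04: "removable (USB key, floppy)",
    0x08: "fixed disk",
    0x10: "network drive",
    0x20: "CD-ROM",
    0x40: "RAM disk",
}

def still_enabled(value):
    """Drive types whose bit is clear, i.e. where AutoRun remains active."""
    return [name for bit, name in DRIVE_BITS.items() if not value & bit]

def audit(hive_values):
    """hive_values maps 'HKLM'/'HKCU' to the DWORD found, or None if absent."""
    findings = {}
    for hive, value in hive_values.items():
        if value is None:
            findings[hive] = "NoDriveTypeAutoRun not set: policy not applied"
        elif value & 0xFF == ALL_DRIVES:
            findings[hive] = "ok"
        else:
            findings[hive] = "AutoRun still on for: " + ", ".join(still_enabled(value))
    return findings

def read_hive(hive_name):
    """Read the live value on Windows; returns None when it is absent."""
    import winreg  # Windows-only standard-library module
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE,
            "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    try:
        with winreg.OpenKey(root, POLICY_KEY) as key:
            return winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0]
    except FileNotFoundError:
        return None

if __name__ == "__main__":
    # Constructed values: machine policy applied, user policy skipped (step 5 missed).
    for hive, result in audit({"HKLM": 0xFF, "HKCU": 0x91}).items():
        print(hive, "->", result)
```

On a live Windows machine, replace the constructed values with `{h: read_hive(h) for h in ("HKLM", "HKCU")}`.
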
It is a bummer that we have to do this to stay safe but this is just another shining example of the tradeoff between security and convenience.

Thursday, November 03, 2005 

Very Surprised Sony Would Go This Far...

Ok. Now this is some crazy stuff... Apparently Sony will install a rootkit on your computer (without asking and without notification in their EULA), if you insert some of their music CDs in your computer.

Mark Russinovich of Sysinternals figured this one out. Here is what happened in a nutshell: He bought a Van Zant CD that had some copy protection built in. What he did not know at first was that when the CD was inserted it automatically installed a rootkit on his computer without prompting.

Later, as Mark was testing some of his software, he was surprised to find a rootkit on his computer. Now there are few people around that rival Mark's technical skills in Windows. And being the uber techie, he methodically isolated the infection and traced this back to Sony and a company called First4Internet. Apparently, the rootkit was also not well written and could potentially have a negative impact on the user's system. And uninstallation attempts will render your CD ROM useless.

For a very interesting read check out this article that Mark wrote about his discovery process. Also, here is an eWeek opinion article about it. And here is an informative Infoworld article.

It seems that this software may have been shipping on Sony CDs since early in 2005.
I don't like the idea that software can get installed on my computer without my knowledge or consent that can potentially have a very negative impact on my system. I can't see how doing this could be good for Sony's music sales. And now that I am aware of this Sony stunt I am less inclined to buy CDs in their traditional retail form as it makes me wonder if this is the kind of thing the other labels might try.

I like iTunes. There is some DRM built in to the service, however, it uses reasonable restrictions (that they disclose) and you can get just about any music through their service for a very fair price ($.99/song). Interestingly, the music industry is not happy about Apple's success, however. Check out John Dvorak's opinion article about the matter. It is an eye opener.

I haven't blogged in a while, but I could not let this one slip by without saying something...