Picture from here

A few months ago my home server lost all of my MP3′s from a share.  I was freaking out thinking some process had magically deleted them.  Then I noticed the partition was missing.   I spent a few days banging my head against the wall trying to recover the data and nothing helped.   Since I’m a listener of Security Now, I attempted to use Spin Rite on the drive, even this didn’t help it.   I was freaking out.

I set aside the drive and re-addressed it yesterday.  A friend of mine had a copy of Partition Doctor 3.5 and we ran it against my drive.   In a matter of minutes we managed to get the drive back up and all of the MP3′s were there.   Neither my wife and I were too anxious to go through the 2-3 week ripping process we did last time when we re-ripped at a higher bit rate.

This is not a promotion, I get no money from the links you click, if however you do have an issue with a lost windows partition, try Partition Doctor’s demo version and it will show you if it can be recovered.

I ran across this article by way of Slashdot.  A teacher had punished a student for handing out live linux distrubution discs, for those that aren’t familar with a liveCD, it allows you to boot your computer off of CD and test drive linux without modifying your hard drive.  You can remove the CD and reboot and be back to using windows or whatever in no time. This teacher wrote the head of this particular linux group and stated:

I am sure you strongly believe in what you are doing but I cannot either support your efforts or allow them to happen in my classroom. At this point, I am not sure what you are doing is legal. No software is free and spreading that misconception is harmful. These children look up to adults for guidance and discipline. I will research this as time allows and I want to assure you, if you are doing anything illegal, I will pursue charges as the law allows.

and also:

This is a world where Windows runs on virtually every computer and putting on a carnival show for an operating system is not helping these children at all. I am sure if you contacted Microsoft, they would be more than happy to supply you with copies of an older verison of Windows and that way, your computers would actually be of service to those receiving them..

Now the person at the Helios distribution had some key things in response (these are snippets):

First off, if there was even the slightest chance that I was doing something illegal, it would not have been done. To think that I would involve my kids in my “illegal” activities is an insult far beyond outrage.

linux is superior to MS windows in so many ways, they are too numerous to mention here…I am weary of enumerating them. Unlike Microsoft who meters their “improvements” and then shovels them to you every five years or so for purchase; Linux releases their improvements upon their completion. We receive the newest and the best of the system when it is tested to be usable and stable

The most disturbing part of this resides in the fact that the AISD purchases millions of dollars of Microsoft Software in a year’s time when that money could be better spent on educating our children. A dedicated School Teacher would recognize that fact and lobby for the change to Free Open Source Software and let the money formally spent on MS bindware be used on our kids.

Now I do recommend you read the original article, but I do think this shows the ignorance of the teachers in our systems. Some people try to tell me when my child arrives that home schooling is a worse option then sending the kid to public or private schools.   I know I went through similar issues like this with my teachers, sometimes it was on english, other times it was on history.   Teachers won’t admit they are wrong and will continue to spew the same crap to students year after year.  They feel they must be the ones in the right otherwise they wouldn’t be the teacher.

I’m stopping now before I bust into a complete rant – read the original article and let me know what you think.

Maximum PC recently ran an article titled 50 Skills Every Real Geek Should Have, I wanted to go through and see how I ranked in their skill list.   Let’s find out.

1. Name the Connectors – yes I was able to :)

2. Run your essential apps on a USB stick – no I don’t do this, I could – I just prefer to run everything in the cloud or on my N810 – which is with me most of the time.

3. Straighten Pins on a CPU – I have done this too many times

4. Know the 13 basic HTML Tags – well I kinda know most of them – I use freaking wordpress I hardly need to use HTML and when I do I look it up and hav ethe answer in seconds.   Though I do know quite a few by heart that aren’t listed in the basic 13.

5.  Get through to executive customer service – hey I read the consumerist.

6.  Beat quake in 60 minutes – maybe at one point in time, but I’m not big on FPS games.

7.  Build a Hackintosh – I know how, I just don’t the components that seem to work, and I’m a cheap bastard that won’t buy parts just to run OSX - I’ll stick with ubuntu as my alternative OS.

8.  Watch TV Online legally – um that’s how I watch 100% of my TV these days.

9.  Get around a content filter from a public computer – yes I know how, I’ve helped friends at other companies, it’s not worth it to do it at my own job though.

10. Recite Pi to 23 decimal places – nope – I have no inclination to ever learn either.

11. Replace the controller board on a hard drive – hey I did that once, it’s not a skill that comes up at parties though.

12.  Benchmark your computer – really?  Is this even on this list? Yes, I was doing this before I fully understood what the benchmarks meant on my 386 DX40.

13. Decorate your room with only printer paper – am I physically in the skill set to be able to do this?  Yes I am – would I?  No.  I’m more likely to decorate with NES cartridges.

14. Securely erase your data so it can’t be recovered – yes I am capable – it would be easier if you encrypted it first though.

15.  Get into a windows computer if you don’t have a password – yes I’ve done this quite a few times.

16.  Hide data from anyone – yes encryption, hidden volumes, stegnography (which I got bored with in 2001) – I am capable of doing all that – I’m more likely ot share my data then hide it though.

17. Explain what e=mc2 means – yes I would like the e=MC2 with a side of fries please – yes I am capable, but refuse to put in the details here since I want to make it through this list.

18.  Abstain from buying extended warranties – I may have bought one, once – it was on something i thoguht it fall apart though – so it’s all good.

19.  Use photoshop or gimp – yes I am capable.

20. Use a DSLR in full manual mode – I can – I’m just lazy and prefer it to do the work.

21. Mooch your neighbors wi-fi – my neighbor doesn’t have wi-fi but I’m ready to mooch when they do.

22. Protext your wi-fi – Wep2 currently – For a while I had mac filtering, I hated to keep getting mac addresses from visitors though.

23. Create an animated spray in Valve games – um – I don’t think I’ve played a single one for more then 5 minutes….so this one is a no.

24.  Setup RAID – yes I’ve done this a few times over the years for my home network.  Now implement Iscsi raid across multiple computers – that’s a challenge.

25. Calculate a Pitchers ERA – no I don’t know how – but I know google will give me the answer quicker then I can calculate it.

26. Run two Operating Systems – um I dual boot currently……

27. Install a hard drive in laptop – done before and some day I’ll do it again.

28. Pull off an elaborate prank – I think have the skill set and knowledge – I just never have – unless stealing street signs as a teenager counts.

29.  Rocket jump with a macro – um – I said I don’t really do FPS games – so no I can’t do this.

30.  Wire your home with ethernet – um every place I’ve lived with my wife we have had wired ethernet – we even used RG58 at one point.

31.  Know the 6 most important linux commands – yes I get command not found when I’m not thinking and run them in windows.

31. Rip your CDs to Flac – we did this for awhile then went back to MP3

32.  Stream Music, Movies, Pictures to any TV in the house – I’ve done this before – now we just carry our laptops around – shrug.

33.  Install and configure a VM – yes I’ve done this for literally years (maybe even a decade by now)

34.  Run multiple monitors – yes I use to dual monitor and run SWG on two different ones at the same time – I’m sad I know.

35. Run hacked firmware on a router – yes liek the rest of hte world I have a hacked linksys router /yawn.

36.  Pick a lock – I’m not good at it, but I’ve done it a couple times.

37.  Tell the difference between Dr. Pepper and Mr. Pibb – it’s been awhile but I think I could.

38.  Avoid DRM on everything – well streaming video legally that they talked about above seems to contradict this one doesn’t it.   However all my local video, music, picutres, and ebooks are DRM free.

39. Download a flash video and reformat it – yes I’ve done this – youtube videos locally stored on the N810 ftw.

40.  Get around in DOS – I grew up and DOS and resisted windows for a long time – so let’s just say yes.

41. Rip a DVD to h.264 – yes been there done that.

42.  Overclock your PC – yes I’ve done this my pride and joy was overclocking my AMD 133 mhz 486 to 160 MHZ – and it benchmarked and ran like a pentium 133 for half the cost.

43.  Use remote desktop – it’s part of my job – so yes.

44. Debate the merits of a star destroyer vs. the enterprise – yes, and the star destroyer would win.

45. Buld your own computer – built too many to actually count – I’m serious to – I worked at a small PC store and we sold hundreds – thousands of machines – so I cna build my own.

In irony they don’t seem to actually have 50 things on their list – so I think most geeks should know how to count also.

People in the security world were all pretty sure that users never paid attention to dialog boxes.   Ars Technica printed information about a study performed North Carolina State University that proves that the security professionals were correct.  Most users only want to get rid of the immediate annoyance and don’t read what is happening on their screens.

We already know most people don’t read their end user license agreements – but come on.  How many fake windows dialog banner ads do you need to load and have bad things happen to your computer before you learn.   Unlike other childhood cause and effect lessons, we don’t lear clicking the button is bad like the stove is hot when we get burned.   There is a mantra I’ve always enjoyed, “If Stupidity Can’t Hurt, Then It Should Cost”.   I’m rather happy that most users that click and click and click to punch the monkey or get rid of fake banners hads more then likely spend hundreds of dollars keeping their computer in running order after the spyware has had a field day.   I do feel sorry for their family members that have to fix it for free though……

For More information click the link below (Ars Technica)

Fake popup study sadly confirms most users are idiots

It’s been a long time since I’ve beeen excited about a new browser.  Theoretically I’ve never been excited about a new browser that was announced.   I remember being excited when AOL resurrected Netscape – but that turned into a flaming pile of poo and Netscape lost dominance being THE browser to use.   Like many users at that time frame I used Internet Explorer 5 and at the time it was best of breed, then a new challenger arose.

The Mozilla foundation announced they were taking the open source bits of the Netscape browser and making a new slimmer browser called Firebird.  Because of issues of legal and copyright, Firebird was renamed to Firefox.   I’ve been using this browser since Firebird and I have had no reason to move to a different primary browser.   I’ve tried Flock and Safari, there hasn’t been a sticky reason to keep using those over Firefox.   I was excited, kind of, of the release of Firefox version 3.   But that wasn’t a new and different browser, it was more of the same.

With last nights announcement of Google’s New Chrome Browser, but they put up a nice little web comic that explains the features it offers.   The security, privacy, performance enhancements alone make this a must watch for browser.  WHen it is actually released later today, we’ll see how I feel then.

UPDATE:

Found a site that has some Chrome screenshots you may enjoy.

Picture from here

Most Mac Users, and especially Mac support people think they know more they honestly do.  They think the PC is beneath them, but at the same time don’t understand their own operating system.  They don’t understand the command, and think everything works the same way as it did back in System 7.  When ever they need something done that’s a bit ocmplex or requires command link work they talk to people with unix experience.

This is just a rant and to be fair – Windows only users are stupid and ignorant, Alternative OS users are elitist.   Does that even the odds?

Picture taken from here

Yesterday I was talking with my thirteen year old brother.  He told me about how he was going to setup a website for this girl he knows.   He was going to configure it so you couldn’t take the images off the page and use them somewhere else.    I explained that it truly couldn’t be done.

To get into a quick side note, if you have images on your site and I want to copy them, don’t bother it’s trivial.  I will just pull them out of my browser cache and viola – there I have your images.  Just because you thought you were “Uber Cool” because you used JavaScript to disable right clicking and saving the images doesn’t mean your images are secure.   If you go even more “l33t” and try to use a flash slideshow program attempting to lock it down further, a quick screen shoot and a copy paste into MS Paint will still get me that image if it’s so cool I must have it for my personal collection or to display on my website.  Anything that can be seen or heard will always be open attack in one form or another – smell and touch we will eventually come for you.

The main question in the title stands, if you can’t bypass it is it secure?  The answer should always be no – there is no unbreakable form of security.  Given enough time and effort any security in the world can bypassed. Given enough exposure at Defcon and unlimited hot pockets anything is vulnerable. Just because you, yourself can’t not fathom a way to bypass the security you have put into place doesn’t mean that it’s the top of the line.   There is always someone smarter then you.  Even if you are the industry expert in cryptography and think you are secure because of some great password system you came up with, doesn’t mean your system can’t be infiltrated from a physical attack.

Let’s go into a real world example

I’m someone who doesn’t really use the deadbolt in my house (my wife does for anyone getting ideas).  Why don’t I?  It’s passive self assurance against an attack that’s improbable.  Locks can be picked fairly easily, either through skill or the advent of “bumping”; this makes locks for all intents and purposes useless right?  Well not quite, to pick a lock it takes effort time and exposure to being caught (yes even in the case of using a bump key which isn’t nearly as noticeable).  A lock is a good first round barrier to keep people out as a casual deterrent.   If a door is lock most people won’t progress much further.  For some reason even mild deterrents will keep most people honest.  This doesn’t mean that you house is secure.

If I was going to rob your house, I’m not going in the front door.  Ironically no one puts deadbolts on their back doors.  So if I’m going to pick a lock (I’m too lazy and I would more likely kick the door in anyways) I would immediately be picking your back door instead of your front door.   Does this mean putting a deadbolt on your back door will make you secure?  No actually I’m more likely to go in through a window in the back or side of your house.   Do you have a security alarm?  Well that’s another deterrent, but still doesn’t really buy you security.   If I’ve targeted you and you have something I really want I would just sit in the bushes outside your window and watch you enter in your key code.

So now you’ve put bars on all of your windows, put your alarm code number pad in a place that can’t be seen from a window, put deadbolts on your back door, put door jams on all your doors to make them resistant to being kicked in, so now your secure right?  Well do you have a garage door opener?  For a fairly cheap price I could use a scanner to get the frequency that allows me to open your garage door.   You go away for the weekend I can open your garage door, pull inside, close the garage door and then proceed to ransack all your expensive tools and possibly gain entry to the house if I want to risk the alarm.   Your neighbors aren’t likely to notice that if I pull in at 1 AM.

If you are interesting you can be targeted, it’s all the matter of effort someone wants to put into an attack.  Most people don’t have a security mind set so they assume they are secure because it will keep them out.  Unfortunately it doesn’t work that way.   Security, especially home security requires a little bit of trust in what effort your fellow man doesn’t exceed the effort it takes to steal your stuff.

I’ll give one more example:

When I start work at my new job they were talking about the screensaver policy at work which was fifteen minutes.  It was a written policy but they planned to put in a windows policy to enforce it.   I stated that such policies are hard to enforce since software to emulate random key presses are easy to get (I used one in my previous job so I could watch movies on flights without hitting the keyboard myself).  You would think that I just gave nuclear launch codes to the Russians – I kind of defeated his logic with a trivial bypass.

Wisdom in security is gained when you realize that all you can really do is best effort.  Nothing is truly secure, nor will it ever be.  Trust while being the anti-thesis of security plays an important role.  You place safeguards into effect up to and past the amount of trust you have in the users accessing whatever you are trying to protect.  With each safeguard that goes into place the likelihood of being attacked drops, that doesn’t mean it’s secure, it just means you have mitigated some of the risk.  Once people start to understand this wisdom and the logic behind it, they will actually be more secure, the irony of it all.

It’s not because I’m older or more knowledgeable, it’s because I have wisdom when it comes to security.   Even for things I don’t know how to compromise I know attack vectors and likely targets.   I can’t crack high end computers or pick digital locks, but I know how I would attack them, which gives me an area for how I can defend them.  I don’t need to know how to break or bypass something to know it’s insecure.  Like I’ve said it’s a matter of knowing everything that can be built up can be torn down.

I received an Iron Key unit to see evaluate and see how it would integrate into our environment.   I can say I was skeptical and didn’t think it would have amounted to much, encrypted flash drive that we’ve all seen from a dozen vendors.   I was not too worried about if there was an actual encryption chip on the device as much as functionality.  I had expected this device to perform as well as all the other devices in the same vein.  I was however, pleasantly surprised.

While I can say that for the most part this will work identically to other devices you may use that support encryption, the one thing that allows this to stand out is how it acts for user privileged access.  For a custom desktop setup we are working on it would not allow a user to have administrative access to the computer.  The lack of administrative access caused the software that came with our standard Lexar thumbdrives to not be able to work in encrypted software vault mode.   It code still do standard file encryption, but you wouldn’t be able to have an encrypted partition.

The Ironkey however worked just fine in this configuration.  It was able to decompress the data and look at the data as it was a normal partition.  Since this functionality is a must have it exceeded expectations.

Let’s take a look at the packaged software:

When you first insert the drive this is what you see.   You can notice that it creates two drive letters (E and F on my computer).  The first drive letter is unencrypted and only has the software unlocking program on it.   If you click on the second partition Windows asks you to put a disk in the drive.   So it’s not truly mounted nor readable.

After you run the software on the first partition, you can notice the second drive now states “IronKey Secure Files”.  At this point the partition is unencrytped and ready to read.

This is the first screen you see when you put in the flash drive (and you have auto-run enabled).   If you do not have auto-run enabled you can start this from the first partition.   The interface is straight forward and unassuming, perfect for someone like me.

After two wrong passwords this is the error message that pops up.  If the password is entered in ten times incorrectly the drive will be permenantly locked and the data will no longer be able to be retreived.

When you are successful with entering in your passphrase this is the interface the software presents.  You have four options from this screen.  The secure files option just brings up the encrypted partition, which is the same thing you can do by going to “My Computer”.   The secure backup allows you to make back-ups of your encrypted partition.   The settings option allows you to amek device changes.  Finally the lock drive option re-encrypts the contents and logs you out of the software taking you back to the first screen.

The first screen of the secure backup utility prompts you for the location of your Ironkey you wish to backup (I’m assuming this is in case you are using multiple Ironkey’s at once).   It also allows you choose the location to save teh backup to.

The second secure backup screen is as unassuming as the first.   It allows you to browse to the back-up and restore it directly to your IronKey that you have plugged in.

I can say, when I open a settings screen I would have thought there would have been more options then this.  The first preference on give you the option reformat the drive.

The lost and found screen allows you to display a simple message that pops up on the unecrypted login.  If some soul find your drive they can then send it back to you.  The real question is if they will burn through the ten password attempts before they do.

The last option is solely for changing the passphrase that you use to unlock your Ironkey stick.  It is simple and precise.

If you need a device that allows full encryption and that is functional when you do not have administrative access to the computer it’s used on this is it.   I will say I’m not too happy that they haven’t the OSX or Linux clients that they have been working on, but they state on their site that they will be forthcoming.

If your interested in picking one up from Amazon here are some links for you:

IronKey 1GB Secure Hardware-Encrypted Flash Drive

IronKey 2GB Secure Hardware-Encrypted Flash Drive

IronKey 4GB Secure Hardware-Encrypted Flash Drive

So last night I did try to turn my laptop into a hackintosh, and it didn’t turn out so well.  After installation I seemed to have an issue with my video not working (ironic that it works for the installation screens).  I futzed with it for awhile and since have given up on it.    I’m willing to work around issues and change my methodogy to do something becuase I’m not using it the way it’s supposed to be used (part of the mantra of everything I do – My old home network used to have 16 PC’s on it).  I can only go so far in futzing before it’s more a nuisance and get’s in the way of getting things done.

After following the Kalway steps that should have enabled to work, I relented and went back to Ubuntu Hardy Heron 64 Bit – a fresh install (plus the addition of 2 GB of ram) has mad it more “peppy” then it was before.   I guess my next step will be working on getting VMware working so I can get the couple windows programs (Finale) that I want to work with running on my laptop.   One great thing about a fresh install is that Ubuntu detected my wireless NIC right away – that took a couple hours to get working when I first installed Gutsy Gibbon.

Xie had been having issues with Vista and we salavaged her data and loaded Ubuntu on her laptop as well.  She remarked to me that it seemed to simple.   I explained how complex do you need your operating system to appear?  We’ll see how it goes with her, if she likes it, and if she’ll stick with it.   She has become a bit more like me in the belief of the cloud computing dream and as long as the browser functions as well she’ll learn to work around everything else.

I can say that I did have mixed feeling migrating to OSX since I wouldn’t be able to test Gnome Conduit anymore (except the N810 port), which would make it alot harder for me to work on documentation.   Regardless it seems I’m now a linux for life type of guy, though it’s not like I don’t have an XP desktop 5 feet away from me, a 2k3 server in a basement, a first gen mac mini in the next room hooked to the TV, and my work assigned Mac Book Air next to this laptop.   Maybe since the N810 is linux based I should have done a BSD on this laptop?   I do think I’m very comfortable switching between OS’s and machines.

So most you know that I was running Ubuntu Hardy Heron, but during some patching I hit some data corruption that caused my laptop to go all screwy.  The first thing I noticed was the touchpad stopped working.   Um….ok.   Then I was getting errors on boot up, more or less when I logged in some packages kept crashing and wouldn’t restart.   Upon trying to fix and reinstall packages I managed to loose gnome and then I couldn’t do anything.

I did manage to get into the laptop last night with a Hardy Heron live DVD, after getting i I setup an FTP server and managed to save everything I cared about in my home directory.  With this migration and the thought that I’m going to have to reinstall Linux anyways (yes I could sit down for more hours and repair the ubuntu installation, but I’m originally a windows guy I’ve saved my data it’s quicker at this point to format/reinstall),  that I would try to get OSX working on my laptop.   I have heard with the Intel GMA video driver there is some mouse artifact issues, but I didn’t notice any problems when I booted up the install DVD (this was when I was trying to decide my course of action and before I saved the data).  Since I’ve read that the wifi works now, and the toushpad and audio should work, I don’t really give a care to the fact that the built in web cam might not work.

I’ve been using my work Mac Air most the time at home and figured it is time to take a plunge to try to go more OSX based.  I’m going to try to dual boot between OSX and Ubuntu, but I think that’s mostly to stick around for gnome conduit since that’s the only unique app worth me sticking around for.   I do have it running on my n810 and I’ll still have linux on there, so I’m it’s not like I’m running.  It’s like I’m experimenting around.

So after I’m done I’ll let you know how successful I am.

Recently at work there was a security incident where a worker was tricked into loading malware on their machine.   I was asked if your desktop antivirus solution fully protected us against this.  While I’m sure most people that read my articles are aware of the answer I gave I thought I would share it with you (some parts have been rewritten from the original email)

While our desktop antivirus solution does detect malware, spyware and virii vectors into the machine, the vendor needs to release definitions to make sure it can detect it.  Due to the fact that we don’t have the name of the spyware in question I can’t verify whether the vendor has the definitions loaded to detect this particular piece of software.  The problem with spyware and malware in general is the fast moving vector in which it changes code, when the code the definition was written for changes even slightly usually they won’t be able to detect it.

Our desktop solution does include heuristics to detect malicious activity done by a software program, but this only goes so far.   Researchers and malicious code writers have even turned this into a game – http://www.infoworld.com/article/08/04/28/Security-vendors-slam-Defcon-virus-contest_1.html.

Without knowing all the steps included I think that the vendor did not have the definitions for this particular attack.  Not only would it have to bypass the desktop virus scanners, it would have had to bypass the web filters if it came via a web page, the mail servers scanners if it came in via e-mail, also possibly any network scanners andmail gateway scanners that we may utilize.

Protecting from malicious software will always be a moving target that there will never be 100% protection against.  There are things that can be done to minimize it’s effects:

1.  Layered security – scanning at the desktop, proxies, mail servers, mail gateways, and virus and IDS at network level – these can help detect known attack vectors and suspicious activity.

2. Vista – not something some people want to hear, but from a Windows perspective with the UAC (User Access Controls) it makes it more difficult for malware to get a foot hold into the operating system.   This is much more effective on machines where the users do not have administrative rights to their machines.  While machines with Linux and OSX operating systems are essentially immune to virii ( there is more virii added to Windows AV Definition files in a week then have ever been discovered for these operating systems) there are not immune to all malicious software.

3. Machine policies – group policies initiatives that lock down the machine lower the surface area that this malware can attack.   Requiring users to only go to trusted sites and disabling unsigned active-X controls go a long way to minimizing these type of attacks from vectors outside of the just e-mail concerns.

4.  User education – the more educated a user is, and the more conscious of the possible repercussions of their actions the less this type of attack happens.

While even all of these will never have 100% coverage combined gives the desktops the best chance of detecting these types of threats.

I’m a geek.   There is no doubt or question about that.   We’ve established this now, let’s move forward.   I had a great idea today.  I was going to hook up a bluetooth adapter to my windows file server at home and make a blue tooth file server at home.   I also wanted to be uber geeky and send a welcome message via blue tooth to any new blue tooth devices that came within range.

However.

It seems that no one has really made a bluetooth file server.   If I had access to such a server I could browse it from my Nokia N810 (yes I know I can already browse via TCP/IP – go back to where I said I’m geek), I could also pull pictures automatically off my cell phone when it was in range, and then have those pictures automatically upload to Flickr.   I could sync new ring tones on my cell.   But it seems that no one has really built a blue tooth file server, at least not on windows.

I know this idea may seem farfetched, but I can find out how to tether a cell phone to my dog that will send me me GPS updates via twitter and google maps data in a ton of different places (all for 30.00 a month).  I can have my plants send me an SMS message when they need watering.   I can build my own electric induction field to charge my cell phone battery.   To install a bluetooth file server on windows – I must be insane, or so the google return stats tell me.

I know the full geek out there would drop down and write a new bluetooth stack via assembler and crosscompile it via a web interface so it was cross platform, I however am not that geek.

I think I may have to go crawl under a rock now until I can figure out how to get my cupboard to twitter it’s down to it’s last pop tart.

Going further into my reviews of kiosk systems we acquired the Surferquest system here at work.   Unlike my piece on SteadyState I’m not going to have a bunch of screen shots to show you this time.   However I will give you my analysis and what I’ve found out.

The Surferquest system is an off the shelf software with minimal customization.  We ordered an evaluation unit and I was tasked to try it out.   I can say for our needs as a company that requires centralized management and control of machines in our environment that the Surferquest system was not quite a correct fit for us.

In our environment we don’t normally place a machine on our network until it is fully tested and verified secure, but this product is pretty much useless until it has a network connection.   I had to contact support and they gave me an unlock code that would allow me to make changes to installed software.  The unlock code lasted only 24 hours, but they sent me a utility later on that would allow me generate unlock codes for myself.

Almost all of the customization that can be done is performed remotely by Surferquest.  This means if there is a major application change that needs to be completed you need to contact them.   Do you wish to customization your login screen?  You must contact them or upload the images to their server.    You can not perform these changes locally on the box or locally within your environment.  Wish to change the active desktop they used?  Same steps apply as changing the login screen.

Restrictions applied to the software:

Disable Windows Updates
Remove from Start Menu:
My Music
My Pictures
Favorites
Recent Documents
Frequently Used Programs
Recent Network Docs
Network Places
Help
Run
My Documents
Configure Programs
Disable Windows Keys
Lock Taskbar
Disable Control Panel
Disable Balloon Tips
Remove OEM Link
Disable Task Manager
Disable Registry
Disable Find Files with F3 in Explorer
Prevents Control Panel, Printers, and Network and Dial-up Connections from running, and removes the corresponding menu items.
Removes Shut Down from the Start menu and disables the Shut Down button in the Windows Security dialog box.
Disable System Restore
Clears Recent Documents on Exit
Disable access to Recent Network Documents
CTRL key disabled

As you can see, though they use a different product to achieve the same goal, it has similar technology to the Microsoft Steadystate product I reviewed in part 3.

You can put the software within you domain, but the software will still be phoning home to the Surferquest company. While I’m positive that there is nothing sensitive being pushed across, like any company that you would have do remote assistance make sure you trust them in case of any possible data leakage.  The official answer is that it only sends out IP address information and the last time connected.  You can view this information on the stat web page they provide you

If the drive in the unit should fail or there is a hardware issue in need of support, no software is supplied.   You must receive new hardware from the vendor and return your old unit.  They state that turn around time is usually 24 hours.   Any remote management or patching must be performed by the vendor and is done via remote monitoring software that they have access to.    The software is caused Netsupport and it sneaks out your firewall on port 22 – now all you admins that left it open for SSH can feel silly (actually that’s how the firewall support team snuck out the corporate firewall there and back to their home computers when I worked at Symantec on that team).

Quick Notes

• Idle timeouts can be configured, but they default at 10 minutes.
• They use the Deep Freeze product to maintain their disk image
• When we received the unit PXE booting was enabled (and we didn’t have a BIOS password – they stated this was a mistake)
• The unit we received had PowerDVD installed, ironically no DVD drive (another oversight they admit)
• Unlock Steadystate there is no method for restricting USB drive usage

Box the unit shipped in

Front of the unit

Top of the unit

Rear of the unit

If you deploying this in your environment you need to make certain you can accept the security and loss of control you have over this unit compared to other machine in your environment.   I see this fitting more in the public space kiosk scenarios suchs as libraries or hotels.   Because they do lack the centralized control that you would normally deploy in corporate environments I say give this one a pass or at least look hard at what you are trying to accomplish.   For the public space this is a great product, extremely low maintenance, the ability to monetize but charging a fee (customized through the stat page),  and extremely well versed and fast techinical support.   If you want to deploy an Internet Cafe in your area this is the product for you.

The Kiosk Series:

The Kiosk Series – Part One – Choices For Your Environment

The Kiosk Series – Part Two – Management Considerations For Your Environment

The Kiosk Series – Part Three – Microsoft SteadyState vs Group Policies

A couple days ago I asked the blogosphere should I get an N810 and like the blogosphere normally answers I got nothing back. That’s fine, I’m used to talking to myself on my blog.  However I decided that I would give it a go.   I knew that if things didn’t work out I would return it.   It arrived last night and I thought I would describe what I went through.   It is also interesting that this morning from the blogosphere I got a comment on my article that was crossposted to my vox blog (hey I’m sorry vox users get weird characters).

Hyphn on vox asked:

Nice article. I’m in a similar situation to yourself. I’ve got a Palm TX and an Nokia 770 (& N95 8GB).

I use the N95 8GB for all of my music and podcasts (it automatically downloads them over the air). I have a Palm Infrared keyboard for my TX, which is nice, but the problem is that you just can’t really see the screen when you are out in bright sunshine. – Is the N810 screen readable in bright sunshine?

The N770 is ok, but it’s a bit slow and the lack of a keyboard (of any description) is a killer…. Not sure I can justify the extra 280GBP for another device thought…. (?)

So I’m going to cover this comment in this article.

I’ve never had a keyboard for the TX, I’m a fast on screen keyboard typer.  I knew however when my wife tried out the N800 it wasn’t for me since I’m more active online these days, the keyboard would be essential.  I never really wrote long blog articles on the TX so this is a hope for the N810.  I tried it the N810 outside today and in bright clear sky direct sunlight the screen was washed out but readable.  So I think the transreflective coating they advertise does work as designed.    For thoughts on whether the device is worth money, well I’m going to be writing about the device for the next couple weeks or so, what I find, how I make things work, and some things that people may not know because they are not widely published.   Hopefully yhis will help you make a sound decision.

New Toy

So everyone now knows I have an N810, I also added an 8 GB micro SD card (with mini SD converter card so it would fit).   Xie ‘anthia still feels that I’m going to feel cramped on space.   I unpacked the device last night and imeediatly had it flashed to the newest OS 2008 revision, curse the mobile ubuntu team for not having the port finished and ready to go.   I then paired it with my phone and installed everything that seemed interesting.

After trying to uninstall somethign I discovered that I had the rare N810 bug that sets the internal card read only and corrupts the data.   At this point I reflashed the device, formatted the internal memory card (virtual ram made it so I had to reflash before I hear any comments), and started over.   I had spent so much time installing software on the previous run that I wasn’t going to go through all of that again in one sitting.  Let’s however looked at what I did do.

I went through and chose a theme to my liking, I cleaned out the bundled maps and documentation.  I removed the demo music, video, and images.   I removed the map application and the welcome application.  In essence I stripped down the device as far as possible befoer starting over.    I didn’t need those things, and for map GPS data I plan on using maemo mapper, so I’ll get to that in a future blog article.

So what did I install?

Seeing as I have some guidance from Xie ‘lanthia on what is good and what is not so good, I followed her lead on some of my applications.  The first thing I installed was Pidgin, if you are unfamilar with Pidgin think of it as an IM product similar to Trillian.  It allows you to connect to many other IM networks at once.   The included chat progam bundled with the N810 really is good for gtalk, but what if I wanted more.   Pidgin right now is configured to connect to the following IM networks (some I rarely use) – Gtalk, AIM, MSN, Yahoo, and Myspace Chat.   Also I installed Skype, thought I would mention it here while I was talking about IM.   So the N810 allows me to connect six instant messenger networks at the same time.   I’m all about ubuiquitous internet communication, especially when I can talk or broadcast across everywhere from a single point.

Pidgin Screenshot from maemo.org

Next I needed a media player.   I had read that the Canola2 would subscribe to podcasts as well as scrobble tracks to last.fm (last.fm connectivity is important from me in this device’s grand future).   However there seemed to be a bug in Canola2 that wouldn’t allow either copying and pasting a url in to the subscription field, and it wouldn’t allow me to use the function keys, so that ment no forward slashes.   Essentially the data entry for podcasts is broken.    Well this thing is going to keep me from carrying an Ipod around so I wanted some way that was simple to get podcasts on to my unit.  I found a way, but I wouldn’t use simple to be an accurate description, I used the Gpodder podcatcher to handle pulling down podcasts.

Conola2 Screenshot from maemo.org

gPodder Screenshot from maemo.org

The thing that drove me nuts over Gpodder was the fact that I had no easy way to add subscriptions.  Sure they tell you just point to a directory.opml online, but goodluck finding one.  I think I spent an hour on this before I found an article that explained that I could setup subscription in Itunes, export the opml file, put it on my N810, and then subscribe to the correct feeds in Gpodder once I opened the opml file there.   *WHEW*.   Then it seems that gpodder isn’t a fast and responsive application if you attempt to queu two or more songs it hardly moves, so load your subscriptions one at a time for the best response.  I limited it downloading one podcast at a time but that didn’t make much difference.   The last problem with Gpodder was that it doesn’t (rarely) save the podcast in it’s naming scheme, it downloaded most of my podcasts in a 34598745893475.mp3 style format.   These aren’t bob’s podcasts, except for one or two they are all from twit or revision3.   I can say gpodder will work since it will be a set it and let it do it’s thing overnight application, I wouldn’t however recommend living in it.

The next thing I installed was rdesktop.  This allows you to use the windows remote desktop function, so last night I was able to access my Windows 2k3 server from my N810.   The responsiveness was adequate and I can definetly see myself utilizing this.   I use RDP quite often and I think this is a life saver.   If you want to know how to setup and see screenshots, I just found this article on another blog (I figured it out myself).

The last thing I installed before fighting Gpodder to sync my podcasts for the next day was Maemo Wordpy this application is a blogging client (wonder what I want that for).  It allows me to post directly to my wordpress blog, like the test post I did last night before I reflashed the device.  It works, it’s a bit complex and you have to jump to different tabs for more options for you post but it works.  I had to however disable my myspace crossing plugin on my blog because I was getting duplicate post issues.   Wordpy still allows me to post a notification or blog post across about a dozen services (well my blog does all that work).   Wordpy does however support Blogger if WordPress isn’t you cup of tea.

Maemo Wordpy Screenshot from maemo.org

Some of the side things that I discovered last night.

• I can pull pictures directly off my phone, before I had to use esoteric software on windows or ubuntu to get them off via USB, with the N810 it just works via bluetooth (I have a RZR since I’m a cheap bastard and take the free phone).
• The Samba implementation on the N810 allows you to see hidden windows shares by default – good for me, bad for windows.
• Too many large files or directories in a share will absolutely lock up the N810′s file manager.
• The keyboard get’s easier to use the more you force yourself into it, with more training I may not need another bluetooth keyboard for “serious” writing
• Exchange Webmail works in the browser

Tonight’s goals (after I do some automotive repair unrelated to the N810) is to get a mail client working that I like (I’m leaning toward IMAP versus POP3, we’ll see how that goes.   I would also like to get a decent media player that can scrobble my songs to last.fm (who knows it might be great to find one that supports last.fm and pandora).  I did have some problems getting online via my cell phone so I’m probably going to following Xie’s article on how to set it up to properly use t-mobile as an internet connection.   I’m sure I’ll have some other information for you also.

Sometimes things aren’t obvious for being obsolete in the world of computers.  If you a Windows user it’s compeltely obvious that you are using an older version of windows immediately when you start using it.   Whether the signs are when you sit down and see Windows 98 striped across the start menu or the older version of Internet Explorer 5.0 that starts up, you catch these things and it is noticeable.  The same thing also holds true for Linux, but this is more of aesthetic issues that become apparent, usually graphic issues that are sorted out on newer versions you catch on the older ones.

But what about OS X?

My sister has been having a problem with her ipod nano she got for christmas.   Itunes wouldn’t recognize it, she would have to upgrade itunes.  Fair enough.   Well itunes won’t load on her Operating System, which was OS X 10.3.2.   Ironically the latest version of Itunes works on windows 98 and will work with the Nano.    10.3.2 is newer then Windows 98, but yet still is forcing the upgrade on the OS X users.  Normally I wouldn’t really have a problem with this, I’m also not a nuanced Mac user.   I can’t however tell graphically an immediate difference (once the machine is booted) between my sisters 10.3.2 desktop and my 10.5.1 desktop on my Mac Air.

Do people just one day stop writing code that should graphically look the same from OSX desktop to the OSX desktop?

I’m just confused I guess.   Mac is supposed to just work, then please just work.

I’m upgrading my sister’s computer to 10.4, then she should be able to the load the proper itunes and be able to sync her ipod.    It’s just annoying.    I’m not scared of other operating systems, I fixed a networking problem she had for months that my “computer genius” step-father had tried to correct but couldn’t do anything “because it’s a mac”.   I knew there was a reason I don’t talk to that side of the family.   Currently my “regular” computing devices include – XP Desktop for work, Mac Air Book 10.5 for work, Hardy Heron Laptop for myself,  XP desktop for home games and movies, Windows 2k3 server for home.    My micro OS’s include Maemo on my soon to be delivered n810 and Palm OS and my TX.

At work I’m a main person to say that Mac is not built for the enterprise, they have poorly designed business software when it comes to managing a mixed environment.    Now the argument back is that Microsoft should make tools to manage Macs, I believe for acceptance in the full enterprise that needs to be reversed.   Apple needs to roll over backwards fitting itself in, I mean I have an easier time working with Linux in an enterprise environment then Mac.    The ironic thing is I never heard anyone ever say “Linux just works”.

For my stepfather that is scared of alternative Operating Systems, like the big scary Mac.  It took my wife and I a total of 15 minutes in which she used her N810 tethered via bluetooth to her phone to google the questions I asked her.  She fed me back the information after she filtered it and bang – working networking.

If your not willing to work out of your comfort zone and approach new things, you will never grow.   This means no matter how you look on the outside and what your resume says about you, like sitting down at the 10.3.2 desktop and not noticing anything different, you still need to be upgraded or replaced.   At this point you are no longer truly useful except for some obscure things and can not compete in modern thought.

To get an n810 or not is the question.   A few days ago I wrote a couple blog posts from my wife’s new n810.   I have some reservations about the keyboard for “power writing”, but that can be handled by a seperate bluetooth keyboard.   I think that’s not an issue.

Would I use it instead of a laptop – kind of.    Right now through work I have a Mac Book Air for my mobile device.   It’s great, it’s light, it does most of what i need it to do (what it can’t do would require linux or windows so it’s forgiven).    The one thing I run into with the air is the same thing I run into with my normal laptop, accessibility.   For normal computer use they are highly accessible, but if I do make it to HOPE this year or other travel venues it would be MUCH better to not bring a full laptop (if I do take an 810 to HOPE I’ll be accessing the internet through an encrypted Hamachi VPN tunnel to home and using a proxy there to access the Internet – no clear text information is going to be slipping by me – I can deal with the speed hit that will cause).

It’s much easier to have a bluetooth keyboard and an N810 to haul around to these places more so then a full laptop.   WIth a full laptop I need to worry about power (n810 has better battery life), privacy due to larger screen size,  finding a place to sit versus standing and using the n810.    These things are all things that go through my head while debating this purchase.

So yes the N810 would make me more mobile, and be more convenient.   I know for me (extreme power user) it won’t replace a computer or laptop, but for some people (like my sister) I could see this as a 100% computer replacement.   Too much geekery for me it seems.   So then we open up the question, could I live for a week with just the N810?

The N810 isn’t really designed for offline use.    If it has an internet connection that’s great.  I would be able to do most my blogposting and status updates via email so when I hit wifi I could sync up and go.   In alot ways I think this is enough.   To check this I need to menally compare it to my my Palm TX.

I’m not sure that the N810 will fully replace my Palm TX (then again no one said I couldn’t keep it).  WIth my palm TX I use it as an email platform, a web access device, a centralized syncing device, and an ebook reader.   Anything else I use it for is mostly games so that’s not really an issue – IM has always been painful on it do to .

Since the N810 does not have heavy document handling and I don’t think the resolution is quite right for ebook reading (the two thing I think I would keep my TX for)  it does have better web page filtering (my blog almost breaks the TX).   I would also be able to do IM since I wouldn’t be forced to stay on the IM screen like I do on the TX.   Email should be equal or better on the N810 versus the TX, Web Browsing would be better, and IM would be better.   The occasional full need to document editing and e-book reading would mean the TX could sit on the bottom of my bag (and a bluetooth keyboard would work with it – two devices one keyboard).

So theoretically I could replace my laptop about 90-95% with the two devices.   With having a much smaller footproint and ease of use in carrying these devices with me.   Having the N810 would mean that I no longer have to carry an iPod around since it would handle my podcast playing – bonus to the fact that it will auto scrobble to last.fm something that I have never gone working to a level I liked with an iPod and linux.

Movies however I’ll probably still use my palm TX – I can play full divx movies on it without having to re-encode them.   Bonus to me.    This will also have the side effect of saving me battery life on the N810 if the TX is with me.   I don’t watch movies too often on the go though.

Through hackery I would be able to sync my calender on google with my N810 – something that never worked right on the TX.   I would be able to compose music on the N810 (yes it can compose music).   Someone is also working on an instrument tuner – which is something I was going to buy this summer – so I’ll save 30.00 there.     I was going to buy an iPod, but with the 10 GB I can max out on the N810 and the fact that I only really use an ipod for podcasts would mostly make that that a non issue  – so a savings of 150.00 – so far I’ve saved myself 180.00 on stuff I would probably buy this summer.

There is an NES emulator (that works better on then on the TX) and a GBA emulator – this should save me from carrying around my GBA (which I ironically use more then my DS).   I also play RPG’s so the slight frame drop won’t really effect me.    I can use skype which really isn’t to much of an issue for me since I mostly would call my wife and we have free phone calles between us.   With utterz I can use my phone to “call in” blog posts.

I would be able to start geo caching with the N810 built in GPS, I’ve watned a gps for a long time, not for driving directions since I can look at a map easily and I’m able to figure out where I am.   My wife is sometimes jealous of my innate directional sense.   Usually I get way to lost sometimes by actually reading a map, wrongly at that.   I could get a cheap GPS for 90.00 – but that would take my total electronic purchases to 270.00.   We are approaching the N810 price.   (We actually match it if you figure out it would handle my gaming needs – but I already own those devices)

I like the N810′s keyboard versus the N800′s touch screen which my wife tried out first, but it still a small small keyboard and I have bigger fingers then her.   I can enter information quickly enough for a mobile device I can whip out real quick – and 500% faster then I can do on my phones keypad.     If I utilize bookmarks and saved password this should help limit my typing.   The less need I have on this the better.    Once again if I’m going to write a long blog post like this one is becoming i would have to have a bluetooth keyboard.

My tmobile internet connection is very slow on my cellphone, but being able to stop by any mcdonalds or burger king for quick internet access kind of alleviates that concern.   Granted wifi coverage isn’t ubiquitous but it’s common enough that I think I would be fine.

I’m probably going to decide tonight to get one.   Working through this post has helped alot.   I think I started with the fact that this would replace my palm TX, and going through that thought process I don’t think it would.   I think it will however handle the fact if I’m gone for a week or two away from a computer (though I can fathom two weeks away from a regular computer) that I could be just fine in a solely mobile solution without a laptop.    Using the host mode hack on the N810 coupled with the card reader program on the Palm TX means I’ll be able to utilize the Palm TX as a removable storage space on the N810 if I need it with normal SD cards instead of needing a thumb drive that would drain the N810′s power quicker.    This would allow me to throw another 8 GB and make the card switch out very easy for me.

I’ll keep everyone updated on what I decide.

Granted some programs are cross platform, like I use Firefox 3.0 on everything now.  But for the most part I can be with each operating system and work with it’s unique flow.   Sometimes I get privately annoyed that a tool is available for one OS or another, but that gets put aside quickly as I loko for the the right solution for me platform.

Because of this approach I am really looking forward to cloud computing and ubiquitous web interfaces.   I’m not sure the back end matters at all any more as much as it does when the functions are there to get the job done.

One of the programs that management wants us to look at for our kiosk implementation is Microsoft Steadystate which is Microsoft‘s all in one wizard create a kiosk solution.

I’m not entirely convinced on the scenario that there is things in which you can do with this, that active directory is not more suited for.   So while we work through this document we’ll be exploring the options of SteadyState and comparing it to group policies that you can push down to a computer or user account from a central location.

This is the start page of Microsoft SteadyState from here there are 6 things you can do:

1. Set Computer Restrictions

2. Schedule Software Updates

3. Protect the Hard Disk

4. Add a New User

5. Export a User

6. Import a User

This is the “Set Computer Restrictions” page.  This is broken down to different sections and show you how limiting the computer settings are in group polices that can be applied to this state.   While there are still further windows computer policies you can apply to the machine especially if you wish to conform to your companies security plan, we’ll stick with Microsoft’s options for now.

Privacy Settings:

1. Do not display user names in the Log On to Windows dialog box

Group Policy equivalent:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Do Not Display last user name in login screen

2. Prevent locked or roaming profiles that cannot be found on the computer from logging on

Group Policy Equivalent:

Disable interactive logon for all accounts except the approved accounts for use with the kiosk machine

Registry Equivalent:

“Computer Configuration\User Settings\Administrative Templates\System\User Profiles\Log users off when roaming profile fails”

[HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\System\ProfileErrorAction]

3. Do not cache copies of locked or roaming profiles for users who have previously logged on to this computer -

Group Policy Equivalent:

Disable interactive logon for all accounts except the approved accounts for use with the kiosk machine

Registry Equivalent:

[HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\System\DeleteRoamingCache]

Security Settings:

1. Remove the Administrator user name from the Welcome Screen

Group Policy Equivalent:

The XP Welcome screen is automatically changed to the classic logon screen after a computer is joined to a domain – no policy change is needed unless this has been adjusted.

Registry equivalent:

[HKEY_LOCAL_MACHINE\SOFTWARE\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator]

2. Remove the Shut Down and Turn Off options from the Log On to Windows and the Welcome Screen

Group Policy Equivalent:

Policy:Disable Logoff on the Start Menu
Description:Removes the "Logoff" button from the Start menu and prevents
users from adding the Logoff button to the Start menu.
Registry Value:"StartMenuLogoff"

Policy:Disable and remove the Turn Off Computer button
Description:Removes the "Turn Off Computer" button from the Start Menu and
prevents shutting down Windows using the standard shutdown user interface.
Registry Value:"NoClose"

3. Do not allow Windows to compute and store passwords using LAN Manager Hash values

Group Policy Equivalent:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Do not store LAN Manager hash value on next password change

4. Do not store user names or passwords used to log on to Windows Live ID or the domain

Group Policy Equivalent:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network Authentication

By disabling interactive logins for all users accept the kiosk user acount – this isn’t an issue

5. Prevent users from creating folders and files on the drive c:\

Security configured on the drive to give the kiosk only read access to information it needs should handle this.

6. Prevent users from opening Microsoft Office documents from within Internet Explorer

Registry Equivalents:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.5\BrowserFlags]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.8\BrowserFlags]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSProject.Project.8\BrowserFlags]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\BrowserFlags]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.6\BrowserFlags]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\BrowserFlags]

7. Prevent write access to USB storage devices

Registry Equivalent:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect]

Other Settings:

1. Turn off the Welcome Screen

Group Policy Equivalent:

The XP Welcome screen is automatically changed to the classic logon screen after a computer is joined to a domain – no policy change is needed unless this has been adjusted.

If you notice the Microsoft does have some understanding of using machines with this configuration applied to them in a Domain environment since they provide the not “In a Domain managed environment the Domain Group Policy supersedes any settings made here.”

This is the Schedule Software updates screen.  From you can configure the interval in which you update the Windows Operatings and auxillary programs.  For updating windows a SteadyState computer supports Microsoft Update, Windows update or WindowServer Update Services.

The supported security program updates are limited the only programs that have native support are Computer Associates eTrust 7.0, McAfee VirusScan, and TrendMicro 7.0.  You have the option of creating a custom script to handle any other program updates you may need.   In a domain environment this can easily be handled by central update servers such as SMS and AV servers.

Windows disk protection allows the user to install any programs they want or download whatever they wish, but the hard drive will just wipe out the data.  I can’t seem to find a registry or policy equivalent that allows this, so it seems that this is one main benefit of steady state.

The “Add a New User” screen only allows you to create local users which doesn’t really help you in a secure domain based enviroment.   It will however check you domain’s password policy’s that you may have pushed down to the machine via group policy.  If you do use this wizard to create accounts be aware that user policies from the domain can not be applied.

The first screen of User Settings is the “General” tab.   Here we get into some more unique settings to the SteadyState product.   While it has the function to prevent the user from making permanent changes the most interesting thing is the log off options,  The ability to add a maximum amount of use time or an idle time is done by the use of two helper applications that are installed with SteadyState.   Being able to always display the session countdown allows the user to see how much time they have left before the log off procedure is invoked.   Restart computer after log off allows the Windows Disk Protection to kick in and reset the machine back to a clean state.   While this is nice, the same option could be invoked by creating a log-off script.

The User Settings \ Windows Restrictions tab allows you to hide drives, set default restriction levels and takes the start menu restrictions straight out of the security policy.  This is simple to replicate with a domain group policy.

Screen 2 of Windows Restrictions

Screen 3 of Windows Restrictions

Screen 4 of Windows Restrictions

Feature restrictions are more policies that have been taken straight out of the local security policy (domain policy manager).

Screen 2 of Feature Restrictions

Screen 3 of Feature Restrictions

Screen 4 of Feature Restrictions

While SteadyState allows you to block certain programs, locally installed antivirus can normally do this.  Normally you wouldn’t want this in a kiosk environment.  A better scenario is using group policies to allow only the programs you specify to run.  Using the SteadyState scenario if someone ran a rogue application off their USB drive (if you’ve given them access) or renamed an EXE that was blocked that doesn’t need registry access, well I doubt that SteadyState could do anything to stop this.

Importing users is done via a normal windows save/open dialogue box.   It loads files done with a supported *.ssu extenstion.

Exporting is done in a proprietary *.ssu file extension once again using the standard windows open / save dialogue box.

Can I recommend SteadyState?

For 90% of what it does I wouldn’t use SteadyState at all but would personally rely on centrally controlled and maintained group policies within a domain environement.   What does shine though is the Windows Drive Protection and the helper utilities that handle logoff  timers – though with the idle time out I would more likely just use a script I controlled which could be invoked by the screensaver kicking in.

I didn’t go through each of the group policies under the user restrictions since it’s almost verbatim down the list under the policy management.  If you have any questions on a setting to restrict without using the SteadyState feel free to ask.   The biggest disadvantage to SteadyState is the fact that it uses local accounts that can’t be managed remotely with ease.   Being at a company where everything is done to avoid using local accounts I can say this is bad mojo.

I may use the the drive protection and timeout applications, we’ll see when this project is truly finished.

Reference Links:

Windows SteadyState Worldwide page

Windows SteadyState Readme File

Windows SteadyState Technical FAQ

Windows SteadyState Handbook

The Desktop Files: Shared Computing with Windows SteadyState

The Kiosk Series:

The Kiosk Series – Part One – Choices For Your Environment

The Kiosk Series – Part Two – Management Considerations For Your Environment

Kiosk Options

When discussing kiosk system we need to discuss the scope, security issues, and functionality requirements that we must maintain to achieve a successful deployment.   There are many types of kiosk systems that we can implement within the Company network.   The solutions we are going to describe in this document are based on product literature that we have received after scope is finalized actual product testing will be done so we can verify that all the features work as described and will function within the deployed environment.

For the sake of categorization the following options were identified as possible for use within a kiosk environment.   This list is not meant to be all encompassing but rather a list of desired features that we feel can be accomplished from the products we are looking at.

·    Internal Websites – company Designated
·    External Websites – Completely open from a kiosk standpoint
·    SSL VPN – For access to the internal network
·    Citrix – for terminal server capabilities
·    Printing – locally attached print
·    Sound – for hearing active embedded media
·    USB Mounting – for USB memory sticks
·    Run Apps Locally (Read Only) – from either the memory stick or kiosk directly
·    Run Apps Locally (Read / Write) – from either the memory stick or kiosk directly
·    Write to USB Memory Stick – from kiosk
·    Access to User Documents
·    No Login – completely is designed to start being used without login
·    Boiler Plate Website – standard start page
·    Full application list
·    Internal – Authentication
·    External – No Authentication
·    Browser Plug-ins – for enhanced compatibility
·    Restricted To Certain Web Sites – Company Designated

Kiosk mode systems come in a variety of shapes, sizes, and functions.   To help narrow the design gap for our needs we have devised eight categories in which we can work around design structures for:

·    Full web only access kiosk on the company guest network
·    Limited web access on the company guest network with a locked down browser
·    Full web only access kiosk on the internal network
·    Limited web access on the internal network with a locked down browser
·    Limited seat with security controls on the company guest network
·    Limited seat with security controls on the internal network
·    Full seat with security controls on the company guest network
·    Full seat open use office solution – internal network
·    Full seat with security Controls open use office on the internal network

Each solution has its own benefits and concerns for deployment.  We will be going over these one by one to analyze and work with company to implement the correct and desired solution.  The analysis will include which functions identified above can be implemented, target placement, target users, benefits and disadvantages of each solutions, and possible security concerns.

Full web only access kiosk on the company guest network:

Description: This would be a fully open web kiosk with an address bar located at the top with the web browser being the only application available to the end user.  All functions must be done within the browser.

Possible targeted functions:

·    Internal Websites – via SSL VPN
·    External Websites –
·    SSL VPN
·    Citrix – via SSL VPN
·    Printing – locally attached print
·    Sound – for hearing active embedded media
·    Access to My Docs – Via SSL VPN
·    No Login – completely is designed to start being used without login
·    Boiler Plate Website – standard start page
·    External – No Authentication
·    Browser Plug-ins – for enhanced compatibility

Target placement:

·    Public areas where guests are most likely

Target users:

·    Visitors
·    Visiting Contractors
·    Local Contractors
·    Company Employees

Benefits:

·    Allows users access to information at placement points
·    User will not have access to the local computer beyond the web browser

Disadvantages:

·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks

Security concerns:

·    If a user leaves an authenticated session up there will be a time delay before the profile resets, risking possible exposure of private data or company data if the SSL VPN was used.
·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.

Limited web access on the company guest network with a locked down browser:

Description: This solution can be configured with or without an address bar allowing the option to restrict this to certain web sites.   Active X would be disabled.

Possible targeted functions:

·    External Websites
·    Printing
·    Sound
·    No Login
·    Boiler Plate Website External – No Authentication
·    Restricted To Certain Web Sites

Target placement:

·    Public areas where guests are most likely

Target users:

·    Visitors
·    Visiting Contractors
·    Local Contractors
·    Company Employees

Benefits:

·    Tighter Security Controls
·    Limited Risk Exposure
·    Option of controlling where the users can go via the browser

Disadvantages:

·    SSL VPN will not work if active-x controls are disabled
·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks
·    With no SSL-VPN – no access to internal company data

Security concerns:

·    If a user leaves an authenticated session up there will be a time delay before the profile resets, risking possible exposure of private data.

Full web only access kiosk on the internal network:

Description: While not recommended this is being offered as an option for choice.  It has the same features as the Full web only access kiosk on the company guest network, but would require user authentication due to the network access it has.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    Citrix
·    Printing
·    Sound
·    Access to My Docs
·    Boiler Plate Website
·    Internal
·    Browser Plug-ins

Target placement:

·    Public sites within company buildings that are not commonly visited by the large amounts of visitors at once.  This would be to limit the amount of time that authenticated data is available if a user walks away from the kiosk.
·    Would not be recommended at location that the general public has access to

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Company employees would be able to access their Webmail from anywhere these are placed
·    Company employees would be able to access a terminal server session from anywhere these are placed

Disadvantages:

·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks

Security concerns:

·    Possible information leakage due to open Webmail or terminal server session.
·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.

Limited web access on the internal network with a locked down browser:

Description: While not recommended this is being offered as an option for choice.  It has the same features as the limited access kiosk on the company guest network, but would require user authentication due to the network access it has.

Possible targeted functions:

·    External Websites
·    Printing
·    Sound
·    No Login
·    Boiler Plate Website External – No Authentication
·    Restricted To Certain Web Sites

Target placement:

·    Public sites within company buildings that are not commonly visited by the large amounts of visitors at once.  This would be to limit the amount of time that authenticated data is available if a user walks away from the kiosk.
·    Would not be recommended at location that the general public has access to

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Company employees would be able to access their Webmail from anywhere these are placed
·    Company employees would be able to access a terminal server session from anywhere these are placed
·    Tighter Security Controls
·    Limited Risk Exposure
·    Option of controlling where the users can go via the browser

Disadvantages:

·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks
·    Some sites won’t work due to Active-X being disabled

Security concerns:

·    Possible information leakage due to open Webmail or terminal server session.

Limited seat with security controls on the company guest network:

Description: This would be a scenario where we would have an open standard windows desktop for the user to access.  It would allow only certain applications to run but will give the user access to a portable memory stick for use.

Possible targeted functions:

·    Internal Websites – via SSL VPN
·    External Websites
·    SSL VPN
·    Citrix – via SSL VPN
·    Printing
·    Sound
·    Access to My Docs – Via SSL VPN
·    No Login
·    Boiler Plate Website
·    External
·    Browser Plug-ins
·    USB Mounting
·    Write to USB Memory Stick
·    No Login
·    Boiler Plate Website
·    Browser Plug-ins
·    Restricted To Certain Web Sites – company Designated

Target placement:

·    Public open use office space

Target users:

·    Visiting Contractors
·    Local Contractors
·    Company Employees

Benefits:

·    Allows users access to information at placement points
·    Access to certain designated applications
·    Controlled environment

Disadvantages:

·    Won’t be able to perform non designated application tasks

Security concerns:

·    Possible information leakage due to open Webmail or SSL VPN session.
·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.
·    Possible application vulnerabilities could compromise the unit

Limited seat with security controls on the internal network:

Description: Same as the limited seat on the company guest network but designed for internal GRC employees.   Smart card access would be recommended and roaming profiles blocked.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    Citrix
·    Printing
·    Sound
·    Access to My Docs
·    Boiler Plate Website
·    Browser Plug-ins
·    USB Mounting
·    Write to USB Memory Stick
·    Boiler Plate Website
·    Internal – Authentication
·    Browser Plug-ins
·    Restricted To Certain Web Sites – company Designated

Target placement:

·    Public open use office space

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Allows users access to information at placement points
·    Access to certain designated applications
·    Controlled environment

Disadvantages:

·    Won’t be able to perform non designated application tasks
·    Large threat to data being exposed

Security concerns:

·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.
·    Possible information leakage due to be on the open internal network
·    Large data exposure footprint
·    Possible application vulnerabilities could compromise the unit

Full seat with security controls on the company guest network:

Description: This option would give users to the same standard applications as their normal desktop.   The hard drive would not be written to for data storage.  Roaming profiles would be blocked.  These seat would also have full security controls applied to it.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    SSL VPN
·    Citrix
·    Printing
·    Sound
·    USB Mounting
·    Run Apps Locally (Read Only)
·    Run Apps Locally (Read / Write)
·    Write to USB Memory Stick
·    Access to My Docs
·    No Login – completely is designed to start being used without login
·    Boiler Plate Website
·    Full Application Suite
·    External – No Authentication
·    Browser Plug-ins
·    Restricted To Certain Web Sites – company Designated

Target placement:

·    Public open use office space

Target users:

·    Local Contractors
·    company Employees

Benefits:

·    Users are able to function as they would at their desks
·    Allows users access to information at placement points

Disadvantages:

·    No login requirements
·    Possible data exposure

Security concerns:

·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.
·    Possible information leakage due to open Webmail or SSL VPN session.

Full seat open use office solution on the internal network:

Description: Standard full seat for user to use on the internal network located at open access points for any user to access.  Security settinga would be applied and user profile data removed upon log out.   It is recommended to require smart card access to these units.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    Citrix
·    Printing
·    Sound
·    USB Mounting
·    Run Apps Locally (Read Only)
·    Run Apps Locally (Read / Write)
·    Write to USB Memory Stick
·    Access to My Docs
·    Boiler Plate Website
·    Full Application Suite
·    Internal Authentication
·    Browser Plug-ins

Target placement:

·    Public open use office space

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Users are able to function as they would at their desks
·    Allows users access to information at placement points

Disadvantages:

·    Requires smart card
·    No access to local profiles

Security concerns:

·    Possible information leakage due to open sessions.