Ask Slashdot: Protecting Home Computers From Guests? 572
An anonymous reader writes "We frequently have guests in our home who ask to use our computer for various reasons such as checking their email or showing us websites. We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware, despite having antivirus and the usual computer security precautions. We have tried using a Linux boot CD but usually get funny looks or confused users. We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised. What tips do you have to overcome this problem, technologically or otherwise?"
NoScript (Score:5, Interesting)
It's a Firefox addon. Check it out. Also Adblock Plus. With those two installed and running, things get a lot safer. Of course, NoScript requires a bit of savvy to be able to browse the web correctly. You might have to help. Otherwise, tell them to bring their own darn laptop.
Chromebook? (Score:5, Interesting)
Sound like a good use for a Chromebook.
Re:Locked down guest account? (Score:5, Interesting)
Just say no (Score:5, Interesting)
Re:Linux Boot (Score:5, Interesting)
I've had lots of visitors in my house, of various ages, various skills levels. Most of them managed to get a browser open on linux, then it all works from there.
Other way is to use a VM, with a snapshot, so you can just revert it when you have finished.
Puppy Slacko 5.5 (Score:4, Interesting)
Let them run Puppy and if they get confused lend them a hand. Usually most people seem to want to check email or some other trivial task. You do want to be certain that your email account does not allow auto sign in while you have company.
Chromium OS (Score:4, Interesting)
Re:Guest account on a Mac is perfect for this (Score:3, Interesting)
Re:Locked down guest account? (Score:5, Interesting)
There was a time in the distant past that I built a "very special" win9x machine for this very purpose.
Yes, I can read your mind. "Win9x? Are you fucking serious? Turn in your geek card right now!" Yadda, yadda.
Just hear me out.
Win9x, because it relies on realmode dos interrupt disk handlers, can be loaded from a preboot environment ram only block device. Such as that provided by Memdisk, from the syslinux tool set.
Essentially, you have a disk image file on a bootable EXT2 volume (nothing ever gets written on it, so it doesn't need a journal.) With the syslinux bootloader on the MBR. It is the default boot device.
On boot, syslinux starts, loads the memdisk block device driver, and copies the win9x image into ram, it patches int15 to report a different max size of installed XMS, then executes the "mbr" of the ram block device.
BOOM. Win9x in a ramdisk.
You can use a drivespace compressed image to achieve maximum data density for the consumed block of memory. Drivespace3 with ultrapack on gets almost 2:1 packing on normal program and file data. You can get a *lot* of stuff inside a 512mb image file.
Throw in a reasonably recent firefox, courtesy of KernelEx (an open source kernel resource extender for win9x, which allows a good deal of 2k and XP native applications to run, including FF10, and a modern flashplayer with ABP and noscript.) And a good software firewall, turn off all filesahring services, and essentially lock down the 9x system as far as possible, and you have exactly what your horrible family member and or aquaintence wants: a familiar user environment that they can walk all over.
It also has what you want: pull the plug, and it is magically fresh, clean, shiny and new again as soon as you power it on.
9x doesn't know how to deal with EXT filesystems, so the physical HDD is never exposed to your user.
The only major problems are 9x's abhorrent 2gb RAM limit, and its abysmal network safety rating, coupled with its rather dated hardware base. (Plus the difficulty of getting a 9x install up and running smoothly with all the perks a normal user could want, without breaking it, on a teensy weensie volume.)
On the plus side, being 100% in RAM on a reasonably modern hardware platform, it is fast as fuck. The test systems I built had Office97, firefox 10, flashplayer10, the WEP, a pirate copy of zonealarm pro, photoshop7, media player 10, KernelEx, and a few other odds and ends on it, with 50mb of "free" space left on the compressed volume to serve as browsing cache space. It was snappy as hell.
I have only done this a few times as just a lesson in self-punishment/"let's see what kind of frankenstein's monster we can build out of retro parts!" Type exercise, but the finished product is incredibly hard to kill, and keep dead. Bluescreens of death? Caught a nasty worm in the 10 seconds it was on the net? Power it off, power it back on. Good as new.
Gives a whole new meaning to "zombie workstation".
I have a celeron POS I am contemplating doing this to actually. I would prefer ramdisked win2k or better though, but I don't know of a way to boot the OS out of a block device after NTLDR starts, and before control is passed to NTOSKRNL. Maybe a hacked FreeLDR from reactos would work though.
Re:Linux Boot + PRINTER (Score:4, Interesting)
Re:Locked down guest account? (Score:4, Interesting)
That is quite an interesting solution!
I just wanted to see if you've ever played with BartPE before?
It's main function is to take a windows xp (or 2k i believe) installation cd, a folder of special packages to include, and optional custom config files (ie network settings) all as input.. and gives you a bootable ISO image as output.
Obviously it's meant to create a boot cd/dvd, but using syslinux similar to how you do, one can boot that ISO directly off a USB flash device as well.
Flash makes it fast, and easy to overwrite the ISO for any system upgrades. No optical media slowdown either.
ISO makes it read only while running from a RAM disk, so is quite fast.
For just running a web browser, it at least gives you a slightly newer kernel and base system to build upon.
Still, I'll have to play around with your method too, as I have some old legacy 95 and 98 boxes at work I need to keep alive for the foreseeable future, where in some of those cases virtualization isn't an option.
(I've managed to virtualize custom ISA cards, but can't say the same for custom PCI cards)
Thank you.
iPad's cost money... (Score:5, Interesting)
With Win 7 Pro you can install XP Mode which is an XP virtual machine. Set up a guest user and set that to autorun the XP Mode VM in full screen. Once it is setup make a copy of the VHD as a backup. They can hose it up all they want and when they are done just delete the VHD and copy in the fresh copy from the backup.