WHO IS GENEALOGY.COM TO DICTATE SECURITY POLICY ON MY COMPUTER?!?!?!
Genealogy.com's decision to "HARD CODE" the administrator group
requirement COUNTERS EVERY SECURITY PRACTICE, policy, and belief I've
learned in my 10 years of Network and Systems Administration. I've
managed world-wide and nation-wide networks for the U.S. Government.
We bought FTM 2005 for the whole family to use.
Your policy requires me to allow ANYONE IN THE WORLD access to
EVERY bit of data on the computer. THIS IS WRONG!!!!!
Requiring the user to execute FTM with administrative rights allows
"hackers" the opportunity to come in from the internet via a port
opened by FTM and gain access to the computer WITH administrative
privileges. THIS ALSO CONTRAVENES THE SECURITY PRACTICES ESPOUSED BY
Microsoft, Symantec, McAfee, and almost every other software and
hardware company in the world.
The Web Page:
http://gen.custhelp.com/cgi-bin/gen.cfg ... MQ**&p_li=
"Critical Components are missing"
STATES:
Family Tree Maker 2005 is designed to run in a profile that is a member
of the Administrator group in Windows. If you are using a profile in
any other group, consult your Windows documentation for assistance in
creating an Administrator profile. Use Family Tree Maker in that
profile.
I should be able to allow my family and friends access to FTM 2005
WITHOUT giving them access to administrative privileges that would
permit them to corrupt the operating system and registry on the
computer.
Geneology.com needs to SEND FTM 2005 users the updated version of FTM
2005 - where I set security policy on my computer.
OR
send me the patch (hotfix - service pack - repair code) to correct
this EGREGIOUS security hole in in FTM 2005.
Thank you
Norseman
FTM 2005 = BAD SECURITY PRACTICE
Moderator: MOD_nyhetsgrupper
-
mickg
Re: FTM 2005 = BAD SECURITY PRACTICE
Norseman wrote:
BTW WHY ARE YOU SHOUTING and MULTI POSTING?
MickG
WHO IS GENEALOGY.COM TO DICTATE SECURITY POLICY ON MY COMPUTER?!?!?!
Genealogy.com's decision to "HARD CODE" the administrator group
requirement COUNTERS EVERY SECURITY PRACTICE, policy, and belief I've
learned in my 10 years of Network and Systems Administration. I've
managed world-wide and nation-wide networks for the U.S. Government.
We bought FTM 2005 for the whole family to use.
Your policy requires me to allow ANYONE IN THE WORLD access to
EVERY bit of data on the computer. THIS IS WRONG!!!!!
Requiring the user to execute FTM with administrative rights allows
"hackers" the opportunity to come in from the internet via a port
opened by FTM and gain access to the computer WITH administrative
privileges. THIS ALSO CONTRAVENES THE SECURITY PRACTICES ESPOUSED BY
Microsoft, Symantec, McAfee, and almost every other software and
hardware company in the world.
The Web Page:
http://gen.custhelp.com/cgi-bin/gen.cfg ... MQ**&p_li=
"Critical Components are missing"
STATES:
Family Tree Maker 2005 is designed to run in a profile that is a member
of the Administrator group in Windows. If you are using a profile in
any other group, consult your Windows documentation for assistance in
creating an Administrator profile. Use Family Tree Maker in that
profile.
I should be able to allow my family and friends access to FTM 2005
WITHOUT giving them access to administrative privileges that would
permit them to corrupt the operating system and registry on the
computer.
Geneology.com needs to SEND FTM 2005 users the updated version of FTM
2005 - where I set security policy on my computer.
OR
send me the patch (hotfix - service pack - repair code) to correct
this EGREGIOUS security hole in in FTM 2005.
Thank you
Norseman
Reply posted in soc.genealogy.britain.
BTW WHY ARE YOU SHOUTING and MULTI POSTING?
MickG
-
Dave Hinz
Re: FTM 2005 = BAD SECURITY PRACTICE
On 22 Dec 2004 09:08:35 -0800, Norseman <[email protected]> wrote:
You seem...tense...
What is the "administrator group requirement" in this context, please?
Surely they're only making you log in as administrator to _install_
the application. I mean, it would be dangerously insane to require
admin rights to _run_ the program, so that can't be what you're
saying, right?
Sounds like you're saying runtime, in which case I'd agree if it
is in fact true.
Well, that's as much a windows architecture problem as anything else,
but yeah, it's an exploit waiting to happen if it is as you say.
Any bug in the network handling of FTM at that port could be exploited,
to allow the attacker to run processes at the authority level of the
user, which means admin rights for everybody. @WHEEE@
OK, that is absoultely a show-stopper. As someone who also makes a
living in the system administration/software/security world, it's
irresponsible to write an app in such a way.
Yes. They need to fix this problem. Even though most joe-user types
don't have a clue that they are always logging in as administrator,
that also explains why most joe-user types have a system infested with
viruses and spyware. While Windows' security model is far from
perfect, the minimum precaution of "don't log in as admin unless you
have to _administer the system_" is at least a decent precaution to
take. If FTM takes away even that safety-net, it's a good reason to
avoid it.
Is there an updated version where this is fixed?
Legacy is an excellent option and doesn't require you to emasculate your
system's security to run it. PAF is another good one. Vote with your
wallet, and tell 'em why you won't give 'em any more money.
As a stopgap, at a minimum you should firewall off that port so the
vulnerability is plugged, but that doesn't fix the local users
all needing to be admin problem.
Dave Hinz
WHO IS GENEALOGY.COM TO DICTATE SECURITY POLICY ON MY COMPUTER?!?!?!
You seem...tense...
Genealogy.com's decision to "HARD CODE" the administrator group
requirement COUNTERS EVERY SECURITY PRACTICE, policy, and belief I've
learned in my 10 years of Network and Systems Administration.
What is the "administrator group requirement" in this context, please?
Surely they're only making you log in as administrator to _install_
the application. I mean, it would be dangerously insane to require
admin rights to _run_ the program, so that can't be what you're
saying, right?
Your policy requires me to allow ANYONE IN THE WORLD access to
EVERY bit of data on the computer. THIS IS WRONG!!!!!
Sounds like you're saying runtime, in which case I'd agree if it
is in fact true.
Requiring the user to execute FTM with administrative rights allows
"hackers" the opportunity to come in from the internet via a port
opened by FTM and gain access to the computer WITH administrative
privileges.
Well, that's as much a windows architecture problem as anything else,
but yeah, it's an exploit waiting to happen if it is as you say.
Any bug in the network handling of FTM at that port could be exploited,
to allow the attacker to run processes at the authority level of the
user, which means admin rights for everybody. @WHEEE@
The Web Page:
STATES:
Family Tree Maker 2005 is designed to run in a profile that is a member
of the Administrator group in Windows. If you are using a profile in
any other group, consult your Windows documentation for assistance in
creating an Administrator profile. Use Family Tree Maker in that
profile.
OK, that is absoultely a show-stopper. As someone who also makes a
living in the system administration/software/security world, it's
irresponsible to write an app in such a way.
I should be able to allow my family and friends access to FTM 2005
WITHOUT giving them access to administrative privileges that would
permit them to corrupt the operating system and registry on the
computer.
Yes. They need to fix this problem. Even though most joe-user types
don't have a clue that they are always logging in as administrator,
that also explains why most joe-user types have a system infested with
viruses and spyware. While Windows' security model is far from
perfect, the minimum precaution of "don't log in as admin unless you
have to _administer the system_" is at least a decent precaution to
take. If FTM takes away even that safety-net, it's a good reason to
avoid it.
Geneology.com needs to SEND FTM 2005 users the updated version of FTM
2005 - where I set security policy on my computer.
Is there an updated version where this is fixed?
send me the patch (hotfix - service pack - repair code) to correct
this EGREGIOUS security hole in in FTM 2005.
Legacy is an excellent option and doesn't require you to emasculate your
system's security to run it. PAF is another good one. Vote with your
wallet, and tell 'em why you won't give 'em any more money.
As a stopgap, at a minimum you should firewall off that port so the
vulnerability is plugged, but that doesn't fix the local users
all needing to be admin problem.
Dave Hinz
-
Joe Matthews
Re: FTM 2005 = BAD SECURITY PRACTICE
Well, a LOT of programs require that you log on as an admin when you
'install'. That is only so that all profiles will have access to the
program. That does not give permission for anyone, anywhere, to have access
to all programs.
If you don't wish to have anyone else to have access, do what I did. Log on
without 'admin' access, install the program. If you normally log on as
admin, then reboot, log on as admin, and create a 'shortcut' to the program.
I actually created a new 'user profile' and then deleted it when done the
install.
When I start up FTM, immediately after the install, my firewall asks if I
want FTM to have access to the net, and I say 'no' and click the
'everytime' box. Now, FTM does not have access to the net.
If you are worried about the fact the FTM automatically tries to log on and
check for updates (as do many programs - i.e. Adobe reader) simply go to
FILE/PREFERENCE/GENERAL and click on 'automatically check for updates when
connected to the web'.
If you are worried about hackers when using FTM, simply right click on the
icon for Inet in your systray and disable it.
Enjoy
--
Joe Matthews
Sechelt, BC
Canada
"Dave Hinz" <[email protected]> wrote in message
news:[email protected]...
'install'. That is only so that all profiles will have access to the
program. That does not give permission for anyone, anywhere, to have access
to all programs.
If you don't wish to have anyone else to have access, do what I did. Log on
without 'admin' access, install the program. If you normally log on as
admin, then reboot, log on as admin, and create a 'shortcut' to the program.
I actually created a new 'user profile' and then deleted it when done the
install.
When I start up FTM, immediately after the install, my firewall asks if I
want FTM to have access to the net, and I say 'no' and click the
'everytime' box. Now, FTM does not have access to the net.
If you are worried about the fact the FTM automatically tries to log on and
check for updates (as do many programs - i.e. Adobe reader) simply go to
FILE/PREFERENCE/GENERAL and click on 'automatically check for updates when
connected to the web'.
If you are worried about hackers when using FTM, simply right click on the
icon for Inet in your systray and disable it.
Enjoy
--
Joe Matthews
Sechelt, BC
Canada
"Dave Hinz" <[email protected]> wrote in message
news:[email protected]...
On 22 Dec 2004 09:08:35 -0800, Norseman <[email protected]> wrote:
WHO IS GENEALOGY.COM TO DICTATE SECURITY POLICY ON MY COMPUTER?!?!?!
You seem...tense...
-
Dave Hinz
Re: FTM 2005 = BAD SECURITY PRACTICE
On Wed, 22 Dec 2004 19:58:00 GMT, Joe Matthews <[email protected]> wrote:
Right, that's acceptable practice for valid reasons.
Right.
I think what the shouting-viking-dude is saying is that that won't work,
the runtime user has to be in the admin group as well.
That's a good start.
Well, sounds like a lot of crippling of features in order to get FTM to
not do what it shouldn't be designed to do in the first place. I'd like
some clarification from some FTM representative and/or apologist as to
the apparent need for horrid security practices to run their product.
Well, a LOT of programs require that you log on as an admin when you
'install'.
Right, that's acceptable practice for valid reasons.
That is only so that all profiles will have access to the
program. That does not give permission for anyone, anywhere, to have access
to all programs.
Right.
If you don't wish to have anyone else to have access, do what I did. Log on
without 'admin' access, install the program. If you normally log on as
admin, then reboot, log on as admin, and create a 'shortcut' to the program.
I actually created a new 'user profile' and then deleted it when done the
install.
I think what the shouting-viking-dude is saying is that that won't work,
the runtime user has to be in the admin group as well.
When I start up FTM, immediately after the install, my firewall asks if I
want FTM to have access to the net, and I say 'no' and click the
'everytime' box. Now, FTM does not have access to the net.
That's a good start.
If you are worried about hackers when using FTM, simply right click on the
icon for Inet in your systray and disable it.
Well, sounds like a lot of crippling of features in order to get FTM to
not do what it shouldn't be designed to do in the first place. I'd like
some clarification from some FTM representative and/or apologist as to
the apparent need for horrid security practices to run their product.
-
mickg
Re: FTM 2005 = BAD SECURITY PRACTICE
Dave Hinz wrote:
MickG
On Wed, 22 Dec 2004 19:58:00 GMT, Joe Matthews <[email protected]> wrote:
Well, a LOT of programs require that you log on as an admin when you
'install'.
Right, that's acceptable practice for valid reasons.
That is only so that all profiles will have access to the
program. That does not give permission for anyone, anywhere, to have access
to all programs.
Right.
If you don't wish to have anyone else to have access, do what I did. Log on
without 'admin' access, install the program. If you normally log on as
admin, then reboot, log on as admin, and create a 'shortcut' to the program.
I actually created a new 'user profile' and then deleted it when done the
install.
I think what the shouting-viking-dude is saying is that that won't work,
the runtime user has to be in the admin group as well.
When I start up FTM, immediately after the install, my firewall asks if I
want FTM to have access to the net, and I say 'no' and click the
'everytime' box. Now, FTM does not have access to the net.
That's a good start.
If you are worried about hackers when using FTM, simply right click on the
icon for Inet in your systray and disable it.
Well, sounds like a lot of crippling of features in order to get FTM to
not do what it shouldn't be designed to do in the first place. I'd like
some clarification from some FTM representative and/or apologist as to
the apparent need for horrid security practices to run their product.
Yeah All what ^ he said!
MickG