PDA

View Full Version : Companies struggle as Safari pops up on networks


MacBytes
Apr 6, 2008, 02:07 PM
http://www.macbytes.com/images/bytessig.gif (http://www.macbytes.com)

Category: Apple Software
Link: Companies struggle as Safari pops up on networks (http://www.macbytes.com/link.php?sid=20080406150747)
Description:: Apple's update push has network admins riled: Awesome!

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

ogee
Apr 6, 2008, 02:21 PM
"This is not good; this is a security risk," he says. "We're a bank."


Hum, Why is the admin allowing users to install software then? Where I work, only users with windows admin rights can install software, us normal users can not do so.

TheSpecialist
Apr 6, 2008, 02:26 PM
Hmm the dumb thing is that that is a bank, and Safari got installed trough Software Update, means they have iTunes installed (or Quicktime). Now what the hell do these programs do on bank computers?

Fools:D

clayj
Apr 6, 2008, 02:30 PM
Hmm the dumb thing is that that is a bank, and Safari got installed trough Software Update, means they have iTunes installed (or Quicktime). Now what the hell do these programs do on bank computers?

Fools:DI guess you guys are missing the point that there is a huge difference between installing an application like iTunes or Quicktime, which has a very specific purpose, and a web browser like Safari, which provides a much larger amount of functionality.

As someone who has to work on user machines on a daily basis, I can tell you that many companies do allow their employees to install almost anything they want from an application perspective. But they usually demand that their users use a particular web browser, if for no other reason than to simplify supportability issues.

It was a mistake for Apple to bundle Safari in with the Apple Software Update. A lot more IT admins are going to start blocking iTunes and Quicktime from being used, if for no other reason than to prevent users from accidentally upgrading their web browser to Safari.

Peace
Apr 6, 2008, 02:32 PM
Another question one might ask is why do these IT people consider Safari a security risk when they are already using the most vulnerable browser on the market.

Eraserhead
Apr 6, 2008, 03:00 PM
Hum, Why is the admin allowing users to install software then? Where I work, only users with windows admin rights can install software, us normal users can not do so.

It seems very foolish to allow users to install just any application they want. They shouldn't have had the privileges to install Safari to be honest.

clevin
Apr 6, 2008, 03:12 PM
After blaming everybody else, admit apple is making bad PR mistakes.

No need for me to remind you guys, just because windows have been troubled by too many malwares, windows users are VERY sensitive to these type of things.

Not to mention the quick discover of 2 security holes (still unpatched?) of windows version of safari.

Windows side is a cruel world, people aren't that forgiven.

sparkleytone
Apr 6, 2008, 03:22 PM
As someone who has to work on user machines on a daily basis, I can tell you that many companies do allow their employees to install almost anything they want from an application perspective. But they usually demand that their users use a particular web browser, if for no other reason than to simplify supportability issues.

So they can continue to use whatever browser is required. From everything I have read, the Safari installation does not change the default browser setting.

Eraserhead
Apr 6, 2008, 03:31 PM
After blaming everybody else, admit apple is making bad PR mistakes.

Maybe, this certainly isn't the way forward from a business perspective. But I still think its pretty bad the user in a company is allowed to install their own apps anyway, especially if they aren't updates, as that can easily lead to spyware. I wouldn't use a bank who allowed their employees to install new applications without permission from IT.

steveza
Apr 6, 2008, 03:41 PM
A major feature of Windows security is the ability to control user machines with policies. The problem with Safari compared to IE is that it doesn't apply Windows policies and therefore creates a security risk. For example I would use policies to force users to connect to to the Internet via a proxy server that filters and monitors web usage. If they had Safari they could change their settings to avoid this restriction.

However as stated by others in this thread I would also prevent users from installing stuff like iTunes in the first place.

Sly
Apr 6, 2008, 04:33 PM
So if these users have iTunes installed then it probably means they are using it with their iPods too. Hmm portable hard drive - Bank computer system, no security threat there then :confused:

BongoBanger
Apr 6, 2008, 04:46 PM
We had people who installed iTunes on their PCs. I said 'had' because most of them were fired.

cohibadad
Apr 6, 2008, 06:40 PM
After blaming everybody else, admit apple is making bad PR mistakes.

Clevin is big on getting everyone to admit something. Admit Apple is making bad PR mistakes. Admit the MBA was hacked. I'll admit some people are morons and there is no pleasing everyone so why even try. I'll also admit that most IT departments are so bonded to Microsoft that any deviation drives them to conniption fits.

rjflyn
Apr 6, 2008, 07:05 PM
I'm sorry but only an A$$ clown of an IT admin would allow anyone at a bank download/install anything. If I were a customer at that bank I think I would be moving my money someplace else. What would a bank have Itunes on their computers for anyway. No your tellers don't need to be listening to music, not that way anyway, thats what a radio is for. Shoot I work in a hospital and you can't believe how locked down things are.

Rj

clevin
Apr 6, 2008, 07:29 PM
Clevin is big on getting everyone to admit something. Admit Apple is making bad PR mistakes. Admit the MBA was hacked. I'll admit some people are morons and there is no pleasing everyone so why even try. I'll also admit that most IT departments are so bonded to Microsoft that any deviation drives them to conniption fits.

Its more civil, as I always do, discuss a topic within limit of that very topic. Targeting the topic, rather than targeting the person. If you want to jumbo everything to analyze me, sorry, I don't do personal attacks. enjoy yourself.

Nermal
Apr 6, 2008, 07:37 PM
I haven't installed Safari for Windows through Software Update but I have installed it manually. One of the questions it asks is "Do you want to install Bonjour?" and it's enabled by default. Are you still asked when using Software Update? If not, does it automatically get installed? I'd be paranoid if Software Update is automatically installing software which is bound to increase network traffic.

As for offering Safari in the first place, I believe that while it's good to have a one-click installation, it should be opt-in rather than opt-out. Apple should also have a centrally-controlled policy option that allows administrators to disable Software Update.

enigmatut
Apr 6, 2008, 09:44 PM
Having worked for a software company I'll advocate slightly for Apple in this case. It seems pretty clear that they made a business decision to try to expose more people (ie, the bazillions of iTunes users) to a new-ish product (Safari for Win) by showing the option to install it during a regularly-scheduled software update. I see no sin in this. The user can simply uncheck the box and not install Safari. Obviously many Windows users were unfamiliar with Safari and/or didn't know if it was a necessary component of iTunes and/or just plain click "Ok" to the software update anytime it pops up. Also understandable; but I contend that it remains the user's responsibility to control what is and isn't installed on their computer (or that, by proxy, the IT department of that user's company). If you choose not to read the description of what it is you are installing, or if your company doesn't dis-allow installing a specific app (like Safari) then you can't really hold a company (like Apple) responsible for making it possible to install that software.

Apple has not forced anyone to install Safari, nor have they sneakily allowed it to install without the user's knowledge. The only thing they might have done to make the process more "idiot-proof" would be to add some sort of pop-up reading "Are you SURE you want to install Safari?" And it's entirely possible that such a pop-up was considered, but then deemed overkill. If this is REALLY such a problem (and I suspect it's not) I suppose Apple could add such a pop-up validator for the next release, but while it would appease those "burned" by the Safari install it will also annoy the heck out of others :rolleyes:
So it comes back to the age-old truth: you're damned if you do and damned if you don't :D

cohibadad
Apr 6, 2008, 10:21 PM
The user can simply uncheck the box and not install Safari.

There are indepth discussions about this otherwhere on this forum. I chose to install Safari on all my Windows boxes before it was available on Software Update so I can't confirm this: apparently if you uncheck the box it will repeatedly remind you to install Safari unless you do something else to disable the reminder. I think if it was a simple uncheck most would be satisfied but having it harrass you until you reflexively install Safari to make it go away crosses a line.

nagromme
Apr 6, 2008, 11:20 PM
apparently if you uncheck the box it will repeatedly remind you to install Safari unless you do something else to disable the reminder. I think if it was a simple uncheck most would be satisfied but having it harrass you until you reflexively install Safari to make it go away crosses a line.

I haven't heard that. I don't think it badgers you until you install. If it does that's pretty crazy!

I think the complaint people have is simply that you have to uncheck the box at all. The box should be unchecked by default.

It may grate on some people to call any Apple mistake "small," but this does seem like one of the small ones! Still worth learning a lesson for the future though.

solvs
Apr 7, 2008, 12:56 AM
With the most recent update, it asks but you can tell it not to ask anymore.

And yeah, you have to have admin rights, so I'm also wondering why anyone who isn't locking down their users PCs is complaining if it's such a security risk (ignoring the giant security risk that is still IE, which I also suspect many are still using IE 6).

John.B
Apr 7, 2008, 01:04 AM
A major feature of Windows security is the ability to control user machines with policies. The problem with Safari compared to IE is that it doesn't apply Windows policies and therefore creates a security risk. For example I would use policies to force users to connect to to the Internet via a proxy server that filters and monitors web usage. If they had Safari they could change their settings to avoid this restriction.
Uh, the solution to that is to only allow proxy connections through the internet. This is simple to implement. Then the only way out (with IE, Firefox, Safari, etc.) is through the proxy. If you didn't then even IE users with admin privileges could bypass the proxy with regedit.

I'm with the previous poster, the real spyware risk is with IE not Firefox or Safari.

gerardrj
Apr 7, 2008, 02:11 AM
A major feature of Windows security is the ability to control user machines with policies. The problem with Safari compared to IE is that it doesn't apply Windows policies and therefore creates a security risk. For example I would use policies to force users to connect to to the Internet via a proxy server that filters and monitors web usage. If they had Safari they could change their settings to avoid this restriction.

However as stated by others in this thread I would also prevent users from installing stuff like iTunes in the first place.

If you are attempting to enforce network access path rules via an operating system then you should be fired. You control network access in the network.
As the previous poster mentioned, you disable direct access to the web and force all traffic through a proxy server. There's no client or server setup, you enable transparent forwarding of all web traffic through a proxy.
There's no way admins, execs or hackers can get around it. You can't install another application and get around the proxy either.

ewoods
Apr 7, 2008, 02:33 AM
Everyone's picking on poor Cody. As someone who works in the IT department of a credit union, I have to step in here. Our host system (the banking software we use) REQUIRES users to have admin privileges in order for our branches to connect to our host server using a proprietary VPN system. It's not an ideal situation but the software works great, the vendor is reputable and has a long list of clients, and really, it's not that big of a deal. We remove all removable storage drives, disable USB ports through the BIOS and then password protect it, strip out files from emails, lock down internet access, etc. So even though users have permission to install software, it's almost impossible to get installation files onto the computer to install in the first place. But for smaller IT departments with less resources, this could be a serious problem.

For comparison, consider that Cody's bank has eight branches in three cities and the credit union I work for has twenty-four branches in eight cities. We're three times the size of them and including myself, there are five people in my IT department and two of them are developers. Considering that it took him, "the better part of a week" to remove Safari from a mere 30 computers, I wouldn't be suprised if Cody was the ONLY IT employee working at Soy Capital Bank and Trust, and I imagine he barely has the time or the resources to keep his computers up and running, let alone lock them down.

Point being, you have to take things into perspective. Just because he uses the word "Bank" doesn't mean he works for Bank of America with hundreds of IT employees and money flowing out of their ears. If you work for a company whose computers are locked down, good for you. Not everyone can afford IT employees who even know how to do that and the ones who can don't always listen to their IT employees. It took me four years to convince my board of directors that a proxy server was worth the money...

BongoBanger
Apr 7, 2008, 03:24 AM
The only people at fault here are the system admins. As has been mentioned, downloading executable files should be blocked from any corporate network. This isn't Apple's fault because iTunes shouldn't be on these PCs in the first place.

solvs
Apr 7, 2008, 03:36 AM
I wouldn't be suprised if Cody was the ONLY IT employee working at Soy Capital Bank and Trust
If that's the case, especially if they have end users who have admin rights who aren't in IT, then they need more IT employees. They're worried Safari might be a risk. Meanwhile, if they're using IE6, it's a little disingenuous to be so worried, no? Especially if they tell the employees not to install things like QT/iTunes, and/or specifically tell them to not use Safari. Which they should if they don't want them to be using it. Also, if it gets installed and the user never uses it, there's no security threat. And IE and FF also have security threats, why the lack of concern there?

Eraserhead
Apr 7, 2008, 03:49 AM
It's not an ideal situation but the software works great, the vendor is reputable and has a long list of clients, and really, it's not that big of a deal.

What happens if an employee downloads free screensaver software (that contains malware)? Or opens an email with software containing a keyboard logger?

I would have thought this was an especially large issue given that you are a bank.

neonblue2
Apr 7, 2008, 05:32 AM
What confuses me is this is Windows where you must be careful in what you do. For some reason they aren't.

Come over to the Mac world where whenever I tell my parents (average users with no real technical knowledge) to do something, they read everything. It's good that they do but if I need them to do something, and I know everything's fine and safe, it can get annoying.

edesignuk
Apr 7, 2008, 05:37 AM
Hmm the dumb thing is that that is a bank, and Safari got installed trough Software Update, means they have iTunes installed (or Quicktime). Now what the hell do these programs do on bank computers?

Fools:DiTunes is genuinely used. We use it as our fund/sales managers use it for podcasts relating to business news programmes.

But yeah, users shouldn't be able to install or update their own software, end of story.

MarcelV
Apr 7, 2008, 06:34 AM
I am not sure if I understand the uproar. Here's an example, when Sun provides an update for Java runtime, it always installs the Google Toolbar. I have to manually uninstall it if I forget to uncheck it. But I don't hear too much from system admins on that.

I am not trying to defend Apple. My personal opinion is that it should show in Software Update, but unchecked, and leave the install up to the user. But Apple is not the only one.

What I have noticed, is that in our helpdesk department, Windows oriented (not going into OS debates), all Apple software is considered causing instability on Windows. And this is not the first helpdesk department I have met with that judgement. The perception is that Apple is anti-Windows, and therefore the attitude towards Apple software, even if it were not causing issues, is negative. What if users like it, and desktops would be replaced by Macs? While that is not corporate feasible, the cost is too high, the feeling of a lot of admins is that it may go that way. And a new skill set is needed, a skill set they don't have.

solvs
Apr 7, 2008, 06:40 AM
I am not sure if I understand the uproar. Here's an example, when Sun provides an update for Java runtime, it always installs the Google Toolbar. I have to manually uninstall it if I forget to uncheck it. But I don't hear too much from system admins on that.
For some reason, people expect more from Apple, while at the same time expecting less.

I am not trying to defend Apple. My personal opinion is that it should show in Software Update, but unchecked, and leave the install up to the user. But Apple is not the only one.
No, they aren't, and I suspect unlike those other companies Apple will disable it in future updates because they sometimes listen to their customers and complaints.

What if users like it, and desktops would be replaced by Macs?
That's what we do at my job. I prefer going from Mac to Mac, but sometimes go from PC to Mac. I hate going from PC to PC, it's the worst IMO, but sometimes I have to do that too.

BongoBanger
Apr 7, 2008, 06:45 AM
What happens if an employee downloads free screensaver software (that contains malware)? Or opens an email with software containing a keyboard logger?

Where I work they get fired for breaching IT security policy. It's possible but highly unlikely any phishing e-mails get through and we're told to be careful what we open.

steveza
Apr 7, 2008, 06:55 AM
Uh, the solution to that is to only allow proxy connections through the internet. This is simple to implement. Then the only way out (with IE, Firefox, Safari, etc.) is through the proxy. If you didn't then even IE users with admin privileges could bypass the proxy with regedit.

I'm with the previous poster, the real spyware risk is with IE not Firefox or Safari.

If you are attempting to enforce network access path rules via an operating system then you should be fired. You control network access in the network.
As the previous poster mentioned, you disable direct access to the web and force all traffic through a proxy server. There's no client or server setup, you enable transparent forwarding of all web traffic through a proxy.
There's no way admins, execs or hackers can get around it. You can't install another application and get around the proxy either.Steady on chaps :eek:. I never said I was implementing network security at the OS level. Internet access is via proxy only, however when you have a network that covers most of the planet a single proxy configuration isn't appropriate. Different servers supply various levels of access and policies are used to direct users to the appropriate proxy for their country/business unit/job role/whatever. The fact is that only IE can make use of these settings so any other browser is a risk.

The point that I was actually making is that with the correct policies in place this is a non-issue because users cannot install software unless an administrator lets them.

Rodimus Prime
Apr 7, 2008, 07:19 AM
No, they aren't, and I suspect unlike those other companies Apple will disable it in future updates because they sometimes listen to their customers and complaints.



Who knows. Took apple long enough to remove the stupid add to upgrade to quick time pro every single time you used it. I hated it to much I went about finding a way to let quick time player work in WMP. Life was so much better not having to deal with it.

On my windows box. Apple updates drives me nuts because it keep trying to force safari on my windows desktop which I think is still a beta browser at best on windows.

solvs
Apr 7, 2008, 07:37 AM
Who knows.
I said sometimes. And it used to bug you all the time. They stopped doing that because people complained. Eventually. I don't know, I just set my clock ahead and back and it never happened again. I use QT Pro anyway now because of FCP, it comes with it.

If enough people complain, they'll probably change it. I don't see Java or Adobe doing that with their products. Both used to even hide the options to disable the Toolbars. After people complained, all they did was make them less hidden, but still on by default. With Safari, I set it not to ask me anymore, and it doesn't. I use Media Player Classic on my PC with everything anyway, but still have iTunes and QT Pro for Windows for exporting.

ewoods
Apr 7, 2008, 11:30 AM
This isn't Apple's fault because iTunes shouldn't be on these PCs in the first place.

Right... And if I'm a hacker, it's not MY fault I was able to break into your computer. You should have been using a better firewall, right? What if it wasn't just Safari? What if it was a program that scanned your hard drive and sent a report of your files back to Apple? Would you still be ok with it?

Clearly you don't work in IT. When the CEO comes to you and demands that you install iTunes on his laptop and refuses to listen to reason, do you quit your decent-paying and hard-to-find job on a matter of principle or do you install iTunes for him? Unfortunately it's a choice a lot of IT guys have to make.

Eraserhead
Apr 7, 2008, 11:32 AM
Clearly you don't work in IT. When the CEO comes to you and demands that you install iTunes on his laptop and refuses to listen to reason

Obviously you install iTunes, and as other posters have said that is OK, however the thing is that the IT guy should be installing iTunes, so that when it tries to install Safari it shouldn't let him.

Kan-O-Z
Apr 7, 2008, 11:36 AM
I'm not trying to dodge the blame away from Apple but seriously folks, we all need to look at the bigger picture. Why are the employees at a bank able to install software...especially at a place where security is such a big deal? Yes we can all blame Apple but then we can blame a thousand other companies as well. If you visit Hotmail or Yahoo and there are search bars you can download or freeware being advertised, are these companies at fault too? I mean the employee could just click something even unintentionally and install some malware on his/her machine.

As I stated the big question is why are these employees allowed to install software. Sure Apple could back track and remove Safari but you know what, it doesn't make the Bank any more secure!

Kan-O-Z

ewoods
Apr 7, 2008, 11:38 AM
What happens if an employee downloads free screensaver software (that contains malware)? Or opens an email with software containing a keyboard logger?

And how would they download free screensaver software (that contains malware) when internet browsing is locked down? How would an email containing a keyboard logger get through when email security is adequate? In my nine years at the company we've never found a single piece of unauthorized software on a computer because we take extensive measures to prevent it.

My point was that some companies don't have the resources to take those measures, and the ones that do don't always allow their IT departments to do their job properly. I've dealt with several branch managers and even an executive who were angry because we wouldn't allow them to check their Hotmail account at work. Fortunately, both the president and the CEO are on our side, but not every IT department is so lucky.

Kan-O-Z
Apr 7, 2008, 11:41 AM
Here is an analogy for those of you that are pissed at Apple rather than the Bank or the employer:

Lets say for example you live in a house and your house doesn't have a lock on it. Lets say one day a dude named Apple came into your house and dropped off a package without you knowing. Now everyone is mad at Apple as to how dare he do that without knocking and telling the people living in the house that 'We are dropping off a package in your house'! No one seems to be mad at the fact that your house doesn't have a LOCK!!!!

Let's all get mad at Apple and maybe they'll stop doing it. Then will you be happy? Will you be happy when one day someone really bad comes into your house and destroys it? How about installing that LOCK and stop being pissed at Apple!!!!!

Wake up and see the bigger problem!

Kan-O-Z

BongoBanger
Apr 7, 2008, 11:46 AM
Right... And if I'm a hacker, it's not MY fault I was able to break into your computer. You should have been using a better firewall, right? What if it wasn't just Safari? What if it was a program that scanned your hard drive and sent a report of your files back to Apple? Would you still be ok with it?

See my later post.

Clearly you don't work in IT. When the CEO comes to you and demands that you install iTunes on his laptop and refuses to listen to reason, do you quit your decent-paying and hard-to-find job on a matter of principle or do you install iTunes for him? Unfortunately it's a choice a lot of IT guys have to make.

Our CEO is governed by the same IT policy everyone else is. We have these people called 'non executive directors' who ensure we have 'corporate governance'.

Clearly you don't work in a large organisation.

Baron58
Apr 7, 2008, 11:57 AM
Apple pushing out Safari is stupid and bad.

Apple pushing out iTunes as an 'update' if you ONLY have QuickTime installed is stupid and bad.

That said....

Considering that it took him, "the better part of a week" to remove Safari from a mere 30 computers, I wouldn't be suprised if Cody was the ONLY IT employee working at Soy Capital Bank and Trust, and I imagine he barely has the time or the resources to keep his computers up and running, let alone lock them down.

Then Cody is a dumbass.

On your Active Directory server, go to Administrative Tools --> Group Policy Management

Create a new Group Policy Object called 'Deny Safari'
Right-click/Edit the new GPO; go to User Configuration --> Administrative Templates --> System
Double-click on 'Don't Run Specified Windows Applications'
Click 'Enable'
Click 'Show'
Click 'Add', and enter safari.exe
Click OK
Click OK
Click OK
Close the GPO
Apply the GPO to the entire domain.


Problem SOLVED. Repeat process for iTunes, and anything else you need to keep people from running. (If you're a good admin, you'll have already denied access to the 'Run...' command on the Start menu, so that loophole is closed as well.)

Wanna go medieval on them? add this to the login script:
del /F /Q %programfiles%\iTunes
del /F /Q %programfiles%\Safari
del /F /Q %programfiles%\Apple*
del /F /Q %userprofile%\Start Menu\Programs\iTunes
del /F /Q %userprofile%\Start Menu\Programs\Safari
del /F /Q %userprofile%\Start Menu\Programs\Apple*

There are no excuses. If you're running a business with windows machines, you need an AD server. No AD server = dumbass. The Group Policy Management snap-in is a free download update from MS. Not having that = dumbass. No login script = dumbass.

Don't get me wrong - I HATE Windows as an OS, I hate MS as a company. But what I hate even more is Windows admins who don't know how to do their damn job. I run a network for a ~200-user business with offices at 4 sites in 2 states. I use every tool in the MS toolbox, plus Citrix, to have a textbook, locked-the-eff-down network to keep order instead of chaos. Running around wringing your hands and manually uninstalling Safari means you're incompetent.

ewoods
Apr 7, 2008, 11:57 AM
How about installing that LOCK and stop being pissed at Apple!!!!!

Now let's say you're a single mother with four kids and a minimum wage job and you have to choose between feeding your kids or buying a lock PLUS the tools to install that lock. And what if you don't have the skill to install it and can't afford to have someone do it for you?

You're analogy is decent and for the most part I agree with you. But NOT ALL ORGANIZATIONS ARE THE SAME. If the bank in questions can't afford the tools to maintain a locked-down environment (or possibly a capable network admin) then they have to make due without a lock. I suspect Cody is doing the best he can with the resources he has.

ewoods
Apr 7, 2008, 12:03 PM
Clearly you don't work in a large organisation.

You're absolutely correct. I don't work in a large organization. I work in a small organization and Soy Capital Bank and Trust is a third the size of us, so they're not a large organization either. In fact, small businesses account for nearly half of America's overall employment (http://www.whitehouse.gov/infocus/smallbusiness), so I suspect that MANY people have never heard of "Corporate Governance."

newappleboy
Apr 7, 2008, 12:15 PM
I work for IT in a company where everything is pretty locked down. No browsers can run but IE (version 6 for the most part) and no programs can be installed without admin rights...for the most part. Can I install iTunes? Heck no. Can I install any of the 9 million toolbars there are out there on the internet? You betcha! Toolbars are built differently, as are some screensavers and malware and so on, and they don't follow the same guidelines as a general .exe file that you run and install.

This causes a problem all the time with pop-up blockers and homepages changing that are supposed to be internal sites only. Do we blame google/yahoo/hotmail for making a toolbar that does these things? Not even a little bit. We blame the user for not paying attention and installing it. Lack of knowledge or resources does not make you immune to blame. That bank may not have the IT resources of a large corporation, but that doesn't mean things that happen to them are not at all their fault. Stuff like that will happen. You can't just say "we don't have the resources for security, so we're gonna blame everyone that does anything we consider not-secure". That's stupid and bad business.

riscy
Apr 7, 2008, 12:19 PM
Look into PortableApps (http://portableapps.com/), and run loads of software off a thumb drive/USB eg FireFox :)

There is loads of software you can use.

Hum, Why is the admin allowing users to install software then? Where I work, only users with windows admin rights can install software, us normal users can not do so.

newappleboy
Apr 7, 2008, 12:29 PM
Look into PortableApps (http://portableapps.com/), and run loads of software off a thumb drive/USB eg FireFox :)

There is loads of software you can use.

I actually have this, but programs like Firefox still won't work due to the proxy setup of the network. Steps can be taken to prevent the kind of problems they're having. As one poster showed, there are commands in the GPO that can be setup to deny access to Safari or iTunes entirely. How competent is their IT? Even if he's the only one, half a week to uninstall 30 copies of Safari? Even if it took 15 minutes each to uninstall (which it doesn't), that's only one day to remove it. Assuming of course he has to do it indivually and not all at once across the network. That leaves more than enough time to research and/or implement a way to prevent it from happening again. I wish I could get an IT job where I had that kind of time and non-need to know this stuff upfront.

Kan-O-Z
Apr 7, 2008, 12:41 PM
Now let's say you're a single mother with four kids and a minimum wage job and you have to choose between feeding your kids or buying a lock PLUS the tools to install that lock. And what if you don't have the skill to install it and can't afford to have someone do it for you?

You're analogy is decent and for the most part I agree with you. But NOT ALL ORGANIZATIONS ARE THE SAME. If the bank in questions can't afford the tools to maintain a locked-down environment (or possibly a capable network admin) then they have to make due without a lock. I suspect Cody is doing the best he can with the resources he has.

I understand what you're saying but we are talking about a business here right. On top of that a bank where security should be top priority. Setting up the network correctly requires a competent admin, not lots of tools and installation costs. You would think a bank would be able to hire a competent admin. Everywhere I have worked, I have not been able to install anything. Sometimes I like to chat on IM and can't even do that (unless I use one of the web based services) !

As I stated before, even after this Cody guy goes and uninstalls all the Safari's, the bank is NOT ANYMORE SECURE. It's just a matter of time until they get infected with malware, spyware, viruses and worms. Good luck to them. I'm not the type that can sleep tight at night leaving my house and cars unlocked. Using this bank is the equivalent to that. If I had money there, I would be moving to a real bank in a hurry.

Kan-O-Z

riscy
Apr 7, 2008, 01:11 PM
I am behind a really draconian proxy and PortableApps works for me - but as you say, it depends on the IT guys and the IT guys here are not very savvy.

I actually have this, but programs like Firefox still won't work due to the proxy setup of the network. Steps can be taken to prevent the kind of problems they're having. As one poster showed, there are commands in the GPO that can be setup to deny access to Safari or iTunes entirely. How competent is their IT? Even if he's the only one, half a week to uninstall 30 copies of Safari? Even if it took 15 minutes each to uninstall (which it doesn't), that's only one day to remove it. Assuming of course he has to do it indivually and not all at once across the network. That leaves more than enough time to research and/or implement a way to prevent it from happening again. I wish I could get an IT job where I had that kind of time and non-need to know this stuff upfront.

Rodimus Prime
Apr 7, 2008, 06:47 PM
I said sometimes. And it used to bug you all the time. They stopped doing that because people complained. Eventually. I don't know, I just set my clock ahead and back and it never happened again. I use QT Pro anyway now because of FCP, it comes with it.

If enough people complain, they'll probably change it. I don't see Java or Adobe doing that with their products. Both used to even hide the options to disable the Toolbars. After people complained, all they did was make them less hidden, but still on by default. With Safari, I set it not to ask me anymore, and it doesn't. I use Media Player Classic on my PC with everything anyway, but still have iTunes and QT Pro for Windows for exporting.


It stopped about the time iTunes came out for windows. Some time before that I could not put up with it and also just put a pirated verson on quick time pro on my computer for one reason and one reason ONLY. NO STUPID UPGRADE MESSAGE.

Reason my current version of quick time is not pro is because there is no upgrade message. If there was I more than likely would just pirate it so I would not have to see it. I would use zero of the features. I know a lot of other people who did that as well. Just to get read of the update message.

crees!
Apr 7, 2008, 08:23 PM
A major feature of Windows security is the ability to control user machines with policies. The problem with Safari compared to IE is that it doesn't apply Windows policies and therefore creates a security risk. For example I would use policies to force users to connect to to the Internet via a proxy server that filters and monitors web usage. If they had Safari they could change their settings to avoid this restriction.

How's this done?

Baron58
Apr 7, 2008, 08:27 PM
How's this done?

Group Policy. It's a feature of Windows Server 2000 and 2003 (*much* improved in 2003) that gives you amazing control over machines and users in your local Windows domain. See my post above for an example.

stevegmu
Apr 7, 2008, 09:17 PM
A major feature of Windows security is the ability to control user machines with policies. The problem with Safari compared to IE is that it doesn't apply Windows policies and therefore creates a security risk. For example I would use policies to force users to connect to to the Internet via a proxy server that filters and monitors web usage. If they had Safari they could change their settings to avoid this restriction.

However as stated by others in this thread I would also prevent users from installing stuff like iTunes in the first place.

Have you ever heard of Remote Desktop? I downloaded it to play around with it, and it gives total control of all macs on a network to an administrator.

http://www.apple.com/remotedesktop/

Baron58
Apr 7, 2008, 10:47 PM
Have you ever heard of Remote Desktop? I downloaded it to play around with it, and it gives total control of all macs on a network to an administrator.

http://www.apple.com/remotedesktop/

NOT the same thing, and yes, I have "heard" of it: I used to manage an all-Mac company of 100+ machines, and used Remote Desktop heavily. It's totally different that the 'control' that we're talking about.

Group Policy "control" is about setting policies that control what computers/users can or cannot do.

I have policies that:

control all the Explorer view preferences, such as "always show file extensions"
set and enforce desktop wallpaper
set and enforce which programs can and cannot run
set and enforce how I want the 'Start Menu' configured
remove crap from the Start Menu that I don't want to be there (like "My Pictures", "My Music", etc.)
set and enforce all Internet Explorer settings, including the homepage, warning messages, cache settings, how long to retain visited sites and cookies, etc.
set all preferences in Word/Excel/Powerpoint/Outlook
restrict access to local devices
restrict access to local drives
connect to network printers depending on (a) who you are, (b) what machine you're logged into, and (c) which office you're in.
connect to shared volumes based on the same criteria as above
...and pretty much any other system preference.


That way, you get a standard, clean desktop environment that you can't dick up. All the settings and controls do not interfere with you doing your job - I make sure that you have everything that you need, and nothing you don't.

Remote-controlling a user's desktop is for providing assistance when they need it, NOT for system management.

thejadedmonkey
Apr 7, 2008, 10:59 PM
Imagine if Microsoft prompted you to install IE7 every time it checked for updates for MS Office 08. You, the unsuspecting user clicked "update", and then one sunny thursday morning, you notice that IE7 is in your dock.

Now, how does it feel?

I don't understand how anyone could even try to defend Apple on this bone-headed move.

Baron58
Apr 7, 2008, 11:24 PM
Imagine if Microsoft prompted you to install IE7 every time it checked for updates for MS Office 08. You, the unsuspecting user clicked "update", and then one sunny thursday morning, you notice that IE7 is in your dock.

Now, how does it feel?



Don't have to imagine. IE7 is now a required/high priority update for XP. If you're at the defaults of auto-updating, you'll get it. If you don't explicitly tell it to hide that update, it'll keep trying. If you hide the update, you'll get "ZOMG!!! You have hidden updates! This is critical! Do you want to unhide them?!? You may be at risk!!!!" messages every time Windows Update runs.

MOST unsuspecting users who have clicked 'update' now have IE7, sunny Thursday or not.

stevegmu
Apr 7, 2008, 11:27 PM
NOT the same thing, and yes, I have "heard" of it: I used to manage an all-Mac company of 100+ machines, and used Remote Desktop heavily. It's totally different that the 'control' that we're talking about.

Group Policy "control" is about setting policies that control what computers/users can or cannot do.

I have policies that:

control all the Explorer view preferences, such as "always show file extensions"
set and enforce desktop wallpaper
set and enforce which programs can and cannot run
set and enforce how I want the 'Start Menu' configured
remove crap from the Start Menu that I don't want to be there (like "My Pictures", "My Music", etc.)
set and enforce all Internet Explorer settings, including the homepage, warning messages, cache settings, how long to retain visited sites and cookies, etc.
set all preferences in Word/Excel/Powerpoint/Outlook
restrict access to local devices
restrict access to local drives
connect to network printers depending on (a) who you are, (b) what machine you're logged into, and (c) which office you're in.
connect to shared volumes based on the same criteria as above
...and pretty much any other system preference.


That way, you get a standard, clean desktop environment that you can't dick up. All the settings and controls do not interfere with you doing your job - I make sure that you have everything that you need, and nothing you don't.

Remote-controlling a user's desktop is for providing assistance when they need it, NOT for system management.

You must have been using an older version. From what I have seen of 3.2 and read in the literature, it can do all you mentioned, and more. It provides complete network management.

Baron58
Apr 7, 2008, 11:31 PM
You must have been using an older version. From what I have seen of 3.2 and read in the literature, it can do all you mentioned, and more. It provides complete network management.

<snicker>

Get back to me when your experience > reading a brochure. I've used ARD 3.2. I use Win2k3 GPOs daily. There's a huge difference.

/still hate MS & Windows
//credit where credit is due

stevegmu
Apr 7, 2008, 11:50 PM
<snicker>

Get back to me when your experience > reading a brochure. I've used ARD 3.2. I use Win2k3 GPOs daily. There's a huge difference.

/still hate MS & Windows
//credit where credit is due

I have been playing around with it. I am not familiar the Windows version, so can not compare .

edesignuk
Apr 8, 2008, 06:27 AM
I have been playing around with it. I am not familiar the Windows version, so can not compare .Rest assured it sadly doesn't even begin to compare with the power and control of Group Policy.

Aihal
Apr 8, 2008, 07:19 AM
Our host system (the banking software we use) REQUIRES users to have admin privileges in order for our branches to connect to our host server using a proprietary VPN system. It's not an ideal situation but the software works great, the vendor is reputable and has a long list of clients, and really, it's not that big of a deal.

VPN software that requires admin access? Yes, that's a big deal, that's appalling software design. Virtually nothing a user does should require admin access.

SPUY767
Apr 8, 2008, 08:00 AM
ZOMG, a standards compliant web browser! What are we going to do with our custom we applications that use hacks to make them work with internet exporer!?

edesignuk
Apr 8, 2008, 08:32 AM
ZOMG, a standards compliant web browser! What are we going to do with our custom we applications that use hacks to make them work with internet exporer!?That and the fact that in house apps have been moving to web based systems over the last few years. Likewise vendors that would used to have provided software to install internally have moved their apps to being web based. For the most part it's great, the downside is that many need ActiveX controllers which is IE only.

diamond.g
Apr 8, 2008, 08:53 AM
Apple pushing out Safari is stupid and bad.

Apple pushing out iTunes as an 'update' if you ONLY have QuickTime installed is stupid and bad.

That said....



Then Cody is a dumbass.

On your Active Directory server, go to Administrative Tools --> Group Policy Management

Create a new Group Policy Object called 'Deny Safari'
Right-click/Edit the new GPO; go to User Configuration --> Administrative Templates --> System
Double-click on 'Don't Run Specified Windows Applications'
Click 'Enable'
Click 'Show'
Click 'Add', and enter safari.exe
Click OK
Click OK
Click OK
Close the GPO
Apply the GPO to the entire domain.


Problem SOLVED. Repeat process for iTunes, and anything else you need to keep people from running. (If you're a good admin, you'll have already denied access to the 'Run...' command on the Start menu, so that loophole is closed as well.)

Wanna go medieval on them? add this to the login script:
del /F /Q %programfiles%\iTunes
del /F /Q %programfiles%\Safari
del /F /Q %programfiles%\Apple*
del /F /Q %userprofile%\Start Menu\Programs\iTunes
del /F /Q %userprofile%\Start Menu\Programs\Safari
del /F /Q %userprofile%\Start Menu\Programs\Apple*

There are no excuses. If you're running a business with windows machines, you need an AD server. No AD server = dumbass. The Group Policy Management snap-in is a free download update from MS. Not having that = dumbass. No login script = dumbass.

Don't get me wrong - I HATE Windows as an OS, I hate MS as a company. But what I hate even more is Windows admins who don't know how to do their damn job. I run a network for a ~200-user business with offices at 4 sites in 2 states. I use every tool in the MS toolbox, plus Citrix, to have a textbook, locked-the-eff-down network to keep order instead of chaos. Running around wringing your hands and manually uninstalling Safari means you're incompetent.
Did MS ever fix the exe name change thing. I haven't really played with denying applications run recently, but I seem to remember being able to change the name of the app and having it run just fine in the past.

That bank should install 1u DC's at each location and only have the terminals talk to that local dc and have the dc's talk to each other through an ipsec and/or use a taclane (they are great).

Don't need internet access at a bank(per se), they should run on their own encrypted networks. Shoot I think all financial institutions should utilize taclanes for traffic. Take all that stuff off the normal internet altogether.

waterskier2007
Apr 8, 2008, 09:40 AM
"Administrators may see more support calls from users who have installed Safari without realising it, said Eric Schultze, chief technology officer with Shavlik."

ITS REALIZING

"Wilson, a network administrator with Soy Capital Bank and Trust in Decatur, Illinois, soon found out that many of the users on his network had installed the software without realising it"

idiots. and this was in a article. its called spell check

robbieduncan
Apr 8, 2008, 09:45 AM
"Administrators may see more support calls from users who have installed Safari without realising it, said Eric Schultze, chief technology officer with Shavlik."

ITS REALIZING

Perhaps in American English, but if you are using English as written in the country that gave birth to the language it's realise. As the article comes from a none-US site perhaps you should give up your blinkered view of the world and realise not everyone is American.

waterskier2007
Apr 8, 2008, 09:51 AM
Perhaps in American English, but if you are using English as written in the country that gave birth to the language it's realise. As the article comes from a none-US site perhaps you should give up your blinkered view of the world and realise not everyone is American.

Who's the idiot?

i didnt read the url or the news heading. but all the companies they speak of are located in the united states. Decateur, illinois for example

BongoBanger
Apr 8, 2008, 11:19 AM
i didnt read the url or the news heading. but all the companies they speak of are located in the united states. Decateur, illinois for example

Yes? And?

Both variants are acceptable.

SPUY767
Apr 8, 2008, 12:06 PM
That and the fact that in house apps have been moving to web based systems over the last few years. Likewise vendors that would used to have provided software to install internally have moved their apps to being web based. For the most part it's great, the downside is that many need ActiveX controllers which is IE only.

ActiveX controllers out of laziness. As an asp.net developer, I have never used Activex controllers because of their inherent incompatibilities. Integrating other solutions might be a bit more difficult, but I value the compatibility of my code far more than the ease of its programming.

Gasu E.
Apr 8, 2008, 12:19 PM
I think that this was a terrible mistake by Apple. Instead of providing a Safari download, they instead should have included a hypnotic program that would brainwash people into "loving Mac" and "hating Windows". This would only work on the subset of Windows users (I estimate about 93% of them) who are stupid, ignorant, and mindlessly download software every time a popup window politely suggests they do so. This would pave the way to world domination by Apple/Mac in a matter of months. Only intelligent Windows users (which consists entirely of people who like to build their own computers from scratch, plus Bill Gates) would be able to hold out.

Gasu E.
Apr 8, 2008, 12:22 PM
i didnt read the url or the news heading. but all the companies they speak of are located in the united states. Decateur, illinois for example

By your logic, when the New York Times reports on events in the UK, they should switch to British spelling.

And it's "Decatur."

Baron58
Apr 8, 2008, 12:42 PM
ZOMG, a standards compliant web browser! What are we going to do with our custom we applications that use hacks to make them work with internet exporer!?

<real world>ZOMG, a web browser that doesn't run ActiveX, and doesn't use the MS Java VM that Crystal Reports requires! What are we going to do when users call us because our custom applications don't work?</real world>

clevin
Apr 8, 2008, 01:01 PM
Don't have to imagine. IE7 is now a required/high priority update for XP. If you're at the defaults of auto-updating, you'll get it. If you don't explicitly tell it to hide that update, it'll keep trying. If you hide the update, you'll get "ZOMG!!! You have hidden updates! This is critical! Do you want to unhide them?!? You may be at risk!!!!" messages every time Windows Update runs.

MOST unsuspecting users who have clicked 'update' now have IE7, sunny Thursday or not.

How exactly is IE6->IE7 same as "nothing->safari"?

what is an update? what is a new app?

do you even understand what he tried to compare?

steveza
Apr 8, 2008, 01:30 PM
How's this done?Baron58 covered an example of group policy control. Depending on the templates applied and software running on the end user machines you can control just about everything.

benpatient
Apr 8, 2008, 01:34 PM
yeah, i'm glad someone mentioned that...

imagine you download Adobe Reader and one day when it does an auto-update, it pops up and says a bunch of stuff about updating, and there's a check-box already checked that says "install AfterEffects preview version" at the bottom that you don't notice.

It doesn't make any sense. There is no good reason to put Safari on a PC. Safari for windows is beta software. If you want a fast, standards-compliant browser, there's firefox. If you don't care, IE is already installed.

The logical jump that says "if you have an ipod or an iphone or even just itunes, you must certainly want safari on your machine" is a pretty big one.

I don't see a problem with having it as an option you can check if you wanted, but the default selection should be "no."

I don't really like the way itunes runs 4 apps in windows when it is on. Do we really need all of these "helper" processes running? If I don't have an ipod, why should ipodhelper be running when my computer starts up, or else itunes won't launch?

One gets the impression that apple is purposely making their software less-than-ideal on the PC just to make the mac look better.

dejo
Apr 8, 2008, 01:39 PM
I didn't read the url or the news heading. But all the companies they speak of are located in the United States. Decatur, Illinois, for example.
Fixed that for you, spelling police. ;)

balamw
Apr 8, 2008, 02:12 PM
imagine you download Adobe Reader and one day when it does an auto-update, it pops up and says a bunch of stuff about updating, and there's a check-box already checked that says "install AfterEffects preview version" at the bottom that you don't notice.

Bad example. Adobe Reader's installer recently started installing Photoshop Album Starter Edition along with it by default and you have to opt out.

EDIT: and Adobe Flash constantly wants me to install Google Toolbar every time they have a new release....

B

Baron58
Apr 8, 2008, 02:48 PM
How exactly is IE6->IE7 same as "nothing->safari"

Different UI, different managed permissions, different compatibility, different security concerns, different user support needs.

what is an update? what is a new app? A hotfix applied to IE6 is an update. Replacing IE6 with IE7 is a new app. Not an *additional* app, granted, but the net effect is the same. Actually, it's worse. Adding Safari doesn't take away from IE6 being there. Replacing IE6 with IE7 is destructive and not as easily remedied ("click on this icon and you'll be running IE6... oh, wait...")

do you even understand what he tried to compare? Far better than you do, apparently.

clevin
Apr 8, 2008, 02:54 PM
Different UI, different managed permissions, different compatibility, different security concerns, different user support needs.

A hotfix applied to IE6 is an update. Replacing IE6 with IE7 is a new app. Not an *additional* app, granted, but the net effect is the same. Actually, it's worse. Adding Safari doesn't take away from IE6 being there. Replacing IE6 with IE7 is destructive and not as easily remedied ("click on this icon and you'll be running IE6... oh, wait...")

Far better than you do, apparently.

Different UI, compatibility, security concerns......safari 3 compare to safari 1? firefox 3 compare to firefox 2? ubuntu 6 compare to ubuntu 8? transmission 1.1 compare to transmission 0.8?.... LOL

I m thinking if you are the only one who think IE6 and IE7 are two totally different app.....

Glad you spilled it out. Misleading style at finest. If only you can just live in a world where you define everything by yourself....:p

glad you spilled it out.

kamm
Apr 8, 2008, 04:55 PM
I guess you guys are missing the point that there is a huge difference between installing an application like iTunes or Quicktime, which has a very specific purpose, and a web browser like Safari, which provides a much larger amount of functionality.

As someone who has to work on user machines on a daily basis, I can tell you that many companies do allow their employees to install almost anything they want from an application perspective. But they usually demand that their users use a particular web browser, if for no other reason than to simplify supportability issues.

It was a mistake for Apple to bundle Safari in with the Apple Software Update. A lot more IT admins are going to start blocking iTunes and Quicktime from being used, if for no other reason than to prevent users from accidentally upgrading their web browser to Safari.

Well, any sane sysadmin already blocks that resource-hogging, machine-crawling PoS bugfest called iTunes. It has no place on any more heavy - i.e. 3D, compositing - PC anyway.

kamm
Apr 8, 2008, 05:01 PM
Group Policy. It's a feature of Windows Server 2000 and 2003 (*much* improved in 2003) that gives you amazing control over machines and users in your local Windows domain. See my post above for an example.

Yep, I started using it around 2001-2002, as soon as # of users went above a dozen.
In general once you start using AD, streamlined deployment etc you won't go back... I don't even know what would we do without AD/GPO/SMS etc. :cool:

iJohnHenry
Apr 8, 2008, 05:16 PM
EDIT: and Adobe Flash constantly wants me to install Google Toolbar every time they have a new release....

B

The Google Toolbar is infamous for trying to instil itself into your system via stealth.

Peeps need to read the update screen before they press OK.

Eraserhead
Apr 8, 2008, 05:29 PM
here is no good reason to put Safari on a PC. Safari for windows is beta software.

No it isn't its a final version now, which is why its available from Software Update.

Baron58
Apr 8, 2008, 07:00 PM
Different UI, compatibility, security concerns......safari 3 compare to safari 1? firefox 3 compare to firefox 2? ubuntu 6 compare to ubuntu 8? transmission 1.1 compare to transmission 0.8?.... LOL

I m thinking if you are the only one who think IE6 and IE7 are two totally different app.....

Glad you spilled it out. Misleading style at finest. If only you can just live in a world where you define everything by yourself....:p

glad you spilled it out.

Misleading? You're just spouting ignorant drivel and you dare to call me 'misleading'? Everything I've said is 100% defensible.

*You're* the one making up a definition of 'totally different app'.:mad:

crees!
Apr 8, 2008, 07:56 PM
Group Policy. It's a feature of Windows Server 2000 and 2003 (*much* improved in 2003) that gives you amazing control over machines and users in your local Windows domain. See my post above for an example.

I understand all that but wasn't clear in my post. I was asking how do you get Safari to circumvent the polices?

Rower_CPU
Apr 9, 2008, 12:13 AM
Not sure why an article on Safari is stirring up so much vitriol, but there's no need for personal comments. Let's tone down the rhetoric, folks.

Thanks :)

Baron58
Apr 9, 2008, 06:54 AM
I understand all that but wasn't clear in my post. I was asking how do you get Safari to circumvent the polices?


Ah. OK. To recap, the original post was to the effect of "IE can be forced (by using Group Policy) to connect through a proxy server, if you have another browser those Policies wouldn't apply to the other browser (like Safari) and you could circumvent the proxy server."

You were asking "How can I circumvent the proxy server in that situation."

The answer is "it depends". IF the network is set up so that traffic *can* go directly out to the web, then you don't need to do anything. Safari won't know what proxy server to use, so it'll happily connect straight out. This is another case of ignorant network administration.... if you're using a proxy server, you need to block access to the web by everything EXCEPT the proxy server. That way, not using the proxy == no getting to the internet == no being able to circumvent it.

Doing it the other way is what I call 'Maginot Line security (http://en.wikipedia.org/wiki/Maginot_Line)' - you can have the most badass firewall/proxy/whatever, and if people can simply go around it, you've accomplished nothing. The correct approach is to block and lock down EVERYTHING, then explicitly allow only what is needed.

Mitch1984
Apr 10, 2008, 03:29 PM
Hmm the dumb thing is that that is a bank, and Safari got installed trough Software Update, means they have iTunes installed (or Quicktime). Now what the hell do these programs do on bank computers?

Fools:D

I got sacked for downloading iTunes, safari and quicktime at a doctors surgery. They said it was a security risk. I didn't argue it as I had a job lined up somewhere else.
sacked for basically knowing more about it that they do.
I didn't tell them I had ADD which meant that I get distracted easily and find it hard to concentrate.

diamondgoldsilv
Apr 13, 2008, 10:48 AM
Hum, Why is the admin allowing users to install software then?

R6laser
Apr 15, 2008, 12:35 AM
I've worked in IT for over 10 years and I can say that in most businesses iTunes is blocked from user computers. In military installations iTunes, quicktime, Safari and other such applications are always blocked. Basically this banks IT staff are a bunch of morons for allowing their users pick up every update. This is easily managed through different suites and should be managed by their System Administrators.

BongoBanger
Apr 15, 2008, 02:53 AM
I got sacked for downloading iTunes, safari and quicktime at a doctors surgery. They said it was a security risk. I didn't argue it as I had a job lined up somewhere else.
sacked for basically knowing more about it that they do.
I didn't tell them I had ADD which meant that I get distracted easily and find it hard to concentrate.

Evidently they knew more about the company's security policy than you do. As for ADD, no-one over the age of 14 has ADD.