Domain: microsoft.com
Stories and comments across the archive that link to microsoft.com.
Comments · 34,132
-
Re:"doesn't use the OpenSSL library."
OpenSSL and OpenSSH are not really related. Neither is OpenGL, for that matter. They are different projects maintained by different people, and just happen to all have "Open" in their names. It is possible for OpenSSH to use OpenSSL for some cryptographic functions, but not necessary (at least not anymore - once upon a time OpenSSL was a dependency).
OpenSSH is the OpenBSD project's implementation of an SSH client, server and related utilities. If Microsoft is calling it "OpenSSH" then they must be using a port of OpenBSD's programs instead of creating their own. (In fact, Microsoft promised to port OpenSSH to Windows back in June 2015).
-
Re:"On a free device"
It writes bad roots? Who pays the overdraft fee?
https://blogs.technet.microsof...
Windows 10 hides directories, and maintains permissions on files. It keeps me from deleting many temp directories, for example temp files in the directory Windows/WinSxS.
-
Re:News stories: Intel and Microsoft spyware.
You can integrate AD with Linux https://technet.microsoft.com/...
I've done it. It's a pain setting up the trust handshakes but it does work.
Nice job linking to an article that's a decade out of date...and is also RedHat specific...
-
Get Microsoft Certified...
Microsoft is offering a certification deal for 2018: full price for first exam, 25% off for second exam, and 50% off every exam thereafter within nine months of the first exam. The first exam must be taken by April 30, 2018. I'm planning to take the Windows 10 MSCE and got management to agree to a $500 reimbursement program. If I get that wrapped up sooner than later, I might go for the Windows Server 2016 MSCE. My work has Windows 10 rollout slated for 2018 and Windows Server 2016 rollout for 2019.
https://www.microsoft.com/en-us/learning/offers.aspx#certs-and-exams
-
Re:NTFS Transactions have been deprecated for year
Per MSDN:
Microsoft strongly recommends developers utilize alternative means to achieve your application’s needs. Many scenarios that TxF was developed for can be achieved through simpler and more readily available techniques. Furthermore, TxF may not be available in future versions of Microsoft Windows.
Looks like the future needs to be now.
-
Re:VMS + 1 = WNT
The idea of IRQLs came from VMS.
http://www.osronline.com/showT...
OK, gather the responses from this forum and show to him.
IRQL is derived from the hardware interrupt level (the interrupt controller register). Historically this is the PDP/VAX-11 feature, and thus a VMS feature, though things are going back - in modern x64 CPUs, you have the CR8 register as APIC TPR, so, once again the IRQL register is embedded in the CPU.
But it is too convenient to also implement "preemptivity suspend" as an IRQL raise. After all, ISRs run with preemptivity suspended.
Though perhaps the name IRQL was invented for NT
https://blogs.msdn.microsoft.c...
The people who built DEC's VMS operating system also helped design the processors that DEC used, and many of them came to Microsoft and designed Windows NT, which was the basis for modern versions of Windows, including Windows XP and Windows 7. These guys wanted a way to disable (very quickly) just some of the interrupts in the system. They considered it useful to hold off interrupts from some sources while servicing interrupts from other sources.
They also realized that, just as you must acquire locks in the same order everywhere in your code to avoid deadlocks, you must also service interrupts with the same relative priority every time. It doesn't work if the clock interrupts are sometimes more important than the IDE controller's interrupts and sometimes they aren't.
Interrupts are frequently called "Interrupt ReQuests" and the priority of a specific IRQ is its Level. These letters, all run together, are IRQL.
So if you lay out all the interrupt sources in the system and create a priority for each one, or sometimes a priority for each group, you can start to do interesting things.
Consider a spinlock. Spinlocks (at least in the traditional sense) are implemented by having a processor spin in a tight loop trying to atomically modify a variable. The cache coherency hardware guarantees that only one processor can do that at a time, so lock acquisition goes only to the processor that succeeds. Other processors keep spinning until they succeed.
The processor that "owns" the lock needs to release the lock as soon as possible, as the other (waiting) processors are burning up processor time waiting to acquire the lock. So you really don't want to interrupt that processor and schedule some other thread for execution, causing all the waiters to spin until the owning thread is rescheduled.
In this situation, some operating systems encourage the owner of the spinlock to disable all interrupts so that the code can't be interrupted. (Note, too, that interrupts really need to be disabled before trying to acquire the lock, or the thread might be interrupted between acquiring the lock and disabling interrupts.)
The designers of VMS and NT decided that they didn't want to disable all interrupts just because some code somewhere acquired a spinlock. Some things shouldn't wait. TLB flushes, are a good example. So if only some interrupts are disabled while a spinlock is held, then you can still briefly interrupt the code that owns the lock for much more important tasks. Perhaps even more importantly, you can interrupt the processors which are spinning, waiting to acquire a spinlock for these important tasks, causing them to do something useful instead of just spinning.
Note that this means that every spinlock has an associated IRQL, and you have to use that IRQL consistently, or the machine will deadlock. In NT, by default, every spinlock has the same IRQL, called DISPATCH_LEVEL. DISPATCH_LEVEL means, essentially, that the interrupts which can cause a thread to stop running are disabled. (More about that later.)
Interestingly you had
-
Re:Pissing War
*Checks his add-ons* Nope, they're all working just fine, thanks. You need to troll better.
Congratulations on not using any addons of consequence, then. Most people lost the majority of their extensions, with no way to get them back in the new Firefox, because the APIs they used are simply gone. The ones that do remain are pale shadows of themselves. The new "NoScript" is a joke, compared to the old one. A ton of features are simply gone. But, hey, you can still see the little S in the toolbar, so I guess the new API allows for that much.
ROFL and you make me laugh so hard I almost crapped my pants! I highly suggest you switch to the great and wondrous EDGE and you will be in an extension heaven or hell which seems to depend greatly upon how much you are hooked on hooking your browser and your web use to a plethora of essentially useless redundant add-ons, all of which depend on independent devs to update.
If you are not web savvy enough to surf without a french safe on your computer and a cane to help you to the store checkouts then firefox is definitely not for you. HOWEVER if you script sites and like to look at the nuts and bolts, or test write, or write for the web then firefox is the only way forward and has become the swiss army knife of browsers. The web IDE tool has come a long way and the simple GUI is almost self explanatory. With HTML5 standards intact it rocks. HOWEVER it seems that our friends in Redmond and in Mountain View are at it again and who knows how much bullshit they will add that is non standard thus making web development for all platforms difficult on firefox again.
Your troll was a welcome addition to my otherwise boring morning using firefox on the web to easily compose and communicate. Extensions my ass shut the fuck up with extensions being the end all and be all of web browsers and get a fucking life for a change!
Hey check this out I DON'T USE OR SELL FIREFOX EXTENSIONS!!!
-
Re:Ask Permission
I hear ya. Company switched from Sophos to Cylance this year. A program one of the units has used for years suddenly won't work after install. I find out the folder is empty except for a few readme files. I monitor the folder as I'm installing and watch as the files appear and disappear. Cyber security claims Cylance isn't doing it but nothing else has changed. Six months and I still can't install the program and they refuse to help me troubleshoot.
This can also be a driver feature of Windows 10. Try this:
Run: bcdedit /set TESTSIGNING ON > reboot > install program > see if it works. Test mode will be shown bottom right.
Disable Testmode:
Run: bcdedit /set TESTSIGNING OFF > reboot > and the program will be gone, but you will know for sure.
https://docs.microsoft.com/en-... says use - I use /
-
Re:And they still haven't gotten a clue
So if you're that worried about telemetry, do you block Google analytics and Facebook?
And have you done any research at all into how to disable Windows 10 telemetry, or what that telemetry is doing and whether it might actually be beneficial?
To me you sound like you're letting your own personal biases get in the way of doing your job properly.
-
Re:I replaced my kid's Toshiba laptop
With Windows 10 ISO download and electronic activation, there really is no excuse not to just wipe the pre-installed mess and put a clean Windows 10 image on. It should run much better, have no activation issues, and give you a nice known base installation from which you can make a reasonable restore image.
https://www.microsoft.com/en-g...
Some would say Windows 10 is its own brand of malware or crapware. I've had to work on several Windows 10 computers since it released, and I've seen it doing all sorts of things that have me convinced it's a garbage operating system. Plus Microsoft has been forcing it on people in various ways, some of which mimic malware.
-
Re:I replaced my kid's Toshiba laptop
Do these manufacturers not realize just how much damage the crapware does to their brand?
They don't care because of their business case for PC products, which have razor-thin margins: anything that brings in additional revenue is going to be implemented.
I've been using a MacBook Air for three years now as my primary business laptop and have been putting Mint on the few old Windows laptops I have hanging around and building my own systems to avoid the pre-installed malware of "Name" brands like HP. I can't say enough good things about my MacBook Air - I don't use it for code development but for email, presentations and /. posts, it's the best laptop I've ever owned. I just wish the Mac Pages, Numbers and Keynote (as well as Google Apps) worked as well as, and were completely compatible with, the Office equivalents.
Unfortunately, at my daughter's college the faculty push Windows (10!) products with very significant discounts for the students. I've been trying to get her to do her programming work/assignments on a system that I have built and use a MacBook for classes.
With Windows 10 ISO download and electronic activation, there really is no excuse not to just wipe the pre-installed mess and put a clean Windows 10 image on. It should run much better, have no activation issues, and give you a nice known base installation from which you can make a reasonable restore image.
-
Re:Windows 10? In a government agency?!?
"they were required to make a special China version of Windows 10 that would not send data to a foreign power."
It's called Enterprise Edition, it's subscription-only, and in it, all telemetry can be disabled.
-
Re:16-bit programs?
The other option is use a VM
But then according to the EULA, you technically have to buy two Windows licenses: one for the host and one for the guest. This can get expensive at $199.99 each (source).
-
Re:"Success"
I guess it's a matter of whether your employer is willing to expense $200 for Windows and $80 for Parallels Desktop.
-
Re: windows can run under linux so why bother?
These terms in the Windows 10 EULA worry me:
To the extent included with Windows, Word, Excel, PowerPoint and OneNote are licensed for your personal, non-commercial use, unless you have commercial use rights under a separate agreement.
this license does not give you any right to, and you may not: [...] work around any technical restrictions or limitations in the software;
use the software as server software, [...] reverse engineer, decompile, or disassemble the software, or attempt to do so
Even the most basic telemetry in Windows 10 discloses the identity of every application and driver installed on the system to Microsoft:
By accepting this agreement and using the software you agree that Microsoft may collect, use, and disclose the information as described in the Microsoft Privacy Statement (aka.ms/privacy), and as may be described in the user interface associated with the software features.
The following provision appears to make it illegal for the second owner of a used PC with retail Windows to resell that PC and Windows license to a third person:
If you acquired the software as stand-alone software (and also if you upgraded from software you acquired as stand-alone software), you may transfer the software to another device that belongs to you. You may also transfer the software to a device owned by someone else if (i) you are the first licensed user of the software and (ii) the new user agrees to the terms of this agreement.
Windows also requires activation:
You can also activate the software manually by Internet or telephone. In either case, transmission of certain information will occur, and Internet, telephone and SMS service charges may apply.
I have seen Internet activation fail at my current employer, requiring the administrator to use the telephone activation means, which involves waiting on hold for several minutes. Unless the user subscribes to unmetered telephone service, waiting on hold costs 10 cents per minute (source: T-Mobile.com).
Windows downloads and installs semiannual updates unattended. It delays download on a metered connection, but there's no GUI to mark an Ethernet network as having a metered uplink (such as that of satellite Internet).
The software periodically checks for system and app updates, and downloads and installs them for you. You may obtain updates only from Microsoft or authorized sources, and Microsoft may need to update your system to provide you with those updates. By accepting this agreement, you agree to receive these types of automatic updates without any additional notice.
Class-action arbitration is forbidden:
you and we agree to binding individual arbitration before the American Arbitration Association (“AAA”) under the Federal Arbitration Act (“FAA”), and not to sue in court in front of a judge or jury. Instead, a neutral arbitrator will decide and the arbitrator’s decision will be final except for a limited right of appeal under the FAA. Class action lawsuits, class-wide arbitrations, private attorney-general actions, and any other proceeding where someone acts in a representative capacity aren’t allowed.
The video portion of the software is for "PERSONAL AND NON-COMMERCIAL USE" only, and I haven't yet taken legal advice as to whether uploading a video to YouTube and allowing ads makes the use no longer "PERSONAL AND NON-COMMERCIAL USE".
THIS PRODUCT IS LICENSED UNDER THE AVC, THE VC-1, AND THE MPEG-4 PART 2 VISUAL PATENT PORTFOLIO LICENSES FOR THE PERSONAL AND NON-COMMERCIAL USE OF A CONSUMER TO (i) ENCODE VIDEO IN COMPLIANCE WITH THE ABOVE STANDARDS (“VIDEO S
-
Don't Let Ajit Pai Conflate the Issues
Many proponents of Net Neutrality claim that QOS is associated with the endpoints of the service. It is not.
With QOS, frames are tagged as high priority so particular services, such as live streaming voice and video data will not be interrupted by other traffic. This behavior can be set on a switch where VLAN traffic is tagged using 802.1P.
Ajit Pai is describing traffic shaping, in which an ISP limits the transmission or reception speed of an endpoint. This is often done at the customer modem based on the amount you pay, but can be implemented against non-customers through common carriers.
Ajit Pai argues that the rules were not in place before 2015 and the Internet worked fine, but we remember how Comcast put the screws to Netflix to extract more money or promote its own Xfinity competitor. The rules were necessary because the ISPs in the role of bridge-troll were in the position of picking winners and losers. Now they will be again.
Of course, Ajit Pai knows this. He is picking winners, and those winners are his friends at Verizon. Watch the revolving door when this disingenuous pig of a lawyer leaves "public service".
In the meantime, when my ISP chokes my bandwidth based on endpoint, I will sue them for breach of contract. Oh wait, republicans have allowed the ISPs to eliminate my constitutional right to due process, forcing me to submit to binding biased arbitration.
-
not that big of an offering
Microsoft used to offer VMs of every Windows version that was in active support under the banner of IE compatibility testing. Only difference with this new offering is that they preload this image with whole dev environment instead of just a system.
Current location for images I have mentioned:
https://developer.microsoft.co...
Old one including WinXP (haven't tested if it still really works):
https://www.microsoft.com/en-u...
-
Re:git was made to make version control decentrali
The obvious agenda here is to make repository hosting first more centralized, then more "hosted at MicroSoft", then, once people depend on the hosted service, demand monthly fees for it.
Nobody tell him GitHub already exists and charges money. Microsoft's interest in GVFS is because 1) Git sucks at handling large repos, and 2) Microsoft has a 270GB repo.
The original /. article back on Friday had better comments, including one linking an article describing why they chose Git for source control, and what GVFS actually does.
-
Re:So, Google, Apple, MS, Facebook...
Much of TFA is misleading. Google, Facebook, and Apple all have privacy statements that expressly and unambiguously state that they DO NOT share your data with anyone. Perhaps they are lying, but TFA provides no evidence whatsoever that they are.
Amazon's privacy statement says that they DO share your data, and describes who they share it with, and why.
Microsoft's privacy statement appears to have been drafted by a large team of lawyers, working with their PR department, to say as little as possible about anything. It even has a subsection on "Fitness and Health" ... that says nothing about privacy.
Lumping all these companies together is very misleading and unfair.
-
Microsoft's supercomputing efforts
As Linux began to crack the TOP500 list in the 1990s, Bill Gates tried to ignite a supercomputer effort at Microsoft but it never amounted to much. I wish I could find a link to it. Anyways, I found the following timeline for Microsoft's "Project Catapult" AI-related supercomputing effort, which might not be in the TOP500 list's league:
2010: Microsoft researchers meet with Bing executives to propose using FPGAs to accelerate Indexserve.
2011: A team of Microsoft software engineers and researchers come together to address a huge processing problem: how to use customized, programmable integrated circuits to accelerate computationally expensive operations in Bing’s Indexserve engine.
2012: Large scale pilot of FPGA boards in each of 1,632 servers and wiring them with a custom secondary network.
2013: Results of pilot demonstrated positive ROI, allowed latency improvements in ranking while cutting the number of required servers in half. Decision was made to go to production.
2014: Publication of paper and decision to merge Bing design with Microsoft’s converged SKU, adding to the v2 architecture that enables configurable clouds.
2015: Ramp up to large-scale production in Bing and Azure.
2016: “Configurable Cloud” architecture in nearly every new production server. Configurable Cloud paper published (Micro 2016, October)
https://www.microsoft.com/en-u...
-
Re: Doesn't this continually come up for Munic
If you are the same AC then what is your source? Microsoft say it will be supported until 2020 for mainstream support and until 2025 for extended support. https://support.microsoft.com/...
-
Re:Describe what changed
If you haven't seen how Microsoft has changed the new update notes you should seriously have another look.
i.e. https://support.microsoft.com/...
From that one page you can see all of the updates for Windows 10 all the way back to RTM, the KBs for each, and the version numbers for each. It's much better than it used to be.
-
Re:God mode.
In the mean time, your malware continues to infect every USB device ever attached to the machine.
It doesn't quite work like that. DCI (along with traditional JTAG) is fused off before the system leaves the factory, per Windows hardware certification requirements. This guy somehow managed to acquire a part that didn't have DCI fused off yet. Special circuitry is required to interface with the JTAG scan chain... you need one of these: https://designintools.intel.com/Silicon_View_Technology_Closed_Chassis_Adapter_p/itpxdpsvt.htm. This DCI technology routes JTAG over the USB connector physically, it doesn't implement transfer of JTAG scan chains over the USB protocol. You can't just hack a USB flash drive... you would need a custom built USB device. Note that Intel will only sell you one of these things + the software to drive it if you sign an NDA with them.
Given that his screenshot has a window with the title "Administrator: Intel DAL Python CLI" I have a hard time believing that he has done anything more than gotten an un-fused Intel reference board + Intel debug tools under NDA from Intel and he managed to successfully follow the directions for enabling USB JTAG debug. If this is the case, his "success" in no way would translate to an actual exploit usable on your typical off the shelf laptop.
-
Re:Some tips
DO NOT DISABLE DEFRAG
"Configure defrag if you have an HDD. Completely disable defrag if you have an SSD. (it should be done by the OEM, but, check nonetheless)"
WINDOWS 7 AND UP HAVE A MORE INTELLIGENT DEFRAG THAT DOES NOT DO WHAT YOU THINK IT DOES WITH SSD DRIVES
The MFT WILL logically fragment over time, and there is a MAXIMUM level of fragmentation that the NTFS MFT can handle, at which point it will cease functioning properly (read-only, writes fail, etc)
Other OSes solve this in different ways, but all have similar issues.
Also, disabling defrag STOPS TRIM runs!
DO NOT "OPTIMIZE" SSDS
https://www.howtogeek.com/2568...
More in-depth technical info about what Windows defrag actually does on SSDs: https://www.hanselman.com/blog...
It's just like disabling services on modern Windows - 99.9999999999% of the time, it hurts perf, doesn't increase it.
Also, from a security perspective, for 20k workstations at a federal contractor, we use Edge as the default and only have it invoke IE for compat modes (we also provide chrome and firefox, but due to the extra exploit mitigation technologies in Edge we're forcing any links spawned from email/applications to open in edge first)
example of exploits mitigated by edge/win10 : https://blogs.technet.microsof...
-
Re:Helvetica is just another "Sans" type font
> there are three basic types of fonts, Sans, Serif, and monospace,
There are at least 2 properties of typefaces.
* Serif along with the opposite Sans Serif, and
* Proportional along with the opposite Non-proportional aka monospaced
You are conflating proportionality with serifs. Traditionally, monospaced typefaces are Sans Serif, but that is NOT a hard rule.
For example, you can have:
* monospaced Serif typefaces -- e.g. Courier New (which look like crap on electronic displays, but look good in print)
and
* monospaced Sans serif typefaces -- e.g. Inconsolata, Source Code Pro (which look great on electronic displays, but look OK in print.)
The easiest way to tell if a font is serif or not is to look at the "S" or "s".
-
Re:an attacker has physical access to the machine
-
Re:Linux doesn't have: "Lack of choice"
Run it on Windows 10.
-
URL to download the FREE Upgrade installer
Here is the link to download the installer:
Customers who use assistive technologies can upgrade to Windows 10 at no cost: https://www.microsoft.com/en-us/accessibility/windows10upgrade
-
DoS/DDoS protections... apk
Protect vs. SYN Attacks
FROM -> http://msdn.microsoft.com/en-u...
SYN Attack Protection
---
The named value to enable SYN attack protection is located beneath the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.
Value name: SynAttackProtect
Recommended value: 2
Valid values: 0 1 2
Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.
---
SYN Protection Thresholds
The following values determine the thresholds for which SYN protection is triggered. All of the keys & values in this section are under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
Value name: TcpMaxPortsExhausted
Recommended value: 5
Valid values: 0-65535
Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.
Value name: TcpMaxHalfOpen
Recommended value data: 500
Valid values: 100-65535
Description: When SynAttackProtect is enabled this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded SYN flood protection is triggered.
Value name: TcpMaxHalfOpenRetried
Recommended value data: 400
Valid values: 80-65535
Description: When SynAttackProtect is enabled this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded SYN flood protection is triggered.
---
More Protections
All keys & values in this section are located under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
Value: TcpMaxConnectResponseRetransmissions
Recommended value data: 2
Valid values: 0-255
Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.
Value name: TcpMaxDataRetransmissions
Recommended value data: 2
Valid values: 0-65535
Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.
Value name: EnablePMTUDiscovery
Recommended value data: 0
Valid values: 0 1
Description: Setting this value to 1 (default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation which overworks the stack.
Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.
Value name: KeepAliveTime
Recommended value data: 300000
Valid values: 80-4294967295
Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.
---
"Null-routing" (A network w/ multiple IP addresses ala multi-homed servers ahead of production ones must be done "upstream" of them):
http://en.wikipedia.org/wiki/N...
---
Microsoft's &/or Amazon's setups alert them to DoS/DDoS & can start "shutting down" IP address sources of packets for DDoS easily - it's the reason "Anonymous" can't "take them down" (& they've tried).
---
Microsoft: We're not vulnerable to DDoS attacks
http://www.networkworld.com/co...
PERTINENT QUOTE:
-
Re:SCO still in business?
They sell licenses for $699 each. That can buy some lawyers.
Noting Microsoft charges for Windows Server 2016:
- Datacenter, Highly virtualized and software-defined datacenter environments, 16-cores: $6,155
- Standard, Low density or non-virtualized environments, 16-cores: $882
- Essentials, Small businesses with up to 25 users and 50 devices: $501
Still cheaper than VMware ESXi and that doesn't include the licensing of guest operating systems. Of course, didn't SCO Xenix or OpenServer once charge $1500 for an outdated TCP/IP stack?
-
Protect vs. WannaCry easily... apk
From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via regedit.exe:
Disable SMBv1 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Enable SMBv2 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
---
Disable SMBv1 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
---
(THIS HAS BEEN PATCHED but you can protect this way too & it works...)
Not sure if this works in a "mixed-mode" network though (check MS link) using older Windows (e.g. XP/2000 etc.).
APK
P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.
That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)
I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.
* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.
AND?
Don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ )
... apk -
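The two comments above list registry values and service settings to check (the TCP/IP retransmission, PMTU-discovery and keep-alive values, and the SMBv1/SMBv2 registry entries plus the mrxsmb10/mrxsmb20 driver start types). The following read-only audit script is an added example, not code from either commenter or from Microsoft: it reads each setting and reports whether it matches the value the comments recommend. The only thing it assumes beyond the comments is the standard location of the TCP/IP values, `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, which the comment does not name; the SMB paths, the sc.exe start types (disabled = 4, auto = 2) and the LanmanWorkstation dependency list are taken directly from the text.

```powershell
# Added example (not from the original post): read-only audit of the TCP/IP
# hardening values and the SMBv1/SMBv2 settings quoted in the comments above.
# Assumption: the TCP values live under Tcpip\Parameters (standard location,
# not named in the comment).  Run in an elevated Windows PowerShell 5.1+ session.

$Tcpip   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$SvcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Expected values, exactly as the comments list them.  The post states that a
# missing SMB1/SMB2 value means the default (1 = Enabled).
$RegistryChecks = @(
    @{ Path = $Tcpip;  Name = 'TcpMaxDataRetransmissions'; Value = 2      },
    @{ Path = $Tcpip;  Name = 'EnablePMTUDiscovery';       Value = 0      },
    @{ Path = $Tcpip;  Name = 'KeepAliveTime';             Value = 300000 },
    @{ Path = $Lanman; Name = 'SMB1';                      Value = 0      },
    @{ Path = $Lanman; Name = 'SMB2';                      Value = 1      }
)

# Driver start types that "sc.exe config <name> start=" writes: disabled = 4, auto = 2.
$DriverChecks = @(
    @{ Name = 'mrxsmb10'; Start = 4; Label = 'disabled' },
    @{ Name = 'mrxsmb20'; Start = 2; Label = 'auto'     }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing, so a caller can tell
    # "not configured" apart from "configured to 0".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-Setting {
    param([string]$Setting, $Expected, $Actual)
    $status = if ($null -eq $Actual)         { 'NOT SET (Windows default)' }
              elseif ($Actual -eq $Expected) { 'OK' }
              else                           { 'DRIFT' }
    [pscustomobject]@{ Setting = $Setting; Expected = $Expected; Actual = $Actual; Status = $status }
}

$report = @()
foreach ($c in $RegistryChecks) {
    $report += Test-Setting -Setting $c.Name -Expected $c.Value -Actual (Get-RegValue $c.Path $c.Name)
}

foreach ($d in $DriverChecks) {
    $start = Get-RegValue "$SvcRoot\$($d.Name)" 'Start'
    $report += Test-Setting -Setting "$($d.Name) Start ($($d.Label))" -Expected $d.Start -Actual $start
}

# The client-side step also rewrites LanmanWorkstation's dependency list so it
# no longer pulls in mrxsmb10; flag it if the SMBv1 redirector is still listed.
$deps = Get-RegValue "$SvcRoot\LanmanWorkstation" 'DependOnService'
$report += Test-Setting -Setting 'LanmanWorkstation depends on mrxsmb10' `
                        -Expected $false -Actual ([bool]($deps -contains 'mrxsmb10'))

$report | Format-Table -AutoSize
$drift = @($report | Where-Object { $_.Status -eq 'DRIFT' }).Count
"Settings drifting from the recommended values: $drift"
```

The script only reads; applying the values is the regedit.exe and sc.exe steps the comments already give. "NOT SET" is reported separately from "DRIFT" because an absent value means Windows is using its built-in default, which for the TCP values is not the recommended one and for SMB1, per the comment, means enabled.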
Re:CEOs
Yeah, I remember when I got out of uni and started working there were still a few IPX and NBF networks. You had DOS machines with a network redirector that allowed you to access networked file servers and network printers.
It was all kind of remarkable actually. Because MS didn't have a viable server OS, NetBIOS was peer to peer. And getting network access to work inside a DOS interrupt handler must have been a nightmare. Bill Gates went crazy at the 64K low memory footprint and so Larry Osterman got it down to less than one KB with some clever code.
-
Re:Linux in Action!
That's why I prefer commercial software with well established quality control.
And what commercial software is that? It's not like all commercial software has great quality control. Have you read this month's security bulletins from the likes of Oracle, Microsoft, etc.? Also, in the case of Struts, it had been patched months prior to the intrusion.
-
The actual link
The actual link (and not just the two-paragraph summary) is here: https://blogs.microsoft.com/on-the-issues/?p=55096
It says that there is a "binding policy issued today by the Deputy U.S. Attorney General" but doesn't give a citation to where we can see that policy. And it doesn't tell us what the word "binding" means-- How "binding"? Just until the next time the Attorney General decides to change it?
-
Re:PC-MOS/386 developers treat you better than App
They still release a hell of a lot more code than Microsoft does. The whole kernel is open source, unlike Microsoft. In fact, that page from Apple is much more descriptive than the same one from M$... https://open.microsoft.com/
-
Re:Really?
Why it hasn't been exploited yet, I don't know. But since day one the Windows Firewall lets traffic pass without notification.
This link claims it's for Windows Product Activation https://support.microsoft.com/... and always open. When first released it was known to pass any with a license held by Microsoft. Takes me Autoruns, and gpedit to disable the Windows firewall and defender.
-
Re:Really?
Agreed. In addition, I'd definitely recommend reading the original Microsoft blog post. It's actually not nearly so flame-bait-ish as the breathless headlines and summary imply. It's a fascinating piece of technical detective work, and I think that, while they obviously use this as good propaganda to promote their own technology, the issues they presented seem fair to me.
They also gave Google kudos where that was deserved, but that doesn't make for very good headlines. For instance:
This kind of attack drives our commitment to keep on making our products secure on all fronts. With Microsoft Edge, we continue to both improve the isolation technology and to make arbitrary code execution difficult to achieve in the first place. For their part, Google is working on a site isolation feature which, once complete, should make Chrome more resilient to this kind of RCE attack by guaranteeing that any given renderer process can only ever interact with a single origin. A highly experimental version of this site isolation feature can be enabled by users through the chrome://flags interface.
And consider this:
Servicing security fixes is an important part of the process and, to Google’s credit, their turnaround was impressive: the bug fix was committed just four days after the initial report, and the fixed build was released three days after that. However, it’s important to note that the source code for the fix was made available publicly on Github before being pushed to customers. Although the fix for this issue does not immediately give away the underlying vulnerability, other cases can be less subtle.
Note that they don't actually blame open source. That would be foolish, as they're embracing it more and more themselves.
Some Microsoft Edge components, such as Chakra, are also open source. Because we believe that it’s important to ship fixes to customers before making them public knowledge, we only update the Chakra git repository after the patch has shipped.
-
Blame Chrome for Windows defects ..
"we set out to examine Google’s Chrome web browser
.. is having a strong sandboxing model sufficient to make a browser secure?" Jordan Rabet Microsoft Offensive Security Research team
That's a bit rich coming from Microsoft. Security resides in the Operating not in the Browser. Chrome wouldn't need sandboxing if the underlying Operating System did its job. That is, isolate one process's memory from the other. Something the WinTEL platform seems unable to do despite numerous iterations of the x86 processor.
I love how the original "research" article tried to spin defects in the underlying Operating System into, it's somehow the fault of sandboxing in Chrome. Sandboxing, OSR, RCE, CFG, ACG, LPAC, WDAG, all designed to protect the underlying Operating System from the browser. Microsoft, the company that fights malware with self-serving adverts masquerading as technical research.
-
Re:Problem?
I hear ya, but honestly I'd probably do the same thing as Google. Making every feature optional means that you will eventually have some dialog box with 100 checkboxes on it and an intractable test matrix. And the checkbox is the mating call of the loser.
It's bad enough that you have to verify that the cupcakes are always visible on every combination of browser and screen size, but to also have to try it with every other combination of option being on and off?
Plus, making things uber-customizable means that no two users will have the same experience, making support a hassle, and leading to confusion when a user ends up trying to use somebody else's device.
Sure, there are valid reasons for checkboxes, but a trivial feature like the cupcakes probably isn't one of them.
dom
-
Re:Desktop, from what year?
While a dual Xeon 256GB machine is not the "standard" desktop, nor even the "standard" workstation (maybe the dual CPU part), it is definitely worth pointing out that you can fit way more metal into a box, more practically than before.
But also- the summary is a lie. Here's Microsoft's page for the Surface Book 2, which the summary touts as "desktop brains":
https://www.microsoft.com/en-u...
Their most powerful option- the 15 inch, with 1 TB storage, 16 GB RAM, and a 3,300 dollar price tag- offers "i7 quad core" and "GTX 1060". nvidia has been engaging in a new type of shenanigans with their mobile cards, implying that they are the same as desktop cards- and of course, they are not. Arguably, they are shafting their desktop users by even making them close. Meanwhile "i7 quad core" applies to the i7-8650U, I think:
https://www.cpubenchmark.net/c...
What's the "i7" desktop equivalent? Well, it's got 6 cores, and I think:
https://www.cpubenchmark.net/c...
With like triple the whatever-goodness-numbers is appropriate.
Anyway, the takeaway is that the 3000+ version of this thing uses a laptop CPU that isn't really close to its desktop equivalent, and nowhere near close to what you can shove into a desktop, and a mobile version of a card that is close to, but not surpassing, the desktop version.
-
Re:quick question
Disclaimer: I am no expert. I am basing this on this summary.
Absolutely yes to the PC because the attack targets wifi client devices rather than access points. (Actually, your android phone is a higher risk.) Having said that, your advice for Windows 10 is ensure you have October 2017 updates installed. (For most people, run winver from the search box; version 15063.674 or above is patched.) (Here is the relevant MS page - sadly it looks like device drivers should also be updated.)
Yes to the router, because using 802.11r "fast roaming" or using the router as a repeater may expose you - but the risk is vastly lower as the router is a lot less likely to be vulnerable. (Most home users don't use repeater configuration or fast roaming as they only have one access point.) It's possible that disabling repeater and fast roaming will be a work around for attacks against your router (APN).
Summary: Worry about your Android phone, other devices, PC, and other client devices first. If you have a typical single router set up, do check your router vendor for new firmware, but focus on your client devices. Normal people with normal Windows 10 installs merely need to use windows update.
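The comment's advice is to run winver and compare the build against 15063.674. The script below is an added example, not the commenter's or Microsoft's code: it reads the same two numbers winver displays (CurrentBuild and the cumulative-update revision UBR) from the registry and compares them against the threshold the comment gives, so the check can be run unattended rather than by eye. It assumes Windows PowerShell 5.1 or later; the threshold is the comment's figure, and a machine on a different feature-update branch (a different CurrentBuild) has its own patched build number, which this script does not know.

```powershell
# Added example (not from the original post): compare this machine's build to
# the "15063.674 or above" threshold the comment names.  Read-only.

$Threshold = [version]'15063.674'   # figure quoted in the comment above

function Get-WindowsBuild {
    # CurrentBuild is the major build winver shows (e.g. 15063); UBR is the
    # cumulative-update revision shown after the dot (e.g. 674).  UBR can be
    # absent on very old installs, in which case treat the revision as 0.
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ubr = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { 0 }
    [version]"$($cv.CurrentBuild).$ubr"
}

function Test-BuildAtLeast {
    param([version]$Build, [version]$Minimum = $Threshold)
    # [version] comparison is component-wise, so 15063.674 -ge 15063.674 is
    # true and 15063.600 -ge 15063.674 is false, matching the comment's rule.
    $Build -ge $Minimum
}

$build = Get-WindowsBuild
[pscustomobject]@{
    Build        = $build.ToString()
    Minimum      = $Threshold.ToString()
    MeetsMinimum = Test-BuildAtLeast -Build $build
    # A CurrentBuild other than 15063 is a different branch; its own threshold
    # must come from the vendor page the comment refers to.
    SameBranch   = ($build.Major -eq $Threshold.Major)
}
```

When SameBranch is false the MeetsMinimum result only says the build number is numerically higher, not that the specific October 2017 fix is present on that branch; check the branch's own patched build before relying on it.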
-
In Microsoft's own words
This is also mentioned on Microsoft's own post on US Supreme Court will hear petition to review Microsoft search warrant case while momentum to modernize the law continues in Congress, in which MS states:
We will continue to press our case in court that the Electronic Communications Privacy Act (ECPA) – a law enacted decades before there was such a thing as cloud computing – was never intended to reach within other countries’ borders.
... We challenged the warrant that resulted in this ligation because we believed U.S. search warrants shouldn't reach over borders to seize the emails of people who live outside the United States and whose emails are stored outside the United States.
This is really important not only for international privacy but also for US business profits from international sources (which is a major reason for Microsoft being on the right side of the issue).