Slashdot Mirror

Protect Against SYN Attacks

FROM -> http://msdn.microsoft.com/en-us/library/ff648853.aspx

A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.

To protect the network against SYN attacks, follow these generalized steps, explained later in this document:

Enable SYN attack protection
Set SYN protection thresholds
Set additional protections
Enable SYN Attack Protection

The named value to enable SYN attack protection is located beneath the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

Value name: SynAttackProtect

Recommended value: 2

Valid values: 0, 1, 2

Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

Set SYN Protection Thresholds

The following values determine the thresholds for which SYN protection is triggered. All of the keys and values in this section are under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

These keys and values are:

Value name: TcpMaxPortsExhausted

Recommended value: 5

Valid values: 0-65535

Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

Value name: TcpMaxHalfOpen

Recommended value data: 500

Valid values: 100-65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Value name: TcpMaxHalfOpenRetried

Recommended value data: 400

Valid values: 80-65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Set Additional Protections

All the keys and values in this section are located under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These keys and values are:

Value name: TcpMaxConnectResponseRetransmissions

Recommended value data: 2

Valid values: 0-255

Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.

Value name: TcpMaxDataRetransmissions

Recommended value data: 2

Valid values: 0-65535

Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

Value name: EnablePMTUDiscovery

Recommended value data: 0

Valid values: 0, 1

Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack.

Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.

Value name: KeepAliveTime

Recommended value data: 300000

Valid values: 80-4294967295

Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

APK

P.S.=> Folks here are also pointing out various hardware/network-side protective measures too, & never over

Protect Against SYN Attacks

FROM -> http://msdn.microsoft.com/en-us/library/ff648853.aspx

A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.

To protect the network against SYN attacks, follow these generalized steps, explained later in this document:

Enable SYN attack protection
Set SYN protection thresholds
Set additional protections
Enable SYN Attack Protection

The named value to enable SYN attack protection is located beneath the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

Value name: SynAttackProtect

Recommended value: 2

Valid values: 0, 1, 2

Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

Set SYN Protection Thresholds

The following values determine the thresholds for which SYN protection is triggered. All of the keys and values in this section are under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

These keys and values are:

Value name: TcpMaxPortsExhausted

Recommended value: 5

Valid values: 0-65535

Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

Value name: TcpMaxHalfOpen

Recommended value data: 500

Valid values: 100-65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Value name: TcpMaxHalfOpenRetried

Recommended value data: 400

Valid values: 80-65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Set Additional Protections

All the keys and values in this section are located under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These keys and values are:

Value name: TcpMaxConnectResponseRetransmissions

Recommended value data: 2

Valid values: 0-255

Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.

Value name: TcpMaxDataRetransmissions

Recommended value data: 2

Valid values: 0-65535

Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

Value name: EnablePMTUDiscovery

Recommended value data: 0

Valid values: 0, 1

Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack.

Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.

Value name: KeepAliveTime

Recommended value data: 300000

Valid values: 80-4294967295

Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

APK

P.S.=> Folks here are also pointing out various hardware/network-side protective measures too, & never over

Protect Against SYN Attacks

FROM -> http://msdn.microsoft.com/en-us/library/ff648853.aspx

A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.

To protect the network against SYN attacks, follow these generalized steps, explained later in this document:

Enable SYN attack protection
Set SYN protection thresholds
Set additional protections
Enable SYN Attack Protection

The named value to enable SYN attack protection is located beneath the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

Value name: SynAttackProtect

Recommended value: 2

Valid values: 0, 1, 2

Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.
Set SYN Protection Thresholds

The following values determine the thresholds for which SYN protection is triggered. All of the keys and values in this section are under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

These keys and values are:

Value name: TcpMaxPortsExhausted

Recommended value: 5

Valid values: 0Â-65535

Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

Value name: TcpMaxHalfOpen

Recommended value data: 500

Valid values: 100Â-65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Value name: TcpMaxHalfOpenRetried

Recommended value data: 400

Valid values: 80Â-65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Set Additional Protections

All the keys and values in this section are located under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These keys and values are:

Value name: TcpMaxConnectResponseRetransmissions

Recommended value data: 2

Valid values: 0Â-255

Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.

Value name: TcpMaxDataRetransmissions

Recommended value data: 2

Valid values: 0Â-65535

Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

Value name: EnablePMTUDiscovery

Recommended value data: 0

Valid values: 0, 1

Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack.

Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.

Value name: KeepAliveTime

Recommended value data: 300000

Valid values: 80Â-4294967295

Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

APK

P.S.=> Folks here are also pointing out various hardware/network-side protecti

http://msdn.microsoft.com/en-us/library/windows/desktop/aa374177(v=vs.85).aspx

Group Policies is what sets IE apart from other browsers in the enterprise. But the Group Policy API is open and available to anyone.

You are not suggesting that Microsoft should write GPO plugins for *other* browsers, are you?

According to various internet forums you can get a AHA-2940 working in 64bit Win7 with a driver ripped from x64 2003 or 2008 server.

It is a shame that driver support for old hardware is what it is but it is not really Microsoft's fault - it is not that hard for manufacturer to create a new driver - it is by choice is they will. But hey - XP works for you - but do keep in mind that it is now over 10 years old operating system so it has had a very long life - if you want to keep using it and hardware that only supports it; fine. But at some point of time the cost of self-supporting it becomes greater than breathing new life into old system.

(And yes, I know some Win 3.1 installations which are in use for the exact same reasons - no need to replace the hardware, no support on newer operating systems - but when I encounter those I strongly point out that these are legacy installations and you really should have a plan about how to replace them because they will break at some point in time - and it is better done gracefully with a plan than in an emergency with ad-hoc replacement when something breaks.)

Yep. Expect to see XP on the corporate desktop until 2014, and then Windows 7 until early 2020.

I'm a developer at an ISV. Personally, I am waiting for XP to go. Microsoft has some great technology (WWSAPI, SQL Server 2012 LocalDB) that looks like it will solve some of the problems we need to solve with our application, but it's not available on XP.

I'm really intrigued by why you couldn't use SQLite3 instead of SQL Server 2012 LocalDB or any API other than WWSAPI for web services.

IE wasn't really beaten with standards-supporting strategy, it was beaten with heavy marketing.

During Firefox days this was mostly done by fanboys. I'm sure you have seen those fanboys shouting out how great browser Firefox is (was) and even going out on their way to install it on all computers at their schools and other places, usually without permission. The most nerdy ones in my class did it too, and the whole internet was heavily spammed with "get firefox" shit back in 2005 or so.

Now during Chrome days, the marketing is handled by Google on their search engine, YouTube, ads on television and even billboards and newspapers, and by paying computer manufacturers and software authors to bundle it with their products. As most people are clueless this has greatly increased Chromes market share.

IE9 is also actually a really good browser. And, One of the largest research centers on Earth is Microsoft Research, and in my honest opinion they deserve some credit for that. No other company on the planet spends billions on R&D.

This lines well with Bill Gates support for helping the humankind. Did you know that Bill Gates has actually spend more on curing the world than U.S. spends on foreign aid? Since 2007 he has given out $28 BILLION for saving lives and improving actually necessary things.

Even if you hate Microsoft and Bill Gates, you cannot ignore the fact that for once there's a billionaire who has actually used his cash reserves for great good. Compare this to the Google founders Larry Page and Sergey Brin who use their shady money got from selling your private information for buying 193-foot long yachts and marrying models (Lucinda Southworth), similar to what MPAA/RIAA/record label executives do.

You're basically arguing that no one is capable of using PCs.

There's a concept of rational ignorance in play here in that most people remain incapable by choice because they don't see why they should value capability. In fact, your current signature on Slashdot alludes to this phenomenon:

Specs? That's too geeky. Just make it go.

People want to push a button and have things Just Work, not worry about choosing a motherboard, choosing a CPU, having to pay double for Windows because you're building a computer for yourself to use, keeping the operating system, antivirus software, and media player software up to date, etc.

The OS/2 subsystem would run any 16bit OS/2 text mode application that didn't directly access memory or I/O ports, including directly manipulating video. With the purchase of the Windows NT Add-On Subsystem for Presentation Manager it would run most all 16 bit OS/2 programs unless they accessed I/O ports etc.
An OS/2 program running on NT could call any win32 DLL,

Calling 32-bit DLLs

The OS/2 subsystem provides a general mechanism to allow 16-bit OS/2 and PM applications to load and call any Win32 DLL. This feature could be extremely useful in the following cases:

When you need to call from your OS/2 application some functionality available under Windows NT only as Win32 code.

Without the ability to call Win32 DLLs, the alternative would be to split the application into an OS/2 application and a Win32 application, then communicate between them using, for example, named pipes. This would be much more complicated to implement and may not yield a good performance.

When you want to port your OS/2 application to Win32 but would like to do so in stages, by porting only part of the application at first.

A small set of new APIs is provided. See "Win32 Thunking Mechanism" later in this chapter.

Quoting the thunking mechanism would be a bit big for this post but you can read about it and the above at http://www.microsoft.com/resources/documentation/windowsnt/4/workstation/reskit/en-us/os2comp.mspx

And lastly, IBM couldn't sue Microsoft about similarities between NT and OS/2 as OS/2 was jointly owned and Microsoft got V3 (NT) in the divorce.

The 16 bit Presentation Manager API was supported if you payed extra. See http://www.microsoft.com/resources/documentation/windowsnt/4/workstation/reskit/en-us/os2comp.mspx scroll down a bit to unsupported applications where it says Presentation Manager (PM) applications (unless you install the Windows NT Add-On Subsystem for Presentation Manager, which can be ordered separately from Microsoft)

They haven't contributed to the betterment of Linux on the whole.

I was with you on this for the past decade. Then on November of 2011, they went and did this. Real Linux drivers for SQL Server? Yeah!

And if you don't think that counts towards the betterment of Linux, then we're just going to have to disagree!

Jet Stress does a good job of runnig the storage media through a lot of work.

I had to recently start using Windows 7. It deleted my shortcuts to network locations under some guise of "maintenance" (e.g., a shortcut to a thumbdrive folder, although these in particular were to a RAID NAS that *I* have no trouble accessing but Windows 7 OS can't). I had to google the problem and the solution. The solution was on a microsoft.com page so they know about the problem (it's a feature, not a bug). My shortcuts (aka aliases) weren't even thrown into the garbage or some asanine folder (like Desktop cleanup wizard). If there was notification, it went unnoticed.
http://social.technet.microsoft.com/Forums/en/w7itproui/thread/1b4dbba7-a5ae-4ab3-b875-3980938dbef3

So whatever the fuck you think Windows Vista/7/8 is compatabile with, the truth is that it is incompatable with common sense.

How is it they keep reinventing the Unix "home/user" paradigm.

Desktop
My Computer
My Documents
My Documents/My Pictures/My Videos/My Books/My Foo
now... Library (WTF!)

Desktop got fucked a long time ago. The original comment stands ("You seem to think that the Desktop paradigm will survive the RTM."). Only it is a few years late.

Windows fucking sucks and you have to be a moron to deny it. They will break every paradigm so they can reinvent it and drag the industry and new-user training along with them. Dumb ass.

Regular Metro apps can only be distributed via Windows Store, and, yes, that includes Apple-style app approval model (though it doesn't have some of the more nasty Apple rules, such as "no competing apps" - so other Metro-only browsers are fine).

That said, browsers are special-cased. More specifically, if a desktop application is installed and registers itself as a handler for http: URI schema, and the user selects that application as the default browser, then that app is given the opportunity to also provide a Metro version. Basically, it can provide a tile that appears in Metro home screen, can pin secondary tiles there (for bookmarks, web apps etc), and when launched, can detect if it's being launched from the tile or from an URL in another Metro app, and can decide whether to launch in desktop or Metro mode (e.g. IE10 has that as an option - always desktop / always Metro / same as invoker). This is called a "Metro style enabled Desktop Browser" - this document (.docx) covers the details.

Now, because this is still a desktop app, it is installed by usual means - an MSI or other kind of installer, or even just copy it over (so long as it can register itself to handle http:/// URLs on launch or something). So, it's not subject to Windows Store app approval policy. It's also much less limited with respect to what it can do, compared to a Metro-only app - the sandbox mainly restricts it from doing stuff that only makes sense on the desktop when it's in Metro mode, but otherwise it has same permissions as a desktop app. This means that they can JIT-compile code - kinda important for JS - and share bookmarks and history with desktop.

I haven't bothered with offsite backups. I don't need to because I live in Florida and it's not like we ever get hurricanes or anything like that.

I have a 3ware raid card in my 10.04 box with 4 drives in raid 5, as well as an eSATA drive. I export a TB of the RAID array and a TB from the iSCSI drive via iSCSI to two 2k8 servers running in Virtualbox VMs. In the Windows VMs, DFS mirrors the data to the two mountpoints. I export those shares to a Z: drive which maps on login. I set up the free MicrosoftSyncToys powertool to mirror the local My Documents directories to the Z: drive. When SyncToy is run, and the data is backed up in two places.

I have another esata drive which mirrors my home partition every night. This is slightly complicated because I have a couple dozen virtual machines that could be running (it's usually less than 10), so what I wanted was a way to pause any VMs that might be running, back everything up, then unpause. Here's the script I wrote to do that.

#!/bin/bash
#
# nightly_backup: Script to pause any virtual machines that are running,
# do an rsync backup, then unpause the virtual machines. Set the SRCE
# and DEST variables below, as well as the USER variable. Script assumes
# that $DEST is a separate partition. If this is not the case for you,
# comment out the line _mount_check below.
#
# Sample cron entry:
# 30 04 * * * /usr/local/bin/nightly_backup &>>/var/log/nightly_backup.log
#
# Sample /etc/logrotate.d/nightly_backup file
# /var/log/nightly_backup.log {
# monthly
# missingok
# rotate 4
# compress
# }
#
# --exclude-from file syntax:
# Copy directory but not its contents:
# + Cache/
# - **/Cache/**
#
# Do not copy (file or directory)
# - .gvfs
#
# $Id: nightly_backup,v 1.1 2011/12/03 19:23:15 doodleboy Exp kevin $

PATH=/bin:/usr/bin
USER=doodleboy
SRCE=/home
DEST=/archive
ARGS="-aHS --delete --stats --exclude-from=/usr/local/bin/rsync_exclude"

# Function to pause or resume running virtual machines
_pause-resume() {
ARG=$1
VMS=$(su - $USER -c "vboxmanage --nologo list runningvms")
if [ -n "$VMS" ]; then
printf "$VMS\n" | while read VM; do
VM=${VM%% \{*}
printf "Running $ARG on $VM...\n"
su - $USER -c "vboxmanage --nologo controlvm $VM $ARG"
done
else
printf "No VMs are running.\n"
fi
}

# Abort backup if $DEST partition is not mounted
_mount_check() {
if mount | grep -w "$DEST" &>/dev/null; then
printf "$DEST is mounted. Proceeding with backup.\n"
else
printf "$DEST is not mounted. Aborting backup.\n"
printf "*** $(date): Aborting nightly backup ***\n\n"
exit 1
fi
}

# Start banner
printf "*** $(date): Starting nightly backup ***\n"

# Make sure $DEST is mounted
# Comment out _mount_check if $DEST is not a partition
_mount_check

# Pause virtual machines
_pause-resume pause

# Flush pending writes
sync
sleep 3

#

You can put a piece of paper through a shredder but if the shredder ONLY has that piece of paper and i have the time i can put that paper back together, so does that mean you didn't actually shred it? what we really need is different words here, erased VS erased and possibly recontructable would probably be better descriptions.

What Windows does when you format is erase the Master File Table or MFT. Once the MFT is gone NTFS and the OS above it simply can't find any former files because without a pointer to tell them what and where a file is then it simply doesn't exist. Now of course we all know there are tools that can recover by doing a scan of the actual drive bit by bit (I prefer Recuva myself) but considering the fact that all one has to do is a standard overwrite by zeroes which can be done quite quickly and that even relatively simple encryption would make a file hell to repair on a formatted drive it really doesn't make much sense. I can't comment on the X360 but I do know Win 7 uses encryption for its caches like Readyboost so i don't see why it wouldn't do the same for any GFWL cache as the OS already has an API for encryption that should be pretty trivial to call. Even XP has NTFS file encryption so there really is no reason why they should have it unencrypted and if it turns out this is true someone needs a good firing.

2. The "null hypothesis" applies solely to statistical significance testing, and thus relates only to correlation, never to causality.
3. Hence, any statement with the word "cause" in it can never be a null hypothesis.

Wrong on both counts.

"The null hypothesis typically corresponds to a general or default position. For example, the null hypothesis might be that there is no relationship between two measured phenomena or that a potential treatment has no effect."

Here's some basic statistics review for you: https://www.msu.edu/user/sw/statrev/strv46.htm

"The Null Hypothesis is the hypothesis that there is no relationship between two variables. Establishing that there is a relationship between two variables is the first step in establishing whether there is a causal connection between two variables. "

So in considering causes of temperature fluctuations over a period of time, you must consider all factors: volcanic eruptions, solar radiance, time of year and time of day of measurement, short-term ocean current cycles like El Nino, particulate and CO2 pollution, etc.

So, are you asserting that you've considered every possible cause for every temperature fluctuation? Your assertion of complexity here is *exactly* the problem with taking GCMs, and asserting that they represent science. We already *know* our information is proxied, limited, and full of holes. To take us from a state of incredibly lacking knowledge, then plugging in fudge factors to predict what temperatures will be 50 years from now, much less pinning it mostly on a *single* molecule measured in parts per million sets bullshit detectors off to 11.

By appropriate statistical analysis and physical modeling, it is possible to dissect which factors affected temperature over a given period of time.

No, it simply isn't. Put another way, if we had any sort of ability to do accurate modeling at that level, we'd be able to create a model for the stock market that will tell us, to the nearest hundred, what the Dow Jones Industrial Average will be in 100 years. Humans are arguably *less* complicated than global climate, and you'd never go so far as to assume you could model markets with any sort of reasonable accuracy...or do you?

Sorry, but if you'd read any of the real science, you would know that this is a laughable argument, because it is exactly what climate science predicts.

So you're now asserting climate science predicts a time travel effect, where future CO2 can effect present temperatures?

Review Feynman, and try again :) http://research.microsoft.com/apps/tools/tuva/

What is the security risk? All Gawker gets is whether you were authenticated or not. They don't get access to your account or any of the nonsense FUD being spread around.

Well, you could start with this study for example.

There is such a stack: Open JAUS. JAUS is the Joint Architecture for Unmanned Systems used by many military robotic and unmanned systems. It's somewhat dated, and has a more open-loop approach more suited to teleoperators than fully autonomous systems.

Dealing with the time constraints in robotics rules out some of the approaches used in other software. Microsoft's Robotics Studio was built on a web-like approach, and it was a flop. Game programs tend to be tied to the display refresh rate, which isn't helpful in robotics. In robotic systems, there may be several subsystems with their own cyclic rate and processing delay, and they need to talk to each other. The inputs which have processing delays, like vision systems, produce outputs which represent the situation at some time in the past. Updates to the world model based on multiple sensors must all be synchronized to the time of the observation, not the time the data became available. This matters when you're moving fast. For slow robots, not so much. Many research robots are slow and pause a lot because they don't do this. That was the norm a few years ago, but it's not any more.

Robotic systems tend to need hard real time control. That control can be quite complex, not just a simple servo loop. Inside the more advanced and agile robots, like BigDog, you tend to find QNX, not Linux. (Typical test for a hard real-time OS: hook up a square wave oscillator to an input, and a scope to an output. Put a high-priority program in the system which turns on the output when the input comes on. Watch the input to output delay on the scope. Load up the system with lower-priority tasks. If the input to output delay is ever substantially longer, (more than a few microseconds) the system is not hard real time. The "real time" variants of Linux have trouble getting down to 1ms, and 10ms of jitter is observed. In hard real time systems, 10us is more like it. Servo control in BigDog executes every 1ms, balance every 10ms.) However, as CPUs get faster, the limitations of Linux have become less of an issue.

First, you're wrong. second, you're arguing against a point that nobody was making. Your insecurities are very telling.

O rly?

VS2012 isn't even in public beta yet.

Yes it is. It's even supported for production code. They just don't call it 2012 yet since the RTM date hasn't been set.

Windows 8 is focusing on HTML5 and JavaScript.

Win8 Metro apps can be written in any of: C++, C#/VB, JS (out of the box, third parties can add support to their own languages as well). Of those, I personally find C# to be the most convenient, simply because most Metro APIs are async only (to force developers to never block the UI thread with some expensive call), and C# has nice syntactic sugar for this in form of async/await, whereas in both C++ and JS you have to manually chain callbacks with x.then(y).

No problems? There is no multitasking at least so far as apps are concerned. When they are not in the foreground they are suspended. The only way to make them do anything in the background is through a background agent and there are a hideous set of restrictions on what they can do. I note since the last time I looked at that page that 256MB devices don't even get to run background agents AT ALL. So you can look forward to a range of "budget" WP phones which are totally gimped.

Other OSs achieve better security by DESIGN

Then perhaps you ought to look at the Windows Phone design. Aside from the limited ability to do stuff that each app is constrained by (and the checking of those permissions by the marketplace publishing process) applications are isolated from each other, both in terms of memory access and file system access. What it does lack is full device encryption.

MS Whitepaper on Phone Security

E-mail uses push notifications, you make it sound like it's on a 30 minute polling interval but that's simply not the case - it's nearly instant, certainly every bit as fast as on Android. Twitter does the same thing. Just read the documentation if you don't want to take my word for it. Using polling for any kind of instant messaging is not something you want to do since it's massively inefficient, much better to let the server tell you when there's something new to fetch.

As for porting, what you are describing is the same on every platform. You have an iOS app and want to port it to Android? Better brush up on those Java skills because your ObjC is worthless there. You can theoretically use C/C++ as a lowest common denominator between the two but almost nobody does that except possibly for some very core functionality and then you have to write a ton of platform-specific wrappers for the device-dependent stuff anyway. Oh and the UI, which is probably the most time-consuming single part of your app if you want to get it right.

I will give you this - being the minority platform, WP7 certainly stands more to lose from not sharing a common language with Android/iOS than the other way around. I don't really want WP7 apps that are just least-effort ports of Android apps though, and if you're as concerned about battery life as you say then you should find the thought of porting over a big fat VM just to run a few more apps abhorrent. It's not like porting is that hard, and unlike Android, WP7 is actually fun to code for. I've put one app on the market already and am working on a second. Never could muster up the energy to do that for Android, well not on my spare time anyway, there's just too much pomp and ceremony required to get anything done. I do code for Android at work though, since they're paying me well to put up with it. :)

I'm sure Google has a similar thing going on like Facebook where companies can pay extra $$$ to get unfettered access to the data as part of "we may share your data with interested third parties".

No they absolutely do not: "We do not share personal information with companies, organizations and individuals outside of Google" (Ref: http://www.google.com/policies/privacy/). There is no "we may share your data with third-parties" clause in the Google privacy policy, unlike almost every other company out there. Read the links carefully and you will see that Google has one of the best privacy policies (at least in terms on sharing information with third parties). Also note that some of these companies have way more personal and sensitive information about you that Google.

Disclaimers:
      * I work at Google
      * These are entirely my own views and opinions and do not represent Google's in any way.

So if BIGNUM users complain that http://www.microsoft.com/ is harmful what then?

Citation please? Because everything I've seen on Metro is that pretty much everything that doesn't run on ARM got thrown under a bus and i just don't see how you are gonna get DirectX, an API designed for killer graphics above battery life, to run on your average ARM tablet or even one of the midrange units.

I don't know where you've getting your information on Win8 so far, but it's clearly not the primary sources (i.e. MSDN library & blogs), because the fact that DirectX is available in Metro has been publicly known since Developer Preview release last year, which had both the docs and the SDK.

Anyway, as far as primary sources go: this gives an exhaustive list of supported D3D API surface, and here is a D3D Metro sample. Good enough?

By the way, what makes you think that Direct3D is "designed for killer graphics above battery life"? I mean, sure, it's designed to allow for it - same as OpenGL - but there's nothing inherent in the API design that mandates that. Again, if OpenGL can downscale to ARM, what makes you think D3D can't?

. ARM is low power above all and its IPC is worse than even Atom, much less Bobcat or a normal AMD or Intel CPU, yet they are trying to get devs to swallow they can "write once, use everywhere" when you are talking about arches THAT dissimilar? Are they stoned? Either the ARM version will suck a battery dry so fast it will make your head swim or it'll be using so little of the hardware because it was designed for WOA that it'll be like some fart app on the PC.

So, what exactly is "THAT dissimilar" about the architectures that makes it impossible to write portable apps? Linux world has been managing that just fine. As for battery, the techniques to conserve it are exactly the same on both Intel and ARM, namely - don't run stuff in background unless absolutely needed, let the OS put your app to sleep and out of RAM, and awake it when it's re-activated. Metro is specifically designed for that - apps can be expected to be unloaded at any moment and have to save/restore state transparently, and practically all APIs follow the asynchronous callback model to force programmers to use the reactor pattern rather than polling or doing other stupid (battery-wise) things.

Citation please? Because everything I've seen on Metro is that pretty much everything that doesn't run on ARM got thrown under a bus and i just don't see how you are gonna get DirectX, an API designed for killer graphics above battery life, to run on your average ARM tablet or even one of the midrange units.

I don't know where you've getting your information on Win8 so far, but it's clearly not the primary sources (i.e. MSDN library & blogs), because the fact that DirectX is available in Metro has been publicly known since Developer Preview release last year, which had both the docs and the SDK.

Anyway, as far as primary sources go: this gives an exhaustive list of supported D3D API surface, and here is a D3D Metro sample. Good enough?

By the way, what makes you think that Direct3D is "designed for killer graphics above battery life"? I mean, sure, it's designed to allow for it - same as OpenGL - but there's nothing inherent in the API design that mandates that. Again, if OpenGL can downscale to ARM, what makes you think D3D can't?

. ARM is low power above all and its IPC is worse than even Atom, much less Bobcat or a normal AMD or Intel CPU, yet they are trying to get devs to swallow they can "write once, use everywhere" when you are talking about arches THAT dissimilar? Are they stoned? Either the ARM version will suck a battery dry so fast it will make your head swim or it'll be using so little of the hardware because it was designed for WOA that it'll be like some fart app on the PC.

So, what exactly is "THAT dissimilar" about the architectures that makes it impossible to write portable apps? Linux world has been managing that just fine. As for battery, the techniques to conserve it are exactly the same on both Intel and ARM, namely - don't run stuff in background unless absolutely needed, let the OS put your app to sleep and out of RAM, and awake it when it's re-activated. Metro is specifically designed for that - apps can be expected to be unloaded at any moment and have to save/restore state transparently, and practically all APIs follow the asynchronous callback model to force programmers to use the reactor pattern rather than polling or doing other stupid (battery-wise) things.

Actually scaling is built into win32. Yep baked right in. Doesnt work worth a damn. Because every video card manufacture out there did their drivers differently. So MS wanting to be compatible 'fixed' it. It now does not work very well. As instead of everything being scaled to that it takes into account which font size you are using. MS could 'fix' the problem now. But would break just about every single application out there.

Look up dialog units.
http://msdn.microsoft.com/en-us/library/ms645475(VS.85).aspx

In applicaiton to current circumstances, trying to patch a "multiple desktop" abstraction onto Windows is tehcnically probelematic because the underlying OS is -not- intended to support that modality.

MSDN disagrees with you.

While Microsoft's implementation of multiple desktops is far from perfect it's incorrect to say they didn't intend to support it when the API is both present and clearly documented.

Furthermore, every window on Windows is associated with a desktop. I've yet to see a case where a window appeared on the wrong desktop or the input was handled incorrectly between desktops.

The case is usually related to modal dialogs when attempting, for instance, installations that require UAC approval for drivers and file paths. The desktop 0 will display those regardless of the desktop that started the process. Not happening on other UAC modals though. I'm talking about Sysinternals' Desktops here which are indeed using the MSDN method you exposed.

• ARM licensed technologies for architectures v4, v4T, Thumb, v5TE, and Intel XScale.
• Hitachi SuperH processors SH-3, SH3-DSP, and SH-4.
• MIPS licensed technologies developed by NEC, Toshiba, Philips Semiconductor, Integrated Device Technologies, LSI Logic, and Quantum Effect Design.

In applicaiton to current circumstances, trying to patch a "multiple desktop" abstraction onto Windows is tehcnically probelematic because the underlying OS is -not- intended to support that modality.

MSDN disagrees with you.

While Microsoft's implementation of multiple desktops is far from perfect it's incorrect to say they didn't intend to support it when the API is both present and clearly documented.

Furthermore, every window on Windows is associated with a desktop. I've yet to see a case where a window appeared on the wrong desktop or the input was handled incorrectly between desktops.

http://technet.microsoft.com/en-us/sysinternals/cc817881

Seems to work pretty well and fast in my limited use.

Maybe they use less data because iPhone apps aren't constantly uploading their gps coordinates and downloading ads. If you look at mobile web traffic, iOS beats android. Even when you factor out the iPad.

it's pretty clear from the quality of their products that, for the most part, all they care about is the money. There are bugs in Office that have been there probably more than a decade.

I was also quite annoyed lately as I stumbled upon a bug in Visual Studio 2008 and how it was handled by MS. The bug report was closed as "cannot reproduce", because while it is in VS2008, it could not be reproduced in VS 2010 (!). As if buying and migrating to VS2010 would be a proper bugfix...

Bug report:
https://connect.microsoft.com/VisualStudio/feedback/details/654831/dumpbin-exe-output-not-redirectable-from-within-visual-studio-project-files

That's clever seeing as XP wasn't released until October 25, 2001.

You can add on filesystems into NT-based OS peterhawkins, in fact, it was built to be extensible and take on OTHER filesystems (you also omitted CDFS, & FAT32 in your lists, but no biggie there really):

In fact, here's one example of what I mean, & for Linux ext2:

http://www.google.com/search?q=Ext2IFS_1_11a.exe&btnG=Search&sclient=psy-ab&hl=en&site=&gbv=1&sei=n-5pT9rNO4j50gGD15WwCQ

As far as SSH? PuTTy exists as a decent 3rd party solution, FREE too iirc (last time I used it was in 2009 though), & there are others for Secure FTP (SFTP), see here:

http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22Windows%22+and+%22SSH%22&btnG=Search&gbv=1&sei=n-5pT9rNO4j50gGD15WwCQ

Same with NFS:

So - If you need *better* NFS support, 3rd party tools exist for it, as well as Microsoft's OWN "services for UNIX" (used to be "OpenNT" iirc, before MS bought 'em out - but, don't quote me on THAT one though).

http://support.microsoft.com/kb/324055

Lastly:

notepad.exe!

* Yes, here I must concede you MAY have a really solid point!

Notepad.exe may not be as nice as some tools are (such as UltraEdit for example & in terms of say, programming languages support for syntax etc./et al) but, it "gets the job done"!

(The only thing I don't like about it is the 'save as type files' defaults ALWAYS to .txt, & that's not always the extension of files I save as here that are indeed, text files (such as a hosts file, has no extension but is indeed, text)).

APK

P.S.=> Thus, You CAN put the very things you mention into Windows, no hassle, & for free (and yes, you can extend its filesystem capabilities easily enough also, per the above example)... apk

Windows Server 2008 R2 runs on the Itanium

There is also an embedded version of Windows 7

Windows Server 2008 R2 runs on the Itanium

There is also an embedded version of Windows 7

That's already how things are, and they plan to use those APIs to implement H.264 decoding to avoid shipping the codec (and paying license fees). The only catch there is that XP does not have that, and won't be getting it. It might be irrelevant in 3-4 more years, but it's certainly very relevant today.

This is not quite true. XP does support DXVA version 1, which allows for some hardware-accelerated decoding, but it is more limited than DXVA 2 which is available in Vista and 7. This page contains details. Specifically, "In DXVA 1, the software decoder must access the API through the video renderer. There is no way to use the DXVA 1 API without calling into the video renderer. This limitation has been removed with DXVA 2." This may be a problem for Firefox depending on what it is doing.

actually, there is specific licensing for virtualized desktops. try looking here http://download.microsoft.com/download/C/6/7/C673E444-6DDD-40B8-B29F-625354F2A8F7/Licensing_Windows_for_Virtual_Desktops_Whitepaper.pdf

And nothing in that white paper actually contradicts what I say - read it :)

See also Webstar: The Java Web Start software caches (stores) the entire application locally on your computer.
Applets operate in a similar fashion and if there is a way to get web start or applets to load entirely by being streamed off the net then that's the bug that needs to be fixed. They always have the initial code downloaded. Sure they might do other things after that, but you're suggesting that they can get around that starting code that begins the exploit, and I don't see anything that says that's how it works. Until you break out of the Web Start/Applet Sand Box java doesn't have a full IO for you to play with.

That kind of post is one way ACs get a bad reputation around here...

All it takes to exploit this is sending a couple of carefully crafted packets. Does not matter how encrypted it is.

No. If NLA with CredSSP is in use then the vulnerability is not exposed. Just read the MS TechNet article. Note that although the TechNet article only describes CredSSP on Windows 6.x kernel operating systems, you can enable CredSSP on WinXP SP3 and install the RDP 7.0 client to achieve safety.

If the RDP port is exposed, and the right packets are sent to trigger the exploit. Game Over.

No. The port must be exposed *and* the RDP service must be enabled, which is not the default configuration. Just read the same link to verify this for yourself.

Currently SSH and VPNs are not known to have this weakness.

VPNs and SSH do have occasional vulnerabilities, and you can find relevant information if you just look for it.

- T

Which makes me doubly pissed that I'd set up a game download overnight last night (my usage is unmetered overnight) and they decided to force an unneeded patch/reboot on me, which fucked up the download. :/

I concur that default does indeed suck, you can do a registry change to disable it though:

http://support.microsoft.com/kb/555444

And yes I use Linux too and realise such pointless hacks aren't necessary :P

Turns out I already had it disabled (it's disabled by default?), but here's how to disable it in Windows XP or via group policy. Here's how to do it in Windows 7 (untested).

Turns out I already had it disabled (it's disabled by default?), but here's how to disable it in Windows XP or via group policy. Here's how to do it in Windows 7 (untested).

Turns out I already had it disabled (it's disabled by default?), but here's how to disable it in Windows XP or via group policy. Here's how to do it in Windows 7 (untested).