Domain: technet.com
Stories and comments across the archive that link to technet.com.
Comments · 534
-
Re:Wasn't Chrome supposed to drop H264 support!?
Google bought Motorola Mobility. Now instead of being unhappy that they have to pay a patent fee for online video, they stand to make a boatload of money off of Motorola's H.264 patents and/or use these patents to settle other patent lawsuits. Is it much of a surprise that they haven't dropped H.264 support in Chrome?
-
Re:They applied for a site license
As an SPLA provider I can confirm there IS a win7 license available under SPLA.
Huh, maybe you should let Joe Matz, VP of Worldwide Licensing and Pricing at Microsoft know, since he says, "However, it is important to note that SPLA does not support delivery of Windows 7 as a hosted client."
He also mentions, "We are actively engaged with OnLive with the hope of bringing them into a properly licensed scenario, and we are committed to seeing this issue is resolved," which implies that OnLive is not currently properly licensed.
-
Re:Never going to happen and shouldn't
From your post I could make some assumptions about the environment in which you have seen it used, but I don't like taking stabs into the wind. I will say we do not have issues like you have described and what I see other people having, mainly because we do not even attempt to use a single tool for all jobs.
Exchange's lights shine as a work group server. While yes, Exchange can handle all the functions of a general MTA, it isn't good at it. Sendmail is much, much better, same with filtering spam and viruses out of incoming and outgoing messages. We use Sendmail + SA + CAV to proxy/buffer/clean all incoming mail and also to handle external delivery of messages. Our Exchange infrastructure does not see the outside world except for mobile devices and OWA. We get all of the benefits of Exchange's work group functions and integration without most of the headaches you read about.
In fact the only problem we have had in recent memory has to do with incoming message X- headers:
http://blogs.technet.com/b/exchange/archive/2009/04/06/3407221.aspx
Luckily we were not adversely affected by it - but we did add it to our considerations for the next upgrade/roll-out.
-
Re:Maybe it's just too hard...
HyperV has many more dependencies than other virtualization stuff.
For example, if your host and management client are not in the same AD domain but you want to use MMC to remotely manage a HyperV host (say you do not want to allow multiple people to remote desktop to the host), to configure the permissions and other stuff you often have to download and run an _unsupported_ tool: http://archive.msdn.microsoft.com/HVRemote
Or wade through 5 pages of stuff:
http://blogs.technet.com/b/jhoward/archive/2008/03/28/part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx
And even so, it often still doesn't work, e.g. the added firewall rules might not work for some stupid reason and you have to turn off the firewalls completely.
In contrast, with VMware you need far fewer ports opened to do remote management, and you normally won't have problems getting remote management. In fact it's almost a "given" that you'd be mainly using remote management.
HyperV may also not work so well if you're not running Linux guests. Recently a colleague had a problem with a Linux guest - some (ICMP echo) frames/packets were being sent but not others (ARP replies)! I solved it by restarting the hyper-v virtual switch. Perhaps that HyperV server was not updated. Whatever it is, even vmware GSX server years ago caused me fewer problems than HyperV.
-
The patents in question (according to Microsoft)
MS says:
The Microsoft-created features protected by the patents infringed by the Nook and Nook Color tablet are core to the user experience. For example, the patents we asserted today protect innovations that:
* Give people easy ways to navigate through information provided by their device apps via a separate control window with tabs;
* Enable display of a webpage’s content before the background image is received, allowing users to interact with the page faster;
* Allow apps to superimpose download status on top of the downloading content;
* Permit users to easily select text in a document and adjust that selection; and
* Provide users the ability to annotate text without changing the underlying document.
Microsoft obviously thinks this is pretty advanced stuff. Adjust a text selection? Annotate a document? Tabbed controls? Woah. No wonder they want $30 per device (more than the cost of licensing WP7!).
-
Directly from Microsoft
"In Windows Server 8, the recommended application model is to run on Server Core using PowerShell for local management tasks and then deliver a rich GUI administration tool capable of running remotely on a Windows client."
In other words, it sounds a lot like where Novell was in the mid-1990s and where *nix has been forever. The server will no longer be a workstation. The server is the server and the admin tools reside elsewhere.
I am not happy about this given the cluster fuck that is Server Core and the sub-par command line that they have delivered with it in 2008 R2. As long as they get their act together and provide the full set of MMC tools, it will be fine. Knowing Microsoft the server team will be different from the team developing the management apps. Half of the tools will work from GUI and the other half will require doing it from the console. Of course they won't do something simple like SSH, so we are going to have to have OOB management, or direct physical access.
In all seriousness though, there are serious flaws to this line of thought. Who the hell wants to work on file system ACLs from the command line? Who wants to set up user accounts and security groups from the command line? There are certain basic admin tasks where having a GUI, and features like auto-complete, are a godsend. Now granted, for large scale user adds or modifications you should be scripting them. But for one-off adds, or looking at the resultant set of policy for complex ACLs with a lot of inheritance, the idea of doing it from the command line just sucks.
-
Re:ASLR
DEP is nearly worthless without ASLR. (and vice-versa) See:
http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx
As for your "ASLR and DEP bypass", it's not bypassing ASLR. It's taking advantage of a vendor's product (Java) that doesn't opt in to ASLR. But you don't need to be at the mercy of your vendors. You can force DEP and ASLR to be on with EMET:
http://www.microsoft.com/download/en/details.aspx?id=1677
If you're still on XP, then you get none of that protection.
-
Re:Sign of the "times"
Does current time code even have the sufficient smarts currently to handle specific countries CHANGING their TZ on a particular date?
Yes. Linux/Unix has a long history of tracking timezone changes for specific countries, states, provinces, etc. It's called the Olson Timezone Database. It was recently taken over by IANA, and is hosted here: http://www.iana.org/time-zones
They are discussing this specific issue here:
http://mm.icann.org/pipermail/tz/2011-December/008458.html
This makes me wonder. Are people going to be paid/charged interest for a non-existing 12-30-11 there?
It depends. I work for a time and attendance company as a software developer, so I have some insight. Basically, this is handled just like a DST change, but for a much longer period.
Many timekeeping systems (hardware and software alike) just keep track of "local time". Some have the ability to keep a list of DST changes that need to be applied at specific times, and some use NTP or other protocols to sync their clocks and pick up timezone changes that way. While these systems handle "spring-forward" changes ok, they are usually flawed in the way they handle "fall-back". If someone clocks in or out DURING the fall-back period, there is no way to tell if they get an extra hour or not, because there is no recorded distinction between the two times that are both called the same thing. The good thing about DST is that the change usually happens in the middle of the night, which minimizes the number of manual corrections that have to be made.
The solution to all of this, of course, is recording time as UTC and converting it for proper display depending on context. Some systems out there caught on early, but really this idea is just now making its way into the market. This is where the timezone database is very valuable. Windows also has a timezone database (different from the Olson DB), but Microsoft only pushes it out every few months (via Windows Update), so it is often behind in various parts of the world. Microsoft timezone info here: http://blogs.technet.com/b/dst2007
Since Samoa and Tokelau are skipping a day, this is a "spring-forward" scenario - which is very easy to calculate. It is highly unlikely that they will have issues with paying an extra day (or charging an extra day's interest), as long as they consider the change like any other DST change. I would think that this is big news there, so anyone with custom code will probably be aware of the situation and make the correction.
Of course, if you have a bank account in another country, they are going to say a big "screw you" to your request to be charged one day's less interest just because your homeland is skipping a day.
:)
-
Re:That is *not* out-of-band
So because I only linked one source, it must be the ONLY one?
How about this one from 2008? https://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032393979&CountryCode=US
Or this one from last year? http://blogs.technet.com/b/msrc/archive/2010/09/30/q-amp-a-from-the-september-2010-out-of-band-security-release-webcast.aspx
Or this one from waaay back in 2006? http://blogs.technet.com/b/msrc/archive/2006/09/26/459194.aspx
And someone other than Microsoft: http://isc.sans.edu/diary.html?storyid=8062
And someone else: http://my.opera.com/wikipedian/blog/2011/09/28/for-reasons-unknown-microsoft-has-released
And someone else: http://www.dataprotectioncenter.com/antivirus/sunbelt/microsoft-will-do-out-of-band-patch-for-lnk-vulnerability/
Need I go on?
-
Re:That is *not* out-of-band
Out-of-band doesn't have a "specific" meaning, though, that's kind of the point. In your workplace, it may mean one thing, however in this context the meaning is different. It means something else entirely when you talk about network protocols, for example.
However, if you're still sure you're correct, rather than posting about it on slashdot, you might want to tell Microsoft themselves that they're using the wrong term: http://blogs.technet.com/b/msrc/archive/2011/12/28/advanced-notification-for-out-of-band-release-to-address-security-advisory-2659883.aspx
Today we’re providing advance notification for an out-of-band security update to address the publicly disclosed issue described in Security Advisory 2659883. The release is scheduled for tomorrow, December 29, at approximately 10 a.m. PST.
-
Microsoft CES Exit Echoes Apple MacWorld Exit
Microsoft (Dec. 21, 2011): As we look at all of the new ways we tell our consumer stories - from product momentum disclosures, to exciting events like our Big Windows Phone, to a range of consumer connection points like Facebook, Twitter, Microsoft.com and our retail stores - it feels like the right time to make this transition.
Apple (Dec. 16, 2008): Apple is reaching more people in more ways than ever before, so like many companies, trade shows have become a very minor part of how Apple reaches its customers. The increasing popularity of Apple's Retail Stores, which more than 3.5 million people visit every week, and the Apple.com website enable Apple to directly reach more than a hundred million customers around the world in innovative new ways.
-
Re:Last paragraph in the TFA is... confusing
Not just Chen, but also Russinovich
:)
-
Re:Last paragraph in the TFA is... confusing
You might want to read up on that
:)
Because the address space on 64-bit Windows is much larger than 4GB, something I'll describe shortly, Windows can give 32-bit processes the maximum 4GB that they can address and use the rest for the operating system's virtual memory.
-
Re:Syslog on Windows
One way is using the get-winevent cmdlet from powershell. http://blogs.technet.com/b/heyscriptingguy/archive/2011/11/14/use-custom-views-from-windows-event-viewer-in-powershell.aspx.
Dunno about windows recovery console however.
-
Re:KDE on Windows?
Cygwin and Msys are basically pointless. Windows already has a native UNIX subsystem
Unfortunately, MS announced back in 2005 that the current release was going to be the last. It's been reported that Windows 8 does not contain the necessary components for it to run any more.
I've used SFU a little, and found it to be more lacking than cygwin in support for standard command line type stuff. I have doubts whether you could get kmail to work correctly with it, but I could be wrong. I don't have a Windows machine with me at the moment.
-
Re:Microsoft Virtual PC
Hyper V is the virtualization software where enabling remote management requires you to either
a) use an unsupported utility to enable remote management: http://archive.msdn.microsoft.com/HVRemote
or
b) Go through a multipage web article: http://blogs.technet.com/b/jhoward/archive/2008/03/28/part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx
or
c) spend way too much time mucking around.
After all that don't be surprised if remote management still doesn't always work, or some little change somewhere could break it.
In contrast, with VMware it mostly just works (I'm not too fond of the recent remote consoles but it's still better than HyperV).
If you've figured out an easy reliable way to get Hyper V remote management to work do let me know. Some people at work are complaining that it stopped working for them.
-
Re:Very True
Note that in Microsoft's Live@EDU infrastructure, we utilize nearline 7.2K SATA drives and we see a 5% annual failure rate (AFR), while in MSIT we leverage nearline 7.2K SAS drives and we see a 2.75% AFR there link
I know from more than a decade of experience that real world enterprise SAS/FC/SCSI AFR is ~1.5%. AFR and drive rebuild time also affect the likelihood of catastrophic data loss. Plus failing drives are by far the greatest cause of unplanned downtime in my environment, overshadowing software faults by ~10x over the last 5 years for downtime caused. Drives that just fail are no big deal, it's the ones that start to fail and puke all over the bus that cause issues; fewer failures means fewer chances to screw up the bus and cause downtime.
-
Re:Very True
Bullshit, enterprise class drives have from 1/2 to 1/3rd the AFR of consumer drives. Data from Google, Microsoft, and other large scale providers proves this out. NL SATA is about 2/3rds the AFR of common SATA according to Microsoft's numbers from the hosted Exchange for education group.
I believe you are the one spouting BS. Please cite a reference for this. The Google paper clearly says they are using consumer grade drives and not enterprise grade drives. http://static.googleusercontent.com/external_content/untrusted_dlcp/labs.google.com/en/us/papers/disk_failures.pdf
The Microsoft study you referred to says that consumer class disks were not failing any faster than enterprise disks. http://blogs.technet.com/b/exchange/archive/2011/01/07/robert-s-rules-of-exchange-storage-planning-and-testing.aspx http://h20195.www2.hp.com/V2/GetPDF.aspx/4AA2-1309ENW.pdf
-
Re:The return of Linux on Eee?
(10.9 Gb of which is in that crappy WinSxS directory)
I think Windows actually over reports the size of that due to all the linking in there. About WinSxS.
-
Re:Good
Well, with MS going after manufacturers, not Google and asserting patents like
* Give people easy ways to navigate through information provided by their device apps via a separate control window with tabs;
* Enable display of a webpage's content before the background image is received, allowing users to interact with the page faster;
* Allow apps to superimpose download status on top of the downloading content;
* Permit users to easily select text in a document and adjust that selection; and
* Provide users the ability to annotate text without changing the underlying document.
I wouldn't be surprised if they started harassing Ubuntu phone producers if/when it becomes popular enough to threaten wp8.
-
Re:Points to a larger cultural problem at MS
MS is still the only one of these big three to have a committed interest in long-term research
MS does research? For real? I thought all they did was buy startups and competitors, some of which had done research in the past, or are winding down R+D after the purchase.
Please don't confuse research grants from the bill gates charitable foundation with "MS does long term research".
Why not visit Microsoft Research and see for yourself?
Also check out the Microsoft Garage
You may not like Microsoft but it's hard to deny that they do more research than, say, Symantec or Dell.
-
Re:Why support the lawyers?
...I imagine a lot of the patents would be the absurd type...
I will reply to myself just to add that none of what I said should be considered to be in defense of patents. The absurd patents to which I referred are the trivial user interface ideas; the kind of idea that you decide upon with the toss of a coin. "Should we make that colour red or blue? Let's make it blue and patent it".
Microsoft have disclosed some of their Android patents in the past as being of this type when they sued Barnes & Noble. (Yes, it was after trying to negotiate a deal, so my original point still stands). The worst of the patents was "Permit users to easily select text in a document and adjust that selection"! I haven't read the patent, but I really hope that it has some novel user interface idea, because the title of the patent makes it look like the most extremely absurd patent.
The problem is that it is very difficult to write the rules to quantify just what should or should not be considered reasonable to be patented. The easy solution is to make it law that every time a patent is rejected in court, the individual authors listed on the patent get punched in the face. Admit it, you know you want that.
-
Newegg does more than parts
Point 1 - The premise that we are entering a "Post-PC" era requires some evidence to back the theory. TFA didn't provide anything, other than a reference to Newegg pulling out of their IPO in May 2011. And even with that statement, Kevin Purdy says, "What happened? The internal factors are unknown." That does not provide sufficient data to support his premise. Shame on you, Kevin Purdy, for your sensationalism.
Point 2 - Newegg.com sells a great deal more than just PC parts. Even if Kevin Purdy's apocalypse were to occur, Newegg has a great deal of other business to support their profit margins. Last time I checked, you can buy phones, tablets and ultrathin laptops from Newegg.com.
Point 3 - There is sufficient evidence that we are, in fact, in the midst of a PC expansion. Nvidia just made the claim that PC sales will overtake consoles by 2014, Microsoft believes in the prominence of the PC, Michael Dell comments on his predictions, Epic thinks the PC has been 2nd fiddle to the console for too long, and MaximumPC has an article showing the results of a Baird survey relevant to the issue.
Will some people buy phones, tablets and laptops (ultrathin or otherwise) instead of a PC? They have been for years, why would that change now?
Will the PC market dry up and force PC Enthusiasts into a world of non-replaceable component devices, where we will be forced to feed on the scraps of outdated machines? Doubtful. I point to the Audiophile market as a comparative case study, where you can spend an incredible amount of money on components that some might argue have been replaced by smaller and better integrated devices. I suspect the home built PC market will survive phones, tablets and ultrathin laptops, just as it survived Dell, Gateway, Micron, Acer, et al.
-
Re:Win8, 25 years too late
-
Re:Server cold war
Linux is great, but it misses many of those features - for example, how do you connect to a remote PC with bash and run your commands there? Oh, you can't. With PowerShell you can easily do that.
One way to remotely execute a program (gkrellm) on another host; this example assumes you're using passwordless authentication via public key:
ssh -X USER@192.168.1.100 -p 2222 gkrellm
Using PowerShell:
$cred = Get-Credential   # prompts for the credentials used for the remote session
# replace <server> and <port> (placeholders) with the remote host name and its WinRM listener port
$wsman = New-PSSession -ComputerName <server> -Port <port> -Authentication Default -Credential $cred
$output = Invoke-Command -Session $wsman -ScriptBlock { Get-Process }
Remove-PSSession -Session $wsman   # not required, but releases the remote session
-
Re:POD has long since been patched.
You got marked troll, and it's deserved. But better that someone else explain - MS never used a BSD stack. They licensed the Spider Systems STREAMS stack which was a wholly separate implementation (for one, it was STREAMS which BSD, AFAIK has never implemented).
Those of us who are old enough remember the "portions copyright the regents of the University of California Berkeley" (or words to that effect) that used to be part of the Windows legal declarations from 95 onward. It has been considered common knowledge that their pre-Vista TCP/IP stack was taken from BSD, as was their FTP executable. If you're going to claim otherwise, you should offer some citations please.
However, my understanding is that MS did eventually roll their own stack, iirc it was for XP.
Nope, the "from the ground up" rewrite was for Vista, although they had previously partially rewritten the stack for Win 2K and for XP I believe. And there were definitely a number of bugs in that new Vista stack - here's one example. But if you were paying attention back during the interminable Vista beta process, you would've remembered the noise about those old TCP/IP vulnerabilities, solved long ago, that Microsoft re-introduced with their new stack.
-
Windows 7 Fault Tolerant Heap
This reminds me of the Windows 7 Fault Tolerant Heap. When the OS detects frequent crashes of a program it may 'shim' the memory management operations (malloc/free) to prevent future crashes. This can, for instance, prevent a crash when a program references recently free'd memory; the OS will deliberately leak that memory and the program keeps on spinning. Double frees can also be automatically mitigated. The heuristics involved will actually analyze the results of these efforts and back out the 'shims' if necessary.
not intended for use in a nuclear installation
-
Re:The number itself is entertaining but ...
Despite Hyper-V performing better[1] than VMware Server (VMware Server is free) in some benchmarks, I'd still prefer VMware till Hyper-V improves its virtualization so that it works with Linux better WITHOUT having to install their probably still crappy (but not crap enough to reject) virtualization drivers.
Microsoft should also fix/improve the "remote management" bit for Hyper-V too.
Currently you practically have to use an unsupported tool ( http://archive.msdn.microsoft.com/HVRemote ) to try to get remote management working, and it still doesn't always work.
The alternative to that tool is consulting a 5 part series on some blog: http://blogs.technet.com/b/jhoward/archive/2008/03/28/part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx
With VMware remote management is practically already installed as part of installing VMware. No real big issue.
Sure you probably don't get the "Windows Domain" credentials stuff with VMware, but I don't have great confidence of successfully doing anything sophisticated in that area and still have hyper-v remote management work. Supposedly you "add this user to a group and give that group the permissions" and well it still didn't work, I still had to add specific user permissions. Maybe it takes time before it starts working (AD policy propagates), but if that's the case, I don't have time for that, nor time to waste on it _when_ it stops working for whatever reason.
So for these and other reasons, if there are no other requirements (e.g. political reasons), it'll be vmware and I'd just let the hardware take care of the 10% performance difference (Windows Server Enterprise licenses cost money too, so go Linux and spend more on hardware). If you're using virtual machines and that 10% is make or break you're doing it wrong anyway.
-
Re:Confusing
No need to worry. Reports around the web are contradictory to this article, all say it's extremely unlikely that an attacker could gain access to your machine using this vulnerability. You're more likely to get blue-screened.
http://blogs.technet.com/b/srd/archive/2011/07/12/ms11-053-vulnerability-in-the-bluetooth-stack-could-allow-remote-code-execution.aspx
https://threatpost.com/en_us/blogs/microsoft-fixes-critical-windows-bluetooth-bug-july-patch-tuesday-071211
What's more, you'd have to be sharing your bluetooth id AND the attacker would have to be within range of your signal.
-
WRONG AGAIN: Where do drivers load from?
The registry, & what driver does this rootkit use? hello_tt.sys.
That said?
So - How do you stop drivers (or services) from Recovery Console?? Especially bootup from Windows Install Media on CD/DVD since it is READ ONLY???
Well - ListSvc to see it, & disable command to stop it (since it protects the bogus bootsector this rootkit/botnet combination uses in "blended-threat" tech).
Then, Fixmbr to blowout & clean the bootsector (makes it gone in rootkit portion)...
As to the rest, IF ANY, since it can "haul in" other malwares? ProcessExplorer.exe!
(Especially this since it can kill what "std. tools" in antivirus/antispyware usually cannot, in UNKNOWN THREATS vs. their signatures databases (or even heuristics, which typically are not set "on" or "to the max" in most tools of that nature typically)).
* Between the RC & ProcessExplorer? You can tackle this rootkit/botnet & most anything really, from Ring 0/RPL 0/kernelmode threats (like hello_tty.sys) & Ring 3/RPL 3/Usermode threats too, & "WIN", everytime!
APK
P.S.=> Proofs thereof vs. this adhominem attack off topic b.s. from you troll, as is your FAIL usual vs. myself:
"The windows registry DOES have NOTHING to do with this, you fucking retard. And nothing you've posted has proved that it did." - by Anonymous Coward on Monday July 04, @12:56AM (#36650188)
LMAO: See above, & my proofs below... & "eat your words, now flavored with the 'bitter taste of YOUR defeat'" (you defeating yourself thru stupidity).
---
"And quit posting links to posts that YOU posted and claiming that I posted them." - by Anonymous Coward on Monday July 04, @12:56AM (#36650188)
The links I post are not from you, FAR FROM IT (you make TOO MANY ERRORS)... I post links that prove my point, that this rootkit/botnet uses a driver to protect itself (it's bogus bootsector, specifically). See below...
---
"You're too dumb to even get basic computing skills such as copy-and-paste right, and hyperlinks." - by Anonymous Coward on Monday July 04, @12:56AM (#36650188)
Yea, well... I don't "fuckup" majorly as YOU DID FIRST, HERE:
http://it.slashdot.org/comments.pl?sid=2285348&cid=36629266
AND, again later, here
http://it.slashdot.org/comments.pl?sid=2285348&cid=36630024
(That is, when you TRIED @ LEAST FOR ONCE, to be on topic & didn't realize this thing uses a driver as well as the bootsector (which my technique solves), and that the registry houses driver load information (which my technique solves)).
---
"Do us a favor and kill yourself." - by Anonymous Coward on Monday July 04, @12:56AM (#36650188)
No (how's that suit you? I don't take orders from "off-topic trolls" such as yourself, especially massively ERRONEOUS ones like you!)
LMAO, again - See above, & these proofs below:
---
http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx
PERTINENT QUOTE/EXCERPT:
"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"
---
... apk
-
Why listsvc & disable too vs. this rootkit
Proof thereof below on WHY those 3 commands (listsvc, disable, fixmbr) WILL work, because this rootkit uses a protective driver:
---
http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx
PERTINENT QUOTE/EXCERPT:
"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way - by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"
---
(Doing a listsvc /? or disable /? shows their parameter switches for their command lines)*
... & there you are!
APK
P.S.=> Assuming this IS the "indestructible rootkit" that came out 2 days ago in the news, that is... &, I am PRETTY SURE it is (big news is why)
-
Why use listsvc & disable vs. this rootkit?
Proof thereof below on WHY those 3 commands (listsvc, disable, fixmbr) WILL work, because this rootkit uses a protective driver:
---
http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx
PERTINENT QUOTE/EXCERPT:
"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way Ã" by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"
---
(Doing a listsvc
/? or disable /? shows their paramter switches for their commandlines)*
... & there you are!APK
P.S.=> Assuming this IS the "indestructable rootkit" that came out 2 days ago in the news that is... &, I am PRETTY SURE it is (big news is why)
... apk
-
Re:Frame it in the worse light possible
Plus I've had Microsoft hosted Exchange for almost 2 years now and can't remember a single outage.
I call bullshit. I have had BPOS with my company for almost a year and have experienced several outages (I am keeping track because this was upper management's call against the advice of IT):
22 June 2011
http://www.networkworld.com/community/blog/microsoft-confirms-bpos-cloud-outage
http://www.theregister.co.uk/2011/06/23/bpos_outage/
10-13 May 2011
http://www.katacinta.net/cinta/microsoft-online-outage-may-10/
http://www.techworld.com.au/article/386384/outage_hits_hosted_exchange_customers/
http://www.infoworld.com/d/cloud-computing/hosted-exchange-customers-hit-service-outages-981
http://www.computerworld.com/s/article/9216697/Microsoft_explains_recent_hosted_e_mail_outages
6 March 2011:
http://social.technet.microsoft.com/Forums/en-US/onlineservicesexchange/thread/7017abf4-a9d9-4c08-85ac-f66912124493/
19 October 2010
http://social.technet.microsoft.com/Forums/en-US/onlineservicesannouncements/thread/e72e8707-7457-4737-b246-2598769e54cf/
3 & 7 September 2010 & 23 Aug 2010
http://www.zdnet.com/blog/microsoft/microsoft-bpos-down-for-90-minutes-second-outage-in-a-month/7302
http://mcpmag.com/articles/2010/09/10/microsoft-reports-major-bpos-outages-slas-affected.aspx
http://blogs.technet.com/b/msonline/archive/2010/09/08/meeting-your-and-our-own-expectations.aspx
http://www.zdnet.com/blog/microsoft/microsoft-apologizes-for-spate-of-recent-online-services-outages/7337
-
Re:Windows
That update was released in February and Microsoft released some numbers earlier this month on what happened after that. So...um...yeah. Probably the closest the world will come to hearing Redmond admit that Autorun was un chien méchant.
-
Fixmbr, listsvc, disable Recovery Console tools
Can & will "blow this rootkit away" easily enough. Every Windows installation medium for 2000/XP/Server 2003 has it & is NTFS5 version filesystem ready. The Fixmbr command "rewrites the bootsector", but this rootkit has a protective driver that just overwrites it again (or blocks access to it). That's where listsvc comes in with disable.
listsvc - shows services AND DRIVERS load states @ bootup
disable - turns off services & drivers (after you find this rootkit's offending protective driver - it probably won't have a descriptive field filled in, so should be easier to spot, as std. ones usually do (@ most/worst case, you google for the driver(s) in question to disable it))
See - IF you dig deep enough in the article's sources, you find this pertinent quote/excerpt that describes this rootkit's mechanics:
---
http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx
PERTINENT QUOTE/EXCERPT:
"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way — by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"
---
So, that's WHY you need to use listsvc, & disable, alongside fixmbr to remove this thing...
(listsvc /? + disable /? show the help/man page for these commands so you can understand how to use them further in cases like this one... they're easy & simple to use!)*
This rootkit's an "interesting case", because it's basically what's called a "blended threat" in the security world vs. malware-in-general, in that it uses BOTH bootsector originated rootkit tech, AND memory resident Ring 0/RPL 0/kernel mode driver based protection...
APK
P.S.=> And, there you go: "Here endeth the lesson..."
... apk
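The Recovery Console posts above boil the cleanup down to "list the drivers, spot the one with no description, disable it". The PowerShell below is an added example, not code from any of the commenters or from the linked MMPC post: it is the modern-Windows counterpart of that listsvc triage step, run from a booted system rather than the Recovery Console. It walks the Services registry key for kernel-mode and file-system drivers (Type 1 and 2), resolves each driver's image path, checks the Authenticode signature, and flags entries that have neither a DisplayName nor a Description or whose image is not validly signed. The "Suspicious" column is a triage hint only. It assumes Windows PowerShell 5.1 or later in an elevated session.

```powershell
# Added example (not from the forum post or the MMPC article): inventory
# kernel drivers registered on the live system, the way "listsvc" showed
# them in the 2000/XP Recovery Console, and flag the unnamed or unsigned
# ones for manual review. Assumes Windows PowerShell 5.1+, elevated.

$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    # The service manager accepts NT object-manager prefixes and paths
    # relative to the Windows directory; normalise them to a Win32 path.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverInventory {
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $props = Get-ItemProperty -Path $svc.PSPath
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER;
        # everything else (user-mode services) is skipped.
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }

        $image = Resolve-DriverImagePath $props.ImagePath
        $sig = 'NoImage'   # no ImagePath value, or file not on disk
        if ($image -and (Test-Path -LiteralPath $image)) {
            $sig = (Get-AuthenticodeSignature -FilePath $image).Status.ToString()
        }
        $start = if ($null -eq $props.Start) { 'Unknown' } else { $startNames[[int]$props.Start] }

        $unnamed = [string]::IsNullOrWhiteSpace($props.DisplayName) -and
                   [string]::IsNullOrWhiteSpace($props.Description)

        [pscustomobject]@{
            Name        = $svc.PSChildName
            Start       = $start
            Signature   = $sig
            DisplayName = $props.DisplayName
            ImagePath   = $image
            # Triage hint only: an unnamed or unsigned driver deserves a look,
            # it is not by itself evidence of anything.
            Suspicious  = $unnamed -or ($sig -ne 'Valid')
        }
    }
}

# Usage: boot- and system-start drivers first, since a driver guarding a
# bootkit's sectors has to be loaded that early; hints sort to the top.
Get-KernelDriverInventory |
    Where-Object { $_.Start -in 'Boot', 'System' } |
    Sort-Object -Property @{ Expression = 'Suspicious'; Descending = $true }, Name |
    Format-Table Name, Start, Signature, DisplayName, ImagePath -AutoSize
```

Two caveats when reading the output. A hooked port driver will lie about what is on disk only for the sectors it protects, so the signature check on the driver file itself is still meaningful, but a rootkit that filters registry reads can hide its own service key from a live enumeration; the Recovery Console approach the posts describe sidesteps that by reading the hive offline, and the same can be done here with reg.exe load against a mounted offline SYSTEM hive. Also, on older Windows releases Get-AuthenticodeSignature does not consult the driver catalogs, so catalog-signed Microsoft drivers may show as NotSigned there; treat that column as a hint, not a verdict.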
-
You've ALMOST got it right toastar (close)
That'll clear the bootsector (good job, I've been using RC's commands to 'knockout' rootkits for years too per -> )
You need to use RC's:
LISTSVC - shows all driver names & states
DISABLE - stops services AND drivers
commands to finish it off, & this SHOULD do it!
(That's because it uses a driver - issues listsvc & it will show all driver names. Then use DISABLE to stop said BAD MBR bootsector protecting driver from loading, period!)
Proof thereof on WHY those 2 commands should work, hopefully & that this thing uses a protective driver:
---
http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx
PERTINENT QUOTE/EXCERPT:
"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way — by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"
---
(Doing a listsvc /? or disable /? shows their parameter switches for their command lines)*
... & there you are! APK
P.S.=> I've been using Recovery Console's (RC) commands for ages, since early Windows 2000 days for PC Security, & I list using it like mad for removal of even rootkits here:
http://www.proprofs.com/forums/index.php?showtopic=14264 & especially vs. rootkits as shown in that malware removal guide I wrote back in 2008 (first I wrote was 2001 for NeoWin & NTCompatible here http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text ).
RC/Recovery Console's great - it works & especially vs. rootkits
(& is pretty much as easy to use as DOS was. Very similar!)
So, you're correct on RC's FIXMBR being able to "blowout" a bootsector virus, but this one's trickier because of the driver being resident protecting the "BAD MBR"!
However - this SHOULD work to make SURE it's "blown out" & completely by not only cleaning the bootsector, but also disabling this bogus driver from loading too, if needed (sounds like it is needed - I only skimmed the articles, too late here for me to stay up reading more...)
So, since I must call it an evening? Well... if you guys find out anything else, like it's been modified even more to stop those commands of LISTSVC/DISABLE from running? Let me know... thanks, I'll catch it in the a.m. with coffee!
... apk
-
Re:Anonymous
Actually Stuxnet has been analyzed pretty well and would have attacked Windows XP, Windows Vista, and Windows 7 - no autoplay required. Remember the purpose of placing a USB key in one of these machines is to copy data from / to it because the machines aren't networked and the data has to be analyzed. In this case, a couple of zero day vulnerabilities were utilized that caused Windows to get infected by just opening the folder. Mark Russinovich did a nice, digestible 3 part write up on it that starts here: http://blogs.technet.com/b/markrussinovich/archive/2011/03/30/3416253.aspx.
-
Re:Go FBI!
So when Sony installs software on your computer that enables them to remotely connect to it and issue commands as the administrator, that's good.
No, that would be quite horrible.
However, as far as I'm aware, the XCP software did not allow SONY or anybody else to remotely connect to the machine.
Just to make sure you understand me correctly:
I'll state right here that what it did do is still highly undesirable and I do believe that those responsible should have been held accountable to the full extent of the law as it applies to several practices, among which for the GPL violations.
I'll also state right here that I stated no opinions on the current LulzSec stuff. You can dig through my comment history to find one where I mentioned that the hacks were not some "largest public penetration test" but that the hacks were mostly for 'teh lulz'. I'd be honored if 'LulzSec' decided on that name based on that comment, but I highly doubt it
;)
( For what it's worth, I do think it's bordering on the juvenile, and I'm not of the belief that SONY 'deserves' to be hacked any more than I believe anybody's insufficiently protected house deserves to be robbed. I also think, however, that SONY could both have prevented this and reacted more adequately, and certainly should lay the blame largely with themselves. )
Back to the beef of this thread, though... the assertion that it isn't a 'hack' and the secondary assertion that it isn't a 'rootkit'.
My memory on this is rusty, however, and wikipedia of course only provides a summary (summary: it's a rootkit!) and cites a source which you then have to follow up several chains and find the correct locations to some broken links to find any actual information at e.g. Mark Russinovich's research.
http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
http://blogs.technet.com/b/markrussinovich/archive/2005/11/04/more-on-sony-dangerous-decloaking-patch-eulas-and-phoning-home.aspx
From that research (again as far as I can tell and I admit that it fits my memory so there may be some selective bias), it appears there were technically two behaviors:
1. It hid itself from the user and most of the system.
2. It 'phoned home', to look for updated album art.
With that in mind, I'll skip to your last question:
You also seem to have an interesting definition of 'rootkit'. Since I only know the real definition, could you kindly elaborate on yours?
Certainly. From the wikipedia article to which you linked:
A rootkit is software that 1. enables continued privileged access to a computer while 2. actively hiding its presence from administrators by subverting standard operating system functionality or other applications
I added the numbers there because they help me explain.
Part 2, "actively hiding its presence", is certainly in effect. No question there.
However, both parts 2 and 1 are required in order to fit the rootkit definition.
And while the software 'phones home' to check for new album art and subsequently doesn't do anything with it, it does not "enable continued privileged access to a computer".
As such, it's not a rootkit.
Now, mind you, the subsequently released removal tool had a serious flaw in it that could indeed lead to privileged access.
http://freedom-to-tinker.com/blog/felten/sonys-web-based-uninstaller-opens-big-security-hole-sony-recall-discs
This,
-
Re:Go FBI!
Mark Russinovich (http://en.wikipedia.org/wiki/Mark_Russinovich) seemed to think it was a rootkit.
Here is his detailed analysis - http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
-
Re:SNI and other alternatives
Real developers use available APIs instead of cluster fucking 35 different versions of shit and different libraries into their OS for fun (like Linux).
Do you really think there isn't a "cluster fucking 35 different versions of shit and different libraries" on your windows box?
If you really believe that, I would like to invite you to check out %windir%\WinSxS; it is part of a mechanism designed to resolve traditional Windows DLL hell but can become VERY bloated over time. It's where system libraries are actually stored and then are linked to from other directories. Due to the past DLL hell, it is rare that anything ever gets deleted from WinSxS, in order to prevent DLL hell by inadvertently deleting a library that might be marked by the registry as unused, but is actually relied upon by a seldom-used app. So, what happens is as you install and upgrade your various applications, system drivers, and whatnot, a ton of files often get written to WinSxS when installers don't check for dependencies - how many times have applications forced installs of components you know are already in place? Why does this happen? Because all too many release engineers don't understand system administration, how the OS works at the low level, so they don't know how to check for preexisting components. Why is this? Because hiring managers are all too focused on a specific tool (Rational Clearcase and Clearquest, Installshield, Visual Studio, Ant, Eclipse, or a specific language, etc) and not on what really matters, i.e., system administration, coordinating development and QA, managing the build platform and building a clean net, etc. Too much emphasis is based on knowing a specific application, rather than the process and ability to learn a tool quickly. Individual tools are relatively easy to learn very quickly; system administration and basic scripting skills are relatively difficult to pick up quickly. I never focused on learning all the tools out there; I learned the individual tools as I needed to, so my installers were always rock-solid because I knew the requirements for the underlying system, and my installers didn't force unnecessary component updates which bloat a system.
So, your Windows vs. Linux argument is kind of moot; you may not realize it, but even though you might not see libfoo.so.0.2.1, libfoo,so.0.2.1 and libfoo.so.0.4.1 (and a symlink from libfoo.so.0.4.0 to libfoo.so.0.4.1 since it's compatible and the install creator decided to save you space but not break your system in the process) in /usr/lib on Windows, if you have installed and over time upgraded various applications you easily have 5 to 10 different copies of various libraries - often identical versions, cluttering up WinSxS.
Check these out:
http://www.ghacks.net/2010/07/24/the-winsxs-folder-explained/
http://blogs.technet.com/b/askcore/archive/2008/09/17/what-is-the-winsxs-directory-in-windows-2008-and-windows-vista-and-why-is-it-so-large.aspx
Unix-based systems are easy to clean, maintain, and if you do break /usr/lib, very easy to fix in comparison to Windows. Now tell me - after reading those articles, if you have the Unix experience you claim to have, after learning how Windows deals with various library versions, which system is better and more logical? Don't get me wrong; Microsoft has done a fantastic job making Windows a hell of a lot more stable than it used to be, but this "fix" is still a major hack which doesn't fix the root problem: shitty release engineers not developing and adequately testing installers until they're rock solid.
To work around install developer incompetence, we have come to a point where WinSxS may contain gigabytes' worth of old cruft that is no longer used on a Windows box.
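The comment above argues that WinSxS quietly accumulates many versions of the same library. The script below is an added example, written for this page and not taken from the commenter or from the linked articles, that makes that claim measurable on a real box: it parses the component-store directory names (which follow the pattern arch_name_publicKeyToken_version_culture_hash), groups them by component, and reports how many versions of each are kept and the oldest and newest of them. It assumes Windows PowerShell 5.1 or later on Windows Vista or newer; reading directory names needs no elevation.

```powershell
# Added example (not from the forum post or the linked articles): count
# the versions of each component retained in the WinSxS component store.
# Assumes Windows PowerShell 5.1+ on Vista or later.

# Directory names in WinSxS look like
#   amd64_microsoft-windows-foo_31bf3856ad364e35_6.1.7601.17514_none_0123456789abcdef
# i.e. <arch>_<componentName>_<publicKeyToken>_<version>_<culture>_<hash>.
$componentPattern = '^(?<arch>[^_]+)_(?<name>.+)_(?<token>[0-9a-f]{16})_' +
                    '(?<version>\d+(\.\d+){3})_(?<culture>[^_]+)_(?<hash>[0-9a-f]{16})$'

function Get-WinSxSVersionCounts {
    param([string]$Root = (Join-Path $env:SystemRoot 'WinSxS'))

    Get-ChildItem -LiteralPath $Root -Directory |
        ForEach-Object {
            # Skip housekeeping directories (Backup, Catalogs, Manifests, ...)
            # that do not follow the component naming pattern.
            if ($_.Name -match $componentPattern) {
                [pscustomobject]@{
                    Arch    = $Matches.arch
                    Name    = $Matches.name
                    Culture = $Matches.culture
                    Version = [version]$Matches.version
                }
            }
        } |
        Group-Object Arch, Name, Culture |
        ForEach-Object {
            $sorted = $_.Group.Version | Sort-Object
            [pscustomobject]@{
                Component = $_.Name            # "arch, name, culture"
                Versions  = $_.Count
                Oldest    = $sorted[0]
                Newest    = $sorted[-1]
            }
        } |
        Sort-Object Versions -Descending
}

# Usage: the twenty components with the most retained versions.
Get-WinSxSVersionCounts | Select-Object -First 20 | Format-Table -AutoSize
```

The directory count is a proxy: most WinSxS entries are hard links to files under System32, so the on-disk cost is smaller than the raw folder size suggests. On Windows 8.1 / Server 2012 R2 and later, `Dism /Online /Cleanup-Image /AnalyzeComponentStore` gives the authoritative size breakdown and says whether cleanup is recommended, and `Dism /Online /Cleanup-Image /StartComponentCleanup` removes superseded versions (both need an elevated prompt), which is the supported answer to the bloat the comment describes.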