Slashdot Mirror

Doesn't this seem the better option if you're able to get your mitts on it?

No Edge, Store/Apps, Cortana, and telemetry (even the extra bits) all stoppable. Essentially a clean desktop edition of Windows 10 that gets all major bug-fixes and security updates without all the extra cruft for a period of 3-5 years (depending on when they choose to integrate the current branch features and release the next LTSB).

Here's a couple links:

http://blogs.technet.com/b/ukt...
http://www.techworld.com/secur...

Now, I've looked around online and people seem to proclaim the end of the world if you would like to use this as a desktop OS: 'Oh you can disable all of that crap yourself and spend hours gutting and tweaking it to suit your needs. LTSB is meant for ATMs and nuclear subs and you won't get any of the new features, why wouldn't you want them? Blah blah blah'... Frankly in techminded circles that sort of reasoning flabbergasts me, it's spouting off of ideology on no basis of reality. (Though you see the same end-of-the-worlders rear their head when you talk about the pros/cons of disabling UAC.)

If you can legally acquire it, I'm really not seeing the downsides as you get many of the little quality of life updates from Win 8/8.1/10 (task manager, DX12, file copy dialogue) without many of the obnoxious ones (lockscreen ads, Candy Crush, 'helpful suggestions'). Not to mention nothing like the 'fall update fiasco' bulldozing your settings whenever MS pleases by providing and presenting an OS in-place upgrade as a normal Windows update.

Remote shells? Yes! But SECURE, Remote shells? They have never had that built-in.

Powershell's remote shell is secure, and that is built-in to Windows.

I just leave my key printed out and taped to the side of my computer, in case I ever need it. But seriously... for the vast majority of users, having it backed up to OneDrive is a great, great thing. I'm talking about the 99% of computer users who don't really know what this stuff is or how it works. For the rest of us, we can always follow the instructions, remove the key from OneDrive and ALSO change it to a new key.

Incidentally, I understand how all of this stuff works, and really don't care, personally. I use Win 10 in a VM for work purposes, and don't store documents there, but I am using a similar feature on my main machine which is OS X. I do store my recovery key in iCloud. If my device was stolen, and they hacked iCloud, or social engineered their way in, they'd get banking information, credit card data, tax returns. I get all that. To me, there's such a minimal risk (the chance of my laptop being stolen is small. The chance of it being stolen by someone with hacking ability even smaller. The chance that someone with all those skills cares about my data is even smaller still) - I just don't care.

This system is just fine for almost everybody. And the few that it isn't good for (not counting corporations who ought to be on Professional or Enterprise, and aren't subject to this system anyway) - they are smart enough (hopefully) to be here, and if they couldn't figure it out on their own, they've now seen 100 people link to 50 different blogs instructing them how to reinstall Windows without a Live account, decrypt and recrypt, remove the key from OneDrive, etc - there's half a dozen ways out of it even if you already had it happen to you and OH KNOWS my key is on OneDrive.

I suppose a non-technical leaning child pornographer may have a problem one day stemming from this. Good.

That's bullshit.

Absolutely true, regarding your statement.

The router botnets are primarily due to morons configuring the devices to have default public admin ports open. Who does that on an internet facing device? Why, apparently Asus, Linksys, D-Lionk, Micronet, Tenda, and TP-Link. Note that they tracked only 40,269 IP addresses belonging to 1,600 ISPs over 4 months. As compared to 100,000+ in windows botnets. (While Simda.AT is not a botnet per se, it can become one easily due to what it does, it was just the first windows action that showed up with a number of infected machines. Oh, and it has 128,000 new infections per month.)

Lastly, let's look at a list of known botnets. All the largest are windows based.

Wordpress is another extremely popular target, and guess what? You can run Wordpress under a whole bunch of different OSes. ... on general-purpose computers it doesn't matter what the OS is if the vulnerabilities lie in the software that was installed on top of the OS.

IMNSHO, Wordpress is a pile of crap. However, Wordpress's primary reason for compromise is to infect large numbers of other computers, most of which are... MS machines.

On appliances, sure, but you can't blame MS for the shit the appliance-manufacturers pull.

If it is built on an MS OS and the OS is the problem, sure I can.

U-turn, perhaps. Embarrassing? More like long overdue. Good engineering is about using the best fit for the task at hand, not about shoving balls into square holes for the sake of politics.

Let me show you something. This is a Microsoft product that runs on Linux (IPython/Jupyter notebooks specifically, that is). It's not even a customized distro, just plain Ubuntu running in Docker containers. And it's not something that runs under the hood, because in notebooks you can run shell commands and access the file system, so it's very much visible that it's Linux. You can literally just do "!uname -a" in the notebook and see for yourself.

So why is it Linux? First, because this is built on top of containers, which have been a Linux feature for quite a while now and had time to mature and stabilize, but is a brand spanking new feature in Windows. And second, because people - data scientists and statisticians - who actually use those notebooks expect a Unix-like system; they have shell scripts and such that they use on their Macs, and they expect all this stuff to more or less just work.

I personally would throw open the entire codebase and monetize your product as a service.

The problem is that it's already a crowded market. And furthermore, Amazon, Google and Microsoft have all discovered it, and now want their slice - and they all already have solid cloud compute platforms to use as a backend; so it's going to get even more crowded in short order.

(Full disclosure: I'm on the MS team that is working on the Azure IPython/Jupyter notebook service that just went live on PyData, which is one piece of that.)

That sounds similar to what happened at Microsoft with the Bedlam DL3 incident.

Proof? I can't find such posts in Mark's blog.

According to this talk

http://blogs.technet.com/b/cdn...

By Steve McConnell who presumably has no skin in the game, Oregon's website was extremely poorly managed. Including using bad coding practices, staff that didn't have proper training and several other problems. McConnell just wonders how anybody could think that the project could work in the first place.

(the talk is very interesting by the way)

So if McConnell is correct in his appraisal of the situation, Oracle is just trying to get itself out of a lawsuit for a grand screw up caused by their own poor judgement.

His first post I can't find in the time I have, is intense as well as much longer.

Here it is.

http://en.m.wikipedia.org/wiki...

TL, DNR: 9 years ago, Sony was root kitting the machines of people who bought their CDs, and living about it.

Mark Russinovich of Sysinternals (at the time) has a very good article on this. You can learn a lot through it, least I did.
http://blogs.technet.com/b/mar...

His first post I can't find in the time I have, is intense as well as much longer.

There's a bit more information available now:

http://blogs.technet.com/b/srd...

And adding to the list, Windows does it as well. It's called Network Connection Status Indicator.

NCSI is designed to respond to changes in network conditions, and examines the status of a network connection in a variety of ways. First it uses an active probe to determine the status. For example, in an active probe NCSI tests connectivity by trying to reach http://www.msftncsi.com/ a simple Web site that exists only to support the functionality of NCSI. Eventually, as other programs begin generating Internet traffic, NCSI switches to a passive monitoring process that assumes responsibility for detecting changes to the network status.

Every time a network configuration event occurs (meaning that something has changed in the network configuration), the NCSI process performs several tests to identify the network's connectivity status. The first step NCSI performs is a DNS query for www.msftncsi.com. The second step is and HTTP get request for http://www.msftncsi.com/ncsi.t.... This file is a plain-text file and contains only the text "Microsoft NCSI." Last it will perform a DNS query for dns.msftncsi.com.

The URLs used by NCSI can be changed via Group Policy, i.e. you can have it check for the presence of some local server, so that it doesn't bug the shit out of users on a network without external connectivity. Several weeks ago, Microsoft was having global DNS troubles, and many users reported seeing the "trouble" icon in the tray even though their internet connection was working just fine; the problem was that msftncsi.com wasn't resolving. Whoops.

First, let me start off with the Notion that All Antivirus sucks. Regardless of the brand, or the Reputation, If you gave me an hour or less and a windows PC with any Antivirus app on the market on it, pay or free, I will give you an infected box. So why does this happen?

1) Hot, Fresh, Just for you! This is not just a slogan you see on McDonalds made to order burgers anymore. Today's Virus Obfuscation techniques are so fast and random, that when you activate an payload dropper (whether it be a Flash, Java, Website, Browser exploit or even a Trojan installer) The Payload that you get will only be statistically seen only once. You and only you will get that version of the virus even though it's using a well known virus kit that would be detected if it was not obfuscated. This technique is the reason why no AV firms detect the Fake antivirus variants or FBI Warnings or cryptolockers of the past even though all of the major codebases were detected by most AV Firms.

2) I'm an Necessary App! People need me to change their search engine, hijack their DNS, spy on them, and pop up ads randomly all over the screen and websites! Read the Slashdot Journal link for some insight on how adware gets on people's PC. Let me make something clear here. Adware is a Virus When a customer comes into my shop and has something like Conduit searchprotect, or Wajam on their machine, I tell them that's a virus because it is. They didn't want it, they got it and it's doing things they don't want. Sounds like a virus to me, yet just about every AV Firm ignores these and lets them gleefully install because they're afraid of getting sued by one of these companies so instead they make guidelines to let them slip through. The first AV I find that reliably removes all Adware as well as viruses without me having to manually remove them or fallback to a removal tool (like ADWCleaner, which is now starting to miss stuff as of late) I will sell in my store.

3) In Soviet Russia, Trojan Exploits You! This Journal link has been on my sig for years now, and is the primary reason why AV doesn't work anymore. This week alone I had no less then three of my customers Directly call Fake Support Scammers because their PC / Printer / Camera didn't work, and they called the phone number on the first link (The Ads) they saw when they searched for "(PC / Printer / Camera) Support" and if you're letting the bad guys in to physically touch your own box you're already screwed and no AV on earth is going to save you.

Right now, I'm telling people three things:

1) Install MSE All AV sucks, The only question is how much do you want to pay for something that sucks. MSE is free, at least blocks most of the ultra bad stuff and doesn't pop up ads of any kind so it's what I install.

2) Install Adblock on all browsers I install Adblock Plus on any machine that leaves the store. if you're going to infect yourself chances are an Ad is going to lead you there. Blocking the ads blocks most of the infection vectors off the bat.

3) Don't Download or Install anything. There is no safe place I can direct people to download files without getting some sort of Adware Virus. This is easier to tell users rather than pay attention to what you download. (See #3 to understand) If they protest, go to your PC, go to ask.com with your adware blocker turned off, type in any program you would think they would download (I use VLC Media player. It never fails to show me adware links) and have them pick the download link, when they get it wrong (chances are they will) download the file and send it to virustotal.com. chances are one of the scanners will detect the Adware dropper from the fake site, Then drill it home about not downloading anything.

4)

Without addressing the correctness of the process, the Microsoft Exchange documentation suggests a SAN certificate for the Exchange servers that includes the public names and internal names on the same certificate. Lync does the same thing.

While this reduces services and split-naming confusion, it also puts your internal naming convention in the public certificate. People do it because MSFT says so. This Exch2007 article (Yes, old, but the first link in google. There are more examples.) says to put the NetBios name in as well: http://blogs.technet.com/b/exc...

It's not even a space issue. MS was saying don't put PST files on the network:
http://blogs.technet.com/b/ask...

Has that guidance even changed since then?

Found a link. Network Stored PST files ... don't do it!
http://blogs.technet.com/b/ask...

Most likely if it was advertised to a "All Windows Machines" collection, then only computers in that collection would have been it.

The task sequence was most likely configured to be mandatory/assigned and thus initiated automatically with little to no intervention.

If that collection included the "unknown computers" collection then if those machines PXE booted and PXE support was enabled, then those could have been hit as well.

The safest way to advertise a task sequence is to the Unknown Computers collection, (or a collection specifically for imaging) and not make the advertisement mandatory. There are reasons to advertise it to a collection with computers, one being that you can re-image a computer without having to remove it from ConfigManager (since you are advertising to UNKNOWN computers). This is really handy especially for the guys doing the re/imaging of computers. Saves a lot of time.

But as we see here, there is a huge danger. You can reduce the threat by advertising the task sequence to only media and PXE.. that prevents it from showing up on production workstation. You can also configure the advertisement to only run on an OS you don't have in production, again, making the advertisement optional rather than mandatory helps too. But there are situations where you do need to have it mandatory so extra caution applies.

I've not worked with deploying a task sequences to running computers, but you can do them where they will copy the users files offline. Then the boot image is downloaded and the system reboots to that and performs the wipe, install, etc. Then once the system is back up, it copies the users files back (for something like xp to 7 upgrades)

SCCM is a great tool, but like any great tool, it can do great bad if you are not careful. Happened to this company a few years ago. http://delimiter.com.au/2012/0...

btw, here are the steps you should follow should you be lucky enough to experience it :)
http://blogs.technet.com/b/system_center_configuration_manager_operating_system_deployment_support_blog/archive/2011/10/27/how-to-remediate-an-incorrectly-deployed-osd-task-sequence-in-system-center-configuration-manager-2007.aspx/

As someone else posted in a sub-comment somewhere, http://blogs.technet.com/b/gla...

As they say, truth is stranger than fiction because fiction has to make sense.

It's true. If you are running 8.1, update 1 is mandatory to keep getting support: http://www.infoworld.com/t/mic...

Microsoft said it themselves here: http://blogs.technet.com/b/gla...

Originally they only gave 30 days to install it, but then they upped that to 120 because of all the compatibility and installation problems (and the few companies running Windows 8 screaming).

Bizzarely, Windows 8.0 users aren't affected in the same way. This affects 8.1 users only. As usual, Windows 7 users can ignore this ongoing fiasco and keep doing productive work.

I was under the impression it would be made available through windows update but it's not really very clear.

http://blogs.technet.com/b/msr...

No, I think the problem is that some people have Windows 8.1 and cannot upgrade to 8.1 Upgrade 1. So they are forced to stay on an OS which will not receive patches.

http://blogs.technet.com/b/gladiatormsft/archive/2014/04/12/information-regarding-the-latest-update-for-windows-8-1.aspx

Since Microsoft wants to ensure that customers benefit from the best support and servicing experience and to coordinate and simplify servicing across both Windows Server 2012 R2, Windows 8.1 RT and Windows 8.1, this update will be considered a new servicing/support baseline. What this means is those users who have elected to install updates manually will have 30 days to install Windows 8.1 Update on Windows 8.1 devices; after this 30-day window - and beginning with the May Patch Tuesday, Windows 8.1 user's devices without the update installed will no longer receive security updates.

MSE will have definitions for a year after the EOL: http://blogs.technet.com/b/mmp...

I think that is a grave mistake on Microsoft's part. It makes people think that they can still run Windows XP securely, just intercepting viruses that match the signatures, instead of patching the underlying vulnerabilities.

I also think continuing to let OEMs install Windows XP until Windows 7 was also a grave mistake. In the short term, it slowed people from fleeing to Linux, especially for the early-model netbooks. In the long term, it has delayed the end of Windows XP by years, making it more painful when people do finally upgrade.

MSE will have definitions for a year after the EOL: http://blogs.technet.com/b/mmp...

Do you have more comedy acts?
You are gifted my friend.. LOL...

Me? That's Microsoft's actual list of reasons...I couldn't possibly make it up!

Check it out: https://blogs.technet.com/b/fi...

(Remove all liquids from the vicinity before clicking...)

MS09-056, found and fixed around 4 years ago. No word on how long it was present before being found, though.

It might have been done through Windows Update.

Not at first, although the signature for Tor v0.2.3.25 used in Sefnit was added later to the Malicious Software Removal Tool that Windows Update regularly pushes out.

He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves.

Or he could read Microsoft's own statement, where they say exactly how they eliminated Tor:

October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.

November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

Did some more digging. Here are the details (from http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx) :

Cleanup efforts

Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

Upcoming:

MS deletes Firefox, saying it was used to infect millions of computers.

Microsoft only deleted the install used as part of Sefnit. They didn't disable legitimate installs, and they're not out to squash your freedom. From the blog:
http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx

The Tor client service left behind on a previously-infected machine may seem harmless at first glance - Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20.

I'm not an expert on Windows malware (and I have no need or intention to become one) but from some recent reports, it looks like most Windows malware is of the "drive-by" or "autorun" variety which requires no active user role. The next most popular category is something called "keygen" malware which seems to be some software which generates user activation keys (I don't know since this type of thing is not used in the Mac/Linux world) and this would seem to dupe the user into installing malware in return for allowing him access to his software.
Here's a good rundown I found:
http://blogs.technet.com/b/security/archive/2013/01/07/operating-system-infection-rates-the-most-common-malware-families-on-each-platform.aspx
Glad I don't live in the Windows ecosystem... looks ugly.

The announcement only refers to antimalware updates, not OS updates. So, you still need to move off of XP in April.

https://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-support-for-windows-xp.aspx?Redirected=true

This (announcement) does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures.

Powershell was designed to market Windows server, providing something that looks familiar to Unix/Linux admins. It's by no means a replacement for VBScript. (Which is *not* the same thing as VBA.) VBScript, being COM-centric, is uniquely suited to accomplishing all sorts of tasks on Windows. It just happens to be getting "deprecated" as part of Microsoft's overall strategy: They want to attract people to Windows server while converting "civilian" Windows into virtually a kiosk OS.

Sorry, BS. PowerShell is a foundation technology in Windows, unlike VBScript. Since Windows 7, the troubleshooting packs are actually written in PowerShell! The troubleshooting utilities are automatically launched by the system when e.g. network problems occur.

PowerShell is every bit as COM capable as VBScript. PS uses a "unified" type system where multiple object models (COM, .NET, WMI etc) are surfaced as common PS objects.

VBScript is definitively legacy (and deprecated). I will actually wager a bet that there is not a single meaningful VBScript that could not be written shorter and more elegant with PowerShell.

They actually just fixed the SxS bloat with a patch a month or two ago. Link : here.

Secure boot was only recently added in v2.2.

And every (non-Apple) x86-64 PC and PC motherboard since the release of Windows 8 has shipped with Secure Boot.

10s if not 100s of millions of shipped systems predate that by many years such as every Intel Mac, Itanium systems from both Intel and HP, etc.

I thought Intel Macs were just EFI, not UEFI. And according to the FAQ, this distro is designed for x86-64, not Itanium. I understand Windows 7 Service Pack 1 for x86-64 supports UEFI, but did most Windows 7 PCs come with UEFI pre-2.2, or did they come with legacy BIOS?

That's one more reason to stop using RC4, which isn't secure anymore when used with SSL/TLS, such that Microsoft is moving it out of IE11.

"Microsoft today announced the availability of Windows 8.1 for nonprofits. The move is an extension of the company's nod to the nonprofit community with the launch Windows 8. The announcement means eligible nonprofit organizations and public libraries can request Windows 8.1 through Microsoft's software donation program."

Still runnning the same ole engulf-and-assimilate game plan. In this case keeping Linux off the Desktop and getting some free publicity in return. Remember this is the company that acted to sabotage the OLPC project by offering to 'support' the effort but only if they came with Windows.

http://semiaccurate.com/2013/10/21/microsoft-admits-image-net-consumer-negative/

Because they've realized the 'Microsoft' name has such negative connotations in the consumer market, that they don't want CxO's shooting it down based on its name, and one that wasn't directly tied to their Windows environment, since its where they want you to run your Linux VMs "In The Cloud":

  "...we knew that we needed to ensure that Windows is the best platform to run Linux workloads as well as open source components. ..."

http://blogs.technet.com/b/in_the_cloud/archive/2013/07/24/what-s-new-in-2012-r2-enabling-open-source-software.aspx

Well yeah... They are calling server 2012 r2, the Cloud OS, : http://blogs.technet.com/b/in_the_cloud/archive/2013/10/18/today-is-the-ga-for-the-cloud-os.aspx

Yes, and a real fire sale, not the lame one they offered to teachers/professors. I mean, when the "special" price for the Surface RT with the Type Keyboard Cover is $289, I for one will still prefer a Samsung Chromebook.

Until next year http://blogs.technet.com/b/dataplatforminsider/archive/2013/07/17/what-s-new-for-columnstore-indexes-in-sql-server-2014.aspx

See this blog post:
http://blogs.technet.com/b/office_sustained_engineering/archive/2013/09/11/outlook-folder-pane-disappears-after-installing-september-2013-public-update.aspx

Where in this statement from MS does it say "HTML only" NOWHERE. It's almost a figment of your imagination.

There was one sticking point in the collaboration. Google asked us to transition our app to a new coding language – HTML5. This was an odd request since neither YouTube’s iPhone app nor its Android app are built on HTML5. Nevertheless, we dedicated significant engineering resources to examine the possibility. At the end of the day, experts from both companies recognized that building a YouTube app based on HTML5 would be technically difficult and time consuming, which is why we assume YouTube has not yet made the conversion for its iPhone and Android apps.

But they also said this:

With this backdrop, we temporarily took down our full-featured app when Google objected to it last May, and have worked hard to accommodate Google’s requests. We enabled Google’s advertisements, disabled video downloads and eliminated the ability for users to view reserved videos. We did this all at no cost to Google, which one would think would want a YouTube app on Windows Phone that would only serve to bring Google new users and additional revenue.

They make it seem that they were doing Google a favor by complying with Google's TOS.

There was one sticking point in the collaboration. Google asked us to transition our app to a new coding language – HTML5. . . .For this reason, we made a decision this week to publish our non-HTML5 app while committing to work with Google long-term on an app based on HTML5.

Translation: We knew were not complying with Google's wishes anyway but we released a new app.

We’re committed to providing users and creators with a great and consistent YouTube experience across devices, and we’ve been working with Microsoft to build a fully featured YouTube for Windows Phone app, based on HTML5. Unfortunately, Microsoft has not made the browser upgrades necessary to enable a fully-featured YouTube experience, and has instead re-released a YouTube app that violates our Terms of Service. It has been disabled. We value our broad developer community and therefore ask everyone to adhere to the same guidelines.

I don't see HTML5/JS anywhere in that statement only "based on HTML5". MS doesn't say that in their statement either:

There was one sticking point in the collaboration. Google asked us to transition our app to a new coding language – HTML5. This was an odd request since neither YouTube’s iPhone app nor its Android app are built on HTML5. Nevertheless, we dedicated significant engineering resources to examine the possibility. At the end of the day, experts from both companies recognized that building a YouTube app based on HTML5 would be technically difficult and time consuming, which is why we assume YouTube has not yet made the conversion for its iPhone and Android apps.

http://blogs.technet.com/b/blogms/archive/2008/08/20/how-to-subscribe-to-microsoft-newsletters-on-the-microsoft-profile-center.aspx

Then you don't have a very big business.

See list of supported OSes on VMware:
http://www.vmware.com/resources/compatibility/search.php?deviceCategory=software

versus list of supported OSes on HyperV:
http://blogs.technet.com/b/schadinio/archive/2012/06/26/windows-server-2012-hyper-v-list-of-supported-client-os.aspx

Good luck trying to support your business support customers on Mac or older versions of linux or lots of flavors of linux when you use HyperV. Or Windows 95/98/2000.

a) Give away inventory for free at schools etc

They are not for free yet, but they are being sold to schools at discount prices: http://blogs.technet.com/b/microsoft_in_education/archive/2013/06/19/it-s-true-we-re-putting-surface-rt-in-the-hands-of-educators-and-students-schools-and-universities.aspx

I know of people that bought them for 190 euros, for someone that only uses the tablet to browse the web and edit office documents I guess it is a reasonably good deal, but some of them are a bit disappointed with the lack of flexibility of windows rt.

KB2775511 has substantially reduced the CPU load and improved file-sharing performance on one of our heavily-used Windows 2008 R2 file servers.

Microsoft recommends that it be applied to both servers and workstations.

http://blogs.technet.com/b/askpfeplat/archive/2013/03/12/slow-boot-slow-login-sbsl-hotfix-rollup-for-windows-7-and-server-2008-r2-available-today.aspx

But there may be problems with it under some circumstances:

http://blogs.msdn.com/b/winsdk/archive/2013/05/13/roll-up-update-kb-2775511-reports-with-smb-2-0-data-truncation.aspx

Interesting how the hop numbers fit in with the MS news
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-to-government-legal-demands-for-customer-data.aspx
"fractions of a percent – of our customers have ever been subject to a government demand related to criminal law or national security."
wrt a massive user base, numbers of computer users and US population size.