Slashdot Mirror
Windows XP SP2 Impressions
A roundup of concerns and problems with Windows XP SP2 from the early adopters: Many, many users are reporting problems with SP2 limiting outbound TCP/IP connections. This appears to be nailing anyone who makes heavy network use of their machine, including especially users running P2P applications. A Microsoft blog rounds up some reports, as does SANS. Microsoft has objected to people helping them distribute SP2.
Your list of 'impressions' is nothing but bad things people are saying. Any links to the other views?
If not, simply change the title to "Bad things popping up with SP2" or something to that effect.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
this is slashdot after all, the place where biased reporting has been invented
this place should be called sheepdot
I know you were just trying to be funny (and cost MSFT bandwidth, heh); but for people who didn't get the joke, note that you only need to get the MD5-checksum from a trusted source, not an entire download.
Please elaborate on how, exactly, are they shooting themselves in the foot?
As for not rolling out SP2 on the desktops that's the only smart way for large organizations to handle large updates like this. My employer isn't rolling SP2 out anytime soon. Why? Because we need to test it to make sure that the applications we can not do our jobs without still work, and so that the IT staff has time to learn what changes SP2 has that they are going to have to support.
I don't like Windows, and I dispise Microsoft as a corporation, but blanket "they fucked themselves this time" without anything to back it up is pointless and useless FUD.
Boobies never hurt anyone. - Sherry Glaser.
I have a view. It hasnt caused a problem on any machine in my office, and I can only say that my personal machine at least "feels" more responsive.
Look, this is slashdot. They aren't going to be objective. For years the whine has been "MSFT default security is teh suck". MS releases a service pack that locks the boxes down reasonably well. Now that's something to complain about: "my kazaa is teh broked!"
Limiting outbound TCP connections to something sane make sense. Let the extreme P2P kiddies relax the rules manually. On the majority of desktops (not SERVERS) out there, an inordinate amount of outbound traffic is a sign of something bad, like a backdoored spam relay or the machine has been taken over as a DDoS drone.
SP2 crashed a lot of machines that were already exploited. Good. They were already broken. Now those guys can go to Best Buy, who will format and reinstall for them, juice them up with SP2, and there's one less source of SPAM/DDoS/Worms/stupidness.
IMO, SP2 was a huge step in the right direction, and confirmation to me that MSFT is doing more than paying lip service to security.
Of course, this is slashdot, and everything they do is wrong.
It's worth noting that I've never borked a windows box installing a service pack, all the way back to win 95. On the other hand, I've lost track of how much time I've spent cleaning up after typing "emerge -uD world". I thought I'd mention that so I can ensure I'll be modded troll. It's true, though, I swear it.
I don't need no instructions to know how to rock!!!!
...even if it isn't true.
Ya'll complain that Microsoft doesn't care about security, but when they release a MASSIVE security patch, you try to find (and if that fails, fabricate) any and all tiny inconveniences it causes.
As others here have pointed out, it doesn't block ALL outbound TCP connections, just incomplete ones. Would it kill an editor to come out and say for once that "Microsoft did a pretty good job here."?
And no, I'm not new here.
"Ask not what your country can do for you." --John F. Kennedy
Other than that it's fine; I turned off the firewall; I'm already NAT'd and have limited ports of entry anyway.
The nice thing about the firewall is that every program that isn't signed that wants to become a server (listen on a port) has to get your permission first. That makes it more likely that you'll catch a malicious program like spyware before it starts sending your browsing activities off to the deep dark jungle of the internet.
Your standard off-the-shelf router from BestBuy won't do that for you.
Unless you run something equivalent like ZoneAlarm, I would suggest you turn it back on.
Normally I wouldn't expect MS to allow you to configure something like this, but if you think about it, if there were a user option to turn it off, then it probably wouldn't be that difficult for a trojan to turn it off. Especially since so many people run with admin privs.
It shouldn't be surprising that any enterprise-level organization would wait for some period of time before deploying something like this - that's been going on forever.
For example, we found on Win2k SP4 that Hummingbird was failing to make a constant connection on some installs with a VIA chipset. As a result, we delayed the rollout until we had a solid solution to the issue.
Any company that chooses to apply patches and service packs without relying on outside experience and independent testing - they're just begging for trouble. It's hard to sympathize with that...
Of course. But Microsoft warned everyone that SP2 was more concerned with security than it was with compatibility. The fact that some custome written software breaks should not be a surprise to anyone.
Boobies never hurt anyone. - Sherry Glaser.
Security by definition must limit functionality. The best you can hope for is that the functionality limited is less valuable than the security gained.
Microsoft management has finally realized that in order to avoid the gigantic fiascos of the past year's worms, they have to limit some functionality. My guess is Microsoft engineers have been telling their management this for a long time, and finally, they were heard.
M: Is our product secure?
E: The only way to improve security is at the expense of features.
M: No way. Features sell the product.
M: We need to patch this security hole.
E: The only way to improve security is at the expense of features.
M: I still can't accept this.
M: Please, dear god, do ANYTHING to fix these security problems!
E: The only way to improve security is at the expense of features.
M: All right, all right! Do it!
Can you blame them? Untrusted sources and all that?
Vintage computer games and RPG books available. Email me if you're interested.
I'd hardly call having to go to a control panel and explicitly opening an (incoming) port "nailing" anyone. It's the right thing to do.
Microsoft did this well. The firewall has some nice options (like the ability to open ports only for the local network) and is very easy to use. Nobody got "nailed."
Best Buy can have you arrested
SP2 will make Windows more secure. SP2 is a huge improvement in the security arena for Windows. Despite what many poster have said about the TCP/IP outbound limit, it is a good thing. When a new worm tries to propagate it tries tons and tons of IPs in a short period of time which most of them won't be work either because the node is not on, firewalled, nothing assigned to that IP, etc. but Windows recognizes these fast attempts to "broken" IPs and then enforces a limit on them. This would truly slow down past worms.
Now this is the new differentiating factor. Windows has improved security enough to where it is a smaller comparison point when comparing it to Linux/BSD. The new big comparison point (besides price) is the ability to turn things off such as outbound limit rates and such. If Linux had widespread worms as Windows does it would be a good thing for the TCP/IP stack to limit "broken" outbound connections by default, but the key here is you would be able to turn it off.
But with MS updates you are guessing. Sure an update may fix a bug but what else have they done?
It is not that I fear patches being badly done, the SSH/SSL stuff had recently 2 patches right behind each other, but that I fear the "features" they added.
Remember this update really gives you a different product that behaves differently.
So a simple rule is to always first test a patch/update on a test setup. Then you test it for a length of time in scale with the size/complexity of the patch/update. I would suggest that SP2 is somewhere between a version upgrade and an OS rollout.
All I can say about SP2 is, thank god I am a unix guy. Yeehaw!
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Let's wait until we have some real data, as in definitive reports that particular applications break.
I hate to play Devil's Advocate, but DUH... look at this from Microsoft's perspective. Having non-Microsoft sources distributing SP2 has two huge negative aspects for them:
1) Unthrottled Rollout
Having P2P'ers flooding the patch to "everyone-and-their-monkey's-uncle" destroys any potential throttle control that Microsoft might have had. Microsoft's initial plan was to trickle the rollout of SP2 out at only 25,000 downloads a day, exclusively via Windows Update. This is extremely practical due to the scope of the patch -- it makes a lot of sense for them to control the release in case a catastrophic show-stopper pops up, and also to allow developers some extra update time.
2) P2P Security Liability
Let's face it, Microsoft has a right to have their skivvies in a knot over people downloading any Windows patches from 3rd party sources. The infamous "Average Joe" (they guy who opens email viruses twice a week) isn't going to do an MD5 checksum comparison on a patch from a P2P net before running it -- who's to prevent someone from hacking up their own little "SP2" cocktail exe and distributing it? Ultimately the shit would hit the fan and Microsoft would take it in the face.
Even those who do check MD5 digits on a P2P-downloaded patch need a trusted source for the correct checksum... again, Microsoft doesn't want to be liable. Sure, it could be argued that Microsoft could provide the MD5 checksum themselves, but then "Average Joe XP User" would never check it anyway because "Microsoft says it's ok, so it must be safe!"
-----
"Cogito Eggo Sum: I think, therefore, waffle."
This guy drives me nuts. I can't stand FUD and lies.
I'm talking about the "shields up" thing. It claims if you're in "stealth mode" then your machine is invisible. This is idiotic.
Dropping incoming packets doesnt make you "invisible". If you were "invisible" and I tried to ping you, I'd get a "destination unreachable" error. If I get timeouts, I know you're there and dropping my packets. If you replied to my pings with "destination unreahables" you might trick me, unless I noticed that the destination unreachable messages were coming from the IP I was pinging (duh!).
It's as false as the "your machine is broadcasting an IP!" popups.
Fuck him and his crusade to break the internet by trying to convince people there's something to be gained by dropping incoming packets, instead of responding with a proper RST packet or ICMP message.
Linux folks, set your default firewall properties to DENY, and not DROP. It doesn't make you vulnerable, it doesn't allow SYN floods (which attack by spawning multiple server threads on a local port - an application vulnerability not a TCP/IP one).
It doesn't "hide" you from scanners, as he claims.
It doesn't prevent DDoS attacks, if I have enough bandwidth to clog your downstream, it doesnt matter what you do with all the crap I flood you with.
Actually, heh, he is doing a spin on the old "your machine is broadcasting an IP address" scam:
Many Internet connection IP addresses are associated with a DNS machine name. (But yours is not.) The presence of "Reverse DNS", which allows the machine name to be retrieved from the IP address, can represent a privacy and possible security concern for Internet consumers since it may uniquely and persistently identify your Internet account -- and therefore you -- and may disclose other information, such as your geographic location.
Uhhh, I can get that from the numeric IP, who cares about the reverse DNS. Do the RIAA do reverse DNS lookups when they launch all those suits against IPs?
This machine does have a static IP and proper DNS, so I dont know why his tool says it doesnt. Though, I don't really care.
I don't need no instructions to know how to rock!!!!
It's worth noting that I've never borked a windows box installing a service pack, all the way back to win 95.
It's been a while so I might have the numbers wrong...NT 4 SP4 was issued to fix NTFS which was horribly crippled by NT 4 SP3. I suffered through that. What did I learn from it...test ALL patches, just like they tell you in any network class. I have been using XPSP2 since pre RC1 and have liked it thus far. I put it on the internal boxes in one department yesterday and have had no complaints yet. I will continue a slow and steady roll out over the next couple of weeks. But yes the bad thing can happen but having adminned MS and Unix since 96 I have only seen it once.
One of my old friends from when I used to work at MS said to me, and I quote "With SP2 DCOM apps are fucked". The whole outgoing TCP connections limitation is going to cause a lot of issues w/ distributed apps using DCOM and other such things.
This space for rent.
It only asks permission to LISTEN (open ports for listening). So all phone-home applications are ignored by the firewall.
So, while the builtin is WAY better than nothing, everyone should really install a third party one that controls all access on application basis.
Let the extreme P2P kiddies relax the rules manually. On the majority of desktops (not SERVERS) out there, an inordinate amount of outbound traffic is a sign of something bad, like a backdoored spam relay or the machine has been taken over as a DDoS drone.
What is stopping the DDos software from relaxing the rules itself?
Could it be because nmap IS an attack tool?
A gun in the hands of a policeman generally helps our society be a safer place. The gun in the hands of a criminal generally does the opposite.
It's simple, nmap is just like a gun. One key difference - the Geek Lobby is nowhere near as organized or influential as the NRA.
The living have better things to do than to continue hating the dead.
Exactly what about SP2 makes moving to Linux unrealistic? SP2 is a needed up date to an already good OS but its not some sort of revolution, and not something that I can see that would prevent someone from using Linux if indeed they really wanted to 'move beyond Windows.' Incidentally, when I wanted to try something new, I built a machine out of used parts and ran linux and windows, and I still do, so once again, what about SP2 precludes using Linux?
"I use a Mac because I'm just better than you are."
It's worth noting that I've never borked a windows box installing a service pack, all the way back to win 95. On the other hand, I've lost track of how much time I've spent cleaning up after typing "emerge -uD world". I thought I'd mention that so I can ensure I'll be modded troll. It's true, though, I swear it.
/etc files. If you make any config changes, that's a big no-no..
.. =)
Perhaps your sysadmin skills are lacking. I've never had an issue with using 'emerge --pretend -uD world' to see what will be changed, looking at the release notes for the new versions, and emerging the things I should upgrade. Not only that, but I imagine you're one of those people who like to auto-merge the
The fact that a M$ service pack (which replaces M$ only software) can blow up some systems up here and there (one of the reasons why they added system restore points to service pack installations) just gives you an idea of how hard it is to maintain the Windows operating environment. I feel sorry for the M$ developers that have to deal with dll hell and have to worry about retaining ancient compatability with old libraries..
They should allow an 'expert' SP install that lets you pick and choose what portions of the service pack you'd like to install. *shrug* I'm just a control freak
Just when you make it idiotproof, some idiot builds a better idiot.
You really only hear on the news about the cars that crashed the people who were injured and killed. You rarely hear about the thousands or millions who managed to drive to and from work safely.
I think it's the same here. Sure there might be people who think SP2 did the best thing for their computer ever. But I imagine it's either... "it didn't break anything", or the range from "slowed me down" to "crashed everything".
Sure, I'm interested to know how many people had more problems, but I'm much more interested to hear what problems there were.
You mean unprofesional like spelling Microsoft with a dollar sign (M$) like you did in this post?
;-)
Let ye without sin cast the first stone....you might end up breaking a window or something.
Quidquid latine dictum sit, altum viditur
Your opinions are suspect, however, and the validity of your information is uncertain. As I mentioned on a previous occasion, I wonder if you are a MS employee working to offer favorable comments about MS and unfavorable comments about FOOS. Who knows?
Not everyone who says something good about Microsoft if some kind of schill or plant. Microsoft is a big company. They do some things right, they do some things wrong. Personally, I believe that the harm they do greatly outweighs the good, but others are entitled to their own opinions without being insulted because they express them.
-All that is gold does not glitter - Tolkien
www.ra
Typical linux user response, "you're an idiot." Blaming the user for running this command which the handbook (as in RTFM) says to do is hypocritical. Blame microsoft when some fucktard installs gator, but blame the user when portage screws things up.
I use emerge -p for doing this too, and I'm very cautious because I've read how this command can bork your system. And unless I've manually changed one of those config files myself, I don't know what they all mean or what the differences will make when etc-update changes them. I've heard dispatchconf takes care of this though. But my point is that he did what the manual said, and it borked the system.
Having been network administrator at my living group in college, I have to mention the merits of fyodor's rather awesome tool. nmap has saved my ass a number of times, locating owned boxes, spotting shitty firewall setups, etc.
On some occasions, I've used ARP poisoning on an owned box to figure out who's responsible. More often than not, it's a box at another university that was owned as well. Which is usually pretty obvious, thanks to nmap.
And now that nmap picks up versioning information, I can scan my entire living group and make note of anyone who's running something abysmally old, too. Quite frankly, it kicks ass, because it allows me to address problems that I would have had a bitch hard time figuring out without it.
As far as nefarious uses go... if people want to use the tool for bad, they're going to do so anyhow. From a *nix box at their disposal. Like any normal person. Also, if they're using the tool for bad, unless they're using the zombie scan feature, it's not all that anonymous, so... it's not something you want to do from your personal box, then.
All in all, I think this was a poor move by msft, nerfing raw sockets like this. They've trashed one of the good features in WinXP, and I think people are going to care.
As for those of you who think you know what the tools is for, I urge you to think a bit harder.
Sure, you can scan the entire internet doing version scanning on port 80 looking for vulnerable IIS boxes, but there is still fallout from the last virus epidemic doing that. Or you can use nmap to assess your own vulnerabilities and help prevent dozens of hours dealing with idiots who don't read security related emails.
Many, many users are reporting problems with SP2 limiting outbound TCP/IP connections. This appears to be nailing anyone who makes heavy network use of their machine, including especially users running P2P applications.
This is what is supposed to happen, the firewall is turned on now by default, and from a security standpoint this is a good thing.
Microsoft famously get criticised for slack security and when they try to do something about it they get it even worse.
I wouldn't mind so much but this is a tech website yet the poster wrote this up in a way that made the concept of a firewall as something alien.
People may well be having problems I don't know but it sounds like what is happening is that the less clueful are running an app, getting asked if they want to unblock it and don't know waht to do. Pretty soon they will learn what it all means and life will continue pretty much as normal.
How about M$ spending some money to develop an installer that does that for you?
If you're shooting for the lowest common denominator like Windows does, you need to understand that 'mom & pop' are your 'lowest' and don't have a clue how to turn a firewall or virus checker off. Do it for them to prevent problems.
Seems like something they should have figured out about a decade ago...
There are two types of people in the world: Those who crave closure
49% of REPORTERS!
That could in reality be 2% of the entire installed base.
Saying "49% of the people that installed it are have troubles" is the biggest piece of FUD evar.
MS has NOTHING on you guys in the lies, lies and more lies dept.
Microsoft has the wrong end of the stick here. Rather than trying to reduce the number of ways that PCs can become infected, they're trying to reduce the damage that malicious software can cause. They've done this before, and tripped up... they modified Outlook so that programs couldn't as easily get to the Outlook address book... and what happened? Well, what happens when you want to sync your PDA?
Before they spend ONE MORE DAY on this kind of kludge to limit the utility of the OS, they need to deal with the FIRST stage of the infection. They need to remove the dangerous coupling between programs through the Microsoft HTML control, so that you don't have every program that registers a handler... even for *local* file access... suddenly becoming a potential attack point.
"XP runs everything with administrator privileges" that statement is retarded.
You also need administrator privilages to use raw sockets on XP.
did you forget to take your meds?
This seems to me like "automate it because lusers don't know better" dogma. While that does apply in situations such as applying periodical security patches or updating anti-virus software, which should be automated, it can't be applied in this case.
Find me 3rd party firewall or anti-virus software that can be turned off by an installer program, and I'll bet you it could be turned off just as easily by a virus. It would defeat the purpose of having such software. Many applications will bring up a "do you want to save changes" when there's a modified document open. Would it be better for the installer to force the app to close and lose unsaved changes? I think not.
I would agree that the installer should include an on-screen warning to close all programs, turn of AV and firewalls, and not to install over a beta version. Such a warning would probably get a lot more people to do it right, and if they didn't know how to do some of those things, to hold off installing until they figure out how. Doing it for them, however, wouldn't work, and if attempted, would probably create many more problems than it would prevent.
GET THEM INSIDE THE VAULT!
It's been a while so I might have the numbers wrong...NT 4 SP4 was issued to fix NTFS which was horribly crippled by NT 4 SP3. I suffered through that.
Um, I got news for you: NT4 was released around 1996. The service pack in question was released prior to the year 2000. The product you're speaking of isn't available for sale, isn't current, and isn't even officially supported any longer. We're more than halfway through the year 2004. Isn't it time people quit judging the quality of Microsoft software by what happened almost ten years ago? Would it be fair if I judged Linux's fitness for a particular task based upon a bad experience I had with the 1.x kernel back in 1997? No, but I constantly hear Slashdotters harp about how awful Win95/NT4 was and how nice Linux kernel 2.4/2.6 is when Linux clearly has the benefit of several more years of development under its belt. If you're going to castigate Microsoft for something, castigate current products by comparing them with current alternatives. Doing anything else is comparing apples to oranges.
If such stuff came from Microsoft, it'd be called FUD, but since it comes from Linux lovers on Slashdot, it gets modded +1 Insightful. What a way to be fair and unbiased, huh?
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Contrast the following two comments from your response:
Perhaps your sysadmin skills are lacking. I've never had an issue with using 'emerge --pretend -uD world' to see what will be changed,
and
The fact that a M$ service pack (which replaces M$ only software) can blow up some systems up here and there (one of the reasons why they added system restore points to service pack installations) just gives you an idea of how hard it is to maintain the Windows operating environment.
So, if someone messes up a Linux "service pack" application, they're an idiot and Linux shares no blame, but if they muck up a Windows box, Microsoft is totally to blame. Yup, that makes all the sense in the world...if you're a Linux zealot.
I feel sorry for the M$ developers that have to deal with dll hell and have to worry about retaining ancient compatability with old libraries..
I'll remember that next time I can't get an RPM to install due to dependency hell. That's just so much more fun than DLL hell, isn't it? Sure, I can mitigate that with apt-get and Synaptic package manager, but likewise Windows DLL hell hasn't existed in a long, long time due to built-in Windows DLL version control. Again, you're judging current Microsoft products based upon what they were producing almost ten years ago. Clearly have no idea whatsoever about how much improved Microsoft's current product line is. Perhaps you should research the things you're criticizing before you criticize them.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Age of Microsoft: 29 years
7 years as a percentage of Microsoft's age: 24%
Age of Linux: 13 years
7 years as a percentage of Linux's age: 54%
Ewige Blumenkraft.
We're more than halfway through the year 2004. Isn't it time people quit judging the quality of Microsoft software by what happened almost ten years ago?
Don't peruse the post...read for comprehension. The person posted that they were holding off on applying the service pack because it might break stuff and I said I had been doing this for ten years and could only produce one example and all I took from it was that you should test first. I did not say "don't apply the service pack" read the post you will also notice I have been running XPSP2 since its' beta. Don't call me Linux lover either I use the tools for which I am paid Linux is only one.