Windows XP SP2 Impressions
A roundup of concerns and problems with Windows XP SP2 from the early adopters: Many, many users are reporting problems with SP2 limiting outbound TCP/IP connections. This appears to be nailing anyone who makes heavy network use of their machine, including especially users running P2P applications. A Microsoft blog rounds up some reports, as does SANS. Microsoft has objected to people helping them distribute SP2.
Of course Microsoft does not want people to distribute sp2. Any number of backdoors or things of the like may be added at any step along the way. The safe way is obviously straight from Microsoft.
You'd know if you check the MD5 sum. ('course you have to get the MD5 sum from a trusted location, and it's unclear if there was one in this instance)
There are numerous unconfirmed reports coming primarily from the nmap mailing list that SP2 has removed support for raw sockets. However the ping and tracert utilities, both of which use raw sockets, still seem to function correctly. Perhaps only signed executables can use the raw sockets interface?
While the reason is valid, I don't see anything about if/how this is user configurable. It would be nice if you could actively turn this off, and/or grant certain programs (doom3, kazaa lite, iTunes, etc.) to have "unlimited" access.
Then again, this is all conjecture, because I haven't installed it yet and don't know if this actually is possible. Someone care to comment?
So they added a firewall which asks you if a program can access the Internet, but allows all the Microsoft ET-Phone-Home software to bypass its own firewall, thereby giving all non-Microsoft software a built-in disadvantage to not being released by the monopoly.
Interestingly, this means that worms and malware authors need only make themselves appear to be Microsoft software (if Microsoft can bypass its own firewall, the credentials will be reverse engineered) in order to continue to spam from zombie boxes without informing the user.
Secure Computing, yay!
I would say that a lot of OS distributors shoot themselves in the foot on a rollout. At least this upgrade is free and basically transparent for most people.
I remember when most people would wait for a RedHat build after a X.0 rollout. I remember when MacOS X would require you to pay for upgrades, and I remember when IT departments were deploying patches for known exploits and got burned in the ass when a worm was released.
Just another example of how the world works in different ways.
Nothing wrong with running messenger if it isn't listening on your public interface. It's useful to send out broadcast messages on the local lan (NET SEND * "SERVER WILL REBOOT IN 5 MINUTES")
I don't need no instructions to know how to rock!!!!
When 49% of installers have problems, the bad reviews tend to crop up. I submitted a story about how 30% of installers reported "minor problems", like non-Microsoft browser incompatibility (the other 20% presumably had major problems). So this story is actually spinning the SP2 problems more blandly than half its users would say themselves.
--
make install -not war
IMO, SP2 was a huge step in the right direction
I almost feel exactly as you do with one exception: this puts open-source alternatives further behind.
Yes - I've tried linux. I install it about once or twice a year to check up on the status. I'm eager to move beyond Windows. However, after installing SP2, I don't think that is realistic in the foreseeable future. Good job to Microsoft (as much as that pains me)!
Life is the leading cause of death in America.
as compared to originating from a floppy/cd/network. This way it warns you that it may not be from a trusted source. I think I've seen this elsewhere - Win 2003 maybe?
I don't think it is so much of a tinfoil-hat thing, as one more layer of warnings against installing applications off the internet.
Most slashdotters know about the safety, or lack thereof, of things on the internet. Grandmama may not.
You're right, you missed my point.
It's non-technical, and not about whether this change is good or bad. Instead my post is about a certain pundit who claimed the sky would fall (more or less) when XP was released due to its raw socket support. He was so strident that he was dismissed as a bit of a crackpot.
It turns out that now, a couple years later, Microsoft actually addressed his concern. It is anticipated that the pundit will have something entertaining to say about it.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
All these people are supposed to be reporting major problems, yet the links point to sites with mostly positive reviews. Not to mention, I've been running SP2 since RC2 with not a single problem whatsoever.
:)
Slashdot and its juvenile broken window graphic just wanted a FUD article to meet the daily quota for the garish-looking IT section.
XP SP2 breaks nmap
Something can be overall workable even with a slew of minor issues. Windows has a history of this.
A better example is my Linux (Debian and SuSE) environments. I am very happy with them even though there are plenty of bits and pieces I'd like to see improved / fixed.
I have had problems already with the 10 socket limitation. Is there a way to disable this limitation, or must I revert back to SP1?
-fb Everything not expressly forbidden is now mandatory.
http://www.lvllord.de/4226fix/4226fix-en.htm That link won't work directly with the slashdot referrer, but click on a few links to take you to a patcher that will patch tcpip.sys to whatever amount of connections you want (use /l= on commandline).
Control Panel -> Add/Remove Programs -> Windows Components -> Networking Services -> Peer-to-Peer "Enable Peer-to-Peer Networking Services."
Photoshop 5.5 won't work with SP2 - at least not for me. Just sits there on the startup screen.
I've already experienced this "logging" (much to my surprise)... Downloaded an EXE the other day (yes, from a known good source) and clicked it to run... The thing popped up a dialog asking if I wanted to run the file because its source is not known and might not be trusted, or some verbiage to that effect.
Wah? I thought?
So I clicked a couple more EXE's that were already on my system. Nope, no warning. Copied one over from another machine on my local network. Nope, no warning. Downloaded another EXE. Yep, warning.
I think it could get a tad bit annoying to someone like me that knows what I'm doing, but (a) I think I saw an option to turn it off on the dialog, and (b) it's I think a great idea for someone like my mom, or even the so-called "power users" who just THINK they know what they are doing.
I don't know if that's the logging that's referred to, I haven't done the requisite research to find out. But I suspect it is, and if it is, it strikes me as a good, non-sinister thing.
If a pion (n-) collides with a proton in the woods & no one is there to hear it, does lambda decay into the source pa
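The behaviour described in the comment above (a prompt for downloaded EXEs, none for files already on disk or copied over the LAN) matches the zone mark that SP2 stores with a downloaded file in an NTFS alternate data stream named Zone.Identifier. The following is an added example, not code from the thread or from Microsoft, that parses that stream; the sample stream contents are constructed, and treating only zones 3 and 4 as the ones that prompt is a simplifying assumption about default policy.

```python
# Added example: parse the Zone.Identifier stream that marks downloaded files.
# URLZONE numbering used by Windows security zones.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample stream contents (not captured from a real system).
DOWNLOADED_EXE = "[ZoneTransfer]\r\nZoneId=3\r\n"
INTRANET_MARK = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(text):
    """Return the ZoneId from INI-style stream text, or None if absent/malformed."""
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_mark(path):
    """Read <path>:Zone.Identifier (NTFS on Windows). None means the file is unmarked."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def would_warn(zone_id):
    """Assumption: only Internet (3) and Restricted (4) marks trigger the prompt."""
    return zone_id is not None and zone_id >= 3


def describe(zone_id):
    if zone_id is None:
        return "unmarked: no prompt expected"
    name = ZONES.get(zone_id, "unknown zone")
    verdict = "prompt expected" if would_warn(zone_id) else "no prompt expected"
    return "%s (ZoneId=%d): %s" % (name, zone_id, verdict)


if __name__ == "__main__":
    for label, stream in [("download", DOWNLOADED_EXE), ("intranet", INTRANET_MARK), ("local", "")]:
        print(label, "->", describe(parse_zone_identifier(stream)))
```

A file that was never downloaded has no such stream at all, which is why `read_mark` treats a failed open as "unmarked" rather than as an error.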
Many of these functions are new for SP2, for example the InetFWAuthorizedApplications interface has a method to add a new application as "Authorized." Similar APIs allow the opening of ports, etc. (And most of these say Client: Requires Windows XP SP2. which indicates they were newly added.)
Here's my question: What's to prevent programs from simply adding themselves as authorized and opening the ports they need? After all, if the Firewall control panel applet can do it, can't any other program? And since many, many XP users run all the time in the "Administrator" group, can this somehow be blocked?
Is it time for Microsoft to make a new "Super Administrator" level and start putting certain critical things (like changing the firewall) as needing that security level?
Now I need to write a program to see if my XP box won't indicate if I authorized myself and open up a port....
Best Buy can have you arrested
I have no use for windows firewall, being offline, but sp2 turned my whole network into bubblegum with its rate-limiting tcpip.sys bug. A lot of expensive paperweights, here.
-I like my women like I like my tea: green-
Psst. File Traders. Yes, you. Get some old Pentium machines (you can get these for free, since people can't run new games on them and are throwing them away - Pentium2 300 works fine), take memory from several of these, and concentrate it all on one machine so it has some 128MB of it. Then install a silent power source and a big, silent hard disk, install Debian GNU/Linux, VNC, xterm, all the fonts and sshd.
Now you have a silent server machine, which can run several P2P clients at once (Gtk-Gnutella (for Gnutella) and Lopster (for OpenNap) in the VNC, Mldonkey (for eDonkey) from console (use nohup) with the Web Interface, and BitTorrent (btlaunchmany.py) in a "screen" session), Leafnode for newsgroups caching (so you don't need to keep on checking your news server daily), and if you install Samba you can mount your download dirs as network shares from Windows.
There's even a program which automatically downloads pictures from Usenet News and shows them in a web gallery (automatically parsing the original messages to add initial keywords, of course) but that's still in early alpha and not publicly available (it can't handle multipart binaries yet, and yenc decoding in pure Python is pretty slow - but it's getting there).
Just remember to firewall the machine from the Internet to keep out uninvited guests, and only open those ports that you actually need.
And you never need to worry about connection limits again ;).
The only thing it can't really run is Freenet - that darn bunny eats memory more than Ryo-Ohki eats carrots :(.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
I know, I read them too. Those are mostly technical folks who know what they're talking about. I also read the ones on Microsoft Blog, though. Here's a good example:
I think this just proves that idiots and beta software don't mix. =)
GET THEM INSIDE THE VAULT!
So, if someone messes up a Linux "service pack" application, they're an idiot and Linux shares no blame, but if they muck up a Windows box, Microsoft is totally to blame. Yup, that makes all the sense in the world...if you're a Linux zealot.
Way to quote me out of context.. The parent was complaining about 'emerge -uD world' killing his system. I said he was a lousy sys admin for not checking what he was installing; a precautious (good) sys admin will only upgrade what is needed regardless of what platform you're administrating.
Microsoft should be blamed for faulty service pack installations as they don't allow you to pick and choose (as far as I know) which portions of the service pack you'd like to use. (If they do, then.. I'll bite my tongue and retract that statement.) If I don't want to cap my incomplete TCP sessions (for whatever reason), then I won't install that particular update.
If you're worried about RPM dependency hell, go download rpmfind (or use the two other solutions you suggested in your post). My statements are based off of the general bloaty-ness of the OS. Do we really need progman.exe, mplay32.exe, grpconv.exe, etc.. in the latest releases of Windows XP? Do we really need Windows 95 compatibility 9 years later? Like I said, if I were an OS developer at Microsoft, I'd be pissed off that I have to keep all of that stuff from 10+ years ago in my final product. Hopefully Longhorn will have most of that stuff trimmed down...
Just when you make it idiotproof, some idiot builds a better idiot.
This may get me in trouble, but please mod parent down, or as flamebait, for it's not a fair assessment of Shield's Up and what its purpose is for.
Steve's stuff about things of a DoS nature are unrelated to Shield's Up. Instead, the DoS stuff comes from his own personal experience of being attacked, and provides information about how it was achieved by the other party, and protected against.
On the DROP/DENY issue, the major purpose is just to slow them down.
If the packets are denied then they will get that response instantaneously, allowing them to scan thousands of ports per second.
If the packets are dropped then they get no response. They have to wait 2 or 3 seconds and try that port again, then another wait, and perhaps a third try at that same port.
It is this slowdown effect that is intended and achieved when you DROP the packets.
--
Paul Wilkins