Windows XP SP2 Impressions
A roundup of concerns and problems with Windows XP SP2 from the early adopters: Many, many users are reporting problems with SP2 limiting outbound TCP/IP connections. This appears to be nailing anyone who makes heavy network use of their machine, including especially users running P2P applications. A Microsoft blog rounds up some reports, as does SANS. Microsoft has objected to people helping them distribute SP2.
Your list of 'impressions' is nothing but bad things people are saying. Any links to the other views?
If not, simply change the title to "Bad things popping up with SP2" or something to that effect.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
I've had no problems yet to report; the only thing that pissed me off is it reinstalled windows messenger after I had already uninstalled it.
Other than that it's fine; I turned off the firewall; I'm already NAT'd and have limited ports of entry anyway.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Just so there isn't a bunch of FUD being spread, the limit is on INCOMPLETE outbound connections. There is no limit on COMPLETED connections. This should only affect network scanners such as nmap.
XP SP2: Are P2P, Port Scanning, and Port-Opening Programs Slower?
Check for the error code!
By design SP2 limits the number of simultaneous incomplete outbound TCP connection attempts. Who cares? This mostly stops trojans.
Run the event checker as described in the article above. You'll prove to yourself that you don't have a problem.
... you can disable it with this.
Of course Microsoft does not want people to distribute sp2. Any number of backdoors or things of the like may be added at any step along the way. The safe way is obviously straight from Microsoft.
You'd know if you check the MD5 sum. ('course you have to get the MD5 sum from a trusted location, and it's unclear if there was one in this instance)
I read through some of the "reviews" linked through a MS employee's? blog. They were mostly people saying that the install went well but they have minor issues with it (ie slow downs).
Personally I have installed it and have been using it since I learned of its release on Slashdot a couple weeks ago. It's nothing impressive for me but I didn't notice any slow downs.
I griped about my personal issues with the updated "features" and the nagging it causes.
YMMV.
I have had no problems since RC 1. I for one applaud Microsoft for turning the firewall on by default and creating a central security control panel for all users to use and understand.
Such as Norton or whatever, be aware that if XP's firewall is turned on (as it gets turned on by default in SP2) you won't be able to hit the 'net on that PC.
-Markvs
46. The Hobo smiles, his eyes glaze over, and he burps. "Beware the man who has lived longer than the Wasteland."
There are numerous unconfirmed reports coming primarily from the nmap mailing list that SP2 has removed support for raw sockets. However the ping and tracert utilities, both of which use raw sockets, still seem to function correctly. Perhaps only signed executables can use the raw sockets interface?
While the reason is valid, I don't see anything about if/how this is user configurable. It would be nice if you could actively turn this off, and/or grant certain programs (doom3, kazaa lite, iTunes, etc.) to have "unlimited" access.
Then again, this is all conjecture, because I haven't installed it yet and don't know if this actually is possible. Someone care to comment?
The BBC has a pretty good article about it, entitled "Concerns over key Windows update". Seems like there are plenty of things going wrong..
CHANGES DUE IN SP2
Pop-up ads blocked
Revamped firewall on by default
Outlook Express, Internet Explorer and Windows Messenger warn about attachments
Origins of downloaded files logged
Web graphics in e-mail no longer loaded by default
Some spyware blocked
Users regularly reminded about Windows Updates
Security Center brings together information about anti-virus, updates and firewall
Protection against buffer over-runs
Windows Messenger Service turned off by default
The "Origins of downloaded files logged" feature troubles me a little. What do they mean by "downloaded files"? Do HTML files count as "downloaded files"? Why do they want to keep track of and log my downloaded files? How will they know if I use another browser and download files using that instead of IE? What about the other files I download through File sharing applications?
Why log "origins of downloaded files" at all? Does it improve security in any way? If they were logging keys/certificates of software updates (to AV software for example), it would make a little sense (but not a whole lot, it shouldn't concern the OS at all), but this feature sounds a heck lot more like a Big Brother OS thing, something like IE tracking all websites visited in a hidden+undeletable folder for the suits.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
So they added a firewall which asks you if a program can access the Internet, but allows all the Microsoft ET-Phone-Home software to bypass its own firewall, thereby giving all non-Microsoft software a built-in disadvantage to not being released by the monopoly.
Interestingly, this means that worms and malware authors need only make themselves appear to be Microsoft software (if Microsoft can bypass its own firewall, the credentials will be reverse engineered) in order to continue to spam from zombie boxes without informing the user.
Secure Computing, yay!
Shareaza has found some solutions and are discussing them.
An Education is the Font of All Liberty
I would say that a lot of OS distributors shoot themselves in the foot on a rollout. At least this upgrade is free and basically transparent for most people.
I remember when most people would wait for a RedHat build after a X.0 rollout. I remember when MacOS X would require you to pay for upgrades, and I remember when IT departments were deploying patches for known exploits and got burned in the ass when a worm was released.
Just another example of how the world works in different ways.
What new functionality is added to this feature in Windows XP Service Pack 2?
Restricted traffic over raw sockets
A very small number of Windows applications make use of raw IP sockets, which provide an industry-standard way for applications to create TCP/IP packets with fewer integrity and security checks by the TCP/IP stack. The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:
TCP data cannot be sent over raw sockets.
UDP datagrams with invalid source addresses cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped.
I bet his "I told you so" rant will be entertaining.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
... yet the articles that are linked are mainly positive.
Odd.
The limit is enforced if a previous connection attempt to a host has failed.
There is no limit if the connection attempt was successful.
Licences have no effect.
There is no limit on the number of connections.
You will probably reach the memory limit of your system before you reach the maximum number of connections that XP can support.
This was from the NTBugTraq mailing list a few days ago.
To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
Subject: XP SP2 - Statement of the NTBugtraq list
Ok, so I feel like I need to do this, hopefully it's understandable.
1. XP SP2 is the most significant security effort Microsoft has ever produced. Granted, it may not be a "silver bullet", or solve all problems, but it is significant in so many ways that we as a security community cannot fail to acknowledge it. I admire "discoverers" as much as the next, but before XP SP2 can be written off it will take many, many, vulnerability announcements.
a) IMO, this is the first time that Microsoft has put security over existing, and frequently used, features.
b) IMO, this is the first time that Microsoft has accepted the fact that their choice is going to lead to "some" incompatibilities.
c) IMO, this is the first time that Microsoft has taken a stand against ISV who are definitely making money out of some features they (MS) made available to them.
2. I, at least, as NTBugtraq Editor, believe we, as the NTBugtraq community, need to stand behind Microsoft's efforts. That means we need to continue to endorse XP SP2 despite what problems have arisen or may arise (within obvious reason.) The media is only going to state the problems. They cannot appreciate, nor do they believe their customers are willing to pay for, stories about XP SP2 successes.
So, I want to hear from you, every one of you, regarding XP SP2 success or failure. Obviously, I want those stories in as much detail as you can provide.
There are, no doubt, some (many?) applications which will not be compatible with XP SP2. I say they represent Vendors who are not prepared to accept the responsibilities we've always felt they should have as reasonably security-minded Vendors. They've had lots of time to figure out how to make their apps compatible, and have *chosen* not to.
I offer any Vendor who feels Microsoft left them "in the lurch", regarding their problems with XP SP2, a forum to express their problems.
Equally, I offer all NTBugtraq subscribers a place to state the problems they are encountering with an ISV application.
It is extremely important for corporate environments to get XP SP2 deployed to all home systems running XP. Let's make sure the media has the right information.
Cheers, Russ - NTBugtraq Editor
Check Here for a fix.
There's both a downloadable patch as well as manual instructions for patching by hand for the ultra-paranoid.
I just installed SP2! N....o........P....r....o....b....l....e....m....s ........H....e....y........E....v....e....r....y.. ..t....h....i....n....g........i....s........g.... o....i....n....g........s....o........s....l....o. ...w.......-Connection Refused-
I LIKE TOAST!!!
Please elaborate on how, exactly, are they shooting themselves in the foot?
As for not rolling out SP2 on the desktops that's the only smart way for large organizations to handle large updates like this. My employer isn't rolling SP2 out anytime soon. Why? Because we need to test it to make sure that the applications we can not do our jobs without still work, and so that the IT staff has time to learn what changes SP2 has that they are going to have to support.
I don't like Windows, and I despise Microsoft as a corporation, but blanket "they fucked themselves this time" without anything to back it up is pointless and useless FUD.
Boobies never hurt anyone. - Sherry Glaser.
I have a view. It hasn't caused a problem on any machine in my office, and I can only say that my personal machine at least "feels" more responsive.
Look, this is slashdot. They aren't going to be objective. For years the whine has been "MSFT default security is teh suck". MS releases a service pack that locks the boxes down reasonably well. Now that's something to complain about: "my kazaa is teh broked!"
Limiting outbound TCP connections to something sane makes sense. Let the extreme P2P kiddies relax the rules manually. On the majority of desktops (not SERVERS) out there, an inordinate amount of outbound traffic is a sign of something bad, like a backdoored spam relay or the machine has been taken over as a DDoS drone.
SP2 crashed a lot of machines that were already exploited. Good. They were already broken. Now those guys can go to Best Buy, who will format and reinstall for them, juice them up with SP2, and there's one less source of SPAM/DDoS/Worms/stupidness.
IMO, SP2 was a huge step in the right direction, and confirmation to me that MSFT is doing more than paying lip service to security.
Of course, this is slashdot, and everything they do is wrong.
It's worth noting that I've never borked a windows box installing a service pack, all the way back to win 95. On the other hand, I've lost track of how much time I've spent cleaning up after typing "emerge -uD world". I thought I'd mention that so I can ensure I'll be modded troll. It's true, though, I swear it.
I don't need no instructions to know how to rock!!!!
Said article mentions that "..But the overall reports about SP2 were broadly positive." How is it that there are plenty of things going wrong?
I've done the XP SP2 upgrade myself just fine.
...even if it isn't true.
Y'all complain that Microsoft doesn't care about security, but when they release a MASSIVE security patch, you try to find (and if that fails, fabricate) any and all tiny inconveniences it causes.
As others here have pointed out, it doesn't block ALL outbound TCP connections, just incomplete ones. Would it kill an editor to come out and say for once that "Microsoft did a pretty good job here."?
And no, I'm not new here.
"Ask not what your country can do for you." --John F. Kennedy
This made the rounds on NTBugTraq.
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0408&L=ntbugtraq&F=P&S=&P=2886
- Things truly do seem to be snappy. I am not sure where to attribute this, but it is welcome.
- My notebook has wireless which had the annoying habit of showing that there wasn't a wireless connection (the disconnected red x) coming out of hibernation even though it was fully operational. That appears to be fixed.
- I was afraid that the firewall would prove to be annoying, but it actually works pretty well. When I load ICQ, Activestate Komodo, or other applications that try and use blocked ports, it pops up asking if I want to unblock things. The old SP1 firewall didn't do this.
- IE's popup blocker is pretty slick. It will show a little dropdown area above the current page asking about the popup, if it should be displayed, etc. Neat. I do wish Firefox would do this instead of the small icon in the lower right of Firefox's window. It isn't enough to make me stop using Firefox, though.
Now, for the stuff I find annoying.
- Their Windows Security Alerts interface isn't compatible with my corporate Norton I have from my work place. It isn't a big whoop, but I am surprised they don't work together.
- Some of my folder settings have changed. I am not sure why, but Microsoft feels the status bar shouldn't be on by default. To hit this point home, it changed it back to disabled after the install. Come on.....
- Along those lines, they decided to mess with my sound scheme. I normally turn all of that off, but sure enough after reboot it is back in all its glory!
- A lot of the wireless stuff has been funneled into wizards, need to find a way to turn that stuff off.
- IE and PNG is still pretty broken. Alpha doesn't work, and that problem where the colors are slightly off of what they actually are is still there. You would have thought that they would have addressed some of that stuff!
There you go, a user's point of view. Take it for what it's worth....Bryan R.
The price of freedom is eternal vigilance, or $12.50 as seen on eBay.....
Go to Control Panel->Admin Tools->Service and set the security service to manual.
It shouldn't be surprising that any enterprise-level organization would wait for some period of time before deploying something like this - that's been going on forever.
For example, we found on Win2k SP4 that Hummingbird was failing to make a constant connection on some installs with a VIA chipset. As a result, we delayed the rollout until we had a solid solution to the issue.
Any company that chooses to apply patches and service packs without relying on outside experience and independent testing - they're just begging for trouble. It's hard to sympathize with that...
Of course. But Microsoft warned everyone that SP2 was more concerned with security than it was with compatibility. The fact that some custom-written software breaks should not be a surprise to anyone.
Boobies never hurt anyone. - Sherry Glaser.
I'll give you my impression, because mine is positive. I've not noticed the limited tcp connection problem, the firewall works and doesn't completely suck (as basic as it may be), and overall stability is pretty good. The anti-virus reminder thing is obnoxious, which is probably good for the average user. The wireless network stuff screwed up my wep settings, but the wireless config tool is a huge improvement. I haven't used IE on that machine yet, but I didn't use it before, so I wouldn't know what to say is improved. I am planning on stress testing it this weekend before setting it up on a few other machines. I've seen one sp1-related crash not happen in sp2, so something is different. It has not broken any of my applications and I do use p2p programs daily (though only shareaza, bittorrent, and direct connect). I've criticized MS many times before regarding Windows XP, but I do believe they've made some steps in the right direction, and despite the SP2 problems, MS did specifically warn that SP2 will break programs.
And you can still get secure, by running this tiny app.
SP2 has been fine for me, but it's turned slashdot puke yellow!
It must be a Microsoft conspiracy.
Somewhere, something incredible is waiting to be known. -- Carl Sagan
When 49% of installers have problems, the bad reviews tend to crop up. I submitted a story about how 30% of installers reported "minor problems", like non-Microsoft browser incompatibility (the other 20% presumably had major problems). So this story is actually spinning the SP2 problems more blandly than half its users would say themselves.
--
make install -not war
Security by definition must limit functionality. The best you can hope for is that the functionality limited is less valuable than the security gained.
Microsoft management has finally realized that in order to avoid the gigantic fiascos of the past year's worms, they have to limit some functionality. My guess is Microsoft engineers have been telling their management this for a long time, and finally, they were heard.
M: Is our product secure?
E: The only way to improve security is at the expense of features.
M: No way. Features sell the product.
M: We need to patch this security hole.
E: The only way to improve security is at the expense of features.
M: I still can't accept this.
M: Please, dear god, do ANYTHING to fix these security problems!
E: The only way to improve security is at the expense of features.
M: All right, all right! Do it!
Well the OpenGL tooltip bug is fixed. That makes me very happy. Prior to SP2, if you had an OpenGL app open, tooltips did not refresh correctly, often displaying a previous tip. A fix apparently existed for a while but MS wasn't distributing it easily until SP2.
Bluetooth seems more reliable than the implementation that was shipped from Belkin with my USB bluetooth device. It does seem to have fewer services though. For instance, there is no way to send a contact to Outlook from my phone or vice versa.
Can you blame them? Untrusted sources and all that?
Vintage computer games and RPG books available. Email me if you're interested.
I'd hardly call having to go to a control panel and explicitly opening an (incoming) port "nailing" anyone. It's the right thing to do.
Microsoft did this well. The firewall has some nice options (like the ability to open ports only for the local network) and is very easy to use. Nobody got "nailed."
Best Buy can have you arrested
1. Open up the Windows Security Center
2. Click "Change the way Security Center alerts me"
3. Uncheck ALL of the Alert settings
4. Click OK
5. Close the Security Center window (tray icon should now be gone)
SP2 will make Windows more secure. SP2 is a huge improvement in the security arena for Windows. Despite what many posters have said about the TCP/IP outbound limit, it is a good thing. When a new worm tries to propagate it tries tons and tons of IPs in a short period of time, most of which won't work either because the node is not on, firewalled, nothing assigned to that IP, etc. but Windows recognizes these fast attempts to "broken" IPs and then enforces a limit on them. This would truly slow down past worms.
Now this is the new differentiating factor. Windows has improved security enough to where it is a smaller comparison point when comparing it to Linux/BSD. The new big comparison point (besides price) is the ability to turn things off such as outbound limit rates and such. If Linux had widespread worms as Windows does it would be a good thing for the TCP/IP stack to limit "broken" outbound connections by default, but the key here is you would be able to turn it off.
/ points at Microsoft icon....
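The behaviour argued over in the comments above (a cap on simultaneous incomplete outbound connection attempts, no cap on completed connections) can be modelled as a small queue. This is an added example, not part of the original thread and not Microsoft's implementation; the cap of 10, the 50 ms handshake and the 3 s connect timeout are assumed values chosen for illustration.

```python
import heapq

# Assumed illustration values, not taken from the thread or from Microsoft.
ASSUMED_CAP = 10          # max simultaneous incomplete outbound attempts
ASSUMED_HANDSHAKE_MS = 50  # time for a live host to complete the handshake
ASSUMED_TIMEOUT_MS = 3000  # time before an unanswered attempt is given up


def simulate(targets, cap,
             handshake_ms=ASSUMED_HANDSHAKE_MS, timeout_ms=ASSUMED_TIMEOUT_MS):
    """Fire one connect() per target as fast as the stack allows.

    targets: list of bools. True  = host answers, the attempt completes and
                                    stops counting against the cap.
                            False = nothing answers, the attempt stays
                                    incomplete until it times out.
    cap:     max simultaneous incomplete attempts, or None for no limit.
    Returns (ms until the last attempt resolves, attempts that had to wait).
    """
    in_flight = []   # min-heap of times at which incomplete attempts resolve
    now = 0          # time at which the next attempt is allowed to start
    finish = 0
    delayed = 0
    for answers in targets:
        # Retire attempts that have completed or timed out by now.
        while in_flight and in_flight[0] <= now:
            heapq.heappop(in_flight)
        # Every slot is busy: wait until the earliest attempt resolves.
        if cap is not None and len(in_flight) >= cap:
            now = heapq.heappop(in_flight)
        if now > 0:
            delayed += 1
        done = now + (handshake_ms if answers else timeout_ms)
        heapq.heappush(in_flight, done)
        finish = max(finish, done)
    return finish, delayed


def compare(count=200, cap=ASSUMED_CAP):
    """Run three constructed workloads with and without the cap."""
    workloads = {
        # Ordinary client: every host answers.
        "all hosts answer": [True] * count,
        # Worm-like or scanner-like sweep: nothing answers.
        "no host answers": [False] * count,
        # Stale peer list: only every fourth address answers.
        "one in four answers": [i % 4 == 0 for i in range(count)],
    }
    return {
        name: {"uncapped": simulate(t, None), "capped": simulate(t, cap)}
        for name, t in workloads.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        (u_ms, _), (c_ms, c_wait) = result["uncapped"], result["capped"]
        print(f"{name:22s} uncapped {u_ms:6d} ms   "
              f"capped {c_ms:6d} ms   ({c_wait} attempts queued)")
```

Under these assumed numbers, 200 attempts to answering hosts still finish in one second, while 200 attempts to dead addresses take 60 seconds instead of 3. The stale peer list shows why a P2P client can feel the cap even though completed connections are never limited.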
I have not experienced absolutely any problem with SP2, perhaps with the exception of the terribly long install time -- it took 1-2 hours on my relatively fast machine (the backing up of files is not fast at all).
For the normal "Joe Average" user there won't be too much of a difference -- a simple reboot and the system looks just the same. IE has the pop-up blocker, which has a semi-intuitive way of adding sites to the white-list and is a bit imperfect, IMHO (if the pop-up displays a page which has a different URL than the originating page, then the "normal" user will be confused why adding the URL of the originating site doesn't work and the pop-up still doesn't display... this is the case even for subdomains of the same principal domain).
The firewall is pretty nice, the default being to ask when some program is trying to access "the internet". BitTorrent works very fine with me and I haven't had any problems with IM programs.
So, overall, after 2 days of SP2 experience, I can only recommend it to people who still use XP.
Doomie
I'd like to see these guys do a Windows XP impression.
Norman Cook's Ode to Sl
But with MS updates you are guessing. Sure an update may fix a bug but what else have they done?
It is not that I fear patches being badly done, the SSH/SSL stuff had recently 2 patches right behind each other, but that I fear the "features" they added.
Remember this update really gives you a different product that behaves differently.
So a simple rule is to always first test a patch/update on a test setup. Then you test it for a length of time in scale with the size/complexity of the patch/update. I would suggest that SP2 is somewhere between a version upgrade and an OS rollout.
All I can say about SP2 is, thank god I am a unix guy. Yeehaw!
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Let's wait until we have some real data, as in definitive reports that particular applications break.
I hate to play Devil's Advocate, but DUH... look at this from Microsoft's perspective. Having non-Microsoft sources distributing SP2 has two huge negative aspects for them:
1) Unthrottled Rollout
Having P2P'ers flooding the patch to "everyone-and-their-monkey's-uncle" destroys any potential throttle control that Microsoft might have had. Microsoft's initial plan was to trickle the rollout of SP2 out at only 25,000 downloads a day, exclusively via Windows Update. This is extremely practical due to the scope of the patch -- it makes a lot of sense for them to control the release in case a catastrophic show-stopper pops up, and also to allow developers some extra update time.
2) P2P Security Liability
Let's face it, Microsoft has a right to have their skivvies in a knot over people downloading any Windows patches from 3rd party sources. The infamous "Average Joe" (the guy who opens email viruses twice a week) isn't going to do an MD5 checksum comparison on a patch from a P2P net before running it -- who's to prevent someone from hacking up their own little "SP2" cocktail exe and distributing it? Ultimately the shit would hit the fan and Microsoft would take it in the face.
Even those who do check MD5 digits on a P2P-downloaded patch need a trusted source for the correct checksum... again, Microsoft doesn't want to be liable. Sure, it could be argued that Microsoft could provide the MD5 checksum themselves, but then "Average Joe XP User" would never check it anyway because "Microsoft says it's ok, so it must be safe!"
-----
"Cogito Eggo Sum: I think, therefore, waffle."
Or, better yet, I thought I'd mention that mentioning that I would be modded "troll" would actually ensure that I would be modded "+5, Insightful". :)
How clever of you! :)
One of my old friends from when I used to work at MS said to me, and I quote "With SP2 DCOM apps are fucked". The whole outgoing TCP connections limitation is going to cause a lot of issues w/ distributed apps using DCOM and other such things.
This space for rent.
as compared to originating from a floppy/cd/network. This way it warns you that it may not be from a trusted source. I think I've seen this elsewhere - Win 2003 maybe?
I don't think it is so much of a tinfoil-hat thing, as one more layer of warnings against installing applications off the internet.
Most slashdotters know about the safety, or lack thereof, of things on the internet. Grandmama may not.
> How is it that there are plenty of things going wrong?
From the article: "Although 43% said the SP2 installation had gone without a hitch, 49% of those contributing had problems ranging from minor to severe. A few contributors said they had to completely rebuild a system before they could get the update to work."
> Let the extreme P2P kiddies relax the rules manually. On the majority of desktops (not SERVERS) out there, an inordinate amount of outbound traffic is a sign of something bad, like a backdoored spam relay or the machine has been taken over as a DDoS drone.
What is stopping the DDos software from relaxing the rules itself?
MS was aware of that problem and did put out a guide titled "Deploying Windows Firewall Settings for MS Windows XP with Service Pack 2". One option for the computers connected in a Windows domain setup is to implement a group policy to disable or modify the new firewall settings across the domain.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
Could it be because nmap IS an attack tool?
A gun in the hands of a policeman generally helps our society be a safer place. The gun in the hands of a criminal generally does the opposite.
It's simple, nmap is just like a gun. One key difference - the Geek Lobby is nowhere near as organized or influential as the NRA.
The living have better things to do than to continue hating the dead.
I enjoyed this comment posted way down on the linked page.
--
SP2 destroyed my midget porn collection and made me so gay I moved to San Francisco.
Posted by: phil kaplan at August 12, 2004 12:07 PM
--
I'm sure we'll be seeing a lot more people moving to SF now as everyone installs SP2.
LOL!
Exactly what about SP2 makes moving to Linux unrealistic? SP2 is a needed update to an already good OS but it's not some sort of revolution, and not something that I can see that would prevent someone from using Linux if indeed they really wanted to 'move beyond Windows.' Incidentally, when I wanted to try something new, I built a machine out of used parts and ran linux and windows, and I still do, so once again, what about SP2 precludes using Linux?
"I use a Mac because I'm just better than you are."
I bet most of that can be chalked up to simple carelessness in installation. Simple things that people should do, but may often not, are closing all applications, temporarily disabling the on-access scanning of their anti-virus software, and also temporarily turning off a 3rd-party software firewall if possible. Worst of all are the crazy people who try to install it over an SP2 beta. They should have the good sense to uninstall the beta service pack first and go back to the SP1 they had before, then install SP2.
GET THEM INSIDE THE VAULT!
I have an eMachines M6805.
Athlon64 3000+ laptop.
I Ghosted my machine, running XP Pro w/SP1.
Slipstreamed SP2 into my XP Pro Upgrade CD.
Restored from OEM CDs.
Upgraded to XP Pro SP2, and then the problems started.
-Star Wars Galaxies locks up when I launch it.
-Only the FN+F1 and FN+F2 keys work, the rest lock up the system.
-Unplugging USB devices (other than thumbdrives when I stop them) or the power supply lock up the system.
-On shutdown or hibernate, it stops at the end, right where it should power off, and hangs.
The kicker - I emailed eMachines tech support.
I apologize but we can only support the original software that was preloaded on the system. Upgrading the Operating System is already considered as third party software so any type of support will have to come from Microsoft. There is a possibility that the hardware is causing conflicts with the new Operating System and that you may need updated drivers for the devices installed on the computer.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Here's a good impression:
I installed SP2 on three systems, and it worked flawlessly on all three. On my main system before SP2, XP would not allow me to install my SATA driver. I installed the SATA driver when I installed the OS, but once the OS was loaded, it referred to my SATA device as an "unknown device". Attempts to load the correct driver only caused the system to not boot.
I've been living with no driver officially installed for the device, which basically means that all the caching and performance increases that one would normally have (DMA, write caching, etc) for their hard drive were not activated on mine. Now with SP2, it let me install the driver and it booted fine without any problems. As a result, my computer runs twice as fast on almost every application and about 20 times faster when using virtual disk drivers (www.jetico.com) for container file encryption.
Their security center which monitors antivirus, firewalls, and automatic updates, as well as their HUGE automatic update selection box on startup are all good things too. I worked at a helpdesk for 6 months and 90% of the problems were users who had automatic updates turned off or set to install on notification (which they never selected).
Overall I've been very happy with it.
-=Lothsahn=-
All these people are supposed to be reporting major problems, yet the links point to sites with mostly positive reviews. Not to mention, I've been running SP2 since RC2 with not a single problem whatsoever.
:)
Slashdot and its juvenile broken window graphic just wanted a FUD article to meet the daily quota for the garish-looking IT section.
> It's worth noting that I've never borked a windows box installing a service pack, all the way back to win 95. On the other hand, I've lost track of how much time I've spent cleaning up after typing "emerge -uD world". I thought I'd mention that so I can ensure I'll be modded troll. It's true, though, I swear it.
Perhaps your sysadmin skills are lacking. I've never had an issue with using 'emerge --pretend -uD world' to see what will be changed, looking at the release notes for the new versions, and emerging the things I should upgrade. Not only that, but I imagine you're one of those people who like to auto-merge the /etc files. If you make any config changes, that's a big no-no.... =)
The fact that a M$ service pack (which replaces M$ only software) can blow up some systems here and there (one of the reasons why they added system restore points to service pack installations) just gives you an idea of how hard it is to maintain the Windows operating environment. I feel sorry for the M$ developers that have to deal with dll hell and have to worry about retaining ancient compatibility with old libraries..
They should allow an 'expert' SP install that lets you pick and choose what portions of the service pack you'd like to install. *shrug* I'm just a control freak
Just when you make it idiotproof, some idiot builds a better idiot.
You really only hear on the news about the cars that crashed, the people who were injured and killed. You rarely hear about the thousands or millions who managed to drive to and from work safely.
I think it's the same here. Sure there might be people who think SP2 did the best thing for their computer ever. But I imagine it's either... "it didn't break anything", or the range from "slowed me down" to "crashed everything".
Sure, I'm interested to know how many people had more problems, but I'm much more interested to hear what problems there were.
And don't forget that people who can't send in reports after applying XP SP2 are too, to some extent, self-selecting.
Exactly. In linux that would require a root password to let the user know something like that is being altered. So far, I don't see how these measures will protect the user from malicious software they download.
Before SP2, windows was a broken door. Now it's a broken door with a "do not enter" sign.
XP SP2 breaks nmap
Your opinions are suspect, however, and the validity of your information is uncertain. As I mentioned on a previous occasion, I wonder if you are a MS employee working to offer favorable comments about MS and unfavorable comments about FOOS. Who knows?
Not everyone who says something good about Microsoft is some kind of shill or plant. Microsoft is a big company. They do some things right, they do some things wrong. Personally, I believe that the harm they do greatly outweighs the good, but others are entitled to their own opinions without being insulted because they express them.
-All that is gold does not glitter - Tolkien
www.ra
Typical linux user response, "you're an idiot." Blaming the user for running this command which the handbook (as in RTFM) says to do is hypocritical. Blame microsoft when some fucktard installs gator, but blame the user when portage screws things up.
I use emerge -p for doing this too, and I'm very cautious because I've read how this command can bork your system. And unless I've manually changed one of those config files myself, I don't know what they all mean or what the differences will make when etc-update changes them. I've heard dispatchconf takes care of this though. But my point is that he did what the manual said, and it borked the system.
Something can be overall workable even with a slew of minor issues. Windows has a history of this.
A better example is my Linux (Debian and SuSE) environments. I am very happy with them even though there are plenty of bits and pieces I'd like to see improved / fixed.
I thought it was stained glass, too, or some semiprecious stones... thought it looked nice, actually, like some old jewelry.
But after reading the comment, I popped it into photoshop and blew it up... it's definitely broken glass. Probably if you were surfing at 800x600 or less, or on a mac where the screen is brighter, it'd be pretty obvious.
How hard would it have been to enclose that URL with the ?
& A2=ind0408&L=ntbugtraq&F=P&S=&P=28 86
http://www.ntbugtraq.com/default.asp?pid=36&sid=1
My other car is first.
Many, many users are reporting problems with SP2 limiting outbound TCP/IP connections. This appears to be nailing anyone who makes heavy network use of their machine, including especially users running P2P applications.
This is what is supposed to happen, the firewall is turned on now by default, and from a security standpoint this is a good thing.
Microsoft famously get criticised for slack security and when they try to do something about it they get it even worse.
I wouldn't mind so much but this is a tech website yet the poster wrote this up in a way that made the concept of a firewall as something alien.
People may well be having problems, I don't know, but it sounds like what is happening is that the less clueful are running an app, getting asked if they want to unblock it and don't know what to do. Pretty soon they will learn what it all means and life will continue pretty much as normal.
Anyone else have this problem or know how to fix it?
Other than that, it seems fine. Some good new options (and by new I mean newly copied from Mozilla) in Internet Explorer.
"Luck is the residue of design" -- Branch Rickey
FWIW, SP2 breaks Aladdin hardlock drivers on AMD64 machines but not Athlon XP. It has to do with Hardware DEP in the AMD64 chips. I changed /noexecute to /execute in boot.ini. Problem solved.
http://www.ealaddin.com/hardlock/default.asp
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx
How about M$ spending some money to develop an installer that does that for you?
If you're shooting for the lowest common denominator like Windows does, you need to understand that 'mom & pop' are your 'lowest' and don't have a clue how to turn a firewall or virus checker off. Do it for them to prevent problems.
Seems like something they should have figured out about a decade ago...
There are two types of people in the world: Those who crave closure
From the article:
How do I resolve these issues?
Stop the application that is responsible for the failing connection attempts.
Me: "Mr. Goodwrench, my car makes this horrible knocking noise and it will only go 40 miles per hour. What do I do?"
Mr. Goodwrench: "Stop driving the car."
Read my keyboard review.
I have had problems already with the 10 socket limitation. Is there a way to disable this limitation, or must I revert back to SP1?
-fb Everything not expressly forbidden is now mandatory.
http://www.lvllord.de/4226fix/4226fix-en.htm That link won't work directly with the slashdot referrer, but click on a few links to take you to a patcher that will patch tcpip.sys to whatever amount of connections you want (use /l= on commandline).
49% of REPORTERS!
That could in reality be 2% of the entire installed base.
Saying "49% of the people that installed it are having troubles" is the biggest piece of FUD evar.
MS has NOTHING on you guys in the lies, lies and more lies dept.
I hope to have a patch restoring functionality within a couple days, but a workaround is available now. Try adding the --win_norawsock option to your Nmap command-line. That tells Nmap to avoid raw sockets and use the workaround that Nmap uses for systems like Win98 that never supported raw sockets in the first place. Several people have confirmed that Nmap works again for them now, as long as they use that option.
While I commend Microsoft for some of the real security improvements in SP2, limiting raw sockets like this is misguided and harmful. As this workaround shows, there are still plenty of loopholes for sending packets. If that continues, worms and virii will simply use the same techniques. Alternatively, if MS continues to cripple Windows until security scanners can't function, Windows users lose as well. While they won't be able to scan their own systems and networks for vulnerabilities, attackers on superior systems will suffer from no such limitations.
MS should focus on securing the system against compromise in the first place (through more timely patching, limiting services available by default, code auditing, privilege separation, etc.) rather than crippling the system for legitimate users. Linux and *BSD offer full raw sockets, and yet they haven't become the haven for viruses and worm propagation that Windows has.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
Control Panel -> Add/Remove Programs -> Windows Components -> Networking Services -> Peer-to-Peer "Enable Peer-to-Peer Networking Services."
Photoshop 5.5 won't work with SP2 - at least not for me. Just sits there on the startup screen.
Many of these functions are new for SP2, for example the InetFWAuthorizedApplications interface has a method to add a new application as "Authorized." Similar APIs allow the opening of ports, etc. (And most of these say "Client: Requires Windows XP SP2," which indicates they were newly added.)
Here's my question: What's to prevent programs from simply adding themselves as authorized and opening the ports they need? After all, if the Firewall control panel applet can do it, can't any other program? And since many, many XP users run all the time in the "Administrator" group, can this somehow be blocked?
Is it time for Microsoft to make a new "Super Administrator" level and start putting certain critical things (like changing the firewall) as needing that security level?
Now I need to write a program to see if my XP box won't indicate if I authorized myself and open up a port....
Best Buy can have you arrested
Microsoft has the wrong end of the stick here. Rather than trying to reduce the number of ways that PCs can become infected, they're trying to reduce the damage that malicious software can cause. They've done this before, and tripped up... they modified Outlook so that programs couldn't as easily get to the Outlook address book... and what happened? Well, what happens when you want to sync your PDA?
Before they spend ONE MORE DAY on this kind of kludge to limit the utility of the OS, they need to deal with the FIRST stage of the infection. They need to remove the dangerous coupling between programs through the Microsoft HTML control, so that you don't have every program that registers a handler... even for *local* file access... suddenly becoming a potential attack point.
The problem is - Windows doesn't need to be a Linux killer, it just needs to be "good enough" to keep people from looking for a new solution. I look forward to Linux having a much greater share of the desktop market, and I'm sure that one day it will. It just feels better to run. But in the meantime, if people have fewer compelling reasons to switch, they're not going to switch just for the hell of it. Linux needs to be a Windows killer.
I have no use for windows firewall, being offline,
but sp2 turned my whole network into bubblegum with its rate-limiting tcpip.sys bug. A lot of expensive paperweights, here.
-I like my women like I like my tea: green-
This seems to me like "automate it because lusers don't know better" dogma. While that does apply in situations such as applying periodical security patches or updating anti-virus software, which should be automated, it can't be applied in this case.
Find me 3rd party firewall or anti-virus software that can be turned off by an installer program, and I'll bet you it could be turned off just as easily by a virus. It would defeat the purpose of having such software. Many applications will bring up a "do you want to save changes" when there's a modified document open. Would it be better for the installer to force the app to close and lose unsaved changes? I think not.
I would agree that the installer should include an on-screen warning to close all programs, turn off AV and firewalls, and not to install over a beta version. Such a warning would probably get a lot more people to do it right, and if they didn't know how to do some of those things, to hold off installing until they figure out how. Doing it for them, however, wouldn't work, and if attempted, would probably create many more problems than it would prevent.
GET THEM INSIDE THE VAULT!
It's been a while so I might have the numbers wrong...NT 4 SP4 was issued to fix NTFS which was horribly crippled by NT 4 SP3. I suffered through that.
Um, I got news for you: NT4 was released around 1996. The service pack in question was released prior to the year 2000. The product you're speaking of isn't available for sale, isn't current, and isn't even officially supported any longer. We're more than halfway through the year 2004. Isn't it time people quit judging the quality of Microsoft software by what happened almost ten years ago? Would it be fair if I judged Linux's fitness for a particular task based upon a bad experience I had with the 1.x kernel back in 1997? No, but I constantly hear Slashdotters harp about how awful Win95/NT4 was and how nice Linux kernel 2.4/2.6 is when Linux clearly has the benefit of several more years of development under its belt. If you're going to castigate Microsoft for something, castigate current products by comparing them with current alternatives. Doing anything else is comparing apples to oranges.
If such stuff came from Microsoft, it'd be called FUD, but since it comes from Linux lovers on Slashdot, it gets modded +1 Insightful. What a way to be fair and unbiased, huh?
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Nope. Didn't read the article? It's not even about blocking or unblocking a port at your firewall.
It's about two things: raw sockets go bye-bye, and TCP/IP stack based limits to simultaneous outbound connections:
"The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:
* TCP data cannot be sent over raw sockets.
* UDP datagrams with invalid source addresses cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped."
Also, "The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts."
Please note that this last is *not* the firewall, but the TCP/IP stack.
Ha, ha, obnoxious Microsoft apologist. When *your* software starts failing under your spiffy new Microsoft patch, come back and tell us all about it, OK?
--
make install -not war
Contrast the following two comments from your response:
Perhaps your sysadmin skills are lacking. I've never had an issue with using 'emerge --pretend -uD world' to see what will be changed,
and
The fact that a M$ service pack (which replaces M$ only software) can blow up some systems up here and there (one of the reasons why they added system restore points to service pack installations) just gives you an idea of how hard it is to maintain the Windows operating environment.
So, if someone messes up a Linux "service pack" application, they're an idiot and Linux shares no blame, but if they muck up a Windows box, Microsoft is totally to blame. Yup, that makes all the sense in the world...if you're a Linux zealot.
I feel sorry for the M$ developers that have to deal with dll hell and have to worry about retaining ancient compatibility with old libraries..
I'll remember that next time I can't get an RPM to install due to dependency hell. That's just so much more fun than DLL hell, isn't it? Sure, I can mitigate that with apt-get and Synaptic package manager, but likewise Windows DLL hell hasn't existed in a long, long time due to built-in Windows DLL version control. Again, you're judging current Microsoft products based upon what they were producing almost ten years ago. Clearly you have no idea whatsoever about how much improved Microsoft's current product line is. Perhaps you should research the things you're criticizing before you criticize them.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
...not at all, it's not like everybody has more than one working machine in case one of them is screwed (and I can hardly see them going to the nearest cafe for the report; most likely they'll have their system restored, curse loudly, but it'll be too late for them to want to do anything). Judging by previous articles, that can be quite a few...
Psst. File Traders. Yes, you. Get some old Pentium machines (you can get these for free, since people can't run new games on them and are throwing them away - Pentium2 300 works fine), take memory from several of these, and concentrate it all on one machine so it has some 128MB of it. Then install a silent power source and a big, silent hard disk, install Debian GNU/Linux, VNC, xterm, all the fonts and sshd.
Now you have a silent server machine, which can run several P2P clients at once (Gtk-Gnutella (for Gnutella) and Lopster (for OpenNap) in the VNC, Mldonkey (for eDonkey) from console (use nohup) with the Web Interface, and BitTorrent (btlaunchmany.py) in a "screen" session), Leafnode for newsgroups caching (so you don't need to keep on checking your news server daily), and if you install Samba you can mount your download dirs as network shares from Windows.
There's even a program which automatically downloads pictures from Usenet News and shows them in a web gallery (automatically parsing the original messages to add initial keywords, of course) but that's still in early alpha and not publicly available (it can't handle multipart binaries yet, and yenc decoding in pure Python is pretty slow - but it's getting there).
Just remember to firewall the machine from the Internet to keep out uninvited guests, and only open those ports that you actually need.
And you never need to worry about connection limits again ;).
The only thing it can't really run is Freenet - that darn bunny eats memory more than Ryo-Ohki eats carrots :(.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
yeah, Linux is secure in this regard only because it limits raw socket connections to root. If XP Home had such a concept (don't forget this is for home users), then they could restrict it in the same way.
As it happens, this only applies to "puts limits on outbound incomplete TCP connections" which is like preventing you from getting killed in a traffic accident by ensuring you can only drive 1 car at a time.
I know, I read them too. Those are mostly technical folks who know what they're talking about. I also read the ones on Microsoft Blog, though. Here's a good example:
I think this just proves that idiots and beta software don't mix. =)
GET THEM INSIDE THE VAULT!
So, if someone messes up a Linux "service pack" application, they're an idiot and Linux shares no blame, but if they muck up a Windows box, Microsoft is totally to blame. Yup, that makes all the sense in the world...if you're a Linux zealot.
Way to quote me out of context.. The parent was complaining about 'emerge -uD world' killing his system. I said he was a lousy sys admin for not checking what he was installing; a precautious (good) sys admin will only upgrade what is needed regardless of what platform you're administrating.
Microsoft should be blamed for faulty service pack installations as they don't allow you to pick and choose (as far as I know) which portions of the service pack you'd like to use. (If they do, then.. I'll bite my tongue and retract that statement.) If I don't want to cap my incomplete TCP sessions (for whatever reason), then I won't install that particular update.
If you're worried about RPM dependency hell, go download rpmfind (or use the two other solutions you suggested in your post). My statements are based off of the general bloaty-ness of the OS. Do we really need progman.exe, mplay32.exe, grpconv.exe, etc.. in the latest releases of Windows XP? Do we really need Windows 95 compatibility 9 years later? Like I said, if I were an OS developer at Microsoft, I'd be pissed off that I have to keep all of that stuff from 10+ years ago in my final product. Hopefully Longhorn will have most of that stuff trimmed down...
Just when you make it idiotproof, some idiot builds a better idiot.
We're more than halfway through the year 2004. Isn't it time people quit judging the quality of Microsoft software by what happened almost ten years ago?
Don't peruse the post...read for comprehension. The person posted that they were holding off on applying the service pack because it might break stuff, and I said I had been doing this for ten years and could only produce one example, and all I took from it was that you should test first. I did not say "don't apply the service pack"; read the post and you will also notice I have been running XPSP2 since its beta. Don't call me Linux lover either; I use the tools for which I am paid, Linux is only one.
That does not solve the problem. That is the number of connections, not number of incomplete connections, completely different. Please mod parent down.
I.O.U One Sig.
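The distinction drawn in the quoted documentation and in the last comment above (a cap on incomplete outbound connection attempts, not on connections) can be seen in a toy model. This is an added example, not code from the thread or from Microsoft; the class and function names are hypothetical, the limit of 10 is the figure quoted in the thread, and queueing excess attempts (rather than refusing them) is an assumption of the model.

```python
from collections import deque


class HalfOpenLimiter:
    """Toy model of a stack that caps *incomplete* outbound TCP connects.

    Assumption (not from the page): attempts over the cap are queued and
    start as soon as an earlier attempt completes or times out.
    """

    def __init__(self, limit=10):      # 10 is the figure quoted in the thread
        self.limit = limit
        self.half_open = set()         # SYN sent, handshake not finished
        self.established = set()       # handshake finished; never counted
        self.queued = deque()          # attempts waiting for a free slot
        self.limit_hits = 0            # how often the cap was reached

    def connect(self, conn_id):
        if len(self.half_open) < self.limit:
            self.half_open.add(conn_id)
        else:
            self.queued.append(conn_id)
            self.limit_hits += 1

    def _release(self, conn_id):
        self.half_open.discard(conn_id)
        if self.queued:                # a freed slot admits one queued attempt
            self.half_open.add(self.queued.popleft())

    def handshake_done(self, conn_id):
        if conn_id in self.half_open:
            self._release(conn_id)
            self.established.add(conn_id)

    def timed_out(self, conn_id):
        if conn_id in self.half_open:
            self._release(conn_id)


def responsive_peers(n, limit=10):
    """Peers that answer: each handshake finishes before the next connect."""
    stack = HalfOpenLimiter(limit)
    for i in range(n):
        stack.connect(i)
        stack.handshake_done(i)
    return stack


def silent_peers(n, limit=10):
    """A burst to hosts that never answer (dead peers, unused addresses)."""
    stack = HalfOpenLimiter(limit)
    for i in range(n):
        stack.connect(i)
    return stack


def rounds_to_drain(stack):
    """Count timeout rounds until no attempt is left in flight or queued."""
    rounds = 0
    while stack.half_open:
        for conn_id in list(stack.half_open):   # snapshot: set changes below
            stack.timed_out(conn_id)
        rounds += 1
    return rounds
```

In this model 200 connections to responsive peers never touch the cap, while 200 attempts to silent hosts leave 10 in flight and 190 waiting, which is why the limit is felt by scanners, worms and clients with many dead peers rather than by software holding many completed connections.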