Microsoft Lists SP2 Incompatibilities
thejuggler writes "ZDNET has a story about how the new XP SP2 causes conflicts with over 50 applications and causes problems with others including some of Microsoft's own products. The 'glitch' as they are calling it seems to be that the Windows firewall system is turned on by default and blocks unsolicited connections to your computer. You have to unblock certain ports as your applications require to make the apps work again. They are calling this a glitch, but I thought we wanted everything blocked by default so we would have to choose what was unblocked?" The BBC has a story as well.
I've not seen it mentioned anywhere, so maybe it's just a drive incompatibility issue, but when I installed SP2 RC1, I could no longer play DVDs - I would receive an error telling me that the TV OUT on my card must be disabled first. I rolled back to SP1 and bingo, everything would play fine again.
I snickered when I saw that list earlier today. Most of them are broken due to closed ports. Duh. Why not list every application that requires certain ports be open?
Any firewall can break any piece of software if it requires a port that is blocked.
Windows XP
Wouldn't they have found these "glitches" earlier, via the SP2 beta testers?
"They are calling this a glitch, but I thought we wanted everything blocked by default so we would have to choose what was unblocked?"
Yes, so this is a transition. You'd expect issues because there is change.
Change from what? Now that's another story.
Change to what? Much more interesting story...
If Windows lacks one thing, it is not the unavailability of alternatives. Only 50... pfft
did you forget to take your meds?
From the Microsoft compatibility list: "Nero Bruning ROM 5.5.6 Ahead". I always wanted to brun some CDs for myself.
I think it would be quicker if Microsoft would just list Microsoft XP Service Pack 2's compatibilities. This list would be shorter, and that is the truth.
Looks like the Doctors at Microsoft have their hands examining their own balls with this one... get it? Shoot me now.
"For some programs the list of instructions involves finding and opening ports used by programs to make sure they can communicate via the web.
For average users, these instructions could prove formidably complicated."
Has MS just lost it?
Lord knows CodeWarrior's IDE activation is flummoxed by SP2... Dave
Sounds like the MS solution is much the same. I feel much safer since I have no firewall, but it sure is a pain if you want to do a CIFS share or use IIS at all. You have to deal with opening every port "by hand".
I'm not really a network guy but I can get things to work. I would think that the average (naive) Windows user will never figure out how to configure something like this.
They're forgetting about all the worms, trojans, and viruses that are going to need to be rewritten to exploit new backdoors in the OS.
:(
Those poor hackers...
This doesn't surprise me one bit. We all knew that it was going to cause problems for some programs. The funny part of all this is that there are a lot of MS programs on the list, as well as almost every well-known anti-virus and firewall program.
Everyone has a photographic memory, some just don't have film.
"Star Trek StarFleet Command III"
lol.
Even though Microsoft is doing the "Right Thing", a majority of average (below average?) users will complain until MS is forced to set the firewall to disabled by default. It's sad, but true.
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
Intel Landesk (an MS SMS competitor) also has issues when SP2 is installed. But why would MS care about that? According to them everyone should be using SMS.
Consensus is good, but informed dictatorship is better
I'm not entirely happy with the popup blocker they've included, as it doesn't seem to be that configurable. However, the idea of blocking unsolicited ports is by no means a bad thing.
The vast majority of PC problems these days are rooted in the fact that most users are lazy, and don't want to be bothered with details. Perhaps they can read tax forms, but a simple Windows dialog? Forget it.
If users can't muster up more than an ounce of effort to secure their PC, they shouldn't be using one. Just as a driver needs to make sure their car is roadworthy, PC users need to be sure that their systems have at least some rudimentary method of protection. It's just not that hard, and it's not too much to ask.
If computer users can't manage to get their heads around simple dialogs (which SP2 questions pretty much are), they deserve the trouble they get... perhaps them being offline would reduce the spam & DDoS zombies.
I suppose wishing those people offline is a fantasy, but it certainly would help reduce the idiot factor on the net.
Don't worry, all the bugs will be worked out... ...in Service Pack 3.
Do any of you actually use Windows Firewall anyhow? I've got no compatibility issues whatsoever because I'm using a hardware firewall in the first place, meaning SP2's default firewall was turned off rather quickly.
Nothing disturbs me more than blind loyalism towards some unrealistic and over-idealistic notion of one's nationality.
... people have spent years complaining about Microsoft security, Microsoft don't change anything because they claim it will break stuff.
Microsoft folds and implements some security features which inevitably break things... then everybody gets upset.
You can't have it both ways.
Is there a way to install Gentoo other than typing every command by hand?
Until someone logs into your network behind your firewall with an infected machine... If you ever have LAN parties or have a wireless network, you're exposed. Null
Seriously, this is an optional service pack. It hasn't really been out long enough to consider seriously deploying it on critical machines. Just give some time for the apps to catch up, and sometime in the future this will be a non-issue. On the other hand, shame on the developers for not testing their apps with the release candidates to work out any bugs.
...who wonders why their firewall/network stack architecture would require an inbound port to be open for an application to work (unless it's a server program)? I know that under *nix systems there is the loopback device (lo) for "pseudo" network traffic that is only meant to go from the localhost to the localhost. Does MS Windows not have this? If they have this, why would they block traffic on it by default?
And if some programs need the ports open to the internet to work, isn't that just an indication that the firewall is not tracking connection states, thus not recognizing an inbound packet as a response to communications initiated from the localhost?
Someone please explain to me how the Windows network stack/firewall could seem so broken???
Space for rent, inquire within
Microsoft Corp of Redmond, WA has filed an antitrust injunction against Microsoft Corp, also of Redmond, WA, for deploying 'Service Pack 2' - a cumulative update for Windows XP users, which has been shown to be incompatible with Microsoft's Visual Studio and Outlook.
Good! at long last all those applications that want to phone home are getting busted. WTF is an application doing opening ports on the localhost anyway?
You just decide to implement a 100% turnaround in how your OS policy worked before (without making a big deal of it, of course... I'm sure it was documented somewhere). This is almost akin to "Oh yeah, and XP only reads DOS partitions now... er, again... er, yeah, just like you wanted!". This blunder is complicated by MS applications not always documenting what ports they are using, because that's proprietary information, and of course you can always buy the product and ask the licensed technical support.
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
For those of you that installed it, like I did: do you feel serviced or packed? Thanks, Bill.
BTW, at least it uninstalls clean. I think.
nos laetus epulor qui would domito nos
about this is: "A Web server such as Internet Information Services (IIS)"; "Remote Desktop". Those will be blocked. Microsoft servers will be blocked by Microsoft software solutions. I'm super enticed to update my system now.
~~par
At the top of the list was Visual Studio .NET. Are you kidding me? Their new software "concept" that's going to revolutionize everything can't be created using a computer running SP2? Does this mean .NET is inherently insecure, or just this remote DCOM debugging? I'm ignorant on what that is, so my point won't be to spread FUD about .NET, just to say "what the shit?"
It seems to me that when a company spends this much time working on a service pack they can't yell down the hall for the .NET guys to make a patch for SP2. Even if they made a patch, they should have put it in SP2 as an option. It seems like poor management to surprise people that even their own software won't work with SP2.
I still commend Microsoft for closing those old holes and throwing perfect compatibility to the wind in this case. Sometimes you just got to bite the bullet and focus on new security. Hell, look at OS X. IIRC, Photoshop didn't work initially with OS X, but Apple had the balls to let OS X create the demand.
Now that last statement may sound contradictory, but notice that Apple doesn't control Adobe, whereas Microsoft controls Microsoft.
If I don't know how to open up ports on a firewall, or even what a firewall is, how the hell am I going to figure out how to install Gentoo?!?!?
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Then again, maybe I misread it; not impossible at all after spending just a few seconds exposed to the IT section's blinding colors.
The revolution will not be televised.
These same (below) average users are the kinds of saps that are locked into Microsoft platforms merely because they are too lazy, naive, or both to use a different platform. If Microsoft says that the firewall will be enabled by default, the users will deal with it, because they don't have a choice.
It would be more likely that application authors will start including tools in their installation wizards for opening ports the application needs.
The sad thing is, any app could easily get past the firewall with a bit of social engineering. I saw a popup on a Windows machine infected with some ad/spyware today. The window started an automatic download (and thus, on Windows, install) of some app. The page showed a picture of the security warning dialog and told the user to just click Yes. Which is actually what most users will do, because they don't know any better, because nobody has taught them.
I'm curious, did RedHat do any QA testing with RHEL3 before releasing it this way?
And would they even know if 50 applications broke and, if so, which ones?
Just imagine the list of software that would be on its incompatibility list.
"I use a Mac because I'm just better than you are."
No more Starcraft??? I can't live without Starcraft. :) I will stick with Linux and WineX... It goes faster and better in WineX anyway...
Sourdia Rulez
You know what happens when SP2 blocks a connection via the firewall? It lets you know. It also lets you take the option of unblocking the program straight away. I had this problem with X-Wing Alliance and Unreal Tournament 2004. When no servers came up, I thought it was my connection, but a quick alt-tab reveals that Windows has a pop-up that actually informs you that it's blocked the game/application. So, don't be too quick to bash. Turning the firewall on by default is a good idea. I mean, why don't you go bash ZoneAlarm or a similar firewall app? It blocks all access by default, and "learns" as you use your computer more, and that's all the SP2 firewall is trying to do.
What is this a MSDN forum? No M$ bashing tonight? Well let me throw the first stone then...
Obviously, if the Windows architecture was better designed overall (including application design guidelines) there would not be such incompatibilities. My Linux applications do not break down if I have iptables up.... Then again, the SP2 firewall is stateful (at least according to this...), so the issues cannot be egress connections.
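The distinction the last two posts and the Unreal Tournament post above keep circling, unsolicited inbound connections dropped while replies to connections the host opened are tracked as state, plus a prompt that asks once per blocked port, as an added Python model that is not from the article, Microsoft, or anyone in this thread; the addresses, ports and the prompt-once rule are assumptions made for the illustration, not a description of the SP2 implementation:

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """One TCP segment, reduced to the fields a packet filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # True for a connection-opening segment
    inbound: bool = True  # direction relative to the host running the filter


@dataclass
class HostFirewall:
    """Hypothetical host firewall: stateful for outbound, default-deny inbound."""
    local_ip: str
    # user answers for local listening ports: True = unblocked, False = keep
    # blocking; once a port has an entry the user is not prompted again
    decisions: dict = field(default_factory=dict)
    # flows this host opened itself: (remote ip, remote port, local port)
    _flows: set = field(default_factory=set)
    prompts: list = field(default_factory=list)  # ports the user was asked about
    log: list = field(default_factory=list)

    def decide(self, port: int, allow: bool) -> None:
        """Record the user's answer to the 'unblock this program?' prompt."""
        self.decisions[port] = allow

    def process(self, pkt: Packet) -> bool:
        """Return True if the segment is passed, False if it is dropped."""
        if not pkt.inbound:
            # Outbound traffic is not filtered in this model; a new outbound
            # connection is remembered so its reply is recognised as solicited.
            if pkt.syn:
                self._flows.add((pkt.dst, pkt.dport, pkt.sport))
            return True
        if (pkt.src, pkt.sport, pkt.dport) in self._flows:
            return True  # reply to a connection this host initiated
        if self.decisions.get(pkt.dport) is True:
            return True  # a listener the user explicitly unblocked
        if pkt.dport not in self.decisions:
            # first unsolicited hit on this port: ask once, block until answered
            self.prompts.append(pkt.dport)
            self.decisions[pkt.dport] = False
        self.log.append(f"drop unsolicited {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return False


def scenario() -> dict:
    """Walk the cases argued over in the thread; returns pass/drop per step."""
    fw = HostFirewall(local_ip="192.0.2.10")  # constructed TEST-NET addresses
    r = {}
    # A game client dials out to its server; the server's reply is solicited.
    r["client_out"] = fw.process(
        Packet("192.0.2.10", 51000, "198.51.100.5", 27015, syn=True, inbound=False))
    r["server_reply"] = fw.process(Packet("198.51.100.5", 27015, "192.0.2.10", 51000))
    # A remote host connects to a local web server: unsolicited, so dropped,
    # and the user is prompted about port 80.
    r["web_first_hit"] = fw.process(Packet("203.0.113.7", 40000, "192.0.2.10", 80, syn=True))
    # A second hit before the user answers: still dropped, but no second prompt.
    r["web_second_hit"] = fw.process(Packet("203.0.113.7", 40001, "192.0.2.10", 80, syn=True))
    # The user unblocks the web server; the next connection passes.
    fw.decide(80, True)
    r["web_after_unblock"] = fw.process(Packet("203.0.113.7", 40002, "192.0.2.10", 80, syn=True))
    # A segment that looks like a reply but matches no flow this host opened is dropped.
    r["stray_reply"] = fw.process(Packet("198.51.100.5", 27015, "192.0.2.10", 51001))
    r["prompts_for_80"] = fw.prompts.count(80)
    return r


if __name__ == "__main__":
    for step, passed in scenario().items():
        print(f"{step:18} {passed}")
```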
yeah...this is kinda lame.
Sounds like people are trying to find as much fault in Microsoft as possible. It looks like most of these aren't even problems but are something that Microsoft bashers can use to fuel their fires. As I'm sure many posts have already pointed out by the time I post this, a lot of these problems are just because of closed ports.
I'm sorry, but I'd almost have to call your post a "troll" - even though you're not necessarily wrong about everything you said....
Realistically, how is a Linux distro like Gentoo a real "alternative" at all, for the average PC user wanting a "workstation OS" that runs all of their purchased "off the shelf" software packages??
Just as one little example, a good friend of mine recently wiped Windows XP off his Dell Latitude laptop and replaced it with the latest Gentoo Linux distro. He could only stand it for about 3 days before deciding it just made his laptop *less functional* than it was worth, and went back to XP.
It's not that he dislikes Linux! He thinks it's great! (So do I, for that matter.) It's just that Linux is based on a *server-centric* OS (Unix), and all the attempts to reconstruct it as a desktop workstation OS with user-friendly GUI are less than fully realized.
I'm all for competition, but as much as some people want it to be, I don't think Linux is really the direct competition for Windows XP right now. If anything, it's poised more as a sensible alternative for something like Windows 2000 or 2003 Server.....
If you want a Unix type OS done right as a workstation, I think Apple already pulled it off better than anyone else -- but that's getting into a whole new hardware AND software investment.
Microsoft finally implements it, but does so in a manner which blocks everything having to do with, including normal usage of, the products of EVERYONE EXCEPT MICROSOFT.
Dude, did you even read the list of problem apps? Many of the programs on it are from, uh, MICROSOFT.
Look at the list, notice all those MICROSOFT products on it? Good, now shut up and go back to your hole.
> even if you buy something like Norton Internet Security it will prompt you to set up every program the first time it is run.
The instructions don't say "Sometimes, when Windows Firewall blocks a program the first time..."
If you choose to block it, it's not going to ask the next time the firewall blocks it. So technically, MS's statement is correct.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
EVERYONE EXCEPT MICROSOFT.
Not exactly true, you'll see some Microsoft products (Office, Outlook) listed on there as well.
Because Microsoft implemented it badly???
Let's say your neighbor has this big ugly tree hanging over your property. And occasionally, for years, you ask him to do something about it. And then one day he comes out with a chainsaw and cuts down the tree in such a way that it falls into the side of your house, destroying a wall. When you complain to him about this, he says "What? I only did what you asked me to!". How do you feel?
Awww, look. What a novel idea for a Slashdot post, in a MS bashing article of all places!
I am shocked! Shocked, I tell you!
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Perhaps Windows Firewall is intelligent enough to remember that it just told you about this 3 seconds ago.
Take a look at the list of 'broken' apps, go read what a firewall does, then look at the list again. Firewalls break things that are used to having unrestricted access. That's a fact of life, so get used to it. Changing security settings in an OS breaks things; get used to it. People can whine all they want about how their favorite game is broken by SP2, but the blame lies with the developer of that game, not MS; they shouldn't have made a game that handled network connections in such a sloppy manner.
"I use a Mac because I'm just better than you are."
Turning on the firewall by default is a design for newbies, and rightly so.
My mother doesn't know what a firewall is, never mind how to switch it on.
Those who know what it is, and how to configure it, will be able to open the required ports or allow the required programs access to those ports.
The clueless might not be able to use some programs, but if that means viruses and worms will not spread as much as before then it's something I think we all can live with.
Seems to be a hell of a lot.
(i.e. "broken"!)
So, everyone is whinging that the firewall included with XP SP2 is WORKING?
The 'glitches' listed in the KB articles would be affected by any end-user firewall, or hardware firewall on the market. To bash MS for this is counterproductive. They have done the right thing in enabling it by default. If you want to run a server, you ought to be smart enough to figure out how to configure your firewall. If not, then it's better for the net as a whole; you are the type of person still spreading Code Red.
IIRC, Microsoft did the same thing with a service pack for NT 4, adding new features that broke existing systems. Didn't they learn? Why isn't the service pack limited to fixes? Why couldn't they throw the firewall in an Option Pack? At least I know I'll never use XP again.
Or follow the freaking instructions to turn off the firewall...
Really, I hate MS as much as the next /.er, but really, don't you think you're being just a little too cynical about this?
...turn their firewall off and use a NAT router.
You're using her as bait, Master!
How dare they?
O.K. So I didn't read it closely, but this is /., come on. I don't need knowledge to spout an opinion I didn't have 49 seconds ago.
At present, if you want other ports to open, other than these default services, you have to open the ports manually. However, I would imagine this coupled action is handled by some .plist XML configuration file. So it's probably possible for an application to add its own services to the Sharing menu and have them coupled to the firewall if you turn the service on.
On my Mac I do manually block the incoming and outgoing license manager ports for MS Office. If you don't, and want to share the app on your laptop and desktop, then you will lose any open edited documents if you inadvertently plug them into the same network. I wonder if this license manager is the reason why MS gave the firewall the ability for apps to open ports in the firewall and to have outbound connections?
Some drink at the fountain of knowledge. Others just gargle.
The company I work for issued a statement telling the employees NOT to "upgrade" their computers because of the incompatibilities.
I'm sure there's going to be at least a dozen knuckleheads out of 3000+ who do DL the update. Those are the same ones who call the Help Desk saying, "Hello, I think I just got a virus. (pause) Yeah, I received an email that had an attachment that I didn't recognize, so I double-clicked it to find out what it was. (pause) Ok, I'll shut it down and wait for a tech. Thanks. (click)" Unfortunately, that is an actual conversation I heard over the cube wall...
I'm so glad I work on the UNIX side of IT!
You didn't seem to read the article -
All the problems listed have nothing to do with SP2.
The programs listed don't work because SP2 enables a firewall.
Even if you could get those applications to run under Gentoo, if you applied a firewall, they would also stop working.
Should Gentoo publish a list including all those applications (and all the rest!), publicly admitting that they do not work under Gentoo when an unconfigured firewall is enabled? If not, perhaps you shouldn't be so fast to put the boot into MS.
At least Microsoft went to the effort of advising their customers. That's what is commonly referred to as good customer service.
I am government man, come from the government. The government has sent me. -- G.I.R.
Let's see... just for this application, through putting the version in its own field, in the same field as the application name, and misspelling it a couple of different ways (and varying the version unnecessarily), they've managed to list two separate versions of the application (8.6.1 and 9.1) and somehow come up with 6 separate entries... I think the list is shorter than y'all think...
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
See if you can find your favorite bug on this list!
Best Buy can have you arrested
.. or it's been my complete ignorance of XP knowledge. For some strange reason, during SP2 installation, the installer would complain about atapi.sys being in use, and it couldn't back up the file. I figured "okay, probably an issue with a drive or virtual drive on my system". So, I uninstalled Daemon Tools/Nero/Alcohol 120% (all of which use those virtual drives for emulation) and it still gave me the same error. Even in safe mode, Windows refuses to give access to this file, citing that it's currently in use.
So, if you use any of the above mentioned programs, beware. This update will probably not bode well with the virtual devices on the system. You do have the option to skip the file and continue the SP2 installation. It did go off without a hitch - besides finding that MSOBMAIN.DLL (read: M$ XP activation utility) is apparently corrupted, and now I've got 16 KB of bad sectors on my disk. Hearing two CLUNKS followed by my drive spinning up isn't something I was welcoming during a service pack installation.
Although, SP2 does speed up explorer a little bit, and I've disabled all the annoying fud from the security center. It runs pretty good. No complaints.
Not looking for karma here, just warning you guys of a potential conflict if you're planning on rolling this out on your home machine. I don't think D-Tools/Nero/Alcohol 120% is used too often in a corporate environment.
- Windows is known to have poor security - it's all over the internet
- Windows costs money and the licensing scheme is designed to enslave the user
- Microsoft is a known liar - even under oath. What are they hiding from their users?
If you run a Windows OS and you've ever had your system crippled by a virus/worm/trojan, then there is only one thing to say... That's what you get for running a Windows OS. If you run a Windows OS and have never been troubled by viruses/trojans/worms, then it's only a matter of time.
Did you know:
- Linux has better security - it's all over the internet
- Linux is free. Free to download, run on millions of computers, keep and give away. The license guarantees it.
Download Linux here. See some screenshots of Linux here. Take control of your computer today!
It just fills you with confidence in their network security qualifications, doesn't it? I'm sure their audience won't be too confused (even most online gamers know the difference between "port number" and "number of ports"), but that just makes it even stranger that they hired a technical writer who can't make that distinction clearly.
"If you choose to block it, it's not going to ask the next time the firewall blocks it."
But then it wouldn't be "when Windows Firewall blocks a program the first time".
RTFA please.
The same applications would all stop working if you installed any firewall, hardware or software, router or ZoneAlarm.
This has nothing to do with QA testing - obviously if you enable a firewall, some apps are going to stop working.
Why on earth is it Microsoft's QA department's fault that you can't FTP if your FTP port isn't open on your firewall?
If you think that it really is MS's fault after actually reading the article - then yes, you should be shot. Twice. Darwin save us all.
I am government man, come from the government. The government has sent me. -- G.I.R.
ISPs will take the brunt of this issue on the phones. Once SP2 is released, ISPs will be inundated with calls asking why their software doesn't work. And believe me, those answering the phones will be annoyed. As a former ISP tech, I have had to deal with MyDoom, the SQL worm, and all the huge viruses that hit two years ago. Luckily, there have not been any major viruses released since September of 2002. However, the first people call is always the ISP; it's not because they don't know whom to call, but because they know they can get advice for free.
The whole Service Pack 2 thing here on Slashdot has gone way out of control. You have to stop bashing Microsoft for every single thing they do. This time they tried their best. Yes, it might not work 100%; yes, some things will break, but this is the nature of a firewall, and it's definitely the nature of Microsoft. Would you rather Microsoft hadn't released SP2? I don't think so.
Also, to those of you wise enough to know if you'll have compatibility issues: don't install SP2. It's clearly not for you. This is aimed at the average Joe user who browses the Internet and checks his e-mail. It's designed to stop low-level attacks instead of causing the next Blaster. Just because you are a Geek or a Linux guru does not give you the right to bash this, because it is not for you. There's a reason you're using Linux, right? Better security, etc? Stick with it.
And the final point, a lot of you are complaining about how the average user knows no better than Microsoft, and can't defend themselves against simple spyware. Then for God's sake, please go out and help these people! You wouldn't believe the number of people who come to me to fix their laptops about various problems (mostly spyware and viruses), and I always educate them on the matter. I don't just fix it for them, I make sure they understand exactly what they did wrong, and how never to repeat it. And to those of you who believe that they should be ditching Windows XP for Linux... forget it. It's not for them. They'll have no reason to switch over. You're preaching to the wrong choir. Talk to those who you know will be interested rather than the average user.
Grow up and catch a clue.
I've had these problems with the Windows firewall ever since I activated it on the advice of a newspaper column several years ago (to stop random pop-ups). Finally I get a little attention in the help files at Microsoft, but I always find simply disabling the firewall for the few minutes I needed that specific service to be easiest and most effective, praying that my McAfee firewall covered the rest... But this brings up another issue: it appears to me that very few aspects of this SP are original: a window to organize security functions that all already existed, a pop-up blocker (something that was easily available with most ISPs or the Google Toolbar), and a firewall (that already existed) turned on by default. How much of this 250 MB update is actually original, and why did it cause such a delay?
Man, this really got to me. I followed the MS-suggested fix for allowing remote debugging after SP2 in VS.NET 2003 and, despite the strange screenshots in the MSDN article that didn't even match the dialog windows I was seeing in SP2, I followed all the steps. Still no go, and I had to uninstall SP2 for the time being. While I might have missed something, this doesn't appear to be a simple issue of unblocking the correct ports.
small flowers crack concrete
I would bet that the majority of people bashing MS due to problems with SP2 have spent untold hours manually configuring the firewall on their Hello Kitty modded Linux box! The truth is, SP2 blocks ports by default. Which is what it is supposed to do. The only thing MS could have done better was integrate port opening into their 'Made for Windows XP' cash cow. Hopefully they have already thought of this! If not, off to the Patent Office I go... Please don't get offended, but I get sort of irked that people bash MS because they (the bashers, not MS) have discovered linux. Linux is great, but I doubt my Grandmother could get it to work on her antiquated PC.
This is just silly.
MS will never do right. Granted, they do have a history of poor design (in relation to security) to contend with, but given the popularity (which some would argue, leads to greater responsibility) should leave a larger margin of "error" that is ill-afforded given current reports/reviews/opinions (especially on /.).
People complain about the lack of supposed (and any supposed free/commercial - non-enterprise firewall has the same problem) security that allows certain applications out based on user-input in an annoying pop-up.
Next, the supposed "incompatibility" of applications that have been designed to automatically assume that certain ports will be publicly available throughout the lifespan of the specific product line (and, yes, MS is just as responsible), which further leads to increased customer dissatisfaction.
Basically, the idea here is that MS will never, ever, do anything right. In my opinion, based on increased customer base and/or expectations, it is absolutely impossible for MS to possibly meet 90-100% of the supposed customer expectations (even less with the more "tech-savvy") if such "high-standards" are continually expected, or even worse, demanded of any company.
And yes, to make myself further unpopular, no Linux distro, given the same popular numbers (especially among the atypical user base that MS shares) would ever expect similar or less than the exact same complaints that MS receives regarding current or future improvements to their OS. These continued reports/articles of problems with SP2 are starting to get repetitive. I think people need to get over the fact that the OS does not offer much in the way of advanced user support, but this user base does not account for over 80% of the users out there. In a corporate environment, Windows is the best solution (not for EVERY service) for desktop support, and anyone that has experience in this area and says otherwise has not utilized it to its full potential.
I sat with a guy today who had the Start Button Virus on his PC. He had some whacky firewall utility that also controlled which programs could execute and a real live Microsoft DSL router between him and the outside world.
After I overcame my initial nausea we spent a few minutes on the firewall device and determined that its outside port was dead. I offered him a free (as in beer) FreeBSD (free) system to do this job - a nice, easy kill, and it gets me the run of another BSD box with a static IP.
The firewall thing on the PC was a bigger problem - not so good interface, user deeply confused by the idea that some addresses aren't globally routeable, further amazed that some devices can change these RFC1918 addresses to globally routeable numbers, and utterly boggled by the concept of being able to *see* what your computer is doing on the network.
Bottom line? This guy has no business doing anything other than pulling cables and plugging stuff into a network that provides DHCP and he *knows* this is the case.
I predict job growth in the 'digitician' field - the PC guru that comes around is going to become a real live job, instead of a friend or relative you impose upon for help. I, luckily, have avoided 98% of this work by becoming an inscrutable BSD prophet and would have avoided this one as well, were it not for the interior designer roaming around the office with her thong peeping out at regular intervals.
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
InstallShield is listed? And SP2 is supposed to be a good thing?
Holy freakin crap!
Why don't they just make the list just one entry that says...
EVERYTHING
At least it would be more honest.
OH, I forgot, we're talking about Microsoft, silly me.
Steve's Computer Service, Hobbs, NM
it is NOT OKAY to open up a machine in root (as windows is) to the world for the sake of an application doing something the user may or may not know about in the background. it was NOT OKAY to maintain for lo these many years that the backdoors of ActiveX and DirectX to kernel functions to be open for all and sundry just because it made pretty things happen in demos.
it was NOT OKAY for microsoft to assume blithely that users are all dunderheads who can't be educated, can't take responsibility, and can't be trusted to make choices.
the only thing broken is not the 50-odd apps, but the corporate vision of M$. they need to deal with the facts: it is not "the Connected Internet with each user a Member Of The Community" any more; everything is interconnected and bad boys can roam the streets unseen and unbidden in Electron Town; and, finally, welcome to the 21st Century, M$, please read the rules this time.
if you want a really good firewall, consider either tiny firewall or zone alarm, both much more friendly and complete, and free as well as licensed/supported versions of both available for download any time you want.
if this is supposed to be a new economy, how come they still want my old fashioned money?
At least the ones that were ignorant enough to :) install the latest worm, spybot, etc should see some relief not to mention the rest of us that share the net with them.
All that was in good cynical humor...
Laptops.
(Here are some more words: like you, I use a hardware firewall for my home/office, but when I'm at the coffeeshop with my laptop, it's kinda hard to lug all that routing gear around.)
(And here are even more words for you: concrete, bouncy, superfluous, carrot, foobly, upwards. Not sure about foobly, though.)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
A list of applications broken by windows Internet Connection Firewall (which I don't use)
A list of applications broken by the NX features on X86-64 (which I am not affected by)
and A list of applications broken by other things
it was NOT OKAY for microsoft to assume blithely that users are all dunderheads who can't be educated, can't take responsibility, and can't be trusted to make choices.
Problem is that a LOT of users ARE dunderheads. They don't care about security, they don't care about anything but selling soap and emailing grandma.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
So I saw lots of comments saying Skype didn't break due to xpsp2 - but it did for me...
I'm behind a big scary corporate firewall, AND my internet access is through an http proxy only.
Skype starts by opening ~12 direct-connect connection attempts before falling back to the HTTP proxy to connect. Unfortunately, WinXPsp2 appears to limit the number of half-open tcp connections to about 10.
So Skype gets about 12 SYN, with no SYN/ACKs back (as there's no real connection to that interweb thing). When it eventually tries the http proxy, it /would/ get a SYN/ACK back - but good old XPsp2 doesn't let it get that far.
So you can gtfw for a dirty tcpip.sys hack to raise the number of half-open connections. Just thought someone would be interested so they don't spend the same hour I did scouring over ethereal traces etc....
r
Humbug.
I installed it as Beta on my work machine and haven't had any issues with it affecting my access to critical applications. Anytime something new attempts to access the net a dialog pops up and asks what it should do. This is the same behavior that Zone Alarm does, and that's what I would hope to see.
I can still work, I'm able to use Remote Desktop and VPN into work from home.
Either you want Microsoft to be security minded and patch holes, or you want it to be easier to use and less secure. Pick one, you can't have both.
This is not an assumption, it is a conclusion (and one shared by anyone who has ever spent time trying to support end users). Most users are dunderheads, won't take responsibility, don't want to be educated and can't be trusted to make good choices.
Not all, mind you, but certainly most.
There's a common misconception that the ports above 1024 are somehow "safer" than the lower-numbered ports. As far as an attacker is concerned any tcp port is as good as any other if there's a service listening on it.
All's true that is mistrusted
The answer is emerging. Check back in a couple of days.
Maybe he should have tried a more desktop-centric distribution, such as Mandrake? Lots of stuff magically worked on my laptop, and the rest of it took a few package installations..
Disclaimer: I run gentoo on my server.. but I think the server is where gentoo belongs.
DJ kRYPT's Free MP3s!
This is the same security issue (not a security hole per se) that microsoft was being criticized for. That is, a rogue program can open and close ports on the firewall.
here, try it yourself. the following patch will add a port setting called x-windows to your firewall and open up ports in the 6000 range.
Dang, the lameness filter won't let me show the patch. oh well figure it out for yourself. it's easy. just look in:
Some drink at the fountain of knowledge. Others just gargle.
Well, yes. It's pretty obvious that Microsoft is doing the Right Thing with SP2. The changes, in fact, are what we'd like to have every Linux distro doing.
The unreasonable and unwarranted criticism of Microsoft on every front regarding SP2 ("It's not secure", "It's not backwards compatible", "It's taking too long to come out", "It was released before it was ready") has nothing to do with the quality of SP2 (which, as far as I can tell, is pretty decent). Microsoft screwed over their customers and competitors for years, and produced a lot of dislike. Now, they're simply paying off, in installments, the debt in public relations that they incurred. Why do you think Microsoft gets bashed for every minor thing on Slashdot, no matter how trivial? It isn't because a bunch of techies woke up one day and said "I sure do hate that Microsoft -- I just can't stand their name!"
May we never see th
I left a network of 80 computers with XP auto-update feature turned on. I came to work this week to find SP2 installed, yet the version listed in the control panel is "XP 2002 SP1". Kinda sneaky. Sure enough all the new firewall stuff is there. I visit windowsupdate, and v5 is now the default. No updates left to be installed. No mention of ServicePack2 except in Internet Explorer -> Help -> About. What's the deal? How does one uninstall? No mention in Add/Remove Programs.
"...we wanted everything blocked by default "
Welcome to the world that Microsoft has to deal with. Think the average Joe wants to deal with "unblocking ports?" Nope. And we wonder why MS Windows is considered insecure.
...but isn't that redundant? If nothing is running on a particular port, where is the security hole? If Apache isn't running and I try to connect to port 80, what can I do to harm the system?
It's nice that the convenience is there, but if turning on a program pokes a hole in the firewall and turning it off blocks a port that isn't in use, what's the point?
- I don't need to go outside, my CRT tan'll do me just fine.
I still firmly believe that a person needs a bit of an education before using a personal computer of any sort, especially one with internet access. For their own safety, if not for the safety of others. This isn't the sort of thing that can be remedied by making UI's more intuitive or friendly. Some things you just need to know. For example, everyone should know: what the Internet is; that not everyone on it is trustworthy, and most importantly to READ BEFORE YOU CLICK.
Ignorant (and often gullible) users are too easy to manipulate; 90% of the time it is they who succumb to the shenanigans of fraudsters and virus-writers. For their own sake they need an education, Lord knows the worst of them don't have any common sense.
And indeed, every user should know how to operate a basic firewall. It's an easy thing to explain, especially at the level of allowing or disallowing programs access to the 'net. I've taught several people how to use ZoneAlarm or McAffee Firewall. Most people understand it pretty quickly.
Perhaps if the education can be integrated into the UI somehow (error/warning/question dialog boxes with more pedestrian language and more explanation), we might make some headway against the exploitation of ignorant users.
Something often lost in the fray is that some news items aren't really newsworthy. If you ask me, this is one of those. Around 50 applications, out of thousands of applications, require a little tweaking after SP2. And of the 50 or so, most are of no concern to the typical Windows user, but are used by people who didn't need Microsoft to tell them what got broken or how to fix it. The rest are games about which Dick or Jane will call technical support immediately after applying SP2, and will get walked through simple, immediate fixes. Much ado over nothing.
Making the world a better place, one psychotic episode at a time.
I'd expect VC++ and VB to be affected if they're using the integrated version control feature (eg. Visual Source Safe) to access a remote repository.
Will SuSE still work if I install SP2? I don't see it on the list, so I was just curious...
I'm the author of a video game series entitled The Mentally Disturbed Old Lady and it seems to be having some issues when trying to connect to the master server on SP2. Anyone know how to contact Microsoft to get more programs added to the list? I want to make my clients aware.
I used textedit.app; it asked me if I wanted to overwrite the file when I tried to save it after editing it. But it does not ask you to authenticate with your admin password. After it overwrote the file it was owned by the admin user, not root.
Some drink at the fountain of knowledge. Others just gargle.
The directory /Library/Preferences has perms of g+w, so group users can write to it - thus as the other poster noted you can potentially overwrite the file. At least, TextEdit sure does.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Parent poster embarrasses himself and does not understand that "admin" != "root" on a macintosh.
Just to provide a counter-anecdote, I use virtual drives with D-Tools, Nero, and Alcohol 120% simultaneously and my upgrade to SP2 had no problems.
I think it is great that XP sp2 does this. End users might be inconvenienced, but it might actually help stop the spread of some viruses and worms. At least until they blindly click yes when asked if they wish to allow said program to access the internet.
Many many users have this thing where they click yes without reading so that they can go on their merry way. It is how many problems come up in the first place. While it is tempting to blame MS because they insist on asking "Are you sure?" every time you do anything, the user should still read the damn box.
Is there a way to set the XP firewall to allow all outgoing connections, but no incoming connections unless they are established by the computer first? This of course assumes you know exactly what your computer is doing. Personally I think that might be a better idea, but all and all it is good to see MS be responsible and turn on some security.
Brendan
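The policy the question above describes (all outbound allowed, inbound only for connections the host itself opened, plus explicitly excepted listening ports) as an added illustration that is not from any post in this thread: a toy stateful filter in C with a constructed flow table and sample addresses. The exception list stands in for the per-application "unblocking" the thread is arguing about.

```c
#include <stdint.h>
#include <string.h>

#define MAX_FLOWS 64
#define MAX_EXCEPTIONS 16

/* One connection the local host initiated. The only inbound traffic it
 * justifies is a reply from that exact remote address/port to that local port. */
typedef struct {
    uint32_t remote_ip;
    uint16_t remote_port;
    uint16_t local_port;
    int      in_use;
} flow_t;

static flow_t   flows[MAX_FLOWS];
static uint16_t exceptions[MAX_EXCEPTIONS];
static int      n_exceptions;

/* Forget every tracked flow and exception (fresh firewall state). Returns 1. */
int fw_reset(void) {
    memset(flows, 0, sizeof flows);
    n_exceptions = 0;
    return 1;
}

/* Equivalent of adding a port to the firewall's exception list so a listening
 * application (a VNC server, a game host) may receive unsolicited connections.
 * Returns 1 on success, 0 if the list is full. */
int fw_add_exception(uint16_t local_port) {
    if (n_exceptions >= MAX_EXCEPTIONS) return 0;
    exceptions[n_exceptions++] = local_port;
    return 1;
}

/* Outbound connections are always allowed; remember the flow so the reply can
 * come back in. Returns 1 if allowed and tracked, 0 if the table is full
 * (deny rather than allow something we cannot track). */
int fw_outbound(uint32_t remote_ip, uint16_t remote_port, uint16_t local_port) {
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (!flows[i].in_use) {
            flows[i] = (flow_t){ remote_ip, remote_port, local_port, 1 };
            return 1;
        }
    }
    return 0;
}

/* Inbound packet: allowed (1) only if it answers a flow we opened or targets an
 * excepted port; every other unsolicited packet is dropped (0). */
int fw_inbound(uint32_t remote_ip, uint16_t remote_port, uint16_t local_port) {
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (flows[i].in_use && flows[i].remote_ip == remote_ip &&
            flows[i].remote_port == remote_port && flows[i].local_port == local_port)
            return 1;
    }
    for (int i = 0; i < n_exceptions; i++)
        if (exceptions[i] == local_port) return 1;
    return 0;
}

/* Build an IPv4 address from dotted octets (the addresses used in the test are
 * constructed documentation addresses, not real hosts). */
uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}
```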
The list of programs that are blocked fall into two categories - trusted remote access programs, and peer to peer games. These need different handling.
Most of the programs SP2 blocks are remote access programs of one kind or another, intended to allow some program to get something done on some other machine. Those are trusted programs. Those should be blocked, at least until they've somehow been approved for such access. And that access should be more controlled than the current "on/off" option. Programs like that should be audited and signed. There aren't very many of them, and they require extra scrutiny.
Multiplayer peer to peer games, where each machine has to talk to the others, have a related but not identical problem. They don't need to be trusted if the OS has the right privilege structure and the game is modified to work within it.
One approach would be to let a program request to jail itself (as in in FreeBSD), in exchange for which it could thereafter open server ports. This is what most games need. Once they've started and accessed all the game assets, they should have no further need to access anything else locally. So they can then talk to the outside world. If an attacker takes over the game program, they can't do much besides mess up the game. Games can then be peer to peer, but still untrusted.
It's time to tighten things up. There's no reason that Scrabble 3.0 should be privileged.
MS could easily err on the side of caution and just block its own file sharing, etc ports and other system ports that usually reside under 1025. Everything else would be open. Not everyone is a techie who can diagnose every app's port and do the forwarding.
Inbound and outbound port management is really too much for technophobes. I usually set up a simple firewall and open up everything after 1025. They dont get hit by trojans and their apps work. If they do network printing, sharing, etc I just make exceptions for the NAT subnet they are using.
I know it's heresy in these parts to speak ill of firewalls, but the more they nag and the more they break apps the higher the chance they will just get shut off. The worst thing you can do for a person is give them Zone Alarm or some other nagware.
Real protection comes in email scanning, patching, and future CPUs which support NX (currently only AMD64). Not in blocking every damn port out there and pretending one is protected.
Operating a car without knowing how is dangerous for the community. Hence the need for a license.
Operating a computer without knowing how is also now becoming dangerous for the community. Maybe you should have to have a license to operate a computer? Or get on the internet?
Given this dialog: How many users are going to click "Yes"? You think it is stupid if a user clicks "Yes" but do you know how stupid it is to allow the user the option to click "Yes" and ruin their computer?? Now change "Ruin your computer?" to "An application has requested traffic on port 139. Open it?"
This is a simplified example yet this is what's happening. A firewall is supposed to stop network traffic inbound or outbound that isn't accounted for. Allowing the user to sidestep this easily is as handy as asking if they want to ruin their computer: Yes or No. Even with the improved features I'm still going to get calls from Mom saying something complained it wanted access so she clicked "Yes" to get it to shut up. Expecting users to be savvy enough to patrol their computers got MS into this mess with SP 2. Now people are suddenly going to be wise??? Something doesn't add up.
I am not knocking SP2 since there are great things going on here but as the old saying goes: Security is a process. SP2 still "enables" users to screw up their computers with a few more hoops to jump through. I would rather have my parents have to jump through a few more hoops before they hang their computer with all of the wonderful "rope" MS gives them but I'm still very bothered it's easy to hang themselves.
Simply put, in my opinion Zone Alarm is right and SP2 is wrong. The firewall is there to stop unwarranted traffic not to conveniently prompt you to disable it.
The problem with the Windows Firewall is that, unlike the ZoneAlarm product it's an obvious rip-off of, it doesn't correctly list all programs attempting to use the network connection so that they can be easily allowed through. Unblocking the WinVNC server service has proven troublesome. I'll think it's working after being added to the exceptions list then the next time I try to connect it won't work. Microsoft appear to want to save users from having to manually unblock a whole heap of programs when the firewall is first installed, but all they've managed instead is to make unblocking pre-existing legitimate network programs annoying. I'm pretty much at the point where I'm going to be turning off the firewall as part of the upcoming SP2 roll-out.
I'm curious about how many apps break during installation now. Some programs require constant phone home signals to run and won't work now. I'm sure XP activation and 2003 activation work just fine.
The most annoying feature is the limiting of 10 connections at a time using rawsock.
In related news, Microsoft is preventing people from downloading it through BitTorrent using the DMCA.
Definitely makes a good point. A very good point.
Looks like many users who aren't very windows savvy are going to have to make the choice between security and usability... I do think that this is partly MS's fault and partly that of companies whose apps shouldn't require an internet connection (especially on obscure ports) but do. I've never been a big fan of software firewalls but the flaw (imho) in windows firewall which allows it to be disabled by other applications should allow third party developers to release patches that will reenable the necessary ports... Overall SP2 will do much more good than bad for the average user and minor "glitches" are definitely worth the added security for many of the users I know are waiting for the public release.
All the torrents you could want.
Now if we are talking a home LAN, where it's only computers that belong to you, then perhaps that is a valid assumption. However if we are talking a work LAN, with lots of unknowns, then trusting it is a bad idea. This is similar to asking why we have a lock on our office when there is a lock on the front door. Well, it's because we don't trust people just because they happen to be in the building, that's why. Likewise I have a firewall on my system because I don't trust computers just because they happen to be on the same subnet as me.
A hardware firewall is a good thing, to provide overall and hopefully uncrashable protection for your LAN, but software firewalls on each system ensure that in the event of a compromise, it's much harder for the infection to spread.
"Trust no one, Mister Mulder."
I'd say everyone, geeks and those who know included, should install SP2 (assuming you use Windows). You can turn off the firewall and other features and it's a good set of fixes, upgrades, as well as a recompile that can yield better performance.
The only case where there would be a real problem that wouldn't be easy to get around is if you have a new AMD processor, and a dumb app that forgets to mark pages it needs as executable. Some apps that use dynamic recompilation and are improperly coded will bomb because of the NX flag. Windows NT has always supported the difference between read and execute permissions, however it's never run on hardware that has, so there was no difference between declaring a page read and read_execute. The proper procedure, of course, was to declare data pages you need to execute from as read_execute. Now that processors support NX, it is important that is done. No big deal, just a little rewrite and recompile and it'll work.
Really, unless you use a dynamic recompiling software (like some emulators) that hasn't been updated on an AMD chip, there isn't a compelling reason I can think of not to upgrade. You can disable the firewall and such and it's just a good all around update.
I've noticed that SMAC versions 1.1 and 1.2 no longer work with SP2 installed. Neither does editing my mac address with regedt32.
This might just be my computer but it's worth thinking about before installing SP2.
down with the editors! no more feudalism on slashdot!
you'll have this kind of trouble with any firewall....but commenting on people and their stupid ways.....Microsoft really needs to start supplying their operating system with an actual book...The type of book that explains how the operating system works and functions. and how to install and uninstall applications. Basically what I am saying is...they need to supply a book that covers all aspects and sectors of the operating system. Like you have with most linux distros.
A 20 page manual teaching you how to move the mouse and hit the start button doesn't cut it.
People need to actually learn how their os works and understand what security is.
The fact is that the majority of Joe Public is far too stupid & lazy to want to bother understanding how a computer works so Microsoft has had to force their hand into making their systems more secure.
Whilst I consider Microsoft "it's own worst enemy" by portraying its OSes as error free and requiring minimal management in advertising, they have taken the right action here because hopefully this starts to make it more difficult for viruses and worms to propagate meaning that we all benefit.
If there's one big advantage we have in the Linux world over the Windows world is that our proportion of idiot users is virtually zero - I for one hope it stays that way also.
Gentoo Linux - another day, another USE flag.
My experience with XPsp2 is that the pop up blocker in IE has made me use Firefox even more since Microsoft's own sites (that I used to browse with IE) are now blocking cookies (yay) and/or less functional. But it's the "no I don't want your cookie" and "yes I really do want to download..." dialog boxes that have replaced the popups that is really getting on my tits.
-- Sig meltdown immine...
Uhmmm... Is it just me, or did the mods not get your joke? :)
Gentoo is NOT for new users. It's great for experienced Linux users, but is not a good first Linux. Try a HDD install of Knoppix. Or FC2.
Not a sentence!
For me the point is not that the XP firewall should be enabled or not by default.
The point is: Why the hell do a text editor, a spreadsheet editor and a lot of software on this list NEED to connect to the internet???
Well, that is what you get for outsourcing jobs to India, or any other cheap Country, for that matter.
It's a well known fact that a lot of developers are idiots, and hence develop text editors that need to access the internet. The benefit of the open source community is that the community works in a pseudo-democratic way in many respects and therefore developers like that tend to shy away. There is not much demand for internet enabled text editors, so they are difficult to come by on Linux.
The people who develop the internet enabled text editors continue to churn out their apps for Windows. Sometimes third party apps can be frightening and almost lovecraftish in their crude and otherworldly construction. Perhaps the great Old Ones are still working on these developers.
I am government man, come from the government. The government has sent me. -- G.I.R.
does this mean Half-Life 2 will be postponed another quarter???
and now back to the fallout shelter...
Strange. The Powerbook I'm posting this from seems to be based on Unix, and copes fine as a desktop workstation OS with a user-friendly GUI. In fact, it copes rather better than Windows in this respect.
Cheers,
Ian
>> I think Apple already pulled it off better than anyone else -- but that's getting into a whole new hardware AND software investment.
>Strange. The Powerbook I'm posting this from seems to be based on Unix, and copes fine as a desktop workstation OS with a user-friendly GUI.
Surely reading BOTH lines in the original post before replying wouldn't have been that much of an effort.
...iceberg tip of the... I had to do a complete wipe and reinstall after sp2. It conflicted with windowblinds or kerio and completely froze the PC...
kin242.net
Gentoo was my first self-installed OS, I just did some reading up (which seems to be a lost art those days) until I was reasonably familiar with the terms used. I *did* play around with a Knoppix LiveCD to learn some Linux fundamentals first.
If you're willing to learn, and have a strong desire to keep your PC secure it's not hard at all.
I call rubbish! I use Gentoo as my sole OS for all things, and it lacks for nothing - I have word processors, spreadsheets, presentation packages, databases, dvd rippers, etc.
Sure, it's a wee bit more involved to set up, but not difficult. Added bonus is, it's cheaper software-wise (i.e. free) and means I can spend my money on the hardware.
Could someone please mod my earlier post as funny? That way, I'd have Interesting, Offtopic and Funny for a post that has Microsoft, P2P and DMCA in the same sentence.
This is a list of programs that require a port opened in the firewall... that's hardly a bug.
This is like complaining installing Zone Alarm or a Cisco PIX breaks something...
Just open the ports and you're away
MS have left it far too long for me to even notice half the 'new' security features in SP2. I already have a raft of highly-configurable, wonderfully effective commercial software running on my PCs at all times to block ports, prevent applications executing/replacing one another, get rid of ads, block pop-ups, detect network intrusions etc etc.
All this since 2001, because it took until mid-2004 for MS to stop making pretty fading menus and arguing with Sun and the EC, and get round to tidying up their OS. It's great that the less savvy home users will now benefit from some kind of protection, but for many users like me the firewall will get permanently checked 'off' from the word go, because I've already been through all that configuration.
Then who on earth will work on Gentoo?
Brings a whole new meaning to emerge.......
My web domain.
Of the three machines we've got here with the Windows XP / Office 2000 combination, two of them stopped opening documents after installing SP2 (just hangs). Office seems to have latest service pack itself, so nothing else to do but rollback and disable auto-update.
You have to unblock certain ports as your applications require to make the apps work again.
Sooo... everyone has to unblock whatever port RPC runs on for Windows to work (let's say) and many other ports, so basically the firewall does absolutely nothing except block people from slamming ports that nothing is using anyway.
WTF good does that do?
The answer is simple and it can be summed up in two words.
Read, Learn.
how the hell am I going to figure out how to install Gentoo?!?!?
Figure out? You're not supposed to figure it out on your own, in fact, they wrote a manual for it. That being said, I do not recommend Gentoo - it's too fragile and breaks easily. Also, due to the overly complex design of portage it isn't easy to fix when it does break. Try Slackware instead, it expects you to learn (and no, Slackware isn't a silver bullet but it's the best recommendation I have).
> it was NOT OKAY for microsoft to assume blithely that users are all dunderheads who can't be educated, can't take responsibility, and can't be trusted to make choices.
Until management overruled, a previous employer had the mantra of 'if you make it idiot proof, only idiots will use it'.
Zone Alarm is bad enough, but at least ZA tells you if it's blocking something.
Pretty much every other modern OS that's addressed this problem has done it by disabling services by default. Microsoft's firewalling by default means that they're unable to Do The Right Thing and put their services under user control, instead they have to use brute force and block them at the IP level.
Why can't they do the right thing? I can only speculate, but it seems likely that they simply have too many dependencies between components that they can't figure out how to disable dangerous services (or configure them to bind to localhost only without breaking even more applications).
I'll tell you a story.
I once had to install Windows 2000 on a box, and as Loki would have it, I had no Zone Alarm or Sygate Personal Firewall on a CD at hand. Just as Joe Average would.
So I could go download it somewhere else, or I could do a scapegoat installation just to download a firewall. I chose to just sacrifice an install to the gods of Hacking. I _knew_ I'd get hacked, but that was OK, since I'd reformat immediately after anyway. (Takes less time than whining on /. about MS security, btw.) Joe Average wouldn't know, and wouldn't reformat.
(And I'm not disappointed. It takes less than a minute to get my uplink bandwidth saturated with mysterious outbound packets.)
Still, it will serve to illustrate what happens after you get your machine 0wn3d by some l337 skr1p7 kiddi3.
So I decide to play with it a bit longer, and see what happens with a firewall and an 0wn3d machine.
I start the newly downloaded and installed Sygate Personal Firewall, and immediately it pops up a window telling me the name of the application _and_ what it's trying to do. I block it, and that's that. No more outbound packets. I can tell it struggles long and hard to send crap, but it can't. Both its inbound and outbound pipes have been sealed shut.
I can now toy with that machine as long as I wish, trying to disinfect it. Again, which is what Joe Average would want. If it's _not_ a sacrificial install, but some machine where his resume and a few gigs of other important data is, Joe will not want it reformatted.
I can even surf the net looking for information on the trojan, safe in the knowledge that it's blocked. No need to pull out the network cable.
Whereas you tell me that Apple would have allowed it to open its own ports, as it damn pleases. Inbound or outbound, whatever. And not even told me about it.
Well, gee. Sorry, that's not the kind of security I'm looking for. Dumbing down a firewall to the point where it doesn't actually block anything, in the name of "user-friendliness" is _not_ the way to go.
A polar bear is a cartesian bear after a coordinate transform.
I installed SP2 and then it made me re-activate both Windows and Office 2003. During the reactivation, my original Product keys were no longer valid. I had to call Microsoft support, spoke to numerous tech support and activation department employees before they gave me a new product key which could be re-activated. I felt like I was getting interrogated as to why I was re-activating the software even though I had valid and legal copies. The other interesting part, every person I spoke to was from India, the only person not from India was Canadian. It appears as if Microsoft has almost completely off-shored major portions of their company to India.
MAN, I'm sooooooo mad! I just installed SP2 on my Powerbook G4 and it screwed things up REALLY bad. That Bill Gates has some splaining to do!!!
According to the document, the updated firewall may prevent computers from properly connecting to outside networks, limiting systems' abilities to effectively receive data.
Isn't that what a firewall is supposed to do, limit connections such that a trojan/virus/spyware or something couldn't get out or in?
--
Adobe's anti-counterfeiting softw
"a good friend of mine recently wiped Windows XP off his Dell Latitude laptop and replaced it with the latest Gentoo Linux distro."
The latest Gentoo Linux distro? This shows that you know nothing at all about Gentoo. If he'd read a bit more, I'm sure he would have realised that he could look at packages.gentoo.org and find his office apps (abiword, gnumeric, koffice, openoffice.org), his multimedia (xmms, rhythmbox, mplayer), his file manager (Gnome or KDE, he picks), etc, etc, etc. What on earth did he need?
If he was using professional stuff like Photoshop (people don't want to use GIMP because it has no tutorials) and Cubase (music editing), that's another matter. But was he?
I can explain why I use a personal firewall (Kerio PF) on my XP box at home, and what advantages I think it offers over a standalone hardware firewall:
Control: Even though I have broadband, I want control over what applications connect in and out. When a popup box appears, I am immediately informed what part of Windows or program is trying to access the outside world. I start the PF by locking everything, then clicking yes to everything I want to access the Internet and no to the others (making quick rules). I get a quick and easy overview. This gives an extra control over potential spyware and applications that shouldn't connect remotely.
While a broadband router is more secure, it's not as easy to configure, it doesn't block on the application level nor on the device level (for VPNs etc), it doesn't implement "web-filters" or other goodies. A very interesting feature of Kerio is that you can deny, or question whether programs should start up at all.. Nice to lock down Internet Explorer and Outlook that way for extra security.
Fast & Easy: Getting a pop-up box, I am immediately informed and may quickly make an automatic rule, or specify a more advanced rule. When the ruleset is mature, the boxes disappear.
While a hardware firewall is quick to set up in the LAN, setup and configuration simply don't compare to a PF with a nice GUI. It's almost as fast as having an automatic firewall. A PF is also more convenient for newbies and lazy users. You don't always know what application or service is using what port, and have to spend time searching. Not everybody thinks it's fun or has the skills to search for port numbers.
That said, a broadband router is usually the best solution for a home network, as you don't need a computer up and running all the time to have secure Internet access. But why not have both? In my eyes, not trusting XP or its applications, a PF is absolutely necessary for control over your computer. Of course, if you don't like the pop-up dialogs, you can turn them off. That's just a GUI event; you can read the logs instead.
I'll recommend staying far away from ZoneAlarm though and using Kerio PF instead. It is very powerful, tidy and secure to use. ZoneAlarm gives me the creeps, what a good example of bad and bloated design!
To argue against PF I would say that it is very complex and located on the same host, which IS bad for security. It is also harder to know what rules are implemented; maybe the automatic rules are bad or too broad? Also, bad users will easily make the PF worthless by allowing everything. It's certainly no silver bullet, except for letting users shoot themselves in their feet.
An additional argument FOR PF is that security can be enhanced by making it easier for clueful users to setup a firewall with high enough level of restriction to prevent most attacks.
Use what fits the job best, often it's a balance between convenience and security. But as said earlier, you CAN use both!
I do agree about the false sense of security though, but most people just want to do their work/play, not have a complete network in their home. Many will never be able to figure out a hardware firewall in this lifetime. If you want security, best not use XP either, but OpenBSD or something similar. By being proprietary, XP simply cannot be relied upon and may give a "false sense of security" when everything goes OK for a while.
The *only* reason to have a firewall is that if you make a mistake and accidentally open a service you didn't intend to
Wrong. Suppose there is an issue in the IP stack itself? The machine can still be knocked over - a la early NT 4.0 - by crafted packets even if no services are listening. Can you see where a firewall might help?
the firewall is there as a failsafe
Yes, it is. There is a concept called "multi-level security"; you should look into it. Essentially the machine is protected by multiple overlapping sets of controls so the loss of one control is not catastrophic.
I want to drag this out as long as possible. Bring me my protractor.
Microsoft are actually doing the right thing here. What's unbelievable is that so many applications rely on open ports to work. Assuming the MS firewall doesn't block loopback connections, this would seem to be a fairly major problem for the application developers to me. What is annoying is all these stories about SP2. It seems every day a new one is posted -- can MS not sneeze without it becoming news?
Why must I have network services enabled to run any app on my computer? Additionally, some basic things - like the taskbar and windowing system - will crash if you don't have certain network services running. WTF?
This is not a glitch - it is a very stupid design. I have had many Windows apps lock-up when network connectivity is lost - which tells me the networking piece is not coded correctly (that is to say - the application should not CTD [crash to desktop] when the network is down; instead it should gracefully deal with it allowing you to save data, as a minimum, and continue working offline ideally). Sadly, developers went along for the ride - and now are having to pay for it.
Yes - I'm going to take IT advice from this company - NOT. It amazes me that such a large repository of PhDs can produce such shoddy workmanship. Then again, they are versed in the theoretical, as opposed to the practical aspects of their chosen craft.
Chalk it up as one more reason to wipe your hard drive and load Linux/BSD...
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Here's one reason to use the Windows firewall. In the new Group Policy object for the Windows firewall you can have two profiles. One is the Domain profile (when the PC is connected to the internal "secure" network), and the other is for when it is not on the internal network (the internet, perhaps).
This will allow you to have some ports/services available when the PC is connected to the domain so that the sysadmins can manage the machine, but have those services blocked when the user is at home on their cable modem, etc.
We have had a lot of problems with users getting a worm/virus while online at home, then bringing it back to the internal network.
For all /.ers using SSH Sentinel VPN (I am not sure what the new name is now), SP2 somehow manages to break the app.
The more users calling, the more will be safer from viruses in the future. You should actually take responsibility for selling your services, and inform them how they should be used in a responsible manner. Sending an "instruction manual" would be an easy and cost-effective way to clue up a lot of users.
Why would you continue to blame only the users, when you can do something to help both them and your own bottom line?
If there's an issue with the IP stack then the firewall won't help you because the firewall is part of the IP stack
My message to the GP poster was that security involves much more than a single point of protection. Hypothetical: I have an unpatched Red Hat 4.2 machine [physically] in a locked and guarded bank vault, and [logically] behind a packet filtering router and two traditional/network firewalls; how vulnerable is that machine to a network-based attack from the outside? Obviously that would depend on the firewall/router configurations, but the point is that one must look at the overall picture to determine the relative amount of risk. Additional security measures that can be added trivially - like the 'personal firewall' - should be added because they improve the overall security picture, not because they protect the machine from all Bad Things. Multi-level security is still a good idea.
Who on earth would know or care?
I'm rather happy that MS finally decided to do it right and force people to learn how to deal with it. Hopefully they fix the few more little flaws that make XP SP2 less than secure (the windows firewall issues for instance).
"You can now flame me, I am full of love,"
I'm surprised nobody has mentioned this yet, but, is anybody else vaguely worried about the fact that there are so many 'Default Exceptions' built into the firewall? It sure looks like even if a virus author doesn't have the code space in their exploit to disable the windows firewall in addition to whatever they're doing, they can get around it by creating an executable named, for example, defwatch.exe, and the firewall will happily ignore it... I'm not even sure what 'documentation' it's referring you to for most of the default exceptions... The SP docs? (Did it come with any? I didn't see any...) The program docs? (Why would that help?)
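The two-profile setup described a few comments up (a Domain profile with management exceptions, a second profile with none for the cable modem at home) and the worry here about exceptions keyed on an executable's name are modelled together in the following added example. It is illustrative Python written for this page, not the Windows Firewall's own code, and it makes no claim about how XP SP2 actually matches its default exceptions; the profile names, the port and program exceptions, the port numbers and the sample executable images are all constructed for the example. What it shows is the difference between a program exception matched by file name and one matched by a hash of the file's contents when a piece of malware has simply been renamed to the trusted name.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample images (not real executables): a legitimate defwatch.exe
# and a piece of malware that has merely been renamed to defwatch.exe.
LEGIT_DEFWATCH = b"MZ\x90\x00 DefWatch (constructed sample image)"
RENAMED_MALWARE = b"MZ\x90\x00 worm payload (constructed sample image)"


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


@dataclass(frozen=True)
class Connection:
    """An unsolicited inbound connection as the host firewall sees it."""
    profile: str    # "domain" (on the corporate LAN) or "standard" (elsewhere)
    proto: str      # "tcp" or "udp"
    port: int
    program: str    # file name of the process that owns the listening socket
    image: bytes    # bytes of that process's executable


@dataclass
class Profile:
    name: str
    open_ports: set = field(default_factory=set)      # {(proto, port)}
    allowed_names: set = field(default_factory=set)   # program exceptions by file name
    allowed_hashes: set = field(default_factory=set)  # program exceptions by SHA-256


class HostFirewall:
    """Toy default-deny host firewall with per-profile exception lists."""

    def __init__(self, identify_programs_by: str = "hash"):
        if identify_programs_by not in ("name", "hash"):
            raise ValueError("identify_programs_by must be 'name' or 'hash'")
        self.identify_programs_by = identify_programs_by
        self.profiles = {}

    def add_profile(self, profile: Profile) -> None:
        self.profiles[profile.name] = profile

    def decide(self, conn: Connection) -> str:
        """Default deny: only an exception in the active profile lets traffic in."""
        profile = self.profiles[conn.profile]
        if (conn.proto.lower(), conn.port) in profile.open_ports:
            return "allow:port-exception"
        if self.identify_programs_by == "name":
            # Weak: any file that happens to be called defwatch.exe matches.
            if conn.program.lower() in profile.allowed_names:
                return "allow:program-name"
        else:
            # Stronger: the exception names the bytes, so a renamed binary
            # with different contents does not match.
            if sha256_hex(conn.image) in profile.allowed_hashes:
                return "allow:program-hash"
        return "block"


def build_firewall(identify_programs_by: str) -> HostFirewall:
    fw = HostFirewall(identify_programs_by)
    # Domain profile: admins may reach Remote Desktop and the AV agent.
    fw.add_profile(Profile(
        "domain",
        open_ports={("tcp", 3389)},
        allowed_names={"defwatch.exe"},
        allowed_hashes={sha256_hex(LEGIT_DEFWATCH)},
    ))
    # Standard profile (home cable modem): no exceptions at all.
    fw.add_profile(Profile("standard"))
    return fw


def demo() -> dict:
    """Run the cases the thread discusses and return {case: decision}."""
    by_name, by_hash = build_firewall("name"), build_firewall("hash")
    # Port numbers below are arbitrary except 3389 (Remote Desktop).
    rdp_domain = Connection("domain", "tcp", 3389, "svchost.exe", b"")
    rdp_home = Connection("standard", "tcp", 3389, "svchost.exe", b"")
    legit = Connection("domain", "tcp", 2967, "defwatch.exe", LEGIT_DEFWATCH)
    impostor = Connection("domain", "tcp", 4444, "DefWatch.exe", RENAMED_MALWARE)
    legit_home = Connection("standard", "tcp", 2967, "defwatch.exe", LEGIT_DEFWATCH)
    return {
        "domain rdp": by_hash.decide(rdp_domain),
        "standard rdp": by_hash.decide(rdp_home),
        "name: legit defwatch": by_name.decide(legit),
        "name: renamed malware": by_name.decide(impostor),
        "hash: legit defwatch": by_hash.decide(legit),
        "hash: renamed malware": by_hash.decide(impostor),
        "standard: legit defwatch": by_hash.decide(legit_home),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:28s} -> {decision}")
```

The name-keyed policy lets the renamed sample straight through on the domain profile, while the hash-keyed policy blocks it and still admits the genuine file; both policies block everything on the standard profile, which is the point of the two-profile setup. The trade-off a practitioner should keep in mind is that a content hash changes with every legitimate update of the program, so real products tend to pin a signing certificate or publisher rather than a single hash.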
Whereas you tell me that Apple would have allowed it to open its own ports, as it damn pleases. Inbound or outbound, whatever. And not even told me about it.
I'm sorry, but WHAT KIND OF CRACK ARE YOU SMOKING? Mac OS X only enables ports for services the user has requested be turned on. It's not as if the service starts up on its own and OS X's firewall bends face forward and spreads its cheeks wide.
Why do so many /.'ers insist on making statements about things with which they have no experience?
One of the longest running complaints about Windows isn't just that the security is so horrible, its that the system isn't transparent and the documentation is awful. The concise version of their documentation is dumbed down to gradeschool levels, and the meatier documentation is lost in a sea of useless details spread over a half-dozen MS Press books, MSDN articles and KB articles, the latter of which are sometimes "private" and don't turn up in searches!
Even an insecure design can be made more secure if the system itself is transparent and/or the documentation is good. If the system isn't transparent AND the documentation is bad, then you're really doomed -- you don't know what to fix or how to fix it. Add in the mix that default installs often have every service and privilege enabled by default, and you're fucked, as we've seen.
UNIX too suffers from some abysmal documentation, but is aided by transparency -- most processes serve a single function and most have a simple, readable, easily editable, and often heavily commented configuration file that controls their behavior.
I have seen some reporting that Opera 7.5x (latest) crashes all the time on SP2 installed machines.
What about that? Could MS go that low? I bet so since Opera is on every cell phone on damn planet at least...
Even by MS standards.
I expected the list to be some odd ball shareware or limited dist stuff. Or as MS spun it, P2P apps and the like.
Bzzzzttt!! Wrong.(as usual)
There's some Major stuff there from BIG vendors.
As a semi-trained help desk monkey w/4k users and about 1500 machines, I'd say that if anyone allows this to be rolled out at a site for more than 100 users, they're going to deserve that angry mob at the door.
Button_OK {
    OnLeftClick() {
        DownloadNastyStuff(portnum, evil_ip...);
    }
}
Button_Cancel {
    OnLeftClick() {
        Button_OK.OnLeftClick();
    }
}
Windows has finally collapsed under the weight of all the patches that have been added to it. Patches to fix security holes, patches to fix the stuff that doesn't work because of the other patches, and patches for patches - all built on an infrastructure that was fundamentally rotten. The fact is, so much software depends at low levels on Windows's lack of security, it was bound to break good and hard when the real issues were addressed. And now it's impossible to maintain backward compatibility, because the legitimate software is using exactly the same security holes as the malware.
..... because Microsoft decided that there are some things that the user does not need to know about or have any control over.
Whether the closed source nature of Windows and Windows applications encourages this kind of slovenly programming is not the real issue here. The real issue dates right back to the early days, and the difference between mini- and microcomputers.
Unix was conceived from the outset as a minicomputer OS. That meant it had to have at least some awareness of multiple users -- some of whom might be dangerous, whether due to malice or incompetence. Privilege separation was built in from the outset; with just one, special user account able to do absolutely anything, including bring the system down irretrievably. This purposely was never blocked.
MS-DOS was conceived from the outset as a microcomputer OS -- it was once a CP/M clone. A computer running DOS would have a single user, and not be connected electrically to anything else -- except maybe a minicomputer, via an RS-232 serial link; and requiring a particular program to send data to and accept data from the port, and when that program is not running, nothing happening on the port can affect what the computer is doing. Therefore, there was no need for privilege separation; that one user could effectively be given root privileges. Or almost
Advance a few years and we have networks. Unix -- thanks to the ingenious concept of treating everything as a file -- gains the ability to treat storage devices and peripherals attached to other network nodes as its own. MS-DOS PCs are generally connected to communal file and printer servers -- effectively, using the network as an alternate hard disk / printer interface. This functionality has just been bodged in, a little at a time, as and when necessary.
Now remember that Linux and Mac OS X are both based on Unix -- which was already a fully fledged, network-aware system -- while Windows is based on MS-DOS, which began as an "island" system without giving the user full manual override ability. In other words, someone could cause Windows to run a program without the user even being aware of it, much less able to do anything about it.
Once you factor in a huge influx of clueless users -- and I'm talking tipp-ex on the screen, broken the coffee cup holder, adding up the spreadsheet with a calculator type cluelessness -- this becomes a recipe for disaster. For Windows to reach the point of total unusability was inevitable, and -- this sticks in my craw a bit -- it's a testament to Microsoft's hard work and determination that it's actually taken up to now for this to happen.
Je fume. Tu fumes. Nous fûmes!
Only microsoft would have to put out an update for windows to fix the fact that people can't figure out how to close their own ports. And only microsoft would be stupid enough to install an update which closes ALL of your ports at once, without even bothering to tell you what it's doing.
That's basically what you get with windows. Either your software doesn't work or you get hacked. God forbid microsoft give users the tools they need to properly configure their security options, instead of automatically turning all the ports on or off.
Ever done any user support lately? Most Windows users can't function if you remove a shortcut icon... you want them to open and close ports?
Try it using not the Finder but either the Terminal window or TextEdit.
The point is that users running MS Windows aren't actually required to know anything about their computers. The Windows OS constantly holds their hands and does what Microsoft feels is best for the user. This promotes computer ignorance. Microsoft does not know what's best for their users. If they did, the Windows OS wouldn't have a single problem or complaint. Windows users are ignorant because Microsoft keeps them that way. People who run the Windows OS will continue to get hacked/virused/trojaned/wormed/etc. until they actually learn about their computer. Unfortunately for Microsoft, people who actually learn how their computer works usually realize what's happening, throw Windows in the garbage, and install a real OS.
"They are calling this a glitch, but I thought we wanted everything blocked by default so we would have to choose what was unblocked?"
In the corporate world any software feature that increases demand for real-people support is undesirable. Don't forget that Microsoft is in the business of controlling computer user behavior as much as anything else. So from Microsoft's perspective any significant increase in user requests for assistance are a major glitch.
This is a damn low number for any operating system. Not to mention that the changes in XP SP2 are huge. Also, a lot of companies fixed these compatibility issues before the SP2 release!
Slashdot - free anti-Microsoft propaganda 24/7
Yes, there are more and more people every day who realize that Windows is a bad idea. This is why Linux is becoming more and more popular and getting better every day. Go to Distrowatch and choose a Linux for yourself. There is a Linux for everyone!
Greetings from India.
If MS had actually matched every feature of ZA and then some, then people would be saying they are driving business... out of business again. "Monopoly" they would all scream.
The fact is, MS specifically designed XP built-in functionality (such as CD burning, zip file opening, picture viewing etc) to be minimally but usefully functional so that it does NOT get them into instant hot water.
Why are you complaining? Keep using ZA if you already bought it or need its level of functionality. But don't berate MS for providing what is actually a decent and functional firewall that is finally in the user's face where it should be.
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
I think this is what is commonly referred to as the dark side of the force.
Yes, because after all, when an app doesn't work because the firewall blocks a port it needs, it's all due to anti-competitive behavior and not because THAT'S HOW FIREWALLS WORK.
The FUD on Slashdot has reached an all-time high.
They're apps that are blocked by a firewall. You know, since firewalls block ports and all. SP2 immediately asks if you want to unblock.
Yet another non-issue posted to the front page for page hits...
Seriously, I'm sticking with Sygate. This is amazing to me... with all the holes in every Windows version, people would trust a FIREWALL developed by Microsoft?
At least now AOL won't run, that's a very good thing coming out of SP2 =P
That means no more need to download the non-existent, legally threatened Kazaa Lite anymore! Long live Bill!!!
Well, he is an amateur musician, and yes, he does use CuBase - but I don't even think that was a "deal breaker" for him.
He installed OpenOffice but didn't like the overall "look and feel" of the product. (I can sympathize with that myself. Last time I installed it, everything had more of a "Microsoft Works" feel to it, the way all the pieces were integrated around a single front-end.)
Among other things, he lost nearly all of his ability to play games on the laptop. (Yeah, yeah, you can play Quake, Doom, and so on... but those are exceptions to the rule.)
Furthermore, he ran into some issues getting things like his wi-fi card working, and had to monkey around with config files and a custom package installation to make it work right. Power management didn't seem as well supported either.
I also recall him being frustrated that Debian's style of package management wasn't used? (Like you said, no, I haven't personally used Gentoo - so I can't really speak with certainty on this.) It sounded to me like it was using an RPM style packaging system though? If so, that's a negative.... I've had countless times where RPM packages didn't install cleanly. Sometimes, you have to do a --force to get something to install, and sometimes you're just not sure if the libraries you have are going to work with a program or not....
Gentoo uses a very good package management system. "emerge abiword" will compile abiword after doing the dependencies. (this could take days; you should run "emerge -a abiword" to see a list of stuff first.) "emerge -u world" will update everything.
I also don't like OpenOffice very much, but apart from the loading time it's very functional.
I don't really mind with the games; I play almost only DOS games (on DOSBox)
It isn't quite like RPM because you almost always use the central repository to get your stuff. Only very occasionally do you need to download an ebuild (a script for fetching and installing) for a program.
Back in the day, the upgrade from Win 3.1 to Win 3.11 came out, and a number of apps had compatibility problems. At the top of the list: Microsoft Word, Microsoft Excel, Microsoft Powerpoint.
Once again, MS bring out a new version, and, once again, among the apps that don't work properly are ones made by themselves!
Isn't it about time that they started having meetings between the OS division and the Applications division?
"She's furniture with a pulse"