Last Words On Service Pack 2
thejoelpatrol writes "So did Slashdotters call this one? Windows XP SP2 seems not to be so secure after all. A Register reporter goes in depth to find out just how safe a fresh install is. He provides a list of which dangerous ports are left open and which services are left on by default. I guess now we know why Microsoft's security timetable is 10 years." Reader ack154 writes "ZDNet is reporting that many Dell Inspiron users are reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz. Dell claims no responsibility, claiming it is 'externally loaded software' and they don't support it. In the meantime there has been a fix posted on Dell's forums, which rolls back the processor driver." Finally, Marxist Hacker 42 writes "Amid complaints of too much XP Service Pack 2 coverage on ZD Net, David Berlind writes that Service Pack 2 deserved the scrutiny it got, and charges that it failed to live up to Gates' Trusted Computing Initiative." Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
...deserve some extra 'X's.
Somehow, I doubt that these are the last words we'll see on the subject....
I don't get them moaning that there is too much scrutiny being given to this. It is going to affect 90% + of all the computers in the world.
Well, just wait 'til Longhorn. It will be way better...in like 12 years, or maybe 14...
ZDNet is reporting that many Dell Inspiron users are reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz. Dell claims no responsibility, claiming it is 'externally loaded software' and they don't support it. In the meantime there has been a fix posted on Dell's forums, which rolls back the processor driver."
Aren't 99% of drivers 3rd party software? The only thing MS does is bundle them together, but I believe that AMD or Intel et al are the ones who actually WRITE the device drivers. And if the performance of a new driver sucks, I'd chalk that up to being a shitty driver, versus a shitty Service Pack...
This is why I didn't bother. My XP Pro with SP1 is protected with a firewall, updated virus scanner and Spybot S&D's innoculator. Running Firefox and Thunderbird and anti-spam software doesn't hurt as well.
I might add that the free/OSS I have protecting my machine weighs in considerably less in terms of combined file size than does SP2.
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
This should read, "Installing Microsoft Windows on *ANY* PC is a bad idea."
Sorry couldn't help myself.
Things that I have been disabling as a rule, just like a "normal" procedure after a Windows install, are still out there active by default and still need to be disabled. As the article says they are simply not required for a home machine (in a vast majority of cases anyway). So what is this major security improvement they speak of if basic things that have been attacked for so long are left open?
Because I wasn't expecting that it would, but apparently somebody is. Unrealistic expectations also lead to insecure implementation.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Roses are red,
Violets are blue,
This colour scheme sucks,
Have some blue
I don't get why Microsoft insists on leaving so many services enabled by default. So many of them the average home user will not need, and like the reporter from The Reg said, if a sys admin needs those services, it will be trivial for him to enable them.
"With sufficient thrust, pigs fly just fine." -- RFC 1925
These news sure struck like lightning from a clear sky!
*phew*
I think I must sit down to recover from the shock.
Beware: In C++, your friends can see your privates!
Now all I need to do is go down to the grocery store and buy my copy of the Inquiror and I'm all set for news.
Tell me again why people other than rabid Microsoft haters read that garbage?
Of course SP2 isn't completely secure...neither is *gasp* Linux *gasp*. Nothing plugged into the Internet ever will be.
...not added on afterward. As soon as Microsoft realises this, they can placate people with XP SE 2, and work on incorporating security into LongHorn. This isn't a troll, just a plan of action that would make the most sense for them, maximise their inward cashflow, and still keep them on track (somewhat) for a release of LongHorn in 2006.
I haven't had ANY decrease in performance. I have had a lot more stability with wireless networking now though.
You could say that if you disable and enable everything mentioned there, configure your machine so it is secure, you should be OK. But the problem with that is Windows is meant to be the option for the user who doesn't want to be dealing with configuration and settings to get their computer working.
David Berlind writes that Service Pack 2 deserved the scrutiny it got- and charges that it failed to live up to Gates' Trusted Computing Initiative.
Okay, Mr. Berlind, did you actually fall for that and now you're surprised?
Do you have ESP?
If for some reason you DID load SP2 on a spyware infested computer and it is no longer booting just boot with the "Last known good configuration" option in the F8 boot menu. Uninstall SP2 (you may have to use XP system restore before doing this), remove spyware, reinstall SP2.
What's the big deal? Seems all they did was add Security Center. No other enhancements I can see.
Is the author correct, from 2.6ghz to 300mhz? That seems a bit extreme if not exaggerated.
Yes, perhaps there are things that could have been done better in SP2, but the simple act of filtering inbound connections is a massive step forward in security for Windows users.
I say it's a "massive step forward" because there are literally MILLIONS of windows machines which are never updated, don't run any firewall software, and which are directly connected to broadband ISPs. The people running these boxes truthfully don't know what they're doing in these matters.
Right now, those people have NOTHING. Now at least they will have something, albeit limited. This is a major improvement. Even the old XP internet connection firewall, if it had only been enabled by default, would have prevented Blaster from ever happening.
Of course there are some questionable exceptions in the new firewall default configuration, and no doubt the next generation of worms will take advantage of those - but at least the bar has been raised a little higher.
"Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea."
One word. DUH. If you even install SP1 on a spyware-infested computer it can render it unbootable. I've run into at least 10 machines this week that have had this same problem. I work at a university which is forcing students to install Service Pack 1. There are a lot of machines that can't even take the service pack because of the spyware; the installs just hang or destroy the install on the computer. I feel bad for the students because they have to either format or pay to get their computer fixed. It's not their fault or the university's fault. Who would have thought forcing college students to update their Microsoft patches would be a bad idea.
At the moment my PC has a faulty DIMM (random crashes). It passes memtest but it is still faulty and the new one hasn't arrived yet. After installing SP2 my system has become much more stable and noticeably faster. And I don't use Windows' firewall for security as I've used Outpost Firewall for a year now.
I've noticed since I've installed, that if I'm running several programs at once, the system can suddenly become unresponsive altogether. Ctrl-Alt-Delete even takes time to bring up the Task Manager. I never had this problem before SP2. Only some of these programs are using the internet, so I don't see how the new maximum connections policy affects it. Has anyone else had these problems (on a non-Inspiron)? I was hoping for a more responsive system because I was told that it had recompiled core libraries with a newer version of the MS C compiler.
Remember what was out there previous to SP2. Sp2 is a major improvement, and just like anything else, there's still room for much more. I will be installing SP2 on every XP computer I can because it may not be the holy grail of computer science, but it's better than not installing it.
M$ spent a LOT of time and money on SP2 trying as hard as possible to make it a quality piece of code. Hell, my 400MHz laptop boots twice as fast w/ SP2 installed and I haven't had one piece of spyware install itself, and I was getting 3-10 a week before. Kudos to the guys at M$ who worked their ass off to make my ancient laptop a viable machine for years to come.
And it IS a Dell.
.... The MS mindset of making people need them has resulted in a widely integrated manifestation of the user frustration function in their software.
It's this same manifestation of the application of doing things in software to "make people need them" that is causing all the security problems.
This security problem is not fixable by the mindset that causes it.
It's like an alcoholic or drug abuser: their mind is geared towards supporting the continuation of its vice. What I call a "self-supporting dependency". And under such conditions, as with those who have admitted it and sought help, you have to have external help in order to be led out of the blindness of the self-supporting mindset.
Who's helping MS??? If anyone can?
...and is an indication that MS has finally crammed in all the secure goodness that they could fit into your CPU. The slower it gets, the more secure you are. I think you should be thankful.
> [Performance] decreases as much as from 2.6ghz down to 300mhz.
I'm not going to place any faith in benchmarks generated by someone who thinks performance is measured in clock speed.
Chris Mattern
FTA,
We look to ZDNet as a beacon of light in IT journalism.
(pauses)
BWAAAHAHAHAHAHAHA!
All I can say to this person, is 'look out for the oncoming train...prolly complete with windows logo and named "longhorn".'
IT journalism, brought to you from the same folks of Military Intelligence.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
In reading the article it almost sounded as though RPC, NetBios, and friends were still accessible under the default configuration. Is this the case or am I misreading the article or is the article incorrect? I was under the impression that the default firewall configuration in XP SP 2 was "accept nothing"?
And if I may make myself expressly clear on this point, this post contains no statements of fact, only a QUESTION.
What has *science* done?!? -- Dr. Weird (ATHF)
Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
So basically, you don't want to install it on any computer running a Microsoft operating system that has been using a Microsoft browser or a Microsoft e-mail client.
Huh..I think I'm starting to see a pattern.
Try killing the process called "WSCNTFY.EXE" and see what happens... oh man it's great fun!
And to think someone wasted their time coding that POS.
"reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz"
From the MS website regarding minimum requirements for running Windows XP:
PC with 300 megahertz or higher processor clock speed recommended (source)
which seems to be just enough to keep the system running. Coincidence? I think not....
This sig contains repetition and redundancy.
Do you actually believe an article that has:
"Microsofties say they were more worried about Linux a few years ago, when it was a truly free program, spreading on its own, from user to user, like a virus."
The author insists on comparing Linux support costs to Windows product costs:
"If the Linux camp simply manages to create an operating system that does roughly what Windows does for roughly the same price, what will be the point?"
The author says the difference between support and the product is "semantics":
"... Red Hat
The author also drank some of the SCO Koolaid:
"You might need to buy insurance to protect you against lawsuits over intellectual property rights. (One outfit hawks such policies for $150,000 year.)"
Some other excerpts:
" IBM and Novell are pumping millions of dollars and mountains of brainpower into development of a commodity operating system--they are re-inventing the wheel."
Actually, I could just quote the entire article. I hope Daniel Lyons (author) got paid for his time in writing this press release for Microsoft.
Microsoft at least got some things right in SP2. Personally I usually run Linux. If you don't like it stop fucking whining and install Linux.
The more you know, the less you understand.
"DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default."
Now, I'm no fan of Microsoft (Windows free for over 5 years now), but this is insane. Every home user I have ever helped needs a DHCP client so that their computer can get an IP off the university LAN or off their brand-spankin'-new broadband router. To disable the DHCP client means to turn off the interweb for the majority of users. Greene went a little over the top it seems.
Please don't mod troll or funny. I'm serious.
I think it's about time that we come up with as a community name for this law:
All the Odd Star Trek movies and Odd Microsoft service packs suck.
In all seriousness, it's service pack TWO!! I didn't load it just because of that and I'm dead serious. One of the guys decided to load it and sure enough, he's reloading his system from scratch. It will take the release of service pack 3 before I consider moving from SP1 and the current crop of hotfixes.
Didn't anyone learn anything from the NT service pack 2 debacle? How about NT service pack 4?? Now I know you are going to say service pack 6a but we all know this is the first time Microsoft uses an "a" and it should have been SP7.
"What the hell is an aluminum falcon?"
Security by obesity.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
I once worked in a shop running NT4/IIS/ on an app and installing Service Pak 3 broke everything, so the system admins started calling them Service Pukes....
Athlon 64 3000+ => fine
Dell Inspiron 8600 => fine
Shuttle SN41G2 => fine
Frankenstein P3-933 => fine
Shuttle SN41G2 => fine (yes, I have two of them)
you are a liar!
...Is that much of SP2 is designed to help protect users from themselves. The average Windows user has no idea what a firewall is and thinks a "precision date/time manager" is a pretty neat idea. He might even fall for those popup ads that look like message boxes. In this case, the extra warnings, popup blocking, automatic firewall, etc in SP2 are definitely very helpful.
Also note that many of the "flaws" in SP2 still have to do with users' stupidity. "A program running with admin privileges can make the security center falsely report that the firewall is on" - well duh, but why did you download that program in the first place, and why are you running it as admin?
The article reporter wrote a good security book that I reviewed on /. here, so I know that he preaches shutting off services you're not using proactively, because if there's an exploit that comes out, you won't be affected by it. But this is too much: he says MS should disable DHCP and DNS clients. If you need them, you can turn them on. But I think a lot of Windows users won't know how to do that, and will get frustrated with that level of lockdown. Also he says javascript should be off, but it makes it hard to surf the Web. In his book he says it's safer to use Thunderbird or Mozilla with javascript, which makes more sense. He should have mentioned that in the article.
Anyway, it's a good article; SP-2 is obviously more security talk than reality and it's about time someone looked at it carefully. I just think he overdid the paranoia level a little bit.
Get a grip -- anyone reading this that has worked with a complex software product can tell you that these sorts of upgrades inevitably involve glitches -- even more so where the vendor (Microsoft) isn't able to test all possible operating scenarios (i.e. combinations of vendor hardware and software).
You'd be an idiot to think that with the size of SP2, that it would install on hundreds of millions of different computers without some glitches.
The fact that there is such an easy work around (i.e. driver rollback) says much to the credit of the O/S. How many Linux or other operating system upgrades would allow you to roll back discrete components (e.g. individual drivers, resource managers, etc)?
I do agree that Microsoft could be more aggressive with addressing security issues.
Take a balanced view folks!
Well, since "semantics" deals with the meaning of words, I guess he's right! Too bad Red Hat is FREE, and support is an OPTION. Does Microsoft have that option? Do they even have support? I mean, like a service where they help you, rather than a service where you get to call and wait for someone who is completely incompetent to tell you to reboot? And charge you $19.99 per minute for it?
Everything I need to know about copyrights I learned from Slashdot.
I heard that SP2 enabled the Windows firewall. I don't know if it does or not.
I have a default install of WinXP on my work laptop. SP2 came out from automatic updates and was installed on my machine. Two days later IT sent out a memo not to install it until they had finished testing it. Oops. Oh well. I'll just not say anything.
A coworker and I were messing around at work and he was RDC'ing to a server upstairs. I asked him how often he used RDC and pattered on about my sshd on my home boxen but that I hadn't set up the remote X server. Eventually we both blinked and I asked him if he'd ever tried RDC'ing into another employees system. He shrugged and we decided that he should try to RDC to my computer across the office.
So he did. Now I had SP2 installed (sshhh!) but, amazingly, he was given a login box. When he entered his u/p combo, authenticating through our domain server so as not to deal with local accounts on my machine, he was presented with a box which warned (pph): "The user blahnameblah is currently logged in on system BLAHNAMEBLAH-CPU. If you continue that user will be logged out."
WTH? He's RDC'ing into *MY* system and HE gets the option to kick me out so that he can login? Well... we tested it, it worked. I was logged out and he happily logged in to browse my files. What's more, his account was magically created on my system and the default policy was to allow him the access to modify all the files on MY HD.
Some security... thanks SP2... or whatever.
+++ATHZ 99:5:80
Is this just the most evangelistic computer related story ever? It almost seems like someone is going to great lengths to make this sound like a huge conspiracy?
Who'da thunk all the servers actually have all the articles...
I have updated six machines here at home with Windows XP SP2, two laptops and 4 desktop computers and all is well.
I think the article should say "FUD coming from Slashdot and friends."
Never fully believe what you read on the internet, especially if it's Windows related news stories posted on slashdot and its linux propagandist affiliates.
I'm laughing at everybody who immediately installed this SP2 crap on their systems.
Why can't you people wait at least 2 months so stuff like this comes out?
I didn't know processors have drivers. I figured that driving the processor was, most fundamentally, what OSs are supposed to do.
"My girlfriend's got sodium laureth sulfate hair."
I didn't bother for the very same reasons you listed. I also didn't bother because SP2 doesn't play well with Athlon 64 CPUs. Microsoft even suggests bypassing the update completely.
I like The Register, I really do. And Thomas Greene's a smart chap. But this article doesn't look right to me at all.
I'll spare you all the effort of reading it with a simple summary: XP has a zillion security-related settings, and Microsoft has been terribly irresponsible by not making the default setting the most secure one in every case.
For example, highlighted issues include:
- many services are "manual" rather than "disabled" (the sky is hardly falling so long as the services aren't running)
- the DHCP and DNS-client services are enabled by default (in particular, the former is actually used by many people)
- the QoS Packet Scheduler is installed by default (...and...?)
- the Windows firewall doesn't do egress filtering (which is an anti-trust case waiting to happen if it did, and a totally inappropriate feature for the overwhelming majority of end-users in any case)
- IE enables meta-refresh and javascript by default
There are some great points in the article (does IE really need 7 settings to control ActiveX?), but they're lost in the hysteria of trying to build a mountain out of molehills.
classification called "Boring" "Obvious" or "we've read it a million times". Personally I'd have given it a "redundant". Believe it or not you don't have to make exactly the same 'joke' in every MS thread, some of us can remember things from the day before.
Yeah yeah, OT
A couple of weeks ago, a friend of mine said that windows 2000 (win2k server at least) cannot utilize more than 256mb of RAM. I found this incredibly hard to swallow, and have yet to find proof of this on the net, so I am incredibly dubious.
None-the-less, can anyone validate/invalidate this assertion??
Will program for karma.
The writer of the article is full of it and obviously knows nothing about Windows.
He claims that WebClient, DCOM, TCP/IP NetBIOS Helper, Secondary Logon, Remote Desktop Help Session Manager, Remote Access Connection Manager, DNS Client are all on or set to manual and should be disabled. Thanks, but I'd like to be able to use WebDAV, COM/DCOM, share files with a roommate/family member, use remote desktop from work, VPN into work in the first place, and resolve DNS hostnames thanks.
I might also add that he rails on Microsoft not taking advantage of multiuser capability properly then recommends that Secondary Logon be disabled for home users! Without it, Windows can't popup when you try to install a program or run Control Panel and ask for an admin password to proceed... which makes using a non-admin account a pain in the ass.
He also whines about these network drivers being installed:
Client for Microsoft Networks, File and Print Sharing, and the QoS Packet Scheduler
But perhaps he assumes everyone has one and only one PC in their home and has no wish to share files between them (yeah right). Oh, and you'd like to take advantage of QoS for VOIP or bandwidth throttling? Forget it if the driver isn't available.
With "genius" insights like these I certainly wouldn't trust this yahoo to install a toaster oven, let alone an operating system.
Natural != (nontoxic || beneficial)
DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default.
DNS Client, automatic. Unnecessary on most home machines. Should be disabled by default.
---
WHAT? Thank god 51% of us aren't using broadband.
Among this guy's ridiculous suggestions, he says users at home have no need for DNS and DHCP client services to be running. How in holy hell are people supposed to get on the net??
I can't believe they published this bullshit.
Jeremy
The sad thing is this is hardly news to the tech-savvy, and yet the average PC user will be shocked for all of 5 seconds before they shrug it off. Let's face it, as long as you can stick the CD in the cd-thingamy and make that machine you type things into work again this isn't going to make people like my parents care. It's not features or security MS is capitalising on, it's the laziness of 90% of computer users, and I can't foresee a time that will ever change.
I've said it many times, the stupid people need to have a LIVECD based OS. The simple minded are flooding the net with their useless bullshit.
While The Register claims it has done an in-depth evaluation, they didn't actually test to see if the firewall was blocking non-local subnet access to all the ports used by the services they were complaining about.
If they had, then they would have realised that this is nowhere near the big terrible gaping hole that they are making it out to be.
They also claim that activating a DHCP client is unneeded by most home users. That might have been true 5 years ago, but these days anybody with any kind of home network even if it is just a simple cable or DSL modem will typically need DHCP running. I mean good grief, come on! Even so, I know full well that while you are installing XP it asks you if you want to have your IP settings automatically configured and then DHCP gets turned on.
As for all their complaints about the Zones in IE, speaking as someone who has had to deploy extranet applications to part time casual workers who use their own home PCs to access it, the ability to have a trusted and a non-trusted set of security policies is a blessing.
All in all, I think this article has been poorly researched and written by people who fail to appreciate the bigger picture of what home users may need to do.
YOU'RE A TROLL! Longhorn will be out next year.
http://www.apple.com/macosx/tiger/
Oh, you meant Microsoft's version. Yeah, 12 or 14 is about right.
I'm currently running on a Toshiba Tecra 8100 (500Mhz, 192MB RAM), and after slipstreaming SP2 on to my Windows CD and doing a clean install it's running faster than ever. On SP1 I had to turn off all of the visual options (drop shadows, ClearType, Themes, etc...) or the thing would run at a crawl. Now I can have everything on and use custom themes without any slowdown.
I'll repost something I've written today:
:P~ - this means only good things for Linux, bad things for Micro$oft and sadly bad things for me (us) as we live in a M$ world - consider getting even more probes
#v+
well SP2 is IMHO funny they really haven't added anything useful to it
1] popup blocker - but hey I've got popup blocker in MSIE for like one year thanks to - http://toolbar.google.com/ - and it comes with google search feature which is uber-cool. I install it on every XP client I touch so OK - popup blocker. how innovative...
2] hardened MSIE - well it is a myth. it is still the same MSIE, nothing changed beneath. still too deeply integrated in system, still with insecure features like ActiveX - it is just they are turned off by default so first thing you will do is re-enable these features since without them nothing works. nice patch... really.
3] NX technology - well it is something but right now it makes no difference as it requires modern hardware and only few chips support that. and I am (and I am not alone here) probably not going to change (meaning networks I administer) hardware till it dies... so few more years to go without NX... and also to mention Linux has similar options (executable stack protection) for ages - available as patches f.e. PaX. (for kernel) and also few options (like pro-police-gcc) to glibc... and if you need you can recompile everything against those features as it is Open Source... again MS - innovative... really
4] new firewall - well good to see it but it has its flaws. like it runs in user space, it is worse than other offerings. but still - this is feature I find nice.
what other things left? lets see...
5] new Windows Update - new but it sucks ass like ever. why can't make a decent patching service. it only requires a server and decent GUI for client. I mean jesus I can make such thing myself, just give me specs and some time and I could make it. options I would include:
* decent GUI for configuration with Active Directory support to push configuration to domain
* setup proxy server for updates (f.e. local proxy server to limit bandwidth use)
* free local proxy server software for updates. it even could be only on Windows. to have one machine caching updates in LAN - jesus it's being done in Linux so easily, I can set up my own updates proxy with Linux in like 3 minutes...
* option to choose which connection can be used for automatic downloads (f.e. I wouldn't like my system to pull updates when I am connected via GPRS mobile modem, but I wouldn't mind when it does when I am on corporate LAN)
* some better handling of applying those patches. maybe just downloading them and waiting (I mean waiting not bothering me to reboot manually) for next boot to apply patches while booting (no files locked)...
what else left "new"... oh the funniest thing! new Security Center applet in Control Panel - a place where you can see that you are "secured" (not to mention that you still can be 0wned) - weeeeeeelll in one thing Micro$oft is brilliant - marketing: people want secure Windows, tell them they are secure, show them nice icons telling them that they are secure - people can actually believe it that is in some way brilliant isn't it? too bad it does not work better security for me (and you)...
and also this hype with Longhorn delays due to shifting literally everybody to develop SP2 - what they actually developed? few icons? changed default settings? this requires whole resources of multibillion software giant? that is pathetic for me... Fedora community alone (backed by Red Hat but still it is different scale than M$) can do amazing things like incorporating advanced MAC security with SELinux in months, and software giant can't make a basic security level with all their resources (oh and they do leave things unpatched, or issue things like disable login from URL as a patch, oh and update breaks like every 1 of 10 setups)? and still they say open source model is not superior? mehehehahhwhw...
So let me get this straight.
Many Slashdotters spend a good portion bashing Microsoft for security. What does Microsoft do? Take a good period of time to try to turn things around and release a secure product (SP2).
Now a few people are saying security problems may still exist or that a few isolated people have had bad experiences with SP2 and people here bash SP2 as a failure?
ARE YOU KIDDING ME? What planet are you guys from? Of course it's not PERFECT you idiots - no OS and application is, no matter how secure you design from the start or whatever overused bullshit line of rhetoric you want to use. Mistakes will always be there and improvements will need to be made as the product grows.
Saying slashdotters called it just shows that very few here WANT Microsoft to be secure because then it would take away your favorite hobby of nonsensically bashing an alternative to your OS of choice. You can't ignore the fact that SP2 did make MASSIVE improvements for many millions of people to make them more security aware and that is not a bad thing, even if it is a start.
Sometimes I feel when I read this crap that most people want Windows to remain insecure only for their own selfish reasons and forget there are people on the other end of those machines. Why not praise Microsoft for at least making a step in the right direction? It's this attitude that doesn't help things one bit and only comes off as childish.
And BTW, the Register article had nothing really incriminating against SP2 other than they disagreed with some of the services and firewall features. Yes the WMI hole is there but it requires more than just sitting the box on the internet. Yet many dotheads will assume this means that SP2 is just sitting open like Windows XP was straight out of the box.
Here's a fact:
Put a Windows XP box on the internet and it will get infected with spyware and other crap.
Put an XPSP2 box on the internet and at least you're protected from that crap. Hell people, that's a MAJOR step!
Anyhow, the Register is hardly a worthy news source for unbiased reporting. And the ZDNet guy even said "While this is not a complete list of what makes SP2 worthwhile, SP2 is worthwhile for the majority of Windows XP users". But again, let's be honest here - he's just a guy writing an opinion column, more heart than fact.
This is normal. This is another in a long line of articles that does little more than say:
L0LZ@Micro$0ft!111!!11oneeleven1!! because your firewall choices and services defaults aren't what I would have picked.
There's still service bloat in XP. There's little doubt about that, but suggesting that you turn off DHCP when 51% of us use broadband? I mean, DHCP only has an effect for people that actually, you know - HAVE A FRICKIN NETWORK CABLE PLUGGED INTO THEM! Can we make an assumption that a pretty fair percentage of people who have network cables plugged into their computer use DHCP? Good lord almighty.
Also, he complains because the service type on most services is set to...
...get this... ...MANUAL. Manual is another word for "not on unless I need it," which is a nice long way of saying "OFF" -- you damned chowderheads.
Sure, XPSP2 isn't perfect, but articles like this, these "If I had made it, I'd have made it stupid!" articles - they're just drivel.
Think about it, for a moment. The firewall is blocking internally-generated connections. Which is fair enough. (Though silently dropping would likely have been safer.) However, to lock the machine up, the TCP stack has got to be taking the error as cause to retransmit the packet.
Why am I so certain that this is what's happening? Because Windows has had some degree of preemption for a while. It's not great, but it works. Sort-of. Lock-ups should be next to impossible on a totally pre-emptive OS, as the locked-up program would simply be interrupted. It'd slow the machine down, slightly, but it wouldn't be fatal.
What we're getting here, though, looks like something fouling up big-time in a non-blockable part of Windows. Odds are pretty good that it's the network code. My suspicion is that the TCP stack and firewall are in an unbreakable infinite loop, with the error generated by the firewall causing the TCP code to resend the packet, ad infinitum.
A lot of people have argued that Microsoft isn't to blame for other people's crappy code. Which is fair enough. But they are very much to blame for their own crappy code. If you're going to have non-blockable code (a VERY bad idea!) then you've got to be damn sure that there are no scenarios in which that code will put itself into a spin-dry cycle.
It seems as though Microsoft merely added firewall code, with absolutely no thought as to the possible impact it could have on the rest of Windows.
Further, if my suspicion is correct (and I'm pretty confident it is), then it should be possible to crash any Windows box remotely. Simply generate a packet that Windows cannot reply to. By forcing the TCP stack and the firewall to fight it out, you'd paralyze the machine.
The correct way to handle this kind of situation is to recognise when a connection is administratively prohibited or impossible, and to not keep retrying. You'd then escape out of the non-blockable code, and pre-emption would allow you to continue as normal.
If you want slightly "smarter" behaviour, then if a process repeatedly keeps retrying a connection or activity that is prohibited, every time it gets woken back up, it should drop in priority, be slept a reasonably long time (in the hope the problem can be cleared by then) or get kicked off the system. ("Three strikes and you're out." logic.)
It should absolutely not be possible for any user process, no matter how badly written, to create a situation in which an uninterruptible infinite loop can develop. Either there needs to be some mechanism to interrupt any loop that might be infinite, OR there needs to be a mechanism for recognising when a loop is running unacceptably long.
It's no use Microsoft whining that customers should clean their computers first. That would be like McAfee arguing that you should clean your computer of viruses before running their software. And how are you supposed to do that, if you've no software installed for detecting and/or cleaning the damn things in the first place?
The only way you can know (for certain) that there's nothing trying to access an unauthorised port is by blocking the ports and seeing what happens when you try to use the computer as normal. And the only way you can then do anything about it is if the computer can cope with that situation in a controlled manner.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
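The "three strikes" handling proposed in the comment above, sketched as an added example (not code from the thread or from Windows): a governor that enters the network path once per prohibited destination, then penalises and finally stops a process that keeps retrying. The class and function names, the errno classification and the 192.0.2.x destinations are assumptions made for this illustration.

```python
import errno
from collections import namedtuple

# Assumption: these errno values mean "refused by local policy", so retrying
# the same request cannot succeed until an administrator changes something.
PROHIBITED_ERRNOS = {errno.EACCES, errno.EPERM}

Decision = namedtuple("Decision", "outcome sleep_seconds")


class RetryGovernor:
    """Hypothetical per-process retry policy for outbound connections."""

    def __init__(self, connect, max_strikes=3, base_sleep=1.0,
                 max_sleep=30.0, max_transient=5):
        self.connect = connect          # callable(dest); raises OSError on failure
        self.max_strikes = max_strikes
        self.base_sleep = base_sleep
        self.max_sleep = max_sleep
        self.max_transient = max_transient
        self.prohibited = set()         # (pid, dest) pairs known to be blocked
        self.strikes = {}               # pid -> denials received so far
        self.transient = {}             # (pid, dest) -> consecutive soft failures
        self.killed = set()             # pids that used up their strikes

    def attempt(self, pid, dest):
        if pid in self.killed:
            return Decision("killed", 0.0)
        key = (pid, dest)
        if key not in self.prohibited:
            try:
                self.connect(dest)
                self.transient.pop(key, None)
                return Decision("connected", 0.0)
            except OSError as exc:
                if exc.errno not in PROHIBITED_ERRNOS:
                    # Transient failure: bounded exponential backoff, then give up.
                    n = self.transient.get(key, 0) + 1
                    self.transient[key] = n
                    if n > self.max_transient:
                        return Decision("gave_up", 0.0)
                    delay = min(self.base_sleep * 2 ** (n - 1), self.max_sleep)
                    return Decision("retry", delay)
                # Policy refusal: remember it so later attempts never reach
                # the network code again.
                self.prohibited.add(key)
        # The destination is prohibited (just learned or cached): one strike.
        count = self.strikes.get(pid, 0) + 1
        self.strikes[pid] = count
        if count >= self.max_strikes:
            self.killed.add(pid)
            return Decision("killed", 0.0)
        delay = min(self.base_sleep * 2 ** count, self.max_sleep)
        return Decision("denied", delay)


def make_fake_connect():
    """Constructed stand-in for the network stack, so the example runs offline."""
    calls = {}

    def connect(dest):
        calls[dest] = calls.get(dest, 0) + 1
        if dest == "192.0.2.10:445":            # constructed: blocked by policy
            raise OSError(errno.EACCES, "blocked by firewall policy")
        if dest == "192.0.2.20:80" and calls[dest] < 3:   # constructed: flaky
            raise OSError(errno.ETIMEDOUT, "timed out")
        return "socket"

    return connect, calls


def demo():
    connect, calls = make_fake_connect()
    gov = RetryGovernor(connect)
    blocked = [gov.attempt(7, "192.0.2.10:445") for _ in range(4)]
    flaky = [gov.attempt(8, "192.0.2.20:80") for _ in range(3)]
    return blocked, flaky, calls


if __name__ == "__main__":
    blocked, flaky, calls = demo()
    for d in blocked + flaky:
        print(d)
    print(calls)
```

The caller is expected to sleep for `sleep_seconds` before its next attempt; a real scheduler would enforce that delay rather than trust the process.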
I otherwise agree with most that was written - I totally agree that "less is more" when it comes to security (although there often ends up being hooks for stuff like RPC all over the place) and I couldn't believe it when I saw "Remote Assistance" enabled on my computer by default when I loaded it - WTF!
Hulk SMASH Celiac Disease
-Lucas
I let my naive young Greek (hey: I'm posting from Greece) colleague experiment with his home machine.
OK, it worked for him, but the bottom line was "my machine runs a bit slower now".
Sigh. Doesn't fix anything anyone with half a brain who is NATed and appropriately Gene Hackman wouldn't be able to fix, and you run even slower.
I'll stick with what I have now. What bothers me is that those "Merchants of Darkness" at Microsoft will use future service packs as a slippery slimy slope for delivering "Longhorn"....
At the end of the day *their* products will work. But all of ours will be waving their legs in the air as if they'd just received a burst of pyrethroids...
Good thing I paid the extra $70 and got XP Professional. It doesn't seem to affect me.
My inspiron is acting fine too. A little snappier too.
>So did Slashdotters call this one?
No. They really didn't. Of course SP2 was going to cause *some* problems, but poo-pooing everything MS in a knee-jerk fashion doesn't help anyone and probably is keeping people from installing it, which is a real shame because:
1. Firewall on by default. Power users can easily shut it off. How many Slashdot posts do we have that wish MS did this, but when they do suddenly MS is doing wrong. Yes an admin can shut it off even with an activeX control. Such is the life of running as admin.
2. Nag screens for anti-virus and updates. Much needed.
3. Better wireless interface. The old one wasn't so hot and this is a welcome upgrade.
4. "Drive by installs" are not going to be as common as IE requires an extra step to install/download stuff and blocks pop-ups natively and by default. Man, how many Slashdot posts did we have about "MS should do something about pop-ups and click installs!" Well, they did. Sure, they didn't remove activeX altogether, but no one was expecting that.
5. NX support for AMD 64. Wow.
> Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
No shit. Installing ANYTHING on a spyware infested PC will cause all sorts of problems. Fighting spyware is what SP2 is trying to do. Give it time or at least introduce your friends and co-workers to a little thing called Ad Aware, especially if they'll never switch to FireFox. Face it, many people will never switch and will go to their deathbeds using bundled software.
>So did Slashdotters call this one?
Granted, if you take the negative approach to life 24/7 you will be right every so often or at least subjectively, but I feel these are much needed changes and will help technophobes better use their machines. MS can do things right. Yeah, break out the smelling salts...
Yeah, I know this is off-topic but I just had to respond. I have 256 megs of PC133 SDRAM with some bad areas. I found the bad areas with Memtest86. Then I allocated them using MmAllocateContiguousMemorySpecifyCache in a driver that runs at boot. I found a nice example driver that I just had to modify slightly. The example I used seems to be the NT example at the bottom here.
Remember, Nessus is your friend.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Maybe last rites would be more appropriate.
I just took slashdot out of my group of startup tabs. I'm finished with this muck raking yellow-journalism, unprofessional bratty assed site.
I am completely disgusted with the smug gloating, the bitchy 'told-you-so' tone.
(Watch as my heartfelt opinion is modded -1 in minutes flat, just because I don't toe the party line here.)
What the hell is wrong with you people? Show me one place where people in favor of commercial software act like this about people into free software. You can't, cause they don't. You nitwits didn't call crap - you all automatically parrot the same crap about MS no matter what they do. Even a broken clock is accurate twice every day.
How shameful all this nastiness is. The only thing Slashdot has made clear to me over the years is that the OSS movement has to stoop to these levels, obviously because the software quality can't speak for itself.
So, y'all just have a nice life, you sad, sorry children. I heartily encourage anyone that can see what I'm talking about to do the same - say goodbye to this pathetic shambles once and for all.
I find it amusing that Windows requires so much babysitting. OS Patching, anti-virus signature updating, anti-spyware scanning, rinse & repeat. And after awhile when entropy has taken too much of a toll on the machine, it's time to back everything up, erase the computer and reinstall the operating system.
It's a computer for crying out loud! Why can't the process be automated so users can do other things?
Ruby on Rails Screencast
The problems with this service pack are much more complex than what most people and the media are making them. I don't think anyone will disagree that Microsoft has a huge user base, or that they have some flaws in their software. ;)
Implementing major security upgrades, a very necessary thing to do, comes with difficulties. The main problem is trying not to cause problems with too many other applications; else MS would have more issues to deal with. The trick is to balance the fixes with their effect on applications and corporate network configurations where questionable Windows services are most commonly utilized.
Don't get me wrong, I am not trying to defend MS. But I think people need to see that a problem this big can only be fixed in stages, else it will create so many problems that no one will install it. The 10% rate of SP2 problems recently cited is a very acceptable rate overall. Had MS locked much more down, we'd most likely be seeing problem rates closer to 50%.
I think we can all think of at least one past experience with a flawed application where the manufacturer went too far and basically destroyed their user base thanks to a fix or update. MS is not going to do that. In addition, end users have to take responsibility for implementing known measures to ensure their system is as secure/virus free as possible. I recently read an article I concur with based on years of working with end users. The article stated that a very high percentage of users do not bother to keep their virus scanners up to date. In addition, at least one company has made a good firewall available for end users to use FREE for one year. Microsoft has had a link to that software for quite some time now. If a user is not doing the minimum known procedures to keep their system secured and virus free, they have no one to blame beside themselves.
Give it time. As Windows grows up, is fixed further, it will slowly become a secure product. The only part of Windows that I'd say is an unfixable mess is IE, and there are known, easy to obtain alternatives. One can do a lot to plug the security holes now, but they have to get over blaming MS for the problem and take responsibility for their system(s).
Ok, this concludes my rant. Let the flames begin.
The Register generally has very witty and sharp commentary surrounding many facets of the computing industry. Their review of SP2, however, lacked a reasonable level of objectivity.
The first section of the article goes on to explain how a number of services are left on that "shouldn't be". This is for the most part a subjective rant about services that have traditionally been a source of system compromise. The "Hate On Microsoft" stick was made apparent when the author went so far as to proclaim that the DHCP client service and DNS client service should be off by default: "DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default." "DNS Client, automatic. Unnecessary on most home machines. Should be disabled by default." That wouldn't be a very useful computer, would it? How about hitting up Google for an answer to "Why can't I check my mail, browse the web, or do ANYTHING online?" - oh, wait...
Among some of the old favorites that were left on, file and print services made the list. That would be pretty bogus if the system's firewall wasn't turned on by default:
"The new "Windows Firewall" packet filter is turned on by default, finally. However, an exception for Remote Assistance connections is enabled, which is preposterous, although file and printer sharing, and UPnP, are blocked by the firewall as they should be."
Since it's firewalled, it's a non-issue. In fact, most of the article is written as if the system's firewall is not installed. Remote assistance is referenced in almost all of the help documents; it would be a pretty bad user experience if you wanted help - but couldn't get it. As far as I can tell there has been no exploit based on this service since the introduction of XP.
Generally speaking unused services should be turned off. The only reasonable way to address this would have been yet another wizard that would ask the user how they use the computer and set services setting accordingly. However, the question of "Is sp2 remotely exploitable out of the box? More to the point is it secure from a network perspective, now and into the future?" The answer to that question is generally yes. Unless there is a nasty buffer overflow of some kind in the firewall (one hasn't been found, not to say it won't) an SP2 box is pretty safe on the network.
Wasn't that the point of SP2?
When evaluating the effectiveness of SP2 the net result needs to be evaluated. Many critics have evaluated the implementation. A lot of people might NOT AGREE with File sharing, RPC, Remote Assistance, or any number of the other services being on by default for that matter, but does it matter from an exploitability perspective? Only if that port is available for remote exploitation -- which is not the case.
Network issues aside, IE and the shell both do a good job of throwing up warning dialogs when the user is about to run an executable. There is also the "Data Execution Prevention" feature that detects when "data" is trying to execute as a program, though for it to work well the hardware has to support non-executable memory regions. Only time will tell how well those measures aid in stopping the propagation of worms.
> Windows XP SP2 seems not to be so secure after all.
Well, duh, it's a Microsoft product!!! Doesn't anybody listen or read news articles anymore?!?
> Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
Installing any Microsoft product on any computer is a bad idea.
When will people learn? Come on, people, do yourself a favor and install a Linux distro.
I have been having this problem on my Inspiron ever since I installed SP2. I have tried a lot of things, and I highly suggest http://www.blackviper.com/WinXP/servicecfg.htm for tweaking your services settings.
Another way to boost your speed is changing your Prefetch setting, http://techrepublic.com.com/5100-6270_11-5165773.html has a great article on how to do it.
TCPOptimizer http://darkedge.levels4you.com/review.l4y?file=20 also helped speed up my collection a lot.
Another cool tip is fixing Event ID 4226 which limits your connections in SP2, check it out at http://www.lvllord.de/?url=tools#4226patch.
And, of course get the MS TweakUI for XP at http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx.
And although they are not freeware I actually bought and really like Registry First Aid http://www.rosecitysoftware.com/reg1aid/ and Registry Compactor http://www.rosecitysoftware.com/RegistryCompactor/.
I hope you all have as much success as I have with speeding up XP. It is a pain in the butt to do it, but it is worth it in the end.
"Your 'Gin n'tonic Futon Brain' sure makes you smart!"
"That's 'Positronic-photon Brain', you idiot!"
If you still use Roxio Easy CD Creator 5.x, you will not get to use DirectCD for UDF Packet writing to save directly to CD after SP2 is installed. This program comes with every new Dell Optiplex we bought this year. These Computers are supposed to be Supported with SP2. But 2 calls into Dell T.S. resulted in a "Sorry, too bad" response. They recommend Windows native CD burning, but that ain't UDF.
(We have a need to make saving to CD as simple as a floppy for some elderly folks.)
This one isn't listed on Microsoft's list of SP2 incompatible programs.
Nor is anything mentioned on Roxio's site except people complaining. Roxio is up to version 7 now so you know they say to upgrade, but Dell still ships old v.5 out with new PCs. Go figure
For the machines we tested at work, the firewall actually blocked more than was necessary. We were surprised to find the admin share totally invisible even though the computers were on a domain.
Methinks something is borked with this analysis. A lot of these services aren't accessible on the boxes I've tested with (both on and off domains).
> Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
And how did it become spyware-infested? It got that way because you installed a Microsoft OS. I never had this problem with Linux.
There are two sets of articles on XP SP2:
1 -- "XP SP2 BREAKS TONS OF APPS!!"
Essentially, Windows is *too* secure and now breaks tons of programs -- so don't install it!
2 -- "XP SP2 IS TOTALLY INSECURE!!"
Too many Windows services are on, which means lots of apps -- including harmful ones -- are still able to run, which means XP SP2 is totally insecure -- so don't install it!
You can't have life both ways. Yes, added security will break *some* apps, but most will still work. Yes, it's not as secure as, say, an OpenBSD installation where you turn on one service at a time -- but end-users aren't expected to go through turning on service by service and tweak firewall settings every time they install a new app!!
By the way, for corporate deployments, most of that stuff (services, firewall, etc) can be administrated through Group Policy, anyway, so the default settings apply much more to home users than corporate ones who can pick and choose what services, firewall settings, etc to allow on their Windows PCs.
Communism was just a red herring.
This is odd. Now, repeat the steps again *after* switching the password from "password" to "test". The results? The login dialog does not report that "test" is an invalid password.
While I am not doing any more debugging of XP for Microsoft (a detail or two might not be 100% correct), what I have seen is enough to make me wince. Microsoft did not test this one well enough.
Note: It may be necessary to have a program running in the admin account to trip up this bug.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
DNS Client, automatic. Unnecessary on most home machines. Should be disabled by default.
He's too kind.
They should call it the "DNS on crack" service.
The only reason I can see for it existing is for sites where DNS is non-existent or badly broken, so that names pulled out of WINS, browsing, or by casting entrails or yarrow sticks can be used to let some applications run that would otherwise freak out. The problem is that when you do have working DNS it will, occasionally, freak out and return randomly wrong information.
Unless you're at a small business using a misconfigured Windows-based external firewall AND you're not willing to spring for an Active Directory server, turn this baby off and disable it. You'll be glad you did.
All that you speak of is controllable via GPO.. That is how enterprise users handle things...
If your team doesn't know how to do that and you have more than 5 machines on your network.. I would be afraid.. very afraid...
---- Booth was a patriot ----
And seriously, problems with a Dell, what a shock since they tend to try and turn even simple "open" devices into proprietary cash cows (I had a customer with 5 Dimension XPs, all were extremely noisy, I recommended he swap the exhaust fans when we determined they were the source of the noise, but could only order the same replacement from Dell since the power connector was completely non-standard and attached to a non-standard header on the motherboard, no fan detected in BIOS, no boot). Dell always sticks their customers with the old "it's third party so we can't help" crap, so can that really be counted?
Establishing less-privileged user accounts, even for the machine's owner, is the single most productive step one can take towards reducing the impact of malware. WinXP makes this possible, but, unfortunately, not necessary.
Why would this be true? All a worm needs to propagate is access to a socket (or to the API of your email agent). This is one of the things that makes worms so powerful.
I certainly don't advocate running systems in single-user configurations (I'm a Mac person, and the Mac handles this elegantly, even if it isn't waterproofed yet). However, as a Unix person at heart, the fact that worms can be effective even against services running as "nobody" in chrooted environments --- often even in systrace-style jails --- is one of the most interesting systems-security implications of the malware problem.
What kind of fool would identify himself as a commie?
Although I don't have a Dell, I noticed the same thing. My wireless connections now work the first time all the time. SP2 improves power management as well. My laptop now comes out of sleep mode every single time in a couple seconds. Pre-SP2 half the time it would reboot or just sit there with a blank screen until I hit the power button.
You get what you pay for. Dell's mix and match construction almost always means SOME piece of software isn't going to work with your system. Worst researched, worst designed PC products on the market IMHO. They are as cheap as their roots. What a surprise that they have some bug that doesn't work with SP2!
If you want to get a real laptop, buy IBM, or go for Alienware. I've never had a problem with either since I dumped my Dells, and I will never go back.
"Curiosity killed the cat, but for a while I was a suspect."- Steven Wright
As an OEM that sells systems bundled with XP, Dell, I believe, is obligated to support systems whose users apply service packs to the OEM-installed OS. There was some flak about this some time ago when some OEMs simply referred their customers to Microsoft, and I believe that they were reminded that they picked up this obligation as one consequence of their OEM arrangement. This support site page gives the particulars for Dell. In my experience, Dell acts like any other Windows sysadm: they wait until their own internal testing is done before they add it to the list of supported service packs, so that they can simultaneously publish a list of any issues (such as required driver updates). Until then, you take your chances (which have been minimal for me, though I tend to stay in the Latitude line, even for home systems) and rely on the forums. My reading is that Dell isn't done with its testing, and the particular spokesperson is only half right: not supported until their testing is complete and it appears on the above page.
And it isn't the stupid^^^dents fault for getting spyware onto their computer in the first place, let alone ensuring it gets removed when it is? It's not like it's a regular thing to have on a well-kept computer. I have a laptop running XP that has yet to see anything that doesn't belong on it (except MS messenger, but that was before I even got ahold of it, didn't take long to remove it). My wife has a win95 box that is basically on an open broadband connection and as long as it's not left on, I might find myself removing malicious files off of it every two months or so, it's not hard to ctrl+alt+del and make sure you recognize what's running and find a way to kill anything that shouldn't be. Maybe they should make this a lesson in the freshman 101 class or the computer 101 class that nearly every college/university requires?
Yet Another Inspiron Owner.
Didn't see any increase or decrease in performance but OSA9.exe kept pegging at 100% after SP2 was installed. Also I now get errors with Wordpad about registered filetype or some such. I give SP2 6/10 for breaking my laptop and ultimately wasting my time with a reinstall which I'll now probably have to do at some point.
Before anyone suggests it, I don't have any viruses or spyware installed and I don't use IE or Outlook. SP2 just broke some things as MS themselves admit.
If you wanna get rich, you know that payback is a bitch
I just noticed on a clean install of XP SP2 that the integrated video output from an Intel 845G chipset is corrupted. Removing SP2 corrects the issue.
There are a lot of 845 chipsets out there; I wonder if they all have the video issue.
-ted
I decided to install SP2 on my workstation yesterday and I must say that it was quite secure. This is because it's hard for a hacker to get into a computer that no longer boots...
so why did the Reg test XP Pro?
...when you buy lowest common denominator, mass-market junk because it was the cheapest option and it's what everyone else uses.
I especially love it when the OEMs refuse to provide support or even updated hardware drivers for any OS other than what the machine originally shipped with. Sony is notorious for this, though I don't think even they have stooped so low as to not support customers who ran into problems because they installed a fucking service pack that was strongly recommended by the OS manufacturer.
Then again, anyone who actually believed that Dell commercial that showed hard-working American (ROFL!!!) tech support representatives ready to use independent thought to help solve customer problems deserves what they get.
Listen up, you fools: When it comes time to replace your creaky old, scumware-infested Dell in a year or two (if you can even put up with it that long), you might consider paying a little more for a Mac-- they don't have scumware problems, and if they have other problems you won't get caught in the finger-pointing crossfire between the hardware maker and the OS maker since it all comes from a single company.
>They recommend Windows native CD burning
Which works pretty well (although not a packet writing host, agreed).
I haven't figured out how to tell Windows the volume size though.
-fb Everything not expressly forbidden is now mandatory.
Does anyone know whether the service pack 2 includes any function to kill stupid worms in real time or throttle fast worm propagation? If it at least has this feature, service pack 2 is valuable to most of the Windows users. Most of the worms are stupid (IP scanning, fake source email address, fast propagation ...), the OS should easily catch them.
--
I'm a farmer in silicon valley. My labtop is my hoe.
The service is not enabled... it is in a state where applications that rely on it can start it if it's necessary, but that would be performed by the user. Having it not enabled is not a security risk....
I love this service. I love that it is not enabled by default, but must (as above) be initiated by the user. Again, there is nothing wrong having this service in a state where the user can enable it without confusion...
This service is what allows fast-user-switching (multiple console logons w/out logging out). It is an integral part of the XP ui and absolutely should be enabled.
Newsflash -- Windows is not *nix, its user base is not a *nix user base, etc... Excuse the cliche, but "Mom" is not going to login as a "user" then launch setup apps in root/admin context -- this is just not something that "mom" can wrap her head around.
I'm calling bullshit on this one. Pick -- the end user should be smart enough to work in the user context until he/she needs admin access, then they should go use it for that specific context, etc... but they shouldn't know if they trust a site or not? And by default there is nothing in the "trusted" sites list, so the user is going to be prompted for each download attempt. If they don't like the "zones" idea that's fine, but complaining about the implementation is different from that implementation being unsafe.
More of the same. We get it, you don't like the "zones" thing. There is no difference between what the review wants and what IE already does in this case. There are no trusted sites by default and the user is going to have to go out of his/her way to get some there. If you like reading some activex riddled crap page you should be able to view the site without being bothered every 2 seconds. You have that right.
As a matter of fact, can you imagine the user experience if these setting
...he says users at home have no need for DNS and DHCP client services to be running. How in holy hell are people supposed to get on the net??
Quiet, you fool! The people dumb enough to follow his instructions are the same idiots who double-click on everything that drops into their inbox! Let them knock themselves off the net, and then it can be OURS again!
Earlier this week I finished work on a ResNet scanning CD for the college that I work for. The CD autoruns, scans for viruses using Stinger, changes some proxy settings, and on Windows XP systems, it installs SP2. I neglected to include a spyware scanning program. All the copies of the CD are already made, and ready to be deployed to students on Tuesday. I'm thinking I should probably create some additional CDs that autorun SpyBot or something.
Anyone else in my situation? What have you done, or wish you had done?
"0101100101? It's just jibberish. *looks in mirror, gasps* 1010011010@!? AHHHHHH!!"
Dell Inspiron users are reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz.
Hmph... didn't know that the OS could change your clock settings.
I guess an opinion by a former customer is dangerous.
"Curiosity killed the cat, but for a while I was a suspect."- Steven Wright
Why should everyone use the latest OS, aka Win XP, and suffer all these problems?
Except for a few s/w that work on XP only, 98 does it fine.
What are you going to lose out if running a Win98 SE - patched up system?
Don't tell me "bad looks" - ain't like XP feel....that's garb.
Plus virus writers these days target XP mainly...98 escapes...example: Blaster.
Think about it.
Why does yahoo do this
Oh, you mean the incremental version that Apple keeps charging you suckers full price for, EVERY year? Yeah.. enjoy ;)
If the past year has proven nothing else, it's that we can't afford to let the Windows masses have control over their own machines. The paranoid rants of a few slashdotters gave us Blaster, and I really don't think they can be forgiven for that.
Actually, the author is unaware of new measures like stack protection built in, that actually strongly suggests to me that the author hasn't gone any further than a normal port scan, and this isn't a true analysis. Stack protection would have stopped just about every worm so far in Windows (except the shared drives ones in Win2k). Anyway, it's a disillusion that worms need ports open to spread. In reality, it's really irrelevant if they are open or not due to the forced automatic updates and stack protection, and your biggest risk is stuff like Internet Explorer. Basically, I don't believe the author really has much of an insight into computer security at all.
I have a Dell i8600 and I did have problems with SP2. When I installed the last public beta of SP2 before it went gold, whenever I pulled the AC cord out while Windows was running, I'd get a STOP error with gv3.sys. Searching on those same Dell forums, I found out I had to update my CPU driver. My original driver was dated sometime in 2002, but a nice and quick upgrade over the net from Microsoft gave me an April 2004 driver that has done away with the STOP errors.
On another note, I don't have any performance problems with SP2. It runs pretty much the same as with just SP1. Then again, I hear lots of stories about Dell computers and I don't give them any weight because I've never experienced any. The forums are interesting to wander through, complete lists of drivers for machines, nothing but a positive experience.
It automatically re-enables MS's worthless firewall, and changes Automatic Update to download and install without any user input regardless of what you had it set for already.
In addition, the security center is an annoying piece of sh!t. I just got done setting up an elementary school lab with 35 new PCs, and once Automatic Update kicks in and downloads SP2, I'm gonna have to make a return trip just to reset every goddamn thing back to the way I had set it.
That is by far my biggest gripe, MS simply doesn't think about computers that are going to be used in a multi-user environment outside of a family room. I feel sorry for school admins across the country who are gonna have to deal with this shit at every school with XP machines. Thankfully, I only have to deal with one school.
I wish OS developers would include a special User account specifically designed for "Students".
Exactly what I was thinking.... Slashdot owners didn't "call this one" at all. The overall vibe I got here was generally "this SP2 is going to be great - even though it'll inconvenience some people for a while and break some stuff, because it makes changes that were sorely needed, instead of just doing superficial patches after the fact for specific vulnerabilities".
.... but I found evidence of some strange item still attaching itself to the TCP/IP stack. I figured "Oh well - I'll look that one up later." and applied SP2. It installed fine, and upon reboot - generated a couple error messages related to the exact item I was worried about. On the next reboot, those errors didn't come back - and the malware seemed to be completely gone! I think in this case, the malware was trying to use some method of attaching to the stack that was changed or eliminated in SP2, so my problem was solved for me. I'd say SP2 is definitely not all bad - and seems more secure than what we had before.
But now that it's released and some complaints come forth, Slashdotters want to claim they "told you so"? Nah.... not really.
One of my customers runs XP at home on the family PC, and I've been out there at least 4 times now to clean up viruses and spyware. Despite my best efforts at preventing things from getting in (AVG anti-virus set to auto update every 3 days and Spybot 1.3 set up to immunize the browser, etc.) - nothing has really worked. Basically, they have a household full of teenage girls who know just enough about computers to download all sorts of free offers that sound good on the web, use music sharing programs, and exchange lots of email and instant messages.
This last time out, I cleaned up the system the best I could, and it seemed to be running well again
It only does this if you choose to install the new driver for download on Microsoft's site. This is not something inherent in SP2.
This script can be used to remotely block or unblock the delivery of Windows XP Service Pack 2 (SP2) from the Windows Update Web site or via Automatic Updates.
To-do List: Receive telemarketing call during a tornado warning. Check.
So installed XP SP2 on my laptop and it broke internet explorer as well as dhcp over wireless. So I figure with no internet (since I connect with a wireless connection and most non-geeks would know nothing about static ip addresses) and IE not working that must be as secure as Windows XP can get.
Question everything that you've accepted without thinking.
Check out 98lite http://www.litepc.com
These guys can strip 98 down to a network-enabled GUI that fits within 10Mb of disk.
As for the firewall, egress filtering is overkill - plain and simple. I've been annoyed WAY too many times with SW firewalls constantly asking for permissions - and I know what I'm doing. Most home users blindly click Yes anyways (that's why they have the spyware/virus in the first place), so why bother? NAT (which, in effect, is the same as ingress filters) has been accepted as the norm for many SMB networks so why shouldn't it be acceptable for the Windows firewall? If you really want more control, go download ZoneAlarm or something. Even better, get yourself a real firewall and be done with it. SW firewalls in general are a dumb, dumb idea.
Okay...I do agree with their view on limited user accounts. Unfortunately, a lot of Windows software was never designed (or still isn't designed) to support multiple or limited users - so, once again, MS is stuck between being secure by default or breaking things. Since they (presumably) know their user base isn't too keen on having once working apps broken, they chose the lesser of two evils. It's a tough call, and one I'm glad I don't have to make.
As for the Inspiron 1150 problem, Dell should be supporting SP2. It's an official MS update to a supported OS, and Dell is required to support it. If they can't figure out that it's a processor driver, then they're seriously incompetent. SP2 was in beta for quite awhile, and I'm sure Dell had access to it - there's no excuse for them not being ready for it. It strikes me as being ridiculously obvious. (SpeedStep broken? Hmm...lookie here - it looks like there's a new CPU driver. Maybe if we try the known working one?)
I've just recently performed a fresh ("slipstream") install of XP SP2 on my laptop, and my nmap scans and observations of active services are quite different from this article's report. Maybe he upgraded a fresh XP or XP SP1 install?
Honestly, the guy says that services like DHCP and DNS should be disabled by default and that "most home machines" don't need it. I guess he doesn't expect people to read his article from home, then, because without being able to get an IP address lease from an ISP or resolving theregister.co.uk, they aren't going to be able to read it!
This guy missed out the most important feature of SP2: the buffer overflow protection being compiled into all system services.
There are always going to be new buffer overflows found. What SP2 will do is make these unexploitable. If this sort of protection was in XP previously the vulnerability blaster used would not have worked even with the same coding mistake that resulted in an overflow.
I suspect the author would only have been happy if Microsoft had gotten rid of every networking feature of the OS. SP2, while not providing the super secure magic bullet which the commentators want, definitely raises the bar greatly for a default configured workstation.
I never install a service pack right away. I wait awhile for the people to opine on it.
All this XP talk got me thinking about Tiger, and I noticed something on the Tiger site which I thought was pretty cool.
http://www.apple.com/macosx/tiger/safari.html
Check out the top image.
"DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default." -from the article
Ummm, I think many home machines use DHCP to connect to the internet. This may be something which should not be disabled. Just my thoughts.
Here's an interesting question: has Microsoft released new OEM install or full-install CD-ROMs of Windows XP Home Edition or Professional Edition that incorporate all the Service Pack 2 code? I haven't heard of such a release yet....
....that the Register is a purely unbiased web publication that takes a look at all topics it covers from a purely objective standpoint.
I for one think XP service pack 2 is a good thing. Now really, why are the security issues in service pack 2 so blown up? All earlier service packs have had security issues too. Service pack 2 is about to make serious changes to the web, simply because popups are blocked. Even Joe Average will have a popup blocker in 6 months' time. It makes me wonder if there could be some anti-popup-blocker people spreading a whole lot of FUD about this package? The days of popups might have come to an end, and some people might not like that.
Remi Denis
First, let me say that Thomas C. Greene is one of my favorite writers.
.REG file that implements all Greene's recommendations?
It strikes me that someone who has used something like Black Viper's SP1 Configuration page to tighten up his Windoze box is going to have all of that effort wiped out when he installs SP2.
No one should install SP2 without a checklist like Greene's to go back over his settings and adjust them manually.
Anybody working on a
gewg_
Jason Lopez Aug 19, 2004 newsfactor.com
I do notice when he's talking about 38%, he says "home-based Internet users" but isn't so clear about the 51%, where he just says "users".
I would have sworn that most folks used dial-up from home.
gewg_
I'm glad I'm not the only one that browses the internet by IP only!
The author obviously does the same... since he so strongly recommends against the use of the "DNS Client" service on home machines. Yeah... home machines don't need DNS.
Excellent post.
/. source code - where is that often lamented upside of the free software), but cheesy color schemas are never in short supply.
I have complained about editorial policy in several of my posts, but (silly me) haven't ever suspected that ownership of Slashdot could have to do with what gets posted here.
I have also complained about low quality FUD troll articles by michael and suggested that articles be moderated, too, so that we can filter out that cheap propaganda that pollutes the site.
Of course, it seems it'd be "complicated" (suddenly it became hard to tinker with
This year has been really bad.
In my opinion, some 40% of all articles and 80% of all comments are of miserable quality. Sometimes one has to browse four pages of comments to find 3-4 insightful posts. And as the parent post says, you can't get rid of worthless comments because totally stupid articles get modded insightful or funny.
As articles can't be modded or filtered ("michael filter" anyone?) either, it's becoming quite unbearable.
Sadly, that is the new Slashdot - perhaps it's "If you don't like it - leave!", so I've been thinking if I should still visit Slashdot.org any more or perhaps join one of commercial tech sites with quality articles and forums.
Truly pathetic.
P.S. In past months I've been getting to moderate ONLY anonymous posts - now I have started to suspect that happens because I've voiced my dissatisfaction too many times... Anyone else only get to moderate posts by anonymous cowards?
Of course - the article is full of shit.
....
From the article (*) and what I think about it (-):
* DCE endpoint resolution (epmap), port 135.
This is basically the UNIX/BSD/Linux portmap daemon, and unnecessary on home machines.
- unnecessary but not dangerous
* NetBIOS name service, port 137. This is the WINS (Windows Internet Naming Service) server for a NetBIOS network, and unnecessary on home machines.
- so fucking what - ADSL links make NetBIOS not listen on the Internet network interface - that's the default without SP2
* NetBIOS datagram service, port 138. This is used by the SMB (Server Message Block) browser service, and is unnecessary on home machines.
- bullshit - I have 3 PCs at home and I share data all the time. Besides, the port is closed to outside (the Internet)
* Microsoft-ds (Server Message Block), port 445. SMB can run directly over TCP/IP, without NetBT by using this service, which is unnecessary on home machines.
- yeah, riiight, almost everyone with 2 PCs need it and it's closed on the Internet interface
* NetBIOS Session, port 139. This is used for Windows File and Printer Sharing, unnecessary on most home machines, and extremely dangerous on any machine connected to the Internet unless the owner knows how to run it securely.
- bullshit it's off by default on that network interface and possibly protected by the firewall (I haven't tried SP2 yet)
* Error Reporting is on by default. However, there is no reason why a machine should phone home every time it encounters an error. This is better left disabled.
- that's, like, your opinion. If it was off, someone would surely complain about that too
etc..
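The disagreement in the comment above comes down to which interface each of the article's ports is actually bound to. As an added example (not from the article or from any commenter), this Python sketch parses `netstat -an` output and reports the bind scope of each of those ports; the sample output and the address 192.168.1.10 are constructed.

```python
import ipaddress

# Ports from the article's list, as quoted in the comment above.
WATCHED = {
    135: "DCE endpoint resolution (epmap)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session",
    445: "Microsoft-ds (SMB over TCP/IP)",
}

# Constructed sample in the layout Windows prints for `netstat -an`.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      64.233.161.99:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""


def parse_listeners(text):
    """Yield (proto, ip, port) for listening TCP and bound UDP sockets."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING rows accept connections.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        host, _, port = local.rpartition(":")
        if port.isdigit():
            yield proto, host.strip("[]"), int(port)


def bind_scope(ip):
    """Classify a local bind address by how widely it is reachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    if addr.is_unspecified:
        return "all interfaces"
    if addr.is_loopback:
        return "loopback only"
    if addr.is_private:
        return "private address"
    return "public address"


def audit(text):
    """Return sorted (proto, port, service, scope) rows for the watched ports."""
    rows = [
        (proto, port, WATCHED[port], bind_scope(ip))
        for proto, ip, port in parse_listeners(text)
        if port in WATCHED
    ]
    return sorted(rows, key=lambda r: (r[1], r[0]))


def wide_open(rows):
    """Rows whose exposure depends entirely on a firewall or router in front."""
    return [r for r in rows if r[3] in ("all interfaces", "public address")]


if __name__ == "__main__":
    for proto, port, service, scope in audit(SAMPLE_NETSTAT):
        print(f"{proto}/{port:<4} {service:<32} {scope}")
```

In the constructed sample the NetBIOS ports are bound to one private address, while 135 and 445 listen on every interface, so whether they are reachable from outside is decided by the firewall or router rather than by the binding.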
The thing that amazes me is that Port 445 has apparently been left open. Switching over to my Firewall screen shows that I block a 445 scan every 10 seconds on average. It is not just one or two IP-Addresses which try it, each Source Address will try 3 times and then move on.
Two machines a minute are saying 'Hello' on 445, 95% of my scans are on that Port and it has been left open. Sheesh.
The other unblocked Port where I often saw scans is 135, but the frequency there has dropped almost to zero recently.
Mielipiteet omiani - Opinions personal, facts suspect.
Connecting to a USB piece of hardware screwed up (most of the time, not all, so it's not a security thing) on our main development tool at work. So we had to uninstall it (and the app works again now, thank goodness uninstall works).
ahh, I just found the whole DNS thing funny too. Yes you could use it for a MITM attack or something, but honestly, everyone would just reverse the install because they thought their internet was broken and there would be no such thing as wireless hotspots.
Forgot to mention that I believed that the problem with Windows has always been very poor internal security (sometimes it has taken Microsoft months at a time to fix even the smallest privilege elevation exploits), and it's always been my belief that the worm coders have just been too stupid to be capable of coding a decent worm based on already established connections.
I also never expected a worm based on port scanning to take over the planet, but rather believe ones based on sneaking in through established connections are the worst, and they are the hardest to stop because a firewall won't stop them. Melissa was a great example of one. One benefit is that these programs are the ones which stackguarding isn't enabled for by default, and in most cases don't even use buffer overflows.
I said that I thought this article didn't belong on OSnews, and I think it's quite unfortunate it ended up on the front page of Slashdot too.
Actually, Windows's DNS client was shown to be very insecure in the last Phrack release and probably various other places, so you don't even need to be in the middle to attack. Nevertheless, as you say, I don't expect Windows or any other OS to work fine without its DNS client. To disable the DNS client service, Microsoft would have to make it an on-demand library, per application, as it is on Linux. But they'll lose most of the DNS cache feature.
Remi Denis
But even then, most of his claims are just wrong. DNS and DHCP clients unnecessary to home users? Remote Access Connection manager should be disabled by default? Yeah, right, tell it to my modem and ISP. Here is a real world description for you, pal:
"Routing and Remote Access, disabled. About time." Well, it is disabled in SP1, and so is Telnet. WebClient: unnecessary. Maybe, if you don't need WebDAV folders integration into Explorer shell. Etc, etc...
But the second sentence of the article really got me: "We installed XP with the NTFS file system, choosing all of the factory defaults, then patched it with each recommended security update including SP-1 (required), before installing SP2." And I thought the point of installing SP2 is to avoid all pre-SP2 patches.
Way to go, please bring us more insightful articles like this.
[*] From this excellent site with *really* informative description of Windows services: http://www.theeldergeek.com/services_guide.htm
fucking wept.
(that's all I have to say about SP2)
This is not a linux site, it is news for nerds, although you may consider it pro-linux. Nerds use MS products too, so we need to know what is going on with everything from linux to XP to Mac to more obscure (dec, sgi / mips, etc).
Smear campaign against MS? You sound like you could be on the MS payroll, one of those "grassroots" marketing efforts they can fund with the stacks of cash they make selling you a $1 CD / software package for $300. I have never met a legitimate fan of MS products. People may be ok with MS, but few take it upon themselves to defend MS openly.
I installed SP2 on my Dell 4600 and now no contextual menus. Worked fine on another of my computers and at work.
I'll bite again, shall I? That report which Newham used was funded by Microsoft. Um...
I think there is a strong element as you describe, and that the slashdotters do themselves a disservice by over-stating their case.
With respect to the public good, however, there are problems with the RIAA, MPAA, M$ and the corporate model in general has flaws. It's fine to discuss that, but over-stating your case makes it very easy for your opponents to sideline you.
With more posts such as yours, ideally, slashdot could give more balanced coverage, including the good things M$ has achieved. It's fine to draw attention to anticompetitive M$ tactics and general anti-social behaviour. Let them spread their FUD, but if you FUD back, who do you think people are going to listen to?
We must always remember that M$ is a corporation, and thus is out to make a buck at all costs - that's the formula that corporations operate to. We can't expect M$ to change without a change in corporate culture, it just wouldn't make sense in the real world. So which problem are slashdotters bitching about? How evil company X makes $$$ by using shady practices {Y...}, with the effect of damaging Z? That happens everywhere! That doesn't make it okay, but you should at least realize that it's a cultural problem!
With regards to the RIAA/MPAA, it's hard to have any sympathy for them at all, particularly considering my wife and many friends are musicians and film-makers. I have already noticed the success of their media machine in making people believe their mantra.
In the quest to own everything conceivable, corporations have twisted IP laws so that they can own ideas. They own obscenely long copyrights on cultural bread and butter, such as the song "Happy Birthday" (bet that shareholder's happy). They have pushed patent laws so that they can patent living things, genes, discoveries, algorithms, ideas. This is wealth usurpation, pure and simple.
The prevailing group-think on slashdot, however, is that people feel that they should get something for free anyhow. After all, linux is free, and don't people make money off it anyway? There are, however, problems faced by IP owners. Those very same IP owners (powerful people) are using those problems to extend their wealth (by getting new rules passed, or getting customers to agree to restrictive conditions that they wouldn't have considered before).
The RIAA/MPAA is doing well in this game, and slashdotters don't even realize that they're being outmanoeuvred; sitting at home trolling about how evil they are only makes it easier for the RIAA/MPAA to push their agenda. Once mum and dad agree that DRM and similar are culturally necessary to protect the "artists" (well, the record label), then we'll all have DRMed computers... because the market will accept it.
I went to get some music photocopied a few days ago and couldn't. The copy shop had received threatening letters warning not to copy any music. It didn't matter that it was for personal use, or that the music was written in the era of Mozart, or that it was published in 1939. The store owner said I had to buy a new copy from the publisher, because otherwise I'd be stealing profit from the publisher.
The copy shop is the one who had profit stolen from them, and the owner didn't even get it! That's what we're up against people; misinformation turning into a cultural attitude that copying is inherently bad for the economy.
So long as people whine here, the RIAA/MPAA will have a free hand to continue their campaign, until they're a public institution. If only slashdotters saw RIAA/MPAA articles as a chance to discuss solutions to this problem. Perhaps someone clever will come up with some good ideas, and spread them to other slashdotters. If the ideas are good enough, someone will write to their heritage minister (or non-Canadian equivalent), or form a political action group, and _that_ is how you fight the copyright cartel.
Like all pain, suffering is a signal that something isn't right
Oh, that's right, you enjoy trolling the
Exactly - you and your astro-turfing parent (and siblings) have my permission to leave - w00f!
XP's handling of SpeedStep (and similar technologies) absolutely sucks.
It used to be that with Windows 2000, the user could use Intel's SpeedStep applet to exercise extreme control over the CPU's SpeedStep functionality. (Forcing full-speed, forcing minimum speed, etc.)
With XP, Microsoft rolled about half of the SpeedStep control applet into the OS, MINUS the user interface, so that if the SpeedStep control mechanism got stuck on an undesirable setting, the only way was to hack the registry. The old Intel applet can't be used any more, as it conflicts.
XP's suspend features also never worked for me. My Inspiron 8200 wouldn't come back out of suspend from Day 1. On Day 2 I nuked XP and installed Windows 2000, and have been extremely happy with my laptop ever since.
retrorocket.o not found, launch anyway?
>Firewall only filters incoming traffic, totally oblivious to outgoing. (2nd paragraph, last sentence)
Enable firewall. Start Apache, and I get a warning about the app opening a static listening port. Yes, it does not ask about every connection, which is a design decision based on usability. What percentage of users know what foo.exe is? For average users this kind of functionality is overkill. To say it does "nothing" for worms and trojans is being pretty disingenuous as a port must be accessible to be attacked.
>Popup blocking is WAAAAAYYYY too late
So they should just stop it? Wireless support in Linux is a PITA, should developers give up on that too? You are being illogical.
>Nope, broken. Strike three.
Whoever told you there wouldn't be driver issues after a major upgrade lied to you.
>Must we delineate MS's culpability for the glut of spyware in the first place?
If MS could foresee the spyware issue they would have killed it, as it's THEIR asses on the line. Spyware/viruses/worms are making their OS unusable and SP2 is really the service pack that is going to keep people from switching to Apple, assuming it works.
It seems that installing SP2 will make your system incompatible with a huge list of microsoft's software like MS Office, so we can think that it was just a bug, not as if compatibility were lost with OpenOffice or any Linux emulator for win. Post by: lobito151
Many, many broadband ISPs use DHCP to grant IP addresses. What's wrong with it being on? It'll be shut off or otherwise made inactive if you hardcode your IP.
DNS is sort of essential to the internet. Even if this is only a caching daemon, it's still valuable.
Wouldn't this make it possible for users to become administrator only when absolutely necessary, instead of all the time?
From the article it says,"The Security Center does little beyond warning users that the firewall is disabled, that automatic updating is disabled, or that antivirus software has not been installed."
There are people who don't even know what a firewall is, let alone what it does. It appears that Microsoft is trying to educate users on security from the non tech-savvy perspective. Once everyone has upgraded to XP SP2, the words,"firewall" and "antivirus" will be as common as words like,"Internet" and "email" to even the least pc literate person.
It's possible that Microsoft will be gradually increasing security measures and awareness as more people get used to the idea of having firewall and anti-virus software.
This could be a problem, though. If Microsoft places too much dependency on firewalls and antivirus software and not enough on more secure design, then Windows will continue to be insecure on the inside of the firewall.
for sp2a
I can't believe someone did mod "troll". If you don't trust him, find some comp, and put a fresh new Windows XP on it. Install ad-aware and scan. I did it one time, and soon I figured out that windows came with spyware slipstreamed!
"*ANY* PC", keep in mind, lil boy.
DHCP: (as mentioned above) Outside North America most people, even on broadband, don't have a static IP. In Australia it's available as an option, but you often have to pay extra. (They assume you want to host a server of some description) And what about people on dialup?
DNS: (as mentioned above) What's with all this huggy-feely friendly name crap, everybody should be typing in raw IP addresses! *roll eyes*
Remote Access Connection Manager: Required to make a dialup connection. Yeah, why just choke their connections downloading the thing, when you can disable them altogether and curb the spam problem!" Brilliant work at the Reg. ;)
SSDP Discovery Service & UPnP: Unfortunately, these are used for the remote control aspects of the XP implementation of Internet Connection Sharing. If they disabled these out of the box then people would lose this functionality. At least the firewall limits it to the local subnet by default.
NetBIOS helper: Required for backwards compatibility with Win9x machines, and file/print sharing is restricted (by the firewall again) to the local subnet.
He had some good points about permissions, but that kind of stuff should be no news to any of us.
Finally, his IE bitching is irrelevant. It's very easy to switch to Firefox, Mozilla or Opera. IE should be disabled with all security options set to max, so that programs which wrap IE aren't too vulnerable. If you want to go one step further you can set a fake proxy in IE's Connection options and make Windows Update an exception, so that you can still manually check it if required.