Last Words On Service Pack 2

thejoelpatrol writes "So did Slashdotters call this one? Windows XP SP2 seems not to be so secure after all. A Register reporter goes in depth to find out just how safe a fresh install is. He provides a list of which dangerous ports are left open and which services are left on by default. I guess now we know why Microsoft's security timetable is 10 years." Reader ack154 writes "ZDNet is reporting that many Dell Inspiron users are reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz. Dell claims no responsibility, claiming it is 'externally loaded software' and they don't support it. In the mean time there has been a fix posted on Dell's forums, which rolls back the processor driver." Finally, Marxist Hacker 42 writes "Amid complaints of too much XP Service Pack 2 coverage on ZD Net, David Berlind writes that Service Pack 2 deserved the scrutiny it got- and charges that it failed to live up to Gates' Trusted Computing Initiative." Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.

Performance decreases that exxxxtreme...

...deserve some extra 'X's.

Last Words?

Somehow, I doubt that these are the last words we'll see on the subject....

Re:Last Words?

[skeptikos]

Famous last words: "I'll install SP2!"

Re:Last Words?

[sharkey]

Sure they are. At least, until Taco dupes it tomorrow.

Re:Last Words?

[rd_syringe]

It's a total flamebait article. This sort of article would have gotten modded down if it was a comment. It's just an attempt to bog people down with anti-"M$" links. I could create an article with just as many positive SP2 ariticles--and believe me, the response to SP2 was very positive and not at all this phony letdown that Slashdot is trying to put out to its readers--but it would never get posted on the front page of Slashdot.

The entire summary is inflammatory. "Did Slashdotters call this one?" Well, gee, I'm so surprised that Slashdotters think SP2 is a failure. And then it even links to the widely criticized "Windows Secure In 10 Years, Says MS" article.

I am fully convinced there is a smear campaign going on against Microsoft that goes beyond merely being a pro-Linux site--as in, it is going beyond normal levels of criticism. I suspect it has to do with the fact that this website is corporate-owned, an entity of OSTG which is a company that makes money off of selling OSS and Linux products. The rate of anti-Microsoft articles has increased dramatically with the release of SP2, and headlines/article summaries are often wildly exaggerated or even completely false. If Microsoft owned a tech news site, and the articles it posted were inflammatory and exaggerated in the same way Slashdot's are, you know that Slashdot itself would be all over it with criticism! But Slashdot's misleading "news" is given a pass because a lot of people here have chosen this website as the haven for their frustrations with Microsoft. This place is the Ain't-It-Cool-News for IT nerds.

I'm sure many of you will disagree, and I respect that because I used to like Slashdot too back in the 90s when it was still a good place to find cool science and computer news, but since the corporate buyout, it has been a major source for three major things--anime news, anti-Microsoft news, and OSS project releases. In between those are scattered various articles intended to generate page hits by inciting emotions in the majority viewpoint of Slashdot--anti-capitalist, anti-corporate, left-leaning computer geeks (which makes it all the more amusing that Slashdot is actually corporate-owned, displays large banner ads, and sells subscriptions). That's why we get "More Automated DMCA Lies" articles--as if an automated system was an actual live being that could "lie" to you, when it's really just some automated system that made a mistake--and anti-RIAA, anti-SCO, and anti-copyright articles. We all know the formula for those articles.

Finally, it does not surprise me one bit that this article was posted by michael. Plenty of others have said enough about him. Even Jon Katz's articles were at least genuine in their subject matter. Michael's are almost always a cynical backslap against someone. Let's not forget his all-caps "ANTI-INTEL" troll in the 64-bit chip article, which would have been modded down had it been a normal comment and not an article on the front page.

If you disagree, reply and let me know why you do. But this whole obsessive-compulsive desire to bash and bash and bash Microsoft is just boring me to death. This is supposed to be a LINUX site, remember? Isn't there anything cool going on in OSS lately? I miss the old articles we used to get on Slashdot, and the fascinating discussions that used to take place (as opposed to the karma point games that go on now as everyone plays comedian and makes +5 Funny jokes that aren't funny). Do we really need yet ANOTHER SP2-bashing article?

Re:Last Words?

[Badanov]

You're kidding, right?

An operating system which dominates 90+ percent of computers, yet the writers can't criticize it without it being regarded as flamebait?

Get a grip. MS makes billions of dollars from their products, which happens to cause billions of dollars of damage worldwide. As long as their apparent disregard for security runs rampant over the internet, writers will be crawling up MS's ass to criticize it.

It deserves scrutiny

[ebsf1]

I don't get them moaning that there is too much scrutiny being given to this. It is going to affect 90% + of all the computers in the world.

Re:It deserves scrutiny

[Jugalator]

It is going to affect 90% + of all the computers in the world.

Yup, in one way or another.

At least it shows the MS Quality Assurance team don't use Dell. :-)

Re:It deserves scrutiny

[Mordaximus]

90%?? Your point is well taken, but unless XP SP2 also installs on 2000, ME, 98, 95 and under Wine, you've overestimated it's impact by a longshot.

Re:It deserves scrutiny

[Zaiff+Urgulbunger]

At least it shows the MS Quality Assurance team don't use Dell.

..or, indeed, Windows XP!

Re:It deserves scrutiny

[kfg]

. . .you've overestimated it's impact by a longshot.

That depends a good deal on what is meant by "affect."

KFG

Re:It deserves scrutiny

[Tony-A]

"Microsoft is the guiding force in security."

To paraphrase the Lousiana sherrif out of a Bond movie.
"In which direction?"

any time now...

[dirvish]

Well, just wait 'til Longhorn. It will be way better...in like 12 years, or maybe 14...

Re:any time now...

Laugh it up, but when will the HURD 1.0 be released?

Re:any time now...

[el-spectre]

They're still waiting for someone who wants to use it to be born...

Re:any time now...

[dncsky1530]

Just watching Generation 'e' on NBC and a senoir research from gartner expects people to be using windows XP well into 2010. I was surprises how he also offered no notable reason to upgrade to longhorn simply quoting the features that would also be available for XP. It seems that MS's new pitch may be just 'it's more secure' and for most people that's not worth the big bucks.

Re:any time now...

[Tony-A]

Well, just wait 'til Longhorn.

Meanwhile, back in the Short term.

Microsoft disclaims responsibility for OEM software and:
"Dell does not validate any externally loaded software and can therefore make no representations as to their effectiveness, stability, appropriateness, or safety. Any problems encountered with this kind of software should be addressed to the respective manufacturer."

It appears that the actual support that can be relied on is maybe a hair less than what you get from Fedora Core release candidates.

CPU Driver Problem?

[kevlar]

ZDNet is reporting that many Dell Inspiron users are reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz. Dell claims no responsibility, claiming it is 'externally loaded software' and they don't support it. In the mean time there has been a fix posted on Dell's forums, which rolls back the processor driver."

Aren't 99% of drivers 3rd party software? The only thing MS does is bundle them together, but I believe that AMD or Intel et al are the ones who actually WRITE the device drivers. And if the performance of a new driver sucks, I'd chock that up to being a shitty driver, versus a shitty Service Pack...

Re:CPU Driver Problem?

[braindead]

CPU driver? CPU driver? What on earth is a CPU driver?

I mean, a driver is something that tells your computer how to talk to some piece of hwardware - say a modem. It maps from a common API (say, the windows API) to the specific API of the device (say, use Int21 with ax=3 to hang up the phone).

Are you saying there's a windows API to the CPU? Something like HWND add(HWN ax, HWN bx) ?
That makes no sense at all.

Someone please explain this to me.

Re:CPU Driver Problem?

[dastrike]

My guess would be that it includes CPU model specific definitions for power management and other features that need to be activated in a certain way by the OS for them to function.

This could also explain that the processor clocks it down as certain power management features do that to the processor.

Re:CPU Driver Problem?

[Kenja]

A CPU driver in this case referes to a system driver that enables the OS to set the clock speed of the CPU for power saving modes.

Re:CPU Driver Problem?

[Kenja]

Granted this is from AMD but its the same stuff.

"AMD Athlon(tm) 64 Processor Driver for Windows XP, Version (exe) 1.1.0.14 - AMD Athlon(tm) 64 Processor Driver for Windows XP allows the system to automatically adjust the CPU speed, voltage and power combination that match the instantaneous user performance need. Download this Setup Installation program (EXE) to automatically update all the files necessary for installation. This package is recommended for users whom desire a graphical user interface for installation. This .EXE driver is a user friendly localized software installation of the driver designed for end-users."

This is followed by a link to a file called CPUDRIVER.EXE, so as strange as it sounds ,there are actual drivers for Windows XP to make use of advanced power features on CPUs.

Re:CPU Driver Problem?

[out_of_ideas]

Like, maybe SP2 makes the laptop think it should always be running at 300 mhz.

Now that's sure to slow down worm spreading. Very clever, don't ya think ?

Re:CPU Driver Problem?

[Compass+Man]

Actually, a "CPU Driver" would probably contain code to handle specialize features of certain CPU's. For example, in order to take full advantage of Hyperthreading, you would need different code to distribute threads between the two virtual processors. Likewise, there could be additional code to take advantage of extended instructions sets like MMX, SSE, 3DNow, etc. At the very least, it could contain information about which features are available in the CPU.

Why I didn't bother...

[gordgekko]

This is why I didn't bother. My XP Pro with SP1 is protected with a firewall, updated virus scanner and Spybot S&D's innoculator. Running Firefox and Thunderbird and anti-spam software doesn't hurt as well.

I might add that the free/OSS I have protecting my machine weighs in considerably less in terms of combined file size then does SP2.

Re:Why I didn't bother...

[Carnildo]

Why I didn't bother:

I'm dual-booting 98SE and Gentoo Linux. '98 predates all the security holes, and Linux doesn't have any worth mentioning.

Re:Why I didn't bother...

[Carnildo]

If 98SE has security holes, please tell me what they are.

Re:Why I didn't bother...

[halowolf]

My XP Pro is protected like yours as well. But I did do the upgrade and didn't suffer many negative effects. I had to turn off the firewall and a few unneeded services that were activated but all in all it wasn't a particularly traumatic experience.

The biggest problem I had was trying to actually get the update through Windows Update. I did set Windows Update to automatically download it (but not install) but that didn't work for 3 whole days after SP2 had been released. So I tried to use Windows Update manually but the Windows Update site was so busy that I was told that I couldn't download it and would have to try again later. That amused me no end for some reason. All in all Windows Update reported i needed 75 Mb of patches, instead downloaded 111 Mb of patches, turned on a crappy firewall and some services that were not worth running.

However I know what I'm doing when it comes to maintaining my Windows box. I have a Linux box too so don't bother telling me to go use Linux instead :)

Re:Why I didn't bother...

[Junior+J.+Junior+III]

Well, there's that bit where, at the login screen, if I don't have an account on the system, I can get root access by hitting Esc...

Re:Why I didn't bother...

[Flower]

Do it yourself.

That isn't feasible. The mass majority of users out there are not going to have the time to become security aware. The curve to getting there is too steep and requires devoting too much time. Somehow, systems out there will have to be redone to have a secure foundation and security measures, like patching, will require automation. This is as true for a corporate system as it is for a home system.

Re:Why I didn't bother...

[gordgekko]

I have to respectfully disagree. The average user can install two pieces of software that will protect them against the vast majority of online threats: a firewall and a virus scanner that updates automatically/scans email.

For an added bonus: Installing Firefox and Thunderbird.

That's it. You're done. The average user installs far more than two/four pieces of software and someone put together a CD of this stuff, all of which is free or OSS, with simple instructions you could teach anyone to harden their computer. Hell, I've taught people who know nothing about computers some basic security. Now they ask me reasonably intelligent questions about what they can do to further protect themselves.

Re:Why I didn't bother...

[gordgekko]

As our overlords in Redmond love to tell us, IE is a part of Windows. Therefore a hole in IE is a hole in Windows.

What about that software that uses IE APIs? Someone may not be running IE but they're still at risk because they are running software that is.

Re:Why I didn't bother...

[Curtman]

If 98SE has security holes, please tell me what they are.

To all moderators:
The correct moderation would be: +1 Funny

Re:Why I didn't bother...

[jwsd]

I would expect a technical site like this would have a more well-informed discussion. This article can be considered another FUD attack against Microsoft. By just listing a bunch of open ports the author thinks as unnecessary, the article declares SP2 unsafe. One of the biggest things in SP2 is to replace all executables serving any ports with code that can handle external malicious attacks robustly, buffer overrun attack etc. To declare SP2 unsafe, the author has to give at least a couple of examples that can crack the new enhanced binaries. But the author didn't have the proper knowledge and didn't do his homework either. He is just too eager to declare SP2 a failure so that other uninformed people can buy his conclusion at face value.

Re:Why I didn't bother...

[drinkypoo]

If you're not intelligent - you did say the average user, right? - you should also install some spyware cleaners to protect you from yourself. Actually, that's not just for people who aren't smart, even people who ARE smart occasionally get something nasty on their computer, especially the ones who don't know jack about computers to begin with - which is most of them. To most people the computer is a tool, not the wonderland that we love to play in. For most people, having to work on their computer is like being alone somewhere unfamiliar at night. If it's your turf you can figure out some way to exist in it; If you're trained in surviving in that kind of place you can generally do okay barring extreme circumstances; but otherwise it can be fucking scary. Don't forget that to most of these people having to use a computer without help is like making the river run in Deliverance and the nerd up the street who can help them is the guy on the porch with the banjo.

Re:Why I didn't bother...

[drinkypoo]

Actually, that's not an accurate representation of the situation. The real problem with Win98 is that it has no system-level security. It only has network-level security (including, mind you, PPTP VPNs.) Thus no matter who you log in as, you are root. There are two purposes for the two windows logons. The basic "Windows Logon" has the purpose of setting your name for basic programs which care. The Windows Networking Logon also sets your user context and after validating your password, will use it for network services.

So basically:

[Sheetrock]

SP2 doesn't patch every possible security flaw for now and forever?

Because I wasn't expecting that it would, but apparently somebody is. Unrealistic expectations also lead to insecure implementation.

Re:So basically:

[dirvish]

Every currently known security flaw would be a good start. Eh?

Re:So basically:

[wobblie]

RTFA. The main gripe is that it doesn't follow braindead simple best security practices (e.g., not leaving services listening on the public net) , not that it doesn't fix all the holes.

Many of microsofts security problems could be fixed by just following best practices, and the built in firewall doesn't do shit.

Re:So basically:

[GigsVT]

MS really is in a bind here.

If they were to close off all those ports, they would risk all the clueless sysadmins screaming on MS forums that SP2 breaks everything, even basic windows sharing facilities.

I think the main point here is that MS has tried to appeal to people by saying that it's easy to be a sysadmin, that anyone can set up a network and run it. Real sysadmins all over the place freaked out, with good reason. They were accused of being set in their ways, etc, etc.

Now all those things that the skillful have said would happen, have happened. Rampant security problems, etc.

Re:So basically:

[SlashdotLemming]

I think the main point here is that MS has tried to appeal to people by saying that it's easy to be a sysadmin, that anyone can set up a network and run it.

Ahh, but it is easy to be a sysadmin and setup a network in the Windows world. Good network? probably not. Secure network? probably not. However, it's going to be good enough for people to get their work done.
I once saw a small company with a terrible network. The configuration was an abomination and security was lax. Everyone in the company drove an SUV or luxury sedan (Mercedes, etc...)

If the bonehead sysasdmin somehow sticks up a firewall and figures out that spyware is bad, then that is golden. Sure they could get hacked and have sensitive data stolen and go into financial ruins, but probably not. They can get robbed or have their building burn down too, but probably not.

Microsoft is good enough. Perfect? Far from it, but good enough. That's why they're the king.

Re:So basically:

[mythosaz]

Ports 135-139 are turned off by default on NON-DOMAIN installs for XP2 at the firewall.

Ports 135-139 are enabled by defailt when joining a domain.

Windows Firewall is managable by DOMAIN POLICY.

Complaining that they're enabled by default is moronic.

Re:So basically:

[eV_x]

"the built in firewall doesn't do shit"

If Microsoft had delievered a completely robust, all encompassing firewall product bundled in SP2, would you then gripe and bitch that was unfair and anticompetitive?

Damned if you do, damned if you don't. It's not strong enough or you're being unfair and bundling.

Whatever, either way, saying "doesn't do shit" is pure BS - it DOES do "shit", it just doesn't do everything YOU want it to do (or what you read that others want it to do).

I don't get it

[WD_40]

I don't get why Microsoft insists on leaving so many services enabled by default. So many of them the average home user will not need, and like the reporter from The Reg said, if a sys admin needs those services, it will be trivial for him to enable them.

Re:I don't get it

[Marxist+Hacker+42]

To some extent the Reg Reporter was just FUDing- if you truly turned off everything that article said to turn off, you'd lose a lot of functionality.

Having said that- I was surprised by his port scan of a SP2 machine, since my own tests at ODOT showed NetBios inaccessible after SP2 install, killing the ability for SMS to see the machine (one of the reasons that I'm NOT allowed to do testing on the real network for SP2).

Re:I don't get it

[Marxist+Hacker+42]

That was the other bit- RPC and DCOM are ON after an SP2 install, because if you actually read the documents from Microsoft, under SP2 there's a whole new accessibility layer built into the DCOM Server that checks the registry to see if this COM component can really be activated by a remote procedure call- and the default setting is "Yes, but authentication required, no anonymous connections." I know this because we've got a lot of DCOM here, and for EACH component we're going to need a separate group policy setting in Active Directory to get it all to run right.

Re:I don't get it

[Cthefuture]

I agree. I don't think he knows what he is talking about. He said services are "listening" and that may be true but the firewall is blocking everything by default.

Today I built a fresh XP machine with SP2. I just scanned that machine with nmap and it showed absolutely nothing open except the VNC port that I specifically configured. The machine doesn't even return pings. I'd say that's a pretty tight default setup.

Re:I don't get it

[AcornWeb]

Yeah, he wants the DHCP service off. Oh wait, what if someone gets a DSL modem and doesn't have a clue about how to set a static address? Guess they have problems/

DNS client service, isn't that for making DNS lookups work? Anyone know?

The WebClient service is used in the .NET framework if you want to get to any website using your .NET app.

The author also wants the firewall to bother the user everytime anything goes in or out. Sorry, you can't do that to users who doesn't understand what those apps are. I just fixed a computer that had had the DHCP client denied access to the DHCP server because the guy who was clicking the buttons didn't know what the app was (and he shouldn't have to!).

First, anyone with physical access to the machine can reconfigure it and possibly destroy important files, whether intentionally or accidentally.

Um, can't anyone with physical access just use a magnet intentionally? I mean granted, I don't think it is a good idea to run as root on Unix, but still! I'm not for having users be Administrator on Windows (and especially against the Administrator having a blank password when you boot up in safe mode), but this guy is making up complaints against Microsoft.

JavaScript is enabled. (We would leave it disabled.)

Uh huh, and have tons of websites break (including GMail and other popular webmail sites).

Conclusion
I'm not a M$ fan by any stretch of the imagination (I use a Mac and highly recommend that other people get one when they ask me), but this isn't an article, just complaining that Microsoft doesn't turn off everything that makes their operating system semi-user friendly.

Good grief, what a bunch of FUD.

Whoa!

[Jugalator]

These news sure struck like lightning from a clear sky!

*phew*

I think I must sit down to recover from the shock.

Oh boy an article from the Register!

Now all I need to do is go down to the grocery store and buy my copy of the Inquiror and I'm all set for news.

Tell me again why people other than rabid Microsoft haters read that garbage?

Of course SP2 isn't completely secure...neither is *gasp* Linux *gasp*. Nothing plugged into the Internet ever will be.

Re:Oh boy an article from the Register!

[rokzy]

I hate the parent kind of comment, but it invariably gets modded insightful.

Just because A is insecure and B is insecure does not mean A and B are equal in terms of security.

*gasp* *gasp* *gasp*

From an Inspiron 9100 owner...

[SoCalChris]

I haven't had ANY decrease in performance. I have had a lot more stability with wireless networking now though.

Easy Windows

[jals]

You Could say that if you disable and enable everything mentioned there, configure your machine so it is secure, you should be OK. But the problem with that is Windows is meant to be the option for the user who doesn't want to be dealing with configuration and settings to get their computer working.

not to be a jerk, but...

[Trailer+Trash]

David Berlind writes that Service Pack 2 deserved the scrutiny it got- and charges that it failed to live up to Gates' Trusted Computing Initiative.

Okay, Mr. Berlind, did you actually fall for that and now you're surprised?

Spyware infestation

[ogewo]

If for some reason you DID load SP2 on a spyware infested computer and it is no longer booting just boot with the "Last known good configuration" option in the F8 boot menu. Uninstall SP2 (you may have to use XP system restore before doing this), remove spyware, reinstall SP2.

Firewall is on by default

[sparks]

Yes, perhaps there are things that could have been done better in SP2, but the simple act of filtering inbound connections is a massive step forward in security for Windows users.

I say it's a "massive step forward" because there are literally MILLIONS of windows machines which are never updated, don't run any firewall software, and which are directly connected to broadband ISPs. The people running these boxes truthfully don't know what they're doing in these matters.

Right now, those poeple have NOTHING. Now at least they will have something, albeit limited. This is a major improvement. Even the old XP internet connection firewall, if it had only been enabled by default, would have prevented Blaster from ever happening.

Of course there are some questionable exceptions in the new firewall default configuration, and no doubt the next generation of worms will take advantage of those - but at least the bar has been raised a little higher.

Re:Firewall is on by default

[Psiren]

I say it's a "massive step forward" because there are literally MILLIONS of windows machines which are never updated, don't run any firewall software, and which are directly connected to broadband ISPs. The people running these boxes truthfully don't know what they're doing in these matters.

So if these machines are not updated, and the owners don't know what they're doing, what makes you think they'll install SP2?

Re:Firewall is on by default

[sparks]

Oh, they won't, no doubt about that.

But I'm anticipating SP2 making it onto new PCs at some point soon.

Spy ware and SP1

[Solidblu]

"Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea."

One word. DUH. If you even install sP1 on a spyware infested computer it can render it unbootable. I've run into atleast 10 machines this week that have had this same problem. I work at a university which is forcing students to install service pack 1. there are a lot of machines that can't even take the service pack because of the spyware the installs just hang or destroy the install on the computer. I feel bad for the students because they have to either format or pay to get thier comptuer fixed. It not thier fault or the universities fault. who would have thought forcing college students to update thier microsoft patches would be a bad idea.

Re:Spy ware and SP1

[evilviper]

It not thier fault or the universities fault.

Perhaps not the first time you notice the problem, but after that, it's the university's fault. It's very easy to tell people to install and run adaware before installing the update...

all in the spirit....and its manifestation...

[3seas]

.... The MS mindset of making people need them has resulted in a widely integrated manifestation of the user frustration function in their software.

Its this same manifestation of the application of doing things in software to "make people need them" that is causing all the security problems.

This security problem is not fixable by this mindset that cause it.

Its like an alcoholic or drug abuser, their mind is geard towards supporting the continuation of its vise. What I call a "self supporting dependancy". And under such conditions, as those who have admitted it and sough help, you have to have external help in order to be lead out of the blindness of the self supporting mindset.

Whos helping MS??? If anyone can?

ZDNet, huh...

[Chris+Mattern]

> [Performance] decreases as much as from 2.6ghz down to 300mhz.

I'm not going to place any faith in benchmarks generated by someone who thinks performance is measured in clock speed.

Chris Mattern

Re:ZDNet, huh...

[Jimmy_B]

...except that in this case, the problem was a broken driver for CPU power-saving which, literally, reduced the CPU's clock speed from 2.6ghz to 300mhz. So in this particular case, it's a valid measurement.

Classic, just classic.

[A_Non_Moose]

FTA,
We look to ZDNet as a beacon of light in IT journalism.

(pauses)

BWAAAHAHAHAHAHAHA!

All I can say to this person, is 'look out for the oncoming train...prolly complete with windows logo and named "longhorn".'

IT journalism, brought to you from the same folks of Military Intelligence.

Hrmm...

[Zygote-IC-]

Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.

So basically, you don't want to install it on any computer running a Microsoft operating system that has been using a Microsoft browser or a Microsoft e-mail client.

Huh..I think I'm starting to see a pattern.

Seems like an odd coincidence

[LiquidMind]

"reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz"

From the MS website regarding minimum requirements for running Windows XP:

PC with 300 megahertz or higher processor clock speed recommended (source)

which seems to be just enough to keep the system running. Coincidence? I think not....

Re:News for Nerds but not for Slashdot Nerds (Part

[Adam9]

Do you actually believe an article that has:
"Microsofties say they were more worried about Linux a few years ago, when it was a truly free program, spreading on its own, from user to user, like a virus."

The author insists on comparing Linux support costs to Windows product costs:

"If the Linux camp simply manages to create an operating system that does roughly what Windows does for roughly the same price, what will be the point?"

The author says the difference between support and the product is "semantics":

"... Red Hat ... charges $799 to $2,499 for each server running Linux. That's not for the software, mind you, but for "maintenance." Semantics aside, you're paying for Linux."

The author also drank some of the SCO Koolaid:
"You might need to buy insurance to protect you against lawsuits over intellectual property rights. (One outfit hawks such policies for $150,000 year.)"

Some other excerpts:
" IBM and Novell are pumping millions of dollars and mountains of brainpower into development of a commodity operating system--they are re-inventing the wheel."

Actually, I could just quote the entire article. I hope Daniel Lyons (author) got paid for his time in writing this press release for Microsoft.

Stop bitching

[maelstrom]

Microsoft at least got some things right in SP2. Personally I usually run Linux. If you don't like it stop fucking whining and install Linux.

Interesting...

[pc486]

"DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default."

Now, I'm no fan of Microsoft (Windows free for over 5 years now), but this is insane. Evey home user I have ever helped needs a DHCP client so that their computer can get an IP off the university LAN or off their brand-spankin'-new broadband router. To disable the DHCP client means to turn off the interweb for the majority of users. Greene went a little over the top it seems.

Re:Interesting...

[eV_x]

Agreed.

Suggesting that we turn off DHCP with a comment like "Unnecessary on most home machines" shows that someone is not in touch with the rest of the world.

Maybe in L33Td0M you only run static IPs so you can connect by typing in l33T IP addresses instead of machine names, but the rest of the world doesn't know an IP address to save them.

Comments like that show you have no clue, because the world is not full of command prompt users.

Re:Interesting...

[EMR]

And he also goes as far as saying you need to disable the DNS Client.. If you disable that you aren't getting any where on the 'net unless you go by IP address. Sounds like he's talking about an XP computer that is unplugged from the network.. and if that is so, there's no need for any networking services, and no worry about security issues except for viruses from floppies.. but who uses those anymore.

Re:Interesting...

[value_added]

Someone can correct me if I'm wrong, but I believe that unless you're participating in an AD domain, you can indeed disable the DNS client service and still be able to resolve names. You'll lose caching of course, so name resolution will be a bit slower.

These Laws Need Names

[slipnslidemaster]

Please don't mod troll or funny. I'm serious.

I think it's about time that we come up with as a community name for this law:

All the Odd Star Trek movies and Odd Microsoft service packs suck.

In all seriousness, it's service pack TWO!! I didn't load it just because of that and I'm dead serious. One of the guys decided to load it and sure enough, he's reloading his system from scratch. It will take the release of service pack 3 before I consider moving from SP1 and the current crop of hotfixes.

Didn't anyone learn anything from the NT service pack 2 debacle? How about NT service pack 4?? Now I know you are going to say service pack 6a but we all know this is the first time Microsoft uses an "a" and it should have been SP7.

2.6ghz down to 300mhz

[upsidedown_duck]

Security by obesity.

Re:Correction

[Volmarias]

Because it's trying to start a holy war for a few cheap laughs. "WINDOZE SUX!!11LOLOLOLRLR!WTF" Can we collectively get over that now?

What crap

[rabtech]

The writer of the article is full of it and obviously knows nothing about Windows.

He claims that WebClient, DCOM, TCP/IP NetBIOS Helper, Secondary Logon, Remote Desktop Help Session Manager, Remote Access Connection Manager, DNS Client are all on or set to manual and should be disabled. Thanks, but I'd like to be able to use WebDAV, COM/DCOM, share files with a roommate/family member, use remote desktop from work, VPN into work in the first place, and resolve DNS hostnames thanks.

I might also add that he rails on Microsoft not taking advantage of multiuser capability properly then recommends that Secondary Logon be disabled for home users! Without it, Windows can't popup when you try to install a program or run Control Panel and ask for an admin password to proceed... which makes using a non-admin account a pain in the ass.

He also whines about these network drivers being installed:
Client for Microsoft Networks, File and Print Sharing, and the QoS Packet Scheduler

But perhaps he assumes everyone has one and only one PC in their home and has no wish to share files between them (yeah right). Oh, and you'd like to take advantage of QoS for VOIP or bandwidth throttling? Forget it if the driver isn't available.

With "genius" insights like these I certainly wouldn't trust this yahoo to install a toaster oven, let alone an operating system.

I can't believe this got published

[JebusIsLord]

Among this guy's rediculous suggestions, he says users at home have no need for DNS and DHCP client services to be running. How in holy hell are people supposed to get on the net??

I can't believe they published this bullshit.

Register article has a lot of FUD in it

[StonyUK]

While The Register claims it has done an indepth evaluation, they didn't actually test to see if the firewall was blocking non-local subnet access to all the ports used by the services they were complaining about.

If they had, then they would have realised that this is nowhere near the big terrible gaping hole that they are making it out to be.

They also claim that activating a DHCP client is unneeded by most home users. That might have been true 5 years ago, but these days anybody with any kind of home network even if it is just a simple cable or DSL modem will typically need DHCP running. I mean good grief, come on! Even so, I know full well that while you are installing XP it asks you if you want to have your IP settings automatically configured and then DHCP gets turned on.

As for all their complaints about the Zones in IE, speaking as someone who has had to deploy extranet applications to part time casual workers who use their own home PCs to access it, the ability to have a trusted and a non-trusted set of security policies is a blessing.

All in all, I think this article has been poorly researched and written by people who fail to appreciate the bigger picture of what home users may need to do.

12 years? 14?

[Eric_Cartman_South_P]

Well, just wait 'til Longhorn. It will be way better...in like 12 years, or maybe 14...

YOU'RE A TROLL! Longhorn will be out next year.

http://www.apple.com/macosx/tiger/

Oh, you meant Microsoft's version. Yeah, 12 or 14 is about right.

Items worth noting

[elegie]

1. It is likely that many users will be very inexperienced. Making things slightly more difficult for advanced users (i.e. having administrators explicitly enable services) could be better than relying on the expertise of users (i.e. they have to explicitly disable a number of unwanted services.) Perhaps an update could have different install options for users with different levels of expertise.
   
   
2. It is possible to give a false sense of security if the security effects are very blatant while at the same time they mean little. Users might do something careless. Imagine a user who constantly gets alerts about "suspicious activity" on their system and decides to ignore them out of irritation...
   

Slowed Down?

[Jon.Laslow]

I'm currently running on a Toshiba Tecra 8100 (500Mhz, 192MB RAM), and after slipstreaming SP2 on to my Windows CD and doing a clean install it's running faster than ever. On SP1 I had to turn off all of the visual options (drop shadows, ClearType, Themes, etc...) or the thing would run at a crawl. Now I can have everything on and use custom themes without any slowdown.

Re:Slowed Down?

Thanks Bill.

Re:Slowed Down?

I don't see how SP2 could be faster. Microsoft added new bloat compared to SP1. Two new kernel drivers that I can tell, fltmgr.sys and http.sys. Both of those stay in memory. There were also new/existing services enabled, like Windows Security Center, Network Provisioning Service, Application Layer Gateway, Dcom server, Network Provisioning Service, among others. I'm still investigating hidden features that were stolen by Gates and his gang. Here's two: command line ftp no longer has a pipe feature. Before you could type

dir . |more

for long directory output. Or you could type

get filename |more

to read text files. Now its gone. Also about:mozilla no longer works in IE.

Re:Slowed Down?

Thanks Linus.

Re:Slowed Down?

[mike_sucks]

So, the clean install that flushed all of the worms, viruses and sypyware really helped, hey?

And now that you have SP2 installed, it will take longer than evar!11! to get bogged down again.

Yay111!1

Re:Slowed Down?

[Long-EZ]

I don't see how SP2 could be faster. Microsoft added new bloat compared to SP1.

I think the reason it was faster after SP2 might be...

...and doing a clean install

Windoze gets a bad case of registry rot from installing and uninstalling software, and all that spyware in there slows things down a lot, too.

Obvious solution... I gotta see a man about a penguin.

SP2 is actually more funny than secure...

[kosmosik]

I'll repost something I've written today:
#v+
well SP2 is IMHO funny they really haven't added anything useful to it

1] popup blocker - but hey I've got popup blocker in MSIE for like one yer thanks to - http://toolbar.google.com/ - and it comes with google search feture which is uber-cool. I install it on every XP client I touch so OK - popup blocker. how innovative...

2] hardened MSIE - well it is a myth. it is still the same MSIE, nothng changed beneath. still to deeply integrated in system, still with unsecure features like ActiveX - it is just they are turned off by defaut so first thing you will do is reebable thise features since without them nothing works. nice patch... really.

3] NX technology - well it is something but right now it makes no difference as it requires modern hardware and only few chips support that. and I'am (and I'am not alone here) probably not going to change (meaning networks I administer) hardware till it dies... so few more years to go without NX... and also to mention Linux has similar options (executable stack protection) for ages - aviable as patches f.e. PaX. (for kernel) and also few options (like pro-police-gcc) to glibc... and if you need you can recompile everything against those features as it is Open Source... again MS - innovative... really

4] new firewall - well good to see it but it has it's flaws. like it runs in user space, it is worse than other offerings. but still - this is feature I find nice.

what other things left? lets see...

5] new Windows Update - new but it sucks ass like ever. why can't make a decent patching service. it only requires a server and decent GUI for client. I mean jesus I can make such thing myself, just give me specs and some time and I could make it. options I would include:
* decent GUI for configuration with Active Direvtory support tu push configuration to domain
* setup proxy server for updates (f.e. local proxy server to limit bandwith use)
* free local proxy server software for updates. it even could be only on Windows. to have one machine cacheing updates in LAN - jesus it's being done in Linux so easly, I can set up my own updates proxy with Linux in like 3 minutes...
* option to choose which connection can be used for automatic downloads (f.e. I wouldn't like my system to pull updates when I am connected via GPRS mobile modem, but I wouldn't mind when it does when I am on corporate LAN)
* some better handling of applying those patches. maybe just downloading them and waiting (I mean waiting not bothering me to reboot manually) for next boot to apply patches while booting (no files locked)...

what else left "new"... oh the funniest thing! new Security Center applet in Control Panel - a place where you can se that you are "secured" (not to mention that you still can be 0wned) - weeeeeeelll in one thing Micro$oft is brilliant - marketing: people wan't secure Windows, tell them they are secure, show them nice icons telling them that they are secure - people can actually belive it that is in some way brilliant isn't it? too bad it does not work better security for me (and you)...

and also this hype with Longhorn delays due to shifting literally everybody to develop SP2 - what they actually developed? few icons? changed default settings? this requires whole resources of multibilion software gigant? that is pathetic for me... Fedora community alone (backed by Red Hat but still it is different scale than M$) can do amazing things like incorporating advanced MAC security with SELinux in months, and software giant can't make a basic security level with all theirs resources (oh and they do leave things unpatched, or issue things like disable login from URL as a patch, oh and update breaks like every 1 of 10 setups)? and still they say open source model is not superior? mehehehahhwhw... :P~ - this means only good things for Linux, bad things for Micro$oft and sadly bad things for me (us) as we live in a M$ world - consider getting even more probes

Re:SP2 is actually more funny than secure...

[kosmosik]

Well it is not here obviously. Read my posting again then... As for SUS of course it is but it is not free it requires Windows Server... And really this are just details. What with MSIE? It is still buggy like hell and SP2 does not change it... What about services and so on? Windows still leaves to many ports open... What about privilege separation? Windows still encourages users to work on Administrator account and does nothing to prevent such behavior. Add up unsecure MSIE and working on Administrator account and you have same security level as without SP2 -what has changed? Tell me please. As for privilego separation I remember that some applications (even certified as XP compatible) won't run nonadministrative account... See this is exactly opposite to Linux. In Linux some applications won't run from root account. :-)

Re:SP2 is actually more funny than secure...

[Martix]

And they forgot it loads Window Media player 9
as well wonder if it has this line in the EULA as they did for the latest update.

"Digital Rights Management (Security). You agree that in order to protect the integrity of content and software protected by digital rights management ("Secure Content"), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update. "

Thats one of the resons i never udated from Media 7

What place does Window Media 9 play in the operating system to me its just not part of a OS so it should not be there. plus the DRM sucks as well.
what you can do today, you may not tommrow.

They have no rights to do this and you hand over root access to your system for agreeing with the EULA agreement.

My 2 cents worth

I just don't get it...

[eV_x]

So let me get this straight.

Many Slashdotters spends a good portion bashing Microsoft for security. What does Microsoft do? Take a good period of time to try to turn things around and release a secure product (SP2).

Now a few people are saying security problems may still exist or that a few isolated people have had bad experiences with SP2 and people here bash SP2 as a failure?

ARE YOU KIDDING ME? What planet are you guys from? Of course it's not PERFECT you idiots - no OS and application is, no matter how secure you design from the start or whatever overused bullshit line of rhetoric you want to use. mistakes will always be there and improvements will need to be made as the product grows.

Saying slashdotters called it just shows that very few here WANT Microsoft to be secure because then it would take away your favorite hobby of nonsensically bashing an alternative to your OS of choice. You can't ignore the fact that SP2 did make MASSIVE improvements for many millions of people to make them more security aware and that is not a bad thing, even if it is a start.

Sometimes I feel when I read this crap that most people want Windows to remain insecure only for their own selfish reasons and forget there are people on the other end of those machines. Why not praise Microsoft for at least making a step in the right direction? It's this attitude that doesn't help things one bit and only comes off as childish.

And BTW, the Register article had nothing really incriminating against SP2 other than they disagreed with some of the services and firewall features. Yes the WMI hole is there but it requires more than just sitting the box on the internet. Yet many dotheads will assume this means that SP2 is just sitting open like Windows XP was straight out of the box.

Here's a fact:
Put a Windows XP box on the internet and it will get infected with spyware and other crap.

Put an XPSP2 box on the internet and at least you're protected from that crap. Hell people, that's a MAJOR step!

Anyhow, the Register is hardly a worthy news source for unbiased reporting. And the ZDNet guy even said "While this is not a complete list of what makes SP2 worthwhile, SP2 is worthwhile for the majority of Windows XP users". But again, let's be honest here - he's just a guy writing an opinion column, more heart than fact.

Re:I just don't get it...

[aws4y]

The article explains that whil SP2 is a step in the right direction it still does not implement the simplest in security steps. Like disabling NetBIOS connections. Also the woefull practice of relying on the RPC damon for interproces communication. SP2 provides some minor userland utilities that most users don't understand and probly wont know how to use without adressing the underlying problem, winodws is not insecure by programming, its insecure by default.

I think that most of us "in the know" will find that the step was not major, a major step would be to provide a locked down network configuration for XP and not rely on the user turning off services. Rely on the user to enable the services he or she needs, and force all users to run under unprivliged accounts. You are right that *nix is not more secure, its just more secure by default.

Opinion Represented as Fact with a \. Slant...

[mythosaz]

This is normal. This is another in a long line of articles that does little more than say:

L0LZ@Micro$0ft!111!!11oneeleven1!! because your firewall choices and services defaults aren't what I would have picked.

There's still service bloat in XP. There's little doubt about that, but suggesting that you turn off DHCP when 51% of us use broadband? I mean, DHCP only has an effect for people that actually, you know - HAVE A FRICKIN NETWORK CABLE PLUGGED INTO THEM! Can we make an assumption that a pretty fair percentage of people who have network cables plugged into their computer use DHCP? Good lord almighty.

Also, he complains because the service type on most services is set to... ...get this... ...MANUAL. Manual is another word for "not on unless I need it," which is a nice long way of saying "OFF" -- you damned chowderheads.

Sure, XPSP2 isn't perfect, but articles like this, these "If I had made it, I'd have made it stupid!" articles - they're just drivel.

Ok, so...

[jd]

The fix is broken on computers that have already been compromised. Which is probably a fair number of them. This bothers me.

Think about it, for a moment. The firewall is blocking internally-generated connections. Which is fair enough. (Though silently dropping would likely have been safer.) However, to lock the machine up, the TCP stack has got to be taking the error as cause to retransmit the packet.

Why am I so certain that this is what's happening? Because Windows has had some degree of preemption for a while. It's not great, but it works. Sort-of. Lock-ups should be next to impossible on a totally pre-emptive OS, as the locked-up program would simply be interrupted. It'd slow the machine down, slightly, but it wouldn't be fatal.

What we're getting here, though, looks like something fouling up big-time in a non-blockable part of Windows. Odds are pretty good that it's the network code. My suspicion is that the TCP stack and firewall are in an unbreakable infinite loop, with the error generated by the firewall causing the TCP code to resend the packet, ad infinitum.

A lot of people have argued that Microsoft isn't to blame for other people's crappy code. Which is fair enough. But they are very much to blame for their own crappy code. If you're going to have non-blockable code (a VERY bad idea!) then you've got to be damn sure that there are no scenarios in which that code will put itself into a spin-dry cycle.

It seems as though Microsoft merely added firewall code, with absolutely no thought as to the possible impact it could have on the rest of Windows.

Further, if my suspicion is correct (and I'm pretty confident it is), then it should be possible to crash any Windows box remotely. Simply generate a packet that Windows cannot reply to. By forcing the TCP stack and the firewall to fight it out, you'd paralyze the machine.

The correct way to handle this kind of situation is to recognise when a connection is administratively prohibited or impossible, and to not keep retrying. You'd then escape out of the non-blockable code, and pre-emption would allow you to continue as normal.

If you want slightly "smarter" behaviour, then if a process repeatedly keeps retrying a connection or activity that is prohibited, every time it gets woken back up, it should drop in priority, be slept a reasonably long time (in the hope the problem can be cleared by then) or get kicked off the system. ("Three strikes and you're out." logic.)

It should absolutely not be possible for any user process, no matter how badly written, to create a situation in which an uninterruptable infinite loop can develop. Either there needs to be some mechanism to interrupt any loop that might be infinite, OR there needs to be a mechanism for recognising when a loop is running unacceptably long.

It's no use Microsoft whining that customers should clean their computers first. That would be like McAffee arguing that you should clean your computer of viruses before running their software. And how are you supposed to do that, if you've no software installed for detecting and/or cleaning the damn things in the first place?

The only way you can know (for certain) that there's nothing trying to access an unauthorised port is by blocking the ports and seeing what happens when you try to use the computer as normal. And the only way you can then do anything about it is if the computer can cope with that situation in a controlled manner.

Re:Last words on SP2?

[xmas2003]

At the risk of sounding like a Windoze shill, I did see one inaccuracy in the Register article in that there is some egress filtering - this popped up on my first FTP connection (from DOS), my first VPN session, and for Google Compute, it asked about "phoning home" to the Folding@HOME project.

I otherwise agree with most that was written - I totally agree that "less is more" when it comes to security (although there often ends up being hooks for stuff like RPC all over the place) and I couldn't believe it when I saw "Remote Assistance" enabled on my computer by default when I loaded it - WTF!

Reverse FUD

[Nintendork]

Not to mention that the author completely overlooked the default configuration of the open ports. A lot of them are only open to the local subnet, which for 99.9% of the people is a home or small business LAN. Anything coming in from beyond the router is dropped. Smart move. A LOT of people would have been pissed off if their home file sharing stopped working after installing SP2 and they would have just disabled the firewall. In a corporate environment, administrators can lock down all the clients froma central point using group policy. The default configuration combined with powerful administration tools is probably the most secure way they could have done it.

-Lucas

Re:WinXP happiness

[dzarn]

That's not SP2. RDC is off by default in XP, when you turn it on, the firewall opens its port (3389). Just because your admins can't use Group Policy to turn off RDC across the domain doesn't mean SP2 inherently sucks.


his account was magically created on my system and the default policy was to allow him the access to modify all the files on MY HD

DUH. That's the whole purpose of a domain - he logs on with an AD UN, he gets the same permissions on whatever machine. Again, your admins should be using permissions to provide you with protected storage on a central server, NOT on your machine. If you want stuff stored on your machine, safely, then setup your own damn permissions.

Fellow inspiron owner

[gad_zuki!]

My inspiron is acting fine too. A little snappier too.

>So did Slashdotters call this one?

No. They really didn't. Of course SP2 was going to cause *some* problems, but poo-pooing everything MS in a knee-jerk fashion doesn't help anyone and probably is keeping people from installing it, which is a real shame because:

1. Firewall on by default. Power users can easily shut it off. How many Slashdot posts do we have that wish MS did this, but when they do suddenly MS is doing wrong. Yes an admin can shut it off even with an activeX control. Such is the life of running as admin.

2. Nag screens for anti-virus and updates. Much needed.

3. Better wireless interface. The old one wasn't so hot and this is a welcome upgrade.

4. "Drive by installs" are not going to be as common as IE requires an extra step to install/download stuff and blocks pop-ups natively and by default. Man, how many slashdoot posts did we have about "MS should do something about pop-ups and click installs!" Well, they did. Sure, they didnt remove activeX altogether, but no one was expecting that.

5. NX support for AMD 64. Wow.

> Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.

No shit. Installing ANYTHING on a spyware infested PC will cause all sorts of problems. Fighting spyware is what SP2 is trying to do. Give it time or at least introduce your friends and co-workers to a little thing called Ad Aware, especially if they'll never switch to FireFox. Face it, many people will never switch and will go to their deathbeds using bundled software.

>So did Slashdotters call this one?

Granted, if you take the negative approach to life 24/7 you will be right every so often or at least subjectively, but I feel these are much needed changes and will help technophobes better use their machines. MS can do things right. Yeah, break out the smelling salts...

Re:All I see is Security Center

[Deathlizard]

there was a ton of changes done all across the board and under the hood, but most of the ones you see are to prevent social problems.

Microsoft as well as Apple and other companies understand more about the average computer user than most other software companies, especially when it comes to these particular rules:

1) 99% of computer users do not know what they are doing
2) People do not read unless they absoletly have to.
3) You must create all user interfaces under the presence of monkey. In other words, if you cant train a monkey to use it then your wasting your time.

The Security center for example, covers all three of these, it basically forces you to read it by prompting non stop, it's easy enough to train a monkey against and even a moron can understand that a big red blinking X covered shield means bad.

Sp2 also brings these concepts to the activeX realm. Spyware becomes almost impossible to install through IE using them most common methods used today. basicially you load a spyware infested page, it then drops down the "oh no this page is downloading activeX" box, forces you to click on it and say download it, Reloads the page again which screws most browser hijacking from occuring because most hijackers don't reload in a browser refresh, then promps you again to make sure you really want to do this.

They know they don't want people downloading this stuff, so they first force you to pay attention and read, then they actually break the #3 rule to purposely make it hard for John Q moron to install the scumware unless he absoletly needs it to survive.

It also has to be noted that the firewall and automatic patching is ON and encouraged to be ON by the security center. regardless of what you think of the firewall it basically stealth's you from the net and it's better than wide open anyday, and if everyone was patching automatically we wouldn't have had half of the infected blaster and sasser systems out there.

SP2 has flaws, basicially a complex virus could easily turn off the firewall, spoof the security center and go insane, but they did some under the hood things to deter rapid spreading and frankly I dont care which operating system your running, If a virus has root, or administrator or whatever is the highest access given by your favorite OS, Your Screwed because it will disable any protection you may have had and hapilly make you and your Net neighbor's life a living hell.

Busy Work

[Ridgelift]

I find it amusing that Windows requires so much babysitting. OS Patching, anti-virus signature updating, anti-spyware scanning, rinse & repeat. And after awhile when entropy has taken too much of a toll on the machine, it's time to back everything up, erase the computer and reinstall the operating system.

It's a computer for crying out loud! Why can't the process be automated so users can do other things?

much more complex....

[jazzman75]

The problems with this service pack are much more complex than what most people and the media are making them. I don't think anyone will disagree that Microsoft has a huge user base, or that they have some flaws in their software.

Implementing major security upgrades, a very necessary thing to do, comes with difficulties. The main problem is trying not to cause problems with too many other applications; else MS would have more issues to deal with. The trick is to balance the fixes with their effect on applications and corporate network configurations where questionable Windows services are most commonly utilized.

Don't get me wrong, I am not trying to defend MS. But I think people need to see that problem this big can only be fixed in stages, else it will create so many problems that no one will install it. The 10% rate of SP2 problems recently cited is a very acceptable rate overall. Had MS locked much more down, we'd most likely be seeing problem rates closer to 50%.

I think we can all think of at least one past experience with a flawed application where the manufacturer went too far and basically destroyed their user base thanks to a fix or update. MS is not going to do that. In addition, end users have to take responsibility for implementing known measures to ensure their system is as secure/virus free as possible. I recently read an article I concur with based on years of working with end users. The article stated that a very high percentage of users do not bother to keep their virus scanners up to date. In addition, at least one company has made a good firewall available for end users to use FREE for one year. Microsoft has had a link to that software for quite some time now. If a user is not doing the minimum known procedures to keep their system secured and virus free, they have no one to blame beside themselves.

Give it time. As Windows grows up, is fixed further, it will slowly become a secure product. The only part of Windows that I'd saw in an unfixable mess is IE, and there are known, easy to obtain alternatives. One can do a lot to plug the security holes now, but they have to get over blaming MS for the problem and take responsibility for their system(s).

Ok, this concludes my rant. Let the flames begin. ;)

Bogus write up by the register

[Zebra_X]

The register generally has very whitty and sharp commentary surrounding many facets of the computing industry. Their review of SP2 however, lacked a reasonable level of objectivity.

The first section of the article goes on to explain how a number of services are left on that "shouldn't be". This is for the most part a subjective rant about services that have traditionally been a source of system compromise. The "Hate On Microsoft" stick was made apparent when the author went so far as to proclaim that the DHCP client service and DNS client service should be off by default, "DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default. "DNS Client, automatic. Unnecessary on most home machines. Should be disabled by default." that wouldn't be a very useful computer would it? How about hitting up google for an answer to "Why can't I check my mail, browse the web, or do ANYTHING online?" - oh, wait...

Among some of the old favorites that were left on, file and print services made the list. That would be pretty bogus if the system's firewall wasn't turned on by default:

"The new "Windows Firewall" packet filter is turned on by default, finally. However, an exception for Remote Assistance connections is enabled, which is preposterous, although file and printer sharing, and UPnP, are blocked by the firewall as they should be."

Since it's firewalled, it's a non-issue. In fact, most of the article is written as if the system's firewall is not installed. Remote assistance is referenced in almost all of the help documents it would be a pretty bad user experience if you wanted help - but couldn't get it. As far as I can tell there has been no exploit based on this service since the introduction of XP.

Generally speaking unused services should be turned off. The only reasonable way to address this would have been yet another wizard that would ask the user how they use the computer and set services setting accordingly. However, the question of "Is sp2 remotely exploitable out of the box? More to the point is it secure from a network perspective, now and into the future?" The answer to that question is generally yes. Unless there is a nasty buffer overflow of some kind in the firewall (one hasn't been found, not to say it won't) an SP2 box is pretty safe on the network.

Wasn't that the point of SP2?

When evaluating the effectiveness of SP2 the net result needs to be evaluated. Many critics have evaluated the implementation. A lot of people might NOT AGREE with File sharing, RPC, Remote Assistance, or any number of the other services being on by default for that matter, but does it matter from an exploitability perspective? Only if that port is available for remote exploitation -- which is not the case.

Network issues aside, IE and the shell both do a good job of throwing up warning dialogs when the user is about to run an executable. There is also the "Data Execution Prevention" feature that detects when "data" is trying to execute as a program, though for it to work well the hardware has to support non-executable memory regions. Only time will tell how well those measures aid in stopping the propagation of worms.

Recommendations on speeding up XP

[jumex]

I have been having this problem on my Inspiron ever since I installed SP2. I have tried a lot of things, and I highly suggest http://www.blackviper.com/WinXP/servicecfg.htm for tweaking your services settings.
Another way to boost your speed is hanging your Prefetch setting, http://techrepublic.com.com/5100-6270_11-5165773.h tml has a great article on how to do it.
TCPOptimizer http://darkedge.levels4you.com/review.l4y?file=20 also helped speed up my collection a lot.
Another cool tip is fixing Event ID 4226 which limits your connections in SP2, check it out at http://www.lvllord.de/?url=tools#4226patch.
And, of course get the MS TweakUI for XP at http://www.microsoft.com/windowsxp/downloads/power toys/xppowertoys.mspx.
And although they are not freeware I actually bought and really like Registry First Aid http://www.rosecitysoftware.com/reg1aid/ and Registry Compactor http://www.rosecitysoftware.com/RegistryCompactor/ .

I hope you all have as much success as I have with spedding up XP. It is a pain in the butt to do it, but it is worth it in the end.

Re:Recommendations on speeding up XP

[mhollis]

1. Take Windows XP computer up very tall building.
2. 
   Attach very long power cord to computer.
   Start computer
   Gently shove computer, running and attached to long power cord off building.
   Using the formula v = (g/c)(1-e^(-tc)) where the constant c is about 0.394 sec^-1, integrating and solving for initial conditions gives you x=[integral] vdt = (g/c)(t + (1/c)(e^(-tc) -1)), your Windows XP machine will be faster than it ever has been before the long power cord disconnects itself.

New PC + SP2 =Broken Pgm (ECDC5) - Dell shines it.

[jwold]

If you still use Roxio Easy CD Creator 5.x, you will not get to use DirectCD for UDF Packet writing to save directly to CD after SP2 is installed. This program comes with every new Dell Optiplex we bought this year. These Computers are supposed to be Supported with SP2. But 2 calls into Dell T.S. resulted in a "Sorry, too bad" response. They recommend Windows native CD burning, but that ain't UDF.
(We have a need to make saving to CD as simple as a floppy for some elderly folks.)
This one isn't listed on Microsoft's list of SP2 incompatible programs.
Nor is anything mentioned on Roxio's site except people complaining. Roxio is up to version 7 now so you know they say to upgrade, but Dell still ships old v.5 out with new PCs. Go figure

On the contrary

[SilentChris]

For the machines we tested at work, the firewall actually blocked more than was necessary. We were surprised to find the admin share totally invisible even though the computers were on a domain.

Methinks something is borked with this anaylsis. A lot of these services aren't accessible on the boxes I've tested with (both on and off domains).

Security Vs. App Compatibility

[Commykilla]

There are two sets of articles on XP SP2:

1 -- "XP SP2 BREAKS TONS OF APPS!!"

Essentially, Windows is *too* secure and now breaks tons of programs -- so don't install it!

2 -- "XP SP2 IS TOTALLY INSECURE!!"

Too many Windows services are on, which means lots of apps -- including harmful ones -- are still able to run, which means XP SP2 is totally insecure -- so don't install it!

You can't have life both ways. Yes, added security will break *some* apps, but most will still work. Yes, it's not as secure as, say, a OpenBSD installation where you turn on one service at a time -- but end-users aren't expected to go through turning on service by service and tweak firewall settings every time they install a new app!!

By the way, for corporate deployments, most of that stuff (services, firewall, etc) can be administrated through Group Policy, anyway, so the default settings apply much more to home users than corporate ones who can pick and choose what services, firewall settings, etc to allow on their Windows PCs.

Windows XP SP2 treats "password" as a special case

[Spoing]

This is a defect I noticed a few hours ago;

1. Boot up the system and go into an account with admin-level access.
2. Give that admin-level account a password of "password".
3. Leave the system alone till the screensaver kicks in or intentionally 'switch users'.
4. At the login screen, select the admin-level account. It will ask for a password now.
5. Enter in "password" for the password.
6. The login dialog reports that "password" is an incorrect password.
7. (Consider getting out that Knoppix linux boot CD and resetting the password to null. Skip that idea for now.)
8. Select one of the non-admin, not password protected, user accounts to switch to.
9. The non-admin account comes up fine.
10. From the non-admin acount, switch users and select the admin-level account.
11. Enter in "password" for the password.
12. The login dialog accepts "password" and switches to the admin-level desktop.

This is odd. Now, repeat the steps again *after* switching the password from "password" to "test". The results? The login dialog does not report that "test" is an invalid password.

While I am not doing any more debugging of XP for Microsoft (a detail or two might not be 100% correct), what I have seen is enough to make me wince. Microsoft did not test this one well enough.

Note: It may be necessary to have a program running in the admin account to trip up this bug.

DNS Client service - misnamed

[argent]

DNS Client, automatic. Unnecessary on most home machines. Should be disabled by default.

He's too kind.

They should call it the "DNS on crack" service.

The only reason I can see for it existing is for sites where DNS is non-existent or badly broken, so that names pulled out of WINS, browsing, or by casting entrails or yarrow sticks can be used to let some applications run that would otherwise freak out. The problem is that when you do have working DNS it will, occasionally, freak out and return randomly wrong information.

Unless you're at a small business using a misconfigured Windows-based external firewall AND you're not willing to spring for an Active Directory server, turn this baby off and disable it. You'll be glad you did.

From a Compaq Presario owner...

[oogoliegoogolie]

Although I don't have a dell, I noticed the same thing. My wireless connections now work the first time all the time. SP2 improves power management as well. My laptop now comes out of sleep mode every single time in a couple seconds. Pre-SP2 half the time it would reboot or just sit there with a blank screen until I hit the power button.

Dell responsibility

[Flexagon]

As an OEM that sells systems bundled with XP, Dell, I believe, is obligated to support systems whose users apply service packs to the OEM-installed OS. There was some flak about this some time ago when some OEMs simply referred their customers to Microsoft, and I believe that they were reminded that they picked up this obligation as one consequence of their OEM arrangement. This support site page gives the particulars for Dell. In my experience, Dell acts like any other Windows sysadm: they wait until their own internal testing is done before they add it to the list of supported service packs, so that they can simultaneously publish a list of any issues (such as required driver updates). Until then, you take your chances (which have been minimal for me, though I tend to stay in the Latitude line, even for home systems) and rely on the forums. My reading is that Dell isn't done with its testing, and the particular spokesperson is only half right: not supported until their testing is complete and it appears on the above page.

Blame

[glass_window]

And it isn't the stupid^^^dents fault for getting spyware onto their computer in the first place, let alone ensuring it gets removed when it is? It's not like it's a regular thing to have on a well-kept computer. I have a laptop runing XP that has yet to see anything that doesn't belong on it (except MS messenger, but that was before I even got ahold of it, didn't take long to remove it). My wife has a win95 box that is basically on an open broadband connection and as long as it's not left on, I might find myself removing malicious files off of it every two months or so, it's not hard to ctrl+alt+del and make sure you recognize what's running and find a way to kill anything that shouldn't be. Maybe they should make this a lesson in the freshman 101 class or the computer 101 class that nearly every college/university requires?

Intel 845G video driver issue in SP 2

[zerofoo]

I just noticed on a clean install of XP SP2 that the integrated video output from an Intel 845G chipset is corrupted. Removing SP2 corrects the issue.

There are alot of 845 chipesets out there; I wonder if they all have the video issue.

-ted

A cursory inspection of the article yields

[ribond]

This reads a bit like the Republican take on Kerry's record. It's so like accuracy that it can be deceiving. Here's what I saw from just a glance...

Automatic Update is off by default...

...it's a true statement, but their comment goes on to say it should be off... so what is wrong with having it off and prompting users to change state if they want to?

NetMeeting Remote Desktop Sharing, manual. Unnecessary on most home machines. Should be disabled by default.

The service is not enabled... it is in a state where applications that rely on it can start it if its necessary, but that would be performed by the user. Have it not enabled is not a security risk....

Remote Desktop Help Session Manager, manual. Unnecessary on most home machines. Should be disabled by default.

I love this service. I love that it is not enabled by default, but must (as above) be initiated by the user. Again, there is nothing wrong having this service in a state where the user can enable it without confusion...

Secondary Logon, automatic (enables starting processes under alternate credentials). Unnecessary on most home machines. Should be disabled by default.

This service is what allows fast-user-switching (multiple console logons w/out logging out). It is an integral part of the XP ui and absolutely should be enabled.

The chief weakness of a single-user system is that whoever sits at the keyboard is the administrator, or root in UNIX parlance, capable of taking any action he pleases. He can install programs and delete files or wipe out whole directories; he can alter system settings with the same privileges as the owner.

Newsflash -- Windows is not *nix, its user base is not a *nix user base, etc... Excuse the cliche, but "Mom" is not going to login as a "user" then launch setup apps in root/admin context -- this is just not something that "mom" can wrap her head around.

the user decides whether or not to allow provider X or Web site Y to run code on his machine, based on pure guesswork and vague impressions.

For example, Internet Explorer allows a user to choose websites from which potentially dangerous content like JavaScript and ActiveX controls will be trusted. Content from 'untrusted' websites can be assigned reduced privileges.

This approach is wrongheaded from the start.

I'm calling bullshit on this one. Pick -- the end user should be smart enough to work in the user context until he/she needs admin access, then they should go use it for that specific context, etc... but they shouldn't know if they trust a site or not? And by default there is nothing in the "trusted" sites list, so the user is going to be prompted for each download attempt. If they don't like the "zones" idea that's fine, but complaining about the implementaion is different from that implementation being unsafe.

"Empty Temporary Internet Files folder when browser is closed" is not selected. (We would leave it enabled.)
"Installation of desktop items" gets a prompt, and is enabled for trusted sites. (We would require a prompt at all sites.)
The pop-up blocker is enabled, but disabled for trusted sites. (We would leave it enabled.)

More of the same. We get it, you don't like the "zones" thing. There is no difference between what the review wants and what IE already does in this case. There are no trusted sites by default and the user is going to have to go out of his/her way to get some there. If you like reading some activex riddled crap page you should be able to view the site without being bothered every 2 seconds. You have that right.
As a matter of fact, can you imagine the user experience if these setting

Dell employees modded me down! LOL!

[Teahouse]

I guess an opinion by a former customer is dangerous.

windows 98 se

[earthstar]

I say this again!
Why should everyone use the latest OS . aka the win XP and suffer all these problems?
Except a few s/w that work on XP only , 98 does it fine.
what reay ou going to lose out if runnin g a in98 se - patched up system?
Dont tell me " bad looks" - aint like XP feel....thats garb.

plus virus writer these days target XP mainly...98 escapes...example: Blaster.
Think about it.

This article is just dead wrong.

[jabels]

* NetBIOS name service, port 137. This is the WINS (Windows Internet Naming Service) server for a NetBIOS network, and unnecessary on home machines.

This service is off by default in SP2. Believe me on this one, NetBIOS name is a primary source of information for my job, and it's going away slowly as we roll out SP2.

* Error Reporting is on by default. However, there is no reason why a machine should phone home every time it encounters an error. This is better left disabled.

No, this is not better left disabled. Ask the mozilla team how "useless" crash reports are. Automatic crash reporting can very quickly tell a software vendor where crash trends are occurring.

* Automatic Update is off by default. Microsoft would very much like everyone to enable it, and now urges users to do so every time Windows Update is run manually; but it is never a good idea to let a third party decide what software should be installed on your machine, or when. This service should remain off, and users should update Windows manually, though regularly, paying attention to the various update options and their relevance to one's system.

Wasn't this the selling point of SP2? In every SP2 I've seen, this is on by default. This was the same idiotic argument trotted out when XP was first released, and we all saw how effective manual updates are. Remember Blaster? Someone should take this idiot out and shoot him... with a rusty gun. If you don't want software installed automatically, fine. Turn of automatic updates. Bu the idiotic masses MUST have it!

If the past year has proven nothing else, it's that we can't afford to let the Windows masses to have control over their own machines. The paranoid rants of a few slashdotters gave us Blaster, and I really don't think they can be forgiven for that.

Why SP2 sucks!

My biggest gripe with SP2 is that it changes settings you have already made. A proper patch should retain the previous settings you were using wherever possible, but SP2 doesn't.

It automatically, re-enables, MS's worthless firewall, and changes Automatic Update to download and install without any user input regardless of what you had it set for already.

In addition, the security center is an annoying piece of sh!t. I just got done setting up an elementary school lab with 35 new PC's, and once Automatic Update kicks in and downloads SP2, I'm gonna have to make a return trip just to reset every goddamn thing back to the way I had set it.

That is by far my biggest gripe, MS simply doesn't think about computers that are going to be used in a multi-user environment outside of a family room. I feel sorry for school admins across the country who are gonna have to deal with this shit at every school with XP machines. Thankfully, I only have to deal with one school.

I wish OS developers would include a special User account specifically designed for "Students".

Block Windows XP Service Pack 2

[whovian]

This script can be used to remotely block or unblock the delivery of Windows XP Service Pack 2 (SP2) from the Windows Update Web site or via Automatic Updates.

Re:It deserves scrutiny overrated

[Dfiant]

I've got to agree with you, auzy. He seems to lack even rudimentary knowledge of computer security, despite the brief credentials at the bottom.

the author hasn't gone any further than a normal port scan

It's worse than that, actually. He uses netstat as his source of open ports--of course, even if a program is listening and visible through netstat, the firewall still blocks it! He doesn't appear to have used any sort of external source to check for open ports.

I've just recently performed a fresh ("slipstream") install of XP SP2 on my laptop, and my nmap scans and observations of active services are quite different from this article's report. Maybe he upgraded a fresh XP or XP SP1 install?

Honestly, the guy says that services like DHCP and DNS should be disabled by default and that "most home machines" don't need it. I guess he doesn't expect people to read his article from home, then, because without being able to get an IP address lease from an ISP or resolving theregister.co.uk, they aren't going to be able to read it!

Wait a month for the first patch

[EastCoaster]

I never install a service pack right away. I wait awhile for the people to opine on it.

FUD??

[mindflow]

I for one think XP service pack 2 is a good thing. Now really, why is the security issues in service pack 2 so blown up, all earlier service packs has had security issues too?? Service pack 2 is about to make serious changes to the web, simply becaus popup's are blocked. Even Joe Average will have a popup blocker in 6 months time. It makes me wonder if there could be some anti-popup-blocker people spreading a whole lot of FUD about this package? The days of popups might have come to an end, and some people might not like that.

Agree with you

[Donny+Smith]

Excellent post.

I have complained about editorial policy in several of my posts, but (silly me) haven't ever suspected that ownership of Slashdot could have to do with what gets posted here.

I have also complained about low quality FUD troll articles by michael and suggested that articles be moderated, too, so that we can filter out that cheap propaganda that pollutes the site.
Of course, it seems it'd be "complicated" (suddenly it became hard to tinker with /. source code - where is that often lamented upside of the free software), but cheesy color schemas are never in short supply.

This year has been really bad.
I my opinion, some 40% of all articles and 80% of all comments are of miserable quality. Sometimes one has to browse four pages of comments to find 3-4 insightful posts. And as the parent post says, you can't get rid of worthless comments because totally stupid articles get modded insightful or funny.
As articles can't be modded or filtered ("michael filter" anyone?) either, it's becoming quite unbearable.

Sadly, that is the new Slashdot - perhaps it's "If you don't like it - leave!", so I've been thinking if I should still visit Slashdot.org any more or perhaps join one of commercial tech sites with quality articles and forums.

Truly pathetic.

P.S. In past months I've been getting to moderate ONLY anonymous posts - now I have started to suspect that happens because I've voiced my dissatisfaction too many times... Anyone else gets only to moderate only posts by anonymous cowards?

Port 445

[Vlad_the_Inhaler]

The thing that amazes me is that Port 445 has apparently been left open. Switching over to my Firewall screen shows that I block a 445 scan every 10 seconds on average. It is not just one or two IP-Addresses which try it, each Source Address will try 3 times and then move on.
Two machines a minute are saying 'Hello' on 445, 95% of my scans are on that Port and it has been left open. Sheesh.

The other unblocked Port where I often saw scans is 135, but the frequency there has dropped almost to zero recently.

Astroturfer

[gatzke]

This is not a linux site, it is news for nerds, although you may consider it pro-linux. Nerds use MS products too, so we need to know what is going on with everything from linux to XP to Mac to more obscure (dec, sgi / mips, etc).

Smear campaign agains MS? You sound like you could be on the MS payroll, one of those "grassroots" marketing efforts they can fund with the stacks of cash they make sellin you a $1 CD / software package for $300. I have never met a legitimate fan of MS products. People may be ok with MS, but few take it upon themselves to defend MS openly.