XP SP2 Can Slow Down Business Apps

An anonymous reader submits "Mobile PC magazine installed XP SP2 on a bunch of notebooks and benchmarked them, finding that SP2 caused a 9-percent performance reduction in business productivity apps. While a couple of notebooks performed better, the majority took a 3- to 22-percent performance hit." For now, the story is just at the top of the Mobile PC website, but they promise more details in an upcoming issue.

Buffer checks

[JanusFury]

This is probably due to them recompiling a large number of libraries and system components with the buffer checking and other security features they added into the recent versions of Visual C++. If you ask me, it's worth it, just to know that my Windows box has a few less wide open holes to be exploited.

It definitely has proven its worth so far - I may be wrong, but I'm pretty sure the reason SP2 isn't vulnerable to that GDI+ JPEG exploit is that they recompiled GDI+ with buffer checks.

Re:Buffer checks

You know what that means...time to use Linux.

Re:Buffer checks

This is what I read it as: "the reason SP2 isn't vulnerable to that GDI+ JPEG exploit is that they recompiled GDI+ with buffer checks. using namespace slashdot;"

Had to do a double take. Dude, you need a <BR> in your sig.

Re:Buffer checks

[bersl2]

Anybody know what the slowdown is for libsafe?

Re:Buffer checks

[metlin]

...but I'm pretty sure the reason SP2 isn't vulnerable to that GDI+ JPEG exploit is that they recompiled GDI+ with buffer checks.

Correct me if I'm wrong, but shouldn't this have been done right in the beginning itself?

If I were writing any commercial grade code, especially stuff that I know that people would take advantage of, I would sure as hell make sure that I had all my buffer checks in place.

I've heard so much about the programming practices at Microsoft and what not - and yet, ironically, these things keep cropping up so damn bloody often while some operating systems coded by a bunch of loosely connected hackers are way more robust and stable.
Hmm, makes one wonder.

(Heh, funnily OpenBSD site says - Only one remote hole in the default install, in more than 8 years! - I guess it does say a lot).

I do not understand, I would have thought that despite all the shit that MS gets for writing bad code, they would make sure that their code is largely buffer checked. Now, when you have to release stuff from outside to patch up for those, you would obviously be wasting a lot more cycles than if you had done so in the beginning, and well.

Sheesh. They do not do a good job of making software and cause you inconvenience, then they release something to make up for it, and that causes you even more inconvenience.

Hah.

Re:Buffer checks

[JanusFury]

99 buffer checks don't do you any good if one buffer is missing a check, and that one gets exploited.

That's what their compiler modifications are intended to help with, and from my experience, they help. I do agree that it should have been done sooner, though.

Re:Buffer checks

[metlin]

The reason I brought that up was because I was interview by Microsoft last summer at Seattle, and one of the groups that interviewed me was the systems group.

(Funnily, systems wasn't even my area, but still they interviewed me, but that's another story...)

They were of the opinion that since MS is a favourite target of hackers and the like, any MS programmer ought to go to extraordinary lengths to patch any and all buffer checks and foo bar. I was asked to write some piece of code for compiler design and memory management, and the guy kept harping on buffer checks.

I would imagine that with ALL those checks, such things would not be common - but lo! and behold, there they are.

Either they are not doing a good job of doing the whole buffer check thing that the guy harped to me about and it was all hogwash to impress upon you how "important" and "hard" coding in MS is, or there is something seriously wrong with the codebase that SO many exploits turn out everyday.

I can only guess which one it is.

Re:Buffer checks

[NanoGator]

"Correct me if I'm wrong, but shouldn't this have been done right in the beginning itself?"

Depends on which question you're asking.

"I want Windows to run faster, should we be performing buffer checks?"

"I want Windows to be more secure, should we be performing buffer checks?"

This is not a rebuttal to your post, simply pointing out that it's not as black and white as that. Security is important, but usability is what made Microsoft a success.

Re:Buffer checks

So, isn't Linux "commercial grade"? How many Linux distros are compiled with these checks?

Re:Buffer checks

[metlin]

I merely meant that patching up buffer checks into code later on makes the application a lot slower than having checked those in the very beginning - I know this because I've written code for which patches have had to be released (hey, we all learn).

(this may not always be the case, but it is often the case)

So, all that I meant was that while I do want Windows to run faster, it should not be at the expense of security - if it had been taken care of in the beginning, it would have been faster than taking care of it later by releasing a patch which is slower (did that make sense?).

Usability is what made MS a success - in the home desktop market. But when they have entered the enterprise arena, I think a tad bit of responsible coding would be nice.

Mind you, I'm not even anti-MS, I'm merely pointing out what I perceive to be callousness in Microsoft's attitude.

Re:Buffer checks

[aws4y]

Buffer checking is one way to solve the problem.
Another, non intrusive way of doing it is to include kernel level memory protection. On top of that you could add Users, Groups and privileges and not allow every program to have the run of the system.
Buffer Overruns are as old as C and UNIX has built mechanisism to cope with it that do not put the onus on the programmer, since the memory monitoring is done in the kernel, this is also safer in the long run because it means that a program must break memory protection at the kernel level in order to become "root". Too bad microsoft has yet to come up with a mechanism that UNIX people have been using for years.

Re:Buffer checks

[IronChef]

I've heard so much about the programming practices at Microsoft and what not - and yet, ironically, these things keep cropping up so damn bloody often while some operating systems coded by a bunch of loosely connected hackers are way more robust and stable.
Hmm, makes one wonder.

the openbsd people are united by an ideology. Microsoft employees are largely, though not exclusively, united simply by the desire for a paycheck.

I work in a Microsoft facility and let me tell ya, they aren't all smoking what Steve Ballmer is.

Is it any wonder that quality suffers when compared to a project that is a labor of love?

Or maybe my bad attitude is why I am a contractor and not full time there. :)

Re:Buffer checks

there is something seriously wrong with the codebase that SO many exploits turn out everyday.

There probably is, and it's same problem found with virtually all C/C++ code of a certain vintage, Microsoft or not.

Do you think Dennis Ritchie ever gave a shit about checking buffers? How about the millions of coders that copied his style? How about the people that wrote most of UNIX? How about the people that wrote most of Linux distros? Go check the Linux security sites, and you'll get the picture that this was only Job #1 in the last few years.

So, MS wants to hire better hacks than the last round. Big f'ing deal.

Re:Buffer checks

[metlin]

Uh hmm, your argument is flawed for the simple reason that just because Linux has buggy code, does not excuse Microsoft from writing good code.

And comparing Dennis Ritchie's code with today's code is again flawed - hell, why, given my today's knowledge of Physics and Mathematics that I learn by my twelfth grade, I would have been the most intelligent man alive 400 years ago.

You do not compare with what Dennis did or might have done, you make a reality check with how things are today - there is a fair section of crackers who want to exploit systems, and if you are in the business of writing commercial code, you'd better be darned good at making sure your code is good because customers are *paying* you for it.

I have another issue with MS - they concentrate more on releasing things early than checking the code full before releasing. If this were an isolated issue, I would not have a problem - it is not. And MS has had so many years in the market, so many top-notch programmers AND the resources. If you want to compare, look at OpenBSD - that's an example of OpenSource code done right - with one remote exploit in 8 years.

Linux is still in it's infancy, and for all that it's capable of it, it's quite unfair to compare it with the products of a 20 year old behemoth. If you ask me, Linux is doing a fantastic job of being a top notch enterprise systems in such a short time, when compared to Microsoft. And very few of the people behind it actually make any money of it. Does that not say a lot?

Re:Buffer checks

[TheLink]

Uh what are you talking about?

Windows XP has users, groups and privileges, and not every program has the run of the system.

And UNIX is just as vulnerable to buffer overflows as Windows XP. They both are programmed in languages that are prone to such problems.

Re:Buffer checks

[AdamInParadise]

Hey, you! Wake up! This is the 21st century now, not 1988! Those kind of protections were build into the NT kernel since the very beggining (1993 or something), which means win 2k and xp have them.

Regards,

Re:Buffer checks

First off, you seem ignorant of the point that many people did know better than Ritchie, which is why OpenVMS and OS/400 have infinitely better security records than UNIX does.

Second, you're right that (in retrospect) MS probably should have hired those guys instead of the C/UNIX crowd that the unis were producing. Fact is that they didn't though, and irrespective of their monopoly status they got all the same kinds of people and kinds of problems as everyone else.

Finally, it's true they were slower to fix the problems/infrastructure/configuration as some other groups like OpenBSD (which has tons of bugs, just not in the "default install"), so that's a fair assessment. However, flaming them for trying to Do The Right Thing and hire qualified people seems bizarre. Maybe you didn't learn this in college, but millions and millions of lines or source took years to produce and will take years to fix, and it pays to do things right the first time.

Re:Buffer checks

[omicronish]

Either they are not doing a good job of doing the whole buffer check thing that the guy harped to me about and it was all hogwash to impress upon you how "important" and "hard" coding in MS is, or there is something seriously wrong with the codebase that SO many exploits turn out everyday.

I was an intern at Microsoft this past summer, and I believe it's the shear quantity and perhaps complexity of software being written that's resulting in these bugs. They really do emphasize writing secure code now (I don't know how it was like before). I shared an office with two other interns, and during several code reviews another intern was involved with, there would be "did you check parameters here? potential buffer overflow? what if this is NULL?" And it wasn't even important code he was working on.

Re:Buffer checks

[Frankie70]

If I were writing any commercial grade code, especially stuff that I know that people would take advantage of, I would sure as hell make sure that I had all my buffer checks in place.


I am sure that the parent post was talking about the /GS checks & not just regular buffer checks.

Re:Buffer checks

First off, you seem ignorant of the point that many people did know better than Ritchie, which is why OpenVMS and OS/400 have infinitely better security records than UNIX does.


This is a myth, or at least a very disingenous claim. OS/400 and VMS are completely different animals than UNIX meant to run in different environments.

Historically, the vulnerabilities of these systems have not been subjected to the public Internet. Furthermore, only large businesses typically used these systems, and the security industry built around them is quite secretive. This is not necessarily just on purpose, but that specialized knowledge in many areas seems to be lacking on the Internet anyway. Anybody that thinks that the Internet is the be all end all of what information is out there is a complete idiot. Yeah, so OS/400 is not reported on Slashdot.

And yes, I am completely familiar with the fundamental differences in OS/400 that make it nearly invulnerable to typical UNIX/Windows things like stack based buffer overflows. This does not mean it is the impenetrable fortress you seem to think it is. All software has bugs.

Furthermore, the better security of OS/400 is in no small part helped by the hardware architecture. It is part of a complete integrated system. This is much different than the mini/micro world that UNIX and friends grew out of.

Re:Buffer checks

[fermion]

You are probably right, but it is probably more complicated than that. In my experience when dealing with an older code base two things happen. First, certain things are done to increase the efficiency of the code. Some of these things merely hamper legibility and can be left alone. Others are security issues and so, when efficiency is longer the primary concern, some of these optimizations are reworked.

Second, in the old code not all the paths of execution, say for a buffer check of certain class of user input, intersect at the same place. Ideally all paths that accept such input would cross with a well known rule coded in a well known location. When this ideal is not met, a new well known location is created for the rule and all relevant code is rerouted to the that rule, Any other checks are left in place. Such a practice reduces efficiency but improves security.

There are probably also issues like moving certain function up to higher levels of abstraction. They may even have left in code that dynamically checks ranges of memory blocks. All of these are fine for the short term. SP2 is a much needed triage, and we should expect reduction in performance for the next year or so. Maybe even until they get Longhorn out.

Also remember that SP2 includes firewalls and other services for all users. For some users, the firewall is redundant, and that redundancy causes conflicts that will slow computer down significantly. SP2 also has a security monitor which likely uses a non-trivial amount of power.

Re:Buffer checks

[wayne606]

The real way to avoid these sorts of problems is to have a memory architecture that prevents writable pages from being executable, and vice versa. I read somewhere that the IA32 architecture makes this very hard - anybody know the details? Back in the old days we used to use separate instruction and data spaces (i.e. on the PDP-11) ...

Re:Buffer checks

Uh what are you talking about?

Windows XP has users, groups and privileges, and not every program has the run of the system.


Uh, what are you talking about?

As a Windows NT programmer for 10 years I, and many others are fully aware that the Windows security model is more comprehensive and flexible than the POSIX model. This is due to the power of NTFS and the uniform interface of the NT object manager.

However, while this is all dandy, the Windows environment is architected, and third party apps are delivered, that make this entire security system virtually useless. Furthermore, Windows has an aging capability based (policy) system that is now being bested by more modern and truly effective alternatives. It is very difficult to actually maintain Windows NT systems in server or desktop configurations that make use of sane file system and execution policy. To many services need extended system privileges. 99% of NTFS filesystems have uniform perms throughout.

In short, the great security stuff in Windows is wasted on an overall lame implementation of the system.


And UNIX is just as vulnerable to buffer overflows as Windows XP. They both are programmed in languages that are prone to such problems.


It is possible to program in both these OSes with languages other than C. I mention this not only to be an asshole, but also because most security vulnerabilities are found in things other than the kernel.

Re:Buffer checks

(Heh, funnily OpenBSD site says - Only one remote hole in the default install, in more than 8 years! - I guess it does say a lot).

Remember that the default installation of OpenBSD is about equivalent to what you would get if you installed Windows XP with little more than the kernel, command-line interpreter, and a very basic set of tools and services. No GUI, no games, no admin tools, etc. If that were the case, I'd imagine XP would be pretty secure as well.

Re:Buffer checks

[metlin]

I was not trying to flame MS for their past actions - however Microsoft started out with a fairly clean codebase for both Win2k and WinXP. Given that, it seems bad that such vulnerabilities keep coming up.

I do agree that both Win2k and WinXP are a lot more stable than their predecessors. However, you would think that when you are doing something the second time, you would double-check to make sure that you do not make the same mistakes as you did the first time.

I just feel that this is not happening - and any number of factors could be contributing to it (market, economics, manpower, complexity what not) - but that does not mean you do not take the pains to not do it well. I'm sure Microsoft's trying to take as much care as they can to ensure that this does not happen.

However, despite that, these still seem to be happening. Which is what I find quite baffling - there seems to be a fundamental flaw somewhere in there, and that needs to be taken care of. Which is what I mentioned in my initial posting, too.

Re:Buffer checks

[cowbutt]

Immunix for one. Alternatively, taking a slightly different path towards pro-active security measures, Red Hat has recently included exec-shield (as seen previously in Fedora Core 1 onwards) in RHEL3 update 3. FC2 includes SELinux, so that'll probably turn up in RHEL eventually, too.

--

Re:Buffer checks

[Qrlx]

during several code reviews another intern was involved with, there would be "did you check parameters here? potential buffer overflow? what if this is NULL?"

Well, what if it was a potential buffer overflow? In such a piecemeal appraoch to programming, can the intern realistically be expected to know if there's a potential buffer overflow? How should he know how a NULL is handled? Isn't there an operating system that's supposed to do that stuff?

Where's that damn garbage collector???

Disclaimer: I am so far from a security expert that I get email with my real name in my fake email accounts. But what this sounds like is a security blanket, not security.

Security is very fucking hard. That's why I do tech support. Sometimes it's a chore but you can always just break out the ghost disks and wow theim with their "new" computer.

But I have nightmares where I write Win32 apps in FoxPro.

Re:Buffer checks

metlin, think about it from a political angle:

Systems Group believes and knows buffer checks are important. Systems Group keeps losing the argument at the management meeting level. ie, Marketing: "Damn the buffers! We want more speed ahead!" Result, Systems Group takes their turn at new recruits trying to find more team players for their side, irregardless of the department the recruit is headed for.

Welcome to Microsoft (or any large outfit). There's a lot of politics.

IANAPHB, but it's real important to be able to think like one.

Re:Buffer checks

Remember that the default installation of OpenBSD is about equivalent to what you would get if you installed Windows XP with little more than the kernel, command-line interpreter, and a very basic set of tools and services.

Give them some credit, it's a bit more than that. And it includes full and incredibly good documentation. And a compiler. And...

No GUI

You have an option to install X as a part of the initial setup. You don't get KDE or Gnome by default (mostly all X buys you by default is multiple terminals at once), but they're just a pkg_add away.

no games

Then what are these? (all in by default)

adventure arithmetic atc backgammon banner battlestar bcd boggle bs caesar canfield cfscores cribbage factor fish fortune gomoku grdc hack hangman hunt huntd mille monop morse number phantasia pig pom ppt primes quiz rain random robots rot13 sail snake snscore teachgammon tetris trek wargames worm worms wump

no admin tools

Such as?

etc.

$ ls -ld /etc
drwxr-xr-x 17 root wheel 2560 Sep 18 00:24 /etc

No, it's there all right.

Re:Buffer checks

No, the intent wasn't to pimp ASS/400, only point out that some people saw the problems with K&R-style C from Day 1. That whole Manly Man Error Checking is For Wimps thing. Unfortunately for everyone, Microsoft comes from the same Cowboy C Coder culture that Unix does, so while their errors are more tragic, they are hardly unique.

Re:Buffer checks

[metlin]

You are right in saying that MS comes from the same Cowboy C Coder Culture (CCCC, ha!), however MS has had a significant amount of time to grow out of it. If twenty five years later they are still doing the same mistakes they did back then (maybe fewer in number, but equally dangerous), there is something wrong.

Fundamentally, yes, you are right in saying that complexity brings such mistakes. However, that's not an excuse to use it as a crutch to release buggy software.

Re:Buffer checks

[eric76]

Back in the old days we used to use separate instruction and data spaces (i.e. on the PDP-11) ...

I don't know about RT-11 and RSX-11, but on RSTS-11 the I and D space either weren't used at all or were very rarely used.

I talked to one of the RSTS developers about that at a DECUS once. He said that they didn't use I and D space so you could use the MARK N instruction.

I thought that was rather strange because earlier in a room full of people there for the discussion of programming in assembler language, someone asked about the MARK N instruction. The guy leading the discussion asked if anyone in the room had ever used the MARK N instruction. Out of a couple hundred people or so, it appeared that I was the only one there who had ever used the instruction.

Note: For the benefit of the non-PDP-11 people here, the MARK N instruction was an instruction you pushed on the stack when calling a subroutine for one method of handling subroutine linkage. The 'N' was the number of arguments in the list (or more accurately, the number of words used by the arguments). When exiting the subroutine, you would then execute the instruction and it would do the cleanup and exit from the routine cleanly.

If you push the instruction on the stack, you're operating in D space. In the subroutine, when you would attempt to execute the MARK N instruction, the reference would be to I space and you would attempt to execute something other than the MARK N instruction.

Re:Buffer checks

[robhancock]

The traditional IA-32 architecture makes no distinction between "read" and "execute" permissions on memory pages, therefore any page that can be read that can be executed.

There are some hacks that can apparently be done with code segments, etc. to approximate execute permissions, but the real solution is separating the read and execute permissions, which is now possible on newer CPUs like the Athlon 64 and some of the latest/upcoming Pentium 4 chips.

Re:Buffer checks

Correct me if I'm wrong, but shouldn't this have been done right in the beginning itself?

There's buffer checks and there's buffer checks.

You absolutely must check strings coming from external sources before sticking them in a buffer. Failure to do so is an error and an exploit waiting to happen. Done properly, this will prevent all buffer overflows with no unnecessary performance penalty.

What Microsoft has added is extra checks on every single buffer to detect overflows after the fact and halt execution before it can be exploited. In theory, it's actually impossible to do this perfectly, but good enough catches everything in practice. This adds space and time to every function, and is basically just a safety net in case you didn't do your job properly the first time around.

OpenBSD has this (ProPolice), but they have many other general protections as well. More importantly, they are much more careful about getting the first, proper and absolutely necessary buffer checks done in the first place.

Now doing the first type of checks in C in every place that it needs to be done can be tedious and one screw-up ruins everything. In virtually every other language, including C++, it is trivial to avoid this. Interestingly, I believe Microsoft uses C++ a lot internally (see GDI+), while OpenBSD is almost(?) entirely C.

Re:Buffer checks

I rather doubt that W2K was "clean" -- it's probably mostly early/mid-90s era code that was just QAed to hell and back for stability problems. You don't build Windows in a year or two.

It's no secret when MS decided to choose security over bug-for-bug compatibility and speed -- back in 2002, it made the newspaper. You can bet that none of the stuff was touched before then out of fear of breaking something.

Re:Buffer checks

[Eminor]

Sh*t, it's 2004, and they've just now realized that unchecked buffers are bad?

Re:Buffer checks

>usability is what made Microsoft a success.

Yes, Microsoft's world-famous usability. They're the industry standard for usable software! Uh huh! Users loved DOS and Windows 3.1 so much that they threw out their less expensive, harder to use Macintoshes and flocked to the more expensive but easier to use DOS machines. Why use a GUI when you can just get a keyboard template to go over your function keys?

Seriously. Where in the hell did you get that fucked up idea?

Re:Buffer checks

[Eminor]

"I want Windows to be more secure, should we be performing buffer checks?"

This is not a rebuttal to your post, simply pointing out that it's not as black and white as that. Security is important, but usability is what made Microsoft a success.


So shaving off a a fraction of a millisecond results in better usibilty does it?

Re:Buffer checks

[NanoGator]

>Seriously. Where in the hell did you get that fucked up idea?

When Windows 95 came out the days of setting individual apps to use your hardware (like sound cards) were over. You didn't have to memorize a bunch of stupid dos commands. Installation of apps was as simple as putting in the CD and hitting 'ok' a couple of times. All this, and you could build your own machine to boot.

And since when did filtering out automatic-MS-hate make my ideas 'fucked up'? You can't tell me that the surge of computer purchases starting around the mid-90's wasn't because of the launch of Windows 95.

Re:Buffer checks

[rd_syringe]

Correct me if I'm wrong, but shouldn't this have been done right in the beginning itself?

Why isn't there this sort of criticism against Mozilla/Firefox? From the "Confidential" XUL bug to this, I'm more glad than ever that I use Opera.

Re:Buffer checks

[Tim+C]

How should he know how a NULL is handled?

Well, if he wrote the code that needs to handle the null, then he need to know how it should be handled. If he's inexperienced/junior enough to not be able to decide himself, he should speak to someone who can make that decision for him.

Re:Buffer checks

"... like OpenBSD (which has tons of bugs, just not in the "default install") ..."

Then these wouldn't be bugs in OpenBSD now would it? Considering that OpenBSD is a minimalist "default install" distribution with little to no frills, this would be a problem with the third party add-ons ("ports"), which are maintained outside the core code base by persons not directly affiliated, and explicitly not OpenBSD itself.

OpenBSD does have bugs in the default install however. It hubris to assume that any software/OS doesn't. But they patch them as soon as they find them as well as implementing means to minimize or eliminate the harmful side effects of them until such time.

OpenBSD adopted a proactive philosophy to thier bugs on its inception. It split from NetBSD over this very issue. They patch things immediatly because they are broke instead of patching because it's being or may be exploited.

Microsoft went out of it way to accomidate the bugs in third party softwares when it designed Windows, which was simply insane. (Contrast OpenBSD's "if it breaks, it deserved to be broken" attitude.) It has maintained a philosophy of "ease of use" over security at every step of Windows development since, which was not a wise tradeoff. To "Do The Right Thing" now is still following thier pattern of reactionism, only now it's the company's image they are trying to patch.

Even to Joe User, Windows is synonymous with instability (which is normally Joe User's fault) and viruses (also normally Joe User's fault), but he doesn't know enough about computers (or care) to use anything else. But because of his ignorance and sloth, when he goes to upgrade, he will still get another Windows box. If windows is now "secure", he wont even bat an eye at that OS option.

MS is doing damage control in the IT sector. Joe User may provide bread and butter to MS, but IT will consitently hemorage money. But IT wants/needs security and MS simply doesn't provide it. As ease of use improves for GNU/Linux, MS will loose the only edge it ever may have had.

Now, with the frequncy of severe exploits surfacing and CERT warnings getting (inter?)national attention, they are at a point where they must do something substantial. So harping the "Secure by Default" (OpenBSD's moto, I must point out) mantra isn't so much a "Do The Right Thing" descision as it is as desperate PR stunt.

Re:Buffer checks

So let's say you have a 10 million LOC operating system that's written in C and C++ and has a shitload of security holes. Customers are furious.

You also happen to make a profit of $30 billion a year.

What to do?
1) Put 1,000 developers on the task of writing regression tests. All those crazy hacks that keep badly written but immensely popular apps running on XP can still run - just make sure you have a test case for them. Build a cluster of 1,000 screaming fast servers, just to do continuous builds of the application. Of those 1,000 test writers, take maybe 25 of them and put them on advanced regression testing R&D. Invent new ways of regression testing giant projects more efficiently or more effectively. Invent new languages, tools, processes, and formal models for testing code. Have your IT people figure out how to build the ultimate regression testing node.

2) Build or buy (or have customized) the most badass static code inspection tools in the world. Hire a few dozen PhD's to dream up new source code metrics to find the top 25 anti-patterns in your source code, and write algorithms that can find them and bring them to the attention of testers. Hire some bioinformatics people and some SETI@Home people and some data warehousing people just to make sure that you've got people who are looking for knowledge in the data, instead of imagining things that might happen in some imaginary data set that looks nothing like your actual data set (the source code).

3) Have Bill send out a memo that commands the legions to write every damn thing in C# (or an even higher level language) from now on, unless you can get a design review committee to approve use of C, C++, assembly, etc. for a specific part of an app. There should have to be a solid case for "why aren't you using C# for this", with metrics that prove that C# just can't do it (and the C# and CLR groups told you that they can't meet your requirements). Have every service pack you release from now on include or depend on the latest .NET class libraries. Figure out a policy of "when it needs X% of the LOC rewritten before the next release, you have to rewrite the whole thing in C# instead of C++" for each library.

4) Put 100 developers on the task of code reviewing every single line of Internet Explorer for possible security holes. Hire everybody from the OpenBSD group to train your own people on how to do this.

5) Put 500 developers and 100 analysts on the task of fixing security holes as soon as they are known. It should be possible to have a fix (not fully regression tested, but closing the security hole) within 24 hours of hearing about the bug. Offer a decent bounty to any and all security organizations for finding and reporting bugs to you without telling the outside world about them for a minimum of 7 days.

6) Fucking fix fucking awful Windows Update. Use HTTPS for everything. Buy 3 or 4 of the ISVs that offer alternatives to WU, and integrate all of their best ideas. Go way way out of your way to send diffs and save the end-users bandwidth, so they'll actually use the thing. Test the bejeesus out of it, so that the chances of an update breaking the machine are tiny - again, so users will use the thing.

Seems like too much to do? Again... 30 BILLION DOLLARS A YEAR. Even if 1% of this effort pays off, it'd be worth it in the customers you retain.

Re:Buffer checks

Give them some credit, it's a bit more than that. And it includes full and incredibly good documentation. And a compiler. And...

Which I would consider "basic tools." :)

You have an option to install X as a part of the initial setup. You don't get KDE or Gnome by default (mostly all X buys you by default is multiple terminals at once), but they're just a pkg_add away.

This is something I'm unsure of, as I haven't used OpenBSD for a year or two: is Xsrc audited? I'd assume so, but not totally sure.

Then what are these? (all in by default)

OK I slipped up there!

no admin tools

Such as?

I was referring more to the administrative 'wizards' included with NT, such as the MMC plugins for disk management, user management, etc. I should have been more specific on that one.

Re:Buffer checks

[DrSkwid]

Why use a GUI ... ?

good question

Re:Buffer checks

[10101001+10101001]

>>"Correct me if I'm wrong, but shouldn't this have been done right in the beginning itself?"

>Depends on which question you're asking.

>"I want Windows to run faster, should we be performing buffer checks?"

>"I want Windows to be more secure, should we be performing buffer checks?"

How about:

"I want Windows to not do buffer checks so it exploits faster."

Seriously, the actual amount of work to guard against buffer overflows is generally either O(n) (for C strings) or O(1) (for just about anything else). An overhall of strings could make them O(1) for a size increase. And at that point, the performance penalty for doing buffer overflow checks is insanely small (mostly any cache miss you might have for the size of the error checking/reporting code; ie, a lot less than 9% and probably less than 0.1% for most any modern system).

The problem is poor coding. Automatic detection by the language (like with Java, Basic, etc) without error/exception handling leave DoS instead of exploitation. If we can get security through stack protection to the same effect, there's no major reason to switch languages.

In fact, the core thing that needs to be done is the code needs to be fixed. And that means several independent audits. Microsoft can't realistically expect to foister this cost as an upgrade directly, so I have little doubt they're using the knowledge gained from the stack guard protection to track down and fix problems in their new release, Longhorn. I actually hope they succeed. It'd be nice for Microsoft to be a good leader for a change.

Re:Buffer checks

[xombo]

(Heh, funnily OpenBSD site says - Only one remote hole in the default install, in more than 8 years! - I guess it does say a lot).

That's one network hackable hole. I'm sure there have been plenty of holes in the software itself or even holes that could be exploited by software ("viruses" et all) from within the system itself.

Re:Buffer checks

[vidnet]

Only one remote hole in the default install, in more than 8 years.

Isn't the sshd the only thing that runs on a default install?

It's like saying Gentoo Linux has no remote holes at all in the default install, since it lacked networking until I separately installed my wlan drivers.

Re:Buffer checks

[Jugalator]

So shaving off a a fraction of a millisecond results in better usibilty does it?

I think he was talking about the big picture here -- the philosophy at Microsoft in general, not just about this particular thing. I don't know about you, but it's pretty obvious to me that MS has often went for performance instead of security. Why else would they integrate their graphics subsystem with the OS?

Re:Buffer checks

to be fair, that's what I do when in code reviews. I always ask the poor schmuck what happens if I pass in null, empty array etc.

It's nothing to do with security. if they're using lists or trees I ask them if/how they ensure there are no circular references in them, or if there are that they are handled ok.

edge cases are the hard bit, and buffer overruns are what cause crappy C or C++ code to crash all over the place. every C programmer thinks about exactly these things.

Re:Buffer checks

[mindstrm]

As an admin I am a *lot* more worried about exploits that can happen remotely over the network than I am about someone with a local exploit.

Re:Buffer checks

[xombo]

Right but I felt that the parent was using it to justify using *NIX on the desktop, where local exploits are much more likely.

Re:Buffer checks

[sg_oneill]

actually the better record has to do with the fact fk all people use OS/400 / OpenVMS.

Yeah unix had some silly bugs, but that partly cos it was written by a really small team in spare time and became uber-popular despite it never really being intended to , and in an age where hackers where guys who logged in and FIXED your shit.

Re:Buffer checks

[Silverlancer]

I installed it, and uninstalled it 30 minutes later. On my machine it broke InstallShield (couldn't install anything), and Windows Media Player stopped working altogether. System Restore didn't evevn fix media player, and finally install version 10 over the old one managed to fix it.

I don't care how insecure Windows XP is--if it doesn't work, there's no point in it being secure or not. I use Firefox, updated as often as possible, a NAT router, and solid passwords on my admin/hidden Safe Mode admin accounts. And if I need to run a server or something that truly does require speed and security, that's for my Mepis installation to take care of :).

Re:Buffer checks

[Frankie70]

How should he know how a NULL is handled? Isn't there an operating system that's supposed to do that stuff?

Where's that damn garbage collector???


Have you ever coded C or C++ in your life?



But I have nightmares where I write Win32 apps in FoxPro.



I can believe that.

Re:Buffer checks

[dirk]

While you are right it is not fair to compare coding from 20 years ago with that of today, it is also unfair to compare OpenBSD with MS. They are aiming at 2 completely seperate goals, so of course they will be different. OpenBSD has the goal of being as secure as possible. They are extremely good at this. They also do not support many of the newest and greatest things and their usability is pretty bad. MS has the opposite goal. They want to have an incredibly usable OS which supports all the latest and greatest hardware and innovations.

Security and usability are on 2 ends of the same spectrum. If you want usability, you have to give up security and vice versa. MS for years has tried to get as close to usability as they could and they gave up security to do it. They are now trying to strike a balance between the 2. They will never be secure as BSD, because they can't give up all usability like BSD can, because their user base is Joe Average.

Re:Buffer checks

"I have another issue with MS - they concentrate more on releasing things early than checking the code full before releasing."

Wait, that is not the Slashdot party line! Your supposed to complain about how long Microsoft takes to release things, along with how quick OSS programmers are. Oh yes, OSS code is always fully checked, because all the eyes of Argos are looking at it.

Re:Buffer checks

[meliux]

I didn't think OpenBSD could display jpegs?

Re:Buffer checks

[duck_oil]

Of course you were interviewed by the systems group, what else would they be doing?

Re:Buffer checks

College student, eh?

You have much to learn grasshopper.

Re:Buffer checks

[Skrekkur]

hmm It can look alot better for one, and you can be lazy when you're using a GUI, you can use just the mouse for some time if you want. When coming home from school and Im really tired, I like to be able to use mostly my mouse for a while. But some computer system like monitor systems, Rental store systems and others can do with Text-mode graphics and some things you just do alot faster in console. Long live GUI and console/text-mode ;)

Re:Buffer checks

[PhYrE2k2]

Control Panel | System | Advanced (tab) | Data Execution Provention (tab). Note the line at the bottom of a standard P4: Your hardware does not have DEP, however Windows will use software to protect you. Interesting... so not having advanced pre-production processors means that it does _software_ checks on every memory write. Fantastic! That's in addition to buffer checks, it is checking to ensure that the data area and other stack frames are read only! MMM.... slow-tastic!

Re:Buffer checks

[fitten]

Yeah, it's not like other platforms have these type problems as well.

Re:Buffer checks

[cheekyboy]

windows is only slow because of

a) too many messages
b) crap cache system caching things which are pointless
c) so called ram saving techniques which flush out 'speed' saving components out from ram to swap to give more ram for the cache which is filled with crap.
d) badly designed code that does too many things when not needed.

Ever wonder why an XP machine with 512 ram with only say 250 used, still swaps stuff out to swap trying to make more free ram? stupid logic. Why does a swapped out mozilla take 30-50seconds to load back up? does it really take 50seconds to load 40-70meg of swap space into ram on a 20meg/sec HD? Why dont they have multiple types of swap files for different memory types/objects to have faster 'seek/reload' times with out a billion tiny 4kb seeks/reads.

I think we need some cpu hardware engineers to help design techniques for the OS programmers, sometimes hardware geeks think better at a smaller nanosecond time scale, not high level one C++ object usage :)

Re:Buffer checks

>> Where's that damn garbage collector???

> Have you ever coded C or C++ in your life?

Yes; it's called the Boehm garbage collection library and it's *quite* nice. Others are also available.

Re:Buffer checks

[fitten]

Users loved DOS and Windows 3.1 so much that they threw out their less expensive, harder to use Macintoshes and flocked to the more expensive but easier to use DOS machines.

??? This statement must work on the two-falses make a truth principle or something...

Re:Buffer checks

[Junks+Jerzey]

I've heard so much about the programming practices at Microsoft and what not - and yet, ironically, these things keep cropping up so damn bloody often while some operating systems [openbsd.org] coded by a bunch of loosely connected hackers are way more robust and stable.

Three reasons:

1. BSD is a much simpler OS. Remember, Windows isn't just a kernel, but a graphics subsystem, a window management layer, and so on.

2. Windows is very high profile and is what the crazies are targeting with their virii and other attacks. People are actively looking for these exploits under Windows.

3. It isn't at all clear that BSD has fewer application-level exploits than Windows, such as these image decoding overruns. It's not like these newly discovered exploits have been used to attack Windows. They were accidentally discovered by programmers. I'm sure if everyone started going through the source for BSD applications they'd find exploits, too. So this isn't a valid comparison, because there's no data.

Re:Buffer checks

[LO0G]

Because Linux is somehow magically protected from buffer overruns?

Re:Buffer checks

[ChrsJxn]

I disagree. I don't think security and usability are on the same spectrum at all. There is no reason why one has to come at the expense of the other.

However, for a computer to be truly secure, you have to consciously establish that security, which is something beyond most Joe Average users. You could build in basic stuff into an OS, and have it be not any more or less usable than it was before. You could also tweak your Windows settings to give you the most amazingly unusable OS I've ever seen. This is because MS has not really, it seems, gone for usability when developing new iterations of Windows. Instead, it has gone for simplicity, which I would accept as being at the opposite end of the spectrum from security, and which is not the same as usability.

Re:Buffer checks

[bizard]

Security and usability are on 2 ends of the same spectrum. If you want usability, you have to give up security and vice versa. MS for years has tried to get as close to usability as they could and they gave up security to do it.

Although I would agree with you that the two OS have different goals, saying that security and usability are at opposite ends of the same spectrum is totally full of crap. First of all, I don't believe that Microsoft was concentrating on usability, but features. Second, because the two groups concentrated on one thing to the exclusion of all others doesn't mean that usability and security are mutually exclusive.

It takes effort to do good security, and it takes effort to do good usability (and takes time to add new features). If you take the easy route to do one thing, then you do generally compromise the other, but that is due to laziness or lack of time and not to some inherent relationship between the two.

Re:Buffer checks

1. Wow, who would have imagined running a software firewall would take a toll on performance? Im just going to stick with running things which use NO resources. :rolleyes:

2. OpenBSD doesnt even run 1% of the software Windows is able to. Bragging about more secure isnt much of a boast when you trim your abilities so far down.

Not that this is directly a slam against OpenBSD; they have chosen a niche and do great at filling that niche. But Windows wasnt made to be a niche operating system, it was made to be a jack-of-all.

Re:Buffer checks

[wobblie]

Second, you're right that (in retrospect) MS probably should have hired those guys instead of the C/UNIX crowd that the unis were producing.

Well, who the fuck is Dave Cutler then? A unix guy? I thought not.

The bulk of Microsoft's problems aren't due to bad code and can't be fixed by auditing. The majority of their problems are simply shitty, pig-ass-fucking stupid design. Quit blaming the problems on the number of code lines and maybe you'll get somewhere.

Re:Buffer checks

[diegocgteleline.es]

"Cowboy C Coder Culture"? They're going for C# for most of their new code...(confirmed by MS employees at longhornblogs.com etc.)

Re:Buffer checks

[ZosX]

Only one remote hole in the default install, in more than 8 years!

That's pretty good, but what exactly does that mean? OpenBSD isn't exactly ubiquitous like say Windows, FreeBSD or Linux and MacOS X (another BSD flavored OS). Since they code reviewed the kernel code heavily during the beginning of OpenBSD, I think removing or altering many, many lines, is OpenBSD therefore that much more secure?

The reason I ask is that I was working on putting together a small BSD or maybe even Linux based firewall for oh, I dunno, about 4 users. Since a firewall would sit on the edge of the network, security is #1. Would OpenBSD be a more secure solution for such a task than say, just simply using FreeBSD?

Just asking.

zosX

Re:Buffer checks

[PingPongBoy]

...but I'm pretty sure the reason SP2 isn't vulnerable to that GDI+ JPEG exploit is that they recompiled GDI+ with buffer checks.

Correct me if I'm wrong, but shouldn't this have been done right in the beginning itself?

What? And have my 300 MHz Celeron run slow?

Deep down, a 300 MHz Celeron isn't as slow as I thought but it's weirdly slow on the original XP as it is.

BUT - bug fixes shouldn't make software run that much slower, unless Microsoft did a lot of hardcore performance tweaks after compilation. Would that increase the potential for bugs? It would involve lower level coding, which is harder to debug. All the same, one must wonder what could possibly make XP so slow. Earlier versions of Windows was reasonably quick for me even on the 486. Windows XP on 300 MHz shouldn't feel like a mere shade faster than Win95 on a 486 especially when NT on 400 MHz is definitely faster than Win98 on a Pentium 200 MHz.

I always have this feeling that some damping code is used to slow Windows down. XP has more features and is more pleasant to use than NT, but that shouldn't make it that much slower. I just don't get it.

Re:Buffer checks

[Qrlx]

Have you ever coded C or C++ in your life?
Does Hello World count? :)

I should have put the word "intern" in huge bold letters. What I was getting at -- an intern is not a veteran coder, and maybe shouldn't even be worried about the security context of apps (instead he should be focused on just writing functional code.) And the guy doing the code review is probably not a security expert. Unless Microsoft has a shitload of people who REALLY understand security and are going to walk through millions of lines of code, this is just "security theater" (with apologies to Bruce Schneier).

Re:Buffer checks

I think you've got a good point in there, but all your talk of "reactionalism" and "PR Stunts" applies equally well to OpenBSD as it does to Microsoft. The security in BSD4.4 sucked. Theo reacted (strongly) and made a name for himself. The security in Windows2000 sucked, and now MS is doing the same thing. The only difference is the year.

What's really happening is that MS is copying OpenBSD's philosphy wholescale -- agressive progammatic checks, "secure by default" install (compare W2K with W2K3), breaking compatibility when they need to. This should validate the OBSD crowd, but insted they spew bile as usual.

Re:Buffer checks

[m_pll]

it does _software_ checks on every memory write.

No it doesn't. From http://www.microsoft.com/technet/prodtechnol/winxp pro/maintain/sp2mempr.mspx:

Software-enforced DEP performs additional checks on exception handling mechanisms in Windows. If the program's image files are built with Safe Structured Exception Handling (SafeSEH), software-enforced DEP ensures that before an exception is dispatched, the exception handler is registered in the function table located within the image file.

It does some checks but only before an exception is dispatched, and only for binaries built with /SAFESEH switch.

Re:Buffer checks

[jazman_777]

given my today's knowledge of Physics and Mathematics that I learn by my twelfth grade, I would have been the most intelligent man alive 400 years ago.

Learning what other people have figured out is not intelligence, it's education. You'd be more educated, but I hardly think more intelligent.

Re:Buffer checks

[PhYrE2k2]

Some True points, However, all system libraries in SP2 were built with this switch, and hence are slowed.

Re:Buffer checks

[TheNetAvenger]

was not trying to flame MS for their past actions - however Microsoft started out with a fairly clean codebase for both Win2k and WinXP. Given that, it seems bad that such vulnerabilities keep coming up.

Not sure where you get it was a 'clean' code base. Win2k and XP are based on 1992 NT technology. Although NT is a strong OS technology, it was not new in Win2k or XP, far from new.

In fact, this is one of the reason Microsoft waited so long to move their consumer level OSes to the NT base, they wanted more maturity in the NT core technologies.

As for the 'Buffer Checking' debate...
Everyone hear does not either program much or get the concepts of 'just buffer checking'. If Microsoft would have had reliable compiler technology back in 2001 that they have now with the creation of the new Visual Studio and 'managed code' compilers, XP would have been compiled with an extra layer of buffer checking.

Instead, this was left at the coding level, just as it has been in the *nix world for a LONG LONG time.

With the new compiler technologies Microsoft was able to add compiler level checking for many exploits and flaws, hence adding a new layer of protection around the existing XP and 2003 Server code base.

Re:Buffer checks

[irc.goatse.cx+troll]

Except that openbsd has far more exploits, local and remote. The only security you get with OpenBSD is the fact that NOONE wants access to a machine thats made to be hard to use, including hackers. Any OS made by someone with an ego as big as theos is fundamentaly insecure, because its been proven many times that theo would rather keep his ego than admit a fault, which is why the only way to patch most openbsd exploits is by asking the mailinglist about them, as if its not on bugtraq theo wont mention it in a changelog.

Re:Buffer checks

Your zealotry is noble, almost cute - but completely naive and misplaced. You're thinking like I was - seven years ago.

I'm going to feel sorry for you when you get fired from your first commercial software development job because you spend your time writing iron-clad code instead of code that solves the problem that you're being paid to solve.

FYI:

* Open source software has no time limit, no budget and (most importantly) no deliverables. Features may or may not work, nobody really cares.

* Commercial software must deliver features (that are selling points) on fixed costs within a fixed timescale - or the company will eventually go out of business.

Yes, OpenBSD is impressively secure. But it's also impressively unfriendly and not ready for the consumer. In some aspects (eg: new hardware support) it sucks enthusiastically. Because of this, OpenBSD is not even a close competitor to an OS such as Windows XP.

I would argue that it is more difficult to make software usable than it is to make it secure. Because security can always be abstracted to other layers - software security problems can always be patched with hardware solutions (restrict physical access, run a firewall, etc). XP is absolutely secure for a beginner... if you take precautions. But no matter what you do, OpenBSD is still going to be hard to use for a beginner.

And if the most secure piece of software in the world does nothing or is impossible to use, nobody will use it - a contradiction for commercial software since the goal is to sell as many copies as possible. Someone once said: "The 'good enough' is the enemy of the 'excellent'". They were right. And in Windows XP's case, 'good enough' security is all it takes to rule the world.

If that's above your head, think of it another way: Choose between the ultra-hot and beautiful girl (Windows XP) who is extremely outgoing (easy to use), but has an emotional breakdown in her past (insecure) -- or the unattractive girl (OpenBSD) who is slightly withdrawn (difficult to use) but perfectly sane (secure). It's not suprising XP's the most popular girl on the block - and that OpenBSD's boss at the international finance bank thinks she's worth her weight in gold.

Re:Buffer checks

[dirk]

They are not exclusive, but you can't have the top security and top usability at the same time. Take something as simple as email attachments. It is much better from a usability standpoint to be able to just double-click them from within the email and open them. It is harder to have to save them, then go to that directory and run them (and maybe have to mark them as exectuable as well). But providing this level of usability lessens security, as we have seen with the rash of worms going around. The most usable solution is also the least secure solution.

Re:Buffer checks

[glitch23]

"did you check parameters here? potential buffer overflow? what if this is NULL?" And it wasn't even important code he was working on.

Clippy can still be dangerous if he goes unchecked.

Re:Buffer checks

[shibashaba]

Sure, it can be with some stuff from grsecurity or something like Immunix.

Re:Buffer checks

[operagost]

Ever wonder why an XP machine with 512 ram with only say 250 used, still swaps stuff out to swap trying to make more free ram? stupid logic.

1. There is no swap file, just a page file.
2. This is done because it is NOT stupid logic to swap idle programs out of RAM. It WOULD be stupid to leave RAM tied up with programs that haven't done anything for half an hour.

Why does a swapped out mozilla take 30-50seconds to load back up? does it really take 50seconds to load 40-70meg of swap space into ram on a 20meg/sec HD?

That's a Mozilla programming flaw, not a Windows flaw. This has been on Bugzilla a long time.

Why dont they have multiple types of swap files for different memory types/objects to have faster 'seek/reload' times with out a billion tiny 4kb seeks/reads.

Well, I don't think that makes any sense at all. It WOULD make sense to have separate page and swap files, as OpenVMS does, since paging and swapping are very different functions.

Re:Buffer checks

Theo reacted (strongly) and made a name for himself. The security in Windows2000 sucked, and now MS is doing the same thing. The only difference is the year.

Well, as much as I appreciate Theo and his work, I think he was maverick to begin with.

However, MS using OpenBSD (and espousing an appreciation for it) does vindicate us. It's more a matter that it's not just a slogan to sell more copies. What matters is that MS is blurring the line between legitamte design philosophy and a cheap gimmick to save face.

When Theo forked NetBSD, the way in which he did it probably gave him more notoriety than anything. The OpenBSD community isn't concerned with popularity or user base at all. We want security, and if MS is going to talk the talk, they better walk the walk. Making up thier own slogan wouldn't hurt either.

We spew bile towards MS because a) they take freely from the OSS while discrediting it at the same time, b) they literally took our slogan, which seems more like an attempt to hijack reputation than an attempt to make a legitimate change, c) they consitently attempt to hinder futher OSS by trying to throw patents in our path.

We spew bile at MS because they really deserve it for all of the above plus more that I am to tired to list now.

... but insted they spew bile as usual.

And that comment just oozes with maple syrup now doesn't it.

Re:Buffer checks

[TheLink]

I dunno about you, but decent windows administrators can actually secure Windows 2000 and XP systems.

While the default NTFS permissions for W2K are crap (everyone full control!), you can tighten it and it actually still works with most stuff.

Sure there are many badly written apps (many of the new ones are getting better), but you can often provide the necessary permissions to the relevant directories and registry keys. Just use regmon and filemon from Sysinternals.

Furthermore the most exploited vulnerabilities so far appear to be user stupidity and ignorance. It is obvious that many windows users are willing to type the correct password to unzip a password protected zipfile and run the actual worm executable.

None of the popular nonwindows O/Ses protect against this vulnerability except by virtue of being too unfamiliar/difficult for those stupid/ignorant users to use. If these very users start switching enmasse you'd have the same problems.

With the other vulnerabilities there really isn't a big difference between windows and Unix.
Popular/common services running as root/SYSTEM being exploitable by buffer overruns? Check. Dumb users doing everyday stuff while logged in as root/Administrator? Check.

The OP said "Buffer Overruns are as old as C and UNIX has built mechanisism to cope with it that do not put the onus on the programmer,"

I was calling BS on that. What mechanisms does UNIX have that Windows doesn't? _both_ Windows XP SP2 and recent Linux kernels have mechanisms to take advantage of the AMD64 NX features.

Now if the OP said "OpenBSD has mechanisms to cope with that", then perhaps I'd agree. But the phrase "old as C and UNIX has..." was used. OpenBSD is an exception in the UNIX world.

As for your last point, I don't see how it backs up your argument. It sure doesn't highlight any differences of Unix and Windows.

Re:Buffer checks

[tedgyz]

That's why languages like Java and C# are so valuable. When is the last time you heard of a Java buffer overrun? Never?

People bitch about how slow these languages are, but would you rather have a language with built-in safety, or hope that some flock of programmers at MS writes all the buffer checks by hand and hope they get them all. In the end, you end up with slower code that still has the chance of being vulnerable.

C++ should be shot in the head.

Re:Buffer checks

[Progman3K]

>Buffer Overruns are as old as C

Oh no; MUCH older.

As old as assembler, as old as microcode.

Let's not pin this on any one language.

It's all about how you manage resources when you code.

Hell, I could write an app that would bust Windows in .NET, VB, or any other language you care to name, almost any developer could.

Re:Buffer checks

[timts]

it's a debate with long history.

I like one of the following explanations:
1. windows has core tied up with GUI, so if there's any problem with GUI, the core will crash as well.
2. linux doesnot have core tied with GUI, so its GUI sucks.
it makes sense to me.
even you dont always need GUI for server management, but IMHO, GUI speeds things up for user and make things easier to use.

It was to be expected...

[lesterchakyn]

You can't install a really big bunch of fixes and expect Windows to run faster!

It has been always this way

Re:It was to be expected...

[teamhasnoi]

Funny, every update I've installed has made my computer faster, and more reliable.

Then again, I'm running OS X.

Why doesn't MS copy that?

Re:It was to be expected...

[Naffer]

As I recall, they made you PAY for your upgrade!

Re:It was to be expected...

[teamhasnoi]

not since 10.3 ($29) - I'm on 10.3.5. Faster every time.

Of course MS is making users pay each upgrade - with their exploit ridden code, poor programming decisions, and heavy handed activation tactics, inconsistent UI, predatory business practices, FUD-filled marketing and the push to DRM lock in - every user of Windows pays. Through the nose.

I will happily move up to 10.4 when it comes out, and pay for it too. I like supporting a company that fixes exploits before they've been in the wild for months, that introduces features that MS can't touch for years, and provides an OS that doesn't work against me.

Re:It was to be expected...

[Angostura]

Mac fan-boy though I am, I see no reliable evidence of performance improvements between 10.3 and 10.3.5 - though if you have benchmarks, I would be interested.

The subjective belief that a point upgrade improves performance has become so prevalent in the Mac community that 'I've installed it - much snappier!' has become a running joke in many places.

Most likely, any speed-ups are caused by the zapping of old caches, re-prebinding of libraries etc. associated with the installation.

Re:It was to be expected...

(A) As an Apple user, you might want to skip the DRM flames.

(B) It's easy to speed up a dreadfully unoptimized OS. In terms of development cycle, OSX 10.3 is basically NT 3.51. (free, not $29)

Re:It was to be expected...

[Tim+C]

Oh, bull.

with their exploit ridden code

I've been running various versions of Windows for 7 years now, and have not been exploited once. Sure, there are exploits in there, but they only catch the incautious and foolish. Avoiding them is *easy*, with a little computer literacy.

poor programming decisions

I can't comment on that, and nor can you, unless you've been privvy to some of those decisions. I'll agree that some of the *design* decisions are curious to say the least, but that may well have been marketing-driven.

and heavy handed activation tactics

Install XP Pro. Activate - two, maybe three clicks. A year later, after futzing around with my hardware, I need to reactivate. Two, maybe three clicks later, it's reactivated. Total impact to me: 30 seconds? "Heavy handed"? Only if you're constantly swapping hardware around, or trying to use a pirated copy.

inconsistent UI

The *Windows* UI is consistent. *Office*, on the other hand...

predatory business practices

I'll give you that one, but temper it by pointing out that most (large) companies are as predatory as they think they can get away with being. At least MS isn't purposely draining pension funds, or flouting environmental laws, etc.

FUD-filled marketing

I'll give you that one too, but again, there's an awful lot of anti-MS FUD being pushed by sites such as this one. Two wrongs do not make a right.

the push to DRM lock in

I see that as accepting the inevitable. The *IAs are pushing hard for legally-mandated technological restrictions, and rather than wasting time and money on a fight MS might well lose, they're just doing what so many /.ers wish teh *IAs would do - working to embrace a technology-driven change. I dare say that lots of large meetings full of MS big-wigs have taken place, in which they've decided that it's best *for MS* to create the technology, rather than try to fight it. Sure, it'd be nice if they'd fight for our rights, but that's not what corporations are for, unfortunately.

every user of Windows pays. Through the nose.

Well, that's your opinion, but I can't say I see things the same way. All I see is a stable, largely hassle-free OS that gets out of my way and lets me get on with using my PC. Even after 5 years of using Linux, including 2 of using it as my primary OS at work, I couldn't say the same about that. OS X may well be the Second Coming of the perfect OS, but it doesn't run on my hardware.

Re:It was to be expected...

I just want to know how to (after installing SP2) right-click and explore My Network Places without the PC freezing up and having explorer.exe and Doctor Watson both crap their pants.

That would be nice.

Until then, I won't have SP2 installed (again).

This has to do with...

This has to do with a buggy CPU "driver" in SP2, rolling back that driver to the pre-SP1 version should correct the slowdown.

Re:This has to do with...

This is an issue only on CPUs that can slow down their clock speed, as in laptops, desktop Athlon 64s, etc. The cpufreq driver (or whatever it's called on Windows) is broken and apparently does not correctly jack up the clock speed to the maximum when it's needed. So a 2.4 GHz machine may be running at 500 MHz even when demanding tasks need it most.

Re:This has to do with...

Not in all cases. I have a Dell laptop with a Mobile Pentium M processor. I upgraded to the last RC of SP2. If I unplugged the laptop from the AC outlet while it was running it would crash a "gv3.sys" driver. I was looking around the Dell Forums and someone said to just upgrade the CPU driver. I upgraded from the packaged driver dated in 2003 to an April 2004 driver. I unplugged the laptop fine and I can use Speedswitch XP to change my processor speed without any trouble. I hear that the SP2 drivers were written to improve batter performance too. I don't have any experiences to confirm or deny though.

Of course.

[Yolegoman]

Right after installing SP2 for the first time, my internet lagged so bad I had to reinstall Windows Xp. Worked better after that.

I had one p2p program installed, and I had done a thorough scan for spyware before installing SP2. No go.

- Yolego

Re:Of course.

[savagedome]

my internet lagged so bad I had to reinstall Windows Xp. Worked better after that.

Bollocks. Reinstall XP? Did you atleast try removing SP2 to begin with? You could atleast set a system restore point before you do any major upgrade that contains patches and/or including third party drivers.

I am no Windows fan but just trying to make it sensational that you had to reinstall XP from scratch doesn't really do anything. I have installed SP2 pretty much after it was released and have had no problems. (Well, of course some people are going to see glitches considering the size of that damn thing).

And maybe, just maybe, did you think of the possibility that your *P2P* app might be the bugger. Just a thought.

Re:Of course.

[0racle]

Format and reinstall is the only 'fix' most people will listen to, including may 'pros.' Its not that strange, and I've seen people reformat over less. Of course it doesn't help that there are a number of people in the 'know' who will tell you that in order for windows to work you have to format and reinstall at least every 6 months.

Re:Of course.

[Echnin]

Reinstalling Windows every 6 months? I'm usually on a 2 month cycle.

Re:Of course.

[0racle]

Can't figure out how to fix anything?

Re:Of course.

[LnxAddct]

Your making it seem like reinstalling an OS is a big deal... now I haven't used Widows for a bit, but as far as linux goes, if properly set up, all the user's home directory stuff should be on one partition, and anyother system specific stuff should be on another, you can get much more detailed and complex with your partition set up then that, but lets stick with this basic set up for now. Having two or more paritions, you can reinstall an OS almost seamlessly. Does Windows put everything on one partition by default? Or does it at least ask if you want more the one partition? I'm a little confused as why your mad at this guy for saying he reinstalled an OS. And just as I wouldn't trust any infected system after an anti-virus product claims to have cleaned it, I probably wouldn't trust the System Restore feature that you mentioned. Now I don't know how extensive the System Restore is, maybe you can be certain that it really takes care of everything, but I'd feel safer just reinstalling the OS, after all anything that I'd use or need is on a separate partition(of course this is assuming you follow the other assumed procedures involved with binaries, checking md5's if you have them, etc..., if any are for some reason in your home directory).
Regards,
Steve

Re:Of course.

[Echnin]

Why should I? Reformatting is faster and solves more problems.

Re:Of course.

Plus you can remain as ignorant as possible.

Re:Of course.

[Moridineas]

FWIW, the reformat and reinstall is a thing of the past.

Do XP's restore install--it reinstalls the base operating systems (ie, c:\windows) entirely from scratch, but keeps all your apps and doesnt touch c:\documents and settings. This mean you get your desktop and HKEY_CURRENT_USER reg keys...basically everything you want (c:\documents and settings\USER is the same as ~USER on lunix)

Re:Of course.

There's no technical prowess to using Windows.

Get a clue, loser.

Re:Of course.

[Inuchance]

SP2 sets a restore point automatically. I was having some troubles with it (probably with the horribly hacked nature of it, I'm using some "OS X tranformation pack" that pretty much changes around the OS to act like OS X), and so I was getting frequent crashses and the like, and I was able to get rid of SP2 just by going into add/remove programs and removing it from there without any trouble.

Re:Of course.

[NereusRen]

Perhaps you should have looked around a bit for the solution to your problem? Namely, http://www.lvllord.de/. The program at that site will patch your tcpip.sys to change the rate limit, so using bittorrent (or any similar program) won't instantly block out all other tcp/ip conections.

Re:Of course.

Yet you are still confounded by it.

Re:Of course.

[unapersson]

"This mean you get your desktop and HKEY_CURRENT_USER reg keys...basically everything you want (c:\documents and settings\USER is the same as ~USER on lunix)"

I'm afraid Lunix isn't multi-user, why would you need multi-user facilities on a Commodore 64:

http://lng.sourceforge.net/

Re:Of course.

[Methuseus]

I usually reinstall every 3 to 6 months. I have to to get rid of the registry bloat and other miscellaneous unneeded files that I can never find.

Also I usually install trials of programs or games every so often. Invariably the uninstall doesn't remove everything, and once in a while something will cause a persistent error message every time I restart.

Re:Of course.

[Moridineas]

I like spelling it lunix, ala somethingawful. Like the Jeffk Lunix cartoon with a cameo by cliffy b ;) (ill dig up link if you want--its funny;)

Re:Of course.

[Tim+C]

Christ, *why*? I'm just reaching the start of year 2 for this install, and everything is fine...

What do you do to your poor system that hoses it so frequently?

Re:Of course.

[Conor+Turton]

Right after installing SP2 for the first time, my internet lagged so bad I had to reinstall Windows Xp. Worked better after that.

Thankyou for displaying your unbelievable lack of technical competency. The rest of us would've uninstalled SP2.

Re:Of course.

Hmmm, I installed SP2 on an OEM copy of XP Home for my boss and it froze on reboot. The OEM provides a restore disc which copies a compressed image complete with preloaded drivers. I warned about this sort of bullshit before he bought his shiny OEM piece of crud home PeeCee. Motto: fuck pre-imaged OEM software, demand genuine retail install media.

Re:Of course.

[darkmeridian]

Right after installing SP2 for the first time, my internet lagged so bad I had to reinstall Windows Xp. Worked better after that.

Thankyou for displaying your unbelievable lack of technical competency. The rest of us would've uninstalled SP2.

I would have installed Linux.

Did they install, then patch?

I always find that if I slipstream the service packs into the install, I get a faster system than a plain install with them added later.

Re:Did they install, then patch?

Disk fragmentation?

Intentional bloat?

the more 'deflation' in performance for computer hardare, the more people think their computer is 'too slow', and that they need a 'new fast one' (which happens to be sold with a Windows licence).

MS has done is unintentionally or otherwise since Win95 - each new revision is dramatically more bloated, encouraging new computer purchases. If WinXP was as light weight as Win98, there're be far fewer new computer sales. Since WinXP is having a long shelf-life, it'd make sense that a service pack would continue this trend.

Re:Intentional bloat?

[alienw]

If you like Win95 so much, why don't you keep using it? It will still run on most modern hardware with no problems. Oh, wait, you want to take advantage of all the new XP features and have it be as efficient as Win95. Yeah, that will work well.

Re:Intentional bloat?

That might be an argument, except for the fact that Microsoft software has always been smaller and faster than its competitors.

Bill Gates is your classic "micro" programmer, and the company was permeted with his style -- the hack that's faster wins out over the better & safe design every time. (That's how Windows beat OS/2, BTW.)

I think they honestly realized that it really doesn't matter if Word runs 10% slower if it makes the OS more secure. With stock 3Ghz Dells, it doesn't make a bit of difference in terms of sales.

Even so, XP+IE+Office still comes in way under MacOS X/Safari/Office and Linux/OOo/Mozilla in terms of bloat.

Re:Intentional bloat?

I have to disagree with you on that one. I had Win98SE on my machine at home until last week. I have just re-formatted and installed WinXP. After re-installing all of my most commonly-used apps (including the mammoth VisualStudio .NET -- which replaces VisualStudio 6 that I had under 98), I have noticed no perceptible slow-down. I haven't noticed a speed-up either overall, except that the boot-up time is considerably reduced. Overall, the only difference I have noticed is that it crashes less. These are purely subjective observations, of course, but hey, I'm the one using my machine after all.

Re:Intentional bloat?

[cheekyboy]

I reboot back to my backup win2k partition and was blown away how damn FAST it was, and also how little ram on boot it used.

I recommend every one to 'upgrade' to win2k :)

typical microsoft...

[54v4g3]

Typical Microsoft:

1:releases patch/fix
2:people download it
3:it breaks things/slows things down
4:microsoft patches the patch
5:go back to 1


yeah, you get the idea ;)

Re:typical microsoft...

[Sirch]

You really don't get the Profit!!! joke, do you...

That Explains A Lot

[kannibal_klown]

I just installed SP2 on my personal laptop that I use for work. I reformatted it yesterday, and I had a CD with SP2 on it. I figured I would rather just install it off the CD that worry about downloading all of those frigging security updates and what-not.

Anyway, I could have sworn the laptop ran faster before I put SP2 on there. I never bothered to benchmark it, but it seems slugish now. And it's not a weak machine (as far as laptops go). 2.4GHz with 1GB Ram.

I'm not about to undo everything I've done. I've installed way too much, and don't want to worry about breaking those apps by removing the patch.

Oh well. I'll just live with it. It's not my main machine anyway, just something to do some DB work with.

Re:That Explains A Lot

[LnxAddct]

Laptops and SP2 don't mix. The CPU frequency throttling driver is for some reason pushed back to a version prior to SP1 and works horribly. Your computer may be running at 600-700mhz despite what its telling you. It may not feel 4 times slower though because I doubt you often ever need to go above 800mhz in usage despite what the marketing departments will tell you (this may be different in your case if you develop or run a DB engine on it, but I'm referencing the typical home user). But in short, yes it just doesn't feel slow, it is slow. (in case anyone is wondering why an OS would change the CPU speed, its to help extend battery life, i.e. if the laptop is on battery, the processor is typically running at half speed as opposed to full speed when plugged in)
Regards,
Steve

Re:That Explains A Lot

It seems that Slashdot is desperate to publish any story that is negative about SP2. I mean, it really seems to me that MS got it right this time. Security over features and security over performance... isn't this exactly what we have been asking for? I mean, do you really care that the guy down the hall is running Powerpoint 9% slower? Cause all I care about is that he is not hammering my webserver with the latest virus.

Re:That Explains A Lot

[BillTheKatt]

I've got to disagree. I just applied SP2 to my Dell Latitude 640 and was pleasantly surprised. It seems to respond faster than before. Seems to be a lot less disk thrashing. I've got 512 MB but with all the junk I've got on the system it's pretty heavily loaded. Not sure if I put the Intel Speedstep software on there though, I don't use the standard Dell install.

Re:That Explains A Lot

[jo42]

Download and run CPU-Z. It will show you the CPU frequency. Notice that it is running at low speeds when your machine isn't doing anything but pops right back when something is happening. Looks like SP2 really micro-manages the CPU speeds on laptops...

YMMV, FWIW, etc.

Another benchmark test

[Adam9]

Here is another article where they ran different benchmarks on SP2 and SP1. The office productivity test was the one with the biggest difference. The article puts the blame on the new firewall.

They should compare a PC with SP2 and one with SP1 with a third party firewall.

Re:Another benchmark test

[woodhouse]

Or even test it with no software firewall at all - a lot of people have routers these days.

Re:Another benchmark test

[Adam9]

You wouldn't believe the number of people who run two anti-virus programs. I wouldn't put it past them to run two firewalls as well.

Re:Another benchmark test

[null-sRc]

they blame the firewall?

does office so often attempt to connect to the internet that it could cause that big a performance hit on time-outs? :|

that's frightening... what's it trying to do?

Why-

[thewldisntenuff]

was this even posted at all?

This wasn't even a readable story - just a small synopsis of a story that will be featured in Mobile PC mag next month. There could have been plenty more info, but instead we got two paragraphs.....

OTOH, is an average 9% drop in performance even an issue? I mean, 9% in office apps is nothing....Who needs high performance when typing, making spreadsheets, or even a PowerPoint presentation?

This (once again) illustrates the MS push towards security over performance/compatibility

-thewldisntenuff

Re:Why-

[eqkivaro]

I agree. Who gives a shit? When was the last time someone actually upgraded their computer because Word was too slow? Please!

Unless you're playing new games there's no reason to be running anything newer than a Pentium II.

Re:Why-

[metlin]

Although I agree with most of you said, I have a bone to pick with this statement -

OTOH, is an average 9% drop in performance even an issue? I mean, 9% in office apps is nothing....Who needs high performance when typing, making spreadsheets, or even a PowerPoint presentation?

Hmmm, I guess you've never been in a corporate business office, where excel sheets running into hundreds of pages are opened. Or business plans and product specs that run into hundreds of pages are opened.

Why go that far, you've apparently not tried writing a paper in MS Word - I've been trying to get a couple of papers done for a conference deadline coming up on Monday - and my system is so terribly slow that it's unbelievable.

Sure, you can compromise on speed - but why? Why should I, when I don't need to? Had MS done this right from the beginning, the performance hit could have atleast reduced (to say 5%). That is still a significant gain when compared to 10%, which in my opinion is QUITE slow. If you had a latency of 10% in all your networks, you would know what am talking about.

Re:Why-

[TheLink]

"and my system is so terribly slow that it's unbelievable."

What are your system specs?
How much RAM have you got in your system?

Re:Why-

[amorsen]

If you had a latency of 10% in all your networks, you would know what am talking about.

A latency compared to what? Like "oh no, my ethernet latency is now 330us rather than 300us. Better call the network guys so they can fix it"?

Re:Why-

[metlin]

Enough and more (512 MB) - but what I meant was to point out that my system *has* been visibly slower after SP2. For example, when you've multiple instances of Word open, it becomes exponentially slower.

I just meant that slowing down of office applications by 9% is not something insignificant, and it sure as hell hurts some of us.

Re:Why-

[BenjyD]

you've apparently not tried writing a paper in MS Word...

I think I've found the source of your problem: you're using *Word* to write an academic paper. Why would anyone in their right mind do that? Does no one use LaTeX anymore? Even the most Microsofty conferences I've been to accept PDF submissions.

Re:Why-

[mrowlands]

because "insert your favourite game here" runs 9% slower now

Re:Why-

[lawpoop]

Video editing?

Re:Why-

[Snover]

Had MS done this right from the beginning, the performance hit could have atleast reduced (to say 5%).

Uh, no, it would've just been 10% slower from the beginning. The reason it's slower is because they added buffer checks to tons of the libraries. That would be doing it "the right way".

Correct Fixes usually means faster

[Dark+Coder]

Just as we, the lowly programmers, should know this... when building functional blocks on top of lower functional blocks (think pyramid, not spaghetti), we take out the range checking from lower functional blocks as we progress in our development cycle (at least the good programmers do).

Just as my subject line is treated as a rock-steady axiom of Computer Science, particularly of Software Quality and Software Engineering electives, fixes that results in slower codes usually a BIG sign that range checking have been incorporated in repetitive functional loop (no matter how deep inside the loop gets.

Such a pity. A well designed code (i.e., FireFox browser) obviate the need for same range checking in multiple layer of the code.

I'm sorry, it is NOT always this way; maybe for a slipshod programmer, yes. But not in my book.

Re:Correct Fixes usually means faster

[echeslack]

Its not always about performance. If you are removing range checks from all your code you are making it worse (imho). By your logic we shouldn't bother with std::vector or ArrayList or whatever and should just stick with plain old arrays because they are faster. There is a reason that range checking is in there - so that you catch the unexpected case.

Re:Correct Fixes usually means faster

> well designed code (i.e., FireFox browser)

Firefox gets a security-critical upgrade about once a month, so you might want to pick a better example...

Re:XP SP2

[blackholepcs]

I actually am using SP2 and have not found any problems as of yet. Had to shut off the firewall to use a p2p app, but otherwise I can't complain. Yet.

Coral Cache Link

Cached link in case it gets Slashdotted.

I don't mean to feed the trolls...

[RabidChicken]

While I am not apoligizing for the apparent poor programing on Microsoft's part, maybe we should also consider what they would perform like if IE did not block automatic installers or have a passable firewall.

Also, before people post links disproving how secure it is, I already understand but I also understand change comes in babysteps.

Positives and negatives

[Bill_Royle]

I've seen some drag on my system since putting SP2 on, but it's really a double-edged sword.

However, in my experience it's harder now for sites to push ActiveX controls and executables to your PC now, unless you do a bit of tweaking or visit a deliberately malicious site.

Considering the system drag that occurs when the average user installs spyware inadvertently, I'd say the SP2 drag ought to be cancelled out for the time being, as it's a bit harder for spyware to propogate under it.

Re:Positives and negatives

[forgotten_my_nick]

If you could of just installed firefox and not have to worry about them. I installed SP2 and my machines speed was the same but it literally took 15 minutes to get to my desktop at every boot up.

Putty and SP2 (It's a business app, really! ;) )

[realdpk]

Has anyone noticed an increase in how long it takes Putty to start up post-SP2? I thought it was the firewall at first, but I disabled that. It still takes about 5 seconds to launch, where before it was instant.

You might be hitting the socket limit..

[bmajik]

One of the changes in SP2 was a rate limiting / queing behavior for the number of current sockets in the SYN/opening state.

In other words, suppose you have an app which tries to open 30 tcp sockets simultaneously. Some of them will get delayed by the OS.

This is to try and thwart the speed of worms or DDoS programs - which very often try and create a zillion tcp connections that never end up connecting.

Unfortuneately, it has the side effect of hurting some p2p apps (like bittorrent) and some web browsing configurations...especially if you've changed the registry value that sets the # of simultaneous socket connections IE will make to the same site. The default is like 3 or 4, but if you upped it to say, 20, and then hit a site that had 30 images all on the same server... it is likely that some of your http requests will get queued until other connect() attempts complete the handshake.

Does it suck that this is affecting some browser and other scenarios ? Yes. The topic is under discussion internally at microsoft.

The _intent_ was to try and slow down the spread of worms/ddos attacks in the event a machine got compromised....a good goal to have i think anyone would agree..

The implementation, however, does have disadvantages

If you decide to try SP2 again, anytime the connecting socket limit is reached, an very specific/obvious event will be logged in the eventlog. If you are experiencing slower network interactive speeds, try looking in the logs to see if you're hitting it.

One mitigation, by the way, is to have a proxy (i.e. squid) on another machine.. that way your handshakes from IE resolve _Very_ fast and your sockets rapidly go from handshake to connected...thus reducing the likelihood of you hitting the queing behavior.

Re:You might be hitting the socket limit..

[pavera]

I would say the proper way to slow the spread of worms and ddos attacks is to have a secure os, not limit the system's ability to connect... But that is MS way with security... "Oh, executable attachments and word/excel spreadsheets might carry viruses... hmm easy fix, don't let our mail clients receive those attachments anymore, no one sends word docs as attachments anyway"... "Oh, worms and viruses are using our system for ddos attacks.. hmmm ok don't let the computer make more than 5 simultaneous connections, no one needs more than that anyway" The boys in Redmond really have crappy assumptions about what people use computers for most of the time it seems.

Re:You might be hitting the socket limit..

[Talez]

The default is like 3 or 4, but if you upped it to say, 20, and then hit a site that had 30 images all on the same server... it is likely that some of your http requests will get queued until other connect() attempts complete the handshake.

Hey. 1998 called. They want HTTP 1.0 back.

Re:You might be hitting the socket limit..

[Tim+C]

ok don't let the computer make more than 5 simultaneous connections

That's not what it's doing at all, you can still have as many simultaneous connections as you want. What you can't have is more than 20 connections waiting to completely open; any more than 20 get queued until some of those 20 have completed (or failed).

Sure, sucks if you run apps that regularly open up a whole bunch of connections to hosts that may or may not be answering right now, but having checked my logs it's only happened to me a handful of times since I installed SP 2, despite running p2p apps while web browsing or playing online games, so it's really not that big a deal for "normal" users.

Re:Putty and SP2 (It's a business app, really! ;)

[Bill_Royle]

Try right-clicking Putty, then set the compatibility to Win2k. I found some hang with that too, but it responded like normal after the compatibility mode switch was put on.

Re:Which is best?

Oooh, subtle... lol

Not a code change.. a compiler flag change..

[bmajik]

specifically, the /GS flag to the VC++ compiler.

The compiler was modified to support automatic stack overflow checking (i.e. canaries). Server 2003 was compiled with this (and as a result, MANY things that are shared-code problems resulting in exploits on other NT based OSes are either ineffective or DoS attacks on Server 2003).

The idea is that /GS compiled binaries will cause the OS to terminate the app rather then letting code execute. The source code generally doesn't need changes.

So, its a defense in depth tactic. Ideally, there'd be no BO's in code. But there are. Terminating the program with an explanation as to why is better than letting people run code on your box. :)

Re:Not a code change.. a compiler flag change..

[metlin]

Ah! I wasn't aware of that.

So would they be recompiling all their stuff that shows up an exploit with the new compiler, to ensure that BOs don't happen? :)

Given the frequency of exploits that turn up, if MS kept releasing such patches ever so often, that would quite terribly slow down the whole system. On the other hand, like you rightly pointed out, better a slower running program that terminates by popping an explanation than an exploit.

Oh well, the price of slavery ;)

Re:Not a code change.. a compiler flag change..

[darkain]

its not just a command line arge that they added to help with everything tho. for those of you who have Visual Studio 8 Beta, im sure you have ran into this one ALOT, and for those that havnt, take a look at this lil warning message:

warning C4996: 'sprintf' was declared deprecated
C:\Program Files\Microsoft Visual Studio 8\VC\include\stdio.h(285) : see declaration of 'sprintf'

and for anyone that has coded C/C++ for any given amount of time, you have probably come to rely upon such CRT functions as sprintf ALOT. microsoft now makes it a compiler warning to even use said functions, and recomends instead that your applications use safe alternative versions. this, i beleive, is the #1 cause of slowdown within SP2, but at the same time, explains exactly why the JPG exploit didnt effect SP2, wich was completely recompiled on the new CRT.

Re:Not a code change.. a compiler flag change..

[eyeye]

A lot is two words you retard, it is also NOT WRITTEN IN CAPITALS.

Re:Not a code change.. a compiler flag change..

[cortana]

Given the state of software on the platform, it comes as no surprise that Windows programmers make use of functions like sprintf. *ducks, runs*

But seriously, people, use snprintf. The same for all the other unsafe string handling functions in the C library--use the 'n' variant of the function that accepts a maximum buffer length.

You wouldn't use gets to input a string, would you? I hope...

Re:Not a code change.. a compiler flag change..

mental illness alert! harsh behavior

Re:Not a code change.. a compiler flag change..

What's your problem, dude? You need to lay off the caffeine, coke or whatever it is you're doing.

Re:Not a code change.. a compiler flag change..

[lachlan76]

You wouldn't use gets to input a string, would you? I hope...

NEVER underestimate the power of stupidity. You *shouldn't* do it. Someone, somewhere will. Make a function, and someone will use it.

Re:Not a code change.. a compiler flag change..

[StillAnonymous]

"You wouldn't use gets to input a string, would you? I hope..."

This is what I don't understand: Everyone knows that gets() is a disaster waiting to happen, but nobody fixes it! Why even leave it in the state it's in? Change the compiler so that if the function gets() is called, it passes the arguments to the appropriate alternative and includes some sane defaults for the missing extra arguments you'll need. If some ancient code breaks, so be it and it's fairly trivial to fix.

It's not just the programmer's fault for using the problem function, the person/group who wrote the compiler has some responsibility as well.

Re:Not a code change.. a compiler flag change..

[Barlo_Mung_42]

"o would they be recompiling all their stuff that shows up an exploit with the new compiler, to ensure that BOs don't happen?"

They recompiled a large number if files with this for SP2. That is why it is almost 300MB.

Re:Not a code change.. a compiler flag change..

[darkain]

actually, snprintf was marked as unsecure as well in the new CRT. sprintf_s is the replacement for both sprintf and snprintf.

Re:Not a code change.. a compiler flag change..

[darkain]

from the beta MSDN for the new CRT:

The rand_s function writes a pseudorandom integer in the range 0 to UINT_MAX to the input pointer. The rand_s function uses the operating system to generate cryptographically secure random numbers. It does not use the seed generated by the srand function nor does it affect the random number sequence used by rand.

so, as you can see, its not JUST string functions that where updated. i would link to the MSDN online, but i cant seem to find any of the new CRT stuff in the online copy, just in the local copy.

Welcome to Windows upgrades

[coupland]

If you thought SP2 would be a speed upgrade then you also buy the previous lines that Win98, ME, NT4, W2K, XP would make Windows faster than previous versions. Of course these fallacies are based on the assumption that you would install the upgrade on a *newer* PC than their sample set. No Windows update has ever been faster than its predecessors.

Period.

Re:Welcome to Windows upgrades

[Gnavpot]

I have an old P200MMX with 96MB RAM. It has had W95, W98 and now XP installed. Both times I upgraded, I got better performance.

In my experience, newer Windows versions are not that demanding if only they have enough RAM and a fast hard drive (I am actually surprised that XP is faster than W98 with only 96 MB of RAM).

Re:Welcome to Windows upgrades

Do any Linux upgrades run faster than their predocessors, by that logic?

Just asking. "Period."

Re:Welcome to Windows upgrades

[Joe+U]

The Windows NT (aka 2k/xp) line always ran smoother compared to the 95/98 line.

NT also required more memory.

This is the 32 bit NT code vs 16/32 bit mix of 9x. You could get 9x to run in less memory and it would be fast in some areas and slower in others. On the other hand, if you had enough RAM NT would run more concurrent tasks without nearly as much of a slowdown compared to 9x on the same system.

Re:Welcome to Windows upgrades

[Tim+C]

*Distribution* updates, no, I don't believe so. KDE got some updates that made it run faster, but of course that did nothing for the speed of the rest of the system, and it could be argued that they were fixing problems, rather than eking out an extra bit of speed.

New versions of operating systems almost by definition add new features; new features require more code, and more code requires more resourcs to run. The only way more code can run quicker than less, all other things being equal*, is to run it on bigger, faster hardware.

* by that I mean assuming that the old code wasn't horribly inefficient, which can certainly be the case

Re:Welcome to Windows upgrades

[sql*kitten]

If you thought SP2 would be a speed upgrade then you also buy the previous lines that Win98, ME, NT4, W2K, XP would make Windows faster than previous versions.

Actually, on identical hardware (my 1Ghz PIII Dell laptop) XP starts significantly more quickly than Win2K, and resumes from standby more quickly too. Otherwise performance is about the same.

Re:Welcome to Windows upgrades

[40000]

Windows XP is using about 70 MB of RAM (according to task manager) after booting up.
I've seen Windows 98 using around 100 MB once all the network services are installed.
I've also got a box running NT4 service pack 6 (there's no network installed) and it's reporting 16 MB used. NT4 at work is using > 100 MB (and a lot of machines still have 64 MB RAM!
98 is OK until you start using any network or USB stuff.

Re:Welcome to Windows upgrades

[Denyer]

I'd disagree. On mid-era hardware (~500Mhz) I've found 2000 more responsive than 98, assuming a reasonable amount of RAM is initially the case. Architecture does count for a bit.

Re:Welcome to Windows upgrades

[ExoticMandibles]

Wrong.

NT 4.0 was faster than 3.5/3.51, on the same hardware.

Windows 2000 was faster than NT 4.0, on the same hardware.

I was there, I used them, I remember.

These speedups were sometimes achieved by moving away from NT's originally-vaguely-microkernel approach to a more monolithic kernel. For instance, I'm told that for NT 4.0 they moved the display driver into ring 0. This meant fewer ring transitions to blit to the screen, hence, it ran faster, at the cost of robustness (buggy display drivers could now BSOD your machine).

Of course, I expect that most speedups were gained through algorithmic optimization, or fresh approaches to problems. For instance, Linux 2.6 is faster and more responsive than 2.4, even though it does more. Unless you assert that the NT 3.1 code was perfect and could not be optimized (an assertion I suspect you wouldn't make), surely you must allow that their team of bright programmers working year-round on the OS could figure out ways to speed it up.

Please don't make up blind assertions and claim they are fact, "period".

Re:Welcome to Windows upgrades

[vaporland]

for what it is worth, when I upgraded my Apple Powerbook from Jaguar to Panther (400mHz G4) it was like getting a new machine - OS X finally started running very well - and I saw this occur across the board on many systems I upgraded. Also saw one application increase performance 100% after the upgrade - so either 10.2 and earlier were real dogs, or Panther was some kind of genius code . . .

i put XPSP2 on my sister's brand new DELL Dimension 8XXX and it is dying . . .

Re:Welcome to Windows upgrades

[bedessen]

Yes. Microsoft did do a number of significant kernel-level improvements in XP. It's not "just a bunch of eye candy" on top of 2k as the party line would go. Here is a link to the paper Windows XP: Kernel Improvements Create a More Robust, Powerful, and Scalable OS by Russinovich and Solomon. Some of the improvements include: Larger Mapped Files, More Efficient Trimming of the Working Set, Reduced Lock Contention, Push Locks, Fast System Calls, Faster Hibernate and Resume, and Prefetching. Next time someone tells you that "2k is the best, XP is just a bunch of eye candy added on top" tell them to read that article and stop the spread of misinformation.

I wonder

[Treeluvinhippy]

I wonder what this guy has to say about this.

Poll question!

[corsair2112]

If I post an "article" on my 5 megs of webspace provided to me by my ISP denouncing Windows XP saying that installing SP2 will steal my first born and rape my cats, then "create" some benchmarks to prove my point, then submit the article to slashdot, will it make it on the frontpage?

I'll even conclude in the article that running linux will solve world hunger and even do my laundry.

Re:Poll question!

[Stevyn]

Yes it will. And the third post will point out it's a dupe.

Nothing to see here; move along.

Re:Poll question!

[SnprBoB86]

I don't know about world hunger, but apparently Linux can do your laundry:

http://msnbc.msn.com/id/4638886/

Note that Linux can actually only inform you when your laundy is done or when there is availability for you yo do your own laundry. Also note that I have no evidence that CMUs system is Linux based.

So yea....

Re:Poll question!

How does one benchmark cat rape?

Re:Poll question!

[vrt3]

Only if you are Roland Piquepaille or whatever his name is.

Reality check

[Card]

Correct me if I'm wrong, but given today's hardware, is 10-20% slowdown even noticeable to the average user running, say, Word? IIRC, the threshold for user to notice anything meaningful is around 30% in day-to-day operations.

Games are a different beast, but does the user even care if loading a spreadsheet takes an extra second or two?

Re:Reality check

[The+Real+Nem]

Yes it is, the first thing I noticed when I installed SP2 was the speed hit, and that is after I disabled the firewall and that silly alert centre. The second thing I noticed is my machine, which hasn't crashed four about seven months, has crashed four times in the past seven days. I might not have minded the speed hit if I knew that the changes actually went to making my system more stable, not the other way around,./p>

The crashing appears completely random. I assume its some bad drivers (probably linksys, they make some half-fast drivers) but it is hard to tell because the blue screen last all of 1.5 seconds before my machine reboots, hardly enough time to read it. I'm to paranoid to uninstall the service pack because I've had nothing but bad experiences with system restore points.

And before you ask, I didn't really notice a performance decrease in games, just standard office applications.

Re:Reality check

Since you asked for correction, yes, you're wrong. :)

All those bloody little lags in Word and spreadsheets and all else are interruptions in the train of thought. A 10% further slowdown is irritating as hell.

That's *if* you give a damn about what you're doing of course, and your work is hard enough that you have to concentrate. Nail-polishers won't notice.

I'll be surprised if this is just office apps anyway. I'd like to see more benchmarks.

Re:Reality check

[little_fluffy_clouds]

probably linksys, they make some half-fast drivers

half-assed you mean?

Re:Reality check

[a_n_d_e_r_s]

Yes, people actually do.

With 300 miljon people using Windows it actually are about 50 man years of lost time.

Time noone can get back.

Re:Reality check

but it is hard to tell because the blue screen last all of 1.5 seconds before my machine reboots, hardly enough time to read it.

Right click on My Computer, go to Properties, select the Advanced tab, click on Settings in Startup and Recovery, uncheck "Automatically restart" in Startup and Recovery. Then you can also select a bigger memory dump so the issue can be better diagnosed.

If you really want to have some fun after you crash and the dump is written out you can load it up in the debugger: Start->Run->ntsd.exe -z %windir%\system32\memory.dmp. Issuing ".symfix" in the debugger will get you symbols for OS.

For the full effect you'll want to download the (free) debugging tools for windows from MS's website, and then you get the GUI debugger and you can just do a "!analyze" and it'll pretty much tell you what went wrong (the debugger that ships with the OS doesn't have this debugger extension).

Or you can just upload the crash dump to MS, and if you're lucky they may have already seen the issue and have a fix. You shouldn't have to change anything to do this though. Do you run as non-Administrator? If so I think you can login as Administrator and it'll prompt you to upload the crash dumps. Otherwise I assume you've just been unlucky and there's no recommend solution.

Re:Reality check

A 10% slowdown is going to be noticable on any hardware.

The question I'd prefer....

What are the chances that my computer will forget how to work if I put SP2 on it. It's been sitting in my update list for a while, and I havent had the nerve to install it in case it kills windows...

2 things

[slobber]

9% on average on "Business Apps" is to vague too draw any conclusions. Was the slowdown in disk, network, memory, network performance? All of the above?

The slowdown could mean that MS cut some corners and traded speed for security in XPs' pre SP2 version. While fixing security problems they had to perform some extra checks and that dragged performance down. Or, they could've discovered some serious architectural issues with fixing new holes, so they had to do it in a slow and inefficient way due to the fact that their architecture wasn't designed with those checks in mind.

On a side note, I experienced a significant slowdown when running Norton AV that supposedly does a bunch of extra security checks. File and network performance became unbearable at times. It got so bad that I had to ditch NAV so now I am reverting my Windows system every day (I run it under VMWare, Linux is a host system). I found this setup + Zone Alarm to be a better answer to endless Windows security issues.

Re:Putty and SP2 (It's a business app, really! ;)

[dzym]

I had a problem with PuTTY being generally slow and freezing and unfreezing often but I resolved it with a BIOS update to the laptop. (go figure!)

A Better Example

[Dark+Coder]

Yes, I should. But it sure beats 130+ bug fixes per months for IE.

Re:A Better Example

Does it matter? You're arguimg that front-end code should be 100% responsible for security checks, and unless you're running only QMail, that's just not going to work.

Real Reason for range checking in public APIs

[Dark+Coder]

For a non-public APIs, there is no good reason for a range checking on the lower-tier modules for a carefully integrated module stacking. It is superfluous coding.

That is, the 2nd programmer's module calling the 1st programmer's function without consulting the 1st programmers documentation, be that it may: verbal, written, guesture or even smoke signals.

Tight cohesive teamwork is the key... Get it together.

Not Just Apps....

[Mastadex]

Ive recently nuked my Comp and installed a Frash install of XP, with minimal Patches agianst some of the bigger things out there (Blaster, Welchia, Sasser, etc.) so thus far im happy with my holy, unpatched system.

Anyway, When I had service pack 2 installed, my internet speed dropped from its ususal 5Mbit connection down to 1.7Mbit. Ever since The format and reinstall, My internet connection is back to its ususal rates.

In other words, there are more bugs in SP2 then meets the eye!

I think the problem stems from the testing itself

[Gary+Destruction]

Maybe Microsoft needs to determine what the most common software installed on Windows PCs is and even work with software manufactures directly to ensure the greatest compatibility.

Hello morons, turn off DEP

http://support.microsoft.com/default.aspx?kbid=875 352&product=windowsxpsp2

Note the /NoExecute=AlwaysOff option in the article.

Well known cause for much of the slow down some people find with SP2. Of course, this opens you up to morphic/purposefully overwritten code exploits, but such is life.

Re:Hello morons, turn off DEP

[Qrlx]

Hmm.... from the KB article

Currently, the only x86 processors that support No-Execute functionality are the AMD 32/64-bit Opteron and Athlon-64.

Since this doesn't affect Intel, this can't account for all the slow-downs people are expieriencing.

(Not that I bothered to read the article in Mobile PC.)

Re:Hello morons, turn off DEP

[robhancock]

No-execute protection still does something on CPUs not supporting hardware NX, it's just not quite as effective.

Re:Hello morons, turn off DEP

[gl4ss]

it's just slower to do it through other means than the NX.

(i'd assume ms has an other way too. what i'm sure is that there are ways for it that would work on most/all x86, there would be a performance hit though)

anyways, for a normal user it pretty much means just that they'll get the slowdown with xp2 sp2 - they are "morons" with computers, after all.

Re:Hello morons, turn off DEP

[Sir+Lurkalot]

I was wondering when someone would bring this up.

Re:Hello morons, turn off DEP

From the "Data Execution Prevention" settings dialog:

Your computer's processor does not support hardware-based DEP. However, Windows can use DEP software to help prevent some types of attacks.

This software version of DEP is on by default, and will probably cause some loss of performance.

Maybe not faster, but more of the same apps!

[EtherAlchemist]

I found one instance where a fix actually allows you to pirate OTHER software (or at the very least violate otherwise restrictive "one machine at a time" clauses in the EULA).

I installed SP2 and didn't notice any problems at all. Then, I fired up Fireworks which has a little util that sees if other copies using the same license are running on the network (who, me?) and was prompted by Windows telling me that the service had been blocked and did I want to Continue Blocking, Unblock or should it Ask Me Later.

Well, so far, choosing Ask Me Later has enabled (for testing, of course) running multiple copies of single license software when we would not have been able to previously.

Neat! Thanx Bill!

Re:Maybe not faster, but more of the same apps!

[KarmaMB84]

Fireworks is apparently poorly designed :p

Re:Maybe not faster, but more of the same apps!

[Kristoffer+Lunden]

How would that be different from using a software firewall?

Re:Maybe not faster, but more of the same apps!

It wouldn't be, it sounds like that is exactly what is happening. SP2 enables this firewall for you, but is not intended to work for the reason mentioned. Worth pointing out because if you're running XP, and you don't have such a thing in place already, it will do it for you.

so its come to this.

[JVert]

This should actually be posted in the politics corner. I gotta admit ./ is doing a lot better job at playing politics then certain US canidates. Seriously, a service pack to perform maintence and add some very usefull features. What is the general response? "SP2 broke my edonkey and made my girlfriend (online) break up with me." OH OH! now its slower with certain progams because they switched some compile flags that they should have enabled years ago!

Re:so its come to this.

[Barlo_Mung_42]

Well. The security problems that were posted here related to sp2 relies so much on social engineering and user stupidity that they don't really qualify as sp2 issues. So the MS bashing zealots have to find something else. My question is why does it only slow down business apps? The answer of coarse is that it doesn't just slow down business apps, it slows down the whole system to some small degree. But this shows that the author either doesn't know what he is talking about or is pushing an agenda.

Onus is on the QA

Maybe they need to rehire those QA contractors that made W2K so stable (more so than other MSFT O/Ses, but not yet at par with other non-MSFT OSes)

Or maybe its simply a need to relocate the QAs' desk inside from the loading dock bay at Redmond.

Re:Putty and SP2 (It's a business app, really! ;)

I had noticed this, but hadn't made the connection. I just tried your suggestion (2k compat mode), which did not resolve the problem.

I just checked, and I was not running the most recent version of putty (.53 vs .55). Upgrading it to the latest version appears to have fixed the issue.

Re:I think the problem stems from the testing itse

[2mcm]

yes this is good now the "little" ppl who use non micrsoft approved programs (e.g. most GPL) will have heaps of problems.

this would just be another way of MS "hurting" the little users.

Re:Putty and SP2 (It's a business app, really! ;)

[realdpk]

My bad, I thought I had the latest version, but I didn't. Perfect now that I do. Thanks all.

Re:Putty and SP2 (It's a business app, really! ;)

Nope, Putty starts just as fast as before on my system.

Isn't that how it always is

You can either get your ass kicked by gamers for having a slow machine, or by hackers for having an insecure one.

Re:Isn't that how it always is

...or you can buy a Macintosh, and be ignored by gamers AND hackers.

Re:Isn't that how it always is

[Brian+Stretch]

So THAT'S why I've been been clobbering Windows users in UT2004 Onslaught under 64-bit Fedora Core 2 Linux. I thought I was just that good. Shhh, don't tell nobody ;-).

Seriously, I'd been wondering why my Aquamark benchmark scores dropped around 10%. Now I know. Outside of benchmarks I haven't noticed the difference (but I don't use my Windows notebook for gaming). If you run WinXP you should definitely get the SP2 update, just make damn sure you've dewormed your machine first as SP2 has been known to cause previously undetected worm infections to crash the system on startup, especially if you have the good sense to be running an Athlon 64 CPU (has hardware-assisted buffer overrun protection that SP2 enables).

Get to work, proper-way-guy!

[bmajik]

When you finish writing a completely secure OS that runs existing customer applications, Microsoft will buy it from you for any amount of money you want, and then dump windows and make the world a better place.

The world is waiting. Get to work, mr. hot stuff. Please show Microsoft and the whole world how an OS _should_ be written.

The world will continue waiting because no completely secure operating system exists, much less a completely secure operating system that has the features and behaviors that customers have come to expect.

Microsoft is working on fixing the things that let worms/ddos/virii spread. But it is an arms race. MS fixes things of today and yesterday, new attacks are found. 10 years ago nobody knew about 1 byte buffer overruns, but today they are being exploited in 15 year old code, and new code auditing must happen and new fixes made.

A defense in depth strategy that assumes that some layer of your system has a weakness and attempts to mitigate that weakness from being an exploit elsewhere is a good design. The specific implementation here of trying to limit the damage caused by a compromised machine is probalby non-optimal, but it's a start.

Re:Get to work, proper-way-guy!

[pavera]

Except that it amounts almost to unplugging the machine from the net (which I've heard is the only way to secure a windows box...) But anyway, I'm not saying that I can write a completely secure OS, nor that that is an attainable goal. MS has made many decisions where the design of their system creates security problems, and then after the fact their fix is to disable functions instead of fixing them so that the design and implimentation are secure. And I'm not talking about esoteric things no one uses.

Its bizarre that the helpdesk I manage gets 10 calls a week at least from people complaining that they can't open the word doc someone just sent them in email, and we have to walk them through opening up Outlook so that it will let them read the doc, which then opens them up to all the vb scripting worms again, cause MS never fixed the DAMN PROBLEM! They just put a stupid default in the system that everyone overrides, because email without attachments in a law firm is like a car without a steering wheel or pedals.

hmm only 9% performance hit?

[pavera]

I've attempted to install SP2 on three machines now and I'm not trying any more. After the 1st install, the system blue screened, and could not be recovered, had to reinstall from scratch.

The second attempted install got about 2/3rds of the way done and then crashed resulting in an unstable system. The partial install could not be completely removed, and the machine would crash often, another reinstall from scratch.

the third attempted install died in the early stages repeatedly (about 15 seconds after starting the install) and never got past that point.

These were three completely different systems with different software installed, but all ended up with the same result, no SP2 without a complete clean installation of XP first. I'm so disgusted with MSs QA right now, I never plan to install SP2 again, because my time is too valuable to spend entire days rebuilding systems just because they can't write updates to their software.

Hell in Gentoo and Debian I update the entire system with a single command and download hundreds of software packages equalling hundreds of MBs and it all goes smooth as silk, can't MS figure out how to copy files from an update package into the system without blowing it all to hell?

Re:hmm only 9% performance hit?

'Hell in Gentoo and Debian I update the entire system with a single command and download hundreds of software packages equalling hundreds of MBs and it all goes smooth as silk, can't MS figure out how to copy files from an update package into the system without blowing it all to hell?'

Instead of Microsoft redesigning their entire business practice to work around your needs, HOW ABOUT YOU LEARN HOW TO FUCKING USE COMPUTERS YOU FUCKING CLOWNBOAT! I guess the millions of people that have installed SP2 successfully must have docterates in Computer Science because that's the only people intelligent enough to figure out how to do it, or maybe your just too fucking stupid. I vote the latter.

Re:hmm only 9% performance hit?

[pavera]

I'm just double clicking like all the other monkeys...
but whatever

Re:hmm only 9% performance hit?

I'm sure even you can figure out how to click a few buttons and install SP2, but by your own admission you aren't intelligent enough to figure out what is causing THREE seperate PC's to not work after attempting to install SP2. If Windows is anything, it's simple to use. That's why so many brain dead morons are tramping about the internet on their shiny new Dell's. Apparently you're a step below even the brain dead morons.

Congratulations fuckface! Welcome to the internet!!!

Re:hmm only 9% performance hit?

Heh. I've installed SP2 on hundreds of computers with no problems. You have something seriously screwed up there.

Re:hmm only 9% performance hit?

[Qrlx]

You talk a lot for someone who can't be bothered to log in.

Re:hmm only 9% performance hit?

Way to avoid the argument! I'm sure glad you attacked your moniker to that piece of intellectualism there.

Do you even know what you're talking about?!

[bmajik]

Do you understand anything about NT ? Nt already has user separation, priviledge sepration, memory compartmentalization, etc etc.

It's not like buffer overruns on NT are happening in random unpriviledged code an then magically running ring 0.

There are two big issues that make BO's problematic on windows:

1) traditionally, many system processes have run as something equivalent of unix root (Local System, etc). These already have root privs, so any exploit against these that allows code execution is code running as root. This is no different than compromising unix sendmail or any other daemon running as root

2) many users run as local administrator (because some times its hard not to, and some apps are poorly written and require it), so suddenly any buffer overrun is already executing with root priviledges (the current privs of the process)

What built-in mechanism does UNIX have for dealing with buffer overruns? Handing control of the box to script kiddies ?

( i am aware that some unixes have no-exec stacks and other technologies available - XP SP2 has this as well now if your hardware supports it)

"XP SP2 Can Slow Down Business Apps"

[mfivis]

That sounds like an awesome feature, what else can it do?!

And imagine...

[Agilis]

how much productivity you'd gain if only the security features would stop popping up.

WINDOWS

[YrWrstNtmr]

...actually HAS business apps.

What configuration of outlook

[bmajik]

doesn't let you open attached word files ?

I would say i get at least 1 word attachment per day in my work email box.

When i double click on the attachment, a dialog box asks me if im sure i want to open it, given me the option to open, save, or cancel

Now, i haven't opened any word docs with macros lately, but when i open an excel document with macros, i get asked if i want to enable them or not.

This is with Office 2003.

So, what configuration of outlook do you have where trying to open a word document fails?

By the way - you're free to suggest a solution that lets someone embed a pretty functionally complete programming language into an Office document but doesn't let them do anything malicious (and supports existing code written against this system)

The office scripting situation sucks. Featurewise, its very powerful and handy. Powerful enough that you can use it to do bad things. If you shut it off, then people like you bitch that MS disables features instead of fixing problems. If you "fix it" then somebody's script/macro somewhere stops working, and people like you bitch that MS deliberately broke perfectly working code. If you don't fix it, people like you bitch that Microsoft never does anything about security problems.

So what's the right thing to do ?

Re:What configuration of outlook

[pavera]

Why a word doc needs functionality in the first place is questionable to me. Integrating data and code is a seriously poor design choice. No one in our company (5000+ employees) uses any of the VB scripting, and I wouldn't care if MS turned it off all together, I think its a stupid idea. Maybe alot of people use it, but I haven't met any of them.

Outlook XP, and 2000 by default disable access to all .doc, .xls, and .exe files, and you have to go into the options and specifically loosen the security settings to allow access to them. The attachments appear greyed out, and you can't click on them.

Re:What configuration of outlook

Your company sucks. They managed to turn off DOC and XLS attachments, but couldn't figure out how to disable the VB Macro features of those apps?

News Flash!

[Phat_Tony]

XP SP II Can Slow Down Business Aps!

Similar problems have been found with XP SP I, the original XP, along with Windows 2000, 98, ME, CE, 95, and 3.1.

CPU Driver Update

[donweel]

I had this happen to me. SP2 turned my AMD 64 into a slug. I did some looking around and it seems that Microsoft in thier infinite wisdom decided to upgrade your cpu driver in some cases. If you go into the hardware manager and roll back the cpu driver you should be ok. I don't think Microshaft groks AMD.

Re:WINDOWS

[Qrlx]

+5.00.2195 Obvious

According to this..

[bmajik]

http://www.microsoft.com/technet/prodtechnol/offic e/officexp/maintain/xpsec.mspx .doc and .xls are not disabled by default. Perhaps you have the Outlook Security Settings PF setup somewhere with this configuration ?

As far as needing VB programmability in excel - billions of dollars every year are managed by embedded VBA inside of excel spreadsheets. And thats just what i know about one small part of one company.

A response for Godwin

Sure, so if Hitler was doing the wrong thing, we should have corrected him with babysteps.

Maybe sometimes you have to take BIG STEPS and make DRAMATIC CHANGES to correct for MAJOR PROBLEMS -- like the Microsoft monoculture of piss-poor products.

The answer to this is simple....

[Rooked_One]

go buy yourself a copy of windows 2000...

Unless you have a CPU that needs multithreading, there is no reason - besides ..... - that you need XP. And ESPECIALLY if you are reading slashdot, you should be able to work win2k.

Re:The answer to this is simple....

[NanoGator]

XP (pro) supports multithreading, just so ya know. I have a dual proc machine at work running it.

Is there a big screaming reason to need XP? Eh, maybe not. But I really do prefer running it on my laptop. I kind of wish my desktop at home (running 2k currently) was running XP. Not so much because I need it to, but it is a friendlier OS. A lot of my day to day normal boring stuff has been enhanced one way or another through XP.

I sort of agree with your statement, though. I mean, it's not like I'm interested enough in shelling out $150 for the upgrade. But if I did, I know I wouldn't look back. XP definitely had a lot of attention paid to the end user experience. *Sigh* I wish Apple'd make a PC OS that would run my existing apps.

It really sounds like this is the DEP feature.

[samrolken]

It really sounds like this is the Data Execution Protection feature. It's emulation of the NX feature of processors in software, and somewhere on Microsoft's website, I've read that it can slow some applications. There are also instructions for turning this off for the whole system, or just a few apps that seem particularly affected by it.

Re:It really sounds like this is the DEP feature.

[51mon]

Not my area, but I understood DEP was "off by default" in SP2 - yet another suspect default setting from MS I fear. Similar buffer checking features in the Linux kernel (if enabled) usually results in a ~7% performance hit, so I assume that is the issue here.

Re:It really sounds like this is the DEP feature.

[Daniel+Wood]

It is on by default, just not for everything. Only for critical windows compenents, but on none the less. DEP could be a possibility for some of the slowdowns. I found the greatest slowdown was with the new TCP/IP stack and ever since I patched my TCPIP.sys I have not noticed any slowdowns. But then again, you would be hard pressed to notice a 320MHz drop off from a 3.2GHz cpu, so it may just be my warped perceptions or the fresh slipstreamed SP2 install.

http://www.woods.us/sp2 for details on disabling DEP and fixing up a few SP2 problems.

Re:It really sounds like this is the DEP feature.

[51mon]

If you're on a Pentium 4, then DEP won't do much anyway will it?!

Re:It really sounds like this is the DEP feature.

[51mon]

Oops ignore that one... Although if the Intel website ever loads it explanation of Pentium 4 features...... I guess the browser warning telling me to upgrade to an older browser should have given away - page written by moron.

Heaven help you...

[rsilvergun]

if you sys restore to or from SP2. All new files get left there, and Windows still manages to load them. Sys restore's a great way to fix minor problem with Windows files (used it today to get MP3 playback working in WMP again). Don't rely on it for complex stuff. And do not use it if you've got Norton utilities installed. I haven't confirmed this, but I've heard rumors that Norton's speed disk and possibly antivirus corrupt restore points subtely so you can run the restore, but it blows up bad. I'v had many a restore point blow up with only Norton to blame...

So _always_ uninstall SP2 before reverting to a pre-SP2 environment (that includes your friend and mine, the repair install). Trust me, you'll be glad you did. And for God's sake clean your spyware off first. You're doing a major change to the networking system. That's not gonna go over well with Kazaa and friends.

No, Windows beat OS/2 because...

[rsilvergun]

IBM's marketing is the suck. At least their consumer devision's is. Always has been too. I'd guess IBM doesn't really want to bother with the consumer devision (it don't pay too well), but damned if they're gonna leave money on the table.

Also, I seem to remember some backstabbing on Microsoft's part, but I don't remember the details. I think it involved snatching all the good parts of OS/2 and dropping them in NT, then abandoning OS/2. That said, why anyone would run NT 3/4 if OS/2 was an option is beyond me.

Re:No, Windows beat OS/2 because...

[g0qi]

No. Microsoft was developing the API for OS/2 and decided to make it look a lot like Windows. When IBM confronted this, Microsoft admitted that the future was going to be Windows NT, not OS/2.

Re:No, Windows beat OS/2 because...

> I think it involved snatching all the good parts of OS/2 and dropping them in NT

Wrong. OS/2 had and still has a i286-based kernel with no security concepts, while NT was rewritten in portable C for multiuser systems.

> That said, why anyone would run NT 3/4 if OS/2 was an option is beyond me.

OS/2 was not stable as a server. It also required $500 of additional software to act as peer on a NetBios-over-TCP/IP network. That's why we went with NT anyway. The marketing sucked, but so did the product in a lot of ways.

chuckle :)

[bmajik]

actually, the limit defaults to 4 for 1.0, and _2_ for 1.1. Note that the limit of 2 persistant connections is set as a SHOULD condition in the 1.1 original RFC (RFC 2068, section 8.1.4 - practical considerations)

Sheesh, slowdown! That's nothing...

[YE]

...some business apps like Gator even refuse to run!

For the sake of Fairness:

[Cyberllama]

Unsecure software runs faster. All that extra checking things to make sure they're valid and so forth requires processing power. I mean, a login script that just accepts any password entered would require less processing than one that actually checks the data against some other data.

That bad, huh?

[Fallen+Andy]

I have two experiences to relate, neither my own.
You'll see why in a minute.

1. Home user (member of company). That's the same
george as below...
Everything ok, but seems a bit slower

2. The boss of the other company in this office
XP Home. Not much other stuff except NAV, Winzip, WinRar. Installed in 35minutes, debugged in (when are
we going to get it to work George?).

Like most oldsters I automatically go through the ritual of cleansing demons out of machines (so I
checked and NAV said NO, you're a bad boy, you haven't checked the machine). OK. Go check the
machine.

Oops. It frooze (new word for the 21st cent ok?)
real good. Sigh. Three more attempts and yeah verily interrupts weren't. OK, time for memtest86
(nothing wrong with the RAM). When George arrived
back from his meeting with the Dalai Lama yesterday we removed NAV, reinstalled and nope. Same problem. (Sigh). Scanned remotely over the internal net with several anti-vir packages and nope nothing. Checked with AdAware and nope nothing dirty.

In final desperation we decided to placate the Olympian Gods (this is Greece you know - I'm in Athens) and sacrifice another machine in the interests of true scientific experimentation.

Sadly my friend George is an IT virgin and believes in the concept of working from 10.a.m to 4p.m. (this is Greece), so I'll have to wait until
monday to give the next installment of this Soap
Opera. Your's truly on the other hand *lives* in
this office ...

SCREAM SCREAM SCREAM. There is a good reason why
MS are regarded as the bastard offspring of Oedipus's incestous liasion with his mother.

With Linux, you can strip the thing down to boot
loader + kernel + libs and work your way up.

With NT (XP) you are lost lost lost.

I started my programming career *porting* OS's.
Nobody who valued their sanity would ever consider
doing this with an MS product.

If you are foolish enough to consider putting SP2
on your machine, then consider how long it would
take to reconstruct your work environment (you have backups of data don't you?).

Oh. About 4-5 days. Then I have to remember what
patches to apply for everyone elses software, and remember that if you do X before Y, then Z software breaks if the moon is in sagittarius and
(you get the drift?).

Hmm. This is *why* developers love FreeBSD, Linux
etc. I'm going to go and caress my friends Vim, Emacs and co right now. I need to calm down.

Re:That bad, huh?

I have no idea what this post is about. I'm not even sure this is English.

Re:That bad, huh?

[Fallen+Andy]

?? Say what? I'm sorry. Excuse me? Automated worm eh?

Re:I think the problem stems from the testing itse

> Maybe Microsoft needs to determine what the most common
> software installed on Windows PCs is and even work with
> software manufactures directly to ensure the greatest
> compatibility

I can give them a hint: the most common software installed is an office suite by a large company in Redmond.

This is a troll? WTF?

[DeepHurtn!]

'Nuff said!

Defragment C:!

[prandal]

After installing SP2, defragment your hard drive - so many core files are replaced that the system's performance will be even more sub-optimal than usual until you do this.

Re:Defragment C:!

[ticktockticktock]

I thought NTFS was a smarter filesystem than FAT32. It still needs defrags when it isn't low on disk space?

Re:Defragment C:!

[Bayleaf]

I've had that with other service packs as well. To be honest, if I had the time, I would wipe the machine, re-install XP, add the service packs and then re-install the apps. If I had the time...

Re:Defragment C:!

you've got plenty of time,
you're reading slashdot.

Re:Defragment C:!

[prandal]

Hey, you've swallowed the marketing hype!

Re:Defragment C:!

I'm booting off of G: you insensitive bastard!

XP SP2 can give you a serious headache

[Linker3000]

Since installing SP2 on a laptop, the printouts from Treeview Pro (a directory listing program) have had every printed character flipped on its vertical axis - all the letters are in the right place but the wrong way round so - for example, all 'b's look like 'd' - it's readable but makes your brain hurt!!

Does anyone have a weirder SP2 effect?

Re:XP SP2 can give you a serious headache

SP2 has caused slashdot editors to post even more worthless articles bashing Microsoft every chance they get.

Re:XP SP2 can give you a serious headache

[jrumney]

After installing SP2 on my girlfriend's laptop, it would load google.com, but no other websites. Up to date AVG and Spybot S&D on the machine, Firefox and Thunderbird her web and mail programs of choice, there was no malware on the machine I could blame. I spent 3 hours trying to figure out what was wrong, and eventually concluded it must be soemthing to do with TCP packet sizes. I set HKLM/System/CurrentControlSet/Services/TCPIP/Param eters/Interfaces/{wireless card's guid}/MTU to 1452 (it was the first value I tried, 1500 would probably have worked) and it came right.

How average Joe is supposed to figure out problems like that without spending loads of money on expensive computer repairs (who probably couldn't figure it out either), I don't know.

But thanks a lot Google for using a non-standard MTU. It is quite useful being able to search for hints and look at the Google cache when nothing else is working.

Re:XP SP2 can give you a serious headache

[Linker3000]

Make that TreeSIZE professional

Re:XP SP2 can give you a serious headache

[ctid]

I've said it before and I'll say it again: Windows is just not ready for the desktop. Maybe in a few years, but at the moment, it's not quite there yet. It's perfectly OK for a serv.... well, not OK exactly, but more or less adequate... well, not adequate either of course, what with all those security problems, but ...

Hang on, remind me again why people use Windows?

Re:Gay ass ads

[ggy]

Nah, real /.ers doesn't have a girl laying on the couch. And if one would, he sure as hell wouldn't be checking ./!

Firewire preformance cut 50% in SP2

[__david__]

At work we've been benchmarking some 1394 to ATA bridges under XP and suddenly one day they all started running at 1/2 the speed they used to. After some digging around we found that someone had installed SP2 on our test system. We backed it out and the performance doubled (well, it went back to normal)!

So if you use Firewire disks on your computer--watch out...

-David

Re:Firewire preformance cut 50% in SP2

[diegocgteleline.es]

Know issue: http://www.theinquirer.net/?article=17819/a Looks like you need a firmware update ie: no microsoft fault.

Re:2nd post!!

YOU FAIL IT

Re:Gay ass ads

The next Ask Slasshdot:

I have a Woman, what do I do now?

Re:Putty and SP2 (It's a business app, really! ;)

[Baki]

No I haven't noticed. putty runs as ever, as a small app it starts without any noticable delay, also in XP SP2.

In other news...

...Microsoft is claiming their patest patch has resulted in a 9% reduction of successful attacks on Windows machines.

Buggy uxtheme.dll causes a GDI handle leak!

[fakeplastic]

XP2 also ships with a buggy xptheme.dll that causes any MFC application that creates windows with a caption (such as MDI child windows for example) to leak 6 GDI handles (HRGNs) every time a window is created. This bug is causing me some serious problems with one of my MFC apps that uses lots of CWnd-derived windows.

To make matters worse, MS actually fixed this bug with SP1, but have gone and broken it again with SP2! After all that testing they did? Unbelievable.

And, of course, I have no idea how I can officially report this bug to MS, let alone get them to fix it. There is a KB article for the original XP problem at http://support.microsoft.com/?kbid=319740.

There is a workaround - use Classic mode instead of Theme mode - fine for me, but try telling my users they cannot run in Fisher Price mode!

What a royal PITA. My users are screaming for a fix (as my app runs all day long, and as many users use Standby mode, it can stay loaded until the next reboot, leaking bloody handles at a frightening rate!).

Anyone here have any experience reporting problems like this and getting them actioned? I don't know where to start (I have posted the problem to the MFC group).

Re:Buggy uxtheme.dll causes a GDI handle leak!

[BenjyD]

I guess that story a while back about Microsoft's bug-hunting techniques and how bad they were was pretty accurate.
How does that get past automated testing at MS? They always go on about how they test so thoroughly and have thousands of machines running tests constantly.

Re:Buggy uxtheme.dll causes a GDI handle leak!

[fakeplastic]

What I find bizarre is WHY uxtheme.dll cares about MFC apps or how it even knows! I have tried creating windows that don't use the Afx: style class names, etc. but to no avail. It is so frustrating - and if even causes MSVC6 to leak like a sieve!

Re:Buggy uxtheme.dll causes a GDI handle leak!

[BubbleNOP]

Maybe it's Microsoft's subtle way to force people to switch to .NET for their GUI apps.

Note use of SYSMark - Contradicts other article

[lseltzer]

These people (hardcoreware.net) are using SYSMark 04, the article cited in the /. article is using SYSMark 2002. The latter generally found decreases. The 04 test includes a communication test with Outlook, which explains the firewall explanation. But the tests with the general productivity apps in 04 basically show very small differences. Even the browser-based tests later in the article show small differences.

The last few pages are dead links.

It's like OpenBSD vs FreeBSD

[fluor2]

It's like OpenBSD vs FreeBSD

OpenBSD is much slower.

Are we now paying for using the most well-known OS?

Re:I think the problem stems from the testing itse

[Bayleaf]

Perhaps they should have worked with the manufacturers of Outlook, to make sure that mail does not stay in the Outbox until you open up another item.

Well.. it's obvious then.

[mindstrm]

You need to be forced to use a Mac, with OS X, for a week or so.. then we can pull you off and see how you do on windows. You'll likely hate it, as you realize that all the "good UI design" and "ease of use" you thought you knew in windows were really just poor, inefficient approximations of how what Apple has done.

I say this as a heavy unix user, and long time windows user, and previous mac hater.

Apple has it's problems, for sure, but the Windows UI,and overall user experience, though a lot better than it used to be, is still not even a close second.

Re:Well.. it's obvious then.

I spent a year and a half with a G4 powerbook with OS X until the logic board died. I now use a PC and have no complaints. Whatever gets the job done.

I have friend who used a Mac with OS X for almost a month but still didn't like it as much as Windows. And he's a bright guy.

Not everyone likes OS X significantly more than Windows.

I think that's the real issue.

[khasim]

Microsoft will make obviously stupid decisions from a security/stability standpoint in order to increase performance.

Then Microsoft will slap bandaids on the security/stability problems that the created.

And then some people will start bragging about how proficient they are at juggling bandaids on their systems.

Re:I think that's the real issue.

[greenreaper]

Microsoft is a company. Companies get paid to do what people want. When Windows was originally created, code security was not top of the list, but performance was highly important, therefore they optimised for that (integrated graphics system in NT 4, etc). Nowadays security is far more of an issue so they're coding for that. That's just how things work with companies.

Buy a Mac.

[khasim]

"When Windows 95 came out the days of setting individual apps to use your hardware (like sound cards) were over."

Maybe for you. But Apple had already solved that problem.

"You can't tell me that the surge of computer purchases starting around the mid-90's wasn't because of the launch of Windows 95."

You seem to be confusing the marketing push that Microsoft did with some form of technical excellence. The people bought the new PC's because they thought they needed them. That's marketing.

People lined up in the rain at midnight to buy Win95. That's marketing.

Win95 was not any technical advance over the existing (see Apple) technology.

"And since when did filtering out automatic-MS-hate make my ideas 'fucked up'?"

It doesn't. But that's not what you're doing. You seem to be claiming all the computer advances to be a result of Microsoft's efforts. They aren't. Microsoft merely took what was already available, put it into their own product and then hyped that product enough that every idiot out there thought Microsoft had invented something new and wonderful and that they had to have it.

Re:Buy a Mac.

[asland]

Win95 was not any technical advance over the existing (see Apple) technology.

The best Apple offering was still using cooperative multitasking and "locking up" whenever you used a menu. Win95 had preemtive multitasking. It wasn't a new technology, but it was new for the home user.

Re:Buy a Mac.

[Grym]

Maybe for you. But Apple had already solved that problem.

Because Apple, as they still do today, doesn't have to worry about internal, third-party hardware. Hardly a good comparison.

People lined up in the rain at midnight to buy Win95. That's marketing

No, that's bullshit--on your part. Why is it that when people clamor to download a new linux app or distro the Slashdot-hive-mind attributes it to features/performance/usability/security but when people do the same for a "M$" product, it's somehow due to ignorance or deceptive marketing.

I'm no Microsoft fan, but let's be honest, Windows 95 was a real improvement for the PC market. It was the first OS for an x386 machine that didn't require you to hardly ever see a commandline for basic operation. You may not think it was significant with respect to the blessed, do-no-wrong company known as Apple, but most people do. The market obviously confirmed their analysis. I dragged my feet switching from DOS/WIN 3.1 to Windows 95, but even I was impressed with the changes once I switched.

...Microsoft merely took what was already available, put it into their own product and then hyped that product enough that every idiot out there thought Microsoft had invented something new and wonderful and that they had to have it.

Something the Open Source Software community does all the time. Look at GIMP (free photoshop), OpenOffice(free knockoff MS Office) or FreeCiv (exact copy of Civilization II, I think). Somebody has done all of these things before, and oftentimes better. (And NO, it wasn't Apple or Steve Jobbs.) And yet, I like gimp. I like OpenOffice (after it *finally* loads), and I would probably like FreeCiv if I played it. Just because somebody has done something before (On a different hardware platform, no less...), doesn't diminish the good work of someone who emulates the idea in the future.

-Grym

Re:Buy a Mac.

[NanoGator]

"Maybe for you. But Apple had already solved that problem."

Not on PC architecture. Apple would have made a killing if they had written a PC OS. I kmow I'd be happier right now.

"You seem to be confusing the marketing push that Microsoft did with some form of technical excellence... Win95 was not any technical advance over the existing (see Apple) technology."

Nope. I'm not claiming MS invented anything. I'm not claiming Apple didn't beat them to it. It seems you ignored my bit about 'build your own machine to boot'. I was actually thinking of Apple when I wrote that.

" You seem to be claiming all the computer advances to be a result of Microsoft's efforts."

Nope. I claimed that more people bought machines because of MS's efforts. (efforts != inventions, don't you dare try to put more words in my mouth.) We're not really all that divergent in opinion here, actually. Pity you're doing more accusing than asking.

Re:Buy a Mac.

[khasim]

"No, that's bullshit--on your part. Why is it that when people clamor to download a new linux app or distro the Slashdot-hive-mind attributes it to features/performance/usability/security but when people do the same for a "M$" product, it's somehow due to ignorance or deceptive marketing."

Because people looking for a new download for Linux are NOT standing in the rain at midnight hoping to buy it.

That is "marketing". Whether you like it or not.

"I'm no Microsoft fan, but let's be honest, Windows 95 was a real improvement for the PC market."

Yes, and a loaf of bread with a half a pound of shit is an improvement over a loaf of bread with a pound of shit.

Whether it was an improvement for the PC market (owned by Microsoft DOS and Win3.1 at that time) does not matter since it is comparing one Microsoft platform to a newer Microsoft platform.

The issue is whether Microsoft did anything new. They did not. Apple had already done most of that.

"Something the Open Source Software community does all the time."

Hardly. No one hypes the GIMP as revolutionary or anything. Just free (as in beer, as in speech). The same with OpenOffice and all the others.

"Somebody has done all of these things before, and oftentimes better."

Yep. And still, no one is saying or implying in any way that they have not been done before, many times before.

You seem to have a problem with not remembering the initial Win95 ad campaign. My memory isn't that flawed.

Now, look back at the post i was replying to. Pay particular attention to THIS LINE:
"When Windows 95 came out the days of setting individual apps to use your hardware (like sound cards) were over."

Now, do you see anyone posting anything like "When OpenOffice.org was released, the days of non-WYSIWYG word processors were over".

No, you don't. So your "point" is invalid.

Re:Buy a Mac.

[aristotle-dude]

,i>"Not on PC architecture. Apple would have made a killing if they had written a PC OS. I kmow I'd be happier right now."

Not this myth again. Do you remember NeXT and what happened when they ported over to X86?

Who was the head of that company? That's right Steve Jobs. OS X was already tried on Intel given that OSX is basically Open Step 5.x.

I'll give you another example, BeOS. Remember Be Inc. and how much of a success that was when they ported to X86? Oh Wait...

Be Inc. got a settlement from MS for being blocked from the market and oems by MS. Unfortunately for Be Inc. they had already been bought at the scrap sale by Palm so it was too late to continue development of BeOS.

Sorry but MSFT has a virtual lock on the X86 platform and only "free" OSes like linux are able to compete against it. There is also the issue of rampant piracy by PC users.

Re:Buy a Mac.

[operagost]

Not new for me, as I had been using OS/2 for about a year when Windows 95 came out.

I was a late adopter - OS/2 had been 32-bit, with Windows 3.x and DOS program support, since 1992.

Re:Buy a Mac.

[operagost]

It was the first OS for an x386 machine that didn't require you to hardly ever see a commandline for basic operation.

How old are you guys here? Windows NT 3.1 came out in 1993 and 32-bit OS/2 in 1992. No DOS! And no command line, unless you preferred using it, or needed to do something advanced.

Re:Buy a Mac.

[Snaller]

"When Windows 95 came out the days of setting individual apps to use your hardware (like sound cards) were over."

Maybe for you. But Apple had already solved that problem.

Perhaps by copying what the Amiga had done a decade before then...

Re:Putty and SP2 (It's a business app, really! ;)

[HawkingMattress]

no noticeable difference here, really

not a tradeoff

[jeif1k]

It's an either-or choice only with C: buffer overflow checks are expensive in C because of the kinds of constructs the C language provides. In other programming languages, the overhead of buffer overflow checks is negligible for real-world software.

Give him a break...

[thegnu]

...he's grieving.

And for the record, YOU go try and compose a message in Greek sometimes. It's written in cyrillic.

/.: News for Microsoft Haters. FUD that matters

[diegocgteleline.es]

This is a know issue. SP2 in fact runs *faster* in some workloads because of some fixes:
http://support.microsoft.com/?kbid=815227
http://support.microsoft.com/?kbid=328264
http://support.microsoft.com/?kbid=332023
http://support.microsoft.com/?kbid=838884
http://support.microsoft.com/?kbid=811169
http://support.microsoft.com/?kbid=815411
http://support.microsoft.com/?kbid=834937

Fixes like this can be found in any SO changelog, including linux and/or BSDs. Think that Windows XP SP1 has been out for a long time, that windows 2003 (which shares their code base) has been developed and in the development process they must have found some nice & safe improvements.

"News for Microsoft Haters. FUD that matters". I'm a linux user, but seriously, is there chance that editors stop putting fud in the front page?

Here you've some lessons: How about instead of "XP SP2 Can Slow Down Business Apps" you name it "MobilePC detected a SP2 slowdown for bussines apps in their notebooks" or "SP2 bug slowdowns some notebooks" (which is the real issue) or some objetive shit instead of your FUD & subjective crap which tries to imply that there's something wrong with the whole SP2? Sure, Windows sucks, but I love to read news about how much it sucks, not just FUD. Just a wish, I don't collaborate with slashdot so I cant tell people what the content is, but I think your readers will appreciate a raise in the quality of windows posts. Thanks.

Re:/.: News for Microsoft Haters. FUD that matters

[gad_zuki!]

I'm running SP2 on both a custom built tower and my dell laptop and with DEP on for all apps and haven't noticed anything in regards to performance. I get the same doom3 benchmarks everyone else gets with my processors/video card. Things are as snappy (or as unsnappy for the laptop) as usual.

Man, I use linux too, but mostly on the server side. I've helped more than a few people run Red Hat or Mandrake. I love OSX. But this faux outrage MS bashing shit has to stop. For every bullshit bash, my arguments regarding MS's anti-compeititive practices and protocal hijacking sound all the more unconvincing. At this point when I explain to people whats really wrong with MS I can expect the, "you computer people always complain about MS" line. Now toss in the people who think the anti-trust case was just 'government attacking successful Americans' and we're only feeding the flames of ignorance with every petty MS complaint.

• SP2 is one of the few things MS got right:
• Pop-up locker for IE
  
• ActiveX nag windows
  
• ActiveX object manager
  
• Default on firewall
  
• DEP, NX
  
• Better wireless manager
  
• Bunch of minor fixes
  

I dont know about the rest of the people on this board, but I live in the real world. I have friends and relatives who use windows and this is going to help them out a lot. I think the MS pile-on is usually justified, but sometimes its not and its ugly when it isn't.

Re:/.: News for Microsoft Haters. FUD that matters

[m_pll]

Your 3rd link is actually an example of a fix that *decreased* performance, because the old behavior was fast but incorrect.

It's not specific to SP2 though; the change was in the original XP code base as well.

32-bit, yes. 16-bit, no.

[khasim]

"It wasn't a new technology, but it was new for the home user."

Actually, I think the Amiga has pre-emptive multi-tasking.

And Win95's version would not work on 16-bit apps (of which most were at the time of release). All the 16-bit apps were cooperatively multi-tasked together and that chunk was pre-emptive with relation to 32-bit apps.

Re:32-bit, yes. 16-bit, no.

Actually, I think the Amiga has pre-emptive multi-tasking.

Had it since its first release around 1985.

Defrag?

[freakmaster]

just wondering. these service packs replace more or less every file in the operating system. the files/registry might have been fragmented somewhat, or perhaps the newer files weren't all grouped together nicely for quick access. Laptop disks are usually slower than desktops, i believe they only started shipping 7200 RPM disks in the high end laptops recently (and we all know how much difference 7200 rpm drives made when we started getting them in desktops 4-5 years ago). just a theory, but I would have fully defragged sp1 (including registry hives, pagefile etc...), benched, installed sp2, defragged again and benched. probably wouldn't account for all the slowness, i'm sure bufferchecking and sending personal information to mothership take up plenty of resources as well.

Re:Defrag?

Indeed. Drefragmenting is a good idea after a system update like that (and linux/BSD filesystems don't solve the problem either - windows reoders files WRT. its usage, something that linux/BSD filesystems don't do)

What about all the problems

[danger_boy_13]

I have seen that SP2 seems to fix some of the security bugs that Microsoft had in XP (though they had to release fixes quite quickly after SP2's release), but what about all the software that the service pack breaks? Yeah, it slows down the business apps, thy're lucky it doesn't totally cause them to stop working. I understand it is the software company's responsibility to release the updated patches for compatibility, but does it make sense to have to do that? I mean, this is an update to an existing OS, not a whole new environment. I can understand a couple programs with problems with a new update, but with the extensive lists of programs that don't work and programs that change behavior I think there is something wrong here.

SP2 hardware compatibility...

Not that this would be the only issue with SP2, it also broke my MPC190 support and now it wont work even if I uninstall SP2. Fuck you microsoft.

But what about a from-scratch install??

[MtViewGuy]

While it might be understandable that we may have slowdowns of installing Windows XP Service Pack 2 on a current install of Windows XP, what about this scenario: a from-scratch install of Windows XP Home/Professional from a CD-ROM that already has Service Pack 2 code on the installation CD-ROM disc?

I can probably say that a from-scratch install of Windows XP Home/Professional SP2 will probably have very little or none of the performance issues mentioned in the article.

snprintf is not ANSI C89

[tepples]

You wouldn't use gets to input a string, would you? I hope

There's a difference between fgets, a safe alternative to gets that is in ANSI C89, and snprintf, a safe alternative to sprintf that is in ISO C99 but is not in ANSI C89. Not all useful platforms have a conforming C99 compiler. So how can one do the equivalent of snprintf portably?

Buisness app are indeed slowed by SP-2

[Kaffien]

I work at a somewhat large company totaling about 100 er so computers. For the most part I'm the only one who gets to deal with it. On the client end Sp-2 seems to slaughter performance on such programs as sunsystems accounting and daybreak pay roll. anything that uses a database seems horribly slow. I've had to uninstall sp-2 like 7 times in this past week alone because users who had admin access to their box (users don't change pcs at this place) decided that they were a tech and suited to upgrade their computers to sp2. I've also noticed a very noticeable delay after right clicking any icon like say my computer it takes like a minutes (60 whole seconds) for the context menu to appear. I think we'll be sticking with sp1 and focusing on hardware protection as M$ seems to be unable to protect itself adequately.

Not true of OS X

[SuperKendall]

You can't install a really big bunch of fixes and expect Windows to run faster!

When a large bunch of fixes are released for OS X the impact is either better performance, or performance-neutral.

I guess you did say "Windows" though. I just thought I'd point out someone else can actually manage to do this.

Updated recipe

[gkwok]

In this case, the Profit step should be inserted between steps 1 and 2.

And then between steps 2 and 3, 3 and 4, and 4 and 5.

I will repost your statement.

[khasim]

"When Windows 95 came out the days of setting individual apps to use your hardware (like sound cards) were over. You didn't have to memorize a bunch of stupid dos commands. Installation of apps was as simple as putting in the CD and hitting 'ok' a couple of times. All this, and you could build your own machine to boot."

Now, to break it down.

#1. "When Windows 95 came out the days of setting individual apps to use your hardware (like sound cards) were over."

Those days were ALREADY over. Apple had solved it.

#2. "You didn't have to memorize a bunch of stupid dos commands."

Again, Apple.

#3. "Installation of apps was as simple as putting in the CD and hitting 'ok' a couple of times."

Again, Apple.

#4. "All this, and you could build your own machine to boot."

That just doesn't fit with the other items. That's hardware. You say you put that in to rule out Apple, but, back to your first statement in that selection "When Windows 95...".

In which case, what you are ACTUALLY saying is that Microsoft (and Microsoft users) was way behind the current technology.

So it wasn't "When Windows 95 came out the days of setting individual apps to use your hardware..."

It is actually "When Windows 95 came out, Windows users finally had some of the same technological advances of other systems and they had them on the PC architecture."

Well, I can see why you didn't say it that way. I doesn't sound so worshipful of Microsoft and it puts Win95 into the correct perspective from a technological standpoint.

Accuracy. It's a good thing. You should try for it a bit more often.

Re:I will repost your statement.

[NanoGator]

Whoopee, in my original post I didn't clarifiy that I was talking about the PC architecture. Never mind that it was far more prolific than Apple's architecture was, meaning most machines didn't have all that stuff. Never mind that I never once said MS invented any of it or was first to market with it.

"Accuracy. It's a good thing. You should try for it a bit more often."

This coming from a guy who's still harping over my original post even though I clarified it. You're not running with up to date info either, my friend.

Re:Buisness app are indeed slowed by SP-2

[praxis]

You're last statement seems odd to me. What does performance degredation have to do with Microsoft protecting themself adequately? Have you called PSS and tried to identify the cause of the 60 second delay prior to context menus appearing on "My Computer"? I have seen SP2 run on a variety of hardware and driver configurations and have never seen this sort of performance. It might just be a driver which makes assumptions that SP2 invalidates and needs and update.

Re:Buisness app are indeed slowed by SP-2

[diegocgteleline.es]

60 seconds is too much for a context menu. GOd knows what your computers have, it works in everyone's else computer...

OpenBSD??

[ZosX]

Forgive the repost

Only one remote hole in the default install, in more than 8 years!

That's pretty good, but what exactly does that mean? OpenBSD isn't exactly ubiquitous like say Windows, FreeBSD or Linux and MacOS X (another BSD flavored OS). Since they code reviewed the kernel code heavily during the beginning of OpenBSD, I think removing or altering many, many lines, is OpenBSD therefore that much more secure?

The reason I ask is that I was working on putting together a small BSD or maybe even Linux based firewall for oh, I dunno, about 4 users. Since a firewall would sit on the edge of the network, security is #1. Would OpenBSD be a more secure solution for such a task than say, just simply using FreeBSD?

Just asking.

zosX

Re:Buisness app are indeed slowed by SP-2

That reminds me of a recent problem I had with Windows ME. Every system related app would take ages to launch or even display a menu from a right click. It turns out that Norton System Doctor was creating thousands of oem*.inf files in c:\windows\inf. After deleting some 22,000 of them, it ran normally again.

This is necessary, unavoidable, and not bad.

[ZosX]

First of all, as many have mentioned, Microsoft compiled some buffer checking code into the service pack. While this may slow performance slightly, this is a Good Thing (tm). At the risk of this post becoming redundant, it should also be mentioned that Windows is now firewalling incoming connections as well, but I wouldn't really know what exactly it installs because I am running all Win2K and Linux ATM. While the firewall is a very simple port blocking firewall on the incoming side only, it still will take up a few cycles.

Ever since I installed Kerio I've since noticed that even LAN traffic causes the firewall to take up a few percentage points. Considering how ancient this hardware is, it is not really that bad. AV software will also slow down your PC. While it would be nice to not waste so much time having the processor make sure your data is virus free and that your buffers are ok, they will become even more necessary in the future. Imagine how much CPU time 1024 bit encryption at the file system level would take up? There is a distinct tradeoff between performance and security happening, and it seems likely that the trend will continue long into the future as hacking techniques become more sophisticated.

I guess I'll quit rambling now just wanted to say that as you increase security, overhead performance will likely decrease in certain ways.

zosX

Thank you for making my case.

[Dark+Coder]

I said "non-public API" which would equate with your "non-front-end" code.

All front-end code should not have to do range checking prior to calling a published API.

It is unpublished (non-public) API that shouldn't have to do redundant range checking.

Is English your forte? Or are you happy to be an AC?

Give me a freaking break

[billybob]

I've been using Macs since the System 7 days, and have used every single version that has come out since then, including the small point upgrades in OSX. I am very, very familiar with Macs. I like Macs.

But you know what? I also like Windows! *gasp* In fact, I actually like it better. And I used to be a silly mac boy like you, dissing Windows all the time, making a god damn fool out of myself. I know, hard to believe. Am I going to get burned at the stake now?

I didnt even start using Windows much until 2000 came out, vs my ~10 years of experience on macs.

Windows UI is not bad at all. My main computer is a Windows machine, because actually, over time I've grown to like it more than OSX. I'm sure the fact that it's a 3200+ with radeon9600 and 18" LCD has something to do with it. VS my current 700Mhz G3 12" screen ibook. What it really comes down to is, everything I need to do on a computer, I can do just fine on a Windows machine.

I'm NOT saying that everyone should use Windows, or that Windows is better than Mac OS, or that Macs suck, or anything like that. I like Macs and if you do too, that's great. Whatever gets the job done. I'm just saying that your "experiment" wont prove shit.

Disables Kazaa?

[Cryofan]

I have heard it disables Kazaa, BTW

Dear god! a new netcraft dying argument!

I was not trying to flame Linux for their past actions - however Linux started out with a fairly clean codebase for both 2.4.x and 2.6.x. Given that, it seems bad that such vulnerabilities keep coming up.

I do agree that both 2.4.x and 2.6.x are a lot more stable than their predecessors. However, you would think that when you are doing something the second time, you would double-check to make sure that you do not make the same mistakes as you did the first time.

I just feel that this is not happening - and any number of factors could be contributing to it (market, economics, manpower, complexity what not) - but that does not mean you do not take the pains to not do it well. I'm sure linus's trying to take as much care as he can to ensure that this does not happen.

However, despite that, these still seem to be happening. Which is what I find quite baffling - there seems to be a fundamental flaw somewhere in there, and that needs to be taken care of. Which is what I mentioned in my initial posting, too.

I Wouldn't Know...

When I installed the XP SP2 download, it blue-screened on start-up. I tried another download - same thing.

I talked to MS online support - "We've been having a bit of a problem with the downloads, try ordering the CD..." Yeah, right.

Ordered the CD and installed it. Same blue-screen... been through the nonsense, now waiting for a serious anwser.

Now don't be hating Microsoft for your mistake.

[khasim]

"Whoopee, in my original post I didn't clarifiy that I was talking about the PC architecture."

The race is over when the first guy crosses the finish line. Not when the most popular guy crosses.

"Never mind that it was far more prolific than Apple's architecture was, meaning most machines didn't have all that stuff."

The race is over when the first guy crosses the finish line. Not when most of them cross.

"Never mind that I never once said MS invented any of it or was first to market with it."

Now don't be hating Microsoft for your error. Microsoft didn't win the technology race, but they won the marketing one. You just have a bit of trouble telling the two apart.

Re:Now don't be hating Microsoft for your mistake.

[NanoGator]

"The race is over when the first guy crosses the finish line. Not when the most popular guy crosses."

Perhaps. However, we're talking about product sales, not a race. The guy with the most money at the end of the day wins. Is it right? Nah. it's the way it works sometimes. It was quite fortunate for MS that Apple had ideas for them to steal.

" You just have a bit of trouble telling the two apart."

Um, no. What you have trouble understanding is that MS didn't just publish fliers, they actually had to make something. They couldn't copy and paste Apple's stuff, they had to rewrite it. They also had to account for the backwards compatibility of their previous Win 3.1 and DOS apps. On top of all that, it had to run on a plethora of hardware that Macs simply didn't have access to.

Like it or not, MS did a lot of technical work.

So it isn't about the technology?

[khasim]

Strange, it seems that you DID say it was about the technology:
"When Windows 95 came out the days of setting individual apps to use your hardware (like sound cards) were over. ..."

But now:
"However, we're talking about product sales, not a race. ..."

"The guy with the most money at the end of the day wins."

If that was your criteria, then why did you even say anything about Win95 and sound cards? Oh, I see. You're attempting to change your criteria now.

"What you have trouble understanding is that MS didn't just publish fliers, they actually had to make something. ..."

Oh, flip-flopped on technology now? Or did you mean "make" as in "make money" (your latest attempt at switching your criteria)?

"Like it or not, MS did a lot of technical work."

So, you've flip-flopped from money back to technology now? Again, the race is over when the first guy crosses the finish line.

Not bad. Three flip-flops in a post that only had three paragraphs from you.

Re:So it isn't about the technology?

[NanoGator]

"If that was your criteria, then why did you even say anything about Win95 and sound cards? Oh, I see. You're attempting to change your criteria now."

I didn't originally specify that I was talking about PCs. I'm guilty of not being that specific early on, no contest. I can see how you read it that way the first time around due to the error on my part, but now after I have clarified you're still harping on it.

"So, you've flip-flopped from money back to technology now? Again, the race is over when the first guy crosses the finish line."

Heh. Don't you think you're trying a little too hard?