Microsoft Lists SP2 Incompatibilities 539
thejuggler writes "ZDNET has a story about how the new XP SP2 causes conflicts with over 50 applications and causes problems with others including some of Microsoft's own products. The 'glitch' as they are calling it seems to be that the Windows firewall system is turned on by default and blocks unsolicited connections to your computer. You have to unblock certain ports as your applications require to make the apps work again. They are calling this a glitch, but I thought we wanted everything blocked by default so we would have to choose what was unblocked?" The BBC has a story as well.
SP2 incompatible (Score:5, Interesting)
Re:SP2 incompatible (Score:5, Insightful)
Re:SP2 incompatible (Score:4, Informative)
Did you have Windows Update update your drivers at the same time as it installed the service pack?
Re:SP2 incompatible (Score:5, Funny)
Re:SP2 incompatible (Score:5, Informative)
I was able to get around it with DVD Idle Pro [dvdidle.com].
It makes it work even with the macrovision protection.
LK
Re:SP2 incompatible (Score:4, Insightful)
MS has been moving away [joelonsoftware.com] from their mantra of absolute reverse compatability. That's said, since that's one thing at which the used to be very good. Still, if SP2 uncovered a bug in someone else's software, that's not SP2's fault; you have to know whose bug it was.
Re:SP2 incompatible (Score:3, Funny)
You can't just change a law, on a whim, without the consent of the people! What are you, a fucking Nazi?
Re:SP2 incompatible (Score:4, Funny)
Re:SP2 incompatible (Score:3, Insightful)
Re:SP2 incompatible (Score:4, Interesting)
Oh but that's ILLEGAL. Please tell me why it's illegal to play a DVD i bought on a computer i bought. Thanks.
News Flash: Firewall Blocks Inbound Traffic (Score:5, Insightful)
Any firewall can break any piece of software if it requires a port that is blocked.
Re:News Flash: Firewall Blocks Inbound Traffic (Score:5, Interesting)
What I think is the "real" issue here is that customers that have installed SP2 simply don't have a clue about what a firewall is, what it does, and how to use it. The problem is also no doubt being exacerbated by programs that needlessly try to access the network.
But I always take the time to say "shame on you" to programs that needlessly try to access the network when their primary function has absolutely nothing to do with networking, ESPECIALLY when their networking options are turned "off".
Re:News Flash: Firewall Blocks Inbound Traffic (Score:5, Interesting)
Re:News Flash: Firewall Blocks Inbound Traffic (Score:4, Funny)
Probably for the same reason that when I ran Doom 3 the spooler service suddenly popped up requesting access to my network. Suffice to say, I went WTF?? :)
Re:News Flash: Firewall Blocks Inbound Traffic (Score:5, Insightful)
You nailed it. (Score:5, Insightful)
I still firmly believe that a person needs a bit of an education before using a personal computer of any sort, especially one with internet access. For their own safety, if not for the safety of others. This isn't the sort of thing that can be remedied by making UI's more intuitive or friendly. Some things you just need to know. For example, everyone should know: what the Internet is; that not everyone on it is trustworthy, and most importantly to READ BEFORE YOU CLICK.
Ignorant (and often gullible) users are too easy to manipulate; 90% of the time it is they who succumb to the shenanigans of fraudsters and virus-writers. For their own sake they need an education, Lord knows the worst of them don't have any common sense.
And indeed, every user should know how to operate a basic firewall. It's an easy thing to explain, especially at the level of allowing or disallowing programs access to the 'net. I've taught several people how to use ZoneAlarm or McAffee Firewall. Most people understand it pretty quickly.
Perhaps if the education can be integrated into the UI somehow (error/warning/question dialog boxes with more pedestrian language and more explanation), we might make some headway against the exploitation of ignorant users.
Re:You nailed it. (Score:4, Interesting)
For example, everyone should know: what the Internet is; that not everyone on it is trustworthy, and most importantly to READ BEFORE YOU CLICK.
My 7 year old daughter knows to do this - I have taught her that if any box appears on the computer to read the message, and if she doesn't understand it or know why the message appears, to ask me. As an example, a while ago she was trying to play a game (probably from the BBC web-site). After a few minutes she came and told me the game wouldn't work - it turned out everytime she clicked on it, she got the standard IE "do you want to run this, blah blah, may cause damage to your computer", so she clicked Cancel (not wanting the computer to be damaged...). After 4 or 5 goes round this she decided it was time to ask for help.
Why is this so difficult to get into other peoples heads?
Re:You nailed it. (Score:5, Funny)
Your daughter is an exceptional case, having obviously inherited her parents' genius.
The average cable modem user is far below the intelligence of a normal seven-year-old girl.
Be proud of your daughter!
Re:You nailed it. (Score:3, Insightful)
think about it.
Mac OSX manages this just fine (Score:5, Interesting)
At present if you want other ports to open, other than these default services, you have to open the ports manually. however I would imagine this coupled action is handled by some .plist xml configuration file. So its probably possible for an application to add its own services to the sharing menu and have them coupled to the firewall if you turn the service on.
On my mac I do manually block the incoming and outgoing license manager ports for MS Office. If you dont and want to share the app on your laptop and desktop then you will lose any open edited docuements if you inadvertently plug them into the same network. I wonder if this lic manager is the reason why MS gave the firewall the ability for apps to open ports in the firewall and to have outbound connections?
OOPS I just found a security issue on the mac! (Score:3, Interesting)
This is the same security issue (not a security hole per se) that microsoft was being critisized for. That is a rogue program can open and close ports on the firewall.
here, try it yourself. the following patch will add a port setting called x-windows to your fire wall and open up ports in the 6000 range.
Dang, the l
Re:OOPS I just found a security issue on the mac! (Score:4, Informative)
You must have either authenticated that application before you opened it, or have some weird configuration of OS X.
Re: (Score:3, Informative)
/Library/Prefereces permissions (Score:4, Interesting)
clueless parent poster (Score:5, Informative)
Re:clueless parent poster (Score:5, Funny)
Anonymous Coward wins. Fatality.
Re:Mac OSX manages this just fine (Score:5, Insightful)
A computer does _not_ need a firewall - it is configured correctly, all those nasty services with security holes in aren't even listening to the internet-facing interface (because you've got it configured correctly). There's no advantage in having a firewall over having the services configured correctly.
The *only* reason to have a firewall is that if you make a mistake and accidentally open a service you didn't intend to, the firewall is there as a failsafe. If you link the firewall and service controls together so you only have to press one button to enable a service you remove this advantage and there is again no reason to ahve a firewall.
Rather than running hundreds of services you don't need and then blocking them, it would be far better to have a unified way of telling all services which interface to bind to - to the end user this would appear like a firewall configurator anyway.
And if you must insist on prompting the user each time Doom 3 opens a listening network port then tie it in with the IP stack properly and prompt the user when it actually opens the port.
To me, the concept of using a personal firewall as your primary method of security is a kludge - if you need one then your machine's configuration is fundamentally broken and that's where you should be applying security.
Security and firewall misconceptions (Score:3, Insightful)
The *only* reason to have a firewall is that if you make a mistake and accidentally open a service you didn't intend to
Wrong. Suppose there is an issue in the IP stack itself? The machine can still be knocked over - a la early NT 4.0 - by crafted packets even if no services are listening. Can you see where a firewall might help?
the firewall is there as a failsafe
Yes, it is. There is a concept called "multi-level security"; you should look into it. Essentially the machine is protected by mult
Re:Security and firewall misconceptions (Score:3, Insightful)
Re:Mac OSX manages this just fine (Score:5, Interesting)
No
firewalls can also be used to get some sort of acl functionality out of them (you might want to enable ssh access to only a few known ip's on the internet), can do packet inspection, perform rate limiting tasks, prevent DoS attacks
Right, because how many Windows personal firewall users are going to be doing that? I haven't seen Microsoft's offering but I'd be quite supprised if it could be configured any mroe specifically than "block this port" and "open that port".
protect the internet from _your_ machine should some malware be running
IMHO blocking outbound traffic from personal firewalls is of dubious use at best - once the machine has been compromised the malware can quite happilly disable your firewall (a number of viruses are known to disable ZoneAlarm automagically) or look at the firewall rules to see which port it can make connections on.
Running a firewall to block outbound traffic only seems sane if it's a completely separate device since once the device running the firewall is in a position to send malicious data the security of the firewall should already be considered void. As far as I can tell, all it does it provides a false sense of security, which is a very bad thing.
Re:Mac OSX manages this just fine (Score:3, Interesting)
So now we're suddenly talking about Microsoft's firewall only? Well, I haven't seen it either, but I'm pretty sure there's a personal firewall available somewhere that can do at least some of these things. Configuring your OS/services well still doesn't protect you from
Re:Mac OSX manages this just fine (Score:4, Interesting)
Depends what sort of DoS you're getting - I don't really see a firewall as a solution to any of them though:
- SYN flood: this problem was solved years ago through the introduction of SYN cookies - anyone who isn't using SYN cookies these days has no business allowing anyone connect to them anyway.
- Bandwidth flood: A firewall ain't gonna help you here - even if you're blocking the packets, they have already traversed your (reasonably low bandwidth) internet connection... The only thing that's going to help here is to block the packets on the ISP side of the connection.
- Slashdotting (i.e. many concurrent connections - may be legitimate connections but they're gonna kill your server anyway): Most services will let you limit the number of connections they will serve at the same time - a firewall is not the answer (unless it's on the ISP side of your internet connection).
IMHO having a firewall running is useful even if only to provide an extra stumbling block for malware.
It's a stop-gap solution - when 99% of computers block outbound traffic by default the malware will all automatically work around the firewalling. Malware is a very fast evolving problem, just like spam - simple stuff like this will only have an effect for a very limited amount of time. I think it's exceptionally bad that it will produce a false sense of security, and the very protocols that worms will be using are likely to be open anyway since they're protocols that people need to use.
Ok, how about a home network then? Many people use one Windows computer using "internet access sharing" to enable other computers to connect to the internet. In this case the internet-connected computer running a personal firewall would be a seperate device and could defend itself (and the internet) much better against the internal compromised machine.
I wouldn't suggest that a firewall is useless in this situation, however I was talking about personal firewalls and would argue that once you start protecting a whole network instead of a single machine you can nolonger consider it a "personal" firewall.
Explanation is in order (Score:3, Interesting)
Control: Even though I have broadband, I want control over what applications connect in and out. When a popup box appears, I am immediately informed what part of Windows or program is trying to access the outside world. I start the PF by locking everything, then clicking yes to everything I want to access the Internet and no to the others (making quick rules
Which defeats the whole purpose (Score:4, Interesting)
I once had to install Windows 2000 on a box, and as Loki would have it, I had no Zone Alarm or Sygate Personal Firewall on a CD at hand. Just as Joe Average would.
So I could go download it somewhere else, or I could do a scapegoat installation just to download a firewall. I chose to just sacrifice an install to the gods of Hacking. I _knew_ I'd get hacked, but that was OK, since I'd reformat immediately after anyway. (Takes less time than whining on
(And I'm not disappointed. It takes less than a minute to get my uplink bandwidth saturated with mysterious outbound packets.)
Still, it will serve to illustrate what happens after you get your machine 0wn3d by some l337 skr1p7 kiddi3.
So I decide to play with it a bit longer, and see what happens with a firewall and an 0wn3d machine.
I start the newly downloaded and installed Sygate Personal Firewall, and immediately it pops up a window telling me the name of the application _and_ what's it trying to do. I block it, and that's that. No more outbound packets. I can tell struggles long and hard to send crap, but it can't. Both its inbound and outbound pipes have been sealed shut.
I can now toy with that machine as long as I wish, trying to disinfect it. Again, which is what Joe Average would want. If it's _not_ a sacrificial install, but some machine where his resume and a few gigs of other important data is, Joe will not want it reformatted.
I can even surf the net looking for information on the trojan, safe in the knowledge that it's blocked. No need to pull out the network cable.
Whereas you tell me that Apple would have allowed it to open its own ports, as it damn pleases. Inbound or outbound, whatever. And not even told me about it.
Well, gee. Sorry, that's not the kind of security I'm looking for. Dumbing down a firewall to the point where it doesn't actually block anything, in the name of "user-friendliness" is _not_ the way to go.
Comment removed (Score:4, Interesting)
those apps were broken, and the assumptions wrong (Score:5, Insightful)
it was NOT OKAY for microsoft to assume blithly that users are all dunderheads who can't be educated, can't take responsibility, and can't be trusted to make choices.
the only thing broken is not the 50-odd apps, but the corporate vision of M$. they need to deal with the facts: it is not "the Connected Internet with each user a Member Of The Community" any more; everything is interconnected and bad boys can roam the streets unseen and unbidden in Electron Town; and, finally, welcome to the 21st Century, M$, please read the rules this time.
if you want a really good firewall, consider either tiny firewall or zone alarm, both much more friendly and complete, and free as well as licensed/supported versions of both availiable for download any time you want.
Re:those apps were broken, and the assumptions wro (Score:5, Insightful)
This is not an assumption, it is a conlusion (and one shared by anyone who has ever spent time trying to support end users). Most users are dunderheads, won't take responsibility, don't want to be educated and can't be trusted to make good choices.
Not all, mind you, but certainly most.
Why block above 1024? (Score:3, Insightful)
Inbound and outbound port management is really too much for technophobes. I usually set up a simple firewall and open up everything after 1025. They dont get hit by trojans and their apps work. If they do network printing, sharing, etc I just make e
Most notable incompatibility on the list (Score:5, Funny)
More incompatibilities... (Score:5, Funny)
Those poor hackers...
Guess who got FP on the broken apps list? (Score:4, Funny)
lol.
The sad thing is.. (Score:5, Insightful)
Not likely (Score:5, Insightful)
It would be more likely that application authors will start including tools in their installation wizards for opening ports the application needs.
The sad thing is, any app could easily get passed the firewall with a bit of social engineering. I saw a popup on a Windows machine infected with some ad/spyware today. The window started an automatic download (and thus, on Windows, install) of some app. The page showed a picture of the security warning dialog and told the user to just click Yes. Which is actually what most users will do, because they don't know any better, because nobody has taught them.
Re:Not likely (Score:5, Informative)
I'm a developer (open-source), and I use windows. I've had no (and I repeat: no) reason to leave. My windows installs are secure enough for me to not worry about anything. The software installs fine and works well. My multimedia works perfectly, and all my games run natively and with hardware acceleration. My machine runs apache, ssh, mysql, cvs, you name it. Multi-monitor support, hardware-accelerated GUI, everything.
I know you can do all that stuff on other platforms, but that's not the point. I can do it on Windows, so why should I change?
Not all Windows users are lazy or naive... some have found a very useable operating system that lets them do EXACTLY what they want, with no fussing.
And your last point is mooted by SP2 - the only way you can run that program is if you download and run it yourself, which can be done on ANY OPERATING SYSTEM. The auto-installs on IE are now a thing of the past (they're not auto any more, and require lots of clicking to start, with lots of big, red "X"s everywhere.)
I'm not trying to be argumentative, but I keep seeing this "windows users are all stupid, and windows is useless crap" rubbish everywhere, and it's starting to get slightly annoying :)
Re:The sad thing is.. (Score:3, Interesting)
I'm sure a simple update to add "if (connection.ip != INADDR_LOOPBACK)" to the firewall code. Frankly, I'm surprised it wasn't already in there.
forgot to mention Intel Landesk (Score:3, Interesting)
Not a big deal... (Score:5, Insightful)
The vast majority of PC problems these days are rooted in the fact that most users are lazy, and don't want to be bothered with details. Perhaps they can read tax forms, but a simple Windows dialog? Forget it.
If users can't muster up more than an ounce of effort to secure their PC, they shouldn't be using one. Just as a driver needs to make sure their car is roadworthy, PC users need to be sure that their systems have at least some rudimentary method of protection. It's just not that hard, and it's not too much to ask.
If computer users can't manage to get their heads around simple dialogs (which SP2 questions pretty much are), they deserve the trouble they get... perhaps them being offline would reduce the spam & DDoS zombies.
I suppose wishing those people offline is a fantasy, but it certainly would help reduce the idiot factor on the net.
Re:Not a big deal... (Score:4, Interesting)
Software Firewall? (Score:4, Insightful)
One problem... (Score:5, Insightful)
One word for you. (Score:5, Funny)
Laptops.
(Here are some more words: like you, I use a hardware firewall for my home/office, but when I'm at the coffeeshop with my laptop, it's kinda hard to lug all that routing gear around.)
(And here are even more words for you: concrete, bouncy, superfluous, carrot, foobly, upwards. Not sure about foobly, though.)
As the Register article stated on this topic.. (Score:5, Insightful)
Microsoft folds and implements some security features which inevitably break things... then everybody gets upset.
You can't have it both ways.
Re:As the Register article stated on this topic.. (Score:4, Informative)
http://www.theregister.co.uk/2004/08/12/winxp_s
Re:As the Register article stated on this topic.. (Score:4, Informative)
Re:As the Register article stated on this topic.. (Score:3, Insightful)
First, you're dismissing the (rather large I bet) group of people who don't want it both ways. For instance, huge numbers of computers are already protected to some degree by corporate firewalls and home routers and similar such things. Now when these people
It's not THAT bad... (Score:4, Insightful)
Re: (Score:3, Insightful)
in other news... (Score:5, Funny)
Default Port Blocking is wrong when... (Score:3, Interesting)
Re:Default Port Blocking is wrong when... (Score:4, Interesting)
Re:Default Port Blocking is wrong when... (Score:4, Interesting)
Most of us conscientious 'app vendors' have been diligently studying the various release candidates coming out of Redmond.
Before beating on the ISVs make sure you check out a legitimate bug [microsoft.com] in SP2. This particular bug wasn't present in RC2 and has caused a good few slashdot-friendly vendors some undue heartache (notably PuTTY [greenend.org.uk]).
Yes, there are vendors out there who ought to have been more prepared, but MS certainly needs to take a good deal of responsibility for these current issues.
SP2 firewall. (Score:5, Informative)
More Bad than Good (Score:5, Insightful)
Given this dialog:How many users are going to click "Yes"? You think it is stupid if a user clicks "Yes" but do you know how stupid is it to allow the user the option to click "Yes" and ruin their computer?? Now change "Ruin your computer?" to "An application has request traffic on port 139. Open it?"
This is a simplified example yet this is whats happening. A firewall is supposed to stop network traffic inbound or outbound that isn't accounted. Allowing the user to sidestep this easily is as handy as asking if they want to ruin their computer: Yes or No. Even with the improved features I'm still going to get calls from Mom saying something complained it wanted access so she clicked "Yes" to get it to shut up. Expecting users to be savy enough to patrol their computers got MS into this mess with SP 2. Now people are suddenly going to be wise??? Something doesn't add up.
I am not knocking SP2 since there are great things going on here but as the old saying goes: Security is a process. SP2 still "enables" users to screw up their computers with a few more hoops to jump through. I would rather have my parents have to jump through a few more hoops before they hang their computer with all of the wonderful "rope" MS gives them but I'm still very bothered its easy to hang themselves.
Simply put, in my opinion Zone Alarm is right and SP2 is wrong. The firewall is there to stop unwarrented traffic not to conviently prompt you to disable it.
microsoft bashing (Score:4, Insightful)
Sounds like people are trying to find as much fault in Microsoft as possible. It looks like most of these aren't even problems but are something that Microsoft bashers can use to fuel their fires. As I'm sure many posts have already pointed out by the time I post this, a lot of these problems are just because of closed ports.
Designed for newbies (Score:4, Interesting)
My mother doesn't know what a firewall is, nevermind how to switch it on.
Those who know what it is, and how to configure it, will be able to open the required ports or allow the required programs access to those ports.
The clueless might not be able to use some programs, but if that means viruses and worms will not spread as much as before then it's something I think we all can live with.
not broken (Score:3, Interesting)
(i.e. "broken"!)
Non story (Score:3, Insightful)
The 'glitches' listed on the KB articles would be affected by any end user firewall, or hardware firewall on the market. To bash MS for this is counter productive. They have done the right thing in enabling it by default. If you want to run a server, you ought to be smart enough to figure out how to configure your firewall. If not, then its better for the net as a whole, you are the type of person still spreading Code Red.
Are you feeling lucky, punk? (Score:5, Funny)
I'm sure there's going to be at least a dozen knuckleheads out of 3000+ who do DL the update. Those are the same one's who call the Help Desk saying, "Hello, I think I just got a virus. (pause) Yeah, I received an email that had an attachment that I didn't recognize so I double-clicked it to find out what it was. (pause) Ok, I'll shut it down and wait for a tech. Thanks. (click)" Unfortunately, that is an actual conversation I heard over the cube wall...
I'm so glad I work on the UNIX side of IT!
Think maybe they could do some dupe checking? (Score:3, Insightful)
Lets see... just for this application, through putting the version in it's own field, in the same field as the application name, and misspelling it a couple different ways, (and varying the version unnecessarilly) they've managed to list two seperate versions of the application (8.6.1 and 9.1) and somehow come up with 6 seperate entries... I think the list is shorter than y'all think...
Re:Think maybe they could do some dupe checking? (Score:3, Funny)
Even more interesting (Score:5, Informative)
See if you can find your favoirite bug on this list!
Scary quote (Score:4, Interesting)
It just fills you with confidence in their network security qualifications, doesn't it? I'm sure their audience won't be too confused (even most online gamers know the difference between "port number" and "number of ports"), but that just makes it even stranger that they hired a technical writer who can't make that distinction clearly.
Re:Scary quote (Score:3, Interesting)
Oh, and one more thing. (Score:5, Insightful)
The whole Service Pack 2 thing here on Slashdot has gone way out of control. You have to stop bashing Microsoft for every single thing they do. This time they tried their best. Yes, it might not work 100%, yes some things will break, but this is the nature of a firewall, and it's definatly the nature of Microsoft. Would you rather Microsoft hadn't released SP2? I don't think so.
Also, to those of you wise enough to know if you'll have compatability issues, don't install SP2. It's clearly not for you. This is aimed at the average Joe user who browses the Internet, and checks his e-mail. It's designed to stop low level attacks instead of causing the next Blaster. Just because you are a Geek or a Linux guru does not give you the right to bash this, because it is not for you. There's a reason you're using Linux, right? Better security, etc? Stick with it.
And the final point, a lot of you are complaining about how the average user knows no better than Microsoft, and can't defend themselves against simple spyware. Then for God's sake, please go out and help these people! You wouldn't believe the number of people who come to me to fix their laptops about various problems (mostly spyware and viruses), and I always educate them on the matter. I don't just fix it for them, I make sure they understand exactly what they did wrong, and how never to repeat it. And to those of you who believe that they should be ditching Windows XP for Linux... forget it. It's not for them. They'll have no reason to switch over. You're preaching to the wrong choir. Talk to those who you know will be interested rather than the average user.
Firewall == stumbling block (Score:3, Informative)
After I overcame my initial nausea we spent a few minutes on the firewall device and determined that its outside port was dead. I offered him a free (as in beer) FreeBSD (free) system to do this job - a nice, easy kill, and it gets me the run of another BSD box with a static IP.
The firewall thing on the PC was a bigger problem - not so good interface, user deeply confused by the idea that some addresses aren't globally routeable, further amazed that some devices can change these RFC1918 addresses to globally routeable numbers, and utterly boggled by the concept of being able to *see* what your computer is doing on the network.
Bottom line? This guy has no business doing anything other than pulling cables and plugging stuff into a network that provides DHCP and he *knows* this is the case.
I predict job growth in the 'digitician' field - the PC guru that comes around is going to become a real live job, instead of a friend or relative you impose upon for help. I, luckily, have avoided 98% of this work by becoming an inscrutable BSD prophet and would have avoided this one as well, were it not for the interior designer roaming around the office with her thong peeping out at regular intervals.
what I want to see is 3 lists... (Score:3, Insightful)
A list of applications broken by the NX features on X86-64 (which I am not affected by)
and A list of applications broken by other things
Re:what I want to see is 3 lists... (Score:3, Informative)
And guess where ZoneAlarm 4.5 sticks it's stuff into? You gotta go pretty low-level to intercept packets.
And in case of Gunbound, it's actually the Gunbound's anti-hacking system ('GameGuard') that causes the bluescreen. I think it also goes to poke something WAY low-lev
Bah (Score:3, Insightful)
I installed it as Beta on my work machine and haven't had any issues with it affecting my access to critical applications. Anytime something new attempts to access the net a dialog pops up and asks what it should do. This is the same behavior that Zone Alarm does, and that's what I would hope to see.
I can still work, I'm able to use Remote Desktop and VPN into work from home.
Either you want Microsoft to be security minded and patch holes, or you want it to be easier to use and less secure. Pick one, you can't have both.
Comment removed (Score:5, Interesting)
My Problem with SP2 (Score:3, Interesting)
Did you expect anything different? (Score:3, Insightful)
Whether the closed source nature of Windows and Windows applications encourages this kind of slovenly programming is not the real issue here. The real issue dates right back to the early days, and the difference between mini- and microcomputers.
Unix was conceived from the outset as a minicomputer OS. That meant it had to have at least some awareness of multiple users -- some of whom might be dangerous, whether due to malice or incompetence. Privilege separation was built in from the outset; with just one, special user account able to do absolutely anything, including bring the system down irretrievably. This purposely was never blocked.
MS-DOS was conceived from the outset as a microcomputer OS -- it was once a CP/M clone. A computer running DOS would have a single user, and not be connected electrically to anything else -- except maybe a minicomputer, via an RS-232 serial link; and requiring a particular program to send data to and accept data from the port, and when that program is not running, nothing happening on the port can affect what the computer is doing. Therefore, there was no need for privilege separation; that one user could effectively be given root privileges. Or almost
Advance a few years and we have networks. Unix -- thanks to the ingenious concept of treating everything as a file -- gains the ability to treat storage devices and peripherals attached to other network nodes as its own. MS-DOS PCs are generally connected to communal file and printer servers -- effectively, using the network as an alternate hard disk / printer interface. This functionality has just been bodged in, a little at a time, as and when necessary.
Now remember that Linux and Mac OS X are both based on Unix -- which was already a fully fledged, network-aware system -- while Windows is based on MS-DOS, which began as an "island" system without giving the user full manual override ability. In other words, someone could cause Windows to run a program without the user even being aware of it, much less able to do anything about it.
Once you factor in a huge influx of clueless users -- and I'm talking tipp-ex on the screen, broken the coffee cup holder, adding up the spreadsheet with a calculator type cluelessness -- this becomes a recipe for disaster. For Windows to reach the point of total unusability was inevitable, and -- this sticks in my craw a bit -- it's a testament to Microsoft's hard work and determination that it's actually taken up to now for this to happen.
Re:The Noobie Argument (Score:3, Insightful)
as things stand right now, i don't see how ease of use and security can possibly go together. what is needed is user education, but the vast majority of users 'just want it to work' and refuse education.
Re:The Noobie Argument (Score:4, Insightful)
Now, like a responsible company should, they've taken the drastic step of enabling a firewall on Windows by default. And, like any slashdot FUD loving crowd would, slashdot is blaming microsoft because a list of 50 third party apps won't run if some ports aren't opened on a firewall.
I'm happy with SP2, very happy at the extra secuirity, especially enabling the NX bit on my A64.
A port is just an integer (Score:5, Insightful)
There's a common misconception that the ports above 1024 are somehow "safer" than the lower-numbered ports. As far as an attacker is concerned any tcp port is as good as any other if there's a service listening on it.
Re:The Noobie Argument (Score:5, Insightful)
Na, just kidding. You're completely right. There comes a time when the average user has to spend 20 minutes giving a shit about his computer and learn some basic fundamentals. At some point in time, people, in general, did the same thing for their cars. Old ladies will get their oil changed every 3000 miles yet your average user doesn't know it's bad to click yes to "do you wish to install spyware?"
I've had it with people asking me to help them out with their computers. I feel like a plumber who gets the question "hey, I just clogged my toilet by taking a huge dump, how do I fix it?" everywhere he goes. It's not the ignorance I mind, it's the indifference about computer fundamentals that leads to someone else fixing it. If people don't want to learn that "techno mumbo jumbo" then don't use a computer. If I said to the police officer "what the hell, blinker? Break? Steering away from pedistrians? What is this auto mumbo jumbo?" I don't think he'd understand.
Re:The Noobie Argument (Score:3, Funny)
We have people here who work on computers for 8 hrs a day who I swear haven't ever touched a computer before. Despite my pleading with the HR department they still don't bother checking people's computer literacy before hiring them and it shows in the fault logs, badly. I swear - if I
Re:The Noobie Argument (Score:3, Insightful)
1. Click Start, click Run, type wscui.cpl in the Open box, and then click OK.
Whatever happend to click start, click on the control panel, then click on the icon...?
I fear the easiest solution for most will just be clicking the disable box next to the firewall service.
Re:Time for change? (Score:4, Interesting)
Re:Time for change? (Score:3)
Re:Time for change? (Score:4, Interesting)
Realistically, how is a Linux distro like Gentoo a real "alternative" at all, for the average PC user wanting a "workstation OS" that runs all of their purchased "off the shelf" software packages??
Just as one little example, a good friend of mine recently wiped Windows XP off his Dell Latitude laptop and replaced it with the latest Gentoo Linux distro. He could only stand it for about 3 days before deciding it just made his laptop *less functional* than it was worth, and went back to XP.
It's not that he dislikes Linux! He thinks it's great! (So do I, for that matter.) It's just that Linux is based on a *server-centric* OS (Unix), and all the attempts to reconstruct it as a desktop workstation OS with user-friendly GUI are less than fully realized.
I'm all for competition, but as much as some people want it to be, I don't think Linux is really the direct competition for Windows XP right now. If anything, it's poised more as a sensible alternative for something like Windows 2000 or 2003 Server.....
If you want a Unix type OS done right as a workstation, I think Apple already pulled it off better than anyone else -- but that's getting into a whole new hardware AND software investment.
Re:hmm... (Score:3, Insightful)
Re:hmm... (Score:5, Insightful)
And they have nothing to do with the actual code in the Service Pack (I've been running it fine since it was released on Winbeta).
If you took time to read the article, you'd find that the applications would work fine if you disabled the Windows Firewall. The applications fail because SP2 enables a firewall by default, and these applications do not work without an open port.
Anyone who tries to agree with the anti-microsoft FUD in the article above must be some kind of luddite or a really blinkered linux zealot.
Enabling a firewall by default in Windows is the greatest thing Redmond has ever done to try and make up for the horror's they've unleashed on the people of the world. Trying to spread even more FUD with the objective to stop people from applying this service pack is madness.
Re:hmm... (Score:3, Insightful)
Enabling a firewall by default in Windows is the greatest thing Redmond has ever done
Only problem with it - they made it nine years later than ought to.
Re:hmm... (Score:3, Interesting)
Trillian and Warlords:Battlecry III were the only apps with this "problem" to date. For some reason they're bypassing some Windows API's and directly executing code from memory they're not supposed to. This isn't Microsofts fault either - I love watching Windows and my CPU working together to ensure code that runs
Re:Transition (Score:5, Insightful)
Re:Transition (Score:3, Insightful)
As for your comment on these programs having been this way for "years and years", that is somewhat disingenuous. These features may have only been around as long as the internet h
Re:Like we didn't see this coming... (Score:4, Interesting)
This is all well and good.
Now you install a Firewall, perhaps one bundled with your Linux distro.
Suddenly, Mozilla doesn't work anymore! You can't browse the internet!
Is this the fault of your Linux distributor? Why are people saying that Windows is useless because the new firewall *blocks* traffic unless you open the right ports? Why aren't people saying the same for Linux, when Linux works *exactly* the same way?
Or do you just like to spread anti-MS FUD so you can get karma on slashdot?
Re:Like we didn't see this coming... (Score:4, Interesting)
As Mr FUD is suggesting, Windows users won't configure the firewall at install time (which is why those apps don't work). To be fair we'll also assume that you won't configure your linux firewall at install time.
Any good firewall will block outgoing traffic just as well as it blocks ingoing traffic, by default. The new windows firewall in SP2 blocks outgoing traffic (the SP1 version of the firewall was inbound blocking only).
So, without configuration, you'll find all those linux distros you've listed share this same problem - when you install an unconfigured (all ports closed 2-way) firewall on them, some applications will break.
You can't go and say that it's a "non-existent" problem, because you have to assume that any user who can't configure a firewall under Windows couldn't do it under Linux either. What we're really seeing here is Windows moving closer to Linux's security methodology - secure by default. So the problems mentioned in the article are directly applicable to any Linux distro that is secure by default - yet people are hanging it on MS despite this.
Re:QA anyone? (Score:5, Informative)
The same applications would all stop working if you installed any firewall, hardware or software, router or ZoneAlarm.
This has nothing to do with QA testing - obviously if you enable a firewall, some apps are going to stop working.
Why on earth is it microsofts QA departments fault that you can't FTP if your FTP port isn't open on your firewall?
If you think that it really is MS's fault after actually reading the article - then yes, you should be shot. Twice. Darwin save us all.
Re:I GOT A GREASED UP YODA DOLL SHOVED UP MY ASS! (Score:3, Funny)