'SP2' a Must For XP Users (from the Washington Post)

washingtonpost.com

'SP2' a Must For XP Users

By Rob Pegoraro
The Washington Post
Sunday, August 15, 2004; Page F01

To get an idea of how Windows got to be such a mess, think of it as a
house that was built on an island in the middle of a lake, deep in the
countryside.

Because you're so isolated, you don't need to worry about keeping
strangers out -- your security rests on being physically separate from
the rest of the world.

So it doesn't matter that the windows can only be latched shut with
great difficulty, that locks were picked to match the decor (no ugly
deadbolts here!) and there's an extra key hidden under the doormat.

Now take that house and move it into the city. Shopping or socializing
no longer requires a long drive; all the distractions you might want are
right outside. But there are a few burglars in town, and they all know
how easy your house is to break into.

In this case, security means making sure that nobody can get in the
house unless you open the door yourself. You need to hire a good locksmith.

With a new update called Service Pack 2 for Windows XP, Microsoft is
trying to perform the same repairs, making software once built for
isolated desks safe on the crowded, bustling Internet.

Service Pack 2, "SP2" for short, is Microsoft's most important release
since XP itself. It aims to stop viruses, worms, browser hijackings and
worse by including security features that people had to add and adjust
on their own. (Users of Windows 2000, Millennium Edition, 98 and 95 will
still need to do that, since Microsoft has no plans for a comparable
update of those systems.)

The most important part of SP2 is an new firewall program to stop
break-ins by network worms such as Blaster. Unlike XP's earlier
firewall, this one is turned on automatically and protects every
connection on a computer -- even if you already have another firewall
active. It also watches what your programs do; if one wants to open its
own channel of communication with the Internet, you'll need to approve
this action.

The need to make this choice for potentially dozens of programs, even
Microsoft's own, can be a drag, but the decision should be fairly
simple: If you recognize and trust the program, it should be safe to
"unblock" its access. But if you've never heard of it, keep blocking it
unless things stop working.

Automatic system updates are just as important in Service Pack 2. The
first time you boot up a computer after installing SP2, a can't-miss,
full-screen alert asks you to allow Windows to download and install
Microsoft's security updates automatically.

A new Security Center control panel provides quick access to firewall
and automatic-update settings, and it checks for active, up-to-date
anti-virus software. Though anti-virus protection is essential to
Windows security, SP2 doesn't include any; you must install your own.

As part of SP2, the Internet Explorer Web browser now -- finally! --
blocks unsolicited pop-ups. This overdue step eliminates many intrusive
ads (yes, The Post's Web site runs its share) but also stops hostile Web
sites from tricking users into downloading unwanted programs by
barraging them with pop-ups.

To police browser-hijacking attempts, IE now restricts the ability of
Web sites to push "ActiveX" programs on visitors; the default choice is
to decline an ActiveX program, and you can reject all future
installations from a Web site with two clicks. ActiveX should be retired
-- this inherently insecure Microsoft technology grants a Web site
unrestricted access to your computer -- but these changes should at
least make a hijacker's job tougher.

When you use Internet Explorer to download new software, Windows will
ask if you're sure you want to run each of these programs, even if
that's days after its download.

Because of these and other security fixes, I did sometimes have to
reload a "download now" page to convince IE that I really wanted the
file -- a small price for a safer browser, albeit one still behind such
competitors as Mozilla Firefox in its capabilities.

The Outlook Express e-mail program, meanwhile, no longer allows any
access to programs sent as file attachments. Hiding a program inside a
compressed "zip" file won't work either -- you can decompress the
archive, but Windows won't let you run its contents.

This may frustrate users who send greeting cards and other little
programs in e-mail. I don't care. The cost of mail-borne viruses is too
high, and Microsoft did the right thing in placing security over
convenience. (Imagine if it had made this trade-off four years ago.)

Many non-program attachments, such as Microsoft Word documents and MP3
audio files, also require a second click to confirm that you really want
to open them. (Pictures didn't require that extra step.)

Outlook Express also stops the display of Web images in messages, a
common trick spammers use to see who opens their junk.

Service Pack 2 does include one bonus feature that isn't strictly
security-related; it now lists the signal strengths of each available
WiFi wireless connection, an obvious feature that Microsoft inexplicably
left out before.

Beyond these visible changes, Service Pack 2 folds in numerous
alterations to the inner plumbing of Windows. Such unneeded features as
the Messenger Service, which spammers exploited to broadcast
official-looking pop-up ads, are now shut off, and others are exposed
only to a local network. With SP2's firewall shut off, however, I did
find that it left two network ports open for no apparent reason.

People running computers equipped with 64-bit processors get extra
protection against "buffer overflow" errors, a common tactic used to
sneak hostile programs onto a computer. Service Pack 2 can tell these
chips to enforce "no execute" rules that prevent a program from running
in a block of memory that isn't specifically reserved for use by programs.

Despite all the surgery Service Pack 2 conducts in the guts of Windows,
all four of my installations worked. A Dell desktop needed 30 minutes;
two others took closer to an hour, and an older IBM desktop needed two
hours, counting the time needed to start from scratch after a first
install was halted by a mysterious reboot. The only program I found that
did not function afterward was a specialized networking utility.

Many of SP2's Internet features, such as its control over downloads and
attachments, don't work in other Web and mail programs, but developers
of those can add support for them.

Service Pack 2 still can't save gullible users from themselves, though.
And since it continues to grant people "administrator" access to a
computer, any one mistake can take down the entire machine.

This leaves Windows XP at a continued disadvantage compared with such
competitors as Linux or Mac OS X. (Programmers call the idea of giving a
user no more power than needed for the job "the principle of least
privilege"; the same logic comes into play every time a parent gives a
kid a $20 bill, not $50, before sending him out to pick up a pizza for
dinner.)

Service Pack 2 is a free update, but it's not easy to get -- yet. A
266-megabyte download is available at Microsoft's site
(go.microsoft.com/?LinkID=806688), while users with automatic updates
enabled will have a smaller version sent to their PCs over the coming
weeks. Around the end of the month, SP2 will be available on CD-ROM; to
Microsoft's credit, it will ship these CDs at no charge.

Computer manufacturers should be able to add this update to their
systems within a month or so, Microsoft says. I would like to suggest
that any firm that isn't pre-installing SP2 by November has no business
selling home computers at all.

Individual Windows users bear the same responsibility: If you run XP,
you need to install SP2. Period. Loading a system update this big is
never risk-free, but the far bigger risk is to keep stumbling along with
an unpatched copy of Windows XP. Ask a computer-savvy friend to install
it if you must. But don't wait for the viruses and worms to stop coming.
They won't.

Living with technology, or trying to? E-mail Rob Pegoraro at .

© 2004 The Washington Post Company

Interesting article. How about posting just the URL next time?
--
Ted Zieglar
formerly "Rocket J. Squirrel"


"Sparky" wrote in message
et...
washingtonpost.com

'SP2' a Must For XP Users

By Rob Pegoraro
The Washington Post
Sunday, August 15, 2004; Page F01

To get an idea of how Windows got to be such a mess, think of it as a
house that was built on an island in the middle of a lake, deep in the
countryside.

Because you're so isolated, you don't need to worry about keeping
strangers out -- your security rests on being physically separate from
the rest of the world.

So it doesn't matter that the windows can only be latched shut with
great difficulty, that locks were picked to match the decor (no ugly
deadbolts here!) and there's an extra key hidden under the doormat.

Now take that house and move it into the city. Shopping or socializing
no longer requires a long drive; all the distractions you might want are
right outside. But there are a few burglars in town, and they all know
how easy your house is to break into.

In this case, security means making sure that nobody can get in the
house unless you open the door yourself. You need to hire a good
locksmith.

With a new update called Service Pack 2 for Windows XP, Microsoft is
trying to perform the same repairs, making software once built for
isolated desks safe on the crowded, bustling Internet.

Service Pack 2, "SP2" for short, is Microsoft's most important release
since XP itself. It aims to stop viruses, worms, browser hijackings and
worse by including security features that people had to add and adjust
on their own. (Users of Windows 2000, Millennium Edition, 98 and 95 will
still need to do that, since Microsoft has no plans for a comparable
update of those systems.)

The most important part of SP2 is an new firewall program to stop
break-ins by network worms such as Blaster. Unlike XP's earlier
firewall, this one is turned on automatically and protects every
connection on a computer -- even if you already have another firewall
active. It also watches what your programs do; if one wants to open its
own channel of communication with the Internet, you'll need to approve
this action.

The need to make this choice for potentially dozens of programs, even
Microsoft's own, can be a drag, but the decision should be fairly
simple: If you recognize and trust the program, it should be safe to
"unblock" its access. But if you've never heard of it, keep blocking it
unless things stop working.

Automatic system updates are just as important in Service Pack 2. The
first time you boot up a computer after installing SP2, a can't-miss,
full-screen alert asks you to allow Windows to download and install
Microsoft's security updates automatically.

A new Security Center control panel provides quick access to firewall
and automatic-update settings, and it checks for active, up-to-date
anti-virus software. Though anti-virus protection is essential to
Windows security, SP2 doesn't include any; you must install your own.

As part of SP2, the Internet Explorer Web browser now -- finally! --
blocks unsolicited pop-ups. This overdue step eliminates many intrusive
ads (yes, The Post's Web site runs its share) but also stops hostile Web
sites from tricking users into downloading unwanted programs by
barraging them with pop-ups.

To police browser-hijacking attempts, IE now restricts the ability of
Web sites to push "ActiveX" programs on visitors; the default choice is
to decline an ActiveX program, and you can reject all future
installations from a Web site with two clicks. ActiveX should be retired
-- this inherently insecure Microsoft technology grants a Web site
unrestricted access to your computer -- but these changes should at
least make a hijacker's job tougher.

When you use Internet Explorer to download new software, Windows will
ask if you're sure you want to run each of these programs, even if
that's days after its download.

Because of these and other security fixes, I did sometimes have to
reload a "download now" page to convince IE that I really wanted the
file -- a small price for a safer browser, albeit one still behind such
competitors as Mozilla Firefox in its capabilities.

The Outlook Express e-mail program, meanwhile, no longer allows any
access to programs sent as file attachments. Hiding a program inside a
compressed "zip" file won't work either -- you can decompress the
archive, but Windows won't let you run its contents.

This may frustrate users who send greeting cards and other little
programs in e-mail. I don't care. The cost of mail-borne viruses is too
high, and Microsoft did the right thing in placing security over
convenience. (Imagine if it had made this trade-off four years ago.)

Many non-program attachments, such as Microsoft Word documents and MP3
audio files, also require a second click to confirm that you really want
to open them. (Pictures didn't require that extra step.)

Outlook Express also stops the display of Web images in messages, a
common trick spammers use to see who opens their junk.

Service Pack 2 does include one bonus feature that isn't strictly
security-related; it now lists the signal strengths of each available
WiFi wireless connection, an obvious feature that Microsoft inexplicably
left out before.

Beyond these visible changes, Service Pack 2 folds in numerous
alterations to the inner plumbing of Windows. Such unneeded features as
the Messenger Service, which spammers exploited to broadcast
official-looking pop-up ads, are now shut off, and others are exposed
only to a local network. With SP2's firewall shut off, however, I did
find that it left two network ports open for no apparent reason.

People running computers equipped with 64-bit processors get extra
protection against "buffer overflow" errors, a common tactic used to
sneak hostile programs onto a computer. Service Pack 2 can tell these
chips to enforce "no execute" rules that prevent a program from running
in a block of memory that isn't specifically reserved for use by programs.

Despite all the surgery Service Pack 2 conducts in the guts of Windows,
all four of my installations worked. A Dell desktop needed 30 minutes;
two others took closer to an hour, and an older IBM desktop needed two
hours, counting the time needed to start from scratch after a first
install was halted by a mysterious reboot. The only program I found that
did not function afterward was a specialized networking utility.

Many of SP2's Internet features, such as its control over downloads and
attachments, don't work in other Web and mail programs, but developers
of those can add support for them.

Service Pack 2 still can't save gullible users from themselves, though.
And since it continues to grant people "administrator" access to a
computer, any one mistake can take down the entire machine.

This leaves Windows XP at a continued disadvantage compared with such
competitors as Linux or Mac OS X. (Programmers call the idea of giving a
user no more power than needed for the job "the principle of least
privilege"; the same logic comes into play every time a parent gives a
kid a $20 bill, not $50, before sending him out to pick up a pizza for
dinner.)

Service Pack 2 is a free update, but it's not easy to get -- yet. A
266-megabyte download is available at Microsoft's site
(go.microsoft.com/?LinkID=806688), while users with automatic updates
enabled will have a smaller version sent to their PCs over the coming
weeks. Around the end of the month, SP2 will be available on CD-ROM; to
Microsoft's credit, it will ship these CDs at no charge.

Computer manufacturers should be able to add this update to their
systems within a month or so, Microsoft says. I would like to suggest
that any firm that isn't pre-installing SP2 by November has no business
selling home computers at all.

Individual Windows users bear the same responsibility: If you run XP,
you need to install SP2. Period. Loading a system update this big is
never risk-free, but the far bigger risk is to keep stumbling along with
an unpatched copy of Windows XP. Ask a computer-savvy friend to install
it if you must. But don't wait for the viruses and worms to stop coming.
They won't.

Living with technology, or trying to? E-mail Rob Pegoraro at .

© 2004 The Washington Post Company

Ted Zieglar aka "Rocky" wrote:
Interesting article. How about posting just the URL next time?

I understand where you're coming from with the "just the URL" request,
Ted, but this might have been an intentional decision on the OP's part.

I've had problems with articles and URLs from the Washington Post in the
past. First, the URL often doesn't work unless you read the article
*the same day* it was published on line. Second, you often have to
register ("It's Free!") and log-in to read the Washington Post's on-line
articles.

I'm not saying it's this way for *all* articles the Post publishes this
way; it certainly isn't.

But it's also true that the Post makes it harder to read on-line
articles, especialy ones other than the current day, than just about any
other on-line paper I deal with on a more-or-less regular basis.

Bob Pownall

But what about this?
http://zdnet.com.com/2100-1104_2-5311280.html

I think I'll pass for now.


Corse

You're right, of course. Many online newspapers require prior registration.
--
Ted Zieglar
formerly "Rocket J. Squirrel"


"Bob Pownall" wrote in message
...
Ted Zieglar aka "Rocky" wrote:
Interesting article. How about posting just the URL next time?

I understand where you're coming from with the "just the URL" request,
Ted, but this might have been an intentional decision on the OP's part.

I've had problems with articles and URLs from the Washington Post in the
past. First, the URL often doesn't work unless you read the article
*the same day* it was published on line. Second, you often have to
register ("It's Free!") and log-in to read the Washington Post's on-line
articles.

I'm not saying it's this way for *all* articles the Post publishes this
way; it certainly isn't.

But it's also true that the Post makes it harder to read on-line
articles, especialy ones other than the current day, than just about any
other on-line paper I deal with on a more-or-less regular basis.

Bob Pownall

Bob Pownall wrote:

Ted Zieglar aka "Rocky" wrote:
Interesting article. How about posting just the URL next time?

I understand where you're coming from with the "just the URL" request,
Ted, but this might have been an intentional decision on the OP's part.

I've had problems with articles and URLs from the Washington Post in the
past. First, the URL often doesn't work unless you read the article
*the same day* it was published on line. Second, you often have to
register ("It's Free!") and log-in to read the Washington Post's on-line
articles.

I'm not saying it's this way for *all* articles the Post publishes this
way; it certainly isn't.

But it's also true that the Post makes it harder to read on-line
articles, especialy ones other than the current day, than just about any
other on-line paper I deal with on a more-or-less regular basis.

While not disputing that, Bob, there is a little trick to these
"technology" articles, that let me find them without a bit of
trouble in one click just now. [Click on the "Technology" link
in the left hand menu - it gets you a direct route to a lot of
current [up to 14 days] and some special [an April WiFi set of
articles] stuff.]

The release of SP2 prompted the WP to print a spate of
SP2-related articles in its regular Sunday Business Section's
weekly look at computer technology.

They are the afore said "SP2 is a Must ..." article at:

http://www.washingtonpost.com/wp-dyn...2004Aug14.html

"What a Tangled Web I Wove
Computer Naivete Cost Me a Bundle And a Bit of Sanity", by a WP
staffer on her trials and tribulations that resulted from not
installing a firewall or using her AV program, at:

http://www.washingtonpost.com/wp-dyn...2004Aug14.html

"A Digital Doctor Treats Computer Contamination", by one of the
WP's IT contractors who ended up getting the WP staffer's machine
back into working condition, at:

http://www.washingtonpost.com/wp-dyn...2004Aug14.html

"Take Care to Guard Your Windows
Free Firewalls, Patches, Anti-Virus and Anti-Spyware Software
Enhance Security", a "special to the WP" article, at:

http://www.washingtonpost.com/wp-dyn...2004Aug14.html

"Skepticism Is the Message for E-Mail
Avoid Attachments That Come With Spam", another "special to the
SP" article, at:

http://www.washingtonpost.com/wp-dyn...2004Aug14.html

"Computer Users Need a Good Backup Plan", yet another "special to
the WP" article in this SP2-instigated spate, at:

http://www.washingtonpost.com/wp-dyn...2004Aug14.html

All of the info in these articles will be pretty much old "I told
you so" stuff to a lot of people here. But personally, I
downloaded all of these articles and printed them out. Now I can
make copies of them for those computer newbie friends of mine of
the "why do I need a firewall program [AV program, to screen my
email with a skeptical eye, to back up stuff] school of
computing. Mebbe if they won't listen to me they'll heed these
articles - particularly that "What a Tangled Web ..." one. ;-

Yes, if you haven't registered with the Post [I have, it's one of
my local papers, I subscribe to it, so don't mind being
registered], they have increased the amount of demographic info
they ask you before allowing you in. But it is just that,
demographics - nothing of a personal nature that you can't tell
them anything you want to. You don't get on an email mailing
list. I let them set the cookie.

Past technology stuff for a given period is always available at
the main page, from the "Technology" link on the left hand menu.
Articles *always* carry the annnnn-yyyymmmdd format, with date
based on the first edition, done the previous evening - thus
these Sunday articles are all dated 2004Aug14. They will be free
access for 14 days, then you get into charges for archival
access.
--
OJ III
[Email to Yahoo address may be burned before reading.
Lower and crunch the sig and you'll net me at comcast.]

Ogden Johnson III

Bob Pownall

Second, you often have to
register ("It's Free!") and log-in to read the Washington Post's on-line
articles.

Yes, if you haven't registered with the Post [I have, it's one of
my local papers, I subscribe to it, so don't mind being
registered], they have increased the amount of demographic info
they ask you before allowing you in.

Going off-topic here, but I find it a little disturbing that a paying
subscriber to the print edition is required to register to read the on-line
version. After all, you are a paying customer. They say they want your
demographics to tailor their advertising for their on-line edition.

I asked my local paper about this policy (Minneapolis Star Tribune) and they
couldn't explain why a paying customer should have to register to read the same
content on-line. In any event, they don't require the demographics for the
print edition and in fact, have this information about me (name, address, phone
number, etc.) because I subscribe to their paper.

I don't know about the Wash. Post's registration questions but to register for
the StarTribune they ask a ton of questions, so many that I simply won't do it.


--
"When you argue with a fool be sure he is not similarly occupied."

See how the pros get their power!
http://www.powrwrap.com/press.htm

And those are only the ones that MS is admitting to for now.
What a few weeks and that list will very likely "bloom".
So, same here.
We are going to sit this one out for a while.


"Corse" wrote in message
m...
But what about this?
http://zdnet.com.com/2100-1104_2-5311280.html

I think I'll pass for now.


Corse

"Alan S. Wales" wrote in message
...
Ogden Johnson III

Bob Pownall

Second, you often have to
register ("It's Free!") and log-in to read the Washington Post's on-line
articles.

Yes, if you haven't registered with the Post [I have, it's one of
my local papers, I subscribe to it, so don't mind being
registered], they have increased the amount of demographic info
they ask you before allowing you in.

Going off-topic here, but I find it a little disturbing that a paying
subscriber to the print edition is required to register to read the
on-line
version. After all, you are a paying customer. They say they want your
demographics to tailor their advertising for their on-line edition.

I asked my local paper about this policy (Minneapolis Star Tribune) and
they
couldn't explain why a paying customer should have to register to read the
same
content on-line. In any event, they don't require the demographics for the
print edition and in fact, have this information about me (name, address,
phone
number, etc.) because I subscribe to their paper.

I don't know about the Wash. Post's registration questions but to register
for
the StarTribune they ask a ton of questions, so many that I simply won't
do it.


snip


Going further off-subject....

Generally speaking, newspapers are slowly dying in their print form and are
desperate to transition over to the needs of a time-starved 30-second
attention span web culture.

They're in a bind for revenue as circulations (again, generally) suffer
while they must continue to increase ad rates and justify doing so to
advertisers. I'd imagine that's a tough gig right now.

So they're in a spot: they have to try to retain their print subscribers
while finding a way to make their web-based versions generate revenue and
profits. One way of doing that short of requiring web users to actually PAY
for the online editions is to make readers register - information which I
assume they ultimately use to charge their online advertisers some
standardized rate.

Not everyone can be the Wall Street Journal online and count on a paying web
subscriber base.


Stew

The WP article has a little too much hype for me, and not enough reality.
Unfortunately, many of the technology writers for mainstream newspapers do not
have the time to pursue technology issues in depth, being under deadline to
produce articles daily and often also responsible for economic and business
aspects of computer technology news. I'd far rather rely on CNET, Ziff-Davis,
and CMP printed and on-line publications for evaluations of new operating
systems... Ben Myers