Why Windows XP Is Bad

When Windows 2000 came out, it was expected to be one of the biggest disasters in the history of the computer industry. While W2K was bad, it was marketed by Microsoft as an OS for business users rather than for home users (as Windows NT always was), so ultimately, it didn't affect too many people except the corporate folks who, by that time, had probably already become well accustomed to the lunacy that is NT-based Windows. But Windows XP is marketed as the Windows for general users, and since its release, XP has become the most widespread and damaging computer virus our world has ever seen. Windows XP is perhaps the ultimate meme virus--a virus which spreads by thought and culture rather than by biological or technical exploitation. There is no single event that has ever occurred which has negatively impacted the face of computing so much as the release of Windows XP.

This page endeavors to explain why.


Windows Product Activation

I shouldn't really need to say any more about this; It's self-explanatory. However, given how many people use Windows XP, apparently it's not self-explanatory enough, so I feel the need to elaborate on this somewhat.

When you install Windows XP, a little notice keeps popping up saying "x days left for activation", where x is of course how many days remain before Windows XP will stop working. (You have 30 days from the time you install it.) That Windows XP is deliberately configured to be a ticking time bomb is reason enough not to use it. The fact that you need to register information about your computer to use Windows XP means that I will never, ever install XP on any computer that I own, except for experimental or testing purposes, in which case I will not "activate" it.

What's amazing about WPA is how Microsoft receives praise from people by being so generous as to give you 30 days to activate your OS. This is akin to the generosity exhibited by organized crime groups which are generous enough to provide you 30 days to cave in to their demands before they slaughter your entire family.

UPDATE: The situation was made even worse by the February 2005 revelation that Microsoft was going to disable Internet activation for OEM versions of Windows XP. Microsoft claimed that this was to subvert piracy: "To reduce the illegal trafficking of these OEM product keys".

Let's get a few facts straight, for those who aren't sure what this means. First of all, an "OEM version of Windows XP" means a version of XP that comes preinstalled on a fully-configured computer from an OEM, a company that has its own brand on its PCs, like Dell, Compaq, HP, etc. This is as opposed to a non-OEM version of Windows XP, which would be one that you buy off the shelf as a separate software product, rather than pre-installed on a new computer. This announcement will not apply to non-OEM versions of Windows XP (at least not yet, although Microsoft may decide to change that). It will only apply to people who are re-installing Windows XP on their OEM computers. The computers will ship with Windows XP pre-activated, but if you ever want to reinstall XP (which some people do frequently because it's often easier than troubleshooting problems), this announcement will apply.

So how else can you activate Windows XP? Believe it or not, the only other way is by telephone. You actually need to call a Microsoft telephone number and speak to a customer service rep, who will ask you questions about your copy of Windows XP to determine if it's a legal copy. Stop and read that sentence again if the magnitude of it didn't strike you the first time: Microsoft has adopted apolicy of interrogating its customers to ensure that they in fact bought their copies of Windows XP.

It just keeps getting worse. What's amazing is that people still blindly follow what Microsoft tells them to do. They're actually going to call Microsoft on the telephone and wait to speak to a service rep! I can't even imagine what this means for the many people (like me) who don't have telephone service because they don't want or need a phone in their house.

As sad and damaging as WPA has been, however, in a way it's actually been a good thing for the world, because it's served to limit the spread of Windows. People have discovered that Windows XP simply cannot be used on installations in remote places which have no Internet access and no telephones, such as virtually any computer running in an area that's not municipally zoned. These people, forced to seek other alternatives, have finally discovered non-Windows operating systems and broken the long chain of Windows dependency. Unfortunately this hasn't happened much since most computers now have Internet connections, but it's a start. Now if Microsoft would just start charging several million dollars per Windows license, we could finally divert the world from yet another lemming march and get back to some serious stuff.

Windows XP is not real

Non-NT-based versions of Windows can be booted in real mode, which is the opposite of what Windows used to call 386 enhanced mode. In real mode, programs actually run in your computer's real memory space, instead of having virtual memory spaces (or "virtual machines" as Java programmers like to call them) allocated for them. While virtual mode, protected mode, or whatever you want to call it is useful for everyday multitasking, it's simply absurd to create a commercial operating system that doesn't allow software to directly interface with hardware. Try changing your interrupt vectors or PIT timing in Windows XP. Simple tasks like these, which could be easily done in real mode, become impossible with Windows XP.

Of course, this is all in keeping with the computer industry's laws of economics. If you can't actually use the standard PC functions which have been built into the hardware of every PC made since the original IBM PC came out in 1984, then you must play by Windows XP's rules, writing all your hardware drivers and functions to work with XP, since they won't actually work with the computer itself. Why adhere to standards when you can make your own? That's the question Microsoft has long known the answer to: They don't.

Side note: Windows XP was not actually the first home edition of Windows to not support booting in real mode; The first was Windows Me (Millennium Edition). However, Windows Me was so widely disliked that nobody took it seriously. (It was essentially Windows 98 with a "System Restore" function, newer versions of Windows Media Player and Internet Explorer, a somewhat revamped GUI, and lacking support for real mode.) Windows XP is genuinely regarded as an actual operating system by many people, which is a frightening lapse of human reason.

Services-based architecture

This is probably the single worst thing about both Windows 2000 and Windows XP.

Let's get one thing settled right now: When you're evaluating the security of any computer today, one of the very first things (if not *the* first thing) you check is what TCP ports are open. It doesn't matter if the computer is a server, a workstation, a home computer, or a forgotten system that's only used for printing labels or something like that; open ports create risk. A system that's actively listening for incoming connections and which intends to respond to attempted connections is something you don't want on your network unless you really have to be listening on those ports.

Let's make another thing clear: Windows 98 allows you to not only boot Windows, but even connect to the Internet, without having any open ports. Not one. If you're on a computer with Windows 98 and you're connected to the Internet, but not running any Internet processes or servers, you can open a command prompt and type netstat -a to discover that absolutely nothing shows up. Nothing. No connections, no listening ports. If something *does* show up, it either means that some connections are still waiting to close (this would be the case if anything has a status of "CLOSE_WAIT"), you have some active connections ("ESTABLISHED"), or some program is acting as a server ("LISTENING"). But the point is that if no programs are doing anything, Windows 98 won't have a single port operating. That's good. It means that any incoming TCP connections will be turned away simply because they have nowhere to connect to. It doesn't necessarily make the computer secure, but it's a good start.

Windows 2000 and Windows XP both pretty much require you to run a service called Remote Procedure Call (RPC). RPC is the service that's legendary for being full of holes. It was RPC that ended up being entirely responsible for the infamous Blaster worm that infected countless Windows installations in 2003. RPC is a service, meaning by its very nature, it sits in the computer and listens for other machines that want to connect to it. While this doesn't automatically mean a computer is vulnerable (in fact, to be fair, it wasn't RPC itself that made Blaster possible, but rather the implementation of RPC that Microsoft used in Windows), there's really no reason to be listening for connections this way unless you need to. By any standard, you shouldn't have to be running RPC as a service to use your computer. Windows 98 certainly didn't require it. The basic rule of thumb among almost any security-conscious system admin is: If you're not using a service, turn it off. You'll save system resources and close a potential entry point. Here's the catch: In Windows 2000/XP, turning off RPC is like turning off your entire computer.

One of the biggest reasons why NT-based versions of Windows are so prone to security holes is that instead of actually using normal computer functions, which is what an operating system is supposed to do, Windows 2000, XP, and their ilk think that it's a better idea to set up a server on a computer so that it can essentially use TCP/IP (networking protocols intended for use in transmitting messages to other computers) to send messages to itself. Forget networking with other computers, if you use Windows 2000/XP and turn off RPC, you won't even be able to use your OWN computer. Applications that use the MMC (Microsoft Management Console) won't work, for example, which is particularly hilarious when you consider that the Services control panel used to turn off RPC is itself a MMC window, meaning that if you turn off RPC, you're essentially heading down a one-way street, because you won't be able to use the Services control panel to turn it back on again. Microsoft apparently tries to prevent you from doing this by disabling the "Stop" option for the RPC service, but you can still change the service's status to "Disabled", and if you do this and then reboot, say hello to a crippled Windows installation. (Quick tip if this happens to you: You can turn RPC back on by running Regedit, and checking the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs\Start value. It should be set to 4, which is the code for "Disabled"; if you set it back to 2, which means "Automatic" (i.e. it starts automatically when the computer boots) and then reboot, RPC should start working again.)

Try running netstat -a on Windows 2000 or XP. You're almost guaranteed to see several ports listening that shouldn't be. You can probably close some of them, but not all of them, because some of them are needed by Windows. Then try running the Services console and seeing how many "services" Windows has running in the background; a typical Windows 2000/XP install has around 20 running by default! Some of these services can't be stopped because Windows itself depends on them, while others serve important functions that will cripple important parts of your computer's functionality if you disable them. Annoyingly, Windows seems to lump both network services (i.e. programs that actually listen for incoming network connections) and background processes (which, at least in the Unix/Linux world and in general parlance, are properly called "daemons") under the same "Services" umbrella, meaning it can be tough to tell the services that don't create risk from the ones which do. Either way, however, it is utterly foolish that any operating system would base its functionality on running a server just so that it can send messages to itself. Any OS that does this basically ties your hands behind your back, because it creates holes that you just can't plug. Any OS that does this is an OS that should not be used, except maybe as a joke.

Windows XP is a lightning rod for security attacks

A majority of the viruses/adware/spyware/exploits that propagate on the Internet are designed to target Windows XP. This is logical, given that XP is the most commonly-used OS on computers today, but it's also a good reason not to use XP.

On my Windows computers (those which don't run on some variant of BSD or Linux), I still exclusively use Windows 98. You may think it's funny that I'm using an OS that's almost 10 years old, but the reason is simple: Windows 98 does everything an operating system needs to do, and it's actually immune to many of the common attacks that make their rounds on the Internet. An example is the aforementioned Blaster worm, which spreads via an exploit in the RPC service that's used in Windows 2000/XP. Now, while you could protect yourself from Blaster by patching the service it uses, there's a much simpler way to protect yourself: Never install an operating system that uses that service in the first place! I was running several Windows 98-based computers when Blaster spread like wildfire across the Internet, and I never even paid it a moment's notice, simply because my operating system didn't even *HAVE* the RPC service that Blaster exploits. The worm just bounced off my computers harmlessly. It's like the difference between finding a cure for cancer and going back in time to prevent cancer from having ever existed in the first place. One works, but the other is better.

This is not necessarily a defense of "security through obscurity". It is simply the basic observation that since script kids tend to target the most popular software in use, you can avoid some problems by using less popular software. Incidentally, this applies equally to other software, including web browsers, e-mail clients, etc. This is not to say that any software is 100% secure, because none is, but some programs are more secure than others, and this isn't always for technical reasons; sometimes it's simply for sociological reasons.

Windows XP does not implement standardized TCP/IP

Oh, boy. If you like big debates, you'll love this one. Before we get to opinions (and there are lots of opinions on this issue), let's get the basic facts established.

TCP/IP is the basic protocol upon which most Internet transmissions rely. Actually, it's two separate protocols, but the two are used together so frequently that they've sort of morphed into what's often considered one standard. Both protocols have widely-accepted industry standards which most networking professionals consider the guidelines for how TCP/IP is supposed to work. IP is defined and described in RFC 791, while TCP is defined in RFC 793. (Another very important Internet protocol that relies upon IP is ICMP, which is defined in RFC 792.) These documents are widely circulated throughout the Internet, and again, these files are more or less worldwide standards on how the Internet's protocols should work. Widespread acceptance of--and adherence to--these protocols is largely to credit for the global connectivity of the Internet, and the fact that a computer in San Francisco or Sydney can communicate, through the Internet, with a computer in Tokyo or Timbuktu.

Connectivity is a big strength in favor of TCP/IP. However, a big knock against TCP/IP is security: There is very little consideration given to security in any of the aforementioned RFC documents. Security simply wasn't considered at the time the Internet was being developed, because the Internet was never meant to be a household word. It was developed as an experimental project of government and academia, and when you're working on an experiment, your first concern is usually just to get the darn thing working; you worry about making it work well later on, but just getting it to do anything is a step in the right direction. So the researchers and developers who wrote up the Internet standards didn't think much about security. They were thinking mostly about how to make the Internet as open as possible, so that communication would be as easy as possible over the network. They did a pretty good job, as evidenced by the rapid (and mostly successful) adoption of the Internet to the international, intercultural communication network it has become today.

What does all this have to do with Windows XP? Quite simply, how well TCP/IP works depends on how well it's implemented. The RFCs define a standard for what TCP/IP should do, but they don't say much about HOW it should do what it does. Therefore, any real-world implementation of TCP/IP that goes beyond WHAT and starts asking HOW will require some programming. You can make a stand-alone program that uses TCP/IP, or you can implement TCP/IP into the framework of an operating system. Microsoft did exactly the latter; beginning with Windows 95 and continuing with every version of Windows afterward, TCP/IP was natively supported by Microsoft Windows, without the need to install special add-on software to use the Internet protocols. Most people consider this a good thing, as this support for TCP/IP was largely responsible for the mid-90s explosion of popularity in the Internet. If Microsoft hadn't added TCP/IP into Windows, it would have been more complicated to get on the Internet, and the general public would probably have been slower to adopt the Internet.

The problem arises in the details of implementation. TCP/IP is a fairly big standard; if you don't believe me, go ahead and read the RFCs that document it. Not only that, there are also security concerns with it; since TCP/IP wasn't written with security in mind, many people have complained that something needs to be done with the implementation of the protocols to ensure that loopholes in the protocol standards aren't exploited.

A particularly hotly-debated aspect of TCP/IP has been "raw sockets". To fully explain what raw sockets are and how they work is a bit beyond the scope of this page, but suffice it to say that most Internet communication happens in a packaged way. For example, when you send a file over the Internet, there is a size indicator sent along before the actual file send begins to indicate how large the file should be; generally speaking, the size indicator should actually match the size of the file (i.e. there should be no reason to say the file is larger or smaller than it actually is). However, there's no reason why you COULDN'T give a different file size. This might lead to some interesting results, and it probably wouldn't be very useful in most cases, but if you had full control over the Internet traffic stream, it definitely could be done. If raw sockets are enabled, a user can specify exactly what goes into their TCP/IP packets; they could directly control the size field to specify how big every packet is. If raw sockets are not enabled, however, then TCP/IP packets are generated through an automated software routine that automatically specifies the correct size for each packet, and doesn't allow the user to change packet header fields. (This size fixation is only an example; there are several other fields in TCP/IP headers that can be changed as well. If you want to know more, go ahead and read the RFCs for as much technical detail as you want.)

Okay, those are some facts. Let's get to opinions.

One of the most vocal people sounding a warning about implementations of TCP/IP was Steve Gibson, owner and operator of Gibson Research Corporation, a computer software company probably best known for their SpinRite disk diagnosis utility. In particular, Gibson came to pick on raw sockets as a dangerous feature of TCP/IP, writing a strongly-worded page about how implementing raw sockets into Windows XP would create a massive security vulnerability that would leave every computer running Windows XP wide open to many different kinds of attack.

You can get more information about Gibson's concerns on his page, but in any case, when Windows XP first shipped, it did indeed contain support for raw sockets. Gibson was not pleased, and continued to bang the security drum for a good long while, writing essays like "Windows XP will be the DoS Exploitation Tool of Choice for Internet Hackers Everywhere" and "Microsoft Does Not Understand Security".

As time went by, several viruses and worms came and went which exploited security flaws in Windows XP. Notably, the notorious "Blaster" worm was seized upon by Gibson as vindication of his claims: Blaster used raw sockets to spread itself. It's worth noting, however, that although Blaster did indeed use raw sockets, it worked by exploiting a programming flaw in Windows XP; many security commentators concluded that Windows XP itself was the problem, not raw sockets.

The discussion finally came to a head when Service Pack 2 (SP2) was released for Windows XP. SP2 disabled the sending of raw sockets in Windows XP. Apparently, Microsoft had finally decided that enough was enough, and went ahead and disabled part of the TCP/IP functionality in the operating system. This limitation was quickly subverted by the user community, which came up with a workaround that allowed users to use raw sockets again. Microsoft's response was Microsoft Security Bulletin MS05-019, a bulletin accompanied by a patch which, when installed, went ahead and disabled the workaround.

Consider what you've just read for a moment. When Windows XP shipped, it contained flaws that allowed it to be attacked. Microsoft's response was to simply disable functionality in the OS. Rather than attempting to actually fix what was wrong with their own software, Microsoft saw fit to violate the RFCs, the industry-standard specifications which have long defined how the Internet protocols should work, and went ahead and defined its own implementation of TCP/IP. This was already unforgivable; Microsoft has a long history of taking open industry standards and warping them to some kind of Microsoft-controlled pseudo-standard (the Java debacle comes readily to mind, but there are many other examples of this behavior from Redmond). But not only did Microsoft go ahead and enforce their own ideas about what a computer should do, but when users found a way to actually use the functionality of their computers, Microsoft responded by taking away that functionality. Microsoft was fully aware of the user-installed workaround that allowed computers to use raw sockets. Rather than respecting the user's decision to do what they wanted with their computers, Microsoft enforced their own plan for the users.

Predictably, Gibson was happy. With regard to the patch that disabled raw sockets, he noted on his site: "This final move caused a great deal of frantic running around and arm waving from fringe factions of the PC industry who still adamantly refuse to "get it". If these folks still don't "get it" they're never going to. But I am very pleased that Microsoft finally did, and does."

Gibson's remark on "frantic running around and arm waving" was accompanied by a link to this ZDNet article, which contains commentary from "Fyodor", the nick used by the author of the highly popular security-scanning tool Nmap. Fyodor obviously had a lot to say about this whole goings-on, but perhaps his most telling comment was: "Microsoft claims the change is necessary for security. This is funny, since all of the other platforms Nmap supports (eg Mac OS X, Linux, the BSD variants) offer raw sockets and yet they haven't become the wasp nest of spambots, worms and spyware that infest so many Windows boxes." Indeed, Fyodor's underlying point is correct: A host of other operating systems fully support raw sockets, yet they have not been subject to the numerous security flaws that have plagued Windows XP for years. The fact of the matter is clear: Raw sockets are not the problem. Windows XP, and its implementation of its features, is the problem.

As a small side observation: The patch which disabled raw sockets in Windows was only capable of disabling the sending of raw sockets from a Windows XP machine; it could not prevent a Windows XP computer from receiving raw sockets. It would not really be possible to prevent a computer from receiving raw sockets, because when a packet comes in, you can't tell if it was made raw or not. That much is understandable; what doesn't make sense is how this "fix" is supposed to make a computer more secure. Sending a raw packet doesn't hurt a computer; what hurts a computer is when it receives malicious packets. So this so-called fix hasn't actually made computers more secure at all. It's only disabled a part of the computers' functionality. This makes even less sense in light of the true nature of the underground cracker community; the people who create denial-of-service attacks, by and large, are using Linux or some other Unix variant to create their raw packets, not Windows. So not letting the user create raw packets isn't actually doing anything, because those Windows XP machines are still able to receive malware packets, sent by cracker using non-XP operating systems. It seems that this patch has done nothing to augment security, and everything to cripple the functionality of computers.

My main beef with this decision by Microsoft, in case it's not clear by now, is simple: Microsoft is enforcing what it thinks computers should be able to do, and thereby taking control away from users. The point of having a computer is that it does what you tell it to do; instances like this make it seem more like the point of having a computer is so it can do what the manufacturers think it should do. Even if raw sockets were creating a security risk in Windows, Microsoft's response should have been to fix their own broken software, not to trim the capabilities of its software. As an example of a consequence of Microsoft's decision, the aforementioned Nmap tool, which is widely used by security professionals, will no longer work on Windows XP, because Nmap uses raw sockets. Administrators who want to use Nmap now have to switch to Linux or something similar. (As if they needed another reason to do so.) My other complaint stems from the fact that Microsoft doesn't control TCP/IP; the people in charge of the RFCs do. However, Windows is so widely-used that Microsoft has long been able to create de facto standards by simply doing something differently with Windows. Since most people end up doing things that way anyway, it becomes the standard, regardless of what the official standard documents say. This is yet another case of the same thing; the fact that Microsoft can be praised for flagrantly violating industry standards indicates that somebody doesn't "get it".

At the end of it all, though, Gibson is right about one thing: Windows XP is an operating system for people who don't know anything. In his writeup on why he thinks raw sockets are such a big deal, he repeatedly uses the word "consumer" to describe XP. The attitude is basically: Sure, Windows XP is for the consumers, the people who don't know anything about computers. Yeah, they can't be trusted; we'll have to constrict what they can do to make sure they don't hurt themselves. This is exactly the mentality that created the disabling of raw sockets in the first place: The mentality that the user is too stupid to be trusted with any kind of control, and that somebody in Redmond needs to watch over them.

Any operating system with that mentality is an operating system that I won't use. And you shouldn't either.

If you haven't had enough debate by now, go check out Microsoft States Full TCP/IP Too Dangerous, a Slashdot article on this subject. (Slashdot articles almost always have ridiculous amounts of debate on *every* article.)

Automatic Update

Windows Update was not a half-bad idea; Have a link to a central website where you can find and download appropriate patches for your operating system. Fine, although I wish they'd stop putting it right on the Start Menu. But now Windows XP has the concept of Automatic Update. Any OS which even contains the functionality to have the manufacturer install files on your computer without your knowledge or approval must be avoided. Even if this option is disabled by default. Period.

The "desktop cleanup" function

Windows XP comes with a "desktop cleanup" function. This "feature" tracks how often you use the shortcuts on your desktop, and deletes the ones that you don't use much.

Now, this might sound like a cute idea for those people who don't actually know what programs they use, but the idea that your computer should know better than you what programs you want to use is just disturbing. If you want to clean unused items off your desktop, you should do it yourself. Seriously, if the OS is deleting things from your desktop, how long will it be before Windows helpfully thinks it's a great idea to delete files anywhere that haven't been used in a while? "Hey, this info hasn't been used in 60 days, better delete it!" In all seriousness, I haven't heard a lot of people talking about this "feature", so I can't really gauge whether people like it, dislike it, or are neutral toward it, but the mere possiblity that people would actually use such a feature makes me nervous.

To be fair, you can turn off desktop cleanup, but the fact that it even exists within Windows XP is indicative of a software mindset that's dangerous to all levels of users, from power users to end users.

Windows XP does not let you exchange a hard drive

I actually didn't believe this when I first heard it, but it's true: The Windows XP boot process is dependant on several drivers, including the ones for the chipset on the motherboard. While older versions of Windows going back to Windows 95 have had drivers for chipsets, what makes XP different is that it will actually fail to boot if you move a hard drive into a computer with a different motherboard. That's right, XP is so fragile that it can't even tolerate a different chipset. If you use XP, you can say goodbye to the days of Windows 9x when you could exchange hard drives between computers and still have your OS boot afterward.

That an operating system could be so broken baffles me, but if you need proof, you can read about it on Microsoft's site. MS actually has a knowledge base article for this issue, and incredibly, their solution basically boils down to: Use the original computer XP was installed on. Actually, the article advises you to "use the same hardware" in the other computer, but if you bought a new computer, chances are that it won't have the exact same motherboard as your other computer.

Maybe it's just me, but the idea of being chained to one computer forever (or having to burn several gigs of data to discs or transfer them over a network to migrate them to a new computer) doesn't seem appropriate to my way of thinking, when it's possible (using a functional operating system) to simply move the hard drive.


I'm only scratching the surface here; These are just the biggest key points that affect the operating system. Windows XP is such an abomination that you could write a book about what's wrong with it. If you have any suggestions for other important points that ought to be included on this page, let me know.

Back to the main page


This page hosted by Get your own Free Homepage
1