With Windows 7 released and currently making its way to shelves in time for the holiday season, we’ve taken this opportunity to upgrade our copy of the official Windows System Recovery Discs for compatibility with Windows 7.

If you’re like most PC users, you probably got Windows 7 with a new PC or laptop. And if you’re like 99% of the population, you get your new machines from one of the major manufacturers. Dell, Acer, HP, Toshiba, Lenovo; who all have one thing in common: they don’t give you a real Windows 7 installation disc with your purchase. Instead, they bundle what they call a “recovery disc” (that’s if you’re lucky – otherwise you’ll have a recovery partition instead) with your machine and leave it at that.

It doesn’t matter that you just paid a thousand dollars for a machine that comes with a valid Windows 7 license – your computer manufacturer just don’t want to spend the money (or perhaps take on the responsibility) of giving you a Windows 7 installation DVD to accompany your expensive purchase.

The problem is, with Windows 7, the installation media serves more than one purpose. It’s not just a way to get Windows installed, it’s also the only way of recovering a borked installation. The Windows 7 DVD has a complete “recovery center” that provides you with the option of recovering your system via automated recovery (searches for problems and attempts to fix them automatically), rolling-back to a system restore point, recovering a full PC backup, or accessing a command-line recovery console for advanced recovery purposes.

Thankfully, Microsoft seems to have realized this problem, and have thankfully made a recovery disc for this purpose. It contains the contents of the Windows 7 DVD’s “recovery center,” as we’ve come to refer to it. It cannot be used to install or reinstall Windows 7, and just serves as a Windows PE interface to recovering your PC. Technically, one could re-create this installation media with freely-downloadable media from Microsoft (namely the Microsoft WAIK kit, a multi-gigabyte download); but it’s damn-decent of Microsoft to make this available to Windows’ users who might not be capable of creating such a thing on their own. You can make your own copy from Windows 7 Ultimate Edition, but now you have an easier alternative.

NeoSmart Technologies is hosting a copy of the Windows 7 Recovery Disc for your convenience. It’s a 143 MiB download (165 MiB for the 64-bit version), and in the standard ISO format, ready to burned directly to a CD or DVD. Don’t wait until your PC crashes to download a copy! Download and burn your recovery disc today, so that when the time comes, you’ll be ready!

What it does: The Windows 7 Recovery Disc can be used to access a system recovery menu, giving you options of using System Restore, Complete PC Backup, automated system repair, and a command-line prompt for manual advanced recovery.

What it doesn’t do: You cannot use the Windows 7 Recovery Disc to re-install Windows – it only fixes (not replaces!) Windows.

Why you need it: If you bought your PC from a major retailer, you didn’t get this CD with your hefty purchase.

Download Links

Windows 7 Recovery Disc 32-Bit (x86) Edition

Windows 7 Recovery Disc 64-Bit (x64) Edition

Please note that the above links point to .torrent files. Torrent files are like a shortcut, they tell a download manager on your PC where to download the actual files from. Downloading large & important system files with torrents is highly recommended since torrents are protected against corrupt downloads and tend to be faster when well-shared.

(All torrents are currently being seeded by 100mpbs servers, they should be blazing fast).

You can download the Windows Vista recovery discs from here.

Instructions

1. Download the appropriate .torrent file from above that corresponds to the version of Windows 7 you have installed.
2. Download and run µTorrent.
3. Open the .torrent file you downloaded with µTorrent. (File -> Add Torrent)
4. Select where you want µTorrent to save the 7 Recovery Disc.
5. Wait for it to download.
6. Burn the .iso file that µTorrent downloaded to a CD using these instructions.
7. When you want to use the recovery center, put the CD in your drive and boot from it. This is usually done by pressing F8 at startup, or changing the boot drive order in the BIOS.

Support

Please don’t ask for help below, it’ll get real cluttered real soon! Open a support thread at http://neosmart.net/forums/ and we’ll help you resolve your problem ASAP.

If you’re like most people, the answer is not much. But there are people out there that really care, and with good reason. If you’re the FBI, Oprah Winfrey, or one of the million other celebrities currently on Twitter, you probably don’t want someone out there passing themselves off as yourself while posting fake updates to an account literally millions are watching.

Some people to whom money is not an issue already pay thousands of dollars for meaningless SSL certificates – something tucked away in the corner of your browser window that no one pays much attention to. But imagine if Twitter were to start offering “verified accounts” that have been authenticated as belonging to a particular person or institute… how many of these celebrity accounts would suddenly turn into cash cows for Twitter?

Right now, it looks like that’s what Twitter has in mind. In a recent blog post, Twitter co-founder Biz Stone talks about the upcoming limited release of “verified accounts” in order to curb fraud amongst accounts claiming to belong to celebrities. There is no mention of charging customers for this service, but the way it’s worded, that is pretty much taken for granted as a future step in the process:

The experiment will begin with public officials, public agencies, famous artists, athletes, and other well known individuals at risk of impersonation. We hope to verify more accounts in the future but due to the resources required, verification will begin only with a small set.

And later:

When we do start testing Account Verification, we will be sure to provide ample methods for feedback. Initially, verification will not be tested with businesses. However, we do see an opportunity in that arena so we’ll keep you posted when we have something to share.

That’s not to say this isn’t a good idea though. Has Twitter finally found a way to make some serious cash without alienating its userbase, providing “additional features” no one really needs but can make them plenty of cash from the more high-profile accounts currently on the site? God knows Paris Hilton, et. al. would be willing to pay the cash, while the rest of us rely on word of mouth, links back from official websites, and common sense to give our followers the confidence they need to trust the updates we post.

Follow me on Twitter @mqudsi.

Windows Vista Ultimate Edition’s "Ultimate Extras" have been a constant source of derision and anger from Vista users ever since its release 3 years ago. If the blog posts are to be believed, millions of users purchased Windows Vista Ultimate Edition in the hope that the added-value "Ultimate Extras" package – which was left un-described and of unknown worth at the time – would turn out to be a good investment.

Ultimate Extras are a couple of the minor Ultimate Edition exclusives that Microsoft used as a selling point to get users to purchase the most expensive version of Windows Vista. It was originally marketed as something similar to the ancient "Plus! for Windows" package that was quite popular back in the days of Windows 98; except it never really panned out that way.

Ultimate Extras was something of a hoax for the first couple of years, bringing nothing more than animated wallpaper and extra cards game to the table. Since then a couple of new themes/sounds have been added to the package along with a couple of other lame games – all of which made Vista users feel all the more "tricked" into purchasing a more expensive version of Windows that they, in all honesty, didn’t need.

Well, it looks like Windows 7 will be doing away with the Ultimate Extras though it’s anyone’s guess what the final SKU lineup will look like and what the selling points and feature-sets of each of the editions will stack up to. But here’s to hoping that Microsoft learns from (even more) of its mistakes and provides something of real worth with the more expensive editions of its latest OS offering.

In the article, Ben Goodger, lead Chrome UI developer, states

[Google avoids] cross platform UI toolkits because while they may offer what superficially appears to be a quick path to native looking UI on a variety of target platforms, once you go a bit deeper it turns out to be a bit more problematic.” [... Your applications end up] speaking with a foreign accent.

But there’s something we’re not getting here. Obviously given enough brilliant programmers and a good team lead to keep the different codebases in sync, going with native APIs is the better approach. But the reasons Goodger is offering aren’t very convincing.

The problem is…. Google’s Chrome for Windows doesn’t look native. In fact, it’s about as far from native Win32 as you can get. We had originally explained away the non-win32 looks by assuming it was because Google wanted an interface that was consistent across the different platforms and different at the same time from any of the operating systems native UI toolkits: in line with Google’s vision of turning the browser into an OS, regardless of the platform beneath.

A non-native UI that looks the same on Mac, Windows, and Linux would be the answer to such a browser OS. It would indicate that Chrome is its own product – from the codebase to the user experience – and that to the end user it shouldn’t matter what OS you’re on. And that in the future Google could ship a standalone (OS-free) browser that looks like Chrome and acts like Chrome, regardless of the platform beneath?

Otherwise there is no good explanation for the horrendously-different user interface that comes with Chrome. It requires learning the tips & tricks to a whole new UI, and forgetting a number of “niceties” you may have been accustomed to (such as pressing the ’spacebar’ to OK pop-up dialogs, etc.).

With the preliminary screenshots of Chrome for Mac, the platform Chrome runs on begins to peek through.

Does this mean that Google’s vision of Chrome as its own OS has come to pass – with Google now content to just launch a cross-platform browser without attempting to lull users away from the platforms they’ve come to love?

Whatever the case, it’s sure to be interesting watching and waiting to see what Google has planned for its users. Whether its a cross-platform browser experience that’s different enough to be the same across all platforms while retaining a feel of the platform or if it’s paving the way for the OS to come it’s quite obvious that the gears are now in motion and something big just might happen.

And the two companies that have impressed us with their support? Pubmatic and Assembla – both excellent startups that we highly recommend in their individual fields. Pubmatic is an ad-revenue optimization service that intelligently chooses between different ad providers to maximize your ad impressions and CPM rates. Assembla provides quality hosting of SVN and other services that cover all aspects of the software development cycles for teams & small companies.

A couple of days ago, Kaspersky antivirus began flagging the ad-frames from Pubmatic as possible attempts to download a virus. Kaspersky is, of course, famous for its high false-positive counts (though it’s protection is great, nothing is without its cost). Pubmatic support staff were incredibly quick to respond to our queries, and immediately contacted all the involved parties to resolve the problem in a timely fashion.

As for Assembla – we’d been using their SVN hosting for a couple of years now. It’s thanks to them that we were able to develop software efficiently back before we had our infrastructure and development set up and going. They’ve recently overhauled their accounts system and have suspended free accounts, and they’ve been nothing short of wonderful helping us migrate our data to our own servers (data portability is a sensitive topic these days – but Assembla clearly knows how finicky developers are when it comes to ownership!) and helped us wrap everything up nice and clean.

Thanks to both these great companies for their wonderful customer service and their dedication to their userbase. If you’re looking to outsource your development services or for a better ad management system, there’s no one we recommend more than Assembla and Pubmatic.

But it looks like someone may have been a bit to hasty to pull that switch (perhaps itching to get some of the limelight Microsoft has been receiving for adding OpenID to all Live ID accounts just the day before yesterday)… because whatever it is that Google has released support for, it sure as hell isn’t OpenID, as they even so kindly point out in their OpenID developer documentation (that media outlets certainly won’t be reading):

1. The web application asks the end user to log in by offering a set of log-in options, including Google.
2. The user selects the "Sign in with Google" option.
3. The web application sends a "discovery" request to Google to get information on the Google authentication endpoint. This is a departure from the process outlined in OpenID 1.0. [Emphasis added]
4. Google returns an XRDS document, which contains endpoint address.
5. The web application sends a login authentication request to the Google endpoint address.
6. This action redirects the user to a Google Federated Login page.

As Google points out, this isn’t OpenID. This is something that Google cooked up that resembles OpenID masquerading as OpenID since that’s what people want to see – and that’s what Microsoft announced just the day before.

It’s not just a “departure” from OpenID, it’s a whole new standard.

With OpenID, the user memorizes a web URI, and provides it to the sites he or she would like to sign in to. The site then POSTs an OpenID request to that URI where the OpenID backend server proceeds to perform the requested authentication.

In Google’s version of the OpenID “standard,” users would enter their @gmail.com email addresses in the OpenID login box on OpenID-enabled sites, who would then detect that a Google email was entered. The server then requests permission from Google to use the OpenID standard in the first place by POSTing an XML document to Google’s “OpenID” servers. If Google decides it’ll accept the request from the server, it’ll return an XML document back to the site in question that contains a link to the actual OpenID URI for the email account in question.

This is shown quite clearly in the following image (courtesy of Google, ironically):

As you can see, steps 3 & 4 are not part of OpenID and leave Google’s implementation of OpenID, such as it is, incompatible with everyone else.

Google actually mentions this in passing:

Starting today, we are providing limited access to an API for an OpenID identity provider that is based on the user experience research of the OpenID community. Websites can now allow Google Account users to login to their website by using the OpenID protocol. We hope the continued evolution of both the technical features of OpenID, as well as the improvements in user experience. will lead to a solution that can be widely deployed for federated login. One of the companies using this new service is www.zoho.com.

Eric Sachs, author of the blog post in question, doesn’t actually come out and say, but he does come very close.

Basically, Google has rewritten OpenID. Not only is it not exactly the same as the current OpenID protocol, it’s so different that existing OpenID relying parties won’t be able to use it. Only a handful of “partner sites” have been updated to understand Google’s perverted version of the OpenID standard, and anyone else hoping to authenticate via “OpenID” to Google’s servers will need to do the same.

But OpenID is an open, community-based standard. Stabbing them in the back by creating an incompatible standard “based on” the same technology and masquerading under the same name isn’t the way to go. Google may have the best interests of decentralized authentication in mind, and perhaps even the better protocol to boot; but this is no way to prove a point.

OpenID is on tenterhooks as it is, and cannot withstand any more efforts to splinter its adoption. Never mind the fact that almost all the big names adopting OpenID are joining only as providers and not as relying parties (rendering the whole basis of OpenID useless) – now even the provider side of things is chaos.

Thanks, Google. Good to see you’re still doing the whole “Do no evil” thing, the community really appreciates this kind of approach to improving de facto standards and pushing decentralized authentication!

Despite PC users’ widely-varying taste and preference in operating systems and platforms, gamers need Windows. In fact, one of the biggest reason people around the globe tend to dual-boot is their undying love for gaming and the fact that no other OS out there can boast the wide range of gaming titles and genres available for their platform like Windows can. The traditional choice faced by most non-Windows users has been to either install and dual-boot Windows or bite the built and buy a gaming console – ask us, we would know.

But this is all about to change, thanks to Microsoft’s reckless abandon for one of its few truly-loyal userbases.

When Microsoft first began its frenzied Vista marketing campaign in 2006, one of the points it focused on most and repeated over and over again was just how big of a gaming revolution Windows Vista was. Gaming was a large part of the Vista WOW campaign, but it has since failed to disappoint. But this isn’t an article about Vista, it’s about how Windows is poised to lose its gaming advantage if Microsoft doesn’t get its act together sometime soon.

The problem is that Windows – standalone or in a dual-boot – is quickly becoming the lesser-appealing option when compared to a gaming console… in large part thanks to Microsoft’s ridiculous, biased, and fairly infuriating decisions to release games for Xbox and then for PC.

A major part of the gaming/entertainment Vista PR that went out around the same time as the OS: Microsoft Announces Spectacular Windows Vista Title Lineup. Spectacular? Hardly so. Take a look at the Microsoft Game Studios release history for 2006 and 2007, you’ll find a great disparity between the number of titles MGS released for Windows verses those for the Xbox (360)…

If you ignore expansion packs (the Zoo Tycoon development team seems to love these), you’ll find that Microsoft Game Studios released a total of nineteen titles for the Xbox over these two years, compared to a mind-blowing six titles for the PC over that same period – half of which were either available on the Xbox simultaneously or years before!

But what does Microsoft have to say about the obvious deterioration of the Windows gaming market?

The Windows gaming world continues to evolve, and we believe in the future of that property.

-Shane Kim, Microsoft’s Vice President of Interactive Entertainment

Sorry Mr. Kim, but we find that a bit hard to believe. Mr. Kim’s statement came in response to the recent (shocking) news that Microsoft’s (PC game development) Ensemble Studios – authors of Microsoft’s Age of Empires claim-to-fame hit series – would be shut down for "fiscal reasons."

Obviously Microsoft is in a hard place here, needing to cater to both of the (competing) PC and gaming console markets at the same time. However, due to the serious 3rd-party hardware/platform competition in the gaming console market it seems that Microsoft’s decision has been to give Xbox the priority here.

It’s obviously not Microsoft’s job to develop games for its own platform – technically, all they have to do for either the PC or the Xbox is develop the APIs and provide 3rd party gaming developers with the tools and support they need to make it work. And 3rd party developers have not let anyone down, with astonishing numbers of titles being published for both platforms.

But if Microsoft wants to ensure that its platform retains its current hold on the PC gaming market they’re going to need to do a bit more to convince potential Windows gamers to stick to their platform and not go out and get a gaming console instead. It’s quite a logical choice to focus on Windows here – there are literally millions of Windows users who would be using something else if it wasn’t for Windows’ vice-like grip on the gaming market.

The fact is, PC gamers and console gamers aren’t the same market targets. It won’t kill Microsoft’s Xbox division to treat their Windows gamers with a little bit more respect than they’re currently doing – if not for the users’ sake then for their own.

But no matter what Microsoft Game Studios does or doesn’t do, it can’t actually damage the Windows gaming platform – all it does is create a scenario wherein another OS can work hard and potentially overtake Windows at its own game (pun intended!).

Mac OS and Linux both have a rare opportunity on the horizon – but for it to have any impact on the current PC gaming sector’s dynamics, they’ll have to put a bit more effort into the gaming scene than they’re currently doing. Something that requires this sort of centralized coordination is definitely not one of Linux’s strong suites, so the ball is now squarely in Apple’s playing field, and it’s up to them what they do with it.

Basically, Microsoft needs to watch its step. The incentives for PC gaming are at their lowest levels in years with even real-time strategy games – the PC’s long-standing forte – being developed first for the gaming consoles and then, possibly, for the PC (yes, we’re looking at you, Halo Wars!).

And then there’s Bungie – cross-platform game developers bought up by Microsoft years ago, authors of the internationally-acclaimed “Halo” series, and now released from Microsoft’s reigns with its sights set squarely on developing games for the Mac once more.

At the end of the day, Microsoft’s size is getting the better of itself once more; with its own divisions failing to compete with themselves they way they should. Microsoft needs to pick up on this slow degradation of PC gaming satisfaction and do something to buck the trend, or else they could suffer some serious consequences.

While that’s a stunning number of Vista-only OEM machines running Windows XP, Mr. Kenney seems to have forgotten about those of us that dual-boot. As champions of dual-booters everywhere, we’ve got to put our two cents in here.

If you keep in mind the type of people who would install the Windows Sentinel tool and take part in such a geeky program you’ll realize that it’s not too out there for a good number of these people to be the kind that run multiple operating systems on their machines.

Obviously not all of Windows Sentinel’s (only) three thousand subscribers are included in the numbers above (it’s highly unlikely that even 80% of the 3000 subscribers are using hardware that only comes from the OEM with Windows Vista installed). And of the percentage that are using late-model hardware, a hefty percentage dual-boot.

We don’t have any numbers as far as the number of dual-booters out there, but they’re certainly not few enough to be discounted. Keeping that in mind, it’s rather unprofessional of InfoWorld to claim that 35% of all Vista users will downgrade to Windows XP. Obviously big numbers make for better headlines, but this is the kind of stuff that can damage stocks and ruin jobs – you don’t want that on your conscious, at least, not without good reason.

Not that we’re suffering from any delusions or hallucinations with regards to Windows Vista’s relatively shoddy performance and stability, but you’ll agree that it’s a rather far cry to go from “a lot of people have reservations about upgrading to Windows Vista” to “a lot of people will take the time and effort to remove Vista from a PC and put Windows XP in its stead;” especially keeping in mind that Vista’s been out for two years now and there’s an (unfortunately) increasingly-large number of Vista-only products out there on the market.

More data from InfoWorld and the Windows Sentinel service would certainly be most-welcome in giving a clearer picture of what the actual numbers are and where end-users stand in this OS mess.

And this is your internet on drugs bandwidth meters:

Cartoon originally published by Toles for The Washington Post.
[source]

Richard Stallman: legendary founder of the Free Software Foundation, purveyor of the GPL, defender of open source. And – as of today – expert FUD manipulator.

Obviously someone was seriously pissed off at the abundance of (largely positive) press coverage Bill Gates has been receiving as he stepped down from his final roles at Microsoft.. and it appears Mr. Stallman just couldn’t bear to let the man he hates more than any other step down without getting that last word in.

In an article by Richard Stallman published on BBC today, Stallman pulled back no punches bashing not only Bill Gates, Microsoft, and makers of proprietary software everywhere but also took the incredibly cheap shot of accusing the Bill & Melinda Gates Foundation of working to ruin the very countries they’re trying to help:

Gates’ philanthropy for health care for poor countries has won some people’s good opinion. The LA Times reported that his foundation spends five to 10% of its money annually and invests the rest, sometimes in companies it suggests cause environmental degradation and illness in the same poor countries.

Never mind the fact that those are unsubstantiated rumors following money trails several-hundred pockets deep – what does the Bill & Melinda Gates Foundation have to do with Free Software? Is Stallman so desperate to make Mr. Gates out to be the bad guy that he’d sink this low?

Stallman, one of first people to accuse people of spreading FUD to further their opinions, doesn’t stop there:

Gates is personally identified with it, due to his infamous open letter which rebuked microcomputer users for sharing copies of his software.

It said, in effect, "If you don’t let me keep you divided and helpless, I won’t write the software and you won’t have any. Surrender to me, or you’re lost!"

Here Stallman is referring to Gates’ now-famous letter asking people illegally copying, distributing, and using Altair Basic to stop. Stallman somehow neglects to mention that – regardless of whether morally acceptable or not – Microsoft had the legal right to demand payment in exchange for their software. Ignore for a second whether or not Bill Gates and Microsoft were in the right or in the wrong to ask for payment in exchange for their work – is Richard Stallman seriously suggesting that it’s right to illegally obtain copyrighted software?

It’s one thing to say that Gates should never have charged for his software and another to say that it’s OK to use it without paying. Gates chose to ask for money, users (as Richard Stallman himself has advocated on many occasions in the past) should be looking for an alternative if they don’t want to front the cash.

Who Richard Stallman thinks he’s kidding, we don’t know. But he’s obviously crossed that line that shouldn’t be crossed; apparently desperate enough to stop Microsoft the minute he senses an opening… even if it means spreading FUD, making pointless accusations, and generally talking nonsense to get his point across. This isn’t any way for a respected figure in the open source community to act, especially not when it comes to someone who has – whether Stallman likes it or not – contributed as much to the tech community as Bill Gates has.

It would seem that between the way Gmail saves and retrieves sessions, existing sessions are authenticated, and views are cached there are one or more loopholes that allow data from a different account (that has nothing to do with yours) to be served instead of the correct data.

I don’t know why, but here’s the how:

• Firefox 3 opened to Gmail on Ubuntu.
• Session accidentally reset with ctrl+alt+bkspc
• Upon reboot & restarting of Firefox, Firefox requested the URIs that were previously open before the crash, partially loading data from local cache and the rest dynamically from the web (because of the AJAX portions of the Gmail interface).

The result:

• Gmail loaded up the email account of a user I’d never contacted before, never heard of, and never knew existed.
• I could see the front page of this user’s inbox, including the people he’d recently contacted, the brief summary of all messages, the total number of messages in the inbox, the number of unread messages in other folders, the dates of all correspondences, and a number of contacts (again, none that I have had contact with) in the sidebar.
• The number of remaining Gmail invites, the amount of space used, and other status values also reflected this mysterious individual’s account.
• I couldn’t browse deeper than the main page of the inbox. Emails couldn’t be opened, nothing past the first 50 correspondences could be seen, and I couldn’t switch to another folder.
• Attempts to do any of the above resulted in Gmail’s “Oops… the system encountered a problem (#102) – Retrying in XXs… <Retry Now>”

Parts of the Gmail interface contained values pertaining to my own account (for instance, the online status indicator) while others referred to this other individual’s account instead.

It’s very bizarre. I don’t know if it can be readily reproduced, but I’d imagine if you forced an exit of Firefox 3 and kept on firing it back up at some point or another you’d see similar behavior. Of course, a deeper analysis of what data Firefox 3 requests from Gmail’s servers verses what’s served from the local session cache may yield further information that could possibly be used to actively take advantage of this data leak.

It seems that Firefox requests a cached session complete with cookies and all from the Gmail URI, which in turn loads the Gmail javascript files that are responsible for retrieving the data associated with a particular email account via AJAX. At this point, either the session key is associated with another account and so Gmail retrieves the information assumming the session to be properly authenticated or else the expired session somehow causes Gmail to get data from elsewhere…

Screenshots of this behavior:

Gmail displaying the other user’s information:

Searching for this user in my own account yields no results:

As we’ve previously mentioned, NeoSmart Technologies is a big proponent of Full Disclosure. We’ve contacted the security department at Google and will post their reply if/when it’s available. We’ve also taken what we feel are the appropriate steps in this case with regards to the screenshots above in terms of what’s been made visible and what’s been blanked out for privacy concerns.

Update

The Google Security Team sent a reply to our inquiry. According to them, this behavior might be caused by broken ISP proxying, pending further investigation. This post will be further updated as soon as new information becomes available.

Update

Google has confirmed that was the result of an ISP caching/proxing problem, and that it’s been known to happen. It seems some ISPs are over zealous in their caching attempts (probably to save some money) – and you can add Cyberia to that list. Much thanks to Chris Evans of the Google Security Team for his feedback on the issue and prompt responses – that’s the way security is supposed to be handled!

Whether or not MinWin is the very same kernel that went into Vista or not is officially unknown at the moment; but what we do know is that Shipping Seven is either one huge fake, or else that the Windows core programmers at Microsoft are so stupid that they don’t know the first thing about coding, kernels, operating systems and compilers.

The post at Shipping Seven is littered from beginning to end with fallacies, lies, and incorrect deductions that anyone with even the most basic coding skills would know better than to ever post, especially not when attempting to pass it off as the work of some of the more talented coders out there.

Here are some of the more-glaring factual errors in the post that completely strip Shipping Seven of any authenticity or authority it may have on the topic of Windows 7:

How many times has the Ubuntu or Mac OS X kernel been rewritten?

Correction: OS X is powered by a rewrite of the XNU kernel which is a modified version of the Mach kernel which, in turn, is a complete rewrite of the original BSD kernel. And, of course, Ubuntu isn’t an OS in and of itself, rather it’s just a distribution of Linux.

While it can be argued that not every developer at Microsoft is expected to have intimate knowledge of the inner-workings of other operating systems, no one in their right mind would believe that the Windows kernel programmers don’t even know what kernels their strongest competitors are currently using.

We spent a boatload of time during Windows Vista making everything ‘componentizable’ – So that we could (by creating some xml files that our build process uses) create a boatload of different versions of Vista (and Server 2008).

….

You already have MinWin – It is the core system components that Windows Vista needs to function; everything else on the system depends directly or indirectly on it. It is the last thing you could (theoretically) uninstall.

So, if you really really want it, you can get it, I suppose – you probably could (using the command line) uninstall almost every single Windows Vista system component, including the user interface. I don’t know what the hell you’d do with just a kernel and a kernel loader on your machine, though.

Assuming you can get past the way that the post was written (with references like “using the command line” which indicate a general lack of knowledge about computers in general; treating the command line as if it were a “god mode” that can be used to do just about anything), there’s still the matter of factual inaccuracies – and inconsistencies in the article itself.

You can’t change/modify/revert pre-build settings by running commands in the command line. Components that are integrated at compile time simply cannot be removed by running a bunch of commands afterwards – especially not from within the resulting OS itself.

Anyone that’s ever manually compiled a Linux kernel knows this. You can’t strip ext3 support from the kernel after it’s already built any more than you can add Reiser4 support to the kernel without re-building it. As a matter of fact, anyone who’s built anything at all should know this – the same rules apply to any other program as well. For example, you can’t remove PHP support from Apache if you’ve compiled mod_php directly into the binaries.

Shipping Seven is a big, fat fraud. It’s written by someone with only the most basic knowledge of computers, zero knowledge of coding concepts, and absolutely no experience with kernels and operating systems. Shipping Seven is most likely written by the equivalent of script kiddy, eagerly awaiting the first leaked builds of Windows 7 to appease an inner itch – most likely all the while lamenting his lack of involvement in the Longhorn beta. It isn’t worth the time it takes to read, and definitely doesn’t deserve even the questionable authority it now has on the topic.

We’ve long felt that Gmail’s approach was not befitting of the Web 2.0 service with all its sky-blue shades and flashy appearance – and now it seems that Google’s felt that way too.

Here’s the new loading interface… Subtle, simple, and effective:

(Click image to see more changes)
  

After all, first impressions are everything!

• A cell-phone-wielding shopper enters the shopping plaza.
• Path Intelligence monitors mounted throughout the plaza detect that a new mobile phone is in the vicinity and log its IMEI code.
• As the shopper moves around the mall, his or her movements are continuously triangulated by the multiple Path Intelligence units, allowing movements to be mapped and saved for later analysis.

The good news: it’s totally private, there isn’t any (automated) way to map a particular record in the Path Intelligence logs to an actual person. The resulting logs can be analyzed for shopping patterns (where people go after visiting a certain store, peak hours of traffic, most popular regions, etc.) later on, providing valuable intelligence and allowing for improvements.

The bad news: The Path Intelligence logs — in-conjunction with other monitoring techniques such as cashier timestamps, credit card log, video surveillance, etc. — can result in the identification of the persons associated with logged behavior in the system; posing a real and tangible privacy/Big Brother concern.

The weird news: Everything in the above scenario can be directly mapped to an exact counterpart in the current web-tracking solutions in use:

• Shopper -> Visitor to a site
• Mall/Shopping Plaza -> Website
• IMEI code -> IP Address (unique, but not personally identifying on its own)
• Path Intelligence -> One of the many web-statistics companies

Everything from the tracking techniques used to the information gathered to the way its analyzed and used is directly taken from the way cyber traffic has been logged and analyzed for years. After all, why not?

Web monitoring solutions have proven to be reliable metrics for understanding the userbase of any given site; and more importantly, the number one tool to improving conversion rates and increasing the visits-to-sales ratio. If there are technologies that have proven invaluable to boosting the online commerce economy, it makes sense for people to attempt to apply these same methods to everyday life in the real world as well.

It’s somewhat of an epiphany to consider the amount of information available in cyberspace and how easy it is to obtain and analyze when compared to the physical world we live in. The quantity, quality, and pervasiveness of the data available to online far exceeds anything in the real world, and the use that it can be put to are truly amazing – and scary when extended to our normal lives.

Imagine for an instance the typical data available to a website owner enlisted with one or more of the web statistics services and just how useful such knowledge would be in the real world:

• Referrals. Who came from where, how people came across your store, and what they’re most interested in.
• Popularity Ranking. Know what stores in each mall are the most popular, down to the last customer. Find out exactly what sections of each store get the most attention (then compare it with sections are currently getting the most sales and try to maximize sales in those departments).
• Shopper Characteristics. As the Times article explains, the IMEI number can be traced back to the country the shopper comes from. In high-tourist areas (think New York, Las Vegas, London, Chicago, etc.) this kind of intelligence can provide great insight…

Basically, the real world is starting catch up with the online one (not the other way around, folks!), and there’s a lot it has to learn and a lot it has to benefit.

iReboot isn’t by any means a major application, but it’s gathered a pretty strong following over the months, mostly by people interested in boosting productivity (or increasing laziness) to the max. But there was one flaw in iReboot that made all the hard work we put into making it as unobtrusive and minimalistic as possible almost meaningless: if you had UAC enabled, iReboot will not run automatically at startup, no matter what you do.

This behavior comes as a result of the architecture that Microsoft used to secure Windows Vista, which doesn’t allow for applications requiring admin approval to run at startup. It doesn’t matter what your application does or if you absolutely trust it beyond the shadow of the doubt, Windows Vista simply won’t let an application that runs in elevated privileges mode to launch at startup – end of story.

Users of iReboot were quick to point out that this is a major drawback that made it almost useless – after all, it’s far less productive to have to manually run an application when you want to reboot than it is to wait for that startup screen to appear and select the OS you want. So we set about finding a solution.

We’ve just released iReboot 1.1, a UAC-free implementation that doesn’t require admin approval, elevation, etc. past the initial installation. And, yes, it does run automatically at startup too!

The Gory Details (feel free to skip below to the download links!)

In order for iReboot to be of any use, we had to get around Microsoft’s UAC limitations. For iReboot, it was of the absolute importance that it run at startup, and that it be allowed system access from normal user accounts. On Windows XP – where everyone runs as an Administrator and there are no annoying UAC prompts – it was a non-issue. But on Windows Vista, the new architectural requirements for running applications in elevated privilege modes made it near impossible.

While digging around for possible solutions, it became clear that the only possible fix would be to split iReboot into two parts. One would run in the background as a service, running under the SYSTEM or LOCAL SERVICE accounts and having privileged access to the OS without requiring admin approval or UAC elevation, and with the second half running as an unprivileged userspace client program which interacts with the service backend to get stuff done.

The resulting application has an installer – which requires admin privileges, of course – which installs and launches the background service. The background service has full permission to do what we need to get operating system XXXX to be the default option for the next boot, but – in line with the Windows Service Model – cannot be interacted with by end users.

The installer also adds a normal UI application which sits in the taskbar (from where end-users may interact with and use iReboot) and communicates with the backend service via a custom API which must not require the execution of any privileged code. The service can do whatever it wants (well, whatever we want it to do, but lets not get picky here!), but the client program must only perform actions which normal, unprivileged users have permission to execute.

By using a standard inter-process communication API we avoided the need for any special actions on behalf of the client application, effectively separating logic (residing and executing on the backend service, free from the many limitations of UAC) and presentation/design (the client application, bound to obey UAC’s every wish).

The Bottom Line

Anyone running Windows XP or Windows Vista – with or without UAC and/or admin approval mode enabled – can now run iReboot at startup and use it to boot into whatever OS they like (in conjunction with EasyBCD, of course!).

But getting this far wasn’t easy. With Windows Vista, what should have been 100 lines of code maximum ended up being a dozen times longer, split across two different processes, and requiring way too much man-hours to write the most minimalist and to-the-point piece of software we’ve released to date.

Perhaps most importantly though, is the fact that Windows Vista’s newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security. Any program that UAC blocks from starting up "for good security reasons" can be coded to work around these limitations with (relative) ease. The "architectural redesign" of Vista’s security framework isn’t so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS.

With the current Windows Vista security models, Microsoft can claim that Vista blocks system-modification tools from running at startup; but the truth is, there are still many ways to get them to run. At the end of day, our experience with iReboot and Vista’s security implementations brings us to the sad conclusion that with Windows Vista, Microsoft has made ISVs’ jobs more complicated without actually providing any any further protection for end users from malware authors – which certainly isn’t the best way of going about this task.

Anyway, the fruits of our efforts:

Download iReboot 1.1 (248 KiB)

[support] [donate] [changelog]