Wrong. Fastboot hibernates the kernel but not the userland processes. It depends on drivers being capable of quickly re-initializing hw devices, but what it does is it brings up the kernel from a hibernated image and skips most of the usual hardware detection and device initialization.

Really, really stupid advice. System restore has N previous versions of your driver setup. You can reliably go back in time for the operating system but retain any changes to user files. It is stupid to NOT use system restore. Whenever you install a new driver, the system *will* retain the old files, registry settings etc as shadow copies. It is a well-tested and stable way to go back in time with your os.

It is actually quite clever: If the system barks 3 times in a row when trying to start, the operating system *should* infer that something is preventing an orderly startup. In that case, dropping into the recovery console is a perfectly good choice.

NTFS has volume shadow copy on by default for the system drive. It records changes to the *system* (Windows/** and Program Files/**) and lets you roll back those changes without rolling back any user/data files.

So even if you f***** up so royally as to make the system unbootable (e.g. a bad disk driver), the system will boot into the recovery console with a minimal number of known "basic" drivers.

The big problem with Java is that it requires quite a bit of C "glue" code to interface with the underlying operating system. The glue code necessary is often quite complex too, since it has to contend with issues such as the VM rearranging objects (thus glue need to "pin" the objects), garbage collection using a mark-and-sweep (thus the glue code need to make sure objects do not "dissapear" during the call), strange memory layout, multithreading/cpu cache issues etc, etc.

So while from the Java developer things may look simple, copious amount of complex glue code is need with all the traditional opportunities for security bugs.

There are probably more explanations than how the language runtime integrates with the OS, but the comparable .NET Framework seems to fare *a lot* better

ActiveX controls on the web was a stupid idea. Faced with the threat of Java applets, Microsoft decided to take a sound (and efficient) binary standard from the OS and put it on the web. The big problem with ActiveX is that from the OS perspective (at least until Windows 7) it is but binary code executing under the user account.

Imagine a system where you do not have sufficient control over what a process can do (because it is binary code executing directly against the OS), so instead you try to limit who can use what binary code - and under which circumstances. But once the code executes it acts as part of the host process. That actually works until some sneaks in malicious binary code, or - more likely - someone finds a memory corruption bug or finds a way to use the binary code in ways not intended by the developer.

That is putting a lot of trust in 3rd party developers, trusting that they do not have malicious intent and that they are actually competent and that proper quality assurance processes are in place. That turned out to be a stupid thing to trust (contrary to popular belief there has been precious few vulnerabilities in the ActiveX implementation itself - it was always the ActiveX controls -mostly 3rd party - that had vulnerabilities).

However, the idea behind whitelisting ActiveX controls was not new. It had been tried before (albeit not on the 'net), with similar results in terms of vulnerabilities, exploits and system compromises. To this day SUID/setuid is the most stupid intentional security weakness in the *nix security model, simply because - like with ActiveX - the permission structure is otherwise not capable of meeting simple, legitimate requirements.

I believe you may be confusing something here. When there is a vulnerability where a jpeg can "execute arbitrary code" it is *not* intentional. It is usually down to a memory corruption bug (such as buffer overflow), i.e. it is *unintentional*. I don't believe MS has made any image format with intentional capability to execute arbitrary code. If you have information to the contrary, then please cite source.

If you are insinuating that it is only MS who can make mistakes in image processing code, you should tread carefully. Compared to the typical open source libraries (libxml, libtiff, libpng et al) MS has had precious *few* vulnerabilities.

Yes. But if you want to learn the right lessons you must be careful to perform an unbiased analysis. Otherwise your results will have absolutely zero value towards avoiding similar situations in the future. Your petty attempts at laying this at the door of MS is an example of this. If - in your mind - the problem is simply MS, then you are overlooking the real problems. Ask yourself this: Why is it that it is only MS who has not had a *major* bug in their SSL implementation? (hint: MS SDL outlaws the use of the exact C library functions that were behind Heartbleed, so MS actually has a process in place where they analyze previous vulns and improves the guidelines for future development so that they can avoid *similar* mistakes).

Updates Win 8.1 x64 all patches. No problems.

Perspective, please. This seems to be a *very* limited problem and an (as usual) over-zealous Woody Leonhard trying to stir up a controversy.

Infoworld *is* the fox news of tech.

TFA - especially the headline - is grossly misleading click-bait.

The story behind the latest numbers are that Microsoft has taken a write-down on investment in development of the *Surface Mini*. They scrapped that device only days before launch. When you do that, you have to write off all sunk cost on design and development of that product line.

Thus, those accounting numbers say *nothing* about how Surface Pro 3 - or indeed how the Surface line in general is performing in the market. For all we know demand is good but not excellent.

Tablet sales are tanking and PC sales are climbing again. If customers start to view tablets as "not for real work" Surface Pro 3 could be *the* device which is a perfect combination (compromise?) of PC and tablet.

For all the ridicule, Windows 8 does in fact deliver on being both a tablet as well as a PC operating system. The problem was never the tablet part nor the PC part - the main problem (especially with 8.0) was the rather poor integration (and yes, the fact that they tried to funnel desktop users through the "tablet" part to pent up demand for apps and attract developers).

I know this is slashdot, but if you start making claims about what is *not* in the article, could we at least expect you to look for it yourself?

F-Secure saw the communication even before they created a Mi cloud account.

The security company said that it took a brand new smartphone from the box with no prior set-up or cloud connect allowed. It then followed the following steps:

- Inserted SIM card
- Connected to WiFi
- Allowed the GPS location service
- Added a new contact into the phonebook
- Send and received an SMS and MMS message
- Made and received a phone call

"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.

I do not often say this on ./ but you're an idiot!

No, not unless the OEM did *not* follow the specs. If they followed the UEFI specs this should not be possible.

On top op that, it is a specific requirement for "Designed for Windows 8 certification" that the keys cannot be manipulated from the operating system.

The only way to change the key store is through physical (like in at the keyboard) control of the UEFI firmware in the pre-boot "maintenance mode" *or* through a firmware upgrade. Firmware upgrades *must* be signed as well, so no, you can not use that avenue either.

OEMs who designs their system with UEFI will certainly make sure to meet those requirements.

But it is based on Linux, right? Why would it need to be fire-walled off from the Internet when so many Linux servers and appliances are on the Internet?

It was a specific requirement from NFL that the tablets will *only* display stills. The tablets can be used instead of the present fax/photos. They actually have fax machines printing black/white images.

The NFL prohibits use of open tablets and other forms of technological gadgets at the sideline. The reason they give is that the team with the best *players* and team dynamics should win the game, not the team with the best *technology* (the reason why we don't like doping either: We want the best athlete to win, not the athlete with the best doctor).

Today the sideline photos are the only images the coaches and players are allowed to use during the match. The new tablets streamlines the delivery of those photos, nothing more.

The Surface tablets will be locked down with no 3rd party apps, no Internet connection and can only be used to view the same images as is already distributed using the fax devices. Specifically *no video* as that would create an unfair advantage for a team adopting the new tablets over a team which chooses to continue using the fax distribution.

Microsoft patches to IE include patches to vulns in Flash - which is embedded in IE. The increase in vulnerabilities is the result of the horrible Flash code.

The point is that this can be used to trick a root user into issuing what he believes is a safe command. The combination of the text-reinterpreting shell and specially crafted file names combines into a seemingly innocent command ending up allowing the attacker (the creator of the specially crafted file) root access on the system.

It doesn't help that some (on the surface) idempotent commands like find packs a number of dangerous options that can be used to execute shell scripts, commands or remove files.

No. This class of attacks will not work against PowerShell (nor for plain old DOS for that matter). The problem is the combination of text-centric shell scripting and shell expanded wildcards.

So, would you expect Microsoft to hold it's breath while the lawmakers pull their collective behinds together to reign in the runamok NSA? Should they stop doing business while they wait for the political system?