And this is your internet on drugs bandwidth meters:

Cartoon originally published by Toles for The Washington Post.
[source]

Richard Stallman: legendary founder of the Free Software Foundation, purveyor of the GPL, defender of open source. And – as of today – expert FUD manipulator.

Obviously someone was seriously pissed off at the abundance of (largely positive) press coverage Bill Gates has been receiving as he stepped down from his final roles at Microsoft.. and it appears Mr. Stallman just couldn’t bear to let the man he hates more than any other step down without getting that last word in.

In an article by Richard Stallman published on BBC today, Stallman pulled back no punches bashing not only Bill Gates, Microsoft, and makers of proprietary software everywhere but also took the incredibly cheap shot of accusing the Bill & Melinda Gates Foundation of working to ruin the very countries they’re trying to help:

Gates’ philanthropy for health care for poor countries has won some people’s good opinion. The LA Times reported that his foundation spends five to 10% of its money annually and invests the rest, sometimes in companies it suggests cause environmental degradation and illness in the same poor countries.

Never mind the fact that those are unsubstantiated rumors following money trails several-hundred pockets deep – what does the Bill & Melinda Gates Foundation have to do with Free Software? Is Stallman so desperate to make Mr. Gates out to be the bad guy that he’d sink this low?

Stallman, one of first people to accuse people of spreading FUD to further their opinions, doesn’t stop there:

Gates is personally identified with it, due to his infamous open letter which rebuked microcomputer users for sharing copies of his software.

It said, in effect, "If you don’t let me keep you divided and helpless, I won’t write the software and you won’t have any. Surrender to me, or you’re lost!"

Here Stallman is referring to Gates’ now-famous letter asking people illegally copying, distributing, and using Altair Basic to stop. Stallman somehow neglects to mention that – regardless of whether morally acceptable or not – Microsoft had the legal right to demand payment in exchange for their software. Ignore for a second whether or not Bill Gates and Microsoft were in the right or in the wrong to ask for payment in exchange for their work – is Richard Stallman seriously suggesting that it’s right to illegally obtain copyrighted software?

It’s one thing to say that Gates should never have charged for his software and another to say that it’s OK to use it without paying. Gates chose to ask for money, users (as Richard Stallman himself has advocated on many occasions in the past) should be looking for an alternative if they don’t want to front the cash.

Who Richard Stallman thinks he’s kidding, we don’t know. But he’s obviously crossed that line that shouldn’t be crossed; apparently desperate enough to stop Microsoft the minute he senses an opening… even if it means spreading FUD, making pointless accusations, and generally talking nonsense to get his point across. This isn’t any way for a respected figure in the open source community to act, especially not when it comes to someone who has – whether Stallman likes it or not – contributed as much to the tech community as Bill Gates has.

It would seem that between the way Gmail saves and retrieves sessions, existing sessions are authenticated, and views are cached there are one or more loopholes that allow data from a different account (that has nothing to do with yours) to be served instead of the correct data.

I don’t know why, but here’s the how:

• Firefox 3 opened to Gmail on Ubuntu.
• Session accidentally reset with ctrl+alt+bkspc
• Upon reboot & restarting of Firefox, Firefox requested the URIs that were previously open before the crash, partially loading data from local cache and the rest dynamically from the web (because of the AJAX portions of the Gmail interface).

The result:

• Gmail loaded up the email account of a user I’d never contacted before, never heard of, and never knew existed.
• I could see the front page of this user’s inbox, including the people he’d recently contacted, the brief summary of all messages, the total number of messages in the inbox, the number of unread messages in other folders, the dates of all correspondences, and a number of contacts (again, none that I have had contact with) in the sidebar.
• The number of remaining Gmail invites, the amount of space used, and other status values also reflected this mysterious individual’s account.
• I couldn’t browse deeper than the main page of the inbox. Emails couldn’t be opened, nothing past the first 50 correspondences could be seen, and I couldn’t switch to another folder.
• Attempts to do any of the above resulted in Gmail’s “Oops… the system encountered a problem (#102) – Retrying in XXs… <Retry Now>”

Parts of the Gmail interface contained values pertaining to my own account (for instance, the online status indicator) while others referred to this other individual’s account instead.

It’s very bizarre. I don’t know if it can be readily reproduced, but I’d imagine if you forced an exit of Firefox 3 and kept on firing it back up at some point or another you’d see similar behavior. Of course, a deeper analysis of what data Firefox 3 requests from Gmail’s servers verses what’s served from the local session cache may yield further information that could possibly be used to actively take advantage of this data leak.

It seems that Firefox requests a cached session complete with cookies and all from the Gmail URI, which in turn loads the Gmail javascript files that are responsible for retrieving the data associated with a particular email account via AJAX. At this point, either the session key is associated with another account and so Gmail retrieves the information assumming the session to be properly authenticated or else the expired session somehow causes Gmail to get data from elsewhere…

Screenshots of this behavior:

Gmail displaying the other user’s information:

Searching for this user in my own account yields no results:

As we’ve previously mentioned, NeoSmart Technologies is a big proponent of Full Disclosure. We’ve contacted the security department at Google and will post their reply if/when it’s available. We’ve also taken what we feel are the appropriate steps in this case with regards to the screenshots above in terms of what’s been made visible and what’s been blanked out for privacy concerns.

Update

The Google Security Team sent a reply to our inquiry. According to them, this behavior might be caused by broken ISP proxying, pending further investigation. This post will be further updated as soon as new information becomes available.

Update

Google has confirmed that was the result of an ISP caching/proxing problem, and that it’s been known to happen. It seems some ISPs are over zealous in their caching attempts (probably to save some money) - and you can add Cyberia to that list. Much thanks to Chris Evans of the Google Security Team for his feedback on the issue and prompt responses - that’s the way security is supposed to be handled!

Ever since Steve Jobs first unveiled the next version of OS X, dubbed “Snow Leopard,” the internet has been abuzz with excitement and wondering about the supposed “evolutionary” qualities of OS X 10.6. One of the most-hyped improvements is the promised revamp of the SMP capabilities of OS X, with a “breakthrough” in SMP performance.

The codename for the technology behind the SMP improvements in OS X Snow Leopard has been named “Grand Central,” which Apple describes best:

“Grand Central,” a new set of technologies built into Snow Leopard, brings unrivaled support for multicore systems to Mac OS X. More cores, not faster clock speeds, drive performance increases in today’s processors. Grand Central takes full advantage by making all of Mac OS X multicore aware and optimizing it for allocating tasks across multiple cores and processors. Grand Central also makes it much easier for developers to create programs that squeeze every last drop of power from multicore systems.

Our guess is that these SMP “breakthroughs” are going to be delivered in two blows:

1. Improvements to the OS X kernel intended to boost multi-threading & multi-tasking performance and better-distribute the loads across multiple CPU cores more intelligently.
2. Provide an SDK (perhaps as improvements to XCode) that allows developers to more-easily write multi-threaded code, handle forking, and provide load-balancing features on a per-core basis.

The first feature is what’s exciting – we believe there’s a good chance Apple will be using some form of FreeBSD’s ULE scheduler or the other in OS X.

There isn’t much info available on what scheduler(s) OS X is currently using as of 10.5 (the only question we could find on the topic remains unanswered). But OS X has its roots firmly planted in the *nix world, and it’s possible to make some educated guesses on the topic. The XNU Kernel that OS X uses is a mesh of the Mach Kernel and large portions of the FreeBSD project, and OS X uses the Mach kernel’s scheduler – or at least it did back when OS X was first launched.

The FreeBSD project has long been working on alternative scheduler intended to replace the default and aging 4BSD scheduler: the ULE scheduler. ULE is now scheduled to become the default scheduler in the upcoming FreeBSD 7.1 release. ULE has shown significant improvements in multi-core environments, and was designed from the ground up to provide increased SMP scalability. Most importantly is ULE’s overhauled support for per-processor queuing of tasks and the ability to set CPU affinity per-processor-per-thread.

If Apple were to implement a form of the ULE scheduler in OS X 10.6, Snow Leopard would be a formidable OS indeed. Using ULE guarantees huge performance benefits for multi-threaded applications, and would help address the second point listed above: the SMT affinity options provided in ULE would make creating an SDK intended to allow developers to use multiple cores efficiently and evenly quite easy. OS X has always been close to the FreeBSD project, and something like this is a natural fit for an OS looking for improvements to SMP/SMT performance.

Of course any time Apple offers a feature, it has a twist of its own. In this case, it’s OpenCL – a technology Apple says will allow developers to use the GPU as a number-crunching processor right from the usual code without much effort. This lies squarely in ULE’s playing field, since the ULE scheduler was designed with full support for load-balancing and threading across processors of varying performance, clock speeds, and fortés - which isn’t something that other schedulers can do, and would make OpenCL simply a matter of interfacing with the ULE scheduler and add the GPU to the list of CPU cores available for the ULE thread scheduler to take advantage of.

The bottom line is, the history of OS X and the XNU Kernel, the features promised in Snow Leopard, and the design and architecture of the ULE scheduler all point to a high likelihood of Apple using a redesigned thread scheduler that is either an implementation of the ULE scheduler or at least based around it in OS X 10.6. And if this is the case, OS X 10.6 will be one heck of a powerhorse.

Further Reading

• The ULE Thread Scheduer
• Introduction to ULE
• Early benchmarks of the ULE scheduler
• Architecture of the XNU kernel
• Advanced Synchronization in OS X

Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 over a web browsing session. Memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned.

We’re sorry to have to break it to you, but if you thought it was too good to be true you were right. Firefox still uses a lot of memory – way too much memory for a web browser.

We haven’t seen it reach 1GiB+ like we have with previous versions, but it’s quite normal for Firefox 3 to be sucking up ~300MiB of memory right off the bat, without a memory leak (the difference between memory leaks and normal memory abusage is that in a memory leak you’ll see the memory usage keep increasing the longer the browser is open/in-use).

This is a screenshot of Firefox’s memory usage after just a half hour or so with only a couple of HTML-only tabs open. This particular screenshot was taken on Linux where Firefox is using the shared GTK libraries – on our Windows PCs, it’s normal to find Firefox 3 taking up ~350MiB or so on both XP and Vista.

The sad thing is that isn’t caused by one of the memory leaks that plagued previous versions of Firefox. It’s Firefox 3 is supposed to take up that much memory – at least, that’s our assumption given how we’ve never seen it take up less.

Firefox 3 has a number of memory-hogging features added to the mix that are probably at least partially responsible for the absolutely gargantuan memory footprint. For example, Firefox now uses an SQL engine to keep track of your history and bookmarks, amongst other things. While that particular feature is powered by SQL-lite, which should – in theory – not take up too much memory, we’re at a loss to explain what else is wasting memory left, right, and center in the world’s most-popular open source web browser.

Things like full-text on-the-fly searching of the web cache for when you type text in the address bar certainly have an impact as well – that’s a lot of stuff to keep in memory at one time. But Opera 9.5 does the same with a lot less memory, so obviously Firefox 3 is doing something wrong.

It’s a shame that Firefox 3 is on the verge of a release and is so terribly unfit to run on any machine – Windows, Linux, or OS X – with less than at least a couple of gigabytes of memory.

Whether or not MinWin is the very same kernel that went into Vista or not is officially unknown at the moment; but what we do know is that Shipping Seven is either one huge fake, or else that the Windows core programmers at Microsoft are so stupid that they don’t know the first thing about coding, kernels, operating systems and compilers.

The post at Shipping Seven is littered from beginning to end with fallacies, lies, and incorrect deductions that anyone with even the most basic coding skills would know better than to ever post, especially not when attempting to pass it off as the work of some of the more talented coders out there.

Here are some of the more-glaring factual errors in the post that completely strip Shipping Seven of any authenticity or authority it may have on the topic of Windows 7:

How many times has the Ubuntu or Mac OS X kernel been rewritten?

Correction: OS X is powered by a rewrite of the XNU kernel which is a modified version of the Mach kernel which, in turn, is a complete rewrite of the original BSD kernel. And, of course, Ubuntu isn’t an OS in and of itself, rather it’s just a distribution of Linux.

While it can be argued that not every developer at Microsoft is expected to have intimate knowledge of the inner-workings of other operating systems, no one in their right mind would believe that the Windows kernel programmers don’t even know what kernels their strongest competitors are currently using.

We spent a boatload of time during Windows Vista making everything ‘componentizable’ - So that we could (by creating some xml files that our build process uses) create a boatload of different versions of Vista (and Server 2008).

….

You already have MinWin - It is the core system components that Windows Vista needs to function; everything else on the system depends directly or indirectly on it. It is the last thing you could (theoretically) uninstall.

So, if you really really want it, you can get it, I suppose - you probably could (using the command line) uninstall almost every single Windows Vista system component, including the user interface. I don’t know what the hell you’d do with just a kernel and a kernel loader on your machine, though.

Assuming you can get past the way that the post was written (with references like “using the command line” which indicate a general lack of knowledge about computers in general; treating the command line as if it were a “god mode” that can be used to do just about anything), there’s still the matter of factual inaccuracies - and inconsistencies in the article itself.

You can’t change/modify/revert pre-build settings by running commands in the command line. Components that are integrated at compile time simply cannot be removed by running a bunch of commands afterwards - especially not from within the resulting OS itself.

Anyone that’s ever manually compiled a Linux kernel knows this. You can’t strip ext3 support from the kernel after it’s already built any more than you can add Reiser4 support to the kernel without re-building it. As a matter of fact, anyone who’s built anything at all should know this - the same rules apply to any other program as well. For example, you can’t remove PHP support from Apache if you’ve compiled mod_php directly into the binaries.

Shipping Seven is a big, fat fraud. It’s written by someone with only the most basic knowledge of computers, zero knowledge of coding concepts, and absolutely no experience with kernels and operating systems. Shipping Seven is most likely written by the equivalent of script kiddy, eagerly awaiting the first leaked builds of Windows 7 to appease an inner itch - most likely all the while lamenting his lack of involvement in the Longhorn beta. It isn’t worth the time it takes to read, and definitely doesn’t deserve even the questionable authority it now has on the topic.

You’ve got to hand it to the Facebook team though, they have scaling and uptime perfected down to an art. For instance, when servers are due for updates, the maintenance is performed in a staggered manner, updating one set of servers at a time as attested to by the unavailability of certain Facebook accounts while others can still be accessed.

If your account is on one of he servers being serviced/maintained/upgraded, you’ll see a message like this:

If you have another account or a friend nearby, it’s quite likely that a different login attempt will work just fine.

In our opinion, the latest wave of downtime for Facebook accounts is due to the upcoming “major overhaul” to the way Facebook profiles and pages are displayed and interacted with… at least, we hope that’s the reason; because it would royally suck if Facebook were to go the way of some other once-popular services that became victims of their own popularity and lack of scalability.

The entire 8.x line has been of sub-par quality to date (8.3 and 8.4 in particular, which seem to crash randomly on a large percentage of Vista machines), hopefully the 8.5 release can provide a much-needed boost in terms of quality and stability.

It’s obviously too early to tell if the 8.5 releases addresses these issues, which are not listed in the release notes, but it’s possible that some of the causes of the problem have been resolved as a result of one or more of the bugfixes in this version.

One of the first thing Computer Science teachers drill into the heads of their students is that it’s important to map everything out beforehand. Design the algorithm. Draw the UML diagrams. Decide the entire flow of data and the relationships between everything before you even touch the IDE. While this is integral advice for anything above a small-complexity project, there is an exception: if you have a gut feeling, follow it.

For instance, the other day I sat down to write a simulator for a MIPS datacache, with different replacement policies. “Ideally,” the planning procedure would have involved designing the sequence diagram, a flowchart detailing the method used by the cache to determine expired entries, and generally-speaking a lot of time down the hole just visualizing what happens beforehand.

While mulling things over for a minute or two in my head to gather my thoughts, I found myself scribbling three phrases on the PostIt note in front of me:

• Access times -> FIFO
• Access times defined by unique tag
• Reading memory == dequeue item

These were spur-of-the-moment analyses of the caching procedure. Just thinking about the caching methodology brought these ideas to mind, with no particular “thinking through” of type. Looking back at them, I couldn’t (instantaneously) recall why I felt that access times should be removed FIFO from the data structure on read, but I figured it must have made sense on some subconscious level and plowed ahead right into the code.

In the end, the code worked, the project was done far quicker than originally imagined, and I had time to kill post this article.

Any good programmer you talk to will have a similar experience to share. The only reason I trusted my instinct in the first place on this matter (keeping in mind that the implementation of “random” algorithms can be a huge timesink if they don’t actually work) was because trusting my coding instincts has generally proved to be the right thing in the past - this is simply the most recent example.

Of course, every once in a while an impromptu idea may not be perfect; indeed, it’s possible that they’re fatally flawed. Whether it’s because the problem itself wasn’t initially understood or simply a matter of arriving to the wrong (hasty) conclusion, mistakes can (and have) occur. But it’s important to bear in mind the ratio of brilliant ideas to failures - most good programmers I’ve spoken to reaffirm that it’s a very workable hit-miss ratio.

Certainly programming by instinct has its drawbacks. For instance, these “strokes of brilliance” make up the majority of what we refer to - in retrospect - as quick and dirty solutions. There’s a time and a place for using them; and being unable to figure that part out can end up hurting you and your program. Typically speaking, using the first thought that occurs to you when structuring your program (what classes, how they interact with one another, etc.) isn’t such a good idea. Things like this need to be refined non-stop (until you get that warm, fuzzy feeling when you look at your code and quick solutions won’t help you there.

It’s usually within individual functions when you need to get something done based on the state of one or more other objects that instincts prove handy. To put it another way: when the code you’re working needs some measure of creativity and out-of-the-box thinking, don’t ever pass up on a gut feeling. Programming gives experience and insight, much of it subconscious. Patterns and ideas may leap out at you in ways that aren’t immediately obvious, but even if we don’t fully comprehend how the ideas came into existence it doesn’t mean they don’t have a substantial amount of intricate logic and supporting foundation to back them.

The next time an idea flashes into existence, like the proverbial lightbulb flickering on above your head, take a minute to appreciate its glow. Realize that you’re lucky to have such inexplicable moments, and trust them to take you and your code to the next level.

We’ve long felt that Gmail’s approach was not befitting of the Web 2.0 service with all its sky-blue shades and flashy appearance - and now it seems that Google’s felt that way too.

Here’s the new loading interface… Subtle, simple, and effective:

(Click image to see more changes)
  

After all, first impressions are everything!

• A cell-phone-wielding shopper enters the shopping plaza.
• Path Intelligence monitors mounted throughout the plaza detect that a new mobile phone is in the vicinity and log its IMEI code.
• As the shopper moves around the mall, his or her movements are continuously triangulated by the multiple Path Intelligence units, allowing movements to be mapped and saved for later analysis.

The good news: it’s totally private, there isn’t any (automated) way to map a particular record in the Path Intelligence logs to an actual person. The resulting logs can be analyzed for shopping patterns (where people go after visiting a certain store, peak hours of traffic, most popular regions, etc.) later on, providing valuable intelligence and allowing for improvements.

The bad news: The Path Intelligence logs — in-conjunction with other monitoring techniques such as cashier timestamps, credit card log, video surveillance, etc. — can result in the identification of the persons associated with logged behavior in the system; posing a real and tangible privacy/Big Brother concern.

The weird news: Everything in the above scenario can be directly mapped to an exact counterpart in the current web-tracking solutions in use:

• Shopper -> Visitor to a site
• Mall/Shopping Plaza -> Website
• IMEI code -> IP Address (unique, but not personally identifying on its own)
• Path Intelligence -> One of the many web-statistics companies

Everything from the tracking techniques used to the information gathered to the way its analyzed and used is directly taken from the way cyber traffic has been logged and analyzed for years. After all, why not?

Web monitoring solutions have proven to be reliable metrics for understanding the userbase of any given site; and more importantly, the number one tool to improving conversion rates and increasing the visits-to-sales ratio. If there are technologies that have proven invaluable to boosting the online commerce economy, it makes sense for people to attempt to apply these same methods to everyday life in the real world as well.

It’s somewhat of an epiphany to consider the amount of information available in cyberspace and how easy it is to obtain and analyze when compared to the physical world we live in. The quantity, quality, and pervasiveness of the data available to online far exceeds anything in the real world, and the use that it can be put to are truly amazing - and scary when extended to our normal lives.

Imagine for an instance the typical data available to a website owner enlisted with one or more of the web statistics services and just how useful such knowledge would be in the real world:

• Referrals. Who came from where, how people came across your store, and what they’re most interested in.
• Popularity Ranking. Know what stores in each mall are the most popular, down to the last customer. Find out exactly what sections of each store get the most attention (then compare it with sections are currently getting the most sales and try to maximize sales in those departments).
• Shopper Characteristics. As the Times article explains, the IMEI number can be traced back to the country the shopper comes from. In high-tourist areas (think New York, Las Vegas, London, Chicago, etc.) this kind of intelligence can provide great insight…

Basically, the real world is starting catch up with the online one (not the other way around, folks!), and there’s a lot it has to learn and a lot it has to benefit.

The problem with Express Gate isn’t that it’s Linux nor that it’s there - it’s the rather more-mysterious question of why it’s there in the first place. If ASUS had thought to make use of this Linux distribution to provide data recovery & diagnostics services, offer advanced BIOS configuration and updating options, or one of the infinite other creative ideas that one can manage with a light and fully-configurable OS that ships embedded with the motherboard, perhaps then we could see a use for it.

Instead, ASUS has opted to ship Express Gate with a Firefox-based web-browser and Skype (out of all things). Again, it’s not a matter of having something against either Firefox or Skype; but just the general lack of context for their being there. These days, a web browser is a means to an end. You don’t use it to browse the web, you use it to interact with the web. A web browser on a Live CD-like Linux installation isn’t as useful nor as productive as the web browser sitting on the desktop of your main OS, be it Windows or Linux.

ASUS’s major selling point is that Splashtop takes 5-seconds to load at most. If you stop and think about, it’s only impressive because it’s being taken out of context. 5 seconds is fast, but just how often do you need quick access to Skype and your computer isn’t already on? Most of us turn our PCs on and off once a day at most - and there are many that prefer to hibernate, standby, or just leave it on indefinitely.

While a “5-second desktop environment” is a highly-desirable feature, a “5-second basic desktop environment without the programs, applications and documents you need” isn’t.

At the end of the day, ASUS has an idea that has a lot of potential but isn’t being directed correctly. That spare desktop has a lot of room for usefulness and productivity, but a primitive web-surfing environment just isn’t one of them. Until Express Gate features a more-compelling feature set, it’s just another one of those PR initiatives. By “more-compelling” we mean “more exclusive” with applications and products that just won’t work as well on your usual OS (like the BIOS management and system recovery options we listed above), otherwise there isn’t any incentive to forgo the extra 10 seconds it takes to get into your real OS.

Express Gate was originally used as a way to get people to spend the extra cash for the higher-level motherboards costing a couple of hundred bucks extra, and now it’s being used to get people to choose ASUS over similarly-featured contenders. That wouldn’t normally be a problem - after all, extra features is always a great reason to choose one board over another - except in this case, it’s just fluff.

All that being said, it certainly is great to see that Linux has finally reached a level of prevalence where major motherboard manufacturers will consider making it a part and parcel of every board they sell - a kind of perverse play on all the anti-trust violations Microsoft has been accused of by convincing OEMs to ship all PCs with Windows from the get-go. And it’s important not to forget the role ASUS has played in bringing Linux to the masses in the past year - from the brilliantly-viral Eee to Express Gate, Asus has definitely done a lion’s share of work in making Linux as common-place as the PC itself. Hopefully future revisions of Express Gate can find a better use for Splashtop Linux and warrant a kinder review.

iReboot isn’t by any means a major application, but it’s gathered a pretty strong following over the months, mostly by people interested in boosting productivity (or increasing laziness) to the max. But there was one flaw in iReboot that made all the hard work we put into making it as unobtrusive and minimalistic as possible almost meaningless: if you had UAC enabled, iReboot will not run automatically at startup, no matter what you do.

This behavior comes as a result of the architecture that Microsoft used to secure Windows Vista, which doesn’t allow for applications requiring admin approval to run at startup. It doesn’t matter what your application does or if you absolutely trust it beyond the shadow of the doubt, Windows Vista simply won’t let an application that runs in elevated privileges mode to launch at startup - end of story.

Users of iReboot were quick to point out that this is a major drawback that made it almost useless - after all, it’s far less productive to have to manually run an application when you want to reboot than it is to wait for that startup screen to appear and select the OS you want. So we set about finding a solution.

We’ve just released iReboot 1.1, a UAC-free implementation that doesn’t require admin approval, elevation, etc. past the initial installation. And, yes, it does run automatically at startup too!

The Gory Details (feel free to skip below to the download links!)

In order for iReboot to be of any use, we had to get around Microsoft’s UAC limitations. For iReboot, it was of the absolute importance that it run at startup, and that it be allowed system access from normal user accounts. On Windows XP - where everyone runs as an Administrator and there are no annoying UAC prompts - it was a non-issue. But on Windows Vista, the new architectural requirements for running applications in elevated privilege modes made it near impossible.

While digging around for possible solutions, it became clear that the only possible fix would be to split iReboot into two parts. One would run in the background as a service, running under the SYSTEM or LOCAL SERVICE accounts and having privileged access to the OS without requiring admin approval or UAC elevation, and with the second half running as an unprivileged userspace client program which interacts with the service backend to get stuff done.

The resulting application has an installer - which requires admin privileges, of course - which installs and launches the background service. The background service has full permission to do what we need to get operating system XXXX to be the default option for the next boot, but - in line with the Windows Service Model - cannot be interacted with by end users.

The installer also adds a normal UI application which sits in the taskbar (from where end-users may interact with and use iReboot) and communicates with the backend service via a custom API which must not require the execution of any privileged code. The service can do whatever it wants (well, whatever we want it to do, but lets not get picky here!), but the client program must only perform actions which normal, unprivileged users have permission to execute.

By using a standard inter-process communication API we avoided the need for any special actions on behalf of the client application, effectively separating logic (residing and executing on the backend service, free from the many limitations of UAC) and presentation/design (the client application, bound to obey UAC’s every wish).

The Bottom Line

Anyone running Windows XP or Windows Vista - with or without UAC and/or admin approval mode enabled - can now run iReboot at startup and use it to boot into whatever OS they like (in conjunction with EasyBCD, of course!).

But getting this far wasn’t easy. With Windows Vista, what should have been 100 lines of code maximum ended up being a dozen times longer, split across two different processes, and requiring way too much man-hours to write the most minimalist and to-the-point piece of software we’ve released to date.

Perhaps most importantly though, is the fact that Windows Vista’s newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security. Any program that UAC blocks from starting up "for good security reasons" can be coded to work around these limitations with (relative) ease. The "architectural redesign" of Vista’s security framework isn’t so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS.

With the current Windows Vista security models, Microsoft can claim that Vista blocks system-modification tools from running at startup; but the truth is, there are still many ways to get them to run. At the end of day, our experience with iReboot and Vista’s security implementations brings us to the sad conclusion that with Windows Vista, Microsoft has made ISVs’ jobs more complicated without actually providing any any further protection for end users from malware authors - which certainly isn’t the best way of going about this task.

Anyway, the fruits of our efforts:

Download iReboot 1.1 (248 KiB)

[support] [donate] [changelog]

The "good news" is, if you’re on Windows Vista SP1 x86, DEP doesn’t get in the way as often. And for when it does, Windows Vista x86 lets you disable DEP and continue along on your merry way. But Windows Vista x64 isn’t as forgiving - even after you use a program like EasyBCD to disable DEP entirely, you can’t stop hardware-based DEP or exempt software from the protection list on 64-bit operating systems.

Adobe has yet to provide an official (or even an unofficial) response on the matter; but seeing as Adobe hasn’t properly touched the Audition code-base since buying out Cool Edit Pro, it’s probably safe to assume we won’t be seeing an update anytime too soon. (for instance, Adobe Audition 3.0, released in Sep. of 2007, still doesn’t have that omnipresent 3.0.1 patch out yet).

A program’s executable code is split into multiple sections depending on what’s stored in it and what it’s used for. Some of these sections are marked as "no-execute" in the extended x86 instruction set. However, an incorrectly-written program will either incorrectly try to run code that shouldn’t be executed or else mistakenly mark executable code as "no-execute" - both of which will cause DEP to interfere and get Windows to kill the process.

The interesting thing here is - why didn’t Windows Vista RTM cause DEP to fire as well? After all, if Adobe Audition is attempting to execute portions of its code that shouldn’t be touched, Windows should block the attempt SP1 or not.

One possible explanation is that Adobe Audition is attempting to run code from a core Windows library, but it’s accessing the code in a non-standard way that breaks when that library has been updated or modified. Or perhaps its determining the entrypoint for a library file dynamically, and something about Windows Vista SP1 makes it start at the wrong place.

Either way, it seems you shouldn’t be using Windows Vista x64 SP1 if you depend on audio or video encoding to make a living. The sad thing is, 64-bit operating systems were often touted as "the answer" to encoders’ needs, between the slightly-optimized processing of encoder instructions and the ability to support 4GiB+ of memory; yet here we are at square zero once more.

Update (April 21st, 2008)

Reader Mike B. wrote in letting us know that x86 versions of Windows Vista SP1 do not trigger a DEP alert at all, so it seems this is a problem exclusive to Vista x64 machines running SP1. If you are using Windows Vista SP1 x86, you shouldn’t have to worry about this issue. Thanks, Mike!

What are the most common causes of notebook sleep issues?

• A process running on the system does not allow the system to enter sleep mode.
• A hardware interrupt, such as some peripheral devices for example.
• An unstable driver which does not properly support sleep states or is just buggy.

I’ve owned several notebooks over the years, and almost every one of them have had an issue with sleep mode in one way or another, and over time I’ve learned a certain "practice" which ensures that sleep mode generally works when I close the lid of my computer…

1. Make sure that all of the latest updates are installed for your operating system (Windows Update on Microsoft Windows, Software Update on Mac OS X, your favorite package manager on Linux).
2. Close any running programs on the system (and exit any programs which are running in the notification area which is next to the clock on Windows systems).
3. Unplug all external devices (USB, FireWire, etc.) This includes your external keyboard and mouse if you’re using one, your printer, and whatever else you have plugged in. And no, your USB-powered rocket launcher isn’t an exception, even though it is really cool.
4. Use the "Sleep" option in your operating system to put the computer to sleep instead of the lid (Start > Turn Off Computer > Sleep on Windows XP, Apple menu > Sleep on Mac OS X).
5. Once the computer has gone to sleep, close the lid.

You’re probably wondering why it’s not a good idea to always rely on the lid of your computer to put it to sleep, and the answer is fairly simple. Notebooks have a sensor or switch which detects the position of the display (lid) and when the lid is closed to a certain degree it should trigger sleep mode… only that’s not always the case.

Some notebooks take up to one minute to fully go into sleep mode, and general habits have shown that you’re more likely to close the lid and immediately tuck your computer into its carrying case, which means you’re moving the computer around in mid-air before the hard drive head has gotten a chance to park, which could cause damage to the hard drive (and your valuable data). By using the operating systems "sleep" function and waiting for the signal that your computer is snoozing away (whether it be a flashing power light or a pulsating sleep light), you give the computer a chance to park the hard disk head and enter sleep mode correctly.

Mind you, some notebooks with older NVIDIA drivers on Windows Vista may cause your computer to go into a perpetual coma every time it falls asleep. If your notebook manufacturer hasn’t provided you with a newer graphics driver, I’d recommend consulting a sleep therapist LaptopVideo2Go.com, which has all of the latest NVIDIA drivers and modified INF files for installing them on any NVIDIA graphics card.