GilmerFreePress.net

G-TechNote™: Windows 10 Shaves Off Gigabytes With Selective System File Compression

With the Windows 8.1 Update, Microsoft shrank the Windows 8.1 install footprint to make it suitable for low-cost tablets with just 16GB of permanent storage, a reduction from the 32GB generally required for Windows 8. Windows 10 will shrink the disk footprint further, potentially freeing as much as 6.6GB of space on OEM preinstalls.

Microsoft describes two sources of savings. The first is the re-use of a time-honored technique that fell out of fashion as hard drives grew larger and larger: per-file compression.

The NTFS filesystem used in Windows has long allowed individual files and folders to be compressed, reducing their on-disk size at the expense of a small processor overhead when reading them. With spinning disks getting so large as to feel almost unlimited, per-file compression felt like a relic from a bygone age by the mid-2000s. But with the rise of solid state storage and ultra-cheap devices with just a handful of gigabytes available, per-file compression has gained a new lease on life.

When installing Windows 10 from scratch, it will assess the system’s performance to figure out if the system processor is fast enough that it can decompress system files without any noticeable performance impact. If it’s fast enough (and it’s hard to imagine a system built in the last decade that wouldn’t be fast enough, though Microsoft doesn’t appear to have disclosed the exact requirements) then a selection of system files will be stored compressed on disk. Store apps are also eligible for compression.

To enable high performance decompression, Microsoft has added a number of new compression algorithms to the NTFS filesystem that are designed for compressing executable files. These all appear to be variants of algorithms already well used and tested in other Windows software; three are variants of the “Xpress” algorithm used for hibernation files, Windows Updates, and the Windows Imaging Format (WIM) files used by the Windows installer. The fourth algorithm, LZX, is used in Microsoft’s CAB archives, and it’s also an option for WIM. The different algorithms each offer different size/space trade-offs. These join the LZNT1 algorithm that’s more suitable for general data compression.

In total, Microsoft reckons that compression can save 1.5GB on 32-bit systems and 2.6GB on 64-bit ones. These savings extend to Windows 10 for Phones, too.

The second set of savings comes from eliminating something that takes up a ton of disk space: the recovery image. OEM systems have a hidden partition containing a fresh image that’s used for system recovery. At a bare minimum this will usually take about 4GB of space; with a ton of pre-installed software (or just sloppy sizing), it can take much more. With Windows 10, the entire thing is eliminated.

This isn’t Microsoft’s first attempt to reduce the space required for recovery. Windows 8.1 Update introduced a clever space-saving technique to save the recovery partition space; instead of duplicating the recovery files onto the working Windows install (and thereby doubling the amount of space required), the working install just contained pointers to the files on the recovery partition. This is what enabled the use of 16GB drives. However, the technique was complicated to administer and set up, so Microsoft has gone back to the drawing board in Windows 10.

Windows 10’s recovery will simply use the system files from the working operating system. Windows already knows which files belong to Windows and which ones don’t; to reset the PC, it simply needs to delete everything that isn’t Windows and restore the registry and other settings files to sensible defaults.

The savings from eliminating the restore image won’t apply to Windows 10 on phones, because they already use a similar mechanism for their reset process.

As well as reducing the disk footprint, this should make restoring faster, because it will remove the need to download security updates and operating system patches after recovery: the Windows system files used for recovery will already be the up-to-date patched versions. This addresses one of the biggest problems with recovery partitions: they’re essentially unserviceable, and every time a system is restored using one, it becomes immediately susceptible to security flaws.

We do wonder if it will offer the same robustness as a recovery partition, however. Although deleting system32 is harder to do than it used to be—much to the chagrin of 4chan trolls everywhere—the in-use operating system files still feel more immediately vulnerable to damage or destruction at the hands of malicious or broken software.

Windows 10 will still be able to recover from such scenarios, provided that you make recovery media of your own.

The only sticking point, currently, is those 16GB Windows 8.1 Update machines using its clever space-saving recovery image technique. To ensure that a failed upgrade can be safely rolled back, upgrading those machines to Windows 10 requires enough space for both operating systems to exist side-by-side. Microsoft isn’t yet sure how to handle these machines, but it’s apparently evaluating “a couple of options” to allow them to upgrade.

~~  Peter Bright   ~~

G-TechNote™: Bogus SSL Certificate for Windows Live Could Allow Man-in-the-Middle Hacks

Microsoft is scrambling to block a fraudulent HTTPS certificate that was issued for one of the company’s Windows Live Web addresses lest it be used by attackers to mount convincing man-in-the-middle attacks.

The phony Transport Layer Security/Secure Sockets Layer certificate was issued for “live.fi” and “www.live.fi”, which are addresses Microsoft reserves for its Windows Live services. The sensitive credential has already been revoked by Comodo, the browser-trusted certificate authority that issued it. But given the ease of defeating the current SSL revocation regimen, attackers may still be able to maliciously use the certificate against unsuspecting end users.

“The purpose of this advisory is to notify customers that an SSL digital certificate was improperly issued,” Microsoft officials warned late Monday. “This SSL certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Microsoft web properties. It cannot be used to issue other certificates, impersonate other domains, or sign code.”

The race to kill all trust in the live.fi certificate is the latest event to underscore the problems with the SSL system, which remains the Internet’s de facto method for encrypting sensitive Web traffic and proving the authenticity of servers used for e-mail, banking, and shopping. As security researcher Moxie Marlinspike demonstrated in 2009, revocation lists browsers use to check the validity of TLS certificates are easily defeated. That’s because the online certificate status protocol and an earlier database known as certificate revocation lists trigger what’s known as a “soft fail” rather than a more secure but also harder-to-tolerate “hard fail.” As a result, when an Internet outage makes a revocation list unavailable, most browsers will treat an unvalidated certificate as trusted. Attackers using a CA-issued counterfeit certificate to mount a man-in-the-middle attack can capitalize on this flaw by suppressing the revocation response before it reaches a targeted end user.

That means the only sure way to block an improperly issued certificate is for each browser maker to hard-code the revocation into an update. Windows 8 and 8.1 come with an automatic updater of revoked certificates. As the name suggests, the mechanism downloads revoked certificates without requiring users to take any action. An automatic updater is available for Windows 7, Windows Server 2008, and Windows Server 2008 R2, but users are required to install it first. Those using Windows Server 2003, and people who don’t have the automatic updater installed, are advised to check this link for an update that can be manually installed.

Google and Mozilla, makers of the Chrome and Firefox browsers, respectively, are likely to issue updates in the next day or two. E-mails sent to officials with both organizations went unanswered as this post was being prepared. Comodo officials also didn’t respond to a request for comment.


Easy to issue, hard to kill

The precise circumstances that allowed the fraudulent live.fi certificate to be issued aren’t clear, but Microsoft’s advisory suggested the forgery was the result of someone obtaining an e-mail address that’s typically reserved for website operators to demonstrate their control of a given domain.

“A certificate was improperly issued due to a misconfigured privileged email account on the live.fi domain,” Microsoft officials wrote. “An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorized certificate for that domain.”

This Comodo Web page says such e-mail addresses include those with the words admin, administrator, postmaster, hostmaster, and webmaster immediately to the left of the @ and the domain name for which the certificate is being applied. All it takes for someone to receive a domain-validated TLS certificate is to apply for one using such an address. Comodo will respond with an e-mail that contains a unique validation code and link. Clicking such a link is all the proof Comodo and many other certificate authorities require that the applicant is the legitimate owner of the domain.
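An added example (not from the article, Microsoft, or Comodo): how a mail provider could keep the local parts listed above out of self-service registration and audit existing accounts for them. The `example.test` addresses are constructed, and the plus-tag handling is an assumption about how the mail system delivers mail.

```python
import unicodedata

# Local parts the article lists as accepted for domain-validation e-mail.
CA_VALIDATION_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "postmaster", "hostmaster", "webmaster"}
)


def canonical_local_part(address: str) -> str:
    """Return the local part in the form the mail system would deliver to."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    # Fold case and compatibility forms (e.g. full-width letters) so that
    # "Admin" and look-alike encodings compare equal to "admin".
    local = unicodedata.normalize("NFKC", local).casefold()
    # Assumption: "user+tag" is delivered to "user" (sub-addressing).
    return local.split("+", 1)[0]


def is_validation_mailbox(address: str) -> bool:
    """True if a CA could use this address to validate control of the domain."""
    return canonical_local_part(address) in CA_VALIDATION_LOCAL_PARTS


def registration_allowed(address: str, operator_owned: bool) -> bool:
    """Self-service sign-ups must never receive a validation mailbox."""
    return operator_owned or not is_validation_mailbox(address)


def audit(accounts):
    """accounts: iterable of (address, operator_owned). Return the violations."""
    return sorted(
        addr for addr, owned in accounts
        if not owned and is_validation_mailbox(addr)
    )


# Constructed sample data: (address, is the mailbox held by the domain operator?)
SAMPLE_ACCOUNTS = [
    ("alice@example.test", False),
    ("Hostmaster@example.test", False),      # user-registered, privileged name
    ("admin+promo@example.test", False),     # delivered to "admin"
    ("administrator@example.test", True),    # legitimately operator-owned
    ("sysadmin@example.test", False),        # not on the CA list
]

if __name__ == "__main__":
    for addr in audit(SAMPLE_ACCOUNTS):
        print("user-held validation mailbox:", addr)
```
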

The ease in obtaining such certificates, and the difficulty in killing them off once they’re issued, are potent reminders of the continued insecurity of one of the Internet’s most important security mechanisms. Until browser makers declare this credential dead, people visiting any Windows Live domain should remain extra vigilant.

G-TechNote™: Windows 10 Says “Hello” to Logging in with Your Face and the End of Passwords

Windows 10 will let you log in to your PC, tablet, phone, or even website with nothing more than your finger or face by using a pair of new features called Windows Hello and codename “Passport.”

Windows Hello is a new integrated biometric system for passwordless authentication on Windows devices. Windows 10 users will be able to log in using their faces, their fingerprints—already common on many laptops—or their eyeballs, using iris recognition. The system will support automatic sign-in simply by sitting in front of the PC, Kinect-style.

The goal is to obviate the need for passwords, which continue to be a weak link in computer security. Weak passwords and passwords shared across multiple systems continue to expose people and sites to attack, and biometrics are increasingly being promoted as the solution to this problem.


The same infrastructure for passwordless logins will also be available to third-party developers using a new framework that Microsoft has codenamed Passport. This will open up the same system of biometric logins to applications, networks, and perhaps most importantly of all, websites.

Microsoft announced in February that it was joining the Fast IDentity Online (FIDO) Alliance. FIDO’s specifications provide a standard way for sites to support biometric, passwordless authentication. The same authentication hardware that will be usable with Hello will also be usable with FIDO.

One of the sensitivities around biometric systems is the storage of biometric data. In common with other systems such as Apple’s Touch ID, Hello and Passport store all biometric data locally on the system, never transmitting it across the network. The biometric authentication is handled entirely on the PC. It’s used to unlock cryptographic data that is then used for securely logging in to remote sites using the well-known principles of asymmetric cryptography.

As with so many Windows features, Windows Hello and Passport are both dependent on having appropriate hardware. Face and iris recognition will need special cameras that have only started to show up on shipping systems; they require infrared illumination and detection to ensure that they can’t be trivially faked out using photographs. The Intel RealSense 3D Camera, found on a handful of new PCs, is the first hardware on the market that has this support. Conventional webcams won’t do the job.

While fingerprint readers are more common, they’re still typically found on enterprise-oriented machines rather than consumer ones. And presently, not a single Windows Phone ships with a fingerprint reader, even though Windows 10 on phones will also support Hello and Passport. Wider availability of this hardware will be invaluable in improving password security, and it appears that Windows 10 will be providing the necessary software support to make this technology mainstream. We just hope that the OEMs do their part and build biometric devices into more systems.

Copyright MMVIII-MMXVII The Gilmer Free Press. All Rights Reserved