Windows Vista and Explicit Congestion Notification

With one of the most popular use for computers being Internet access, changes in Windows Vista, to support improved TCP networking, are significant. I've written about Scalable Networking, which contains 3 identified options - Receive-Side Scaling, TCP AutoTuning, and TCP Offload. Scalable Networking contains changes that are implemented from the client, and only require support from the client equipment.

There are more changes to the Vista TCP stack, though, and some of them require support from equipment outside the client network. Explicit Congestion Notification (ECN) is an option that reduces network problems caused by dropped packets, by letting the routers in the network (which drop packets, when overloaded) warn the client and server that they are approaching overload ("congestion").

Rather than experience packet drop (and require packet retransmission), the client and server can be warned before packet drop is necessary, and voluntarily reduce network use. If the endpoints (client and server) reduce network use, the routers in the network path between the endpoints become less overloaded, and are less likely to drop packets. This reduces network problems, and benefits all members of the network, including other endpoints and routers in other connections. By reducing packet retransmission, ECN can reduce Internet congestion in general.

Used inappropriately, however, ECN can actually increase Internet congestion. All Internet equipment is not ECN friendly, and WikiPedia mentions how enabling ECN might actually cause a problem, rather than preventing one.

Some outdated or buggy network equipment drops packets with the ECN bit set, rather than ignoring the bit[1].

ECN isn't granular - either you enable it, or you don't - and it potentially affects access to all web sites that you wish to visit. It may be more useful in specialised computers, that are intentionally used for high speed communication with specific web sites. It doesn't appear too useful for web surfing in general, right now.

For this reason, Vista is installed with ECN Disabled. If you try ECN Enabled, and you lose access to one web site, you'll have no choice but to Disable ECN, or face loss of access to the web site in question. As network hardware is upgraded, and becomes ECN friendly, enabling ECN will become a more practical option.

If you wish to use ECN, enter in a Vista command window (Run as Admin)

netsh interface tcp set global ecncapability=enabled

If you detect problems, such as lack of access to various web sites, enter similarly

netsh interface tcp set global ecncapability=disabled

>> Top

How To Break A CAPTCHA

A CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, is what the many online services like email, forums, and free web site hosts use to prevent their services from being misused. Were it not for CAPTCHAS and similar controls, various known and unknown criminals could otherwise easily setup thousands of email accounts, forum memberships, and personal web sites for themselves, and send millions of bits of email spam, post millions of forum spam messages, and publish millions of spam web sites, all in the amount of time that it will take me to write this article.

So thank heavens for the CAPTCHA (from pioneers like Luis Von Ahn), which protects us from the hacking, porn, and spam that would otherwise overwhelm the Internet.

Oh crap. The Internet is already overwhelmed. Maybe CAPTCHAS, actually, aren't accomplishing a thing - except stopping us, the honest Internet user, from setting up an email account, a forum membership, or a free web site, without raising our blood pressure another 20 points in 10 minutes.

No, CAPTCHAS do not work, Luis. Allegedly.

So, Chuck, how do you break a CAPTCHA? Well, I can think of 3 ways.

1. Expensive high tech automated, CPU intensive, CAPTCHA breaking software. Right. I don't know about you, but my CAPTCHA solving skills are maybe .500 on my best day. How is a computer program going to break CAPTCHAs, reliably?
2. Semi expensive hiring of personnel intensive CAPTCHA breaking staff (workers, supervisors, managers, communications lines, technology??) in third world countries. Staff that does nothing but look at CAPTCHAs, over and over, all day? Is that going to be reliable?
3. Relatively cheap acquiring of volunteer labour, gathered through the Internet, completely ignorant of their role, who just want to look at the dancing pigs. Each volunteer collaborates with 2 or more other volunteers for one CAPTCHA, then is done, and never knows what he just did. Any porn merchant can get all of the volunteers that he needs.

Which is it? Door 1, 2, or 3?

For my money, it's got to be Door 3 - volunteer labour.


»http://video.google.com/googleplayer.swf?docId=-8246463980976635143&hl=en

No, Luis, this isn't allegedly happening.

Hacking, porn, and spam distribution is big business. Hackers, porn merchants, and spammers are making big bucks. Door 3 is the only possibility that makes any business sense. Volunteer labour - that's the trick.

>> Top

Windows Vista and Scalable Networking

Over a year ago, I explored an issue of Windows Vista and its problems with using default networking settings relevant to Windows Scaling. The first known problem with Windows Scaling was an exciting networking option called Receive Window AutoTuning, which became a problem when an older router was in use.

Besides AutoTuning, which is a problem with older routers, there are two additional networking options - TCP Offload ("Chimney") and Receive-side Scaling ("RSS"), which are a similar problem with older networking adapters. If your computer suffers from symptoms similar to the well known MTU setting problem, and you get no relief from disabling RWin AutoTuning, consider disabling TCP Offload and Receive-side Scaling.

In a Vista command window (Run as Admin), enter

netsh interface tcp set global chimney=disabled
netsh interface tcp set global rss=disabled

TCP Chimney Offload takes a portion of the TCP/IP network stack, currently run on your computer as part of the Windows operating system, and runs it in a dedicated processor on a TOE capable network adapter. Less work for the operating system + processing as part of the physical networking adapter = better performance.

Receive-side Scaling allows processing of incoming network traffic to be properly run on a multi-processor computer, by ensuring that all packets from a single TCP network connection are consistently processed by the same processor. All incoming packets for each TCP connection processed by the same processor = packets never getting out of sequence, which can be a problem otherwise with multiple processors. Obviously, you'll need a multiple processor system, to get any benefit here.

Try Internet access with TCP Offload and Receive-side Scaling disabled, and see if network performance improves. If it does, see if you can upgrade or replace your network card with one that is TOE capable, which was stated to cost $25 - $50 earlier this year. Once you have the right network hardware, or if the above change doesn't provide any relief from your symptoms, you can re enable TCP Offload and Receive-side Scaling

netsh interface tcp set global chimney=enable
netsh interface tcp set global rss=enable

If you do see a bandwidth improvement and / or network utilisation drop after enabling chimney and / or rss, restart the system. You may see still more improvement after restarting. Use of proper tools for objective measurement of bandwidth and network utilisation, access to high speed Internet service, and use of high bandwidth network applications like streaming video, will make the success of this change a bit easier to assess.

For more details about this issue, see

• Dana Epps Find your bandwidth in Vista really slow?
• Microsoft The Cable Guy Microsoft Windows Server 2003 Scalable Networking Pack Overview
• Microsoft TechNet New Networking Features in Windows Server 2008 and Windows Vista
• Smallvoid NDIS 6 hardware features that increases network performance

Windows Vista, and Network Location Awareness, With Multiple Network Adapters

Some owners of laptop computers, running Windows Vista, are reporting an inaccurate network status indicator when the computer is first started, and connected to the network.

When a Vista computer is started, the network status indicator - the little globe icon in the tooltray - will indicate "Local Only" status. If you go ahead and start a browser, or other Internet client component, you'll get a connection, but it may be very slow for a while. Eventually, the network status indicator will change to show "Local and Internet", and connectivity will return to normal.

This is a problem with the Network Connectivity Status Indicator (NCSI) component of the Network Location Awareness (NLA) service, and how it determines Internet connectivity when there is no active network traffic. Even if the NLA is able to verify Internet connectivity, when there is more than one network adapter on the computer, NLA can't determine which adapter has connectivity, so NCSI shows all adapters as being connected locally only. This is a problem when connectivity is through a router, and a DNS probe is used to determine connectivity.

Many late model (which is what you would want running Vista, after all) computers have an IEEE 1394 (Firewire) port. Similar in function to USB (but receiving less consumer support), a 1394 Firewire port is supported as a network adapter in many desktop and laptop computers. If your desktop or laptop computer has the problem with "Local Only", and it has only one network adapter, run "IPConfig /all", and examine the log.

If you see an entry for "IEEE 1394", this could be a problem. You can disable this device from the Network wizard (called in Windows XP, "Network Connections"), or using the Device Manager under System Properties, if you don't intend to use a 1394 network. Not a lot of us use (or intend to use) 1394 networking.

Firewire is the best known alternative networking adapter, which is part of what is being called Personal Area Networking (PAN). Two other possibilities include InfraRed and USB.

Microsoft Help and Support: (KB947041): The network connectivity status incorrectly appears as "Local only" on a Windows Server 2008-based or Windows Vista-based computer that has more than one network adapter describes the problem in more detail, and should eventually identify a solution.

>> Top

Online Analysis Of Suspicious Websites

One of the neatest ways to distribute malware nowadays is by serving it from a web site. Why push malware by files to the victims computer - just put the bad stuff on your web site, and entice the victim to surf there. If he does so, intentionally, he's more likely to trust you, and badda bing, download your malware to his computer.

So now, besides malware scanning on your computer, you need malware scanning of any web site that you access. And what better way to do this than by using the power of the web?

• AVG / Exploit Prevention Labs provides LinkScanner, which can be accessed as a browser add-on or queried online. LinkScanner does a live scan on Google, Yahoo and MSN search results, rather than querying a database of previous scan results.
• FireTrust provides SiteHound, which can be accessed as a Firefox or Internet Explorer toolbar.
• McAfee provides Site Advisor, which can be accessed as a Firefox add-on, or queried online. SiteAdvisor has an accumulated database, a web site popularity meter ("nitecruzr.net" shows a 2 of 4 - "some users"), plus does real-time evaluation when requested. They also accept comments from site readers, and from site owners.
• A partnership between top academic institutions, technology industry leaders, and volunteers provides StopBadware.org, which feeds the Google search engine results pages. Google uses the StopBadware database, and accepts input by site owners through Google Webmaster Tools.
• Symantec provides Norton SafeWeb, which appears to be intended as a plugin to a Norton security suite, though it does provide for web based queries. SafeWeb accepts comments from site readers.

So there are choices. Try them, and see which one suits your needs to the best degree.

>> Top