Friday, August 31, 2012

Alienware M14X

Alienware M14x Review: An Ultraportable Gaming Powerhouse

When Dell refreshed its lineup of Alienware gaming laptops earlier this year, it discontinued the littlest of the bunch, the 11-inch Alienware M11x. As a result, the Alienware M14x is now the entry-level Alienware laptop, which Dell recently refreshed with an IvyBridge processor and a new graphics card. Like many more-typical ultraportable laptops, the M14x has a 14-inch screen, but it's chunkier and more powerful than the other computers in its category.

Our review unit, priced at $1454 (as of August 20, 2012), as configured, sports a third-generation Intel Core i7-3610QM processor, 8GB of RAM, a 750GB hard drive, and a discrete Nvidia GeForce GT 650M graphics card. The M14x also features a Killer Wireless-N a/g/n Wi-Fi card with Bluetooth 4.0, a DVD-RW drive, and Alienware's Command Center suite of software (including AlienFX, which allows you to change the lighting scheme). The M14x runs the 64-bit version of Windows 7 Home Premium.

Performance

In PCWorld's WorldBench 7 benchmark tests, the M14x earned a very good mark of 143, meaning that the M14x was 43 percent faster than our reference model, which carries a second-generation Intel i5-2500K processor, 8GB of RAM, and an Nvidia GeForce GTX 560 Ti graphics card.

These days, competing ultraportables are speedier and more powerful than ever, despite being slim and light. For example, the Acer Aspire S5, a sleek 13.3-inch Ultrabook with a Core i7-3517U processor, rolled up a WorldBench 7 score of 195. However, the Aspire S5, like all Ultrabooks, comes with a speedy solid-state drive that helps it boot faster. In other words, the Aspire S5 boots up and resumes from sleep much more quickly than the M14x does (the S5's startup time in our tests was 12.3 seconds, versus 24.2 seconds for the M14x), but that doesn't mean the Aspire S5 is more powerful overall.

A better way to identify the M14x's computing strength is by assessing its gaming performance. In our Dirt 3 graphics tests, the M14x behaved like a true gaming machine, sustaining frame rates of between 82.8 frames per second (at high quality settings, and 1920-by-1080-pixel resolution) and 186.5 fps (at low quality settings, and 800-by-600-pixel resolution). The Aspire S5, in contrast, topped out at 19.1 fps and 44.5 fps, respectively, at the same settings. These numbers indicate that the M14x is a powerhouse.

The M14x also has very good battery life, considering that it's a gaming machine at heart. In our tests the laptop managed 5 hours, 3 minutes of battery life—not far behind the Aspire S5's 5 hours, 28 minutes.

Design: Chassis, Keyboard, and Trackpad

Though the M14x's specs put it somewhere between an all-purpose laptop and an ultraportable laptop, it's much larger and thicker than an average ultraportable today. The M14x is 1.5 inches thick (whereas most ultraportables are about 0.5 inch thick) and it weighs 6.5 pounds, not counting a 1.3-pound power block. By way of perspective, the 0.7-inch thick Acer Aspire S5 weighs just 3.3 pounds including the power block.

The M14x has the same retro styling as other laptops in Dell's latest set of Alienware models, with a soft, rubbery black lid, a sturdy chassis, and a unique grille on the front of the machine. The laptop telegraphs its gaming orientation with tons of changeable lights on the keyboard, around the trackpad, through the grille, under the power button, and on the logo beneath the screen. The default lighting color is set to blue.

The M14x packs a backlit, full-size keyboard with regular-style keys. The keys' beveled sides and slightly indented tops make typing on them easy and comfortable. The keyboard incorporates a couple of gamer-friendly features: the S key has four raised dots for quick tactile recognition, and the arrow keys are positioned slightly apart from the rest of the keyboard.

A simple, medium-size trackpad with two discrete buttons sits directly below the keyboard. The trackpad is smooth and accurate, and the soft-touch mouse buttons are easy to press. The trackpad lacks fancy extras such as multitouch support, but true gamers will want to use an external mouse with this laptop in any event.

The M14x has plenty of ports: The left side of the machine has VGA-, HDMI-, and DisplayPort-out ports; a USB 2.0 port; jacks for microphone, headphone, and microphone/headphone (for a headset); and a nine-in-one card reader. On the right side of the computer are two USB 3.0 ports, an ethernet port, a Kensington lock slot, and the slot-loading DVD-RW drive.

Screen and Speakers

The M14x sports a great-looking 14-inch glossy WLED-backlit screen with a native resolution of 1600 by 900 pixels. This bright screen offers excellent contrast, depth, and color accuracy, and is perfect for gaming. Off-axis viewing angles are okay, though you do lose some contrast as you move from side to side. The glossy screen looks great in low and dark lighting, but it can throw back some pretty severe reflections in bright light (especially sunlight).

Video looks and sounds great on the M14x. HD video plays flawlessly, with little to no artifacting or noise even in intense, action-packed scenes. Audio sounds very good through the M14x's Klipsch 2.1 speaker system. The speakers, which are located above the keyboard, produce full, rich sound at an acceptably loud volume.

The Bottom Line

Don't let the Alienware M14x's benchmark specs mislead you--WorldBench 7 puts a lot of weight on small, speedy SSDs, which this laptop doesn't have. Nevertheless, the M14x outperforms any Ultrabook we've seen in screen and graphic quality.

And because the M14x is built for gamers, it has a relatively user-friendly design. Ultrabooks often skimp on quality components in an effort to achieve the lightest, thinnest, and sexiest profile they can. In comparison, the M14x is heavy and bulky, but it's also sturdy, with a keyboard and a trackpad that will stand the test of time, as well as an excellent port selection. The M14x also comes at a great price for a gaming-oriented laptop, though upgrade prices are expensive: Doubling the RAM from 8GB to 16GB costs $150, and adding a Blu-ray reader costs $200.


Wednesday, August 29, 2012

How to Export and Import Android Virtual Devices

Over the last couple of weeks, I have been testing my Android app on different devices. That work is going well. In this note, I'd like to share a couple of things that came out as side effects of that work, including:

  1. How to move Android virtual device (AVD) files from an Android Emulator to another machine.
  2. The set of AVD definitions that I found useful in checking an app on different screen sizes and screen densities.

Knowing how to move AVD files is important for a couple of reasons: (a) if you ever switch machines or do a complete reinstall of your Android environment, it would be good if you could reuse old device definitions rather than having to recreate them; (b) if you are working on a team, it saves a lot of time if there is a shared set of devices that everyone in the team is testing against.

How To Move AVD Files

There are a few things you need to understand about Android virtual device (AVD) files. The first is what they are. Basically, they are files that hold the description of an Android device and what's on that device in the Emulator environment. If you need more information, start with the Android Developers note on "Managing Virtual Devices".

Whether you are working alone or on a team, sooner or later you will want to know how to move your AVD files from one machine to another. Here's what I have learned about that task.

Where do AVD definitions reside on your disk?

To find the avd folder on your machine, check your user directory. For me, with user name "blahti", those locations are:

  • Windows 7: \users\blahti\.android
  • Windows XP: C:\Documents and Settings\blahti\.android\
  • Linux/Mac: ~/.android

Here's a tip for new Mac users (like me). In the Finder window, you have to use the "Go To Folder" item on the "Go" menu to get to "~/.android".

Steps for moving

Here are the basic steps:

  1. Go to the .android folder and pick the AVD you want to export.
  2. Compress the device.avd folder and the device.ini file. (Replace "device" with the name of the device you want to copy. For example: Evo4g.avd, Evo4g.ini.)
  3. Copy the compressed files to the new location, usually on a different machine.
  4. Extract the files and place them in the user's .android folder.
  5. Edit the ini file and make corrections as needed: (a) the user name could be different; (b) change the slashes in the path to Windows or Unix style.

Example ini file contents on a Mac:

target=android-8
path=/Users/bill/.android/avd/Evo4G.avd

Example ini file contents on Windows 7:

target=android-8
path=C:\Users\blahti\.android\avd\Evo4G.avd

Example ini file contents on Windows XP:

target=android-8
path=C:\Documents and Settings\blahti\.android\avd\Evo4G.avd
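Step 5 above done by script, as an added example that is not from the post: the functions take the ini text, rewrite the path= line for the home directory and separator style of the machine the files were copied to, and pass every other key through unchanged. The sample ini and the user names are the ones in the post; the function names, the windows/unix argument and the ini-name check are this example's own assumptions. A carriage return left at the end of a line by a Windows editor is stripped, because that is an easy way to end up with a path the AVD Manager cannot find.

```shell
#!/bin/sh
# Added example (not from the post): rewrite the path= line of an exported
# AVD .ini for the machine it was moved to. Function names, the windows/unix
# target argument and check_ini_name are this example's own.

# Sample ini as exported from the Mac in the post (constructed from its text).
MAC_INI='target=android-8
path=/Users/bill/.android/avd/Evo4G.avd'

# Last component of a path, whether it uses / or \ as separator.
avd_basename() {
    printf '%s\n' "$1" | sed 's#.*[/\\]##'
}

# Path the ini must point at on the new machine.
# $1 old path, $2 home directory on the new machine, $3 target: windows or unix
new_avd_path() {
    name=$(avd_basename "$1")
    case $3 in
        windows) printf '%s\\.android\\avd\\%s\n' "$2" "$name" ;;
        unix)    printf '%s/.android/avd/%s\n' "$2" "$name" ;;
        *)       echo "unknown target: $3" >&2; return 1 ;;
    esac
}

# Rewrite the ini text in $1 for home directory $2 on a $3 machine.
# Stray carriage returns from a Windows editor are dropped; other keys
# such as target= pass through unchanged.
rewrite_ini() {
    printf '%s\n' "$1" | tr -d '\r' | while IFS= read -r line; do
        case $line in
            path=*) printf 'path=%s\n' "$(new_avd_path "${line#path=}" "$2" "$3")" ;;
            *)      printf '%s\n' "$line" ;;
        esac
    done
}

# The red X in the AVD Manager is usually a path problem. One cheap check:
# Foo.ini must point at a directory named Foo.avd, with the same case, since
# Linux filesystems are case-sensitive. $1 ini file name, $2 ini text.
check_ini_name() {
    stem=${1%.ini}
    p=$(printf '%s\n' "$2" | tr -d '\r' | sed -n 's/^path=//p')
    [ "$(avd_basename "$p")" = "$stem.avd" ]
}

# Usage: produce the Windows 7 version of the Mac ini from the post.
rewrite_ini "$MAC_INI" 'C:\Users\blahti' windows
```

Only the directory name at the end of the old path is kept, so the same call works whichever way round the move goes (Mac to Windows or Windows to Mac); the home directory on the new machine is the only thing you have to supply.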

Start the AVD Manager under Eclipse and be sure the files are readable. See Figure 1 below.

Figure 1 – Start the AVD Manager in Eclipse

If there is an error, a red X is displayed, as in Figure 2. Highlight the item, and see if the "Repair" button is enabled. Click "Repair" if it is, or click the "Details" button for more information. In most cases, it will be something wrong with the path in the ini file you just edited. Always check that first. After you edit a file, click the "Refresh" button to see if your correction worked. Figure 3 shows that all corrections have been accepted.

Figure 2 – AVD Manager shows errors

Figure 3 – AVD Manager shows corrections

To use the new AVD definitions, run the AVD Manager. You will need two pieces of information: (a) the diagonal measure for your computer's screen; (b) the actual size of the screen for the Android phone or device. Click "Start…" and fill in the diagonal screen size.

Figure 4 – Start a Device from the AVD Manager

Here are a few values for diagonal size (the "d" value), with the resolution and LCD density for each device. If you are testing with other devices, a Google search for your phone name with the word "specs" usually gets you what you want.

HTC Evo – 480 x 800, LCD 217, d 4.3
Motorola Droid 3 – 540 x 960, LCD 275, d 4
Motorola Droid – 480 x 854, LCD 265, d 3.7
Nexus One – 480 x 800, LCD 252, d 3.7
LG Optimus S – 320 x 480, LCD 180, d 3.2
HTC Tattoo – 240 x 320, LCD 143, d 2.8 (small screen, low density)

My Set of Android Virtual Devices For Testing

Here is the set of virtual device definitions that I have been using in my testing. The set includes large and small screen sizes and low, medium, and high density screens.  I have not tried tablets yet.

To get the zip files for these AVD definitions, go to my shared avd folder in Google Docs. When you get there, do not click on the zip files there. Instead right-click with the mouse button (control-click on a Mac). That gets you to a menu with a "Download" link on it.

To use them, just download the zip file and move the files to the right place, as described in the first section of this note. Each of these comes with a Dashboard UI Demo app already installed. To give you an idea of what these different devices look like, here's a screenshot of the six devices running a demo program. Basically, it looks reasonable except on the small screen of the HTC Tattoo.

Figure 5 – Demo program running on different virtual devices

The AVD files encode the device information shown in the previous section. If you add more device definitions and have to calculate the LCD value, here is the formula, where x and y are the screen resolution in pixels and d is the diagonal screen size in inches:

LCD = sqrt(x^2 + y^2) / d
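The formula as a small script, an added example that is not from the post. It computes the LCD value from resolution and diagonal, adds the inverse (diagonal from resolution and a known density, for the case where a spec sheet gives the dpi but not the screen size), and recomputes every row of the device list above to confirm the listed values. The function names and the DEVICES rows (copied from the list in the post) are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): the LCD density formula from the text,
# its inverse, and a check of the device table against the formula.
# Function names and the DEVICES rows (copied from the post's list) are
# this example's own. LC_ALL=C keeps awk reading "4.3" as a number in
# locales that use a decimal comma.

# Density in pixels per inch from resolution x, y (pixels) and diagonal d
# (inches), rounded to the nearest integer as the table lists it.
lcd_density() {
    LC_ALL=C awk -v x="$1" -v y="$2" -v d="$3" \
        'BEGIN { printf "%d\n", int(sqrt(x*x + y*y) / d + 0.5) }'
}

# Inverse: the diagonal in inches from resolution and a known density,
# to one decimal place, which is the "d" value the AVD Manager asks for.
diagonal_for_density() {
    LC_ALL=C awk -v x="$1" -v y="$2" -v lcd="$3" \
        'BEGIN { printf "%.1f\n", sqrt(x*x + y*y) / lcd }'
}

# name x y d lcd, one device per line, taken from the list in the post.
DEVICES='HTC_Evo 480 800 4.3 217
Motorola_Droid_3 540 960 4 275
Motorola_Droid 480 854 3.7 265
Nexus_One 480 800 3.7 252
LG_Optimus_S 320 480 3.2 180
HTC_Tattoo 240 320 2.8 143'

# Print one line for every device whose listed LCD value disagrees with
# the formula; prints nothing when the table is consistent.
check_table() {
    printf '%s\n' "$DEVICES" | while read -r name x y d lcd; do
        got=$(lcd_density "$x" "$y" "$d")
        [ "$got" = "$lcd" ] || printf '%s: listed %s, formula gives %s\n' "$name" "$lcd" "$got"
    done
}

# True when every row of the table matches the formula.
table_ok() {
    [ -z "$(check_table)" ]
}

# Usage:
table_ok && echo "all listed densities match the formula"
```

With the post's six rows the check prints nothing, which is the point: the LCD column is derived from the other three values, so when you add a device you only need its resolution and diagonal.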

References

I'd like to thank once again the Android community, and particularly the people who support the Android Developers website, for their willingness to share information and help one another. Here are the references I found most useful for this work:

Managing Virtual Devices – an intro article on the Android Developers website. It describes what an AVD file is, what it contains, and how it's used in the Android Emulator.

Supporting Multiple Screens – a good place to start to understand how to deal with the different screen sizes and densities. Once you start testing on multiple devices, you're likely to discover that you have problems. This article and the next one are essential references.

Providing Resources – an article on how you structure your application to handle different devices.

Question at Stack Overflow about testing on multiple devices – I liked the suggestions about which set of devices to choose for a representative set, given the current statistics on actual devices in use.

Screen Sizes and Densities – current data on what devices are in use. This was mentioned in the Stack Overflow note above.


Tuesday, August 28, 2012

Company claims patent on mobile texts

The New York Times Co. is girding for a legal battle that many larger organizations have avoided.


The Times is leading the defense of a diverse group of companies that use technology they assumed was free: sending text messages with Web links to mobile phones.


The technology was patented by inventor Richard J. Helferich, who filed an outline of how such a system would work with the U.S. Patent and Trademark Office in September 1997. He was granted several patents on the method, giving him the right to sue companies that use it without permission.


Since 2008, his company, Helferich Patent Licensing, has filed 23 suits against companies ranging from Best Buy Co. to the National Basketball Association, claiming they are infringing on his intellectual property.


HPL offers companies the chance to settle by paying a one-time fee of $750,000. Many companies gladly pay, rather than getting bogged down in a court fight that could cost millions. Roughly 100 companies have settled with HPL already, it says, including Apple Inc., The Walt Disney Co. and McDonald's Corp.



The Times' general counsel, Kenneth Richieri, says he wants to prevent Helferich's patents from becoming a burden on activities that are commonplace in the digital age.


"In some ways, it's a tax for being on the Internet," Richieri said. "Millions and millions of dollars collectively is going out of the pockets of people who earned it to people who, in my opinion, didn't do anything."


If the Times loses, it's likely it will have to pay more than the $750,000 that HPL initially sought to continue using the technology. The Times has used it to alert readers by mobile phone of breaking news or severe weather.

Steven Lisa, a registered patent attorney who represents HPL, would not comment on the specifics of any settlements.


The U.S. patent system is designed to protect inventors and allow them to profit from their ideas. Where would General Electric be without legal protection for Thomas Edison's light bulb? What might have become of AT&T if competitors had been free to copy Alexander Graham Bell's telephone? The patent office views its role as vital to the growth of the U.S. economy, and last year, it issued around 245,000 patents.


HPL's cases, however, fit into a controversial category. Opponents point out that HPL doesn't make products or provide services. They say it simply uses patents to seek licensing fees from others who actually do business. Critics label such companies "patent trolls".


"You really have to wonder what contribution they are making to our economy or our society, or if it's just a drain," said Jason Schultz, director of the Samuelson Law, Technology & Public Policy Clinic at the University of California, Berkeley.


Patent trolling is legal. The patent office doesn't require inventors to put their ideas into action.


In 2011, entities like HPL sued 5,073 companies in the U.S. for infringing on patents that they either got on their own or acquired. That was more than double the number in 2009, according to PatentFreedom, a research organization that offers consulting advice for defendants in patent lawsuits.


PatentFreedom estimates the typical cost of a patent defense is $1 million to $5 million. Taking the low estimate, multiplied by the number of defendants, it sees such suits as a drag on the economy of more than $5 billion a year.

"Law firms are doing very well at this. Operating companies are not," says Daniel McCurdy, the founder of PatentFreedom.


The Times is fighting the case on two fronts: at the U.S. Patent and Trademark Office and in the courts. Beginning late last year, it filed a number of complaints with the patent office on grounds that the government issued the patents incorrectly. The Times' legal team notes, for instance, that Intel Corp. received a similar patent in February 1996, some 18 months before Helferich got his. A few of the complaints have initially been found in the Times' favor, according to the newspaper company's outside counsel, Brian Buroker, although HPL is appealing. The process could take 18 months to complete.


The Times is also fighting the case in the U.S. District Court in Chicago, where it argues HPL already receives licensing fees from cellphone manufacturers for the same technology and therefore shouldn't be allowed to double dip and charge content providers.


The Times is spearheading the defense of a group that also includes CBS Corp., Comcast Corp.'s TV channels Bravo and G4 and J.C. Penney Co., according to court filings. HPL sued The New York Times Co. in July 2010; Bravo, G4 and CBS in October 2011 and J.C. Penney in December 2011.


The technology in dispute has become a key part of the companies' marketing campaigns. CBS texts followers to prompt them to visit its website for exclusive pictures and video to shows such as "Big Brother." Bravo sends messages to viewers' mobile phones to get them to participate in live online chats and polls. J.C. Penney lets shoppers with mobile phones know about sweepstakes and giveaways.

Although the lawsuits were filed separately, the defendants are saving money by sharing strategies and resources instead of fighting the lawsuits on their own. The lawsuit against the Times is scheduled to go through at least the middle of next year.


Some see the case as highlighting the need for patent reform.


Berkeley's Schultz says it should be easier for defendants to force the patent office to re-examine its past decisions on issuing patents, and easier for patents to be struck down in court. That way, patent holders would be less able to make a business out of extracting settlements by using the threat of costly litigation.


Some changes are coming. Last September, President Barack Obama signed into law the first major change in patent law in six decades. It is aimed at streamlining the patent process, reducing costly legal battles and giving the patent office more money to process applications in a timely fashion.


Certain parts of the law won't take effect until March, but a provision that took effect right away has made it more difficult for patent holders to name dozens of defendants in a single suit. That has led to a decreased number of companies sued. PatentFreedom estimates the number of defendants this year will fall to around 3,500.



Believe it! New sports car goes 200 mph, gets 70 mpg

A cheesecake that helps you lose weight. Beer that cleanses your liver. Some things are just too paradoxical to be realistic. But in a world where everything your heart desires involves some kind of trade-off, a plucky British automaker is trying to bring us the ultimate in have-your-cake-and-eat-it-too.

After years of stalled efforts, the Trident auto company has announced that they will soon introduce a revolutionary production-ready model called the Iceni Grand Tourer. Packing a 430 hp diesel engine and a top speed of 200 mph, it's a scorcher capable of going from 0 to 60 in 3.7 seconds. Yet it will also boast one of the best fuel efficiency ratings out there, with a combined city and highway rating of about 70 mpg. The popular eco-friendly Toyota Prius hybrid has a rating of 50 mpg.

So not only will it rival your neighbor's Porsche, but it can also outgreen your treehugging hippie friend's hybrid. And since it runs on biodiesel as well, the Iceni GT can be powered using a wide range of fuels, from regular diesel to "mineral diesel, bio diesel, palm oil and linseed oil," according to a press release.

I don't know what kind of engineering dream team Trident has assembled, but it's hard to fathom how this is even possible — even with a car that runs on diesel. And though Trident has released some basic specs, they've been coy about what kind of secret sauce they've got running under the hood.

What we know so far is that the car relies on a 6.6-liter turbocharged diesel powertrain that, when combined with Trident's innovative Torque Multiplication system and proprietary transmission technology, delivers 430 bhp and a staggering 950 lb-ft of torque at under 3250 rpm. Roughly speaking, this means that cruising at a constant 70 mph, the specially tuned engine will run at just 980 rpm, produce 700 lb-ft of torque, and keep on going for over 2,000 miles on just one full tank of fuel.

For an extra cost, buyers can also upgrade to a 660 bhp model that delivers 1050 lb-ft of torque.

The Trident will be on display at the Salon Privé 2012, an annual car show held at West London's Syon Park in early September. The company plans to start taking orders shortly after with a starting price of $119,000.


You’re better off in a slum than in the country

Slums — those impoverished, overcrowded and often filthy urban districts — may be bad news for your upward mobility, but you're almost certainly better off than living in the country.

That's according to Charles Kenny, a senior fellow at the Center for Global Development and author of Getting Better, who writes in the September issue of Foreign Policy that urbanization is economic progress.

The reason so many people endure the slums? Because countryside conditions are worse.

He writes:

Start with the simple reason that most people leave the countryside: money. Moving to cities makes economic sense — rich countries are urbanized countries, and rich people are predominantly town and city dwellers. Just 600 cities worldwide account for 60 percent of global economic output, according to the McKinsey Global Institute. Slum dwellers may be at the bottom of the urban heap, but most are better off than their rural counterparts. Although about half the world's population is urban, only a quarter of those living on less than a dollar a day live in urban areas. In Brazil, for example, where the word "poor" conjures images of both Rio's vertiginous favelas and indigenous Amazonian tribes living in rural privation, only 5 percent of the urban population is classified as extremely poor, compared with 25 percent of those living in rural areas.

If you're reading this while sitting in a developed country, this dynamic may be harder to understand — the "country house" certainly has wealthy overtones; a return to one's roots, albeit with a thoroughly padded bank account.

Though slums have improved markedly since the Victorian era, they're still scorned by the public, which frequently calls for them to be cleared. ("Not in my backyard," on a much bigger scale.) Kenny says they shouldn't be. Instead, slums should be supported with services. Because, scrutinizing the data, these people aren't undesirable at all — they're trying to make money just like the wealthier folks working in the downtown business district.


Sunday, August 26, 2012

Furore over stipend in pharma college

AHMEDABAD: LM Pharmacy College premises quaked with chaos on Friday as the parents of agitating students joined their wards in protesting against the non-payment of stipend. Students say college authorities have not paid them their stipend for the past one year.

The students said that their counterparts in all other colleges have been getting a monthly stipend of Rs 8,000. There are 80 students pursuing the MPharm course at the college. The students pointed out that the grant for the stipend is given by the All India Council for Technical Education (AICTE).

The students have been asking the college to deduct their fees from their stipend and pay the remainder of the amount to them. They claim that this has been the norm. However, this time the college has made it compulsory for students to first pay their annual fee. It is on this issue that a stalemate has arisen, and there have been no classes over the past month.

On Friday, the parents and students protested against the college's demand that students give an undertaking saying they would not ask for any stipend. They refused to give any such undertaking. The AICTE authorities had told a delegation of students who had recently gone to Delhi to discuss the issue that it was for the college to take up the matter.

The college said that it was discussing the matter with AICTE. A team of officials from the college would take up the matter with the AICTE next month in Delhi.

HC seeks Unitech's reply to telecom firm Uninor's plea

The Delhi High Court today sought Unitech Ltd's reply to Unitech Wireless (Tamil Nadu) Pvt Ltd's plea against a Company Law Board (CLB) order restraining their joint venture telecom firm from selling its business and assets.

Justice Indermeet Kaur issued notice to Unitech Ltd and sought its response to the plea of Unitech Wireless (Tamil Nadu) Pvt Ltd, a joint venture telecom firm between Norway's Telenor and realty major Unitech group and also known as Uninor, and fixed the matter for hearing on August 28.

Uninor had moved the court against the August 9 order of the CLB, which had stopped it from auctioning its assets. Unitech Ltd, which holds a 32.75% stake in joint venture Uninor, had earlier moved the CLB and had sought stopping of the sale, fearing that Norwegian firm Telenor may be the only bidder in the auction. The CLB had allowed the plea.

Uninor earlier on August 1 had invited potential bidders to express their interest by August 6 and said its majority owner Telenor was willing to pay Rs 4,190 crore for its 30 million customers and assets in case no other bidder turns up. Unitech Ltd had claimed that the motive behind the asset sale was mala fide and Telenor wanted to "annihilate" the company and take over the assets.

While Telenor wants to scrap the joint venture, Unitech has opposed the move and has said the Norwegian company cannot unilaterally scrap the agreement.

The relation between Telenor and Unitech soured after the Supreme Court in February this year struck down the licenses, terming their allocation as arbitrary and illegal.

Uninor's 22 2G telecom licenses were among the 122 cancelled by the Supreme Court in February.

Are massive ad spends by telecom companies truly justified?

Marketing and advertising have always been a major expense for telecom companies. Switch on any TV channel and chances are you'll see one telecom company ad or another running. The prominent ones are Bharti Airtel, Vodafone Delights, Reliance Communication and Tata Docomo. However, at a time when the telecom sector is grappling with one of its worst phases ever, are such lavish expenses really warranted?

In the last 18 months, the telecom sector has been plagued by the 2G scam and an exodus of foreign players from the sector. Moreover, mobile number portability, though beneficial for users, has added to the existing cutthroat competition.

Jo tera hai, Woh mera hai: Picking up?

Bharti Airtel, India's largest telecom operator, spent over Rs 11,000 crore and managed to add 3.48 crore subscribers in the January 2011 to June 2012 period. What's interesting is that the company's advertisement spend in the June quarter shot up by 22%, but it managed to add only 10% more subscribers, quarter-on-quarter.

[Chart: Sub = subscriber addition (in millions), Ad = advertisement expense (Rs in crore)]

Keeping it simple?

Youth icon Ranbir Kapoor's charm is yet to kick in for Tata Docomo. Even though the company has spent close to Rs 400 crore on marketing and advertisement, it has lost nearly 4 million customers in the January 2011 to June 2012 period.

What an Idea, Sirji

Idea's most brilliant idea was probably to cut down on its advertisement spend. The company managed to add nearly the same number of subscribers as Bharti Airtel at one-third of the market leader's cost in the January 2011 to June 2012 period.


Note: Reliance Communication does not mention advertisement costs in its quarterly results. Vodafone is not listed in India, so no data is available.

Saturday, August 25, 2012

How to remove the 10 concurrent TCP connection limit in Windows XP SP2?

Windows XP SP2 introduces a few new twists to TCP/IP in order to babysit users and "reduce the threat" of worms spreading fast without control. In one such attempt, the devs seem to have limited the number of possible TCP connection attempts per second to 10 (from unlimited in SP1). This controversial feature can affect server and P2P programs that need to open many outbound connections at the same time.

In other words, even though it is not going to stop worms spreading, it's going to delay them a few seconds, limit possible network congestion a bit, and limit the use of your PC to 10 connection attempts per second in the process! I have no problem with the new default setting limiting outbound connection attempts. Still, users should have the option to easily disable or change this setting. I might be going out on a limb here, but ever since the introduction of Windows XP I can't help thinking that I dislike all the built-in Windows "wizardry", in the sense that the system also limits user access. That irritating trend to ease the mental load on end users is somewhat insulting, considering that Windows is made to make the more "intelligent" choice instead of the end user, as well as to limit their access to tuning such settings...
End of rant.

With the new implementation, if a P2P or some other network program attempts to connect to 100 sites at once, it would only be able to connect to 10 per second, so it would take it 10 seconds to reach all 100. In addition, even though the setting was registry editable in XP SP1, it is now only possible to edit by changing it directly in the system file tcpip.sys. To make matters worse, that file is in use, so you also need to be in Safe mode in order to edit it.

Unfortunately there exists no registry key which could easily be set (would be so nice and easy, right? *smile*). The file TCPIP.SYS in the directories C:\WINDOWS\SYSTEM32\DRIVERS and C:\WINDOWS\SERVICEPACKFILES\I386 has to be changed (depending on the system, possibly in C:\WINDOWS\SYSTEM32\DLLCACHE, too).

Needed things:
- Windows XP SP2 (from RC2 upwards) or Windows 2003 Server SP1 beta
- The Patcher
- A small amount of time

Download the EventID 4226 Patcher Version 2.23d (english) from here.

Instructions:
1. Just download the patcher and execute it. It will automatically find the Windows directory and ask if it should increase/decrease the limit. By default the concurrent connection limit will be lifted to 50.
2. For higher values, please check the help with parameter /?.
3. After a successful patch, the new TCPIP.SYS will be automatically installed. After that, the computer should be restarted.

Regards..

Friday, August 24, 2012

Apache 2.0 Hardening Guide

Technical Reference: Apache 2.0 DMZ Secure Server Install

This document is a guide to installing and hardening an Apache 2.0 web server to common security standards.  It will guide you through practical measures to harden your Apache server, by way of example.

Because a web server is often placed at the edge of the network, it is one of the most vulnerable services to attack.  Therefore, it's vital that you follow this guide to ensure that:

1) The opportunity to compromise the web server is limited
2) Should the web server be compromised, the damage potential to the rest of the network, data, and systems is limited.

1. Prepare the host operating system

 

1.1 Install and secure the host operating system.

 
Follow the hardening guidelines from The Center for Internet Security.  Hardening the host O/S ensures that, should someone compromise the security of your web server, the amount of damage that they could inflict will be minimized.
 
1.2 Create the directories to hold the Apache files
 
It's important to separate the binaries (/bin), documents (/htdocs), and logs (/logs) into separate partitions on the system.  You can choose whatever root you want, but this example will use /opt/apache2 as the root directory for the Apache web server.
 
1.3 Create the host groups for administering and running the server.
 
Create a distinct group for all the users who will have permission to change the configuration, start, and stop the web server.  For example, if you want to call the group "webadmin", create it like this:
 
groupadd webadmin
 
Create a distinct group for the web server user – no one will actually log into this group, but it will only be used to hold the userid which will run the web server.  For example, if you want to call that group "webserv", create it like this:
 

groupadd webserv

 
Take note that you should not create a "web developer" group on this host.  Since this is a hardened production host you must not provide web developers login accounts on this system.  Instead, developers should deploy documents and code to the server using your code/content deployment system, such as Kintana's Apps*Integrity.
 

1.4 Create an unprivileged host user id to run the server.

 
Never run the web server as root; if the web server is ever compromised, the attacker will have complete control over the system.  Instead, the best way to reduce your exposure to attack when running a web server is to create a unique unprivileged userid for the server application. The userid nobody is often used for this purpose, but a userid and group that are unique to the web server is a more secure solution.
By default the web server uses privileged ports (port 80 and 443) and, when configured for secure operation, must have root privileges to open its log files and start the daemon.  (Therefore, the web server daemon will have to be started as "root", unless you configure it to use a port higher than 1024.)  Once the server's startup tasks are complete, all active instances can run as the unprivileged user.
Use the following command line entries as patterns for creating a group and user for the web server.  Here's an example if you were to use "webserv" as the user:
useradd -d /opt/apache2/htdocs -g webserv -c "Web Server" webserv

1.5 Lock down the web server account

 
It's important that no one can successfully execute a password guessing attack against this account, so in this step, we'll restrict this account so that no one can log into it.
 
1.5.1 Issue this command to lock the password for the web server account:

passwd -l webserv

Password changed.

1.5.2 To be sure the password is locked, issue the command:

grep webserv /etc/shadow

A "!" at the beginning of the password field (the second colon-separated field) indicates that the password is locked.

1.5.3 Issue this command to remove the shell for this account:

usermod -s /bin/false webserv

1.5.4 To be sure the shell has been removed, issue the command:

grep webserv /etc/passwd

/bin/false at the end of the line indicates that the shell is set to a non-login shell.

1.5.5 Test the web server account to be sure you can't log in.  Issue this command to try to log in:

login webserv
 

2. Download and verify Apache source code

 
By default, web servers return information about the product and version they are running in the Server header of the HTTP response.  This information can be very useful to hackers, enabling them to target attacks to that specific server.  To prevent that information from being returned by the web server, this step shows you how to modify that header and build your own copy of the web server.
 
Because web servers often host sensitive information, or allow users to log in with plain-text passwords, it's important to encrypt the HTTP traffic.  Therefore, this section will show you how to configure mod_ssl on your web server.
 
Note:  Don't build the web server on your production, hardened host.  Build it on a staging or development server (with identical O/S), and then copy it to your production host.
 
These steps will guide you through downloading Apache source code, validating it, compiling it, and installing it.  We don't recommend use of pre-compiled or DSO versions.  DSO versions may allow a hacker to introduce new "features" without having to recompile the code.
 
If you intend to add other modules to your Apache web server installation, repeat the validation steps below for each module you add.
 

2.1 Download the latest version of Apache 2.0

 
Ensure that you retrieve the latest copy, so that you have cumulative bug fixes and security patches.  You can download it from the Apache site.
 
From here, download four files:
 
1) The Apache source code itself, called something like httpd-2.0.45.tar.gz.
2) The PGP keys for the Apache signers: a file named "KEYS".
3) The PGP signature for this source distribution, called something like httpd-2.0.45.tar.gz.asc.
4) The MD5 checksum for this source distribution, called something like httpd-2.0.45.tar.gz.md5.
 
wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz
wget http://www.apache.org/dist/httpd/KEYS
wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.asc
wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.md5
 

2.2 Verify PGP signature for the Apache source

 
To ensure that you have an authentic version from the Apache Group, and that it's not been tampered with (remember, there are many mirrors from which you can download the Apache source), you should check the PGP signature.  If you don't have PGP installed on this server, you can validate these files on another machine.
 
a) If you don't already have them in your PGP keyring, import the public keys from the Apache Group into your keyring:

~> pgp -ka KEYS

b) Check the PGP signature:

~> pgp httpd-2.0.45.tar.gz.asc
 
…if the signature is correct, you should get something similar to this:
 
-- CUT --
File 'httpd-2.0.45.tar.gz.asc' has signature, but with no text.
Text is assumed to be in file 'httpd-2.0.45.tar.gz'.
Good signature from user "Justin R. Erenkrantz <justin@erenkrantz.com>".
Signature made 2003/03/31 07:49 GMT
 
WARNING:  Because this public key is not certified with a trusted signature, it is not known with high confidence that this public key actually belongs to: "Justin R. Erenkrantz <justin@erenkrantz.com>".
 
The fact that it says, "Good Signature from…" is what we're looking for here.  The WARNING statement indicates that we've not verified this signature with a 3rd party, which is ok here.
 
2.3 Verify the MD5 checksum for the Apache source.
 
MD5 is a way to validate the integrity of the file itself, more reliable than a simple checksum and similar methods.  Normally, mismatches in the MD5 checksum from the Apache source are the result of download errors or file corruption.  If you don't have MD5 on your system, you can download it from here.
 
Compare the results of these two commands – visually inspect them to ensure they match (if they don't, download it again):
 
~> pwd
/usr/local/build
 
~> cat httpd-2.0.45.tar.gz.md5
MD5 (httpd-2.0.45.tar.gz) = 1f33e9a2e2de06da190230fa72738d75
 
~> md5 httpd-2.0.45.tar.gz
MD5 (httpd-2.0.45.tar.gz) = 1f33e9a2e2de06da190230fa72738d75
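As an added example (not part of the guide), here is a small Python checker for the step above: it parses the .md5 file in the BSD "MD5 (name) = hex" form shown (and the GNU md5sum form), recomputes the digest of the downloaded tarball, and reports a mismatch so the two hex strings need not be compared by eye. The tarball and checksum file it builds are constructed stand-ins, not real Apache data; this confirms integrity only, and authenticity still rests on the PGP check in 2.2.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Line formats found in .md5 files: the BSD style the Apache mirrors use
# ("MD5 (name) = hex") and the GNU md5sum style ("hex  name").
_BSD = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{32})$")
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{32}) [ *](?P<name>\S.*)$")


def parse_md5_file(text):
    """Map file name -> expected hex digest from the contents of a .md5 file."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _BSD.match(line) or _GNU.match(line)
        if not m:
            raise ValueError("unrecognised checksum line: %r" % line)
        expected[m.group("name")] = m.group("hex").lower()
    return expected


def md5_of_file(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks so a large tarball is not held in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(tarball_path, md5_path):
    """True only if the .md5 file names this tarball and the digests agree;
    False means: download it again, as section 2.3 says."""
    with open(md5_path) as f:
        expected = parse_md5_file(f.read())
    name = os.path.basename(tarball_path)
    if name not in expected:
        return False  # the .md5 file describes a different file name
    return hmac.compare_digest(md5_of_file(tarball_path), expected[name])


def demo():
    """Constructed sample: a stand-in 'tarball', its matching .md5 file, and a
    corrupted copy with the same name. Returns (good_result, corrupted_result)."""
    work = tempfile.mkdtemp()
    payload = b"constructed stand-in for httpd-2.0.45.tar.gz, not real data\n"
    good = os.path.join(work, "httpd-2.0.45.tar.gz")
    with open(good, "wb") as f:
        f.write(payload)
    md5_file = good + ".md5"
    with open(md5_file, "w") as f:
        f.write("MD5 (httpd-2.0.45.tar.gz) = %s\n" % hashlib.md5(payload).hexdigest())
    # Simulate transfer corruption: same file name, one byte changed.
    corrupt_dir = os.path.join(work, "corrupt")
    os.mkdir(corrupt_dir)
    corrupt = os.path.join(corrupt_dir, "httpd-2.0.45.tar.gz")
    with open(corrupt, "wb") as f:
        f.write(payload[:-2] + b"X\n")
    return verify_download(good, md5_file), verify_download(corrupt, md5_file)


if __name__ == "__main__":
    print(demo())  # (True, False)
```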
 
2.4 Extract the zipped Apache source file.
 
Finally, you need to unzip and untar the source file.
 
~> pwd
/usr/local/build
 
~> tar xvfz httpd-2.0.45.tar.gz
 
This will create a new directory under your current one, named "httpd-2.0.45".

3. Create SSL certificates

 
SSL support requires an SSL library on your system, such as OpenSSL.  If you're not sure how to find and install it, look at the Apache 1.3 hardening guide.  This section will walk you through configuring your SSL certificate for encrypting your HTTP traffic.  It will help you build a validated certificate and install it on your web server.  We'll add the configured certificates to the Apache configuration in the next step.
 

3.1 Create a key and certificate request for your web server

 
Using OpenSSL, the following command will create a 1024-bit private key named "server.key" and generate a certificate signing request (CSR).  You need to have the CSR signed by a Certificate Authority (CA) who can validate your identity.  When prompted to input information, note the example answers given after each prompt below.  (Answer the prompts with the information relevant for your server, of course.)
 
Note:  If you provide a challenge password, you will be unable to start the web server unattended.  We don't recommend providing a challenge password, just leave it blank.
 
~> pwd
/usr/local/build
 
~> openssl req -nodes -newkey rsa:1024 -keyout /usr/local/build/server.key -out /usr/local/build/server.csr
 
Using configuration from /usr/share/ssl/openssl.cnf
Generating a 1024 bit RSA private key
................++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC        
Locality Name (eg, city) []:RTP
Organization Name (eg, company):XianCo Systems, Inc.
Organizational Unit Name (eg, section) []:InfoSec
Common Name (eg, YOUR name) []:xianshield.xianco.com
Email Address []:webmaster@xianshield.xianco.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <blank>
An optional company name []: <blank>
 
Most importantly, make sure your "Common Name" above matches the DNS name of your server.  The locale information is less important, but we think it's best to use the locality of the server itself.
 

3.2. Submit CSR for validation/signing by a CA.

 
Next, you need to submit your CSR for signing by a CA.  This will eliminate the "warning dialog" that a browser will pop up when a user accesses your site: the user's browser ships with a set of trusted CAs, and it will not warn the user if the web server's site certificate is signed by a CA it already trusts (such as Verisign or DST).  In this example, we will submit the request to your company's CA for signing.  (You can use another CA if you want.)

Send your request for a certificate to the CA.  Include your name, your web server (Apache, in this case), your OS, and of course, the .csr (certificate signing request).
 

3.3   Rename your certificate files

The names aren't important; they just have to match what's in conf/ssl.conf.  You will receive two files from the PKI team.  The first file will be your server certificate (and will probably be named <server name>.cer); the second file is the certificate chain.  Here, we'll rename them to fit what's specified in conf/ssl.conf.
 
mv "XianCo CA (01-03).cer" ca.crt
mv xianshield.cer server.crt
 

3.4  Copy certificates to your server.

 
Since you received these certs via email, and they're now sitting on your laptop, we need to copy both server.crt and ca.crt to the server.  We'll copy them up to /usr/local/build.  We'll move them both to the appropriate locations under conf/ssl.conf later.
 
scp *.crt xianshield:/usr/local/build/.
           
 

4. Configure and build the Apache Server

 

In this section, we'll configure Apache with SSL and mod_ldap support.  As of Apache V2, these are both included modules, and don't require a separate download.

 

In order to customize Apache to the extent necessary, we need to download the source for the latest version of Apache.  Once that's complete, we'll configure and test it.

 

4.1 Alter the Apache version

 
We want to remove/modify the default HTTP response header parameter for the "Server:" token to hide the identity of our web server.  (You'd be surprised how many vulnerability scanners are looking for specific versions of Apache.)  To do this, we must edit a header file prior to compiling the server: the ap_release.h file located in ${ApacheSrcDir}/include.
 
~> pwd
/usr/local/build/httpd-2.0.45/include
 
~> vi ap_release.h

#define AP_SERVER_BASEVENDOR "Apache Software Foundation"   <-- Change this...
#define AP_SERVER_BASEPRODUCT "Apache"                       <-- and this

These are the lines you want to change; change them to remove references to Apache.  We'll hide the actual version using the ServerTokens directive in the httpd.conf file.

Example:

#define AP_SERVER_BASEVENDOR   "Network Services"
#define AP_SERVER_BASEPRODUCT  "Networks, Inc."
 

4.2 Configure Apache software for compilation

 
There are a few standard modules that should be disabled when you set up the Apache web server. 

Modules to disable

Generally, the following modules make it easier to configure/support your web server but also give too much information to attackers.  We recommend that you disable the following default modules for your production server:
 
* info: gives out too much information about your web server to potential attackers.
* status: gives out server stats via web pages
* autoindex: provides directory listings when no index.html file is present
* imap: provides server-side mapping of index files
* include: provides server-side includes (.shtml files)
* userdir: translates URLs to user-specific directories
* auth: you won't need it – you'll set up authentication against LDAP via mod_ldap

Modules to enable

Here are two modules that will provide strong authentication and encryption for your web server.  If you have any protected content on your web server, it's important that you only allow your users to access it over SSL, otherwise your user passwords will be sent in clear text, subject to snooping.
 
* ssl: Encrypts the traffic from the browser to the web server – an important means of protecting login passwords and sensitive data.
* auth_ldap: Allows you to validate passwords against ldap.xianco.com or another LDAP directory.

A word about LDAP authentication                

It's important that you don't set up your own userid/password store, since it propagates passwords into insecure locations.  Instead, you should modify your configuration to defer authentication to a central store, such as a centrally maintained LDAP.  To authenticate against an LDAP store, you need to compile Apache with LDAP support.  In order to use mod_ldap, you'll need LDAP libraries installed on your system.  You can use OpenLDAP or the Netscape Directory SDK for the LDAP client libraries.

Configuration commands

Here's how to configure Apache with these options:
 
~> pwd
 
/usr/local/build/httpd-2.0.45
 
~> sudo ./configure --prefix=/opt/apache2 \
--enable-so \
--enable-ssl \
--with-ldap \
--enable-ldap \
--enable-auth-ldap \
--disable-info \
--disable-status \
--disable-autoindex \
--disable-imap \
--disable-include \
--disable-userdir \
--disable-auth
 
checking for chosen layout... Apache
checking for working mkdir -p... yes
checking build system type... sparc64-unknown-linux-gnu
checking host system type... sparc64-unknown-linux-gnu
checking target system type... sparc64-unknown-linux-gnu
 
Configuring Apache Portable Runtime library ...

 

4.3 Compile the Apache server

 
Now that the software is validated and configured, it's time to compile it.  Since you won't have a compiler on your production host, we'll compile and install it on a separate server, then tar/compress it and scp it to your production host.  You'll need to run make using "sudo" so that Apache knows it can use ports < 1000.
 
~> pwd
/usr/local/build/httpd-2.0.45
 
~> sudo make
===> src
make[1]: Entering directory `/usr/local/build/httpd-2.0.45'
make[2]: Entering directory `/usr/local/build/httpd-2.0.45/src'
===> src/regex
sh ./mkh  -p regcomp.c >regcomp.ih
 

4.4 Install the Apache server

If you have followed our instructions for securing the host, you will have to unpack the distribution and compile it on a separate host.   To make your server more secure, use a separate disk partition for your web content. Create a unique mount point for this directory -- htdocs is a good name to use, but make it somewhere outside the ServerRoot directory. You'll need to update /etc/vfstab to mount this partition as part of your server's startup process.
Do not use the htdocs directory included in the distribution as your DocumentRoot. This directory contains user documentation that you don't want to make available to the public as it contains information a potential attacker could use to penetrate your system. (The attacker can deduce what kind of web server you're running, and hone his attack accordingly.)  Move these documentation files into your support directory so the webmasters for your site can refer to them as needed.
You'll need to install the Apache server using "sudo" privileges or as root.
 
~> pwd
/usr/local/build/httpd-2.0.45
 
~> sudo make install
===> [mktree: Creating Apache installation tree]
./src/helpers/mkdir.sh /opt/apache2/bin
./src/helpers/mkdir.sh /opt/apache2/libexec
./src/helpers/mkdir.sh /opt/apache2/man/man1
./src/helpers/mkdir.sh /opt/apache2/man/man8
./src/helpers/mkdir.sh /opt/apache2/conf
..

5. Install SSL certificates

Now that the server is installed, we need to copy certificate key, server certificate, and CA chain to Apache's configuration directory.
 

5.1 Set up the Apache certificate directories

 
~> pwd
/opt/apache2/conf
 
~> sudo mkdir ssl.crt ssl.key
 

5.2 Copy the certificate and key to the SSL configuration directory

 
~> sudo cp /usr/local/build/server.crt ./ssl.crt/.
~> sudo cp /usr/local/build/server.key ./ssl.key/.
 

6.  Configure the Apache server

 
Configure the file permissions and runtime settings of the Apache server.  It's important that you place your htdocs, cgi-bin, and logs directories on separately mounted filesystems.

 

6.1 Configure httpd.conf

 
Set the following in your httpd.conf file.  You can also download an example httpd.conf with these settings here.
 

Directive and setting, followed by its description/rationale:

ServerSignature Off
Prevents the server from giving version info on error pages.

ServerTokens Prod
Prevents the server from giving version info in HTTP headers.

Listen 80 (remove)
Remove the "Listen" directive – we'll set this directive only in ssl.conf, so that the server will only be available over https.

User webserv (or whatever you created in step 1.4 above)
Ensures that the child processes run as the unprivileged user.

Group webserv (or whatever you created in step 1.3 above)
Ensures that the child processes run as the unprivileged group.

ErrorDocument 404 errors/404.html
ErrorDocument 500 errors/500.html
etc.
To further obfuscate the web server and version, these redirect to pages that you should create, rather than using the default Apache pages.

ServerAdmin <hostname>-webmaster@xianco.com
Use a mail alias – never use a person's email address here.

UserDir disabled root
Remove the UserDir line, since we disabled this module.  If you do enable user directories, you'll need this line to protect root's files.

<Directory />
    Order Deny,Allow
    deny from all
</Directory>
Deny access to the root file system.

<Directory /opt/apache2/htdocs>
  <LimitExcept GET POST>
     deny from all
  </LimitExcept>

  Options -FollowSymLinks -Includes -Indexes -MultiViews
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
LimitExcept prevents TRACE from allowing attackers to find a path through cache or proxy servers.

The "-" before any option disables that option.

FollowSymLinks allows a user to navigate outside the doc tree, and Indexes will reveal the contents of any directory in your doc tree.

Includes allows .shtml pages, which use server-side includes (potentially allowing access to the host).  If you really need SSI, use IncludesNoExec instead.

AllowOverride None will prevent developers from overriding these specifications in other parts of the doc tree.

AddIcon (remove)
IndexOptions (remove)
AddDescription (remove)
ReadmeName (remove)
HeaderName (remove)
IndexIgnore (remove)
Remove all references to these directives, since we disabled the fancy indexing module.

Alias /manual (remove)
Don't provide any accessible references to the Apache manual; it gives attackers too much info about your server.
 
You should familiarize yourself with the following parameters.  Unless you are running a high-volume web site, you can safely leave the settings at their default values.  If you are running a high-volume web site, you'll want to adjust these directives upward to better withstand denial-of-service attacks.

* StartServers
* MinSpareServers
* MaxSpareServers
* Timeout
* KeepAlive
* MaxKeepAliveRequests
* KeepAliveTimeout
* MaxClients
* MaxRequestsPerChild
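As an added example (not the guide's own code), a small Python checker that parses an httpd.conf and reports which of the settings from the table in 6.1 are missing: ServerSignature and ServerTokens, the removed Listen and autoindex directives, a dedicated User, a default deny on <Directory />, and the Options and AllowOverride on the document root. It assumes the guide's /opt/apache2/htdocs document root and Apache 2.0's Order/Deny/Allow syntax; both sample configurations are constructed.

```python
import re

_OPEN = re.compile(r"^<(\w+)\s+(.*?)>$")
UNSAFE_OPTIONS = {"Indexes", "FollowSymLinks", "Includes", "MultiViews"}
# Removed by the guide: Listen moves to ssl.conf, the rest belong to autoindex.
REMOVED = {"listen", "addicon", "indexoptions", "adddescription",
           "readmename", "headername", "indexignore"}

def parse_httpd_conf(text):
    """Yield (section, name, args); section is e.g. "Directory /", "" at top level."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:                                # <Directory "/x"> opens a section
            stack.append("%s %s" % (m.group(1), m.group(2).strip('"')))
        elif line.startswith("</"):          # </Directory> closes it
            stack.pop()
        else:
            parts = line.split()
            yield (stack[-1] if stack else "", parts[0].lower(), parts[1:])

def effective_options(tokens):
    """Resolve one Options line: bare names are absolute, +/- adjust the set."""
    opts = set()
    for t in tokens:
        if t.startswith("+"):
            opts.add(t[1:])
        elif t.startswith("-"):
            opts.discard(t[1:])
        elif t == "All":                     # All = everything except MultiViews
            opts |= {"Indexes", "FollowSymLinks", "Includes", "ExecCGI"}
        elif t != "None":
            opts.add(t)
    return opts

def audit_httpd_conf(text, docroot="/opt/apache2/htdocs"):
    """Sorted finding codes; an empty list means every checked setting is in place."""
    findings, top, root_denied = set(), {}, False
    for section, name, args in parse_httpd_conf(text):
        largs = [a.lower() for a in args]
        if section == "":
            top[name] = largs
            if name in REMOVED:
                findings.add("remove:" + name)
        elif section == "Directory /" and name == "deny" and largs == ["from", "all"]:
            root_denied = True               # <Directory /> denies everything by default
        elif section == "Directory " + docroot:
            if name == "options":
                for opt in sorted(effective_options(args) & UNSAFE_OPTIONS):
                    findings.add("docroot-options:" + opt)
            if name == "allowoverride" and largs != ["none"]:
                findings.add("docroot-allowoverride")
    if top.get("serversignature") != ["off"]:
        findings.add("serversignature")
    if top.get("servertokens") != ["prod"]:
        findings.add("servertokens")
    if top.get("user") in (None, ["root"], ["nobody"]):
        findings.add("user")                 # needs the dedicated unprivileged id
    if not root_denied:
        findings.add("root-not-denied")
    return sorted(findings)

# Constructed samples: a stock-looking httpd.conf and one with the table applied.
WEAK_CONF = """ServerTokens Full
Listen 80
User nobody
<Directory /opt/apache2/htdocs>
    Options Indexes FollowSymLinks
</Directory>
"""
HARDENED_CONF = """ServerSignature Off
ServerTokens Prod
User webserv
<Directory />
    deny from all
</Directory>
<Directory /opt/apache2/htdocs>
    Options -FollowSymLinks -Includes -Indexes -MultiViews
    AllowOverride None
</Directory>
"""
```

Run it over a real httpd.conf with `audit_httpd_conf(open(path).read())`; an empty list is the goal.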
 

6.2 Configure ssl.conf

 
Set the following in your ssl.conf file.  You can also download an example ssl.conf with these settings here.
 

Directive and setting, followed by its description/rationale:

SSLCertificateChainFile /opt/apache2/conf/ssl.crt/ca.crt
(Find this line and uncomment it.)  This points to the Certificate Authority file for your chained certificate.
 

6.3 Remove default Apache files

 
It's important to remove default files such as .html files and CGI scripts (yes, even the Apache manual).  This will help obfuscate the server you're running and blunt targeted attacks against your web server.  You'll probably want to build a simple index.html page to place in the htdocs directory, just so you know the web server is working when you start it.

~> sudo rm -fr /opt/apache2/htdocs/*
~> sudo rm -fr /opt/apache2/cgi-bin/*
~> sudo rm -fr /opt/apache2/icons
 
To test that your web server is running, you can now place this file in your htdocs directory – it's just a simple index.html file.  Make sure you set the permissions to world-readable.
 

6.4 Set directory and file permissions for the server

 
The Apache tree itself needs protecting; set ownership and permissions on each of its directories as follows.

* bin is where the executable portion of the Apache web server is.  It should be readable/executable only by members of the webadmin group, but only writable by root.

~> sudo chown -R root:webadmin /opt/apache2/bin
~> sudo chmod -R 750 /opt/apache2/bin

* conf is where your web server configuration files are and needs to be read/writable only by the webadmin group.

~> sudo chown -R root:webadmin /opt/apache2/conf
~> sudo chmod -R 770 /opt/apache2/conf

* logs is where your access and error logs will go.  It should be readable only by the webadmin group.

~> sudo chown -R root:webadmin /opt/apache2/logs
~> sudo chmod -R 750 /opt/apache2/logs

* htdocs is where your HTML files are and needs to be world readable, but writable only by root (you should copy content in from a staging server).

~> sudo chown -R root /opt/apache2/htdocs
~> sudo chmod -R 755 /opt/apache2/htdocs

* cgi-bin is where your executable scripts are and needs to be world read/executable, but writable only by root (you should copy content in from a staging server).

~> sudo chown -R root /opt/apache2/cgi-bin
~> sudo chmod -R 755 /opt/apache2/cgi-bin
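As an added audit (example code, not the guide's own) covering both the account lockdown of section 1.5 and the permissions just set in 6.4: it checks a service account's /etc/passwd and /etc/shadow lines for a locked password and a non-login shell, and checks the owner, group and mode of each directory in the Apache tree against the policy the bullets above describe, reading lines produced by GNU `stat -c '%n %U %G %a' /opt/apache2/*`. The policy table is my transcription of that prose, all sample lines are constructed, and `webadmin` and `/opt/apache2` are the guide's own names.

```python
import re

LOCKED_PREFIXES = ("!", "*")                   # passwd -l writes "!" in front of the hash
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# Section 6.4 policy, transcribed from its prose (my reading, not the guide's text):
# directory -> (owner, group or None, required mode bits, forbidden mode bits)
DIR_POLICY = {
    "bin":     ("root", "webadmin", 0o050, 0o027),  # group r-x; no group write, no world
    "conf":    ("root", "webadmin", 0o060, 0o007),  # group rw; nothing for world
    "logs":    ("root", "webadmin", 0o040, 0o027),  # group read; no group write, no world
    "htdocs":  ("root", None,       0o005, 0o022),  # world-readable; only root writes
    "cgi-bin": ("root", None,       0o005, 0o022),  # world read/exec; only root writes
}
STAT_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([0-7]{3,4})$")  # path owner group mode

def audit_account(passwd_entry, shadow_entry):
    """Findings for one service account from its passwd and shadow lines."""
    p, s = passwd_entry.strip().split(":"), shadow_entry.strip().split(":")
    if len(p) < 7 or len(s) < 2:
        return ["malformed passwd or shadow entry"]
    user, shell, findings = p[0], p[6], []
    if s[0] != user:
        findings.append("shadow line belongs to %r, not %r" % (s[0], user))
    if not s[1].startswith(LOCKED_PREFIXES):
        findings.append("%s: password is not locked" % user)
    if shell not in NOLOGIN_SHELLS:
        findings.append("%s: still has a login shell (%s)" % (user, shell))
    return findings

def audit_permissions(stat_output, root="/opt/apache2"):
    """Findings for lines of `stat -c '%n %U %G %a' /opt/apache2/*` (GNU stat)."""
    findings = []
    for line in stat_output.splitlines():
        if not line.strip():
            continue
        m = STAT_LINE.match(line.strip())
        if not m:
            findings.append("unparsable stat line: %r" % line)
            continue
        path, owner, group = m.group(1).rstrip("/"), m.group(2), m.group(3)
        mode = int(m.group(4), 8) & 0o777
        name = path[len(root) + 1:] if path.startswith(root + "/") else None
        if name not in DIR_POLICY:
            continue                           # only the directories the guide names
        want_owner, want_group, required, forbidden = DIR_POLICY[name]
        if owner != want_owner:
            findings.append("%s: owner is %s, expected %s" % (path, owner, want_owner))
        if want_group and group != want_group:
            findings.append("%s: group is %s, expected %s" % (path, group, want_group))
        if mode & forbidden:
            findings.append("%s: mode %04o sets forbidden bits %04o" % (path, mode, mode & forbidden))
        if (mode & required) != required:
            findings.append("%s: mode %04o lacks required bits %04o" % (path, mode, required))
    return findings

# Constructed sample input (not from a real host): one locked-down account and
# one that was never locked, plus a correct and a sloppy /opt/apache2 tree.
GOOD_PASSWD = "webserv:x:501:501:Web Server:/opt/apache2/htdocs:/bin/false"
GOOD_SHADOW = "webserv:!:15583:0:99999:7:::"
BAD_PASSWD = "webserv:x:501:501:Web Server:/opt/apache2/htdocs:/bin/bash"
BAD_SHADOW = "webserv:$6$constructedsalt$constructedhash:15583:0:99999:7:::"
GOOD_STAT = """/opt/apache2/bin root webadmin 750
/opt/apache2/conf root webadmin 770
/opt/apache2/logs root webadmin 750
/opt/apache2/htdocs root root 755
/opt/apache2/cgi-bin root root 755
/opt/apache2/include root root 755
"""
BAD_STAT = """/opt/apache2/bin root webadmin 770
/opt/apache2/conf root root 755
/opt/apache2/logs root webadmin 755
/opt/apache2/htdocs webserv webserv 777
"""
```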
 

7. Make final configuration and start server

Lastly, we need to modify the startup configuration for Apache and restart the server.
 

7.1 Modify Apache startup script so that it will notify you when it's restarted.

 
As a failsafe measure, you should notify your webmaster alias any time this server is restarted.  That way, you'll be notified of any unauthorized attempt.
 
Open /opt/apache2/bin/apachectl and add something like this to the file:
 
tail /opt/apache2/logs/error_log |
/bin/mail -s 'Apache web server has restarted' <hostname>-webmaster@xianco.com
 
7.2 Test your configuration by starting the server
 
sudo /opt/apache2/bin/apachectl startssl
 

7.3 Keep your web server patched

 
Check web sites for Apache and all modules regularly and apply important patches.
 
 
 
 

8. Configure authentication against an LDAP directory.

 
In this final section, we'll configure the Apache httpd.conf file so that resources are authenticated against an LDAP server.  This step really can't be run until you've installed the web server.  Once you've got your web server installed, just add the LDAP authentication directives to any directory (or httpd.conf file) where you want password protection with CEC credentials.  Here's an example of protecting a directory named "internal":

<Location "/internal">
     AuthName CEC
     AuthType Basic
     AuthLDAPURL ldap://ldap.xianco.com:389/ou=employees,ou=people,o=xianco.com?uid?sub?(objectclass=xiancoPerson)
     require valid-user
</Location>
 
