This week, I'd like to wrap up my look at the controversial full raw-sockets topic by providing Microsoft's perspective. But first, I want to correct an error that appeared in last week's column. I misquoted Steve Gibson when I said "Consider the current Code Red Worm that is sweeping across the Internet." This should have read "Sircam" not "Code Red." My apologies to Steve and to readers for this error.

Microsoft contacted me last Thursday about the raw sockets matter, explaining that its decision not to speak with me earlier had been a miscommunication. So Friday morning, I discussed raw sockets, Windows XP, and Steve Gibson with Steve Lipner, manager of the Microsoft Security Response Center.

"Look, we think that the Denial of Service [DoS] attacks are a really reprehensible thing," Lipner told me. "But Gibson is focusing on a specific mechanism for initiating these attacks, one that doesn't make a lot of difference." Lipner explained that raw sockets, which are fully implemented in Windows 2000, UNIX, and the upcoming XP release, are a general-purpose API used for low-level networking applications. XP uses raw sockets for Internet Connection Sharing (ICS) and IP Security (IPSec), the security protocol used for VPN connections such as Remote Desktop, among other things.

"We actually use the IP-spoofing technology in raw sockets that Gibson is worried about to enable ICS," Lipner told me. "That's how it works. Pulling out raw sockets would cause more security concerns than it would fix."

Lipner pointed out that Microsoft is working on more fundamental concerns, including how to protect a Windows machine from intrusion in the first place and how to prevent malicious code from running if an intruder compromises a system. The company has solutions for each instance, although the malicious code prevention aspect is more fully formed at this point.

To protect XP users from intrusion, Microsoft says that XP's built-in Internet Connection Firewall (ICF), which the OS enables by default on all XP machines connected to the Internet, is the first line of defense. Indeed, I tested this defense with Steve Gibson's excellent "Shields Up" utility, and XP passed with flying colors (in fact, the program told me that it couldn't even detect a computer attached to my IP address). And Microsoft is investing heavily in various security measures for its other Internet products, such as Outlook Express and Outlook, which the company is upgrading with attachment-protection technologies.

But human error is difficult to combat. As Gibson pointed out in our conversation last week, most machines involved in the DoS attack on his site were infected when their owners downloaded and ran a Trojan program they found on USENET. To combat this kind of problem, Microsoft is working on an interesting XP feature called Software Restriction Policies, which I had never heard about. Even Microsoft isn't sure how it will implement the feature in the final XP release.

You can start Software Restriction Policies through the Microsoft Management Console (MMC) Local Security Settings snap-in or manage the policies globally in an enterprise. Software Restriction Policies restricts applications, folders, and users so that they can't affect anything outside of the appropriate environment. What constitutes an appropriate environment, of course, is subject to debate and is the reason that this feature likely will require some sort of update through Windows Update when XP ships in October. In the meantime, you can use the feature in XP Release Candidate 1 (RC1) to manually set up rules to prevent malicious code from damaging your system. I hope to have more information about this topic when details are available. (If you're running XP RC1 or newer, load Help & Support, then search for Software Restriction Policies for some limited information.)
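Because the column only points readers at the Help & Support entry, here is an added PowerShell audit (not code from the column or from Microsoft) that reads what the Local Security Settings snap-in writes to the registry and reports whether any rule would actually stop an unknown executable. It assumes the documented SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers; the function names are my own.

```powershell
# Added audit script, not from the column: reads the Software Restriction Policies
# settings that the Local Security Settings snap-in stores in the registry and
# reports whether the policy would actually stop an unknown program from running.
# Assumes the documented SRP registry layout under ...\Safer\CodeIdentifiers.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel and used as names of the per-level subkeys.
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpDefaultLevel {
    $root = Get-ItemProperty -Path $SrpRoot -ErrorAction Stop
    # An absent DefaultLevel behaves as Unrestricted (everything runs unless a rule forbids it).
    $value = if ($null -eq $root.DefaultLevel) { 262144 } else { [int]$root.DefaultLevel }
    [pscustomobject]@{
        DefaultLevel       = $LevelNames[$value]
        TransparentEnabled = $root.TransparentEnabled   # 1 = skip DLLs, 2 = check all files
        PolicyScope        = $root.PolicyScope          # 0 = all users, 1 = all except administrators
    }
}

function Get-SrpPathRules {
    # Each level subkey (0, 4096, 262144) holds Paths\{GUID} rules; ItemData is the path pattern.
    foreach ($level in $LevelNames.Keys) {
        $pathsKey = Join-Path $SrpRoot "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($key in Get-ChildItem -Path $pathsKey) {
            $rule = Get-ItemProperty -Path $key.PSPath
            [pscustomobject]@{
                Level       = $LevelNames[$level]
                Path        = $rule.ItemData
                Description = $rule.Description
            }
        }
    }
}

if (-not (Test-Path $SrpRoot)) {
    Write-Warning 'No Software Restriction Policies are defined on this machine.'
    return
}
$policy = Get-SrpDefaultLevel
$rules  = @(Get-SrpPathRules)
$policy | Format-List
$rules  | Format-Table -AutoSize

# The check that matters: with an Unrestricted default and no Disallowed path rules,
# a downloaded Trojan runs exactly as it would with no policy at all.
$blocking = @($rules | Where-Object { $_.Level -eq 'Disallowed' })
if ($policy.DefaultLevel -eq 'Unrestricted' -and $blocking.Count -eq 0) {
    Write-Warning 'Default level is Unrestricted and no Disallowed path rules exist: nothing is blocked.'
}
```

Run it from an elevated prompt on the machine whose policy you want to inspect; hash and certificate rules live under separate subkeys and are not listed here.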

Laptop of the Month: IBM ThinkPad A21m
This month's laptop is the IBM ThinkPad A21m, a desktop replacement with a near-perfect keyboard. The unit I received sported a standard 1024 x 768 resolution on its 14" screen, although IBM offers a 15" model with 1600 x 1200 resolution. Maybe I'm getting old, but I prefer the 1024 x 768 display: It's easy to read, and the icons and text aren't so small that they're unusable. I can't imagine wanting to use a higher resolution on a notebook computer.

In any event, the ThinkPad A21m is a true desktop replacement, weighing 7.2 pounds, with a titanium composite cover to protect the screen. The unit has a fairly complete set of ports, with parallel, modem, networking, serial, VGA, combination keyboard/mouse, S-video in/out, and two PC cards, but it sports only one USB port, which is odd for a machine of this size. The laptop is too big to lug around at trade shows (which I did), but if only occasional travel is your forte, there are far less-worthy options than this well-built box.

But the best thing about the ThinkPad is its keyboard, which is as good—and apparently as big—as any desktop keyboard I've used. The only problem is the awkward placement of the Function (Fn) key, which you use to initiate certain seldom-used commands. IBM places this key in the lower-left corner of the keyboard, where the Ctrl key usually sits. As a result, I kept hitting the Fn key when I intended to do a Copy (Ctrl+C) or Paste (Ctrl+P) operation, which was irritating. Still, the keyboard is this unit's strong point and something you need to consider if you'll be spending much time on such a device.

Like all ThinkPads, the A21m uses a pointing stick rather than the more common trackpad. Pointing sticks are more precise, and IBM has incorporated a couple of extra buttons near the wrist rests, which let you pull or push the pointing stick to facilitate scrolling in Web pages and Microsoft Word documents.

The unit I received came with a whopping 30GB hard disk, a DVD drive, and a CD-ROM drive. You can use two optical disks simultaneously (one is fixed), or swap out the second (front-mounted) optical drive for a second battery. But a single battery provides enough juice to watch a 90-minute DVD movie, which I did recently on the way home from New York. If you're going to use one of the portable big boys, you might as well enjoy it.