
enxz

Member
  • Posts: 41
  • Joined
  • Last visited
  • Donations: 0.00 USD
  • Country: United States

About enxz

Profile Information
  • OS: Windows 8 x64

enxz's Achievements

Reputation: 0

  1. No, if the port is open it will respond. You don't 'stealth' open ports. ex: You can't stealth port 80 with your apache service. You can't stealth port 80 with your Chrome service. The OS does not make the distinction. Any security in terms of isolating traffic is at the application layer. And then you get to DNS and DHCP etc, various listening ports that also defeat this purpose. Either way, this is mostly for LAN attacks where the attacker is attempting to acclimate themselves to the local network, even if stealthed ports worked the way people believe they do (and they don't). That's the whole "hide me from attackers" thing. Attacks like these only exist on corporate networks for the most part. You gain LAN access and then query the local domain for other hosts using nmap scans. Knowledge of IPs is irrelevant, the gateway has them (of course) and you're scanning that. I've done this to map a network, it's very helpful. For users your attack is far far far more likely to occur at a compromised webpage, where stealth ports will very obviously have literally no effect whatsoever, even if they *did* work the way people believe they do. This is wayyyy off topic though lol I mostly just wanted to point out this issue as a side note to the real problem - that people think XP can be secure. That said, I mostly was killing time on a long and very boring bus ride. It's been very nice talking, but I think we can all just agree to disagree, as always. See you next time I stumble across here with some time on my hands, perhaps.
  2. You still don't get it. You need an open port, inbound, to connect. That means you aren't invisible. If you care enough, just google around for "stealth port marketing gimmick" and you'll see that some firewalls no longer support stealth mode even. But cases like this, where users are following marketing without understanding how a port works, are perfect examples of why advice should always be given very very carefully.
  3. submix, I obviously know that stealth is for incoming and you still don't get what it does. All a stealth port is is a closed port that doesn't send a signal back or sends an ICMP timeout signal back. It's just a closed port in the end. So either all of your ports are closed and you are "invisible" or all of your ports are closed except for some and you are no longer invisible, whether 99% of them are 'stealthed' or not. It's very simple. You can google for more. tl;dr: The only way stealth ports keep you invisible is if you close every single port. If you close every single port you're going to have a fun time trying to connect to the internet, as you've already seen since when you stealthed your 80 you ended up blocking traffic. So now you're left with a system that has all ports 'stealthed' (closed with a lack of response) and one port (more, in reality) open, completely defeating any 'hidden' attribute it may have given you. Your screenshots will show exactly what I'm saying. You've just misinterpreted the results. @bphipt, Multiple users have argued that XP is more secure than 8, or at least that's how it's come off. But even still, a 'locked down' XP is just a misunderstanding of how programs are secured. ex: You can say "Oh, I've sandboxed program Y" but unless you understand the sandbox, it's meaningless. Sandboxing is enforced by the kernel, at best, which means that weakness in the kernel means weakness in the sandbox. Without understanding how those weaknesses manifest one cannot simply say "I'm more secure because I used a sandbox" - you need to know quite a lot more. I am not a fan of Windows 8 or really MS as a company. At no point have I said that they aren't profit driven. I've said that they will make less money if they are not secure, and that their security team has done solid work. So let me put it this way: XP users cannot be safe. XP users can be lucky.
     @jaclaz, People should be very careful about stating opinions in ways that seem like they're stating facts. Yes, this conversation is truly more of the same. No doubt about it, that last topic is quite similar.
  4. submix, You've misunderstood stealth ports. If you had to enable those ports, is your computer invisible right now or not? It's that simple - right now, with you taking inbound connections, is your computer invisible? The answer is no - a stealth port is a closed port, and if your ports were closed you would not be seeing this text right now. I have no interest in discussing stealthed ports, it was debunked years ago and there's plenty on that. My dog in this fight is that users can come to forums looking for advice, as was done here, and what they'll receive is "oh you're secure". That endangers them. People can have their finances crippled by advice like that. I also don't even run Windows outside of for development so I find it funny I'm being called a fanboy. As for whether I'm a self-appointed expert, whatever, doesn't matter. What I know is that I have education and experience. What I know is that I've hacked systems (legally, I don't do anything blackhat), defended systems, broken complex software, written complex programs, etc. I'd say that doesn't make me a novice, whether I'm an expert or not, and I'm certainly quite qualified to discuss these things. And if you truly hate my posts so much, that's a shame, but you should try to ignore them if they bother you. @Dencorso, Hello again. I would never deprive a user of access to a system. I don't believe in locking users out of their systems - to me that only means they'll find some way around it, leaving the security gained from such a technique totally lost. I do believe there is a software solution to most security problems, though. Nothing so far is very close, unfortunately. While users can certainly cause infections right now, and we can all agree this is a problem, I don't believe it's the user's fault. That's the only difference here. That said - if a user visits a website on Windows XP compared to 7 or 8, an attack has to be considerably more complex on 8 than on previous versions.
     If you look at exploit development guides (like on corelan.be) you'll see how simple basic attacks are. Then they add DEP, and it gets a bit harder. Then they add ASLR and suddenly the tutorials have to get a lot more theoretical, because there's no consistent way around ASLR when implemented properly - the tutorials will only show against improper implementations because only those can be attacked without further vulnerabilities. But I think all I really wanted to get across is that I stumbled onto msfn again and saw advice that I consider dangerous. I consider it dangerous, and I think maybe others should question whether they should be giving advice on these matters. I personally would not want to feel responsible when someone got infected due to my advice.
  5. Well, that's certainly an interesting theory if you attribute it to the NSA. I've wondered if they do that myself, and I hope to one day figure it out if I ever do move to MS's security team.
  6. Flasche, sorry, that first post was meant for submix, not you. The Linux kernel is a free open source piece of software. Yet decade-old vulnerabilities are still found once in a while. It happens. It is not their number one priority. But they have poured millions into it. I know Microsoft security developers and they're very good, they do their best, and that's what they're paid to do.
  7. Flasche, Flash modules may be loaded in Word, I don't know about that. But Word also has EPM as I recall. I also doubt it's particularly hard to disable it, and also consider that almost every user has Flash installed anyways, regardless of XP or Windows 7/8. This is a single program on the system, it does not remove all security from the system. Your theory on why they push new OSes is incorrect. Yes, they like money. But they don't make money by having an insecure OS, it has hurt them for years, especially on the server end of things. There is no one saying "Hey how do we get really secure but still be exploitable?" Literally no one ever has said this, because the idea of being 100% secure is just inane to begin with. P.S. I apologize for the formatting. I am on an incredibly slow and wavering connection, certain features aren't working great for me right now.
  8. Hey, I have no real reason to cite my statements. I don't care if people question whether I've gone to school for CS or not, or what work I've done. You can choose not to believe me. In terms of other experts, I know of no certification that teaches anything important in this context. I've only seen one ever that has you exploit a service using homegrown exploits. If anyone wants to come in here and say they know more than me and discuss things, by all means. Stealth mode is useless. A port must be closed to be stealthed. A closed port is still secure. Any open port means you are no longer invisible. So either every port is closed, and stealth does nothing. Or one or more ports are open, and stealth does nothing. It is a marketing gimmick and is very easy to dismantle logically. While I may choose to move to MS at some point, as I admire their security team, I have no interest in NSA work (I am ethically opposed to that type of work). I work for a private company with absolutely no dog in this fight.
  9. I'm well aware of what PEBCAK is. It only exists due to software flaws. Flash is not a huge gaping hole. It is software. It is exposed through Internet Explorer. Not using Internet Explorer means Flash will not be exploitable. The irony of calling Flash a gaping hole and then using XP should not be lost on anyone. Whereas Flash makes use of modern mitigation techniques and sandboxing, XP has virtually no mitigation techniques (DEP is not even fully implemented across all binaries) and no sandboxing and terrible privilege control and a horribly insecure kernel base etc etc etc. I think people here have been talking about some nonexistent 'FUD campaign' by Microsoft. I cannot tell you how wrong you are to believe such a thing. People want other people to be secure. We are trying to tell you "This product is not secure" not because we want to tell you what to do with your lives, but because we are experts and you are not, and because of this we feel the responsibility to inform. To me, it's like you have a bunch of doctors telling you not to smoke cigarettes, but people don't like being told what to do, so they call it FUD and smoke because no one's going to tell them how to live their lives. Run XP, just understand that people with serious backgrounds in this field and educations and experience are telling you you aren't insecure, and you should be humble enough to accept that you probably don't know more than they do about it. And the 'you' is not any single person here. And it's not even limited to this forum. It's incredibly widespread, all this "I'll run it as long as I want, they don't control me" - no one cares about controlling you, they want to help.
  10. PEBCAK is a failure of software. If a user downloads a malicious binary and executes it it is a failure of the security of the system for not protecting them. Just because a software solution that does this is not in existence right now does not change where the responsibility lies. Yes, if Flash is not on XP and Flash is on 8 then 8 is vulnerable to what Flash is vulnerable to, assuming the user uses IE. If Flash is installed on both, it is far more secure on 8, where ASLR exists (and flash uses high entropy ASLR and force ASLR) among many other techniques.
  11. PEBCAK only exists because software is currently not good enough to handle security for users. The data being normalized is fine. That changes nothing - what's important is that Windows 7 is more popular, and therefore something like IE 9 is more popular. Look at the most recent attacks on IE, they ignore older versions even though the older versions are vulnerable. Even if the percentage of users is normalized it's critical to understand that certain things will be attacked on Windows 7 because it's more popular. Flash is attack surface, there is no denying that. It's also heavily sandboxed. With EPM it can't write to the system or read it. It can't attack the user through Word, I'm not sure what you mean by that. The sandbox is not perfect. It's just helpful. Flash on Windows 8 is far more secure than Flash on XP.
  12. Security is much more than PEBCAK. That is something people think, but it's not true. Security is a software problem and there is/will be a software solution. In terms of infection rates, they're also not super relevant. Consider that I could create an operating system with absolutely 0 security methods, only a root user, no firewall, nothing but exposed services - but no one would attack it because it would be a single system and no one would know about it. Windows 7 outnumbers XP by quite a bit and attackers are slowly moving towards more targeted watering hole attacks, often on IE since they attack industries. That does not make 7 less secure than XP, not by a long shot. It makes it more often targeted. A botnet is certainly hacking - you can get remote code execution in a process and drop your rootkit. AV can sometimes remove them, but only if they know of them first. Some botnets go years without being detected. Am I *the* authority? No. But I have a background in computer science and computer security. I have developed actual real world exploits, and I have a pretty significant understanding of how an attack works on a very technical level. So I'm qualified to talk about this and explain these things. Flash on Windows 8 does not make it less secure. That only applies to IE, and it's heavily sandboxed if you enable EPM. Regardless, Flash does not undo all of the security techniques implemented in 8. Yes, if you want true security you will run Linux and not Windows. But users here are telling others that they can be secure on XP. The best they can be is lucky, not secure.
  13. This is an incredibly simplistic view of how attacks work as well as an attacker's motivations. And the idea that attackers don't care about someone because they aren't rich or whatever is flat out incorrect, what they do is collect computers for botnets. The more computers the more they make. Every system helps. There are millions in this. I don't see why people here are giving security advice when they think every security researcher saying "get off XP" is just some Microsoft shill. You're endangering users who don't know better... stop. I've read a couple other posts on here today with people flat out not understanding things like ASLR and then going "Hey, they're saying we need ASLR but they're just spreading FUD". I'm not looking to start some big convo like last time, but really, this is security, and advice should not be given when you don't have any authority in the matter. That goes for way more users than just you or even just this forum. The short story is that if you are giving security advice when you don't know anything about computer security you are harming other people. I don't care if your system is vulnerable, don't tell someone else how to keep theirs vulnerable too when they come to you for help. P.S. Stealth mode is a gimmick and literally irrelevant in every way to security.
  14. Only less educated in a specific field. I don't rate a human being on their ability to perform risk assessment, I don't think someone is stupid for not understanding security, and everyone has their fields of expertise. I'm sure many members here are much more informed in some areas than I am. I don't really think it's offensive to make the leap from "the majority of people in the field think X so the minority people who disagree with X are likely not informed". Naturally that doesn't hold true often, but security isn't guesswork, there's quite a bit of education and research behind those opinions. I wouldn't call my statements apodictic but synthetic. I can break down facts and assumptions.

     Fact 1: Exploiting software takes work.
     Fact 2: Windows XP lacks many mitigation techniques available to Windows Vista, 7, and 8.

     I hold the above to be self evident. It's simply a fact that proper ASLR doesn't exist on Windows XP, as well as other mitigation techniques. It is simply a fact that exploiting software takes work.

     Assumption 1: The more work an exploit takes the less likely software is to be exploited, given the same rewards. Attackers tend to take the path of least resistance.
     Support for Assumption 1: This is logical. If you want to get from A to B you take the shortest route. Attackers are largely motivated by money, and the more time they spend on a single attack the more work it is to get the same amount of money.

     Assumption 2: Mitigation techniques raise the costs of attack.
     Support for Assumption 2: Using ASLR as an example. Attackers who exploit flaws in code will often rely on the address of some area of a virtual address space. This is in order to bypass Data Execution Prevention using a technique called Return Oriented Programming (ROP). ROP works by using a program's own code to execute the attacker's commands; an attacker returns into code at a specific address and executes it. Without the address an attacker has to spend more time, and more work, in order to find usable code for their attack. The workarounds can often make attacks less reliable (meaning an attacker only manages to infect a percentage of vulnerable users, while simply DOSing others) and therefore less profitable.

     Assumption 3: Attackers want to make money.
     Support for Assumption 3: The vast majority of attacks are generally aimed at monetizing systems somehow. If you're any good you can easily pull in half a million per year. Most malware we see in the wild is about trying to make money in some way, and there is a significant market behind these attacks, with exploits being sold for tens of thousands of dollars, sometimes hundreds.

     Conclusion - synthesis: Mitigation techniques hurt attackers' bottom lines. If attackers want to make money, and they make more money when they can increase the attacks per time spent on exploit, and mitigation techniques increase the time spent on exploits, then mitigation techniques hurt attackers' profits. Attackers want to make money, so they will go for systems that they can monetize quickly and easily.

     Now, we have to define what security is. This is the tricky part, because people often don't agree on this. Many people define security by the current threat landscape: am I safe against the malware that is out there today? Other people define security by the perceived future landscape: am I safe against the malware that we'll be seeing tomorrow? Others define it by the chance of attack: am I likely to be attacked? Is my OS uncommon enough to keep me safe? I personally define security by the level of effort required to get into a machine. Historically, this has made the most sense, as the threat landscape of the future tends to follow research - ROP was shown in research before it was used in the wild (and it is incredibly common now). So, if we define security by the level of effort required, we have to somehow measure that effort.

     This is somewhat difficult, but if we take assumption 2 to be true (https://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx?Redirected=true and other evidence that ASLR is effective) then we can at least state that the effort to exploit a system with ASLR is greater in some cases (where an attacker relies on knowing an address, which is very common) - "more" difficult. How much more difficult? That's hard to say, because it is not possible to give an exploit agnostic answer. But there is going to be effort involved, whether it's large or small. Now, evidence that it's large is there. Attackers have moved their attacks to software that doesn't use ASLR, and their attacks that are on software that uses ASLR tend to be much more complex, sometimes requiring browser plugins and the like to work. But evidence that it isn't large is there as well, at least on earlier iterations of ASLR on Windows, like 7 and below, where information leaks were not patched properly (on 8 they are gone as the PDF earlier shows). So that's how synthesis works. Unfortunately, certain assumptions (like defining security) are weak, and are the sources of the greatest contention. Thankfully, for the sake of this argument, all of those definitions of security support the synthesis as both current and future attacks are likely to use ROP, and therefore rely on hardcoded addresses, and XP still holds a significant user base. I can further extend the synthesis to include patches, but it should be clear that, if developing an exploit takes work, and if someone else has already done the work, it takes less work to attack that system.
  15. They are definitely related. They don't really merit much explanation, if you read and understand them it's really clear. For example, ASLR has improved from Vista to 8 by significantly increasing entropy on 32-bit programs - reading the paper I linked explains how critical that is. Understanding the weaknesses of ASLR, like low entropy, no bruteforce detection, and the like is important to understanding how it makes attacks more difficult. I linked to quite a few papers on the subjects, they are all definitely relevant. http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf I linked to the above back on page 2, but it got little response. Described in it are improvements to ASLR entropy - something the paper on effectiveness discusses in greater detail. Unfortunately not every paper is going to be broken down like that, not all research comes with a pretty picture. Which of these is it that people take issue with?
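The cost argument in posts 14 and 15 (an exploit that relies on a hardcoded address, ASLR entropy, the lack of brute-force detection, and information leaks) written out as a small probabilistic model. This is an added example, not code from the thread or from any Microsoft paper; the entropy values and crash limits in the scenarios are assumed parameters chosen to illustrate the argument, not measurements of any Windows version.

```python
from fractions import Fraction


def hit_probability(entropy_bits: int) -> Fraction:
    """Chance that one hardcoded-address guess matches a freshly randomized layout.
    entropy_bits == 0 models no ASLR at all, or ASLR whose base address has
    already been disclosed by an information leak: a fixed address always works."""
    if entropy_bits < 0:
        raise ValueError("entropy must be non-negative")
    return Fraction(1, 2 ** entropy_bits)


def success_within(entropy_bits: int, attempts: int) -> Fraction:
    """Probability that at least one of `attempts` independent guesses hits.
    Each miss is assumed to crash the target (a DoS for that victim), and the
    next attempt faces a re-randomized layout, so the guesses are independent."""
    miss = 1 - hit_probability(entropy_bits)
    return 1 - miss ** attempts


def expected_attempts(entropy_bits: int) -> int:
    """Mean number of attempts until the first hit (geometric distribution)."""
    return 2 ** entropy_bits


def attack_cost(entropy_bits: int, attempts_allowed: int, info_leak: bool = False) -> dict:
    """Reliability of a hardcoded-address exploit under one ASLR configuration.

    attempts_allowed models brute-force detection or a crash limit: how many
    crashes the attacker gets before the target stops restarting or an alert fires.
    info_leak=True models a leaked address, which makes the entropy irrelevant."""
    bits = 0 if info_leak else entropy_bits
    p = success_within(bits, attempts_allowed)
    return {
        "effective_entropy_bits": bits,
        "expected_attempts": expected_attempts(bits),
        "success_within_limit": float(p),
        "dos_only_fraction": float(1 - p),  # victims crashed but never compromised
    }


# Assumed scenario parameters (constructed for illustration, not measured).
SCENARIOS = {
    "no ASLR, one shot": dict(entropy_bits=0, attempts_allowed=1),
    "8-bit ASLR, no crash limit (1000 tries)": dict(entropy_bits=8, attempts_allowed=1000),
    "8-bit ASLR, lockout after 5 crashes": dict(entropy_bits=8, attempts_allowed=5),
    "24-bit ASLR, lockout after 5 crashes": dict(entropy_bits=24, attempts_allowed=5),
    "24-bit ASLR defeated by info leak": dict(entropy_bits=24, attempts_allowed=1, info_leak=True),
}

if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        print(f"{name:42s} {attack_cost(**params)}")
```

The scenarios show the two halves of the argument: raising entropy and capping crashes pushes reliability toward zero (most victims are only crashed, not infected), while a single information leak returns the attacker to the no-ASLR case regardless of entropy.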