
enxz

Everything posted by enxz

  1. No, if the port is open it will respond. You don't 'stealth' open ports. ex: You can't stealth port 80 with your apache service. You can't stealth port 80 with your Chrome service. The OS does not make the distinction. Any security in terms of isolating traffic is at the application layer. And then you get to DNS and DHCP etc, various listening ports that also defeat this purpose. Either way, this is mostly for LAN attacks where the attacker is attempting to acclimate themselves to the local network. Even if stealthed ports worked the way people believe they do (and they don't). That's the whole "hide me from attackers" thing. Attacks like these only exist on corporate networks for the most part. You gain LAN access and then query the local domain for other hosts using nmap scans. Knowledge of IPs is irrelevant, the gateway has them (of course) and you're scanning that. I've done this to map a network, it's very helpful. For users your attack is far far far more likely to occur at a compromised webpage, where stealth ports will very obviously have literally no effect whatsoever, even if they *did* work the way people believe they do. This is wayyyy off topic though lol I mostly just wanted to point out this issue as a side note to the real problem - that people think XP can be secure. That said, I mostly was killing time on a long and very boring bus ride. It's been very nice talking, but I think we can all just agree to disagree, as always . See you next time I stumble across here with some time on my hands, perhaps.
  2. You still don't get it. You need an open port, inbound, to connect. That means you aren't invisible. If you care enough, just google around for "stealth port marketing gimmick" and you'll see that some firewalls no longer support stealth mode even. But cases like this, where users are following marketing without understanding how a port works, are perfect examples of why advice should always be given very very carefully.
  3. submix, I obviously know that stealth is for incoming and you still don't get what it does. All a stealth port is is a closed port that doesn't send a signal back or sends an ICMP timeout signal back. It's just a closed port in the end. So either all of your ports are closed and you are "invisible" or all of your ports are closed except for some and you are no longer invisible, whether 99% of them are 'stealthed' or not. It's very simple. You can google for more. tl;dr: The only way stealth ports keep you invisible is if you close every single port. If you close every single port you're going to have a fun time trying to connect to the internet, as you've already seen since when you stealthed your 80 you ended up blocking traffic. So now you're left with a system that has all ports 'stealthed' (closed with a lack of response) and one port (more, in reality) open, completely defeating any 'hidden' attribute it may have given you. Your screenshots will show exactly what I'm saying. You've just misinterpreted the results. @bphipt, Multiple users have argued that XP is more secure than 8, or at least that's how it's come off. But even still, a 'locked down' XP is just a misunderstanding of how programs are secured. ex: You can say "Oh, I've sandboxed program Y" but unless you understand the sandbox, it's meaningless. Sandboxing is enforced by the kernel, at best, which means that weakness in the kernel means weakness in the sandbox. Without understanding how those weaknesses manifest one can not simply say "I'm more secure because I used a sandbox" - you need to know quite a lot more. I am not a fan of Windows 8 or really MS as a company. At no point have I said that they aren't profit driven. I've said that they will make less money if they are not secure, and that their security team has done solid work. So let me put it this way: XP users can not be safe. XP users can be lucky.
@jaclaz, People should be very careful about stating opinions in ways that seem like they're stating facts. Yes, this conversation is truly more of the same. No doubt about it, that last topic is quite similar.
  4. submix, You've misunderstood stealth ports. If you had to enable those ports, is your computer invisible right now or not? It's that simple - right now, with you taking inbound connections, is your computer invisible? The answer is no - a stealth port is a closed port, and if your ports were closed you would not be seeing this text right now. I have no interest in discussing stealthed ports, it was debunked years ago and there's plenty on that. My dog in this fight is that users can come to forums looking for advice, as was done here, and what they'll receive is "oh you're secure". That endangers them. People can have their finances crippled by advice like that. I also don't even run Windows outside of for development so I find it funny I'm being called a fanboy. As for whether I'm a self appointed expert, whatever, doesn't matter. What I know is that I have education and experience. What I know is that I've hacked systems (legally, I don't do anything blackhat), defended systems, broken complex software, written complex programs, etc. I'd say that doesn't make me a novice, whether I'm an expert or not, and I'm certainly quite qualified to discuss these things. And if you truly hate my posts so much, that's a shame, but you should try to ignore them if they bother you. @Dencorso, Hello again. I would never deprive a user of access to a system. I don't believe in locking users out of their systems - to me that only means they'll find some way around it, leaving the security gained from such a technique totally lost. I do believe there is a software solution to most security problems, though. Nothing so far is very close, unfortunately. While users can certainly cause infections right now, and we can all agree this is a problem, I don't believe it's the user's fault. That's the only difference here. That said - if a user visits a website on Windows XP compared to 7 or 8, an attack has to be considerably more complex on 8 than on previous versions.
If you look at exploit development guides (like on corelan.be) you'll see how simple basic attacks are. Then they add DEP, and it gets a bit harder. Then they add ASLR and suddenly the tutorials have to get a lot more theoretical, because there's no consistent way around ASLR when implemented properly - the tutorials will only show against improper implementations because only those can be attacked without further vulnerabilities. But I think all I really wanted to get across is that I stumbled onto msfn again and saw advice that I consider dangerous. I consider it dangerous, and I think maybe others should question whether they should be giving advice on these matters. I personally would not want to feel responsible when someone got infected due to my advice.
  5. Well, that's certainly an interesting theory if you attribute it to the NSA. I've wondered if they do that myself, and I hope to one day figure it out if I ever do move to MS's security team.
  6. Flasche, sorry, that first post was meant for submix, not you. The Linux kernel is a free open source piece of software. Yet decade old vulnerabilities are still found once in a while. It happens. It is not their number one priority. But they have poured millions into it. I know Microsoft security developers and they're very good, they do their best, and that's what they're paid to do.
  7. Flasche, Flash modules may be loaded in Word, I don't know about that. But Word also has EPM as I recall. I also doubt it's particularly hard to disable it, and also consider that almost every user has Flash installed anyways, regardless of XP or Windows 7/8. This is a single program on the system, it does not remove all security from the system. Your theory on why they push new OS's is incorrect. Yes, they like money. But they don't make money by having an insecure OS, it has hurt them for years, especially on the server end of things. There is no one saying "Hey how do we get really secure but still be exploitable?" Literally no one ever has said this, because the idea of being 100% secure is just inane to begin with. P.S. I apologize for the formatting. I am on an incredibly slow and wavering connection, certain features aren't working great for me right now.
  8. Hey, I have no real reason to cite my statements. I don't care if people question whether I've gone to school for CS or not, or what work I've done. You can choose not to believe me. In terms of other experts, I know of no certification that teaches anything important in this context. I've only seen one ever that has you exploit a service using homegrown exploits. If anyone wants to come in here and say they know more than me and discuss things, by all means. Stealth mode is useless. A port must be closed to be stealthed. A closed port is still secure. Any open port means you are no longer invisible. So either every port is closed, and stealth does nothing. Or one or more ports are open, and stealth does nothing. It is a marketing gimmick and is very easy to dismantle logically. While I may choose to move to MS at some point, as I admire their security team, I have no interest in NSA work (I am ethically opposed to that type of work). I work for a private company with absolutely no dog in this fight.
  9. I'm well aware of what PEBCAK is. It only exists due to software flaws. Flash is not a huge gaping hole. It is software. It is exposed through Internet Explorer. Not using Internet Explorer means Flash will not be exploitable. The irony of calling Flash a gaping hole and then using XP should not be lost on anyone. Whereas Flash makes use of modern mitigation techniques and sandboxing XP has virtually no mitigation techniques (DEP is not even fully implemented across all binaries) and no sandboxing and terrible privilege control and a horribly insecure kernel base etc etc etc. I think people here have been talking about some nonexistent 'FUD campaign' by Microsoft. I can not tell you how wrong you are to believe such a thing. People want other people to be secure. We are trying to tell you "This product is not secure" not because we want to tell you what to do with your lives, but because we are experts and you are not, and because of this we feel the responsibility to inform. To me, it's like you have a bunch of doctors telling you not to smoke cigarettes, but people don't like being told what to do, so they call it FUD and smoke because no one's going to tell them how to live their lives. Run XP, just understand that people with serious backgrounds in this field and educations and experience are telling you you aren't insecure, and you should be humble enough to accept that you probably don't know more than they do about it. And the 'you' is not any single person here. And it's not even limited to this forum. It's incredibly widespread, all this "I'll run it as long as I Want, they don't control me" - no one cares about controlling you, they want to help.
  10. PEBCAK is a failure of software. If a user downloads a malicious binary and executes it it is a failure of the security of the system for not protecting them. Just because a software solution that does this is not in existence right now does not change where the responsibility lies. Yes, if Flash is not on XP and Flash is on 8 then 8 is vulnerable to what Flash is vulnerable to, assuming the user uses IE. If Flash is installed on both, it is far more secure on 8, where ASLR exists (and flash uses high entropy ASLR and force ASLR) among many other techniques.
  11. PEBCAK only exists because software is currently not good enough to handle security for users. The data being normalized is fine. That changes nothing - what's important is that Windows 7 is more popular, and therefore something like IE 9 is more popular. Look at the most recent attacks on IE, they ignore older versions even though the older versions are vulnerable. Even if the percentage of users is normalized it's critical to understand that certain things will be attacked on Windows 7 because it's more popular. Flash is attack surface, there is no denying that. It's also heavily sandboxed. With EPM it can't write to the system or read it, it can't attack the user through Word, I'm not sure what you mean by that. The sandbox is not perfect. It's just helpful. Flash on Windows 8 is far more secure than Flash on XP.
  12. Security is much more than PEBCAK. That is something people think, but it's not true. Security is a software problem and there is/ will be a software solution. In terms of infection rates, they're also not super relevant. Consider that I could create an operating system with absolutely 0 security methods, only a root user, no firewall, nothing but exposed services - but no one would attack it because it would be a single system and no one would know about it. Windows 7 outnumbers XP by quite a bit and attackers are slowly moving towards more targeted watering hole attacks, often on IE since they attack industries. That does not make 7 less secure than XP, not by a long shot. It makes it more often targeted. A botnet is certainly hacking - you can get remote code execution in a process and drop your rootkit. AV can sometimes remove them, but only if they know of them first. Some botnets go years without being detected. Am I *the* authority? No. But I have a background in computer science and computer security. I have developed actual real world exploits, and I have a pretty significant understanding of how an attack works on a very technical level. So I'm qualified to talk about this and explain these things. Flash on Windows 8 does not make it less secure. That only applies to IE, and it's heavily sandboxed if you enable EPM. Regardless, Flash does not undo all of the security techniques implemented in 8. Yes, if you want true security you will run Linux and not Windows. But users here are telling others that they can be secure on XP. The best they can be is lucky, not secure.
  13. This is an incredibly simplistic view of how attacks work as well as an attackers motivations. And the idea that attackers don't care about someone because they aren't rich or whatever is flat out incorrect, what they do is collect computers for botnets. The more computers the more they make. Every system helps. There are millions in this. I don't see why people here are giving security advice when they think every security researcher saying "get off XP" is just some Microsoft shill. You're endangering users who don't know better... stop. I've read a couple other posts on here today with people flat out not understanding things like ASLR and then going "Hey, they're saying we need ASLR but they're just spreading FUD". I'm not looking to start some big convo like last time, but really, this is security, and advice should not be given when you don't have any authority in the matter. That goes for way more users than just you or even just this forum. The short story is that if you are giving security advice when you don't know anything about computer security you are harming other people. I don't care if your system is vulnerable, don't tell someone else how to keep theirs vulnerable too when they come to you for help. P.S. Stealth mode is a gimmick and literally irrelevant in every way to security.
  14. Only less educated in a specific field. I don't rate a human being on their ability to perform risk assessment, I don't think someone is stupid for not understanding security, and everyone has their fields of expertise. I'm sure many members here are much more informed in some areas than I am. I don't really think it's offensive to make the leap from "the majority of people in the field think X so the minority people who disagree with X are likely not informed". Naturally that doesn't hold true often, but security isn't guesswork, there's quite a bit of education and research behind those opinions. I wouldn't call my statements apodictic but synthetic. I can break down facts and assumptions. Fact 1: Exploiting software takes work. Fact 2: Windows XP lacks many mitigation techniques available to Windows Vista, 7, and 8. I hold the above to be self evident. It's simply a fact that proper ASLR doesn't exist on Windows, as well as other mitigation techniques. It is simply a fact that exploiting software takes work. Assumption 1: The more work an exploit takes the less likely software is to be exploited, given the same rewards. Attackers tend to take the path of least resistance. Support for Assumption 1: This is logical. If you want to get from A to B you take the shortest route. Attackers are largely motivated by money, and the more time they spend on a single attack the more work it is to get the same amount of money. Assumption 2: Mitigation techniques raise the costs of attack. Support for Assumption 2: Using ASLR as an example. Attackers who exploit flaws in code will often rely on the address of some area of a virtual address space. This is in order to bypass Data Execution Prevention using a technique called Return Oriented Programming (ROP). ROP works by using a program's own code to execute the attacker's commands, an attacker returns into code at a specific address and executes it.
Without the address an attacker has to spend more time, and more work, in order to find usable code for their attack. The workarounds can often make attacks less reliable (meaning an attacker only manages to infect a percentage of vulnerable users, while simply DOSing others) and therefore less profitable. Assumption 3: Attackers want to make money. Support for Assumption 3: The vast majority of attacks are generally aimed at monetizing systems somehow. If you're any good you can easily pull in half a million per year. Most malware we see in the wild is about trying to make money in some way, and there is a significant market behind these attacks, with exploits being sold for tens of thousands of dollars, sometimes hundreds. Conclusion - synthesis: Mitigation techniques hurt attackers' bottom lines. If attackers want to make money, and they make more money when they can increase the attacks per time spent on exploit, and mitigation techniques increase the time spent on exploits, then mitigation techniques hurt attackers' profits. Attackers want to make money, so they will go for systems that they can monetize quickly and easily. Now, we have to define what security is. This is the tricky part, because people often don't agree on this. Many people define security by the current threat landscape: am I safe against the malware that is out there today? Other people define security by the perceived future landscape: am I safe against the malware that we'll be seeing tomorrow? Others define it by the chance of attack: am I likely to be attacked? Is my OS uncommon enough to keep me safe? I personally define security by the level of effort required to get into a machine. Historically, this has made the most sense, as the threat landscape of the future tends to follow research - ROP was shown in research before it was used in the wild (and it is incredibly common now). So, if we define security by the level of effort required, we have to somehow measure that effort.
This is somewhat difficult, but if we take assumption 2 to be true (https://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx?Redirected=true and other evidence that ASLR is effective) then we can at least state that the effort to exploit a system with ASLR is greater in some cases (where an attacker relies on knowing an address, which is very common) "more" difficult. How much more difficult? That's hard to say, because it is not possible to give an exploit agnostic answer. But there is going to be effort involved, whether it's large or small. Now, evidence that it's large is there. Attackers have moved their attacks to software that doesn't use ASLR, and their attacks that are on software that uses ASLR tend to be much more complex, sometimes requiring browser plugins and the like to work. But evidence that it isn't large is there as well, at least on earlier iterations of ASLR on Windows, like 7 and below, where information leaks were not patched properly (on 8 they are gone as the PDF earlier shows). So that's how synthesis works. Unfortunately, certain assumptions (like defining security) are weak, and are the sources of the greatest contention. Thankfully, for the sake of this argument, all of those definitions of security support the synthesis as both current and future attacks are likely to use ROP, and therefore rely on hardcoded addresses, and XP still holds a significant user base. I can further extend the synthesis to include patches, but it should be clear that, if developing an exploit takes work, and if someone else has already done the work, it takes less work to attack that system.
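The cost argument in the post above, put into numbers as an added illustration (this is editorial example code, not the poster's material). It models an exploit that depends on one hardcoded address, as a ROP chain does, and assumes the target is re-randomized on every restart so each guess is independent; the entropy values and the attempt cap used below are constructed parameters, not measurements of any Windows version.

```python
"""Cost model for address-dependent exploits under ASLR (added example).

Assumptions (constructed for illustration):
  * the exploit needs exactly one address to be right;
  * a wrong guess crashes the target (the "DoSing others" cost);
  * the target re-randomizes on restart, so guesses are independent;
  * a brute-force detector, where present, stops the attacker after a
    fixed number of failed attempts.
"""
from fractions import Fraction
from typing import Dict


def guess_success_probability(entropy_bits: int) -> Fraction:
    """Chance that a single hardcoded address is correct.

    0 bits of entropy is the no-ASLR case (XP in the post): always right.
    """
    if entropy_bits < 0:
        raise ValueError("entropy_bits must be non-negative")
    return Fraction(1, 2 ** entropy_bits)


def expected_attempts(entropy_bits: int) -> Fraction:
    """Expected number of tries until the address is right (geometric law)."""
    return 1 / guess_success_probability(entropy_bits)


def expected_crashes_per_infection(entropy_bits: int) -> Fraction:
    """Failed guesses crash victims, so each infection costs (1-p)/p crashes.

    This is the reliability cost the post describes: a noisy, partly
    failing campaign rather than a silent one.
    """
    p = guess_success_probability(entropy_bits)
    return (1 - p) / p


def success_within_attempts(entropy_bits: int, max_attempts: int) -> Fraction:
    """Success probability when a detector cuts the attacker off after
    max_attempts failures: 1 - (1-p)^k."""
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    p = guess_success_probability(entropy_bits)
    return 1 - (1 - p) ** max_attempts


def compare(scenarios: Dict[str, int], detector_cap: int) -> Dict[str, dict]:
    """Summarize attacker cost for each named entropy scenario."""
    out = {}
    for name, bits in scenarios.items():
        out[name] = {
            "p_single_guess": guess_success_probability(bits),
            "expected_attempts": expected_attempts(bits),
            "crashes_per_infection": expected_crashes_per_infection(bits),
            "success_if_capped": success_within_attempts(bits, detector_cap),
        }
    return out


if __name__ == "__main__":
    # Constructed scenarios: no randomization, a low-entropy and a
    # high-entropy layout. Bit counts are illustrative only.
    scenarios = {"no_aslr": 0, "low_entropy": 8, "high_entropy": 24}
    for name, row in compare(scenarios, detector_cap=16).items():
        print(name)
        for key, value in row.items():
            print(f"  {key}: {value} (~{float(value):.6f})")
```

With zero entropy every field collapses to a certain, one-shot attack; each added bit doubles the expected attempts and the crash count per infection, and a detector that caps attempts turns a guaranteed eventual success into a fixed, small probability.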
  15. They are definitely related. They don't really merit much explanation, if you read and understand them it's really clear. For example, ASLR has improved from Vista to 8 by significantly increasing entropy on 32bit programs - reading the paper I linked explains how critical that is. Understanding the weaknesses of ASLR, like low entropy, no bruteforce detection, and the like is important to understanding how it makes attacks more difficult. I linked to quite a few papers on the subjects, they are all definitely relevant. http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf I linked to the above back on page 2, but it got little response. Described in it are improvements to ASLR entropy - something the paper on effectiveness discusses in greater detail. Unfortunately not every paper is going to be broken down like that, not all research comes with a pretty picture. Which of these is it that people take issue with?
  16. Actually I consider Linux to be more secure than Windows - at least potentially. It varies by distro. It is in spite of Linus, not because of him. Linux is actually the operating system I secure best, and while I have experience with many operating systems, it's the one I'm assigned to deal with most often. The service, Apache in this case, doesn't matter. ASLR is used in your browser and most other exposed programs... though not on XP (it's used nowhere on XP!) You can read more about the effectiveness of ASLR and its weaknesses, and how Windows has addressed them (especially in 8, like low memory circumstances and against bruteforcing). That's what the papers are for, after all.
  17. I just feel that I'm arguing a lost cause. I have already provided multiple papers, which got little response, and the argument focused instead on other irrelevant things. I think you all have an opinion, and it doesn't seem I'll be changing it. Unfortunately to change it would require a discussion of a level that would require a legitimate understanding of the subject. That isn't meant as an insult, I have no idea who you people are, or what your fields are - I wouldn't expect a historian to argue with me about ancient Greece because I simply don't know enough about it, and any complex discussion on it would require all members involved have a background. Again, I've posted multiple papers. You keep saying I haven't posted any "real" evidence - what about those? It feels a lot like confirmation bias. You want papers and hard evidence? On features only available or significantly improved in versions after XP? http://www.stanford.edu/~blp/papers/asrandom.pdf http://msdn.microsoft.com/en-us/library/8dbf701c(VS.80).aspx https://www.usenix.org/legacy/events/sec03/tech/full_papers/cowan/cowan_html/index.html https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ http://lensfire.in/20398/news/intel-introduces-smep-for-ivy-bridge-a-new-security-feature-80649/ http://technet.microsoft.com/en-us/library/bb456992.aspx and https://en.wikipedia.org/wiki/Shatter_attack https://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx?Redirected=true There you go. But good luck understanding them in a method that will be productive to any conversation unless you have experience with low level languages and exploitation, which is what I've been trying to avoid a conversation on.
If you read all of those, and you read the corelan.be and know how you'd write your shellcode to bypass those techniques and you still think that XP is more secure, then we can continue the conversation at that level. Without that, yeah, I'm limited in how I can talk to people on the internet about infosec, because I've got to keep the conversation less technical. That's not aimed as an insult, I'm just trying to discuss it in a way that's clear to you and other readers. I'm not 'hinting' it, I'm stating it. It's not an insult, it's more an acknowledgment that my argument will be difficult to state because I have to abstract it significantly. I will try, once more: 1) Exploitation is about cost vs benefit. An attacker has to weigh how much they'll make over how much time it'll take to get in. 2) On XP, because it lacks mitigation techniques that have become commonplace on newer operating systems, the work involved is very little. 3) A compromised computer is generally always able to be monetized. Botnets make criminals hundreds of thousands of dollars, and it doesn't matter if you run XP or 8, the benefit is fairly constant. 4) A patched vulnerability means an attacker needs a new vulnerability. An unpatched vulnerability means the majority of the work is already done for the attacker. The details of the 'work' involved can be found in those articles above. That's really been the subject of contention - I am trying to illustrate just how much work is involved when you have so many mitigation techniques stacked together the way they are. If you don't wish to continue the conversation, that's fine. But the information is presented and I would simply resent it being asserted that I haven't posted evidence - it is there for all to see. I can post even more papers. edit: I have just seen charlotte's post. I will edit in a response here. Very true, I did say I wouldn't argue from authority.
I'm simply trying to provide merit, but I never expect anyone to take me at my word, especially on the internet. No, I don't work for Microsoft nor any of their subsidiaries. No idea who's required to do what. I don't work for MS, nor would I allow a company to tell me I should blather on about their security if I didn't already agree with their opinions on it - my views are my own, and don't reflect any of the companies I've worked for. Security professional, in my case, means that I have a formal education (computer science and computer security majors) and formal experience in both software development and exploitation. I also have experience defending servers against active attackers, breaking into systems for competitions, etc. I hope that clears that up - no MS here. I understand Firewalls quite well! I have to, to go to competitions like CCDC and kick a** lol you've misunderstood what I've said, and perhaps I was unclear. I know what ports are needed for HTTP (80, obviously, and 53 for DNS), and I even posted IPTables rules that are common on most hardware Firewalls. Nope, never said all ports must be open, I said that some ports must be open (80, 443, 53, and even 5552/ others potentially) for any traffic to come in, as your system is taking in content (hence a webpage appearing on the screen). The attack on UF was explaining that being "smart" or having common sense won't help much, as the majority of attacks are through hacked websites (see Sophos 2011 report, and Google Malware Clarity Report) - Ubuntuforums was hacked, and an attacker controlled content for 6 days - the attacker only wanted to get their passwords, so they didn't throw any drivebys on the site (I never said they did, I said they could and that is all). Really? Because it seems like earlier some people were saying that patches don't magically add security! So you can understand the confusion about that statement.
Except I've already expressed that what I'm talking about is security, not performance. And I even explicitly stated that I think AV is not significant to Windows 8's security, so I'm not sure why you'd bring it up once more. Depends on the network configuration. But that's not really important, I don't recommend AVs to people. I only recommend software Firewalls if they don't have a router or if they're on a network with multiple systems. Again, not relevant, since I never made claims about AV or Firewalls, I've talked almost exclusively about ASLR / /GS as examples of mitigation techniques, and I've linked to papers on others. It pushes security back for a subset of attacks that haven't been used in years on desktop users. Where do I say this? What I said is that attackers who go after Windows 8 will have to spend more time on their exploits. As I said above, I am very well aware of how NAT and Firewalls work, I've set them up while actively under attack by teams of hackers, where the slightest flaw in my IPTables rules means we lose. I hope you understand that the "hardware firewall" you're talking about is in fact just software. It's iptables running on the Linux kernel, or potentially a more custom OS/ Firewall like Cisco's stuff. I have considerable experience and understanding of network security. Attackers haven't cared about routers for years. In server environments, that's different, and that's why I've had to spend time on network rules so much. Look at active attacks in the wild... do you see many of them stopped by a NAT? Maybe outbound restrictions will block the stupid ones (those are SO easy to get around, especially on Windows with createremotethread()) but it's not exactly a huge barrier.
  18. Linus is not a security professional. He actually has consistently awful views on security that have caused significant harm to the project. I'm sure his ideas on "security people" are just as warped as his opinions on security (he's called out security professionals who know far more than him on the subject before, and gotten shut down for it - see pwnie awards). Again, I've posted a few papers now. So far no one has responded (except someone mistakenly thought that XP's /GS toolchain was the same as 8's) much, only to me saying that the security community at large agrees with this. The papers contain facts - demonstrable facts. There are many more on the necessity for ASLR. There are many on the SDL that was implemented after XP. I can link you a bunch of them, but then we get to the problem I talked about earlier - they get technical.
  19. Opinions are all you're going to get in the computer security field. You have papers, but they're typically on the effectiveness of attacks and defenses in specific lab scenarios. There are a million of them. I've linked to a few in this topic alone on the effectiveness of techniques only available or improved in Windows 8. Is this not evidence? I've posted a few papers now. Keep in mind that these techniques are not new. ASLR has been around for over a decade, and has been tested and prodded for that time - it's well worn territory. Same with stack cookies. There are many papers (like the ones posted) detailing how they make things harder. My claims of being a researcher are nothing, I'm not going to post my linkedin or something, and I'd have to update it to reflect work experience anyways. I don't expect anyone to go "Oh, he says he's X therefor I should believe Y". What I'm saying is that these opinions are reflected in the security field - ask someone who hacks systems whether a patch for a vulnerability makes things harder, whether XP is easier to hack than Windows 8, etc. You'll get a similar response.
  20. Yes, we only have the word of me, a security professional, and various other security professionals and hackers. Why would IPv6 change the argument? It's an attack vector. I can name attack vectors unique to XP, but that's just listing things. The number of attack vectors isn't enough. If you want proof, you're not getting it. That's how it works. If you want principles of security, those are there, but you're not going to find a 'proof' for something like Kerckhoffs's principle, or the effectiveness of least privilege. It's really obvious to anyone who actually breaks into systems that XP is a breeze compared to 8. The security community at large knows this.
  21. I don't know 1,000. Closely, maybe a dozen or so who really know how to whip up attacks, definitely more people who at least know how to breach a system. Actual blackhats who do illegal attacks, just a few. I have no need to ask them, I was joking with a security researcher about this very conversation earlier, it doesn't really need to be said - they all know that XP is easy to crack. I don't think they'd ever bother having the conversation of whether patches make people more or less secure, lol. I can't even imagine asking them. You can try not trusting hackers' opinions, but that's a bad policy. They often love to talk about security, and they're not going to bother lying, they usually have too much of an ego for that. Definitely not. You can say that IPv6 provides attack surface, and that's it. IPv6 certainly does not define the security of the operating system.
  22. Just as some attacks will only work on XP, some will only work on 8. They share a lot of the same code, but some code from XP is removed, some code in 8 is added (a lot I'd bet). It doesn't really change much.
  23. No problem. Most hackers do it for money, not fun. Any hackers I know who do it for fun love the easy ones too, they'll take down a website with SQL injection and have plenty of fun with it. I wouldn't rely on hackers being disinterested in a system because it's too easy to hack as a security measure.
  24. What doesn't make sense? Ask 1,000 hackers which operating system is easier to hack, they will say XP. I left out the 'k' in 'ask', that's it. I don't know how hackers saying XP is easier to hack is somehow a layer of security.
  25. Imagine it like a castle. You have wall after wall. An attacker needs to break through each wall. Windows 8 has a lot of walls, and breaking through them is harder. Windows XP doesn't have many walls, and the ones it does have have a lot of cracks in them.

      CVSS scores for CVEs aren't based on whether it's a stack or heap overflow, or the mitigation techniques available. They're based on potential impact. So even if an attack is mitigated partially or near entirely by a mitigation technique, an overflow in a critical component is still considered critical. Mitigation techniques also don't always prevent an exploit 100%, so a patch is always necessary, especially because an attacker can chain together vulnerabilities. For example, I could get a heap overflow, but DEP would prevent execution of code. I then use ROP, but ASLR prevents the ROP. I then use an information leak to get ROP. Those are separate vulnerabilities being used.

      I'm saying more work is involved. That's just a fact. If I want shell in a program it is harder to do on Windows 8 for most vulnerabilities. I have to do all of the work I would do on XP and then I would have to expend further energy bypassing the mitigation techniques. What I'm arguing is that Windows XP is not a secure operating system, that Windows 8+ is a more secure operating system, and that attacking unpatched systems is much easier than attacking patched systems.

      Saying "Oh, but you can put a router outside an XP box" doesn't really matter. You can do the same with 8. And, on top of that, routers don't add nearly as much security as people seem to think. Neither does being intelligent. Like I pointed out earlier, that test would prove very little. You could just as easily ask 1,000 hackers if it's easier to hack Windows XP or Windows 8 and the vast majority would say "XP, duh". There's a statistic.
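The chaining argument in post 25 (a mitigation blocks the first bug, so a second, separate bug is needed to get past it) is easier to see in a toy model than in prose. The following C program is an added example written for this page, not code from the poster or from Microsoft: it models a /GS-style stack cookie as a struct field between a local buffer and a "saved return address", so the overflow is a plain bounded memcpy with no undefined behaviour. The cookie value, the legitimate return address, the attacker target 0xDEADBEEF and the leak_cookie() primitive are all constructed for the illustration, and the `gs_enabled` switch stands in for an unprotected XP-era build versus a protected one; none of this is the real compiler prologue or a real vulnerability.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of a stack cookie and of chaining an information leak with an
 * overflow. The "stack frame" is an ordinary struct, so the overflow is a
 * bounded memcpy into it and involves no undefined behaviour. All constants
 * below are constructed for the example, not taken from any real binary.
 */
typedef struct {
    char      buf[16];    /* the overflowable local buffer */
    uint32_t  cookie;     /* stack cookie placed between locals and saved state */
    uintptr_t ret;        /* stands in for the saved return address */
} frame_t;

enum outcome { NO_OVERFLOW = 0, COOKIE_MISMATCH = 1, CONTROL_HIJACKED = 2 };

static const uint32_t  g_cookie   = 0xA5C3F00Du; /* per-process secret in the real thing */
static const uintptr_t g_good_ret = 0x401000u;   /* legitimate return target (constructed) */
static const uintptr_t g_target   = 0xDEADBEEFu; /* where the attacker wants to go (constructed) */

/* Simulated vulnerable function: copies attacker data into buf with no check
 * against sizeof buf (the bug), then performs the epilogue cookie check that a
 * protected build would do. gs_enabled == 0 models a build with no cookie. */
static enum outcome vulnerable_copy(const unsigned char *input, size_t len,
                                    int gs_enabled, uintptr_t *pc_out)
{
    frame_t f;
    memset(&f, 0, sizeof f);
    f.cookie = g_cookie;
    f.ret    = g_good_ret;

    /* Missing bounds check; clamped to sizeof f only to keep the model in bounds. */
    memcpy(&f, input, len > sizeof f ? sizeof f : len);

    if (gs_enabled && f.cookie != g_cookie)
        return COOKIE_MISMATCH;        /* cookie check fails: process aborts, no hijack */

    *pc_out = f.ret;                   /* "return" to whatever is now in the slot */
    return f.ret == g_good_ret ? NO_OVERFLOW : CONTROL_HIJACKED;
}

/* Simulated information-leak primitive: a second, separate vulnerability. */
static uint32_t leak_cookie(void) { return g_cookie; }

/* Build an overflow payload: fill buf, write a cookie guess, overwrite ret.
 * offsetof() is used so the layout assumptions hold on 32- and 64-bit builds. */
static size_t build_payload(uint32_t cookie_guess, uintptr_t target,
                            unsigned char out[sizeof(frame_t)])
{
    memset(out, 'A', sizeof(frame_t));
    memcpy(out + offsetof(frame_t, cookie), &cookie_guess, sizeof cookie_guess);
    memcpy(out + offsetof(frame_t, ret), &target, sizeof target);
    return sizeof(frame_t);
}

/* Run one overflow attempt with the given cookie guess and report the outcome. */
static enum outcome attempt(uint32_t cookie_guess, int gs_enabled, uintptr_t *pc)
{
    unsigned char payload[sizeof(frame_t)];
    size_t n = build_payload(cookie_guess, g_target, payload);
    return vulnerable_copy(payload, n, gs_enabled, pc);
}

int main(void)
{
    uintptr_t pc = 0;
    printf("no cookie, blind overflow:  outcome %d\n", attempt(0x41414141u, 0, &pc));
    printf("cookie on, blind overflow:  outcome %d\n", attempt(0x41414141u, 1, &pc));
    printf("cookie on, leaked cookie:   outcome %d\n", attempt(leak_cookie(), 1, &pc));
    return 0;
}
```

The first run shows the unprotected build: the overflow alone redirects control. The second shows the wall the cookie adds: the same overflow is caught and the process would abort. The third is the chain from the post: the overflow is unchanged, but a separate leak supplies the cookie and the check passes again, which is why the mitigation raises the cost without removing the need for the patch.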