
Are MS Updates for XP really necessary?


Philipitous


In my opinion, Win8 is more secure because of its low usage.

If it was a popular OS, I bet the hackers and malware writers would be going after it but being as it is not, the malware writers will be saying "What's the point?"

Face it XP has around 37% Yum,Yum

Win7 (I could look it up) around 50%

Vista 5% If I'm going after 7, take Vista with it

Win8 5.5% Not worth it



As it's written, the above sentence actually makes no sense. Please do correct and elaborate it.

What doesn't make sense? Ask 1,000 hackers which operating system is easier to hack, they will say XP.

I left out the 'k' in 'ask', that's it.

I don't know how hackers saying XP is easier to hack is somehow a layer of security.

Edited by enxz

Sorry, enxz! I'm not a native speaker, and although I usually can fill the gaps one inadvertently leaves on writing, that missing "k" was too much for me. :blushing:

I don't know how hackers saying XP is easier to hack is somehow a layer of security.

For those who do it for the kicks (and those use to be the ablest invaders), an easy pwn is of no interest.


No problem.

Most hackers do it for money, not fun. Any hackers I know who do it for fun love the easy ones too, they'll take down a website with SQL injection and have plenty of fun with it. I wouldn't rely on hackers being disinterested in a system because it's too easy to hack as a security measure.


Without taking sides in this discussion, I'm wondering what folks think of this report and how it might impact the discussion:

Researchers demo new IPv6 attack against Windows 8 PCs

Although the team tested it against Windows 8 clients, it would work against any PC that helpfully enables IPv6 support by default, which includes many business and all consumer systems using Windows 7 onwards.

--JorgeA

Edited by JorgeA

Just as some attacks will only work on XP, some will only work on 8. They share a lot of the same code, but some code from XP is removed, some code in 8 is added (a lot I'd bet). It doesn't really change much.


Just as some attacks will only work on XP, some will only work on 8. They share a lot of the same code, but some code from XP is removed, some code in 8 is added (a lot I'd bet). It doesn't really change much.

OK, can we say that specifically, and limited to IPv6 exploits, an OS that DOES NOT have IPv6 is less vulnerable than one that has the IPv6 stack? (while it lasts)

I don't know 1,000 hackers.

it seems like you do.

Maybe you could do a poll among them and present a proper report :unsure: (that would be anyway statistical work, not entirely unlikely the experiment dencorso suggested, which would have however provided objective data, as opposed to opinions of people that you shouldn't trust by definition).

@JorgeA, JFYI:

http://www.zdnet.com/blog/networking/ipv6-when-do-you-really-need-to-switch/2444

and double flip :w00t::

http://www.zdnet.com/stick-to-limited-ipv6-deployments-businesses-warned-7000003055/

http://ipv6friday.org/blog/2012/08/why-bother-with-ipv6/

jaclaz

Edited by jaclaz

I don't know 1,000. Closely, maybe a dozen or so who really know how to whip up attacks, definitely more people who at least know how to breach system. Actual blackhats who do illegal attacks, just a few. I have no need to ask them, I was joking with a security researcher about this very conversation earlier, it doesn't really need to be said - they all know that XP is easy to crack. I don't think they'd ever bother having the conversation of whether patches make people more or less secure lol I can't even imagine asking them.

You can try not trusting hackers' opinions, but that's a bad policy. They often love to talk about security, and they're not going to bother lying, they usually have too much of an ego for that.

OK, can we say that specifically, and limited to IPv6 exploits, an OS that DOES NOT have IPv6 is less vulnerable than one that has the IPv6 stack? (while it lasts)

Definitely not. You can say that IPv6 provides attack surface, and that's it. IPv6 certainly does not define the security of the operating system.

Edited by enxz

I don't know 1,000. Closely, maybe a dozen or so who really know how to whip up attacks, definitely more people who at least know how to breach system. Actual blackhats who do illegal attacks, just a few. I have no need to ask them, I was joking with a security researcher about this very conversation earlier, it doesn't really need to be said - they all know that XP is easy to crack.

Then, you cannot cite 1,000 as source.

You can cite at the most a dozen (+ a handful), and as said - once excluded the good guys or "ethical hackers" - I would not particularly trust the word of someone that "by trade" and for money deceives people compromising their PC's.

Basing your statements on second-hand opinion expressed by a very limited number of unreliable people is not a particularly convincing way to support a thesis.

Definitely not. You can say that IPv6 provides attack surface, and that's it. IPv6 certainly does not define the security of the operating system.

Ah, well.

I thought that a castle with one less door was more secure when it came at ways of access through doors...

jaclaz


Basing your statements on second-hand opinion expressed by a very limited number of unreliable people is not a particularly convincing way to support a thesis.

Yes, we only have the word of me, a security professional, and various other security professionals and hackers.

I thought that a castle with one less door was more secure when it came at ways of access through doors...

Why would IPv6 change the argument? It's an attack vector. I can name attack vectors unique to XP, but that's just listing things. The number of attack vectors isn't enough.

If you want proof, you're not getting it. That's how it works. If you want principles of security, those are there, but you're not going to find a 'proof' for something like Kerckhoffs's principle, or the effectiveness of least privilege.

It's really obvious to anyone who actually breaks into systems that XP is a breeze compared to 8. The security community at large knows this.


Basing your statements on second-hand opinion expressed by a very limited number of unreliable people is not a particularly convincing way to support a thesis.

Yes, we only have the word of me, a security professional, and various other security professionals and hackers.

Well, no. :no:

We have much less than that. :(

We have your word, and you are merely claiming to be a security professional.

And we have the reported (by you) opinion by various security professionals and hackers.

BTW, being a security professional does not necessarily mean that you are infallible.

We are now evaluating a single (i.e. anecdotal) evidence (Charlotte's) against an apodictical one (yours).

Neither are in any way worth anything when it comes to support a scientific theory, data may.

Your opinion is much respected :), but it remains an opinion.

And no, a theory being "popular" does not particularly mean it is true, JFYI:

Oh, people can come up with statistics to prove anything, Kent. 14% of people know that.

If you want some good reference about the matter, you can use this one:

http://www.techradar.com/news/software/operating-systems/windows-8-1-security-what-s-been-improved-1156705#null

Windows 7 is six times more likely to get infected than Windows 8 and Windows XP is 21 times more likely to be exploited.

And of course, 8.1 is much more secure than Windows 8:

But that was still all defensive reactions; for Windows 8.1 Microsoft is going on the offensive with better malware protection, new ways of checking the security certificates web sites rely on - and with a plan to add encryption and biometric security to every PC.

I just got back my crystal ball from the tuning shop :yes: and I can see the similar statement that will be provided in the imminence of the release of Windows 9 :thumbup:.

But I can also see at fast forward Chris Hallum's nose growing in length. :whistle:


jaclaz

Edited by jaclaz

Opinions are all you're going to get in the computer security field. You have papers, but they're typically on the effectiveness of attacks and defenses in specific lab scenarios. There are a million of them. I've linked to a few in this topic alone on the effectiveness of techniques only available or improved in Windows 8. Is this not evidence? I've posted a few papers now.

Keep in mind that these techniques are not new. ASLR has been around for over a decade, and has been tested and prodded for that time - it's well worn territory. Same with stack cookies. There are many papers (like the ones posted) detailing how they make things harder.

My claims of being a researcher are nothing, I'm not going to post my LinkedIn or something, and I'd have to update it to reflect work experience anyways. I don't expect anyone to go "Oh, he says he's X therefore I should believe Y". What I'm saying is that these opinions are reflected in the security field - ask someone who hacks systems whether a patch for a vulnerability makes things harder, whether XP is easier to hack than Windows 8, etc. You'll get a similar response.

Edited by enxz

Yeah, sure, the consensus of the people working in the security field is good enough proof.

Go back in time.

Around 1630.

Ask all the Astronomers about the earth revolving around the sun.... :ph34r:

And here is an opinion on security people:

So LSM stays in. No ifs, buts, maybes or anything else. When I see the security people making sane arguments and agreeing on something, that will change. Quite frankly, I expect hell to freeze over before that happens, and pigs will be nesting in trees. But hey, I can hope.

jaclaz

Edited by jaclaz

Linus is not a security professional. He actually has consistently awful views on security that have caused significant harm to the project. I'm sure his ideas on "security people" are just as warped as his opinions on security (he's called out security professionals who know far more than him on the subject before, and gotten shut down for it - see Pwnie Awards).

Again, I've posted a few papers now. So far no one has responded (except someone mistakenly thought that XP's /GS toolchain was the same as 8's) much, only to me saying that the security community at large agrees with this.

The papers contain facts - demonstrable facts. There are many more on the necessity for ASLR. There are many on the SDL that was implemented after XP. I can link you a bunch of them, but then we get to the problem I talked about earlier - they get technical.


Linus is not a security professional.

I did not present him as such, I merely cited him, Chris Hallum is also not - AFAIK - a security professional.

However, most probably you are posting in the wrong place.

It is possible that no one here will be able to understand the mind-boggling complexity of the technical papers that you fail to provide, but it is not nice of you highlighting this assumption of yours about the technical inadequacy of the members of this board every two or three posts. :(

To recap:

  • You expressed your opinion, which - as said - is much respected.
  • You backed up your take on the subject (over and over) with reported opinions, "general consensus" and other meaningless (scientifically) "fluff", besides the fallacious argument "I am a security professional, hence I know the truth".
  • You by now twice or thrice hinted - not so covertly - how this audience is not at a sufficient level of technical knowledge to understand the "real stuff".

There is nothing more to say, your opinion on the higher level of security of both Windows 8 and Windows 8.1 over Windows XP has been duly set on records, you cannot provide further real material (as according to your opinion it won't be understood by the undereducated members of this board), there is no point in going on with this discussion. :hello:

jaclaz
