Better effective security with latest version or obsolete versions?

Discussion in 'other security issues & news' started by MrBrian, May 24, 2014.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    By effective security, I mean that we take into account the attacks that are happening in real life, not the theoretically possible attacks.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I don't have any hard data for the purposes of this post, but I could see Win 98 (which has a different architecture than the latest Windows versions) having better effective security than the latest Windows versions (assuming you're not being specifically targeted).

    For browsers though, IMHO you have better effective security with the latest versions (plus latest plugin versions too) than with obsolete versions (assuming you're not being specifically targeted).
     
  3. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    840
    Location:
    Québec, Canada
    I'd go in a heartbeat with Linux instead of Win 98.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I mentioned Win 98 because member noone_particular uses that, I believe.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    Sometimes security through obscurity can improve overall security but IMO it's not enough by itself. There probably are less attacks on Windows 98 but OTOH I can't run all software that I want since it's not compatible with that OS. What about Windows XP, can it be considered obsolete? Do you feel safer with Windows XP than with 7 or 8? IMO new OSs have more effective security but are also more targeted.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Windows XP has closer to the same architecture as the latest Windows versions than Win 98 does, although there were a lot of changes from XP to Vista. IMHO your effective security on Win XP is worse than current Windows versions right now.

    Exactly, although I'm using the phrase "effective security" differently than you are.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://en.wikibooks.org/wiki/Windows_Programming/Windows_System_Architecture:
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I think it cuts both ways with applications such as browsers. The older versions may have vulnerabilities that are fixed in newer versions. OTOH, the newer versions can have features that the earlier versions didn't, features which could have vulnerabilities of their own.

    "Effective security" is the catch-all term here. Using 9X and NT systems for examples, each has a completely different set of vulnerabilities and strengths. Each has a completely different attack surface. Malware that runs as a service for instance is DOA on a 9X system, as are conventional rootkits.

    You can't measure effective security by comparing browser or other software versions or the support status of the OS. Each is just one small group of factors in the equation. How well the entire package performs decides how effective your security really is.
     
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i'll take new anytime over old when it comes to security.

    each Windows OS has increased security with every new version.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here's what I mean by "effective security": Suppose we recruit 2000 people. We randomly assign 1000 people to use a modern auto-updated browser on Windows 98 (if there are any such browsers), and 1000 people to use the same auto-updated browser on Windows 8 (Windows auto updates on). We put the computers behind a competent router. We tell the participants to use their computers at home for one year. We establish some security metric(s) that we'll use for evaluation. The winner can be said to have better effective security with regards to the particular security metric(s) used.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    For such a comparison to have any meaning, you have to set criteria that both can use and meet. Do both have to use out of the box settings or can the user configure or modify the system as they see fit? On 98 for instance, there are no current browsers that work. Even with KernelEx, I can't go past SeaMonkey 2.0.14 or FF 3.6.22. Updating would have to be optional. In addition, Win 8 has a firewall built in. 98 doesn't. To make it even, the 98 user should be allowed a firewall. If you really want to make it fair, take the router out of the picture and let the OS defend itself from unwanted inbound traffic without another device to help. In order to fairly compare a supported OS to an unsupported OS, the user has to be allowed to provide their own support to make up for the support that MS doesn't provide.

    Comparing the operating systems directly is a lot like comparing a rule based firewall to a combined security suite. The tests favor the latter by design. Very few here run any version of Windows with just "out of the box"
    apps or configuration.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I have a few ideas that might allow a meaningful comparison. It could start with comparing the attack surfaces for the 2 types of operating systems. We should probably define what we want effective security against, in the wild malware, hacker/targeted attacks, government snooping etc.
    Possible points of comparison:
    Which attack surfaces both have in common, which exist one one but not the other.
    What built in measures each has to protect those attack surfaces.
    What 3rd party solutions are available for each OS type and how effective they are.
    Are these attack surfaces actively exploited, proven vulnerable to real world attacks, or only theoretically exploitable?
     
  13. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Depends heavily on what you're up against IMO. Uncommon software and weird security setups make you a narrower target for the usual malware dreck. On the other hand, if someone knows your setup and knows the holes in it (e.g. by reading your posts on Wilders!), being the odd one out won't help you.

    Edit: on the privacy front, I'd point out that old software may have known vulnerable crypto routines, insecure settings for SSL connections, buggy random and pseudorandom number generators... Modern software might have NSA backdoors (even the open source stuff), but I'd rather risk that than use older stuff that is known to be cryptographically broken, as a matter of public knowledge, by the NSA *and* everyone else. This is a matter of risk management IMO.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Quite true. If you're directly targeted by someone who is good at it, you've got a problem no matter what you're running. IMO, that's a problem with defining security, effective, theoretical, or otherwise. It can't be measured or expressed in any meaningful way without specifying what your adversary is and how long this security is expected to hold up.

    As for posting security packages here, that's one reason that I don't post my entire setup or make it a signature. As a signature, an adversary only needs to look at one post to know what they have to deal with. Far easier than fishing bits and pieces out of a couple of thousand posts. That said, anyone who has spoken out against mass surveillance or the NSA should consider themselves a potential target, as should anyone running a Tor relay.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regarding your edit, I wouldn't consider any of the Windows components that perform those functions to be trustworthy. Other than HTTPS and SSL, I don't know what else you could be referring to. After Heartbleed, Open SSL seems like a bad example, but it's compatible with old and new versions of Windows alike. As for the strength of older encryption, Blowfish for example has never been broken. Given a choice between an algorithm that has withstood attack for nearly 20 years and one whose implementation involved the very agency that wants to subvert it, I'll take the first.
     
Loading...
Thread Status:
Not open for further replies.