Better effective security with latest version or obsolete versions?

By effective security, I mean that we take into account the attacks that are happening in real life, not the theoretically possible attacks.

 

I don't have any hard data for the purposes of this post, but I could see Win 98 (which has a different architecture than the latest Windows versions) having better effective security than the latest Windows versions (assuming you're not being specifically targeted).

For browsers though, IMHO you have better effective security with the latest versions (plus latest plugin versions too) than with obsolete versions (assuming you're not being specifically targeted).

 

I'd go in a heartbeat with Linux instead of Win 98.

 

I mentioned Win 98 because member noone_particular uses that, I believe.

 

Sometimes security through obscurity can improve overall security but IMO it's not enough by itself. There probably are less attacks on Windows 98 but OTOH I can't run all software that I want since it's not compatible with that OS. What about Windows XP, can it be considered obsolete? Do you feel safer with Windows XP than with 7 or 8? IMO new OSs have more effective security but are also more targeted.

 

Windows XP has closer to the same architecture as the latest Windows versions than Win 98 does, although there were a lot of changes from XP to Vista. IMHO your effective security on Win XP is worse than current Windows versions right now.

Exactly, although I'm using the phrase "effective security" differently than you are.

 

From http://en.wikibooks.org/wiki/Windows_Programming/Windows_System_Architecture:

 

I think it cuts both ways with applications such as browsers. The older versions may have vulnerabilities that are fixed in newer versions. OTOH, the newer versions can have features that the earlier versions didn't, features which could have vulnerabilities of their own.

"Effective security" is the catch-all term here. Using 9X and NT systems for examples, each has a completely different set of vulnerabilities and strengths. Each has a completely different attack surface. Malware that runs as a service for instance is DOA on a 9X system, as are conventional rootkits.

You can't measure effective security by comparing browser or other software versions or the support status of the OS. Each is just one small group of factors in the equation. How well the entire package performs decides how effective your security really is.

 

i'll take new anytime over old when it comes to security.

each Windows OS has increased security with every new version.

 

Here's what I mean by "effective security": Suppose we recruit 2000 people. We randomly assign 1000 people to use a modern auto-updated browser on Windows 98 (if there are any such browsers), and 1000 people to use the same auto-updated browser on Windows 8 (Windows auto updates on). We put the computers behind a competent router. We tell the participants to use their computers at home for one year. We establish some security metric(s) that we'll use for evaluation. The winner can be said to have better effective security with regards to the particular security metric(s) used.

 

For such a comparison to have any meaning, you have to set criteria that both can use and meet. Do both have to use out of the box settings or can the user configure or modify the system as they see fit? On 98 for instance, there are no current browsers that work. Even with KernelEx, I can't go past SeaMonkey 2.0.14 or FF 3.6.22. Updating would have to be optional. In addition, Win 8 has a firewall built in. 98 doesn't. To make it even, the 98 user should be allowed a firewall. If you really want to make it fair, take the router out of the picture and let the OS defend itself from unwanted inbound traffic without another device to help. In order to fairly compare a supported OS to an unsupported OS, the user has to be allowed to provide their own support to make up for the support that MS doesn't provide.

Comparing the operating systems directly is a lot like comparing a rule based firewall to a combined security suite. The tests favor the latter by design. Very few here run any version of Windows with just "out of the box"
apps or configuration.

 

I have a few ideas that might allow a meaningful comparison. It could start with comparing the attack surfaces for the 2 types of operating systems. We should probably define what we want effective security against, in the wild malware, hacker/targeted attacks, government snooping etc.
Possible points of comparison:
Which attack surfaces both have in common, which exist one one but not the other.
What built in measures each has to protect those attack surfaces.
What 3rd party solutions are available for each OS type and how effective they are.
Are these attack surfaces actively exploited, proven vulnerable to real world attacks, or only theoretically exploitable?

 

Depends heavily on what you're up against IMO. Uncommon software and weird security setups make you a narrower target for the usual malware dreck. On the other hand, if someone knows your setup and knows the holes in it (e.g. by reading your posts on Wilders!), being the odd one out won't help you.

Edit: on the privacy front, I'd point out that old software may have known vulnerable crypto routines, insecure settings for SSL connections, buggy random and pseudorandom number generators... Modern software might have NSA backdoors (even the open source stuff), but I'd rather risk that than use older stuff that is known to be cryptographically broken, as a matter of public knowledge, by the NSA *and* everyone else. This is a matter of risk management IMO.

 

Quite true. If you're directly targeted by someone who is good at it, you've got a problem no matter what you're running. IMO, that's a problem with defining security, effective, theoretical, or otherwise. It can't be measured or expressed in any meaningful way without specifying what your adversary is and how long this security is expected to hold up.

As for posting security packages here, that's one reason that I don't post my entire setup or make it a signature. As a signature, an adversary only needs to look at one post to know what they have to deal with. Far easier than fishing bits and pieces out of a couple of thousand posts. That said, anyone who has spoken out against mass surveillance or the NSA should consider themselves a potential target, as should anyone running a Tor relay.

 

Regarding your edit, I wouldn't consider any of the Windows components that perform those functions to be trustworthy. Other than HTTPS and SSL, I don't know what else you could be referring to. After Heartbleed, Open SSL seems like a bad example, but it's compatible with old and new versions of Windows alike. As for the strength of older encryption, Blowfish for example has never been broken. Given a choice between an algorithm that has withstood attack for nearly 20 years and one whose implementation involved the very agency that wants to subvert it, I'll take the first.