Ten years later, Windows XP still dominates the Web

Discussion in 'other software & services' started by tgell, Jan 2, 2012.

Thread Status:
Not open for further replies.
  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Linux does have limited supported lifespans. That said, they don't try to coerce the user with threats of vulnerability. Neither do they coerce software vendors, hardware manufacturers, and the vendors of external devices to stop supporting the older versions, including removing drivers, artificial application incompatibility, etc. Only Microsoft tries to manipulate the entire industry to support their planned obsolescence.
     
  2. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Does the home version of Win7 or WinXP have the same security features that the ultimate version has? If not, why not?
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I should have been clearer, administrative tools such as Applocker are obviously "price points" and something that they charge for. They're also not super useful for accessible tools for an average user so it's somewhat understandable but that's not really relevant.

    EDIT: The "They" in that quote was referring to open source developers of linux etc - the ones who came up with ideas like ASLR.

    What I was referring to were the specific mitigations shared between nix and Windows, namely techniques like least privilege, multiple users, ASLR/DEP - ideas that were long standing in *nix OS.

    My point is not to say "Oh, Microsoft isn't trying to make money" all features are a way to make money. My point was only to say that these features were seen long before money entered the picture purely because they're effective.
     
    Last edited: Jan 15, 2012
  4. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Home versions have/and will typically lack SRP. With that said, they hypocritically claim that it's a "business feature". Considering that the vulnerable components - which are useless in a home environment - are packaged with all versions and any meaningful security tool is only made available in the much more expensive version, shows how much security is being used as a carrot by the industry.

    OS security shouldn't be priced higher, it should be a part of a sound design and not a reason to punish people financially due to a vendor's bad implementation.

    Patching is the sibling of blacklisting security technologies. Both remediate problems after it's too late. Both add too much bloat and waste so much time for the user while providing much more inferior security than if an isolation approach was used.


    We are already paying for the updates albeit in an indirect manner. I definitely agree with the bolded statement. Blind supporters of the corporation rather than the product would disagree, hailing every shiny, new piece of bloatware as the finest invention yet. Microsoft's OS has always had compatibility as its main advantage, security however, is NOT their strong point and never will be which is ok because fortunately there are other means to adequately address this. However claiming that - "oh wow, their new security initiative is awesome with the latest Windows (fill in the blank) !", is laughable and irrelevant. The age of an OS has nothing to do with how well it could withstand an attack as we have seen over and over and from anecdotes from Rmus.

    The reason for this state of affairs is twofold:
    1) A more secure os design would require substantial reprogramming which would predictably be incompatible with today's software - They would perceive this as a huge loss of revenue and they would also view a more inherently secure OS, as something that has little return on investment for them personally.

    2) They've built a great business model by having an insecure architecture, through forced obsolescence and also by opening the doors for stagnant security vendors like Symantec who bleed the average Joe dry while giving them archaic means of defence.
     
    Last edited: Jan 15, 2012
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    And you can add CloneRanger and noone_particular, and probably others...

    But a bit of clarification is needed.

    We are using 3rd party products and have policies in place that catch a malicious payload that would otherwise exploit a vulnerability (unpatched) present in the Operating System (OS), no matter the version of the OS.

    The point being raised by many in this thread is that for the best security, one needs to update to the newest version of the OS.

    I gave one example in a previous post showing that this isn't necessarily so -- I can't find the post, so I'll give an excerpt from my notes:

    Chastising users for using an antiquated OS:
    Example of infecting the latest OS:
    _______________________________________________________

    Following the security scene, two facts become evident:

    FACT: people become infected no matter the version of Windows used.

    FACT: people remain secure and uninfected no matter the version of Windows used.


    ----
    rich
     
    Last edited: Jan 15, 2012
  6. wat0114

    wat0114 Guest

    There's also the point trying to be made that the latest O/S, for example Windows 7, is, in its default setup state and by virtue of its inherent technology, more secure than an older O/S, for example XP in its default state. Given equal scenarios of threat exposure, the newer O/S has a better chance of withstanding the attempted incursion of exploits than the older one.

    Of course, as has already been stated by some, including myself, an older O/S can be kept as perfectly (as perfect as possible) secure, or more so, as a newer O/S with the right tools (security applications), knowledge and mindset.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    No. Any security class is going to tell you that the OS is where security has to start and a good one will tell you that the OS is where the security has to end. A modern OS will use modern techniques.

    In regards to
    1) Not really. First of all, we don't know what the NT Kernel looks like, we don't know how much would have to be done to "make it secure" but I doubt all too much - MS has made a lot of moves to secure it with Vista by shrinking the size and adding kernel patching.

    2) Again, not really. MS does not profit from being insecure, their server OS loses to linux every single time because of this (and other factors) and Patch Guard directly conflicts with AV companies so I don't think they're exactly in bed together.

    As for patching, it's something like blacklisting, I would agree there. Both have their purposes - blacklists and patches are very helpful for dealing with "known entities" ie: a known malware/ exploit, which shouldn't be belittled.


    @Rmus,

    You can slap on 3rd party software all you like, you can do it on any Windows version. The difference is that if you're throwing it onto a 10 year old OS your foundation is going to be a lot weaker - your programs won't be able to take advantage of the vastly improved security of the latest operating systems. It is attempting to make up for incredible lack of technology with 3rd party replacements and overzealous policy just to get up to what's already built into the latest modern operating systems. It is "secure enough" but purely from an academic standpoint it's fairly poor security.

    I'm not saying "Everyone's got to buy the latest Windows" because for a lot of people that means buying a new machine (I was using XP until just over a year ago because I just didn't want to spend the money on a new machine) and improved security isn't necessarily enough to spend money on especially because security is only perceivable when it's actively breached.

    With the current threat landscape I think you can "secure" XP to the point where you'd be fine.

    Windows users, any user really, will always be infected when targeted. It's all just a matter of slowing the hackers down - forcing them to play by your rules - and the latest OS's simply do a better job of this. To deny this is to deny years of research.


    This is what I'm saying. With XP you can be "Secure Enough" for the present threat landscape and with lots of 3rd party applications, policies, and a bit more than "common" sense.

    With the latest OS's that's not really necessary. There are lots of great tools provided by default.
     
  8. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    I agree :thumb:
    I'm still using WinXP SP2 for years with 0 infection..;)
    How they use the computer matters..

    But I have made a lot of infections purposefully :D
     
  9. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    @Hungry Man
    An excellent security class is going to tell you that security begins with the user habits and ends with a good admin with sound policies. Modernity equates to improved security but it does not necessarily equate to the 'best' security model.

    You can slap on all the modern techniques onto a modern OS all you like, you can do it on the latest and greatest Windows version. The difference is that you're throwing it onto the same foundation (albeit 'improved') that is weak to begin with - your users won't be able to take advantage of the vastly improved security of the latest operating systems if they choose to disable UAC. It is attempting to make up for the default use of an admin account on a default-permit system and the lack of a default-deny technology that was already built into the previous OS (but limited to certain editions only unless you use registry tweaks or a tool like PGS) and which are available in 3rd-party tools since quite some time ago. It is 'secure enough' if users do not disable UAC and let UAC remain at its default settings or better still set it to the highest settings (although not really secure enough compared to a 'true' LUA)...it is 'secure enough' if DEP, SEHOP and ASLR were enabled by default for all programs, it is 'secure enough' if program developers adhere and make use of these built-in security technologies, it is 'secure enough' if users do not just download and click on 'next-next-next' any executable they find on the web, but purely from what-I-see-is-happening-in-real-life-usage standpoint, it's fairly poor security. To reiterate my point: You can slap on all the modern techniques onto a modern OS all you like - BUT it still doesn't make up for the default use of an admin account (even in Admin-Approval Mode) on a default-permit system.

    It's all just a matter of slowing the hackers down - forcing them to play by your rules - and the default-deny ideology/system/practice simply do a better job of this. To deny this is to deny years of research. To deny this is also to deny years of experience.

    With the modern OS, you can be "Secure Enough" for the present threat landscape and with lots of built-in security technologies. With XP (or any OS, regardless of its age/modernity), it doesn't take 'lots of 3rd-party applications' to achieve a default-deny system, either use what's available to the OS (e.g. LUA+SRP) or if you don't have it/simply do not trust SRP (since it's implemented in usermode unlike Applocker), use a 3rd-party tool (just 1 is enough). As for common sense, that is needed (esp. if you're the admin)- more or less shouldn't be in the equation regardless of the modernity of an OS.

    :p :D

    P.S. I'm a built-in security fan too but I love the default-deny even more.
     
    Last edited: Jan 16, 2012
  10. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    Geez... This topic is like a broken record.
    It seems to me that some people here are using the "any OS can be secure with the proper policies/software" argument as an excuse to cling to Windows XP for as long as possible. Don't get me wrong, I like Windows XP a lot and I find it to be an excellent operating system (the second best the company has produced, next to Win7), but I think many of you are not seeing this in the practical sense. Sure any version of Windows can be very secure with the right tools, there is no denying that, but that's just it - anything can be better with a little help. You can use that argument for just about anything. It's an easy way out. Any woman can look prettier with the proper makeup, clothing, lighting, Photoshop (if it's a photo). Any car can be faster with the proper tuning. The question is how does the subject/object perform on its own, without additional enhancements. This is where Windows 7 outperforms Windows XP. On its own and/or with its default configuration it is the more secure OS. Is there a way to bypass UAC? Yes, there is. So what? Not all malware code uses such a method. Granted, that might be because Windows 7 isn't the dominating OS yet and the bad guys haven't focused on it, but even when they do not every piece of malware will be using the vulnerability. I'm getting sick of people dismissing features/products just because they fail against a certain threat and are not perfect. Just because some light virtualization applications fail against TDSS does it mean they are useless? Of course not. It's just another layer of protection. UAC is not a panacea but it's a nice feature to reduce the risk of infection. Keeping it on has very few drawbacks (annoyances for the user) whereas the benefit is much more significant. In other words UAC offers quite a lot for what it asks in return. That's a good thing.
    Speaking of layered protection, that's what Service Packs and security updates are. While the OS might be quite fortified with the proper policies and applications in place, it's not a bad idea to have it patched. It's just another layer of protection that has no process, services, drivers and requires no additional resources. It's just there, for free, so to say. All it requires is a few minutes a month to download and install the updates, and to reboot afterwards. Also a good trade-off in my book.
    Again, just because a system is patched doesn't mean it'll remain uninfected but it helps in reducing the risk. After all, layered protection is considered a good thing around here, isn't it?

    Also, it looks like many of you look at things through the eyes of an advanced user. That's fine and all, but it's kind of pointless, because the vast majority of computer users out there aren't experts. They don't know about the more advanced technologies, methods and techniques to help protect their system. They don't know about AppLocker, they don't know about SRP, they don't know about anti-executables. And even if they did, they couldn't be bothered with such things. It's too complicated for them. They use whatever is easiest, which at the moment is blacklisting - anti-virus/malware software. And rightfully so - the given antivirus program alerts the user of a dangerous file/website, the user reacts by deleting/blocking it, done. Not the most effective concept but certainly the easiest one to understand, as the program does the work, not the user.
    Again, you keep looking at it from the point of view of the computer expert (or at least the quite advanced user), but that's just it - it's not the experts that need the help and better security by default, it's average users that need it. As you already said it - you can make any system secure with the proper tools. But even if you didn't, and you left it wide open, you would still be smart enough to avoid many of the threats. You will know not to trust files from P2P networks, you will know not to run suspicious executables without scanning them first, etc. Even without your arsenal of security tools you still have a much better chance of remaining uninfected than the average Joe. It's him who needs all the help he can get, not the experts.

    And actually, that "age of OS means nothing in terms of risk of infection" argument goes both ways. I can get infected regardless of the age of the OS I'm using? OK, fine, then I might as well use the OS that offers the best performance, features and convenience/interface. And that is Windows 7. The convenience/interface thing could be considered a bit subjective but then again, I was a die-hard XP user and didn't like the new interface, but I gave it a chance and now I actually prefer it.
     
  11. BrandiCandi

    BrandiCandi Guest

    I'd say it's not an excuse. If you know how to secure it, then why not run it?

    Yup. But none of those average users are reading this thread. They don't even know or care that Wilders Security Forums exist. So maybe it would be more pointless to talk to people that aren't listening. And in an exercise in futility I will address those unsophisticated users: It doesn't matter what operating system you run, if you don't educate yourself how to secure it then you cannot be secure. You may be less likely to get owned by using newer or obscure OSs, but that's not security. It's just playing the odds.
     
  12. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    +1
    Not too many regulars here are using their first-ever computer (gotten for Christmas, maybe?). While there are obviously huge differences in the levels of expertise among us, how many of us are running whatever OS in its out-of-the-box default setup? Darned few, I'd bet.
     
  13. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Yup, and Windows 8 improves upon this scenario further with things like system-wide SmartScreen to prevent infection via Fake AV's (Scenario Part 1) and using UEFI's Secure Boot to prevent rootkit-type infections (Scenario Part 2) from booting and killing AV's.

    Security is a cat and mouse game and you have 2 choices.
    1. Live in a fortress and enjoy very limited freedom
    2. Try and keep ahead of the race by using the latest software, and enjoy more freedom.
    Or to word it differently:
    1. Barricade yourself in layers of 3rd party software and take the resource hit to your system, but virtually NEVER get infected.
    2. Use next to nothing other than what the latest OS gives you (very limited resource hit), enjoy high system performance but keep upgrading and updating to stay ahead of the game. (Though admittedly people don't upgrade OS for security, that's just a positive side effect of upgrading).

    This thread can simply be summarized with: some of us prefer the former, and some of us prefer the latter, deal with it!
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    lol :D (I disagree >_> duh but still)
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Wrong motive. Some of us won't be told by a multi-billion corporation that they're letting their flawed and insecure design become even more vulnerable and that it's time to part with more money to replace something that works fine so we can be slightly less insecure. We use what fills our needs. The difference is that we're deciding that for ourselves instead of allowing MS to dictate it to us. None of us have suggested this approach for the average user. The average user doesn't custom build their own PC either. More than a few here do.
    With default-permit and relying on AVs, it's very much a cat and mouse game. As for a fortress limiting your freedom, when the fortress is built to match your needs, you're not limited. You alone can modify it or allow what you want when you want, not malware, not MS, not another user, just you. As for the resource hit, show me an AV that performs less disk accessing, uses less disk space, memory, or system resources than a properly implemented default-deny package. Mine uses 3 running processes that rarely use more than 5% of the processor and less than 15MB of memory. There's a big difference between layered security and a pile of security apps.
    I have no problem with anyone else's preferences, but some here either can't stand or can't grasp the idea that it isn't necessary to have the latest and greatest in order to be secure. Like you said, deal with it!
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's just the difference between "Secure Enough" from a user standpoint and "Security" from an academic standpoint. If I disable ASLR on Windows 7 I won't get hacked with ASLR exploits because the current threat landscape assumes all users leave it default - you'd be targeting a ridiculous minority. But by disabling ASLR I also open myself up to many many more exploits.

    So I could go without ASLR on Windows and be "Secure Enough" but overall it's weak "Security."

    That's how I see it.
     
  17. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I disagree. I don't think it is a case of "clinging to XP" at all. While I don't think anyone can argue that Windows 7 with no extra security measures in place is more secure than XP with no security measures in place - this doesn't tell the whole story. Despite Windows 7 being more secure, there is still the need for extra security measures to better protect it. It is certainly not the case whereby you need extra security software on XP and nothing extra on Windows 7. (Personally, I use Windows 7 with no extra security measures and UAC disabled, which is not a configuration I would recommend - but if I was still running XP I would do the same).

    With that being the case I see nothing wrong with users sticking with XP rather than moving on to Windows 7. Sure, Windows 7 is better, but on the other hand XP is still a very good operating system.
     
  18. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
    I realize the following article is about a year and a half old but if Microsoft is letting companies downgrade to XP until the year 2020, there must be a reason they extended the time frame.

    http://www.computerworld.com/s/arti...xtends_Windows_XP_downgrade_rights_until_2020

    If Windows 7 is going to be supported until 2020, I think companies that have finally migrated to Windows 7 are not going to rush getting Windows 8. Is Windows 8 going to turn into another Vista?
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Windows 8 will probably mirror Vista in a lot of ways. Radically different UI, improvements to performance and security, and too much of a change for the average consumer.
     
  20. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    It's not an excuse...it's a direct answer in reply to those who challenge the 'security of older OS' by using the statements like the "latest OS is much more secure with all the modern technologies" and the "latest OS outperforms prior OS as on its own and/or with its default configuration it is the more secure OS". That kind of argument is used as a way to so-called "mock" the security level that users of older OS have in comparison (by 'default') - when in fact, the topic of security (esp. around here) does not revolve around merely the 'default' settings. I find that inconsiderate since you're looking at security from only 1 angle while dismissing the rest. It's plain obvious that with newer OS comes newer, better, improved security technologies used by default (damn, those here using the older OS need not be reminded of this by now) but that does not somehow 'magically' make it much more 'superior' than older OS if other factors are counted into the picture. That's the point these people want to point out...security does not need to be reliant only on what's 'built-in' to Windows or whether patches are available.

    Don't get me wrong, I like Windows 7 a lot and I find it to be an excellent operating system (that is why I'm using it and while I do prefer Win7, I don't really give a ranking as each has its own pros and cons) but I think some of us here are not seeing this in the practical sense. Sure the latest version of Windows can be very secure with the right modern 'built-in technologies', there is no denying that, but that's just it - anything can be better with a little help. You can use that argument for just about anything. (esp. with the 'newer is better' argument) That's an easy way out too.


    Let's be real here...it's a moot point discussing such a question when in reality we all know that the newer subject/object will most likely perform 'better' on its own, given that the additional enhancements are 'built-in' to the core. To use your analogy, the objective is to say that any woman can look prettier even if she is not using the latest, newest or most expensive makeup brand, clothing. As for photos, any woman can look prettier even without hiring for professional lighting used in modelling or photo-shooting sessions. And mind you, beauty is in the eyes of the beholder...

    Is there a way to bypass the security implemented by 3rd-party tools? Yes, there is. So what? Not all malware code uses such a method. Granted, that might be because the tools used are not the dominating ones (compared to AVs which are more widely used) and the bad guys probably haven't focused on it, but even when they do, not every piece of malware will be using the vulnerability. I'm getting sick of people dismissing features/products just because they are '3rd-party' and 'not built-in', fail against a certain threat (and without patches) and are not perfect.

    I'm an advocate of keeping the UAC on at the highest settings or if not, at least its default settings...or if you can't do that, just do not disable it. The benefits are indeed significant but let's not kid ourselves...keeping it on does 'annoy' quite a number of users. That is seen even among security-conscious folks on this very forum. Contradictory to its purpose but that's the reality. It's not easy to change people's mindset...but if they're fine with the way they are, who are we to insist and force upon them our ideology/belief?

    Layered protection is indeed good but it's up to individuals to decide which layers are necessary to them. Some would agree that it'd be better to have it patched, especially more so when it does not cost you any $$$ (well, essentially you have already 'paid' for it if you're using a legit Windows), slowdown (that's up to individuals to judge) or incompatibilities with older software (I know about Program Compatibility Assistant). That is primarily 1 of the reasons why I keep my OS updated (when I choose to do so...not the other way round). Nevertheless, bear in mind that patching is a solution to current known problems....and not everyone would subscribe to the idea/agree that 'it's not a bad idea'. In fact, Marcus Ranum would disagree and call it a 'dumb idea'. Look under "#3) Penetrate and Patch" here:

    The Six Dumbest Ideas in Computer Security:
    http://www.ranum.com/security/computer_security/editorials/dumb/index.html

    Also have a look here:
    The Tale of Wise Master Sun and the Prince's Patching Policy
    http://www.ranum.com/security/computer_security/editorials/master-tzu/index.html

    When the computer users aren't experts (and it's not their fault imo), it's up to those who know better to help them out. Tell them a thing or 2 (while 'educating users' doesn't work all the time and tends to fail, at least in my experience, it doesn't hurt to give it a try just to inject a bit more what-should-be-common-sense into their brains). If that does not work or you simply don't wish to do so, help them set up the system instead. They don't need to know advanced stuff in order to be 'secure', in fact a change to using a LUA account would increase their security levels more so than UAC does. What makes you think that changing them to a newer OS would be the best solution? What makes you think that they would benefit from the 'built-in' technologies especially more so when these non-expert computer users who don't know any better (how would they possibly know the benefits of UAC, right?) choose to disable UAC due to "Oh hell, Shut that thing up. It annoys me" moments. It doesn't take a genius to figure out how to disable UAC.

    Common misconception I see on this thread: Using an older OS doesn't necessarily equate to using an arsenal of security tools. Security isn't just about tools or technologies....it involves what I call "the human element" (whether you like it or not is a different issue altogether).

    Might as well? You forgot a few factors: Compatibility with software and existing hardware, Time taken to do the upgrade process, etc etc but most importantly the monetary factor. The $$$ factor is the biggest issue for home users on a tight budget and even more so of an issue in businesses/corporations/organizations. They have to take these factors into account - whether the security/performance/features benefits outweigh the costs (monetary and the other factors). Sometimes, the trade-off is not worth the value given the usage/needs...

    Same here. But that doesn't give me the right to belittle the security of those using the older OS.
     
  21. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Oh no ... don't say that ... :doubt:
     
  22. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    What the hell are you talking about? Microsoft isn't forcing anyone to upgrade. If anything it's the opposite - they are allowing users to keep on using Windows XP and still be patched. The only thing I can think of that even comes close to "forcing" the users is IE9 not being available on Windows XP but that's more of an encouragement. Nobody is forced to do anything. I think you're being overly dramatic.

    I'm looking at things from one angle only? If we assume I really am, then so are many other users here (including yourself).
    Nobody says default settings are enough and that users should use the OS with them. And actually it does make it superior in a way. The end result might be the same - virtually impenetrable protection, however, the newer OS would offer the user more ways to achieve that or make that goal a bit more easily achieved.

    Wow, you had to resort to using my words because you couldn't think of your own?
    Still, I'll play along. I can't exactly see your point with this one though. Are you assuming that I'm all for using only built-in stuff and never using 3rd party software? If you are assuming this, you're wrong. I'm not at all against 3rd party security software, I even use it myself.

    This sarcasm doesn't really make you look more intelligent. Quite the contrary.
    Once again I feel the need to clarify things: I am not against 3rd party tools. I never said that. Maybe this time it'll get through to you.

    Wait. What?
    You mean to tell me that users here are prepared to set up a (rather) sophisticated and layered security but are annoyed by UAC? Users can spend even hours setting up rules, policies, applications and what not, but a few UAC prompts tick them off? Are you freaking kidding me?!?
    And why not just disable UAC? Wasn't it nothing special and unnecessary for the experts who are going to secure their systems with the help of other applications anyway?
    And what is the problem with 1-2 UAC popups a day for average users? Perhaps even less. Very few products actually require admin rights, and those are generally rarely used (advanced) tools and/or redundant crap like registry cleaners and the like. If a user has the patience to wait a few/several minutes for his cleaning/optimization program to complete, then that user HAS TO have a few seconds to click a few UAC prompts.

    Yes, idealism is adorable. Realism is something else. I do agree that there are too many crappy products out there that just weren't designed correctly to begin with. However, there is no perfect code. One can think it through and try to design it to be as secure as possible. Still, the bigger and more complicated the program/product the more difficult it is to design it so that it is impenetrable, and yet stable, light, etc. Especially in the case of Windows. It's not a YouTube downloader or something small. It's an operating system for crying out loud. It contains quite a bit of code.

    I didn't say that changing the OS would be the best solution. Still, sometimes users do not need to know better in order to benefit from a feature. ASLR is an example. Having a 64-bit Windows Vista/7 would also add Kernel Patch Protection and mandatory driver signing, which are more features that just work without the user having to do or know anything.
    As far as UAC is concerned, if I should happen to recommend to switch to a newer OS, I may also explicitly say not to disable UAC and provide a link to an article of mine in which I describe the feature (provided the recommendation concerns a fellow countryman). That's all I could do really. If the user still decides to disable UAC, that would be his/her problem.

    Really?!? You want to include the human factor now? In that case let me put it this way. If additional methods for securing an OS (built-in or 3rd party, policies, applications, WHATEVER...) make the age of an OS irrelevant, then the human factor would make any additional method for securing an OS irrelevant.

    Yes, of course there are factors like that. It's very possible that a switch would turn out to be completely unnecessary. I'm not disputing that. However, that applies to companies, not home users.
    Compatibility with software and/or hardware is usually a very minor problem. Few applications work on XP but fail on later versions, and those are usually not mainstream. Same thing goes for the hardware.
    I meant all this if the user can afford the price and time. Plenty of "if's" are being thrown around, so I decided to do one as well.

    I sincerely hope you're not implying that I belittle older operating systems. If you do, then you really need to start reading the posts more thoroughly and use your brain actively during.
     
  23. BrandiCandi

    BrandiCandi Guest

    Whew- no one can say this forum is boring.

    I LOVE LOVE LOVE this quote. I think it might summarize the last 20 posts I made in this forum. Don't be surprised if it becomes my new signature (credit given of course). :p
     
  24. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    I didn't exactly mean to refer to "you" specifically when I typed my post. "You" here refers to anyone who tried to make it sound like using older OS was a sure-fire way to insecurity. I was simply referring to it in a general manner. Still, from your posts, it did seem like you were arguing for the stance that default settings in newer OS "make it superior in a way" (which I'd agree to a certain extent it is) but as if 'using XP with 3rd-party tools' pales in comparison (which I'd disagree with). Perhaps I misunderstood your message for my posts were only to counter-argue that. Sorry if I had hurt you unintentionally.

    Chill dude. The only reason I used your words (the way I did with HungryMan too if you noticed) is to actually let you see that the same manner of argument/writing can be said 'for' using older OS with 3rd-party tools...and definitely not because I couldn't think of my own (I still have my brains and intellect intact, thank you for doubting it). Don't mind my rudeness (for this short while) but I couldn't care less if you're using only built-in stuff or 3rd-party security software (to argue which method is 'superior' is pointless...it's up to individual). My only interest was to say that Vista/7 isn't necessarily more 'secure' for everyone compared to older OS simply because of the built-in improvements it brings...yes I do believe in all those security enhancements mind you (I freaking use them too) but that does not mean the lack of these security features in older OS makes them 'hopeless' in terms of security. That was and will continue to be my objective in posting on this thread.

    Yes, I did use sarcasm (my fault) but the intent was only to show that the same style of argument can be used in support of those using older OS. I don't need to prove my intelligence to anyone over here. This is not the place to show "who's smarter" or "who has higher IQ". Anyway, it's good to know that you're not against 3rd party tools...because at least I know we sure do agree on 1 thing at the very least.

    Excuse me. We share the same feelings towards UAC...I've got nothing much against it. All I'm saying is that much of the security benefits that come along with Vista/7 would be 'lost' once UAC is disabled (and which quite a number of users out there do). And nope, I'm not "kidding you"...there do exist users who wouldn't mind spending "hours setting up rules, policies, applications and what not, but a few UAC prompts tick them off". While we might find it odd (let me remind you that I'm a UAC, LUA proponent), who's to judge if their way/decision to securing their PC is wrong? Again, security is up to the individual.

    While it's true that idealism and realism are 2 different things, that does not mean they're entirely separate from each other. In fact, if you ask me, 1 complements the other. Idealism stems from the mind/thoughts - we all have principles, values, and goals don't we? That itself in turn is part of realism. Do not confuse 'idealism' with 'perfectionism'. Just because you're admitting to real life as it is presently does not mean you should stop 'idealizing' - after all, to shape our thoughts might help to shape the world/future...and change is nature.

    Again, perhaps you're missing my point. ASLR, KPP are all great (well, KPP presents a bit of problem for some security software but that's another topic) but the lack of them does not necessarily make the older OS inherently insecure. At least, that's my view...

    As for UAC, I repeat myself...I share the same attitude towards it as you do. Mind sharing the link to your article?

    It's not about 1 factor making the other 'irrelevant'. It's about this: not all methods/factors are 'relevant' to an individual's approach to security. There's a difference between the 2. I hope you see where I'm coming from. Let me state that I believe in the concept of security as both real and psychological...and that the 'real' does not overpower the 'psychological'.

    Mainstream/minor problem or not, that's not my point. The point is these issues exist. Not all users can afford the price/time/effort/whatever. In that case, would you agree that I wasn't wrong to say what I've said? I 'threw' in a statement based on what I've seen...

    No...I didn't imply that. As for using my brains, I'd appreciate if you stop touching on the subject for I'm not mentally incapable.
     
  25. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    I think that the original meaning of the thread is lost. The meaning, IMO, is: a lot of people are going to use and enjoy XP SP3 safely, and have no reason or wish to switch. Stop. Other users find 7 safer, faster or more useful. GUI preferences are subjective, vulnerabilities and exploits exist for XP and for 7, and security, by third-party software or by the system, is available for both.
     