Ten years later, Windows XP still dominates the Web

Not sure that there is really a "meaning" to this thread.
An article is linked that says XP dominates with a 46.5% share of global Web traffic, and the OP says he is going to continue to use it.
After that, a bunch of people weighed in with their opinions about whether or not, from a security standpoint, that is a good idea.
I think it's been an interesting thread.
One learns as much about one's fellow forum members on a thread like this as might be gleaned from the technical discussion.

 

Agreed! Technically it strayed ot, but I think in this case it was a good thing, with lots of interesting and meaningful back-and-forth banter

 

We haven't been talking about Windows XP market share in pages lol

 

You're right.
I think 46.5% is high.
It is probably more like 46.2%.

 

If there's any meaning in this thread, it's that different people have different ideas what an OS and a security package should be and what is expected from them. For myself, I feel an OS should be an interface between the user and the hardware and a platform for the users software. Beyond that it should stay out of the way and be quiet. As for the security package, I expect it to keep my system just the way I built it. It should allow only what I told it to allow. Beyond that, it should stay silent unless it detects something I'll want to know about.

I realize that in comparison to what I'm using, the newer hardware has far more processing power and many times the RAM. While this in itself is great, it sickens me that its being used as an excuse to release bloated, resource and memory hungry operating systems and apps, leaving the user just about back where they started. It's no big deal for a new OS to look faster than its predecessor, especially when its installed on much more powerful hardware. 98 looked awfully slow compared to XP too, but look at the difference in the hardware. When you put both on identical hardware that both can fully utilize and then compare them, the results are quite different. IMO, an OS (and the applications) should utilize the hardware, not consume it.

I apologize if I came off harsh in this thread. Ever since XP was the "latest and greatest" I've listened to the same old song thrown my way. I didn't accept it then and don't accept it now. I can't begin to count how many times I've seen "critical vulnerability", then went to find that exploit just to watch it bounce off of my system. It just gets old being told I'm vulnerable when I can go where most of them don't dare and have been doing so for quite a few years.

 

This is odd... not trying to stir the pot but how is your setup quiet? Default deny means more user interaction and if you have to test something before installing there's significant amounts of time where you have to load up a VM or some kidna virtualization software and have a look at the file.

I definitely am all about silent security, which is exactly why I don't like AE.

For XP and 98 if you put them on the same hardware XP is faster. If you do the same with Vista, 7, 8, XP, whatever and put it on a computer with 2GB RAM and a half decent CPU it's the same thing - each will utilize the hardware better than the last (ironically Vista was a bit "too good" at utilizing hardware, which led to slowdown with RAM usage skyrocketting.)

I agree that all software should utilize and not consume. Definitely something I say a lot. People say "Oh I have 4GB of RAM who cares if X uses 2GB" but developers shouldn't use a portion of the markets' hardware as an excuse for not optimizing.

I think it's just the difference between practical and academic security.

 

I like the occasional digression... as in say this thread has legs. (ZZ Top)

 

On a dynamic system, one that's changing constantly, AE or whitelist approaches, especially those that employ a lot of hash rules, can be quite time consuming, but on a fairly static system, this is not the case. Actually, if path rules are deployed throughuot, even a dynamic system doesn't involve a lot of one's time to keep an AE approach updated.

 

Right, true.

 

During the initial setup there's a lot of interaction. Beyond that, it's quiet. During normal usage, the UI for SSM is disconnected and it does not prompt, just silently denies anything not already allowed. The only time there's more interaction is when I want to change something.

Testing on virtual systems is no big deal. I have a virtual clone of my system, save driver changes needed by the virtual hardware. I've got lots of premade images for testing.

I dual boot a stripped and modified 98SE and XP Pro on the original XP hardware. The 98 system is much faster at just about everything. It's not because the XP unit is slow either. I "decrapified" this Dell and tuned it up right after I got it. The XP side of it runs pretty good, but the 98 side is a shocker. It's like an economy car with a V8 under the hood for lack of a better description. With a P4 and 1 or 2 Gigs of RAM, a stripped 98 that's tuned for the better hardware is extremely fast, at least here it is. It's also proving itself to be equally stable and just as capable as the XP system, sometimes better. It's been running an exit node for the last 2 weeks. The XP unit won't hold up as a Tor exit node. With virtualization software, my XP uses the swap file. The 98 unit doesn't. More than anything else, I enjoy working with the unofficial upgrades and seeing this old OS being developed to its real potential. No, it's not for everyone. Not by a long shot. Neither is default-deny. Neither is Linux or BSD. They've all got their place and their own good points. The internet needs them all. Real strength comes from diversity, a fact demonstrated by our food supply. When they're all the same, they're all vulnerable to the same thing. With cyber warfare a real possibility in our future, that's a vulnerability we can't afford.

 

Now, here is a statement after my own heart!

I used to advocate that rather than talking up the statistics of how many millions of people get infected, time would be better spent helping educate someone in our sphere of influence who will listen and follow instructions.

I realized about five years ago that the reason my AE product never alerted to an attempted intrusion was because the security at the perimeter prevented anything from getting to the point where an alert would be triggered.

By security at the perimeter, I mean the firewall and the browser, the two "openings" through which remote code execution exploits attempt to intrude while connected to the internet. I realized that if those were properly configured, the chances of being exploited while on the web were reduced to almost nothing.

As far as I was concerned, it didn't matter what the version of OS was: blocking at the perimeter keeps malware from touching the OS.

Security can be Pretty Simple, I found out!


----
rich

 

I don't know about you but I have a very limited sphere of influence. I don't bother trying to tell a friend "Use XYZ" because they probably don't care and it's not exactly the best conversation topic.

 

I don't teach or preach...these days, about securing one's computer. I learned my lesson, well.

 

Oh, I completely agree!

I learned long ago to avoid making suggestions to those who don't care or want to listen.


Also, I never suggest that a person "use XYZ" without really knowing that person's expertise, how that person's system is set up, and something about that person's computing habits.

With those I do help (ususally by word of mouth), there is one stipulation: if anything we set up as far as policies is violated, then I will no longer stay involved.

That quickly gets rid of the deadbeats!


----
rich

 

I've come to realize through my experiences and others that the moment you touch someone else's computer any and all things that happen to that computer are going to be blamed on you. Install an AV and a month later the system BSODs? Gotta be your fault!

 

How true. It's very rare that I see anything in the SSM logs, and that's usually something of my own doing. Smoothwalls logs are a completely different story. Probably about time to clear them out again.

That's something I need to start doing. I don't mind repeat business, but not the same problems from the same people.

Oh yeah. Memories of Antvir-Avira when they first came out with the rootkit module. It was fine til they updated it and it conflicted with other security apps.

 

Agree. I only meant that that some posts was becoming a religion war.

 

I was never arguing that a "naked" Windows 7 is superiour in terms of security to a Windows XP with proper security applications installed. Of course it is not. My point was that overall Windows 7 should be more secure due to the additional security features. Whether this would be the actual case of course depends on a lot of other things like installed patches and security applications, surfing habits, etc.
In other words: with the same security applications installed Windows 7 should be as good or better than Windows 7. How much better is a matter of debate.

As I said above, the additional security features should make it more secure as a general rule or make the required level of security more easily achievable than on older versions of Windows.

Of course I'm not against 3rd party tools. Quite the contrary. They can be invaluable, as Windows by itself and by default is suitable only for really advanced users, and even then there are risks. I myself use Malware Defender at the moment and love it.

This is true. However this is still an "if". Some/many people do disable UAC but most (I think...) don't.

Just wow! It boggles the mind.

The lack of these features does not make an older OS insecure, it makes it less secure as a general rule.

Well, the article is located here. Be advised that it's in bulgarian so I doubt it would be of much use.
Forum is down for the moment, a protest against SOPA and PIPA. Should be up tomorrow.

Were you right about the trade-off sometimes not being worth it? Yes, you are right about that. At least purely from a security standpoint. When one considers that newer OS have more benefits to offer (should the computer already be good enough to handle them) it could become a good trade-off once again.

 

Anyway guys (& dolls) this has been a hugely educational thread. That's what I love about Wilders, it's just so informative. I have learned so much here. Sometimes I talk to work colleagues about the stuff we discuss here & they are impressed with my knowledge of computer security. Which is weird, because technically I am really a noob. It just goes to show, regardless of our differences, we really are making a difference at Wilders.

 

One thing that wasn't mentioned in this thread is how the different experiences of each of us shaped how we approach OS security, what OS we choose, and what methods or apps we choose to secure it. Mine were quite different than what you described. About 9 years ago, I ran a much more conventional security package plus a few extras. Had dialup internet that gave me a different IP every time which was tied into ID Blaster. When my IP changed, so did all the ID numbers. At the time, I thought I was well protected. Then one night something on my system decides to connect out at 3AM by itself. Whatever it was granted itself internet access thru the firewall using RUNDLL32.exe. There was no rule that allowed it access. The firewall logged a large amount of outbound data that happened to equal the size of an encrypted archive I had at the time, which contained some very controversial and sensitive material. Nothing I used ever found anything malicious on that PC. It's hard to come to any other conclusion besides being directly targeted by something custom made, which apparently deleted itself. I have a very good idea who did it and why but no evidence or any way to prove it. This incident forever changed how I view PC security. I only wish I'd known then what I know now.

 

I know how I've gotten infected every time. Exploit, exploit, social engineering. I wasn't interested in security until long after these.

 

Except for that incident, I've been infected once. Some virus completely crashed NIS one piece at a time. When I got the system back up, it claimed it couldn't remove the virus. That was the end of AVs for me.

 

I used an AV for a while. I realized I just didn't need it. I left UAC off as well because it was a pain and it was just a popup that I'd probably answer "Yes" too anyways.

Defending against the malware out there isn't hard. The majority of it targets users who use very little security (outdated AV) and outdated plugins etc. Simply staying up to date is an easy way to break most attempts at hitting my system.

I'm not really interested in security in terms of securing my own computer. I'm interested in security in terms of security every users computer, a "one size fits all" kinda deal.

 

True. For myself, I don't worry about the normal web malware. As for a package for other users, I've about given up on that. The closest thing to a "one size fits all" that I can come up with is a live CD. After nearly 10 years of dealing with infected PCs, both physically and at support forums, I've grown tired of it. I've come to the conclusion that nothing will really change until Windows gets off of that default-permit design, which isn't going to happen. All of the new security features they add are just the latest chapter in the same repeating story. It works for a while, then the cycle repeats.

 

Default deny is obviously strong but I don't think that it works for novice users. Since the majority of users are "novice" those are the ones I'm most interested in as well as companies from direct attacks.

I don't think default-permit is going anywhere. In terms of execution, definitely not. In terms of capabilities/ application rights... not so much. Integrity levels are as much as we'll ever see I suspect.