
Is it bad that Microsoft won't be supporting Windows XP by April 2014?

#51 SinisterSlay Posted 12/3/2013 1:56:25 PM
MrMonkhouse posted...
arleas posted...
End of support for XP just means no more updates... It doesn't mean the OS grinds to a halt and stops working. If it's fine for what you use it for and you don't mind that there's no more updates/bug fixes, stick with it.


I know that, I'm just concerned about the bugs and exploits that other people will find and use it to their advantage because there's always gonna be a bug or exploit in any kind of software.


As usage declines, you will be pretty safe

Contrary to the popular "obscurity is not security", being obscure does make you less likely to be a target.
---
He who stumbles around in darkness with a stick is blind. But he who... sticks out in darkness... is... fluorescent! - Brother Silence
#52 Worknofun370 Posted 12/3/2013 2:15:59 PM
SinisterSlay posted...


I don't think you understood my previous point, I didn't want to say they don't patch things, I'm saying they don't fix the problem.

There are always going to be vulnerabilities, because the pyramid was built upside down.
The best they can do is find every angle that causes the brakes to fail, and patch that, they can't ever solve the problem with why the brakes fail in the first place, they can't ever turn the pyramid over and build it correct because it would break all legacy applications.


I took what you said at face value. I may have missed it but I haven't really seen you point out that you now mean "fix the problem" when you're talking about vulnerabilities, but I easily could have missed something. That being said, they are fixing the problems.


My issue with the core of your current argument is that it's nothing but assumptions. You're assuming there is some grand deeper issue at play, you're assuming that there are huge fundamental flaws in the design, and you're assuming they can't fix things because it would break legacy applications. You very well may be right on all three... and just as easily could be wrong. This is something that I don't think you'd be able to prove either.

At this point if you still feel the way you do... I'm sure we can finally agree to disagree.

I do recommend you expand your knowledge of the security world a bit. You'll quickly realize that this is how the security world works. Whenever you get something as complex as an OS and major Software Suite... you get lots of vulnerabilities. Such is the nature of the beast. Windows may be targeted more, but does that mean other things are more secure? Or benefit from some security through obscurity?
#53 SinisterSlay Posted 12/3/2013 2:41:14 PM
Worknofun370 posted...

I'm actually decently well read on security and viruses.
There is no such thing as security through obscurity.

However,
When terrorists strike, do they go for a city, or for the log cabin in the middle of the woods 1000s of kilometers from civilization?


You are right, it's all assumptions on both sides. It has to be because MS will never release the source code.
I do know however that a good chunk of the vulnerabilities stem from legacy code.
You have to think back. In these modern times, we have the CPU power to verify everything. Most .net applications automatically add integer overflow checks around every variable assignment, even if you don't code them yourself. We have the CPU power to do that now. But that wasn't always the case. We had to cut corners before in the name of performance. We didn't always check the bounds of our data, we didn't check for memory overflows, we didn't check for file tampering.
And think of some of the odd workarounds windows has introduced. UAC is an obvious one for allowing legacy programs to run and allowing the user to still be administrator without giving them admin rights.
Windows now has code so that applications can write to their own folder without permission to do so, Windows automatically links a folder in the users appdata folder and makes this redirection invisible. Just to support legacy programs. But this means a virus can do the same. A virus can write to your windows folder and let windows redirect it to a location a limited user has permission to. Effectively infecting that user.
What about the system file checker. A service running in the background that just checks to see if system files change, and if so, restore them. A neat idea but why are regular users allowed to change system files, why was a tool even necessary? Why are users allowed to be admin? It's just for legacy stuff. In a perfect world, the OS would not allow non admin (root) users to play with OS files. And no application a non admin(root) user runs should be able to change those files. The only vulnerabilities we would see are escalation of privileges which means the virus broke out of the limited user constraints.

If you dump the legacy support, and turn the pyramid over the correct way, the system could be much more secure. But who is really willing to do that? Especially with competitors emerging.
Dumping backwards compatibility now could kill Windows. Corporations are only now settling on Windows 7. Windows 8 will probably never be mass deployed in a business. If Windows 9 were to drop compatibility, corporations with legacy systems will be forced to replace those systems, and will be available to reconsider tying themselves to Microsoft. This is an opening Microsoft works hard to prevent.

Consider, why is it you can run Windows 95 programs in Windows 8? They are entirely different kernels based on entirely different systems. Because the compatibility, the old code from 95, was written into Windows 8. All the old APIs are there, they all still have the same bugs, glitches and behaviors as they did back then.
---
He who stumbles around in darkness with a stick is blind. But he who... sticks out in darkness... is... fluorescent! - Brother Silence
#54 Worknofun370 Posted 12/3/2013 3:06:00 PM
SinisterSlay posted...

No offense intended by any means but, I don't really think you're well read. You know more than the average user (that's not saying much) but having worked with some guys who truly are well read, they'd make your head spin. As always, could easily be wrong.

Also, yes... there is no such thing as security through obscurity. Things are not somehow more secure because they're unpopular, but if something is less likely to be targeted there is less chance of vulnerabilities being found, that's where the phrase comes from and why it actually means something.


You are right, it's all assumptions on both sides. It has to be because MS will never release the source code.


No, it's assumptions on your side. You're the one making the claim. I'm not making any assumptions one way or another. I'm just saying you can't prove the claim.

I do know however that a good chunk of the vulnerabilities stem from legacy code


So, you know it because why again? This still sounds like an assumption to me. But, I am certainly not saying it's for sure incorrect.

And think of some of the odd workarounds windows has introduced. UAC is an obvious one for allowing legacy programs to run and allowing the user to still be administrator without giving them admin rights.


You think UAC is an odd workaround? Its functionality has been in Linux and OS X well before it came to windows. Why do you think it's odd? It's good user security.

Windows now has code so that applications can write to their own folder without permission to do so, Windows automatically links a folder in the users appdata folder and makes this redirection invisible. Just to support legacy programs. But this means a virus can do the same. A virus can write to your windows folder and let windows redirect it to a location a limited user has permission to. Effectively infecting that user.


Do you have a link to something that supports this claim? Or that it's just to support legacy programs?

I'm honestly curious, I haven't heard about windows allowing applications to write to their own folder without permission. A quick google search didn't turn up much either.


Why are users allowed to be admin? It's just for legacy stuff. In a perfect world, the OS would not allow non admin (root) users to play with OS files. And no application a non admin(root) user runs should be able to change those files. The only vulnerabilities we would see are escalation of privileges which means the virus broke out of the limited user constraints.


UAC makes windows your "perfect world." UAC is sudo (more or less). UAC keeps people from truly being admins, they're just sudo-admins until they click that UAC button. The same thing you just said was an odd fix is the exact thing that nullifies this argument. I do agree that UAC is not nearly as powerful and good as sudo. But at the end of the day is attempting to stop users from being too powerful and borking the system blindly.

Also, if you don't want someone to be an admin, don't set them up as an admin. Problem solved.

Trust me man, we can agree to disagree. We've gotten past the issue of you believing Microsoft doesn't patch vulnerabilities. I don't really care to argue against assumptions.
#55 SinisterSlay Posted 12/3/2013 9:58:49 PM
Worknofun370 posted...

No, it's assumptions on your side. You're the one making the claim. I'm not making any assumptions one way or another. I'm just saying you can't prove the claim.

You have no proof either, you have security reports on vulnerabilities patched and MS's word they are patched. MS also gave their word they don't give data to the NSA. Show me patched source code and I'll believe you.


So, you know it because why again? This still sounds like an assumption to me. But, I am certainly not saying it's for sure incorrect.

I gave proof later in my post.



You think UAC is an odd workaround? Its functionality has been in Linux and OS X well before it came to windows. Why do you think it's odd? It's good user security.

UAC is a good attempt, Windows 7 sort of ruined it with a default setting making UAC only stop old viruses, but fairly effortless to bypass on new viruses.



Do you have a link to something that supports this claim? Or that it's just to support legacy programs?

I'm honestly curious, I haven't heard about windows allowing applications to write to their own folder without permission. A quick google search didn't turn up much either.

You're looking for the windows virtualstore.
Hard to find a nice google link because it's mostly people asking how it works and how to disable it. But it's basically fancy operating system linking for legacy programs.
You can find yours located here
C:\Users\Username\AppData\Local\VirtualStore

Files in there are substituted when requested by legacy programs. One of my first projects was compatibility with windows 7. For a while I was stymied as to why some worked better with UAC turned on until I discovered this folder.
Basically any time a program running in a protected folder (windows, program files) tries to access its own folder (no others, just its own), windows automatically redirects it to that virtualstore which is a folder separate per user.
This has the neat added benefit of adding multi user configs to programs that never had it. You'll probably find lots of old games in there because the old games kept their save files in the program files folder.
The problem is, you can just add files to the windows folder into this virtualstore and they are now available to that user. That includes infected DLLs and executables. And since the user has full permission to this folder, no UAC message is required.
The good news is this would only affect 1 user as NTFS permissions still protected the original files.



UAC makes windows your "perfect world." UAC is sudo (more or less). UAC keeps people from truly being admins, they're just sudo-admins until they click that UAC button. The same thing you just said was an odd fix is the exact thing that nullifies this argument. I do agree that UAC is not nearly as powerful and good as sudo. But at the end of the day is attempting to stop users from being too powerful and borking the system blindly.

UAC is nice but it's tacked on to the OS. ...... Below more message
---
He who stumbles around in darkness with a stick is blind. But he who... sticks out in darkness... is... fluorescent! - Brother Silence
#56 SinisterSlay Posted 12/3/2013 10:09:35 PM (edited)
Which means it's trivial to bypass (on windows 7 default). At its highest setting it actually works pretty good. Viruses have defeated it but UAC on first and second setting do effectively block all legacy viruses that were created before UAC.
But that's off topic, UAC will never be added to Windows XP. XP can never enjoy the added blanket security created by UAC. Instead XP will for a short time more, get band-aids to cover holes in the Swiss cheese operating system. Patching XP was always a losing battle. Users are really not that much more insecure when MS drops support. Most XP security comes from the anti virus, firewalls, and other software security.

MS has done an admirable job trying to plug holes with drive by viruses. And that's good. But social engineering, the most successful form of virus delivery, still effortlessly infects XP if they can convince the user to run it.
---
He who stumbles around in darkness with a stick is blind. But he who... sticks out in darkness... is... fluorescent! - Brother Silence
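
Added example, not part of any poster's message: a small audit of the per-user VirtualStore folder discussed in post #55, listing executable-type files found there and whether a file exists at the same relative path under the real drive root. The names `audit_virtualstore`, `build_demo_tree` and `EXEC_EXTS` are hypothetical, and the sample tree is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Assumed list of extensions worth flagging; adjust for your environment.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".bat", ".cmd", ".vbs"}

def audit_virtualstore(virtualstore, drive_root):
    """List executable-type files under a per-user VirtualStore tree.

    VirtualStore mirrors the real path below the drive root, so
    <VirtualStore>/Windows/x.dll corresponds to <drive_root>/Windows/x.dll.
    """
    virtualstore, drive_root = Path(virtualstore), Path(drive_root)
    findings = []
    for dirpath, _dirs, files in os.walk(virtualstore):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in EXEC_EXTS:
                continue  # saves, configs and logs are the expected content
            rel = path.relative_to(virtualstore)
            findings.append({
                "relative": rel.as_posix(),
                # True when an original exists at the same relative path
                "shadows_existing": (drive_root / rel).is_file(),
                "size": path.stat().st_size,
            })
    return sorted(findings, key=lambda f: f["relative"])

def build_demo_tree(base):
    """Create a constructed sample layout (not real system data) under base."""
    drive, vs = Path(base) / "drive", Path(base) / "VirtualStore"
    samples = {
        drive / "Windows" / "system32" / "legit.dll": b"original",
        vs / "Windows" / "system32" / "legit.dll": b"per-user copy",
        vs / "Program Files" / "OldGame" / "save1.dat": b"save data",
        vs / "Program Files" / "OldGame" / "helper.exe": b"MZ",
    }
    for path, data in samples.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return vs, drive

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        vs, drive = build_demo_tree(tmp)
        for finding in audit_virtualstore(vs, drive):
            print(finding)
```

On a real machine, pass `%LOCALAPPDATA%\VirtualStore` and the system drive root (for example `C:\`) instead of the demo tree.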
#57 Worknofun370 Posted 12/4/2013 7:23:06 AM
SinisterSlay posted...

You have no proof either, you have security reports on vulnerabilities patched and MS's word they are patched. MS also gave their word they don't give data to the NSA. Show me patched source code and I'll believe you.


I'm assuming you've never taken a debate class in your life? I don't need to prove a single thing... The burden of proof is on the person making the claim, not the dissenter.

That being said. The fact that the vulnerability isn't exploitable anymore is more than enough proof they're patching things and I/Secunia aren't just "going off their word."

I gave proof later in my post.


Uhh... no no you didn't. You talked about .net Which... cool story bro? That's not proof that vulnerabilities are nearly all related to legacy code, that's just the basis for your assumption.


Hard to find a nice google link because it's mostly people asking how it works and how to disable it. But it's basically fancy operating system linking for legacy programs.



Well, what you just explained is pretty different than what you claimed: "Windows now has code so that applications can write to their own folder without permission to do so"

That being said, I can't really find anything that confirms that claim. While we already aren't writing to their own folder (That's really not important at all though) I don't see anything about it being allowed to write to that folder if you configure that folder so they don't have permissions to do so.

This is clearly to support crappily coded programs/legacy code though, and it's directly related to UAC so it also supports your point of UAC simply being tacked onto the OS - which I do agree that UAC is very lacking when compared to sudo. It's not even in the same league but is just attempting to provide the same type of functionality - but I just can't find anything that says it's doing what you initially claimed. Can you provide a link?