One for Robert

hyperpape
Tengen
Posts: 4382
Joined: Thu May 06, 2010 3:24 pm
Rank: AGA 3k
GD Posts: 65
OGS: Hyperpape 4k
Location: Caldas da Rainha, Portugal
Has thanked: 499 times
Been thanked: 727 times

One for Robert

Post by hyperpape »

"Windows is currently the most secure mainstream OS. I mean, we can’t stand _using_ it, but that doesn’t change the facts." --the grugq (exploits merchant, opsec expert).
DrStraw
Oza
Posts: 2180
Joined: Tue Apr 27, 2010 4:09 am
Rank: AGA 5d
GD Posts: 4312
Online playing schedule: Every tenth February 29th from 20:00-20:01 (if time permits)
Location: ʍoquıɐɹ ǝɥʇ ɹǝʌo 'ǝɹǝɥʍǝɯos
Has thanked: 237 times
Been thanked: 662 times

Re: One for Robert

Post by DrStraw »

hyperpape wrote:"Windows is currently the most secure mainstream OS. I mean, we can’t stand _using_ it, but that doesn’t change the facts." --the grugq (exploits merchant, opsec expert).
Secure as in you cannot escape from it once it has you in its clutches.
Still officially AGA 5d but I play so irregularly these days that I am probably only 3d or 4d over the board (but hopefully still 5d in terms of knowledge, theory and the ability to contribute).
RobertJasiek
Judan
Posts: 6273
Joined: Tue Apr 27, 2010 8:54 pm
GD Posts: 0
Been thanked: 797 times

Re: One for Robert

Post by RobertJasiek »

Windows and Linux can be configured the most securely. The degree of security depends on the Windows version. Windows 10 creates the subproblem of considering privacy violations by Windows itself. For out-of-the-box use, iOS might be the most secure in practice for careless users; however, other attack vectors, such as social engineering or state hackers breaking encryption thanks to too short passcodes, remain. The best security combines remote backups with separation from the internet.
longshanks
Dies with sente
Posts: 97
Joined: Sat Nov 22, 2014 1:51 am
GD Posts: 0
Been thanked: 14 times

Re: One for Robert

Post by longshanks »

hyperpape wrote:"Windows is currently the most secure mainstream OS. I mean, we can’t stand _using_ it, but that doesn’t change the facts." --the grugq (exploits merchant, opsec expert).
Most secure mainstream OS? This could be argued (Windows 10 is certainly the most secure *Windows* OS) though I'd like to see the rationale for it being strongest overall as it's weaker in many aspects such as privacy (thanks Cortana!).

Most secure non-mainstream OS? Nope. Not by a long way.
Bill Spight
Honinbo
Posts: 10905
Joined: Wed Apr 21, 2010 1:24 pm
Has thanked: 3651 times
Been thanked: 3373 times

Re: One for Robert

Post by Bill Spight »

RobertJasiek wrote:Windows 10 creates the subproblem of considering privacy violations by Windows itself.
I love Big Brother.
The Adkins Principle:
At some point, doesn't thinking have to go on?
— Winona Adkins

Visualize whirled peas.

Everything with love. Stay safe.

Re: One for Robert

Post by RobertJasiek »

longshanks wrote:being strongest
There is no such thing as an OS always having the same security. It always depends on how it is configured and used.

Re: One for Robert

Post by longshanks »

Bill Spight wrote:
RobertJasiek wrote:Windows 10 creates the subproblem of considering privacy violations by Windows itself.
I love Big Brother.
Get yourself a Smartphone or just move to the UK then ;-)

Re: One for Robert

Post by longshanks »

RobertJasiek wrote:
longshanks wrote:being strongest
There is no such thing as an OS always having the same security. It always depends on how it is configured and used.
Some OSes come in different flavours. For example, Debian doesn't come very secure out of the box as it's general purpose (and some of its defaults are odd -- no firewall rules, all home directories readable by every user, sub-optimal config for things like ssh etc.). Tails, however, is a security-focused version of Debian. All of this is agreeing with what you wrote above. It's just the distro maintainer is doing the configuring for you. You can still come along and wreck it (install Flash, Java, change good defaults to bad ones..) but you have to be determined. Whereas with non-secure defaults you have to harden -- which people generally don't know how to do or know that they even need to do.

OpenBSD is an OS that is designed from the ground up with security in mind first. One remote exploit in ten years? Windows 10 might well be the most secure mainstream OS, but let's see how the CVEs tally at the end of 2016.. I know which one I want controlling my lift :)

Re: One for Robert

Post by hyperpape »

As I get older, my sense of what's "now" spreads out. This talk was from 2012, so it's Windows 7, maybe 8 days. Pre-Cortana and all that. And he mentions Linux critically before mentioning Windows but never mentions any of the BSD families.

Anyway, here's the presentation (http://www.slideshare.net/grugq/opsec-for-hackers). It just jumped out at me because I remember people being incredulous that Robert is very concerned about security, but used Windows.
Bantari
Gosei
Posts: 1639
Joined: Sun Dec 06, 2009 6:34 pm
GD Posts: 0
Universal go server handle: Bantari
Location: Ponte Vedra
Has thanked: 642 times
Been thanked: 490 times

Re: One for Robert

Post by Bantari »

I think that "security" is a very wide subject, and we need to specify what exactly it means in this context. Below are a few examples of what I am talking about:

- prevention of targeted hacking
- prevention of adware, malware, and viruses
- data safety and persistence
- overall system stability
- etc.

In each of the cases "security" means something slightly different, and the system might have to be configured differently depending on what we mean. Some configurations which might help one issue might damage another one, so it is important we know what we want. For example, data persistence can be helped by off-site storage (cloud?) but this might lower the hacking resilience.

Generally, I would not trust Windows very much, Win10 or any other flavor. Not because it is so bad necessarily (I think Win10 is OK for a Win OS) - but because it is by far the most popular platform, and so most hacking, adware, malware, and viruses will be targeted at it, and the most effort will be done to circumvent any security on it. It's just common sense - the most bang for the buck! Why target a 2% system if you can target a 90% system? Win10 is still relatively new, so it might be secure now, but just give it some time...

So, which kind of security do we mean? Or all of it?
- Bantari
______________________________________________
WARNING: This post might contain Opinions!!

Re: One for Robert

Post by Bantari »

DrStraw wrote:Secure as in you cannot escape from it once it has you in its clutches.
Heh... There is more truth to that than most people think.

As a gamer, I desperately tried to avoid Windows for years.
But finally, I had to give in and buy me a Win laptop. <head hanging in shame>
- Bantari
______________________________________________
WARNING: This post might contain Opinions!!

Re: One for Robert

Post by RobertJasiek »

Bantari, percentage of tried attacks means very little. What matters is frequency of successful attacks for a given OS, configuration and use. E.g., a very frequent kind of attack is email attachments. By, e.g., never automatically or manually opening any attachment, zero such attacks are successful.
sybob
Lives in gote
Posts: 422
Joined: Thu Oct 02, 2014 1:56 pm
GD Posts: 0
KGS: captslow
Online playing schedule: irregular and by appointment
Has thanked: 269 times
Been thanked: 129 times

Re: One for Robert

Post by sybob »

RobertJasiek wrote:Bantari, percentage of tried attacks means very little. What matters is frequency of successful attacks for a given OS, configuration and use. E.g., a very frequent kind of attack is email attachments. By, e.g., never automatically or manually opening any attachment, zero such attacks are successful.
Humans are still the biggest risk factor.

Re: One for Robert

Post by Bantari »

RobertJasiek wrote:Bantari, percentage of tried attacks means very little. What matters is frequency of successful attacks for a given OS, configuration and use.
You misunderstood. I was not talking about percentages of attack, although this is certainly part of it as a logical consequence.

My point was this:
Windows users are the biggest target. Therefore, the most time and the most resources are invested in breaching Windows security. Therefore, its security is breached the most. Therefore, it is by definition a less secure system - even if in feature-by-feature comparison it might hold its own. This is all I am saying.

Or, in other words, there are not as many viruses written for Ubuntu as there are for Windows. And this will hold in the future indefinitely, I think.
E.g., a very frequent kind of attack is email attachments. By, e.g., never automatically or manually opening any attachment, zero such attacks are successful.
This is a trivial example, not sure what you wish to illustrate.
By the same token you can say that you can avoid absolutely all attacks if you never turn your computer on.
- Bantari
______________________________________________
WARNING: This post might contain Opinions!!
Fedya
Lives in gote
Posts: 603
Joined: Tue Apr 20, 2010 8:21 pm
Rank: 6-7k KGS
GD Posts: 0
Has thanked: 43 times
Been thanked: 139 times

Re: One for Robert

Post by Fedya »

Image

(They should, of course, just guess "correcthorsebatterystaple" for his password.)