Author Topic: Computer security bullshit  (Read 22217 times)


IanMac (topic starter)
Computer security bullshit
« on: January 05, 2017, 02:55:28 pm »
Seems to me that computer security is another area with plenty of BS.

'Internet security suite' packages which provide no more protection than standard AV software but cost three times as much and cause all kinds of trouble.

Claims that upgrading to Windows 10 will make your computer more secure, when the stats show that Windows 10 has had MORE security issues than Windows 7.

The notion that putting punctuation in passwords and changing passwords frequently would make things secure has persisted for many years. It has finally been busted with a mathematical proof that making the password even slightly longer makes more difference than punctuation. Yet, there are still loads of systems that enforce this. Once the BS has become folklore it's very hard to make it go away.

The current drive to make all websites use HTTPS smells suspiciously like BS too. The only thing that HTTPS protects against is man-in-the-middle attacks, yet that class of exploit hardly seems to figure at all in security stats. The vulns behind the really major hackings are all on the server or the client computer, where HTTPS offers NO protection at all. Fixing these real vulns is hard work for the programmers, which is why a BS solution is put forward instead.

Granted that HTTPS has a valid purpose in ensuring that sensitive data can't be viewed by data carriers. Applying it to all websites is ridiculous though, and will do nothing at all to mitigate the common security problems. It could be said that most BS operates on this principle of taking an item that has a valid use in some circumstances, and applying it in situations where it does not. Solar roadways are a case in point. The Batteriser is another, since switchmode step-up converters are a useful device in the right place. But, not here.
 

f4eru
Re: Computer security bullshit
« Reply #1 on: January 05, 2017, 03:18:21 pm »
Hello,

Some valid concerns!
The "antivirus" products are mainly snake oil, and bad snake oil!

Quote
The current drive to make all websites use HTTPS smells suspiciously like BS too. The only thing that HTTPS protects against is man-in-the-middle attacks, yet that class of exploit hardly seems to figure at all in security stats
Nope. HTTPS also protects against eavesdropping in its many, many forms.
For example, if you ever use wifi, everybody nearby can receive your data, and the encryption and/or the passwords seem to be quite weak.
Also, a lot of state actors record absolutely every possible traffic, even for later decryption, so very strong transport encryption is necessary.

I recommend some 33c3 videos:
https://media.ccc.de/c/33c3

Look at "Security nightmares" (available in English translation).

Fungus
Re: Computer security bullshit
« Reply #2 on: January 05, 2017, 03:26:59 pm »
Also, a lot of state actors record absolutely every possible traffic, even for later decryption, so very strong transport encryption is necessary.

How do you know the "state actors" aren't running the certificate authorities and passing out false certificates? Have you even checked the source code of your web browsers?

Back on topic: There's no way to debunk all that stuff because a large part of the problem is the users. It's not in Dave's field of expertise anyway, so.  :-// Find a different blogger.

« Last Edit: January 05, 2017, 03:42:18 pm by Fungus »
 

wraper
Re: Computer security bullshit
« Reply #3 on: January 05, 2017, 03:35:02 pm »
Only man in the middle, you say? Even if your PC is not infected, your router quite likely is and could capture all of your passwords, for example. Not to say don't even dare using public wifi; your home wifi does not have much protection either. Also, an infected router could redirect you to a malicious website; without HTTPS you would not even have an idea about it.
« Last Edit: January 05, 2017, 03:41:35 pm by wraper »
 

wraper
Re: Computer security bullshit
« Reply #4 on: January 05, 2017, 03:46:16 pm »
For example youtube (if it was not encrypted): someone steals your password, which is the same as your gmail. Then steals all of your money from your paypal account, even if it had a different password, by resetting the password using your email. Or steals, say, your eevblog password, which was the same as on some other more important website. Most of the users are pretty clueless anyway. Also some governments are really interested in what you watch, and you may be prosecuted.
« Last Edit: January 05, 2017, 03:47:50 pm by wraper »
 

slicendice
Re: Computer security bullshit
« Reply #5 on: January 05, 2017, 03:47:43 pm »
HTTPS is very important, for the reasons already stated here.

About the Security suites...you need:

1. A good firewall that is configured properly
2. A good antivirus software that detects as much as possible with as few false positives as possible.

3. For really dumb web surfers, a lot of protection from malicious sites etc.

I find security suites very useful, because they have all security features in one product. But of course all this means the suite has to work properly on the OS you are using it on. On Windows 10 they don't work reliably.

On Windows 10 I only use Windows firewall and Windows Defender. No problems so far. I even use a third party (paid) virus scanner to offline deep scan my whole system periodically; no threats found so far.

About passwords: For each added char in total available chars you increase the security a bit, but not much. But as stated before, adding one more character to the password length increases the security a lot.

And yes changing the password every now and then increases overall security in the long run, you never know when your password has been compromised/bruteforced. It is however more important to have different password for every site than changing the password all the time.

If one login gets compromised the rest will stay intact.
 

madires
Re: Computer security bullshit
« Reply #6 on: January 05, 2017, 04:45:06 pm »
Although those internet security suites are meant to secure your PC, they also cause security problems. The latest one is Kaspersky screwing up checking SSL certs ( https://bugs.chromium.org/p/project-zero/issues/detail?id=978 ). And it should be clear that AV only protects you from known malware. You can do a lot without spending money when you know how malware commonly tries to enter your network or PC. For web browsers, remove Flash and Java plugins, and use a no-script plugin to block JavaScript (whitelist sites you need). And use a limited user account for web browsing, never an admin one.
 

IanMac (topic starter)
Re: Computer security bullshit
« Reply #7 on: January 05, 2017, 04:47:08 pm »
For example youtube (if it was not encrypted): someone steals your password, which is the same as your gmail. Then steals all of your money from your paypal account, even if it had a different password, by resetting the password using your email.

No offence intended, but your reply underlines the very problem Dave talks of, that BS becomes so embedded in the public consciousness that it becomes hard to convince people of its incorrectness.

HTTPS encrypts the password at the browser, only for it to be automatically decrypted back to plaintext at the webserver.  The vast majority of password thefts occur when a server is compromised. The remainder happen when the user's computer acquires malware. You don't need to take my word on that, just check any site that collects intrusion stats.

Passwords should be hashed with a site-specific salt, which prevents them from being used on other sites even if they are stolen. Although, any kind of hash would be better than encryption. The hashed password is only vulnerable to malware in the browser. At all other times it is secure.  :-+

By contrast, the HTTPS-encrypted (but unhashed) password is vulnerable at all of the places where theft most frequently occurs. That, and the stolen password will work on other sites where the same user/password combo have been used.  :--

Telling webmasters to use HTTPS to protect passwords is wrong advice. Like telling your GF she can't get pregnant if she takes a cold shower, wrong advice is dangerous because it leads to proper precautions being omitted.

Although those internet security suites are meant to secure your PC, they also cause security problems. The latest one is Kaspersky screwing up checking SSL certs ( https://bugs.chromium.org/p/project-zero/issues/detail?id=978 ). And it should be clear that AV only protects you from known malware. You can do a lot without spending money when you know how malware commonly tries to enter your network or PC. For web browsers, remove Flash and Java plugins, and use a no-script plugin to block JavaScript (whitelist sites you need). And use a limited user account for web browsing, never an admin one.

+1 for that.  :-+
« Last Edit: January 05, 2017, 04:57:34 pm by IanMac »
 

wraper
Re: Computer security bullshit
« Reply #8 on: January 05, 2017, 04:55:49 pm »
LOL, so you are saying that HTTPS is unprotecting the password? Do you understand that encryption in the middle and how passwords are stored on the server are 2 separate things?
 

IanMac (topic starter)
Re: Computer security bullshit
« Reply #9 on: January 05, 2017, 05:05:56 pm »
LOL, so you are saying that HTTPS is unprotecting the password? Do you understand that encryption in the middle and how passwords are stored on the server are 2 separate things?

No, I said that HTTPS does not protect the password. Just as taking a cold shower does not prevent pregnancy. The problem lies in believing that it will.

They are not two separate things. The error is made at the client end, when the password is sent unhashed.
« Last Edit: January 05, 2017, 05:09:23 pm by IanMac »
 

slicendice
Re: Computer security bullshit
« Reply #10 on: January 05, 2017, 05:08:42 pm »
And use a limited user account for web browsing, never an admin one.

I would like to add to that: NEVER use an Admin account for anything other than administration. For this very reason there was a myth saying that Linux is more secure than Windows, when the real reason for Linux being more secure has only to do with how you are logged in while doing common stuff like browsing the web or running applications.

In Linux we never run as ROOT unless we absolutely must. In Windows on the other hand every default user added is an Admin, unless specifically changed in settings. This is a security problem, common for home users, while for companies with AD and proper security policies configured, this is no issue.

In administrated networks, there is only ONE master Admin with an insanely long and complex password which should be stored in a safe; the rest of the Admins are actually power users with higher privilege for specific tasks, and everything else has only access to specific apps, folders and tasks that have nothing to do with administration.

In these networks the master password is only retrieved from the safe when absolutely needed and it is changed after use and the new password is put back in the safe.
 

wraper
Re: Computer security bullshit
« Reply #11 on: January 05, 2017, 05:08:47 pm »
LOL, so you are saying that HTTPS is unprotecting the password? Do you understand that encryption in the middle and how passwords are stored on the server are 2 separate things?

No, I said that HTTPS does not protect the password. Just as taking a cold shower does not prevent pregnancy. The problem lies in believing that it will.
:palm:
 

slicendice
Re: Computer security bullshit
« Reply #12 on: January 05, 2017, 05:10:43 pm »
LOL, so you are saying that HTTPS is unprotecting the password? Do you understand that encryption in the middle and how passwords are stored on the server are 2 separate things?

No, I said that HTTPS does not protect the password. Just as taking a cold shower does not prevent pregnancy. The problem lies in believing that it will.
:palm:

 :-DD
 

IanMac (topic starter)
Re: Computer security bullshit
« Reply #13 on: January 05, 2017, 05:21:30 pm »
:palm:

Seems like I need to spell this out... The issue is that if a password is sent unhashed with HTTPS, then as soon as it arrives on the server it is automatically converted back to plaintext. If malware is resident on the server, say a CMS vuln having been exploited to inject a Trojan, then it is too late to apply protection because... GOTCHA! The malware has the password.  >:D

If the password has been properly hashed before sending, that would not arise.
 

iaeen
Re: Computer security bullshit
« Reply #14 on: January 05, 2017, 05:35:01 pm »
The notion that putting punctuation in passwords and changing passwords frequently would make things secure has persisted for many years. It has finally been busted with a mathematical proof that making the password even slightly longer makes more difference than punctuation. Yet, there are still loads of systems that enforce this. Once the BS has become folklore it's very hard to make it go away.

Basic probability: for any given password length, you are less likely to guess the password if the character set is larger.

Sure, given an already reasonably large character set, adding an extra character to the set will probably do less than adding a character to the length of the password, but that does NOT prove that adding characters to the set is useless.
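The probability argument in the reply above, worked through as an added note (mine, not part of the thread), under the assumption that the password is drawn uniformly at random from an alphabet of $N$ symbols at length $L$:

$$
S = N^{L}, \qquad H = \log_2 S = L \log_2 N \ \text{bits}
$$

Adding one character of length multiplies the search space by $N$; widening the alphabet from $N$ to $N'$ at fixed length multiplies it by $(N'/N)^{L}$:

$$
\frac{N^{L+1}}{N^{L}} = N, \qquad \frac{N'^{\,L}}{N^{L}} = \left(\frac{N'}{N}\right)^{L}
$$

Worked for $N = 62$ (letters and digits), $L = 8$, and $N' = 94$ (the same set plus 32 punctuation characters):

$$
\text{one more character: } \times 62 \approx +5.95\ \text{bits}, \qquad
\text{punctuation: } \left(\tfrac{94}{62}\right)^{8} \approx 27.9 \approx +4.8\ \text{bits}
$$

So at length 8 the extra character wins, but not by much, and the crossover is

$$
\left(\frac{N'}{N}\right)^{L} > N \iff L > \frac{\ln N}{\ln (N'/N)} \approx \frac{4.13}{0.416} \approx 9.9,
$$

i.e. from length 10 upward the wider alphabet adds more than a single extra alphanumeric character does. Either way the larger set is not useless; both moves add bits, and a human-chosen (non-uniform) password gets less than this bound from both.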
 

wraper
Re: Computer security bullshit
« Reply #15 on: January 05, 2017, 05:36:24 pm »
For example youtube (if it was not encripted), someone steals your password which is the same as your gmail. Then steals all of your money from paypal account, even if it had a different password by restoring the password by using your email.

No offence intended, but your reply underlines the very problem Dave talks of, that BS becomes so embedded in the public consciousness that it becomes hard to convince people of its incorrectness.
Just so you understand: the YouTube password really is the same as the Gmail one, same account. And usually all it takes for the hacker to hack all of your stuff is getting into your email and then resetting the password on everything else. I always feel uneasy if I need to log in via a non-encrypted connection while using wifi in the airport. Your hashing on the client side won't protect you a tiny bit in this case.
EDIT: The attacker doesn't even need to steal your password. Session hijacking is enough.
« Last Edit: January 05, 2017, 05:42:58 pm by wraper »
 

slicendice
Re: Computer security bullshit
« Reply #16 on: January 05, 2017, 05:38:32 pm »
If the password has been properly hashed before sending, that would not arise.

So where do you think the hash and salt are located?
 

iaeen
Re: Computer security bullshit
« Reply #17 on: January 05, 2017, 05:39:36 pm »
:palm:

Seems like I need to spell this out.. The issue is that if a password is sent unhashed with HTTPS, then as soon as it arrives on the server it is automatically converted back to plaintext. If malware is resident on the server, say a CMS vuln having been exploited to inject a Trojan, then it is too late to apply protection because... GOTCHA! the malware has the password.  >:D

If the password has been properly hashed before sending, that would not arise.

The final hashing has to happen on the server, otherwise the hashed version is just your password.

To put it another way, under your security scheme, what is to stop the attacker from simply using the hashed password they captured to access the server?
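The point made in the reply above, shown as an added example (mine, not code from anyone in this thread): under a "hash before sending" scheme the digest the server stores is accepted as-is at login, so a copy of it is a working credential; under server-side salted PBKDF2 the stored record is not. The user name, password, site name and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample credential and site name (not from the thread).
USER = "ianmac"
PASSWORD = "correct horse battery"
SITE = "example.test"
PBKDF2_ROUNDS = 100_000


def client_side_hash(password: str, site: str) -> str:
    """The 'hash before sending' scheme: the browser derives a site-specific
    digest and sends that instead of the password."""
    return hashlib.sha256(f"{site}:{password}".encode()).hexdigest()


class ClientHashServer:
    """Server that stores the client digest and compares it on login.
    Whatever string the client sends *is* the credential."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}

    def register(self, user: str, client_digest: str) -> None:
        self.users[user] = client_digest

    def login(self, user: str, client_digest: str) -> bool:
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(stored, client_digest)


class SaltedServer:
    """Server that receives the password (over TLS) and hashes it itself with
    a per-user random salt and an iterated KDF. The stored record cannot be
    presented back to the server as a credential."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._derive(password, salt))

    def login(self, user: str, password: str) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(self._derive(password, salt), digest)


def replay_comparison() -> dict[str, bool]:
    """Register the same user under both schemes, then try to log in using
    only what a dump of the server's credential table would yield."""
    a = ClientHashServer()
    digest = client_side_hash(PASSWORD, SITE)
    a.register(USER, digest)
    # Scheme A: the stored (or sniffed) digest is accepted as-is.
    a_replay = a.login(USER, digest)

    b = SaltedServer()
    b.register(USER, PASSWORD)
    _salt, stored = b.users[USER]  # what a dumped credential table contains
    # Scheme B: presenting the stored hash as the password fails; only the
    # real password (which the server sees at login time) works.
    b_replay = b.login(USER, stored.hex())
    b_real = b.login(USER, PASSWORD)

    return {
        "client_hash_replay": a_replay,
        "salted_replay": b_replay,
        "salted_real": b_real,
    }


if __name__ == "__main__":
    for name, ok in replay_comparison().items():
        print(f"{name}: login {'succeeds' if ok else 'fails'}")
```

A compromised server under scheme B still sees the plaintext password as it arrives, so server-side hashing defends the stored table, not the login request itself; scheme A only moves the problem, since the digest it stores is replayable against that site.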
 

slicendice
Re: Computer security bullshit
« Reply #18 on: January 05, 2017, 05:41:26 pm »
The notion that putting punctuation in passwords and changing passwords frequently would make things secure has persisted for many years. It has finally been busted with a mathematical proof that making the password even slightly longer makes more difference than punctuation. Yet, there are still loads of systems that enforce this. Once the BS has become folklore it's very hard to make it go away.

Basic probability: for any given password length, you are less likely to guess the password if the character set is larger.

Sure, given an already reasonably large character set, adding an extra character to the set will probably do less than adding a character to the length of the password, but that does NOT prove that adding characters to the set is useless.

 :-+ :-+ :-+
 

radar_macgyver
Re: Computer security bullshit
« Reply #19 on: January 05, 2017, 08:09:27 pm »
Here's a quick primer: https://ssd.eff.org/en/module/what-encryption

Using https involves both encryption of in-flight data as well as validating the source using a certificate. Basic TCP/IP and http do not guarantee either. It's been recognized that the certificate infrastructure is, at best, a stop-gap solution that has numerous vulnerabilities, including interference from state actors. Also, it isn't too hard to become a root CA (look up WoSign for a good example of this going wrong), and the entire certificate signing infrastructure depends on trusting the root CAs. One proposed solution is DNSSEC, but there's a lot of change needed before it becomes widespread enough to make a difference.

One could argue that many 'calls for bullshit' are due to perceived financial gain on the part of the bullshitter (in this case, I assume that's the CAs). If that bothers you, use LetsEncrypt.

A benign example of how unsecured http can be used is injecting ads into http pages, as is commonly done at airport "free wifi" APs and shitty hotels. This is, at best, a nuisance, and at worst it can break websites. Far more sinister is being able to inject malicious javascript. While 'man-in-the-middle' sounds like something only a state actor or ISP can do, it's actually quite easy. DNS requests are handled over UDP, so whoever responds quickest to a DNS request 'wins'. I can camp out on your LAN (easy on public APs) and respond to DNS requests for, say, google.com by pointing to myself. I can then read your google cookie (and get the keys to that particular kingdom), inject javascript into the google.com page that I serve to you that can exploit flaws in your browser to grab passwords entered into fields, etc.  Also, note that I did not need your browser to send me a password (hashed, salted, spiced, whatever) to do any of this. None of this is possible after google switched to https.

Finally, without encryption, everything is up for grabs by law enforcement. You might say 'I did nothing wrong, I have nothing to worry about', while forgetting about false positives. Most of what law enforcement looks at is through pattern matching, which can get caught up so easily by the wrong keyword. EEVblog does not use https, so all it takes is for someone posting child porn (as happened recently) for everyone on the forum to come to the attention of law enforcement. I can be certain that some server at the NSA has now flagged me for posting this.
 

slicendice
Re: Computer security bullshit
« Reply #20 on: January 05, 2017, 08:22:31 pm »
Very good text there radar_macgyver!  :-+
 

IanMac (topic starter)
Re: Computer security bullshit
« Reply #21 on: January 05, 2017, 09:57:01 pm »
To those posting retorts like 'and where do you think the salt is generated' or 'the hash is just your password' I suggest you go study how password hashing is done and why it is done that way, as you clearly do not understand the process.

@radar_macgyver -Nobody is saying that HTTPS shouldn't be used for sensitive data. That is beside the point.

To conflate that with what I said, is like saying that because the Batterizer is junk you should never use any SMPS. Non sequitur.

Though, I fail to see how HTTPS would prevent law enforcement from spotting illegal material on this forum. All law enforcement needs to read the material is an HTTPS-capable browser. In fact, it is possible to robotically scrape HTTPS sites without even opening a browser. The standard PHP libs can do that for you.

In suggesting that HTTPS would prevent law enforcement from seeing the material, you have underlined the fundamental issue of BS.
A misapplication of (a perfectly valid) technology to a situation where it does nothing useful, but sounds like it ought to.  Until, that is, you think it through.
 

wraper
Re: Computer security bullshit
« Reply #22 on: January 05, 2017, 10:07:37 pm »
Non sequitur.
And I was wondering why this thread reminds me of this
 

wraper
Re: Computer security bullshit
« Reply #23 on: January 05, 2017, 10:13:06 pm »
Though, I fail to see how HTTPS would prevent law enforcement from spotting illegal material on this forum. All law enforcement needs to read the material is an HTTPS-capable browser.
It would prevent them seeing you are accessing that material, in the first place.
Quote
In fact, it is possible to robotically scrape HTTPS sites without even opening a browser. The standard PHP libs can do that for you.
BS. If that material is hidden from regular users or there is no open registration, there is no way to know that material is there. Unless they catch someone who tells them about that prohibited material. Or they find it on a confiscated computer.
Quote
To conflate that with what I said, is like saying that because the Batterizer is junk you should never use any SMPS. Non sequitur.
Indeed, you made a bold conclusion and then refuted it yourself  :-DD
« Last Edit: January 05, 2017, 10:18:07 pm by wraper »
 

rs20
Re: Computer security bullshit
« Reply #24 on: January 05, 2017, 10:41:34 pm »
Have you considered that the big, newsworthy hacks are all server/client based, but there's lots of undetected/unreported grassroots packet sniffing/MITMing going on on personal/university/company LANs? If there's some dodgy dude in the corner when I visit a LAN, isn't it quite reasonable for me to want all my web traffic to be over HTTPS, so that the precise content I'm receiving is private to me, and known to be exactly as the server sent (i.e. free of injected JS?). Sure, the actual host I'm talking to isn't private (DNS, and the resulting IP address of the host are a separate issue), but it's infinitely cheaper than operating a tunnel to a VPS somewhere.

Though, I fail to see how HTTPS would prevent law enforcement from spotting illegal material on this forum. All law enforcement needs to read the material is an HTTPS-capable browser.
It would prevent them seeing you are accessing that material, in the first place.

This. It also hides what your username is -- if I sniff your connection over HTTP, I can tell that you're IanMac and you posted this message. If I sniff your connection over HTTPS, I can tell that you're accessing the forum something at www.eevblog.com, and by looking at the site, I can tell that someone, somewhere called "IanMac" posted this message, but how would I tie those two facts together? Obviously timing attacks remain an interesting way to figure out what's going on ("this connection created some traffic at the exact instant IanMac's message was posted"), but there's no harm in making the task considerably more difficult for the attacker.
« Last Edit: January 05, 2017, 11:59:55 pm by rs20 »
 

jc101
Re: Computer security bullshit
« Reply #25 on: January 05, 2017, 10:46:58 pm »
Forced regular password changes are no longer deemed beneficial; the UK National Cyber Security Centre published advice to that effect a year ago.

https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

The use of https makes it harder for a third party to perform traffic analysis; without it all sorts of handy data is in plaintext, so it makes it easy to work out what is going on.  By effectively hiding that information it makes it much harder to work out what is going on.  It's more of a deterrent than anything else: if there are easier pickings around, then why expend the time and effort on the more complex ones, unless the end result justifies it.


For info, the UK NCSC is the merging of Communications-Electronics Security Group (CESG), Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK), and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI). 
 

newbrain
Re: Computer security bullshit
« Reply #26 on: January 05, 2017, 11:28:38 pm »
A couple of nitpicks :blah::

In Windows on the other hand every default user added is an Admin, unless specifically changed in settings.
Not true in Windows 10, and AFAICR since Windows 7. Only the first user added at installation is given administrative rights (you need one, after all...), the following ones will be standard users.

If I sniff your connection over HTTPS, I can tell that you're accessing the forum
In case of eevblog, not even that: only the FQDN is visible, the rest of the URL is encrypted...
Nandemo wa shiranai wa yo, shitteru koto dake.
 

slicendice
Re: Computer security bullshit
« Reply #27 on: January 06, 2017, 12:16:43 am »
In Windows on the other hand every default user added is an Admin, unless specifically changed in settings.
Not true in Windows 10, and AFAICR since Windows 7. Only the first user added at installation is given administrative rights (you need one, after all...), the following ones will be standard users.

Thanks for the correction, that didn't come out right.

My point is still valid though. I don't know a single Windows user who uses anything other than the Admin account at home, except for a few server admins who know what they're doing.
« Last Edit: January 06, 2017, 12:22:29 am by slicendice »
 

David Hess
Re: Computer security bullshit
« Reply #28 on: January 06, 2017, 06:11:22 am »
Also, a lot of state actors record absolutely every possible traffic, even for later decryption, so very strong transport encryption is necessary.

How do you know the "state actors" aren't running the certificate authorities and passing out false certificates? Have you even checked the source code of your web browsers?

If they did this, and it has occasionally happened, then the forged certificate provides undeniable proof that the certificate authority was compromised and it amounts to suicide for the certificate authority as some have found out.  There are applications which check for consistency of certificates and flag suspicious ones.

This is a threat only against individuals who are not sufficiency paranoid.  If it was used for dragnet surveillance, it would be widely known within hours.

A larger threat would be the state actor gaining the private key for the original certificate allowing them to impersonate the site completely but normally only the server has access to that and not the certificate authority.
« Last Edit: January 06, 2017, 02:40:47 pm by David Hess »
 

newbrain
Re: Computer security bullshit
« Reply #29 on: January 06, 2017, 08:13:53 am »
In Windows on the other hand every default user added is an Admin, unless specifically changed in settings.
Not true in Windows 10, and AFAICR since Windows 7. Only the first user added at installation is given administrative rights (you need one, after all...), the following ones will be standard users.

Thanks for the correction, that didn't come out right.

My point is still valid though. I don't know a single Windows user who uses anything other than the Admin account at home, except for a few server admins who know what they're doing.
Sad but true...
Even at work, a large multinational company, people in R&D are given local admin rights more or less by default.
When I asked to have a separate account for that (I actually need them), I was told it was too costly...after all even Linux users are sudoers by default!
Nandemo wa shiranai wa yo, shitteru koto dake.
 

Halcyon
Re: Computer security bullshit
« Reply #30 on: January 06, 2017, 11:17:35 am »
Most of what law enforcement looks at is through pattern matching, which can get caught up so easily by the wrong keyword. EEVblog does not use https, so all it takes is for someone posting child porn (as happened recently) for everyone on the forum to come to the attention of law enforcement. I can be certain that some server at the NSA has now flagged me for posting this.

Not at all. Without going into details that aren't publicly available, so-called "pattern matching" (and whatever else you read about on Wikipedia) is only a very low-level method. There is MUCH more at play, including legislation.

If you're being even somewhat targeted, be it this forum as a whole and its users or otherwise, an actual human is sitting there going through the material. Law enforcement isn't "guess work"; it's about providing evidence and proving things beyond a reasonable doubt. Agencies have far better things to use their resources on than going on a fishing expedition based on the crap that goes around the internet on a daily basis.

(Also no, the NSA probably doesn't give a crap about you.)
 

XynxNet
Re: Computer security bullshit
« Reply #31 on: January 06, 2017, 11:43:18 am »
Agencies have far better things to use their resources on than going on a fishing expedition based on the crap that goes around the internet on a daily basis.

(Also no, the NSA probably doesn't give a crap about you.)
Nevertheless they do the bulk fishing. Whether they will analyze all data (in the future) remains to be seen. Unfortunately, by then it's too late to do anything about it.
Our only defense is making this bulk data collection as expensive as possible by using (transport) encryption.
« Last Edit: January 06, 2017, 11:47:00 am by XynxNet »
 

eugenenine
Re: Computer security bullshit
« Reply #32 on: January 06, 2017, 12:46:22 pm »
A couple of nitpicks :blah::

In Windows on the other hand every default user added is an Admin, unless specifically changed in settings.
Not true in Windows 10, and AFAICR since Windows 7. Only the first user added at installation is given administrative rights (you need one, after all...), the following ones will be standard users.

It's a moot point anyway; I've taken the time to make people be non-admins and they just run IE so they still get malware. That was one of the reasons I quit running Windows myself. When IE got integrated, all hardening everywhere else became of less use because there was a big huge open back door through the web browser.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Computer security bullshit
« Reply #33 on: January 06, 2017, 12:55:32 pm »
This. It also hides what your username is -- if I sniff your connection over HTTP, I can tell that you're IanMac and you posted this message. If I sniff your connection over HTTPS, I can tell that you're accessing the forum something at www.eevblog.com, and by looking at the site, I can tell that someone, somewhere called "IanMac" posted this message, but how would I tie those two facts together? Obviously timing attacks remain an interesting way to figure out what's going on ("this connection created some traffic at the exact instant IanMac's message was posted"), but there's no harm in making the task considerably more difficult for the attacker.

Actually you won't see that the client is accessing http://www.eevblog.com since the complete HTTP traffic is encrypted, including the request for a URL. What you see is traffic to a specific IP address. If a server hosts several web sites the user could access any of them without revealing which one. Of course, for a server running just a single web site it's easy to guess the right one. But there is still a problem, and it's called DNS. DNS is cleartext. If the user types www.eevblog.com into his browser it resolves the server part of the URL to an IP address. If you sniff that too, you've got the web site.

And there are more problems. Several internet security suites and more professional products are running MITM attacks vs. HTTPS to check that traffic too, mostly for malware scanning. I bet a lot of users don't have any idea of this and will never detect it. Another big problem is CAs. Some are lazy or rogue, and law enforcement might have special rights to get valid certs for impersonating some website. CDNs are also a topic. On the other side there are things like DANE which could mitigate some issues.

SSL/TLS, the certs and the CAs are a mess. But this mess is better than no encryption at all, because that would make things much easier for attackers.
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16615
  • Country: us
  • DavidH
Re: Computer security bullshit
« Reply #34 on: January 06, 2017, 02:55:23 pm »
Several internet security suites and more professional products are running MITM attacks vs. HTTPS to check that traffic too, mostly for malware scanning. I bet a lot of users don't have any idea of this and will never detect it.

This is a special case where a custom root certificate is installed onto the user's computer, hopefully by the company the user works for, allowing the security proxy to create certificates as needed and impersonate HTTPS connections to other sites.  The same software which detects forged certificates would detect this.

Another big problem are CAs. Some are lazy or rogue, and law enforcement might have special rights to get valid certs for impersonating some websites.

If any agency did this on a large scale, then the forged certificates would be detected and provide undeniable proof that the certificate authority in question was compromised with dire results.  This could work against a specific target *if* the target did not monitor for forged certificates which is a trivial exercise.
 

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: Computer security bullshit
« Reply #35 on: January 06, 2017, 03:26:05 pm »

Sad but true...
Even at work, a large multinational company, people in R&D are given local admin rights more or less by default.
When I asked to have a separate account for that (I actually need them), I was told it was too costly...after all even Linux users are sudoers by default!

Where I work we have a number of R and D and testing computers that have full admin access. Unfortunately some of the software we use does not allow you to use it properly without admin access. Given the amount of trouble this has caused I had to insist on admin access as our IT department is the other side of the country and I have to keep ringing up to deal with computers that are often in containers without Internet access or otherwise need moving so I can get to the phone whilst using them. This is in fact very unwise as the very people using these computers are often our newest recruits and people with no idea really of what they are doing. They are given the machine and told to monitor the equipment and record results.

I think Microsoft try to prevent people from using admin accounts by preventing certain things from working as an administrator. For example the image viewer won't work if you're an administrator, and neither will the news viewer or the calculator. This is extremely annoying, but when I did try and work out how to create another account I didn't get very far. Windows 10 seemed to work great when it first came out but they have now rendered it completely bloody useless.

Regarding passwords and the use of punctuation characters et cetera: although in theory, mathematically, this adds no extra security, it actually does, not that I particularly use them. If you are a hacker trying to brute force somebody's password, how would you go about it? Presumably you generate every possible combination of characters in the hope of finding the correct one. Now, as a hacker, would you know that most people don't use punctuation characters in their passwords? Yes, of course. So if, as a hacker, you were writing a program to brute force a password, which characters would you go for first? Obviously you would run through all the number and letter combinations and then start adding punctuation marks. So if you don't want a longer password then yes, adding punctuation would give some benefit, but it's not mathematical. However, adding characters to passwords exponentially increases the number of combinations available, with or without punctuation marks, so it is ultimately safer. The need to continually change passwords is in fact pretty stupid. We have this at work and naturally our passwords are very predictable; everybody ends up using the same word with a number that just goes up by one every time. So if somebody knew your password at any point in time it would not take them long to brute force your new one. Again, we have a laptop that goes around the company with the password written on the bottom of it. Another laptop is taken out on committing trips with the username and password taped to it in case our technical director, who has never used a laptop before, doesn't know what it is or forgets. Usually the laptop and all related cables are collected up and given to him at the last minute.
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: 00
    • Chargehanger
Re: Computer security bullshit
« Reply #36 on: January 06, 2017, 03:33:27 pm »
If malware is resident on the server, say a CMS vuln having been exploited to inject a Trojan, then it is too late to apply protection because... GOTCHA! the malware has the password.  >:D

If the password has been properly hashed before sending, that would not arise.

The password hashing needs to be on the server side.
Client side hashing can be used additionally for more protection, but does not bring any big security advantage in a web application, because the server side sends the code for hashing, so a server resident malware can modify this code and access the raw password anyway.

Offline JiggyNinja

  • Regular Contributor
  • *
  • Posts: 52
  • Country: us
Re: Computer security bullshit
« Reply #37 on: January 06, 2017, 06:36:06 pm »
:palm:

Seems like I need to spell this out.. The issue is that if a password is sent unhashed with HTTPS, then as soon as it arrives on the server it is automatically converted back to plaintext. If malware is resident on the server, say a CMS vuln having been exploited to inject a Trojan, then it is too late to apply protection because... GOTCHA! the malware has the password.  >:D

If the password has been properly hashed before sending, that would not arise.
How often does that actually happen? Every time I've heard of account breaches it's been when the hackers have made off with a database of already hashed passwords to reverse offline. I understand that there is bias in what gets reported, but I would like to know what really is the dominant method of stealing passwords. The big breaches might get all the attention because they're big and infrequent ("man bites dog" and all that).
 

Offline RGB255_0_0

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: gb
Re: Computer security bullshit
« Reply #38 on: January 06, 2017, 07:48:44 pm »

Sad but true...
Even at work, a large multinational company, people in R&D are given local admin rights more or less by default.
When I asked to have a separate account for that (I actually need them), I was told it was too costly...after all even Linux users are sudoers by default!

Where I work we have a number of R and D and testing computers that have full admin access. Unfortunately some of the software we use does not allow you to use it properly without admin access. Given the amount of trouble this has caused I had to insist on admin access as our IT department is the other side of the country and I have to keep ringing up to deal with computers that are often in containers without Internet access or otherwise need moving so I can get to the phone whilst using them. This is in fact very unwise as the very people using these computers are often our newest recruits and people with no idea really of what they are doing. They are given the machine and told to monitor the equipment and record results.

I think Microsoft try to prevent people from using admin accounts by preventing certain things from working as an administrator. For example the image viewer won't work if you're an administrator, and neither will the news viewer or the calculator. This is extremely annoying, but when I did try and work out how to create another account I didn't get very far. Windows 10 seemed to work great when it first came out but they have now rendered it completely bloody useless.

Regarding passwords and the use of punctuation characters et cetera: although in theory, mathematically, this adds no extra security, it actually does, not that I particularly use them. If you are a hacker trying to brute force somebody's password, how would you go about it? Presumably you generate every possible combination of characters in the hope of finding the correct one. Now, as a hacker, would you know that most people don't use punctuation characters in their passwords? Yes, of course. So if, as a hacker, you were writing a program to brute force a password, which characters would you go for first? Obviously you would run through all the number and letter combinations and then start adding punctuation marks. So if you don't want a longer password then yes, adding punctuation would give some benefit, but it's not mathematical. However, adding characters to passwords exponentially increases the number of combinations available, with or without punctuation marks, so it is ultimately safer. The need to continually change passwords is in fact pretty stupid. We have this at work and naturally our passwords are very predictable; everybody ends up using the same word with a number that just goes up by one every time. So if somebody knew your password at any point in time it would not take them long to brute force your new one. Again, we have a laptop that goes around the company with the password written on the bottom of it. Another laptop is taken out on committing trips with the username and password taped to it in case our technical director, who has never used a laptop before, doesn't know what it is or forgets. Usually the laptop and all related cables are collected up and given to him at the last minute.
Modern apps won't work on the built-in admin account. That's a security feature as they are meant to be sandboxed. Likewise, it's the same if you force UAC off in the registry.

There are ways to install the old Windows 7 image viewer in Windows 10. Same for the calc and even Windows Media Center.

Instead of whinging though, the length of your post implies you spent more energy on that than using Google to learn how  |O
Your toaster just set fire to an African child over TCP.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #39 on: January 06, 2017, 08:08:08 pm »
I'd say the largest number of security breaches happen on the client side, not on the server side. The biggest issue is that many people have no clue what is safe surfing and what is not.

If you get attacked by a JS injection or whatever malware, you are most likely already surfing in dangerous waters. Stay on trusted domains, trusted sites, keep away from unknown hosts, don't click on web links that look suspicious and never ever click on any dodgy looking pop-ups or any pop-ups for that matter, unless you specifically requested the site to give you that window, and you should stay relatively safe.

Don't download illegal stuff, or stuff from a site that is not the owner of the content.

The probability of a user being hacked is millions of times greater than a quality server/service being hacked.

If you ever think there is a slight chance that HTTPS is not good enough, you can add a lot of additional security layers to your login procedure to ensure no one can impersonate you nor the server. One added layer as an example would be 2-stage (two-factor) verification.

It is easy to blame servers and security tech for being flawed and the root of the problem when the biggest issue actually is the behavior and under-education of the users.
 

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: Computer security bullshit
« Reply #40 on: January 06, 2017, 08:20:42 pm »

Sad but true...
Even at work, a large multinational company, people in R&D are given local admin rights more or less by default.
When I asked to have a separate account for that (I actually need them), I was told it was too costly...after all even Linux users are sudoers by default!

Where I work we have a number of R and D and testing computers that have full admin access. Unfortunately some of the software we use does not allow you to use it properly without admin access. Given the amount of trouble this has caused I had to insist on admin access as our IT department is the other side of the country and I have to keep ringing up to deal with computers that are often in containers without Internet access or otherwise need moving so I can get to the phone whilst using them. This is in fact very unwise as the very people using these computers are often our newest recruits and people with no idea really of what they are doing. They are given the machine and told to monitor the equipment and record results.

I think Microsoft try to prevent people from using admin accounts by preventing certain things from working as an administrator. For example the image viewer won't work if you're an administrator, and neither will the news viewer or the calculator. This is extremely annoying, but when I did try and work out how to create another account I didn't get very far. Windows 10 seemed to work great when it first came out but they have now rendered it completely bloody useless.

Regarding passwords and the use of punctuation characters et cetera: although in theory, mathematically, this adds no extra security, it actually does, not that I particularly use them. If you are a hacker trying to brute force somebody's password, how would you go about it? Presumably you generate every possible combination of characters in the hope of finding the correct one. Now, as a hacker, would you know that most people don't use punctuation characters in their passwords? Yes, of course. So if, as a hacker, you were writing a program to brute force a password, which characters would you go for first? Obviously you would run through all the number and letter combinations and then start adding punctuation marks. So if you don't want a longer password then yes, adding punctuation would give some benefit, but it's not mathematical. However, adding characters to passwords exponentially increases the number of combinations available, with or without punctuation marks, so it is ultimately safer. The need to continually change passwords is in fact pretty stupid. We have this at work and naturally our passwords are very predictable; everybody ends up using the same word with a number that just goes up by one every time. So if somebody knew your password at any point in time it would not take them long to brute force your new one. Again, we have a laptop that goes around the company with the password written on the bottom of it. Another laptop is taken out on committing trips with the username and password taped to it in case our technical director, who has never used a laptop before, doesn't know what it is or forgets. Usually the laptop and all related cables are collected up and given to him at the last minute.
Modern apps won't work on the built-in admin account. That's a security feature as they are meant to be sandboxed. Likewise, it's the same if you force UAC off in the registry.

There are ways to install the old Windows 7 image viewer in Windows 10. Same for the calc and even Windows Media Center.

Instead of whinging though, the length of your post implies you spent more energy on that than using Google to learn how  |O

All of two lines' worth, and the topic is security and the usefulness or not of measures taken.
 

Offline Lockon Stratos

  • Regular Contributor
  • *
  • Posts: 52
  • Country: hu
Re: Computer security bullshit
« Reply #41 on: January 06, 2017, 08:41:59 pm »
If you get attacked by a JS injection or whatever malware, you are most likely already surfing in dangerous waters. Stay on trusted domains, trusted sites, keep away from unknown hosts, don't click on web links that look suspicious and never ever click on any dodgy looking pop-ups or any pop-ups for that matter, unless you specifically requested the site to give you that window, and you should stay relatively safe.
Unfortunately no, the ads on the site could still infect your PC... And if someone runs Win10 it's even worse, the OS itself is spyware.
 

Offline RGB255_0_0

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: gb
Re: Computer security bullshit
« Reply #42 on: January 06, 2017, 08:45:06 pm »

Sad but true...
Even at work, a large multinational company, people in R&D are given local admin rights more or less by default.
When I asked to have a separate account for that (I actually need them), I was told it was too costly...after all even Linux users are sudoers by default!

Where I work we have a number of R and D and testing computers that have full admin access. Unfortunately some of the software we use does not allow you to use it properly without admin access. Given the amount of trouble this has caused I had to insist on admin access as our IT department is the other side of the country and I have to keep ringing up to deal with computers that are often in containers without Internet access or otherwise need moving so I can get to the phone whilst using them. This is in fact very unwise as the very people using these computers are often our newest recruits and people with no idea really of what they are doing. They are given the machine and told to monitor the equipment and record results.

I think Microsoft try to prevent people from using admin accounts by preventing certain things from working as an administrator. For example the image viewer won't work if you're an administrator, and neither will the news viewer or the calculator. This is extremely annoying, but when I did try and work out how to create another account I didn't get very far. Windows 10 seemed to work great when it first came out but they have now rendered it completely bloody useless.

Regarding passwords and the use of punctuation characters et cetera: although in theory, mathematically, this adds no extra security, it actually does, not that I particularly use them. If you are a hacker trying to brute force somebody's password, how would you go about it? Presumably you generate every possible combination of characters in the hope of finding the correct one. Now, as a hacker, would you know that most people don't use punctuation characters in their passwords? Yes, of course. So if, as a hacker, you were writing a program to brute force a password, which characters would you go for first? Obviously you would run through all the number and letter combinations and then start adding punctuation marks. So if you don't want a longer password then yes, adding punctuation would give some benefit, but it's not mathematical. However, adding characters to passwords exponentially increases the number of combinations available, with or without punctuation marks, so it is ultimately safer. The need to continually change passwords is in fact pretty stupid. We have this at work and naturally our passwords are very predictable; everybody ends up using the same word with a number that just goes up by one every time. So if somebody knew your password at any point in time it would not take them long to brute force your new one. Again, we have a laptop that goes around the company with the password written on the bottom of it. Another laptop is taken out on committing trips with the username and password taped to it in case our technical director, who has never used a laptop before, doesn't know what it is or forgets. Usually the laptop and all related cables are collected up and given to him at the last minute.
Modern apps won't work on the built-in admin account. That's a security feature as they are meant to be sandboxed. Likewise, it's the same if you force UAC off in the registry.

There are ways to install the old Windows 7 image viewer in Windows 10. Same for the calc and even Windows Media Center.

Instead of whinging though, the length of your post implies you spent more energy on that than using Google to learn how  |O

All of two lines' worth, and the topic is security and the usefulness or not of measures taken.
What you encountered (Universal Windows Platform apps) was a security issue. Most obvious one is rogue code being executed to get privileged access to the Windows kernel and memory - the Secure Boot exploit of Surface RT was down to rogue code IIRC and Microsoft went hard on securing it.
Your toaster just set fire to an African child over TCP.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #43 on: January 06, 2017, 10:17:03 pm »
If you get attacked by a JS injection or whatever malware, you are most likely already surfing in dangerous waters. Stay on trusted domains, trusted sites, keep away from unknown hosts, don't click on web links that look suspicious and never ever click on any dodgy looking pop-ups or any pop-ups for that matter, unless you specifically requested the site to give you that window, and you should stay relatively safe.
Unfortunately no, the ads on the site could still infect your PC... And if someone runs Win10 it's even worse, the OS itself is spyware.

Hahhah, Windows 10 is no spyware, what a load of BS. A bit unstable it is still, and yes MS collects some info from time to time to improve the overall experience, but you, the user must give it permission for it to do so.

How many HTTPS-secured and infectious ads have you experienced lately?

 

Offline Nerull

  • Frequent Contributor
  • **
  • Posts: 694
Re: Computer security bullshit
« Reply #44 on: January 06, 2017, 10:40:15 pm »
This thread is a great example of why a lot of people don't like engineers - the tendency to believe that being an expert in one field makes you an expert in every field, fit to make sweeping proclamations which are usually complete bullshit.

If you don't understand computer security, don't give advice on it.
 

Offline Nerull

  • Frequent Contributor
  • **
  • Posts: 694
Re: Computer security bullshit
« Reply #45 on: January 06, 2017, 10:42:58 pm »
:palm:

Seems like I need to spell this out.. The issue is that if a password is sent unhashed with HTTPS, then as soon as it arrives on the server it is automatically converted back to plaintext. If malware is resident on the server, say a CMS vuln having been exploited to inject a Trojan, then it is too late to apply protection because... GOTCHA! the malware has the password.  >:D

If the password has been properly hashed before sending, that would not arise.
How often does that actually happen? Every time I've heard of account breaches it's been when the hackers have made off with a database of already hashed passwords to reverse offline. I understand that there is bias in what gets reported, but I would like to know what really is the dominant method of stealing passwords. The big breaches might get all the attention because they're big and infrequent ("man bites dog" and all that).

There's a popular Firefox addon that lets you steal sessions and log into other people's accounts on public wifi, and an Android version of the same. Session hijacking does not require stealing passwords, so websites that show a login prompt over HTTPS and then drop to normal HTTP for browsing are still vulnerable.

Malicious routers can be an issue as well. Honeypot hotspots pose as public wifi, and many devices will autoconnect to a wifi network if it has the right name - 'attwifi' is common. Devices such as the wifi pineapple are purpose built for this.
« Last Edit: January 06, 2017, 10:51:20 pm by Nerull »
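The hijacking scenario in the post above (login over HTTPS, then browsing over plain HTTP) is what a session cookie without the Secure attribute makes possible, since the browser then attaches it to http:// requests where anyone on the same network can read it. As an added example, not code from the thread, this audits the Set-Cookie headers of a constructed response and flags session cookies that would leak that way; the cookie names, values and the session-name hints are made up for the example.

```python
"""Added example (not from the thread): audit Set-Cookie headers for session
cookies that a browser would also send over plain HTTP, which is what makes a
site that logs in over HTTPS and then drops to HTTP hijackable on shared Wi-Fi."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Substrings that usually mark a session identifier (constructed list for this example).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool
    http_only: bool
    same_site: str          # "" when the attribute is absent
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, dict]:
    """Split one Set-Cookie value into its cookie name and a dict of lowercase attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header_value: str, served_over_https: bool = True) -> CookieReport:
    """Report the attributes of one cookie and the hijacking-relevant problems with it."""
    name, attrs = parse_set_cookie(header_value)
    report = CookieReport(
        name=name,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", ""),
    )
    looks_like_session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
    if looks_like_session and not report.secure:
        # Without Secure the browser attaches the cookie to http:// requests as well,
        # so a single plain-HTTP page load exposes the session to a network sniffer.
        report.issues.append("session cookie lacks Secure: also sent on plain-HTTP requests")
    if looks_like_session and not report.http_only:
        report.issues.append("session cookie lacks HttpOnly: readable by page scripts")
    if report.secure and not served_over_https:
        # Modern browsers refuse a Secure cookie that a plain-HTTP response tries to set,
        # so the login silently stops working instead of leaking.
        report.issues.append("Secure cookie set by a plain-HTTP response: browsers reject it")
    return report


def audit_response_headers(headers, served_over_https: bool = True) -> List[CookieReport]:
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    return [audit_cookie(value, served_over_https)
            for hname, value in headers if hname.lower() == "set-cookie"]


# Constructed response headers for the example; the values are placeholders.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=constructed-session-id; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
    ("Set-Cookie", "auth_token=constructed-token; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for rep in audit_response_headers(SAMPLE_HEADERS):
        print(f"{rep.name}: {'; '.join(rep.issues) or 'OK'}")
```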
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #46 on: January 06, 2017, 11:01:14 pm »
I don't even remember when was the last time my computer got compromised even a bit. It's many years ago.

What I do remember is that I got an infection that came from a dodgy site I visited on purpose. Sometimes I like to play with those nasty infections in a sandbox environment and show who's the boss  ;). The malware did not get that far and after around 30 minutes of manual cleaning everything was returned to normal again.

On my main PC with all my important stuff I would not experiment with malware. But as I said this was a sandbox (completely isolated).


 

Offline Gary350z

  • Regular Contributor
  • *
  • Posts: 240
  • Country: us
Re: Computer security bullshit
« Reply #47 on: January 07, 2017, 02:37:15 am »
I would like to add to that, NEVER use an Admin account for anything else than Administration.

Absolutely true, but most people don't know this.

For every computer I ever bought, the instructions did not tell you this. You follow the instructions and it sets you up as the admin. The computer manufacturers (or whoever writes the instructions) are idiots. I've been using home computers for 38 years, and only 4 years ago found out not to use the admin account for everything.

As a side note, I set a friend's computer up to use it as a "user account", but he did not like that and switched it back to an admin account. ::)
 

Offline Lockon Stratos

  • Regular Contributor
  • *
  • Posts: 52
  • Country: hu
Re: Computer security bullshit
« Reply #48 on: January 07, 2017, 06:43:29 am »
If you get attacked by a JS injection or whatever malware, you are most likely already surfing in dangerous waters. Stay on trusted domains, trusted sites, keep away from unknown hosts, don't click on web links that look suspicious and never ever click on any dodgy looking pop-ups or any pop-ups for that matter, unless you specifically requested the site to give you that window, and you should stay relatively safe.
Unfortunately no, the ads on the site could still infect your PC... And if someone runs Win10 it's even worse, the OS itself is spyware.

Hahhah, Windows 10 is no spyware, what a load of BS. A bit unstable it is still, and yes MS collects some info from time to time to improve the overall experience, but you, the user must give it permission for it to do so.

How many HTTPS-secured and infectious ads have you experienced lately?
I disabled all telemetry with several tools, then I ran Wireshark. Guess what I discovered:
https://dl.dropboxusercontent.com/u/1201829/OCN/wireshark_win10/K%C3%A9pkiv%C3%A1g%C3%A1s2.PNG
Sending data behind my back and resetting some settings quietly to default (on, of course) pretty much justifies the spyware classification...
(Before someone jumps on it, I didn't install any of the crappy updates since the fiasco with a certain IE update...)

Regarding ads, I don't know since I'm running Adblock and NoScript, but the threat is real:
http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
« Last Edit: January 07, 2017, 06:48:26 am by Lockon Stratos »
 

Offline kalleboo

  • Regular Contributor
  • *
  • Posts: 99
  • Country: jp
Re: Computer security bullshit
« Reply #49 on: January 07, 2017, 07:32:20 am »
Actually you won't see that the client is accessing http://www.eevblog.com since the complete http traffic is encrypted, including the request for an URL. What you see is traffic to a specific IP address. If a server hosts several web sites the user could access any of them without revealing which one.
With SNI (which is pretty much required in these days of IPv4 crunch and CDNs, if you don't want to pay thousands of dollars), this is no longer true, and the host name is sent in plaintext (the specific file URL is still encrypted).
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Computer security bullshit
« Reply #50 on: January 07, 2017, 09:05:51 am »
With SNI (which is pretty much required in these days of IPv4 crunch and CDNs, if you don't want to pay thousands of dollars), this is no longer true, and the host name is sent in plaintext (the specific file URL is still encrypted).

I stand corrected. You're right. The TLS setup is in cleartext and the SNI reveals the hostname.
 

Offline arekm

  • Supporter
  • ****
  • Posts: 165
  • Country: pl
Re: Computer security bullshit
« Reply #51 on: January 07, 2017, 09:30:44 am »
It doesn't always reveal the real hostname. There are corner cases that use SNI being cleartext for their benefit. It is sometimes used to circumvent blocking firewalls/censorship.

The Signal app (https://whispersystems.org/) uses that for communication. The SNI hostname is for example "google.com" but the "Host" in the HTTP header (that's "hidden under" SSL) is their real server like appserver.mydomain.com. The traffic is then handled by appserver.mydomain.com. It works with most CDNs. If someone wants to block that, they need to block all "google.com" traffic.

http://www.pcworld.com/article/3152769/security/encrypted-messaging-app-signal-uses-google-to-bypass-censorship.html
http://www.icir.org/vern/papers/meek-PETS-2015.pdf
« Last Edit: January 07, 2017, 09:32:34 am by arekm »
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6721
  • Country: nl
Re: Computer security bullshit
« Reply #52 on: January 07, 2017, 09:38:39 am »
IMO computer security is easy. Computers used to browse the web, read email any more complex than scrubbed plain text, with user accessible ports for external storage and web servers should be considered root kitted by default. Design around that and it's hard to go wrong without state agency level attacks.

Use minimum trust, because that is clearly still too much.
« Last Edit: January 07, 2017, 09:42:04 am by Marco »
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: 00
    • Chargehanger
Re: Computer security bullshit
« Reply #53 on: January 07, 2017, 06:02:42 pm »
I don't even remember when was the last time my computer got compromised even a bit. It's many years ago.
That you have not detected a breach in many years does not mean you didn't have a breach.

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #54 on: January 07, 2017, 06:27:36 pm »
I don't even remember when was the last time my computer got compromised even a bit. It's many years ago.
That you have not detected a breach in many years does not mean you didn't have a breach.

Oh you are very wrong, I would notice it immediately. Whether I have time to react in time once it happens, if it ever happens, is a whole different story. But I will not publicly go into any specifics about security details on my computer, because that would get the hacker one step closer to breaching it.  ;)
 

Offline RGB255_0_0

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: gb
Re: Computer security bullshit
« Reply #55 on: January 07, 2017, 08:16:36 pm »
Oh you are very wrong, I would notice it immediately.
:popcorn:
Your toaster just set fire to an African child over TCP.
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: 00
    • Chargehanger
Re: Computer security bullshit
« Reply #56 on: January 07, 2017, 11:00:34 pm »
But I will not publicly go into any specifics about security details on my computer, because that would get the hacker one step closer to breaching it.  ;)
Security through obscurity. Yep. That absolutely works. :popcorn:

Offline imidis

  • Frequent Contributor
  • **
  • Posts: 426
  • Country: ca
Re: Computer security bullshit
« Reply #57 on: January 07, 2017, 11:12:36 pm »
I don't know why security is such a touchy subject. So much so I rarely participate in the discussions. There are a lot of holes and issues out there.   :-\
Gone for good
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #58 on: January 08, 2017, 12:13:27 am »
I don't know why security is such a touchy subject. So much so I rarely participate in the discussions. There are a lot of holes and issues out there.   :-\

You are absolutely right! Great choice!

Falls in the same category as religion and politics it seems. Never would have thought!  :-DD
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #59 on: January 08, 2017, 10:09:36 am »


I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #60 on: January 08, 2017, 11:01:16 am »
Had they spelled Ubuntu correctly it could be more appealing.

Great catch! I don't think this chart is far off from the truth though. Android has a lot of security flaws and it makes sense to me that it is on the top of this list.

Trying to find more detailed and accurate info on OS-specific (not including 3rd-party apps) security tests overall.

Either way, a good 2-way firewall and good AV increase security. And security suites with added layers for specific tasks improve the overall security even more. Nothing is perfect though.
 

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: Computer security bullshit
« Reply #61 on: January 08, 2017, 11:24:19 am »
The problem is the more flexibility and functionality you want from an OS the more exploits there are. I saw an interesting youtube video about how spyware can trick an internet browser into sending data back for it so as to stay under the radar, using basic windows functionality that is legitimately there for programs to talk to each other, and it's undetectable. The best line of defence is to not get infected in the first place.

The chart obviously does not clarify the likelihood of each exploit being used and if an antivirus was used.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #62 on: January 08, 2017, 11:47:45 am »
Quote from: Simon
the problem is the more flexibility and functionality you want from an OS the more exploits there are.

You are absolutely correct. For the Android part I'm pretty certain a lot of security issues have to do with Java. It's known to have a lot of holes, though Android Java is a quite modified version of the Oracle one.

Quote from: Simon
The chart obviously does not clarify the likelihood of each exploit being used and if an antivirus was used.

No it does not, and that is why I look into finding a proper report. :)
 

Offline f1rmb

  • Regular Contributor
  • *
  • Posts: 180
  • Country: fr
Re: Computer security bullshit
« Reply #63 on: January 08, 2017, 11:56:41 am »


I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD

Had they spelled Ubuntu correctly it could be more appealing.


Linux Kernel as an operating system  :palm:

 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #64 on: January 08, 2017, 12:05:55 pm »


I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD

Had they spelled Ubuntu correctly it could be more appealing.


Linux Kernel as an operating system  :palm:

I've been building Linux from scratch; there is not much more needed than a bootloader, a filesystem and the kernel. The rest is just applications/toolchains to add functionality that has nothing to do with an OS and its purpose.
 

Offline f1rmb

  • Regular Contributor
  • *
  • Posts: 180
  • Country: fr
Re: Computer security bullshit
« Reply #65 on: January 08, 2017, 12:21:52 pm »


I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD

Had they spelled Ubuntu correctly it could be more appealing.


Linux Kernel as an operating system  :palm:

I've been building Linux from scratch; there is not much more needed than a bootloader, a filesystem and the kernel. The rest is just applications/toolchains to add functionality that has nothing to do with an OS and its purpose.

A *nix kernel isn't an OS, this "chart" mixes oranges and bananas...
I'm still wondering about the purpose of booting a fat/monolithic Linux kernel with *zero* system/user binaries, except to power up some devices.

Cheers.
---
Daniel

 
 

Offline XynxNet

  • Regular Contributor
  • *
  • Posts: 185
  • Country: de
Re: Computer security bullshit
« Reply #66 on: January 08, 2017, 12:33:06 pm »
While there are open bugtrackers for linux/android, I wonder whether we get the same amount of info about bugs in ms or apple software.
« Last Edit: January 11, 2017, 09:54:22 pm by XynxNet »
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #67 on: January 08, 2017, 12:34:35 pm »
Look up the official definition of an Operating System before saying the Linux kernel is not such. The Linux kernel has all the requirements for an Operating System.
 

Offline Brumby

  • Supporter
  • ****
  • Posts: 12298
  • Country: au
Re: Computer security bullshit
« Reply #68 on: January 08, 2017, 12:35:59 pm »
But I will not publicly go into any specifics about security details on my computer, because that would get the hacker one step closer to breaching it.  ;)

Which is why I never even enter into discussions on the subject.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #69 on: January 08, 2017, 12:36:55 pm »
While there are open bugtrackers for linux/android, I wonder whether we get the same amount of info about bugs in ms or apple software.

I doubt the bug/security hole list for Windows and OSX is as comprehensive as for all opensource OSes out there.
 

Offline f1rmb

  • Regular Contributor
  • *
  • Posts: 180
  • Country: fr
Re: Computer security bullshit
« Reply #70 on: January 08, 2017, 12:38:07 pm »
Look up the official definition of an Operating System before saying the Linux kernel is not such. The Linux kernel has all the requirements for an Operating System.

Yeah sure, a few OSI layers are missing here, but who cares?  :-+
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #71 on: January 08, 2017, 12:51:56 pm »
Look up the official definition of an Operating System before saying the Linux kernel is not such. The Linux kernel has all the requirements for an Operating System.

Yeah sure, a few OSI layers are missing here, but who cares?  :-+

Hahha, I don't care if the OS implements the OSI model or not. As long as it has a scheduler, and can securely orchestrate all the chatter between hardware (or hardware layer), software and user IO (which in some cases is not even needed, depends on the purpose of the OS).
 

Offline f1rmb

  • Regular Contributor
  • *
  • Posts: 180
  • Country: fr
Re: Computer security bullshit
« Reply #72 on: January 08, 2017, 01:23:26 pm »
Look up the official definition of an Operating System before saying the Linux kernel is not such. The Linux kernel has all the requirements for an Operating System.

Yeah sure, a few OSI layers are missing here, but who cares?  :-+

Hahha, I don't care if the OS implements the OSI model or not. As long as it has a scheduler, and can securely orchestrate all the chatter between hardware (or hardware layer), software and user IO (which in some cases is not even needed, depends on the purpose of the OS).

A scheduler, a task scheduler? You just said you define the linux kernel alone AS an OS, no software, by any means. Once you install a single binary somewhere, it starts to be an OS.

Back to the chart you've posted, you take it really personally, did you make it? I guess not.
I just found it amusing with the Ubuntu typo, and wrong with the linux kernel entry in the middle.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #73 on: January 08, 2017, 01:34:27 pm »
No I am not talking about a task scheduler in the sense of a scheduled task where you make the OS run some software as a service at a predefined time/interval.

We can make a 6 year study out of this OS talk.

For people who have never written or attempted to write their own OS from scratch, have no clue what an operating system for modern computers today is built of, have no idea how many OS architectures there could possibly exist, have no idea how modern computers work internally at a bit level, and how both the bits and the OS glue it all together, I'd suggest just keeping quiet.

But that is just my opinion. I'm not stopping anyone from making a fool out of themselves. :)
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Computer security bullshit
« Reply #74 on: January 08, 2017, 01:41:42 pm »
I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD

One has to be careful with those numbers, because it's apples vs. bananas (not oranges) quite often. The linux distributions come with a ton of applications, Windows doesn't. Take Firefox for example. For Windows it's a third party application, so any security issues in Firefox aren't counted. Ubuntu comes with Firefox, so Firefox's security issues are added. Another point is how each OS defines a security issue or its severity.
 
The following users thanked this post: f1rmb

Offline f1rmb

  • Regular Contributor
  • *
  • Posts: 180
  • Country: fr
Re: Computer security bullshit
« Reply #75 on: January 08, 2017, 01:44:51 pm »
No I am not talking about a task scheduler in the sense of some scheduled task you make the OS run some software as a service at a predefined time/interval.

We can make a 6 year study out of this OS talk.

For people who have never written or attempted to write their own OS from scratch, have no clue what an operating system for modern computers today is built of, have no idea how many OS architectures there could possibly exist, have no idea how modern computers work internally at a bit level, and how both the bits and the OS glue it all together, I'd suggest just keeping quiet.

But that is just my opinion. I'm not stopping anyone from making a fool out of themselves. :)

Young boy...
I just checked a few of your posts... It seems you have a really high opinion of yourself, even saying a lot of BS.

Welcome to my ignore list.

Have a nice Sunday.
---
Daniel
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #76 on: January 08, 2017, 01:45:42 pm »
I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD

One has to be careful with those numbers, because it's apples vs. bananas (not oranges) quite often. The linux distributions come with a ton of applications, Windows doesn't. Take Firefox for example. For Windows it's a third party application, so any security issues in Firefox aren't counted. Ubuntu comes with Firefox, so Firefox's security issues are added. Another point is how each OS defines a security issue or its severity.

Yes you are correct, this is why a proper and detailed report on this would be important.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #77 on: January 08, 2017, 02:00:10 pm »
Quote from: f1rmb
Young boy...
Thanks :)

Quote from: f1rmb
I just checked a few of your posts... It seems you have a really high opinion of yourself, even saying a lot of BS.
Great, but what does this have to do with computer security?  :-//

Quote from: f1rmb
Welcome to my ignore list.
Thanks  :)

Quote from: f1rmb
Have a nice Sunday.
Thanks, you too :)
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6721
  • Country: nl
Re: Computer security bullshit
« Reply #78 on: January 08, 2017, 05:19:55 pm »
Security through obscurity. Yep. That absolutely works. :popcorn:

In a system which you personally control it's pretty good. As soon as other people get their hands on it, not so much.

Insecurity is other people.
 

Offline RGB255_0_0

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: gb
Re: Computer security bullshit
« Reply #79 on: January 08, 2017, 05:22:29 pm »
Security through obscurity. Yep. That absolutely works. :popcorn:

In a system which you personally control it's pretty good. As soon as other people get their hands on it, not so much.

Insecurity is other people.
The fallacious statement was that he (slicendice) thinks he would know he'd been hacked.
Your toaster just set fire to an African child over TCP.
 

Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 967
  • Country: fi
Re: Computer security bullshit
« Reply #80 on: January 08, 2017, 10:12:49 pm »


I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD

Had they spelled Ubuntu correctly it could be more appealing.


Linux Kernel as an operating system  :palm:
Interesting how in this chart Windows is the only OS where each version is separated from the others, while for every other OS all their versions are apparently bundled together.
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2365
  • Country: de
    • Frank Buss
Re: Computer security bullshit
« Reply #81 on: January 08, 2017, 11:01:18 pm »


I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD

Had they spelled Ubuntu correctly it could be more appealing.


Linux Kernel as an operating system  :palm:
Interesting how in this chart Windows is the only OS where each version is separated from the others, while for every other OS all their versions are apparently bundled together.

Would be interesting to list the individual vulnerabilities and how easy it is to use them. For Linux there were some vulnerabilities known which could only be used if you have shell access to a system, and of course they were fixed fast. And for Windows there were lots of issues that could be exploited over the internet, and some got only fixed really late, if at all.

They cited CVE details. Found it for Android, 523:

https://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224

Lots of entries specific to some mobile phones.

Right, Windows 8.1 has 154 entries for 2016:

https://www.cvedetails.com/product/26434/Microsoft-Windows-8.1.html?vendor_id=26

Ok, why didn't they use Windows 10 (172) or Windows 7 (134)? Well, 172 is worse than the 161 from iPhone iOS. I wonder if Microsoft financed this report.

https://www.cvedetails.com/product/17153/Microsoft-Windows-7.html?vendor_id=26
https://www.cvedetails.com/product/32238/Microsoft-Windows-10.html?vendor_id=26

Sum is 460 entries for 2016. Lots of entries usable on any PC.
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 
The following users thanked this post: slicendice

Offline kalleboo

  • Regular Contributor
  • *
  • Posts: 99
  • Country: jp
Re: Computer security bullshit
« Reply #82 on: January 09, 2017, 03:53:23 am »
One has to be careful with those numbers, because it's apples vs. bananas (not oranges) quite often. The linux distributions come with a ton of applications, Windows doesn't. Take Firefox for example. For Windows it's a third party application, so any security issues in Firefox aren't counted. Ubuntu comes with Firefox, so Firefox's security issues are added. Another point is how each OS defines a security issue or its severity.
Firefox is a bad example since Windows comes with IE ;) Advantage Ubuntu.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #83 on: January 09, 2017, 06:33:58 am »
Thanks FrankBuss, that DB looks great. Huge collection! Awesome!

The bar graph I sent agrees with the stats found at cvedetails.com
« Last Edit: January 09, 2017, 06:38:24 am by slicendice »
 
