<Congratulations, you have unlocked the “I’m gonna have to lecture you with a super-long post” achievement!>
You still are missing the point, and, after that irrelevant “But Windows 7 is not bulletproof” blurb, you are now trying to use a second straw man to make it look like my beef with XP has to do with having to personally support it as a developer. So I guess I’ll have to address this first.
Just to be clear, if I was that annoyed at how XP makes my life harder as a developer, I’d have dropped support for it in Rufus in a heartbeat. But instead, as indicated in the small paragraph that prompted all this discussion, I chose to trouble myself with continuing to sign Rufus using 2 sets of digital signatures (instead of just the SHA-256 one) to continue to help security-conscious XP users. Granted, there’s not much I can do about SHA-1 collisions, but provided that they are still some time away, continuing to provide an SHA-1 signature, for systems that only understand SHA-1 signatures, is still much better, security-wise, than not providing one at all. As a matter of fact, doing what is “right” in terms of security, instead of doing what one feels like, is pretty much the point I am going to make, and my whole issue with you; there’s no such thing as freedom of action when it comes to ensuring that users have the best security they possibly can. You should not compromise, as you are doing, when trying to ensure the safety of all OS users, and as a valued member of this community, you are doing a great disservice to it by trying to imply that it is still okay to use XP (which, I can guarantee, is the takeaway people will get from your posts).
You are also (in effect with a 3rd straw man) trying to pretend that my message is just about reiterating that XP support has ended (“XP is dead”, i.e. your “memento mori”), where it is everything but. My main statement was only ever about safety, and I shouldn’t have to point out to you that the corollary elements I get to mention, such as the fact that, as a “dead” OS, XP has ceased to receive system vulnerability fixes, or that because of the need for developers to add extra paths in their code in order to support XP (and, in case it needs to be explained, my real concern here is for browser developers, such as Chrome or Firefox ones, rather than myself, as browsers are usually the first line of defence against malware) we logically get more software that can be exploited, only serve to further demonstrate why XP can only logically be construed as a major security liability right now, that people should attempt to move away from.
With this being said, let me get straight to the core of the matter, which is something I believe I had already tried to make clear in other threads where we discussed XP:
By using XP in a connected fashion in this day and age, when there exist much safer (including free ones) and viable (last time I checked, WINE on Linux was doing a good job at running XP apps) alternatives, you are not only putting yourself, but, more importantly, others at risk.
And now we get to the part where I’m going to use yet another car analogy. And while I have to skew my analogy in the process (which is what all analogies do anyway – there’s hardly ever one where the transposition factor is 100%), I’m going to go for the “If I can't make people remember anything from what I'm saying in this whole spiel, let’s at least make them remember this”.
Henceforth, let me introduce you to a car that is relatively well known in the UK and Ireland, but probably not that much outside of these countries, called the Reliant Robin, to state that: using Windows XP in 2016 is pretty much like using a Reliant Robin. And the reason is probably best illustrated with this little video:
Exhibit A
So, how does this analogy apply to XP?
Well, first of all, what we have here is an obvious design flaw (or conscious design decision if you want to put it that way – doesn’t matter) in the system that cannot easily be patched, and that certainly will not be addressed by the manufacturer at this stage. But, more importantly, this flaw is something that not only puts the user of the vehicle at a very real risk, as shown in the video, but, more importantly, also puts other users of the public road network at risk. Even if you are fully conscious of the tendency of the car to roll over (i.e. are security conscious when using XP), and taking countermeasures, it only takes a turn which you didn’t anticipate, or a moment of inattention in a curve, to roll over the car, possibly onto incoming traffic.
So not only are you putting yourself at risk, from using a vehicle that (at least in the case of XP – remember I mentioned that the transposition factor would not be 100%) its manufacturer has repeatedly indicated should no longer be used, but you are endangering others.
And this is one of the regular battles security people have to fight when it comes to collective resources that can be compromised: the “I should be able to do whatever I choose” argument that fails to account for other people using the resource.
Now, let me leave this slightly contrived analogy, to clarify exactly what I mean.
Have you ever considered that it’s very much possible to theorize that what you tried to bring people’s attention to (increase in the rate of malware penetration for newer-than-XP platforms between 2012 and 2014) could actually have a lot to do with people, no doubt encouraged by straw man arguments like the one you also linked to (“why should I upgrade to newer Windows when Microsoft continues to issue more and more security patches for these OSes and they’re everything but bulletproof”), continuing to use XP in a connected fashion? As you are plainly aware, the spread of malware requires vectors, and the more vectors you initially have, the more likely you are to be able to penetrate even more systems.
So, if we consider that, starting from the data we have for Q4 2012, and the logic that tells us a system where critical vulnerabilities are left unpatched is not going to evolve in the best direction security-wise – regardless of a dwindling market share, XP platforms are likely to be a lot easier to compromise today than they were in 2012. From this, we can envision that, as far as malware people are concerned, XP platforms are easy-to-penetrate targets, either by “drive by” or malicious download. And thus, because people have been encouraged to keep using XP way longer than they should have, if, say, you have a market share that went from 20% to 10%, but at the same time suddenly gained a drive-by infection rate that is much higher than this reduction rate, you will now be sitting on a larger park of infected machines in your botnet (reminder – most malware these days will attempt to communicate with a server), which you can use as a vector of infection... including for Windows 7 and 8 machines. Of course, these may not be as easy to penetrate as XP ones, but with a larger park, you may still see an increase. And once you get a greater foothold with those, the infection trend is likely to go up rather than down, regardless of how active the OS manufacturer is with system vulnerabilities.
Oh, and since I’m going to try to be pre-emptively feature complete in my argumentation here, so that I don’t have to deal with replies that attempt to distract from the central point (more on this below), let me address a few things as an aside, especially as they very much apply, even if you disagree with the argument that XP is directly tied to the increase of infection rate for later Windows machines, which I’ll be the first to say is mere unprovable conjecture at this stage:
1. It doesn’t matter if you use the latest Chrome, Firefox or latest AV on XP when every single one of these applications relies on Windows system DLLs where vulnerabilities such as buffer overflows or missing sanitization are left unpatched. As long as your application doesn’t come with a complete OS replacement layer, and as opposed to OSes that are still receiving updates, you will be left vulnerable because of these unmaintained OS libraries.
2. You may try to put forth the argument that, because of the end of support, most XP machines will be run by individuals and run isolated on a home network and are therefore, even if infected, unlikely to do much harm, as would be the case for a corporate network (which of course should have tried to weed out unsupported OSes some time ago). What you’d fail to take into account however is that one way infected botnets are being used is to try to infect web servers, when 0-day vulnerabilities get exposed (there are many server vulnerabilities that get disclosed over the course of a year) before the server admin gets a chance to patch them. Of course, since there are a lot of web servers on the internet, and a lot of them will have some mitigation techniques to cut off requests from individual clients that are poking around too inquisitively, the more machines you have on your botnet, the higher the chance to compromise a web server. And if you happen to compromise a machine that serves Windows executables (or serves any web page really, as drive-by exploits are not uncommon), congratulations, by being able to exploit a few more “easy” targets, you have suddenly increased the rate of infection for all Internet users. Oh, and with the SHA-1 signature thing, if you broke into a server that distributes signed .exe’s, you may just have found an even greater opportunity to infect security-conscious Vista and XP users, as even a valid signature there might not be enough to provide confidence that what was just downloaded isn’t malicious.
Now, I know it’s a long blurb already, but I can’t pass up a renewed attempt at inserting yet another straw man with your final “reducing the trust you can have into the MS guys” statement. I thought I had been clear already that it’s not because a system, which isn’t the one being discussed, evolves in a poor direction security-wise, that it has any positive incidence on a system for which we have conclusive evidence hinting at its security being worse by a much greater factor.
So, to get back to the old car analogy, unless you are actively alerting users of such systems to move to something more secure, what you are effectively doing is letting a friend, who you know has a car with a braking system that is no longer maintained and has been getting worn out past safe levels, or even letting a drunk friend, drive in a state where they shouldn’t.
And, sure, they may not have paid much heed to advice about these issues for the past couple of years, and maybe they don’t seem to have gotten into any trouble so far (except I doubt XP people who got infected will post in this forum to report), but if you value both your friends and the other drivers on the road, at the very least, you have a duty not to keep silent. The probability of something happening is simply too great to just stand there and state: “Nah, you can drive, you’ll be grand...”
Thus, no matter how you are trying to (mis)lead the discussion here, let me say this: I don’t think it is okay for a respected member of this forum to tell people who use a far less safe OS (compared to alternatives they can move to, especially as we have to assume that people visiting a forum dedicated to booting are likely to be competent enough to transition to Linux, should they wish to) that they should feel entitled to do so. Instead, in the absence of indication that people are using XP in a disconnected fashion, I would expect you to be one of the first people to remind them that they should really consider moving to another OS, as well as remind Vista users that, with EOL coming soon, they should have a migration strategy ready.
Or, since I really can't tell you what to do, at the very least, as a person who I surmise has enough expertise to understand security matters, I would expect you not to try to shut down the message of someone who is only trying to perform what I just stated above (regardless of how annoyed you may be at hearing the message). Considering how much effort you put into diminishing my message, I can therefore only assume that your goal is to promote the opposite, with the very detrimental effect that this will effectively reduce everyone’s safety.
Oh, and since this is a very long post, which of course brings a lot more stuff you can try to cherry pick on, to distract from the central point, then let me make my central point abundantly clear. If you want to refute something in this post, then at the very least, I expect you to address the points highlighted below, as everything stated above is merely a reformulation or expansion of these:
- Windows XP is currently a very real security liability, and this state will only get worse.
- Because of this, XP users are putting their and, more importantly, other people’s safety at risk.
- It is therefore not okay to tell XP users that they should feel entitled to continue to use XP, if they are going to do so in a connected fashion (which, in the absence of information indicating otherwise, is what we should assume in a security-focused context). On the contrary, it is the duty of security minded people to remind XP users that they should move to a more secure OS, as well as remind Vista users that they should also prepare an exit strategy, as they will be in a similar situation soon.
- Let me also add this just in case (which may also help clarify the connected/unconnected point above): outside of custom in-house corporate applications (that can usually be transitioned to a private subnet that is separate from the internet and will actively be monitored by an IT dept), I have seen very little evidence of users being tied to an XP platform because of applications, especially in a manner that requires internet connectivity.
So, are you just going to continue to imply that, when we have worrying usage statistics regarding Internet connected XP machines, almost 2 years after users should have migrated, trying to move people away from XP, on account of security concerns, is something you just can't stand for?