I get that there won’t be any security updates. So any problem found can be exploited. But how high is the chance for problems for an average user if you say, only browse some safe websites? If you have a pc you don’t really care much about, without any personal information? It feels like the danger is more theoretical than what will actually happen.
Or… are there any examples of people (not corpos) getting wrecked in the past by an eol OS?
It seems like part of your thinking is: Why would a criminal invest effort to attack an average John Doe? The answer is: With a popular (widely used) operating system, the effort goes close to zero. Attacks can be automated, so they will be. Also, even if they are not interested in your data, they will be interested in other benefits they gain from controlling your computer:
- Computing power e.g. for Bitcoin mining
- Your internet connection to attack other computers via yours, taking your computer to hide their identity and location. This is commonly done as DDOS for blackmailing businesses or silencing websites. Or for sending spam or fake reviews.
- Your identity. If they can get your name, they can order stuff on your name, which will get you a bad credit score or even criminal charges (identity theft)
- Access to your local network. Many devices are easier to hack via local network access than from the internet. A criminal who took control of your computer could for example take over your “smart” appliances or WiFi printer.
https://www.youtube.com/watch?v=6uSVVCmOH5w
XP … Exploited in 2 minutes
When you stop getting updates, that’s okay if you’re isolated, and not talking to any networks. But if you’re on the network at all, you’re falling behind the ecosystem. You stopped evolving, you’re static target, everybody knows your door code etc etc etc
This is why you can see ancient machines running industrial machinery totally isolated, but you’d never see one attached to a network
This is kinda a bad argument as a regular user will not connect to the internet like this. You have a router or a carrier will have a CGN in front of your PC.
You have a router or a carrier will have a CGN in front of your PC.
Many are using ipv6 these days, so no CGNAT used. Potentially with some level of protection (particularly in the mobile case), but there isn’t a 100% guarantee.
But you are still going to have some form of statefull firewall, where this video the firewall was deliberately disabled.
This is like saying I can leave my front door unlocked because we have a neighborhood watch…
I think the common use case is telephones. Attaching your old cell phone to a random open Wi-Fi network is pretty common
But this is just a demonstration, it’s still applies to using the internet, interacting with the network is the danger. Not how you interact with it. Browsing websites can send exploit payloads to your outdated software.
deleted by creator
AGLs and UPnP are fun like that.
deleted by creator
How is CGN going to stop you from downloading some exploit? CGN as well as NAT might have some level of security but it’s by no means a firewall or anti-exploit framework.
You didn’t watch the video. Give it a watch then you will understand why I said that.
Not ipv6. Sometimes it’s just routed to you depending on your router.
I guess that’s where I have a limited understanding of how Internet and maybe even exploits works: how would people even find my machine? There is little to no incentive, unlike with a corporation. They must know where my door is to even use the keys.
Can you just sort of do a brute force scan of all machines currently on the internet? Seems unlikely. In my mind, you can only access a machine if you have some idea about it’s whereabouts, either physically or digitally. But then again, I have no knowledge about these kinds of things.
The internet is cheap, like amazingly cheap. Connecting to every possible computer on the internet is something people do regularly, every minute.
Even if your computer was not directly accessible, the fact that it’s talking on the network is exploitable. There’ll be known payloads, known buffer overflows, known software packages, that can be targeted just by you browsing the web. Advertisement networks or a common delivery mechanism, websites get exploited, somebody send you a link, random messages going to your phone, going to your messenger, going to your email, anything that your computer processes can be a delivery payload mechanism.
There is no Safeway to run outdated software on the network at all in any capacity.
Thanks for the thorough explanation! Interesting stuff, the examples really helped me see the many different ways an attack could work.
Anyone who has services open to the internet sees constant attacks in their log files. I bet I could pull some attacks right now that are less than twenty minutes old.
fail2ban is a common software on Linux that helps defend against these attacks. When someone fails to log into your service three times, it bans their IP permanently. It’s generally issuing many bans a day.
They absolutely do scan every IP.
It’s debated whether software like fail2ban actually helps or if it just makes attacks visible that would anyways fail if you have up to date software. Oftentimes, defensive software adds attack-surface because it adds more software that can be targeted by attackers.
Fail2ban might help with protecting against exploiting of bad passwords though.
Tar pitting, rate limiting, banning failed attempts, are all critical security measures. If you let somebody try passwords, login attempts, with infinite speed, allow people to brute force your systems, you will get exploited
Even if you don’t get exploited, you can get asymmetrically DOSed. It takes a lot of compute power to deal with an authentication attempt, and not much compute power to put in a failed request
I totally agree about rate limiting, mostly against bad passwords that you are not in control of. But banning failed attempts is mostly not interesting if you ask me. It feels like the right thing to do, but IP addresses can change and other measures are better.
That video has been proven faked/staged https://youtu.be/i-mNiFGQVZ8
Not proven faked, your video author chose a different set of parameters to test.
I.e. using a nat, Using sp2
It’s a different test.
But in any circumstance, the original video is illustrative, of the dangers running outdated software
Ransomware usually doesn’t care whether it’s hitting a corporation or a real user. Even a “safe” website might serve unsafe ads. I have seen that a thousand times. It was just harmless history stealing in my case. But depending on what bugs will be found in the future it could be desastrous. And nobody at the ad network would see it because they would be using updated software.
So, it is only theoretical until it is not. Then it is too late.
Can you elaborate more about this “harmless history stealing” bit and how did you find it? Also, was the OS outdated in your case?
Like a sane person I use a system wide adblocker (Adguard) and unlock-origin in firefox. I also disable 3rd party iframes by default to reduce the crap being loaded by default on all my devices.
I meant that thing where it redirects you to another site and makes it impossible to go back to the site you were on.
Hmm, I thought modern day browsers had protection against redirect and history poisoning attacks. Guess not in all.
Was a few years ago.
deleted by creator
only browse some safe websites
Drive-by downloads exist. They can come from “safe sites” via an ad network and if you are running an EOL OS, chances are you are running an EOL web browser with some well known remote code exploit
OP, don’t be stupid. Update your OS.
I do, just wanted to know more about how bad stuff actually would be if you wouldn’t. Asked questions, learned a lot.
Fair enough. My apologies.
Unless it’s to Windows 11. Then stubbornly decline every week that it harasses you until the end of time.
Windows 11 is literally just a reskin of win10, but with added HDR functionality. There’s zero reason not to upgrade.
They almost snuck this dystopian nightmare into it. So yes, don’t trust any future windows upgrades from here on out. Who knows what they still have in it that we didn’t find out with this amount of backlash:
All talk about websites in the comments, but what about using just an email client and maybe ssh, rsync etc.
Show me a single person that uses these tools exclusively and does not care about updating their machine.
And even then: ssh does have vulnerabilities. Email clients also usually render HTML, which means they have a browser engine under the hood.
It’ll probably be fine for a while.
Corporations still run windows XP / 2008 server, even 2003 server in cases. Add long as they are not exposed directly to the internet is fine.
Sure, if you’re actually being safe and following good security practices, the risk is low, but the average user does not follow all the best practices.
Even if the only way to get a computer virus was to literally clap your hands together three times while repeating “I wish to get a computer virus,” some people would get a virus on their computer all time.
