I get that there won’t be any security updates. So any problem found can be exploited. But how high is the chance for problems for an average user if you say, only browse some safe websites? If you have a pc you don’t really care much about, without any personal information? It feels like the danger is more theoretical than what will actually happen.

Or… are there any examples of people (not corpos) getting wrecked in the past by an eol OS?

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    37
    arrow-down
    1
    ·
    5 months ago

    https://www.youtube.com/watch?v=6uSVVCmOH5w

    XP … Exploited in 2 minutes

    When you stop getting updates, that’s okay if you’re isolated, and not talking to any networks. But if you’re on the network at all, you’re falling behind the ecosystem. You stopped evolving, you’re static target, everybody knows your door code etc etc etc

    This is why you can see ancient machines running industrial machinery totally isolated, but you’d never see one attached to a network

    • slazer2au@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      1
      ·
      5 months ago

      This is kinda a bad argument as a regular user will not connect to the internet like this. You have a router or a carrier will have a CGN in front of your PC.

      • vividspecter@lemm.ee
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        5 months ago

        You have a router or a carrier will have a CGN in front of your PC.

        Many are using ipv6 these days, so no CGNAT used. Potentially with some level of protection (particularly in the mobile case), but there isn’t a 100% guarantee.

        • slazer2au@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          But you are still going to have some form of statefull firewall, where this video the firewall was deliberately disabled.

          • Crashumbc@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            5 months ago

            This is like saying I can leave my front door unlocked because we have a neighborhood watch…

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        5 months ago

        I think the common use case is telephones. Attaching your old cell phone to a random open Wi-Fi network is pretty common

        But this is just a demonstration, it’s still applies to using the internet, interacting with the network is the danger. Not how you interact with it. Browsing websites can send exploit payloads to your outdated software.

      • Skull giver@popplesburger.hilciferous.nl
        link
        fedilink
        arrow-up
        3
        ·
        5 months ago

        The Nintendo Switch documentation recommends you forward all ports to the Switch in case of network problems. Literally all of them. If your DHCP lease for both your PC and your Switch expires, you may just accidentally disable your firewall this way. Nintendos’s documentation is absolutely insane to even suggest that, but well-intentioned consumers don’t know that.

        Then there’s the NAT problem: though I haven’t heard of stories using it in the wild, many if not most consumer routers allow websites to bypass the firewall. In some cases, this only allows access to a subset of ports on your computer, in others it’ll expose every port on every device in your network (TCP/UDP). This attack is known as “NAT slipstreaming” and very few routers will allow you to disable the H.323 and SIP ALG to prevent this problem. This isn’t a problem on IPv6, luckily.

        If you do have this option, and don’t use SIP or H.323 video calling, you should definitely turn those ALGs off.

          • Skull giver@popplesburger.hilciferous.nl
            link
            fedilink
            arrow-up
            0
            ·
            5 months ago

            At least UPnP can be turned off easily (if it’s not off by default already). ALGs are more… problematic.

            The worst part is that ALGs will bypass the firewall rules by default, making NAT (or at least the stupid hacks to keep NAT working) a security risk.

      • Prison Mike@links.hackliberty.org
        link
        fedilink
        arrow-up
        2
        ·
        5 months ago

        How is CGN going to stop you from downloading some exploit? CGN as well as NAT might have some level of security but it’s by no means a firewall or anti-exploit framework.

      • lemmyng@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        5 months ago

        The number of users connecting their PC forfeit directly to the modem or purposefully disabling all protections because they’re too lazy is higher than you think.

        • slazer2au@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          Carrier operated modems are run in NAT mode so a home PC will get a RFC1918 IP address not public routable ones

        • AggressivelyPassive@feddit.de
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          5 months ago

          I would suspect, hardly anyone who knows how to do that is stupid enough to do it.

          Most modems/ISP routers are relatively secure by default.

    • Hucklebee@lemmy.worldOP
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      5 months ago

      I guess that’s where I have a limited understanding of how Internet and maybe even exploits works: how would people even find my machine? There is little to no incentive, unlike with a corporation. They must know where my door is to even use the keys.

      Can you just sort of do a brute force scan of all machines currently on the internet? Seems unlikely. In my mind, you can only access a machine if you have some idea about it’s whereabouts, either physically or digitally. But then again, I have no knowledge about these kinds of things.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        11
        ·
        5 months ago

        The internet is cheap, like amazingly cheap. Connecting to every possible computer on the internet is something people do regularly, every minute.

        Even if your computer was not directly accessible, the fact that it’s talking on the network is exploitable. There’ll be known payloads, known buffer overflows, known software packages, that can be targeted just by you browsing the web. Advertisement networks or a common delivery mechanism, websites get exploited, somebody send you a link, random messages going to your phone, going to your messenger, going to your email, anything that your computer processes can be a delivery payload mechanism.

        There is no Safeway to run outdated software on the network at all in any capacity.

        • Hucklebee@lemmy.worldOP
          link
          fedilink
          arrow-up
          5
          ·
          5 months ago

          Thanks for the thorough explanation! Interesting stuff, the examples really helped me see the many different ways an attack could work.

          • Serinus@lemmy.world
            link
            fedilink
            arrow-up
            0
            ·
            5 months ago

            Anyone who has services open to the internet sees constant attacks in their log files. I bet I could pull some attacks right now that are less than twenty minutes old.

            fail2ban is a common software on Linux that helps defend against these attacks. When someone fails to log into your service three times, it bans their IP permanently. It’s generally issuing many bans a day.

            They absolutely do scan every IP.

            • callcc@lemmy.world
              link
              fedilink
              arrow-up
              0
              ·
              edit-2
              5 months ago

              It’s debated whether software like fail2ban actually helps or if it just makes attacks visible that would anyways fail if you have up to date software. Oftentimes, defensive software adds attack-surface because it adds more software that can be targeted by attackers.

              Fail2ban might help with protecting against exploiting of bad passwords though.

              • jet@hackertalks.com
                link
                fedilink
                English
                arrow-up
                0
                ·
                5 months ago

                Tar pitting, rate limiting, banning failed attempts, are all critical security measures. If you let somebody try passwords, login attempts, with infinite speed, allow people to brute force your systems, you will get exploited

                Even if you don’t get exploited, you can get asymmetrically DOSed. It takes a lot of compute power to deal with an authentication attempt, and not much compute power to put in a failed request

                • callcc@lemmy.world
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  5 months ago

                  I totally agree about rate limiting, mostly against bad passwords that you are not in control of. But banning failed attempts is mostly not interesting if you ask me. It feels like the right thing to do, but IP addresses can change and other measures are better.

      • Manifish_Destiny@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        5 months ago

        Check out shodan.io Search your own IP. There are plenty of state actor tools that do the same thing. vulnerable systems are targeted because they’re vulnerable, not because there’s a payout. Most of the time you’d just automate the attacks with something like msfconsole and a ruby script.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        5 months ago

        My network has a Honeypot built in the internal side. Honey pots are really useful!

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        5 months ago

        Not proven faked, your video author chose a different set of parameters to test.

        I.e. using a nat, Using sp2

        It’s a different test.

        But in any circumstance, the original video is illustrative, of the dangers running outdated software

  • englislanguage@lemmy.sdf.org
    link
    fedilink
    arrow-up
    19
    ·
    5 months ago

    It seems like part of your thinking is: Why would a criminal invest effort to attack an average John Doe? The answer is: With a popular (widely used) operating system, the effort goes close to zero. Attacks can be automated, so they will be. Also, even if they are not interested in your data, they will be interested in other benefits they gain from controlling your computer:

    • Computing power e.g. for Bitcoin mining
    • Your internet connection to attack other computers via yours, taking your computer to hide their identity and location. This is commonly done as DDOS for blackmailing businesses or silencing websites. Or for sending spam or fake reviews.
    • Your identity. If they can get your name, they can order stuff on your name, which will get you a bad credit score or even criminal charges (identity theft)
    • Access to your local network. Many devices are easier to hack via local network access than from the internet. A criminal who took control of your computer could for example take over your “smart” appliances or WiFi printer.
  • cmeu@lemmy.world
    link
    fedilink
    arrow-up
    15
    ·
    5 months ago

    Practice good hygiene and it’ll be fine The trouble is that modern apps are forced to adopt features which depend on the new OS. Your old one will be incompatible, on purpose

    The security aspect is secondary to the monetary growth and recuperation of investment in the new OS.

    They spent all those monies to make it “AI” betting that you will eat it up and pay up. Now there will be significant pressure for them to “increase adoption” or someone gets fired

  • Björn Tantau@swg-empire.de
    link
    fedilink
    arrow-up
    12
    ·
    5 months ago

    Ransomware usually doesn’t care whether it’s hitting a corporation or a real user. Even a “safe” website might serve unsafe ads. I have seen that a thousand times. It was just harmless history stealing in my case. But depending on what bugs will be found in the future it could be desastrous. And nobody at the ad network would see it because they would be using updated software.

    So, it is only theoretical until it is not. Then it is too late.

    • limerod@reddthat.com
      link
      fedilink
      arrow-up
      0
      ·
      5 months ago

      Can you elaborate more about this “harmless history stealing” bit and how did you find it? Also, was the OS outdated in your case?

      Like a sane person I use a system wide adblocker (Adguard) and unlock-origin in firefox. I also disable 3rd party iframes by default to reduce the crap being loaded by default on all my devices.

  • scutiger@lemmy.world
    link
    fedilink
    arrow-up
    9
    ·
    5 months ago

    Sure, if you’re actually being safe and following good security practices, the risk is low, but the average user does not follow all the best practices.

  • Lung@lemmy.world
    link
    fedilink
    arrow-up
    8
    arrow-down
    1
    ·
    5 months ago

    Really annoys me that Apple has a policy of no more updates after 7 years (or when they change the CPU architecture enough) — that’s hardcore planned obsolescence & I think it made their hardware quality worse over time (in addition to being unrepairable)

    Super lame. While I’m ranting, their trade in program is a scam that doesn’t pay out almost ever. And otherwise they will “recycle it for free” making money Im sure

    So yeah I’m pretty sure the era of MacBook superiority is over & imma buy a considerably higher spec System 76 laptop instead which comes with a repair bible for pretty much every scenario and is upgradeable

    • GregorGizeh@lemmy.zip
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      5 months ago

      I am not using apple products myself any more, but 7 years of guaranteed support seems very reasonable, especially when our dumb ass economy runs on constant consumption and growth. They could just as easily make their devices break a week after the legally required warranty period is over, and you’d have to buy another

      • aasatru@kbin.earth
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        It’s not reasonable, but it is understandable. This is why FOSS is the only viable alternative for sustainable computing.

      • Lung@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        No but you see, there’s no reason a newer osx can’t run on their older hardware most of the time. You can install new windows on an old laptop if it has the specs. It’s not like they lost the drivers or whatever. It’s a choice they made, cutting off users from security updates & newer apps & leaving them with a vulnerable device

      • FarraigePlaisteach@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        Seeming reasonable in the context of the madness of constant growth is still not reasonable. I get what you mean, but we need to demand better of the ultra powerful if we want to see better in our lifetime.

  • NaibofTabr@infosec.pub
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    5 months ago

    There is a lot of crap crawling around on the internet that will infect any vulnerable machine it finds, completely automatically. There’s no human behind it trying to hack you specifically on purpose. A fair amount of it is orphaned - the original creator doesn’t have any control over it anymore. It’s just spreading on the network through anything it can infect.

    If you connect a vulnerable machine to the network, it will get infected by something and end up continuing to spread this kind of crap.

  • Skull giver@popplesburger.hilciferous.nl
    link
    fedilink
    arrow-up
    4
    ·
    5 months ago

    Assuming “safe sites” means “websites that don’t use ads and don’t require a recent browser”: very little, as long as you have your firewall on. Setting up a domain whitelist like that and making those websites work with shims for every source of third party code is a pain, though.

    If your PC gets hacked it’ll probably become part of a botnet and DDoS websites, even if you don’t have anything you care about on there. Don’t be a dick, don’t let your PC become part of a botnet.

    People get wrecked all the time because everything from news websites to social media will load third party scripts at some point. If you use an offline email program, you’ll receive emails containing the same shit. Attachments from people you know who got hacked are a common way to get hacked.

    The biggest risk for using outdated operating systems with modern computer use isn’t necessarily getting hacked directly, like Windows XP used to suffer from, but the tools you use no longer producing updates for your OS. No software company is going to maintain a Windows XP version of their latest tool and go through all the steps for securing it when they need to build the sandboxing and memory protection code themselves, while modern operating systems have that stuff built in. Letting competitors use newer and better tooling to get their software out quicker is a risk, and very little recent tooling bothers to support Windows 7.

    You won’t magically get hacked by simply having an old computer in your network, but doing stuff people actually like to do on computers is a quick way to get hacked. This is why DOS and Win9x systems are still running factories and why XP is still usable for running X-ray machines; it’s okay if you lock down the code that can be run tightly enough.

  • rickdg@lemmy.world
    link
    fedilink
    arrow-up
    3
    ·
    5 months ago

    The average user starts on their usual websites and doesn’t even remember clicking on a link that leads elsewhere.

  • slazer2au@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    5 months ago

    only browse some safe websites

    Drive-by downloads exist. They can come from “safe sites” via an ad network and if you are running an EOL OS, chances are you are running an EOL web browser with some well known remote code exploit

    • AggressivelyPassive@feddit.de
      link
      fedilink
      arrow-up
      2
      ·
      5 months ago

      Show me a single person that uses these tools exclusively and does not care about updating their machine.

      And even then: ssh does have vulnerabilities. Email clients also usually render HTML, which means they have a browser engine under the hood.