this post was submitted on 09 Jun 2024
103 points (95.6% liked)

No Stupid Questions

35808 readers
2375 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS
 

I get that there won't be any security updates. So any problem found can be exploited. But how high is the chance for problems for an average user if you say, only browse some safe websites? If you have a pc you don't really care much about, without any personal information? It feels like the danger is more theoretical than what will actually happen.

Or... are there any examples of people (not corpos) getting wrecked in the past by an eol OS?

you are viewing a single comment's thread
view the rest of the comments
[–] jet@hackertalks.com 71 points 5 months ago (4 children)

https://www.youtube.com/watch?v=6uSVVCmOH5w

XP ... Exploited in 2 minutes

When you stop getting updates, that's okay if you're isolated, and not talking to any networks. But if you're on the network at all, you're falling behind the ecosystem. You stopped evolving, you're static target, everybody knows your door code etc etc etc

This is why you can see ancient machines running industrial machinery totally isolated, but you'd never see one attached to a network

[–] slazer2au@lemmy.world 19 points 5 months ago (6 children)

This is kinda a bad argument as a regular user will not connect to the internet like this. You have a router or a carrier will have a CGN in front of your PC.

[–] vividspecter@lemm.ee 18 points 5 months ago* (last edited 5 months ago) (1 children)

You have a router or a carrier will have a CGN in front of your PC.

Many are using ipv6 these days, so no CGNAT used. Potentially with some level of protection (particularly in the mobile case), but there isn't a 100% guarantee.

[–] slazer2au@lemmy.world 0 points 5 months ago (1 children)

But you are still going to have some form of statefull firewall, where this video the firewall was deliberately disabled.

[–] Crashumbc@lemmy.world 11 points 5 months ago

This is like saying I can leave my front door unlocked because we have a neighborhood watch...

[–] lemmyng@lemmy.ca 11 points 5 months ago* (last edited 5 months ago) (2 children)

The number of users connecting their PC ~~forfeit~~ directly to the modem or purposefully disabling all protections because they're too lazy is higher than you think.

[–] agressivelyPassive@feddit.de 4 points 5 months ago

I would suspect, hardly anyone who knows how to do that is stupid enough to do it.

Most modems/ISP routers are relatively secure by default.

[–] slazer2au@lemmy.world 3 points 5 months ago

Carrier operated modems are run in NAT mode so a home PC will get a RFC1918 IP address not public routable ones

[–] jet@hackertalks.com 11 points 5 months ago

I think the common use case is telephones. Attaching your old cell phone to a random open Wi-Fi network is pretty common

But this is just a demonstration, it's still applies to using the internet, interacting with the network is the danger. Not how you interact with it. Browsing websites can send exploit payloads to your outdated software.

[–] undefined@links.hackliberty.org 2 points 4 months ago (1 children)

How is CGN going to stop you from downloading some exploit? CGN as well as NAT might have some level of security but it’s by no means a firewall or anti-exploit framework.

[–] slazer2au@lemmy.world 1 points 4 months ago

You didn't watch the video. Give it a watch then you will understand why I said that.

[–] Brkdncr@lemmy.world 1 points 5 months ago

Not ipv6. Sometimes it’s just routed to you depending on your router.

[–] Drummyralf@lemmy.world 8 points 5 months ago* (last edited 5 months ago) (2 children)

I guess that's where I have a limited understanding of how Internet and maybe even exploits works: how would people even find my machine? There is little to no incentive, unlike with a corporation. They must know where my door is to even use the keys.

Can you just sort of do a brute force scan of all machines currently on the internet? Seems unlikely. In my mind, you can only access a machine if you have some idea about it's whereabouts, either physically or digitally. But then again, I have no knowledge about these kinds of things.

[–] jet@hackertalks.com 25 points 5 months ago (1 children)

The internet is cheap, like amazingly cheap. Connecting to every possible computer on the internet is something people do regularly, every minute.

Even if your computer was not directly accessible, the fact that it's talking on the network is exploitable. There'll be known payloads, known buffer overflows, known software packages, that can be targeted just by you browsing the web. Advertisement networks or a common delivery mechanism, websites get exploited, somebody send you a link, random messages going to your phone, going to your messenger, going to your email, anything that your computer processes can be a delivery payload mechanism.

There is no Safeway to run outdated software on the network at all in any capacity.

[–] Drummyralf@lemmy.world 9 points 5 months ago (1 children)

Thanks for the thorough explanation! Interesting stuff, the examples really helped me see the many different ways an attack could work.

[–] Serinus@lemmy.world 3 points 5 months ago (1 children)

Anyone who has services open to the internet sees constant attacks in their log files. I bet I could pull some attacks right now that are less than twenty minutes old.

fail2ban is a common software on Linux that helps defend against these attacks. When someone fails to log into your service three times, it bans their IP permanently. It's generally issuing many bans a day.

They absolutely do scan every IP.

[–] callcc@lemmy.world 3 points 5 months ago* (last edited 5 months ago) (1 children)

It's debated whether software like fail2ban actually helps or if it just makes attacks visible that would anyways fail if you have up to date software. Oftentimes, defensive software adds attack-surface because it adds more software that can be targeted by attackers.

Fail2ban might help with protecting against exploiting of bad passwords though.

[–] jet@hackertalks.com 2 points 5 months ago (1 children)

Tar pitting, rate limiting, banning failed attempts, are all critical security measures. If you let somebody try passwords, login attempts, with infinite speed, allow people to brute force your systems, you will get exploited

Even if you don't get exploited, you can get asymmetrically DOSed. It takes a lot of compute power to deal with an authentication attempt, and not much compute power to put in a failed request

[–] callcc@lemmy.world 2 points 5 months ago (1 children)

I totally agree about rate limiting, mostly against bad passwords that you are not in control of. But banning failed attempts is mostly not interesting if you ask me. It feels like the right thing to do, but IP addresses can change and other measures are better.

[–] jet@hackertalks.com 1 points 5 months ago

I agree. No ban should be permanent, just increasingly larger timeouts. If it's a legitimate user they'll have some other channel to reach out to to unban the IP

[–] Manifish_Destiny@lemmy.world 9 points 5 months ago

Check out shodan.io Search your own IP. There are plenty of state actor tools that do the same thing. vulnerable systems are targeted because they're vulnerable, not because there's a payout. Most of the time you'd just automate the attacks with something like msfconsole and a ruby script.

[–] RightHandOfIkaros@lemmy.world 8 points 5 months ago (1 children)

As a side note, a really old, slow computer can be very useful as a sacrificial piece of hardware for network security.

[–] jet@hackertalks.com 3 points 5 months ago

My network has a Honeypot built in the internal side. Honey pots are really useful!

[–] SSUPII@sopuli.xyz -3 points 5 months ago* (last edited 5 months ago) (1 children)
[–] jet@hackertalks.com 11 points 5 months ago* (last edited 5 months ago)

Not proven faked, your video author chose a different set of parameters to test.

I.e. using a nat, Using sp2

It's a different test.

But in any circumstance, the original video is illustrative, of the dangers running outdated software