I get that there won’t be any security updates. So any problem found can be exploited. But how high is the chance for problems for an average user if you say, only browse some safe websites? If you have a pc you don’t really care much about, without any personal information? It feels like the danger is more theoretical than what will actually happen.

Or… are there any examples of people (not corpos) getting wrecked in the past by an eol OS?

  • jet@hackertalks.comEnglish
    5·
    4 months ago

    https://www.youtube.com/watch?v=6uSVVCmOH5w

    XP … Exploited in 2 minutes

    When you stop getting updates, that’s okay if you’re isolated, and not talking to any networks. But if you’re on the network at all, you’re falling behind the ecosystem. You stopped evolving, you’re static target, everybody knows your door code etc etc etc

    This is why you can see ancient machines running industrial machinery totally isolated, but you’d never see one attached to a network

    • Hucklebee@lemmy.worldOP
      0·
      4 months ago

      I guess that’s where I have a limited understanding of how Internet and maybe even exploits works: how would people even find my machine? There is little to no incentive, unlike with a corporation. They must know where my door is to even use the keys.

      Can you just sort of do a brute force scan of all machines currently on the internet? Seems unlikely. In my mind, you can only access a machine if you have some idea about it’s whereabouts, either physically or digitally. But then again, I have no knowledge about these kinds of things.

      • Manifish_Destiny@lemmy.world
        2·
        4 months ago

        Check out shodan.io Search your own IP. There are plenty of state actor tools that do the same thing. vulnerable systems are targeted because they’re vulnerable, not because there’s a payout. Most of the time you’d just automate the attacks with something like msfconsole and a ruby script.

      • jet@hackertalks.comEnglish
        1·
        4 months ago

        The internet is cheap, like amazingly cheap. Connecting to every possible computer on the internet is something people do regularly, every minute.

        Even if your computer was not directly accessible, the fact that it’s talking on the network is exploitable. There’ll be known payloads, known buffer overflows, known software packages, that can be targeted just by you browsing the web. Advertisement networks or a common delivery mechanism, websites get exploited, somebody send you a link, random messages going to your phone, going to your messenger, going to your email, anything that your computer processes can be a delivery payload mechanism.

        There is no Safeway to run outdated software on the network at all in any capacity.

        • Hucklebee@lemmy.worldOP
          1·
          4 months ago

          Thanks for the thorough explanation! Interesting stuff, the examples really helped me see the many different ways an attack could work.

    • slazer2au@lemmy.worldEnglish
      11·
      4 months ago

      This is kinda a bad argument as a regular user will not connect to the internet like this. You have a router or a carrier will have a CGN in front of your PC.

      • undefined@links.hackliberty.org
        2·
        3 months ago

        How is CGN going to stop you from downloading some exploit? CGN as well as NAT might have some level of security but it’s by no means a firewall or anti-exploit framework.

      • vividspecter@lemm.ee
        2·
        4 months ago

        You have a router or a carrier will have a CGN in front of your PC.

        Many are using ipv6 these days, so no CGNAT used. Potentially with some level of protection (particularly in the mobile case), but there isn’t a 100% guarantee.

        • slazer2au@lemmy.worldEnglish
          0·
          4 months ago

          But you are still going to have some form of statefull firewall, where this video the firewall was deliberately disabled.

          • Crashumbc@lemmy.worldEnglish
            2·
            4 months ago

            This is like saying I can leave my front door unlocked because we have a neighborhood watch…

      • lemmyng@lemmy.caEnglish
        1·
        4 months ago

        The number of users connecting their PC forfeit directly to the modem or purposefully disabling all protections because they’re too lazy is higher than you think.

        • slazer2au@lemmy.worldEnglish
          1·
          4 months ago

          Carrier operated modems are run in NAT mode so a home PC will get a RFC1918 IP address not public routable ones

        • AggressivelyPassive@feddit.de
          01·
          4 months ago

          I would suspect, hardly anyone who knows how to do that is stupid enough to do it.

          Most modems/ISP routers are relatively secure by default.

      • jet@hackertalks.comEnglish
        1·
        4 months ago

        I think the common use case is telephones. Attaching your old cell phone to a random open Wi-Fi network is pretty common

        But this is just a demonstration, it’s still applies to using the internet, interacting with the network is the danger. Not how you interact with it. Browsing websites can send exploit payloads to your outdated software.

      • jet@hackertalks.comEnglish
        1·
        4 months ago

        Not proven faked, your video author chose a different set of parameters to test.

        I.e. using a nat, Using sp2

        It’s a different test.

        But in any circumstance, the original video is illustrative, of the dangers running outdated software