Unsupported OSes and the Internet
Two things that don't really mix together, but I suppose we can have a discussion about this at least.
Other than Windows XP, which has more security holes than a block Emmental cheese, is it always a risk to have an unsupported OS hooked up to the Internet? I ask because of two things: one is that I do some internet browsing under the Windows 2000 VirtualBox VM from time to time even though this site does warn you of having an internet connected wired up to it if not filtered and secondly, the Mac that is present in my current work place runs OS X Lion, where Apple pulled support for that the same time WinXP was cut though is considered newer than XP itself. Of course, several sites will deny you access for having an old browser but at least the latest version of Safari was able to be used under it but even so, is it safe to browse under that OS? This would also apply to the Win9x versions also but, does anybody actually surf the net under that, even on a very old version of Firefox or Opera compatible for it?
Discuss, my fellow people.
Other than Windows XP, which has more security holes than a block Emmental cheese, is it always a risk to have an unsupported OS hooked up to the Internet? I ask because of two things: one is that I do some internet browsing under the Windows 2000 VirtualBox VM from time to time even though this site does warn you of having an internet connected wired up to it if not filtered and secondly, the Mac that is present in my current work place runs OS X Lion, where Apple pulled support for that the same time WinXP was cut though is considered newer than XP itself. Of course, several sites will deny you access for having an old browser but at least the latest version of Safari was able to be used under it but even so, is it safe to browse under that OS? This would also apply to the Win9x versions also but, does anybody actually surf the net under that, even on a very old version of Firefox or Opera compatible for it?
Discuss, my fellow people.
Comments
As far as security goes, I don't know if being connected itself is a bad thing unless you're already compromised. I think browsing the web would be problematic in most if not all cases, but IRC or something else? Not necessarily, I suppose, if you actually get on to chat and stay away from warez and porn. Of course, the bigger question is: why take the risk at all?
Second, keep in mind that just the OS and browser are not the only attack vectors. I once got a VM (with nothing important on it) powned because I forgot there was an old buggy version of Acrobat Reader installed (whoever though it was a good idea for a web browser to automatically open PDFs needs to be shot).
Honestly, it has gotten to the point where all browsing really should be done in a carefully quarantined VM.
You can mitigate issues by only visiting known web sites and using a good ad blocker.
Randomly googling for things can be a problem though.
Now, depending on WHAT older OS you are talking about, it just might not be targeted, and possibly "safe enough" just because it can't run that stuff. However, at the moment I would expect XP to be somewhat targeted - especially since browser vendors have dropped support (Yet there is a nice updated fork of Firefox for MacOS 10.4 PPC)
And yes, the other problem is just loading the damn sites where everyone wants HTML 987987982376 or whatever they are up to today. It has gotten even worse because of browser vendors and their rapid updates. If you are browsing with a version more than a month or so old, you literally risk not being able to load sites. (On the flip side, when those same updates break older sites, you are simply fucked).
I have heard of some "translators" that will convert web pages for use on much older browsers, but that will still only get you so far.
Most browser based exploits will target modern browsers and OS's and likely won't work against the old stuff. So I would say if you're running a sufficiently old OS (XP doesn't count since it's still got a decent chuck of users out there, so 2000 and older) that your risk of becoming infected at this point is pretty low. But as with any OS, just don't do anything sketchy and you'll be fine. A machine won't infect itself.
A few years ago, I was working with a team at school to exploit an unfirewalled Windows 2000 box... none of the tools we had at the time had working exploits against 2000... We wound up getting into the XP boxes and the 2008 boxes but not the 2000 box. Now, if we had downgraded our tools or loaded different modules, we probably could have got in... but with the defaults, nothing.
Now, if you connect an old OS directly to the internet, unfiltered, you will probably get owned fairly quickly and if done correctly, you probably wouldn't notice... at least not right away. Why? Because automated scans and scripts run on the internet all the time trying to find holes and exploit them and some of these scripts have been running for quite a while. The internet is a big place...
I don't think it gets much safer than an OS on a CD-R, an OS with obsolete protocol and a hard drive with nothing but old MS-DOS/95/98 games.
The VM idea is darned good & been asking people why they don't just do that and end the worries.
I spend most of my internet time searching for program info/files - have Malwarebytes for on demand scanning only.
In other words, I run naked - always have - always will.
Nanny Google has its "safe browsing" turned off because it flags innocent files as "possible malware, etc" same as all the POS antivirus suites that just raise a flag at everything. Still, Google seach & Google Chrome are the best tools for web searching, so they stay on my machines.
There's some vicious pop-under ads - typically on torrent sites - but I've run into them elsewhere - just have to back out or kill the browser window.
But - as far as security holes etc that everyone is talking about - man life's too short. Put your impoortant files someplace safe, don't leave vital info on your browsing machine and let that be that.
If you're interested in this, look into Qubes OS though - it tries to integrate virtualized applications seamless into the UI with a major focus on security.
I don't care about "support" either. Never saw "support" as having a meaningful benefit in my day-to-day work.
I found it interesting that the Windows 98 VM I installed a couple weeks back - never had a need, but the other day, just for shits & grins, fired up the installation of Opera it had and cruised this site and a couple others I regularly visit.
Got to say, it was quite acceptable.
Personally, I firmly believe ALL of these AV softs blows goats and is /are scams and at best are CPU cycle robbing sluts - at worst - malware themselves.
Blech!