* DIE, XP, DIE!!!!
* Closes #820
Showing 2 changed files with 6 additions and 6 deletions.
cc758f5
Maybe you can make a version that works on XP and then drop the support for it.
cc758f5
Which is pretty much what I'm trying to do right now.
cc758f5
Oh, you guys are too harsh :p
cc758f5
<sigh> I wish people who are still hell bent on using XP on machines, that they are going to connect to the internet, realized HOW MUCH they are likely to be putting both themselves and other users at risk.
It is exceedingly likely that any XP machine that connects to the internet can be easily infected with drive-by exploits (such as ones coming from a malicious ad banner), due to hackers having had ample time to study critical flaws, that apply to ALL versions of Windows, and that have only been fixed in the more recent versions. It doesn't matter if your browser is the latest version of Firefox or Chrome, when these browsers still directly rely on many Windows kernel libraries that may be very easy to breach.
So, I'm sorry to say but thinking that continuing to use XP, in a connected manner, more than 2 years after it has been officially retired is both foolish and a sign that someone doesn't have the slightest concern for others (who may get infected due to XP based botnets being readily available on the internet).
So please grow some consideration for others, and stop pretending that using XP is okay.
cc758f5
Not that I had expected to go OT on the comments of a commit.. But 2 years since April 2014 and counting.
Back then with the P4 and the Radeon 7500LE it was the only usable OS, but I can't complain even with my C2D now.
And I find it quite hard for random hackers to exploit my kernel simply by browsing Wikipedia or working on my Access docs. Indeed, there's no weird network or CPU activity, and even Avira never reported anything (fantastic what proper behaviours can do).
...
That said, anyway, this should have no connection with whether a program can or should support it.
If somehow something breaks, you aren't even expected to fix it (I mean, if it isn't so incredibly trivial like this). But really, I can't understand this "fuck it even if somebody finds the time to fix it" attitude.
cc758f5
It should, when people very foolishly persist on putting both themselves and others at risk by placing their fingers in their ears and pretending that "proper behaviour" is enough to ward off critical kernel and DLL vulnerabilities. It's just like drink driving, really - yes, the chances are you'll be able to get home safe tonight, even if you've drunk too much, but, through the irresponsible behaviour of thinking you can just drink and drive, you have greatly increased the likelihood that something really bad is going to happen to you or, worse, somebody else. Thus, just like friends don't let other friends drive drunk (which may very well piss them off but is for their own good), friends don't let other friends use XP, in a connected fashion, more than 2 years after it has ceased to receive critical updates. This is the precise reason why you will find many vehement voices that tell you to stop using XP. Using an OS where critical flaws haven't been patched for years IS just that risky.
Also, unless you are a security specialist, analysing every single network frame that goes in and out of your connected XP machine, there is no way you can claim that your machine isn't infected. Apart from ransomware, the purpose of most malware these days is to not do anything that may bring suspicion to users, whilst at the same time leaving the door open for the malicious people or malicious activities. There exist way too many zero days to believe that an up to date antivirus, running on an unpatched machine with an OS that wasn't really designed with security in mind, is enough to protect it.
cc758f5
Security risks have nothing to do with the feasibility of support. Or with whatever effort you need to accomplish it.
You have to reach these components beforehand. That is where the proper behaviour thing matters so much.
Tbh I don't understand why you talk about likelihood, then fail to assess such an increment (because I mean "drinking too much" is quite a random statement)
I'm not claiming that. Simply, it works as expected.
Yes, but for god's sake, it's like you were suggesting malware could leech the kernel remotely, as if that was exposed on the net.
cc758f5
It does when I see it as my duty, as an experienced software developer producing an application that may be used by people running XP, to tell these users that they should stop using an insecure OS, that puts both themselves and others at risk. I get that, as an XP user, you may not like that message (you're really not the first one there and I do get a lot of flak from consistently berating XP users), but just like I wouldn't keep silent if I saw that you had a few too many drinks and were planning to drive, I'm not gonna keep silent when someone is trying to defend their use of a connected XP machine as something benign. There is NOTHING benign about it when you are putting people at risk, and you will definitely find me repeating the same message over and over as long as I am under the impression that you still don't understand the risks you are facing from using XP in a connected fashion.
I'm sorry, but, again, short of being a security expert, you cannot claim that. All you can claim is that you think that your computer works as expected, which may be very different from the actual state of things, especially as the goal of most malware is to make users think that their computer does work as expected, even after it has been infected. If your computer is part of a botnet (which is a very common use of infected machines these days), you won't be able to notice it unless you carefully monitor the network, as it only needs to send a few packets to the unfortunate target of the DDoS attack every few seconds, or more, to still be effective. During that time, you may be surfing Wikipedia or altering your Access DB, and won't notice a thing. There won't even be a spike of activity on your CPU.
So, really, it's the same as claiming that you think you're not drunk enough to drive, when you haven't taken a breathalyser test to prove it. Maybe you are right, but if the only evidence you can provide is your own judgement, it is tenuous at best, especially as, just like it is common knowledge that alcohol impairs the ability to drive, it is also common knowledge that unpatched kernels and libraries impair the ability of an OS to be secure, and therefore, if your judgement is wrong, the consequences could be disastrous.
Yes, that's precisely what I am suggesting.
This is called a drive-by infection (and I believe there's a competition every year where people try to break into up-to-date versions of modern OSes and browsers to see if they can manage a drive-by infection... usually with a worrying level of success). If you have a solid zero day (e.g. a Javascript browser exploit), and combine it with an unpatched OS, it may only take someone surfing a web site that displays an ad that you control (or even a server that you managed to compromise), to infect that person's computer. This becomes all the easier if the browser uses plugins that rely on out of date or unpatched libraries to display content (since plugins rarely do the data processing all by themselves, but do use multiple OS libraries), and you know how some of the libraries being used have critical vulnerabilities, due to having studied the patches pushed by the OS manufacturer in the more recent versions of their OS.
Logically then, the longer an OS remains unpatched, the easier it becomes to perform such an attack. Thus, the chances of being able to ward off attacks such as these are not really on the XP user's side as time goes by, which is precisely why people should really look into migrating to a more modern OS, which doesn't have to be Windows — if all you need is Access and Wikipedia, any modern Linux distro with OpenOffice should actually be a very decent replacement for XP...
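The comment above makes a detection point that is easy to miss in the argument: a bot that sends a few small packets to its controller every few seconds produces no CPU spike and nothing a user would notice, so only the network, observed over time, gives it away. The script below is an added example (not code from Rufus or from either commenter) of the kind of check a practitioner would run over per-host flow records to surface that "low and slow" beaconing. The flow records, host addresses and thresholds are constructed for the example; the addresses come from the documentation ranges and do not refer to any real host.

```python
"""Toy beacon detector for low-and-slow bot traffic (added example).

Idea: group outbound flows by destination, measure how regular the
inter-arrival times are (coefficient of variation of the gaps) and how
small the payloads are. Browsing traffic is bursty and irregular; a C2
check-in is small and nearly periodic, even with a little jitter.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed flow records: (timestamp_seconds, dst_ip, bytes_sent).
# 198.51.100.10 : ordinary web browsing (bursty, large responses)
# 198.51.100.20 : a site visited only briefly (too few flows to judge)
# 198.51.100.30 : a media stream pulling a large chunk every 5 s
# 203.0.113.7   : hypothetical C2, ~100 bytes every ~5 s with jitter
SAMPLE_FLOWS: List[Tuple[float, str, int]] = [
    (0.0, "198.51.100.10", 4200), (0.4, "198.51.100.10", 9800),
    (0.5, "198.51.100.10", 61000), (1.0, "203.0.113.7", 96),
    (2.0, "198.51.100.30", 300000), (3.1, "198.51.100.20", 1200),
    (3.2, "198.51.100.20", 5400), (3.3, "198.51.100.20", 800),
    (6.1, "203.0.113.7", 112), (7.0, "198.51.100.30", 300000),
    (11.0, "203.0.113.7", 96), (12.0, "198.51.100.30", 300000),
    (12.3, "198.51.100.10", 3100), (12.4, "198.51.100.10", 18800),
    (15.9, "203.0.113.7", 104), (17.0, "198.51.100.30", 300000),
    (21.1, "203.0.113.7", 96), (22.0, "198.51.100.30", 300000),
    (26.0, "203.0.113.7", 120), (30.2, "198.51.100.10", 7700),
    (30.9, "198.51.100.10", 42000), (31.0, "203.0.113.7", 96),
    (36.1, "203.0.113.7", 104),
]


def flows_by_destination(flows: List[Tuple[float, str, int]]) -> Dict[str, List[Tuple[float, int]]]:
    """Bucket (timestamp, bytes) pairs per destination address."""
    buckets: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for ts, dst, nbytes in flows:
        buckets[dst].append((ts, nbytes))
    return buckets


def interval_stats(timestamps: List[float]) -> Tuple[float, float]:
    """Return (mean gap, coefficient of variation) of inter-arrival times.

    A CV near 0 means the gaps are almost identical, i.e. periodic traffic.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return avg, cv


def find_beacons(flows: List[Tuple[float, str, int]], min_flows: int = 5,
                 max_cv: float = 0.2, max_mean_bytes: int = 512) -> List[dict]:
    """Flag destinations that receive small, near-periodic traffic.

    min_flows      : ignore destinations with too few samples to judge
    max_cv         : how regular the gaps must be to count as periodic
    max_mean_bytes : the "small packets" part; raising it would also catch
                     the media stream, which is periodic but not small
    """
    hits = []
    for dst, recs in flows_by_destination(flows).items():
        if len(recs) < min_flows:
            continue
        period, cv = interval_stats([t for t, _ in recs])
        avg_bytes = mean([b for _, b in recs])
        if cv <= max_cv and avg_bytes <= max_mean_bytes:
            hits.append({"dst": dst, "count": len(recs),
                         "period_s": round(period, 2), "cv": round(cv, 3),
                         "avg_bytes": round(avg_bytes)})
    return sorted(hits, key=lambda h: h["dst"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon to {hit['dst']}: {hit['count']} flows, "
              f"every ~{hit['period_s']}s (cv={hit['cv']}), ~{hit['avg_bytes']} bytes")
```

On the constructed data only 203.0.113.7 is reported: the browsing host is irregular, the three-flow site is below the sample minimum, and the media stream is periodic but far too large. The byte threshold is what separates the last two cases, which is why a real deployment would tune it per environment rather than trust a single fixed number.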
cc758f5
Aside from dumb liberalist arguments about this not being "your business"... It's not like there couldn't be people still using it offline and all (for as much as they may be few, but that's the point if any)
I dunno about your past experience, but I hope you are getting the message I'm not advocating about you nursing the OS forever. Just don't.. I guess recommend people to go fuck themselves?
We can enter into the philosophical realm then, and I might say the same applies to you too.
Then you would reply that "probabilities" are way lower, and then I'd suggest you to check back what statistics say.
Seriously, I dunno where you live, but here nobody is that dumb not to know it in the first place.
Lying to oneself then is another matter.
Drive-by download perhaps?
Yes, but you see, aside of me not using that computer to surf warez (which is just to say bad ad networks aren't REAAAALY that common), that's not the FUBAR-level kind of craziness I was talking in my "remotely leech kernel" hypothesis.
I'm glad for your help.. But no, really, even Access 97 seems to offer more features than the latest LibreOffice.
And unfortunately wine is still not on par (for as much patches to fix all the few remaining bugs aren't really any special and could be pushed at any moment afaik).
But besides, with a Radeon 7500LE that's really the most that could offer an acceptable experience.
I have a shiny new geforce 7300GS now, but still I'd like you to see my points.
cc758f5
Which I addressed every step of the way by making sure to always mention "connected" in the posts above. I have no issue with offline use of XP, and thought I made that fairly explicit.
I'm curious how you interpret this as my message when:
If you want to deny the common sense that, no matter how careful you think you are, an OS where critical vulnerabilities remain unpatched is by definition an unsafe OS, and therefore that the probability of getting infected is quite significant compared to a modern supported OS, fine by me. But I don't think you'll find many people swayed by trying to use a pseudo philosophical argument in an attempt to dismiss that your impression of your OS being in a "working state" might very well be just an impression and hardly reflect the actual state of things. And precisely because of unpatched critical flaws, my saying that your OS may very well be compromised without your knowledge does have a lot more weight than you saying that if that was the case, you would immediately notice it, as was your argument. But you can still try deluding yourself into thinking that you are as safe in the long run when using XP, as you would using a more modern OS, despite logic being squarely against you.
So, again, all I have been saying is that by using XP in a connected fashion, you are putting yourself and others at risk, regardless of whether you (want to) believe that you are actually safe. The safety of an unpatched OS is less than the safety of a patched OS, and in a connected world, it does have negative consequences, period.
Which is precisely the kind of stupidity I am trying to make you realize using XP in a connected fashion equates to in 2016. If you are smart enough to realize that drinking and driving is bad, you should be smart enough to realize that using an unpatched OS to surf the internet is bad, no matter how safe your other behaviours are - it's like trying to take the road with tyres that you know are worn out - it doesn't matter how good of a driver you think you are when you are putting both yourself and others at risk from trying to dismiss a dangerous behaviour as something that should be acceptable.
Nope, drive-by infection, without download, which can come from Javascript running on malicious ads for instance. No need to click or download anything, or even browse a disreputable site, if they subscribe to an ad network that doesn't vet ads carefully enough. I even went to the trouble of explaining what I had in mind. Javascript can be very efficient as an attack vector, but there are others too.
cc758f5
I wasn't talking about your behavior, but your thinking. I totally appreciate your work (for as much I'm not even using XP at this point)
I can hardly expect Windows developers to follow microsoft in dropping it then, but
I'm not denying that. I'm not saying it's not "unsafer".
I'm saying it isn't so much not still to make sense someway.
But of course if we fail to quantify the unsafeness (and see if we are past the "decency bar" or not), we are going nowhere.
It's statistics. Bayesian specifically. No sorcery.
Risks, sure. But I hope you know the difference between that word and raw danger (and then we are back into what I said above)
Driving and surfing the net are two completely unrelated situations.
If a point is a "driver being smart", that has nothing to do with whatever alcohol does to your brain in the first place.
Oh, I got it. Yes, I saw in the past some cases of stupid ads opening hijacking the page..
Still, probabilities to hit these, multiplied for chances of zero-days browser bugs are quite slim for a normal user if you ask me.
cc758f5
The unsafeness quantification pretty much boils down to this: after 2 years of non-support from Microsoft it is exceedingly likely that there exist major exploitable critical vulnerabilities in Windows XP that can be exploited through a simple drive-by, due to browsers having to rely on unpatched system libraries. As a software developer with more than 30 years of experience, this conclusion is exceedingly obvious, at least to me, especially considering that one of the things Microsoft did no more than a few weeks after XP support ended was patch a very critical flaw, even though they weren't supposed to, because they realized they had just uncovered yet another in the long series of critical issues, and used the fact that they still hadn't dismantled their ability to deliver such patches (infrastructure + people) to still provide a patch for it as a last gesture of good will.
But hey, feel free to believe that that last crit vuln was just a poorly timed coincidence and that nothing of the same magnitude has happened to be uncovered by malware people in the 2 and a half years ever since...
However, if you combine the simple facts that:
Then there is more than enough circumstantial evidence to logically conclude that you, and everybody else who keeps using XP in a connected fashion, is taking a very bad gamble.
The point is not drivers being smart. The point is best practices, which dictate that you don't drink and drive, or drive with worn out tyres, or surf the net with an unpatched OS, as any person who decides that one of these best practices shouldn't apply to them is equally idiotic.
Or do you really believe that security experts are going to side with you and say "Well, the best practice of surfing the internet with software, including the OS, that is fully up to date in terms of security patches, is quite overrated, really, and people should be just fine surfing the net using an OS that hasn't seen security fixes in years..."
There's no such thing as cherry picking only the best practices you like, by trying to pull out a low probability out of your ass ("Still, probabilities to hit these, multiplied for chances of zero-days browser bugs are quite slim for a normal user if you ask me."), when it comes to security.
cc758f5
We already agreed kernel suck yesterday.
You continuously overfly this mythical "drive by infection" merits.
In Internet Explorer?
If you really want to stress this metaphor so much, we could say then you have this driver that (for whatever reason) still remain capable of discernment and with only reflexes in the shit.
And the (online, yes) use cases I'm telling you are like driving at 10 km/h.
You are talking about a use-case I have never considered as sane.
Still have to hear your probabilities over drive by infections.
cc758f5
Which is still a more reasonable view than saying that, something which has been demonstrated to be used as an attack vector in the wild, somehow just cannot apply to you.
We can go at this all day, but in the end your argument boils down to "I don't believe there exists a drive by exploit out there that can apply to me and my 2 year+ unpatched version of Windows XP, because, by my own estimate, I'm simply too careful".
Sorry to have to burst your bubble again, but no matter how much you'd like to pretend otherwise, the odds are squarely against you.
In one of the many systems and subsystems that constitute XP. IE is the one that I used for an example illustrating just how fast after EOL Microsoft found a critical issue that they figured was just too serious not to patch, in the attempt to make you understand that, if Microsoft decided to create an out of band patch for just this one, even though officially support had ended, one can only guess how many critical vulnerabilities have been discovered since then, in IE, kernel, DLLs or other components.
I kind of suspected that you'd latch on the fact that this was IE and would either miss the point, or pretend it shouldn't apply, so no real surprise there...
Unless you are a security specialist, you're ill placed to be the judge of what your online behaviour amounts to in terms of safety. Your statement is simply "Trust me, I'm making sure I connect my XP machine in a safe way", which is hardly something one will be willing to take at face value unless you are called Bruce Schneier. Moreover, and this is what most people who are hell bent on saying that connected XP usage is their entitlement, you should also understand that, even if your behaviour was safe, by promoting the idea that people should be able to connect an XP machine to the internet more than 2 years after it has been retired, if they feel like they are taking enough precautions, you are actually encouraging reckless behaviour, which is precisely why I have an issue with people like you.
By publicly trying to advertise that it's your God given right to keep using XP in a connected manner, because "you somehow happen to know what security practices are actually relevant, and using a system with unpatched vulnerabilities, in the connected manner you are using it, isn't one of them", you are encouraging more damage. As a side note, it also never ceases to amaze me how every single person I have ever tried to discourage from using XP in a connected manner since it was officially retired (and, because Rufus runs on XP there have been quite a few) just happens to be, according to them, one of the most security conscious people you may find, and therefore, immune to any of the dangerous online behaviour that may affect other XP users... Or, in other words, "driving at 10km/h".
Drive by infections are insane, and/or you're not using any of the plugins that may be installed by default in your browser to view content, unless you have thoroughly vetted it first. Gotcha. Yup, extraordinary how the very people who insist on using an obsolete OS in a connected manner conveniently turn out to be some of the most security conscious in the world. It's so counter intuitive I would never have guessed, hadn't so many of the people concerned insisted that this is actually the case...
As far as I'm concerned, I'll keep pondering about the Pwn2Own competition of 2014, the year XP was retired, where, for instance, "Google's Chrome Web browser was successfully exploited by with a use-after-free memory flaw that enabled a sandbox bypass.", which is something that I'd venture to say might well have been triggered through a mere Javascript exploit or something similar. Sadly it doesn't say, and of course you're going to argue that it's just impossible that Javascript in Chrome, or whatever browser you are currently using, could be subject to a similar flaw, since JS drive-by exploits, or browser exploits that are tied to relying on unpatched libraries, are simply too insane to even consider as a remote possibility. I guess I'll also just keep insanely hoping that, if the browser I use is ever breached, at least the rest of my up to date OS will hold the fort.
cc758f5
I'm telling you it's quite improbable. It's enormously different.
Except most of people aren't me, and wouldn't be able to maintain a Pentium 4 usable today?
To be honest, I see 0 reasons for
I wonder who's the moron with no particular "situation" that still use it.
Oh, btw.. When you crash with your car, you hardly can't notice it.
On the other hand here we are almost arrived talking about stuxnet-class malware.
Last time I checked, "security experts" were working for big companies that haven't really all that time to waste.
Assuming we aren't still over your carelessness for statistics, for as much I never said it, I guess that.. Yes, under a certain 0.0..% threshold you can't round probabilities.
But again, I feel like you'll never assess how likely is for a reputable site to end up with a shitty ad network?
Or in turn chances for as much as shitty ad network to get powned?
And last, for whoever violate it to inject a malware rather than his own bad ads?
And.. I mean, let's consider zero-days are quite precious to be wasted on such a lame operation.
Oh, and that this is probably going to hit every browser user, regardless of the OS.
Triggering in turn plenty of AV software and thus aforementioned gurus.
When I'm going to see your rough estimates I'll be happy.
cc758f5
No, you're telling what you would conveniently like things to be, whereas we have evidence that drive by exploits exist and are not in the realm of improbability. The yearly Pwn2Own competition demonstrates that.
Curious how your reply makes no mention of the Pwn2Own example I linked to. Security teams demonstrating year over year that, with a little research, drive-by exploits are exploitable is hardly something to dismiss as "quite improbable". But sure, it's convenient for your narrative to pretend otherwise, or ask me to come up with hundreds of examples of those, which, obviously, I'm not gonna be wasting time on, especially as it should be obvious that the person needing to demonstrate that their usage is not introducing security liability, as you are trying (and failing) to argue, is you.
Thank you for proving my point that somehow you're better than the rest, therefore bad things can't happen to you, even when you are advocating that blatant security risks can just be dismissed.
The yearly Pwn2Own competition begs to differ with your readout of probabilities.
Once again, missing the point.
Unfortunately for you I can. I'm using AdSense, which is supposed to be a reputable ad network, yet I am having trouble filtering out the fake download buttons due to Google being more interested in generating revenue than weeding out dodgy ads (#789). Considering that they let through fake download buttons, which are easy to filter, one has to wonder what a creative person might be able to get away with in a banner...
Cue in your retort on how my site is not reputable (whereas we're discussing what every person using adsense will be facing) or how my example only applies to download buttons, and you're just too smart to ever click on them even by mistake, or ever engage in any kind of risky behaviour without being able to prevent it.
cc758f5
They are a demonstration of possibility, not probability.
Cause correct facts don't need any further comment?
If I said you are better than the average would it be false?
We are indeed talking about chances for browser to fail, so don't move the goalpost.
I guess it's true, but tbh if I managed to hijack an ad network.. I surely wouldn't waste that opportunity to target some tens of XP users.
Are you seriously comparing a png image to malicious js code ?
Could you explain how we passed from talking about javascript to social engineering ?
So, since I'm fucking cut out of commenting I'll edit here the reply for below:
They are a demonstration of danger (=possibility), not risk (=probabilities).
What are you talking about?
I was referring to Pwn2Own, with its facts that are true and all.
It's not goddamn philosophy.
How about javascript code is indeed pretty easy to automatically scrutinize?
But that there's no straightforward way for a normal program to discern between perfume ads and a "DOWNLOAD HERE" ones?
Man?
I try to keep points clear. I still have to understand if our problem is about your recognizance of statistics or some possible dumbness of mine in knowing how a button work..
But how in the hell can you think that analogy [full of conditions you say] is simple?
cc758f5
Wrong again. They are a demonstration of risk, which is exactly what you deliberately choose to ignore.
You do realize that it's very hard to listen to someone who uses tautology to prove their point ("I am correct because I am correct"), whereas I seem to be the only one so far who has pointed to verifiable examples to back up my points.
I'll also cut short the rest of your pseudo-philosophical drivel, which is equally short on hard evidence, or your additional "points" that are just plain wrong (just so you know, ads can and do run Javascript to provide interactive content, including those fake download ones — those are rarely "just" png, and especially the download ones you saw in the screenshot weren't, as they used JS to respond to mouseover and alternate between multiple images).
So, since this has been going on long enough, allow me to cut this short, by once again, using our good old car analogy:
You are still doing nothing but encouraging reckless behaviour by trying to advocate that, under certain circumstances, it is okay to take an unmaintained car, with worn out tyres, onto a busy public road.
Well, let me say this again, it doesn't matter if you're Ayrton Senna ("nobody else drives XP on a P4 like I do"), using a car made entirely of air-bags ("I have the latest antivirus and an up to date browser"), going 10 km/h, and driving up to Fort Knox, you will ALWAYS be driving it under a road network and weather conditions that are beyond your control.
If there happens to be a sudden downpour (and, I have tried to point out to you that, as much as you would like it to be otherwise, those are non-theoretical things) or the surface conditions change for any reason (there is a wide range of possibilities for your car traction to be diminished - I only pointed out one of many) then even if you are the best driver in the world going 10 km/h, there's a high risk that, with worn out tyres, you will be unable to maintain enough control so as not to swerve outside of your lane into oncoming traffic, which is something that is not an issue if using a properly maintained car. Therefore, as I have now repeated countless times, it doesn't matter how safe you think (or rather, seeing the argumentative you use, want to believe) your behaviour is, because you are driving your car under conditions that are beyond your control, you are not only putting yourself at risk, but, more crucially, others, especially on the busy and inherently hostile road network that is the internet.
Furthermore, the best you have been able to put forward to try to dismiss the idea (still haven't seen many hard facts from you) has been something like:
"Your argument is non-receivable, because you don't have statistics to indicate how well Ayrton Senna would do if confronted with a sudden downpour, when doing 10 km/h in a car made entirely out of air-bags". Obviously, if this is your sole idea of how you can declare your behaviour as "safe enough", I think it's clear to say that, just like this theoretical Ayrton Senna, we're not going to get anywhere fast.
So allow me to spare you, and everyone else, any more wasted time. Considering that you persist in claiming that engaging in reckless security behaviour, such as using 2-year old obsolete and unpatched OS in a connected manner, is okay under some circumstances, I'm just going to ask you to take these irrational claims elsewhere (by all means, please try security-centered forums — I'm sure they'd like to have some fun), and will be preventing you from making any further posts on this issue tracker from now on.