VOGONS


Reply 20 of 56, by creepingnet

Rank Oldbie
VivienM wrote on 2024-01-30, 03:10:
creepingnet wrote on 2024-01-30, 02:57:

But you'd be amazed how much hate I've had in the past by armchair infosec dweebs who think that a connected DOS system is a security risk.

There might be more of a risk if you're putting a retro system directly on the IPv4 Internet without a NAT, e.g. on a university network or something (not sure who other than universities would have plentiful IPv4 IPs and a non-NAT setup in 2024). Not sure what ports would be opened by default on, say, a Win2000 system... and how exploitable that might be.

That being said, I would agree with you and presume the bad guys are being pragmatic. Why focus on Windows 9x exploits when the Internet is full of Windows 7 machines running unpatched web browsers?

Yeah, the truth is, I'm not running with a direct address. I'm running through a router almost all the time, or a gateway/router combo. Lately, I think I have the most secure setup I've had in years, because I started using an 802.11 a/b/g/n Wireless Bridge for my retro-machines so I don't need to be running miles of Ethernet all over the apartment. I've noticed my router does not even see my vintage boxes at all - it just sees the Wireless Bridge(s) and that's it. Has me thinking there might be an extra layer in security by doing this. All are protected behind a complex WPA2 PSK password - which is funny because I have NEWER stuff like a Wii that does not even have that level of security, 🤣.

I only have one machine that faces the internet that might be any sort of a risk, a Plex Media Server, which runs Linux and is frequently updated. I'm always checking that thing for exploits. So far so good. But I don't really have anything personal on that machine either, just movies and video games mostly. It has an internal FTP I use for my retro-boxes to download software from over FTP from DOS.

TBH, I really question the risk on a regular, home LAN with an ISP presented Gateway and Router setup like I've had since 2005 though. I've been running legacy clients that old on this kind of setup for 15 years, and in that time, I've only had ONE machine contract any sort of malicious software, and it was a Windows 7 machine when Windows 7 was still considered current. It got that software from a "friend" sneaking on it to surf porn I figured out (internet cache), and found out about it when it started spamming people in my hotmail address list including a boss and a former room mate (which I dumped at that time as I was no longer using it).

One new thing I've started doing just in case since this hobby has gotten more popular, is making them not full-time connected, and moving to running my Win9x/older games on Linux in virtual machines or compatibility layers, while keeping the Tandy, 386, and 486 (mostly) Pure DOS. I only have networking enabled when I want to telnet a BBS, surf the web in Links (the only browser worth a crap on a vintage PC IMHO), access my server via FTP (though I might play with that new thing Brutman added).

~The Creeping Network~
My Youtube Channel - https://www.youtube.com/creepingnet
Creepingnet's World - https://creepingnet.neocities.org/
The Creeping Network Repo - https://www.geocities.ws/creepingnet2019/

Reply 21 of 56, by Scythifuge

Rank Oldbie
creepingnet wrote on 2024-01-30, 21:03:
VivienM wrote on 2024-01-30, 03:10:
creepingnet wrote on 2024-01-30, 02:57:

But you'd be amazed how much hate I've had in the past by armchair infosec dweebs who think that a connected DOS system is a security risk.

There might be more of a risk if you're putting a retro system directly on the IPv4 Internet without a NAT, e.g. on a university network or something (not sure who other than universities would have plentiful IPv4 IPs and a non-NAT setup in 2024). Not sure what ports would be opened by default on, say, a Win2000 system... and how exploitable that might be.

That being said, I would agree with you and presume the bad guys are being pragmatic. Why focus on Windows 9x exploits when the Internet is full of Windows 7 machines running unpatched web browsers?

Yeah, the truth is, I'm not running with a direct address. I'm running through a router almost all the time, or a gateway/router combo. Lately, I think I have the most secure setup I've had in years, because I started using an 802.11 a/b/g/n Wireless Bridge for my retro-machines so I don't need to be running miles of Ethernet all over the apartment. I've noticed my router does not even see my vintage boxes at all - it just sees the Wireless Bridge(s) and that's it. Has me thinking there might be an extra layer in security by doing this. All are protected behind a complex WPA2 PSK password - which is funny because I have NEWER stuff like a Wii that does not even have that level of security, 🤣.

Since last night, I have considered a wireless option. I was looking at cantennas and other extreme-distance wifi options. My town has free wireless internet for people visiting with their phones/tablets/laptops, plus there are other non-password-protected wifi networks here and there. For fun, I considered naming my WinXP box "I know what you did," hehehehe...

I could always get a second internet line, but the price is not worth it for how often I would use it just for retro machines.

Reply 22 of 56, by rpocc

Rank Newbie

I could always get a second internet line, but the price is not worth it for how often I would use it just for retro machines.

I think it's overkill. Using VLANs would be more than enough. Actually, you could just get a cheap router and make a nested NATed LAN inside your NATed LAN, and that will already lock down a whole segment pretty effectively and cheaply.

Reply 23 of 56, by VivienM

Rank Oldbie
Scythifuge wrote on 2024-01-30, 21:53:

I could always get a second internet line, but the price is not worth it for how often I would use it just for retro machines.

That... if anything, would increase the risk, not decrease. Any fancy routers/firewalls, etc between your retro machines and your existing network can only improve security.

Reply 24 of 56, by creepingnet

Rank Oldbie
rpocc wrote on 2024-01-30, 22:00:

I could always get a second internet line, but the price is not worth it for how often I would use it just for retro machines.

I think it's overkill. Using VLANs would be more than enough. Actually, you could just get a cheap router and make a nested NATed LAN inside your NATed LAN, and that will already lock down a whole segment pretty effectively and cheaply.

🤣, I have a Cisco Catalyst switch I might be playing with in the future for such VLAN-related things. That was the original plan when I moved into my new apartment (when we thought we were getting the larger 2-car garage): all the retro-boxes would stay in the garage and I'd have them on their own separate VLAN together down there, with even their own separate AP, 🤣.. May still...kinda happen when I start learning how to configure corporate-class switches on my own, since I have one to mess around with. Honestly, the power requirements are so low on those Wireless Bridges though, I'm half tempted to wire up something to pull the 5VDC from an ISA or PCMCIA port and just put one on each machine and power it off the expansion ports, 🤣.


Reply 25 of 56, by VivienM

Rank Oldbie
creepingnet wrote on 2024-01-30, 23:12:

🤣, I have a Cisco Catalyst switch I might be playing with in the future for such VLAN-related things. That was the original plan when I moved into my new apartment (when we thought we were getting the larger 2-car garage): all the retro-boxes would stay in the garage and I'd have them on their own separate VLAN together down there, with even their own separate AP, 🤣.. May still...kinda happen when I start learning how to configure corporate-class switches on my own, since I have one to mess around with. Honestly, the power requirements are so low on those Wireless Bridges though, I'm half tempted to wire up something to pull the 5VDC from an ISA or PCMCIA port and just put one on each machine and power it off the expansion ports, 🤣.

The better option - use APs that can do separate SSIDs and VLAN tagging, that way you don't need to worry about interference from the retro AP with the normal network's AP...

Reply 26 of 56, by Rav

Rank Member

VLAN

To keep it simple, I have a VLAN for my normal LAN.
I have a VLAN for the different "services".
Then I have a retro VLAN where the retro file server and retro machines sit.

The firewall has masquerade on for all of these so they can all do "*LAN -> Internet".
But I have no routed ports to anything.
And I have a rule that allows my normal LAN VLAN to connect to both the services VLAN and the retro VLAN (so I can access my NetWare server from my main network to dump files).

But my retro VLAN can't initiate connections to my normal LAN nor my services VLAN.

Reply 27 of 56, by dionb

Rank l33t++

If you want an affordable option to do things like VLANs and firewall-separated subnets without having a PC on 24/7 (which gets expensive very quickly due to power draw), look into Mikrotik routers. They have a learning curve not unlike vintage computers ( 😜 ) but EUR 60 gets you something (their hEX router) that can do WAN to LAN >1Gbps, IPSec >350Mbps and as complex a VLAN and firewall setup as you would wish to configure, and that in a tiny box the size of a pack of cigarettes that draws 5W. What they are not is idiot-proof, and some idiosyncrasies (if you enable a feature, it will have absolutely no configuration, rather than the default configuration for that feature, so for example enable IPv6 and there will be *no* firewall whatsoever for your LAN unless you do a factory reset to get default "deny all", or configure it manually) are downright insecure in less clued-up hands. But as usual you can choose any two of 'powerful', 'user friendly' or 'cheap'. If you know your stuff it's great, and it's not as if 5-10 times more expensive Cisco is point&click either.

Combine a router like this with aforementioned APs with VLAN support - things like Ubiquiti UniFi if you want cheap and fully featured but fiddly upgrades, TP-Link Omada for unpredictable specs but cheap & solid, or HPE Aruba InstantOn for not quite so cheap, but almost idiot-proof yet fully featured.

WiFi is a whole different kettle of fish. The important thing to remember is that the security is only to avoid eavesdropping and is the equivalent of a locked door to block access to a UTP port. It doesn't do anything to secure the payload once it's off the wireless bit, either in the client device, or onward towards the internet. So a statement like "Has me thinking there might be an extra layer in security by doing this. All are protected behind a complex WPA2 PSK password" is untrue. At best it is equally safe as a UTP cable no-one else has access to. If you want that extra layer of security, look into 802.1X (Port-Based Network Access Control), preferably with a certificate-based authentication system (e.g. EAP-TLS) to be sure that end-to-end no unauthorized devices can connect to your fixed or wireless (WPA2-Enterprise) network. Of course, setting it up is a massive PITA (LDAP and RADIUS fun 😜 ) and still doesn't protect you if your client device does something stupid (click on that "download Driver Helper" link...). Same applies to using VPNs for communication outside your house: they keep eavesdroppers out, but won't help if you click on something you shouldn't.

Tbh, the most important thing is a good firewall, not just denying incoming connections, but disallowing outbound connections from untrusted devices by default, which should include everything running an OS that's not supported anymore but that is capable of supporting malware (and IoT stuff that might be doing a bit too much phoning home - but that's a whole different kettle of fish). Exceptions should be made on a case-by-case basis only, and revoked when no longer needed.
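The zone policy Rav describes (three VLANs, everything masqueraded toward the internet, no forwarded ports, main LAN may initiate to the other two, retro VLAN may not initiate back) and the stricter default-deny-outbound-with-exceptions policy in the paragraph above are the same kind of stateful first-packet rule set. The model below is an added example, not code from this thread, from Mikrotik or from any other firewall product: it expresses both policies as a small stateful filter in Python and runs constructed sample flows through it. The VLAN address ranges, the ports and the exception list are assumptions made up for the illustration.

```python
"""Stateful zone-policy model for a VLAN-segmented home network.

Added example; not code from the VOGONS thread, Mikrotik or any other
product. It models the policy described in the thread: VLANs 'lan',
'services' and 'retro'; every VLAN masqueraded toward the internet; no
forwarded ports from the internet; 'lan' may initiate connections to
'services' and 'retro'; 'retro' may not initiate to 'lan' or 'services'.
Strict mode adds default-deny outbound for untrusted zones with explicit,
revocable exceptions. All addresses, ports and flows are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Constructed VLAN addressing (assumption, not from the thread).
ZONES = {
    "lan": ipaddress.ip_network("192.168.10.0/24"),
    "services": ipaddress.ip_network("192.168.20.0/24"),
    "retro": ipaddress.ip_network("192.168.30.0/24"),
}

# Directions in which a NEW connection may be opened. Anything absent is dropped.
ALLOWED_NEW = {
    ("lan", "wan"), ("services", "wan"), ("retro", "wan"),  # "*LAN -> Internet"
    ("lan", "services"), ("lan", "retro"),                  # main LAN reaches the rest
}

# Strict variant: these zones get no outbound by default; each exception is
# (zone, proto, dport) and should be revoked when no longer needed.
UNTRUSTED_ZONES = {"retro"}
OUTBOUND_EXCEPTIONS = {
    ("retro", "tcp", 23),   # telnet to a BBS (constructed exception)
    ("retro", "tcp", 21),   # FTP control channel (constructed exception)
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Map an address to its VLAN zone; anything else is the internet ('wan')."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


def decide_new(pkt: Packet, strict: bool = False) -> str:
    """Verdict for the first packet of a connection (conntrack state NEW)."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone == "wan":
        return "drop"                      # no routed/forwarded ports from outside
    if (src_zone, dst_zone) not in ALLOWED_NEW:
        return "drop"                      # e.g. retro -> lan, retro -> services
    if strict and dst_zone == "wan" and src_zone in UNTRUSTED_ZONES:
        if (src_zone, pkt.proto, pkt.dport) not in OUTBOUND_EXCEPTIONS:
            return "drop"                  # default-deny outbound for untrusted zones
    return "masquerade" if dst_zone == "wan" else "accept"


class StatefulFirewall:
    """Minimal connection tracking: replies to accepted connections pass,
    everything else is judged as a NEW connection. Addresses are the
    pre-NAT (internal) view, as conntrack sees them after un-NATing replies."""

    def __init__(self, strict: bool = False) -> None:
        self.strict = strict
        self.established: set = set()

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.established:
            return "accept"                # ESTABLISHED: reply to a tracked flow
        verdict = decide_new(pkt, self.strict)
        if verdict != "drop":
            self.established.add(forward)
        return verdict


def run_samples(strict: bool = False) -> dict:
    """Run a constructed set of flows through the policy; returns name -> verdict."""
    fw = StatefulFirewall(strict=strict)
    samples = [
        ("lan_to_netware", Packet("192.168.10.5", 50000, "192.168.30.9", 524)),
        ("netware_reply", Packet("192.168.30.9", 524, "192.168.10.5", 50000)),
        ("retro_probes_lan", Packet("192.168.30.9", 524, "192.168.10.5", 50001)),
        ("retro_to_services", Packet("192.168.30.9", 40000, "192.168.20.4", 445)),
        ("retro_telnet_bbs", Packet("192.168.30.9", 40001, "203.0.113.7", 23)),
        ("retro_http_out", Packet("192.168.30.9", 40002, "203.0.113.8", 80)),
        ("internet_to_retro", Packet("198.51.100.2", 40000, "192.168.30.9", 21)),
    ]
    return {name: fw.filter(pkt) for name, pkt in samples}


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "default")
        for name, verdict in run_samples(strict=mode).items():
            print(f"  {name:20s} {verdict}")
```

The `netware_reply` and `retro_probes_lan` samples show why the policy only needs to name the initiator: the reply to a connection the main LAN opened passes because it matches a tracked flow, while a packet from the same retro host to a port nobody opened is judged as a new connection and dropped. Flipping `strict` turns the retro zone's outbound default from allow to deny without touching any other rule, which is the point of keeping exceptions in a separate, reviewable list.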

Reply 28 of 56, by ElectroSoldier

Rank Oldbie

Yeah, I mean it's true what the OP says, but then it's not.

The exploits are out there, but they're not heat-seeking missiles designed to home in on you as soon as you connect to the internet and find you no matter what.
They're there, but they have to be used on you. The XP RPC exploit was there and found you, but there is a patch for that; there are a couple of others out there too, but they were patched too.

I often use Win3.11 (well, sometimes anyway) and Win98 on the internet, in that they pull down websites that are on remote servers located on the internet. But I don't "use the internet" in the same way I "use the internet" on my Windows 10 PC to shop at Tesco, eBay and other tasks that do require modern browsers.

There are many retro message boards out there (BBS) that can be used; there are some old retro-friendly IRC servers too, if you can find them.

Your computer's vulnerability on the internet has always depended on where you go and what you do.

Reply 29 of 56, by Scythifuge

Rank Oldbie
ElectroSoldier wrote on 2024-01-31, 02:55:

Yeah, I mean it's true what the OP says, but then it's not.

The exploits are out there, but they're not heat-seeking missiles designed to home in on you as soon as you connect to the internet and find you no matter what.
They're there, but they have to be used on you. The XP RPC exploit was there and found you, but there is a patch for that; there are a couple of others out there too, but they were patched too.

I often use Win3.11 (well, sometimes anyway) and Win98 on the internet, in that they pull down websites that are on remote servers located on the internet. But I don't "use the internet" in the same way I "use the internet" on my Windows 10 PC to shop at Tesco, eBay and other tasks that do require modern browsers.

There are many retro message boards out there (BBS) that can be used; there are some old retro-friendly IRC servers too, if you can find them.

Your computer's vulnerability on the internet has always depended on where you go and what you do.

I put an ISA NIC back in my 486 today and plan on going online with it through WfW 3.11. I did so a few years ago, using Netscape Navigator. I am definitely going to avoid doing anything online with my retro PCs which involves money or personal information. I visited gamecopyworld with my main PC (which still looks like it did when I first found it, many years ago), downloaded a no-CD crack, and then ran Malwarebytes, and found nothing. Windows Defender didn't cry about the download, either. It looks like it might be a retro-friendly site, and those are the sorts of sites I hope to visit. Using mIRC is one of the reasons and inspirations for this thread. I used to use it quite a bit, back in the 90s. I also want to experiment with trying to get some multiplayer games going with real retro machines along with an 86Box virtual machine, both at my house and at another location.

Frankly, I am beyond bored and cynical with modern computing and gaming. I hate it. The last "new" games I played were Dragon Age Inquisition and Mass Effect 3, only because I was playing those trilogies straight through. I loved parts 1 & 2 from both series, and I stopped playing the 3rd game of each series because after a while, the suckage became too much - and they aren't even that new. Windows 10 is a bloated mess, and almost every new game focuses on everything but the story and actual gameplay and is almost always the same game with a crude coat of different paint on each one. I feel that I am not the only one, and I think sales are down across the board, with thousands of layoffs happening all over the place.

I am still glad to have a good, powerful, modern system for emulating old PCs through 86Box. I used Linux in the past and will be using Linux over Windows 10 and up, in the near future. But other than some indie games, I think I am done with modern "gaming," and want to recreate as much of the past as I can with as much functionality as possible.

Reply 30 of 56, by ElectroSoldier

Rank Oldbie

Of course these days, with always-on connections and very low-energy computers, you could run your own BNC and connect to IRC that way.

Can't say it was common back then to use a BNC, but there were several of us who did use them often.

Reply 31 of 56, by rasz_pl

Rank l33t

NAT is all you need; it's not like anyone will be browsing shady sites on a 486 running IE 3.0 😀
The nineties were fun times; a simple PING was enough to crash almost everything https://insecure.org/sploits/ping-o-death.html

Open Source AT&T Globalyst/NCR/FIC 486-GAC-2 proprietary Cache Module reproduction

Reply 32 of 56, by kingcake

Rank Oldbie

Putting your old machine behind a NAT/PAT router will not protect it from exploits that allow arbitrary code execution in the browser. (This is also true of modern machines, but modern machines get patched and have active countermeasures)

Edit: This is probably a bigger danger to Win XP. Like someone else said, you won't be loading a huge modern sketchy site on a 386.

Reply 33 of 56, by dionb

Rank l33t++
kingcake wrote on 2024-01-31, 06:17:

Putting your old machine behind a NAT/PAT router will not protect it from exploits that allow arbitrary code execution in the browser. (This is also true of modern machines, but modern machines get patched and have active countermeasures)

Edit: This is probably a bigger danger to Win XP. Like someone else said, you won't be loading a huge modern sketchy site on a 386.

It's not that so much as that exploits tend to exploit Win32 APIs and/or JavaScript, so if your dinosaur doesn't support those, the malware simply can't talk to your computer to infect it. 16b DOS and Win <=3.11 should be essentially immune to anything out there, even if run on a modern system. From Win9x onward, there are theoretical risks, but it's the WinNT line that's most at risk, particularly if your system is new enough to support a lot of scripting but old enough to be insecure as hell. And yep, that means XP-7 in particular.

Reply 34 of 56, by kingcake

Rank Oldbie
dionb wrote on 2024-01-31, 09:11:
kingcake wrote on 2024-01-31, 06:17:

Putting your old machine behind a NAT/PAT router will not protect it from exploits that allow arbitrary code execution in the browser. (This is also true of modern machines, but modern machines get patched and have active countermeasures)

Edit: This is probably a bigger danger to Win XP. Like someone else said, you won't be loading a huge modern sketchy site on a 386.

It's not that so much as that exploits tend to exploit Win32 APIs and/or JavaScript, so if your dinosaur doesn't support those, the malware simply can't talk to your computer to infect it. 16b DOS and Win <=3.11 should be essentially immune to anything out there, even if run on a modern system. From Win9x onward, there are theoretical risks, but it's the WinNT line that's most at risk, particularly if your system is new enough to support a lot of scripting but old enough to be insecure as hell. And yep, that means XP-7 in particular.

Yep. I actually meant to change XP to NT family but forgot to edit.

Reply 35 of 56, by rpocc

Rank Newbie
dionb wrote on 2024-01-31, 01:21:

EUR 60 gets you something (their hEX router) that can do WAN to LAN >1Gbps, IPSec >350Mbps and as complex a VLAN and firewall setup as you would wish to configure, and that in a tiny box the size of a pack of cigarettes that draws 5W.

I use the hEX as an advanced smart switch with WOL scripts for remote power-on of my computers. A great tiny thing having all the features of RouterOS. So, I second the advice. I also use a wireless RB2011 as my master WAN router in two locations, but mainly just because I could afford it at purchase time; it has WiFi, and AFAIR the hEX wasn't available on the market then.

Reply 36 of 56, by Scythifuge

Rank Oldbie

Are there any open source web browsers still being worked on/updated/patched which would be good for a WinXP system? I am going to start looking for one after I move a bunch of files. My 750GB drive decided to crap out, so now my WinXP box is going to have two 1TB drives which will probably never be filled.

Reply 38 of 56, by Warlord

Rank l33t
Scythifuge wrote on 2024-02-01, 00:19:

Are there any open source web browsers still being worked on/updated/patched which would be good for a WinXP system? I am going to start looking for one after I move a bunch of files. My 750GB drive decided to crap out, so now my WinXP box is going to have two 1TB drives which will probably never be filled.

There's Supermium (Chrome 120) for XP, but your CPU needs SSE2; MyPal 68 needs SSE2 too; otherwise roytam's fork of Pale Moon 27 or 28 without SSE.

To me, on the main subject though, there's no cause for any concern to just put your retro boxes on the same LAN behind a NAT router with a firewall at home. Your main concern is securing your main rig that you are doing work on. I could write an essay about it, but I don't feel like being white-knighted right now.