here here, I'm so sick of the cybersecurity FUD

Somehow, purely out of sporting interest, I launched one popular virus on my home machine running Windows 98 [4.10.1998] and here is what came of it:

For comparison, this is what happened when the same virus was launched, but under different systems:

The RDD, my main computer, uses Windows XP. I have been using it since 2017 (three years) connected to the internet regularly, no antivirus. I never, ever got infected. It's also true that my web browsing is limited to a few sites, and it only has like five services running, but for general use, it has never let me down. I periodically scan the system to check if there are potential threats, but nothing is reported. The only reason behind why I had to format and start with a new installation of XP was due to the death of the old motherboard (the chipset burned out), which required me to reinstall everything since XP would not boot on the replacement one, an Asus TUV4X, and even if it would, a clean installation is always better.

The machine is running perfectly fine. And not only, I'm setting up XP on a laptop with an Athlon XP-M 2500+ as a mobile version of the RDD, connected to the internet as well. No virus, no infection, just like its desktop counterpart.

I would go through each point and describe how wrong it is but there wouldn't be a point if no one listens since you just want to use your machine and not think about it.

I will say this is 2020, everything is automated and there are packages you can aquire of exploits so it is quite simple to have multiple versions and/or code your explot o use the APIs that exist in all versions of windows which is how they should be written anyway to target the most machines. The mindset of you need to browse to "safe" sites and don't click on the wrong thing is just wrong. It was never good advice and never will be.

Not every malware found on the net works on the client side.

IMO, it's an issue of how valuable your data is. Are you doing your taxes, checking email, or doing online banking on your retro computer? Probably not.

So install your OS, install your favorite games, create an offline backup (pretty quick and easy if you have moved to ide-CF or similar storage solution).

At this point I have no fear of putting the computer online. If something corrupts restore it.

If you don't have any valuable data on your retro computer, there's no point in jumping thru hoops to protect it.

BinaryDemon wrote on 2020-01-22, 19:21:

If you don't have any valuable data on your retro computer, there's no point in jumping thru hoops to protect it.

This is true, but you also have to remember that viruses can jump over your home network once they infect one machine.

My original post still applies though, I don't think your retro machine would get the virus to begin with.

DosFreak wrote on 2020-01-22, 18:45:

The mindset of you need to browse to "safe" sites and don't click on the wrong thing is just wrong. It was never good advice and never will be.

I wouldn't give this advice to anyone who I don't trust to not click on the wrong things.
Someone like me, though... I've never had issues. Over years of usage with no antivirus.

Heck, I doubt you could infect a Windows 95 computer if you tried. You'd have to go to archive.org and get copies of old viruses, but that's cheating since it's not the "wild" web.

I want a modern virus that demands I upgrade my operating system to best take advantage of it's services.

keenmaster486 wrote on 2020-01-21, 18:14:

Basically, I see so much superstition around connecting old machines to the internet. People go to great lengths to reassure vintage computer communities that "no, I'm not connecting this old computer to the network! Please don't kill me!"

Everything you say is obvious to anyone who is not addicted to cybersecurity FUD.

But the good thing is that this FUD does not really have any ability to affect anyone who is not willing to simply swallow it. You can still run WIndows 7 and Windows XP and even Windows 9x connected to the internet despite anything they tell you.

Kinda like drinking. Drinking irresponsibly/excessively is bad and dangerous. Drinking reasonably is generally safe and fun. If someone tells you that you shouldn't drink because of all the terrible things that can happen (they really can), you can still ignore them.

I understand and can empathize with some of OP's gripes with some of the fud you hear about this stuff. But I have a few points that I hope OP and others will consider before connecting unpatched computers of any kind to the internet.

Spectre was actually proven through a JavaScript vulnerability.

One way this could happen, would be that someone could slip some nasty JavaScript onto a website or even through the comments of an older forum that has open XSS vulnerabilities, and execute code on your machine.

I think JavaScript is somewhat in people's blind spot when it comes to ways of running code on your machine. I kinda figured in the late 90s that we'd see these types of "buffer overrun" style attacks sort of taper out and they'd be fully patched eventually; but every once in a while stuff like that does still come out.

There are also people all over the world running IP and port sweeps to try to find unpatched machines. If you ever check your router logs, (last time I did was on a checkpoint router a few years back), you can see that people are actually constantly attempting to hit your IP on all sorts of ports from all over the globe.

While you're probably right that most attacks these days are focused on newer operating systems, you really never know. While every year the military, government, electrical grid infrastructure, etc are updating their systems, I think it is generally known that there are still a few older PCs out in the wild. If there's stuff a the end of some script that's been added to and added to over the years which looks for vulnerabilities on one of these IP sweeps, and it happens to poke through your firewall (not saying this is likely), you really never know what you could end up with.

One final point, is if you remember how nasty some of these bear share / limewire / p2p era things were, they were just awful. I was fixing someone's computer back in 2006 or so, and all of a sudden, an IE window popped up, that popped up a command prompt, that ran notepad, and wrote *you have been p0wned" 🤣

I would hate to see good people who enjoy this hobby unwittingly be a party to the seedy intentions of those who would look to exploit your PC as a proxy to download and share who knows what. I'm not trying to put FUD out there or scare anyone, but please just think about it.

beastlike wrote on 2020-01-22, 22:09:

I would hate to see good people who enjoy this hobby unwittingly be a party to the seedy intentions of those who would look to exploit your PC as a proxy to download and share who knows what. I'm not trying to put FUD out there or scare anyone, but please just think about it.

In other words - I'm not trying to put FUD out there, but I am.

I mostly agree with his points, however you need to be fire walled. Cyber criminals, spy agencies of other countries, go after banks, government institutions, corporations, famous people, political campaigns etc. We are literally no one, as long as you use some common sense you have nothing to worry about. Common sense also involves having backups of your data so if somthing catastrophic were to happen that you can't fix you can image it back.

I always think it is strange to lecture a computer expert about viruses and security, as if they don't know what they are doing and can't fix their own rigs. It's kinda like someone lecturing a dentist about cavities..

beastlike wrote on 2020-01-22, 22:09:

Spectre was actually proven through a JavaScript vulnerability.

A P4 or older won't be affected due to lacking the feature that Spectre exploits. Still relevant for the time scale in which newer CPUs than P4 can be considered "old". It is also rather dependent on modern JavaScript APIs or JIT-based JS runtimes due to timing requirements.

I'd be more wary as you say of using older browsers for anything involving personally identifying information because of old buffer overflow exploits possibly laying around abandoned wordpress or whatever sites since back when they were relevant.

beastlike wrote on 2020-01-22, 22:09:

I think JavaScript is somewhat in people's blind spot when it comes to ways of running code on your machine.

Yes, the sad state of affairs is that adblockers and NoScript are basically anti-malware packages that everyone should install in their modern JS-enabled browsers at this point.

Some food for thought: this is a relatively recent case of a Windows 95 based IT system being rendered unusable because of malware: https://www.tagesspiegel.de/berlin/experten-w … e/25163810.html

That may have been a targeted attack, though, rather than something likely to affect a casual user. Also, the network may not have been the initial attack vector.

boomlinde wrote on 2020-01-23, 10:52:

That may have been a targeted attack, though, rather than something likely to affect a casual user. Also, the network may not have been the initial attack vector.

That's the thing - edge cases where OS exploits could be used to compromise a vintage PC on the internet (especially one behind any run of the mill NAT) would essentially require a targeted attack. The odds of a random attack affecting a Windows 95 PC on the internet behind a router WITHOUT USER ERROR are so infinitesimal as to be non-existent

All my computers run behind a router, but these are modern OS. Older OS like Win 3.x or Win 9x I run only on virtual machines.

While I agree with the OP... but there is one way to get infected: How about the updates and other older software/games we download for our retro machines from sites that are not the ones who actually produced the software (which may be or not be actually abandonware, for example). These ones might have a virus.

I can't remember the year, somewhere between 2014 and 2017, I had a hackintosh with Win 10 installed and it got infected with a ransomware. Some of my files were encrypted and it was demanding a bitcoin payment to get them back. Dude, I have like, three backups of my files (OneDrive, external HDD, my network's Time Capsule) so I had to laugh at this and I just formatted, cleaned it up and reinstalled the system.

That's exactly the thing. In the private sector, nobody, and I mean nobody, has systems connected directly to the internet without at least a NAT router. And if you are the one in a hundred (or in a thousand) that has only one machine, no LAN, no router - then that machine, being your primary machine, better run a modern OS for reasons that have more to do with usability than security.

dr_st wrote on 2020-01-23, 17:21:

In the private sector, nobody, and I mean nobody, has systems connected directly to the internet without at least a NAT router.

That's a gross exaggeration. I have servers directly connected to the core. They have a reduced attack surface and proactive measures in place to help prevent exploitation.

What do you do and why do you need those servers?

I'm posting from MS-DOS right now.

How fun is this!