First post, by st31276a
I cannot say it better than Dijkstra himself in 1972:
The major cause of the software crisis is that the machines have become several orders of magnitude more powerful! To put it quite bluntly: as long as there were no machines, programming was no problem at all; when we had a few weak computers, programming became a mild problem, and now we have gigantic computers, programming has become an equally gigantic problem.
— Edsger Dijkstra, The Humble Programmer (EWD340), Communications of the ACM
The state of "modern" software is abysmal.
Imagine, the modern electron ui insanity of spawning the equivalent of a chromium tab for every ui window, just to be able to do modern things on it programmers have come to expect? Causing the ownage of 250 million Teams users by means of an excellent javascript injection / jailbreak / payload delivery exploit.
Imagine, glibc iconv() including an "rce" charset masquerading as extended chinese for the last 24 years. This one was almost certainly utilized in zero day kits out there.
Imagine, the modern architecture itself, not only being actively backdoorded with Intel ME, AMD PSP and the undocumented registers in the apple chips, but also being vulnerable to a whole portfolio of speculative data exfiltration attacks.
The modern mantras of keeping your software updated seems important on the surface, since many of these exploits are patched as they are found, and not patching them is just asking for it. However, with referral to the quote above, I sometimes wonder if, in spite of all the patching going on, is the software not still getting worse and worse in terms of undetected and undisclosed security problems?
In my opinion, every system online today is hackable with zero day exploits existing out there in the wild, that are known in certain circles but not yet "discovered" in the public domain. Not everybody finding bugs discloses them, as more money is to be made by selling them as exploits. These exploits are just used very sparingly and judiciously, as overdoing it would lead to their discovery and fixing.
Obviously I do not like the status quo, but it is impossible for myself alone to do something about it.
Running older software with known bugs is considered a way worse thing to do by most people.
I wish there were a community somewhere out there that patches the old stuff to fix the known security issues, so that they can be securely used today, by those who still care for their old hardware.
In terms of network security, I have a soft spot for the i586 architecture. It is fast enough to forward traffic at reasonable speeds, yet old enough not to be overtly backdoored and simple enough not to be a victim of speculative attacks. The only hardware feature it is missing is support for the nx bit in the page tables.
This thing is be able to run the latest 2.4 kernel very well, so that it can do nat and conntrack. If there only existed a glacier-time-stable (GTS 😀 maintained version of the 2.4 kernel. Putting such a router between your internet line and network should be very effective to keep out the side channel attacks that use the network as a medium, at least. You can also blackhole network blocks you don't like here, such as those belonging to the facebook and their ilk.
Older but stable and patched httpd, sshd and c libraries would also be a bonus.
Does somebody know where those who do this congregate, or do you think I am being unnecessarily crazy?