"My belief is that computer security is highly overrated. [...] This can actually be quantifiable. [...] In 2021 Project Zero registered 10 0-days that concerned Windows. [...] None affected Windows XP."
Clever! Security by running an OS which none of the exploit authors are targeting anymore.
Sure, in the tech industry we all know the best practices and more or less try to follow them, but in general I've found that I often have hardware that keeps working long past the desire of the corporate overlords to support it:
- a Windows 2000 laptop that I only stopped using (a while) after Win2k stopped getting security updates, and the Linux I put on it didn't work very well.
- a flip phone that was gloriously good at doing the only two things it knew how to do (calls and sms) that I had to stop using because it literally stopped having compatible towers to talk to.
- a 2013 MacBook with a keyboard that still works, but it can't get the latest OS updates anymore, much like OP's XP machine.
I feel like there's a willful blindness -- it's very profitable for companies to keep everyone upgrading all the time, but it creates a lot of trash and there's really no need. There's a huge swath of the population who doesn't mind having 20 year old appliances or cars, and who views their digital tools as just another appliance to be replaced as infrequently as possible.
Those of us in tech need to consider the moral prerogative of slowing the trash cycle and the frugality enabled by letting things work for decades. And to stop pretending there isn't a user base out there who will insist on using things for decades even if we tell them it's not advisable.
> a flip phone that was gloriously good at doing the only two things it knew how to do (calls and sms) that I had to stop using because it stopped having compatible towers to talk to.
That was the situation that finally prompted me to buy an iPhone.
Does it matter? An attacker has to know about a vulnerability to use it. Unless there's some reason that security researchers would be more focused on vulnerabilities in new systems than attackers are, or something like that.
This totally ignores the concept of "zero-days", vulnerabilities discovered that are only known by bad actors or known but not patched yet.
This is very common, and these vulnerabilities are sold for a lot of money and the buyers make sure to protect their investment as long as possible. Of course that also means they go exclusively for high-value targets which means end users are most likely fine (see Pegasus as an example). But that's not the same as being actually secure.
Either Windows XP has no vulnerabilities left and we should all immediately start using it or it has lingering vulnerabilities and they simply aren't noticed by more recent projects like Google Project Zero.
> This totally ignores the concept of "zero-days", vulnerabilities discovered that are only known by bad actors or known but not patched yet.
I'm not ignoring them, I'm just assuming that vulnerabilities discovered by bad actors will follow more or less the same distribution as those found by security researchers.
I would assume that security researchers and most attackers go after what the general public has. But I wonder, are there still a bunch of old industrial/medical machines running XP?
Now I have the mental image of some intelligence guy working on a “get into our geopolitical rivals’ grid in case there’s a war and we need to cause a blackout” discovering the author of the post.
Maybe he will meet up with some friends in the “assorted fraud” industry at the local after-work watering hole and they can nostalgically steal the post author's bitcoins together. Hacking an XP machine might trigger a midlife crisis though.
I'd be amazed if there aren't still a number of Win2k or older machines in industrial settings. Until a few weeks ago I was using an Imagesetter at work which had a Windows Server 2003 machine running its RIP software. (Apparently it's just about possible to massage the custom PCI card's driver into working on Windows 7 - but it's easier just to use the intended OS.)
Just the other day I found myself capturing a Vista machine into a VM just to preserve some perpetually-licensed software that we can't ever install again because the activation server's gone away.
There is a good chance that all or most of the exploits found in modern windows actually work on Windows XP, but the reporters did not test for it as no one uses XP.
Someone looking to hack the last remaining XP machines would just scroll down the list of new exploits and test them out.
From my experience, there is a lot of software that will not build for platforms older than 7/2008 due to missing APIs. Visual Studio stopped support for XP compilation a while ago. You can still use clang or such for simple programs today, but Chromium is probably too complicated to port at this point.
I thought I saw it in Visual Studio 2019 but I'm misremembering - Visual Studio 2017 was the last to support building for Windows XP by the looks of it.