spartanatreyu 7 hours ago

But it was broke, security support ended 3 years ago.

I wouldn't use a condom that broke 3 years ago.

bigstrat2003 2 hours ago | parent | next [-]

Unfortunately, these days it's arguably safer to run an unsupported version of Windows. Microsoft is obsessed with putting adware and features that put your data at risk into the OS, so it's not clearly the best choice to stay current any more.

badsectoracula 6 hours ago | parent | prev | next [-]

In practice this doesn't affect the overwhelming majority of people as they're either not going to be compromised (the most likely case) or, in the tiny chance they're compromised, they're not going to notice (in which case from their perspective it still "isn't broken").

It isn't like this is the original WinXP during the era where computers connected directly to the open internet and caught viruses just by existing, making computers groan and being very visible that something was wrong. Pretty much everyone is connected via a firewall and on top of that Windows has improved its security considerably over the years. And there are still security updates for browsers (the main vector for malware by far) that support Win8.x (e.g. Firefox ESR will be supporting Win8.x until next year and people have made Win7 and Win8 compatible builds for modern Chromium).

So it isn't surprising that for all intents and purposes it isn't broken, especially when the alternative is having to change to something that feels like a downgrade in terms of UX. From a user's perspective it is a choice between the unlikely potential of something invisible perhaps happening (getting compromised) versus the absolute certainty of something very visible happening (having to get used to a worse UX). Considering Windows still ties security updates with everything else, it isn't surprising that people judge based on what they perceive the most.

Of course the best solution would be to switch to an OS where such choices are not necessary in the first place. I've been using Window Maker since early 2000s and the UI has remained the same since 1997 when WM was first made, aside from the occasional theme change (which is done only whenever i personally feel like it, i.e. is not forced on me) while at the same time i'm using the latest Linux kernel, C library, drivers, etc with all security fixes. I do not have any choice between having security fixes or using a GUI that i am comfortable with - i get to have both.

esseph 6 hours ago | parent [-]

It is VERY much a "compromised but don't know it, or it doesn't slow down things or break enough for them to notice" territory.

The state of security is /awful/ for general users.

But they also can't figure out how somebody keeps getting into their email account, why they get text messages that quickly disappear from history, or what these weird charges that keep showing up on their bank statement are...

bakugo an hour ago | parent | prev | next [-]

Software is not "broken" just because it doesn't get updated with new spyware and adware every week. This is a misconception spread by companies like Microsoft.

Jigsy 7 hours ago | parent | prev [-]

Support ended in January 2023...

sitzkrieg 6 hours ago | parent [-]

who cares? it impacts nothing. windows updates are counterproductive for a decade. "but security and zero days!!"

ok surely that firewall and home lab and ability to not download and run garbage is enough for someone on the supposed "hacker news" to handle. but no, we got heaps of people using "out of support" as some sort of argument whatsoever to upgrade to absolutely dogshit versions of windows. make it make sense

esseph 6 hours ago | parent [-]

People get their identities stolen every day, and it is a super, super, super shitty process to go through depending on how deep it goes. It can change your life forever.

Having oldass OS and application versions makes that a thousand times easier when you have so, so, so many CVEs you can exploit. And LLMs have been shown to make this very trivial now.

All you need to do is click on the wrong pop-up, or the wrong link in your email, or tap something on your phone screen, or have a poorly configured (often from the factory) router, and the initial intrusion takes place. After that, an outbound encrypted session quickly gets set up, and congrats, now your network is acting as a residential proxy that can be sold to criminals that want to download CSAM from your IP, AI companies that will use your connection for scraping, and other elements that will either mine the data on your systems (your PII, logins, etc) and scrape your screens.

But if you don't care about your life becoming a living hell, then I can't make you.

This happens all the time, every day.

If you have a car, you maintain it. If you have a bike, you maintain it. Power tools? You maintain them. Your electronic devices also need to be maintained. They have access to your most sensitive data, and potentially private conversations.

mixmastamyk 5 hours ago | parent | next [-]

If you're behind a NAT and have an evergreen browser, say FF with UBO, avoid email attachments, etc... it's not very risky.

esseph 4 hours ago | parent [-]

Did you know a website can scan your LAN through a browser now?

https://developer.chrome.com/blog/local-network-access

Did you know that a lot of current home router NAT implementations are currently broken, in particular for UDP traffic handling, and you can therefore spoof your way into the network?

https://www.armis.com/research/nat-slipstreaming-v2-0/

A lot of router vulnerabilities floating around out there.

Ever hear of UPnP/UPnP2? Did you know that applications can trigger your router to open inbound ports for you?

There have also been some 0 click exploits lately, those are fun. You don't have to do anything at all!

https://github.com/Defense-Intelligence-Agency/Zero-Click-Ex...

Yeah, you're still at risk, and more so because you're not aware of how open you are.

mixmastamyk 4 hours ago | parent | next [-]

You're talking to a Slashdot refugee. Haven't ever had UPnP available. I don't use Chrome and do use OpenWRT with AdGuard, you insensitive clod. ;-)

esseph 22 minutes ago | parent [-]

I had a 5 or 6 digit ID which was pretty good for a kid not from the Bay Area, but I never got into slashdot flame wars. I still reflexively check it many times a day.

agoodusername63 4 hours ago | parent | prev [-]

Do you think that the average HN commenter has the same phishing risk as your grandpa?

They're fine.

esseph 2 hours ago | parent [-]

Everybody says that until it happens to them. Every time.

bigstrat2003 2 hours ago | parent [-]

Considering I'm going 40 years strong of not once falling for a phishing scam, I feel pretty confident in my assessment that I won't do so in the future. It has to be an exceptionally good phish to get anyone moderately technical to even take a second look. And even then, generally one can tell upon a second look. It's not hard to not get phished.

esseph 2 hours ago | parent [-]

It can be visually identical to the real domain.

https://www.kicksecure.com/wiki/Unicode

It's also happened with code pushes on GitHub, which didn't get caught in code review, and has compromised build processes by introducing a malicious domain that is visually identical.

Sounds like a HN-type problem.

https://www.knostic.ai/blog/zero-width-unicode-characters-ri...
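
Added example, not part of the thread: a review-time check for the two cases linked above, lookalike characters in a hostname and invisible zero-width characters in text. It is a standard-library heuristic; the function names and the sample hostnames are constructed for illustration.

```python
import unicodedata

def invisible_chars(text):
    """Return (offset, 'U+XXXX') for every format-class (Cf) code point,
    which covers zero-width spaces/joiners and bidi controls."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(text)
            if unicodedata.category(c) == "Cf"]

def label_scripts(label):
    """Approximate each letter's script from its Unicode name prefix.
    The stdlib has no Script property, so this is a heuristic and will
    also flag legitimate mixes such as Hiragana plus CJK."""
    return {unicodedata.name(c, "UNKNOWN").split()[0]
            for c in label if unicodedata.category(c).startswith("L")}

def inspect_hostname(host):
    """Return a set of findings for a hostname as it would be displayed."""
    findings = set()
    for label in host.split("."):
        # Decode xn-- labels so the check sees what the user would see.
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                findings.add("invalid-punycode")
                continue
        if invisible_chars(label):
            findings.add("invisible-char")
        if not label.isascii():
            findings.add("non-ascii")
        if len(label_scripts(label)) > 1:
            findings.add("mixed-script")
    return findings

# Constructed samples: plain ASCII, Cyrillic 'a' (U+0430), zero-width space.
SAMPLES = ["example.com", "ex\u0430mple.com", "exam\u200bple.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        # ascii() makes the otherwise invisible difference visible.
        print(ascii(host), sorted(inspect_hostname(host)))
```
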
