I get that there won’t be any security updates. So any problem found can be exploited. But how high is the chance for problems for an average user if you say, only browse some safe websites? If you have a pc you don’t really care much about, without any personal information? It feels like the danger is more theoretical than what will actually happen.
Or… are there any examples of people (not corpos) getting wrecked in the past by an eol OS?
I guess that’s where I have a limited understanding of how Internet and maybe even exploits works: how would people even find my machine? There is little to no incentive, unlike with a corporation. They must know where my door is to even use the keys.
Can you just sort of do a brute force scan of all machines currently on the internet? Seems unlikely. In my mind, you can only access a machine if you have some idea about it’s whereabouts, either physically or digitally. But then again, I have no knowledge about these kinds of things.
The internet is cheap, like amazingly cheap. Connecting to every possible computer on the internet is something people do regularly, every minute.
Even if your computer was not directly accessible, the fact that it’s talking on the network is exploitable. There’ll be known payloads, known buffer overflows, known software packages, that can be targeted just by you browsing the web. Advertisement networks or a common delivery mechanism, websites get exploited, somebody send you a link, random messages going to your phone, going to your messenger, going to your email, anything that your computer processes can be a delivery payload mechanism.
There is no Safeway to run outdated software on the network at all in any capacity.
Thanks for the thorough explanation! Interesting stuff, the examples really helped me see the many different ways an attack could work.
Anyone who has services open to the internet sees constant attacks in their log files. I bet I could pull some attacks right now that are less than twenty minutes old.
fail2ban is a common software on Linux that helps defend against these attacks. When someone fails to log into your service three times, it bans their IP permanently. It’s generally issuing many bans a day.
They absolutely do scan every IP.
It’s debated whether software like fail2ban actually helps or if it just makes attacks visible that would anyways fail if you have up to date software. Oftentimes, defensive software adds attack-surface because it adds more software that can be targeted by attackers.
Fail2ban might help with protecting against exploiting of bad passwords though.
Tar pitting, rate limiting, banning failed attempts, are all critical security measures. If you let somebody try passwords, login attempts, with infinite speed, allow people to brute force your systems, you will get exploited
Even if you don’t get exploited, you can get asymmetrically DOSed. It takes a lot of compute power to deal with an authentication attempt, and not much compute power to put in a failed request
I totally agree about rate limiting, mostly against bad passwords that you are not in control of. But banning failed attempts is mostly not interesting if you ask me. It feels like the right thing to do, but IP addresses can change and other measures are better.
I agree. No ban should be permanent, just increasingly larger timeouts. If it’s a legitimate user they’ll have some other channel to reach out to to unban the IP
Check out shodan.io Search your own IP. There are plenty of state actor tools that do the same thing. vulnerable systems are targeted because they’re vulnerable, not because there’s a payout. Most of the time you’d just automate the attacks with something like msfconsole and a ruby script.