SoylentNews is people

posted by LaminatorX on Wednesday March 05 2014, @07:30AM
from the unplugging-the-network-cable dept.

Appalbarry writes:

"Microsoft is about to abandon Windows XP to the wolves. Fair enough it's ancient. However, there are still going to be a lot of XP boxes out there, and a fair number of them are unlikely to ever get upgraded until the hardware dies.

My question is: what's available to help make this old OS stay reasonably secure and safe for the people who can't or won't abandon it?

Over the years I've been through Central Point Antivirus, Norton, McAfee, AVG, stuff like Zone Alarm, and of course the various Microsoft anti-malware offerings. But since moving over to Linux I really haven't kept up on the wild and wonderful world of Windows security tools.

Suggestions?"

  • (Score: 5, Informative) by Marand on Wednesday March 05 2014, @07:33AM

    by Marand (1081) on Wednesday March 05 2014, @07:33AM (#11204) Journal

    Probably the safest way to deal with it is to run an OS that still receives updates, such as a Linux distro or newer Windows version, and put XP on a virtual machine using something like VirtualBox. Take away its access to the network completely and just use the software you need.

    Alternately, get a new computer and take the XP one off the network. Use it offline-only.

    • (Score: 5, Funny) by Anonymous Coward on Wednesday March 05 2014, @07:48AM

      by Anonymous Coward on Wednesday March 05 2014, @07:48AM (#11210)

      But nothing else runs IE5 quite as well as XP. You can't do this to me!

    • (Score: 5, Informative) by Bokononist on Wednesday March 05 2014, @08:33AM

      by Bokononist (3013) on Wednesday March 05 2014, @08:33AM (#11218)

      No amount of antivirus is going to stop an unpatched Windows box being successfully attacked, I think it's been mentioned a few times that the vulnerabilities that are going to be used by attackers are the ones that are reverse engineered from the patches handed out to supported Windows machines. These vulnerabilities will remain there forever, and as such the best advice is use it for an offline machine. The problem is that most people that are still on XP use it for web surfing and iTunes (and whatever dodgy filesharing site they can find, Bearshare usually). Now I know some are using it for legacy software etc. but these people are generally geeks and will heed the advice doled out here. Most users will not even be aware of what's happening, and this is a large majority imo, especially developing nations and the poorer parts of 1st world countries (facts pulled from my arse), these are the targets and they will be rinsed until their machine breaks and they have to buy a new one.
        The best advice, that is the advice that I think is the most likely to be listened to and therefore effective is to use a pirate copy of Windows 7 and save up for a genuine one in their own time, not that they'll follow the second bit. The only way you could get these people to use a VM is if you put a script on there to boot into it automatically, but we're talking about people who will likely not be aware this is happening so why would they come to you in the first place?

      --
      Beware of the man who works hard to learn something, learns it, and finds himself no wiser than before.
      • (Score: 5, Interesting) by VLM on Wednesday March 05 2014, @12:26PM

        by VLM (445) on Wednesday March 05 2014, @12:26PM (#11290)

        You could remove the word "unpatched" from the first line and still be correct.

        Most people stuck on XP in my experience are not surfing the web, they're running a $500K FTIR spectrometer, personally I run an old eprom programmer, or they're running a CNC machine tool, or a video generator / automation system in the broadcast industry, or something similar.

        If my eprom programmer lives behind a stateful firewall, never runs a web browser, never runs anything but the eprom programmer software which autostarts on boot, well, all that really matters is Samba continuing to support XP to make it easy to burn images. And if that goes away I'd use the web browser to download from an intranet site.

        I have two XP installs, one runs steam and nothing else for the games that don't run on linux steam, and one runs an eprom burner and nothing else. Fairly safe.

        • (Score: 1) by Runaway1956 on Wednesday March 05 2014, @03:17PM

          by Runaway1956 (2926) Subscriber Badge on Wednesday March 05 2014, @03:17PM (#11356) Journal

          We have an NT4 install at work that runs a sonic welder. It has NEVER been connected to any net, and you have to physically open the electrical cabinet, then access the little mini-tower in order to plug anything into it. It's perfectly secure - or so it seems. It's welded many millions of parts now, and it seems to still be doing the same job it has always done.

          I don't know how we got that Windows machine - we have several other welders produced by the same company, all of which run Linux.

          --
          We've finally beat Medicare! - Houseplant in Chief
        • (Score: 1) by ElderGeek on Wednesday March 05 2014, @03:59PM

          by ElderGeek (1387) on Wednesday March 05 2014, @03:59PM (#11372)

          I wish our CNC machine ran on XP, it only speaks NETBEUI and not the version packaged in Windows XP. I have run it in a Windows 98 VM. It seemed like a good idea back in '06, and it seems even a better idea now.

      • (Score: 0) by Anonymous Coward on Thursday March 06 2014, @02:59PM

        by Anonymous Coward on Thursday March 06 2014, @02:59PM (#11966)

        If people were concerned about security, they wouldn't use Windows. Windows 7 and 8 are vulnerable so why change?

    • (Score: 3, Interesting) by TheloniousToady on Wednesday March 05 2014, @01:46PM

      by TheloniousToady (820) on Wednesday March 05 2014, @01:46PM (#11316)

      In my case, the ongoing need I have for a couple of XP machines revolves around hardware and drivers, so the virtual machine idea doesn't apply. (I use some old specialized hardware whose drivers were never ported to the Vista+ driver model.) So, it looks to me like the only defense I have is to leave the machines off or disconnected from the network as much as possible. Along with the usual precautions of having a firewall, anti-virus software, and being selective in where I surf (probably not at all on those machines) and what I install (little, if anything), I don't think I'll run into any problems. Then again, maybe I'm being over-optimistic. We'll see.

      • (Score: 2, Informative) by TK on Thursday March 06 2014, @04:44PM

        by TK (2760) on Thursday March 06 2014, @04:44PM (#12041)

        I have a similar situation with computers running Windows 2000 (and soon the XP ones too), I've taken the first step by taking them off the network, but just in case they catch something from a filthy flash drive (or floppy, in some cases), I've backed the drives up in a raw format with DriveImage XML.
        http://www.runtime.org/driveimage-xml.htm [runtime.org]

        --
        The fleas have smaller fleas, upon their backs to bite them, and those fleas have lesser fleas, and so ad infinitum
    • (Score: 1) by fotonix on Wednesday March 05 2014, @09:39PM

      by fotonix (2922) on Wednesday March 05 2014, @09:39PM (#11533) Homepage

      This is the setup that has worked 80% for me. I dodged the Vista fiasco, didn't like 7 too much, and Win 8 confirmed a new path, away from windows. I moved to Linux and have XP in a VirtualBox VM. It has no internet / network and is certainly never used for any browsing. I run a few legacy apps for photo work.

      But I said 80%.... in the 20% is some paid-for panoramic software that others claim to have working perfectly in a VM. But not mine. Not my VM. I've had one other application do the same - it starts and vanishes. No log, no error, nothing.

      --
      Over-thought solutions get over-engineered and miss the user's requirements.
  • (Score: 5, Funny) by Anonymous Coward on Wednesday March 05 2014, @07:36AM

    by Anonymous Coward on Wednesday March 05 2014, @07:36AM (#11205)

    turn them into honeypots

    • (Score: 1) by nightsky30 on Wednesday March 05 2014, @12:40PM

      by nightsky30 (1818) on Wednesday March 05 2014, @12:40PM (#11294)

      The lentils have marked this as funny, and perhaps it is. But I think this is also a very good idea. The possibility that a box might be a honeypot might cause a would be attacker to think twice before attempting an XP intrusion. Of course this won't stop every attacker. I'm sure some love the challenge and risk. Overall, it might catch a few and deter a few.

    • (Score: 3, Funny) by muthauzem on Wednesday March 05 2014, @04:58PM

      by muthauzem (2084) on Wednesday March 05 2014, @04:58PM (#11397)

      Perfect opportunity for an aquarium XKCD Style: http://www.xkcd.com/350/ [xkcd.com]

  • (Score: 0) by crutchy on Wednesday March 05 2014, @07:44AM

    by crutchy (179) on Wednesday March 05 2014, @07:44AM (#11208) Homepage Journal

    hosts file*

    (c) apk

    • (Score: 0) by Anonymous Coward on Wednesday March 05 2014, @07:59AM

      by Anonymous Coward on Wednesday March 05 2014, @07:59AM (#11212)

      Spybot Destroyer Pro Platinum Gold PLUS AVG Silver Platinum Virus Buster Gold, PLUS Norton's Extra Security Privacy Plus Iron Lock Trojan Killer. I could go on...

    • (Score: 0) by Anonymous Coward on Wednesday March 05 2014, @01:34PM

      by Anonymous Coward on Wednesday March 05 2014, @01:34PM (#11311)

      Care to explain the joke? I know what the host file is and how to use it. But the joke is not there for me.

      • (Score: 3, Informative) by Bokononist on Wednesday March 05 2014, @02:48PM

        by Bokononist (3013) on Wednesday March 05 2014, @02:48PM (#11342)

        apk was a troll on Slashdot for a few months, he used to write ridiculously long posts extolling the great virtues of hosts files and the endless good that they could do. He would copy and paste each post he made and add a few sentences at a time until his posts were insanely long. The apk jokes are based around relief that he finally went away I think.

        --
        Beware of the man who works hard to learn something, learns it, and finds himself no wiser than before.
        • (Score: 2) by ticho on Wednesday March 05 2014, @03:23PM

          by ticho (89) on Wednesday March 05 2014, @03:23PM (#11359) Homepage Journal

          Months? Try years. Or was it really just months that seemed like years, thanks to all the scrolling past APK's posts?

        • (Score: 2, Informative) by cwix on Wednesday March 05 2014, @04:41PM

          by cwix (873) on Wednesday March 05 2014, @04:41PM (#11392)

          Be careful using his name. He is like Beetlejuice. If you say his name three times in one post he shows up.

        • (Score: 1) by basecase on Thursday March 06 2014, @06:48PM

          by basecase (1952) on Thursday March 06 2014, @06:48PM (#12121)

          Jeremiah Cornielius

    • (Score: 1) by gottabeme on Thursday March 06 2014, @06:49PM

      by gottabeme (1531) on Thursday March 06 2014, @06:49PM (#12122)

      Nooo!! Don't summon him!!! This is our chance to start over!! With a new tr--I mean, without him!!!

  • (Score: 5, Informative) by Popeidol on Wednesday March 05 2014, @08:02AM

    by Popeidol (35) on Wednesday March 05 2014, @08:02AM (#11214) Journal

    The best options are, of course: Disconnect from all networks, or run XP as a VM and always boot to a clean image.

    If you do need physical network-connected boxes, there's still a few steps you can take to mitigate the risk.

    1. Do not use IE. Use firefox with adblock+noscript. Do not install flash.
    2. Use slightly-less-common software to reduce attack vectors. Libreoffice instead of office 2003, sumatraPDF instead of adobe reader, etc.
    3. Firewalls. Use a physically separate firewall, not just the built-in windows variety.
    4. Reduce the attack surface. Disable all unnecessary windows services (and any other software you don't need running).
    5. Antivirus. You seem to have a handle on that one already.
    6. If there are other machines on the network, you might want the XP machine(s) on a separate vlan. Treat it as already compromised.
    7. And of course, keep up-to-the-minute backups of everything.

    You could also try a product like Deep Freeze [faronics.com] which resets the OS partition to a known clean state after each reboot (careful where you save your data!).

    Given the time and money it'd take, it's probably easiest just to keep a strong backup system and prepare to replace it when the inevitable happens.

    • (Score: 1) by BradleyAndersen on Wednesday March 05 2014, @02:00PM

      by BradleyAndersen (3383) on Wednesday March 05 2014, @02:00PM (#11323) Homepage
      Given the time and money it'd take

      that's exactly why there will always be XP machines around ... time and money constraints. it's also why we still have Cobol programmers making more money than I do :)

    • (Score: 2, Informative) by tibman on Wednesday March 05 2014, @03:44PM

      by tibman (134) Subscriber Badge on Wednesday March 05 2014, @03:44PM (#11366)

      Sandboxie is a good option as well. You can run any application that does outside communication or consumes media inside a sandboxie container.

      When an application writes to disk it is virtual. To the application (and any other application in the container) the data is there. You can explore this data or just wipe it. Makes it easy to export configs, downloads, or anything that your applications generate back to the real file-system.

      The only gotcha is applications that require admin access to run. Pretty sure they can punch through the container or do things that sandboxie can't control.

      --
      SN won't survive on lurkers alone. Write comments.
    • (Score: 2, Informative) by _NSAKEY on Wednesday March 05 2014, @05:25PM

      by _NSAKEY (16) on Wednesday March 05 2014, @05:25PM (#11408)

      In regards to reducing the attack surface, I always felt that the part about disabling services in this guide was fun: https://web.nvd.nist.gov/view/ncp/repository/checklist/download?id=125 [nist.gov] I spent a weekend in 2007 or so making my own custom XP image that was stripped down and hardened to the "SSLF Laptop" guidelines.

    • (Score: 1) by Common Joe on Thursday March 06 2014, @06:35AM

      by Common Joe (33) <reversethis-{moc ... 1010.eoj.nommoc}> on Thursday March 06 2014, @06:35AM (#11795) Journal

      Is there any good way to authorize an XP box without an Internet connection or do we still have to call up Microsoft? (Haven't done it in a while.)

  • (Score: 5, Informative) by Luke on Wednesday March 05 2014, @08:59AM

    by Luke (175) on Wednesday March 05 2014, @08:59AM (#11222)

    I manage upwards of 1000 machines across a variety of businesses. I also run XP on my own machine (these days inside a VM on a Linux host, but that's another story).

    In the case of my clients' machines they are almost always behind a proxy server, do not have any DNS entries, run a lightweight antivirus, do not use IE (and if they use Lookout the IE engine is prevented from accessing the 'net via a proxy rule).

    What's so interesting about that?

    Well, *none* of them have any updates installed from a bare SP3 install (if using XP). This is by design, following a particularly bad M$ update a few years ago...

    In general they do not have any issues, very rarely get a virus and almost never require re-imaging.

    My point of course is that, carefully managed, the world isn't going to end once M$ halts their update program, and there's no reason why XP-based machines couldn't continue to serve a useful life for some years to come.

    In my view there are two main reasons why this works. The first of course is the network design and protection used. The second, and most important I think, is user education. Almost all of the machines are used by people with a modicum of intelligence, who are regularly exhorted *not* to click on random email links, not to believe it when some website tells them they have a virus and all the rest of the sensible things that interweb-aware people should know. Every now and then someone messes up and a problem occurs, but there's nothing to say that wouldn't have happened if the machines were 'up to date' in any event, and usually the perp gets his or her misdemeanour publicly aired so they all learn from it.

    In my own case I've used XP since it came out (and all the M$ OS's before that). I *don't* have anti-virus, my machine is direct on the 'net and other than the usual FF plugins I don't have anything else installed that protects the machine. I've not had a virus in at least ten years, probably much more than that in fact. Again I would put this down to education - and that, along with my clients, the machine is used as a business tool; there are no games or any entertainment applications or websites used.

    I realise the latter may be an anathema to some of you (horses for courses of course) but I should think the main premise would still apply - operate carefully, use recognised sites/games, avoid Nigerian money and you should be ok.

    Oh, the other story? Well it's the year of the Linux desktop don't ya know - and I *refuse* to have anything to do with W8 so good ol' XP serves to run anything I need on a M$ platform (and the case has a genuine XP sticker!)...

    • (Score: 2, Insightful) by Gremlin on Wednesday March 05 2014, @10:09AM

      by Gremlin (2959) on Wednesday March 05 2014, @10:09AM (#11247)

      The user is definitely the weak point.

      Up until very recently my dad was running XP, since around 2005. I had him use Opera for browsing and gave him a pep talk on not clicking on suspicious links, responding to dodgy emails etc. He has had exactly ZERO problems in that time.

      Of course if he was browsing porn sites or installing software on a whim then this could be a totally different story. But for your average user, educated on not downloading toolbars, installing software to find mp3's etc I see no problem with using XP.

      • (Score: 1) by GeminiDomino on Wednesday March 05 2014, @02:23PM

        by GeminiDomino (661) on Wednesday March 05 2014, @02:23PM (#11330)

        Of course if he was browsing porn sites or installing software on a whim then this could be a totally different story. But for your average user, educated on not downloading toolbars, installing software to find mp3's etc I see no problem with using XP.

        Your "average user" is more likely going to be the one "browsing porn sites or installing software on a whim" than the one for whom "educated on not downloading toolbars, installing software to find mp3's etc" takes hold.

        --
        "We've been attacked by the intelligent, educated segment of our culture"
        • (Score: 2) by VLM on Wednesday March 05 2014, @06:55PM

          by VLM (445) on Wednesday March 05 2014, @06:55PM (#11461)

          It depends on personal perception. Is your average user my mother in law, or a teenage boy?

          • (Score: 1) by GeminiDomino on Wednesday March 05 2014, @08:41PM

            by GeminiDomino (661) on Wednesday March 05 2014, @08:41PM (#11506)

            Personal anecdotal evidence says: your mother-in-law. The teenage boys probably aren't on XP anymore unless they're on their grandmother's computers now. :)

            Still, when it comes to solutions, you have to develop for the X factor. "Education" didn't cut it for the past 13 years, why would it work now?

            --
            "We've been attacked by the intelligent, educated segment of our culture"
    • (Score: 1) by MozeeToby on Wednesday March 05 2014, @04:53PM

      by MozeeToby (1118) on Wednesday March 05 2014, @04:53PM (#11396)

      My point of course is that, carefully managed, the world isn't going to end once M$ halts their update program, and there's no reason why XP-based machines couldn't continue to serve a useful life for some years to come.

      Part of the concern being raised is that the black hats know the drop dead date is coming and have been sitting on zero days waiting for the opportunity to attack with no one on the other side actively defending. Your precautions all make sense, and you might even be okay but there are lots and lots of people who haven't taken those kinds of precautions and wouldn't know how to even if they wanted.

  • (Score: 4, Interesting) by gallondr00nk on Wednesday March 05 2014, @09:06AM

    by gallondr00nk (392) on Wednesday March 05 2014, @09:06AM (#11223)

    I've decided to keep an XP box simply because of hardware issues. It's only really used for older games, and barely gets online.

    If you want to install x64 Windows 7, it mandates having signed drivers. There doesn't seem to be a way of getting around it. So this means my Adaptec SCSI card, despite having Windows 7 and Vista drivers, won't install because Adaptec understandably didn't want to fork out $$$ for driver signing on legacy hardware.

    If it becomes a problem, I'll probably just install 32 bit Windows 7 (which doesn't require driver signing), but that means giving up extra RAM. 7 in any form also means giving up a loyal but ancient colour laser printer.

    You've got to love an OS that arbitrarily dictates terms to you..

    The most obvious advice I'd give is *don't log in as admin*. You can escalate permissions just fine in most scenarios, though it isn't as seamless as 7/Vista UAC.

    • (Score: 5, Informative) by damnbunni on Wednesday March 05 2014, @10:38AM

      by damnbunni (704) on Wednesday March 05 2014, @10:38AM (#11253) Journal

      I have unsigned drivers installed in Win7/64 bit. There's a bit of command line hackery involved, but nothing too terrible.

      Open a command line as admin, and:

                bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS

                bcdedit -set TESTSIGNING ON

      If you don't want to be bothered with the CLI, there's also a program called EasyBCD that has a tickbox in its 'Advanced' section to disable the driver signature check.

      • (Score: 2) by gallondr00nk on Wednesday March 05 2014, @11:02AM

        by gallondr00nk (392) on Wednesday March 05 2014, @11:02AM (#11260)

        Indeed, I've used the method on other machines. The trouble is I believe it needs a reboot, which is out of the question on the installation DVD.

      • (Score: 2) by VLM on Wednesday March 05 2014, @06:59PM

        by VLM (445) on Wednesday March 05 2014, @06:59PM (#11465)

        I remember when windows admins used to make fun of how unintuitive and complicated linux admin work was, especially the command line access. The times certainly change.

  • (Score: 3, Funny) by Anonymous Coward on Wednesday March 05 2014, @09:14AM

    by Anonymous Coward on Wednesday March 05 2014, @09:14AM (#11224)

    That's the only way to be sure.

    • (Score: 1) by desgua on Wednesday March 05 2014, @08:56PM

      by desgua (876) on Wednesday March 05 2014, @08:56PM (#11512)

      Will it blend?

    • (Score: -1) by Anonymous Coward on Thursday March 06 2014, @11:29AM

      by Anonymous Coward on Thursday March 06 2014, @11:29AM (#11874)

      There's nothing wrong with hardware if it is currently running XP.
      All it needs is some modern, SUPPORTED software.
      Hell, I still have a Pentium 2 perking (running Linux, of course).

      To the OP: Solutions will depend on the use case.

      1) For 99.9 percent of boxes running XP, simply install Linux beside the existing OS (aka dual boot). The typical Linux distro ships with more useful apps than M$ ever considered bundling without extra cost. Many folks find that all of their needs are met by the default install of a Linux distro; if not there is the package manager that is included.
      After you have verified that all needs have been met, use GPartEd (on your bootable install media) to reclaim the drive space occupied by the obsolete OS.

      Note that residents of Munich should have already picked up one of the thousands of Ubuntu disks handed out gratis by their city fathers.

      Other Windoze users around the world would do well to get Zorin OS. If the box is truly ancient and anemic, there is Zorin OS Lite which runs LXDE (Lightweight X11 Desktop Environment).
      Like Linux Mint, Zorin ships with proprietary drivers, Flash, Java, yada, yada, yada.
      Unlike Mint, Zorin ships with WINE. WINE is a compatibility layer that allows tens of thousands of apps that were written for Windoze to run under Linux.

      2) If a client (contractor) or employer (traditional employee) requires you to run a "Windoze-only" app where there is no non-Windoze app as a substitute/option, see WINE (above).

      If WineHQ doesn't have at least a bronze rating for that app and/or it doesn't Just Work(tm) under WINE, install VirtualBox (a FOSS virtual machine) and install Windoze in that.
      Be sure to make a snapshot of your virtual Windoze install immediately after getting it how you want it so that it is easy to replace when it gets pwned or self-destructs.

      3) Some part of your hardware is "Windoze-only".
      Have you actually tried Linux this decade? Linux has the BEST hardware support of ANY operating system. (Linux supports new gear better than old proprietary OSes and supports old gear better than new proprietary OSes.)

      Some people are simply shocked when they connect their devices to a box running Linux and those obscure gizmos Just Work(tm).
      This is sometimes after having put in effort to get those working under a proprietary OS and failing.

      ...and some people buy newer, better-supported peripherals to replace poorly-supported relics.

      --------

      Now, as far as Windoze and the anti-virus nonsense, don't forget that there's user-supplied data that M$ has decided to allow into Ring0: macro viruses, font viruses, image viruses.
      Stupid, stupid, stupid.
      If it wasn't for M$'s poor designs and their 4th-rate support, there would be no need for an anti-virus app on any computer.

      As for those saying "Train the user", that's another way of saying "Blame the user".
      Just get Linux.

      -- gewg_

  • (Score: 1) by WizardFusion on Wednesday March 05 2014, @09:27AM

    by WizardFusion (498) on Wednesday March 05 2014, @09:27AM (#11230) Journal

    I use XP at home for a few VMs that I have running, mostly because it used far less resources than 7.
    An XP VM is quite happy with 256mb RAM for a simple network monitor (PRTG), or other small apps.

    There will still be patches for Windows 2003, and since it's the same codebase, I am sure they will work for XP too.

  • (Score: -1, Troll) by Anonymous Coward on Wednesday March 05 2014, @09:28AM

    by Anonymous Coward on Wednesday March 05 2014, @09:28AM (#11231)

    is put it back in its original cardboard box and leave that at the bottom of a dumpster.

  • (Score: 3, Insightful) by Anonymous Coward on Wednesday March 05 2014, @10:09AM

    by Anonymous Coward on Wednesday March 05 2014, @10:09AM (#11248)

    Limit the attack vectors:

    - Disable any network-related service you don't use. Bind any you do use to localhost.

    - Put it behind a hardware firewall or NAT router.

    - Keep your browser (including plugins like Flash) up to date. The browser should be the only attack vector left, so that's what you need to worry about. That probably rules out IE (No updates for XP is likely to include no IE updates). So use Chrome or Firefox.

    - Anti virus programs are a false sense of security. They only catch the old bad stuff, and it's the new bad stuff you need to worry about. Think "do I really want to open this file", rather than "my anti virus says this file is ok". Plus anti virus software has holes too. Most people don't realise this. Without an anti virus program, your browser (assuming not IE4) will ask you what to do with the file. That gives your brain a chance to stop any attack. With an anti virus program with a security hole, browser downloads file, but before you get asked what to do with it, the anti virus program will "scan" the file. Now imagine a buffer overrun exploit in the anti virus program. Your computer will be "pwned" before you even get asked "do you want to open HotNakedWomen.EXE".
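
Added example, not part of any comment in this thread: one way to check the "disable any network-related service you don't use, bind any you do use to localhost" advice above (and the "disable all unnecessary windows services" step in the earlier list) is to audit which sockets are still reachable from off the box. The sample `netstat -ano` output, the allowlist and all function names are constructed for illustration.

```python
"""Flag listening sockets that are reachable from the network.

Input is the text printed by `netstat -ano` on Windows. Anything bound to
a non-loopback address and not on the allowlist is reported, together with
the owning PID so it can be mapped back to a service and disabled.
"""
import ipaddress
from typing import NamedTuple

# Constructed sample output from a hypothetical XP machine (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1820
  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.23:1045      192.168.1.10:445       ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:123          *:*                                    1004
  UDP    192.168.1.23:137       *:*                                    4
  UDP    192.168.1.23:1900      *:*                                    1180
"""


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int


def parse_listeners(netstat_text):
    """Return every TCP socket in LISTENING state and every bound UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a State column; UDP rows do not.
        if proto == "TCP" and (len(fields) < 5 or fields[3] != "LISTENING"):
            continue
        host, _, port = local.rpartition(":")
        # IPv6 is printed as [addr%scope]:port; drop brackets and scope id.
        host = host.strip("[]").split("%", 1)[0]
        try:
            ipaddress.ip_address(host)  # validate before storing
            listeners.append(Listener(proto, host, int(port), int(fields[-1])))
        except ValueError:
            continue  # unparseable row: skip rather than guess
    return listeners


def audit(netstat_text, allowed=frozenset()):
    """Return listeners reachable off-box that are not in `allowed`.

    `allowed` is a set of (proto, port) pairs the machine is meant to expose.
    0.0.0.0 and LAN addresses count as exposed; 127.0.0.0/8 and ::1 do not.
    """
    findings = [
        l for l in parse_listeners(netstat_text)
        if not ipaddress.ip_address(l.addr).is_loopback
        and (l.proto, l.port) not in allowed
    ]
    return sorted(findings, key=lambda l: (l.proto, l.port))


if __name__ == "__main__":
    # Assumption: this box is only meant to offer SMB file sharing on TCP 445.
    for f in audit(SAMPLE_NETSTAT, allowed={("TCP", 445)}):
        print(f"{f.proto} {f.addr}:{f.port} is network-reachable (PID {f.pid})")
```

An empty result means every remaining listener is either bound to loopback or deliberately allowed; each reported PID is a service to disable or rebind.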

    • (Score: 1) by WizardFusion on Wednesday March 05 2014, @11:20AM

      by WizardFusion (498) on Wednesday March 05 2014, @11:20AM (#11272) Journal

      This. It's all about common sense (which isn't that common anymore)
      It's the same for any device you connect to the Big Bad World (tm), make sure the attack vectors are as small as possible.

      This principle was known about in Roman times! https://en.wikipedia.org/wiki/Arrowslit/ [wikipedia.org]

    • (Score: 0) by Anonymous Coward on Wednesday March 05 2014, @02:02PM

      by Anonymous Coward on Wednesday March 05 2014, @02:02PM (#11324)

      Does anyone care to recommend a good consumer-grade hardware firewall?

  • (Score: 2, Funny) by TheGrim on Wednesday March 05 2014, @10:30AM

    by TheGrim (3003) on Wednesday March 05 2014, @10:30AM (#11251)

    Move to China.

    Depending on your definition of 'easy'.

  • (Score: 2, Insightful) by Anonymous Coward on Wednesday March 05 2014, @11:42AM

    by Anonymous Coward on Wednesday March 05 2014, @11:42AM (#11278)

    There is only one choice you can make that will keep XP secure.

    Erase it from your disks and install Linux instead.

    • (Score: 2) by VLM on Wednesday March 05 2014, @07:08PM

      by VLM (445) on Wednesday March 05 2014, @07:08PM (#11468)

      In this modern era of mobile devices, just use the gmail app on your phone and the facebook app on your phone. How to protect my son's old computer for email was a puzzle to me as a linux/unix guy, but it was explained to me that no one uses email on their desktops anymore. It's all tablet and email is only for corporate receipts and the like. Non corporate conversations between people no longer use email, all text or IM or facetime or google hangouts or whatever.

      It's like being concerned about my son's teletype machine or telegraph key. I mean, I have stuff like that for ham radio fooling around, but normal people don't.

      Why use email (aka gmail) or web (aka facebook) on an old computer at all, ever?

  • (Score: 4, Interesting) by nightsky30 on Wednesday March 05 2014, @12:29PM

    by nightsky30 (1818) on Wednesday March 05 2014, @12:29PM (#11291)

    1) Install Linux. This is easily and cheaply done. It's secure, and it works.

    2) Unplug the XP box, disable wifi, disable any network adapter, and never ever connect it to any network again. You have something secure, but even more stone age than XP ever was by itself.

    3) You can try and load up XP with all sorts of Anti-malware/Antivirus software. You can attempt to load a good third party firewall. Ultimately some exploit will be found that affected the newer versions of Windows as well as XP. It will be traced back and reverse engineered. You will stumble on a page or click a link which will open the door to anyone who wants in your box. Hell, someone might just come looking for you, and walk right in without your help. Keep connected to the interwebs with your old, unsupported OS, and you will eventually be compromised.

    • (Score: 2) by hatta on Wednesday March 05 2014, @04:12PM

      by hatta (879) on Wednesday March 05 2014, @04:12PM (#11376)

      You will stumble on a page or click a link which will open the door to anyone who wants in your box. Hell, someone might just come looking for you, and walk right in without your help. Keep connected to the interwebs with your old, unsupported OS, and you will eventually be compromised.

      I keep my XP SP2 box online with few problems. No, I don't use it for general purpose browsing, that would be suicide. But if you block incoming ports at the router, disable scripting on your browser, and run only known safe software, there's not many attack vectors left.

      • (Score: 0) by Anonymous Coward on Thursday March 06 2014, @03:42AM

        by Anonymous Coward on Thursday March 06 2014, @03:42AM (#11719)

        I keep *my* XP SP2 box online with no problems, and I *do* use it for general purpose browsing. Am not dead as yet!

        I use Firefox with Adblock, of course, and also have Avast running. Have copies of Malwarebytes Anti-Malware, Superantispyware and Rootkit Revealer to hand for an occasional check, but they've never found anything yet. I use VLC rather than WMP. I *don't* bother to run NoScript, and I *do* still use Flash to play games etc.

        I haven't downloaded a single update since MS dropped support for SP2. If my box is rooted, then they've done a VERY good job of doing it very silently and invisibly. However, just in case, and because I'm not *completely* stupid, I do all my banking using an Ubuntu Live CD on an old hard-drive-less laptop rather than my XP box.

        I am mystified by the rate some people get malware. I've had Avast pop up twice in the last three years, in both cases an attempted drive-by iframe hijack that it blocked. Maybe it's because I don't surf traditional porn sites (I prefer to get my kicks by perving with real-life women I know online) - on the rare occasions I feel the need, it's back to the Ubuntu laptop for that.

        So far I think the danger has been greatly exaggerated. Of course, as has been pointed out, once all the zero-day exploits come out after April, that may well be a different matter... so Linux Mint here I come, I guess (my XP machine isn't up to Windows 7).

        Posted anonymously as I don't want to give anyone a challenge... :-)

  • (Score: 3, Interesting) by martyb on Wednesday March 05 2014, @01:52PM

    by martyb (76) Subscriber Badge on Wednesday March 05 2014, @01:52PM (#11320) Journal

    To the editor: excellent story for discussion... timely AND nerd-y!

    Background: I have a little 1GHz / 1GB 32-bit netbook and a 1-2GHz / 1.25 GB 64-bit athlon. Both are running XP-Home/SP3.

    Problem: As much as I would *like* to move to linux or BSD or the like, I have literally *hundreds* of batch programs (foo.bat or foo.cmd) that I've written over the past 20 years. I use these regularly.

    I sense my short-term best option is to get a new machine with Win 7 on it, and port my tools to that. Later, I can look to porting it all to a linux-like environment.

    Question: Have any of you found yourself in the same position? What did you do?

    --
    Wit is intellect, dancing.
    • (Score: 3, Insightful) by lentilla on Wednesday March 05 2014, @03:32PM

      by lentilla (1770) on Wednesday March 05 2014, @03:32PM (#11362)

      This will be your experience whilst ever you stay with Windows. Let's say you port to Windows 7. In ten years' time you will have THIRTY years' worth of batch files, will be worrying about porting to Windows 13 and will be considering "moving to Linux".

      The only way to circumvent this "Groundhog Day" of computing is to make the break - waiting will only make the switch more complex and will make the cost higher (as you write more scripts).

      If I were you and I really wanted to ditch Windows? I'd do it as soon as possible. Put your existing installation into a virtual machine and run any "mission critical" scripts from there. Force yourself to do day-to-day tasks in the new OS.

      The only way to break the addiction is to stop feeding it. I guarantee that if this is what you actually want you will not regret making the leap.

      One last piece: when you buy a new computer, resist the urge to "try out" the new version of Windows. Nuke it immediately. Install it as a virtual machine if you must but don't make the mistake of thinking "I'll just try it out...".

      • (Score: 1) by WizardFusion on Wednesday March 05 2014, @04:42PM

        by WizardFusion (498) on Wednesday March 05 2014, @04:42PM (#11393) Journal

        Every single time I buy a new machine I nuke it anyway and install Windows from my TechNet licence. I don't want all the crap that comes with a new machine.

      • (Score: 1) by denmarkw00t on Wednesday March 05 2014, @06:25PM

        by denmarkw00t (2877) on Wednesday March 05 2014, @06:25PM (#11439)

        The only way to break the addiction is to stop feeding it.

        Precisely. The original question in the summary of "What should I do to keep XP going" is the wrong question altogether. No one should be doing anything to keep XP going if MS is dropping it - honestly. The fact of it is, if you don't move on you'll get bit at some point - I'm almost willing to put up money that someone out there is sitting on an exploit and waiting to release it a few months after XP is "dead" and then they'll have a nice little set of pwnd boxes spanning 50% of desktops in the world.

        --
        buck feta
      • (Score: 2) by jt on Wednesday March 05 2014, @11:38PM

        by jt (2890) on Wednesday March 05 2014, @11:38PM (#11593)

        Agreed - the longer you leave it, the bigger the job. Might as well get on with it.

        Three paths to consider.
        1. Stick with Windows but move to Win7 and port your scripts to PowerShell. It's a world away from command.com and surprisingly powerful.
        2. Move over to the free world and port your scripts to ksh/bash/whatever. I don't know what your scripts do, but the old Windows batch language is not exactly awash with advanced features unavailable in *nix shells.
        3. Start transitioning to a shell or scripting language like Python, one script at a time, in your current working environment. Do one at a time to keep confidence that the ecosystem still works. Before long you'll find you've ported the whole lot, and are now platform independent.

        • (Score: 2) by martyb on Thursday March 06 2014, @02:07PM

          by martyb (76) Subscriber Badge on Thursday March 06 2014, @02:07PM (#11933) Journal

          jt (2890) wrote:

          Agreed - the longer you leave it, the bigger the job. Might as well get on with it.

          I'm in agreement with that.


          Three paths to consider.
          1. Stick with Windows but move to Win7 and port your scripts to PowerShell. It's a world away from command.com and surprisingly powerful.

          Have considered this but when last I looked, the powershell I found available for what I have (XP-home/SP3) is limited, and I'd rather not add further entanglements to the windows environment... would make it even harder to transition away in the future.


          2. Move over to the free world and port your scripts to ksh/bash/whatever. I don't know what your scripts do, but the old Windows batch language is not exactly awash with advanced features unavailable in *nix shells.

          That would be ideal. I'm familiar with the Unix command environment and have experience with bash, so I like that idea. Several years ago I found a bash implementation that ran under windows: win-bash [sourceforge.net] but it looks like it has not been maintained???

          Does anyone here have experience with this? I'm curious as to how stable, solid, and compatible it is with what I'd find under the various distros out there.


          3. Start transitioning to a shell or scripting language like Python, one script at a time, in your current working environment. Do one at a time to keep confidence that the ecosystem still works. Before long you'll find you've ported the whole lot, and are now platform independent.

          I agree that would be the ideal solution. I just re-downloaded win-bash and will play around with it a bit.

          If anyone here has experience with other compatible shells they could recommend, I'd love to hear about it!

          Thanks for the suggestions!

          --
          Wit is intellect, dancing.
      • (Score: 2) by martyb on Thursday March 06 2014, @02:22PM

        by martyb (76) Subscriber Badge on Thursday March 06 2014, @02:22PM (#11940) Journal

        lentilla (1770) wrote:

        This will be your experience whilst ever you stay with Windows. Let's say you port to Windows 7. In ten years' time you will have THIRTY years' worth of batch files, will be worrying about porting to Windows 13 and will be considering "moving to Linux".

        The only way to circumvent this "Groundhog Day" of computing is to make the break - waiting will only make the switch more complex and will make the cost higher (as you write more scripts).

        Excellent point. That's exactly where I'm at.


        If I were you and I really wanted to ditch Windows? I'd do it as soon as possible. Put your existing installation into a virtual machine and run any "mission critical" scripts from there. Force yourself to do day-to-day tasks in the new OS.

        At the moment, running in a VM is not an option on my current system. Don't have the compute power or memory to handle it. I'm in the market for a new box and will definitely keep this in mind.


        The only way to break the addiction is to stop feeding it. I guarantee that if this is what you actually want you will not regret making the leap.

        Makes sense to me.... thanks for summing it up so succinctly.


        One last piece: when you buy a new computer, resist the urge to "try out" the new version of Windows. Nuke it immediately. Install it as a virtual machine if you must but don't make the mistake of thinking "I'll just try it out...".

        Duly noted! Thanks for the feedback. I guess my hangup is finding a distro that has some staying power (e.g. no gratuitous UI changes), and that is supported on whatever new box I get.

        I'm leaning towards a laptop and am open to hearing people's experiences with running Linux on their system. I've heard various things about driver support, especially with respect to video AMD vs NVidia.

        --
        Wit is intellect, dancing.
    • (Score: 1) by etherscythe on Wednesday March 05 2014, @07:55PM

      by etherscythe (937) on Wednesday March 05 2014, @07:55PM (#11491) Journal

      Might be helpful to see exactly what you're doing with them. Much of the command structure is the same from XP to 7 (if anything there are more options now). You can even port to Bash by taking the commands that Linux does not have and simply making an alias to the rough equivalent (DIR>LS for example) in many cases, depending how complex it is.

      I wrote a script, for example, that allows me to use OEM activation certificates and SLP keys to activate Windows XP, Vista and 7 on client computers with a fresh reload. It works pretty universally across all of them except where the back-end activation (SLMGR) does not exist on certain platforms (XP). I converted it to an EXE file, but that was mainly for ease of including all the certificate files into an easy, uncluttered format (single .exe file rather than dozens of xrm-ms files and a few bat files).

      If nothing else, there is DOSBox, which I even have running on my N900.

      --
      "Fake News: anything reported outside of my own personally chosen echo chamber"
      • (Score: 2) by martyb on Thursday March 06 2014, @01:33PM

        by martyb (76) Subscriber Badge on Thursday March 06 2014, @01:33PM (#11911) Journal

        etherscythe (937) wrote:

        Might be helpful to see exactly what you're doing with them. Much of the command structure is the same from XP to 7 (if anything there are more options now). You can even port to Bash by taking the commands that Linux does not have and simply making an alias to the rough equivalent (DIR>LS for example) in many cases, depending how complex it is.

        Fantastic point! And probably no simple answer. To complicate matters, over the years I've installed several Unix command utilities and have integrated these into my batch programs, too. I tried cygwin but the install broke and messed up my system. Then I found GNU coreutils, fsutils, and updates to them. Then discovered GnuWin32. Still later found ezwinports. So I've got quite the frankenstein environment there. Have not yet found a stable command-line shell (like bash) that I could run things with, so just kept plugging along with CMD.EXE, such as it is.

        I'm open to suggestions for a stable port of, say, bash that I could migrate over to on windows, and then run them *unchanged* on a linux host. It's been a while since I looked and am hoping the community here may be able to offer recommendations.

        If nothing else, there is DOSBox, which I even have running on my N900.

        Never tried DOSBox; sounds interesting! OTOH, I've turned on command extensions and take advantage of them in many places. I've used PC/MS DOS since version 3.0, so I'm sure I could adapt, eventually, but would like to know how far its support goes to emulating what I've got now.

        I'm interested in people's experiences and pointers.

        Thanks so much for the feedback!

        --
        Wit is intellect, dancing.
  • (Score: 3, Insightful) by r00t on Wednesday March 05 2014, @02:52PM

    by r00t (1349) on Wednesday March 05 2014, @02:52PM (#11343)

    You could do something like put Linux in front of it as a hardware firewall, that would negate any software firewall compromise on the XP box but you still have the problem of internet access. One bad web browser exploit or Email malware/phishing and the thing is pwned. Firewall or not. Any OS is caught up in an arms race of patches vs. threats but Windows especially has a miserable track record. Running a Windows install that isn't getting any patches is just a question of "when" it will get smoked.
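The firewall-in-front arrangement r00t describes (and the "block incoming ports at the router" approach mentioned earlier in the thread), written out as an nftables ruleset for the Linux gateway. This is an added example, not part of any poster's comment; the interface names, the XP address and the table names are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: ruleset for a Linux gateway placed between an XP box and the Internet.
# Assumes IPv4 forwarding is enabled on the gateway (net.ipv4.ip_forward=1).
flush ruleset

define WAN_IF  = "eth0"          # assumed: uplink toward the router/ISP
define LAN_IF  = "eth1"          # assumed: segment that holds only the XP box
define XP_HOST = 192.168.50.10   # assumed: static address given to the XP box

table inet xp_gateway {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # The gateway offers no services to the XP segment; log any attempt.
        iifname $LAN_IF log prefix "xp-to-gw-drop " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections the XP box opened are allowed back in.
        ct state established,related accept
        ct state invalid drop

        # Already covered by the default drop; separate counters show
        # whether the XP box is trying to speak RPC/NetBIOS/SMB outward.
        iifname $LAN_IF tcp dport { 135, 139, 445 } counter drop
        iifname $LAN_IF udp dport { 137, 138 } counter drop

        # Outbound allow-list: DNS and web only.
        iifname $LAN_IF oifname $WAN_IF ip saddr $XP_HOST udp dport 53 accept
        iifname $LAN_IF oifname $WAN_IF ip saddr $XP_HOST tcp dport { 53, 80, 443 } accept

        # Everything else, including every new connection from the WAN
        # side toward the XP box, is logged and dropped.
        log prefix "xp-fwd-drop " counter drop
    }
}

table ip xp_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF ip saddr $XP_HOST masquerade
    }
}
```

The outbound 80/443 rule is the exposure the comment points to: the gateway stops unsolicited inbound traffic but cannot tell a benign page from one carrying a browser exploit. Rising counters on the drop rules are worth checking, since they show the XP box attempting traffic it was never meant to send.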

  • (Score: 2, Interesting) by hendrikboom on Wednesday March 05 2014, @02:56PM

    by hendrikboom (1125) Subscriber Badge on Wednesday March 05 2014, @02:56PM (#11345) Homepage Journal

    Using a VM under Linux seems to be the way to go if the legacy software needs to be net-connected. You can keep backups of the entire VM within Linux, so it will be possible to back out of trouble if it should occur.

    Which brings up some follow-up questions.

    (1) Which VM is appropriate? safe? efficient?

    (2) Is there a VM that can take an existing Windows system and virtualise it, or is it necessary to start with a fresh XP install on the virtual machine?

    -- hendrik

    • (Score: 2, Informative) by dilbert on Wednesday March 05 2014, @04:31PM

      by dilbert (444) on Wednesday March 05 2014, @04:31PM (#11385)

      1. I personally prefer VirtualBox to VMware Workstation.
      2. A quick search turned up this [addictivetips.com]. While the article focuses on using the virtual disk in Workstation, it should work in VirtualBox too.
      • (Score: 1) by hendrikboom on Monday March 10 2014, @06:18PM

        by hendrikboom (1125) Subscriber Badge on Monday March 10 2014, @06:18PM (#14153) Homepage Journal

        Are both Virtualbox and VMware proprietary? If so, I may just end up meeting the same fate with them as with Windows XP now. And do they run under Linux?

        • (Score: 1) by dilbert on Monday March 10 2014, @06:37PM

          by dilbert (444) on Monday March 10 2014, @06:37PM (#14167)

          VirtualBox is open source and available under a GPLv2 license. Oracle does have a proprietary 'Extension Pack' which enables things like USB support, but it's not required.

          Excerpted from https://www.virtualbox.org/ [virtualbox.org]:

          VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use. Not only is VirtualBox an extremely feature rich, high performance product for enterprise customers, it is also the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License (GPL) version 2.

          VMware offers VMware Player at no charge, but it's not open source. VMware Workstation is not available at no charge, but had additional features above VMware Player.

        • (Score: 1) by dilbert on Monday March 10 2014, @06:42PM

          by dilbert (444) on Monday March 10 2014, @06:42PM (#14171)

          And do they run under Linux?

          VirtualBox and Workstation are both supported on Linux.

          At home I use VirtualBox on Linux every day without any issues.

          I've used Workstation at work on a Win7 machine, but I've never used Workstation on a Linux box.

  • (Score: 3, Interesting) by RobotLove on Wednesday March 05 2014, @04:16PM

    by RobotLove (3304) on Wednesday March 05 2014, @04:16PM (#11383)

    I do a lot of project work for other customers, and we frequently log in through their VPN (usually Cisco or Juniper). Getting these VPN clients to work in anything other than XP and IE8 is almost impossible. I've spent days on the phone with tech support trying to get their VPNs to work, eating up valuable project time. Almost always we end up just going to my XP image and getting it set up in an instant there.

    So while my company-provided laptop is Win7-64, I do 100% of my project work through a WinXP image. I have no idea what I'm going to do once it's no longer supported.

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday March 05 2014, @06:07PM

    by Anonymous Coward on Wednesday March 05 2014, @06:07PM (#11424)

    - Remove/uninstall/disable the 'accessories' like windows media player, IE, windows picture and fax viewer. Replace them with stuff like VLC, Firefox, and IrFanView.
    - everything else you should be doing to stay secure RIGHT NOW.
    - as long as Adobe, java, etc. products keep updating on XP, stick with them. when they stop updating, find alternatives or live without them.

    After 13+ years of service and patches, the core OS should be fairly secure if normal security measures are taken. I think XP has reached a maturity level where it no longer really needs any updates from MS. Its fate is now in the hands of the likes of Google, Mozilla, Adobe, Oracle, and hardware vendors. As long as those parties keep releasing and updating for XP, long-live XP!

    With that said, I predict there will be pressure/incentives issuing from Redmond for those companies to abandon XP.

  • (Score: 0) by Anonymous Coward on Thursday March 06 2014, @03:55AM

    by Anonymous Coward on Thursday March 06 2014, @03:55AM (#11726)

    well just try blowing in its ear (speakers) and see if it follows you everywhere.

  • (Score: 1) by ngarrang on Thursday March 06 2014, @05:55PM

    by ngarrang (896) on Thursday March 06 2014, @05:55PM (#12080) Journal

    As the computer expert at work, I get asked a lot of questions by the users regarding their home machines. I have learned that the OP's question needs more questions in response.

    The first thing I ask the user is for WHAT they use their home PC. I help them to answer my question with prompts:
    1. e-mail?
    2. web browsing places like facebook?
    3. the occasional text document or spreadsheet?
    4. what kind of games?

    If the answer to #4 is "no" or "games through my web browser like..." then my answer to them is to consider Linux. I have a Linux box in my office where I demonstrate using Firefox and Chrome, LibreOffice. I bring up sites like YouTube and game sites that use Flash or Java. I show them how Zorin Linux has a very Windows-like interface and is relatively easy to install. I am not a Linux expert. I point them this way because:

    1. I don't believe in tossing out functional computers just because they are old.
    2. I explain that Linux is actively supported and updated.
    3. Once you sit down with it for a week doing just the normal things, you forget you are running Linux.

    If the answer to #4 is "yes" and the games are locally installed with no Linux version, then they are kinda stuck. I recommend never using IE ever again, make sure they have our SOPHOS installed (corp license allows employees to run it at home) because it is AV and firewall that is being kept up to date. It is a start.

  • (Score: 1) by AnythingGoes on Saturday March 08 2014, @02:34PM

    by AnythingGoes (3345) on Saturday March 08 2014, @02:34PM (#13185)

    Since there will no longer be any updates to the Windows XP OS, something like Deep Freeze or a tool that blocks all changes to the system files would be best - it won't help the OS from getting pwned, but a reboot will clear out everything :)

    And yes, running a newer OS is the best solution and running XP in a VM with blocked network access is probably the second best solution.

    And for those who say that they cannot afford to upgrade, please count the cost of rectifying from a successful attack, and see if it makes sense then!