by guimarin 3293 days ago
Seems like a false choice. Why couldn't I understand what functions these machines exactly needed and then put a small Linux box between them and the network which monitors all incoming/outgoing traffic and only allows allow-list items to pass on to the ancient XP device?
1 comment
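What the inline Linux box described above would actually do, as an added example that is not part of the thread: a default-deny allow-list parsed from a small policy text, plus an asyncio TCP forwarder that applies it to connections arriving from the network side before anything reaches the old device. The policy entries (a DICOM worklist server at 10.20.0.5, an archive at 10.20.0.20, the admin VLAN 10.20.1.0/24), the device address and all function names are assumptions made up for the illustration.

```python
"""Allow-list gateway for a legacy device: default-deny policy plus a TCP forwarder.

Added example, not code from the thread. Addresses and ports below are constructed.
"""
from __future__ import annotations

import asyncio
import ipaddress
import logging
from dataclasses import dataclass

log = logging.getLogger("gateway")


@dataclass(frozen=True)
class Rule:
    direction: str   # "in": network -> device, "out": device -> network
    peer: ipaddress.IPv4Network | ipaddress.IPv6Network  # address range on the network side
    port: int        # destination port of the connection


class AllowList:
    """Set of explicitly permitted flows; anything not listed is denied."""

    def __init__(self, rules):
        self.rules = list(rules)

    @classmethod
    def parse(cls, text: str) -> "AllowList":
        rules = []
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()   # strip comments and blanks
            if not line:
                continue
            try:
                direction, peer, port = line.split()
                if direction not in ("in", "out"):
                    raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")
                rules.append(Rule(direction, ipaddress.ip_network(peer, strict=False), int(port)))
            except ValueError as exc:
                raise ValueError(f"policy line {lineno}: {exc}") from exc
        return cls(rules)

    def permits(self, direction: str, peer_ip: str, port: int) -> bool:
        ip = ipaddress.ip_address(peer_ip)
        return any(r.direction == direction and r.port == port and ip in r.peer
                   for r in self.rules)


# Constructed policy: only the flows the device is known to need.
EXAMPLE_POLICY = """
# direction   network-side peer   port
in    10.20.0.5/32      104    # modality worklist server pushes DICOM to the device
in    10.20.1.0/24      3389   # RDP, admin VLAN only
out   10.20.0.20/32     104    # device sends images to the archive
"""
EXAMPLE_ALLOWLIST = AllowList.parse(EXAMPLE_POLICY)


async def _pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def serve_inbound(allowlist: AllowList, listen_port: int,
                        device_addr: str, device_port: int,
                        listen_host: str = "0.0.0.0") -> None:
    """Accept network-side connections on listen_port and forward only allow-listed peers."""

    async def handle(client_reader, client_writer):
        peer_ip, peer_port = client_writer.get_extra_info("peername")[:2]
        if not allowlist.permits("in", peer_ip, listen_port):
            log.warning("denied %s:%d -> device:%d", peer_ip, peer_port, listen_port)
            client_writer.close()
            return
        log.info("allowed %s:%d -> device:%d", peer_ip, peer_port, listen_port)
        dev_reader, dev_writer = await asyncio.open_connection(device_addr, device_port)
        await asyncio.gather(_pipe(client_reader, dev_writer), _pipe(dev_reader, client_writer))

    server = await asyncio.start_server(handle, listen_host, listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Hypothetical deployment: the XP device sits alone behind the gateway at 192.168.99.2.
    asyncio.run(serve_inbound(EXAMPLE_ALLOWLIST, 104, "192.168.99.2", 104))
```

Two caveats a practitioner would add. This only covers TCP sessions aimed at the gateway; filtering the device's own outbound traffic, UDP, and non-IP protocols needs the box to be a transparent bridge with netfilter rules rather than an application-level forwarder. And the forwarder inspects addresses and ports, not payloads, so a permitted peer that is itself compromised still gets to talk to the unpatched stack.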

Here are two guesses:

1. Well, maybe you could do that with your abundance of skill and time, but not everyone running a hospital/bank/other large organization has the time or budget to slap together and maintain that kind of amateur-hour rope-and-tin-cans proxy shit.

2. Not everything people use a computer for happens over a network. Some people write software because they need to communicate directly with hardware devices. You can’t intercept network traffic when there is no network traffic to intercept.

1. Seems like a business opportunity.

2. I believe we're talking about network-accessible devices here. Otherwise why would the parent make a comment about air-gapping being infeasible?

1. Not really. I mean, at some point, if you're going to do it properly, it'll cost money. Unless you can reliably do this for less than or equal to what the hospital is willing to pay, there's no business. "Less than or equal to" is probably not going to be enough money to fix the problem if they already decided not to just try this "just put a linux machine in front" idea.

2. The parent mentioned networking, but networking is not the only threat vector that must be accounted for. Malware can spread through removable media, and most organizations outside of the military or federal government simply don't have the sort of security policies in place to prevent that. So the unpatched vulnerabilities people are talking about can still be exploited even without the network stack doing anything.