by unxdfa 1218 days ago
This sort of stuff doesn’t surprise me any more. I’ve been on a number of “desktop support” sessions over the last few years and seen some shit. The common denominator seems to be entirely unpatched obsolete stuff (stock RTM windows 7 with stock IE in 2021 was my favourite) where either someone turned the updates off because they knew better or stopped paying their MSP for service immediately after they had been set up and assumed it’d just work forever.

People like that and the associated competence level are rolling out the red carpet.


If it's really important: airgap. Or VM-wrapped with restore points.

I completely understand that somebody does not want to upgrade into the warp-abyss-abomination of modern Windows, especially if hugely expensive software was written once that needs backwards compatibility or contains sensitive data. You cannot use Windows if you work for anything with sensitive data.

In today's world the legacy is the good stuff. Just needs protection.

It doesn't look like Oakland would have the IT people, time and skills to deploy and maintain a VM-wrapped infrastructure - which has all the same issues with needing to keep it up to date; e.g. I know people for whom this VMWare ESXi attack https://www.crn.com/news/security/vmware-esxi-ransomware-att... managed to ransom-encrypt both their main virtualization environment and also the backup one.
An airgapped system is one that's basically unusable because you can't communicate with other systems.
Can't help but think back to my youth, when nearly every system was airgapped, but they were plenty usable regardless.
A system can be more than one computer, i.e. mainframe. Airgapped systems can include multiple computers that are disconnected from external networks. They can be very useful for specialized applications.
I witnessed a ransomware attack where somebody in operations had an SMB share on their desktop to the backend storage for the VMware ESXi cluster. So the ransomware was able to encrypt many of the vdisks.
I love people that believe there exists a version of windows that could be deemed secure. I was there once. Install the latest update to fix the security problems. Don't worry, our software becomes 300mb larger due to 500 other security problems we are rolling out today, but we managed to close off this one tiny hole over here.

Why does it matter anyways. With both Intel and AMD running processors independent of your machine, there's really no way to keep anything secure unless you use a machine that's over 20 years old.

But isn't that backwards? 20-year-old systems have been thoroughly exploited and usually do not benefit from more recent updates. It's true you can't patch every single vulnerability, but probability is a huge factor in risk. If many of the common exploits have been patched, it's simply harder for your average hacker; the difficulty and opportunity cost just go up.
I love people that believe there exists a version of any operating system with C code on it, that can be deemed secure.

https://en.wikipedia.org/wiki/Morris_worm

It is true that C does not protect against a class of errors related to memory safety, but it is disingenuous to imply writing an OS in any other language will make it secure. At best, it will only reduce the porosity of the attack surface.
One of the reasons why Multics had a better security assessment than UNIX from DoD, was precisely how PL/I does strings and arrays.

Not wearing seatbelts and helmets doesn't save everyone, so it is worthless to use them as a vain attempt to save human lives.

Microsoft have 122k employees. Assuming that every one of them takes the upgrade, it uses an extra 61TB of storage. I can buy 61TB of NVMe storage from a high street retailer for under $5000. It's less than half that for a normal SSD. It costs more than that for the electricity to install the updates to 120k people I would bet.

> there's really no way to keep anything secure unless you use a machine that's over 20 years old.

This is nonsense. Security isn't a binary thing, and even if it was, you're still vulnerable to wrench-ops. If your threat model is that you suspect your processor manufacturer has backdoored your CPU, you better be running your own fab, air gapping your machines, and desoldering input ports.

Meanwhile for probably 95% of people and businesses out there, keeping windows up to date, 2FA required, encryption in transit and at rest, and regular tested backups is enough.

At this point I don't think the goal is to reach a state of 'secure'; it's shifting vulnerabilities around to be less predictable. Intentionally or not.
Windows 1.0 was pretty secure by today's standards. /s
No networking, right? I guess it was pretty good.
Also no USB support, so even Stuxnet won't work.