I connected Windows XP to the Internet; it was fine
2 years ago
A couple months ago I installed XP onto a ThinkPad X120e; being the first dual-core AMD ThinkPad the hardware is relatively emaciated, and I wanted something lightweight and productive for it.
I used legacyupdate.net to apply all available important and recommended updates, as well as some nice-to-haves such as updates to the .NET infrastructure. I have been using the Supermium browser, which is an up to date fork of Chromium for older versions of Windows, including XP. All of this has gone off without a hitch, and the laptop has been great to me with its current configuration.
Recently in the tech news sphere I have seen articles exclaiming what a bad idea this is, demonstrating how connecting XP to the internet for just a few minutes leaves it riddled with viruses. Decided to run an MBAM scan with updated databases to see for myself, and it's totally clean.
In other news, this thing is a great little Diablo II machine. I'm maining necro right now.
Back in the days of Blaster, if you were connected to a network with infected machines or had a public IP address because you were connected straight into your cable modem, you would get infected in the Windows installer before it finished installing. Nowadays, everything is behind NAT and there aren't any infected Windows XP machines left on your local network, so that's not a problem anymore.
For some reason whenever somebody suggests that NAT might have security benefits, there is usually some hysterical screeching about how that isn't true. Often seen in IPv6 discussions.
> For some reason whenever somebody suggests that NAT might have security benefits, there is usually some hysterical screeching about how that isn't true.
It is not the address translation mechanism that does the protecting but rather the state tracking.
Until very recently I was with an ISP with IPv6, and things like my home printer had IPv6 addresses—but just because they were globally addressable did not mean that they were globally reachable.
because it's unnecessary to get the same benefit. Being behind a firewall would have the same effect (and any ipv6 deployment will have this), it's just that NAT requires this. It's like saying eating a spoonful of cinnamon has health benefits because it hydrates you when you have to drink a glass of water afterwards: you could just drink the water.
I think the usual security objection is that if the NAT router receives a packet from the outside, with its destination set to a local address, the router will just let it through, in the absence of a firewall.
But as far as I can tell, that's only relevant for an attacker who can MITM the connection between the local router and the next ISP router, since clearly the ISP wouldn't know who to forward the local address to. I'd think it isn't within the threat model of the "typical internet user" who'd be running such a poorly-configured network.
Isn't NAT slipstreaming a "real" vector?
https://samy.pl/slipstream/
Because it's really important to know the difference between NAT and a firewall if you are into networks. And IPv6 discussions generally involve such people. In this case it's nothing to do with NAT and everything to do with being behind a firewall.
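The distinction drawn in the comments above (state tracking, not address translation, is what blocks unsolicited inbound traffic, and a NAT router with no filter still forwards a packet addressed to a local address), as an added example that is not part of the thread. `Packet`, `Gateway` and `demo` are hypothetical names, the addresses are constructed documentation values, and the toy model ignores port rewriting.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Gateway:
    lan_prefix: str          # addresses starting with this are inside hosts
    nat: bool = False        # rewrite inside source address to wan_addr
    stateful: bool = False   # drop WAN packets that match no tracked flow
    wan_addr: str = ""
    flows: dict = field(default_factory=dict)  # WAN-side reply tuple -> inside host

    def outbound(self, p: Packet) -> Packet:
        """An inside host sends p; returns the packet as seen on the WAN."""
        wan_src = self.wan_addr if self.nat else p.src
        # Track the flow, keyed by what its reply will look like on the WAN.
        self.flows[(p.dst, p.dport, wan_src, p.sport)] = p.src
        return Packet(wan_src, p.sport, p.dst, p.dport)

    def inbound(self, p: Packet):
        """A packet arrives from the WAN; returns the inside host reached, or None."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.flows:
            return self.flows[key]   # reply to a tracked flow (reverse NAT if any)
        if self.stateful:
            return None              # unsolicited: dropped by state tracking
        if p.dst.startswith(self.lan_prefix):
            return p.dst             # plain routing: forwarded as addressed
        return None                  # addressed to the router itself

def demo():
    """Constructed addresses from the RFC 3849, RFC 5737 and RFC 1918 ranges."""
    server, printer6, printer4 = "2001:db8:aaaa::80", "2001:db8:1::50", "192.168.1.50"
    probe6 = Packet("2001:db8:ffff::1", 40000, printer6, 9100)
    probe4 = Packet("198.51.100.7", 40000, printer4, 9100)
    wan_probe = Packet("198.51.100.7", 40000, "203.0.113.9", 9100)
    r = {}
    v6_fw = Gateway("2001:db8:1:", stateful=True)
    r["v6 stateful, unsolicited"] = v6_fw.inbound(probe6)
    v6_fw.outbound(Packet(printer6, 50000, server, 443))
    r["v6 stateful, reply"] = v6_fw.inbound(Packet(server, 443, printer6, 50000))
    r["v6 no filter, unsolicited"] = Gateway("2001:db8:1:").inbound(probe6)
    nat_only = Gateway("192.168.1.", nat=True, wan_addr="203.0.113.9")
    r["nat only, to WAN address"] = nat_only.inbound(wan_probe)
    r["nat only, to LAN address"] = nat_only.inbound(probe4)
    nat_fw = Gateway("192.168.1.", nat=True, stateful=True, wan_addr="203.0.113.9")
    r["nat + stateful, to LAN address"] = nat_fw.inbound(probe4)
    return r

if __name__ == "__main__":
    for case, reached in demo().items():
        print(f"{case:32} -> {reached}")
```

The globally addressable host is unreachable in exactly the cases where `stateful` is set, with or without `nat`.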
I would guesstimate about 20-30 seconds was all you needed to be connected for to pick up blaster...
Yep. Before I knew what it was, I genuinely thought that an issue occurred when my connection established. That’s how fast it was, and it was consistently that fast.
Herd immunity, huh?
More that NAT forces your network gear to filter inbound connections from the outside internet by default. This works with one device behind one router as a billion devices behind a billion routers.
>Nowadays, everything is behind NAT and there aren't any infected Windows XP machines
All end-user PCs have been behind NAT since the late 90s unless the system was a dialup straggler. Enterprise users raw-dogging the internet only have themselves to blame.
I'm afraid this is factually wrong, my computer had a public IP until the early 2010s as around these days modems were just modems and not routers too.
And with IPv6 all my devices could be publicly addressed but I've enabled a firewall to block incoming traffic at the router level.
Even discounting dial-up, this really depends on where you are in the world at the time. PPPoE and direct hookup (via the cable/ADSL modem) are still relatively common where I was at the time that Blaster was roaming around, while some countries have forced CGNAT even before CGNAT became a common word, usually for "protecting the children" like Cleanfeed (and even discounting that, even at the time you could still get IPv4 effortlessly there had been, and certainly there are still, crappy ISPs which don't really care about direct connections).
This is absolutely false. This only became common when wireless networking became ubiquitous, which wasn't until probably a decade later.
I refurbish and sell Windows XP machines as a side business; there's a surprisingly large market for them. My customers mostly break down into the following groups:
1) People looking to play retro games
2) People looking to work with legacy hardware, especially in manufacturing and healthcare
3) People who want the comfort/familiarity of an older operating system
I'm always careful to issue a disclaimer that Windows XP should never be used for anything where you need security, but in practice, I don't see much of an issue. The reality is that although XP is a tempting target in terms of vulnerability, it's not widely used enough to be useful to modern malware.
The machines I sell come with Windows XP Delta Edition[1], which as far as I know comes with all the available updates for XP already installed - no Legacy Update necessary. I've been using the Mypal browser [2], but will definitely try Supermium!
[1] https://xpdelta.weebly.com/xp.html
[2] https://github.com/Feodor2/Mypal68/releases
They released XP well into Windows 7, I'm surprised that there's that much incompatibility with modern versions of windows when running software.
Wait, is this legal/allowed?
All the laptops I sell with Windows XP have Windows XP or newer OEM license keys included with them, so yes, it is legal, or at least legal enough that I don't think Microsoft or anyone cares. XP Delta Edition has the same featureset as XP Pro for licensing purposes, though the licensing of some of the software with it is muddier.
That said, as there's currently no way to legally buy Windows XP from Microsoft (or any official source), it's not really harming anyone to just install it wherever, in my view.
I also sell Windows 10 machines, and they all come with genuine licenses (often also OEM, or I buy them). I often get questions about whether my Windows 10 systems are genuine Windows, but nobody has ever asked about XP.
No, but realistically speaking, no one cares. If some big youtuber made a video about it it would likely be shut down.
That whole thing is manufactured drama by some youtubers.
I can't say if the infections themselves are real or staged, but they clearly and explicitly set the OS up for failure: they give it a public internet IP, enable file sharing, RDP, remote assistance, then disable the firewall for good measure. No modern OS would fare better in those circumstances.
> No modern OS would fare better in those circumstances.
Of course they would. Modern Linux, FreeBSD and macOS are totally fine connected to the internet directly with ssh enabled and no firewall. Sure; if you expose samba with write access and no password, you’re in for a world of hurt. But so long as your machine is kept up to date with security patches and has some form of authentication on all remote services, it should (generally) survive just fine on the open internet.
Of course defence in depth is still a good idea. But script kiddies aren’t using 0day attacks to portscan the open internet. But security vulnerabilities in network services get fixed.
Modern Windows is fine, too. You may even be able to use Windows 7 that way these days. A lot has changed since XP SP2.
In my experience, a weekly-patched, default-installation Debian Linux circa 2015 gets malware in a week or two on the open internet.
AFAICT there was a single YouTube video that started this[0] and they mentioned explicitly several times that this mainly works because they put it in "the open internet" as a server. Disabling the firewall was the icing on the cake and yet that is all sites that reported this[1], no mention about how the computer was not behind, well, anything that a desktop in the last couple of decades would be (and most likely beyond that, I remember around 2002 when I had a modem, I had to visit a web page at my ISP to allow me to open various ports as many things were disabled by default).
[0] https://www.youtube.com/watch?v=6uSVVCmOH5w
[1] https://www.xda-developers.com/connected-windows-xp-internet...
The firewall was disabled by default in XP until SP2...
I disagree, I think most modern OSes would be fine, assuming they are up to date and nobody is using secret 0days on you.
When you say connected to the internet, do you mean giving it a public IPv4 address or are you behind NAT?
Yep. I installed XP64 on a high-end 2008 Thinkpad last year, and it was great fun. I wrote it up here:
https://www.theregister.com/2023/07/24/dangerous_pleasures_w...
A key watchword is to not let any MS code access the Internet. Don't use MS email, chat, media players, etc. Use more modern 3rd party ones and you're much much safer.
It's more or less necessary to use IE to get it set up, but you can install IE 8.0.6001 offline before you start updating it, which also saves about half an hour.
Behind a NAT you're safe even with Win9x. Idk about XP-latest, but you don't want to connect a fresh pre-SP installation right to the uplink cable. I wouldn't do that with any version of windows, even from the "windows server" line.
Curiously enough, the youtuber who tried this with windows XP did the same thing with Windows 98 [1]. And it gets hit by strange packets and scans, but that system was fine even when running for a day or two.
1: https://www.youtube.com/watch?v=ssTIx0qm2to
For a really ancient OS like Windows 98, I'd think >99.99% of exploits out there target newer OSes & simply don't work on Win98. Safety by obscurity.
That said: for every idiot who hooks up a Windows 98 machine to the internet, there might be some other idiot checking whether exploits targeting it, still work. Or exploit kits that sniff an OS, and select exploits to apply accordingly.
Vulnerabilities tend to have a long tail...
Do the zombie botnets still search for jurassic OSes to exploit? I feel like connecting the XP system to the Internet might be fine because all the botnets are searching for unpatched Windows 10 systems, maybe 8, 7, but not XP...
What is the cost for someone running a botnet to probe for old OSs also? They can just take something off the shelf and run it on someone elses machine.
For science!
I think the biggest risk you'd have with XP online is using Internet Explorer, as not only is it going to have tons of vulnerabilities that are unpatched, but it'll also be incapable of negotiating SSL with modern websites. And the latter would also be true of any browsers you brought back from that time period to run on it, too, so using Supermium is probably why you're doing well.
It's not like tons of embedded systems aren't still using XP to this day either.
Not useful at all.
Go back in time and connect it to a network full of infected hosts, and you'll have a very different experience.
Why is it such a surprise that a machine won't get infected when the common vectors of attack for those OS's no longer exist.
It is still possible to use an Amiga and connect it to the Internet. It is still possible to use VHS tapes and watch films on them. I am not sure why you would want to do this. Maybe your computer is fine now, but if you are targeted by an attacker, you make it easier, or if someone steals your laptop, I guess there is no encryption by default. Better to use Linux on old machines. And in 2024 we have great emulators or virtual machines for more than 10 years to make old games work fine. Cool that you made it work, but I have no idea why. Maybe for fun, or testing, but for everyday use, nah, thx.
Of course!
The whole security circus is a legend and a paranoia that mostly serves OS manufacturers. And now that Recall exists, it will be difficult to maintain that Win11 or M$ care about security at all.
I've been using XP for many years and have no complaints about viruses. Moreover, viruses are not created now, but only trojans. And trojans do not get along on old systems; 32 bits is not enough for them to get around))). Seriously, modern malware is always for modern hardware, modern tricks on how to deceive the user, and how to get something out of him. What can you take from the user's XP? Nothing! )) I use an EEEPC 701 with XP SP3 and I have no problems with it.
Do you have an external IP? I expect you are behind NAT and no one is directly scanning your laptop.
Make it available on a public IP, wait until the IP is listed on Shodan telling it is XP, and then let us know how long it was running without being infected.
There's a lot of fearmongering around keeping updated, and "connecting Windows XP to the internet is a bad idea" is one of them.
What makes this truly devious is that there's a kernel of truth to it: Connecting Windows XP to the internet will indeed give you a bad day.
That's not what happens most of the time now, though: Most computers, Windows XP or otherwise, are going to be connected to a LAN behind a gateway/router and a firewall sitting between the LAN and the internet. Windows XP is therefore isolated from most of the threats that are indeed very real.
Windows XP itself also has a firewall built-in, though the OOTB settings won't provide adequate protection.
The moral of this is, the best lies are those with hints of truth sprinkled in.
Well now that there's no other XP LAN hosts it's mostly OK. Getting it on an unclean LAN with infected hosts will get you infected, and that was a common occurrence back in the day.
I've disabled Windows Defender and gutted the OS of all its features that I don't need for the past 26 years and never had any problems. I always resist the next update as long as I can get away with it (usually some software I need to use will only work on the next update). It's probably really stupid but I've yet to suffer for it. I mainly use my PC for creative purposes, Steam, and Web browsing. If my identity is in danger someone must be putting it to good use.
So it was behind a firewall. Now do it without a firewall.
The problem is that most XP machines still in active use don't have modern updates, are using IE, and are still on.
And showing a single contraindication doesn't mean it's "crap" just means you haven't been exploited yet.
But it isn't like you are paying bills on it, so enjoy.
I had only one problem, all certificates were outdated, so all https resources didn't work (like 99% of web). I had to download certificate updates to a flash drive on another PC to install them, then all worked fine. I used an outdated Firefox but it's still good.
I imagine if you used the initial release of Windows XP, without any service packs or updates, and you tried browsing the web with Internet Explorer 6, you'd get infected quite quickly.
Off-topic: I miss dial-up modus operandi. The assumption was internet access was sporadic and at most attempts to access internet would trigger the dial-up catalog.
Have to try to emulate that by removing the default gateway and adding a proxy to the network.
A firewall is a firewall. If TCP/IP routing is properly set up (and afair Windows XP default settings for non-home networks were alright) and you browse the internet responsibly, you can survive for quite a while I guess.
Windows used to have critical vulnerabilities, especially in IE8, making you highly susceptible to hacking. These vulnerabilities have been patched, and the risk is likely lower now.
not just IE - insert Java applets, Adobe Flash; and all the other browser "addons" and plugins - it was a mess. but it also depended on the websites you'd visit. a great deal of malware was spread by ads and even facebook was not spared - it's definitely not the same as it used to be; adblockers were used back then too - the biggest difference is now we're plagued with javascript and it literally being allowed to do what all malware ever wanted: to spy on users any way the site-op sees fit.
remember malware used to simply crash hard drives, erase everything, slow your system down, cause bsods... it was mid 2000s when a wise man once said something along the lines of "it's amazing that malware can install, auto update, and run flawlessly without the user even knowing - something the OS fails to do"
the browser is not simply safe because the os is safe - certainly the OS helps, but the browser is safe due the latest code techniques and sec folks investing so much time into it. if they solely relied on the os being safe, then we'd all be fools to use a browser - i mean, more than we are in allowing javascript so much power
> now we're plagued with javascript and it literally being allowed to do what all malware ever wanted: to spy on users any way the site-op sees fit.
This is flat-out untrue. Beyond hyperbole. If JavaScript had the system access that literally any piece of malware sought, the world would be an utter shit show in a way it simply isn’t.
Well done. YMMV with IP address.
The author must think all malware comes with an obvious GUI interface…
You missed one other mitigation tool: 0patch
Its usefulness is limited on XP but you might have applications that are captured. They also haven't closed the door (at least as of last year) to patching any future major-drama events that come up: https://0patch.zendesk.com/hc/en-us/articles/360018274139-Do...
In other news, everybody uses a router nowadays, with firewall activated by default.
Diablo II should be running on Linux via Bottles. Do your laptop a favor, remove Windows XP.