|
Can old operating systems be made secure? |
Chris Katko
Member #1,881
January 2002
|
If I've got, say, a DOS, Windows 95, or 98 machine, is it possible to run one of those open to the internet as a web server without it automatically getting "owned"? If I only have, say, a single port facing the internet and only use it for serving webpages and not for administration tasks (all updates are done locally)... are there ways for people to get around that? |
Matthew Leverton
Supreme Loser
January 1999
|
Nothing is secure. The Internet is a virus. |
MiquelFire
Member #3,110
January 2003
|
DOS (if you get it online that is) may work, but for older Windows... I doubt it. |
raynebc
Member #11,908
May 2010
|
I wouldn't expect a 15+ year old Microsoft web server could ever be considered secure on the Internet. You could probably run a somewhat modern and undeniably more secure *nix web server on it. Is this what you wanted to use that ancient laptop for? |
Thomas Fjellstrom
Member #476
June 2000
|
If you've got source, then sure. Otherwise no. |
Chris Katko
Member #1,881
January 2002
|
Thomas Fjellstrom said:
> If you've got source, then sure. Otherwise no.

I can certainly program a simple one myself and ensure I don't allow buffer overruns, and parse all input. |
Thomas Fjellstrom
Member #476
June 2000
|
Chris Katko said:
> I can certainly program a simple one myself and ensure I don't allow buffer overruns, and parse all input.

You can program a Windows yourself? Or an "old operating system"? Now, sure, you can code your own OS, that's not really a "problem" as such... But why? |
Matthew Leverton
Supreme Loser
January 1999
|
Chris Katko said:
> I can certainly program a simple one myself and ensure I don't allow buffer overruns, and parse all input.

But if the network stack you are using has those bugs, then you are screwed. E.g., just making a call to a buggy gethostbyname() could get you hacked. |
Chris Katko
Member #1,881
January 2002
|
Quote:
> You can program a Windows yourself? Or an "old operating system"?

I meant web server.

Matthew Leverton said:
> But if the network stack you are using has those bugs, then you are screwed. E.g., just making a call to a buggy gethostbyname() could get you hacked.

Hmm, that's disturbing. Is there really no way to get around that without using a bleeding-edge new operating system? |
Thomas Fjellstrom
Member #476
June 2000
|
Chris Katko said:
> Hmm, that's disturbing. Is there really no way to get around that without using a bleeding-edge new operating system?

Code your own DNS functions? |
raynebc
Member #11,908
May 2010
|
And on top of that, write better code than teams of professionals. It just isn't very worthwhile or even feasible to re-invent the wheel for something that complex. |
Chris Katko
Member #1,881
January 2002
|
raynebc said:
> And on top of that, write better code than teams of professionals. It just isn't very worthwhile or even feasible to re-invent the wheel for something that complex.

Parsing HTTP requests can be done by hand in Telnet. More complex projects tend to have more complex goals in mind, and cannot make assumptions about directory structure and permissions. |
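
A bounds-checked, allow-list parser for the HTTP request line, of the kind the posts above argue about, as an added example that is not part of any post in this thread. The function name, the status-code mapping and the 64-byte path limit are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 64  /* assumed limit for this sketch */

/* Parse "GET <path> HTTP/1.x\r\n" from buf[0..len) without ever reading
 * past len. On success copies the path into out (NUL-terminated) and
 * returns 200; otherwise out is empty and an HTTP error code is returned. */
int parse_request_line(const char *buf, size_t len, char *out, size_t out_sz)
{
    const char *eol;
    size_t i, plen;

    if (out_sz == 0) return 500;
    out[0] = '\0';
    eol = memchr(buf, '\n', len);            /* bounded search, no strlen() */
    if (eol == NULL || eol == buf || eol[-1] != '\r') return 400;
    len = (size_t)(eol - buf) - 1;           /* request line without CRLF */
    if (len < 5) return 400;
    if (memcmp(buf, "GET ", 4) != 0) return 501;   /* static pages only */
    if (buf[4] != '/') return 400;

    for (i = 4; i < len && buf[i] != ' '; i++) {
        unsigned char c = (unsigned char)buf[i];
        /* Allow-list: no '%', '\\', ':', NUL or control bytes get through. */
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '/' || c == '.' ||
              c == '-' || c == '_'))
            return 403;
        if (c == '.' && buf[i - 1] == '.') return 403;  /* no ".." */
    }
    plen = i - 4;
    if (plen > MAX_PATH_LEN || plen >= out_sz) return 414;
    if (len - i != 9 || memcmp(buf + i, " HTTP/1.", 8) != 0 ||
        (buf[len - 1] != '0' && buf[len - 1] != '1'))
        return 400;
    memcpy(out, buf + 4, plen);
    out[plen] = '\0';
    return 200;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const char *reqs[] = { "GET /index.html HTTP/1.0\r\n",
                           "GET /../autoexec.bat HTTP/1.0\r\n" };
    char path[MAX_PATH_LEN + 1];
    size_t k;
    for (k = 0; k < 2; k++)
        printf("%d %s\n", parse_request_line(reqs[k], strlen(reqs[k]),
                                             path, sizeof path), path);
    return 0;
}
```

This covers only the server's own parsing; it does nothing about flaws in the operating system's network stack, which is the objection raised earlier in the thread.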
MiquelFire
Member #3,110
January 2003
|
The issue is the code the web server uses that could allow for a backdoor or exploit. Everything you could do in the code for the web server would not be able to stop the attackers. |
Polybios
Member #12,293
October 2010
|
Why would you stick to Windows 95 or DOS if you could just install Linux or some other Unix variant? |
Chris Katko
Member #1,881
January 2002
|
Polybios said:
> Why would you stick to Windows 95 or DOS if you could just install Linux or some other Unix variant?

Linux does not run on 16MB of RAM. |
Polybios
Member #12,293
October 2010
|
I haven't checked, but there used to be some special-lightweight distributions, maybe one of these will work... Edit: Edit2: Your original question about the security of old OSs and software would still be valid for outdated Linux distributions, I guess ... |
Erin Maus
Member #7,537
July 2006
|
Chris Katko said:
> Linux does not run on 16MB of RAM.

My router runs Tomato, which is a slim Linux distro with the ability to be viewed over the web... It has 14 MB of RAM. Just compile the kernel from source with the applications you need. It's possible. |
Thomas Fjellstrom
Member #476
June 2000
|
Chris Katko said:
> Linux does not run on 16MB of RAM.

If you hack at it, it can. There's a whole minification project going on to fit Linux onto "internet of things" type devices. So many options you can turn off that should get it to fit into 16MB these days. Though if you're OK with an old kernel, try out http://delicate-linux.net/ |
Chris Katko
Member #1,881
January 2002
|
But won't an old kernel be subjected to exploits? |
Thomas Fjellstrom
Member #476
June 2000
|
Chris Katko said:
> But won't an old kernel be subjected to exploits?

Depends on the kernel. There are people and organizations maintaining old kernels. Though I'm having a hard time finding an official or semi-official 2.4 anywhere. Distros using the 2.4 would have to maintain it themselves, and try to backport fixes somehow. 3/4 have diverged so much from 2.4 though that I imagine things from 3 or 4 just won't apply to 2.4. It seems the last 2.4 release was in 2011 or so, but there is an "official" 2.4 git here, that has seen some patches since then. |
|