Allegro.cc - Online Community

Allegro.cc Forums » Off-Topic Ordeals » Can old operating systems be made secure?

This thread is locked; no one can reply to it. rss feed Print
Can old operating systems be made secure?
Chris Katko
Member #1,881
January 2002
avatar

If I've got say, a DOS, Windows 95, or 98 machine. Is it possible to run one of those open to the internet as a web server without it automatically getting "owned"?

If I only have say, a single port facing the internet and only use it for serving webpages and not for administration tasks (all updates are done locally)... are there ways for people to get around that?

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

Matthew Leverton
Supreme Loser
January 1999
avatar

Nothing is secure. The Internet is a virus. :-/

MiquelFire
Member #3,110
January 2003
avatar

DOS (if you get it online that is) may work, but for older Windows... I doubt it.

---
Febreze (and other air fresheners actually) is just below perfumes/colognes, and that's just below dead skunks in terms of smells that offend my nose.
MiquelFire.red | +Me
Windows 8 is a toned, stylish, polished professional athlete. But it’s wearing clown makeup, and that creates a serious image problem. ~PCWorld Article

raynebc
Member #11,908
May 2010

I wouldn't expect a 15+ year old Microsoft web server could ever be considered secure on the Internet. You could probably run a somewhat modern and undeniably more secure *nix web server on it. Is this what you wanted to use that ancient laptop for?

Thomas Fjellstrom
Member #476
June 2000
avatar

If you've got source, then sure. Otherwise no.

--
Thomas Fjellstrom - [website] - [email] - [Allegro Wiki] - [Allegro TODO]
"If you can't think of a better solution, don't try to make a better solution." -- weapon_S
"The less evidence we have for what we believe is certain, the more violently we defend beliefs against those who don't agree" -- https://twitter.com/neiltyson/status/592870205409353730

Chris Katko
Member #1,881
January 2002
avatar

If you've got source, then sure. Otherwise no.

I can certainly program a simple one myself and ensure I don't allow buffer over runs, and parse all input.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

Thomas Fjellstrom
Member #476
June 2000
avatar

I can certainly program a simple one myself and ensure I don't allow buffer over runs, and parse all input.

You can program a windows yourself? :o Or an "old operating system"?

Now, sure you can code your own OS, that's not really a "problem" as such... But why?

--
Thomas Fjellstrom - [website] - [email] - [Allegro Wiki] - [Allegro TODO]
"If you can't think of a better solution, don't try to make a better solution." -- weapon_S
"The less evidence we have for what we believe is certain, the more violently we defend beliefs against those who don't agree" -- https://twitter.com/neiltyson/status/592870205409353730

Matthew Leverton
Supreme Loser
January 1999
avatar

I can certainly program a simple one myself and ensure I don't allow buffer over runs, and parse all input.

But if the network stack you are using has those bugs, then you are screwed.

e.g., Just making a call to a buggy gethostbyname() could get you hacked.

Chris Katko
Member #1,881
January 2002
avatar

Quote:

You can program a windows yourself? :o Or an "old operating system"?

I meant web server.

But if the network stack you are using has those bugs, then you are screwed.

e.g., Just making a call to a buggy gethostbyname() could get you hacked.

Hmm, that's disturbing. Is there really no way to get around that without using a bleeding-edge new operating system?

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

Thomas Fjellstrom
Member #476
June 2000
avatar

Hmm, that's disturbing. Is there really no way to get around that without using a bleeding-edge new operating system?

Code your own DNS functions?

--
Thomas Fjellstrom - [website] - [email] - [Allegro Wiki] - [Allegro TODO]
"If you can't think of a better solution, don't try to make a better solution." -- weapon_S
"The less evidence we have for what we believe is certain, the more violently we defend beliefs against those who don't agree" -- https://twitter.com/neiltyson/status/592870205409353730

raynebc
Member #11,908
May 2010

And on top of that, write better code than teams of professionals. It just isn't very worthwhile or even feasible to re-invent the wheel for something that complex.

Chris Katko
Member #1,881
January 2002
avatar

raynebc said:

And on top of that, write better code than teams of professionals. It just isn't very worthwhile or even feasible to re-invent the wheel for something that complex.

Parsing HTTP requests can be done by hand in Telnet. More complex projects tend to have more complex goals in mind, and cannot make assumptions about directory structure and permissions.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

MiquelFire
Member #3,110
January 2003
avatar

The issue is the code the web server uses that could allow for a backdoor or exploit. Everything you could do in the code for the web server would not be able to stop the attackers.

---
Febreze (and other air fresheners actually) is just below perfumes/colognes, and that's just below dead skunks in terms of smells that offend my nose.
MiquelFire.red | +Me
Windows 8 is a toned, stylish, polished professional athlete. But it’s wearing clown makeup, and that creates a serious image problem. ~PCWorld Article

Polybios
Member #12,293
October 2010

Why would you stick to Windows 95 or DOS if you could just install Linux or some other Unix variant? ???

Chris Katko
Member #1,881
January 2002
avatar

Polybios said:

Why would you stick to Windows 95 or DOS if you could just install Linux or some other Unix variant? ???

Linux does not run on 16MB of ram.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

Polybios
Member #12,293
October 2010

I haven't checked, but there used to be some special-lightweight distributions, maybe one of these will work...

Edit:
For example, I think I had Fli4L running on my old router a very long time ago. It needs a 486 with 16MB of RAM.
But apparently, it cannot run a webserver. :P

Edit2: Your original question about the security of old OSs and software would still be valid for outdated Linux distributions, I guess ...

Aaron Bolyard
Member #7,537
July 2006
avatar

Linux does not run on 16MB of ram.

My router runs Tomato which is a slim Linux distro with the ability to be viewed over the web...

It has 14mb of RAM.

Just compile the kernel from source with the applications you need. It's possible.

---
ItsyRealm, a quirky 2D/3D RPG where you fight, skill, and explore in a medieval world with horrors unimaginable.

Thomas Fjellstrom
Member #476
June 2000
avatar

Linux does not run on 16MB of ram.

If you hack at it it can. There's a whole minification project going on to fit linux onto "internet of things" type devices. So many options you can turn off that should get it to fit into 16MB these days.

Though if you're ok with an old kernel, try out http://delicate-linux.net/

--
Thomas Fjellstrom - [website] - [email] - [Allegro Wiki] - [Allegro TODO]
"If you can't think of a better solution, don't try to make a better solution." -- weapon_S
"The less evidence we have for what we believe is certain, the more violently we defend beliefs against those who don't agree" -- https://twitter.com/neiltyson/status/592870205409353730

Chris Katko
Member #1,881
January 2002
avatar

But won't an old kernel be subjected to exploits? :-/

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

Thomas Fjellstrom
Member #476
June 2000
avatar

But won't an old kernel be subjected to exploits? :-/

Depends on the kernel. There are people and organizations maintaining old kernels. Though I'm having a hard time finding an official or semi-official 2.4 anywhere. Distro's using the 2.4 would have to maintain it themselves, and try to backport fixes somehow. 3/4 have diverged so much from 2.4 though that I imagine things from 3 or 4 just won't apply to 2.4 :(

It seems the last 2.4 release was in 2011 or so, but there is an "official" 2.4 git here, that has seen some patches since then.

--
Thomas Fjellstrom - [website] - [email] - [Allegro Wiki] - [Allegro TODO]
"If you can't think of a better solution, don't try to make a better solution." -- weapon_S
"The less evidence we have for what we believe is certain, the more violently we defend beliefs against those who don't agree" -- https://twitter.com/neiltyson/status/592870205409353730

Go to: