Date: Mon, 18 May 2020 03:05:56 +0200
From: Polytropon
To: "@lbutlr"
Cc: FreeBSD
Subject: Re: [FreeBSD-Announce] FreeBSD 12.0 end-of-life

On Sun, 17 May 2020 00:33:50 -0600, @lbutlr wrote:
> On 16 May 2020, at 13:54, Polytropon wrote:
> > On Sat, 16 May 2020 12:56:25 -0600, @lbutlr wrote:
> >> Otherwise, old OSes are porous insecure botnets-in-wait with
> >> dozens or hundreds or thousands of exploits.
> >
> > That is true, but is significant only as far as those systems
> > interact with other things, especially over Internet.
>
> If the computer is air-gapped, that is one thing. If the computer
> is on a network and that network is air gapped, that is something
> else. If that computer is on a network and any machines on that
> network have access to the Internet, then that old insecure
> machine should be assumed to be on the Internet.

That is a fully valid opinion (and good description of reality).
It depends on how well you can control all involved factors,
and especially the "weakest links" in that chain. Luckily,
for the setting I've been referring to, everything is under
control. There are no "too intelligent" printers, but
security-sensitive people using that specific kind of
equipment. Data that goes in and out is quite restricted.
There is no 100 % security, but you can at least actively
try to achieve it (instead of stupid claims or "the PC told
me I'm safe").

> Just look at the many exploits for non-Internet connected LAN
> printers.

Absolutely true. It also applies to battery chargers, fax
machines or any other "smart" device that can connect to
something else (!) on its own. But if your equipment is
old enough, it probably won't be that "smart". ;-)

A good countermeasure is to always keep complexity as low
as possible. Don't obtain or store data that you don't need.
Don't put functionality into the device that isn't necessary.
Test your software. Watch for compiler warnings and _act_
according to them. Check runtime warnings. Keep things simple
and use established approaches to problems. Physical security
is a plus. Know as much as possible about the things you're
using. Understand how things work, don't rely on 3rd party
services too much without proper understanding. Read the
documentation. Write your own documentation. Don't add things
for the sake of adding them. Think outside the box. Always
wear a helmet. ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...