security for people using WINDOWS XP.

[mickthefish]

I've been using audacity 2.1.0 since its launch & encountered no problems at all loading it on my three hp laptops,(One is 5 yrs old)none of them are logged on to the internet ,if i need the internet i use my hot mail account at the library,'but i understand your concern about security & understand you can still be open to viruses even when not logged on to the net.

[kozikowski]

Someone posted that an unprotected WinXP machine on an open internet connection has about a fifteen minute life expectancy. Much better if the machine is behind a WiFi Firewall and even better yet if it has current virus protection software.

Air Gap Firewalls can be very effective as long as the other measures are taken. I have those. Machines with no network connection.

Koz

[themickster]

Would XP on the Net through a mobile phone be at risk?

[kozikowski]

Via a hot spot. Good question. You're still vulnerable if you download something naughty, but past that I don't know. I've put my Mac on line before as a diagnostic, but that's fully locked-down Linux system.

Koz

[themickster]

Not through a hotspot. By mobile phone, I mean cell phone.

[kozikowski]

I'm aware of creating a WiFi point on a cellphone and logging into it with my laptop. I've done that. What do you mean?

Koz

[themickster]

I mean 'tethering'. I can plug my PC into my phone and use the phone's mobile data connection. The phone works as a modem. No other hardware needed.

[DVDdoug]

I've got an XP machine here at work that's part of a hardware test station. It's on the network & Internet, but I only download new test programs occasionally. No web browsing/surfing or email on that machine. Since Microsoft Security Essentials no longer works on XP, the only protection I have is Malwarebytes.

I've got a Windows 98 machine with no protection at all, but it's rare that I download anything. The network connection was flaky and the last time I tried to download something I had to use a floppy disk! (I have a USB floppy drive so I can write to a floppy using a newer machine.)

I've got another Windows 98 machine that's not currently networked, and I've even got a (non-networked) Windows 3.1 machine that we use occasionally in a couple of test setups...

Right now, I'm on Win7 (with Windows Security Essentials and the free version of Malwarebytes).

I've only had a computer virus ONCE (15 or 20 years ago) and I've owned computers since before the Internet... I'm "careful", but I'm not super-paranoid.

I have had malware/crapware/spyware/adware and other unwanted stuff...

[themickster]

I'm with you, DVD. I onlined with a PC for several years without any security and without any problems.

[cyrano]

All of this above is purely anecdotal, of course.

The fact is that today's malware isn't your friendly script kiddy prank anymore. While malware in the past didn't really hide it's actions, today's malware is highly covert, often only activates after a while and is really, really good in avoiding malware detection.

Having a router between your local network and the net is a must. But even that router can be compromised and used, fi in DDOS attacks. The advantage for the malware creator is that a router is usually plugged in 24/7 and you hardly ever look at it. And most routers are very bad, security wise. I've even seen instances of backdoors in backdoors on a couple of models. Blank or fixed passwords is another problem that's still alive.

Tethering is usually on the same par as a router. I don't know of any cases of malware targeting that specific use case. It should be relatively safe, imho, because you have to exploit TWO OS'es: the phone and the computer. There are simpler ways to do it. Anyhow, hotspots in airports or coffee shops are far easier to use if you want to "pwn" some computers.

I wouldn't worry too much about XP. Malware makers stopped targeting XP a while ago. It's not that hard to create a virus that easily penetrates XP through Win 10, all versions. Just one example:

The "downloads" directory and several others have special status in Windows. "Naked" .dll's inside will be automatically executed by any installer if they have a special name. "Naked" meaning they aren't zipped or wrapped in something else.

This is clearly a very exploitable hole. Get the user to download a crafted .dll, then to download and install Audacity fi. Boom. Compromise executed. And the Audacity installer doesn't even have to be doctored.

With a bit of social engineering, easy to exploit. Write a plugin howto, make some noise about it on the net, "Waves finally cracked", or something like it...

And not one AV package is really aware of this technique. Some catch some of the .dll's, the majority doesn't notice.

This particular one has existed and is known at least since XP and has current status "feature, not bug, will not fix". The funny thing is, this almost 20 years old hole got recently re-discovered by a couple of researchers. They are making noise, but nobody's listening.

The sad fact is, some forces don't want security. It would make their job harder. The recent happenings with Fortinet and Juniper's products should make this as clear as an unmudded lake...