Exactly how vulnerable are unsupported versions of Ubuntu?

[buzzingrobot]

In essence that was what i was asking about.

With the impending EOL of Win XP there will be a lot of hardware that won't be capable of running newer releases (due to driver support in newer kernels) even of lightweight distros. It would be a shame for them to go to landfill when they can still be run efficiently with older Ubus.

To refine my original question - bearing the above premise in mind - would running out-of-date Ubus be as safe as running XP (even while it's supported)?

Thanks,

Unless drivers are removed from the kernel, I'm not sure how adding new drivers means old hardware can't run newer kernels.

I think your "as safe as" question is impossible to answer in any measurable way. That said, most attacks on PC's depend on operator error to let them in. Almost all of those attacks target Windows users. If someone continues to use XP after it's sell-by date, that's a pretty good indicator they are not very security aware (ditto using XP now). So, that kind of user *is*, I'd think, more likely to allow his or her machine to be attacked than someone using an unsupported Ubuntu release.

And, if that XP user is security aware, they'd still have much better odds with that old Ubuntu.

All this is down to user behavior and the web environment, not the OS. Unsupported software is vulnerable to attacks created after support ended. Avoiding those attacks depends on user behavior.

(Expect all kinds of malware-infesting "Make XP Secure Forever" sites to appear as it nears its drop-dead date.)

[Mephisto Pheles]

I've used XP for a long time, until a year ago actually, I stayed away from Internet Explorer and refused to use Outlook from the very beginning, those were the attack vectors even on Win 95/98/ME. already
I never had any problems and I visited a lot of very dodgy sites through the years, using Opera mostly.
It's not XP itself that is so insecure, despite the perception, it's all the other Microcrap that creates most of the the problems.
And Adobe (Flash and Reader) and Oracle (Java).
Stay away from Microsoft Software (IE, Outlook, Office), remove Java and keep Flash updated and you'll be able to run it for another 10 years even after EOL.
Anyway I'm on Linux now so..

As for your question, what is the security you're talking about? Or rather what is the security you need?
What would be the worst case scenario? That's how you have to define your "vulnerability".
If you're just an occasional surfer, checking your occasional personal emails and your facebook page and watching some youtube videos what's the risk?
If you're processing company data, running a business, working for one, or are responsible for the websites of your clients, that's an entirely different situation.

And don't forget that it's always the users and their own intelligencce, or lack thereof, and not the platform, that are the main problem.
If you're dumb enough to click on everything and believe everything that might show up in your inbox or on your facebook page.. then you're it.
Or as Beeb Birtles wrote it for the Little River Band... "Curiosity killed the cat."
Even on linux with the best firewall and anti-virus and whatnot else.

It's also good to remind yourself sometimes that the computer security industry is a big industry.
They like to promote themselves in a lot of ways since there's a lot of money to be made.
Even dumb old Bush was smart enough to know that fear sells.
It's easier and more profitable to sell some security software, a lot of it useless and pointless as every expert that doesn't have anythng to sell you will tell you, than to educate people to use their brains.

I read a couple of articles recently about how pointless and useless anti-virus software really is. I'll see if I can find some links
Anti-virus products are rubbish, says Imperva
http://www.theregister.co.uk/2013/01...us_is_rubbish/
The School of Hacking
http://www.thedailybeast.com/newswee...f-hacking.html
The Antivirus Era Is Over
http://www.technologyreview.com/news...s-era-is-over/
Is Traditional Anti-Virus Software Really This Bad?
http://techtalk.pcpitstop.com/2013/0...ally-this-bad/

An interesting story from an insider
Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet
http://www.wired.com/threatlevel/201...security-fail/

Your biggest security threats don't come from your own computer or your own OS but from some of the sites you might be using, especially when you're using credit cards etc online.
That should be a far bigger worry than your outdated OS missing out on some security patches.
That doesn't mean you should not consider upgrading to xubuntu 12.04 LTS if your old box can run it.

[whitesmith]

To refine my original question - bearing the above premise in mind - would running out-of-date Ubus be as safe as running XP (even while it's supported)?

A supported version of Windows is just one that doesn't BSOD too frequently. And one that hasn't received excessive knocks from security specialists. Recent revelations indicate that American tech companies are working hand-in-hand with the NSA to implement back doors in software and hardware. Any back door intended to thwart illegal activity can be detected by bad guys and used to implement it. If you believe Windows is acceptably secure, you must also believe that politicians never lie. Go with Linux--any time, any version, full stop.

[whitesmith]

To Mephisto Pheles: ...dumb old Bush and...Nietzsche? My dear sir, you sound like one critical of established belief, a doubter of jingoistic slogans. Better be careful of what you say or the NSA will put you on the list of those needing Special Attention by the Thought Police. Oh, wait a minute, they already have. A tip of my hat to free-thinkers everywhere!

[buzzingrobot]

"...back door intended to thwart illegal actvity..." misconstrues the intent of a back door.

[Mephisto Pheles]

If you believe Windows is acceptably secure, you must also believe that politicians never lie. Go with Linux--any time, any version, full stop.

I wouldn't take such a statement at face value. I doubt it that there are no backdoors in Linux. Despite the whole open source philosophy and the source code checking and so on and so forth. There's enough room to cheat, and enough people smart enough to get away with it. I wouldn't make any bets on it. But I won't lose any sleep over it either.

And as for politicians.. I think I better skip that one

[whitesmith]

I wouldn't take such a statement at face value. I doubt it that there are no backdoors in Linux. Despite the whole open source philosophy and the source code checking and so on and so forth. There's enough room to cheat, and enough people smart enough to get away with it. I wouldn't make any bets on it. But I won't lose any sleep over it either.

I trust FOSS because there is no central source for a government to coerce into complicity. Say, for instance, you're the NSA and you want to compromise implementation of the PKS in Linux. Who do you turn to for help? Linux is the work of a community, not a company, so carrots and sticks are useless. Even--and this is probably the extreme limiting case--you could persuade Torvalds to cave in the name of "national security" or some such bugaboo, that would have no effect on developers around the world tasked with maintaining the PKS piece. Compare that with the NSA's "black room" at AT&T's San Francisco switch. The NSA asked. AT&T complied. All traffic carried by that network went through the filter, whose existence only became public knowledge after the Justice Department mistakenly put defense lawyers on a cc list in an unrelated FOIA matter. Central points of management are easily exploited. Distributed management makes funny business immeasurably more difficult. That is what I like about Linux.

[buzzingrobot]

Regardless, people need to remember that the net is about publishing, not point-to-point communication. The net is not private and is not meant to be a means of secure, private, communication. That includes email.

If you can't risk it being seen, don't use the net.

One point is that the NSA grabbed net traffic, The more important point is that it is so easy, within the capabilities of many, many people.

[Bucky Ball]

Thread moved to Security Discussions.

[Mephisto Pheles]

Regardless, people need to remember that the net is about publishing, not point-to-point communication. The net is not private and is not meant to be a means of secure, private, communication. That includes email.

If you can't risk it being seen, don't use the net.

One point is that the NSA grabbed net traffic, The more important point is that it is so easy, within the capabilities of many, many people.

Good point, doesn't matter what you use the net with, the fact that you're using it already "exposes" you.