illiac786 | 28 days ago

Yes, it is very much atypical. Most hacks happen because admins still haven't applied a 2-year-old patch. I hate updates, but it's statistically safer than running an old software version. Try exposing a Windows XP box to the internet and watch how long it takes before it's hacked.

card_zero | 28 days ago

Debatable. "I connected Windows XP to the Internet; it was fine" - https://news.ycombinator.com/item?id=40528117

One comment there points out that XP is old enough for infected attack vectors to have all died out. I dunno.

expedition32 | 28 days ago

Anyone else noticed that we don't even GET patch notes anymore?

"Fixed some bugs." Yes, thank you, very helpful! Now I can make a very informed decision.

bigfatkitten | 28 days ago

I experienced this first-hand in 2014. We got to a point where drive-by exploit kits just weren't shipping IE8, Java 6 or Windows XP payloads anymore.

thegrim000 | 27 days ago

You assume that the old software version has critical vulnerabilities. If it does not, then yes, updating is more of a risk since the new versions are unknowns.

illiac786 | 27 days ago

My assumption is statistical. All software has critical vulnerabilities, not just the old versions. It's just that, in the case of the old ones, these vulnerabilities are known, which significantly increases the risk.

pibaker | 27 days ago

To be fair, I doubt there are that many people scanning for internet-facing XPs in 2026.

On the other hand, any server running old, unpatched versions of Apache or similar will get picked up by script kiddies scanning for publicly known vulns very, very fast.

The Notepad++ attack is politically targeted and done through unconventional channels (a compromise at the hosting provider). I don't think 99% of the people reading this thread have a comparable threat model.

tasuki | 28 days ago

I don't know about Windows, but I've been running all kinds of outdated Linux (Debian mostly) and it never once caused a security problem.

pxc | 28 days ago

Debian backports security patches.

bulbar | 27 days ago

It depends on whether the application itself touches the Internet or only does so when conducting updates.

The threat models for a server and for a personal computer are very different. On a consumer device, typically only the OS, mail app and browser have direct contact with the outside world.