Microsoft has a fundamental problem in their approach to EOL products: They appear fully patched.
All EOL products should be issued a final gimped patch that never installs correctly so EOL products always show unpatched.
Microsoft was really like “Well your gas tank fell off, time to take away the out-of-fuel warning light. Logic.”
@SwiftOnSecurity they did something similar with the original XBox, but at the beginning of the life cycle. It wouldn't BSOD because they removed that code (and bragged about it when they were doing campus roadshows in the lead up to the release).
@SwiftOnSecurity
This used to be common with used car dealers. Oil light coming on? Take out the bulb. That's why all the dash lights now turn on at startup.
@SwiftOnSecurity Have I got some EOL'd Androids for *you*.
@slightlyoff @SwiftOnSecurity Nailed it. Samsung Galaxy S10. Android 12. Last patch March 2023. Perfectly operational, no warnings or notifications & silently very vulnerable to some extremely nasty security issues.
@kurtsh @slightlyoff @SwiftOnSecurity
LG G6: the last Android security update for it was 5 years ago, and the phone still gets sold as "new" on Amazon. Banking apps will happily work on it. If you install LineageOS with somewhat current Android on it, banking apps will stop working because a rooted phone is not secure enough.

@slightlyoff @SwiftOnSecurity For those not aware, the Samsung Galaxy S10 cost $1100 at the time & was 4 yrs old when Samsung ended security patch & OS upgrade support without any notification, even for Enterprise deployments.

The device is vulnerable, permanently stuck on Android 12/March 2023 update. The latest is Android 14.

Our company is locking out all mobiles - including those used for MFA Apps - that don't meet the minimum update requirements. I sucked it up & bought an S23.

@SwiftOnSecurity that’s what we pay tenable for
@SwiftOnSecurity I’d like to see it do something akin to the old unlicensed watermark complaining that it’s EOL and no longer patched.
@SwiftOnSecurity Isn't this essentially "Windows Genuine Advantage" with extra steps?
@SwiftOnSecurity
I know my fleet of Server 2008 VMs is secure because Windows is telling me it's fully patched.
@SwiftOnSecurity Unfortunately, that’s also true of obsolete versions of Android, iOS, and macOS.
@SwiftOnSecurity pretty sure most Windows systems quit patching properly long before EOL so most users probably see the lack of notification as a plus.
@SwiftOnSecurity
Same with lots of software repos, really. #Debian shows no updates for an obsolete release. #Fdroid shows no updates for a withdrawn app. #WordPress plugins are similar. All of these should have a way to tell the user that the thing they're after is gone.
@richardh @SwiftOnSecurity for Debian at least, updates will fail for systems which are out of date because we remove them from the main archives. So you'll get some indication that you're out of support.
@dondelelcaro @SwiftOnSecurity True, but that happens a little later, doesn't it? And IIRC LTS releases don't get support for all packages?
@dondelelcaro @SwiftOnSecurity Or maybe I'm getting confused with #Ubuntu LTS policy, for which I apologise.
@richardh @SwiftOnSecurity it's supposed to be removed from deb.debian.org when support ends; the LTS release is available as oldoldstable until then (and afterwards on archive.debian.org, but using that location requires manual work). I'm not as up on Ubuntu's LTS, so you may be right there. See https://wiki.debian.org/DebianOldOldStable for some more information.
@richardh

@SwiftOnSecurity

When a Debian stable release has passed beyond all support boundaries, it is moved from the repo where it lived to archive.debian.org. Currently, that's buzz through jessie.

Old install images won't work without modifications, automatic updates will return errors rather than a mere lack of updates.

@SwiftOnSecurity Explaining that Win7 devices showed as compliant because ESU was not purchased and/or the ESU license was not installed. That was fun.
@rasldasl @SwiftOnSecurity obligatory “are you trying to defend against an attacker or against an auditor” goes here
@malwareminigun @rasldasl @SwiftOnSecurity Which one is cheaper to defend against *right now*?
@indigoparadox I think you generally don’t know until it becomes Expensive

@SwiftOnSecurity just place a nag message like they do with eval.

"This is EOL, dumbass"

@SwiftOnSecurity
My car has a tire inflation light: the battery went bad in the sensor, but of course... can't replace the battery, can only replace the entire sensor array. Which would cost almost as much as the car is worth, lol.

So every time I start the car, the light flashes for 5 minutes before going to "Hey, imma just stay on and annoy or worry you, so you check the tire pressure every now and then" mode.

It works: it annoys/worries me enough that I actually check the tire pressure every few weeks. 🤣

@SwiftOnSecurity Not everyone is willing to follow IBM's approach to long-term support. They will generally support a piece of enterprise hardware so long as (a) you pay them, and (b) there are still living engineers who know how to do it. I had a friend whose dad was an IBM retiree, and up until he died 10 years ago, he'd get the occasional call to fly to some bank in Africa (all expenses paid, of course) whose antique mainframe was acting up.