I just finished a 16,000-word whitepaper on Conficker incident response in 2026 because we’ve gotten that many IR activations and I really didn’t think this is where I’d be
@hacks4pancakes how did you get to 16,000 words? I’ve written three drafts and only managed three words each time:
Draft 1: “Oh my god.”
Draft 2: “Patch your shit”
Draft 3: “What the fuck”
@spaceinvader “patch your shit” is a little hard when it’s the Windows 2000 systems keeping water on safely for a city and the person who installed the system and attached pumps is now dead.

@spaceinvader 16,000 words complicated, in fact.

This is the norm, not the exception.

@hacks4pancakes so glad they finally upgraded from Win98.

I actually really liked Win2K and ran it (I think SP6?) for a long time. (Not as long as municipal infrastructure.)

It never ceases to surprise me how much of a house of cards modern civilization is built atop.

@hacks4pancakes @spaceinvader a while back I found an NT4 in a place that does Pretty Important things. The maintainers were buying old hardware from eBay for spare parts in case something breaks. That was the DR plan. Patching would have required tearing down a building.
@0xtero @hacks4pancakes @spaceinvader Oh, I’ve done that but it was sparc20 workstations. On another occasion we found a supplier in India that stockpiled decommissioned PLC equipment and resold it at a premium for these types of situations.
@grumpyoldtechie @hacks4pancakes @spaceinvader oh that’s very smart. I wonder if in 30 years people will go “OMG this power plant is running their systems through GPT-5 on ancient NVIDIA chip! Does anyone know what it’s supposed to do?” I feel 2026 Industrial AI might be a wild ride in 2050.
@0xtero @grumpyoldtechie @hacks4pancakes @spaceinvader "Industrial AI" is a phrase I do not like the sound of.
@0xtero @hacks4pancakes @spaceinvader So much critical infrastructure (worldwide) depends on things that are that horrific combination of (a) fragile (in a modern, "let's poke it across the network and see what happens" sense) and (b) irreplaceable (in the "the manufacturer went bust twenty years ago and the one guy who actually understood this kit retired ten years ago and now lives as a monk in Paraguay" sense).
@hacks4pancakes @spaceinvader Or - we can run the plant for 2 hours without control but after that we alert the city emergency services and start a manual shutdown. So make sure your backout plan can be safely completed in 2 hours if your patch/upgrade doesn’t work.

@hacks4pancakes @spaceinvader

I've had similar, except Win98 running a million $ electron microscope.

The solution I made was to put a RPi between it and put auth on passthrough.

Wasn't great, but it did follow the university reqd sec policy.

@crankylinuxuser @hacks4pancakes @spaceinvader

This is one of the big markets some of our customers are looking at for our first chips: a memory-safe device with a compartmentalised network stack that sits between some known-to-be-vulnerable thing and the rest of the world. In a lot of places, you can get away with a serial link on the ancient-Windows-machine side, so you’re not even talking TCP/IP in that direction, just taking commands and reporting current status. Data rates are very low, so you can use a (fast) microcontroller on the bridge, and having one that rarely needs patching is useful because some sites allow very brief limited off-site network access for updates once every six weeks.

@hacks4pancakes @spaceinvader Oh god, flashbacks.....

I worked for an ISP that provided the connectivity for an entire water and sewer district. We also did their phones, security cameras, and worked with their MSP for anything that needed to touch their WAN, which we provided.

I saw NT4 and Netware systems deployed in 2015. I did some consulting for them in 2020, very little had changed.

But the real horror show part? All behind a pair of Fortigates.

@nuintari @hacks4pancakes @spaceinvader

There's still PDP-11s out there, I think.

@resuna @hacks4pancakes @spaceinvader Wouldn't surprise me at all. I've seen Sun, DEC, SGI.... all in the last few years. There is much SCO and Netware still floating around small engineering shops and factories.

I saw honest to god, Cisco AGS in service about five years back.

Old ass IBM iron is bloody everywhere.

@nuintari @hacks4pancakes @spaceinvader I used to do utility DCS work. Some of the little auxiliary systems my main DCS had to talk to were ancient. The site techs had to keep quite old laptops with incredibly out of date software to access/program equipment. Hell, some of my equipment required MS-DOS 5.0 (mainly for serial links, and I have no idea how they got licenses for that). Small outfits have an even harder time.
@hacks4pancakes @spaceinvader “Patch your shit that’s segregating the real shit”?
@hacks4pancakes @spaceinvader
"Patch your shit" is even a nightmare if you fall too many releases behind because your friends at the package mirror start deleting old distributions. Even if the upstream are backporting fixes to 10 year old releases (lmao) you still can't get a package for that shipped for your old-ass system, and you can't upgrade to the next dist because it's gone now, so you gotta hope that Mr We-built-this-system-on-rock-and-roll happened to commit all the setup scripts to (at best) cvs so you can re-build the system
@EndlessMason @hacks4pancakes @spaceinvader CVS? Oh, that server we decommissioned back in 2021 when management ordered us to cut running costs and hardware?
@EndlessMason @hacks4pancakes @spaceinvader or even better, it's still there but has been sat displaying an error related to a disk failure that nobody's seen for the past 18 months because it wasn't ever hooked in to IT's monitoring

@http_error_418 @hacks4pancakes @spaceinvader

Data centre tour guide: ... and here we have vcs-01, the oldest machine in the DC. Note the distinct shade of purple, very nice, no? We rely on this machine to bootstrap most of our infra.
Visitor: Is... is that LED blinking out morse code for SOS?
Tour guide: dot dot dot dash dash dash-- you know, it might be. Somebody remind me of that when we get to the operators' desk.

@hacks4pancakes @spaceinvader I don't even mind that they continue to run W2k as long as it's properly airgapped. But they don't even do that in many cases.

There's a distinct advantage to software that's well understood, including whatever bugs it has. It's predictable. And that's fine until you have adversaries who are able to exploit that predictability.

Of course, you also start to find difficulty obtaining hardware that can *run* the old software...