Network Security and the Vintage PC
This has been a hot-button topic among retro-computing enthusiasts for a really, really, really long time - how safe are you putting that old computer on the internet? To be honest, while I understand the idea of "unknowns", I also understand that I.T., like music, is a BUSINESS, and business is not particularly happy we're still using our legacy ancient hardware because they want us to get rid of it all and buy the latest and greatest new thing, including any "retro" shit they want to sell to us to appease our nostalgic appetites for old software and games.
The Most Secure Computer is...

A computer in a locked room with no network connection, behind a big steel door, that isn't obvious, that requires a padlock that's always locked. Outside of that, there's always going to be some level of risk in using a digital device, and that increases the more access you give to it. This goes for ANY PC, not just some ancient DOS system. You could get viruses and lose data over "Sneakernet" (aka, walk across the office with a floppy in your hands) back in the day if someone was skilled enough to code one and put it on a floppy. Risk has always been there, and that's life, and something that the younger crowds, it seems, can't quite understand.

The F.U.D. (Fear, Uncertainty, and Doubt) that led to me writing (multiple versions of) this article... The F.U.D. that Microsoft, Google, McAfee, or some guy with a thick accent named "Steve" trying to sell you "Nordstrom Internet Security" will tell you, that your ancient MS-DOS machine from 1990 is going to be a massive security risk that will get hit with Spectre, Meltdown, ILuvU, OmniCron, and a bitcoin miner as soon as you plug it into a broadband internet connection: this is total and utter horseshit. Now, it's not all sunshine and rainbows either - the truth lies in the middle somewhere. Somewhere between "you'll be absolutely fine" and "oh my god, you're going to destroy the internet with your virus ridden PC".

For starters, these types of things are often pushed by organizations with an interest to SELL YOU SOMETHING! Their intent is that if they scare you enough, you'll get rid of anything older than 3 years, buy their protection software, VIP Packages, and top-of-the-line security tools, and then live cowering under that Star Wars afghan like your computer will start WWIII.

The second type are typically lonely incel Armchair InfoSec dweebs.
These are the guys who will do a part of what I do - sit around and read tech books for fun - but somehow feel that acting like a total keyboard warrior on the internet is going to make more people love them, which just shows how little they know. This was a reason I left AtariAge for a time. These guys have basically nothing better to do than sit on their fat asses, drinking Monster, and talking about things they'd be better off actually studying, doing in a Corporate I.T. environment, and making money doing. But hey, who am I to judge - oh yeah - I'll judge 'em all I want, because they've judged me enough times to piss me off. Most of these guys are younger (i.e. b. 1983 or younger) and have never touched a DOS system or used an old version of Windows when they were at a skill level to understand it.

The last part is the "keeping up with the joneses" lamestreamer types. These people don't really know jack-shit about computers, but they think they are "just helping" by acting like an asshole. They don't even know what web browser they are using, and can't tell the difference between a web browser, an Operating System, and an Office Suite. And I don't blame 'em for that, it's not their bag. But it's kind of like a person with no kids telling you how to be a parent, or a person who has never had to tow anything telling you to get rid of your truck that meets what you need it to do. OR a C-suite executive telling you his Business and Law Degrees give him credence over I.T. Infrastructure and Engineering. Honestly, if you were to ask me, the problem with InfoSec in reality - is PEOPLE!!!

So How "At-Risk" Am I with an old PC

In a nutshell, the risk escalates the NEWER you go. Let's talk about why....

The oldest hardware - i.e. 8088-80486 - our bread-and-butter in this section, is pretty secure from a hardware standpoint.
The BIOS is a factory written chip that cannot be re-written; a new chip needs to be burned by the (now most likely defunct) OEM to make ANY change to how the computer functions. And it's pretty tiny, so even if they could they would probably just brick the computer. And BIOSes in those generations were generally fairly universal, so you could just slap another one in the same computer and you're back up and going anyway. Older Ethernet cards are too slow and can slow transfer rates enough in modern DOS apps to make it obvious something is amiss network-wise. These machines can be fully disabled from any form of local interface using a damn KEY! Not an RSA key, or a Windows key - a metal, physical, bloody key. And often a hard to copy barrel-style key at that.

Then there's DOS itself, which is on the higher end of secure by default because it doesn't even come with networking on bare metal until you ENABLE IT. And it's not like a Windows PC where you just tap in a hostname, click on "share my files" and "Share my printers", and then voilà, you have a networked PC - or worse, just enabled out of the box (modern Windows). Instead, you have a task that only seems easy to us who use DOS still - setting up mTCP. That means finding a packet driver for your antiquated network card, which can be a real pain if you don't know where to look. Then after you have the packet driver, you have to learn what interrupt vector to load it at, then figure out how to configure your MTCPCFG environment variable and the file it points to where all of your network settings are stored - and this is ALL done manually with text files. But get this, you can be like me and be REALLY secure by just disabling networking when you don't need it. Which saves on RAM for DOS anyway.

Once we jump to Windows, or if you're using that outdated and antiquated networking manager/client - Microsoft Network Client/Manager 3.0 - then we begin the actual discussions about security.
Because, first off, all of these legacy clients and Windows by extension (especially 95/98/Me) use Server Message Block 1.0 (SMB - or "Samba" for you linux-heads like me ;), or other variants of outdated SMB which have known security holes. Your best bet for protection against this at the common-sense level is to only use Windows WHEN you need to, and if you don't need networking, then don't use it. Because 3.1x, 95, and even 98 and Me were from the days of Dial-Up, and thusly file and printer sharing over TCP/IP wasn't even set up by default.

To make it even more hilarious, 3.1 has an extra edge in security in that if you are doing ALL of your file sharing between these clients, you could just use NetBEUI or IPX/SPX protocols and avoid the whole TCP/IP internet compatible thing to begin with. Just build out a nice, beefy Windows 3.11 For Workgroups "Server" using some old thing like a 386SX or 486SLC....even a laptop will do, and only talk on those protocols. OR better yet, you can do what I do, and block the SMB ports in your firewalls from communication over the internet by only allowing it over Class-C IP addresses (i.e. your internal 192.168.1.xxx IPv4 address). That should keep most of the network communication between your legacy clients and Samba protected. This is a stub for me adding more on this in a bit.

Once we start getting into newer NT based versions of Windows, that's when the risk goes up. People used to spam the Windows Messenger service in Windows 2000 Professional, for example, as a form of advertising and phishing attacks back in the 2000s. Once we hit XP, the vulnerabilities can increase. That's why I suggest using windowsupdaterestored (all) or legacyupdate (Windows NT) to continue to use these as safely as possible with networking and internet access enabled.
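The SMB firewall rule described above (SMB only between hosts on the internal 192.168.1.xxx range) can be checked against what the router actually logs. This is an added example, not part of the original article: it assumes a 192.168.1.0/24 LAN, a hypothetical one-line flow format and constructed sample records, and it flags any NetBIOS/SMB flow with an endpoint outside the LAN.

```python
import ipaddress

# Assumption: the LAN is the 192.168.1.xxx range named in the text.
LAN = ipaddress.ip_network("192.168.1.0/24")
# NetBIOS name/datagram (UDP 137/138), NetBIOS session (TCP 139), direct SMB (TCP 445).
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Constructed sample records in a hypothetical "proto src:port -> dst:port"
# format, one per connection, written initiator -> responder.
SAMPLE_FLOWS = """\
tcp 192.168.1.20:1027 -> 192.168.1.5:139
udp 192.168.1.20:137 -> 192.168.1.255:137
tcp 203.0.113.77:51514 -> 192.168.1.5:445
tcp 192.168.1.20:1031 -> 198.51.100.9:139
tcp 192.168.1.20:1040 -> 198.51.100.9:80
tcp [2001:db8::7]:40000 -> [2001:db8::5]:445
"""

def split_endpoint(text):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address, port)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def violations(flow_text):
    """Return SMB/NetBIOS flows that have an endpoint outside the LAN."""
    found = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        proto, src, _arrow, dst = line.split()
        src_ip, _src_port = split_endpoint(src)
        dst_ip, dst_port = split_endpoint(dst)
        if (proto.lower(), dst_port) not in SMB_PORTS:
            continue
        # An IPv6 address is never inside an IPv4 network, so SMB over IPv6
        # is reported as well instead of slipping past an IPv4-only rule.
        if src_ip in LAN and dst_ip in LAN:
            continue
        if dst_ip in LAN:
            direction = "inbound"
        elif src_ip in LAN:
            direction = "outbound"
        else:
            direction = "off-lan"
        found.append((direction, proto, str(src_ip), str(dst_ip), dst_port))
    return found

if __name__ == "__main__":
    for hit in violations(SAMPLE_FLOWS):
        print(hit)
```

Any line it prints is a flow the firewall should have dropped, so an empty result on real logs is what you want to see.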
Once you patch your clients with these tools and restrict traffic to the internet through the firewall on your router + maybe on the VM or bare metal hardware itself, you should be pretty safe. But the most important security on ANY computer is something in short supply these days: COMMON SENSE! What has saved me a ton of money, time, frustration, heartache, pain, and problems that so many others go through all the time is having the common sense god gave a gopher.

So what is some common sense with vintage PCs?