/tech/ - Technology<a id="favorite-star" href="#" data-active="false" style="color: grey; text-decoration:none">★

more like install gentoo

▶Anonymous 12/21/18 (Fri) 09:48:46 No.1011083>>1011274

install openbsd

▶Anonymous 12/21/18 (Fri) 10:17:21 No.1011088>>1011092 >>1011331 >>1011417 >>1011889 >>1013735

Seriously, I would install a linux of some kind. If it's xp era support they need, wine can handle it. There is an old version of ylmf os in english (v3 iirc) that has a very accurate gnome/gtk2 xp theme. Just rip the theme from there and stick it in a Mate LMDE or Ubuntu install. You can even rip the current software they use and have wine prefixes for them. Don't forget to remove any non wine drives from the config.

Also, this isn't /g and there is a sticky, go fuck yourself, merry christmas.

▶Anonymous 12/21/18 (Fri) 10:52:27 No.1011092>>1011097 >>1012393

Well that would be simple, but I'm unsure if antivirus would even support systems that old.

If it would problem solved.

Yes I deserved that burn

Thanks anon

▶Anonymous 12/21/18 (Fri) 11:45:27 No.1011097>>1011101

File (hide): 5af52a28f2a2a79⋯.jpg (37.63 KB, 402x397, 402:397, y2kSurvivalKit.jpg) (h) (u)

>>1011079 (OP)

>>1011092

Personally find 2k/XP to be a rather stable business OS - just isolate them to the internal networks. For manual av scanning ClamWin still works.

▶Anonymous 12/21/18 (Fri) 11:54:40 No.1011101>>1011103 >>1011105 >>1011162 >>1011331 >>1011417 >>1011866

>>1011097

I'm going to set up internal email and isolate the office computers - but they whine they can't use Google for checking spellings etc.

I miss xp, working with it was a blast from the past.

Human error is a big security issue, every computer was riddled with ransomware and Trojans when I arrived.

I might have to whitelist incoming mail as well but I can't find a long term IT officer.

Antivirus will have to be free or pirated--the office can't afford pens let alone licences.

▶Anonymous 12/21/18 (Fri) 12:06:01 No.1011103

File (hide): 868109a2d3fbd48⋯.jpg (53.47 KB, 636x408, 53:34, humanzee.jpg) (h) (u)

>Human error

Well, ClamWin is FOSS but can't protect from that

▶Anonymous 12/21/18 (Fri) 12:13:23 No.1011105>>1011464

Only let the Google botnet pass through firewall when it's from any of those PCs. If they're isolated, anything past that point can be checked with ClamAV. Some places also prevent USB drives from working until they are whitelisted by tech support. Meaning no chucklefuck with an infected drive can compromise your system.

▶Anonymous 12/21/18 (Fri) 17:54:11 No.1011162>>1011166 >>1011331 >>1011464

Install the last version of EMET that works on XP (4.something) and set it up properly, install an actual firewall, disable USB ports through the BIOS, if at all possible at least install the last security updates available for XP. If you had the funds to do so I would also recommend licensing Deep Freeze and using it on every box. Why do these users even HAVE administrator access to the company's computers? I know XP can be a shitshow when it comes to restricted user rights but if their requirements are literally "use google in a web browser" then block everything except for the web browser through Group Policy.

Seriously, you would save hundreds of dollars a month migrating these old P4 boxes to Raspberry Pis. What are these people doing on these machines, Word 2003 and Outlook 2003? Is this just another "it works for me" scenario that never stopped "working" for them? Switching to SBCs and retraining on Debian XFCE/MATE will pay for itself after a couple months from the electricity bills alone. If you absolutely need old XP32 binary compatibility isolate the fuck out of anything that runs XP32 and consider them permanently pozzed with every virus and malware on the face on the earth, don't connect them to anything. Glue the USB ports shut. Actually just glue all the USB ports shut on every box at bare minimum since you can't really stop the 45 year old secretary from shoving whatever device she finds laying around into "her" computer.

▶Anonymous 12/21/18 (Fri) 18:06:29 No.1011166>>1011177 >>1011464

>>1011162

Good advice, although if you really want autistic security Alpine Linux or OpenBSD are probably better options.

▶Anonymous 12/21/18 (Fri) 18:36:46 No.1011169>>1011325 >>1011331 >>1011464 >>1012307

>>1011079 (OP)

XP can't be secure anymore, either upgrade to a newer version of Windows that actually gets security updates, or just use some minimal linux distro instead

there are remotely-exploitable security issues for XP

only government contracts get security updates for XP, and there are additional mitigations like network segmentation with VLANs and ACLs and shit, and MS gives security updates to partners who pay, but you're some random person, not a government or military still relying on XP for legacy critical infrastructure

http://wiki.NetBSD.org/ports/evbarm/raspberry_pi/

common sense won't protect you against remote code execution on unpatched CVEs, dumbass

▶Anonymous 12/21/18 (Fri) 19:51:42 No.1011177>>1011183 >>1011377

>>1011166

OpenBSD won't run on RPis. Alpine Linux is a good recommendation, though.

▶Anonymous 12/21/18 (Fri) 20:21:55 No.1011181>>1011464

>>1011079 (OP)

Windows 10 minimum requirement is 1GHz CPU DX9 GPU 1GB RAM 20GB HDD. You can get volume license agreements from Microsoft on 250+ machines. You might also look into replacing the old PCs with ~$300 Dell or Lenovo microshit boxes that come with Windows 10 Pro.

▶Anonymous 12/21/18 (Fri) 20:23:06 No.1011182>>1011206

>>1011079 (OP)

>/g/

you have to go back

▶Anonymous 12/21/18 (Fri) 20:29:00 No.1011183

>>1011177

NetBSD does. In fact, RPi is probably their best supported ARM board.

▶Anonymous 12/21/18 (Fri) 22:25:26 No.1011205>>1013735

fun fact: theres literally nothing wrong with using netscape navigator in 2018

▶Anonymous 12/21/18 (Fri) 22:26:03 No.1011206>>1011213

>>1011182

>he doesn't know

Where do you think we are?

▶Anonymous 12/21/18 (Fri) 23:34:30 No.1011213>>1011453

>>1011206

not /g/, and certainly not on cuckchannel

▶Anonymous 12/22/18 (Sat) 00:53:39 No.1011265>>1011284

>>1011079 (OP)

Wasn't there some Japanese dude that was basically hacking security patches into XP still?

▶Anonymous 12/22/18 (Sat) 01:04:23 No.1011273

>>1011079 (OP)

> for you /g/.

>>>/oven/

▶Anonymous 12/22/18 (Sat) 01:09:29 No.1011274

>>1011081

based

>>1011083

unbased

▶Anonymous 12/22/18 (Sat) 01:50:53 No.1011283

>/g/

Why do cuckchan refugees keep cumming here.

▶Anonymous 12/22/18 (Sat) 01:51:20 No.1011284

>>1011265

No actually he was running Windows 2000.

▶Anonymous 12/22/18 (Sat) 02:57:51 No.1011319>>1013735

Would be a good audience to sell a preconfigured setup to. Gentoo+wine+your proprietary shims to make their dumb app work. Bonus points if you instead hook em on your own closed source OS instead.

▶Anonymous 12/22/18 (Sat) 02:59:18 No.1011320

install gentoo

▶Anonymous 12/22/18 (Sat) 03:06:07 No.1011325

>>1011079 (OP)

Put a proxy between all of the computers and the Internet. Filter the traffic for malicious content.

>common sense won't protect you against remote code execution on unpatched CVEs, dumbass

But good network traffic monitoring will mitigate frequency of occurrence.

▶Anonymous 12/22/18 (Sat) 03:18:18 No.1011331>>1011337 >>1011463 >>1013735

>They keep getting ye olde viruses and are being used as zombies in DDOS attacks against unrelated targets in close geographical proximity.

then something is wrong with you or your shit setup

1. use internet connection or router that will put you behind NAT. do not have ports accessible from the internet, why would you need that if you are not a server?

2. install 3rd party firewall (can be old) and set block everything policy, then you manually add some rules for software to work with the internet

3. uninstall flash and java

>Seriously, I would install a linux of some kind.

linux is piece of nigger dog shit

windows95 is more usable and user friendly than any linux ever

also linux uses 3 times as much memory as win2000/xp but it is 3 times less productive

>I'm going to set up internal email and isolate the office computers - but they whine they can't use Google for checking spellings etc.

why the fuck do you cut internet from them?

just do what I told

but if idiots will voluntary install viruses, nothing will help, no operating system is safe from that

>>1011162

>Seriously, you would save hundreds of dollars a month migrating these old P4 boxes to Raspberry Pis

what a bullshit

raspberry is overpriced piece of shit that can't even run windows. so it cannot do anything useful

>XP can't be secure anymore, either upgrade to a newer version of Windows that actually gets security updates, or just use some minimal linux distro instead

>there are remotely-exploitable security issues for XP

what a bullshit. fuck off jewish shill

I use XP with internet and I watch and store CP, I commit crimes. I am waiting till you hack me. Come at me

>common sense won't protect you against remote code execution on unpatched CVEs, dumbass

bullshit

show a single CVE that will work on my setup, XP behind NAT and firewall

▶Anonymous 12/22/18 (Sat) 03:35:21 No.1011335>>1011463 >>1011464

>Why are any companies using old shit

There are plenty of companies still using 3.11, locked in ancient software contracts combined with garbage budgets.

A lot of the terminals I've used at airports use older console only Apple II era crap.

▶Anonymous 12/22/18 (Sat) 03:38:53 No.1011337>>1011464

>>1011331

I think we can all agree that the first thing OP needs to do is put anything between the business computers and the open Internet. Proxy, router with NAT, Anything that blocks other computers from attempting arbitrary port connections to the machines.

My concern with just NAT is that they're probably using an Internet Explorer / Firefox that will allow arbitrary websites to download shit to the temp folder and then install links to it in the Startup folder of the Start menu. Had that happen once with 2K.

▶Anonymous 12/22/18 (Sat) 03:40:20 No.1011338

>>1011079 (OP)

There are fundamental vulnerabilities in those old hardware/software. You're not going to be able to patch everything, ever.

▶Anonymous 12/22/18 (Sat) 06:00:28 No.1011377

>>1011177

OpenBSD does in fact run on the Pi.

▶Anonymous 12/22/18 (Sat) 09:19:27 No.1011417>>1011897 >>1013735

https://www.faronics.com/products/deep-freeze

wine doesn't support proprietary dongles and oddball devices including ubiquitous scanners and scanner software.

>>1011079 (OP)

Spend the company's money and get deep freeze.

Then firewall the shit out of everything and require the use of as much offline software as possible.

>spell check

Get a software dictionary.

Anything that touches the outside world needs to be on a separate network with a locked down linux distro.

Use something that resembles windows.

▶Anonymous 12/22/18 (Sat) 11:54:51 No.1011451

Eset usually continues support for older OS versions. That being said, most are still vulnerable to exploits and malware, so virus infections aren't the greatest risk on an older OS. On the plus side, most people don't actively develop new exploits for software that is "dead".

▶Anonymous 12/22/18 (Sat) 12:06:52 No.1011453>>1011457 >>1011539

>>1011213

>being this oblivous

You must be new here? High time you went back to >>>/pol/ crossposter

▶Anonymous 12/22/18 (Sat) 12:28:25 No.1011457>>1011539

>>1011453

>not posting on BASED /pol/

Umm sweetie, I don't think you belong

▶Anonymous 12/22/18 (Sat) 12:57:57 No.1011463

>>1011335

Kek, an Apple II is much safer than any modern computer. If that's all they need for the job, it's the best possible choice, so long as they can continue to source parts for it.

For a long time, banks used old school terminals also. After all, the staff only needed to edit simple text/numeric forms. And it's all that should be required for *me* to login to my online banking account as well. A simple text browser like Lynx is all that should be needed for this kind of task.

>>1011331

RPi isn't useful for everything, but it sure is good enough to do common office tasks like spreadsheets and word processing, plus email and basic web stuff. Oh but right, you think only Windows can do those things, even though office tasks were done long before Windows even existed, and on much weaker computers.

▶Anonymous 12/22/18 (Sat) 13:00:41 No.1011464>>1011539

>>1011105

Blocking usb ports or getting portable drives whitelist.

Now on my to do list

>>1011162

Honestly I only understood a fraction of that.

>it never stopped working.

Basically, and part of the issue is that there is a Charlie foxtrot of genetic office equipment that might have to be replaced if a shell was installed, budget is basically Nill.

Finance won't release lump sum payments, only a monthly allowance I have to shave off.

Fucking third world.

>>1011166

>alpine linux

I'll look into it, thanks anon.

I'm leaning towards isolating the office computers and continue running a patched xp, maybe a Linux system with xp interface in a shell.

Thanks.

>you're some random person, not a government or military still relying on XP for legacy critical infrastructure

Hahaha, hahaha. Pray for me.

>>1011181

Net BSD on rasbery pi's huh.

Budget might stretch but it would have to be a gradual roll out.

>>1011335

Critical infrastructure in China often runs xp, the system is just phisicaly isolated

>>1011337

Confirming this is an issue.

There were firewls but not set up properly

I'm just going to close all the ports and route everything through a Linux.

But if you would believe it power cuts are actually an issue.

We've got phisical wires running next door in case our fuses go and acid batteries to support the back up of files in the event of total power outage

I havnt used a computer since win10 and can't even fix the office printers - but for some reason responsibility for this cluster fuck has fallen on me and I don't have time to study IT for three years.

I DDOS'd someone over a game server, that is the height of my it skills - but we don't have the funds to bring in an expert and there's nobody we trust.

"do the best you can, it can't get any worse and we don't have the money to make it better"

▶Anonymous 12/22/18 (Sat) 18:43:19 No.1011539>>1011649

File (hide): deb87feaf01d8bb⋯.png (213.63 KB, 996x777, 332:259, deb87feaf01d8bb6155941f3af….png) (h) (u)

File (hide): 4d629f1adeb2203⋯.jpg (934.58 KB, 3840x2160, 16:9, where do you think we are.jpg) (h) (u)

>>1011453

>>1011457

>A cuckchan crossposter accusing others of being crossposters

No wonder you're so oblivious to 8chan's board culture, you stuck there through every exodus, moot cucking out to jewgle, and only thought of coming here once that place had thoroughly been pozzed to where even the most dedicated cuckchanners couldn't stand it. And now you're acting like you've been here for years now that your shithole is too far gone even for you.

It's no surprise that rapefugees like you can only think in terms of /pol/, not-/pol/, and muh enlightened centrist septics- you were dumb enough to keep posting to cuckchan after the first exodus in 2014.

>>1011464

You should be fine just installing linux or OpenBSD/NetBSD on those machines. As long as they're just used for browser stuff it should be pretty painless as long as you lock them down enough.

▶Anonymous 12/23/18 (Sun) 00:07:11 No.1011649>>1011662 >>1011688

>>1011539

>8chan

>culture

Want to know how i know you're not from here?

▶Anonymous 12/23/18 (Sun) 00:24:14 No.1011662>>1011825 >>1011913

File (hide): f8037cae4c08ca2⋯.png (297.54 KB, 512x564, 128:141, infinite_ammo.png) (h) (u)

>>1011649

>being unironically so new as to not know the board culture of any part of 8chan

Just because you didn't pick up on it doesn't mean it isn't there.

▶Anonymous 12/23/18 (Sun) 01:26:01 No.1011688>>1011913

>>1011649

leave

▶Anonymous 12/23/18 (Sun) 07:02:33 No.1011819

>>1011079 (OP)

>Business has hundreds of computers made in the early 2000's running winxp

>Some hadn't even been updated to the "latest" service pack.

Install SP3, the necessary updates, and run the regedit to get PoS updates as well.

>They keep getting ye olde viruses and are being used as zombies in DDOS attacks against unrelated targets in close geographical proximity.

I cut down most of my clients' viruses by installing uBlock Origin in their browsers. If necessary, I switch the default browser to a uBlock compatible browser. (XP support is being dropped, so keep that in mind)

Ultimately these machines aren't secure and they should have the default gateway removed if WAN access isn't necessary. (PoS updates end next year anyway.) Look into possibly using Linux/Wine for said machines if upgrading hardware is out of the question and WAN access is still necessary.

▶Anonymous 12/23/18 (Sun) 07:27:30 No.1011825>>1013065

>>1011662

All 8chan culture is shit and should not be encouraged.

▶Anonymous 12/23/18 (Sun) 07:42:50 No.1011829

>>1011079 (OP)

are they being exploited or are your users just retarded? and why can't you run something that has security patches? I run linux with the latest security patches fine on my """early 2000's computers"""

▶Anonymous 12/23/18 (Sun) 08:58:31 No.1011846

sandbox the shit out of it, perhaps helps

but really you should atleast be running Windows 7

▶Anonymous 12/23/18 (Sun) 09:13:53 No.1011848

>>1011079 (OP)

Install Debian.

▶Anonymous 12/23/18 (Sun) 10:26:43 No.1011866

>I'm going to set up internal email and isolate the office computers - but they whine they can't use Google for checking spellings etc.

Let them complain. The clever ones will figure out how to spellcheck without this magic Google thing.

▶Anonymous 12/23/18 (Sun) 13:20:13 No.1011889

>If it's xp era support they need, wine can handle it.

How to spot a NEET 101.

Wine is ok for personal use, and absolutely unacceptable for business use that absolutely needs special software/hardware to work.

▶Anonymous 12/23/18 (Sun) 14:12:19 No.1011897>>1013735

File (hide): 3052ec2c7eb06eb⋯.gif (379.04 KB, 500x520, 25:26, 3052ec2c7eb06ebbafd7097fb1….gif) (h) (u)

>>1011079 (OP)

I wrestled with this problem while doing IT like a decade ago. (But don't call us /g/)

You should definitely evaluate who can be moved to Unix and who can't. This requires knowing what is or isn't compatible. If someone is just checking e-mails and browsing the web then they're a prime candidate. If they need any kind of specialty software or drivers, then they're out. If you tell us what kind of business it is, I might be able to offer more specific advice.

Bear in mind that a mixed Linux/Windows network can add additional problems getting them to communicate, so if you can't move everyone over then you might need to make additional tweaks at the network level to compensate. One of the benefits of an all-Windows network in enterprise is the ability to micromanage stuff with Active Directory.

The next thing I would do is build your own minimal XP ISO. Since your employer is covering it, you can probably afford NTLite (or just use it for free and don't tell anyone). Remove stuff that nobody uses. Nobody uses a scanner? Remove that. Nobody (unlikely) uses printers? Remove it. Dial-up modem support? Gone. Remove the cruft. This gives you a smaller attack surface.

As >>1011417 mentioned, Faronics DeepFreeze will be a great help. Once you're certain you have a "perfect" image, you can install it and immediately DeepFreeze it. You will need to provide a network share for users to save their files on. Training them not to dump stuff they want to save onto their desktop may be an entire issue on its own though: lusers are resistant to basic things like "navigating to a network folder" and you may need to map it and put it on the desktop for their own convenience.

As others said, airgapping is probably a good move. At least relegate them to their own VLAN so they can talk to your servers and that's it. Use HOSTS to reroute any other request; you don't want to risk them pinging the outside world and redirecting all traffic back to home will actually neuter a fair bit of malware.

Honestly, the real issue is that if people can read e-mails they're going to click stuff they shouldn't. And XP has a ton of IE6 vulnerabilities baked-in. You can also consider anti-virus. Kaspersky is probably Russian Botnet but it's effective at keeping other stuff out, so if you need to cave it's probably your best bet. Although Anti-Virus usually is only good for a few years before getting bloated, so maybe there's something better on the market now.

There may be some more elegant solutions, though

Everything from here on out is spitballing based on newer options you have that I didn't when I had these problems. They may be doable but you will need to do additional research.

First and foremost, switching to Linux is the best way forward. Your simplest solution is to pick a stable LTS distribution (Preferably not a Debian-based one, but the best alternative is Fedora or CentOS, and IBM owns those now) and to put it on all the old machines in lieu of outdated versions of Windows. Bar none, this is the most straightforward option you will have.

But, you will need to test out everything before rolling it out. Every driver and piece of software will need to be manually verified by you and users will either need a DE that is close to Windows or just one simple enough to "just work". If you can get all the special enterprise software working in WinE then you're probably 90% good to go.

Other users have mentioned issues with stuff like scanners or other peripheral devices. This is certainly the case. There's no easy workaround for specific hardware keys (I've encountered software that uses hardware dongles to verify purchases) but if it's just scanners and such then you can probably configure a server to handle it at designated Scan Stations. Or just hope the company already has a Xerox machine that supports USB drives.

Another option that may be viable, but is a longshot, is ReactOS. It's still in Alpha and not super stable, but support for older software is generally better. I'm not sure if it's any more secure than Windows, because it's supposed to be identical, but it probably isn't using IE6 to render internal UI elements, and that's like 99% of exploits right there, so it may help. I think this solution is more trouble than it's worth; you may verify everything and then find one thing that bombs the entire system. It's not stable nor necessarily more secure, but it is free software and it may be an improvement.

Ultimately, it's up to you to use your head, OP. There's too many details you left-out about your company, its current infrastructure, what they do, etc. The best solution for your employer depends heavily on the mix of other PCs and how much authority you have to exercise here.

▶Anonymous 12/23/18 (Sun) 15:36:08 No.1011913

File (hide): ddd7815bd5ab055⋯.png (77.91 KB, 337x329, 337:329, Pikachu_face.png) (h) (u)

>>1011662

>>1011688

>still can't take the hint

▶Anonymous 12/24/18 (Mon) 08:13:58 No.1012273

>>1011079 (OP)

>/g/

▶Anonymous 12/24/18 (Mon) 11:26:10 No.1012307