This seems like a nice altruistic useful thing, but (given some overly-trusting security practices we still often see) it'd still be good practice to keep some ideas in mind...
DECREASING LEVELS OF SECURITY:
1. Running Microsoft Windows.
2. Running out-of-support Microsoft Windows.
3. Running out-of-support Microsoft Windows and having it report itself to a server of unclear provenance and security (which could be efficiently indexing such insecure machines, and possibly even exploiting vulnerabilities during this simple interaction).
4. Running out-of-support Microsoft Windows and updating its system software from a server of unclear provenance and security (which could install malware, possibly even defeating any outdated vendor signing).
SUGGESTIONS:
* If your important science/medical/industrial/etc. equipment is stuck on ancient Microsoft Windows, probably you want to keep it airgapped and treat it gingerly, while planning to upgrade to more sustainable equipment (and hopefully it doesn't fail abruptly before convenient).
* If you're playing with Microsoft Windows for personal use, that's fine, but maybe consider whether you'd prefer to spend your time and energy instead learning and creating atop an open source software platform.
I hate windows, like I'm trying to get off it because of the ads/ragebait news. I hate edge. Microsoft is basically a never buy anymore, but according to this:
Getting a Windows exploit is higher value than any linux exploit. Given how many servers use Linux, it makes me wonder if Linux 0 click are easier than windows.
There are a bunch of counters like 'there are too many distros', or 'a personal computer of a VIP is higher value than some corporations'. But I'm not sure its fair to include your point number 1.
I like to give people credit where its due, I imagine it took lots of work to make windows as secure as it is. (Giving Android OS the most credit for their 2.5M payout)
Linux servers generally aren't being used interactively though and expose a fairly limited attack surface to the internet, and so I feel like the value in Linux server exploits is more in the openssl/Apache/etc vulnerabilities
Linux is the just kernel. Everything else in a distro is software running on top of it. Kernel bugs are generally hard to exploit remotely and typically have to be chained with other exploits. That's why there's so many specific payouts for common enterprise apps. Windows is a complete, highly integrated OS with a wide array of attack vectors baked right into it.
Plus sketchy companies like Zerodium major customers are nation-state actors who are primarily interested in data exfiltration and the application data stores themselves.
But what’s the point ? Most vulnerable Linux servers are hosting blogs or dns servers. They’re only useful to run a crypto miner or host a phishing page, and for that you probably don’t need to go further than exploit a wordpress bug. No need to go for the kernel or even root.
Whereas a desktop often has users on it who enter banking details or corporate login credentials. Much juicier targets.
The payouts are based on what their 'clients' are willing to pay in turn for the exploits. There's just less of a market for Linux kernel exploits. If nation-state actors are involved in deep APT style attacks where they would leverage low level kernel exploits they are going to either develop the exploits themselves or acquire them through their own clandestine channels. Purchasing that stuff from a publicly facing company that could potentially be compromised themselves is high risk and leaves too obvious of a trail.
It's strange to me that Thunderbird is even on their chart. Surely only a few free software enthusiasts use that anymore? Most of the population doesn't even use a desktop email client and if they do its work-provided Outlook to connect to Exchange/Office365.
>Zerodium reviews, tests, validates, and documents all acquired vulnerability research then provides it to institutional clients as part of the
Zerodium only cares about shit their own customers want to target. They aren't trying to fund the entire world of software security.
Their customers in particular are select governments wanting exploits for their own use. You can sure as shit bet they already have specific targets in mind and what they use.
EDIT: For example, the forum software noted on Zerodium's list are popular for "blackhat" and "darkweb" forums from everything from card dump selling to malware. Many governments would love to get themselves a database dump with some user IPs. Conversely, this is why Discourse which is a major BB these days is missing as it's not popular in those circles.
The endless fluff and clutter to clean up (Search bar appearing on desktop, sidebar foistware). The relentless marketing and push of adjacent services (Bing AI).
The passive-aggressive IE compatibility mode (unremovable nag banner to stop using IECM, your Legacy App URLs expire after 30 days for no good reason).
Compared to Windows, I find that most linux desktop distros have what I would call ‘stability vulnerabilities’ where the user has to tread carefully when doing something basic like updating graphics drivers or applying other updates, or changing resolution. Otherwise they end up with an OS that wont start or will just show a blank screen. I wouldn’t recommend linux for general business or personal use unless this kind of tinkering is enjoyable or you have sufficient IT staff.
There are the same exact problems on Windows though. Microsoft nowadays basically treats it's install base as beta testers and you regularly hear about breaking updates. There are devices out there with funky drivers, most notably Nvidia cards, but if you can avoid those (I know many people can't, me included) and choose a stable distro, I genuinely fail to observe these supposed instabilities on Linux.
Personally, I think the real reason why companies are not switching is familiarity. Think of all that money spent on MS product training over X employees. Billions are spent yearly in this industry I'm sure.
Which is why the first thing I do on any Windows install is disable or block automatic Windows Updates and only run them once every blue moon when I've set aside time to waste on borkage.
And before anyone says I'm in danger by running unpatched Windows:
NO.
My threat model is such that the time lost and wasted from updates breaking shit is significantly greater than the dangers posed by hypothetical threats those patches ostensibly guard against. Updates are simply and literally not worth my time and concern compared to having systems that just work every day all year long.
If I need to comply with regulations or audits or I am the target of focused attacks, then yes the scales shift the other way. But as a general, and particularly personal, concern? No, updates are a waste of my time.
Linux is even worse because I don't even need to run updates for something to break and waste my time.
Your comment feels like it came straight from 2014's /g/. This is literally "My time is too valuable to do X" argument. But perhaps you don't care. Fair enough. You do you. You are, however, absolutely in danger running unpatched Windows, unless it's an airgapped industrial PC or something similar. Even then, such systems can and were compromised (stuxnet, for instance).
>If I need to comply with regulations or audits
I hope you are not handling any customer info on such systems... or are you?!
There seems to be a deeper issue at play. I've seen it many times, even here on HN. So very few people actually know anything about information security, and if they do they only have horrifying misconceptions from god knows where. No wonder why there's so many data leaks when the responsible people have these attitudes.
My time is too valuable to be wasted by god damn updates, because you know what? I'm only getting older, my eventual demise keeps looming closer, and I have so many things I want to do and places I want to go before the grim reaper picks me up.
It's the kind of re-evaluated outlook on life you only get as you grow older and you start witnessing more and more deaths and imminent deaths around you. I'm also dealing with cancer in the family (I'll spare the details), so my time really is too valuable for god damn software updates.
>I hope you are not handling any customer info on such systems... or are you?!
I'm not. Like I said, if my threat model actually incorporates the kind of threats that updates ostensibly protect against, the scales would weigh differently.
Would I keep business computers updated? Absolutely, if for no other reason than so I can make it all someone else's problem. I'm talking about my own personal computers.
That is understandable, and, as I said, your choice. You did mention business use in your original comment though, where I wouldn't say it is, or should be.
On a flip side though, I've seen so many older folks loose so much time and undergo a lot of stress (which may be highly unwarranted for medical reasons) from having money stolen by banking malware, or more recently, good old phishing. It's like a vaccine, we endure a small pain to prevent a much greater one in the future.
I respect your individual experience but this hasn't been the mainstream situation for many years now.
Back in 2012 I was the Head of IT for an A series start-up with about 80 people and we ran almost all machines on Linux (mostly Ubuntu) and it worked like a charm. We scaled to about 400 people before switching to Chromebooks in 2015 for the vast majority of users. Our IT operations team never had more than 4 FTE at any point in time, which compares very favorably with any other company. This was possible because Linux environments are extremely easy to maintain for a trained IT staff and, obviously, because we mostly avoided the MS Office crapware (which was less crappy back then than it is today). Google Suite served us fine and the rest was custom web-based software.
Today I'm at a different company, no longer in the trenches, and use MS Windows machines for my work and there is not a single week going by without need to call tech support. Adding the counter-productive helpfulness of MS Office applications I sometimes think MS is paid by our competitors to destroy our productivity. That's a "stability vulnerability".
Coincidentally, I ran into one of these this week. I decided to upgrade my bog-standard Debian installation on a headless NAS from buster to bookworm. Should have been easy peasy: Update sources.list and then apt full-upgrade, right?
Wrong.
Half way through, Debian seems to have lost[1] libcrypt.so.1, which everything important in the system relies on. Could no longer sudo (needs libcrypt) from the session I was logged into. Couldn't re-log in at all either over the network (ssh needs libcrypt) or locally (local authentication needs it too). Could not even get to single-user mode because init=/bin/bash didn't even work. I ended up having to boot from a liveCD, re-assemble the raid partition containing my root filesystem, and manually copy libcrypt into /lib/x86_64-linux-gnu/
All because I tried to upgrade Debian from 10 to 12, skipping a version, which, apparently you can't do anymore.
As much as I can't stand Windows and I grin-and-bear macOS, I've never had an experience even close to as bad as that on those systems.
Recently had a Windows update break my work computer. Everything seemed fine until trying to run a Windows Service in Virtual Box with the HOST OS being Windows 10 IoT in RTOS mode. The attempt to start the service create an infinite loop. Uninstalling nor re-installing the Windows updates fixed the issue. Took a month to convince IT to re-install Windows from fresh to fix the issue.
The second most recent was when Windows Store local repository become broken. Any attempt at resolving the issue failed using Windows provided tools. Yet again had to reinstall the OS and all applications.
This is the big reason why I prefer Linux over Windows any day of the week. Windows fix always seems to be the same, re-install OS and applications. Never had a problematic Linux installation that couldn't be resolved with a live CD / USB. Boot into live USB, mount encrypted partitions, chroot into environment, fix problematic package(s) or re-edit configuration files, reboot. No need to reinstall the OS and all applications.
Linux packaging system(s) are heaven compared to the Windows update hell-scale. Ever have to find a way to update the Root Certificates in order to install .NET Framework 4.7.2 offline on Windows 7 Embedded SP1 that is air gaped and has not had an update since the computers were shipped? Not fun.
>The second most recent was when Windows Store local repository become broken. Any attempt at resolving the issue failed using Windows provided tools. Yet again had to reinstall the OS and all applications.
oh man, I had my Windows install get into a weird state where trying to open 'Updates & Security' would just crash the Settings app altogether. Eventually I submitted a feedback hub report for it with a dump and tttrace (though that was a journey in and of itself) and in the meanwhile I actually managed to get updates installed via the PSWindowsUpdate powershell module. Alas, that still didn't fix the crashing Settings app. I had a friend at MS promote my feedback hub item to a bug who relayed the reason being that my copy of MusUpdatehandlers.dll was corrupt somehow. Ok, I guess I can try using sfc and dism to hopefully repair that. A couple rounds of that and all I learnt was I actually had a few more update related DLLs that were also corrupted. The real kicker being the copy in the store was also corrupted??
2022-05-25 16:40:41, Info CSI 00000226 [SR] Could not reproject corrupted file \??\C:\WINDOWS\System32\\updatepolicy.dll; source file in store is also corrupted
Anyways, I was too stubborn to just reinstall and got it fixed by grabbing an install.wim from an ISO that matched my install and telling dism to use that. The really dumb thing was i first tried to do the repair in offline mode pointing it at the install.wim for sources but turns out that's just not supported.
Instead you get some opaque failure message and it only mentions the fact that wasn't supported in a single line buried in the huge log file.
It was unsupported to jump releases while upgrading twenty years ago when upgrading woody to sarge as is now. Don't spread rumours. I've been there and the READMEs are still online for reference [1]. And unsupported does not mean impossible. One just can't blame the distro for a failed install.
And if you had bothered to read the Release Notes for bookworm: It's in there [2]. Also you are instructed that only upgrades from bullseye are supported, and to upgrade to bullseye first if you are running an older version.
I've been using Debian since before woody, and am well aware of the usual caution against jumping versions. I have jumped versions in the past with very little pain despite it being officially unsupported. Obviously this time I gambled and lost as it clearly breaks your system more severely than usual.
None of that changes the user-experience comparison with mainstream OS's or parent's point about Linux's "‘stability vulnerabilities’ where the user has to tread carefully". Linux is well known for being a sharp tool without safety guards. That, and the "RTFM" tone of the typical response to trouble, are some reasons why the Year Of The Linux Desktop is perpetually stuck somewhere in the future.
The fact you can fix anything (even a misguided attempt) in 15mins with a live drive is a great strength imho. Back in the 90s you’d often have to reformat partitions to recover any OS.
Windows doesn't let you upgrade from Vista to 10, so I guess your complaint is they didn't stop you from manually editing configuration files manually?
I hear this sentiment frequently, but it doesn't match my experience. I sure can relate to the idea, but that was a decade ago. I install a fair variety of Linux distros on a pretty wide variety of hardware between my work and personal efforts, and it pretty much just seems to work these days. The last grief I recall in this regard was trying to run Ubuntu 64 on a Pi4 with Vulkan, but that was a couple years ago when things were known to be unstable. That or maybe doing something obviously inadvisable like trying to change distro on a live system by changing the apt source files on a Debian install to Ubuntu repositories and running an apt upgrade. And honestly even things like that work a surprising amount of the time. I know it's good to be introspective and truthful about shortcomings, but I really have to hand it to all the open source contributors, package maintainers, and all the rest. The modern Gnu/Linux ecosystem is pretty remarkable, in my opinion.
On the contrary, Linus of LTT managed to uninstall the GUI of his PopOS install within an hour while attempting to install Steam only last year. https://youtu.be/0506yDSgU7M?t=618
By forcibly overriding the safeties that stop you from doing that. I can run `rm -rf --no-preserve-root /` in less than an hour, too, and it's just as meaningful.
Er, this decade? How would setting resolution go badly today? (The closest thing I can think of is that once upon a time you could mess up CRTs with bad settings.)
I would imagine this is only true to a certain point.
Like, I would not be surprised if there were issues trying to run an AGP or PCI video card.
There's probably a sweet spot where some hardware is old enough to have had all the major bugs worked out, but not so old that nobody bothers developing and testing it anymore.
I'm sorry but this is all but true. I've a 13700K and a 4090 and it's more reliable than 2 of my old hardware machines..this is slowly becoming a myth unfortunately as new versions of either DEs or desktop protocol (s) are slowly deprecating tons of stuff..
I’ve had good luck with Xubuntu on a couple older machines so far but I’m not trying to run it on anything modern. My experience trying to do desktop Linux on a recent machine is quite old so maybe things are different.
This. I suppose it can't be helped given the link was posted without context. But yours is the only post here that seems to get it.
For everyone else: This project exists for the joy of the retro-computing community. No one in their right mind - retro-computing enthusiasts included - would ever recommend using any of these versions of Windows for anything other than amusement.
No, DOSBox is not always an alternative.
Retro enthusiasts are quite excited by this project. And for anyone wanting to rebuild an old PC running Win95 for fun, this is going to be a very helpful tool.
I'm with you that they could have stopped talking after the word "instead" but the rest is not fearmongering nor FUD: installing operating system patches from a random server on the internet just isn't a great idea
It is. It's a community project that you can trust, or not. Debian also reports to servers of "unknown provenance" and updates itself from there.
Now, Debian has probably a lot more eyes on it than some Windows Update revival project, but some more niche distros have essentially the same problem.
> Recommending Debian to the retrocomputing community is possibly the most tone-deaf thing I've seen today.
Is Windows 11 with all of the default security settings really that insecure? Like Windows Defender, Windows Firewall, anything that needs admin needed you to click "yes, elevate to admin" through UAC
I just posted this above, but according to Zerodinium, Microsoft Zero Clicks are the highest payout for a desktop OS. Either they are the most secure, or its a popularity thing.
I'll never accuse old Windows of being bulletproof, but I've gotten some considerable reliability out of old appliances by adding SSDs, a passively cooled chassis, and a weekly reboot scheduled task. Basically, just get rid of the moving parts and plan for state drift.
Old OT is actually pretty easy to take care of aside from sourcing replacements for some secret sauce PCI card that is no longer made. New OT blurs the line with IT in a really difficult way however, you can no longer rely on a dead simple airgap to solve your security concerns because everything and its mother wants to be on the internet.
You can not just rely on air gapped either. You have other avenues for attack as well. I actually virtualize most of my legacy OSes when possible. Just maintaining adequate serial connections when a USB to serial connector will not work with your legacy OS and a VM can't maintain a stable serial connection through the host OS. It's been a nightmare.
"Be very careful connecting to some random server and running code from people you've never met, with whom you have no contract or legal comeback, just because other people are doing it. Also, download Debian!"
>* If you're playing with Microsoft Windows for personal use, that's fine, but maybe consider whether you'd prefer to spend your time and energy instead learning and creating atop an open source software platform.
Open source does not address my need or desire for Windows, regardless outdatedness.
Seriously, it's annoying that fReE and oPeN sOuRcE are thrown around like they will solve all the problems in the world. Spoiler alert, they don't. Especially if that problem involves a practical need that most libertarian neckbeards wouldn't care about.
Yes I run Windows, and yes I happily run EOL Windows because they are required to run something reliably. And yes, I happily run unpatched Windows because updates break shit and waste my time compared to the dangers posed by hypothetical threats outside my practical threat model.
Something being free or open source does not in any way fundamentally address my needs and desires. No, Wine is not a panacea (unless we're talking about the drink). No, I'm not going to waste even more time getting Linux to work just so I can get on with life.
What I'd love is a project for Windows 11 that gives me back full control of which updates I download and when I reboot. I've been living with vague registry hacks and the "pause for 5 weeks" button but they're getting less effective.
The genuine answer is that you won't get this functionality unless you use windows enterprise. Which of course you can't purchase.. This functionality is locked to just the enterprise and will likely never change..
Game servers are fairly frequently hosted on Windows, simply because the game server often shares a lot of code with the client (including libraries which may not be cross platform), and game developers are often most familiar with Windows.
VR on Linux depends on your headset mostly AFAIK. Oculus (Quest will work with ALVR streaming, but I had mixed results) and WMR require software that isn't on Linux. Valve Index supposedly has good support and VR games are playable with Proton.
i don't know anymore. i'm getting really annoyed by background processes interfering with my counter-strike ping. like microsoft is checking my mail or uploading some telemetry bs or something. i can't wait to get back on linux.
it's interesting that you say that. i recently installed Portmaster for another reason and have been turning it off when playing CS as it was blocking it. I will look into configuring it. Cheers.
Eh, not really. You can download a windows pro ISO straight from microsoft [0], install it, and then upgrade it to enterprise using the kms client key [1]. That can then be activated using an open source kms server emulator [2] that has a reasonable amount of code you can audit if you're extremely paranoid.
If you don't want to go through the hassle of installing and then upgrading I'm also pretty sure you can upgrade one of the images in the wim offline using dism.
>The genuine answer is that you won't get this functionality unless you use windows enterprise. Which of course you can't purchase.. This functionality is locked to just the enterprise and will likely never change..
Of course you can purchase "enterprise" versions of Windows 11[0].
What's more, anyone can purchase most of Microsoft's offerings for ~USD$1000[1].
a license at 1000 is not a license that's purchasable for a normal consumer.. you may also need to sign a EA and this opens a can of worms. The point is that you normally can't obtain a enterprise license.
>a license at 1000 is not a license that's purchasable for a normal consumer.. you may also need to sign a EA and this opens a can of worms. The point is that you normally can't obtain a enterprise license.
That's just not true. cf. the link I posted[0].
Anyone can buy a Visual Studio Developer Subscription (formerly "Technet Library" and "MSDN" packages) (USD$1199.00) without an enterprise agreement with Microsoft. I've used it for many years and will continue to do so.
And you don't need to renew it either (I'll generally do so every 5-7 years to get access to the latest stuff, but it's not necessary or required), especially since the software isn't "in the cloud" so you can have most of Microsoft's products (workstation and server) on local media.
But if you think I (and the Microsoft subscription page) don't know what I'm talking about, feel free to ignore me. It's no skin off my nose. In fact, it's about time for me to go and do (for the fourth or fifth time) what you say I can't do. Thanks for reminding me!
This should go without saying but this flagrant disregard for what users want is going to continue and get worse as long as people keep buying and using Windows. I wonder pretty often why people put themselves through this crap to use Windows.
A year or three ago, my uncle (mid-50s, telco IT manager, started on a Commodore in the 80s) decided he'd try Mint instead of upgrading from Windows 7. He got it installed and running, and decided he wanted to burn an audio CD.
His install of Mint didn't come with any application to accomplish this. He got something recommended installed easily enough, but it only supported FLAC, not his MP3s. So he removed that and got some different CD burning software that did support his MP3s, but was set to Finnish by default. He got enough Finnish translated to get it changed to English, and then ran into some sort of driver/support issue for his particular CD burner.
At that point, he did the free upgrade to Windows 10 and then burned his CD in less total time than he'd spent not burning a CD via Mint.
It has been a while for me since I last ran Mint, but back in the day it used to come with Brasero which can burn audio CDs. It would have supported mp3's, but he would of had to install the non-free codecs which was an option at install time or would have been installable from the settings.
I can't speak for Linux Mint, but last few times I tried to use Brasero it was issue after issue after issue with some kind of lower level driver thing. I installed the missing libraries, still nothing. Tried searching for a fix and found nothing that could resolve my issue with Brasero. I installed K3B and it just worked, so that is what I do now.
Possibly the parent poster's uncle ran into something like this and gave up instead of trying a KDE application?
Sticking your fingers in your ears and saying "everyone is making up problems, Linux is perfect!" is the other reason the "year of the Linux desktop" is never going to happen
Because that's what comes on computers, and that's what the software they need runs on. The obvious reasons. If you want to fix that, work in antitrust, work on getting at least governments and public schools to choose FOSS solutions, work on improving FOSS solutions, work on Debian installers...
Because I'm an adult who knows how to weigh all the pros and cons of a situation and make decisions based on the sum of that reasoning rather than the emotion raised by one pain point. (My own or someone else's.)
I'm solving this for myself with Windows 10 LTSC, which I keep activated with an activation emulator I host. For a professional, it was super easy to setup, virtually zero maintenance, and I get a pass on at least a good chunk of the bullshit that goes on in the MS-verse. Functionality doesn't seem to be lost, but I just use it to play my multiplayer games because of their Windows-only rootkit, I mean, anti-cheat.
You are the beta tester. While you're using "your" windows, you're performing a task as an unofficial employee. If something is free for you, you are the product that is sold.
Use registry editor to export And then delete wupdsvc and waasMedicSvc services. (HKLM/system/currentControlSet/Services) Reboot. Enjoy. Whenever you want updates, double click exported “reg” file and reboot. Allow updates to install. Delete services again.
This was one of many gripes when I went from Android to iPhone. Holy crap, every day there was some necessary update and I had to sign into my apple ID + be plugged in at 2am or something.
Every time I unlocked that phone it would bother me.
That, a slower response time(might have been due to animations), not having widgets, and some buggy official apps like the podcast app, and I bailed from iPhone pretty quick.
I admittedly was so excited to unbox and give Apple all my personal information. Weird.
Yea I own a iPhone for giggles and use a Pixel daily. HOLY CRAP, the update experience is so ridiculously slow on iPhones, I really don't Apple could not even try it fix it. How are iPhones not capable of having A/B partitions for the system to handle updates behind the scenes faster?
On androids you just don’t have this issue because manufacturers will stop giving you updates so quick that most of your experience with the device will be without them.
They're getting faster in Ventura. Moving to the sealed system volume in macOS 11 made them huge and slow to apply, but they're getting better. On my M1 Ultra machine even large updates don't take more than 5 or 10 minutes in the restart stage, and that can include firmware updates for the Mac and monitor (Apple Studio Display). And now with the rapid security patches there are some updates you don't even have to restart to apply (mostly).
I still don't know why both are so slow. Upgrading my mostly vanilla Devuan boxes costs me a few seconds to minutes and restarts are only to switch kernels.
The sad thing is that IMO, Windows users brought the shitty Windows Update implementation on themselves.
It was common in the Windows XP days for many users to never install updates and it really contributed to Windows's reputation for being incredibly insecure. Forcing updates became the only option to ensure Windows users remain secure.
Last time I tried to tinker with Windows XP few years ago: you couldn't just update it after installation, but if you let it work for a few days, eventually it'd download and install updates automatically. And after those updates are installed, you can actually use Windows Update UI to install optional updates and other things.
DOS is easy to emulate - and dosbox does a great job of it, even in a web browser.
Windows 3.1, 95, 98, Me are less easy to emulate.
Note that that seems to have impacted the preservation of old games and programs. Plenty of dos games are all over the web and still quite popular, yet most stuff from the Win 9x era has almost entirely vanished due to the difficulty of running it on modern hardware.
Archivists take note - if you want something to live for a long time, it needs to be easy to emulate. And in turn, that means it needs to be both very common, and have simple API's so someone in the future can be bothered to make and maintain an emulator.
> most stuff from the Win 9x era has almost entirely vanished due to the difficulty of running it on modern hardware.
The tricky part is that this applies even if you're using a VM. I learned the hard way that Windows 98 isn't compatible with Ryzen CPUs, even through VirtualBox. I had to try again on another PC with an older Intel CPU.
DOS may be easy to emulate and re-implement because it's a single task operating system that does not do much. Most of hardware is accessed directly, and needs to be emulated instead. We enjoy great compatibility because of the enormous leap in performance since then (the slower the system the easier it is to simulate correctly on a modern one), and the combined knowledge of all the ins and outs collected during the PC boom by software authors and hardware makers implementing and re-implementing compatible devices.
Except it is (at least for the use-case of 16-bit apps that are unsupported by a 64-bit Windows)
https://github.com/otya128/winevdm
although no updates since 2021, but maybe it was "good enough" for whatever they were targeting.
I wanted to play certain games from that era (Spiderweb's Exile series), and the best solution I found was to just play the MacOS versions with SheepShaver.
You can technically get Windows 9x software running in a VM, but not without laggy video/audio in my experience.
Some archivists make decisions about what to archive. Something that isn't going to be runnable in the future would be a poor choice if you only have limited resources.
Also, some archivists have the choice to convert media. For example, rather than storing a Wordperfect document, perhaps it is best to convert to PDF. Rather than storing the ROM of an 80's arcade machine, or the whole machine, perhaps it is best to store an MPEG video of a playthrough. Rather than storing the data on a floppy disk in a filing cabinet, perhaps it is best to store the data on a server which will be kept up to date? Well resourced archives might be able to implement emulators - but then the question remains how should that be done - Is it okay to have a PDP11 emulator that runs on dos, emulated by dosbox in windows XP, emulated again by virtualbox on Windows 11?
A big part of being an archivist is making decisions of what to keep, what not to keep, what form to keep it in, and when to convert it.
There is no consensus - some archives knowingly keep data and software that they have no way to open/run, in the hope someone might bother in the future. Others keep dependency tables to ensure that they always have some combination of hardware and software to run/open any stored material.
Personally I'm of the opinion that we should focus on storing as many bytes of data of human endeavors as possible, and not worry about emulation/search/cataloging.
Future people will have better solutions to all these problems, and every bit of effort we put into organising our archives today is effort taken away from collecting more bytes.
This means that you care about byte counter instead of actual content.
For some hardware, the number of people who can make it work has already diminished a lot. You can gather some of the knowledge today, “future people” won't be able to. What's the use of collections of data that can't be used?
It all started in Windows 98 with the launch of Windows Update; they then released the Critical Update Notification Tool (later renamed to Utility, for obvious reasons) which would query the website and just tell you when a critical update was available to go check the site.
Otherwise, in the 95 era, I believe you'd likely be finding out through a software vendor or otherwise that a certain fixpack from Microsoft might fix an issue and you should go grab an update then.
Um… what? You would trigger online updates in Windows 95 OSR 2 by using IE and navigating to the Windows Update website. This would then would trigger the updater.
That was all after the fact. For its initial release and even much of OSR 2 the only updates you got came with a new computer via the OEM updates of which OSR 2 was the big one. If you were lucky you might see a Service Pack on CD though that was more of an NT/2000 thing.
Yeah -- OSR 1 (95 A), 2/2.1 (95 B), and 2.5 (95 C) were just that - OEM Service Releases.
Anything else would have been a direct fix package - such as the DCOM95 OLE Update, DUN 1.4, or Winsock 2 -- things that you only installed if you needed something that used those functions, and often would become bundled with the software anyways because users might not have been given those updates out of the box.
There was at least one XP-era update CD that I do recall - the Windows Security Update 2004 contained patches for 98 through XP and was available by mail from Microsoft.
This is supported by the wikipedia page for Windows Update:
"Critical Update Notification Utility (initially Critical Update Notification Tool) is a background process that checks the Windows Update web site on a regular schedule for new updates that have been marked as "Critical". It was released shortly after Windows 98."
Unfortunately, the citation for that is no longer active on MS's site, and the archive.org version no longer works either.
> Windows Update was introduced as a web app with the launch of Windows 98 and offered additional desktop themes, games, device driver updates, and optional components such as NetMeeting. Windows 95 and Windows NT 4.0 were retroactively given the ability to access the Windows Update website and download updates designed for those operating systems, starting with the release of Internet Explorer 4.
— Software could not expect internet connection (or any network at all) to be available, and would be considered really arrogant if it tried to dial or spend user's traffic by default.
— Those who knew how to enable those features probably checked update sites and news sites manually often enough.
— Almost all software had to bundle required components and updates anyway. Games came with DirectX version 5/6/7/8/9 installers, IE version 4/5/6 installers provided important system components, acting as semi-service-packs for 9x systems… and, of course, Visual Studio library dependencies.
Seems like a centralized repository for a collection of updates issued by MS to windows computers. Does this bring additional security updates not issued by MS?
No, it's just old preexisting patches. In their FAQ and even on the front page they say continuing to run these operating systems is a terrible idea as they are highly vulnerable even after patching.
Legacy Update is a better option for Windows 2000 and later as it uses a proxied Windows Update 6 implementation. Windows Update Restored uses Windows Update 3.1 and is better for Windows 95/98/Me and Windows NT4.
So I may have missed it, are they hosting old updates to make them available still or are they actually patching old SW with new builds. For example say the last update for XP was SP3.5, they got the tooling to build and release 3.6 which was never released by Microsoft but is from this organization? Is it one or both?
No matter if stable enough or not, ReactOS is aimed to replicate a NT based system, as such it can be very different from DOS/Win9x.
Quite a lot of (DOS based but not only) tools and programs (particularly any low-level one and - generally speaking - games) that run just fine in Windows 95 won't work on NT 4.00/2000 and later, and they as well won't in ReactOS.
It’s not the greatest to be still using XP. Although hopefully an ATM would be on a real private network, or at least a VPN provided by some more up to date external box (though the latter could have its own bugs I guess). If you pair that with the fact you don’t have externally accessible general IO[1] there probably isn’t much opportunity to gain access.
[1] If you can get into the innards you can probably just, you know, grab the cash (beware of dye bombs though).
It was pretty crazy how long IBM's OS/2 survived as an OS on tons of ATMs throughout the world, there will probably still be an ATM somewhere running XP in the 2050s.
What is the meaningful purpose of "Windows Update" for versions no longer recieving active patches. (I imagine there's some bigcorp or biggov that will pay whatever price is necessary to get a patch for XP, but anything earlier?)
Couldn't they collect and systematically 'slipstream' every patch and fix that would exist on Windows Update into a "Final Edition" ISO?
Or is the scope broader than a naive reading of the headline, and non-OS packages (drivers, third party software) were also relayed through WU?
> This website requires a minimum of Internet Explorer 5.0 or above, but we recommend Internet Explorer 5.5. To download Internet Explorer 5.5, Click Here
Even the final official build of Firefox that supported Windows XP will break on websites like Github, where a Releases page will never finish loading, and never let you download any files. But the New Moon build on that website (28.10) will work.
(Don't forget to install uBlock Origin and a current fork of uMatrix)
DECREASING LEVELS OF SECURITY:
1. Running Microsoft Windows.
2. Running out-of-support Microsoft Windows.
3. Running out-of-support Microsoft Windows and having it report itself to a server of unclear provenance and security (which could be efficiently indexing such insecure machines, and possibly even exploiting vulnerabilities during this simple interaction).
4. Running out-of-support Microsoft Windows and updating its system software from a server of unclear provenance and security (which could install malware, possibly even defeating any outdated vendor signing).
SUGGESTIONS:
* If your important science/medical/industrial/etc. equipment is stuck on ancient Microsoft Windows, probably you want to keep it airgapped and treat it gingerly, while planning to upgrade to more sustainable equipment (and hopefully it doesn't fail abruptly before convenient).
* If you're playing with Microsoft Windows for personal use, that's fine, but maybe consider whether you'd prefer to spend your time and energy instead learning and creating atop an open source software platform.
* For many business and personal purposes, Debian Stable is a good OS platform, and this is one installer for it: https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/