Fully agree, it’s akin to atheists, they very often are convinced they are not religious. Agnostics are the unreligious ones. In fact, atheists are the most fanatical zealots in my friends circle.
Yes, it is very much atypical. Most hacks happen because admins still haven’t applied a 2 years old patch. I hate updates, but it‘s statistically safer that running an old software version. Try exposing a windows XP to the internet and watch how long it takes before it‘s hacked.
I hate that. “Bug fixes and improvements” every time. And then there are the ones who think they’re being cute with “our bird Fernando has been hard ar work eating those nasty bugs and flying over the rainbow to bring you an ever delightful experience”. Just, no. I don’t mind you flexing some creative writing muscles in your release notes if you provide actual clear information, but if you’re going to say nothing like everyone else, might as well use the same standard useless message so I can dismiss it quick.
> YouTuber Eric Parker demonstrated in a recent video how dangerous it is to connect classic Windows operating systems
The video referenced in that article explicitly connects directly to the internet, using a VPN to bypass any ISP and router protections and most importantly disables any protections WinXP itself has.
So yeah, if you really go out of your way to disable all security protections, you may have a problem.
You assume that the old software version has critical vulnerabilities. If it does not, then yes, updating is more of a risk since the new versions are unknowns.
My assumption is statistical. All software has critical vulnerabilities, not just the old ones. It’s just that these vulnerabilities are known, in the case of the old ones, which significantly increases the risk.
To be fair I doubt there are that many people scanning for internet facing XPs in 2026.
On the other hand, any server running old, unpatched versions of apache or similar will get picked up by script kiddies scanning for publicly known vulns very, very fast.
The notepad++ attack is politically targeted and done through unconventional channels (compromise in the hosting provider). I don't think 99% of the people reading this thread has a comparable threat model.
It depends if the application itself touches the Internet or only when conducting updates.
The threat model for a server and for a personal computer are very different. On a consumer device, typically only the OS mail app and browser have direct contact with the outside world.
But if you weren't one of them, would you be able to tell that they had emotions (and not just simulations of emotions) by looking at them from the outside?
If I wasn’t one of them I wouldn’t care. It’s like caring about trees having branches. They just do. The trees probably care a great deal about their branches though, like I care a great deal about my emotions.
Yes, my point was that people aren't better than machines, but just because I don't exceptionalize humanity doesn't mean I don't appreciate it for what it is (in fact I would argue that the lack of exceptionality makes us more profound).
I wouldn't proclaim a lack of exceptionality until we get human level AI. There could still be some secrets left in these squishy brains we carry around.
I think most of the comments on this thread crystallise two different conception of security: the intended one and the effective one.
The second one is messy to measure, it requires making statistics on how often NAT saved the day by accident, which is hard if not impossible.
I personally think that statistics always win, even if they are unexplainable. My bet (zero proof) is, IPv4 is statistically (maybe by accident) more secure than IPv6, just because of NAT.
I have seen so many horrors in terms of multiple NATs I will always prefer IPv6, also because I think the benefits outweigh by far the difference in _effective_ security.
Summary: yes, IPv4 is more secure, but the difference is so marginal that IPv6 is still way better. Security is not the only metric in my world and theoretical discussions obsessing about a single metric are pointless.
I see the split too. I'll add that each camp is frustrated and feels the other is missing the point and would make information security worse if its worldview won.
You can do some empirical analysis. Someone downthread linked to a paper claiming to being able to reach a few million vulnerable devices over IPv6 and not IPv4. This kind of analysis isn't dispositive, though, because there are all sorts of second-order effects and underlying philosophical differences. Facts seldom change minds when you can build multiple competing true stories around these facts.
I'll call one camp the "veterans". They see security mostly as a matter of increasing the costs incurred by attackers relative to defenders, looking at the system holistically. Anything that increases attacker workload is good, even if it's an unintentional side effect of something else or interacts with software architecture in a cumbersome way. It's vibes-bases: whether a give intervention is "worth it" is an output of a learned function that gives in the stomach of a seasoned security researcher who's seen shit.
The other camp I'll call the "philosophers". (My camp.) The perspective here is to build security like Euclid's elements, proving one invariant at a time, using earlier proofs to make progressively more capable systems, each proven secure against a class of threat so long as enumerated assumptions hold. They read security as an integral part of system architecture. Security comes from simplicity, as complexity and corner cases are the enemy of assurance.
The veterans see the philosophers as incoherent. There's no such thing as a safe system: only one not yet compromised. You can't solve problems for good anyway, so there's no use trying to come up with axioms. Throw away the damn compass and strait edge and just draw siege map in the dirt with a stick.
The philosophers see the veterans as short-term-oriented defeatists who make it harder to reach levels of provable security that can solve problems once and for all so we don't have to worry about them anymore. You have to approach complex systems piece by piece or you can't understand them at all -- and worse, you'll do things in the name of security gutfeels that compromise other goals without payoff that feels worth it to them. They say, "Without my compass and straightedge, how can I design my star fort with firing lines I know cover every possible approach?"
The divide shows up in various projects. TLS is a philosopher project. Certificate transparency is a veteran project. Stack canaries are a veteran project. Shadow call stacks are a philosopher project. I think you get the point.
This thread reveals a surprising split between veterans and philosophers on NAT. In retrospect, it's kinda obvious that the veterans would insist that "duh, of course IPv4 prevents inbound connections and it must because otherwise the Internet won't work", and the philosopher camp is "Hold up. One thing at a time. What's the actual goal? How can we achieve this goal minimally without side effects on Internet routing?"
My camp sees the NAT configuration issue as a red herring. We see "the UX makes it too easy to run unsafe" as an HCI issue distinct from the underlying network architecture. The veterans say "Well, you can't build that button if you have NAT, so we are led not into temptation."
Both camps have something to contribute, I think, but the divide will never fully disappear.
I understand your view, I just disagree with the value you're putting on it, and I feel you're straying into accidentally insulting people to justify yourself:
You called yourself a philosopher and then proclaimed philosophers are the only ones who read security as an integral part of system architecture, whilst veterans are essentially vibe coding and surviving on the lucky mess they create.
I find your position that misconfiguration is a red herring in security as completely unjustifiable and untenable.
It's probably that I'm just a puny brained veteran seeing your big complex philosopher smarts as incoherent though.
Anyway, I digress from the key point I've been trying to make in this entire thread:
I'm not arguing that IPv6 is not secure because it lacks NAT. My point was that this entire discussion is silly engagement bait: there's no clear right answer, but it's an easy topic for dogma and engagement. A holywars topic like NAT, IPv6 and security is prime for that. The author and submitter muddies the waters further by - probably not intentionally - choosing a strawman submission title.
In assuming you are not using your keyboard to set brightness because it’s an external display plugged into a laptop? Search for a DDC application for your desktop, it’s amazing, the brightness controls of your laptop will then control the external display as well. I use lunar on my MacBook, it was a revelation.
According to my (limited) testing, you can only control brightness when the transfer function used on the HDR content you see is HLG. When it is PQ, the luminance seems to be “absolute” and ignores the display’s brightness settings.
Autobrightness only works for screens which are against a wall. Your eyes care about what is behind the screen, not in front of it, and that’s one thing autobrightness never took into account.
I used to jailbreak my iPhone 4s to get some dark mode.
The EU defence clause is more binding than the NATO Article 5. It also demands that the other states * obligation of aid and assistance by all the means in their power*
whereas Article 5 let's other states decide how much aid they want to supply
ok, but now we’re nit-picking about the meaning of “army”. There are “NATO troops” while there aren’t “EU Troops”.
I would still like to understand why previous poster said the EU defense agreement was more robust, I am genuinely curious about what that agreement contains and how well it was respected in the past.
