One of the things I see on an unfortunately regular basis is members of Ye Olde Computer Forum who believe for whatever reason that because a machine is their property, it's within their rights to use it in whatever way they personally see fit. In the 1980s and 1990s, this made some amount of sense, because many computers (certainly personal computers) really were islands whose operation never had any effect whatsoever on other computers nearby.
Even through the late '90s and early 2000s, relatively few computers (at least machines that weren't professionally managed) had quite the smörgåsbord of networked and client/server services with the types of remote exploits that are available today, and that people are aware of. Windows 95/98/ME and Mac OS 9 and earlier are blissfully unaware of all sorts of stuff that became built in with Windows XP and Mac OS X.
I think that there are a few sources for this particular type of attitude.
The first relates to the fact that many people view the computer as their personal property and believe that they should have total dominion over it. As a result of this, there are people online who insist on doing things such as running unpatched installations of Microsoft Windows, or versions of Ubuntu Linux six years ago for various reasons. I completely understand un-networked machines not getting updates (because it's often impossible or impractical, and certainly inconvenient), but it confuses me to no end that somebody would willingly run their own Internet-connected systems in such a state.
I think it's the "my property" attitude that leads people to believe that if they don't care about the information on their computer, or they otherwise safeguard their personal information, it doesn't matter at all. Unfortunately and hilariously, the only concern isn't for one machine's data. I think most people don't understand that this isn't the '90s where a single person on the other end of the wire wants your data. These days for hackers and the like, it's more about having more IP addresses and e-mail accounts, or using a piece of malware to extort you out of money, than it is about finding any given specifically
I think another contributing factor is that some people are told by somebody they trust that it's okay to run their machines in such a state. This might be an uninformed Best Buy employee, somebody in their church group, or the kid down the street who doesn't understand the networked nature of today's computer systems. (Or, even if they understand it, they don't understand its consequences) I'll be honest here, I think a lot of small shop owners and local PC repair people are banking on a surge in business after April 8th as Windows XP owners "inexplicably" start getting
Another thing I think some people don't understand is that a computer is a fairly complex piece of machinery with multiple aspects to operation. I think that a lot of people would prefer to think of their computer as an appliance. This is a fair view, but few computers from a decade ago really were appliances in any possible sense of the idea. Computers that were suitable for thinking of as an appliance really started to show up in 2010, with the iPad, the ChromeBook, and now Windows RT tablets (some of which have taken a more traditional laptop form factor.) Unfortunately, a lot of people with the appliance view of their machines may really have been able to use it without much trouble up to this point, but if it's on the Internet, the time when that's possible is going to be coming to an end relatively soon.
Whatever the attitude (and for the rest of this article, I'm going to focus on the "my property" attitude, because it's the one I deal with most often. This is even though I really like writing about appliances), I think the main thing people need to understand is that a computer isn't just their own machine and is often part of a larger, global network. Especially as we move forward with IPv6 deployments which more or less completely break down the borders between a local LAN and a WAN or Internet connection an gives every single OS or networked instance a unique and semi-permanent IP address, we need to stop thinking about things as though our own border gateway is completely impenetrable.
Firstly, "it's behind my router, it's safe" doesn't make any sense to begin with. It's only completely safe from network penetration if it's not on a network. If it's on a network and there's some kind of user involved with the machine, then there are risks involved with running it. Hitting the WAN interface of the router directly might not grant you access to an XP machine (though this hasn't been proven) but cross-site scripting, faulty flash or java code, or old web browsers, and requests that that machine makes to the wider network will compromise a box.
Secondly, with LAN-WAN borders being broken down, (and let's be honest, with LANs growing in size all the time) we definitely need to keep not only our border gateways secure, but also each individual host. Many people run VPN servers allowing completely unfettered access to everything that touches their LAN, in addition to the fact that mobile devices or any other host on a LAN can be compromised and used either to do drive-bys on insecure systems (things that the gateway might otherwise have protected you from) or just used on their own for various nefarious purposes, the least of which is that the attacker has access to the local data of the compromised device.
So, how do you keep a network, not just your local network, but the whole Internet, secure? The first step is the same step when you're securing a human population against various threats. If you have, say, a vaccination available against a threat, you need to vaccinate a critical mass of the population in order to be secure. But what if you can't vaccinate? Under normal circumstances, herd immunity occurs when some amount of the population is immunized, and a disease, bacteria, etc. simply can't transmit, because of how many people are immunized. In these situations, a susceptible or un-immunized person (or host computer) can still contract "the thing," but they're unlikely to because a large proportion of the people (or hosts) in the population weren't able to receive it and be compromised.
As of the beginning of this month, Windows XP had a staggering 30% usage share of desktop computer operating systems visiting public web sites. This means that, if you exclude any possibility that any Macintosh or Linux/UNIX system ever can be compromised, only 70% of the herd can be immune. Unfortunately, we live in a horrible, horrible reality where there are people running unpatched Windows Vista/7/8/8.1 systems and where people think unpatched Ubuntu 8.04 is a reasonable computing platform. (And, just as an example, these older and unpatched systems are still susceptible to being used for things like DNS and NTP reflection attacks.)
Because of its relative stability in comparison with Windows 95 and even NT/2000, XP gained a whole lot of acceptance as an appliance and embedded operating system. You can find it in everything from kiosks to multi-hundred-thousand-dollar printing systems, and in a lot of these applications, there's simply no easy (and vendor-supported) way to replace it with something more modern, or even better suited to the task. Fortunately, most of these types of industrial systems aren't on the public Internet anyway and they are often configured in such a way that anybody touching them for any reason has extremely limited access. (Like, often to a single executable.)
Unfortunately, the 30% usage share typically doesn't count such systems, so you can't simply argue that a lot of those 30% of systems are critical business systems. That 30% number is systems that are unimportant enough that people are allowed to browse the web on them, they're either home computers or ExcelBoxes somewhere.
I suppose the most I can actually do is just wait and see what horrible things happen and hope people get the point before the population of desktop-experience computers on the Internet is 30% Windows XP zombies.
That doesn't absolve the owners and managers of these boxes of the responsibility for the fact that they're running a thirteen year-old operating system for which support was supposed to have ended three years ago.