UK Government Rejects Calls To Upgrade From IE6

pcardno writes "The UK government has responded to a petition encouraging government departments to move away from IE6 that had over 6,000 signatories. Their response seems to be that a fully patched IE6 is perfectly safe as long as firewalls and malware scanning tools are in place, and that mandating an upgrade away from IE6 will be too expensive. The second part is fair enough in this age of austerity (I'd rather have my taxes spent on schools and hospitals than software upgrade testing at the moment), but the whole reaction will be a disappointment to the petitioners." Update: 07/31 11:43 GMT by S : Dan Frydman, the man who launched the petition, has posted a response to the government's decision.

Cleanup

[Tubal-Cain]

The second part is fair enough in this age of austerity (I'd rather have my taxes spent on schools and hospitals than software upgrade testing at the moment), but the whole reaction will be a disappointment to the petitioners."

That AutoRun virus that was going around a while back, how much did that cost to clean up?

An ounce of prevention is worth a pound of cure.

Re:Cleanup

[timeOday]

Upgrading may or may not prevent problems. Many times it's a huge hassle with little or negative improvement. I don't upgrade software OR hardware any more just because I can; it's too much trouble, so I wait until I have a specific reason.

Re:Cleanup

[phoenix321]

Software being too old, insecure and barely compatible is reason enough. A browser is a must-have piece of software nowadays and if you absolutely depend on a specific version of a specific product line, you're doing things wrong in the first place.

As IE6 is absolutely not available on any new version of Windows, it's effectively holding back all significant upgrades on the core operating system. Without updates to the operating system, the entire IT landscape is not only severely hobbled for innovation, but thoroughly insecure on major issues.

Don't allow yourself to fall prey to the illusion that software upgrades are an entirely voluntary - or useless - effort. In the best possible scenarios, holding back upgrades is saving a few percent of the cost and postponing the rest of upgrade expenditures. In friendly real-world scenarios, it's not saving any, merely postponing all upgrade costs. In any case, it's very very likely that during decade-long upgrade holdouts, IT department will lose it's edge and sharpness, get complacent and behind on the current state-of-the-art. And with that, the whole company will lose its pace.

Upgrading from Vista to Windows 7 is easy. Upgrading from XP to Windows 7 is a major undertaking and upgrading from any older version is financial disaster.

Just because you CAN use old equipment until it literally falls apart, it doesn't mean it's the most sensible or cost-effective option to do so.

Re:Cleanup

[phoenix321]

XPSP2 was not a browser upgrade.

Either way, no one is forcing the IT department to stay at the bleeding edge. It may be profitable to do so, because usually, newer systems have some perks the older ones did not. But staying half a decade behind on current issues is not prudent, but paranoid.

That doesn't apply to real-time systems, systems of major criticality and systems with human lives at stake, but for regular office systems, holding back on upgrades forever is not prudent but complacent and possibly paranoid. Some day in the future, even Big Bank, SCADA and mission control systems WILL need to be upgraded. How will paranoid IT departments handle *that* if they never dared to upgrade even a single notebook in the least important offices? How will they gain any experience with the new stuff?

We all like to rave about prudence and ultra-mission-criticality of our IT, but unless we're working for NASA, NORAD, Big Bank or Big Energy SCADA, it's self-aggrandizing paranoia to think upgrading from IE6 to IE8 will bring the enterprise down, financially or otherwise.

Re:Cleanup

[Gonoff]

Software being too old, insecure and barely compatible

old
What is the inherent problem with software just being old? Do some of the bits fall off? Some of the bytes?

insecure
Many people here would remind you that it is insecure because of what it is - MS Windows. If you are going to replace it with MS Windows, it will still be insecure. Large organisations spend a lot of time keeping it secure. That is why people tell me they are not happy about our rules on what you can connect to our network, rules on USB, security policies and much much more.

barely compatible
That is a lot better that Vista which is not compatible at all and Windows 7 which needs to run a virual machine to be able to run most "corporate" applications.
In fact, this is the big killer. We have completely avoided Vista because major applications would not work. Now we are being told that we need to roll out an operating system that will not run on a reasonable fraction of our estate. Then, to make things work, we need to have XP on all of them as well?

Yes, I know that if we have to have the applications rewritten, getting them to work in a grown-up operating system would be a good idea and making all web apps browser agnostic is a must. That costs money now. Carrying on pushes it into the future.

Re:Cleanup

[mpe]

But the real reason to not get too much behind on upgrading is user experience: switching from XP to Vista feels differently, but not a whole lot. Switching from Vista to Win7 is also noticeable with the GUI and interface, but with even less differences than before. But switching from XP to 7 is quite a jump.

Would this "jump" be any smaller going from XP to Ubuntu? Which also means getting rid of complex to administer software licence systems, EULAs, CALs, etc, etc.

Re:Cleanup

[Silvrmane]

What is the inherent problem with software just being old? Do some of the bits fall off?

The problem is that the web has actually moved on from what was standard practice 9 years ago. There are new methods to make crafting pleasant looking web pages easier and more productive. IE6 is simply too out of date for a large chunk of what is possible to do on the web anymore, forcing web developers to waste time doing their sites two ways. In my case, I build my sites to work in all current versions of browsers, and then spend an additional 30% to 40% of my development time making it work in IE6 as well. I'm starting to think of listing support for IE6 as a separate billing item so that the client can more accurately evaluate how important it really is to keep supporting this cranky old beast of a browswer.

Reading Comprehension?

[Manip]

Their response was to the suggestion of changing browsers. Their post sets out very clearly that they're migrating their applications and workstations to IE8.

Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them. There is no evidence that upgrading away from the latest fully patched versions of Internet Explorer to other browsers will make users more secure

And:

Upgrading these systems to IE8 can be a very large operation,

Does make one wonder if the submitter or the editor even read it.

Re:Reading Comprehension?

[maxwell+demon]

Their post sets out very clearly that they're migrating their applications and workstations to IE8.

I wonder if you have read it. Here's the complete paragraph from which you quoted one (partial) sentence (emphasis by me; the first emphasized sentence is the one you quoted):

It is not straightforward for HMG departments to upgrade IE versions on their systems. Upgrading these systems to IE8 can be a very large operation, taking weeks to test and roll out to all users. To test all the web applications currently used by HMG departments can take months at significant potential cost to the taxpayer. It is therefore more cost effective in many cases to continue to use IE6 and rely on other measures, such as firewalls and malware scanning software, to further protect public sector internet users.

So it's quite clear that they are not upgrading IE versions.

Oh, here's the problem

[phantomfive]

The petition creators goofed, they started it out with this sentence:

The German and French governments have started to encourage people to upgrade away from the browser Internet Explorer 6

Heh, can't start copying the French and Germans now, can we? Next thing you know we'll be on the Euro! That killed it right there. Made it politically unfeasible. All those petition signers are stupid francophiles.

UK Gov won't go past IE6, but MasterCard need IE8?

[Ocker3]

Some online vendor sites have started requiring that you use IE8 to access the site, apparently because Mastercard is forcing them too. My company's standard is IE7, good thing I'm in IT so I have the rights to install 8 on one workstation for when I have to buy software from that company-selected portal that requires IE8 now...

Re:Frosty Pizzo?

[Tubal-Cain]

Opera is far more configurable.
Firefox plugins leave Opera's configurability in the dust.
Chrome's interface is cleaner and more compact.
Only mobile and cli browsers score lower on Acid3.
Everything else runs circles around IE's rendering times.

Re:Assume IE 6 earns them 1 million dollars a day.

[Gordonjcp]

Assume IE 6 earns them 1 million dollars a day. If they stop using IE6. They start losing 1 million dollars a day. Thats the reality of the situation.

Except it's nothing like reality. They *only* lose 1 million dollars a day if they stop using IE6 *and then don't use anything else*.

Here's a car analogy. Using a Mercedes Vito van makes me a certain quantity of thousands of pounds per year (I'm British, we don't disclose ages or wages). So, if I stop using a Merc, I stop earning money, right? Wrong. If I stop using a Mercedes Vito, I start using a Citroën Berlingo, or a Ford Transit, or some similar van.

It's really a pretty simple idea.

Reality: deal with it

[DNS-and-BIND]

This is something called reality that has to be dealt with. I know this is typically not what petition signers encounter in their daily lives, but endure this explanation. The truth is that critical applications depend on IE6 to function, and upgrading from IE6 would cause work to stop. They shouldn't have built their apps on IE6? Blame Microsoft, their ruthless tactics led to that situation.

Re:Reality: deal with it

[Ice+Tiger]

That's why as part of your upgrade you upgrade / fix those apps to work on a modern browser, the alternative is you come to day when you can't upgrade anything in your IT ecology due to everything being so brittle.

Another way of looking at things is that as IE6 gets dropped from supported browser lists over the next few years you can be faced with the situation of critical app a stuck with IE 6 but critical app b needing to be upgraded but because it has dropped support for IE 6 you can't without incurring massive project costs.

Not keeping your software at least to supported versions is a false economy, much like the money you save not putting oil in your car, that is of course until the engine seizes.

A fully patched IE6?

[nacturation]

IE8 is the patch to IE6.

Myopia

[VincenzoRomano]

The consideration about costs is right, if you defer security decisions so much that you're still running IE6 in 2010.
The consideration about firewalls and scanners is also right, if your policy is to go on patching a broken roof instead or making proper repairs.
God save the Great Britain (as well as the Little one)!

Re:Assume IE 6 earns them 1 million dollars a day.

[dangitman]

I have a bit of a mantra when I talk about IE6. Whenever anyone asks me why anyone would run IE6, I give this response:
Assume IE 6 earns them 1 million dollars a day. If they stop using IE6. They start losing 1 million dollars a day. Thats the reality of the situation.

That's about the most nonsensical thing I've ever heard. If this is your mantra, then you should not be employed anywhere, for any job.

Re:it shouldn't cost anything

[Skrynesaver]

When you are a large institution who have (over)paid consultants to create workflow tools on your intranet, upgrading is far from free. The new approved browser will have to be validated against your existing tools, then you'll have to do rewrites where you had horrible IE6 kludges. The cost of the software isn't the issue, it's the cost of delivering your applications on that platform that is the issue.

With that said it provides a wonderful example of why organisations should avoid proprietary extensions to standards. One day the world will move on and you'll be stuck with an un-integrateable piece of shit platform.

Re:Assume IE 6 earns them 1 million dollars a day.

[Warll]

...ladies and gentlemen of this supposed jury, I have one final thing I want you to consider. Ladies and gentlemen, this is Chewbacca. Chewbacca is a Wookiee from the planet Kashyyyk. But Chewbacca lives on the planet Endor. Now think about it; that does not make sense!

http://en.wikipedia.org/wiki/Chewbacca_defense

Re:Assume IE 6 earns them 1 million dollars a day.

[mlts]

Actually, the tech details are just pushing a .MSI file out with IE8, or just approving it from a WSUS server.

My rant: IE6 is 10 year old technology. A Web browser is on the front lines of keeping a machine secure, almost as much so as a router. IE6 is meant to deal with spyware from the year 2001. Not the botnets and SCADA-seeking malware of 2010. Anyone who has any sense can see this.

There is just no reason to run IE6 on XP unless it is testing backlevel versions. IE8 fixes a lot of security issues. Even Windows XP needs to be binned because it is going to be a decade old, and organizations need to move forward to operating systems more able to handle the security issues of this decade.

This doesn't even need a car example, but a war example: You don't send out Greek phalanxes in formation against people with 10,000 rpm chainguns, Apache helicopters, and flamethrowers. Fielding Windows XP is doing just this.

The blackhats, phishers, scammers, spammers, criminals, and other miscreants are not going to be easing up attacks anytime soon. So why deal with threats of 2010 with an OS made nine years ago?

Of course, firewalls mitigate this, but there is something sort of wrong with compensating for a poor OS's security by having to fortify the router and perimeter instead of having the OS be reliable enough so a blackhat isn't home free once they get into the core network fabric.

Too expensive? Pah.

[Retron]

What a load of rubbish that "too expensive" excuse is. I work as a technician in a school with around 700 PCs (several hundred each of laptops and a mix of old/new desktops) and we ditched IE6 ages ago. The cost was near zero for the curriculum PCs, as RM issued an IE7 patch ages ago. Allocating it was as simple as selecting lists of PCs and clicking "allocate". We upgraded teacher laptops on a rolling programme, the same with desktop PCs. We're now redeploying Windows across the whole site - teacher machines now have Windows 7 so it's not an issue, while the curriculum builds of Windows XP have IE8 in the base image.
The only "expensive" bit was a day of my time fixing issues with some rubbishy Java applet that is used in the library, which isn't very happy with IE8. A day of my time is worth £40, so it wasn't exactly expensive to fix!
If a school can do it, I'm sure government departments can too.

Re:Too expensive? Pah.

[rapiddescent]

most of the large ukgov departments have outsourced their IT support to companies like HP, Fujitsu, Logica, Capita and so on. Due to the ukgov ineptitude of writing good outsource contracts - an IE upgrade is off plan and so the outsourcer (in a monopoly position at that department) simply charge the earth - even if it is just to roll out an update automatically. Excuses such as testing, and verification of intranet applications simply make the cost even higher

Re:Assume IE 6 earns them 1 million dollars a day.

[thegarbz]

That's about the most nonsensical thing I've ever heard. If this is your mantra, then you should not be employed anywhere, for any job.

Yet your post is one sided at best and naive at worst. If your company has 30000 employees who use tools that they quite heavily depend on that only runs on one particular application and you push out and update because "hahah I'm IT and I make the rules" which breaks everything then YOU should not be employed anywhere.

IT is an internal service. If IT just focuses on the enterprise (security, stability etc) at the expense of usability then the IT department should be dissolved and rebuilt (the reverse is also true). You the admin may push an update to IE6 to my computer once you have replaced all, and I mean ALL of the applications that depend on it, and in the fortune 50 company I work for that's actually a lot of web based applications. How you do it, and who funds it is none of my concern. This is a discussion for your department to make with upper management.

Don't forget, users are a nice and quiet bunch of people ... when everything is working.

Re:Frosty Pizzo?

[tomhudson]

Maybe it doesn't support rounded corners, but now that all the major crap has been fixed, I'll do my rounded corners with a few css background: (url://foo.com/round.png) and call it good.

I can now do web sites entirely within linux, boot a laptop temporarily into windows, and guess what - it WORKS.

I don't need any browser sniffing, any shims, any of the crap that people have been using for years. xmlhttprequest is the same object across all browsers now so no checking for different methods for creating a new one.

THAT is what we've been asking for for a decade.

Now as for this:

Most creative and software development companies are forced by government department clients to build websites for IE6 when most of the industry has moved on.

Nobody is forced - you can always give them a separate url with a fugly site and tell them that it's to partition off the insecure users of IE6. Bring along a laptop to show them what they're missing. Tell them they don't have to upgrade from IE6 - they can always use Opera or Forefox in addition ... it's not a binary either-or choice.

After all, a fully-patched system is also just as safe for Firefox or Opera as it is for IE6. Or don't they really believe that their systems are secure, and it's just hand-waving.

I ran into a $16 billion company Thursday that still is on IE6. Will I change anything so my product works with them? No - its chasing the tail of the market. At some point in the next year or two they're going to have to upgrade anyway.

The last boss who insisted on pixel-perfect IE6 compatibility stopped complaining all of a sudden when his favorite porn site (or was it his favorite poker site) forced the upgrade issue. If you believe that people's reasons for not upgrading are based on logic or economics, you're mistaken. Those are justifications or excuses, but the real reason is inertia (or they would have switched to Firefox or Opera long ago).