Slashdot Mirror
End of Windows XP Support Era Signals Beginning of Security Nightmare
colinneagle writes "Microsoft's recent announcement that it will end support for the Windows XP operating system in two years signals the end of an era for the company, and potentially the beginning of a nightmare for everyone else. When Microsoft cuts the cord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks, many of which hold the potential to find their way into consumer, enterprise and even industrial systems running the latest software. Although most of the subsequent security issues appear to be at the consumer level, it may not be long until they find a way into corporate networks or industrial systems, says VMWare's Jason Miller. Even scarier, Qualsys's Amol Sarwate says many SCADA systems for industrial networks still run a modified version of XP, and are not in a position to upgrade. Because much of the software running on SCADA systems is not compatible with traditional Microsoft OS capabilities, an OS upgrade would entail much more work than it would for a home or corporate system."
Nothing to worry about, yet...
Companies have two years to upgrade from software that is more than ten years old or install a firewall on systems in industrial networks.
Almost nobody ever runs Windows Update on those old SCADA machines anyway, I don't really think this is such a big deal.
...that's two years to do something about it. What does everyone expect; Microsoft to support it forever?
14 years of support seems pretty generous - I mean how many versions of OS do Apple currently support? Certainly not all the way back to OS X 10.0. I'm also sure that a lot of those embedded and industrial systems will be updated before then. That's more the job of the manufacturers than Microsoft.
This deadline has been known about for the past five years - if you can't resolve upgrade issues in seven years, then you are the problem, not the maker of the software being EOLed.
This isn't happening overnight, you had your chance to do something about it. You might not agree with the EOL, but that's beside the point.
When Microsoft cuts the chord on XP
Cuts the cord?
Or is this some sort of operation that will prevent XP from playing guitar?
Why not liberate the source and let other companies continue bugfixing?
Oh... doesn't fit the business model?
open source ftw and for long term maintenance.
An, operating system contains something on the order of tens of millions of lines of code. No company is going to handle a maintenance project like that for free and there is no incentive for Microsoft to pay them for it. As for releasing it in the wild, those tens of millions of lines are not the exclusive product of Microsoft, they almost certainty incorporated code that still belongs to other companies into the final package and this code can not be released even if Microsoft wanted to.
I'm all for bashing Microsoft but how can you say
"When Microsoft cuts the chord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks, many of which hold the potential to find their way into consumer, enterprise and even industrial systems running the latest software"
while talking about XP? Its over 10 years old. Microsoft have been trying to push people away for two versions of windows. While their upgrade cycle might be very clunky, I don't think the blame can fall fully on them for people who run software which is 10 years out of date, and now out of support.
- http://www.milkme.co.uk
This is no different from when Windows 2000 reached its end of life, or 98, or NT4. The life cycles of Microsoft products tend to be consistent and well known.
Anyone using Windows on a SCADA system should not just rely on Microsoft's updates for security. Lock them down, limit Internet access to a minimum, don't use Administrator accounts, don't install any Adobe products, don't use the systems for general purpose web browsing and don't feed them after midnight. Most security holes require some active interaction to work.
I still have a bunch of Win2000 systems in use and they chug along fine.
Try reporting a bug with the Linux 2.0 kernel or glibc 2.0, you will be told to upgrade to the latest version. And while the upgrade may be free, the time and effort associated with moving an entire codebase to a modern version isn't.
Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.
Sooooo let me get this straight, There are industrial networks that still rely on XP for SCADA AND they are not protecting them with other security mechanisms AND they are connected to the internet. And the security nightmare here is somehow Microsoft's fault and not the incompetent morons running these unprotected systems?
That's a bit of a generalization.
Is it so hard to believe there are people with up-to-date XP systems who simply don't feel like forking out a couple hundred dollars to fix something that isn't broken?
-=This sig has nothing to do with my comment. Move along now=-
How many Linux and OSX releases are supported for 12 years?
How many Linux distributions (where maintainers stayed in business) have not seen a major upgrade for the better part of a decade? That's the time it took from XP to Vista. And then the upgrade wasn't even considered an upgrade by many - so maybe you should look at the time it took from XP to Win7 even?
All Windows versions come with 10 years of guaranteed support. 5 years of primary support, where they get new features and service packs, 5 years of extended support, where they get bug and security fixes. MS is known to increase that, but never decrease. In the case of XP, they did extend support. XP is getting 14 years total of support.
I have zero sympathy. You have to cut support for old versions at some point. Even if you are doing everything for free, it just gets infeasible to maintain old code all the time. Ubutnu only does 5 years on LTS releases. In MS's case, it is also because bills need to be paid. They don't charge yearly for maintenance or patches or anything, the cost of that is included in the purchase price. Well, that means that price has to be paid every once and awhile, and once per 10+ years isn't unreasonable.
As you say this isn't happening overnight, nor is it a situation of MS suddenly reducing support life. This has been known for a long, long time. Any company that is sticking their head in the sand about it is bringing about their own problems and on their own heads be it, they can't blame MS at all.
Look people, XP goes out of support in 2014. STFU and deal with it. You've 3 choices:
1) Upgrade. Really, this is not hard. 7 Is an extremely good OS, I've been very pleased with it. It will be supported until January 14, 2020 at a minimum, unless MS chooses to extend it so you've at least 8 years before you need to upgrade again. Once a decade-ish isn't too often to upgrade.
2) Isolate. You can just take the damn thing off the Internet if it is really a problem. We've done that at work with a few old Windows 98 systems. We are a university and so don't always have money for new toys. We get some old piece of equipment that is controlled by software that only runs in 98 or earlier. Fine, it just doesn't get on the net. Yes it is a bit inconvenient. Deal with it. The air gap works.
3) Protect. If it really is an issue, you can lock down and protect the systems. Put them all on a private network that can only be accessed via a controller system that is bitchy about what is and is not allowed in and out. Then internally have each system run a locked down firewall and set of services. Disallow any web access, only access to internal systems. Lock everything down tight, with multiple levels of security, and even lacking patches you can likely keep it secure.
This is nothing more than companies whining because they want to be lazy. They don't want to take the effort to upgrade to a new version of Windows, don't want to take the effort to increase security, and just think that MS should patch shit forever to support their laziness.
No sympathy here.
Sorry, we're running life critical systems here. We can't rely on "taking a look at it". We need a guarantee which is just a teeny bit stronger than that. Many of our systems do run Linux, but only because a consulting company is willing to fill that gap and assume the role of supplying custom fixes/patches while we wait for "official" ones to make it into the kernal. It's not that we have anything against the community, but frankly we need someone to take responsibility and to be held accountable for all aspects of our system.
As for this news? Shrug. Anybody who doesn't already have a plan still has two years to figure it out and get one in place. I can't find any sympathy in me for someone who hasn't come up with a solution by then.
Emphasis mine. This is possible only because Linux is open source. Thanks for making exactly the point that needed to be made in favor of an open source OS.
Write boring code, not shiny code!
And a consulting company will happily fill the gap and provide maintenance for a 2.0 kernel, it makes no difference to them... Money is money, and the code is still available.
With closed source you simply don't have the option of hiring a consulting company, it's the original vendor or nothing and it would be utterly irresponsible to make critical systems depend on something you don't have the source of and are utterly beholden to a single vendor for.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Having the sourcecode doesn't seem to help people create malware targeted at linux or bsd users...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
My comment is based on experience, not supposition.
Fortunately for you, you have the code, you have the ability to fix the problem yourself (or pay someone to do it)
You can't do that with XP.
I'm pretty sure yes, they will continue to run their activation servers for a long time. As you say, your license doesn't expire.
If in the bleak, distant future when robots rule the world you are still using XP and MS wants to turn off the activation servers they will probably release a patch to disable the activation stuff, or provide a 'golden key' as you say. I'm sure by then they won't care too much about potential piracy of a 20+ year old OS. (That'd be like them caring that I may or may not have some pirated floppy disks of DOS 6.22 sitting in my garage somewhere...)
And watch me get hate for pointing out the crazy in that statement...You HAVE the source for linux and still can't fix the driver issues that have plagued it to this very day! Every forum, pick your distro, on EVERY upgrade gets "update foo broke" followed by a list of sometimes HUNDREDS of things! Hell Dell has to run their own damned fork because even on the teeny tiny subset of devices they offer Linux on they STILL can't promise using the default repo some kernel dev won't get a bug in his ass and break shit. so now you want to do the same thing...to hundreds of millions of computers? with NO budget? Jesus Tap Dancing Christ just step away from the keyboard!
As for TFA has nobody heard of a damned firewall? or NOT using IE perhaps? Its not like these bugs are living things, plotting to take over the world like pinky and the brain ya know. Slap Chrome or Firefox on XP, use a decent firewall of which there are several free to choose from, and there ya go! or if it being no longer supported REALLY bugs you just buy the $89 Win 7 Home and call it a day. or hell throw in with a couple of friends and buy the triple pack, I've seen it go for as little as $120 which is a whole $40 each.
When you show me a SINGLE distro, just one mind you, that not using any tricks can be updated from...oh lets say the 2005 release to current with ZERO breakage then you will have a valid argument. but saying that a community that can't seem to fix the drivers when dealing with a MUCH smaller scale than what they would be having to deal with on XP can do the job with NO budget, just the love from the community? i'm sorry but you left batshit a dozen exits back. hell you can't even get all the damned docs filled in, there are plenty that are "to be done' placeholders and that is a job that any person can technically do!
Now cue the batshit FOSSies that make the whole community look like nutters to call me a "dirty M$ Ninja robot poo poo head" and try to asspull some amazing excuse that handwaves the entire Linux drivers and docs issues away. I swear that while there are many in the FOSS community that is very intelligent and can do frankly amazing things with code the batshit loonie fringe just seems to get louder and more numerous as Linux rolls on. Frankly I would laugh my ass off watching the community try to deal with the bazillion and one half ass hacked up drivers that run on XP. i don't even wanna know what it must be like to do regression testing for patches on XP, I bet the guys stuck with that job live on suffering and BC Powder. Hell I wouldn't be surprised if that is why MSFT is pulling the plug because I'm sure quite a few governments and businesses would be happy to shell out if they continued support but I bet trying to find really good coders that understand low level drivers and can truly get a handle on this giant ancient mess of code must be like trying to find heart surgeons willing to spend their days cleaning the shit out of impacted colons. i wouldn't wish the job of dealing with all that old ass patched all to fuck code on my worst enemy.
ACs don't waste your time replying, your posts are never seen by me.
"English, motherfucker! Do you speak it?"
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Besides the entire line is moot because if the community thinks they can do better then bring ReactOS up to snuff and there you go! Someone has already done a lot of the early work FOR you, all you have to do is bring it the rest of the way! Then you will truly have a FOSS XP for one and all.
But of course that work is gonna be hard as hell and nobody wants to do it, hence it don't get done. Does ANYONE here think being handed the entire XP codebase would magically make fixing bugs in that huge damned maze of code any easier than just starting over with ReactOS? After all ReactOS doesn't have backwards compatibility going back damned near to DOS built in, isn't gonna have to deal with all this old depreciated crap like .NET 1.0, frankly what this guy is saying might as well be "Just give us XP for free and we'll throw magic pixie dust and make it all better!" which of course is nuts. hell it would probably take the community the better part of a decade just to come to grip with all that damned code and the interactions.
for a perfect example of why the community would be better off using its limited resources on ReactOS just look at LO. I'm sure those guys would tell you they still have a loong way to go to modernize it and bring it up to a more modular design and we are talking about a single program with legacy cruft! In just the system32 folder on my XP nettop you are looking at 256 subfolders containing 6694 files...and that is just one folder...does anyone have any idea how long it would take just to get up to speed on that one folder? Checking the windows folder you are looking at 19, 537 files and 2524 folders. By the time the community, even if they got even say 10% the funding of a Red hat would probably take a good decade just to figure out what interacted with what and how! Now try to fix bugs before they were completely pwned AND trying to learn all those interactions...If you want XP FOSS users you have ReactOS, spend your time there.
ACs don't waste your time replying, your posts are never seen by me.
There is a real risk with going down that route however, and that is that unless you can get your changes merged into the main branch (far from guaranteed), you are now running a forked version of Linux
Yes but in the worst case scenario (your changed not merged) that buys you time. This is priceless compared to Windows where you're left on your own with an insecure system.
Look, this is not a perfect solution, just because there is no perfect solution. But having an open source system is much better than a closed source one for that very reason. You *can* do it on your own if you need to.
Write boring code, not shiny code!
wait.. so what you just said was you never had XP support either..
btw it's "connect with pants down and legs spread" :D
are you kidding? or are you just stupid?
any sane person who can do a search on the internet can see that linux kernel continues to have DOZENS upon DOZENS of security bugs. hell almost every single android phone running linux can be rooted... because linux developers continue to introduce security bugs in source code of every release.
besides which.. malware is something the user has to install themselves, it has nothing to do with security bugs.. although the existence of security bugs in firefox helps when you want to create drive by download method of infection.
Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.
Microsoft had publicized these deadlines ever since the product was released. This is not the news here: the news is that a lot of people are still using the system. Serious companies that rely on Windows XP for their business have always known that support would end in 2014, and so have factored that into account.
Why do these manufacturers not have explicit, individual support contracts from Microsoft to suit their own longterm requirements then?
Relying on the general public support policy of any OS maker or community for this sort of usage is just fucking ridiculous and proves that, as I have said elsewhere, the problem lies with the SCADA manufacturers rather than the OS.
I don't disagree with you, but the economic pressures are relentless. As late as the mid-1990s a manufacturer could count on there being an ecosystem and trained programmers available for the various high-security, high-reliability architectures on the market (or at least people willing to take jobs being trained as programmers, designers, etc for such systems). By 2000 those ecosystems and finally the architectures themselves had vanished under the avalanche of Wintel systems (bought a new PDP-11 lately? Or even a Tandem Nonstop?). And the cost differential in favor of Wintel went from 1/3x to 1/1000x. It is extremely hard to convince a product development board that your product needs 1000x more funding than the team building what is fundamentally very similar consumer- or commercial-grade system.
And the demand from customers drives things too. Right now every operating manager I work with wants to be able to monitor his plant from home on his iPhone. Customers are putting enormous pressure on their vendors to replace expensive proprietary (but secure) wireless interfaces with much cheaper iPhones. Security gets paid lip service in the spec but doesn't control the decision.
sPh
Remember when they released the Netscape source? Every begged them to open it and said how it would be so awesome with all those developers helping make it better. Well, every looked over the code, decided it was too confusing and started over on Mozilla. Total waste of time. Set open source back by years to throw away the Netscape codebase but "other people's code" always looks confusing and weird. I guess they believed their own hype that if you get the code you can just open it up in emacs and start fixing bugs. Well, it doesn't work that way. It would take months to get your head around some shit like Netscape, Windows XP would be even worse.
We have a small family business in a city where much of our good manufacturing jobs have gone overseas. Everybody who walks in the front door is looking for a deal because they have no money, or perhaps because their new job at Wal-Mart doesn't pay like the old one.
I don't have the customer base or cashflow to just upgrade at a whim. My major issue is we have several commercial duty printers that cost several thousand dollars each. We do some pretty customized printing, odd sized paper, etc. Under Win 7, NONE of these printers will do anything more than single sided sheet of paper, cannot even duplex. I've contacted HP directly, had the Xerox people in here, and in both cases, they refuse to provide new drivers that will make these printers work under Win 7 the same way they do under XP. Even simple things like duplexing cannot be done in some cases. The official response form these companies? But a new printer. That's it.
I do run linux, but you know something, even though I can make these printers work under linux no problem, there is no good substitute for Pagemaker and/or Indesign in Linux. As long as Scribus does not or cannot import my Pagemaker and./or InDesign files, it is useless to me. I have a library of almost 20 years of Pagemaker and InDesign files that we created from the ground up, and untill I can import them, Scribus and therefore by extention I cannot use Linux.
So I do not mind upgrading to Win 7 in itself, it's the fact that some of my high end printers and scanners do not work well with Win 7 because "They are too old".
One more thing - some - well heck, many of these new printers are junk. My old, Made in Japan printers had heavy duty metal bearings and gears. Many of the new, brand name printers made in China use plastic gear and bears, or cheaper metal they physically breaks down more often than the old printers. A ten year duty cycle of heavy day to day use was not uncommon for a good HP, today I am told expect three years then toss it.
Yeah, in an economy when money is tight everywhere, the upgrade to Win 7 is not doing me much good. For all you guys who say you have no sympathy for guys like me who don't want to upgrade, well sorry, money is tight, we have to keep a tight ship, and when I see perfectly good hardware unable to run under Win 7 simply because somebody will not make a driver for it, well, as Judge Judy would say "Don't pee on my leg and tell me it's raining."
Relying on the general public support policy of any OS maker or community for this sort of usage is just fucking ridiculous and proves that, as I have said elsewhere, the problem lies with the SCADA manufacturers rather than the OS.
This is really what it boils down to. Everyone's discussing the relative merits of MS support against a team of coders to keep a given linux implementation up to date, but the fact is that the SCADA guys didn't bother to do either, and the customers didn't demand it from them. Negotiate with MS, negotiate with RedHat, employ your own team to write and support a custom kernel based on RMS's personal HURD installation, whatever, but make sure the plans are in place for a 20-30 year support period before you fucking start. Considering the kind of infrastructure we're talking about here, that sounds like some potentially serious incompetence that needs to be investigated...
And hey with a scalpel I'm qualified to be your heart surgeon...right? I mean that IS what you are basically saying, because we aren't talking about some fart app here we are talking about the literal heart of an extremely complex operating system and you just acted like it would be trivial just to DIY. Hell even RMS couldn't write his own kernel and you expect Joe average to pull off a major rewrite? And do you have ANY idea how much it would cost to hire a qualified kernel developer to do your own custom rewrite? Might as well say you can fly down to Redmond in your Lear jet and bitchslap the sweaty monkey with your solid diamond dildo until he agrees to keep supporting XP.
If I was Linus personally i'd be pissed as hell that so many like you think what he does is so damned trivial that just because you have the code you could kick him to the curb. you'd be DAMNED lucky if the number of guys that are truly qualified to do that job is even in the triple digits and they sure as hell won't be working for you. hell guys with those skills are practically the rock stars of coding and have top paying jobs and headhunters trying to steal them away..
To use a /. car analogy just because I hand you the blueprints to a Ferrari and hand you a couple of tons of raw steel does NOT man you will be able to actually build a Ferrari or even be able to rebuild one that has been dropped off a cliff. Remember folks its source code NOT pixie dust.
ACs don't waste your time replying, your posts are never seen by me.
And hey with a scalpel I'm qualified to be your heart surgeon...right?
The two are not the same. Heart surgery is a specialism that requires probably a 5 year degree, following by a decade or so of further training under most medical regimes. Software development is a bit more open. The kernel isn't magic, it's just software; if you are a good C programmer you should be able to figure it out enough to complete the task at hand
you expect Joe average to pull off a major rewrite?
Who said anything about a major rewrite? The vast majority of security fixes are very small, and generally target a few lines of code where some trivial mistake was made. The only reason a major rewrite would be required is if the protocols or implementation are completely broken and insecure. And if that is the case, you're better just disabling the broken functionality.
And do you have ANY idea how much it would cost to hire a qualified kernel developer to do your own custom rewrite?
RedHat, Canonical, etc. all ship custom kernels. Kernel development can be hard, but it's certainly not impossible for a good programmer who has never worked on the kernel to do development there. There are probably at least a few thousand programmers in the world who already have kernel experience. Hiring good C programmers isn't cheap, but it may well be cheaper than rewriting your custom SCADA implementation to run on a more modern OS.
Fourteen years sounds like a long time to support a software product. Yet I find it interesting to point out that, in the U.S., any "inventions" that debuted with the release of Windows XP will still have 6 years of patent protection, and the code itself will have another 75 years of copyright protection. This is for a product that's already been unavailable commercially for a while and will be completely dead in two more years.
Overly long IP lifetimes hurt security, technological progress, innovation, and culture.
It's certainly better support than Apple. XP was released in 2001 so that would be equivalent to OS 9.2 in the Apple world. Do they still support it?
Ha! A big fat no. They don't even support my OS, which is as recent as 10.5 (last powerpc variant). If anything Microsoft is acting better than Apple does and should receive some praise for supporting XP as long as they have. I've been using the same computer for 10+ years (and thus saving a lot of cash).
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"