End of Windows XP Support Era Signals Beginning of Security Nightmare

colinneagle writes "Microsoft's recent announcement that it will end support for the Windows XP operating system in two years signals the end of an era for the company, and potentially the beginning of a nightmare for everyone else. When Microsoft cuts the cord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks, many of which hold the potential to find their way into consumer, enterprise and even industrial systems running the latest software. Although most of the subsequent security issues appear to be at the consumer level, it may not be long until they find a way into corporate networks or industrial systems, says VMWare's Jason Miller. Even scarier, Qualsys's Amol Sarwate says many SCADA systems for industrial networks still run a modified version of XP, and are not in a position to upgrade. Because much of the software running on SCADA systems is not compatible with traditional Microsoft OS capabilities, an OS upgrade would entail much more work than it would for a home or corporate system."

release the source?

Why not liberate the source and let other companies continue bugfixing?

Oh... doesn't fit the business model?

open source ftw and for long term maintenance.

Re:release the source?

[tao]

If you bother to report a bug against the 2.0 kernel, and it's about functionality actually present in the 2.0-kernel rather than something along the lines of "the 2.0 kernel doesn't support USB3", then I can promise you that the maintainer would at least take a look at it.

Re:release the source?

If you bother to report a bug against the 2.0 kernel, and it's about functionality actually present in the 2.0-kernel rather than something along the lines of "the 2.0 kernel doesn't support USB3", then I can promise you that the maintainer would at least take a look at it.

Sorry, we're running life critical systems here. We can't rely on "taking a look at it". We need a guarantee which is just a teeny bit stronger than that. Many of our systems do run Linux, but only because a consulting company is willing to fill that gap and assume the role of supplying custom fixes/patches while we wait for "official" ones to make it into the kernal. It's not that we have anything against the community, but frankly we need someone to take responsibility and to be held accountable for all aspects of our system.

As for this news? Shrug. Anybody who doesn't already have a plan still has two years to figure it out and get one in place. I can't find any sympathy in me for someone who hasn't come up with a solution by then.

Re:release the source?

[FireFury03]

Sorry, we're running life critical systems here. We can't rely on "taking a look at it".

If you're running "life critical systems", what the hell are you doing running an OS that isn't designed for "life critical systems" in the first place? (Hint: Windows and Linux are *not* designed for life critical systems). As for not being able to rely on "taking a look at it", that's why you need to pay someone to do this stuff - you can't expect either Microsoft or a Linux developer to work for you for free, but at least with an open OS you can employ a third party to maintain it beyond its normal support life, whereas if you start out with a closed system you're always going to be at the mercy of the vendor.

but frankly we need someone to take responsibility and to be held accountable for all aspects of our system.

If you think Microsoft are going to "take responsibility and be accountable" in any serious way, you obviously didn't read the licence agreement. I presume what you actually mean is "I want to be able to blame Microsoft when things go wrong to divert the shitstorm away from me" whilst achieving nothing actually useful. Ain't blame culture brillient?

Re:release the source?

[thegarbz]

Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.

SCADA systems have a very long lifetime. Many vendors offer life-cycle announcements that provide 10 years of planning to suit rare shutdown events where things like SCADA systems can be upgraded. Now these are just their lifecycle announcements. One of our vendors has last year gotten their software and latest SCADA system running on Windows 7. The upgrade path is toss the entire old system, and upgrade. The older system was also subject of a life-cycle announcement last year. So basically we have until about 2021 to upgrade before the vendor stops supporting their system. For that length of time we're going to need to keep XP running.

Re:release the source?

[Richard_at_work]

Good for you, in a recent job I had a PHP codebase developed inhouse by others that was stuck on a very old version of PHP and MySQL - upgrading the codebase was out of the question (it would have taken a rewrite), but the fact that Gentoo explicitly removed the version of PHP on upgrade I needed meant that I could not actually keep the OS up to date using the OS providers methods.

The older PHP wouldn't compile against the newer system libs either, so I was stuck with what I had.

The application suite was infact being replaced by a new system also being developed inhouse, but of course that takes time - and during that time I was stuck with an out of date install.

Yup, shit like that does exist all over the place.

What about XP mode in Windows 7

Every time I read about the ending support, I wonder what happens to the so called XP mode in Windows 7. It's an installation of Virtual PC with a XP image ( http://www.microsoft.com/windows/virtual-pc/download.aspx ). Since Windows 7 is supported by MS, how can they leave those users alone?

Re:Well...

Computers last longer than 2 years.

And so did XP: it has been around since 2001. That means when the deadline hits it'll have been around for 13 years.

At the end of the day, if you don't want to be forced into upgrading your systems someday then don't base critical hardware around something which someone else controls and is known to make redundant now and again. "But it's cheaper to buy someone else's solution than develop your own!". Yeah, it is, but the tradeoff is that you're at the mercy of their update and redundancy schedule. Businesses should have taken the longevity of the systems into account before they bought it and planned accordingly: it's no secret at all that this sort of thing happens.

Re:No sympathy

[Waccoon]

Reminds me of how long it took for peripheral manufacturers to write drivers for Vista, despite how long they had developer previews available.

Hey, just another example besides good ol' IE6.

Just wondering about activation

[scsirob]

Set aside for a moment that XP is pretty old. I bought a legal copy of it. It does not have an expiration date on it, I am entitled to run it as long as I wish. My license appears to allow me to replace my hardware if it fails. But at some point XP may find that the changes are 'suspect' and require me to re-activate my legally bought copy. Will Microsoft continue to run their activation servers?

If not, will Microsoft provide a 'Golden Key' to activate without their Genuine Advantage Farm??

Omg its the end of the world!

[wye43]

Someone, please, just think of the poor children running SCADA systems!
Oh wait, its only Windows XP
Oh wait, its actually in 2 years
Oh wait, its just support

Seriously, do we need a "Windows XP is gone and the world is already burning" scare-article posted every month on Slashdot? For the entire period of 7 years of pre-announced end of support for an ancient OS? This shouldn't even be on idle. Is this a tech site or little Suzie's shopping ground for pink dresses?

Support, or broken crutch?

[AliasMarlowe]

I can't say I 've ever had Microsoft XP support, either-

I did, back in the days when XP SP1 was promulgated, but it was not one of Microsoft's prouder moments. The SP1 package downloaded, but would not install. Several attempts yielded the same result, and various help articles on the MS web site were consulted fruitlessly. So I duly filed a report on the MS web site, not expecting much to happen. Somewhat to my surprise, I got a phone call a couple of days later (must have been international, I'm in Finland, and the support person spoke English with an Indian accent). She talked me through what I had already tried, and it failed yet again. So then she told me to disable all firewalls, both in the PC and in the router, and try again. I suggested that would be unwise, since my router logs indicated several nasty packets (fake routing, port probes, etc.) per second were being blocked, and none appeared to be from Microsoft. Her response was that the only way for me to install SP1 was to disable all firewalls. In other words, connect with pants down and legs open to a stream of questionable health. Yeah, right.

I paid attention to her advice, but did not follow it. Instead, I installed Warty Warthog, which seemed to work quite nicely (but had issues with wireless which meant wired connections only). A beta version of Breezy Badger followed, and it autodetected and supported almost everything on the laptop, including the wireless. XP was thrown away shortly thereafter, and the 8-year-old laptop today runs Xubuntu (10.04 LTS, soon upgrading to 12.04 LTS).

Windows 95?

[Black+Parrot]

Does anyone know what *actually* happened when everybody was saying the same thing about the end of support for Windows 95 a few years back?

Big problem, little problem, no problem?

Re:Special treatment again?

[sensationull]

3 - Really, How old are your machines?

I have installed Windows 7 onto hundreds of machines up to seven years old and have found drivers for everything apart from a few old GPUs and scanners. Almost everything else has just installed automagicly either bundled on the media or grabbed on first boot from Windows update the rest has just required a quick trip to the vendor site. This is even with the 64 bit versions on 6 year old hardware.

Sofware is mostly supported but you are right that there is a lot that was written really badly and won't run as Windows is actually protecting itself.

I am heavily sceptical about - 2 - linux supporting more hardware than windows, almost all the hardware in existance was released with Windows drivers, Windows supporting less just does not make sense and it is not what I have encountered.

Re:what's the difference

[mcgrew]

What a shame. My car's only 4 years newer than XP and it still runs fine. So does my TV, even though I had to get a digital tuner for it.

So you have millions of computers that will be unuseable because the OS manufacturer refuses to suport it. Meanwhile, my car needs new struts -- still available and will be for decades. Hell, if it were a '64 Ford I could still get parts and have it serviced.

Good thing we have Linux so those old boxes don't wind up in landfills prematurely.

NT4, W2k, now XP

[gstrickler]

A client ran an NT4 server (one out of about a dozen servers) until 2009, well past the end of support. They also had a couple W2k servers in that mix, also past the end of support. You know what happened? Nothing! The machines continued to perform just as well as they had for the previous 8-10 years. The reason those weren't upgraded is because they worked very well, and an upgrade simply wasn't necessary, and would have been very costly.

We did take precautions, including; making sure those machines weren't connected to the internet, were locked down as well as we could lock them down, and had anti-virus (for which we downloaded updates daily) software, etc. While the clients had internet access, they too were locked down (users were "users", restricted access to all directories except their own profile, couldn't install anything, etc), and had AV and anti-malware that were updated daily. Windows updates were pushed nightly from MS SUS.

This isn't a looming crisis. You've got 2 more years to prepare or upgrade. As long as you take actions to isolate and protect those systems as much as possible, they can run XP for another 10 or 20 years (as long as you can keep compatible hardware running)