End of Windows XP Support Era Signals Beginning of Security Nightmare
colinneagle writes "Microsoft's recent announcement that it will end support for the Windows XP operating system in two years signals the end of an era for the company, and potentially the beginning of a nightmare for everyone else. When Microsoft cuts the cord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks, many of which hold the potential to find their way into consumer, enterprise and even industrial systems running the latest software. Although most of the subsequent security issues appear to be at the consumer level, it may not be long until they find a way into corporate networks or industrial systems, says VMware's Jason Miller. Even scarier, Qualys's Amol Sarwate says many SCADA systems for industrial networks still run a modified version of XP, and are not in a position to upgrade. Because much of the software running on SCADA systems is not compatible with traditional Microsoft OS capabilities, an OS upgrade would entail much more work than it would for a home or corporate system."
"When Microsoft cuts the chord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks" So what's the difference between now and when this will happen?
When Microsoft cuts the chord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks
I can't say I'm going to miss Microsoft XP support.
I can't say I've ever had Microsoft XP support, either-
The three laws of thermodynamics: (1) You can't win. (2) You can't break even. (3) You can't even quit.
About time. XP default sounds suck.
Nothing to worry about, yet...
Companies have two years to upgrade from software that is more than ten years old or install a firewall on systems in industrial networks.
Almost nobody ever runs Windows Update on those old SCADA machines anyway, I don't really think this is such a big deal.
...that's two years to do something about it. What does everyone expect; Microsoft to support it forever?
14 years of support seems pretty generous - I mean how many versions of OS do Apple currently support? Certainly not all the way back to OS X 10.0. I'm also sure that a lot of those embedded and industrial systems will be updated before then. That's more the job of the manufacturers than Microsoft.
This deadline has been known about for the past five years - if you can't resolve upgrade issues in seven years, then you are the problem, not the maker of the software being EOLed.
This isn't happening overnight, you had your chance to do something about it. You might not agree with the EOL, but that's beside the point.
When Microsoft cuts the chord on XP
Cuts the cord?
Or is this some sort of operation that will prevent XP from playing guitar?
Why not liberate the source and let other companies continue bugfixing?
Oh... doesn't fit the business model?
open source ftw and for long term maintenance.
An operating system contains something on the order of tens of millions of lines of code. No company is going to handle a maintenance project like that for free, and there is no incentive for Microsoft to pay them for it. As for releasing it in the wild, those tens of millions of lines are not the exclusive product of Microsoft; they almost certainly incorporated code that still belongs to other companies into the final package, and this code cannot be released even if Microsoft wanted to.
Every time I read about the ending of support, I wonder what happens to the so-called XP mode in Windows 7. It's an installation of Virtual PC with an XP image ( http://www.microsoft.com/windows/virtual-pc/download.aspx ). Since Windows 7 is supported by MS, how can they leave those users alone?
Sounds like a nice list of reasons to avoid proprietary software for mission critical applications like SCADA... or anything really.
"Why not liberate the source?"
Maybe because there is XP code still in Vista and later versions?
Maybe because it would just encourage the people who are still using XP to continue using the "Open Source" version?
We are the 198 proof..
I'm all for bashing Microsoft but how can you say
"When Microsoft cuts the chord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks, many of which hold the potential to find their way into consumer, enterprise and even industrial systems running the latest software"
while talking about XP? It's over 10 years old. Microsoft have been trying to push people away for two versions of Windows. While their upgrade cycle might be very clunky, I don't think the blame can fall fully on them for people who run software which is 10 years out of date, and now out of support.
- http://www.milkme.co.uk
This is no different from when Windows 2000 reached its end of life, or 98, or NT4. The life cycles of Microsoft products tend to be consistent and well known.
Anyone using Windows on a SCADA system should not just rely on Microsoft's updates for security. Lock them down, limit Internet access to a minimum, don't use Administrator accounts, don't install any Adobe products, don't use the systems for general purpose web browsing and don't feed them after midnight. Most security holes require some active interaction to work.
I still have a bunch of Win2000 systems in use and they chug along fine.
Try reporting a bug with the Linux 2.0 kernel or glibc 2.0, you will be told to upgrade to the latest version. And while the upgrade may be free, the time and effort associated with moving an entire codebase to a modern version isn't.
Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.
Sooooo let me get this straight: there are industrial networks that still rely on XP for SCADA AND they are not protecting them with other security mechanisms AND they are connected to the internet. And the security nightmare here is somehow Microsoft's fault and not the incompetent morons running these unprotected systems?
That's a bit of a generalization.
Is it so hard to believe there are people with up-to-date XP systems who simply don't feel like forking out a couple hundred dollars to fix something that isn't broken?
-=This sig has nothing to do with my comment. Move along now=-
If you bother to report a bug against the 2.0 kernel, and it's about functionality actually present in the 2.0-kernel rather than something along the lines of "the 2.0 kernel doesn't support USB3", then I can promise you that the maintainer would at least take a look at it.
Set aside for a moment that XP is pretty old. I bought a legal copy of it. It does not have an expiration date on it, I am entitled to run it as long as I wish. My license appears to allow me to replace my hardware if it fails. But at some point XP may find that the changes are 'suspect' and require me to re-activate my legally bought copy. Will Microsoft continue to run their activation servers?
If not, will Microsoft provide a 'Golden Key' to activate without their Genuine Advantage Farm??
To Terminate, or not to Terminate, that's the question - SCSIROB
My comment is based on experience, not supposition.
How many Linux and OSX releases are supported for 12 years?
How many Linux distributions (where maintainers stayed in business) have not seen a major upgrade for the better part of a decade? That's the time it took from XP to Vista. And then the upgrade wasn't even considered an upgrade by many - so maybe you should look at the time it took from XP to Win7 even?
Someone, please, just think of the poor children running SCADA systems!
Oh wait, it's only Windows XP
Oh wait, it's actually in 2 years
Oh wait, it's just support
Seriously, do we need a "Windows XP is gone and the world is already burning" scare-article posted every month on Slashdot? For the entire period of 7 years of pre-announced end of support for an ancient OS? This shouldn't even be on idle. Is this a tech site or little Suzie's shopping ground for pink dresses?
I can't say I've ever had Microsoft XP support, either-
I did, back in the days when XP SP1 was promulgated, but it was not one of Microsoft's prouder moments. The SP1 package downloaded, but would not install. Several attempts yielded the same result, and various help articles on the MS web site were consulted fruitlessly. So I duly filed a report on the MS web site, not expecting much to happen. Somewhat to my surprise, I got a phone call a couple of days later (must have been international, I'm in Finland, and the support person spoke English with an Indian accent). She talked me through what I had already tried, and it failed yet again. So then she told me to disable all firewalls, both in the PC and in the router, and try again. I suggested that would be unwise, since my router logs indicated several nasty packets (fake routing, port probes, etc.) per second were being blocked, and none appeared to be from Microsoft. Her response was that the only way for me to install SP1 was to disable all firewalls. In other words, connect with pants down and legs open to a stream of questionable health. Yeah, right.
I paid attention to her advice, but did not follow it. Instead, I installed Warty Warthog, which seemed to work quite nicely (but had issues with wireless which meant wired connections only). A beta version of Breezy Badger followed, and it autodetected and supported almost everything on the laptop, including the wireless. XP was thrown away shortly thereafter, and the 8-year-old laptop today runs Xubuntu (10.04 LTS, soon upgrading to 12.04 LTS).
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
All Windows versions come with 10 years of guaranteed support. 5 years of primary support, where they get new features and service packs, 5 years of extended support, where they get bug and security fixes. MS is known to increase that, but never decrease. In the case of XP, they did extend support. XP is getting 14 years total of support.
I have zero sympathy. You have to cut support for old versions at some point. Even if you are doing everything for free, it just gets infeasible to maintain old code all the time. Ubuntu only does 5 years on LTS releases. In MS's case, it is also because bills need to be paid. They don't charge yearly for maintenance or patches or anything; the cost of that is included in the purchase price. Well, that means that price has to be paid every once in a while, and once per 10+ years isn't unreasonable.
As you say this isn't happening overnight, nor is it a situation of MS suddenly reducing support life. This has been known for a long, long time. Any company that is sticking their head in the sand about it is bringing about their own problems and on their own heads be it, they can't blame MS at all.
Look people, XP goes out of support in 2014. STFU and deal with it. You've 3 choices:
1) Upgrade. Really, this is not hard. 7 is an extremely good OS; I've been very pleased with it. It will be supported until January 14, 2020 at a minimum, unless MS chooses to extend it, so you've at least 8 years before you need to upgrade again. Once a decade-ish isn't too often to upgrade.
2) Isolate. You can just take the damn thing off the Internet if it is really a problem. We've done that at work with a few old Windows 98 systems. We are a university and so don't always have money for new toys. We get some old piece of equipment that is controlled by software that only runs in 98 or earlier. Fine, it just doesn't get on the net. Yes it is a bit inconvenient. Deal with it. The air gap works.
3) Protect. If it really is an issue, you can lock down and protect the systems. Put them all on a private network that can only be accessed via a controller system that is bitchy about what is and is not allowed in and out. Then internally have each system run a locked down firewall and set of services. Disallow any web access, only access to internal systems. Lock everything down tight, with multiple levels of security, and even lacking patches you can likely keep it secure.
This is nothing more than companies whining because they want to be lazy. They don't want to take the effort to upgrade to a new version of Windows, don't want to take the effort to increase security, and just think that MS should patch shit forever to support their laziness.
No sympathy here.
Does anyone know what *actually* happened when everybody was saying the same thing about the end of support for Windows 95 a few years back?
Big problem, little problem, no problem?
Sheesh, evil *and* a jerk. -- Jade
Slashdot needs a button that says "Submit, if this is going to be the FP; otherwise cancel".
No, it isn't hard to believe, but should MS be required to continually support them on a platform that is currently two major versions out of date, soon to be three?
Sorry Richard, he has a lower uid, therefore only he may claim authority without proof.
Microsoft has a very well known, documented life cycle for their software. Go look it up on their site. When you buy Windows, part of that price is service and support. You get patches at no additional charge for the life of the software. However, at the end of the life, that stops; you have to buy it again. The life of the software is 10 years from release minimum. That's longer than I see elsewhere; even Ubuntu is only 5 for their LTS. Red Hat may be willing to go longer, I don't know, but of course you pay yearly, quite a lot in fact, for a service contract.
It isn't unreasonable for them to want some money once a decade to have patches developed. It also is plenty of time to plan for upgrades. It isn't as though they jump out of the closet and announce an EOL at random times, it is known years (actually a decade) in advance. Like Windows 7, it ends support January 14, 2020. They may extend that date, if there's a reason, but they won't shorten it. So upgrade, and you don't have to worry for 8 years.
I'll bet vast sums of money that the world won't end within the next two years.
If it doesn't, I win big; if it does, I won't have to pay.
Sorry, we're running life critical systems here. We can't rely on "taking a look at it". We need a guarantee which is just a teeny bit stronger than that. Many of our systems do run Linux, but only because a consulting company is willing to fill that gap and assume the role of supplying custom fixes/patches while we wait for "official" ones to make it into the kernel. It's not that we have anything against the community, but frankly we need someone to take responsibility and to be held accountable for all aspects of our system.
As for this news? Shrug. Anybody who doesn't already have a plan still has two years to figure it out and get one in place. I can't find any sympathy in me for someone who hasn't come up with a solution by then.
Emphasis mine. This is possible only because Linux is open source. Thanks for making exactly the point that needed to be made in favor of an open source OS.
Write boring code, not shiny code!
There is a real risk with going down that route however, and that is that unless you can get your changes merged into the main branch (far from guaranteed), you are now running a forked version of Linux - and the more you make changes, the more distant the fork gets and the less the main branch followers want to help you.
So you are only compounding the issue - the money you spent on consulting for the fix should have gone toward moving the codebase to a newer version instead.
3 - Really, how old are your machines?
I have installed Windows 7 onto hundreds of machines up to seven years old and have found drivers for everything apart from a few old GPUs and scanners. Almost everything else has just installed automagically, either bundled on the media or grabbed on first boot from Windows Update; the rest has just required a quick trip to the vendor site. This is even with the 64 bit versions on 6 year old hardware.
Software is mostly supported, but you are right that there is a lot that was written really badly and won't run as Windows is actually protecting itself.
I am heavily sceptical about - 2 - Linux supporting more hardware than Windows. Almost all the hardware in existence was released with Windows drivers; Windows supporting less just does not make sense and it is not what I have encountered.
Some reasons a major oil company requires networked access to the control system on oil rigs from onshore networks:
* Exporting backups. This is a big one.
* Exporting logging data, done through a 'data diode' luckily.
* Remote troubleshooting. ("Integrated Operations" is the new buzzword for having a team onshore to help offshore without flying out..)
* Remote auditing.
There is a theoretical network path (through about 6 layers of firewalls) from the internet to the controllers running the emergency shutdown system on most rigs these days. Getting there would be a monumental task due to the security in place. Several different vendor firewalls to avoid a security flaw in one allowing access. Very strict firewall rules. Temporary firewall allowances during certain time periods for exporting backups and such. Constant monitoring and flagging of suspicious activity. List goes on.
At the core though, the HMI runs on winxp sp2 workstations and the servers run server2003.
While it would be awesome to have isolated systems, they get just too cumbersome to use. As always functionality and usability versus security is the tradeoff :(
And a consulting company will happily fill the gap and provide maintenance for a 2.0 kernel, it makes no difference to them... Money is money, and the code is still available.
With closed source you simply don't have the option of hiring a consulting company, it's the original vendor or nothing and it would be utterly irresponsible to make critical systems depend on something you don't have the source of and are utterly beholden to a single vendor for.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Sorry, we're running life critical systems here. We can't rely on "taking a look at it".
If you're running "life critical systems", what the hell are you doing running an OS that isn't designed for "life critical systems" in the first place? (Hint: Windows and Linux are *not* designed for life critical systems). As for not being able to rely on "taking a look at it", that's why you need to pay someone to do this stuff - you can't expect either Microsoft or a Linux developer to work for you for free, but at least with an open OS you can employ a third party to maintain it beyond its normal support life, whereas if you start out with a closed system you're always going to be at the mercy of the vendor.
but frankly we need someone to take responsibility and to be held accountable for all aspects of our system.
If you think Microsoft are going to "take responsibility and be accountable" in any serious way, you obviously didn't read the licence agreement. I presume what you actually mean is "I want to be able to blame Microsoft when things go wrong to divert the shitstorm away from me" whilst achieving nothing actually useful. Ain't blame culture brilliant?
http://blog.nexusuk.org
Yeah. Besides, why is he slashdotting from work at 3:34AM?
Because the Slashdot timestamping system does not stamp posts with your local time. I posted something just after 14:00 hours yesterday; it is timestamped 7:22PM.
My comment is based on experience, not supposition.
Fortunately for you, you have the code, you have the ability to fix the problem yourself (or pay someone to do it)
You can't do that with XP.
Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.
SCADA systems have a very long lifetime. Many vendors offer life-cycle announcements that provide 10 years of planning to suit rare shutdown events where things like SCADA systems can be upgraded. Now these are just their lifecycle announcements. One of our vendors has last year gotten their software and latest SCADA system running on Windows 7. The upgrade path is toss the entire old system, and upgrade. The older system was also subject of a life-cycle announcement last year. So basically we have until about 2021 to upgrade before the vendor stops supporting their system. For that length of time we're going to need to keep XP running.
And watch me get hate for pointing out the crazy in that statement... You HAVE the source for Linux and still can't fix the driver issues that have plagued it to this very day! Every forum, pick your distro, on EVERY upgrade gets "update foo broke" followed by a list of sometimes HUNDREDS of things! Hell, Dell has to run their own damned fork because even on the teeny tiny subset of devices they offer Linux on they STILL can't promise using the default repo some kernel dev won't get a bug in his ass and break shit. So now you want to do the same thing... to hundreds of millions of computers? With NO budget? Jesus Tap Dancing Christ, just step away from the keyboard!
As for TFA, has nobody heard of a damned firewall? Or NOT using IE perhaps? It's not like these bugs are living things, plotting to take over the world like Pinky and the Brain, ya know. Slap Chrome or Firefox on XP, use a decent firewall, of which there are several free to choose from, and there ya go! Or if it being no longer supported REALLY bugs you, just buy the $89 Win 7 Home and call it a day. Or hell, throw in with a couple of friends and buy the triple pack; I've seen it go for as little as $120, which is a whole $40 each.
When you show me a SINGLE distro, just one mind you, that not using any tricks can be updated from... oh, let's say the 2005 release to current with ZERO breakage, then you will have a valid argument. But saying that a community that can't seem to fix the drivers when dealing with a MUCH smaller scale than what they would be having to deal with on XP can do the job with NO budget, just the love from the community? I'm sorry, but you left batshit a dozen exits back. Hell, you can't even get all the damned docs filled in; there are plenty that are "to be done" placeholders, and that is a job that any person can technically do!
Now cue the batshit FOSSies that make the whole community look like nutters to call me a "dirty M$ Ninja robot poo poo head" and try to asspull some amazing excuse that handwaves the entire Linux drivers and docs issues away. I swear that while there are many in the FOSS community that are very intelligent and can do frankly amazing things with code, the batshit loonie fringe just seems to get louder and more numerous as Linux rolls on. Frankly I would laugh my ass off watching the community try to deal with the bazillion and one half-ass hacked-up drivers that run on XP. I don't even wanna know what it must be like to do regression testing for patches on XP; I bet the guys stuck with that job live on suffering and BC Powder. Hell, I wouldn't be surprised if that is why MSFT is pulling the plug, because I'm sure quite a few governments and businesses would be happy to shell out if they continued support, but I bet trying to find really good coders that understand low level drivers and can truly get a handle on this giant ancient mess of code must be like trying to find heart surgeons willing to spend their days cleaning the shit out of impacted colons. I wouldn't wish the job of dealing with all that old-ass patched-all-to-fuck code on my worst enemy.
ACs don't waste your time replying, your posts are never seen by me.
"English, motherfucker! Do you speak it?"
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Besides the entire line is moot because if the community thinks they can do better then bring ReactOS up to snuff and there you go! Someone has already done a lot of the early work FOR you, all you have to do is bring it the rest of the way! Then you will truly have a FOSS XP for one and all.
But of course that work is gonna be hard as hell and nobody wants to do it, hence it doesn't get done. Does ANYONE here think being handed the entire XP codebase would magically make fixing bugs in that huge damned maze of code any easier than just starting over with ReactOS? After all, ReactOS doesn't have backwards compatibility going back damned near to DOS built in, and isn't gonna have to deal with all this old deprecated crap like .NET 1.0. Frankly, what this guy is saying might as well be "Just give us XP for free and we'll throw magic pixie dust and make it all better!", which of course is nuts. Hell, it would probably take the community the better part of a decade just to come to grips with all that damned code and the interactions.
For a perfect example of why the community would be better off using its limited resources on ReactOS, just look at LO. I'm sure those guys would tell you they still have a long way to go to modernize it and bring it up to a more modular design, and we are talking about a single program with legacy cruft! In just the system32 folder on my XP nettop you are looking at 256 subfolders containing 6694 files... and that is just one folder... does anyone have any idea how long it would take just to get up to speed on that one folder? Checking the Windows folder you are looking at 19,537 files and 2524 folders. The community, even if they got, say, 10% of the funding of a Red Hat, would probably take a good decade just to figure out what interacted with what and how! Now try to fix bugs before they were completely pwned AND try to learn all those interactions... If you want XP, FOSS users, you have ReactOS; spend your time there.
"I haven't bothered to get myself a corporate edition of XP Pro to replace my regular retail version. What will happen if I swap motherboards?"
OK, you are lazy. XP has been a free download for a long time, including driver packs, from the usual sources. So has 7 with SLIC loaders which permanently bypass activation. It's easy to get "clean" .isos of both.
I don't care for either. I'd rather run Free Linux than "free" Windows.
There is a real risk with going down that route however, and that is that unless you can get your changes merged into the main branch (far from guaranteed), you are now running a forked version of Linux
Yes, but in the worst case scenario (your changes not merged) that buys you time. This is priceless compared to Windows, where you're left on your own with an insecure system.
Look, this is not a perfect solution, just because there is no perfect solution. But having an open source system is much better than a closed source one for that very reason. You *can* do it on your own if you need to.
Hmm, I think DOS is actually quite OK for embedded/control systems. Simple to program, simple to run, almost no complexity, low hardware requirements. Quite easy & direct hardware access. No multiple processes or congestion at the CPU to worry much about, so it's almost realtime. OK, there are interrupts...
Disclaimer: although I have never developed embedded control systems, I have developed software in C/C++ and assembly for DOS. I knew the insides of DOS inside and out. It's been more than a decade and I still do not know the insides of Windows or Linux well; these systems are just too complex to fit in your brain and comprehend everything that is going on. OTOH I don't even bother with low level software development any more, and Java is good enough for enterprise & web.
--Coder
Are you kidding? Or are you just stupid?
Any sane person who can do a search on the internet can see that the Linux kernel continues to have DOZENS upon DOZENS of security bugs. Hell, almost every single Android phone running Linux can be rooted... because Linux developers continue to introduce security bugs in the source code of every release.
Besides which... malware is something the user has to install themselves; it has nothing to do with security bugs... although the existence of security bugs in Firefox helps when you want to create a drive-by download method of infection.
Maybe by the time this happens ReactOS will be ready for prime time. This sure sounds like a sales pitch to me: still running XP systems, no more MS support, no problem, we at React... have you covered. Mind you, I have no connection to said project and only a little knowledge of it, but it sure comes to mind after reading this. Maybe it's their big chance?
Windows only really has drivers for hardware that was intended for use with x86 compatible systems. I have various PCI cards that were designed for use on Sparc, Alpha or MIPS based machines and for which there are no Windows drivers, but Linux handles them just fine... Sun ethernet cards being just one such example.
And then there is the hardware itself; Windows either does not run at all on other platforms, or only has an ancient long abandoned version... MIPS and PPC support were cut off after NT4 SP1, Alpha support ended after NT4, IA64 support is going away and ARM support is not released yet, and will be very limited compared to what Linux has.
I also have a number of headless servers that cannot boot Windows because they don't contain any video hardware (Linux boots fine on serial)...
I have an old HP all in one scanner/printer. HP only produced closed source drivers up to 32 bit Windows XP and Mac OS 10.4 (PPC); the Linux drivers are open source, so not only do they still work, they come by default on most desktop oriented distros. Incidentally, the printer component still works by default on Windows/OSX using a generic DeskJet driver, but the scanner component does not work at all.
I used to have a DEC Tulip NIC in my workstation; none of the 64 bit versions of Windows support it (unless you count the old version for the Alpha CPU), and yet Linux continues to support this card in the latest kernels.
Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.
Microsoft had publicized these deadlines ever since the product was released. This is not the news here: the news is that a lot of people are still using the system. Serious companies that rely on Windows XP for their business have always known that support would end in 2014, and so have taken that into account.
It can take five to ten years (or in some cases I have seen, 20 years) to replace an embedded SCADA system.
Which is a good argument for not using Windows(tm) in any form for industrial control, but that argument was apparently lost in the late 1990s.
sPh
I wonder why a SCADA system needs a direct connection to the wild Internet. Surely it would be better to have a separate interface system connected to the Net, which one could upgrade as needed, sending commands to an isolated SCADA system using a protocol other than IP? That way, IP sent over the Internet can never under any circumstances reach the vulnerable system.
Consciousness is an illusion caused by an excess of self consciousness.
Why do these manufacturers not have explicit, individual support contracts from Microsoft to suit their own long-term requirements then?
Relying on the general public support policy of any OS maker or community for this sort of usage is just fucking ridiculous and proves that, as I have said elsewhere, the problem lies with the SCADA manufacturers rather than the OS.
I don't disagree with you, but the economic pressures are relentless. As late as the mid-1990s a manufacturer could count on there being an ecosystem and trained programmers available for the various high-security, high-reliability architectures on the market (or at least people willing to take jobs being trained as programmers, designers, etc. for such systems). By 2000 those ecosystems and finally the architectures themselves had vanished under the avalanche of Wintel systems (bought a new PDP-11 lately? Or even a Tandem NonStop?). And the cost differential in favor of Wintel went from 1/3x to 1/1000x. It is extremely hard to convince a product development board that your product needs 1000x more funding than the team building what is fundamentally a very similar consumer- or commercial-grade system.
And the demand from customers drives things too. Right now every operating manager I work with wants to be able to monitor his plant from home on his iPhone. Customers are putting enormous pressure on their vendors to replace expensive proprietary (but secure) wireless interfaces with much cheaper iPhones. Security gets paid lip service in the spec but doesn't control the decision.
sPh
Ah, yes, you are talking about extremely specific hardware that, compared to x86 stuff, is about as common in the general population of computers as unicorns are in the population of horses. Likewise by the processor types.
I do take your point with the printers, as many of the cheaper devices never did get signed drivers for the later versions. As you say, most of the time a generic one, or in HP's case one from the same series. To be fair, no one - least of all HP - would have thought that those printers would still be working by now given the quality of their internals, which were generally the printer equivalent of a winmodem. They were generally kinder to their laser all-in-one line, as those could conceivably still be working.
There again, printing itself is a bit of an anachronism. I got a printer quite some time ago, and a ream of paper which I still have not made it a quarter of the way through. With that kind of usage pattern even the much lower end HP all-in-ones will keep going forever, so long-term drivers may be more important, but with a new one costing NZD$60 at a supermarket is the hassle really worth it? A wasteful view I know, but I have had meals more expensive.
Remember when they released the Netscape source? Everyone begged them to open it and said how it would be so awesome with all those developers helping make it better. Well, everyone looked over the code, decided it was too confusing and started over on Mozilla. Total waste of time. Set open source back by years to throw away the Netscape codebase, but "other people's code" always looks confusing and weird. I guess they believed their own hype that if you get the code you can just open it up in emacs and start fixing bugs. Well, it doesn't work that way. It would take months to get your head around some shit like Netscape; Windows XP would be even worse.
We have a small family business in a city where much of our good manufacturing jobs have gone overseas. Everybody who walks in the front door is looking for a deal because they have no money, or perhaps because their new job at Wal-Mart doesn't pay like the old one.
I don't have the customer base or cashflow to just upgrade at a whim. My major issue is we have several commercial duty printers that cost several thousand dollars each. We do some pretty customized printing, odd sized paper, etc. Under Win 7, NONE of these printers will do anything more than a single sided sheet of paper; they cannot even duplex. I've contacted HP directly, had the Xerox people in here, and in both cases, they refuse to provide new drivers that will make these printers work under Win 7 the same way they do under XP. Even simple things like duplexing cannot be done in some cases. The official response from these companies? Buy a new printer. That's it.
I do run Linux, but you know something, even though I can make these printers work under Linux no problem, there is no good substitute for PageMaker and/or InDesign in Linux. As long as Scribus does not or cannot import my PageMaker and/or InDesign files, it is useless to me. I have a library of almost 20 years of PageMaker and InDesign files that we created from the ground up, and until I can import them, Scribus and therefore by extension I cannot use Linux.
So I do not mind upgrading to Win 7 in itself, it's the fact that some of my high end printers and scanners do not work well with Win 7 because "They are too old".
One more thing - some - well heck, many of these new printers are junk. My old, Made in Japan printers had heavy duty metal bearings and gears. Many of the new, brand name printers made in China use plastic gears and bearings, or cheaper metal that physically breaks down more often than the old printers. A ten year duty cycle of heavy day to day use was not uncommon for a good HP; today I am told to expect three years then toss it.
Yeah, in an economy where money is tight everywhere, the upgrade to Win 7 is not doing me much good. For all you guys who say you have no sympathy for guys like me who don't want to upgrade, well sorry, money is tight, we have to keep a tight ship, and when I see perfectly good hardware unable to run under Win 7 simply because somebody will not make a driver for it, well, as Judge Judy would say, "Don't pee on my leg and tell me it's raining."
Relying on the general public support policy of any OS maker or community for this sort of usage is just fucking ridiculous and proves that, as I have said elsewhere, the problem lies with the SCADA manufacturers rather than the OS.
This is really what it boils down to. Everyone's discussing the relative merits of MS support against a team of coders to keep a given linux implementation up to date, but the fact is that the SCADA guys didn't bother to do either, and the customers didn't demand it from them. Negotiate with MS, negotiate with RedHat, employ your own team to write and support a custom kernel based on RMS's personal HURD installation, whatever, but make sure the plans are in place for a 20-30 year support period before you fucking start. Considering the kind of infrastructure we're talking about here, that sounds like some potentially serious incompetence that needs to be investigated...
And hey, with a scalpel I'm qualified to be your heart surgeon... right? I mean that IS what you are basically saying, because we aren't talking about some fart app here, we are talking about the literal heart of an extremely complex operating system and you just acted like it would be trivial to DIY. Hell, even RMS couldn't write his own kernel and you expect Joe Average to pull off a major rewrite? And do you have ANY idea how much it would cost to hire a qualified kernel developer to do your own custom rewrite? Might as well say you can fly down to Redmond in your Lear jet and bitchslap the sweaty monkey with your solid diamond dildo until he agrees to keep supporting XP.
If I was Linus personally I'd be pissed as hell that so many like you think what he does is so damned trivial that just because you have the code you could kick him to the curb. You'd be DAMNED lucky if the number of guys that are truly qualified to do that job is even in the triple digits, and they sure as hell won't be working for you. Hell, guys with those skills are practically the rock stars of coding and have top paying jobs and headhunters trying to steal them away.
To use a /. car analogy: just because I hand you the blueprints to a Ferrari and hand you a couple of tons of raw steel does NOT mean you will be able to actually build a Ferrari, or even be able to rebuild one that has been dropped off a cliff. Remember folks, it's source code, NOT pixie dust.
ACs don't waste your time replying, your posts are never seen by me.
And hey with a scalpel I'm qualified to be your heart surgeon...right?
The two are not the same. Heart surgery is a specialism that requires probably a 5 year degree, followed by a decade or so of further training under most medical regimes. Software development is a bit more open. The kernel isn't magic, it's just software; if you are a good C programmer you should be able to figure it out enough to complete the task at hand.
you expect Joe average to pull off a major rewrite?
Who said anything about a major rewrite? The vast majority of security fixes are very small, and generally target a few lines of code where some trivial mistake was made. The only reason a major rewrite would be required is if the protocols or implementation are completely broken and insecure. And if that is the case, you're better just disabling the broken functionality.
And do you have ANY idea how much it would cost to hire a qualified kernel developer to do your own custom rewrite?
RedHat, Canonical, etc. all ship custom kernels. Kernel development can be hard, but it's certainly not impossible for a good programmer who has never worked on the kernel to do development there. There are probably at least a few thousand programmers in the world who already have kernel experience. Hiring good C programmers isn't cheap, but it may well be cheaper than rewriting your custom SCADA implementation to run on a more modern OS.
For me it runs fine on my main system. Windows is nothing more to me than a way to start the applications I need. So Microsoft now forces me to pay E 90,- just so I can safely click my apps again?
I also run it on a PIII 700 at home, which I use to program microcontrollers and play music for my saxophone lessons. It is doing that job just fine and has a few ISA cards to support the programming. Wouldn't be surprised if Windows 7 refuses to install on that poor old machine. So now what? Buy a new machine? With ISA, serial port and parallel port support?
This brief makes it sound like the second the timer hits zero and XP support ends, the lights will go out and planes will crash. That's not the way software support works. This will not suddenly render all XP machines inoperative. They will slowly become outdated, less functional, more vulnerable: exactly as you'd expect from not installing updates, no more. I agree that XP has had a good run, much more than most operating systems get, and it's time for it to die, but to say that Microsoft's discontinuing of OS updates will "leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks" is just misleading. I think the far more significant implication of this is the unspoken permission it gives web developers to stop supporting IE6. Which is probably cause for celebration.
Fourteen years sounds like a long time to support a software product. Yet I find it interesting to point out that, in the U.S., any "inventions" that debuted with the release of Windows XP will still have 6 years of patent protection, and the code itself will have another 75 years of copyright protection. This is for a product that's already been unavailable commercially for a while and will be completely dead in two more years.
Overly long IP lifetimes hurt security, technological progress, innovation, and culture.
A client ran an NT4 server (one out of about a dozen servers) until 2009, well past the end of support. They also had a couple W2k servers in that mix, also past the end of support. You know what happened? Nothing! The machines continued to perform just as well as they had for the previous 8-10 years. The reason those weren't upgraded is because they worked very well, and an upgrade simply wasn't necessary, and would have been very costly.
We did take precautions, including: making sure those machines weren't connected to the internet, were locked down as well as we could lock them down, and had anti-virus software (for which we downloaded updates daily), etc. While the clients had internet access, they too were locked down (users were "users", restricted access to all directories except their own profile, couldn't install anything, etc.), and had AV and anti-malware that were updated daily. Windows updates were pushed nightly from MS SUS.
This isn't a looming crisis. You've got 2 more years to prepare or upgrade. As long as you take actions to isolate and protect those systems as much as possible, they can run XP for another 10 or 20 years (as long as you can keep compatible hardware running)
You obviously don't know much about SCADA systems. They are proprietary, top to bottom. And there are reasons for this that do make sense.
First of all, let's look at the whole picture of a SCADA implementation... in this example, I'll talk about the systems that control and analyze the burn inside a coal-fired power generation facility that uses coal to heat water into steam which then drives a turbine; this is the kind of power plant that produces most of the power in our country. (I'm in the United States, for context there.) The systems are analogous to the ECU of a car with a fuel-injection engine, both controlling the delivery of fuel and air while monitoring the effects of those controls in the context of the demands being placed upon the boiler. Just as with a car engine, there is lag in making changes to the burn, just as an engine has delay when you step on the throttle.
There are many devices involved...gas sensors, temperature sensors, lasers...and all of them are purpose-built by the company that makes the control system; they are proprietary. The protocols that are spoken between devices are usually open, like DNP3 or modbus, but the data schemas that are used are also proprietary (most ICS protocols are pretty soft, working more like a layer 6 protocol than a layer 7). The logic that drives decisions, reporting, and the translation of human interaction into discrete behavior by control devices? Also proprietary. The control systems are built by the same company to work end-to-end on that specific type, size and model of boiler, and the whole thing is tested as a unit. For the most part, the notion of modularity...the way that you could replace a Cisco firewall with an equivalent Juniper firewall, or replace an EMC SAN with a NetApp SAN...does not exist in any way whatsoever. (It does in small ways, but even then most manufacturers will refuse to support the system if you so much as change the IOS image on a Cisco switch without it having been tested first, which takes about 6 months for a full facility and requires that it be offline the whole time.)
The complexity of these environments... and the ramifications of improper behavior by any one component... cannot be overstated. So, it's essential from a legal standpoint to have entities backing the pre-manufactured components who can be held accountable should it be necessary. I know, you can't sue Microsoft for software bugs, but you can't look at their behavior over the past 15 years and tell me that there wasn't an effective motivation to improve security. They've dramatically improved the security quality of Windows, while rolling out and evolving a patching system that is now the gold standard for software companies. They have something to lose from producing an unreliable product, even if that loss does not come in the form of a lawsuit. And after seeing what Oracle has done to MySQL and Java, it's not hard to see the potential for disaster if you rely on an open-source project that may have to fork because their patron got acquired, as well. An even scarier possibility is what Tenable did with Nessus when they forked and closed the source, ending support for the older OSS version.
One more thing... this isn't a website we're talking about. It's a power plant. When things go wrong in these environments, it isn't just embarrassing. People often die. At one plant I've done work at, a mistake caused a ~300 KV transformer to detonate. Oversimplifying the situation, the power ended up flowing the wrong way, and the transformer's cooling spaces (filled with oil) exploded in a BLEVE, showering the nearby parking lot with flaming oil. It was a Michael Bay-like situation; I saw the pictures that were taken while the fires were still burning. A mistake involving the boiler can cause the flame to collapse, resulting in what they call a "beer can," when the fire suddenly goes out and the inside of the boiler cools so rapidly (in a matter of seconds, or less) that it crushes itself. This is not a small thing... the walls
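As an added example (not code from this thread or from any SCADA vendor), here is a small passive Modbus/TCP decoder that illustrates the point above about ICS protocols being open while the data schema is proprietary: the frame layout and function codes are public, so a monitoring tap can tell a read from a write and spot a host writing that should only be reading, but the register numbers it recovers mean nothing without the vendor's schema. The sample frames, the 10.0.0.x addresses and the allowlist of engineering workstations are all constructed for the example.

```python
# Passive Modbus/TCP decoder: the protocol is open, the data schema is not.
# Added example (not from the thread or any vendor); the frames, addresses
# and writer allowlist below are constructed for illustration.
import struct

# Public function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}

def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into its 7-byte MBAP header and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:  # protocol identifier is always 0 for Modbus
        raise ValueError(f"unexpected protocol id {pid}")
    pdu = frame[7:]
    if len(pdu) != length - 1:  # length field counts unit id + PDU
        raise ValueError(f"length field {length} does not match PDU size")
    return {"transaction": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}

def decode_request(frame: bytes) -> dict:
    """Interpret a request PDU. The register numbers it returns mean nothing on
    their own; what register 16 controls is defined by the vendor's schema."""
    info = parse_mbap(frame)
    fc, data = info["function"], info["data"]
    info["name"] = FUNCTION_NAMES.get(fc, "unknown or vendor-specific")
    info["is_write"] = fc in WRITE_CODES
    if fc in (1, 2, 3, 4, 15, 16) and len(data) >= 4:
        info["address"], info["count"] = struct.unpack(">HH", data[:4])
    elif fc in (5, 6) and len(data) >= 4:
        info["address"], info["value"] = struct.unpack(">HH", data[:4])
    return info

def flag_unexpected_writes(events, allowed_writers):
    """Alert on writes from hosts outside the allowlist and on malformed frames.
    events: (source_ip, frame_bytes) pairs as a passive network tap would see them."""
    alerts = []
    for src, frame in events:
        try:
            req = decode_request(frame)
        except ValueError as exc:
            alerts.append({"src": src, "reason": f"malformed frame: {exc}"})
            continue
        if req["is_write"] and src not in allowed_writers:
            alerts.append({"src": src, "address": req.get("address"),
                           "reason": f"{req['name']} to unit {req['unit']}"})
    return alerts

# Constructed traffic: read holding registers 0-9, then write register 16 := 255.
READ_FRAME = bytes.fromhex("00010000000601030000000a")
WRITE_FRAME = bytes.fromhex("0002000000060106001000ff")
SAMPLE_EVENTS = [("10.0.0.9", READ_FRAME),      # HMI reading: fine
                 ("10.0.0.5", WRITE_FRAME),     # engineering workstation: allowed
                 ("10.0.0.9", WRITE_FRAME),     # HMI writing: alert
                 ("10.0.0.9", READ_FRAME[:5])]  # truncated frame: alert
ALLOWED_WRITERS = {"10.0.0.5"}
```

Running `flag_unexpected_writes(SAMPLE_EVENTS, ALLOWED_WRITERS)` yields two alerts: the HMI's write to register 16 and the truncated frame.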
You don't need a live connection to the Internet to get a network into trouble. See Stuxnet.
Got an open USB port? That Hello Kitty USB drive that you 'found' in the parking lot - I wonder what it has on it?
When you look at the other roads they could have taken starting around 1995-6, they actually made a pretty good choice. I have worked on systems installed in 1986-8 that are still operating with much pain and purely DOS or ancient UNIX based programs.
Actually, DOS would have been a better choice, as they could then keep the system running indefinitely using FreeDOS.
Really, for a SCADA, there's no point having Windows unless you actually need a GUI, and maybe not even then.
Oh look, it's a FOSSie, aka basement troll. How's the koolaid, is it cherry? You want some links on breakage? Be careful what you wish for, because you just might get it, and that is showing that one of the largest OEMs on the planet can't keep your craptastic OS running without having to do their own fricking fork!
This is why a decade old Windows beat the shit out of Linux on netbooks, or how ASUS has given up on your bullshit, or how about Walmart running away from Linux as fast as it can? Want some more? Nice thing about having the truth on your side instead of religious dogma, I can do this alllll day long! How about you actually have the balls to celebrate getting a whole 1% market share while you are actually lower than JavaME and there is a whole website dedicated to your bullshit and excuses.
And how about that "great" Linux security that is supposed to be why we should put up with all this horseshit? Get ready, here they come! Kinda makes that koolaid just a little bitter now, don't it? Now why would anybody care when they could get a Mac or Win 7 and not deal with all these lies and horseshit?
BTW, if you'd like a little more food for thought, what OS were 3 of the 4 CAs running that were compromised? Take a look and see. Maybe they just had bad configs? Surely someone with knowledge would be safe, right? Guess again, and it's not a fluke by any means.