Slashdot Mirror


End of Windows XP Support Era Signals Beginning of Security Nightmare

colinneagle writes "Microsoft's recent announcement that it will end support for the Windows XP operating system in two years signals the end of an era for the company, and potentially the beginning of a nightmare for everyone else. When Microsoft cuts the cord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks, many of which hold the potential to find their way into consumer, enterprise and even industrial systems running the latest software. Although most of the subsequent security issues appear to be at the consumer level, it may not be long until they find a way into corporate networks or industrial systems, says VMware's Jason Miller. Even scarier, Qualys's Amol Sarwate says many SCADA systems for industrial networks still run a modified version of XP, and are not in a position to upgrade. Because much of the software running on SCADA systems is not compatible with traditional Microsoft OS capabilities, an OS upgrade would entail much more work than it would for a home or corporate system."

30 of 646 comments

  1. Support? by arisvega · · Score: 5, Funny

    When Microsoft cuts the cord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks

    I can't say I'm going to miss Microsoft XP support.

    I can't say I've ever had Microsoft XP support, either.

    --
    The three laws of thermodynamics: (1) You can't win. (2) You can't break even. (3) You can't even quit.
    1. Re:Support? by mug+funky · · Score: 5, Funny

      maybe you should have paid for your copy?

    2. Re:Support? by Anonymous Coward · · Score: 5, Funny

      >>maybe you should have paid for your copy?

      Oh I tried. Microsoft, however, would not sell me a copy. They only sell licenses.

  2. Alternative title? by EnempE · · Score: 5, Insightful

    Nothing to worry about, yet...

    Companies have two years to upgrade from software that is more than ten years old or install a firewall on systems in industrial networks.

  3. Does it really make a difference? by Anonymous Coward · · Score: 5, Insightful

    Almost nobody ever runs Windows Update on those old SCADA machines anyway, I don't really think this is such a big deal.

    1. Re:Does it really make a difference? by 1u3hr · · Score: 5, Insightful

      I've been running several XP laptops for years without any upgrades. Just use a third party firewall, and never use IE or Outlook. When I set up for relatives, I added Avast free antivirus. No problems. Anyone corporate will just throw away an old PC. If it's something embedded, they'll have it behind layers of security. MS patches are reactive anyway; if you depended on them you'd have been fucked long ago.

  4. Well... by Aphrika · · Score: 5, Insightful

    ...that's two years to do something about it. What does everyone expect; Microsoft to support it forever?

    14 years of support seems pretty generous - I mean how many versions of OS do Apple currently support? Certainly not all the way back to OS X 10.0. I'm also sure that a lot of those embedded and industrial systems will be updated before then. That's more the job of the manufacturers than Microsoft.

    1. Re:Well... by Anonymous Coward · · Score: 5, Interesting

      Computers last longer than 2 years.

      And so did XP: it has been around since 2001. That means when the deadline hits it'll have been around for 13 years.

      At the end of the day, if you don't want to be forced into upgrading your systems someday then don't base critical hardware around something which someone else controls and is known to make redundant now and again. "But it's cheaper to buy someone else's solution than develop your own!". Yeah, it is, but the tradeoff is that you're at the mercy of their update and redundancy schedule. Businesses should have taken the longevity of the systems into account before they bought it and planned accordingly: it's no secret at all that this sort of thing happens.

    2. Re:Well... by thegarbz · · Score: 5, Informative

      I'm also sure that a lot of those embedded and industrial systems will be updated before then.

      I'm very sure a lot of those WON'T be upgraded. Those that do need to pass several barriers:

      1. Manufacturer needs to provide an updated system.
      2. The system needs to be able to be taken down for maintenance. I know some industrial plants have an 8 year maintenance shutdown cycle.
      3a. You need the motivation to upgrade. Security holes in an OS are not motivation; the vendor will have to EOL the entire system before most people will move.
      3b. If the entire system isn't EOL'ed the vendor will need to provide an OS / interface update for their existing system. Seeing a vendor provide a partial update like this is rarer than rockinghorse poo. Assuming they have the motivation and capability to do it, some systems need to pass certification as well which they often don't think is a justifiable expense.
      4. Speaking of justifiable expense, an upgrade like this would involve stripping all I/O out of the old control system, replacing the system itself, recommissioning and loop checking, and then testing the software. Often the time constraints for such an activity are measured in days, not weeks. It's a big and very labour intensive job, not to mention expenses will run in the hundreds of thousands. That's a LOT of money for maintaining the status quo.

      Basically I guarantee there'll be plenty of embedded and industrial systems running on Windows XP for many years to come. How do I know? Well currently there are plenty of embedded and industrial systems running on Windows NT4 as well. We have about 8 such systems at our plant. One of them at least gets upgraded "soon". Windows NT4 was EOLed in 2004, the PLC was EOL'ed in 2007, we received approval from the corporate bigwigs for the upgrade last year, and the next scheduled shutdown is 2017. Fun fact, we buy old PCs capable of running Windows NT4 from our employees and have about 10 of them in storage, just in case.

      Although it could be worse, one plant in my city runs a PLC from the same vendor as the one above which is a version older still. Their attached PCs run DOS.

  5. No sympathy by Richard_at_work · · Score: 5, Insightful

    This deadline has been known about for the past five years - if you can't resolve upgrade issues in seven years, then you are the problem, not the maker of the software being EOLed.

    This isn't happening overnight, you had your chance to do something about it. You might not agree with the EOL, but that's beside the point.

  6. Re:release the source? by feedayeen · · Score: 5, Insightful

    Why not liberate the source and let other companies continue bugfixing?

    Oh... doesn't fit the business model?

    open source ftw and for long term maintenance.

    An operating system contains something on the order of tens of millions of lines of code. No company is going to handle a maintenance project like that for free and there is no incentive for Microsoft to pay them for it. As for releasing it in the wild, those tens of millions of lines are not the exclusive product of Microsoft; they almost certainly incorporated code that still belongs to other companies into the final package and this code cannot be released even if Microsoft wanted to.

  7. What about XP mode in Windows 7 by Anonymous Coward · · Score: 5, Interesting

    Every time I read about the ending of support, I wonder what happens to the so-called XP mode in Windows 7. It's an installation of Virtual PC with an XP image (http://www.microsoft.com/windows/virtual-pc/download.aspx). Since Windows 7 is supported by MS, how can they leave those users alone?

    1. Re:What about XP mode in Windows 7 by memzer · · Score: 5, Informative

      http://www.microsoft.com/windows/virtual-pc/support/faq.aspx

      Is Windows XP Mode supported throughout the lifecycle of Windows 7?
      No. Windows XP Mode is a full virtual version of Windows XP and follows the same support lifecycle as Windows XP. Windows XP extended support phase ends in 2014.

      Unfortunately IE6/7/8 will live on and I have nightmares that we will be supporting them until 2038...

  8. Same as it has always been by Gadget_Guy · · Score: 5, Insightful

    This is no different from when Windows 2000 reached its end of life, or 98, or NT4. The life cycles of Microsoft products tend to be consistent and well known.

    Anyone using Windows on a SCADA system should not just rely on Microsoft's updates for security. Lock them down, limit Internet access to a minimum, don't use Administrator accounts, don't install any Adobe products, don't use the systems for general purpose web browsing and don't feed them after midnight. Most security holes require some active interaction to work.

    I still have a bunch of Win2000 systems in use and they chug along fine.

  9. Re:release the source? by Richard_at_work · · Score: 5, Insightful

    Try reporting a bug with the Linux 2.0 kernel or glibc 2.0, you will be told to upgrade to the latest version. And while the upgrade may be free, the time and effort associated with moving an entire codebase to a modern version isn't.

    Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.

  10. Re:what's the difference by ThePromenader · · Score: 5, Funny

    Microsoft already cut the chord a decade ago - with their sh*tty Windows XP boot chime.

    --
    No, no sig. Really.
    ThePromenader
  11. incompetent morons by Anonymous Coward · · Score: 5, Insightful

    Sooooo let me get this straight: there are industrial networks that still rely on XP for SCADA AND they are not protecting them with other security mechanisms AND they are connected to the internet. And the security nightmare here is somehow Microsoft's fault and not the incompetent morons running these unprotected systems?

  12. Re:"Beginning" of security nightmare? by Calydor · · Score: 5, Insightful

    That's a bit of a generalization.

    Is it so hard to believe there are people with up-to-date XP systems who simply don't feel like forking out a couple hundred dollars to fix something that isn't broken?

    --
    -=This sig has nothing to do with my comment. Move along now=-
  13. Re:release the source? by tao · · Score: 5, Interesting

    If you bother to report a bug against the 2.0 kernel, and it's about functionality actually present in the 2.0-kernel rather than something along the lines of "the 2.0 kernel doesn't support USB3", then I can promise you that the maintainer would at least take a look at it.

  14. Just wondering about activation by scsirob · · Score: 5, Interesting

    Set aside for a moment that XP is pretty old. I bought a legal copy of it. It does not have an expiration date on it, I am entitled to run it as long as I wish. My license appears to allow me to replace my hardware if it fails. But at some point XP may find that the changes are 'suspect' and require me to re-activate my legally bought copy. Will Microsoft continue to run their activation servers?

    If not, will Microsoft provide a 'Golden Key' to activate without their Genuine Advantage Farm??

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
  15. Support, or broken crutch? by AliasMarlowe · · Score: 5, Interesting

    I can't say I've ever had Microsoft XP support, either.

    I did, back in the days when XP SP1 was promulgated, but it was not one of Microsoft's prouder moments. The SP1 package downloaded, but would not install. Several attempts yielded the same result, and various help articles on the MS web site were consulted fruitlessly. So I duly filed a report on the MS web site, not expecting much to happen. Somewhat to my surprise, I got a phone call a couple of days later (must have been international, I'm in Finland, and the support person spoke English with an Indian accent). She talked me through what I had already tried, and it failed yet again. So then she told me to disable all firewalls, both in the PC and in the router, and try again. I suggested that would be unwise, since my router logs indicated several nasty packets (fake routing, port probes, etc.) per second were being blocked, and none appeared to be from Microsoft. Her response was that the only way for me to install SP1 was to disable all firewalls. In other words, connect with pants down and legs open to a stream of questionable health. Yeah, right.

    I paid attention to her advice, but did not follow it. Instead, I installed Warty Warthog, which seemed to work quite nicely (but had issues with wireless which meant wired connections only). A beta version of Breezy Badger followed, and it autodetected and supported almost everything on the laptop, including the wireless. XP was thrown away shortly thereafter, and the 8-year-old laptop today runs Xubuntu (10.04 LTS, soon upgrading to 12.04 LTS).

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  16. Re:release the source? by Anonymous Coward · · Score: 5, Funny

    Sorry Richard, he has a lower uid, therefore only he may claim authority without proof.

  17. Re:Special treatment again? by sensationull · · Score: 5, Interesting

    3 - Really, how old are your machines?

    I have installed Windows 7 onto hundreds of machines up to seven years old and have found drivers for everything apart from a few old GPUs and scanners. Almost everything else has just installed automagically, either bundled on the media or grabbed on first boot from Windows Update; the rest has just required a quick trip to the vendor site. This is even with the 64 bit versions on 6 year old hardware.

    Software is mostly supported, but you are right that there is a lot that was written really badly and won't run as Windows is actually protecting itself.

    I am heavily sceptical about - 2 - Linux supporting more hardware than Windows. Almost all the hardware in existence was released with Windows drivers; Windows supporting less just does not make sense and it is not what I have encountered.

  18. Re:release the source? by FireFury03 · · Score: 5, Interesting

    Sorry, we're running life critical systems here. We can't rely on "taking a look at it".

    If you're running "life critical systems", what the hell are you doing running an OS that isn't designed for "life critical systems" in the first place? (Hint: Windows and Linux are *not* designed for life critical systems). As for not being able to rely on "taking a look at it", that's why you need to pay someone to do this stuff - you can't expect either Microsoft or a Linux developer to work for you for free, but at least with an open OS you can employ a third party to maintain it beyond its normal support life, whereas if you start out with a closed system you're always going to be at the mercy of the vendor.

    but frankly we need someone to take responsibility and to be held accountable for all aspects of our system.

    If you think Microsoft are going to "take responsibility and be accountable" in any serious way, you obviously didn't read the licence agreement. I presume what you actually mean is "I want to be able to blame Microsoft when things go wrong to divert the shitstorm away from me" whilst achieving nothing actually useful. Ain't blame culture brilliant?

  19. Re:release the source? by hairyfeet · · Score: 5, Insightful

    Besides the entire line is moot because if the community thinks they can do better then bring ReactOS up to snuff and there you go! Someone has already done a lot of the early work FOR you, all you have to do is bring it the rest of the way! Then you will truly have a FOSS XP for one and all.

    But of course that work is gonna be hard as hell and nobody wants to do it, hence it don't get done. Does ANYONE here think being handed the entire XP codebase would magically make fixing bugs in that huge damned maze of code any easier than just starting over with ReactOS? After all, ReactOS doesn't have backwards compatibility going back damned near to DOS built in, isn't gonna have to deal with all this old deprecated crap like .NET 1.0; frankly what this guy is saying might as well be "Just give us XP for free and we'll throw magic pixie dust and make it all better!" which of course is nuts. Hell, it would probably take the community the better part of a decade just to come to grips with all that damned code and the interactions.

    For a perfect example of why the community would be better off using its limited resources on ReactOS, just look at LO. I'm sure those guys would tell you they still have a loong way to go to modernize it and bring it up to a more modular design, and we are talking about a single program with legacy cruft! In just the system32 folder on my XP nettop you are looking at 256 subfolders containing 6694 files...and that is just one folder...does anyone have any idea how long it would take just to get up to speed on that one folder? Checking the Windows folder you are looking at 19,537 files and 2524 folders. The community, even if they got say 10% the funding of a Red Hat, would probably take a good decade just to figure out what interacted with what and how! Now try to fix bugs before they were completely pwned AND trying to learn all those interactions...If you want XP FOSS users, you have ReactOS; spend your time there.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  20. Re:release the source? by sphealey · · Score: 5, Insightful

    I don't disagree with you, but the economic pressures are relentless. As late as the mid-1990s a manufacturer could count on there being an ecosystem and trained programmers available for the various high-security, high-reliability architectures on the market (or at least people willing to take jobs being trained as programmers, designers, etc for such systems). By 2000 those ecosystems and finally the architectures themselves had vanished under the avalanche of Wintel systems (bought a new PDP-11 lately? Or even a Tandem Nonstop?). And the cost differential in favor of Wintel went from 1/3x to 1/1000x. It is extremely hard to convince a product development board that your product needs 1000x more funding than the team building what is fundamentally very similar consumer- or commercial-grade system.

    And the demand from customers drives things too. Right now every operating manager I work with wants to be able to monitor his plant from home on his iPhone. Customers are putting enormous pressure on their vendors to replace expensive proprietary (but secure) wireless interfaces with much cheaper iPhones. Security gets paid lip service in the spec but doesn't control the decision.

    sPh

  21. It's a driver issue for me by Anonymous Coward · · Score: 5, Insightful

    We have a small family business in a city where much of our good manufacturing jobs have gone overseas. Everybody who walks in the front door is looking for a deal because they have no money, or perhaps because their new job at Wal-Mart doesn't pay like the old one.

    I don't have the customer base or cashflow to just upgrade at a whim. My major issue is we have several commercial duty printers that cost several thousand dollars each. We do some pretty customized printing, odd sized paper, etc. Under Win 7, NONE of these printers will do anything more than a single-sided sheet of paper; they cannot even duplex. I've contacted HP directly, had the Xerox people in here, and in both cases, they refuse to provide new drivers that will make these printers work under Win 7 the same way they do under XP. Even simple things like duplexing cannot be done in some cases. The official response from these companies? Buy a new printer. That's it.

    I do run Linux, but you know something, even though I can make these printers work under Linux no problem, there is no good substitute for Pagemaker and/or InDesign in Linux. As long as Scribus does not or cannot import my Pagemaker and/or InDesign files, it is useless to me. I have a library of almost 20 years of Pagemaker and InDesign files that we created from the ground up, and until I can import them, Scribus and therefore by extension I cannot use Linux.

    So I do not mind upgrading to Win 7 in itself; it's the fact that some of my high end printers and scanners do not work well with Win 7 because "They are too old".

    One more thing - some - well heck, many of these new printers are junk. My old, Made in Japan printers had heavy duty metal bearings and gears. Many of the new, brand name printers made in China use plastic gears and bearings, or cheaper metal that physically breaks down more often than the old printers. A ten year duty cycle of heavy day to day use was not uncommon for a good HP; today I am told expect three years then toss it.

    Yeah, in an economy when money is tight everywhere, the upgrade to Win 7 is not doing me much good. For all you guys who say you have no sympathy for guys like me who don't want to upgrade, well sorry, money is tight, we have to keep a tight ship, and when I see perfectly good hardware unable to run under Win 7 simply because somebody will not make a driver for it, well, as Judge Judy would say "Don't pee on my leg and tell me it's raining."

  22. Re:release the source? by Shoten · · Score: 5, Informative

    You obviously don't know much about SCADA systems. They are proprietary, top to bottom. And there are reasons for this that do make sense.

    First of all, let's look at the whole picture of a SCADA implementation...in this example, I'll talk about the systems that control and analyze the burn inside a coal-fired power generation facility that uses coal to heat water into steam which then drives a turbine; this is the kind of power plant that produces most of the power in our country. (I'm in the United States, for context there.) The systems are analogous to the ECU of a car with a fuel-injection engine, both controlling the delivery of fuel and air while monitoring the effects of those controls in the context of the demands being placed upon the boiler. Just as with a car engine, there is lag in making changes to the burn, just as an engine has delay when you step on the throttle.

    There are many devices involved...gas sensors, temperature sensors, lasers...and all of them are purpose-built by the company that makes the control system; they are proprietary. The protocols that are spoken between devices are usually open, like DNP3 or Modbus, but the data schemas that are used are also proprietary (most ICS protocols are pretty soft, working more like a layer 6 protocol than a layer 7). The logic that drives decisions, reporting, and the translation of human interaction into discrete behavior by control devices? Also proprietary. The control systems are built by the same company to work end-to-end on that specific type, size and model of boiler, and the whole thing is tested as a unit. For the most part, the notion of modularity...the way that you could replace a Cisco firewall with an equivalent Juniper firewall, or replace an EMC SAN with a NetApp SAN...does not exist in any way whatsoever. (It does in small ways, but even then most manufacturers will refuse to support the system if you so much as change the IOS image on a Cisco switch without it having been tested first, which takes about 6 months for a full facility and requires that it be offline the whole time.)

    The complexity of these environments...and the ramifications of improper behavior by any one component...cannot be overstated. So, it's essential from a legal standpoint to have entities backing the pre-manufactured components who can be held accountable should it be necessary. I know, you can't sue Microsoft for software bugs, but you can't look at their behavior over the past 15 years and tell me that there wasn't an effective motivation to improve security. They've dramatically improved the security quality of Windows, while rolling out and evolving a patching system that is now the gold standard for software companies. They have something to lose from producing an unreliable product, even if that loss does not come in the form of a lawsuit. And after seeing what Oracle has done to MySQL and Java, it's not hard to see the potential for disaster if you rely on an open-source project that may have to fork because their patron got acquired, as well. An even scarier possibility is what Tenable did with Nessus when they forked and closed the source, ending support for the older OSS version.

    One more thing...this isn't a website we're talking about. It's a power plant. When things go wrong in these environments, it isn't just embarrassing. People often die. At one plant I've done work at, a mistake caused a ~300 KV transformer to detonate. Oversimplifying the situation, the power ended up flowing the wrong way, and the transformer's cooling spaces (filled with oil) exploded in a BLEVE, showering the nearby parking lot with flaming oil. It was a Michael Bay-like situation; I saw the pictures that were taken while the fires were still burning. A mistake involving the boiler can cause the flame to collapse, resulting in what they call a "beer can," when the fire suddenly goes out and the inside of the boiler cools so rapidly (in a matter of seconds, or less) that it crushes itself. This is not a small thing...the walls

    --
    For your security, this post has been encrypted with ROT-13, twice.
  23. Re:what's the difference by cpu6502 · · Score: 5, Insightful

    It's certainly better support than Apple. XP was released in 2001 so that would be equivalent to OS 9.2 in the Apple world. Do they still support it?

    Ha! A big fat no. They don't even support my OS, which is as recent as 10.5 (last powerpc variant). If anything Microsoft is acting better than Apple does and should receive some praise for supporting XP as long as they have. I've been using the same computer for 10+ years (and thus saving a lot of cash).

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
  24. Re:what's the difference by Score+Whore · · Score: 5, Informative

    Rather than saying they have different release cycles you should be saying they have different release methodologies or software life cycles. Apple apparently supports two releases back (searches for "apple software life cycle" only result in forum posts asking the same question), while Microsoft has defined support periods that are generally quite long. Microsoft's approach is important for people who intend to incorporate Microsoft's products into their business processes. Apple's approach is (marginally) acceptable for consumer products.

    Apple releases new versions that don't have substantial backward compatibility guarantees about as often as Microsoft releases service packs that do make an emphasis on backward compatibility.

    As far as comparing between the two -- in my experience having two Macs, a first gen Apple TV, an iPod, a couple of iPhones and an iPad and five Windows boxes running XP, Vista and 7 -- Windows service packs frequently deliver not only rolled up bug fixes, but new functionality similar to the kinds of new functionality that you'd find in Apple OS X releases.

    Fundamentally Microsoft does a much better job of supporting prior generation platforms than Apple does by far. Hell, Apple, as near as I can tell, obsoletes products just because.