Ask Slashdot: Preparing For Windows XP EOL?
An anonymous reader writes "As most of us working in IT may know, Microsoft will stop supporting Windows XP on April 8th, 2014. Although this fact has been known for quite some time, XP is still relatively popular in companies and also enjoys noticeable marketshare for home users. Even ATMs are running XP and will continue to do so for some time. A lot of companies/users don't want to change because they see no additional benefit to do a costly upgrade, no reason to change a running system, and they may in some cases be right with their assumptions. So what is the best way to secure these remaining Windows XP systems? Installing the latest security patches, checking firewall status and user permissions etc. should be fairly obvious; as Microsoft Security Essentials may also not receive updates anymore, changing antivirus programs seems a sensible thing to do."
No.
We have mission-critical software that must be run under XP. The software checks the OS somehow and reports Operating System Not Supported if we try to install it under Win7. It *does* run under Win7 in the XP virtual machine, however the software has a hardware security key that attaches to the parallel port, and the VM doesn't let it access the LPT at the low level it needs to (apparently) to recognize the key. It's XP for us for a while, damn the torpedoes.
MSE will have definitions for a year after the EOL: http://blogs.technet.com/b/mmp...
Anti virus is sort of an incomplete term. Trojans are much more popular these days, and despite its name an anti virus program can protect against them too. It's just software when it comes down to it.
Other than your one embedded example, that I don't think pertains to the other 99% of computers you are discussing, I question that it is really that expensive to upgrade to Win 7...
I realize there is more than hardware costs, but did you really expect your software to work for more than 10-15 years without needing an upgrade? Most people in this situation are there because they have deferred the (most likely needed) updates until now. And now they have an unusual number of computers to upgrade. My employer is squarely in this position.
Bite the bullet and upgrade. If you really want to stand firm against M$ or something, simply install any number of old-hardware-friendly linux distros. Knoppix is my current favorite.
I finally updated my sig, but now it's lame.
While what the article says is probably a good way to handle the EOL.. over time this is just going to get bad.
Ever image a machine to win98 and plug it in to the intertubes lately?
Yeah.
stupid AC. I'll tell you why: some people have expensive hardware that only works with xp and its NOT practical to rebuy working hardware just to run a more modern os. the os only exists to run apps and if the value of the apps and hardware are high enough, you will stay with the older os.
of course, AC's think that only linux matters. they can't see that in the real world, you need TOOLS to do your job and if those tools are only running on an older os, you keep that older os!
this should not have to be explained. maybe I got trolled, but figured if he was serious, I'll at least explain WHY you need to continue to run older systems.
--
"It is now safe to switch off your computer."
How about this one. All of your software options are better on 7 than XP. Firefox and Chrome are moving away from supporting it. Microsoft is moving away from supporting it too. You know what that means, Mr. Super Conservative Executive/IT guy? It means your threat vectors are now starting to approach "everything installed on this workstation" instead of just the OS.
Migrate your apps, fork the code, invest some cash. And next time, write up a long term strategy regarding how to live with well known product lifecycles.
I plan to clone my hard drive on April 8th and just restore from that backup whenever I get hacked. No fail in this plan!
In all seriousness, I've been gradually transitioning to Linux Mint as my primary OS, with XP as a dual-boot option (basically for games). I also have an XP VM running under Mint that I'll be able to use if I need XP and don't want to reboot. Everything's installed on a single 1TB platter drive so I really do have 2 cloned backups (on- and off-site) available.
I hadn't planned on getting a Windows OS after XP due to draconian DRM, although I haven't had a problem with XP licensing since I bought it retail in '04; I'm considering getting Win7+SSD since that's what I have at work and it's actually quite nice. That being said, most of the programs I use are cross-platform FOSS, so it's not a strong need (notable exceptions are rFactor and Visual Studio).
my, your, his/her/its, our, your, their
I'm, you're, he's/she's/it's, we're, you're, they're
Use Firefox. Keep the biggest attack vectors up to date (Adobe stuff in particular). Get rid of Java entirely unless you desperately need it; in that case, keep it up to date religiously. Use Adblock Plus (or equivalent) to block ads which sometimes carry malicious code. Don't do stupid things online. Don't run executables unless you absolutely know they're safe. Don't install pirated software since pirated software sometimes comes with lovely surprise infections. Use a limited user account for your daily activities and an administrator account only for maintenance tasks or to run software that won't work under the limited account. Always use a NAT router between the computer and the Internet, and don't run any open wireless network with that PC attached.
It's largely just a matter of (A) don't do obviously dumb things and (B) don't run everything as an administrator in the first place. Remember that antivirus and security software is a final line of defense; everything else is basically a problem with the user's behavior or knowledge, and if you are careful and follow good security practices in the first place, you aren't at any significantly greater risk than you are now.
One more thing: if someone really wants to break in, they will. XP or 7 or 8 or 8.1 and all the updates in the world won't matter in such a case, so my final piece of advice: don't piss anyone off that might want to come after you.
If XP is behind a corporate firewall - no problem.
Everyone should have a separate non-Windows firewall.
It really is all very simple and never requires the running of ridiculous anti-virus products.
A corporate firewall does little to ensure safety of a Windows installation. I've seen users behind a malware scanning firewall, running antivirus software on Win7 *still* manage to get infected by malware.
If a remote exploit is found in WinXP, a single infected XP machine on a corporate network can hop around to other WinXP machines in that network.
10 year old laptop now runs Lubuntu and 5 year old desktop "server" is going in the trash, replaced by an ARM SBC running debian.
Hell can you even still do that?
I've been having nothing but hell with a broken updater on all my VMs.. Either it takes 100% CPU usage non stop, or completely fails and immediately fails every update.. Every workaround in the book didn't fix that either.
Luckily I only use the VMs for testing at work.. happy to dump them and get back to my non MS OSes...
I already have a day off scheduled for the 9th. I will get black out wasted drunk.
I wouldn't bother with general web surfing using XP at all, when the support ends.
For many of my clients that run milling machines that still run XP, I am just making sure that they are not connected any longer. In that scenario, continuing XP is sensible and cost effective, with little to no risk. I'm sure most of the IT world is going to see the flare up of exploits that people have been hanging on to waiting for MS to no longer be willing to patch. Anyone of my other clients - law firms, non profits etc. - I am forcing the upgrade. No need to be so tied to such a clunky and difficult to recover OS anymore. Embrace the already 4 year old future, get on the update bandwagon and move on. None of my clients are seeing this as the end of the world like the media and others are describing it.
Really. One of my customers has a Win98 box, because it controls a $50,000 device. Another one runs NT Server, because porting 100,000+ part numbers to a new database isn't worth the upgrade.
People forget these contraptions we are typing on are simply tools, especially to businesses that focus on their own products, not what OS is on their computer.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
There hasn't been a root exploit in XP for a couple of years now, which means if you are running as a user and not root, and you know what you are doing, XP should be fairly safe.
1. Run as a regular user and only elevate permissions when you need to
2. Make sure your directory permissions are locked down properly (there are guides to help you do this)
3. Turn off all unnecessary services
4. Run a 3rd party antivirus app - BitDefender Free is excellent
5. Regularly run rootkit detectors and a second on-demand scanner (I use Trend Micro)
6. Don't use IE, use Firefox with NoScript turned on
7. Don't use Flash, Adobe Reader or Java. Use Sumatra PDF for PDF viewing.
I keep a VM of XP around for running some old apps and reading my junk email account. I've been sent virii and all sorts of junkware, and running the above config is pretty impervious to anything thrown at me. I can revert the image to its original state if something bad happens, and I've yet to have to do that.
My Other Computer Is A Data General Nova III.
We were scouring the lab here and noticed that our traffic generator had an embedded OS and it was of course XP. It took a LOT of back and forth with the vendor (whom we pay a big fat support contract to each year) to get a Win 7 disc. Apparently they don't have a plan for XP migration because they don't want to buy a ton of new license keys. This is a problem for people who can not have unpatched systems on the network. Technically the embedded edition is not going EOL yet, but we have concern about Microsoft keeping the patches flowing when the majority of the installs are no longer supported. The last thing we want is someone using one of our own network appliances as an attack vector. The printers are bad enough (they had to be vlaned--no way to properly secure them), but some of the other stuff requires real network access.
I read the internet for the articles.
The logical counter to that is:
YOU HAVE SOMEONE RUNNING A $50,000 ON Win98? Holy crap that is stupid.
On, not logical, but my point is salient. If you are willing to accept the risk, go for it. But don't be surprised when it breaks and ends up costing you a LOT to fix/recover the data/device.
Windows SteadyState from Microsoft is available for Windows XP.
SteadyState virtualizes the OS directories transparently on the disk. File writes/updates are directed to a secluded area. You can set it to simply delete those journaled updates upon restart/signoff. Any malware will be effectively gone. Windows Update would still be possible when signing in as the SteadyState administrator (creating an updated image), but that's kind of moot at this point.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
That's what's going to happen to all the XP machines (that haven't been air gapped already) where I work.
Most of the XP holdouts are lab equipment. (Oscilloscopes, Arbitrary Waveform Generators and the like.) They were already air gapped, anyway.
There are a few machines that run old development tools needed for production. (As in factory, not web services.) They will be left connected long enough to catch the last batch of updates, then relegated to USB storage and optical media for data transfer. (With sensible precautions, like disabling autorun, of course.)
Fortunately, those projects will not be around forever and will slowly be replaced with newer versions that run on Windows 7 and/or Ubuntu 12.04. (Maybe 14.04.)
Next on the todo list, Ubuntu Server 10.04. Its number is up soon, and that one will be a lot more obnoxious to get rid of than XP was.
Seriously not a good reason. Problem is, people who can not accept how IT works, and evolve, should just use pen and paper and be safer for it.
Or they will just suffer the consequences, or the rest of us will, whenever their PC becomes part of a botnet.
Yes, there are systems that are running equipment, which has to run its life before it can be retired along with whatever version of any operating system it came with. It is just how it is, and those who are responsible for those systems will just have to sandbox them the best they can.
But honestly any private person, who is not running expensive equipment (no your US robotics 33.6 modem is NOT part of that list), has about zero excuses for running a 13 year old system. Djeez!
If you think that newer versions of windows don't have anything to offer you shouldn't have to do anything at all
First, the only newer version of Windows that "has anything to offer" is Windows 7. Vista isn't as bad as some people have tried to claim, but once Windows 7 became available, Vista became meaningless and there is absolutely no reason to even consider it. Windows 8 is a mess. One of the all time worst.
But the real problem isn't that newer versions of Windows don't have anything to offer. The problem is the expense of switching. Whether it's an individual with one computer or a business with a few thousand, the cost far outweighs the benefits.
Then there is the dirty little secret of business, that isn't so secret. There are millions of computers running shitty, poorly written software that will stop working if you make the tiniest change to the underlying hardware or operating system. That makes switching even more difficult and expensive.
don't forget to make a disc image if you ever need to restore that machine
Depends on the device and the support you get for the device. Just think about it: Microsoft never did give any real "support" to you, most of the time they told you to go to your manufacturer for that. If the manufacturer of the $50,000 device still gives you support in the sense that he will fix any problems that occur with the device, including replacing the hardware that still runs Win98, that is more support that you have ever gotten and will ever get from Microsoft.
I don't understand what all the fuss is about. Windows XP has been infested with malware for years in spite of attempts to patch it up. I don't think the patches did much to improve security since the malware is winning. The lack of new patches shouldn't make much difference. It will still be infested with malware.
If you're concerned about security, you would have moved to something else a long time ago.
I don't read your sig. Why are you reading mine?
Aren't actual viruses pretty rare nowadays? Most malware attacks the browser and plugins.
The term "virus" has evolved to include all forms of malware and anti-virus programs now detect more than just the traditional "virus".
I work in a lab in a large research university, and they are taking it very seriously. All of our lab machines are being swapped out for Windows 7 - a non-trivial task given some of the individual software for certain lab machines is... clunky at best. Any computer that must stay running XP (because the instrument's software requires it) will be removed from the network. Personally, I only run XP (for said lab purposes) in VirtualBox, completely cut off from the web. There has even been serious discussion amongst school administrators to proactively block any machine running XP from even connecting to the school's network. Drastic, perhaps, but I can understand it from their point of view.
I live in constant fear of the Coming of the Red Spiders.
This may not necessarily apply to every use case, but I'd suggest that any reason why one might need to run an older system is probably trumped by the distinct possibility of being cut off from the Internet entirely.
Because if or when any previously unknown exploits for XP get discovered after April 8th, they will probably not be patched. Virus detection can only go so far to stopping vulnerabilities in the underlying OS.
Alert ISPs that can detect the presence of zombie computers on their network and will be able to disconnect any that they find
This is singularly the best reason I know of to stay current with regards to whatever operating system one uses to stay online. If one does not have the hardware to remain current, then they may just have to accept staying offline until they do.
File under 'M' for 'Manic ranting'
We do embedded development. This means re-qualifying a whole new version of tools, and the tools frequently don't work right and you cannot "just upgrade" because these are in the millions of recallable units.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
don't use firefox. don't use any browser at all. if you need a browser, you need windows 7. sorry to burst your bubble, but anything else is going to be dangerous. you should be getting rid of any potential vector for badness (any software, particularly software that is known to touch the internet) altogether.
It's not stupid. It's quite common for specialised equipment to rely on drivers written for a particular OS. We have a 3 year old transmission dynamometer that cost us $180,000 that is controlled by redundant commodity x86 hardware running XP. There is no need to keep the OS up to date as it serves only one purpose.
Stupid lusers these days think all "PCs" are to be connected to the Internet and used for browsing file sharing sites.
Even without admin rights, malware can do a lot of harm with just user profile data.
XP is very lightweight (runs well in 512MB of RAM), so it makes for a great OS to run in a VM for Web browsing. Have the user that the Web browser is running in be a non-admin, use the above add-ons, and use a sandboxing program like sandboxie, and one can have decent protection. Every few weeks or so, roll back the snapshot so if something did get past the sandbox, it would be gone. Of course, bookmarks would have to be saved somewhere else, but that isn't an impossible task. For AV protection, something like Malwarebytes that blocks rogue IPs is decent, but usually AV software is useless against most attacks due to the 0 day nature.
At my company we have dozens of $500K+ machines that are controlled by NT 4.0 boxes, and dozens of somewhat newer $2M machines controlled by XP boxes.
The vendor has no incentive to upgrade their software to work with a new OS, they'd rather we spend several hundred million on new equipment. And the software that controls the machines is closed and proprietary to the vendor.
We'll still be using NT and XP in 2020.
The logical counter to that is:
YOU HAVE SOMEONE RUNNING A $50,000 ON Win98? Holy crap that is stupid.
Why? These types of systems are in a lot of industries. None of those systems are on the internet. And probably not even on a network at all. It may cost $10K to upgrade the controlling computer. And for what? So you can play a game on it? Or iTunes, or surf the web? No one in their right fucking mind is going to do this. These are very specific use systems. They don't need to do anything more than what they are doing and spending a pile of money to upgrade them to a modern OS will gain nothing.
Here's a car analogy for you. You own a red 1500 lb. Ferrari with a 500 HP carbureted single cam pushrod engine that gets 15 mpg. Are you going to buy another one for $150K that looks and weighs exactly the same and has 500 HP and gets 15 mph too but the engine is a dual overhead cam with a turbocharged EFI engine and maybe some LCD touch screen gauges and a DVD player? It's a more modern vehicle, but you gain nothing of any value. Seems like a waste of money to me.
It's not a well kept secret.
Don't. Don't secure it. Just let the chips fall where they may. Failure is an option, and you've presented things such that it's the best option.
Before you reply with "that's crazy" (or "that's lazy") let me remind you, that there's "no .. benefit" to being more secure, and "no reason" to worry about the consequences. The submission has already stated that solving the security problem has zero value. So why are you working on it? Just let it go. Security is a don't-care condition. Every hour spent on it, is an hour wasted for no benefit.
If you change your mind about it being a don't-care condition, then you open the door to upgrading to a maintainable OS. But you can't do that, until you decide that upgrading does have benefits, and there is reason to change a running system.
So .. have you changed your mind? Are you still sure there's no benefit to an upgrade and no reason to change a running system? Or have you realized that's TOTALLY FUCKING ABSURD yet? Because I think once you realize that it's TOTALLY FUCKING ABSURD then you're going to see some options appear.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Counter to what some people seem to think, running XP isn't an end in itself. In the real world you run XP in order to run certain applications, right? Applications that typically won't run on Linux (closed-source Windows-only stuff) and may not even run on Windows-7.
Besides upgrading would be really expensive. Ripping out several million boxes, reformatting their disks, installing Linux, dealing with a substantial percentage of cases where the hardware breaks when you unplug them or on which the more recent kernels won't run is very expensive. So expensive in fact that the license cost for a Windows copy will be completely dwarfed by the cost of handling the hardware and installing Linux.
By the time you're done installing the OS you'll find your troubles are only beginning. You'll find that your old applications (that you built into your business) won't function anymore. You might be able to write one single application for ATMs that runs on Linux or a more recent version of Windows but you won't have time to test that thoroughly (enough) and you'll replicate that application millions of times. Good luck! For ordinary office machines you'll be facing a big bill in reinstalling all the old packages and even more (training !) if you decide to upgrade the applications too. And then you can watch your office performance sag as everyone starts learning their way around the new apps.
Chances are you'll lose a lot more money handling, migrating, training, and pushing updates to all those millions of boxes than dealing with any security problems that may start to arise in the next two years.
That, in a nutshell, is why it makes financial sense to just isolate the, shortly very vulnerable, XP boxes behind firewalls than to upgrade them.
In fact I think you might even be able to insure yourself against cost of problems when you continue using XP at a rate that's much lower than the cost of migrating.
Where I work a good number of the surface mount assembly lines are run by windows 2000 and XP.
The screen printers still run DOS. Many of the electrical testers and chip programmer rigs need XP or lower as well.
As most of these setups require custom PCI IO cards, virtualization isn't an option either.
(Though I am happy to have found an ISA to USB adapter that works well under virtualization)
When "a pc upgrade" involves replacing a quarter million dollars in hardware and finding the time to eat the cost of downtime over three running shifts, even I couldn't justify the cost of doing so just to get a newer OS (that will still be windows and still go EOL at some future point!)
My solution is to segment older OSes on the network. They can reach the SQL server and occasionally the file server as needed.
NO email, NO internet, NO intranet, no random transfers between there and other networks.
Everyone has Win7 desktops for office, outlook, and firefox. There is no need to even treat the XP systems as computers anymore. They are now appliances.
With the SMT line PCs not even showing a desktop or letting the operators exit the controller GUI, and the test hardware being locked to a list of approved executables (More for QA actually), the likelihood of an infection requiring a reinstall is next to nil.
That leaves hardware failures. I have full drive images to restore once the HDs fail. On a more serious failure, the entire rig is considered failed. Either time to pony up the $25k for a new system, or we do without.
As long as you get your desktops upgraded, there is a lot less you need to use XP for, and most attack vectors can actually be completely blocked without affecting any work flow whatsoever.
Twinkies, tents, double-barrel'er, and water jugs
Table-ized A.I.
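Added example, not part of the comment above or of the original thread: a short Python audit of flow records against the segmentation policy that comment describes (legacy hosts may reach only the SQL server and the file server). The subnet, server addresses, ports 1433 and 445, the log format and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed addressing for illustration; none of it comes from the thread.
LEGACY_NET = ipaddress.ip_network("10.20.30.0/24")  # XP/2000 "appliance" segment
ALLOWED = {
    ("10.20.1.10", "tcp", 1433),  # SQL server (assumed MS SQL default port)
    ("10.20.1.20", "tcp", 445),   # file server (assumed SMB)
}

# Constructed flow records, one per line: "time src dst proto dport"
SAMPLE_FLOWS = """\
2014-04-09T08:00:01 10.20.30.11 10.20.1.10 tcp 1433
2014-04-09T08:00:05 10.20.30.11 10.20.1.20 tcp 445
2014-04-09T08:01:12 10.20.30.12 203.0.113.7 tcp 80
2014-04-09T08:02:40 10.20.30.12 10.20.1.25 tcp 25
2014-04-09T08:03:03 10.20.5.44 10.20.30.11 tcp 3389
2014-04-09T08:03:30 10.20.5.44 10.20.1.10 tcp 1433
2014-04-09T08:04:00 10.20.30.13 10.20.30.11 tcp 445
malformed line here
"""


def parse_flow(line):
    """Return (ts, src, dst, proto, dport), or None if the line is unusable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))
    except ValueError:
        return None


def classify(flow):
    """Label one flow relative to the legacy segment's allowlist."""
    _, src, dst, proto, dport = flow
    src_legacy = src in LEGACY_NET
    dst_legacy = dst in LEGACY_NET
    if not src_legacy and not dst_legacy:
        return "unrelated"
    if src_legacy and dst_legacy:
        # Host-to-host traffic inside the segment never crosses the
        # segment boundary, so the allowlist cannot judge it; count it
        # separately so it can be reviewed.
        return "intra-segment"
    if src_legacy:
        if (str(dst), proto, dport) in ALLOWED:
            return "allowed"
        return "egress-violation"
    # Anything initiated from outside toward a legacy host is off-policy.
    return "ingress-violation"


def audit(text):
    """Return (Counter of verdicts, list of (verdict, raw line) violations)."""
    counts = Counter()
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            counts["malformed"] += 1
            continue
        verdict = classify(flow)
        counts[verdict] += 1
        if verdict.endswith("violation"):
            findings.append((verdict, line))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_FLOWS)
    for verdict, line in findings:
        print(f"{verdict:18} {line}")
    print(dict(counts))
```
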
Firewall and AV products will not catch 0-day exploits of the Web browser and add-ons. If they are pulled via SSL, even the best SPI firewall will be bested, unless one goes with a MITM system and forces all inside machines to trust the MITM appliance's key as a root one.
Browser exploits are the biggest vector of infection these days, and XP has little to no resistance innately against those, other than running as a non-admin user... and even then, malware can do a lot with a regular user's context.
There's a customer of mine who still uses a Windows 2000 machine. It's not connected to the Internet and runs a rare piece of machinery, and the software can't exactly be moved to another platform. Another customer is in a similar spot except their machinery operates on a P3 with Windows 2000 for a different reason: the software works fine on 2000, but for some reason the manufacturing line occasionally moves further than it's supposed to when the software runs on XP, and that could result in dead employees. There are legitimate reasons to not move to newer platforms. The machines not being on a network and not having any storage media plugged into them largely mitigates any security concerns, though.
The virus writers who have been holding back XP payload might have vectors that also hit Vista/7/8. With all the juicy XP targets to compromise, they can do more effective random IP address attacks like the days when XP Service Pack 2 wasn't around. So I'm not totally concerned, but just a little bit concerned that this could hose more than just the XP installations.
God spoke to me
End of support for XP is no real problem at all! Just downgrade to Windows 2000! It doesn't even need activation!
AV programs are useful for two things:
1: Make the legal eagles happy.
2: Scan an offline volume (a VM's disk image) for potential infections.
For real time threats that attack the Web browser and the add-ons, the only real protection is blocking ads via AdBlock, utilities that block by IP address, denying plugins the ability to run unless explicitly clicked on, sandboxing the whole mess so any changes to the filesystem can be easily dumped, and running the browser that you use for banking in a different browser/sandbox as the one you do for other sites.
I see this response a lot, and I completely understand it. Business needs what it needs, and so if it doesn't see a need to update, it won't. Got it. Perfectly. Crystal Clear.
But an honest question: What happens to that 100k database (maybe 200k in the future?) 5,10,20 years from now, when the computer it runs on breaks and you can't get replacement parts for that old motherboard. When Windows 98 does not have drivers for the hardware being made. When the database grows so large that the HDD in your Windows 98 box can't even handle it. When Windows 98 can't keep up with the network speeds and standards of the future that are required to stay competitive. When the install medium itself gets scratched too many times and stops reading.
I don't feel like I've EVER seen any contingency plan for this. The excuse is always "You're out of touch, business needs to run older systems". Again, I agree and understand. But at some point, maybe not soon, but at some point it WILL stop working, or at the very least, its age hampers the budget more than helps.
Is there a plan to at least move to VMs to try to preserve the software a little more? (Maybe you are already using the VMs). Are there good backups for the VMs? Can the VMs access the USB ports and what not for your devices? How many of your devices use old ports that don't even come on any computer sold in the past 10 years?
While I understand the reasons for not upgrading immediately (or not even quickly), 15-20 years seems excessive, and I start to think this is a failure of business leaders more so than a misunderstanding of technical people.
Ummm no. Most people will not change because there are literally no upgrades available.
We have a spare glove box here at work that handles overflow from our main glovebox. It used to be our main glovebox until we bought a much larger, more modern box. It has two Pentium 3 computers running Windows 98 but they boot straight to DOS and run the control software. One PC runs the glove box environmental controls and vacuum airlocks/ovens. The second PC runs an ancient DOS based motion control system.
Here is the problem: Replacing the glovebox is at least 100,000 USD. And that does not include upgrading the motion system which I estimated between 20 and 60 thousand depending on how much of the motion system we want to replace.
So now we look at how much work the glove box does per year: about twenty thousand dollars. So the boss has to justify dropping over 120-160 thousand dollars and waiting over 5-8 years to recoup the cost. Does that make sense? Of course not. We need the box but at the same time it's not worth the cost to upgrade. So you live with it. I have a small stock of old computer parts to keep it going along with block level disk backups. I could upgrade the environmental controls but the engineering cost would still wind up costing tens of thousands of dollars, months of design and a lot of downtime. Not worth it.
And if it breaks? Oh well. It won't kill us, we just might have to pay someone overtime to get the extra work out.
I'm trying to get an Installfest setup at the local library to help XP users migrate to Ubuntu.
Or, more likely, they have a stack of old computers with a win98 install, ready to swap out. The biggest issue is probably to keep all the driver disks around as well - installing old windows on old hardware is "a bit" more work than installing Linux, as you have to install a bunch of software after installing the OS, and the drivers are often hard to find via google...
To be honest, I've seen much, much older than that. I remember using an old IBM PS/2 (looked ~ like this: http://en.wikipedia.org/wiki/F... ) around 5 years ago. It was running some kind of instrument to measure the thickness of the oxide layer on Si wafers. Also remember having fun repairing Win95 boxen with a SCSI card connecting to some educational DAC box - which I eventually got to work with Windows XP (it supported the SCSI board right out of the box, and the new version of the LabView-esque software supported the ancient DAC!).
Yes, we have a multi-million dollar machine that runs on NT4.0. They will upgrade it to XP for $20k. But the company won't pay for it. We did however pay to upgrade from XP to 7 on another machine.
The older "must haves" don't get plugged into the network.
I finally updated my sig, but now it's lame.
True. There is no support from Microsoft, *especially* with something like Windows 98 which didn't even come with automatic patches. If you need a bug fixed or a problem solved, you have to call someone other than Microsoft.
The problem here is that there are capital purchases that last longer than Microsoft supports their operating systems. Support by MS, non-existent as it is, has never lasted more than 5 years past the time that they last sold the OS. But capital purchases may last several decades. Great, you just put in a new house automation system that runs your AC, heating, security system, and so on, for a $10,000 price. 5 years later the OS no longer gets updates (big deal, the computer is in the attic with no internet access). But let's say you're nervous and call up the original company, if they're still in business, they'll say "we'll sell you an upgraded product for only $11,000".
If you're a corporation there may be a lot of expensive machines purchased with the expectation that they would last for a very very long time. No one gets a budget for new oscilloscopes every five years, yet most clockwork IT drones will advise that everyone gets a new PC every 3 to 5 years. IT rules should have no place in manufacturing or industrial sectors. Thus people keep around the XP or NT computer because it still works (even if you get a new computer you can put XP or NT on it, even if it's via VMware).
You're going to see the same effect soon because of all those automobiles that came with smart entertainment/navigation systems because they'll stop working when the services they connected to stop working; or new smart TVs that won't be able to upgrade (whoops, bad design choice to leave off ipv6).
I got you beat - I know of a company that's still running OS/2 Warp on two production systems. They track the entire backup tape library.
That's easy:
fromdos *.txt
We need a "+1 -- nice sig" moderation.
So just remove all computing from industry then? Because it's impossible to buy a $100,000 manufacturing machine that will last more than the 5 year IT upgrade cycle?
And XP is most definitely not 13 years old, Microsoft still sold it NEW five years ago. May as well say that Windows in its entirety is 25 years old, and that only a fool would buy Windows 8 today because it's a quarter of a century old.
"What's our iceberg preparedness response again?"
We have a system running Win98 at the office. It is not on the network. The only thing it does is control the door system. To get the updated software supported by a more current OS would cost $5k. It just isn't worth the headache right now. I did talk them into running on a current machine and we just use a virtual Win98 environment to do the software bits. Overall it is still pointless since the machine isn't on any network. Eventually we'll upgrade the whole door lock system but until then that virtual Win98 environment will get the job done.
Yes, XP is good enough, and all later versions really offer nothing new that the average consumer needs. This is all just forced upgrades to guarantee that you keep buying new microsoft products. They could have added a support option and keep XP around; say $5/year gets you continued updates. This would be popular I think for businesses which have many legitimate reasons to keep around old turnkey systems or the like, many of which aren't even on the network. Alternatively MS could provide better XP compatibility in newer systems instead of treating it like a pariah (as well as having newer versions of office actually be able to read and write older office formats).
Forced obsolescence was a bad idea when given to the home consumers. But forced obsolescence foisted upon business and industry is destructive.
And what's the worst that happens to a computer that's on and not connected to the network? Microsoft loses some profits.
Still using DOS, Win98, and OS 7 to support thousands in legacy hardware (vendor did not port their applications to newer OS's). These OS's are not networked and used only for supporting the older hardware. Sure, it would be nice to move the old equipment out to pasture, but it still works.
You can keep an old OS going by keeping working backups, accepting limited functionality, not being attached to an external network, accepting that new peripherals are not supported, using best practices, monitoring your system, and being ready to do your own repairs.
Some may be surprised but companies still sell new copies of DOS programs, for niche markets. Just add your 386 box from ebay. XP will just continue the trend.
for casual web browsing/listening to music on my XP machine I'll boot to puppy linux on a usb drive. Whenever I need to run something in Windows I'll just boot into XP after unplugging the ethernet cable.
"the fax machine is nothing but a waffle iron with a phone attached to it." - Grandpa Simpson
FWIW there are print shops with $2mil+ printing presses that still run Windows NT 4.0 on Dec Alpha-based controller PCs (AT motherboard no less - not even ATX!), with no upgrade path offered other than being told by the manufacturer to "buy a new press." WHY buy a new press just because the OS and motherboard are outdated, when it otherwise runs flawlessly?
There are perfectly valid reasons to stick with an EOL OS.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
I do that anyway when I get a machine or when I upgrade it.
Logic is the beginning of reason, not the end of it.
To alleviate some of the pain of not being admin you can put yourself into the "Power User" group which is less restrictive than the defaults for ordinary users. It does introduce some security holes but will still thwart most malware expecting to run as admin.
I am becoming gerund, destroyer of verbs.
> A corporate firewall does little to ensure safety of a Windows installation. I've seen users behind a malware scanning firewall, running antivirus software on Win7 *still* manage to get infected by malware.
That is why you run multiple layers of protection; a UTM with antivirus/malware signature update subscriptions plus centrally-administered antivirus/antimalware software and policies covering use of USB devices.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
or something.
i just came here to make fun of "this remaining ... systems" :)
Rich
Word came down today that running any XP images is a security violation.
Security violations are potentially an immediate termination offense.
Never answer an anonymous letter. - Yogi Berra
Really. XP's future was looking a bit bleak about 8-10 years ago, why the fuck would anyone want to put up with the torture this long... and then *STILL* (!) not want to let it go even at the official end of its life? Which, I might as well add, was continually put off by Microsoft due to their own failures (Vista) and the unexpected success of their competition (Linux) in markets that they themselves weren't quite a part of. Now it's such a crusty old turd, you have to be a masochist to keep wanting to use it. If that's the case... have at it. Cut away.
I will never know why people have such a reliance on such an antiquated operating system, but then, I don't really care, because I jumped ship back in 2006 for Linux, just in time for the V-Bomb. It's been much better ever since. The simple solution is to get a new, "modern" computer; or if you're cheap, switch to a different operating system. It's not rocket science.
And there is nothing wrong with using XP for that machine for the next 20 years...
So long as it isn't online, isn't used for anything else, etc...
It doesn't even have to know what decade it is in, just run the transmission dynamometer and that's it...
Your only real issue is that at some point, spare parts for the computer itself may become hard to get, I personally would invest in 1 or 2 spare computers, clone the current one, set them in storage, and have them for backups. It shouldn't cost much, a few hundred dollars, and you'll have backups to the one part that is least likely to get support.
> A corporate firewall does little to ensure safety of a Windows installation. I've seen users behind a malware scanning firewall, running antivirus software on Win7 *still* manage to get infected by malware.
That is why you run multiple layers of protection; a UTM with antivirus/malware signature update subscriptions plus centrally-administered antivirus/antimalware software and policies covering use of USB devices.
Multiple layers is good. Running an unsupported and unpatched version of Windows is a huge gaping hole in your layers of security. Your UTM should automatically block WinXP machines from the network when they fail the NAC check - no network access for devices not up to date on patches, and by definition, WinXP systems are not up to date on patches after support ends.
some people have expensive hardware that only works with xp and it's NOT practical to rebuy working hardware
Old hardware as in systems without support contracts? Or old hardware with no available parts?
So you just wait until the hardware fails AND THEN scramble to get the services back online? Doesn't sound very proactive to me.
Worst case scenario is to virtualize the system and use IO Passthrough for any proprietary cards. But hardware availability should not be a limitation because hardware fails.
This should not have to be explained. Maybe I got trolled.
One of my customers has a Win98 box, because it controls a $50,000 device. Another one runs NT Server, because porting 100,000+ part numbers to a new database isn't worth the upgrade.
I have had similar experiences in the past with customers. I recommended they not allow the systems Internet connections. In the cases where this wasn't possible, GNU/Linux + WINE and Linux + VirtualBox have proven effective solutions. Even for some crazy low level COM port gizmo made by a now defunct company with Win Server 2003 only driver...
You talk a big talk, but I suspect you haven't tried walking the walk. The contraptions are simple tools, which can bring down the entire company with a single crypto locker exploit.
When has Microsoft supported its products?
I ran Windows Update on my XP box last night. Seemed to work fine. So I guess the answer to your question is "yesterday."
It's not stupid. It's quite common for specialised equipment to rely on drivers written for a particular OS. We have a 3 year old transmission dynamometer that cost us $180,000 that is controlled by redundant commodity x86 hardware running XP. There is no need to keep the OS up to date as it serves only one purpose.
Stupid lusers these days think all "PCs" are to be connected to the Internet and used for browsing file sharing sites.
Before you pay 180k for a piece of hardware, you should require either one of (a) a support contract that commits them to developing drivers for the foreseen lifetime of said hardware or (b) an open source driver and specification that allows you to develop the driver yourself. A combination of the two is also possible, where the source code and spec is held in escrow, and you have access to it only if they go under or breach their support contract.
The logical counter to that is:
YOU HAVE SOMEONE RUNNING A $50,000 ON Win98? Holy crap that is stupid.
Why? These types of systems are in a lot of industries. None of those systems are on the internet. And probably not even on a network at all
That airgap worked real well at Natanz, didn't it?
Replying to myself to say that the NT4.0 box is probably more secure than upgrading to XP at this point.
I finally updated my sig, but now it's lame.
Don't have a choice. I don't have hundreds of dollars for new copies of Windows, and the time to spend days reinstalling all the apps for everyone in the house...
Logic is the beginning of reason, not the end of it.
We have Surface Mount Assembly Equipment that runs Windows NT4 and Windows 2000.
Surprisingly, it all still networks OK. (But of course on its own isolated subnet)
There is ZERO chance any of this industrial equipment will ever have an OS update.
46137
And what percentage of XP users do you suppose are running such specialized equipment that something like Linux Mint would not install and run on?
The world's burning. Moped Jesus spotted on I50. Details at 11.
Hell, the phone system we're about to retire runs an embedded DOS variant.
The world's burning. Moped Jesus spotted on I50. Details at 11.
What's the cost of the computer dying, and replacement parts are weeks out?
There are two types of people in the world: Those who crave closure
While it is possible to trim XP down and squeeze it into 512MB, my own experience tells me that it's foolish to consider it to run well in 512MB. The very idea throws me back to a slightly earlier time, upgrading a Windows 2000 machine from 64MB to 128MB of RAM. Coincidentally, if you've trimmed XP down to fit into the low memory environment, you've basically got Windows 2000...
I've worked for companies like that. Sometimes it happens. They don't have the time or money to invest in writing all new software. I'm still writing web apps that have to support IE 6 due to a partner using an older version of Developer Studio where the embedded browser widget renders as IE6. They don't have the money to re-tool and rewrite it all, and we have to support them...
Logic is the beginning of reason, not the end of it.
This is the same FUD all those guys at the Microsoft shops always tell me. "You need to upgrade because it will be catastrophic if you don't."
Meanwhile, he's perfectly content selling upgrades from Win7 to Win8 on machines that do nothing but run an HP-UX terminal emulator running a basic inventory system. The irony in this is brilliant.
There are always going to be systems that were sold by a sales person. These systems will need to be updated. There are also going to be systems that were built in-house. These systems are also going to need to be upgraded. The difference between the two is who decides the upgrade path.
Someone flopped a steamer in the gene pool.
I used to do consulting for Xerox, it was fairly typical for hospitals to depreciate hardware (such as beds, autoclaves, photocopiers) over 20 years. You can't even get parts for copiers after that amount of time, you are generally relying on 3rd party refill kits for toner and other consumables. From memory 10 years was pretty standard for printers.
Sara
Designer, Gamer, Macgrrl in an XP World
Windows is typically disk I/O bound when it's slow. Booting and launching IE are both amazingly I/O intensive.
Socialism: a lie told by totalitarians and believed by fools.
stupid AC. I'll tell you why: some people have expensive hardware that only works with xp and it's NOT practical to rebuy working hardware just to run a more modern os. the os only exists to run apps and if the value of the apps and hardware are high enough, you will stay with the older os.
of course, AC's think that only linux matters. they can't see that in the real world, you need TOOLS to do your job and if those tools are only running on an older os, you keep that older os!
this should not have to be explained. maybe I got trolled, but figured if he was serious, I'll at least explain WHY you need to continue to run older systems.
Oh crap. April 8?
There are exactly 2 apps in my collection that I run under Windows. MS Flight Simulator (the Linux sim is supposed to be good, but I just happen to like what I have). And Turbo Tax. Because Intuit has Microsoft so far up their butts that their idea of "export to Excel" means use OLE to bring up a copy of Excel installed on the machine that the Intuit product is located on and ram the data in that way instead of allowing export to XLS files like everyone else does (just in case Excel might happen to be on some other machine, maybe?)
I like my little XP box - when I have it powered up - but it ain't going to stand moving up to Windows 7 and I wouldn't touch Windows 8 while wearing a hazmat suit even if the chances weren't even worse. So I'd better do my taxes fast. After that, I guess I just found a new Linux box.
I already have enough Linux boxes. Most of them started out as Windows boxes that I recycled when the next big version of Windows wouldn't run on them.
If it works, don't fix it.
In the real world, the risk of unnecessarily perturbing working systems is often higher than the risk of those systems breaking on their own. (Think about the longevity of Netware 3.12.)
If I had an XP exploit, I'd just sit on it until it goes EoL. It's worth more when you can use it with impunity and not worry about it being patched.
Run it in a VM and pass the hardware through to the hypervisor?
Why not just install a Linux distro?
What is this "Windows" of which you speak?
My SIG is a P226
Give virtualization a try, if you don't have spare hardware and don't have a way to get more (we've ordered out-of-production hardware from Ebay before). There are PCIe cards that supply serial ports, and VMWare lets you add things like serial/parallel controllers, mapped to your real hardware. Assuming they've got a disk image of their super-important computer, things shouldn't be too hard to work out.
It is pitch black. You are likely to be eaten by a grue.
My employer is planning on falling back to antivirus for defense. I work at a hospital with thousands of workstations almost all of which are XP. While I don't do any real browsing at work other than following weather in the event it's severe or big news stories, many people do and lack the "common sense" antivirus suite in their head.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
YOU
ARE
WRONG!!!!!!!!!!!!
I hear that stupid, incorrect argument all day. When you buy a piece of hardware, IMMEDIATELY budget for its replacement in the recommended average number of years. Doing anything else is 100% your fault for doing the SDLC and 5 year planning wrong. For example, if you bought a desktop, plan and save for replacing it with another desktop in 5-7 years because that's reality. Pretending your machines will run forever then blaming microsoft because you fucked your budgeting is so unbelievably incorrect.
I worked at a place where they had a SMD (tiny electronic components) placement machine that used 98. It didn't connect to the internet and only accepted tab delimited placement files. Running 98 in this situation is completely acceptable.
If you do that, also be sure to find the drivers and installation packages for them and store them along with the computers. If you want to get a fresh Windows 98 box running today, it's often harder to track down the proper drivers for Windows 98 for the various pieces of hardware than it is to come up with the 15 year-old parts themselves.
If a desktop OS computer command can kill an employee you have a bigger problem than end of support. There is a reason for those wacky statements in the Licensing Agreement.
The UCLA Medical System, a gigantic organization, required all hospitals, providers, etc. to standardize on a single, integrated medical record-keeping system. Medical history, diagnoses, prescriptions, appointments — the works. This was within the last 12 months.
It runs on XP.
Happy privacy!
I've been dreading having to roll that big'ass barrel of unused XP CD's out the door. That thing is freakin heavy.
Having to work for a living is the root of all evil.
The real problem is that Microsoft wedged its software into industrial and other non-consumer systems without apparently understanding those markets.
An industrial system, say a steel press for instance, is designed to function without the need for changing software unless new features are added. That same type of steel press may have been built forty years ago with relay controls and pushbuttons. Those relays and pushbuttons don't get upgraded - they get replaced as needed and upgraded when improvements are desired.
On the other hand using a consumer based set of software such as Windows that is intended to be upgraded every five years is an unneeded and unwanted expense with no real benefits. This supports the idea of using PLC's and Panelmates/Panelviews because their manufacturers usually provide support for at least ten years - in some cases 20 - and even provide an upgrade path at a reduced cost in many cases.
However, the real lunacy to me is when such a company provides SCADA systems that run on Windows. On the other hand, they will likely sell you an upgraded system that is equivalent when Windows XP is dead next month.
I don't want to be a Luddite but in some cases it may be better to just stick with or go back to relays and pushbuttons.
nonsense, why would a cnc machine, for example, need a new driver after running fine for 10+ years? nothing changes!
a manufacturing plant that cuts metal has no interest in developing drivers, probably wouldn't even know what the phrase meant
newsflash for you, 486 machines and motherboards still made
also common with ms-dos, not just in printing world but cnc
What do you do when the Win98 machine has a hardware failure?
Unless you've been stockpiling spares since the late 90s, that is a real problem.
Most places that have these systems have done just that. Plus most of the hardware from that era tends to be less complex and on larger die sizes than what we have today, so it tends to last a lot longer.
There are analogue targeting computers on naval ships that still work, and work quite well. Deck guns that can fire a Volkswagen Golf-sized projectile from (say) Hobart to any tennis court in Launceston. Maybe not the best economical solution, but what's money to the military, anyway?
Point is, you look at the system, and determine whether you can support the subsystem that drives it. As an integrated system it either works or it doesn't, irrespective of the weight, the cost, or the paint job on any subcomponent of it. And sometimes the bit that the computer controls is just as old and slagged-out as the operating system driving it.
Do not mock my vision of impractical footwear
Really? What risk? I have the same situation. They are custom cash registers which would require hundreds of thousands of dollars to replace. To you it's a computer; to my client it's a fancy cash register. He tried to replace the business logic by off the shelf software but none would meet the requirements. So his choice is to spend hundreds of thousands on redeveloping his cash register, buy off the shelf software and hire additional staff to meet the requirements, or go to discount stores and pickup the stuff that has been thrown away?
Yeah Win95, Win98, NT are still going strong today and they will for at least the next 10 years. Maybe by that time the off the shelf software will catch up to his business logic. It's not for you, fine, but I know for a fact that if he would have followed MS current he would have spent over a million just keeping up with the times. The code is completely debugged in the last 20 years of operation and a solution that none of his competitors can match.
DRM? No thanks, I'll just get it somewhere else...
Btw the just-launched AM1 platform from AMD comes with Windows XP support, which may seem asinine except for those industrial scenarios.
With the parallel port on the host passed through to the guest.
And keep your old working code.
Huh?
Can you elaborate? Because if someone actually has a win XP machine or better in that office the cost should be free.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
I see you're running MS-DOS 7.10, great version, with fat32 support, really easy to get over 600K of conventional memory for playing games. I think it will run in nearly every PC, but doesn't support a hard drive bigger than 2 TiB.
Copy the current machine as a VM and backup the image somewhere. When the current hardware dies, run the VM on something newer.
The screen printers still run DOS.
DOS was actually decent as an RTOS if you could dedicate it to one task. I did some control systems work for a lab-size Tokamak fusion reactor in DOS.
So does Win 7 Tiny and unlike XP it doesn't pimpslap the swap even when there is tons of RAM available. And in this day and age there really is no point in running an OS, VM or not, in a lousy 512Mb of RAM. After all what good is a VM if you don't run any programs? Look at how much Chrome or Firefox uses with just a half dozen tabs open and you'll see 512Mb of RAM really don't cut it anymore.
ACs don't waste your time replying, your posts are never seen by me.
Not so fast.
If the box can run Win XP, it can run any contemporary Linux distro, and the original Win XP with the apps that are still needed can be run as a VM under that Linux. Performance will not be affected.
But this approach is probably not going to be widely adopted since the great majority of persons who provide Windows support for a living cannot be bothered to learn anything new. This upgrade path won't be utilized mostly because learning new stuff is hard and the value for the tech support person is not obvious.
Will
In both cases, a possible low cost upgrade that would probably provide a fix good for a decade or two is to get contemporary hardware, install an industrial grade Linux distro, and install Win98 or WinNT in virtual machines under the Linux shell. As far as the critical Windows apps are concerned, they would see the same environment they are in now. Except that the new hardware would be a lot faster.
If there is something basically wrong with this approach, I'm sure it will be mentioned in following comments. Along, almost certainly, with a lot of Windows fanboi crap about how this can't possibly work since you aren't spending any money (except for the better hardware).
Will
The magic words in parent post are "via VMware". Running the original OS in a VM under a solid Linux distro is an inexpensive solution for many upgrade issues. The VM can be set up to keep the WinXP, Win98, or WinNT isolated from sources of infection while distros like RH/Fedora, Debian, or Ubuntu have excellent patch and upgrade management systems.
Will
There are better car analogies.
There are lots of farms that use trucks that were new in the 1950s to haul stuff to and from the fields. I once had a summer job at a seed cleaning plant that used a 2 ton 1938 Ford flatbed truck to move pallets of grass seed from the cleaning operation to the warehouse, a quarter mile away. That truck had not been on a paved road in decades, first and third gear were shot, it was always parked on a hill overnight because the starting motor was too weak to crank the cold engine; it had to be jump started in the morning. We routinely overloaded it with up to 8 tons, but it would chug between the two buildings at all of 5 mph.
Continuing to use WinXP or even Win98 in situations that require nothing more is a no brainer. When the hardware wears out, either placing an order with the local computer refurbisher for a rebuilt box of the same vintage, or jumping to Linux on a new box with the ancient OS and its apps running in a VM, would work just fine.
Will
Looks like they finally have a sponsor http://community.reactos.org/?...
Just use warez Windows 7. You torrent an iso and it's free, CD key baked in (you don't even need one), activated, "genuine" and receives updates. At this point it's getting more ethical to run non-legit Windows 7 than legit XP. You will be endangering your family, friends, and also the internet at large as your computers are added to botnets.
In the meantime watch for license deals, MS may have cheap Windows XP to 8.1 upgrade, "family plan" to install Windows 7 on three computers, whatever.
You can reconsider what's a box needed to run Windows 7. Anything with 1GHz or less and 1GB or more runs it, and Windows 7 32bit has vast compatibility with software and even some XP/2000 drivers. Most software that doesn't run on it wouldn't run on XP either.
RAM upgrades are possible and hard drives can be shuffled around. If a computer still can't run Windows 7 after that, it probably isn't able to play youtube videos decently. You might as well put Windows 98SE or ME on such a computer to run 90s/early 00s games on it, or use a linux distro with LXDE if you want to browse the web and other networked tasks.
XP had a bug where you got very high CPU usage in SVCHOST.EXE. Somewhat surprisingly MS fixed it a couple of months ago. If I were in charge I'd have left it unfixed in order to encourage people to upgrade.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Haven't hit that yet - take a look at the drivers on some install disks some time. For when we do hit it there is the option of cold spares. For example I got about 10 Sunblade 5 machines second hand not very many years ago to act as spares for antiquated data acquisition systems - and I can see people on the PC side of things doing similar things. It may not be an ideal solution, but it is a solution of a kind which can keep things going until other components reach a point where they can be replaced (eg. the example I gave above is being phased out).
The people that hacked Natanz would probably find it easier to get exclusive access to a zero day exploit on Windows 7 or 8 than XP.
When you're working for a government spy agency and have endless cash to pay off unprincipled 'security researchers' I think you can get into any OS whether old or new.
China can do the same thing. E.g.
http://en.wikipedia.org/wiki/O...
http://www.symantec.com/connec...
If you look at Stuxnet it seems like the initial infection was done by leaving USB sticks around
http://spectrum.ieee.org/podca...
Ralph Langner: Yeah, that's true. So the distribution we see with Stuxnet is mainly done via infected USB sticks. So, in technical terms, it would be not appropriate to call Stuxnet a worm because Stuxnet does not distribute by self-replication over the Internet, but this—it distributes mostly by infected USB sticks. This is the exact strategy that you would use when attacking an aero jet facility. So just like a nuclear power plant. In this case, it makes most sense to assume that the attack was carried out via the Russian integrator that built the plant. Because if you are familiar with the commissioning of such big plans, you know security in those situations is practically nonexistent, especially IT security. So engineers walk in and out with their notebooks, with their programming devices that they use for programming the PLCs. And those engineers that walk in and out, they easily be lured into picking up infected USB sticks, so this makes very much sense to assume that the attack was performed via the integrator just by making sure that some of their engineers accept infected USB sticks, plug them in their notebooks, go home with their notebooks to their company headquarters, and at some point in time, go with their infected notebooks to the target site. By the way, this also explains all the infections that we see in India, Indonesia, and Pakistan. Because these are also regions where this particular integrator has business.
I've worked at companies where you were searched for removable storage going in. Hell I've worked at places where the USB ports were filled up with epoxy or disabled by group policy.
If you look at Bradley Manning air gap security is vulnerable to a single rogue employee. Also you need management that will enforce the policies - in Manning's case they should have stopped him bringing in CDs.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Rubbish. For many requirements the cycle is much shorter, some incremental and some longer. An arbitrary number is not "reality" no matter what bold type and capitals you use to pretend your opinion is some sort of fact.
Also with enough spare machines you can pretend machines are going to run forever and just replace them when you need something quicker. If it dies most people can put up with something slower for a day or two until something with better specs than could be justified with a rapid replacement cycle or standard PCs purchased in bulk every 3, 5 whatever years. More work in budgeting but a job isn't there to make it easy for the person doing it.
I've got some people using pretty old stuff with a new video card, an SSD and 3 screens - to them it's like having a new computer but with XP and all their old apps still on it. Others might have had a machine that maxed out at 8GB two years ago, so they got a machine that can take 16GB last year and looking at 32GB now - putting an arbitrary date on these things instead of considering usability is IMHO wrong (with capitals, bold and a lot of exclamation marks if you wish).
It's not entirely clear what you mean when you say "root exploit" but one interpretation is an exploit that when run as a regular user gives you administrator/root permissions. There have definitely been recent privilege escalation exploits for XP (e.g. CVE-2013-5065 leverages a bug in NDProxy).
Perhaps you meant "remote exploit" but also last year there was CVE-2013-3175 malformed asynchronous RPC request so another machine can attack your XP machine over the network with no user intervention. See this table of 2013 Windows XP CVE entries for a list of what MS have been patching...
If you are no longer able to keep your OS regularly patched it's no longer safe and you are better off using something else for online activities. Save XP for those appliances that have to use it and can be stringently firewalled/quarantined.
The XP users I know have a large menagerie of applications they've collected over a decade or more with very few that will run in Win7. Migration is a matter of replacing a pile of stuff and learning to do things in a new way instead of the quick ways they know from years of use. While current hardware still supports their platform the XP mode virtual machine in Win7 looks like utter crap in comparison and Virtualbox not much better (although I have a few people on Win7 using that just to run some old AutoDesk software from before they fucked up the interface).
Then there's the stuff locked to hardware that won't run Win7.
To sum up, there's no point people moving unless they get some sort of benefit out of what they move to. More memory than XP can handle was the no brainer for a lot of us, but for some tasks 2-3GB is plenty leaving some people with no problems with the platform.
I think in the future I'll probably end up with people running Win7 (or 9 if it isn't shit) to run MS Office+firefox and for just about everything else they'll VNC to an XP virtual machine on something quick and almost live in that space. People who have been using the same stuff for a decade+ don't want a replacement from a different vendor with a crap metro or ribbon front end, they want the app that they can operate without thinking much about it.
There's so many escalation holes that you can assume that malware without apparent admin rights never wanted it in the first place :(
For other kinds of boxes, just remove the browser and tell people to surf using their tablet or the shared machine down the hall.
Those whose work absolutely requires them to use a browser you can provide with more modern boxes.
Still way cheaper than replacing every single XP box.
> Just don't run as an administrator!
> Also don't run IE or OE.
> Don't use Flash, Adobe Reader or Java.
Well, in that case you could just switch to Linux? IE6 is one of the main reasons why XP is still so popular. Many old web applications were targeting IE5.5 or earlier, and IE6 is the last version with a good compatibility mode.
The only other important reason is hardware. If it is just the PC, the scales have tipped now: a new basic PC is cheaper than another year of support for XP.
But there is also specialist hardware, from ATMs to raster electron microscopes, that need XP for the hardware interface. These are the use cases where locking down XP may actually be an option.
The idea of "let's fire the developers and outsource to India" has been going on for a while and left us with a lot of orphaned software that only works on XP.
There's a bit of it in the *nix world too, hence a pile of stuff that can't be moved beyond RHEL5 (and for one spectacular piece of shit that needs an old flexlm, Redhat7.2).
Of course we're about to be in the same position with the next-gen kit that only supports XP.
We'll end up with all the data from the XP and 9x machines written over a local network to a win7 box, which can also see the proper network and therefore be backed up properly. No more VNC/RDP into the XP machines though - unless we can find a workaround - and we probably can.
Your partner will have to update that sooner or later, or if there is really no money, why be in business?
I keep hearing "but we can't afford to upgrade".
Really? Then why do you go to work every day for years on end, if you'll never have the money for upgrading anything.
What, you bought computers and figure they'll last 50 years?
Budget for it, or change something, cause you're just one step from bankruptcy if the budget is really that tight.
I agree - but not completely - and do something like this for software that requires XP. When the limit is hardware it's another story. Especially if the hardware was pretty esoteric in the first place (and it usually is - mass-market stuff can often be replaced if the drivers aren't available).
Source code isn't much use to the average user - even if it includes the code to the drivers for the stuff the hardware vendor just embedded. And that's even if it wasn't written in something you can't even compile on modern systems.
I wrote software that is now cloned to 5 machines. The machine runs a terribly old OS, no longer supported. But the rest of the machine cost about $2M each....replacing them or part is not an option! So: don't connect it to the internet. These machines have processed countless billions worth of product. The product is worth more than whatever can be found on the machine, so yes the operators will be able to use a privilege escalation bug to gain root access.
Anyway, they run Linux 2.4 on Suse 7.2....
Since we can assume XP will never change once support is over, can't we then do new things to secure it that were impractical in the past?
Hard coded file checks, read only filesystems, out of band checks and so on.. It wouldn't take much to install Linux on a USB key and have it check the local HDD or even just overwrite the OS files at boot, and that's just the first idea that comes to mind. Maybe a bios that won't boot if any of the xp boot files are changed, etc. I'm not saying it's ideal, but it seems like a once moving target is now static, so maybe that can be leveraged to create some safety, especially for the types of systems that are required to continue using XP (I.e. not consumer desktops).
-Lod
Haha. I worked on a project where the machine doesn't cost a lowly $50K. The machine costs on the order of $2M. The machine has processed (I just looked it up) about $40B worth of product... And it's still running software from around '2000. (installed in '97, upgraded in '00)
Nice story, but frankly that old truck is an example of extreme life extension. :)
I'm all for getting your use out of equipment, but I think that one is past its prime, past its extended life, and past its dead by date. :)
If the machine costs over $1M and the vendor will do an upgrade for $20K, that is cheap.
Yes, but the ax sold back then is more or less the same as the ax sold today.
The same is not true of computers, hence the problem with such comparisons.
Have you ever looked closely at medical devices? I work with some systems less than five years old that cost close to $100,000 and they run Windows XP. Should they be replaced? No, not just because the OS beneath the application layer is old. I'm probably the only person in the office that knows it's an XP machine, which helps with security. Sometimes you can't just upgrade.
My own pointless vanity vintage computing page
Numbers that you can't even comprehend. Any system that uses Windows software on non-upgradeable hardware. Medical devices that require specific levels of precision and predictability.
My own pointless vanity vintage computing page
You know that OS/2 is still being sold as eCommStation?
Run XP in a VM that starts always fresh.
I just left a job where we produced POS and back office software for specialty retailers and saw the same thing. The lock-in is just incredible when you're running a nationwide chain with X-number of registers. I think a customer was running Windows 98 on a box with 128 MB of RAM. In fact, if anything you worry about customers looking to upgrade, because if they're going to have to spend all the money to buy new hardware, they're going to reevaluate their software as well, and perhaps choose another vendor.
quiquid id est, timeo puellas et oscula dantes.
Yeah, because drivers are never buggy shit developed in some third world country for 25 cents an hour.. Some bugs may not emerge for years.
Never underestimate the power of stupid people in large groups.
XP Embedded's support doesn't end when XP does.
Windows XP Embedded (Toolkit and Runtime), all versions - January 12, 2016
From https://www.microsoft.com/wind...
Have you virtualised it? Because that HW will give up one day.
sag
What in particular about web browsing in a VM requires Windows as the OS, as opposed to Linux? The only thing I can think of is Flash, if you happen to like advertisements that wave or scream at you, or take over the whole browser window. And maybe a few video players, except that YouTube can work with plain HTML5 now, right?
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
I know someone who is an optometrist who years ago wrote up some cool software to type in and print out exam prescriptions using Wordstar and Mailmerge. At least it's the x86 version (he got it with a Sanyo MBC-555 back in the day), but his main problem so far is finding printers that will work with it. At some point, being a .COM executable is going to be another problem. At least there's no problem with losing that version of Wordstar, because you can download it from Computer History Museum. (I even verified the CRCs.)
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
It's foolish to try and secure XP after its support ends. So much logic is thrown out the window with this idea. Try to remember that Windows XP was designed and released around the time of the Tech Boom/Bust. A pretty different technical environment. That it's still being used is, in a way, a testament to Microsoft's dedication to it, but after twelve years - I mean, geeze, who runs the same OS for twelve years? Do you still play games on a Sega Dreamcast? Ok, that's a bad example, even I still play games on a Sega Dreamcast. But that's an entirely different era by tech standards. The larger problem you may be dealing with is that Microsoft can basically pull support when it likes and if your shop doesn't like it, you should focus on alternatives. If you're going to be a Microsoft Shop, you should adjust your upgrade budget and IT Shop's priorities appropriately, not try to keep using XP and OS/2 Warp and Windows Me because the change is too (understandably) painful.
And yet, still doing the job and saving the company from the cost of purchasing a new(er) truck. Much as Win98 or even DOS boxes can save a ton of money in similar, specialized, situations. Which is why it is a good car analogy. For those who need car analogies.
Will
I'm not even sure what your "salient" point is. We have a $250,000 research NMR with a computer controlling it running XP. The upgrade to use Windows 7 requires a $50,000 investment in new hardware. We don't have that kind of money just hiding in the cracks of the sofa. That NMR doesn't stop running just because Microsoft is tired of playing with XP.
I have one researcher still using Windows 95 on a semiconductor test instrument. That's not getting upgraded either. The cost to "fix/recover" is much cheaper than upgrading. We keep spare drives and drive images and all data is copied off the machine. My biggest concern is replacing a bad motherboard and finding drivers that run the older OS.
Simply slapping a new fresh install of Win8.1 on a research instrument controller is not always an easy or cheap thing to do. Not everybody is just using their computer to surf the web and check email.
Someone mentioned it above. There is software called Windows Steadystate that keeps the base file system unwritable to regular users and instead lets them write changes to a journaled file system that can be selectively restored from the base.
Slashdot readers are much more sophisticated than the average home user, who only uses a computer for e-mail, social media, and web surfing. Why should they be expected to pay good money for a new computer, or to upgrade from XP and install all of the necessary drivers, hardware, etc.
Is it? What is the labor cost of having a truck that only goes 5 mph? What is the labor cost of having to screw around with something so old, you have to park it on a hill to start it?
What is the business risk that it just doesn't start one day, a critical day, and it takes time to fix or get a replacement, yet the crops are ready to go?
It is called stepping over dollars to pickup pennies.
I'm all for being frugal, but at some point you're just being foolish.
On the other hand, when you buy a $100K machine that you intend to use for years, you probably should inquire about the software. Is it likely to be EOLed in the next ten years when you were hoping to use the machine for thirty?
Much like two-digit years and IE6-only webapps, where there was never money to do something that had no immediate value until it was suddenly necessary.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Sure. Now, how do you get the gcode to the cnc machine? Is it connected to the same ethernet that handles the outside connections? I sometimes create gcode on the computer I'm currently using to connect to /., myself, and I'm not saying there is or isn't an air gap, but air gaps are inconvenient and not necessarily effective (*cough*Stuxnet*cough*).
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
When it died last year, I grabbed another Win98 computer I have on hand and brought it to his business. Loaded the software and he was back up and running.
I then bought another Win98 computer that someone was selling, and it is sitting in the corner, waiting its turn.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
Except access to:
;-)
* Serial Ports
* Parallel Ports
* USB Devices
* Firewire Devices
(..obviously differs based on hypervisor chosen...)
With PCI devices, it may even be possible to do passthrough in some cases.
He's probably on nootropics, you should probably try some
I'm not talking any particular size of talk. And others have far outpaced what I wrote anyway. But as we see above, there are valid reasons for many places to keep systems running outmoded (by today's standard) operating systems. Whether the reason is purely physical (no other hardware will work) or purely financial (not worth the cost of upgrades), or a combination of the two with other considerations thrown in (not worth the risk of trying other hardware), it is up to the business owner to decide, since that is the person who makes or loses money based on the decision.
All I can do is research the issue and give recommendations. I can't force them to spend money if they don't want to.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
The hardware may be free, as in already there, but my time isn't. If they don't want to pay me, or can't pay me until the economy actually recovers, then the system stays as it is now. I mentioned above, but the Win98 system died last fall, just as that customer started a big job for a customer. He called me in a panic, I grabbed a Win98 system I had in my room, brought it to his shop, loaded the software, and he was back up that afternoon. A week later, I bought another Win98 system that someone was looking to sell, so I have one on hand if needed.
Would a newer system work in its place? Probably. But he isn't interested in paying me to find out. And the software is very specialized to run one piece of machinery, so I can't exactly test it at home. After reading some of the responses above, I may give some effort to trying Linux with a VM, but I haven't used either too much and have no idea what I would be able to make work for this case. It is worth a look-see though. :^)
As for the WinNT server with the database, this is a new client (not same one as the Win98), so I don't know the whole details. But he explained that the database is some custom software that he's used forever, and he has looked into porting it to something newer. But the task would have to be done manually by a database expert, and it isn't worth the attempt. The box is actually a newer HP server, not something 15 years old. But he made sure it would run WinNT 4, and that is what he is happy with.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
Not all computers are on the internet of things.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
You seriously think his company has no competitors? And no competitors that are young and have shit for brains like yourself? There's probably been dozens that have used your business method and failed because they couldn't handle the upgrade cycle of MS Office, let alone the operating system.
Putz.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
You didn't read the first 9 words that I wrote above, did you?
File under 'M' for 'Manic ranting'
You didn't read the last 10 words of that same sentence, did you?
I'm not trying to get in a pissing match, but it does seem like you are saying all these outdated systems are on the internet.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
Yes. but owing to the fact that I had already prefaced the whole comment with "This may not necessarily apply to every use case..." one would generally figure that facing a "... distinct possibility of being cut off from the Internet entirely" wasn't ever intended to apply to systems which do not regularly utilize an internet connection in the first place.
File under 'M' for 'Manic ranting'
Not going to try to fight here, but I think that if you had elaborated in the OP about this then the impact you were striving for would have been greatly diminished.
If you could provide me some contact information for that client, I'd most likely be able to fix the situation for a nominal fee that I'm sure they'd accept.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
I'll concede I misread your point. But you buy the first round at the beer summit. Fair?
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
I would generally disagree. I could see having some weird old piece of hardware that is completely isolated from the internet running an old OS for a good long time simply because there's no reason to upgrade, but then again, 10 years is already a good long time.
Among most users, the problem is usually just poor planning and bad budgeting. Someone spent a bunch of money buying a solution that they then don't have the money to maintain properly. That's how you end up with businesses running internal custom apps that only run on IE6. That's how you end up with businesses relying on some junky old piece of hardware that constantly breaks down and nobody can fix. That's how you end up needing to rebuild your system from scratch because there's no upgrade path-- the upgrade path from v3 to v7 requires you upgrade through v4, v5, and v6, but v4 is completely unavailable now.
If you're spending 50k in hardware this year, you should have an estimated lifetime for that hardware, a maintenance plan for the lifetime of the hardware, and you should be budgeting for the replacement of the hardware once the lifetime expires. I don't have much sympathy for businesses that bought hardware 10 years ago with no maintenance plan or budget for replacements. If you're running your business and you can't afford to maintain and eventually replace business-critical systems as needed, then your business model isn't sustainable.
Another one runs NT Server, because porting 100,000+ part numbers to a new database isn't worth the upgrade.
Can you name and shame your customer*, so I don't get delayed by parts from that DB when it goes pear-shaped? Data should be transferrable; migration -- like backups and disaster recovery -- should be a thing we expect as normal for digital information.
*: well, no you won't, this request is hyperbole on Slashdot.
One of my friends works in infrastructure maintenance. His typical equipment lifetime is expected to have a mean lifetime of about 50 years, otherwise they get very, very pissed off.
It's not very computerised equipment though.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Your statement makes no sense. "A desktop OS computer" describes pretty much every single computer used to control machinery, excluding embedded systems/PLCs (which are still programmed with "desktop OS computers") and machines can kill users if they behave outside of specified parameters for whatever reason.
Is an upgrade to Win7 in these kinds of situations really any fix? Likelihood is that we'll see the same situation come round again in a few years time.
Sometimes it's possible to skip a whole stage, for example, NT to Win7.
That's the logic anyway, for people who don't trust the upgrade cycle, usually burnt from vendor lock-in.
A blog I run for the wealth