Slashdot Mirror
Ask Slashdot: Preparing For Windows XP EOL?
An anonymous reader writes "As most of us working in IT may know, Microsoft will stop supporting Windows XP on April 8th, 2014. Although this fact has been known for quite some time, XP is still relatively popular in companies and also enjoys noticeable marketshare for home users. Even ATMs are running XP and will continue to do so for some time. A lot of companies/users don't want to change because they see no additional benefit to do a costly upgrade, no reason to change a running system, and they may in some cases be right with their assumptions. So what is the best way to secure this remaining Windows XP systems? Installing the latest security patches, checking firewall status and user permissions etc. should be fairly obvious, as Microsoft Security Essentials may also not receive updates anymore, changing antivirus programs seems a sensible thing to do."
We have mission-critical software that must be run under XP. The software checks the OS somehow and reports Operating System Not Supported if we try to install it under Win7. It *does* run under Win7 in the XP virtual machine, however the software has a hardware security key that attaches to the parallel port, and the VM doesn't let it access the LPT at the low level it needs to (apparently) to recognize the key. It's XP for us for a while, damn the torpedoes.
MSE will have definitions for a year after the EOL: http://blogs.technet.com/b/mmp...
Other than your one embedded example, that I don't think pertains to the other 99% of computer you are discussing, I question that it is really that expensive to upgrade to Win 7...
I realize there is more than hardware costs, but did you really expect your software to work for more than 10-15 years without needing an upgrade? Most people in this situation are there because they have deferred the (most likely needed) updates until now. And now they have an unusual number of computers to upgrade. My employer is squarely in this position.
Bite the bullet and upgrade. If you really want to stand firm against M$ or something, simply install any number of old-hardware-friendly linux distros. Knoppix is my current favorite.
I finally updated my sig, but now it's lame.
stupid AC. I'll tell you why: some people have expensive hardware that only works with xp and its NOT practical to rebuy working hardware just to run a more modern os. the os only exists to run apps and if the value of the apps and hardware are high enough, you will stay with the older os.
of course, AC's think that only linux matters. they can't see that in the real world, you need TOOLS to do your job and if those tools are only running on an older os, you keep that older os!
this should not have to be explained. maybe I got trolled, but figured if he was serious, I'll at least explain WHY you need to continue to run older systems.
--
"It is now safe to switch off your computer."
How about this one. All of your software options are better on 7 than XP. Firefox and Chrome are moving away from supporting it. Microsoft is moving away from supporting it too. You know what that means, Mr. Super Conservative Executive/IT guy? It means your threat vectors are now starting to approach "everything installed on this workstation" instead of just the OS.
I plan to clone my hard drive on April 8th and just restore from that backup whenever I get hacked. No fail in this plan!
In all seriousness, I've been gradually transitioning to Linux Mint as my primary OS, with XP as a dual-boot option (basically for games). I also have a XP VM running under Mint that I'll be able to use if I need XP and don't want to reboot. Everything's installed on a single 1TB platter drive so I really do have 2 cloned backups (on- and off-site) available.
I hadn't planned on getting a Windows OS after XP due to draconian DRM, although I haven't had a problem with XP licensing since I bought it retail in '04; I'm considering getting Win7+SSD since that's what I have at work and it's actually quite nice. That being said, most of the programs I use are cross-platform FOSS, so it's not a strong need (notable exceptions are rFactor and Visual Studio).
my, your, his/her/its, our, your, their
I'm, you're, he's/she's/it's, we're, you're, they're
Use Firefox. Keep the biggest attack vectors up to date (Adobe stuff in particular). Get rid of Java entirely unless you desperately need it; in that case, keep it up to date religiously. Use Adblock Plus (or equivalent) to block ads which sometimes carry malicious code. Don't do stupid things online. Don't run executables unless you absolutely know they're safe. Don't install pirated software since pirated software sometimes comes with lovely surprise infections. Use a limited user account for your daily activities and an administrator account only for maintenance tasks or to run software that won't work under the limited account. Always use a NAT router between the computer and the Internet, and don't run any open wireless network with that PC attached.
It's largely just a matter of (A) don't do obviously dumb things and (B) don't run everything as an administrator in the first place. Remember that antivirus and security software is a final line of defense; everything else is basically a problem with the user's behavior or knowledge, and if you are careful and follow good security practices in the first place, you aren't at any significantly greater risk than you are now.
One more thing: if someone really wants to break in, they will. XP or 7 or 8 or 8.1 and all the updates in the world won't matter in such a case, so my final piece of advice: don't piss anyone off that might want to come after you.
For many of my clients that run milling machines that still run XP, I am just making sure that they are not connected any longer. In that scenario, continuing XP is sensible and cost effective, with little to no risk. I'm sure most of the IT world is going to see the flare up of exploits that people have been hanging on to waiting for MS to no longer be willing to patch. Anyone of my other clients - law firms, non profits etc. - I am forcing the upgrade. No need to be so tied to such a clunky and difficult to recover OS anymore. Embrace the already 4 year old future, get on the update bandwagon and move on. None of my clients are seeing this as the end of the world like the media and others are describing it.
Really. One of my customers has a Win98 box, because it controls a $50,000 device. Another one runs NT Server, because porting 100,000+ part numbers to a new database isn't worth the upgrade.
People forget these contraptions we are typing on are simply tools, especially to businesses that focus on their own products, not what OS is on their computer.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
There hasn't been a root exploit in XP for a couple of years now, which means if you are running as a user and not root, and you know what you are doing, XP should be fairly safe.
1. Run as a regular user and only elevate permissions when you need to
2. Make sure your directory permissions are locked down properly (there are guides to help you do this)
3. Turn off all unnecessary services
4. Run a 3rd party antivirus app - BitDefender Free is excellent
5. Regularly run rootkit detectors and a second on-demand scanner (I use Trend Micro)
6. Don't use IE, use Firefox with NoScript turned on
7. Don't use Flash, Adobe Reader or Java. Use Sumatra PDF for PDF viewing.
I keep a VM of XP around for running some old apps and reading my junk email account. I've been sent virii and all sorts of junkware, and running the above config is pretty impervious to anything thrown at me. I can revert the image to it's original state if something bad happens, and I've yet to have to do that.
My Other Computer Is A Data General Nova III.
Windows SteadyState from Microsoft is available for Windows XP.
SteadyState virtualizes the OS directories transparently on the disk. File writes/updates are directed to a secluded area. You can set it to simply delete those journaled updates upon restart/signoff. Any malware will be effectively gone. Windows Update would still be possible when signing in as the SteadyState administrator (creating an updated image), but that's kind of moot at this point.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
If you think that newer versions of windows don't have anything to offer you shouldn't have to do anything at all
First, the only newer version of Windows that "has anything to offer" is Windows 7. Vista isn't as bad as some people have tried to claim, but once Windows 7 became available, Vista became meaningless and there is absolutely no reason to even consider it. Windows 8 is a mess. One of the all time worst.
But the real problem isn't that newer version of Windows don't have anything to offer. The problem is the expense of switching.. Whether it's an individual with one computer or a business with a few thousand, the cost far outweighs the benefits.
Then there is the dirty little secret of business, that isn't so secret. There are millions of computers running shitty, poorly written software that will stop working if you make the tiniest change to the underlying hardware or operating system. That makes switching even more difficult and expensive.
Depends on the device and the support you get for the device. Just think about it: Microsoft never did give any real "support" to you, most of the time they told you to go to your manufacturer for that. If the manufacturer of the $50,000 device still gives you support in the sense that he will fix any problems that occur with the device, including replacing the hardware that still runs Win98, that is more support that you have ever gotten and will ever get from Microsoft.
don't use firefox. don't use any browser at all. if you need a browser, you need windows 7. sorry to burst your bubble, but anything else is going to be dangerous. you should be getting rid of any potential vector for badness (any software, particularly software that is known to touch the internet) altogether.
It's not stupid. It's quite common for specialised equipment to rely on drivers written for a particular OS. We have a 3 year old transmission dynamometer that cost us $180,000 that is controlled by redundant commodity x86 hardware running XP. There is no need to keep the OS up to date as it serves only one purpose.
Stupid lusers these days think all "PCs" are to be connected to the Internet and used for browsing file sharing sites.
Even without admin rights, malware can do a lot of harm with just user profile data.
XP is very lightweight (runs well in 512MB of RAM), so it makes for a great OS to run in a VM for Web browsing. Have the user that the Web browser is running in be a non-admin, use the above add-ons, and use a sandboxing program like sandboxie, and one can have decent protection. Every few weeks or so, roll back the snapshot so if something did get past the sandbox, it would be gone. Of course, bookmarks would have to be saved somewhere else, but that isn't an impossible task. For AV protection, something like Malwarebytes that blocks rogue IPs is decent, but usually AV software is useless against most attacks due to the 0 day nature.
At my company we have dozens of $500K+ machines that are controlled by NT 4.0 boxes, and dozens of somewhat newere $2M machines contolled by XP boxes.
The vendor has no incentive to upgrade their software to work with a new OS, they'd rather we spend several hundred million on new equipment. And the software that controls the machines is closed and proprietary to the vendor.
We'll still be using NT and XP in 2020.
The logical counter to that is:
YOU HAVE SOMEONE RUNNING A $50,000 ON Win98? Holy crap that is stupid.
Why? These types of systems are in a lot of industries. None of those systems are on the internet. And probably not even on a network at all. It may cost $10K to upgrade the controlling computer. And for what? So you can play a game on it? Or iTunes, or surf the web? No one in thier right fucking mind is going to do this. These are very specific use systems. They don't' need to do anything more than what they are doing and spending a pile of money to upgrade them to a modern OS will gain nothing.
Here's a car analogy for you. You own a red 1500 lb. Ferrari with a 500 HP carbureted single cam pushrod engine that gets 15 mpg. Are you going to buy another one for $150K that looks and weighs exactly the same and has 500 HP and gets 15 mph too but the engine is a dual overhead cam with a turbocharged EFI engine and maybe some LCD touch screen gauges and a DVD player? It's a more modern vehicle, but you gain nothing of any value. Seems like a waste of money to me.
Don't. Don't secure it. Just let the chips fall where they may. Failure is an option, and you've presented things such that it's the best option.
Before you reply with "that's crazy" (or "that's lazy") let me remind you, that you there's "no .. benefit" to being more secure, and "no reason" to worry about the consequences. The submission has already stated that solving the security problem has zero value. So why are you working on it? Just let it go. Security is a don't-care condition. Every hour spent on it, is an hour wasted for no benefit.
If you change your mind about it being a don't-care condition, then you open the door to upgrading to a maintainable OS. But you can't do that, until you decide that upgrading does have benefits, and there is reason to change a running system.
So .. have you changed your mind? Are you still sure there's no benefit to an upgrade and no reason to change a running system? Or have you realized that's TOTALLY FUCKING ABSURD yet? Because I think once you realize that it's TOTALLY FUCKING ABSURD then you're going to see some options appear.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Counter to what some people seem to think, running XP isn't an end in itself. In the real world you run XP in order to run certain applications, right? Applications that typically won't run on Linux (closed-source Windows-only stuff) and may not even run on Windows-7.
Besides upgrading would be really expensive. Ripping out several million boxes, reformatting they disks, installing Linux, dealing with a substantial percentage of cases where the hardware breaks when you unplug them or on which the more recent kernels won't run is very expensive. So expensive in fact that the license cost for a Windows copy will be completely dwarfed by the cost of handling the hardware and installing Linux.
By the time you're done installing the OS you'll find your troubles are only beginning. You'll find that your old applications (that you built into your business) won't function anymore. You might be able to write one single application for ATM's that runs on Linux or or a more recent version of Windows but you won't have time to test that thoroughly (enough) and you'll replicate that application millions of time. Good luck! For ordinary office machines you'll be facing a big bill in reinstalling all the old packages and even more (training !) if you decide to upgrade the applications too. And then you can watch your office performance sag as everyone starts learning their way around the new apps.
Chances are you'll lose a lot more money handling, migrating, training, and pushing updates to all those millions of boxes than dealing with any security problems that may start to arise in the next two years.
That, in a nutshell, is why it makes financial sense to just isolate the, shortly very vulnerable, XP boxes behind firewalls than to upgrade them.
In fact I think you might even be able to insure yourself against cost of problems when you continue using XP at a rate that's much lower than the cost of migrating.
Where I work a good number of the surface mount assembly lines are run by windows 2000 and XP.
The screen printers still run DOS. Many of the electrical testers and chip programmer rigs need XP or lower as well.
As most of these setups require custom PCI IO cards, visualization isn't an option either.
(Though I am happy to have found an ISA to USB adapter that works well under visualization)
When "a pc upgrade" involves replacing a quarter million dollars in hardware and finding the time to eat the cost of downtime over three running shifts, even I couldn't justify the cost of doing so just to get a newer OS (that will still be windows and still go EOL at some future point!)
My solution is to segment older OSes on the network. They can reach the SQL server and occasionally the file server as needed.
NO email, NO internet, NO intranet, no random transfers between there and other networks.
Everyone has Win7 desktops for office, outlook, and firefox. There is no need to even treat the XP systems as computers anymore. They are now appliances.
With the SMT line PCs not even showing a desktop or letting the operators exit the controller GUI, and the test hardware being locked to a list of approved executables (More for QA actually), the likelyhood of an infection requiring a reinstall is next to nill.
That leaves hardware failures. I have full drive images to restore once the HDs fail. On a more serious failure, the entire rig is considered failed. Either time to pony up the $25k for a new system, or we do without.
As long as you get your desktops upgraded, there is a lot less you need to use XP for, and most attack vectors can actually be completely blocked without effecting any work flow what so ever.
Firewall and AV products will not catch 0-day exploits of the Web browser and add-ons. If they are pulled via SSL, even the best SPI firewall will be bested, unless one goes with a MITM system and forces all inside machines to trust the MITM appliance's key as a root one.
Browser exploits are the biggest vector of infection these days, and XP has little to no resistance innately against those, other than running as a non-admin user... and even then, malware can do a lot with a regular user's context.
There's a customer of mine who still uses a Windows 2000 machine. It's not connected to the Internet and runs a rare piece of machinery, and the software can't exactly be moved to another platform. Another customer is in a similar spot except their machinery operates on a P3 with Windows 2000 for a different reason: the software works fine on 2000, but for some reason the manufacturing line occasionally moves further than it's supposed to when the software runs on XP, and that could result in dead employees. There are legitimate reasons to not move to newer platforms. The machines not being on a network and not having any storage media plugged into them largely mitigates any security concerns, though.
I see this response a lot, and I completely understand it. Business needs what it needs, and so if it doesn't see a need to update, it won't. Got it. Perfectly. Crystal Clear.
But an honest question: What happens to that 100k database (maybe 200k in the future?) 5,10,20 years from now, when the computer it runs on breaks and you can't get replacement parts for that old motherboard. When Windows 98 does not have drivers for the hardware being made. When the database grows so large that the HDD in your Windows 98 box can't even handle it. When Windows 98 can't keep up with the network speeds and standards of the future that are required to stay competitive. When the install medium itself gets scratched too many types and stops reading.
I don't feel like I've EVER seen any contingency plan for this. The excuse is always "You're out of touch, business needs to run older systems". Again, I agree and understand. But at some point, maybe not soon, but at some point it WILL stop working, or at the very least, it's age hampers the budget more than helps.
Is there a plan to at least move to VMs to try to preserve the software a little more? (Maybe you are already using the VMs). Are there good backups for the VMs? Can the VMs access the USB ports and what not for your devices? How many of your devices use old ports that don't even come on any computer sold in the past 10 years?
While I understand the reasons for not upgrading immediately (or not even quickly), 15-20 years seems excessive, and I start to think this is a failure of business leaders more so than a misunderstanding of technical people.
I'll trying to get an Installfest setup at the local library to help XP users migrate to Ubuntu.
True. There is no support from Microsoft, *especially* with something like Windows 98 which didn't even come with automatic patches. If you need a bug fixed or a problem solved, you have to call someone other than microsoft.
The problem here is that there are capital purchases that last longer than Microsoft supports their operating systems. Support by MS, non-existent as it is, has never lasted more than 5 years past the time that they last sold the OS. But capital purchases may last several decades. Great, you just put in a new house automation system that runs your AC, heating, security system, and so on, for a $10,000 price. 5 years later the OS no longer gets updates (big deal, the computer is in the attic with no internet access). But let's say you're nervous and call up the original company, if they're still in business, they'll say "we'll sell you an upgraded product for only $11,000".
If you're a corporation there may be a lot of expensive machines purchased with the expectation that they would last for a very very long time. No one gets a budget for new oscilloscopes every five years, yet most clockwork IT drones will advise that everyone gets a new PC every 3 to 5 years. IT rules should have no place in manufacturing or industrial sectors. Thus people keep around the XP or NT computer because it still works (even if you get a new computer you can put XP or NT on it, even if it's via VMware).
You're going to see the same effect soon because of all those automobiles that came with smart entertainment/navigation systems because they'll stop working when the services they connected to stop working; or new smart TVs that won't be able to upgrade (whoops, bad design choice to leave off ipv6).
Yes, XP is good enough, and all later versions really offer nothing new that the average consumer needs. This is all just forced upgrades to guarantee that you keep buying new microsoft products. They could have added a support option and keep XP around; say $5/year gets you continued updates. This would be popular I think for businesses which have many legitimate reasons to keep around old turnkey systems or the like, many of which aren't even on the network. Alternatively MS could provide better XP compatibility in newer systems instead of treating it like a pariah (as well as having newer versions of office actually be able to read and write older office formats).
Forced obsolescence was a bad idea when given to the home consumers. But forced obsolescence foisted upon business and industry is destructive.
If it's the same problem I had, installing IE8 fixes it. For some reason.
systemd is Roko's Basilisk.
FWIW there are print shops with $2mil+ printing presses that still run Windows NT 4.0 on Dec Alpha-based controller PCs (AT motherboard no less - not even ATX!), with no upgrade path offered other than being told by the manufacturer to "buy a new press." WHY buy a new press just because the OS and motherboard are outdated, when it otherwise runs flawlessly?
There are perfectly valid reasons to stick with an EOL OS.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Word came down today that running any XP images is a security violation.
Security violations are potentially an immediate termination offense.
Never answer an anonymous letter. - Yogi Berra
And there is nothing wrong with using XP for that machine for the next 20 years...
So long as it isn't online, isn't used for anything else, etc...
It doesn't even have to know what decade it is in, just run the transmission dynaometer and that's it...
Your only real issue is that at some point, spare parts for the computer itself may become hard to get, I personally would invest in 1 or 2 spare computers, clone the current one, set them in storage, and have them for backups. It shouldn't cost much, a few hundred dollars, and you'll have backups to the one part that is least likely to get support.
Replying to myself to say that the NT4.0 box is probably more secure than upgrading to XP at this point.
I finally updated my sig, but now it's lame.
I used to do consulting for Xerox, it was fairly typical for hospitals to depreciate hardware (such as beds, autoclaves, photocopiers) over 20 years. You can't even get parts for copiers after that amount of time, you are generally relying on 3rd party refill kits for toner and other consumables. From memory 10 years was pretty standard for printers.
Sara
Designer, Gamer, Macgrrl in an XP World
Why not just install a Linux distro?
Give virtualization a try, if you don't have spare hardware and don't have a way to get more (we've ordered out-of-production hardware from Ebay before). There are PCIe cards that supply serial ports, and VMWare lets you add things like serial/parallel controllers, mapped to your real hardware. Assuming they've got a disk image of their super-important computer, things shouldn't be too hard to work out.
It is pitch black. You are likely to be eaten by a grue.
If you do that, also be sure to find the drivers and installation packages for them and store them along with the computers. If you want to get a fresh Windows 98 box running today, it's often harder to track down the proper drivers for Windows 98 for the various pieces of hardware than it is to come up with the 15 year-old parts themselves.
The UCLA Medical System, a gigantic organization, required all hospitals, providers, etc. to standardize on a single, integrated medical record-keeping system. Medical history, diagnoses, prescriptions, appointments — the works. This was within the last 12 months.
It runs on XP.
Happy privacy!
DOS is also very easy to run on arbitrary hardware. Boot it ; done. That was easy! You don't even need a hard drive or floppy anymore as it will run from flash, USB and other options.
On latest hardware you probably have to turn BIOS emulation on in the UEFI setup.
There are better car analogies.
There are lots of farms that use trucks that were new in the 1950s to haul stuff to and from the fields. I once had a summer job at a seed cleaning plant that used a 2 ton 1938 Ford flatbed truck to move pallets of grass seed from the cleaning operation to the warehouse, a quarter mile away. That truck had not been on a paved road in decades, first and third gear were shot, it was always parked on a hill at overnight because the starting motor was too weak to turn crank the cold engine; it had to be jump started in the morning. We routinely overloaded it with up to 8 tons, but it would chug between the two buildings at all of 5 mph.
Continuing to use WinXP or even Win98 in situations that require nothing more is a no brainer. When the hardware wears out, either placing an order with the local computer refurbisher for a rebuilt box of the same vintage, or jumping to Linux on a new box with the ancient OS and its apps running in a VM, would work just fine.
Will
Looks like they finnaly have a sponsor http://community.reactos.org/?...
Source code isn't much use to the average user - even if it includes the code to the drivers for the stuff the hardware vendor just embedded. And that's even if it wasn't written in something you can't even compile on modern systems.
Nice story, but frankly that old truck is an example of extreme life extension. :)
I'm all for getting your use out of equipment, but I think that one is past its prime, past its extended life, and past its dead by date. :)
Is it? What is the labor cost of having a truck that only goes 5 mph? What is the labor cost of having to screw around with something so old, you have to park it on a hill to start it?
What is the business risk that it just doesn't start one day, a critical day, and it takes time to fix or get a replacement, yet the crops are ready to go?
It is called stepping over dollars to pickup pennies.
I'm all for being frugal, but at some point you're just being foolish.