Some Of The Pentagon's Critical Infrastructure Still Runs Windows 95 And 98 (defenseone.com)
SmartAboutThings writes:
The Pentagon is set to complete its Windows 10 transition by the end of this year, but nearly 75% of its control system devices still run Windows XP or other older versions, including Windows 95 and 98. A Pentagon official now wants the bug bounty program of the top U.S. defense agency expanded to scan for vulnerabilities in its critical infrastructure.
DefenseOne raises the possibility of "building and electrical systems, HVAC equipment and other critical infrastructure laden with internet-connected sensors," with one military program manager saying "A lot of these systems are still Windows 95 or 98, and that's OK -- if they're not connected to the internet." Windows Report notes that though Microsoft no longer supports Windows XP, "the Defense Department is paying Microsoft to continue providing support for the legacy OS."
you really have to wonder
1 the source would be available so they never have to worry about obsolescence.
2 it runs on all sorts of hardware so they could maintain very nice consistency across many processors/platforms
3 the NSA is working on secure linux, and could certainly help to harden military grade linux
4 to get work done, they could fund open-source efforts. the work would help the military and the country alike.
probably makes too much sense. much better to have a closed-source, proprietary system that can never, ever be secure.
plus it's more expensive!
Absolute statements are never true
I work in a building where the heating system is controlled by a Windows 95 machine. Big deal. It's not network connected, and runs like a champ. It only changes the configuration of the system, it doesn't run the system minute by minute. If it goes down, we can recreate it easily. Worry about business critical infrastructure, not old hardware that works.
Microsoft would have a hard time disallowing DoD access at 20 years old and at least 17-20 out of print.
With the source code, fix the bugs, implement a proper firewall and modern FIPS-certified encryption systems, and call it a day.
People act like just because software/hardware is old, it SHOULD be obsolete. The truth is often the opposite: As long as it does what it is supposed to, reliably and for less than the alternative, it is a good solution.
Furthermore, as clunkily designed as the Win9x series was, it has a *LOT* less attack surface than any of the Windows NT 6.x releases (Vista-10) and has 20 years of enthusiast documentation and patches for its most serious shortcomings. (They have Win9x running on hardware up to Sandy Bridge/K10 or so. Which implies the right maintenance will keep Win9x acceptable for single core 32 bit x86 for as long as anyone needs to run it.)