Some Of The Pentagon's Critical Infrastructure Still Runs Windows 95 And 98 (defenseone.com)
SmartAboutThings writes:
The Pentagon is set to complete its Windows 10 transition by the end of this year, but nearly 75% of its control system devices still run Windows XP or other older versions, including Windows 95 and 98. A Pentagon official now wants the bug bounty program of the top U.S. defense agency expanded to scan for vulnerabilities in its critical infrastructure.
DefenseOne raises the possibility of "building and electrical systems, HVAC equipment and other critical infrastructure laden with internet-connected sensors," with one military program manager saying "A lot of these systems are still Windows 95 or 98, and that's OK -- if they're not connected to the internet." Windows Report notes that though Microsoft no longer supports Windows XP, "the Defense Department is paying Microsoft to continue providing support for the legacy OS."
You wouldn't believe the crap that gets implemented. In the last three years I've seen new control systems implemented on Windows 2000 Pro because that's what the government agency mandated. It's all over the place, but fortunately in most cases it's never internet-connected.
Posting AC for obvious reasons.
They should really upgrade to Vista.
Hopefully they realize that means more than "there's no Ethernet cable connecting this computer to the network"
That a piece of equipment is connected to a network via an Ethernet cable does not mean it's connected to the Internet.
If you want news from today, you have to come back tomorrow.
I Know Right!
At least state governments aren't running that crap. They're all on IBM's much more robust OS/2 Warp. You think I'm kidding...I'm not.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
You really have to wonder:
1. The source would be available, so they never have to worry about obsolescence.
2. It runs on all sorts of hardware, so they could maintain very nice consistency across many processors/platforms.
3. The NSA is working on secure Linux, and could certainly help to harden military-grade Linux.
4. To get work done, they could fund open-source efforts. The work would help the military and the country alike.
Probably makes too much sense. Much better to have a closed-source, proprietary system that can never, ever be secure.
Plus it's more expensive!
Absolute statements are never true
I work in a building where the heating system is controlled by a Windows 95 machine. Big deal. It's not network connected, and runs like a champ. It only changes the configuration of the system, it doesn't run the system minute by minute. If it goes down, we can recreate it easily. Worry about business critical infrastructure, not old hardware that works.
This administration couldn't deliver a pizza given a GPS and a limousine service.
XML is known as a key material required to create SMD: Software of Mass Destruction.
Since they are not getting forced updates.
Microsoft would have a hard time disallowing DoD access at 20 years old and at least 17-20 years out of print.
With the source code, fix the bugs, implement a proper firewall and modern FIPS-certified encryption systems, and call it a day.
People act like just because software/hardware is old, it SHOULD be obsolete. The truth is often the opposite: As long as it does what it is supposed to, reliably and for less than the alternative, it is a good solution.
Furthermore, as clunkily designed as the Win9x series was, it has a *LOT* less attack surface than any of the Windows NT 6.x releases (Vista-10) and has 20 years of enthusiast documentation and patches for its most serious shortcomings. (They have Win9x running on hardware up to Sandy Bridge/K10 or so. Which implies the right maintenance will keep Win9x acceptable for single core 32 bit x86 for as long as anyone needs to run it.)
Mostly because the military doesn't need or want the latest fad. They need reliability. They have more than sufficient problems executing their missions without constantly changing interfaces and such "features" as automatic software updates made at a time convenient to the vendor.
Also, much military hardware is custom stuff built for a single purpose. The CPUs and OSes (if any) would be selected initially to have sufficient capability for their job, and usually not much more. If they do what's needed, what point would there be in upgrading? And why would you risk it? If you do it routinely, you'll probably make mistakes with serious consequences.
The last military contract I worked on -- a number of decades ago -- was a system that ran on a computer built to military standards using discrete transistors -- none of those fancy IC things. It was nowhere near as powerful as the PC-XTs in our office. But it would run equally poorly in the Arctic in January or the Middle East in July. And the computer would probably survive being inadvertently dropped off a truck by some high school dropout then run over by the next two vehicles in the convoy.
Frankly, the notion of having my life and safety depend on an NT-based OS from Microsoft would not make me feel very secure. Unix, compiled with only what is needed, would be better. But only if the system underwent a LOT of rigorous testing prior to deployment and wasn't upgraded unless the change were absolutely necessary.
There's a lot of truth in Arthur Clarke's short story "Superiority" http://www.mayofamily.com/RLM/... Folks who haven't read it, should.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
To be fair, Linux has many of these same problems, in particular because newer versions break compatibility with old hardware, which forces old versions of the OS to be used on the old hardware. For instance, this happened with X11 when they removed XAA, which broke support for a vast array of older video cards. This disregard for backward compatibility keeps people using old, security-hole-filled versions of software. Many warned against removing XAA, but the lead developers basically don't give a damn about users. The "let's remove old cruft and destroy backwards compatibility" people should also be ignored, since you end up creating compatibility problems that keep people using older, insecure versions.