Slashdot Mirror


London Metropolitan Police's 18,000 Windows XP PCs Is a Disaster Waiting To Happen (mspoweruser.com)

According to MSPoweruser, the London Metropolitan Police are still using around 18,000 PCs powered by Windows XP, an operating system Microsoft stopped supporting in 2014. What's more is that the police force is upgrading its PCs from Windows XP to Windows 8.1, instead of Windows 10. Only 8 PCs at the police force are reportedly powered by the "most secure version of Windows right now." From the report: From the looks of things, the London Metropolitan Police will continue to upgrade their systems to Windows 8.1 at the moment. Windows 8.1 is still being supported by Microsoft, although the mainstream support for the OS is set to end on the 9 January 2018. Microsoft will offer extended support for the OS until 2023, which means Windows 8.1 is still a much more secure alternative for the Metropolitan Police than Windows XP. Windows 10 still would have been the best option in terms of security, however. Microsoft is releasing security updates for the OS every month, and the new advanced security features like Windows Defender Advanced Threat Protection make PCs running Windows a whole lot more secure. The spokesman of the Conservative London Assembly said in a statement: "The Met is working towards upgrading its software, but in its current state it's like a fish swimming in a pool of sharks. It is vital the Met is given the resources to step up its upgrade timeline before we see another cyber-attack with nationwide security implications."

27 of 232 comments

  1. I love this crap by Snotnose · · Score: 4, Insightful

    Private companies upgrade regularly, realizing it improves security/productivity. Government agencies never upgrade, then bitch that their anti-terrorism agencies are using 10 year old HW/SW cuz they can't afford to upgrade.

    It's called managing your resources. Or maybe "scare the government into giving us more money than we need cuz look how outdated we are". Either way, the folks in charge need to be fired and the entire culture changed.

    / I used to get a new desktop every 3 years, whether I needed one or not
    // Got memory upgrades in between desktop upgrades
    /// Not so much nowadays, we seem to have hit "good enough": I'm not complaining, my work PC is plenty fast for what I do.

    1. Re:I love this crap by beelsebob · · Score: 5, Insightful

      Private companies upgrade regularly, realizing it improves security/productivity. Government agencies never upgrade, then bitch that their anti-terrorism agencies are using 10 year old HW/SW cuz they can't afford to upgrade.

      The problem is that while the government fully recognises that upgrading is worthwhile, convincing tax payers that spending millions on upgrading computers is a valid thing to do is nigh on impossible.

      You and I can see that in the long run it'll cost less, but some conservative will always tell you that short term tax cuts are worth more than long term stability.

    2. Re:I love this crap by dbIII · · Score: 4, Insightful

      called managing your resources. Or maybe "scare the government into giving us more money than we need cuz look how outdated we are". Either way, the folks in charge need to be fired and the entire culture changed.

      Fired? The person who wouldn't give them a budget to upgrade is Prime Minister now.
      It was a deliberate "austerity" policy.

    3. Re:I love this crap by Anonymous Coward · · Score: 2, Informative

      Why would they care about long term stability? A PM will last 1-2 terms tops, so their sole motivation is to be elected in the next cycle. They will always choose a saving now over a saving in 10 years time. That's why they do silly stuff like sell natural monopolies and fail to cover asset maintenance costs.

    4. Re: I love this crap by guruevi · · Score: 4, Insightful

      How about using free software to begin with, the manpower argument is nil because you're spending more on keeping this old crap running.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:I love this crap by Anonymous Coward · · Score: 3, Insightful

      I wish idiotic people would stop equating upgrading with security. Windows 10 is the LEAST secure OS ever because it comes prepackaged with spyware, malware and back doors galore.

      There is absolutely nothing wrong with running Windows 8 or XP, so long as your administrator is competent. Any OS, aside from Windows 10, can be hardened. Those dinky Microsoft Tuesday patches don't secure shit compared to having a real admin around who understands firewalls, user permissions, network permissions, antivirus/antimalware and plain common sense.

    6. Re:I love this crap by brantondaveperson · · Score: 4, Insightful

      That isn't an unreasonable question, but the answer is that this isn't possible in any meaningfully secure way. You can have your XP continue to run, provided that the hardware is still available, or that a virtual machine can be built to support it, but your other two requirements are contradictory.

      Bug fixes + keep shit the same. If bug fixes are understood to include security patches, and security patches include things like fixing weak encryption algorithms, or immense security disasters like ActiveX or (even worse) third-party immense security disasters like Flash, then you can't really "keep shit the same". Fundamentally, security is not a bug fix, it's an underlying design process that can't be tacked on at the end.

    7. Re: I love this crap by cyber-vandal · · Score: 2

      While that may be satisfying it doesn't solve the problem.

    8. Re: I love this crap by Anonymous Coward · · Score: 2, Funny

      Why use an iPad as a replacement for a PC? Why not use a plastic dish?

      The dish can be thinner and more durable while weighing less. It is dishwasher and microwave safe, immune to electronics bans on TSA screened flights and no one can hack it over the internet.

      Sure, it doesn't let you type quickly or accurately, but neither does the iPad. It also comes in more colors and has many millions of accessories available, including trays, copies, placemats and even salad forks.

      All in all, a PC is great, but if you can't afford one and don't need to actually create content or reports, a dish is a better value than an iPad.

    9. Re: I love this crap by goose-incarnated · · Score: 4, Insightful

      How about using free software to begin with, the manpower argument is nil because you're spending more on keeping this old crap running.

      Came here looking for this comment. Was not disappointed.

      You know, all through the years a bunch of us pointed out that anything your office worker is doing on Windows can be done on a Linux desktop. We had little effect on those whining "But, but, but ... training!!!!"

      Well, the jump from Win7, to Win8, to Win10 is a lot greater than the jump from WinXP to KDE and guess what - your users managed to do just fine.

      So now, to mitigate the security nightmare of literally unsupportable software you want to change to ... temporarily supportable software? You know that this game will play itself out, again, in a few years, right?

      At some point in the future you'll be sitting with security nightmare boxes all running Win10, and moaning about how you need more money to move off an unsupportable Win10 to the new temporarily supportable WinSwissCheese.

      Move to Linux. "Unsupportable" software becomes "support it ourselves if need be". You can't do that now, with MS, and you cannot do that in the future, with MS.

      Or, don't move - I'll still be around to say "I told you so", so at least I'll get to be all smug and stuff.

      (NOTE: "Unsupportable" is different from "unsupported". The former is literally "Impossible to support" while the latter is "Vendor doesn't support it, but we can hire people to support it if need be")

      --
      I'm a minority race. Save your vitriol for white people.
    10. Re: I love this crap by Kiuas · · Score: 5, Insightful

      Move to Linux. "Unsupportable" software becomes "support it ourselves if need be". You can't do that now, with MS, and you cannot do that in the future, with MS.

      I fully agree with this as someone who works for the IT side of the public health care sector of Finland. In fact the main project I'm currently in charge of which is an ERP overhaul project for hospital logistics is a Linux based project that saves us quite a lot of money on the licensing costs alone. Most of the coding itself is done by a midsize Finnish software company.

      However let me illuminate to you the difficulties of doing this at a large scale. A recent list I saw which is not comprehensive probably included 66 active systems currently in use by the hospital district. 6 of those, mine included, are Linux based, the rest are running on Windows. Why is this?

      Well, the acquisition process itself is in its current shape such that it pretty much prevents small to midsize companies from bidding on major projects. The largest IT project going on at the moment is the replacement of the patient information system with a newer one that also unifies lab and imaging results systems and others directly to the patient files so that the treatment staff itself can access all relevant imaging lab and other data directly from the patient file itself without having to keep open several different systems at once like they still currently do.

      We're a large hospital district, the largest in northern Europe. On a yearly basis we treat over a million people and as the most populated district in Finland we're also in charge of all highly specialized care. So needless to say that updating systems critical for the health and safety of over a million people is not exactly something to be done lightly.

      Due to this projects of this size and scope are usually tendered out so that the tendering process itself contains a lot of terms and conditions limiting the size and type of companies that can even participate in the process. First of all they have to be on a stable enough basis monetarily, the financial/risk analysis by itself eliminates most smaller players directly from the game as they're deemed in too high risk of bankruptcy to be reliable.

      The second thing that really cuts out the companies like the ones I'm currently working with from participating in these large scale projects is past experience. Because the margin for error with acquisitions of this kind is so small, it is required that the companies have experience with providing similar systems using similar tech in the past 5 years to a similarly sized hospital area.

      This pretty much narrows the options down a lot. And currently there are no open source players on the market that fill these conditions, as Linux based patient information systems are in their infancy at this point and have not been implemented at this scale yet.

      Due to this the project is currently being developed by Epic Systems, an American megacorp. It's intended to enter use in 2019 with a total price tag of 385 million for the system itself, with a yearly price tag of around 40 million afterwards. How reliable these estimates are I cannot say, because outside providing technical support in the integration between logistics and the system itself I'm not involved in the management of the patient information system project itself and thus am going purely based on publicly available information.

      The way forward here I think would be to set up a government owned IT company. Torvalds is Finnish after all so Linux is more widely used here than in many places so the expertise is there. The government could then pay for the development of large scale open source systems to be used by our public organizations. That's really the only feasible path to a more widespread adoption of open source systems in the public side, because the megacorporations currently in charge of this sphere - Epic included - are not going to be switching over to Linux and surrender their control of the product.

      --
      "It is the business of the future to be dangerous" -Alfred North Whitehead
    11. Re:I love this crap by TheRaven64 · · Score: 2

      You can. If you want it, I can put you in touch with a couple of companies that will offer you a fixed FreeBSD version with security backports. One of them was supporting FreeBSD 2.2.x[1] until a couple of years ago (not quite 20 years of support, but close). I know of at least one major US bank that runs FreeBSD 6 internally (and have only just finished their upgrade) and are paying for security backports and the occasional feature backport. The lack of SMP support was what eventually caused the last 2.x users to migrate: there are a bunch of things in new CPUs that required some reworking of kernel internals and it was cheaper to upgrade than try to backport them (and the backport would have looked so much like the new system that it wasn't worth it).

      The community doesn't want to support a release for more than 5 years, but with any open source project with a decent-sized userbase you'll find a bunch of third parties that will happily take your money for longer support if you want it. Of course, it gets more expensive if you want other things, such as X11, some GNOME or KDE release, or whatever supported.

      The real problem is there isn't a single entity that makes it easy to split the costs of doing so. The UK government could probably afford it quite easily, but most of these procurement decisions are made locally and the Metropolitan Police probably couldn't. You really need a critical mass of people to buy into the idea and split the costs between them: being the first (or only) customer wanting this is expensive!

      [1] 2.x was released in 1994.

      [2] 6 was released in 2005

      --
      I am TheRaven on Soylent News
    12. Re: I love this crap by fidomuh · · Score: 2

      Paid software isn't free either. And if you think moving from Windows XP to 7 to 8 to 10 comes at less of a training cost, as moving to a *nix based system, you're simply wrong. The real caveat is that *nix admins are not cheap, they're not widely available and they often don't fit into the stereotypical view of an IT Supporter/Admin/Manager. Also, there's a real software hurdle, but as with everything, someone has to go first. If not, the monopoly never changes and we're all stuck with less secure, less serviceable and less innovative software. How governments are allowed to use closed software for critical systems and establishing a decade long dependency on 1 company, is beyond me. Bribery or incredible stupidity must be involved.

  2. Win XP still gets updates ... by CaptainDork · · Score: 4, Interesting

    ... after a registry hack to tell it it's an ATM (or other embedded).

    To apply the hack, create a text file with a .reg extension and the contents below:

            Windows Registry Editor Version 5.00
            [HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
            "Installed"=dword:00000001

    --
    It little behooves the best of us to comment on the rest of us.
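
For fleet audits, the value described in the comment above can be looked for in registry exports collected from each machine. This Python is an added example, not part of the original comment; the host names and sample exports are constructed, and treating any nonzero `Installed` value as set is an assumption.

```python
import re

POSREADY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady"  # key from the comment above

def decode_reg(data: bytes) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; older REGEDIT4 files are ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("cp1252", errors="replace")

def parse_reg(text: str) -> dict:
    """Map lower-cased key path -> {lower-cased value name: raw value text}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            # "[-KEY]" is a deletion directive, not a key that exists
            current = None if path.startswith("-") else keys.setdefault(path.lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return keys

def posready_flag(data: bytes) -> bool:
    """True if the export contains the PosReady key with a nonzero Installed dword."""
    values = parse_reg(decode_reg(data)).get(POSREADY_KEY.lower(), {})
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", values.get("installed", ""))
    # Assumption: any nonzero value counts as set (the comment shows 1).
    return bool(m) and int(m.group(1), 16) != 0

def audit(exports: dict) -> list:
    """Return the sorted host names whose export carries the flag."""
    return sorted(host for host, data in exports.items() if posready_flag(data))

# Constructed sample exports keyed by constructed host names.
EXPORTS = {
    # UTF-16LE export with the flag set
    "desk-017": b"\xff\xfe" + (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\WPA\\PosReady]\r\n"
        "\"Installed\"=dword:00000001\r\n"
    ).encode("utf-16-le"),
    # ANSI export, key present but value zero
    "desk-018": b"REGEDIT4\r\n\r\n[hkey_local_machine\\system\\wpa\\posready]\r\n"
                b"\"Installed\"=dword:00000000\r\n",
    # ANSI export, key absent
    "desk-019": b"REGEDIT4\r\n\r\n[HKEY_LOCAL_MACHINE\\SYSTEM\\WPA]\r\n",
    # ANSI export, different letter case, flag set
    "desk-020": b"REGEDIT4\r\n\r\n[hkey_local_machine\\system\\wpa\\posready]\r\n"
                b"\"installed\"=dword:00000001\r\n",
}

if __name__ == "__main__":
    for host in audit(EXPORTS):
        print(f"{host}: PosReady Installed flag is set")
```
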
  3. Windows is not the way. by Gravis+Zero · · Score: 4, Insightful

    I'm sorry but if you are serious about security and long-term stability (decades) then Windows isn't the way. Sure, no OS is perfect but that doesn't mean you should choose to drink raw sewage because filtered water isn't really pure water. Honestly, they should be using some minimal version of FreeBSD with a minimalistic or possibly text interface. Progress is good but only if you are heading in the right direction.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re: Windows is not the way. by lucm · · Score: 2

      So you think cops will do "media capture and processing" or software development? They don't even trust them with guns, you think they'll give them C++ compilers?

      --
      lucm, indeed.
  4. I blame the public by jmccue · · Score: 2

    Welcome to Public Spending, you see things like this everywhere. No money to fund Gov agencies. Makes one wonder if it is due to graft or incompetence or something else.

    I blame the public, the vast majority will talk about a celebrity's sex life or a bunch of millionaires running around on a playing field like the world depends upon it. But knowing or really caring about what an elected official does, no one cares. So we end up with a majority of officials who only care about themselves and how much they can skim for themselves or family/friends.

  5. Re:Virtualization? by IonOtter · · Score: 4, Informative

    Running a VM doesn't take all that much in terms of processor power, but it requires a lot of memory (RAM), usually around 4GB or more. The problem is that 4GB is right at the limit of what XP can use. You want to have at least 8GB of RAM to run smoothly, but that means you have to upgrade to Win7-64 at the very least.

    And even if you're running a VM, the machine can still be infected, and act like a vector to spread the virus through the network. So you have to have a firewall and virus scanner, just like a hardware machine.

    And since we're dealing with previously unknown zero-days, neither of those are of much use. Indeed, they may be worse than useless, as we're starting to find out.

    --
    [End Of Line]
  6. Can we stop pretending XP is dead? by thogard · · Score: 4, Interesting

    Forms of XP are still being sent out on brand new systems and will be for years. These devices tend to be the all in one industrial computers or the ones that integrate with car systems like the ones used in police cars. Because no one is making a secure browser for XP anymore (developers repeat the lie "it isn't supported by MS anymore"), their users may be leaking data about you.

    Free support for home XP users stopped but to many, it is still a current product. While it would be great to have it disappear, I expect its use will far outlive Windows 10 simply because of the old hardware that can't run anything newer that is often attached to even more expensive hardware in a way that prevents upgrades.

  7. I hate to be that guy... by Anonymous Coward · · Score: 3, Insightful

    ...but "18,000 PCs is?" We have this word, "are," for when you have more than one thing. You should look into that.

  8. "most secure version of Windows right now" by Nexion · · Score: 5, Funny

    It's called Windows Powered Off Edition. :P

    1. Re: "most secure version of Windows right now" by TheOuterLinux · · Score: 2

      I'm really curious if anyone has tested ReactOS for security.

  9. Re:43 comments and no talk about proper firewall by PPH · · Score: 3, Insightful

    Completely Firewall off the internet
    Completely Firewall off the internet
    Completely Firewall off ...

    Hey! Look at this neat USB drive I found!

    --
    Have gnu, will travel.
  10. win8.1 vs win10 by cas2000 · · Score: 4, Insightful

    What's more is that the police force is upgrading its PCs from Windows XP to Windows 8.1, instead of Windows 10

    given that:

    a) police computers hold private information on thousands of individuals - convicts, suspects, victims, informants, witnesses, and more

    and

    b) Windows 10 is spyware that routinely uploads data that it finds on PCs to microsoft servers

    It should be illegal for police computers (or those of any government department or any company holding personally identifiable information) to use Windows 10 to store, process, or interact with that data.

  11. I remember reading by rsilvergun · · Score: 4, Informative

    that Theresa May pulled about 18,000 police off the beat. It was one of the reasons her party got beat up in the last election. This is small potatoes compared to that. But either way it's pretty obvious the problem is a lack of funding...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  12. Re:43 comments and no talk about proper firewall by Antique+Geekmeister · · Score: 2

    And this great new mouse!!!

    http://hackaday.com/2010/09/30...

  13. Re:Why Windows 8.1 by yuvcifjt · · Score: 2

    Err, no, WinXP was the best OS Microsoft ever made.
    Win 7 has countless annoying usability issues - some of which are fixed by Classic Shell and 7+ Taskbar Tweaker, including usability issues with the start menu.

    One of the most glaring problems is the lack of horizontal scrollbar in Windows Explorer in the folders pane. And when expanding a folder with double-click (rather than clicking "+", in the folders pane or on a pop-up folder selection box), for no reason, it spasmodically scrolls up and you can't see what just expanded!