There is a relatively old—though still fundamentally true—adage about Windows: Microsoft's biggest competition is Microsoft, as a specific subset of users (and businesses) only upgrade to the latest version of Windows kicking and screaming. According to SpiceWorks' Future of Network and Endpoint Security report, published Tuesday, 32% of organizations still have at least one Windows XP device connected to their network, despite extended support for XP ending in 2014. (Notably, the last variant of XP, Windows POSReady 2009, reached end of life in April 2019.)
With the looming end of free support for Windows 7, this reticence of users and enterprises to upgrade to newer versions of Windows is likely to create significant security issues. Presently, 79% of organizations still have at least one Windows 7 system on their network, according to SpiceWorks, which also found that two thirds of businesses plan to migrate all of their machines off Windows 7 prior to the end of support on January 14, 2020, while a quarter will only migrate after that deadline.
(Score: 5, Insightful) by bzipitidoo on Tuesday July 30 2019, @09:29PM (9 children)
That's one way to handle the upgrade treadmill. Don't move. Sure, you get dumped off the end of the treadmill, but the damage from that little fall is puny.
As to the dangers from being hacked, XP can be hardened considerably. Firs thing to do is shut off all those services that weren't being used anyway. Next, a firewall of good quality, running on another machine, can detect and block traffic that's designed to exploit vulnerabilities in XP. It's more work to maintain such a firewall, but that can be less trouble than upgrading.
(Score: 3, Interesting) by Snotnose on Tuesday July 30 2019, @09:38PM (4 children)
10 years ago I worked for a company that still had a lab full of OS/2 machines. I ran OS/2 back in the day, but I didn't have a clue how to drive these machines anymore. They were used to control test equipment, with detailed instructions on exactly what to do to make them work.
Not connected to the internet, no security problem, just a PITA when you needed to run particular tests.
When the dust settled America realized it was saved by a porn star.
(Score: 4, Interesting) by Runaway1956 on Tuesday July 30 2019, @10:44PM (3 children)
Coca Cola in Dallas ran their warehouse inventory system on Win3.1 well after SP2 and SP3 came out for XP. In fact, I was messing with XP 64-bit when I discovered their 3.1 machine. It wasn't connected to the internet, and the software worked. They didn't want to pay anyone to update/upgrade the software to run on XP, they just continued using what they had. For all I know, they still run a couple Win3.1 machines for their own special purposes.
(Score: 2) by PartTimeZombie on Wednesday July 31 2019, @12:12AM (2 children)
I have a Win 98 machine running some colour management software that won't run on anything newer (because of the HAL in newer Windows I expect) and it is not plugged into any network, so I am not going to worry about security.
The business is well aware that when the machine dies the data is gone too, and if they don't want to update the colour standards on the new machines I got them then it won't be my problem.
(Score: 2) by Runaway1956 on Wednesday July 31 2019, @02:48PM (1 child)
Mildly curious - have you ever attempted to run it on NT4, or Win2K? Not sure if they both have HAL or not. Hmmm - it appears that both have HAL - https://en.wikipedia.org/wiki/Hardware_abstraction#Microsoft_Windows [wikipedia.org]
(Score: 2) by PartTimeZombie on Wednesday July 31 2019, @08:07PM
Yeah, I think I remember HAL being introduced as some sort of security improvement in NT4, maybe.
I don't have time to be messing about with 20 year old, unsupported hardware and software. The company has plenty of money and can afford the $30k it will cost to replace the old kit. Everyone is comfortable with the fact it will die one day. Until it dies of course, you know how that goes I'm sure.
(Score: 1, Insightful) by Anonymous Coward on Wednesday July 31 2019, @12:42AM
Old but reliable (unfortunately hackable due to low-moral scum) VS new spyware dictatorship. Hmm... take our chances with the ratbags.
(Score: 2) by driverless on Wednesday July 31 2019, @04:08AM (2 children)
That's one good point about XP, you can shut down pretty much everything that makes an XP machine vulnerable with close to zero loss in functionality. There's a direct correspondence between unnecessary services and open ports, and once you've shut them down your vulnerability is dramatically decreased. With Windows 7 this was still somewhat possible, but with 8 and even more so 10 it's more or less impossible, every service depends on every other service so you need to keep the whole mass of crap running whether you need it or not, and there's so many hidden services and whatnot lurking in the background waiting to accept unchecked external data into their bug-riddled innards that you can never make it really secure.
I bet I can make an XP machine safer to put on a network than a Windows 10 machine for precisely this reason.
(Score: 1, Interesting) by Anonymous Coward on Wednesday July 31 2019, @04:53AM (1 child)
XP in a VM? Maybe. XP on a machine? Hell No. Quite a lot of networking hardware has vulnerabilities that won't get fixed...
(Score: 2) by toddestan on Thursday August 01 2019, @02:56AM
On the other hand, Windows XP will run on hardware that predates all the nonsense that makes that kind of thing possible.
Have fun trying to hack my old K6 and 3Com 3C509B.
(Score: 1, Insightful) by Anonymous Coward on Tuesday July 30 2019, @10:10PM (4 children)
don't fsck with it.
(Score: 2) by Snotnose on Wednesday July 31 2019, @12:15AM
Mid 90s, bunch of Sun machines used for logging (and development, and monitoring, but logging was the issue). They would crash and every time they got rebooted they had less disc space. Heard about this in a meeting that was half VPs and above, the other half a smattering of techs to engineers to PMs. I was an engineer. Tech said "dunno where the disc space is going", I said "fsuck the drive", then thought "oops, should not have said that". A VP looked at me, said "what?". I said "run eff ess cee kay on the drive". Next week the tech said "hey, we got all our disc space back!", and all was well.
Not sure if I was the only one who read fsck as fsuck, but after that meeting I'm sure it spread like a, hey, a meme! I mighta started a meme!
When the dust settled America realized it was saved by a porn star.
(Score: 2) by epitaxial on Wednesday July 31 2019, @11:56AM (1 child)
One of the most important things I've learned.
(Score: 0) by Anonymous Coward on Wednesday July 31 2019, @04:44PM
If you're in an IT leadership or management position, and you change for the sake of change, don't be surprised if the person occupying your position is changed for the sake of change.
(Score: 2) by DannyB on Wednesday July 31 2019, @01:59PM
If it ain't broke. Fix it 'till it is.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 4, Insightful) by Anonymous Coward on Tuesday July 30 2019, @10:16PM (10 children)
while an old one gets both progressively less vulnerable as old holes get patched, and less promising target as more clueless users upgrade to a new shinier sieve.
(Score: 5, Insightful) by RS3 on Tuesday July 30 2019, @10:34PM (7 children)
This is exactly what I've been saying for many years. I'd much rather have an "old" OS that is mature and more debugged. Look at how many GB you have to download and patch on a new Win 10 install. Yow! I don't understand the mentality of so many outspoken individuals slamming "old, ancient, insecure" OSes, in favor of "modern" OSes and browsers. Most of the old vulnerabilities have been patched, assuming the machines are updated as much as possible. New exploits attack new bugs in new "modern" code.
This all started when someone decided the customer is to be the beta test site, and customers accepted it.
And for the record, I support some XP machines, including some that are online (behind a firewall) and even have (patched) Windows Remote Desktop open and have never been hacked. Frankly, the machines are not mission critical- just mostly "stuff", not mine, and I don't care.
(Score: 3, Funny) by Gaaark on Wednesday July 31 2019, @01:24AM (5 children)
Never been
hacked/cracked that you KNOW of.Maybe YOUR machines are running Zuckerberg's brain. SHUT THEM DOWN!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by RS3 on Wednesday July 31 2019, @01:40AM (4 children)
Hey Gaaark, they are NOT MY machines, okay? You want it different, pay me- fork over some $. Why do you care, anyway?
(Score: 3, Insightful) by Gaaark on Wednesday July 31 2019, @10:30AM (3 children)
Sorry...guess my comedy is off.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by RS3 on Wednesday July 31 2019, @01:47PM (2 children)
I thought it might be humor. No, it's me, and I shouldn't react to things, nor write online, right now. I'm sitting in hospital with my dad who's on day 15. He's finally improving medically, but now he's so deconditioned that he'll spend weeks in skilled nursing / PT. The situation is a bit wearing. I'm a bit weary of, well, many things, including OSes. I'd just like something that works. I'm weary of the update cycles. Win10 forced updating. Just. So. Tiring. And I don't know who to blame- MS? Sheeple? Govt? My head spins. I think too much crap is baked into Windows. Too difficult to separate out. I'd prefer a simple microkernel and configurable modules for all of the "stuff". Every Windows install I have to get in and turn off ton's of unnecessary and potentially dangerous services. Just when I get an OS stable, the general talk is that the OS is old and dangerous to world peace. So I'm the one who is sorry!!
(Score: 2) by Gaaark on Wednesday July 31 2019, @11:15PM (1 child)
No problem.
Sorry about your dad: like with my son, you've got a constant stress right now.
Try to stay sane in the insanity.
I know a guy who only looks after Apple and Unix computers: he basically told his clients they either had to drop Windows or find someone else to look after it for them because of having to deal with the shit you're talking about.
Keep calm and Dad on. Hope things improve for you and him.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by RS3 on Thursday August 01 2019, @03:13AM
It's frustrating on many levels. One is: I wish I had tried for med school. I love asking the doctors stimulating questions, like "would plasmapheresis help my dad's problem?" Didn't really get a detailed answer, but I love the way they respond. He's been in for 2+ weeks and has a lung infection and they're not sure exactly what it is, or how many there are (bacterial, viral, fungal), and there's some indication of autoimmune, and he's had a couple of immunotherapy treatments. So they're doing everything they can. He's slowly getting better- he's very strong, mostly stubborn. Glad I didn't inherit that. Ahem.
(Score: 1, Insightful) by Anonymous Coward on Wednesday July 31 2019, @03:51AM
Hardening systems also goes a long way toward making existing holes impossible or at least very difficult to exploit remotely. All the hand waving FUD about old and insecure operates on the notion that everybody connects their old and insecure systems directly to the internet without anything in between and without any baseline hardening such as disabling everything that isn't actively needed.
(Score: 0) by Anonymous Coward on Tuesday July 30 2019, @10:35PM (1 child)
Except for state agents that routinely weaponize any existing hole.
(Score: 0) by Anonymous Coward on Tuesday July 30 2019, @11:47PM
Isn't it The Silliest Idea of Millenium.
(Score: 1, Informative) by Anonymous Coward on Tuesday July 30 2019, @10:33PM (1 child)
It is 2019 and almost all hardware on the network has back doors baked into them.
Also don't forget that Linux etc also have bugs added to them by helpful contributors/spies.
(Score: 0) by Anonymous Coward on Tuesday July 30 2019, @10:52PM
Ha!, not only the software but also the hardware can be easily trojanized.
Theodore Ts'o writes this about Linux: "I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction." [schneier.com].
Fortunetely RdRand is just one of many inputs used by the Linux kernel’s pool to generate random data. But, yeah, we're pretty much screwed.
(Score: 2) by jmorris on Wednesday July 31 2019, @01:56AM (4 children)
We had a vendor pitch us an embedded system that was still running XP. Yes, in 2019. They aren't fly by night so I guess Microsoft either still sells licenses or you can resell a machine that exercised downgrade rights included in Pro and Corporate licenses. Even downgraded to a version that has been out of support for five effing years. I was gobsmacked.
The lesson to take is everybody talks about security, but the reality is almost nobody actually gives a damn until they get hacked. Which is the secret to Microsoft's continued existence.
(Score: 3, Interesting) by RS3 on Wednesday July 31 2019, @02:11PM (2 children)
Not sure where you got your info on the "out of support for five effing years." XP / POS / Embedded has been supported all along. MS recently have tapered off support, but 2 critical updates came through in the past 3 months.
And in an embedded system that's online, what specific service do you envision is running and vulnerable? SMB/CIFS? You've got a firewall, right? You're not opening ports 137-139, 445, etc., to incoming traffic, right? Worried about internal malware? That'll clobber any Windows.
How about this: instead of "old ancient" and "new modern", we call the OSes "well refined and debugged", and "tons of bugs yet to be found and fixed".
(Score: 0) by Anonymous Coward on Wednesday July 31 2019, @05:09PM
Internal malware can be mostly taken care of with a proper whitelisting based execution policy --- easier in Windows 7 an up because it's built-in (but rarely used and never spoken of by "security experts" for who knows what reason), but there are plenty 3rd party programs to add such functionality to XP. Hell, simply blacklisting %temp% goes a long way to kill almost anything fishy cold.
(Score: 2) by jmorris on Wednesday July 31 2019, @07:01PM
Had we bought, we would be installing the stuff about now. And embedded is a fuzzy thing. These machines would be in a kiosk and boot to a single application, but they would also be exposing a GUI to the general public and accessing Cloud based resources. So what would I do, put them in our DMZ zone where they would be easier for an outsider to hack into but couldn't harm the internal network as easy, or bury them inside the internal net which makes them a harder target, but with all the Cloud activity not invulnerable, but if taken gives an attacker a paved road into our internal net? Or build a third hardened internal net for them?
With the exception of a Windows based accounting system, which is impossible to avoid since the only vendors with access to the government systems required to do payroll reporting is Win/Mac only, I have avoided the Windows plague. No intention to invite it in now, especially a version that would be extinct on the ribbon cutting day. Maybe the vendor would eventually update, maybe we would be stuck on XP for another five to ten years.
(Score: 2) by toddestan on Thursday August 01 2019, @03:11AM
The place I used to work at sold embedded systems, and basically Microsoft's response when we asked about still getting XP licenses was "tough shit". Maybe for larger companies, Microsoft might have changed their tune, but we were way too small for them to care about. We of course moved to Windows 7, but some of the older stuff we had stopped selling some time ago but still supported was never going to move to something newer. They stockpiled a bunch of XP machines for repairs, and smartly would take back working XP machines as trade-ins from customers who would upgrade their equipment and stockpile those too, which gave them even more spare XP machines they could sell as "refurbished".
I'd be a bit curious too about what hardware that system was running too. One of the other issues we ran into was the lack of drivers for newer hardware. For example the last of the new XP machines had an nVidia graphics card - not because it needed one, but because the built-in Intel graphics didn't have an XP driver. And in 2019, there's a fair amount of hardware that doesn't even have a Windows 7 driver, ditto for XP. It wouldn't surprise me if those machines were running some hardware from 5-6+ years ago in addition to Windows XP.
(Score: 0) by Anonymous Coward on Wednesday July 31 2019, @03:35AM (1 child)
If newer versions weren't (even more) cancer compared to older ones this wouldn't be an issue. Reliability > Security (if you keep backups, and I know... they probably don't). Ever since the 2K->XP transition new versions were always a complete revamp of everything, these aren't upgrades as much as they are paradigm shifts with uncounted things that can go wrong.
(Score: 3, Informative) by jb on Wednesday July 31 2019, @05:45AM
Indeed. Although naturally migrating to (any) real OS would be orders of magnitude less risky than either "alternative", it seems probable that even sticking with the unsupported Windows XP would expose those organisations to less risk than "upgrading" to Windows 10.
Even if we assume that there's a very high probability (say, p=0.99) that a non-air-gapped Windows XP machine still running today will be compromised before its hardware expires of old age, that's still marginally better than the certain (p=1) knowledge that Windows 10 ships already compromised, by its own vendor (for more detail, see the terms of service for Windows 10).
(Score: 0) by Anonymous Coward on Wednesday July 31 2019, @07:57AM (1 child)
Who provide them hardware, host it and even pay for the electricity bill.
(Score: 0) by Anonymous Coward on Wednesday July 31 2019, @09:16AM
They sure do, Microsoft does indeed love corporations that run Windows 10 onion nodes.
(Score: 2) by VLM on Wednesday July 31 2019, @12:06PM
I wonder what class of application. The examples I'm all aware of are "appliances" that generally are not connected to the network or are firewalled to ridiculous levels.
HVAC controller. Electronic door lock controller. Eprom (and similar microcontroller device) programmer. An old fashioned film scanner. Generally a front end GUI plugged into very expensive hardware. And you can get away with either never connecting it to anything or transferring files ever, or a little flash drive is more than adequate.
(Score: 2) by DannyB on Wednesday July 31 2019, @02:01PM
I'm still waiting for Windows XP to finish installing.
It's still spinning.
When it is done, I will do the upgrades to XP Service Pack 3.
Then this shiny cool new machine with 256 MB of memory and 4 GB hard drive will be ready to use.
It's still spinning.
I anticipate the installation will be done any time now.
Maybe this year will be the lucky one.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 2) by Hyperturtle on Wednesday July 31 2019, @05:07PM
It sounds like sales are low and the drumbeat of forced upgrades because of the is reducing shareholder value or convenience or SaaS management (Subscriptions as a Service) or...
I noticed that car and home and retail sales are all down this quarter. Nissan is laying off over 10,000 people due to lower sales and even lower expectations.
Subscriptions aren't the same as sales, since there is no even delusional ownership of a locally installed licensed copy of something that still works, which could compete against Microsoft's bottom line. That bottom line got really fat with forced upgrades and Cloud stuff. Subscriptions always make money. Sales only make it for this quarter. I worked at a place that were eagerly shafting their long-term clients in order to kill their own service and support models in order to appease microsoft. They clouded so much they went out of business and were purchased by a competitor... only so much consolidation in a shrinking pool of clients can take place before they run out of targets willing to get upgraded.
Most companies that are holding out actually are not unaware XP was released after Windows 2000 and before Vista/Windows 7, so it is not like the latest scare tactics are going to work and increase sales. I expect something exciting will happen in the market to help encourage more upgrades. Sort of like how anti-virus companies used to regularly have a catchy virus name to hype, I expect something that is secured best on "Microsoft Whatever Millenial Exploitation Cloud365" is going to scare up some sales before long.
The CPU vulnerabilities haven't pushed enough new CPU sales to businesses, so maybe something will come out that is patchable and causes performance to plummet again on older systems, which can then be blamed for being old and only Windows 10 will perform ok for people.
Or I am just skeptical of the altruism in this news of XP still running in 2019, and that really it's a public benefit to point out that even if it still works, you fail as an IT professional for not being part of the cloud crowd even if it isn't applicable to the systems singled out for such derision.
Eh don't get me wrong. Upgrades and updates are often required for reasons too numerous to count. But these articles are mostly just to scare up sales from ignorant people that shouldn't be making IT decisions, and have been repeated ad infinitum ever since holdouts to forced payments have existed.
(Score: 2) by darnkitten on Wednesday July 31 2019, @07:40PM (1 child)
I run a small rural library (town of about 700, service population around 2500). We have4 public access computers (PACs) and 2 staff computers. Everything runs Win7, with F/LOSS software where possible (LibreOffice instead of MS Office, etc). Everything is as secure as we (I) can make it: secure router with segregated wi-fi, no Chrome, IE hidden (there are STILL govt. sites that require IE6 compliance, so we can't remove it completely), Patron-friendly security on Firefox/Pale Moon, default search to Startpage or DDG, anti-malware and automatic clearing of user info, docs, etc. We haven't had an infection in almost a decade.
I'm worried, though, about Win7's EOL. We've experimented with Linux, but unfortunately, though the public catalog is browser-based, the proprietary catalog/ILS software (we are part of a state-run catalog consortium) is Windows only, Linux support having been removed by the company a couple of buyouts ago. We are required to provide PACs, and folks at the State are saying to just bite the bullet and move to 10.
But Win10 is deeply unpopular: the best reaction to it is tolerance, and ranges from there to active hatred--it reminds me of the reaction to Ubuntu's Unity, several years ago, when we tried it out. People have told me they switched to tablet or phone rather than use a Win10 machine given to them. I don't know--I could be reading my own prejudice into the dilemma, but Win10 just does not seem like a good option.
(Score: 0) by Anonymous Coward on Wednesday August 07 2019, @07:46PM
it may not work, but if it doesn't run afoul of the DRM or some funky cornercase of code, you might be able to run it inside of window and provide it to users that way, saving yourself both the licenses and security concerns of Windows. Whether it will continue working between wine updates and software updates is another matter, but if it doesn't it provides a nice cost savings and reproducible environment.
(Score: 0) by Anonymous Coward on Wednesday July 31 2019, @09:07PM
If my choice is theoretical hackers versus deploying known spyware that used malware tactics to trick people into installing it, I'll err on the side of caution and deal with the theoretical hackers that may or may not exist, rather than the obvious threat on my doorstep, thank you very much.
Granted Windows 7 is pretty much OK, but given the shitshow of Windows 10 I think we're going to be seeing XP and 7 installations for a very, very, very long time to come, regardless of Microsoft's "support" status. Contrary to popular belief, if you're using stand-alone software rather than software as a service (for example, Windows 10, or so Microsoft claims), the software will not be obliterated just because the company doesn't think you should run it anymore. Which should be a cautionary tale to anyone who thinks the "cloud" or "software as a service" are answers to all ills, but I think things are going to get a lot worse on that front before they get any better.