End of Windows XP Support Era Signals Beginning of Security Nightmare 646
colinneagle writes "Microsoft's recent announcement that it will end support for the Windows XP operating system in two years signals the end of an era for the company, and potentially the beginning of a nightmare for everyone else. When Microsoft cuts the cord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks, many of which hold the potential to find their way into consumer, enterprise and even industrial systems running the latest software. Although most of the subsequent security issues appear to be at the consumer level, it may not be long until they find a way into corporate networks or industrial systems, says VMWare's Jason Miller. Even scarier, Qualsys's Amol Sarwate says many SCADA systems for industrial networks still run a modified version of XP, and are not in a position to upgrade. Because much of the software running on SCADA systems is not compatible with traditional Microsoft OS capabilities, an OS upgrade would entail much more work than it would for a home or corporate system."
Alternative title? (Score:5, Insightful)
Companies have two years to upgrade from software that is more than ten years old or install a firewall on systems in industrial networks.
Does it really make a difference? (Score:5, Insightful)
Almost nobody ever runs Windows Update on those old SCADA machines anyway, I don't really think this is such a big deal.
Well... (Score:5, Insightful)
14 years of support seems pretty generous - I mean how many versions of OS do Apple currently support? Certainly not all the way back to OS X 10.0. I'm also sure that a lot of those embedded and industrial systems will be updated before then. That's more the job of the manufacturers than Microsoft.
No sympathy (Score:5, Insightful)
This deadline has been known about for the past five years - if you can't resolve upgrade issues in seven years, then you are the problem, not the maker of the software being EOLed.
This isn't happening overnight, you had your chance to do something about it. You might not agree with the EOL, but that's beside the point.
Proofread the summaries! (please) (Score:5, Insightful)
When Microsoft cuts the chord on XP
Cuts the cord?
Or is this some sort of operation that will prevent XP from playing guitar?
Re:release the source? (Score:5, Insightful)
Why not liberate the source and let other companies continue bugfixing?
Oh... doesn't fit the business model?
open source ftw and for long term maintenance.
An, operating system contains something on the order of tens of millions of lines of code. No company is going to handle a maintenance project like that for free and there is no incentive for Microsoft to pay them for it. As for releasing it in the wild, those tens of millions of lines are not the exclusive product of Microsoft, they almost certainty incorporated code that still belongs to other companies into the final package and this code can not be released even if Microsoft wanted to.
Re:No sympathy (Score:5, Insightful)
it's not like you received too much support from ms by default for running 3rd party scada sw anyways..
those scada systems should not be directly connected to internet anyways though.
however, doesn't ms still kinda receive the right to ship security patches/fixes? I bet they do. you never knew if stuff was going to be fixed before this and you'll never know after this. support just kinda meant that you could phone them up(oh and responsibility for defects doesn't stop just because you eol a product line, no matter what the eula says..).
...running the latest software... (Score:5, Insightful)
I'm all for bashing Microsoft but how can you say
"When Microsoft cuts the chord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks, many of which hold the potential to find their way into consumer, enterprise and even industrial systems running the latest software"
while talking about XP? Its over 10 years old. Microsoft have been trying to push people away for two versions of windows. While their upgrade cycle might be very clunky, I don't think the blame can fall fully on them for people who run software which is 10 years out of date, and now out of support.
Same as it has always been (Score:5, Insightful)
This is no different from when Windows 2000 reached its end of life, or 98, or NT4. The life cycles of Microsoft products tend to be consistent and well known.
Anyone using Windows on a SCADA system should not just rely on Microsoft's updates for security. Lock them down, limit Internet access to a minimum, don't use Administrator accounts, don't install any Adobe products, don't use the systems for general purpose web browsing and don't feed them after midnight. Most security holes require some active interaction to work.
I still have a bunch of Win2000 systems in use and they chug along fine.
Re:release the source? (Score:5, Insightful)
Try reporting a bug with the Linux 2.0 kernel or glibc 2.0, you will be told to upgrade to the latest version. And while the upgrade may be free, the time and effort associated with moving an entire codebase to a modern version isn't.
Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.
incompetent morons (Score:5, Insightful)
Re:"Beginning" of security nightmare? (Score:5, Insightful)
That's a bit of a generalization.
Is it so hard to believe there are people with up-to-date XP systems who simply don't feel like forking out a couple hundred dollars to fix something that isn't broken?
Re:Alternative title? (Score:5, Insightful)
To Slashdot editors: please, FFS, can we just have some news without the heavy bias and inflammatory commentary? That's what comments are for. We can't mod stories as "flamebait".
Re:Special treatment again? (Score:4, Insightful)
How many Linux and OSX releases are supported for 12 years?
How many Linux distributions (where maintainers stayed in business) have not seen a major upgrade for the better part of a decade? That's the time it took from XP to Vista. And then the upgrade wasn't even considered an upgrade by many - so maybe you should look at the time it took from XP to Win7 even?
Pretty long EOL too (Score:5, Insightful)
All Windows versions come with 10 years of guaranteed support. 5 years of primary support, where they get new features and service packs, 5 years of extended support, where they get bug and security fixes. MS is known to increase that, but never decrease. In the case of XP, they did extend support. XP is getting 14 years total of support.
I have zero sympathy. You have to cut support for old versions at some point. Even if you are doing everything for free, it just gets infeasible to maintain old code all the time. Ubutnu only does 5 years on LTS releases. In MS's case, it is also because bills need to be paid. They don't charge yearly for maintenance or patches or anything, the cost of that is included in the purchase price. Well, that means that price has to be paid every once and awhile, and once per 10+ years isn't unreasonable.
As you say this isn't happening overnight, nor is it a situation of MS suddenly reducing support life. This has been known for a long, long time. Any company that is sticking their head in the sand about it is bringing about their own problems and on their own heads be it, they can't blame MS at all.
Look people, XP goes out of support in 2014. STFU and deal with it. You've 3 choices:
1) Upgrade. Really, this is not hard. 7 Is an extremely good OS, I've been very pleased with it. It will be supported until January 14, 2020 at a minimum, unless MS chooses to extend it so you've at least 8 years before you need to upgrade again. Once a decade-ish isn't too often to upgrade.
2) Isolate. You can just take the damn thing off the Internet if it is really a problem. We've done that at work with a few old Windows 98 systems. We are a university and so don't always have money for new toys. We get some old piece of equipment that is controlled by software that only runs in 98 or earlier. Fine, it just doesn't get on the net. Yes it is a bit inconvenient. Deal with it. The air gap works.
3) Protect. If it really is an issue, you can lock down and protect the systems. Put them all on a private network that can only be accessed via a controller system that is bitchy about what is and is not allowed in and out. Then internally have each system run a locked down firewall and set of services. Disallow any web access, only access to internal systems. Lock everything down tight, with multiple levels of security, and even lacking patches you can likely keep it secure.
This is nothing more than companies whining because they want to be lazy. They don't want to take the effort to upgrade to a new version of Windows, don't want to take the effort to increase security, and just think that MS should patch shit forever to support their laziness.
No sympathy here.
Re:Does it really make a difference? (Score:5, Insightful)
Re:release the source? (Score:5, Insightful)
Sorry, we're running life critical systems here. We can't rely on "taking a look at it". We need a guarantee which is just a teeny bit stronger than that. Many of our systems do run Linux, but only because a consulting company is willing to fill that gap and assume the role of supplying custom fixes/patches while we wait for "official" ones to make it into the kernal. It's not that we have anything against the community, but frankly we need someone to take responsibility and to be held accountable for all aspects of our system.
As for this news? Shrug. Anybody who doesn't already have a plan still has two years to figure it out and get one in place. I can't find any sympathy in me for someone who hasn't come up with a solution by then.
Emphasis mine. This is possible only because Linux is open source. Thanks for making exactly the point that needed to be made in favor of an open source OS.
Re:...running the latest software... (Score:4, Insightful)
Re:release the source? (Score:3, Insightful)
And a consulting company will happily fill the gap and provide maintenance for a 2.0 kernel, it makes no difference to them... Money is money, and the code is still available.
With closed source you simply don't have the option of hiring a consulting company, it's the original vendor or nothing and it would be utterly irresponsible to make critical systems depend on something you don't have the source of and are utterly beholden to a single vendor for.
Re:release the source? (Score:2, Insightful)
Having the sourcecode doesn't seem to help people create malware targeted at linux or bsd users...
Re:release the source? (Score:3, Insightful)
My comment is based on experience, not supposition.
Fortunately for you, you have the code, you have the ability to fix the problem yourself (or pay someone to do it)
You can't do that with XP.
Re:Just wondering about activation (Score:5, Insightful)
I'm pretty sure yes, they will continue to run their activation servers for a long time. As you say, your license doesn't expire.
If in the bleak, distant future when robots rule the world you are still using XP and MS wants to turn off the activation servers they will probably release a patch to disable the activation stuff, or provide a 'golden key' as you say. I'm sure by then they won't care too much about potential piracy of a 20+ year old OS. (That'd be like them caring that I may or may not have some pirated floppy disks of DOS 6.22 sitting in my garage somewhere...)
Comment removed (Score:4, Insightful)
Cuts the "chord"? (Score:5, Insightful)
"English, motherfucker! Do you speak it?"
Comment removed (Score:5, Insightful)
Re:...running the latest software... (Score:5, Insightful)
Absolutely! Unless you pre-purchased a support plan that extends beyond the "about 9 years" you mention, your manufacturer is probably under no obligation in any way to fix your car. In fact, they're not even under any obligation to accept money from you to fix your car (nor is Microsoft, although they will in fact continue supporting outdated OSs if you pay them enough). As for the recall, that's not required either, no. It might be economically wise (as it, "end up costing less than the lawsuits and loss of business") but I'm not aware of any law that would compel them to do so.
Personal anecdote: I couldn't find anybody who was willing to fix some damage to my 1990 Subaru Legacy. It's not that it wasn't fixable, it's just that they literally couldn't find the required part. Even ignoring that the cost would have been greater than the insurance value of the car, I literally couldn't find any shop in the area that would take my money to do it, because the car has been out of production for so long that the wrecking yards had even sold off all their working copies of that part.
Also, a car analogy here is stupid, despite Slashdot tradition. A car is quite reasonably expected to run for at least a decade and usually much longer if treated well. The manufacture and maintenance of them is a practice well over a century in age. The rate of improvements in them, despite your "all better than mine, probably safer and with more features" comment, is really quite minor year-over-year. None of those things are true of desktop operating systems. Additionally, my 22-year-old car still ran on pretty much the same "hardware" (internal combustion of gasoline, asphault-paved roads, etc.) today as it was designed to do over two decades ago. These days, sub-$500 new computers come with too much RAM for XP to even address all of it!
Re:release the source? (Score:4, Insightful)
There is a real risk with going down that route however, and that is that unless you can get your changes merged into the main branch (far from guaranteed), you are now running a forked version of Linux
Yes but in the worst case scenario (your changed not merged) that buys you time. This is priceless compared to Windows where you're left on your own with an insecure system.
Look, this is not a perfect solution, just because there is no perfect solution. But having an open source system is much better than a closed source one for that very reason. You *can* do it on your own if you need to.
Re:Support, or broken crutch? (Score:4, Insightful)
wait.. so what you just said was you never had XP support either..
btw it's "connect with pants down and legs spread" :D
Re:release the source? (Score:2, Insightful)
are you kidding? or are you just stupid?
any sane person who can do a search on the internet can see that linux kernel continues to have DOZENS upon DOZENS of security bugs. hell almost every single android phone running linux can be rooted... because linux developers continue to introduce security bugs in source code of every release.
besides which.. malware is something the user has to install themselves, it has nothing to do with security bugs.. although the existence of security bugs in firefox helps when you want to create drive by download method of infection.
Re:release the source? (Score:4, Insightful)
Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.
Microsoft had publicized these deadlines ever since the product was released. This is not the news here: the news is that a lot of people are still using the system. Serious companies that rely on Windows XP for their business have always known that support would end in 2014, and so have factored that into account.
Re:release the source? (Score:3, Insightful)
Why do these manufacturers not have explicit, individual support contracts from Microsoft to suit their own longterm requirements then?
Relying on the general public support policy of any OS maker or community for this sort of usage is just fucking ridiculous and proves that, as I have said elsewhere, the problem lies with the SCADA manufacturers rather than the OS.
Re:Pretty long EOL too (Score:5, Insightful)
XP is getting 14 years total of support.
Not if you're one of the many people who bought a netbook or "nettop" with XP on it in the last few years.
This is nothing more than companies whining because they want to be lazy. They don't want to take the effort to upgrade to a new version of Windows, don't want to take the effort to increase security, and just think that MS should patch shit forever to support their laziness.
Actually, they don't want to pay two hundred bucks to go to an operating system that doesn't run their software. Or at least, that's my situation. Windows XP runs stuff that doesn't run on Wine or on Windows 7.
Re:Pretty long EOL too (Score:4, Insightful)
Not to sound unsympathetic, but you bought a disposable computer that was outdated the day it was manufactured. Netbooks were meant to be frequently replaced; making them underpowered and easy to break is how they got the costs so low in the first place.
Re:release the source? (Score:5, Insightful)
I don't disagree with you, but the economic pressures are relentless. As late as the mid-1990s a manufacturer could count on there being an ecosystem and trained programmers available for the various high-security, high-reliability architectures on the market (or at least people willing to take jobs being trained as programmers, designers, etc for such systems). By 2000 those ecosystems and finally the architectures themselves had vanished under the avalanche of Wintel systems (bought a new PDP-11 lately? Or even a Tandem Nonstop?). And the cost differential in favor of Wintel went from 1/3x to 1/1000x. It is extremely hard to convince a product development board that your product needs 1000x more funding than the team building what is fundamentally very similar consumer- or commercial-grade system.
And the demand from customers drives things too. Right now every operating manager I work with wants to be able to monitor his plant from home on his iPhone. Customers are putting enormous pressure on their vendors to replace expensive proprietary (but secure) wireless interfaces with much cheaper iPhones. Security gets paid lip service in the spec but doesn't control the decision.
sPh
Re:release the source? (Score:3, Insightful)
Remember when they released the Netscape source? Every begged them to open it and said how it would be so awesome with all those developers helping make it better. Well, every looked over the code, decided it was too confusing and started over on Mozilla. Total waste of time. Set open source back by years to throw away the Netscape codebase but "other people's code" always looks confusing and weird. I guess they believed their own hype that if you get the code you can just open it up in emacs and start fixing bugs. Well, it doesn't work that way. It would take months to get your head around some shit like Netscape, Windows XP would be even worse.
Re:No sympathy (Score:4, Insightful)
It's a driver issue for me (Score:5, Insightful)
We have a small family business in a city where much of our good manufacturing jobs have gone overseas. Everybody who walks in the front door is looking for a deal because they have no money, or perhaps because their new job at Wal-Mart doesn't pay like the old one.
I don't have the customer base or cashflow to just upgrade at a whim. My major issue is we have several commercial duty printers that cost several thousand dollars each. We do some pretty customized printing, odd sized paper, etc. Under Win 7, NONE of these printers will do anything more than single sided sheet of paper, cannot even duplex. I've contacted HP directly, had the Xerox people in here, and in both cases, they refuse to provide new drivers that will make these printers work under Win 7 the same way they do under XP. Even simple things like duplexing cannot be done in some cases. The official response form these companies? But a new printer. That's it.
I do run linux, but you know something, even though I can make these printers work under linux no problem, there is no good substitute for Pagemaker and/or Indesign in Linux. As long as Scribus does not or cannot import my Pagemaker and./or InDesign files, it is useless to me. I have a library of almost 20 years of Pagemaker and InDesign files that we created from the ground up, and untill I can import them, Scribus and therefore by extention I cannot use Linux.
So I do not mind upgrading to Win 7 in itself, it's the fact that some of my high end printers and scanners do not work well with Win 7 because "They are too old".
One more thing - some - well heck, many of these new printers are junk. My old, Made in Japan printers had heavy duty metal bearings and gears. Many of the new, brand name printers made in China use plastic gear and bears, or cheaper metal they physically breaks down more often than the old printers. A ten year duty cycle of heavy day to day use was not uncommon for a good HP, today I am told expect three years then toss it.
Yeah, in an economy when money is tight everywhere, the upgrade to Win 7 is not doing me much good. For all you guys who say you have no sympathy for guys like me who don't want to upgrade, well sorry, money is tight, we have to keep a tight ship, and when I see perfectly good hardware unable to run under Win 7 simply because somebody will not make a driver for it, well, as Judge Judy would say "Don't pee on my leg and tell me it's raining."
Comment removed (Score:3, Insightful)
Comment removed (Score:5, Insightful)
Re:Same as it has always been (Score:5, Insightful)
So, people (incl manufacturer) were choosing to install an OS on their hardware that had incredibly well-known and published EOL dates coming up, even though Microsoft had updated versions with substantially greater lifetimes ahead of them already released. And, somehow, that's Microsoft's fault. Not the manufacturer's fault, not the purchaser's fault... Microsoft's fault.
Whu?
Re:release the source? (Score:2, Insightful)
And hey with a scalpel I'm qualified to be your heart surgeon...right?
The two are not the same. Heart surgery is a specialism that requires probably a 5 year degree, following by a decade or so of further training under most medical regimes. Software development is a bit more open. The kernel isn't magic, it's just software; if you are a good C programmer you should be able to figure it out enough to complete the task at hand
you expect Joe average to pull off a major rewrite?
Who said anything about a major rewrite? The vast majority of security fixes are very small, and generally target a few lines of code where some trivial mistake was made. The only reason a major rewrite would be required is if the protocols or implementation are completely broken and insecure. And if that is the case, you're better just disabling the broken functionality.
And do you have ANY idea how much it would cost to hire a qualified kernel developer to do your own custom rewrite?
RedHat, Canonical, etc. all ship custom kernels. Kernel development can be hard, but it's certainly not impossible for a good programmer who has never worked on the kernel to do development there. There are probably at least a few thousand programmers in the world who already have kernel experience. Hiring good C programmers isn't cheap, but it may well be cheaper than rewriting your custom SCADA implementation to run on a more modern OS.
Support lifetime IP lifetime (Score:3, Insightful)
Fourteen years sounds like a long time to support a software product. Yet I find it interesting to point out that, in the U.S., any "inventions" that debuted with the release of Windows XP will still have 6 years of patent protection, and the code itself will have another 75 years of copyright protection. This is for a product that's already been unavailable commercially for a while and will be completely dead in two more years.
Overly long IP lifetimes hurt security, technological progress, innovation, and culture.
Re:Well... (Score:4, Insightful)
Bingo. This also applies to "middleware". I have many times argued with developers about the value of using in-house developed tools and/or simple APIs that can easily be replaced as OS, networks, or other items are updated (or no longer updated) rather than use every shiny new vendor/platform/OS specific shortcut. Using such shortcuts may cut out a little work now, but if it locks you to a specific vendor/OS/version, it's going to become a support problem in a few years, and by then, you'll spend far more time dealing with and/or working around the problem you have created than you would have by doing a little more work up front. If you can't fairly quickly replicate the functionality and substitute another version/vendor/OS/in-house solution, then you haven't done an adequate jobs of designing your software.
Re:what's the difference (Score:5, Insightful)
It's certainly better support than Apple. XP was released in 2001 so that would be equivalent to OS 9.2 in the Apple world. Do they still support it?
Ha! A big fat no. They don't even support my OS, which is as recent as 10.5 (last powerpc variant). If anything Microsoft is acting better than Apple does and should receive some praise for supporting XP as long as they have. I've been using the same computer for 10+ years (and thus saving a lot of cash).