End of Windows XP Support Era Signals Beginning of Security Nightmare
colinneagle writes "Microsoft's recent announcement that it will end support for the Windows XP operating system in two years signals the end of an era for the company, and potentially the beginning of a nightmare for everyone else. When Microsoft cuts the cord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks, many of which hold the potential to find their way into consumer, enterprise and even industrial systems running the latest software. Although most of the subsequent security issues appear to be at the consumer level, it may not be long until they find a way into corporate networks or industrial systems, says VMware's Jason Miller. Even scarier, Qualys's Amol Sarwate says many SCADA systems for industrial networks still run a modified version of XP, and are not in a position to upgrade. Because much of the software running on SCADA systems is not compatible with traditional Microsoft OS capabilities, an OS upgrade would entail much more work than it would for a home or corporate system."
what's the difference (Score:4, Funny)
Re:what's the difference (Score:5, Funny)
Microsoft already cut the chord a decade ago - with their sh*tty Windows XP boot chime.
Re:what's the difference (Score:4, Funny)
Cutting the chord... what does this mean for C#?
Re:what's the difference (Score:5, Insightful)
It's certainly better support than Apple. XP was released in 2001 so that would be equivalent to OS 9.2 in the Apple world. Do they still support it?
Ha! A big fat no. They don't even support my OS, which is as recent as 10.5 (last powerpc variant). If anything Microsoft is acting better than Apple does and should receive some praise for supporting XP as long as they have. I've been using the same computer for 10+ years (and thus saving a lot of cash).
Re: (Score:3)
How many major releases have there been since OS 9.2? How many have there been since XP? Especially considering Vista was a big failure.
Apple and MS have very different release cycles. Comparing them is comparing apples and oranges. That said, I was under the impression MS had already abandoned XP quite some time ago.
Re:what's the difference (Score:5, Informative)
Rather than saying they have different release cycles you should be saying they have different release methodologies or software life cycles. Apple apparently supports two releases back (searches for "apple software life cycle" only result in forum posts asking the same question), while Microsoft has defined support periods that are generally quite long. Microsoft's approach is important for people who intend to incorporate Microsoft's products into their business processes. Apple's approach is (marginally) acceptable for consumer products.
Apple releases new versions that don't have substantial backward compatibility guarantees about as often as Microsoft releases service packs that do make an emphasis on backward compatibility.
As far as comparing between the two -- in my experience having two macs, a first gen apple tv, an ipod, a couple of iphones and an ipad and five windows boxes running XP, Vista and 7 -- windows service packs frequently deliver not only rolled up bug fixes, but new functionality similar to the kinds of new functionality that you'd find in Apple OS X releases.
Fundamentally Microsoft does a much better job of supporting prior generation platforms than Apple does by far. Hell, Apple, as near as I can tell, obsoletes products just because.
Re: (Score:3)
Most of the so-called "releases" from Apple are just minor upgrades to the ongoing OS X project..... equivalent to Microsoft service packs. SO:
Apple had 9 updates (9.2,10.0,.1,.2,.3,.4,.5,.6,.7)
Microsoft also had 9 (XP-0, -1, -2, -3, Vista-0, -1, -2, Seven-0, -1).
But Microsoft provides support across ~13 years (from XP-SP0 initial release to 2014) whereas Apple only provides support for 1/3rd as long. Apple's philosophy forces people like me to buy new hardware to stay up-to-date (since 10.6, 10.7 won't r
Re:what's the difference (Score:4, Interesting)
What a shame. My car's only 4 years newer than XP and it still runs fine. So does my TV, even though I had to get a digital tuner for it.
So you have millions of computers that will be unusable because the OS manufacturer refuses to support it. Meanwhile, my car needs new struts -- still available and will be for decades. Hell, if it were a '64 Ford I could still get parts and have it serviced.
Good thing we have Linux so those old boxes don't wind up in landfills prematurely.
Re: (Score:3)
The PC (by whatever name you prefer) really only became available to consumers in the form of the old Apple 1 back in 1976, and a bit later, the TRS-80 Model 1. Yes, there were other machines around, but for the general consumer, these were some of the first machines that were even available to them. The invention of the TV is quite a bit older, and as a static device that does only ONE thing, it makes sense that SOFTWARE is the key thing that differentiates between problems in the computer realm and t
Re: (Score:3)
P.S.
Is Apple any better? WinXP was released in 2001 so that would be equivalent to OS 9.2 in the Apple world. Do they still support it?
Ha! A big fat no. They don't even support my OS, which is as recent as 10.5 (last powerpc variant). If anything Microsoft is acting better than Apple does and should receive some praise for supporting XP as long as they have. I've been using the same computer for 10+ years (and thus saving a lot of cash).
Re: (Score:3)
Is Apple any better?
No, and no Linux distro I'm aware of is either. I think some of the big Unix vendors may be comparable or better though.
WinXP was released in 2001 so that would be equivalent to OS 9.2 in the Apple world.
IMO support lifecycles should be measured not from when the OS came out but from when its successor came out. Still, MS is better than pretty much everyone else by that measure too.
Re: (Score:3)
Okay. I'm using both XP (2007) and 10.5 (2010) with their date-of-last sale in the parentheses.
So Microsoft will provide a total support of 7 years from XP's final sale to 2014, whereas Apple only provided 1 and a half years for 10.5.
Re: (Score:3)
You miss my point entirely. XP is an 11 year old operating system that runs on 11 year old computers. You're not going to get Win 7 or Ubuntu 11.10 to run on an 11 year old computer. So Grandma has her 11 year old computer that she only uses for email and checking the weather and stuff like that, which is still perfectly usable, except that FLAWS in its OS won't be fixed.
If there's a design defect found in a '98 Chevy, Chevy will recall the car and fix the problem. For Microsoft to not add features to XP is
Support? (Score:5, Funny)
When Microsoft cuts the chord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks
I can't say I'm going to miss Microsoft XP support.
I can't say I've ever had Microsoft XP support, either-
Re:Support? (Score:5, Funny)
maybe you should have paid for your copy?
Re:Support? (Score:5, Funny)
>>maybe you should have paid for your copy?
Oh I tried. Microsoft, however, would not sell me a copy. They only sell licenses.
Re: (Score:3)
>>maybe you should have paid for your copy?
Oh I tried. Microsoft, however, would not sell me a copy. They only sell licenses.
I thought that software isn't the same as a tangible physical object? So if you can't steal it, how can you own it?
Support, or broken crutch? (Score:5, Interesting)
I can't say I've ever had Microsoft XP support, either-
I did, back in the days when XP SP1 was promulgated, but it was not one of Microsoft's prouder moments. The SP1 package downloaded, but would not install. Several attempts yielded the same result, and various help articles on the MS web site were consulted fruitlessly. So I duly filed a report on the MS web site, not expecting much to happen. Somewhat to my surprise, I got a phone call a couple of days later (must have been international, I'm in Finland, and the support person spoke English with an Indian accent). She talked me through what I had already tried, and it failed yet again. So then she told me to disable all firewalls, both in the PC and in the router, and try again. I suggested that would be unwise, since my router logs indicated several nasty packets (fake routing, port probes, etc.) per second were being blocked, and none appeared to be from Microsoft. Her response was that the only way for me to install SP1 was to disable all firewalls. In other words, connect with pants down and legs open to a stream of questionable health. Yeah, right.
I paid attention to her advice, but did not follow it. Instead, I installed Warty Warthog, which seemed to work quite nicely (but had issues with wireless which meant wired connections only). A beta version of Breezy Badger followed, and it autodetected and supported almost everything on the laptop, including the wireless. XP was thrown away shortly thereafter, and the 8-year-old laptop today runs Xubuntu (10.04 LTS, soon upgrading to 12.04 LTS).
Re:Support, or broken crutch? (Score:4, Insightful)
wait.. so what you just said was you never had XP support either..
btw it's "connect with pants down and legs spread" :D
Cutting the chord (Score:4, Funny)
About time. XP default sounds suck.
Alternative title? (Score:5, Insightful)
Companies have two years to upgrade from software that is more than ten years old or install a firewall on systems in industrial networks.
Re:Alternative title? (Score:5, Insightful)
To Slashdot editors: please, FFS, can we just have some news without the heavy bias and inflammatory commentary? That's what comments are for. We can't mod stories as "flamebait".
Re: (Score:3)
Guess what has even longer support... http://en.wikipedia.org/wiki/Windows_XP_Embedded#Windows_XP_Embedded
Most assuredly. Has anyone ever seen a Windows XP Embedded system actually upgraded? (Stares at GE portable ultrasound purchased in 2006 with 'copyright 1997-2001' splashed everywhere.)
Anyone?
Does it really make a difference? (Score:5, Insightful)
Almost nobody ever runs Windows Update on those old SCADA machines anyway, I don't really think this is such a big deal.
Re:Does it really make a difference? (Score:5, Insightful)
Re: (Score:3)
If it's something embedded, they'll have it behind layers of security.
I take umbrage at this statement. It is never wise to assume anything when it comes to security. And if you've been following the articles related to SCADA systems and industrial security that have been popping up lately, it is obvious that the industrial controls market somehow thinks that *their* systems will never get a virus anyway. With the latest crop of SCADA software touting Cloud Storage/Control and Mobile Access as the latest and greatest _must have_ features, security will be more of a concern
Well... (Score:5, Insightful)
14 years of support seems pretty generous - I mean how many versions of OS do Apple currently support? Certainly not all the way back to OS X 10.0. I'm also sure that a lot of those embedded and industrial systems will be updated before then. That's more the job of the manufacturers than Microsoft.
Re:Well... (Score:5, Informative)
I agree, the 14 years was pretty generous.
When XP was originally released, I was running some SuSE 7.x version. The first 7.x version was released in September 2000. The last 7.x version went end-of-life in December 2003, meaning a support span of 3 years and 3 months. Fedora has something like a thirteen month support span, depending on the release date of version x+2. Only RHEL appears to be supported for 10 years.
There is one big difference: all Linux distros release a new version every 1-2 years. The next Windows release took 6 years, but the next Windows release that was really usable in companies took a few years more.
Re:Well... (Score:5, Informative)
I'm also sure that a lot of those embedded and industrial systems will be updated before then.
I'm very sure a lot of those WON'T be upgraded. Those that do need to pass several barriers:
1. Manufacturer needs to provide an updated system.
2. The system needs to be able to be taken down for maintenance. I know some industrial plants have an 8 year maintenance shutdown cycle.
3a. You need the motivation to upgrade. Security holes in an OS are not motivation; the vendor will have to EOL the entire system before most people will move.
3b. If the entire system isn't EOL'ed the vendor will need to provide an OS / interface update for their existing system. Seeing a vendor provide a partial update like this is rarer than rocking-horse poo. Assuming they have the motivation and capability to do it, some systems need to pass certification as well, which they often don't think is a justifiable expense.
4. Speaking of justifiable expense, an upgrade like this would involve stripping all I/O out of the old control system, replacing the system itself, recommissioning and loop checking, and then testing the software. Often the time constraints for such an activity are measured in days, not weeks. It's a big and very labour intensive job, not to mention expenses will run in the hundreds of thousands. That's a LOT of money for maintaining the status quo.
Basically I guarantee there'll be plenty of embedded and industrial systems running on Windows XP for many years to come. How do I know? Well currently there are plenty of embedded and industrial systems running on Windows NT4 as well. We have about 8 such systems at our plant. One of them at least gets upgraded "soon". Windows NT4 was EOLed in 2004, the PLC was EOL'ed in 2007, we received approval from the corporate bigwigs for the upgrade last year, and the next scheduled shutdown is 2017. Fun fact, we buy old PCs capable of running Windows NT4 from our employees and have about 10 of them in storage, just in case.
Although it could be worse, one plant in my city runs a PLC from the same vendor as the one above which is a version older still. Their attached PCs run DOS.
Re: (Score:3)
I mean how many versions of OS do Apple currently support? Certainly not all the way back to OS X 10.0.
Piss on Apple. When Solaris 2.5.x was out you could still get support for SunOS 4.1.4. That's many versions into a major version upgrade. PC companies like Microsoft don't even know the meaning of support. (And now Sun's hosed since Oracle thinks it means only "earning opportunity")
Re:Well... (Score:5, Interesting)
Computers last longer than 2 years.
And so did XP: it has been around since 2001. That means when the deadline hits it'll have been around for 13 years.
At the end of the day, if you don't want to be forced into upgrading your systems someday then don't base critical hardware around something which someone else controls and is known to make redundant now and again. "But it's cheaper to buy someone else's solution than develop your own!". Yeah, it is, but the tradeoff is that you're at the mercy of their update and redundancy schedule. Businesses should have taken the longevity of the systems into account before they bought it and planned accordingly: it's no secret at all that this sort of thing happens.
Re:Well... (Score:4, Insightful)
Bingo. This also applies to "middleware". I have many times argued with developers about the value of using in-house developed tools and/or simple APIs that can easily be replaced as OS, networks, or other items are updated (or no longer updated) rather than use every shiny new vendor/platform/OS specific shortcut. Using such shortcuts may cut out a little work now, but if it locks you to a specific vendor/OS/version, it's going to become a support problem in a few years, and by then, you'll spend far more time dealing with and/or working around the problem you have created than you would have by doing a little more work up front. If you can't fairly quickly replicate the functionality and substitute another version/vendor/OS/in-house solution, then you haven't done an adequate job of designing your software.
Re: (Score:3)
No sympathy (Score:5, Insightful)
This deadline has been known about for the past five years - if you can't resolve upgrade issues in seven years, then you are the problem, not the maker of the software being EOLed.
This isn't happening overnight, you had your chance to do something about it. You might not agree with the EOL, but that's beside the point.
Re:No sympathy (Score:5, Insightful)
It's not like you received too much support from MS by default for running 3rd party SCADA software anyways..
Those SCADA systems should not be directly connected to the Internet anyways though.
However, doesn't MS still kinda reserve the right to ship security patches/fixes? I bet they do. You never knew if stuff was going to be fixed before this and you'll never know after this. Support just kinda meant that you could phone them up (oh, and responsibility for defects doesn't stop just because you EOL a product line, no matter what the EULA says..).
Re:No sympathy (Score:4, Insightful)
Re:No sympathy (Score:4, Interesting)
Reminds me of how long it took for peripheral manufacturers to write drivers for Vista, despite how long they had developer previews available.
Hey, just another example besides good ol' IE6.
Pretty long EOL too (Score:5, Insightful)
All Windows versions come with 10 years of guaranteed support. 5 years of primary support, where they get new features and service packs, 5 years of extended support, where they get bug and security fixes. MS is known to increase that, but never decrease. In the case of XP, they did extend support. XP is getting 14 years total of support.
I have zero sympathy. You have to cut support for old versions at some point. Even if you are doing everything for free, it just gets infeasible to maintain old code all the time. Ubuntu only does 5 years on LTS releases. In MS's case, it is also because bills need to be paid. They don't charge yearly for maintenance or patches or anything; the cost of that is included in the purchase price. Well, that means that price has to be paid every once in a while, and once per 10+ years isn't unreasonable.
As you say this isn't happening overnight, nor is it a situation of MS suddenly reducing support life. This has been known for a long, long time. Any company that is sticking their head in the sand about it is bringing about their own problems and on their own heads be it, they can't blame MS at all.
Look people, XP goes out of support in 2014. STFU and deal with it. You've 3 choices:
1) Upgrade. Really, this is not hard. 7 is an extremely good OS; I've been very pleased with it. It will be supported until January 14, 2020 at a minimum, unless MS chooses to extend it, so you've at least 8 years before you need to upgrade again. Once a decade-ish isn't too often to upgrade.
2) Isolate. You can just take the damn thing off the Internet if it is really a problem. We've done that at work with a few old Windows 98 systems. We are a university and so don't always have money for new toys. We get some old piece of equipment that is controlled by software that only runs in 98 or earlier. Fine, it just doesn't get on the net. Yes it is a bit inconvenient. Deal with it. The air gap works.
3) Protect. If it really is an issue, you can lock down and protect the systems. Put them all on a private network that can only be accessed via a controller system that is bitchy about what is and is not allowed in and out. Then internally have each system run a locked down firewall and set of services. Disallow any web access, only access to internal systems. Lock everything down tight, with multiple levels of security, and even lacking patches you can likely keep it secure.
This is nothing more than companies whining because they want to be lazy. They don't want to take the effort to upgrade to a new version of Windows, don't want to take the effort to increase security, and just think that MS should patch shit forever to support their laziness.
No sympathy here.
Re:Pretty long EOL too (Score:5, Insightful)
XP is getting 14 years total of support.
Not if you're one of the many people who bought a netbook or "nettop" with XP on it in the last few years.
This is nothing more than companies whining because they want to be lazy. They don't want to take the effort to upgrade to a new version of Windows, don't want to take the effort to increase security, and just think that MS should patch shit forever to support their laziness.
Actually, they don't want to pay two hundred bucks to go to an operating system that doesn't run their software. Or at least, that's my situation. Windows XP runs stuff that doesn't run on Wine or on Windows 7.
Re:Pretty long EOL too (Score:4, Insightful)
Not to sound unsympathetic, but you bought a disposable computer that was outdated the day it was manufactured. Netbooks were meant to be frequently replaced; making them underpowered and easy to break is how they got the costs so low in the first place.
Re: (Score:3)
if you can't resolve upgrade issues in seven years, then you are the problem
Windows 7 massively broke backwards compatibility, you insensitive clod! It doesn't run Civilization 2 or several other classic games I've got and paid for, even in XP mode which is pure canned crap compared to even the free vmware player.
The truth is that Windows XP has been sold as recently as what, last year? That's a VERY short EOL for a recently-shipped operating system.
Re: (Score:3)
And they will have had four years of support, so what's the problem?
Proofread the summaries! (please) (Score:5, Insightful)
When Microsoft cuts the chord on XP
Cuts the cord?
Or is this some sort of operation that will prevent XP from playing guitar?
Re: (Score:3)
When Microsoft cuts the chord on XP
Oh, what do you know, TFA says "chord" too
Ok, in that case someone should write summaries, instead of always lifting 2 paragraphs from TFA verbatim.
And I've never seen heyday spelled as "hey-day". Just doesn't look right.
What about XP mode in Windows 7 (Score:5, Interesting)
Every time I read about the ending support, I wonder what happens to the so called XP mode in Windows 7. It's an installation of Virtual PC with an XP image (http://www.microsoft.com/windows/virtual-pc/download.aspx). Since Windows 7 is supported by MS, how can they leave those users alone?
Re:What about XP mode in Windows 7 (Score:5, Informative)
Is Windows XP Mode supported throughout the lifecycle of Windows 7?
No. Windows XP Mode is a full virtual version of Windows XP and follows the same support lifecycle as Windows XP. Windows XP extended support phase ends in 2014.
Unfortunately IE6/7/8 will live on and I have nightmares that we will be supporting them until 2038...
...running the latest software... (Score:5, Insightful)
I'm all for bashing Microsoft but how can you say
"When Microsoft cuts the chord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks, many of which hold the potential to find their way into consumer, enterprise and even industrial systems running the latest software"
while talking about XP? It's over 10 years old. Microsoft have been trying to push people away for two versions of Windows. While their upgrade cycle might be very clunky, I don't think the blame can fall fully on them for people who run software which is 10 years out of date, and now out of support.
Re:...running the latest software... (Score:4, Insightful)
Re:...running the latest software... (Score:5, Insightful)
Absolutely! Unless you pre-purchased a support plan that extends beyond the "about 9 years" you mention, your manufacturer is probably under no obligation in any way to fix your car. In fact, they're not even under any obligation to accept money from you to fix your car (nor is Microsoft, although they will in fact continue supporting outdated OSs if you pay them enough). As for the recall, that's not required either, no. It might be economically wise (as in, "end up costing less than the lawsuits and loss of business") but I'm not aware of any law that would compel them to do so.
Personal anecdote: I couldn't find anybody who was willing to fix some damage to my 1990 Subaru Legacy. It's not that it wasn't fixable, it's just that they literally couldn't find the required part. Even ignoring that the cost would have been greater than the insurance value of the car, I literally couldn't find any shop in the area that would take my money to do it, because the car has been out of production for so long that the wrecking yards had even sold off all their working copies of that part.
Also, a car analogy here is stupid, despite Slashdot tradition. A car is quite reasonably expected to run for at least a decade and usually much longer if treated well. The manufacture and maintenance of them is a practice well over a century in age. The rate of improvements in them, despite your "all better than mine, probably safer and with more features" comment, is really quite minor year-over-year. None of those things are true of desktop operating systems. Additionally, my 22-year-old car still runs on pretty much the same "hardware" (internal combustion of gasoline, asphalt-paved roads, etc.) today as it was designed to do over two decades ago. These days, sub-$500 new computers come with too much RAM for XP to even address all of it!
Same as it has always been (Score:5, Insightful)
This is no different from when Windows 2000 reached its end of life, or 98, or NT4. The life cycles of Microsoft products tend to be consistent and well known.
Anyone using Windows on a SCADA system should not just rely on Microsoft's updates for security. Lock them down, limit Internet access to a minimum, don't use Administrator accounts, don't install any Adobe products, don't use the systems for general purpose web browsing and don't feed them after midnight. Most security holes require some active interaction to work.
I still have a bunch of Win2000 systems in use and they chug along fine.
Re:Same as it has always been (Score:5, Insightful)
So, people (incl. manufacturers) were choosing to install an OS on their hardware that had incredibly well-known and published EOL dates coming up, even though Microsoft had updated versions with substantially greater lifetimes ahead of them already released. And, somehow, that's Microsoft's fault. Not the manufacturer's fault, not the purchaser's fault... Microsoft's fault.
Whu?
incompetent morons (Score:5, Insightful)
Comment removed (Score:5, Interesting)
Re:Just wondering about activation (Score:5, Insightful)
I'm pretty sure yes, they will continue to run their activation servers for a long time. As you say, your license doesn't expire.
If in the bleak, distant future when robots rule the world you are still using XP and MS wants to turn off the activation servers they will probably release a patch to disable the activation stuff, or provide a 'golden key' as you say. I'm sure by then they won't care too much about potential piracy of a 20+ year old OS. (That'd be like them caring that I may or may not have some pirated floppy disks of DOS 6.22 sitting in my garage somewhere...)
Re: (Score:3)
As a case study, at the end of its life "Money Plus" had activation bits removed and Microsoft released a "Sunset" version which did not require activation:
http://www.microsoft.com/download/en/details.aspx?id=20738
Office XP is the first mainstream product requiring activation that has left the extended support phase of the lifecycle. The activation and update servers for it are still live.
I believe Microsoft has on several occasions said they will provide "golden key", patch, or whatever to work around Act
Omg it's the end of the world! (Score:3, Interesting)
Someone, please, just think of the poor children running SCADA systems!
Oh wait, it's only Windows XP
Oh wait, it's actually in 2 years
Oh wait, it's just support
Seriously, do we need a "Windows XP is gone and the world is already burning" scare-article posted every month on Slashdot? For the entire period of 7 years of pre-announced end of support for an ancient OS? This shouldn't even be on idle. Is this a tech site or little Suzie's shopping ground for pink dresses?
Windows 95? (Score:4, Interesting)
Does anyone know what *actually* happened when everybody was saying the same thing about the end of support for Windows 95 a few years back?
Big problem, little problem, no problem?
Cuts the "chord"? (Score:5, Insightful)
"English, motherfucker! Do you speak it?"
It's a driver issue for me (Score:5, Insightful)
We have a small family business in a city where much of our good manufacturing jobs have gone overseas. Everybody who walks in the front door is looking for a deal because they have no money, or perhaps because their new job at Wal-Mart doesn't pay like the old one.
I don't have the customer base or cashflow to just upgrade at a whim. My major issue is we have several commercial duty printers that cost several thousand dollars each. We do some pretty customized printing, odd sized paper, etc. Under Win 7, NONE of these printers will do anything more than a single sided sheet of paper; they cannot even duplex. I've contacted HP directly, had the Xerox people in here, and in both cases, they refuse to provide new drivers that will make these printers work under Win 7 the same way they do under XP. Even simple things like duplexing cannot be done in some cases. The official response from these companies? Buy a new printer. That's it.
I do run Linux, but you know something, even though I can make these printers work under Linux no problem, there is no good substitute for Pagemaker and/or InDesign in Linux. As long as Scribus does not or cannot import my Pagemaker and/or InDesign files, it is useless to me. I have a library of almost 20 years of Pagemaker and InDesign files that we created from the ground up, and until I can import them, Scribus, and therefore by extension Linux, is of no use to me.
So I do not mind upgrading to Win 7 in itself, it's the fact that some of my high end printers and scanners do not work well with Win 7 because "They are too old".
One more thing - some - well heck, many of these new printers are junk. My old, Made in Japan printers had heavy duty metal bearings and gears. Many of the new, brand name printers made in China use plastic gears and bearings, or cheaper metal that physically breaks down more often than the old printers. A ten year duty cycle of heavy day to day use was not uncommon for a good HP; today I am told to expect three years, then toss it.
Yeah, in an economy when money is tight everywhere, the upgrade to Win 7 is not doing me much good. For all you guys who say you have no sympathy for guys like me who don't want to upgrade, well sorry, money is tight, we have to keep a tight ship, and when I see perfectly good hardware unable to run under Win 7 simply because somebody will not make a driver for it, well, as Judge Judy would say "Don't pee on my leg and tell me it's raining."
Support lifetime IP lifetime (Score:3, Insightful)
Fourteen years sounds like a long time to support a software product. Yet I find it interesting to point out that, in the U.S., any "inventions" that debuted with the release of Windows XP will still have 6 years of patent protection, and the code itself will have another 75 years of copyright protection. This is for a product that's already been unavailable commercially for a while and will be completely dead in two more years.
Overly long IP lifetimes hurt security, technological progress, innovation, and culture.
NT4, W2k, now XP (Score:5, Interesting)
A client ran an NT4 server (one out of about a dozen servers) until 2009, well past the end of support. They also had a couple W2k servers in that mix, also past the end of support. You know what happened? Nothing! The machines continued to perform just as well as they had for the previous 8-10 years. The reason those weren't upgraded is because they worked very well, and an upgrade simply wasn't necessary, and would have been very costly.
We did take precautions, including: making sure those machines weren't connected to the internet, were locked down as well as we could lock them down, and had anti-virus software (for which we downloaded updates daily), etc. While the clients had internet access, they too were locked down (users were "users", with restricted access to all directories except their own profile, couldn't install anything, etc), and had AV and anti-malware that were updated daily. Windows updates were pushed nightly from MS SUS.
This isn't a looming crisis. You've got 2 more years to prepare or upgrade. As long as you take actions to isolate and protect those systems as much as possible, they can run XP for another 10 or 20 years (as long as you can keep compatible hardware running)
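The isolation the post above relies on is only as good as the firewall rules between the control network and everything else. The following is an added example, not code from the thread or from any vendor: a small reachability check over a constructed zone-and-rule model that searches for any permitted chain of hops from an untrusted zone to the control zone. The zone names, ports and rules are constructed sample data; a real deployment would load them from the firewall exports instead.

```python
"""Reachability check over a constructed firewall/zone model.

Added example (not from the thread). Given zones and the allow/deny rules
between them, list every loop-free chain of allowed hops from an untrusted
zone to the protected control zone, so that an "isolated" network can be
verified rather than assumed. All data below is constructed sample input.
"""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# (src_zone, dst_zone, dst_port, action); anything not matched by an allow is denied.
Rule = Tuple[str, str, int, str]

# Constructed sample rule set. The historian is allowed to poll controllers
# over Modbus/TCP (502), which quietly links the corporate side to control.
RULES: List[Rule] = [
    ("internet", "dmz", 443, "allow"),
    ("dmz", "corp", 1433, "allow"),
    ("corp", "historian", 445, "allow"),
    ("historian", "control", 502, "allow"),
    ("corp", "control", 0, "deny"),
]

# Same rules with the historian-to-control hop removed (the hardening step).
HARDENED_RULES: List[Rule] = [r for r in RULES if r != ("historian", "control", 502, "allow")]


def allowed_edges(rules: List[Rule]) -> Dict[str, Dict[str, List[int]]]:
    """Map src_zone -> {dst_zone: [allowed dst ports]} from the allow rules only."""
    edges: Dict[str, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(list))
    for src, dst, port, action in rules:
        if action == "allow":
            edges[src][dst].append(port)
    return edges


Hop = Tuple[str, Optional[Tuple[int, ...]]]  # (zone, ports used to enter it)


def find_paths(rules: List[Rule], start: str, target: str, max_hops: int = 8) -> List[List[Hop]]:
    """Breadth-first search for every loop-free allowed path from start to target."""
    edges = allowed_edges(rules)
    found: List[List[Hop]] = []
    queue: deque = deque([(start, [(start, None)])])
    while queue:
        zone, path = queue.popleft()
        if zone == target:
            found.append(path)
            continue
        if len(path) > max_hops:
            continue
        visited = {z for z, _ in path}
        for nxt, ports in edges.get(zone, {}).items():
            if nxt not in visited:
                queue.append((nxt, path + [(nxt, tuple(sorted(ports)))]))
    return found


def is_isolated(rules: List[Rule], untrusted: str, protected: str) -> bool:
    """True when no allowed chain of hops leads from untrusted to protected."""
    return not find_paths(rules, untrusted, protected)


def describe(path: List[Hop]) -> str:
    """Render a path as 'zone -> zone:ports -> ...' for a report."""
    return " -> ".join(
        z if ports is None else f"{z}:{','.join(str(p) for p in ports)}" for z, ports in path
    )


if __name__ == "__main__":
    for p in find_paths(RULES, "internet", "control"):
        print("permitted path:", describe(p))
    print("control isolated (original rules):", is_isolated(RULES, "internet", "control"))
    print("control isolated (hardened rules):", is_isolated(HARDENED_RULES, "internet", "control"))
```

With the constructed rules the search reports one path, internet -> dmz:443 -> corp:1433 -> historian:445 -> control:502, which is exactly the kind of transitive route that a per-rule review misses; removing the historian-to-control allow makes the control zone unreachable.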
Re:release the source? (Score:5, Insightful)
Why not liberate the source and let other companies continue bugfixing?
Oh... doesn't fit the business model?
open source ftw and for long term maintenance.
An operating system contains something on the order of tens of millions of lines of code. No company is going to handle a maintenance project like that for free, and there is no incentive for Microsoft to pay them for it. As for releasing it into the wild, those tens of millions of lines are not the exclusive product of Microsoft; they almost certainly incorporated code that still belongs to other companies into the final package, and this code cannot be released even if Microsoft wanted to.
Re: (Score:3)
Sounds like a nice list of reasons to avoid proprietary software for mission critical applications like SCADA... or anything, really.
Re:release the source? (Score:5, Informative)
You obviously don't know much about SCADA systems. They are proprietary, top to bottom. And there are reasons for this that do make sense.
First of all, let's look at the whole picture of a SCADA implementation... in this example, I'll talk about the systems that control and analyze the burn inside a coal-fired power generation facility that uses coal to heat water into steam which then drives a turbine; this is the kind of power plant that produces most of the power in our country. (I'm in the United States, for context there.) The systems are analogous to the ECU of a car with a fuel-injection engine, both controlling the delivery of fuel and air while monitoring the effects of those controls in the context of the demands being placed upon the boiler. Just as with a car engine, there is lag in making changes to the burn, just as an engine has delay when you step on the throttle.
There are many devices involved...gas sensors, temperature sensors, lasers...and all of them are purpose-built by the company that makes the control system; they are proprietary. The protocols that are spoken between devices are usually open, like DNP3 or modbus, but the data schemas that are used are also proprietary (most ICS protocols are pretty soft, working more like a layer 6 protocol than a layer 7). The logic that drives decisions, reporting, and the translation of human interaction into discrete behavior by control devices? Also proprietary. The control systems are built by the same company to work end-to-end on that specific type, size and model of boiler, and the whole thing is tested as a unit. For the most part, the notion of modularity...the way that you could replace a Cisco firewall with an equivalent Juniper firewall, or replace an EMC SAN with a NetApp SAN...does not exist in any way whatsoever. (It does in small ways, but even then most manufacturers will refuse to support the system if you so much as change the IOS image on a Cisco switch without it having been tested first, which takes about 6 months for a full facility and requires that it be offline the whole time.)
The complexity of these environments... and the ramifications of improper behavior by any one component... cannot be overstated. So, it's essential from a legal standpoint to have entities backing the pre-manufactured components who can be held accountable should it be necessary. I know, you can't sue Microsoft for software bugs, but you can't look at their behavior over the past 15 years and tell me that there wasn't an effective motivation to improve security. They've dramatically improved the security quality of Windows, while rolling out and evolving a patching system that is now the gold standard for software companies. They have something to lose from producing an unreliable product, even if that loss does not come in the form of a lawsuit. And after seeing what Oracle has done to MySQL and Java, it's not hard to see the potential for disaster if you rely on an open-source project that may have to fork because their patron got acquired, as well. An even scarier possibility is what Tenable did with Nessus when they forked and closed the source, ending support for the older OSS version.
One more thing... this isn't a website we're talking about. It's a power plant. When things go wrong in these environments, it isn't just embarrassing. People often die. At one plant I've done work at, a mistake caused a ~300 kV transformer to detonate. Oversimplifying the situation, the power ended up flowing the wrong way, and the transformer's cooling spaces (filled with oil) exploded in a BLEVE, showering the nearby parking lot with flaming oil. It was a Michael Bay-like situation; I saw the pictures that were taken while the fires were still burning. A mistake involving the boiler can cause the flame to collapse, resulting in what they call a "beer can," when the fire suddenly goes out and the inside of the boiler cools so rapidly (in a matter of seconds, or less) that it crushes itself. This is not a small thing... the walls
Re:release the source? (Score:4, Informative)
"Why not liberate the source?"
Maybe because there is XP code still in Vista and later versions?
Maybe because it would just encourage the people who are still using XP to continue using the "Open Source" version?
Re:release the source? (Score:5, Insightful)
Try reporting a bug with the Linux 2.0 kernel or glibc 2.0, you will be told to upgrade to the latest version. And while the upgrade may be free, the time and effort associated with moving an entire codebase to a modern version isn't.
Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.
Re:release the source? (Score:5, Interesting)
Re:release the source? (Score:5, Informative)
My comment is based on experience, not supposition.
Re:release the source? (Score:5, Funny)
Sorry Richard, he has a lower uid, therefore only he may claim authority without proof.
Re:release the source? (Score:4, Informative)
Yeah. Besides, why is he slashdotting from work at 3:34AM?
Because the slashdot timestamping system does not stamp posts with your local time. I posted something just after 14:00 hours yesterday; it is timestamped 7:22PM.
Re: (Score:3, Insightful)
My comment is based on experience, not supposition.
Fortunately for you, you have the code, you have the ability to fix the problem yourself (or pay someone to do it)
You can't do that with XP.
Comment removed (Score:5, Insightful)
Comment removed (Score:5, Insightful)
Re: (Score:3, Insightful)
Remember when they released the Netscape source? Everyone begged them to open it and said how it would be so awesome with all those developers helping make it better. Well, everyone looked over the code, decided it was too confusing and started over on Mozilla. Total waste of time. Set open source back by years to throw away the Netscape codebase, but "other people's code" always looks confusing and weird. I guess they believed their own hype that if you get the code you can just open it up in emacs and start fix
Re:release the source? (Score:5, Insightful)
Sorry, we're running life critical systems here. We can't rely on "taking a look at it". We need a guarantee which is just a teeny bit stronger than that. Many of our systems do run Linux, but only because a consulting company is willing to fill that gap and assume the role of supplying custom fixes/patches while we wait for "official" ones to make it into the kernel. It's not that we have anything against the community, but frankly we need someone to take responsibility and to be held accountable for all aspects of our system.
As for this news? Shrug. Anybody who doesn't already have a plan still has two years to figure it out and get one in place. I can't find any sympathy in me for someone who hasn't come up with a solution by then.
Emphasis mine. This is possible only because Linux is open source. Thanks for making exactly the point that needed to be made in favor of an open source OS.
Re: (Score:3)
There is a real risk with going down that route however, and that is that unless you can get your changes merged into the main branch (far from guaranteed), you are now running a forked version of Linux - and the more you make changes, the more distant the fork gets and the less the main branch followers want to help you.
So you are only compounding the issue - the money you spent on consulting for the fix should have gone toward moving the codebase to a newer version instead.
Re:release the source? (Score:4, Insightful)
There is a real risk with going down that route however, and that is that unless you can get your changes merged into the main branch (far from guaranteed), you are now running a forked version of Linux
Yes, but in the worst case scenario (your changes not merged) that buys you time. This is priceless compared to Windows, where you're left on your own with an insecure system.
Look, this is not a perfect solution, just because there is no perfect solution. But having an open source system is much better than a closed source one for that very reason. You *can* do it on your own if you need to.
Re: (Score:3, Insightful)
And a consulting company will happily fill the gap and provide maintenance for a 2.0 kernel, it makes no difference to them... Money is money, and the code is still available.
With closed source you simply don't have the option of hiring a consulting company, it's the original vendor or nothing and it would be utterly irresponsible to make critical systems depend on something you don't have the source of and are utterly beholden to a single vendor for.
Re:release the source? (Score:5, Interesting)
Sorry, we're running life critical systems here. We can't rely on "taking a look at it".
If you're running "life critical systems", what the hell are you doing running an OS that isn't designed for "life critical systems" in the first place? (Hint: Windows and Linux are *not* designed for life critical systems). As for not being able to rely on "taking a look at it", that's why you need to pay someone to do this stuff - you can't expect either Microsoft or a Linux developer to work for you for free, but at least with an open OS you can employ a third party to maintain it beyond its normal support life, whereas if you start out with a closed system you're always going to be at the mercy of the vendor.
but frankly we need someone to take responsibility and to be held accountable for all aspects of our system.
If you think Microsoft are going to "take responsibility and be accountable" in any serious way, you obviously didn't read the licence agreement. I presume what you actually mean is "I want to be able to blame Microsoft when things go wrong to divert the shitstorm away from me" whilst achieving nothing actually useful. Ain't blame culture brilliant?
Re:release the source? (Score:4, Interesting)
Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.
SCADA systems have a very long lifetime. Many vendors offer life-cycle announcements that provide 10 years of planning to suit rare shutdown events where things like SCADA systems can be upgraded. Now these are just their lifecycle announcements. One of our vendors last year got their software and latest SCADA system running on Windows 7. The upgrade path is: toss the entire old system, and upgrade. The older system was also the subject of a life-cycle announcement last year. So basically we have until about 2021 to upgrade before the vendor stops supporting their system. For that length of time we're going to need to keep XP running.
Re: (Score:3, Insightful)
Why do these manufacturers not have explicit, individual support contracts from Microsoft to suit their own long-term requirements, then?
Relying on the general public support policy of any OS maker or community for this sort of usage is just fucking ridiculous and proves that, as I have said elsewhere, the problem lies with the SCADA manufacturers rather than the OS.
Re: (Score:3, Insightful)
Re: (Score:3)
You don't need a live connection to the Internet to get a network into trouble. See Stuxnet.
Got an open USB port? That Hello Kitty USB drive that you 'found' in the parking lot - I wonder what it has on it?
Re:release the source? (Score:4, Insightful)
Which is why you need to heed warnings about deadlines well in advance - these SCADA issues wouldn't have been a problem if planning had started two years ago rather than now.
Microsoft had publicized these deadlines ever since the product was released. This is not the news here: the news is that a lot of people are still using the system. Serious companies that rely on Windows XP for their business have always known that support would end in 2014, and so have factored that into account.
Re: (Score:3, Informative)
It can take five to ten years (or in some cases I have seen, 20 years) to replace an embedded SCADA system.
Which is a good argument for not using Windows(tm) in any form for industrial control, but that argument was apparently lost in the late 1990s.
sPh
Re:release the source? (Score:5, Insightful)
I don't disagree with you, but the economic pressures are relentless. As late as the mid-1990s a manufacturer could count on there being an ecosystem and trained programmers available for the various high-security, high-reliability architectures on the market (or at least people willing to take jobs being trained as programmers, designers, etc for such systems). By 2000 those ecosystems and finally the architectures themselves had vanished under the avalanche of Wintel systems (bought a new PDP-11 lately? Or even a Tandem NonStop?). And the cost differential in favor of Wintel went from 1/3x to 1/1000x. It is extremely hard to convince a product development board that your product needs 1000x more funding than the team building what is fundamentally a very similar consumer- or commercial-grade system.
And the demand from customers drives things too. Right now every operating manager I work with wants to be able to monitor his plant from home on his iPhone. Customers are putting enormous pressure on their vendors to replace expensive proprietary (but secure) wireless interfaces with much cheaper iPhones. Security gets paid lip service in the spec but doesn't control the decision.
sPh
Re: (Score:3)
When you look at the other roads they could have taken starting around 1995-6, they actually made a pretty good choice. I have worked on systems installed in 1986-8 that are still operating with much pain and purely DOS or ancient UNIX based programs.
Actually, DOS would have been a better choice, as they could then keep the system running indefinitely using FreeDOS.
Really, for a SCADA, there's no point having Windows unless you actually need a GUI, and maybe not even then.
Comment removed (Score:4, Insightful)
Re:"Beginning" of security nightmare? (Score:5, Insightful)
That's a bit of a generalization.
Is it so hard to believe there are people with up-to-date XP systems who simply don't feel like forking out a couple hundred dollars to fix something that isn't broken?
Re: (Score:3)
No, it isn't hard to believe, but should MS be required to continually support them on a platform that is currently two major versions out of date, soon to be three?
Yes it really is (Score:3)
Microsoft has a very well known, documented life cycle for their software. Go look it up on their site. When you buy Windows, part of that price is service and support. You get patches at no additional charge for the life of the software. However, at the end of the life, that stops; you have to buy it again. The life of the software is 10 years from release minimum. That's longer than I see elsewhere; even Ubuntu is only 5 for their LTS. Redhat may be willing to go longer, I don't know, but of course you pay
Re:Special treatment again? (Score:4, Insightful)
How many Linux and OSX releases are supported for 12 years?
How many Linux distributions (where maintainers stayed in business) have not seen a major upgrade for the better part of a decade? That's the time it took from XP to Vista. And then the upgrade wasn't even considered an upgrade by many - so maybe you should look at the time it took from XP to Win7 even?
Re: (Score:3)
"I haven't bothered to get myself a corporate edition of XP Pro to replace my regular retail version. What will happen if I swap motherboards?"
OK, you are lazy. XP has been a free download for a long time, including driver packs, from the usual sources. So has 7 with SLIC loaders which permanently bypass activation. It's easy to get "clean" .isos of both.
I don't care for either. I'd rather run Free Linux than "free" Windows.
Re:Special treatment again? (Score:5, Interesting)
3 - Really, How old are your machines?
I have installed Windows 7 onto hundreds of machines up to seven years old and have found drivers for everything apart from a few old GPUs and scanners. Almost everything else has just installed automagically, either bundled on the media or grabbed on first boot from Windows Update; the rest has just required a quick trip to the vendor site. This is even with the 64 bit versions on 6 year old hardware.
Software is mostly supported, but you are right that there is a lot that was written really badly and won't run, as Windows is actually protecting itself.
I am heavily sceptical about - 2 - linux supporting more hardware than windows; almost all the hardware in existence was released with Windows drivers, Windows supporting less just does not make sense, and it is not what I have encountered.
Re: (Score:3)
Windows only really has drivers for hardware that was intended for use with x86 compatible systems. I have various PCI cards that were designed for use on Sparc, Alpha or MIPS based machines and for which there are no windows drivers, but linux handles them just fine... Sun ethernet cards being just one such example.
And then there is the hardware itself, windows either does not run at all on other platforms, or only has an ancient long abandoned version... MIPS and PPC support were cut off after NT4 SP1, Al
Re: (Score:3)
Ah, yes, you are talking about extremely specific hardware that, compared to x86 stuff, is about as common in the general population of computers as unicorns are in the population of horses. Likewise by the processor types.
I do take your point with the printers as many of the cheaper devices never did get signed drivers for the later versions. As you say most of the time a generic, or in hp's case from the same series. To be fair, no one - least of all hp - would have thought that those printers would st
Re:First? (Score:5, Funny)
Slashdot needs a button that says "Submit, if this is going to be the FP; otherwise cancel".
Re: (Score:3)
I'll bet vast sums of money that the world won't end within the next two years.
If it doesn't, I win big; if it does, I won't have to pay.
Re: (Score:3)
Some reasons a major oil company requires networked access to the control system on oil rigs from onshore networks:
* Exporting backups. This is a big one.
* Exporting logging data, done through a 'data diode' luckily.
* Remote troubleshooting. ("Integrated Operations" is the new buzzword for having a team onshore to help offshore without flying out..)
* Remote auditing.
There is a theoretical network path (through about 6 layers of firewalls) from the internet to the controllers running the emergency shutdown s
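The "data diode" mentioned in the export list above is hardware that physically permits traffic in one direction only, so the sending side can never receive an acknowledgement and has to cope with loss and corruption on its own. To make that property concrete, here is an added example that is not part of the thread and not any vendor's protocol: an in-memory simulation of the sender and receiver halves of a diode-style transfer. The sender splits a record into sequenced datagrams carrying a whole-message SHA-256 digest and repeats each one for forward redundancy; the receiver reassembles whatever arrives, reports gaps it cannot fill, and rejects anything that fails the digest check. The packet layout and the sample record are constructed for the example; no sockets are used, so it runs offline.

```python
"""Diode-style one-way transfer, simulated in memory.

Added example, not from the thread or any vendor. The sender has no return
channel, so it (a) tags every datagram with a sequence number, the total
count and a SHA-256 of the whole message, and (b) sends each datagram more
than once. The receiver reassembles from whatever arrived, in any order,
and reports "ok", "missing" (with the gap list) or "corrupt". The header
layout below is constructed for this example.
"""
import hashlib
import struct
from typing import List, Optional, Tuple

MAGIC = b"DIOD"
# magic(4) | seq(4) | total(4) | sha256 of the whole message(32), network byte order
HEADER = struct.Struct("!4sII32s")


def encode(message: bytes, chunk_size: int = 16, repeat: int = 2) -> List[bytes]:
    """Sender side: split message into sequenced datagrams, each sent `repeat` times."""
    digest = hashlib.sha256(message).digest()
    chunks = [message[i:i + chunk_size] for i in range(0, len(message), chunk_size)] or [b""]
    total = len(chunks)
    packets: List[bytes] = []
    for _ in range(repeat):  # forward redundancy: there is no way to ask for a resend
        for seq, chunk in enumerate(chunks):
            packets.append(HEADER.pack(MAGIC, seq, total, digest) + chunk)
    return packets


def receive(packets: List[bytes]) -> Tuple[str, Optional[object]]:
    """Receiver side: returns ("ok", message), ("missing", [seqs]),
    ("corrupt", None) or ("nothing", None)."""
    got = {}
    total = digest = None
    for pkt in packets:
        if len(pkt) < HEADER.size:
            continue  # runt datagram; nothing to do but drop it
        magic, seq, n, d = HEADER.unpack_from(pkt)
        if magic != MAGIC:
            continue
        if total is None:
            total, digest = n, d
        elif (n, d) != (total, digest):
            continue  # datagram from a different message; ignore it here
        got.setdefault(seq, pkt[HEADER.size:])  # first copy wins; duplicates are expected
    if total is None:
        return "nothing", None
    missing = [s for s in range(total) if s not in got]
    if missing:
        return "missing", missing
    message = b"".join(got[s] for s in range(total))
    if hashlib.sha256(message).digest() != digest:
        return "corrupt", None  # a copy was altered in transit; do not trust it
    return "ok", message


if __name__ == "__main__":
    record = b"constructed sample export record " * 3  # constructed sample input
    wire = encode(record)
    print(receive(wire)[0])                      # ok: every chunk present
    print(receive(wire[1:])[0])                  # ok: one copy of seq 1 lost, second copy fills in
    lost_both = [p for i, p in enumerate(wire) if i not in (1, 1 + len(wire) // 2)]
    print(receive(lost_both))                    # missing [1]: both copies of seq 1 lost
```

The point for a defender is that the receiver's only evidence is what the diode let through: a gap or a digest mismatch has to be surfaced as an alert on the receiving side, because the sender will never learn about it.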
Re: (Score:3)
Disclaimer: although I have never developed embedded control systems, I have developed software in C/C++ and assembly for DOS. I knew the insides of DOS in and out. It's been more than a decade and I sti