Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Windows Government Microsoft

London's Metropolitan Police Still Running 27,000 Windows XP Desktops (thestack.com) 166

An anonymous reader writes: London's Met Police has missed its deadline for abandoning the out-of-date operating system Windows XP, as findings reveal 27,000 computers still run on the software two years after official support ended. Microsoft stopped issuing updates and patches for Windows XP in Spring 2014, meaning that any new bugs and flaws in the operating system are left open to attack. A particularly risky status for the UK capital's police force – itself running operations against hacking and other cybercrime activity. The figures were disclosed by Conservative politician Andrew Boff. The Greater London Assembly member said: 'The Met should have stopped using Windows XP in 2014 when extended support ended, and to hear that 27,000 computers are still using it is worrying.' As in similar cases across civil departments, the core problem is bespoke system development, and the costs and time associated with integrating a new OS with customized systems.
This discussion has been archived. No new comments can be posted.

London's Metropolitan Police Still Running 27,000 Windows XP Desktops

Comments Filter:
  • by ZeroPly ( 881915 ) on Tuesday August 09, 2016 @10:35AM (#52671263)
    As someone who is on the tail end of a 700 computer migration from WinXP to Win7, I feel their pain. A single critical program that won't run on Win7 can be a showstopper. Not to mention special hardware for which no Win7 drivers are available - all of a sudden that $120 upgrade cost for a Win7 license became $25,120 when you include the cost of a new laser engraver.
    • They had years to plan for the transition and they can always leave a few isolated XP boxes up to support laser engravers and the like.
      • Years to plan, but generally when you have no budget the planning is pointless. These are not like corporations where expenses are approved with a rubber stamp.

        Another issue is that this "planning" often happens at the IT level, which over time has become more insular and disconnected from the larger organization they're supposed to be working with. So plans come down as directives or orders, "do as we say" rather than "let us help you".

    • by AmiMoJo ( 196126 )

      Seems unlikely they would have 27,000 PCs with hardware that isn't supported by Windows 7, and if they do it would make sense to get a driver created for it. More likely it's just their usual incompetence.

      It's going to bad when the first copy of the Police's national database is stolen. It's got a lot of information about not just criminals, but everyone they come into contact with. Biometrics, photos, suspicions, unproven allegations, random comments... And they are relying on XP to keep it safe.

      • Seems unlikely they would have 27,000 PCs with hardware that isn't supported by Windows 7, and if they do it would make sense to get a driver created for it. More likely it's just their usual incompetence.

        Go down to your local underfunded hospital. There's lots of old hardware floating around that are just chugging away doing their jobs even though you wouldn't want to run anything more modern on them, like something that requires more than 32 megs of ram.

    • As someone who is on the tail end of a 700 computer migration from WinXP to Win7, I feel their pain. A single critical program that won't run on Win7 can be a showstopper. Not to mention special hardware for which no Win7 drivers are available - all of a sudden that $120 upgrade cost for a Win7 license became $25,120 when you include the cost of a new laser engraver.

      Since I'm going to assume that not every computer in your organization has a laser engraver attached to it, I'm thinking that a moderately-built Win7 machine running a virtual XP environment under VMWare Workstation would likely be far less than $25,000.

      Then you lock down that virtual XP environment where it does not talk to anything other than the laser engraver. Perhaps you have not removed the issue altogether, but you've certainly taken considerable steps to insulate risk by keeping the unsupported OS

      • VMware Workstation can't do PCI Pass through so if that laser engraver needs an custom card then no. It can do true serial pass through? use an usb one as real one?

    • by stooo ( 2202012 ) on Tuesday August 09, 2016 @11:23AM (#52671637) Homepage

      JUL
      Linux Rocks

    • For applications that had to stay on XP, couldn't they have just run it in VirtualPC/XP mode under Windows 7, while running everything else natively?
      • by ZeroPly ( 881915 ) on Tuesday August 09, 2016 @12:44PM (#52672513)
        We actually do that for our accounting software, but that opens up another can of worms. For example, the software opens up reports in Excel and needs an email client available. That means we need a copy of Office running _inside_Virtual PC. Now all of a sudden we're looking at licensing two copies of Office per machine - not chump change. Export to PDF functionality? Sorry - even though you have a full blow Acrobat DC subscription, it won't work inside your Virtual PC.

        And of course, it's possible to get malware inside the Virtual PC. So now we're looking at two antivirus licenses per computer.
        • Then write some custom software/scripts to allow those functions to pass through to the parent machine. SysAdmin isn't meant to be a walk through the park. Use a little bit of ingenuity to make the workflow smooth.

    • Why do police need laser engravers?

      /sarcasm
    • by thsths ( 31372 )

      That is all very nice, but as an engineer I am always surprised how many IT problems are self inflicted.

      "Every computer has to run off the same image" must be up there with the most painful guidelines ever. 90% - sure, 98% - good. But every computer? That is just not feasible, and there is always going to be the odd laser engraver, scanning oscilloscope, motion simulator, or ATM machine that still runs an obsolete OS as an embedded system. Nothing wrong with that as long as network connections are strictly

      • by HiThere ( 15173 )

        From most of the reports I've encountered, MSWind10 should be avoided no matter what the circumstances. I've encountered one report that (with certain options I don't remember) they've fixed many of the GUI problems. Everyone else has been dubious, speculative, or downright abusive about things like it's privacy policy, it updating requirements, etc.

        • by thsths ( 31372 )

          That is all very nice, but if you want to avoid Windows 10, you have to avoid Windows. Or you stay with an unsupported product like Windows 7, but then again you could have saved yourself all that trouble and stayed on unsupported Windows XP.

          Windows 7 is nearly seven years old, and extended support will end in just over three years, so migrating to it now is madness.

      • And while we are at it, why is anybody migrating to Windows 7, a system that is already EOLed? Surely by now migration to Windows 10 would be indicated.

        You're right.
        You don't work in IT.

    • by boristdog ( 133725 ) on Tuesday August 09, 2016 @01:51PM (#52673031)

      I still have to support NT4, XP, VxWorks, Win98 and even some networked DOS machines in our factory.

      You don't go changing the OS on a piece of equipment that costs over a million bucks to replace and all the software for the equipment is written for that OS. You just keep supporting it. And when you have hundreds of machines that cost a shit-ton of money to replace but work fine with the old OS, you keep supporting it.

      And you call the new employees a buncha goddamn whiners because they don't want to learn "old stuff."

      Knowing old stuff makes you valuable.

      • I always held the philosophy that security starts with the network. If a custom or legacy solution needs to be roped off, then what's the problem? Almost anything can be mitigated.

    • We ran into this same issue - in our case it was a video/controller board for some electron microscope - and the board itself was like 15k, and it just wasn't in the cards to upgrade it mid research project. So all dozen or so XP machines get to use the local network and that is it.

      Every single other application I was able to hack/triage to get running on Windows 7 or 10 in some way or another.

      I would suspect in the police dept - network security should be as concerning as physical security though - you nev

    • We just run XP vms to support the few apps that have to run on XP.
    • by mjwx ( 966435 )

      As someone who is on the tail end of a 700 computer migration from WinXP to Win7, I feel their pain. A single critical program that won't run on Win7 can be a showstopper. Not to mention special hardware for which no Win7 drivers are available - all of a sudden that $120 upgrade cost for a Win7 license became $25,120 when you include the cost of a new laser engraver.

      I completely agree with your point but if you've got an SA or other enterprise or SMB licensing agreement with Microsoft then your upgrade licenses are $0. If you're buying OEM with 50, let alone 500 desktops you're doing it wrong.

      But I do agree with your point, the major cost in doing any kind of upgrade comes in support and ancillary costs, not in the upgrade itself.

  • by DidgetMaster ( 2739009 ) on Tuesday August 09, 2016 @10:36AM (#52671271) Homepage
    I wonder how many systems around the world are still running Windows 95? DOS? Older versions of Linux, Unix, or Apple's operating systems?
    • by Yvan256 ( 722131 )

      My CNC is connected to a ThinkPad 760XL running MS-DOS with TurboCNC.

      Now get off my lawn.

    • by PPH ( 736903 )

      I know of some old PLCs with programming and HMIs that run on XP. The manufacturer is unwilling to port their software to newer platforms. And the PC components were written to check for XP-specific components and abort if they were not found. They don't actually use these components, but my guess is that these tests were 'baked in' by the development toolchain to prevent running the produced s/w on Wine or Apple platforms.

      • I know some _new_ PLCs running on WinXP embedded or, even worse, Win CE 6.0. There are current EATON PLCs running on Windows CE 6.0, and there is a big cruise ship, that will launch this autumn, automated by a network of Win CE 6.0 machines.

        At least on Linux you could patch the kernel yourself (I mean, if you're a big corporation like EATON or Siemens), but this Windows lock-in in industrial automation is one of the worst problem ready to explode: ten years ago all these insecure plants weren't connected
      • Lol that's cute. I work with a DOS programming / HMI tool for turbine control and for programming safety systems on several of our plants.

    • by HiThere ( 15173 )

      Well, I've got one MSWind95 system running, but it's about to go away, and a Mac 10.4 system that is turned off, and has been for over a year.

      In both cases the machines have been retained because of proprietary software that held data in proprietary file formats written by companies that have died. This has created in me a very strong bias in favor of FOSS software, and especially GPL, though if the code is open other FOSS licenses can also be accepted.

  • by iamacat ( 583406 ) on Tuesday August 09, 2016 @10:39AM (#52671291)

    As long as firewall is on and you run a fixed set of apps from trusted sources, you are perfectly safe. So is IE if you only visit internal sites. And for external browsing, browser security is more important than OS security. There will be forked versions of recent Firefox and Chromium builds forever.

    The whole upgrade hype is largely financially motivated on part of Microsoft and consulting agencies.

    • by mdm-adph ( 1030332 ) on Tuesday August 09, 2016 @10:55AM (#52671403)

      To IT Admin,

      Don't worry, I've got the solution to our Win XP upgrade issue -- it's a weird forked version of Chromium I found on some website. I'm sure it's super safe.

      Thanks,

      Random Internet Person

    • The whole upgrade hype is largely financially motivated on part of Microsoft and consulting agencies.

      Not really. Your scenario means the sysadmins must forever deal with exceptions, control tightly the set of applications, the trusted sources and so on. There is an extra burden of work for this and it is prone to errors from the sysadmins. So, the switch may worth the extra bucks depending on the size and complexity of the environment. I tend to believe it is the case here with 26 000 workstations still running Windows XP.

      • by iamacat ( 583406 )

        Say Microsoft is charing you $75 to upgrade each seat. Now ad in labor, troubleshooting, user training / support. Very optimistically real cost to just get built in functionality running to the same level will bring the total to $200/seat or 5.2 million dollars. I have no idea how much of your hardware will need to be upgraded, again with associated labor costs. Add in fees for upgrading Office and 3rd party apps that do not run well Windows 10. And cost of fixed in-house apps.

        I will be happy to assist with

        • by PRMan ( 959735 )
          $5.2 million isn't really that much for a company that employs over 27,000 people.
          • by iamacat ( 583406 )

            Just locking down existing software can be conceivably done in 100K (say a month time for 3 engineers and support for 1% of users who had an unexpected problem). You already have ability to push group policies and remotely install software in bulk right?

            If your company routinely accepts 5000% overspending, this will not be the only project when this happens and expenses add up. Doubly important for a police department or other entity running at taxpayer expense.

             

      • Your scenario means the sysadmins must forever deal with exceptions, control tightly the set of applications, the trusted sources and so on.

        And how is this different from what goes on every day under any scenario dealing with networked computers?

    • I run an XP desktop at my office. It's used exclusively for our high-speed document scanner. It's not allowed on the internet, meaning that it only accepts connections to and from our file server, which is running Debian. I don't see any reason to upgrade to Windows 10 for this use. There are five computers in my office, four of them desktops, so this means that 25% of the desktops at my firm are running Windows XP.

    • by hey! ( 33014 )

      Well, in theory you're right. But as the old engineering saying goes: in theory, theory and practice are the same but in practice they're different.

      Sure, in many cases you can depart from best practices and still be OK ... if you are scrupulous about other best practices. But if the reason you're being cavalier with the rules of thumb you're breaking is that you don't have the budget or bandwidth to implement them, chances are that reason applies across the board.

      So a lot depends on why you do something

  • Bespoke software development isn't the problem, software not developed to sensible cross platform standards is the problem.
    I regularly use a piece of bespoke software that was developed many years ago as a standards compliant webapp, it still works today in all the major browsers on any platform - including on mobile phones, which didn't even have browsers when this software was written.

    If you plan appropriately when acquiring new software, these problems wouldn't occur.

    • by NotAPK ( 4529127 )

      "a standards compliant webapp"

      Sure, but what if the software has to do something with real hardware: machine control, machine vision, network analysis, hardware programming and IO, data logging, etc.... no "webapp" is able to do anything like that. And while a good cross-platform native program will compile cross platform without [much] issue, what about the hardware drivers that you rely on. What if multiple vendors are involved?

      All I'm saying is that it can get really complex really quickly. For my work,

      • what if the software has to do something with real hardware

        then write low level driver code in standard C, and the UI in Java, or BASIC or anything that is not machine dependent. Come on, some of us knew how to do this in 1980.

        OTOH, perhaps the problem is all down to hiring young whipper-snappers, and paying peanuts.

        Anyway, its entirely likely that not even one of the 27,000 XP machines are connected to the Internet anyway. I know its hard for people here to realise it, but there are many uses of compu

        • by NotAPK ( 4529127 )

          "then write low level driver code in standard C"

          While a nice modular approach that will most certainly be platform specific.

          When it comes to hardware IO there is nothing that offers true write-once compile-anywhere... :(

          • But if you do it well you only have to rewrite the hardware specific portion which should be fairy small
    • developed many years ago as a standards compliant webapp, ... If you plan appropriately when acquiring new software, these problems wouldn't occur.

      I'm not sure what you mean by "standards compliant". The standards are only suggestions, and not all browsers followed them, or interpret them differently, and CHANGE how they interpret them over time.

      I've seen web apps "break" and/or degenerate due to browser implementation changes that one could not foresee.

      One really annoying problem is that if Page X opens P

  • M$ doesn't sell or support XP anymore, release the source code and let the market create it's own security patches.

    Win10 is a combination of Spyware and Adware masquerading as an Operating System...

    • M$ doesn't sell or support XP anymore, release the source code and let the market create it's own security patches.

      Maybe everyone can buy patches for windows 2000 server from the Russian mob [zdnet.com] or a github account [softpedia.com]

    • by gtall ( 79522 )

      And remove one of the major clubs MS uses to beat its users into migrating to their latest? They'd be cutting their own throats. Also, XP would then never die, it would get reborn as "MS without MS" and represent a fork of their alleged software that they do not control.

      • Well, if they aren't supporting it or selling it anymore, they should lose copyright protection over it then.

    • This idea has been discussed to death... the drivers and a lot of OS code is protected with NDA from various vendors so they can't release the source code.
    • Re: (Score:2, Interesting)

      by The-Ixian ( 168184 )

      I think you are assuming that every Windows release has different code.

      I would be willing to bet that Windows 10 is basically Windows 2000 with updated UI and a few more drivers baked in to the kernel.

      When a Windows vulnerability affects all previous versions of the OS, it's a strong indicator that this is true.

  • should have..... (Score:4, Insightful)

    by phantomfive ( 622387 ) on Tuesday August 09, 2016 @11:07AM (#52671493) Journal

    'The Met should have stopped using Windows XP in 2014

    The Met should have begun the switch to Linux (or at least open source technologies) in 2001.

  • If the government would have forced Microsoft to open the platform or continue support indefinitely there is no technical reason not to continue using XP. The only barrier right now is the lack of support, which means no security updates.

    But as an operating system it still does the job of launching your applications and getting shit done.

    • It's main danger is in that runs services in the same session as the locally logged-in user (session 0). This will always remain a vector of attack. But other than that, it's just as easy to secure as Win 7.
  • All they need to do is to firewall them with Linux boxes containing two Ethernet cards. Just like everybody else does.

    Some of us ARE stuck on XP. For example, a piece of multi-$M scientific equipment might only have drivers that were issued for XP, back when it was purchased. We don't fix what isn't broken; we firewall or ghostwall it.

  • by superwiz ( 655733 ) on Tuesday August 09, 2016 @11:37AM (#52671805) Journal
    I believe contract-based enterprise support is still available. My retail-licensed XP vm's still get occasional security update pushes, too.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      What you believe is true, despite the click-bait article's allusions. Proof? Here's the Premier Support Agreement that provides support through 2019.

      https://www.london.gov.uk/site... [london.gov.uk]

  • by Stan92057 ( 737634 ) on Tuesday August 09, 2016 @01:45PM (#52672995)
    I think patching security holes be forced on Microsoft. Any new security hole should be a matter of national/World security and if Microsoft refused to path them, then they should be forced to open the source so it can be patched. That is IMO windows is bigger them MS.

If all else fails, lower your standards.

Working...