
The Military Bug Microsoft Security United States Windows

Some Of The Pentagon's Critical Infrastructure Still Runs Windows 95 And 98 (defenseone.com) 152

SmartAboutThings writes: The Pentagon is set to complete its Windows 10 transition by the end of this year, but nearly 75% of its control system devices still run Windows XP or other older versions, including Windows 95 and 98. A Pentagon official now wants the bug bounty program of the top U.S. defense agency expanded to scan for vulnerabilities in its critical infrastructure.
DefenseOne raises the possibility of "building and electrical systems, HVAC equipment and other critical infrastructure laden with internet-connected sensors," with one military program manager saying "A lot of these systems are still Windows 95 or 98, and that's OK -- if they're not connected to the internet." Windows Report notes that though Microsoft no longer supports Windows XP, "the Defense Department is paying Microsoft to continue providing support for the legacy OS."


  • by Anonymous Coward on Saturday April 29, 2017 @02:01PM (#54325843)

    You wouldn't believe the crap that gets implemented. In the last three years I've seen new control systems implemented in Windows 2000 Pro because that's what the government agency mandated. It's all over the place but fortunately in most cases it's not ever internet connected.

    Posting AC for obvious reasons.

    • You think that's bad? They still use 8" floppies to control the Minuteman nuclear missiles.

      • Now I need this in the next James Bond or Mission Impossible movie. Our dashing hero shows up with all the latest high-tech spy gear, ready to hack into the mainframe (or whatever technobabble) only to be confronted with these archaic systems.
    • by Anonymous Coward

      Microsoft would have a hard time disallowing DoD access at 20 years old and at least 17-20 out of print.

      With the source code fix the bugs, implement a proper firewall and modern FIPS certified encryption systems, call it a day.

      People act like just because software/hardware is old, it SHOULD be obsolete. The truth is often the opposite: As long as it does what it is supposed to, reliably and for less than the alternative, it is a good solution.

      Furthermore, as clunkily designed as the Win9x series was, it has

      • Windows 98 isn't a neat single win98.tgz file that you can download, unpack, and run make on. The build system is probably complex and totally antiquated.

    • not connected to the internet... here's your sign
    • How do they get the licenses for such old software? Ebay? Or is it best not to ask such questions?
    • I thought support for Windows 2000 ended years ago, so this is mind blowing because it is a known insecure configuration. How could you write a spec like that? No wonder we have security problems.

    • And that's secure, as the USB infection vector of a certain bunch of centrifuges can attest.....

  • ...we still run Windows 3.0 with dialup Internet.
  • Wow (Score:5, Funny)

    by Patent Lover ( 779809 ) on Saturday April 29, 2017 @02:04PM (#54325851)
    They should really upgrade to Vista.
    • Wow! 2095!
  • Hopefully they realize that means more than "there's no Ethernet cable connecting this computer to the network", since it sounds like these ancient systems may be connected in various ways to other equipment.

    • Hopefully they realize that means more than "there's no Ethernet cable connecting this computer to the network"

      That a piece of equipment is connected to a network via an Ethernet cable does not mean it's connected to the Internet.

  • We're living in a time where we're building critical infrastructure expected to last decades and integrating it with IT equipment with a lifespan of a few years. So the options are to perform major infrastructure upgrades every few years (which is expensive) or run seriously outdated software (possibly dangerous).
  • Especially if you consider that almost two-thirds of US navy planes can't fly. [defensenews.com]

    Hope this administration can deliver on their [campaign] promise.

  • by cats-paw ( 34890 ) on Saturday April 29, 2017 @02:37PM (#54325939) Homepage

    you really have to wonder

    1. the source would be available so they never have to worry about obsolescence.
    2. it runs on all sorts of hardware so they could maintain very nice consistency across many processors/platforms
    3. the NSA is working on secure Linux, and could certainly help to harden military grade Linux
    4. to get work done, they could fund open-source efforts. the work would help the military and the country alike.

    probably makes too much sense. much better to have a closed-source, proprietary system that can never, ever be secure.
    plus it's more expensive!

    • Re: (Score:3, Informative)

      by Anonymous Coward

      The US Defense Department used to fund OpenBSD, until Theo de Raadt criticized the war in Iraq.

      http://www.computerworld.com/article/2580728/security0/darpa-pulls-funding-for-openbsd--leader-says.html [computerworld.com]

    • The one place I ran into Windows 3.1 where I work (state agency) it was running a product called Johnson Controls Metasys - its used to program HVAC controllers - that control the physical devices to cool/heat/duct buildings (and read all the zillions of temperature sensors in a given building). There are newer versions of Metasys that will run on Windows 10, but they require upgrading all the controllers. Upgrading the controllers in a single building was around 250,000 dollars. It was one of those things

      • It was one of those things where I was like - if facilities wants to deal with this I'll wash my hands of it.

        If they knew what they were doing, they didn't want you touching it anyway. Your job is to keep the office computers upgraded and the toner cartridge in the laserjet fresh.

        That their HVAC controller ran on Windows 3.1 was no more relevant to IT than the fact that the ducts were made of 14ga galvanized steel. If there are metallurgists in the engineering department of the company that resides the b

  • by jfdavis668 ( 1414919 ) on Saturday April 29, 2017 @02:38PM (#54325945)
    I work in a building where the heating system is controlled by a Windows 95 machine. Big deal. It's not network connected, and runs like a champ. It only changes the configuration of the system, it doesn't run the system minute by minute. If it goes down, we can recreate it easily. Worry about business critical infrastructure, not old hardware that works.
  • So does that mean the DoD can run Windows XP on Ryzen?

  • If they're critical, don't connect them to the internet. See, that was easy, wasn't it.

    Connecting critical infrastructure to the internet is like putting a top secret next gen nuclear bomb on display in the middle of LA and expecting nobody to try and fuck with it... But I can all the wannabe IT "professionals" out there saying "but a proper firewall and vpn along with continuous monitoring will keep things safe"... no, it won't, you fucking retard... firewalls, vpns, and monitoring systems aren't much b

  • by turkeydance ( 1266624 ) on Saturday April 29, 2017 @02:57PM (#54326009)
    since they are not getting forced updates
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Great, now I need to watch the Battlestar Galactica reboot again...

      "So let me get this straight. You're saying that the Cylons found a way to use your navigation program to disable our ships?"
      "Essentially, uh, yes. I think they're using the CNP to infect your ships with some kind of computer virus, which makes them susceptible to Cylon commands."
      "Uh, well, you can see we do have your CNP navigation program here on Galactica, but... our computers aren't networked, so it's never been loaded into primary memor

  • by Anonymous Coward

    at some point I was working for a company providing software largely used for defense. it was the mid 90s, a time when most of the large shops ran IBM mainframes. by that time the mainframe operating system had gone through many generations, yet some of our government users ran fairly ancient versions of the OS (and I assume fairly ancient hardware as well). Their logic was "why upgrade if it's not broken". so we had one mainframe running VM (IBM virtual machine) and every time we had a problem report, we had to bring up

  • I see this time and time again in the controls field. Though we may cross over with the IT sector, machine control is a completely different beast. It isn't about swapping out a computer. There are a plethora of closed communications protocols, old SCADA-package-specific libraries and binaries, and lots of those functions in the script have to be rewritten. It is great when you have a PLC doing the controls and the SCADA package acting as an HMI, because you can develop the new system in parallel to the exis
  • The Pentagon and DOD are playing with fire. I have few qualms with closed source in the consumer arena, but this is a great example of an entity needing to take total ownership of what is theirs. They say these systems are not connected to the internet (I doubt they are really sure), but if they are on a larger network that is, that may not matter. As much as I love open source, I am not typically the zealot that knee jerks straight to that route. This is a bit different. This is my government. While I am s
    • The Pentagon and DOD would be playing with fire if they decided they needed to redo everything for the 'latest greatest' every time anything new came along.

      A 'grand strategy' to convert everything, everywhere, to whatever you're claiming is the do-all end-all choice (PCBSD?) is obsolete by your definition two weeks from now.

      I guess, though, that if everything had been hard coded using Slackware in 1995 it would all be just super in your opinion.

    • by Wolfrider ( 856 )

      > While I am sure that they are running a plethora of Windows only software that they likely feel trapped in, they really need to think much further ahead than Windows 10. They need a department for handling and developing operating systems and software in house. I would say move all desktops to a hard implementation of PCBSD. That is, unless they really need to play 3D video games. I am not talking tomorrow. But if they look at it, and come up with a strategy for conversion including developing their ow

  • Comment removed based on user account deletion
  • Why is ANY critical infrastructure being run by ANY Windows product? Not good.
  • by Eravnrekaree ( 467752 ) on Sunday April 30, 2017 @11:18AM (#54329053)

    To be fair, Linux has many of these same problems, in particular because newer versions break compatibility with old hardware, which forces old versions of the OS to be used on the old hardware. For instance, this happened with X11 when they removed XAA, which broke support for a vast array of older video cards. This disregard for backward compatibility keeps people using old, security-hole-filled versions of software. Many warned against removing XAA, but the lead developers basically don't give a damn about users. The "let's remove old cruft and destroy backwards compatibility" people should also be ignored, since you end up creating compatibility problems that keep people using older insecure versions.

  • With 20+ years of testing, all the bugs are ironed out and I am confident the military is able to act in a crisis. I don't want America to lose a battle because all of the soldiers' rifles are installing Windows 10 updates at an inconvenient time.

  • I work for a number of agencies off and on over the years. Every one of them on a quarterly basis have to tell the big wigs (that's a technical term) how many of fill in the blanks there are. The agency I'm at right now they still have a blank for Windows 95, NT, etc. This one has all zeros up to 2008. That's been the situation for years.

    One thing I keep hearing is IT is really expensive. Hardware, san and everyone to keep it running. SAN storage they want you to plan on a 3 year life believe it or not. Whe

  • Never mind stuff that isn't reported because it is running in a VM.

    Was having a pickle of a time trying to remotely troubleshoot wtf was going on with a client. They were trying to access a corporate application remotely, using a VPN through the corporate firewalls and network, using Citrix (more or less a virtual desktop), and their print and network locations within the application were having trouble. They were running "Windows 7"... However after a lot of digging (because the client doesn't really know), I found

  • And the financial markets are still using COBOL...so what?

