Some Of The Pentagon's Critical Infrastructure Still Runs Windows 95 And 98 (defenseone.com)
SmartAboutThings writes:
The Pentagon is set to complete its Windows 10 transition by the end of this year, but nearly 75% of its control system devices still run Windows XP or other older versions, including Windows 95 and 98. A Pentagon official now wants the bug bounty program of the top U.S. defense agency expanded to scan for vulnerabilities in its critical infrastructure.
DefenseOne raises the possibility of "building and electrical systems, HVAC equipment and other critical infrastructure laden with internet-connected sensors," with one military program manager saying "A lot of these systems are still Windows 95 or 98, and that's OK -- if they're not connected to the internet." Windows Report notes that though Microsoft no longer supports Windows XP, "the Defense Department is paying Microsoft to continue providing support for the legacy OS."
Yeah. Tons of stuff is old (Score:4, Informative)
You wouldn't believe the crap that gets implemented. In the last three years I've seen new control systems implemented on Windows 2000 Pro because that's what the government agency mandated. It's all over the place, but fortunately in most cases it's not ever internet connected.
Posting AC for obvious reasons.
Re: So do tell (Score:2)
Most likely because it needs to run VB6 scripts to talk to the devices or some .NET flavor, most likely v1 or v2. Bad programmers know only bad languages.
In a lot of cases these companies, especially in the various construction and utilities, will have hired a programmer to make something in the late 90s and that same program now operates their entire fleet of devices. They don't want to spend the money on another programmer or systems design engineer so they still operate on the same hardware, same power s
Re: (Score:2)
I'm sure you have experience porting stuff from the early .NET or VB6 era.
Entire enterprises have been written on the back of Excel scripts, Word integrations and Access databases. VB6 is/was a step up on that and can contain entire ERPs. .NET has improved, but the ancestors of current iterations (anything pre-3.5 IMHO) were horrible to use and had many kludges; most of those kludges are the reasons why there is STILL no backwards or Mono compatibility for many components.
Re: (Score:2)
I'm not surprised that there's still some VB6 apps doing important work out there. Just as I'm not surprised to see features added to ancient RPG programs or web services being created to wrap a bunch of FoxPro modules. Old doesn't mean bad; if it has worked until now, why throw it away.
In 10 years those apps will probably still run, but the countless NodeJs packages and ruby gems and whatnot that are currently hosted on github will be gone.
Re: (Score:1)
I'm not surprised that there's still some VB6 apps doing important work out there. Just as I'm not surprised to see features added to ancient RPG programs or web services being created to wrap a bunch of FoxPro modules. Old doesn't mean bad; if it has worked until now, why throw it away.
In 10 years those apps will probably still run, but the countless NodeJs packages and ruby gems and whatnot that are currently hosted on github will be gone.
I would like to amend that by stating that there will probably be some NodeJS packages and Ruby gems that will be running important pieces of software 10 years from now, like there was countless VB6 software 10 years back.
Re: So do tell (Score:2)
.NET 1.1 and 2 apps run fine on .NET 3.5. I know because we've just had the pleasure of moving a few away from a 2003 server to a 2012 R2 server. 3.5 is still supported until 2023 if not longer on 2012 R2 (not sure whether it's on 2016).
This is a good answer to the previous poster. People use "Redmondware" because software written in 2002 will still work and is still supported in 2017.
Re: (Score:2)
If you're lucky and/or your program is well written or simple enough. There is plenty of stuff that doesn't run, and that's the reason people still run Redmondware from 2002.
Re: (Score:2)
If it works, don't fuck with it.
If it's not connected to the internet, glue up the USB ports, cut the floppy controller cable, and don't worry about it.
Re:So do tell (Score:4, Informative)
At least state governments aren't running that crap. They're all on IBM's much more robust OS/2 Warp. You think I'm kidding...I'm not.
Re: (Score:2)
At least OS/2 has preemptive multitasking and memory protection. I think.
Re: (Score:2)
OS/2 nostalgia is like JFK nostalgia; it's more about an idealized version of what could have been than fond memories of what it actually was.
IBM has created some very advanced stuff for the enterprise, but they don't have a good track record when it comes down to consumer-grade or user-friendly software. Maybe the reason is because they enter the corporate world through the board room and golf greens, forcing their product down the chain of command instead of making things actual users can enjoy.
Windows di
Re: So do tell (Score:2)
SW compatibility. The HVAC monitoring SW was probably written 15-20 years ago, and if it ain't broke, don't spend the money to fix it.
Also, a familiar user interface. When you send the HVAC tech out, everyone has a basic grasp of using Win 95/98. The old guys train the new guys, and the cycle perpetuates.
Re: (Score:2)
Why does any of this run redmondware in the first place?
Because DoD runs software projects the same way the British Army fought the Battle of the Somme. If you want to throw 200 programmers at a project, the only way to recruit that many bodies in a hurry is to go with Windows.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
I think they come included in the next release of systemd.
Re: (Score:3)
Mostly because the military doesn't need or want the latest fad. They need reliability. They have more than sufficient problems executing their missions without constantly changing interfaces and such "features" as automatic software updates made at a time convenient to the vendor.
Also, much military hardware is custom stuff built for a single purpose. The CPUs and OSes (if any) would be selected initially to have sufficient capability for their job, and usually not much more. If they do what's needed,
Excellent comment. Mod parent up. (Score:2)
Code doesn't age, like wine or people. Code always does what it always did.
Re: (Score:2)
They run old systems mainly because the tech companies are not tied into the corruption of the war industrial complex as strongly as the arms and munitions manufacturers, those companies who through major corruptive efforts can force through unnecessary purchases. Basically M$ can not force through upgrades as routine, but that was before Windows 10; now it seems M$ lobbyists have broken through and will be able to force routine across-the-board upgrades. Good, bad, indifferent, secure, insecure, buggy, unrel
Re: (Score:2)
The last military contract I worked on -- a number of decades ago -- was a system that ran on a computer built to military standards using discrete transistors -- none of those fancy IC things. It was nowhere near as powerful as the PC-XTs in our office. But it would run equally poorly in the Arctic in January or the Middle East in July. And the computer would probably survive being inadvertently dropped off a truck by some high school dropout then run over by the next two vehicles in the convoy.
Sure, but for the price of maintaining an antique, you could probably put a more modern computer in every pocket...
Re: (Score:2)
Much of what you say is naive, because old versions of Windows or Linux are full of known security vulnerabilities. So, Windows 2000 may boot, so you say it works. But it is full of security holes that were patched ages ago in newer versions. So while it does work, it's not the works/doesn't work binary test that is really the determiner for suitability; it's the security holes that do not keep the software from working but are there silently waiting. Linux has advantages with being open source, but don't fool you
Re: (Score:2)
Re: (Score:2)
The words private sector, budget issues and easy ongoing staff training got the US
Re: (Score:2)
Because most govt. contracts require the use of COTS products, and until recently there was very little chance of any kind of open source. They want COTS because of the low cost to purchase, w/o consideration of the TCO. As a contractor, we often end up spending tons of time configuring COTS to do things they weren't designed to do originally, and it often ends up costing the govt. more. But don't get me started, I could talk govt. contracting issues all day.
Re: (Score:2)
Re: (Score:2)
Muphry's law strikes again.
Re: (Score:2)
You think that's bad? They still use 8" floppies to control the Minuteman nuclear missiles.
Re: Yeah. Tons of stuff is old (Score:2)
Re: (Score:2)
And just press [Enter] when Windows 98SE asks for the password.
Re: (Score:2)
No, just cancel the dialog box.
And if you're planning to boot up the system frequently, go and delete the *.pwd files in the Windows directory.
Simple Solution: Demand the source code. (Score:2, Interesting)
Microsoft would have a hard time disallowing DoD access at 20 years old and at least 17-20 years out of print.
With the source code, fix the bugs, implement a proper firewall and modern FIPS-certified encryption systems, and call it a day.
People act like just because software/hardware is old, it SHOULD be obsolete. The truth is often the opposite: As long as it does what it is supposed to, reliably and for less than the alternative, it is a good solution.
Furthermore, as clunkily designed as the Win9x series was, it has
Re: (Score:2)
Windows 98 isn't a neat single win98.tgz file that you can download, unpack, and run make on. The build system is probably complex and totally antiquated.
Re: Yeah. Tons of stuff is old (Score:1)
Re: (Score:2)
Re: (Score:2)
I thought support for Windows 2000 ended years ago, so this is mind blowing because it is a known insecure configuration. How could you write a spec like that? No wonder we have security problems.
Re: (Score:2)
And that's secure, as the USB infection vector of a certain bunch of centrifuges can attest.....
In Seattle... (Score:1)
Re: (Score:2)
Who is we? :P
Re: (Score:2)
Probably better than how the EU is doing. Gotta love how the Europeans think they are so awesome, when their unemployment rates suck so bad.
Wow (Score:5, Funny)
Re: (Score:2)
While I don't have any Vista boxes left around, I must say Vista was also the most stable version of Windows for me. I actually managed to get a Vista box, used daily, up to the 497* day limit, which is currently my all-time best Windows uptime record.
* You might recognize 497 days as 10 * 49.7 days, which was the longest Windows 95 could go before it crashed.
Re: (Score:2)
Not on the internet (Score:2)
Hopefully they realize that means more than "there's no Ethernet cable connecting this computer to the network", since it sounds like these ancient systems may be connected in various ways to other equipment.
Re: (Score:3)
Hopefully they realize that means more than "there's no Ethernet cable connecting this computer to the network"
That a piece of equipment is connected to a network via an Ethernet cable does not mean it's connected to the Internet.
Re: (Score:2)
Well, that was more or less my (badly expressed) point.
Let's say this computer is connected to another computer via NetBEUI. If that other computer is exposed to the Internet, then this one is potentially exploitable too.
If there is an Internet connection anywhere within a group of devices using some sort of shared communication protocol (or group of protocols), then all the devices in the group are vulnerable. Sure, an attacker would likely need reasonably detailed knowledge of how the devices communicate,
Re: (Score:2)
USB port? Probably not. Or if there is one, it's likely buried in the back of the unit and uses some weird mil-std connector. Not that there's no risk of compromise during maintenance, but probably nowhere near the situation with commercial hardware.
Re: (Score:2)
The easiest way is to implement the network in a private IP space (like the 192.0.0.0/8 subnet). Done that way, the network can't be connected to the general internet. At all. Ever. And you don't need to request addresses from IANA, either.
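The transitive-exposure point made a few replies up (a device is only as isolated as every segment it shares a protocol with, so one dual-homed box undoes the "not connected to the internet" claim) and the private-addressing suggestion in this post can both be checked mechanically against an asset inventory. The following is an added example, not code from the article or from any poster: the inventory, segment names, operating systems and addresses are constructed for illustration, and the private ranges it checks against are the three RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

```python
"""Exposure analysis over a constructed asset inventory (added example).

Two checks a facilities/IT team could run over a device inventory:
  1. which devices are *transitively* reachable from an internet-connected
     segment (an "air-gapped" HVAC controller that shares a LAN with a
     server that also sits on the office LAN is not isolated), and
  2. which devices on a supposedly isolated segment carry routable
     addresses instead of RFC 1918 private space.
"""
from collections import deque
import ipaddress

# Constructed inventory: device -> OS, attached network segments, address.
# Names, segments and addresses are made up for this example.
DEVICES = {
    "hvac-ctrl-1": {"os": "Windows 95", "segments": ["bms-lan"], "ip": "192.168.10.5"},
    "bms-server":  {"os": "Windows XP", "segments": ["bms-lan", "office-lan"], "ip": "192.168.10.2"},
    "office-pc-7": {"os": "Windows 10", "segments": ["office-lan"], "ip": "10.1.7.30"},
    "chiller-plc": {"os": "Windows 98", "segments": ["plant-lan"], "ip": "203.0.113.9"},
    "gateway":     {"os": "Linux", "segments": ["office-lan", "internet"], "ip": "10.1.0.1"},
}

# Operating systems the thread treats as out of vendor support.
EOL_OS = {"Windows 95", "Windows 98", "Windows 2000", "Windows XP"}

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def exposed_devices(devices, internet_segment="internet"):
    """Breadth-first walk from the internet segment across every device that
    bridges two segments; returns the set of transitively reachable devices."""
    by_segment = {}
    for name, dev in devices.items():
        for seg in dev["segments"]:
            by_segment.setdefault(seg, set()).add(name)

    seen_segments = {internet_segment}
    queue = deque([internet_segment])
    exposed = set()
    while queue:
        seg = queue.popleft()
        for name in by_segment.get(seg, ()):
            if name in exposed:
                continue
            exposed.add(name)
            # A dual-homed device carries exposure into its other segments.
            for other in devices[name]["segments"]:
                if other not in seen_segments:
                    seen_segments.add(other)
                    queue.append(other)
    return exposed


def is_rfc1918(ip):
    """True if the address falls in one of the three RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def findings(devices, internet_segment="internet"):
    """Return (device, issue) pairs, sorted by device name."""
    exposed = exposed_devices(devices, internet_segment)
    out = []
    for name, dev in sorted(devices.items()):
        if dev["os"] in EOL_OS and name in exposed:
            out.append((name, "unsupported OS transitively reachable from the internet"))
        if internet_segment not in dev["segments"] and not is_rfc1918(dev["ip"]):
            out.append((name, "routable (non-RFC 1918) address on an isolated segment"))
    return out


if __name__ == "__main__":
    for name, issue in findings(DEVICES):
        print(f"{name}: {issue}")
```

On the constructed inventory this flags bms-server and hvac-ctrl-1 (the Windows XP server is dual-homed, so the Windows 95 controller behind it is reachable from the office LAN and hence the internet) and chiller-plc for its routable address. The segment graph is the thing to keep current: it is what decides whether "not connected to the internet" is actually true, and a single undocumented second NIC changes the answer.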
Shouldn't be surprising (Score:1)
This is really bad, but it gets much worse... (Score:2)
Especially if you consider that almost two-thirds of US navy planes can't fly. [defensenews.com]
Hope this administration can deliver on their [campaign] promise.
Re: (Score:2, Insightful)
This administration couldn't deliver a pizza given a GPS and a limousine service.
Re: (Score:2)
Sure they could, they'd just charge you for the free delivery afterwards and then refuse to pay the limo driver.
military grade linux ? (Score:5, Interesting)
you really have to wonder
1 the source would be available so they never have to worry about obsolescence.
2 it runs on all sorts of hardware so they could maintain very nice consistency across many processors/platforms
3 the NSA is working on secure linux, and could certainly help to harden military grade linux
4 to get work done, they could fund open-source efforts. the work would help the military and the country alike.
probably makes too much sense. much better to have a closed-source, proprietary system that can never, ever be secure.
plus it's more expensive !
Re: (Score:3, Informative)
The US Defense Department used to fund OpenBSD, until Theo de Raadt criticized the war in Iraq.
http://www.computerworld.com/article/2580728/security0/darpa-pulls-funding-for-openbsd--leader-says.html [computerworld.com]
Re: (Score:2)
The one place I ran into Windows 3.1 where I work (state agency) it was running a product called Johnson Controls Metasys - its used to program HVAC controllers - that control the physical devices to cool/heat/duct buildings (and read all the zillions of temperature sensors in a given building). There are newer versions of Metasys that will run on Windows 10, but they require upgrading all the controllers. Upgrading the controllers in a single building was around 250,000 dollars. It was one of those things
Re: (Score:2)
It was one of those things where I was like - if facilities wants to deal with this I'll wash my hands of it.
If they knew what they were doing, they didn't want you touching it anyway. Your job is to keep the office computers upgraded and the toner cartridge in the laserjet fresh.
That their HVAC controller ran on Windows 3.1 was no more relevant to IT than the fact that the ducts were made of 14ga galvanized steel. If there are metallurgists in the engineering department of the company that resides the b
Re: (Score:1)
Everybody has problems with the CAC system. It's a POS. They really should move on. I think it was made by Wonder Systems. If it works, it's a wonder.
Our heating system is run by Win 95 Big deal (Score:5, Interesting)
Re: (Score:2)
Ah so that's why every 49.7 days it's freezing cold
Re: (Score:2)
Paid support (Score:2)
So does that mean the DoD can run Windows XP on Ryzen?
Easy fix... (Score:1)
If they're critical, don't connect them to the internet. See, that was easy, wasn't it.
Connecting critical infrastructure to the internet is like putting a top secret next gen nuclear bomb on display in the middle of LA and expecting nobody to try and fuck with it... But I can all the wannabe IT "professionals" out there saying "but a proper firewall and vpn along with continuous monitoring will keep things safe"... no, it won't, you fucking retard... firewalls, vpns, and monitoring systems aren't much b
the B52's still work (Score:3)
Re: (Score:2, Insightful)
Great, now I need to watch the Battlestar Galactica reboot again...
"So let me get this straight. You're saying that the Cylons found a way to use your navigation program to disable our ships?"
"Essentially, uh, yes. I think they're using the CNP to infect your ships with some kind of computer virus, which makes them susceptible to Cylon commands."
"Uh, well, you can see we do have your CNP navigation program here on Galactica, but... our computers aren't networked, so it's never been loaded into primary memor
why to update if it's not broken? (Score:1)
At some point I was working for a company providing software largely used for defense. It was the mid 90s, a time when most of the large shops ran IBM mainframes. By that time the mainframe operating system had gone through many generations, yet some of our government users ran fairly ancient versions of the OS (and I assume fairly ancient hardware as well). Their logic was "why upgrade if it's not broken". So we had one mainframe running VM (IBM virtual machine) and every time we had a problem report, we had to bring up
Re: (Score:2)
There were probably electric motors in some of the equipment in that cheese processing plant from the Windows 3.1 era.
PLC and Controls vs Typical IT systems. (Score:1)
This is a world of hurt (Score:2)
Re: (Score:2)
The Pentagon and DOD would be playing with fire if the decided they needed to redo everything for the 'latest greatest' every time anything new came along.
A 'grand strategy to convert everything, everywhere, to whatever you're claiming is the do-all end-all choice (PCBSD?) is obsolete by your definition two weeks from now.
I guess, though, that if everything had been hard coded using Slackware in 1995 it would all be just super in your opinion.
Re: (Score:2)
> While I am sure that they are running a plethora of Windows only software that they likely feel trapped in, they really need to think much further ahead than Windows 10. They need a department for handling and developing operating systems and software in house. I would say move all desktops to a hard implementation of PCBSD. That is, unless they really need to play 3D video games. I am not talking tomorrow. But if they look at it, and come up with a strategy for conversion including developing their ow
Re: (Score:2)
Not good (Score:2)
Also a problem on Linux (Score:3)
To be fair, Linux has many of these same problems, in particular because newer versions break compatibility with old hardware, which forces old versions of the OS to be used on the old hardware. For instance, this happened with X11 when they removed XAA, which broke support for a vast array of older video cards. This disregard for backward compatibility keeps people using old, security-hole-filled versions of software. Many warned against removing XAA, but the lead developers basically don't give a damn about users. The "let's remove old cruft and destroy backwards compatibility" people should also be ignored, since you end up creating compatibility problems that keep people using older insecure versions.
Re: (Score:1)
That's fine. Keep them off a network.
Good! (Score:2)
With 20+ years of testing, all the bugs are ironed out and I am confident the military is able to act in a crisis. I don't want America to lose a battle because all of the soldiers' rifles are installing Windows 10 updates at an inconvenient time.
How do they get away with this? (Score:1)
I've worked for a number of agencies off and on over the years. Every one of them, on a quarterly basis, has to tell the big wigs (that's a technical term) how many of [fill in the blank] there are. The agency I'm at right now still has a blank for Windows 95, NT, etc. This one has all zeros up to 2008. That's been the situation for years.
One thing I keep hearing is IT is really expensive. Hardware, SAN and everyone to keep it running. SAN storage they want you to plan on a 3 year life, believe it or not. Whe
VM (Score:2)
Never mind stuff that isn't reported because it is running in a VM.
Was having a pickle of a time trying to remotely troubleshoot wtf was going on with a client. They were trying to access a corporate application remotely, using a VPN through the corporate firewalls and network, using Citrix (more or less a virtual desktop), and their print and network locations within the application were having trouble. They were running "Windows 7"... However, after a lot of digging (because the client doesn't really know), I found
So What (Score:2)
And the financial markets are still using COBOL...so what?
Re: (Score:2)
Where did you get the idea they were running software with heartbleed in the kernel?