Maybe theres less MS telemetry in Windows XP, unlike the windows 10 telemetry which has been back ported to windows 7, besides you can also change windows drivers quite easily to run on other versions of windows, and lets face it, how hard will it be to hack a satellite linked floating steel box? Perhaps the UK Govt has some IDS/IPS set up on the satellite link?
Or when looking at how little of the MS Windows core has changed over the years think wannacry & SMB v1 despite rebranding and new layers like dot net added to keep people busy using a different method to code a result, I sometimes wonder if all these different versions are just an exercise in keeping people indoors out of harms way.
It's a bit disingenuous to say that a ship is ’running’ an OS. It isn't like a computer that is entirely managed by a given software system. Here computers are but one component of an integrated system, and I'm presuming these systems are air-gapped and not connected to public networks. I'd be very surprised if these machines were reachable by public networks, or indeed any network at all that originates beyond the confines of the ship itself.
And by God doesn't it irk me to hear mentions of ’cyber’ as if it were an object.
Presumably there must be some connectivity from onboard networks - even if only while in port?
[NB I meant to watch as HMSQNLZ sailed down the Forth last night - but was later than I was expecting. The MarineTraffic app currently has her doing circuits out in the North Sea past the mouth of the Forth]
Never assume that a large organisation has a sane computer policy. For example the computers in voting machines and cars both have the least sane design you could think up. I don't see why the navy would be any more competent.
Just because they're only a part of a system doesn't mean they're not crucial[1]. Also its alarming how many systems you would presume are air-gapped but actually aren't, and air-gapping doesn't prevent PEBKAC errors (eg stuxnet being spread by flashdrive)
You've got it backwards. That situation happened because a "more technology because computers and buzzwords and shit" resulted in political pressure to get stuff done and the end result was an OS jammed into a place it shouldn't have been without more testing and 3hr of downtime. That's why we run software that's been verified to work even if it's old.
Not easily accessible doesn't mean inaccessible and invulnerable. Having a vulnerable OS means if it can be accessed even for a short time then you're done. Also in integrated systems Computers form an integral part where most of the automatic stuff happens. Most of the monitoring of all the dials you see in movies is done by computers. Screw that up and you have a big problem in your hands. Your ship may start sinking and you may not even know because the OS misinterpreted the input from a sensor responsible for this because of data corruption.
As systems become more sophisticated, manual intervention becomes that much more difficult and vulnerable systems create that much more weak spots. So screw up a system to sink a ship may one day become a reality.
Something similar to the stuxnet approach (sprinkle infected USB drives around employees hoping they'll bring it into the facility) or spearphishing will easily work on sailors whenever they bring "reading material" from shore to the ship; and from there it's just a matter of some sloppiness (which is likely to happen) and the malware will spread from the personal devices to the ship's systems.
The really devious approach would be to embed malware in the billions of USB keys manufactured in China every year. Not too hard if you make USB flash controllers.
In fact I'd be surprised if $large_nation_states aren't doing this already.
That would burn the vulnerabilities/exploits you use in this malware (e.g. stuxnet used 4 zero-days that weren't discovered for years after it had been first deployed), causing them to be detected, the particular holes fixed, and the signature of that particular malware added to detection lists.
No, you most likely want a targeted attack - manufacture such USB keys, distribute them only where you want them to be, and implement various triggers for the malware to delete itself (expiry date, IP ranges, regional settings) so that it doesn't spread worldwide beyond where you want it. Infecting millions of non-target systems is undesirable, that's how Stuxnet got discovered.
Seriously, I doubt that sailors and officers could be so clueless as to plug random USB drives into their embedded computers. Indeed I'd be really surprised if these machine's ports were exposed and their USB mass storage device drivers not disabled.
On the other hand naval ships are increasingly designed around onboard distributed datacenters, where IT is grabbing the power: everything runs in virtualized, HA environments.
Just like the rest of the world, eaten by software.
Maybe I'm being myopic here, but is there any sane (as opposed to red-tape based or political) reason to use Windows in an application like this? HMS Queen Elizabeth wasn't ordered until 2008, and construction didn't even begin until mid-2009, so there's not even the excuse that some Linux or BSD distribution wasn't production-ready. I really can't think of a single advantage that XP has here that some more open, safer operating system doesn't, and I can think of plenty of disadvantages with XP.
>> so there's not even the excuse that some Linux or BSD distribution wasn't production-ready
Possible there's a lot of custom software used across the navy which is only support on Windows XP. Maybe too costly to rewrite than for another system and have it interoperate with other ships etc. on the old (current) system.
More likely, the manufacturer simply couldn't be arsed to use anything better. This sort of contract is rarely decided on features - it's settled by long-winded political process (where will the ship be built? What country will supply parts? Etc etc) between a very small array of suppliers (if there is an array at all, more often it's a single company in each country), where OS choice is probably the lowest priority. In fact, UK Navy upper echelons might have even preferred XP because it didn't require any extra training for their existing workforce.
That's it exactly. The software was already written to run on XP and the crew trained to use those versions of the software. As long as the ship's hardwired-only network is secured from the outside and physical access is limited (disable USB ports, lock down BIOS, locked cabinets, sealed ethernet conduits, etc), you won't have any problems with typical malware and people will have less opportunity to infect systems. Additionally, you can run whitelists to limit what files can even exist on the system or be run. As long as the firewall is strong, network access is restricted to need based, and any servers are fully patched, the various clients on the ship don't need any additional protection from attacks.
As an argument of running on Windows maybe, but I can't really see how that would restrict you to Windows XP. It will probably cost them more to make sure new software can run on Windows XP, than porting the few pieces of software that couldn't run on more modern versions.
It takes millions of pounds and several years to develop military systems. The computers running the systems (everything from heating/cooling, to engine management) are integral parts of these systems, and explicitly configured to do these specific tasks. These task-orientated units would have be designed down to the nth degree, complete with extensive operating/troubleshooting manuals and config guides, including approved 'gold images' to rebuild them easily if required. Swapping out the base OS needlessly (if it's still capable of performing its duties) would require an extensive rebuild of the system concerned, again taking years to get through all the admin, testing, and sign off hoops.
I very much doubt when it says 'running XP' it means the general purpose computers for end-users to use.
Obviously, if these XP machines are not air-gapped, or behind hardware firewalls (with very restrictive rulesets) away from the general internet, then that's insane. Cynical as I am, I still have a hard time believing that these XP machines would be remotely accessible from outside the ship in question.
Edit: I've zoomed in on the image in question. Yes that's a Windows XP lock screen (the header of the dialog is blue, if it was Windows Server 2003, it'd be grey) However it's in 'classic theme' mode. As it's on the lock screen, then that's a 'system wide' setting, which infers that the themes service is disabled. If they've disabled the themes service, then it's safe to assume that lots of other parts have been disabled or locked down also. This doesn't make XP safe, but it does at least a) mitigate the risk somewhat, and b) indicate that steps have been taken to secure the OS.
Doesn't mean the security or the quality is up to spec however. Most of the defence sector people I've worked with pretty much run on procedural knowledge developed independently rather than using their nut or consulting the rest of the industry.
Your link describes exactly the situation that boatloads of testing and a massive QA process are put in place to avoid. They slapped NT on something quickly and it broke. The result of extensive QA safeguards is that it takes time to roll out code and you get an outdated OS but with a far smaller chance of those sorts of failures.
> The source of the problem on the Yorktown was that bad data was fed into an application running on one of the 16 computers on the LAN. The data contained a zero where it shouldn't have, and when the software attempted to divide by zero, a buffer overrun occurred – crashing the entire network and causing the ship to lose control of its propulsion system.
For the requirements you correctly identified - very long service times, very strict reliability requirements, etc, I think it's insane to rely on a closed source operating system in the first place. With open source you can always hire some programmers to fix bugs. With Windows you're at the mercy of Microsoft.
If ever there were a situation where that argument didn't apply, surely this is it.
This is a multi-billion project, in the defence sector, for a major US ally.
So for one thing, it seems very likely that someone involved in the carrier project does have access to all the relevant Windows source and build infrastructure, one way or another. Relevant Microsoft staff have probably been checked as well.
In any case, obviously you can't install some OSS and then just "hire some programmers" to fix bugs in this environment.
Using Windows on naval vessels is not unprecedented. The US Navy "Windows for Warships" situation showed that it is already done, and sometimes problems are then found in trials, and those problems do then have to be fixed.
> With open source you can always hire some programmers to fix bugs.
That might work for changing the text on a web site running Drupal 6 ten years later, but thinking that this sentence makes any sense when you're talking about a huge distributed system ported from probably some commercial Unix-like or even bare-metal Ada or whatever to NT then that's just a very naive sentiment.
Speaking of which, a commercial Unix might actually be the best choice for these kinds of systems.
The Royal Navy has the budget and bargaining power to sign a multi-decade support contract from the likes of IBM, HP, and Oracle. The latter already offers 24 years of support for the latest series of Solaris; maybe they can add another dozen years on top of that if you throw enough money in their general direction. By contrast, no version of Windows has been supported for more than 13 years (though they might also offer special long-term contracts), and most flavors of Linux only get 5-10 years.
It is. They jokingly call it "Windows for Warships", because instead of taking the time to develop a more-or-less dedicated OS to run the entire ship, they used OTS software. It is and was a terrible idea.
What are you suggesting? Building atop Unix or building a custom OS?
Microsoft essentially does develop a custom version of Windows for mission critical state-backed infrastructure, which is most certainly not the "off the shelf" version.
It's odd. We have so many government resources dedicated to offensive software weapons. Other comments mentioned Microsoft being more willing to support their OS long term than Redhat..
Why not build the capability within the military itself to build and maintain specialized *nix-based OS's for precisely this situation? Then you have indefinite support and on-site capabilities.
Having worked deep in the OS space in a past life, I could probably list 100 top people in the space. Of the first 20 that come to mind, I can't imagine a single one of them wanting to build for the military (at least as a permanent employer)
''Despite the concerns of some engineers, SMCS-NG was created as a port to Microsoft Windows of the SMCS infrastructure and applications, a move which some commentators have termed "Windows for Warships".
The UK's Defence Ministry later gave assurances, through questions in the UK parliament, that this is a low risk use of Microsoft Windows. However, some other suppliers have taken a different path.
The console for the new Sonar 2076 supplied by Thales Underwater Systems for the Astute class submarines, and which may be retro-fitted to other classes, are built as PCs running Linux rather than Windows.''
Sometimes truth really is stranger than fiction. This is not an old computer producing colours in a paint shop. This is on a war machine, can't believe it.
You're right. I was also alluding to the fact that they don't have catapult system, but instead a lame-looking ramp on the end. So not only does it visually look pathetic, but it is also running Windows XP which can't help its rep either.
This will be a special version of windows XP with all the rubbish taken out and only the required services running etc. We used a similar version of XP as a base OS for a security camera control device.
It will have been security validated to the extreme and to assume it is anything like the commerical version is wrong
Does it feature the bugs that WannaCry utilised? When you were tested those bugs were probably not known yet, so what if they are in the specialised version as well? I guess a security camera is connected to a network?
It sounds to me as if it's still a version of Windows XP (or 2000)? That means that although it's adapted, it likely still has problems that appear in Windows XP.
If you use a specialised, highly adapted version of an OS, why not base it on Linux? Wouldn't that be easier than paying Microsoft to be able to change the kernel of XP?
> If you use a specialised, highly adapted version of an OS, why not base it on Linux?
Why not something that isn't made of "swiss cheese"? With an old Linux system you have exactly the same problems as with an old Windows, probably even more.
Sticking "Linux" and "Open Source will save this" into it does not tangibly improve the situation.
(There are operating systems with a very good maintenance, stability and security track record that could be used for some of these cases, but seemingly aren't)
You could potentially patch the kernel without support from another company. If Microsoft never gave them the source code, could they fix a bug with no help from Microsoft?
It's reasonable to assume that they have access to Windows XP source code and also the extended non-public support for Windows XP by Microsoft itself; MS is known to provide such services to defence contractors.
But can you build the kernel by yourself? Aircraft carriers are designed for several decades, so you need to make sure that you could fix a bug in 2035. Wouldn't rely on a contract there. Especially if it's a company in another country (even for allies).
I cannot think of many reasons to run RHEL and pay Redhat, but if I was building a warship for 3.5 billion, I'd install RHEL on it and pay to have my version of the OS maintained indefinitly.
My understanding from an engineer who worked on UK military projects and UK satellites (not sure if there was overlap there) was that RHEL was far less willing to enter extremely long-term support contrtacts than Microsoft, and THAT was the one requirement that allowed even Vista to trump RHEL for some mission-critical systems.
Could be the different use cases, too. Also been a few years since I was up to date, but Windows certainly used to dominate the control systems market a bit more than the server market.
And i have long wondered if the real push behind Wayland is not that X is "broken" but that X is a bad fit on IVI and similar uses, because of various overheads.
I used to work for a defense contractor. MS does offer continued support for XP if your pockets are deep enough. The US Navy has deep enough pockets IIRC. I dunno about anyone on the wrong side of the pond but it's possible they shelled out for it. A different commenters mentioned paying to have an OS maintained indefinitely. That's probably exactly why they're running XP.
Systems like this have the same "we proved it worked correctly once, do you really want to screw with it?" factor as the space shuttle. Proper functionality has been verified with those systems using XP. That goes out the window if you do a major upgrade. All the layers of security you need to implement elsewhere because the OS is fundamentally outdated and insecure is still easier than upgrading the OS. Finally, if an attacker can manipulate those systems then you've already lost. Defense in depth is important but serious defense at these levels is like a "no trespassing, police take notice" sign on the inside of your bank vault above a pile of gold bars.
I agree they probably should have been based on a unix system from the beginning but a lot of these hardware/software system passed the point of no return for the OS portion of their design a decade or more ago when XP wasn't an insane choice. The industry is slowly coming around.
edit: There are a lot of people in here who need to realize that you know very little about the hardware, performance and software requirements of the system. Just because you can write code in the trendy language of the day and use docker to cover up systemic reliability issues that would cripple a LAMP stack does not make you qualified to armchair engineer a software stack that people's lives depend on. This article should make you wonder what set of constraints resulted in them running XP. They did it for a reason. Nobody runs an OS that old without a really good reason.
Indeed. Anecdote: Several years ago I worked on a U.S. GOSS (Government Open-Source Software) project that was a web app that allowed different apps running on different domains to function as "widgets" and allowed cross-domain communication between these apps in a drag-and-drop window environment in the browser. The intention was small apps could be composed into larger apps by allowing them to communicate with each other in this environment.
It supported multiple browsers, including IE7 in as late as summer 2014, because end-users in the U.S. Navy had machines that only had IE7. Countless man-hours (and U.S. taxpayer dollars) were spent to ensure all features worked in IE7, including drag-and-drop and responsive UI.
That project was the single biggest driver for me to get the hell out of the government contracting world and into the "truly" private sector. At least at a startup I can say more or less "if it works in Chrome, it works."
I know a lot of people think that choosing XP is crazy but I did an evaluation of an operating system for a video processing system around 2003. I was sure that Linux would win easily but after looking at support options, long term maintenance, software availability and a few other factors Windows XP Embedded actually came out ahead.
I probably would have gone with Linux anyway but if you have to do a "neutral" vendor assessment Windows doesn't look that bad. You can't just put "Windows sucks" into your report.
I think it's because it's XP, not Windows, being used on a ship that won't even be deployed for several years yet, not for one that was deployed back in 2003.
Here's a very interesting link I came across from December of 2015, which claims:
“The MoD can confirm that Windows XP will not be used by any onboard system when the [HMS Queen Elizabeth] becomes operational,” the spokesman added. “This also applies to HMS Prince of Wales.”
Well some of the US Navy computers still use DOS 6 and Windows NT4. Can't say which ones but they are not connected to any network and still use 3.5 floppies.
90 comments
[ 4.2 ms ] story [ 191 ms ] threadhttps://governmenttechnology.blog.gov.uk/2015/05/22/update-o...
I don't think it work out as a cost effective saving of course, as the NHS was badly hit by WannaCry as we all know.
Or when looking at how little of the MS Windows core has changed over the years think wannacry & SMB v1 despite rebranding and new layers like dot net added to keep people busy using a different method to code a result, I sometimes wonder if all these different versions are just an exercise in keeping people indoors out of harms way.
And by God doesn't it irk me to hear mentions of ’cyber’ as if it were an object.
[NB I meant to watch as HMSQNLZ sailed down the Forth last night - but was later than I was expecting. The MarineTraffic app currently has her doing circuits out in the North Sea past the mouth of the Forth]
[1] See https://en.wikipedia.org/wiki/USS_Yorktown_(CG-48) where a divide-by-zero error brought down the ships propulsion for almost 3 hours.
As systems become more sophisticated, manual intervention becomes that much more difficult and vulnerable systems create that much more weak spots. So screw up a system to sink a ship may one day become a reality.
Something similar to the stuxnet approach (sprinkle infected USB drives around employees hoping they'll bring it into the facility) or spearphishing will easily work on sailors whenever they bring "reading material" from shore to the ship; and from there it's just a matter of some sloppiness (which is likely to happen) and the malware will spread from the personal devices to the ship's systems.
In fact I'd be surprised if $large_nation_states aren't doing this already.
No, you most likely want a targeted attack - manufacture such USB keys, distribute them only where you want them to be, and implement various triggers for the malware to delete itself (expiry date, IP ranges, regional settings) so that it doesn't spread worldwide beyond where you want it. Infecting millions of non-target systems is undesirable, that's how Stuxnet got discovered.
Just like the rest of the world, eaten by software.
There was an MOD denial some years ago but the phrase 'when the ship becomes operational' was used. So possibly 'Windows for warships' during trials.
Possible there's a lot of custom software used across the navy which is only support on Windows XP. Maybe too costly to rewrite than for another system and have it interoperate with other ships etc. on the old (current) system.
I very much doubt when it says 'running XP' it means the general purpose computers for end-users to use.
Obviously, if these XP machines are not air-gapped, or behind hardware firewalls (with very restrictive rulesets) away from the general internet, then that's insane. Cynical as I am, I still have a hard time believing that these XP machines would be remotely accessible from outside the ship in question.
Edit: I've zoomed in on the image in question. Yes that's a Windows XP lock screen (the header of the dialog is blue, if it was Windows Server 2003, it'd be grey) However it's in 'classic theme' mode. As it's on the lock screen, then that's a 'system wide' setting, which infers that the themes service is disabled. If they've disabled the themes service, then it's safe to assume that lots of other parts have been disabled or locked down also. This doesn't make XP safe, but it does at least a) mitigate the risk somewhat, and b) indicate that steps have been taken to secure the OS.
This whole thing has gone wrong before: https://www.wired.com/1998/07/sunk-by-windows-nt/
In this case, quite literally so.
This is a multi-billion project, in the defence sector, for a major US ally.
So for one thing, it seems very likely that someone involved in the carrier project does have access to all the relevant Windows source and build infrastructure, one way or another. Relevant Microsoft staff have probably been checked as well.
In any case, obviously you can't install some OSS and then just "hire some programmers" to fix bugs in this environment.
Using Windows on naval vessels is not unprecedented. The US Navy "Windows for Warships" situation showed that it is already done, and sometimes problems are then found in trials, and those problems do then have to be fixed.
That might work for changing the text on a web site running Drupal 6 ten years later, but thinking that this sentence makes any sense when you're talking about a huge distributed system ported from probably some commercial Unix-like or even bare-metal Ada or whatever to NT then that's just a very naive sentiment.
The Royal Navy has the budget and bargaining power to sign a multi-decade support contract from the likes of IBM, HP, and Oracle. The latter already offers 24 years of support for the latest series of Solaris; maybe they can add another dozen years on top of that if you throw enough money in their general direction. By contrast, no version of Windows has been supported for more than 13 years (though they might also offer special long-term contracts), and most flavors of Linux only get 5-10 years.
Microsoft essentially does develop a custom version of Windows for mission critical state-backed infrastructure, which is most certainly not the "off the shelf" version.
Why not build the capability within the military itself to build and maintain specialized *nix-based OS's for precisely this situation? Then you have indefinite support and on-site capabilities.
It's all outsourced to contractors making such an effort much more difficult.
It got progressively worse with every SP pack installed but the original system was very well engineered.
I hope these computers are air gapped and USB ports are removed / disabled though.
That's damning with faint praise...
> It got progressively worse with every SP pack installed
Well, SP2 removed craptons of exploitable scenarios. Anything before that was a security nightmare, and that includes my beloved Windows 2000.
> I hope these computers are air gapped and USB ports are removed
That's optimistic. At some level, there will be some sort of port for servicing requirements anyway. Chances are that it will be an USB.
https://mspoweruser.com/uks-nuclear-submarines-runs-windows-...
http://www.popularmechanics.com/military/weapons/a19061/brit...
The UK's Defence Ministry later gave assurances, through questions in the UK parliament, that this is a low risk use of Microsoft Windows. However, some other suppliers have taken a different path.
The console for the new Sonar 2076 supplied by Thales Underwater Systems for the Astute class submarines, and which may be retro-fitted to other classes, are built as PCs running Linux rather than Windows.''
It will have been security validated to the extreme and to assume it is anything like the commerical version is wrong
https://ukdefencejournal.org.uk/no-our-new-aircraft-carriers...
If a mirky shot of a login screen is the only thing informing this article, it's poor journalism IMO.
The Royal Navy have a specialisd version of Windows, and I'm happy to believe they didn't spend a lot of time tarting up the login screen.
If you use a specialised, highly adapted version of an OS, why not base it on Linux? Wouldn't that be easier than paying Microsoft to be able to change the kernel of XP?
Why not something that isn't made of "swiss cheese"? With an old Linux system you have exactly the same problems as with an old Windows, probably even more.
Sticking "Linux" and "Open Source will save this" into it does not tangibly improve the situation.
(There are operating systems with a very good maintenance, stability and security track record that could be used for some of these cases, but seemingly aren't)
Well then everything is fine I guess...
Systems like this have the same "we proved it worked correctly once, do you really want to screw with it?" factor as the space shuttle. Proper functionality has been verified with those systems using XP. That goes out the window if you do a major upgrade. All the layers of security you need to implement elsewhere because the OS is fundamentally outdated and insecure is still easier than upgrading the OS. Finally, if an attacker can manipulate those systems then you've already lost. Defense in depth is important but serious defense at these levels is like a "no trespassing, police take notice" sign on the inside of your bank vault above a pile of gold bars.
I agree they probably should have been based on a unix system from the beginning but a lot of these hardware/software system passed the point of no return for the OS portion of their design a decade or more ago when XP wasn't an insane choice. The industry is slowly coming around.
edit: There are a lot of people in here who need to realize that you know very little about the hardware, performance and software requirements of the system. Just because you can write code in the trendy language of the day and use docker to cover up systemic reliability issues that would cripple a LAMP stack does not make you qualified to armchair engineer a software stack that people's lives depend on. This article should make you wonder what set of constraints resulted in them running XP. They did it for a reason. Nobody runs an OS that old without a really good reason.
It supported multiple browsers, including IE7 in as late as summer 2014, because end-users in the U.S. Navy had machines that only had IE7. Countless man-hours (and U.S. taxpayer dollars) were spent to ensure all features worked in IE7, including drag-and-drop and responsive UI.
That project was the single biggest driver for me to get the hell out of the government contracting world and into the "truly" private sector. At least at a startup I can say more or less "if it works in Chrome, it works."
I probably would have gone with Linux anyway but if you have to do a "neutral" vendor assessment Windows doesn't look that bad. You can't just put "Windows sucks" into your report.
EDIT: I wonder why this is being downvoted.
Please don't do this. It breaks the HN guidelines (https://news.ycombinator.com/newsguidelines.html) and mars your otherwise fine comment.
“The MoD can confirm that Windows XP will not be used by any onboard system when the [HMS Queen Elizabeth] becomes operational,” the spokesman added. “This also applies to HMS Prince of Wales.”
https://www.theregister.co.uk/2015/12/18/windows_for_warship...