81 comments

[ 3.3 ms ] story [ 131 ms ] thread
Microsoft had a security reputation to ruin? Ruining it would be a bad thing?
Microsoft has made a lot of headway in the security realm, and deserves some credit there.
I call bs. I'm certain there will be a large scale problem with XP. However, that won't run in the reputation of MS, but rather the company still using it.
Right? I don't get the mindset of Microsoft having to support an antiquated product line over a decade past its expiration date because a few business IT customers are incompetent at writing client software and keeping their systems up to date. It's not like all of this is coming out from nowhere.
More like companies still running XP risk security reputation. How long should MS be expected to support that OS? They've already postponed the retirement at least once to give people more time to upgrade.
As someone itching to use SNI for SSL certificates, I'm all for discontinuing a thirteen year old consumer operating system.

Anyone who hasn't updated yet isn't going to update until they get cut off from patches. Time to do so.

Even then, there's still Android 2.x, currently 1/4 of the Android population. Though it's a safe bet that WinXP will be the more tenacious of the two.
Yeah, I figure the short lifespan of mobile devices works in our favour there.
I'm not sure if being cut off from patches means a lot to people. Most XP users I know use a third-party browser and a third-party internet security suite. They're probably even happy to never see the stupid force-reboot dialog again. But the issue is that they pose a risk to everyone else too (botnet infections etc.)
Maybe they should open source XP? Of course that would probably never happen, but would be quite 'philantropic' of Sire Gates ....
That would find the hacks faster.
Not necessarily.

But it would definitely make patching and improving the thing easier.

They would get fixed quicker too...
Derrrr. The headline would be "Microsoft risks security reputation ruin by failing to retire XP" if they didn't.
How exactly? They've already kept it for 13 years. What's the argument for not continuing to fix its bugs for another 5 years, from a security point of view, and not a "Microsoft's profits" point of view? It's not about keeping selling it, but about supporting the people who already use it.
The short answer is, after 13 years, it's the customers' fault for not planning upgrades.

The longer answer is about the mismatch between PCs and mission critical enterprise computing. There is blame to spread around for that one.

Do you expect Ford to keep making parts for the Model A as well? That would be supporting people that still use it.
Well, you would be surprised what happens in the world of embedded systems and process control.

http://www.theregister.co.uk/2013/06/19/nuke_plants_to_keep_...

Is that really a good example? Had unsafe old nuke plant designs been decommissioned at the end of their design-life, we would not be dealing with Fukishima, and we might have inherently safe designs and alternative fuel cycles up and running.
You could argue the same about any old piece of software. The thing is that people working on xp cost money, they cost time. Both of those could be spent doing something that makes Microsoft money or at least advances a product that is not 3 OS releases back. This is a pretty simple choice for Microsoft's side.

Supporting people who run at 13 year old 32 bit desktop OS is a money losing proposition all the way around from Microsoft at this point, both in lost time and in lost sales of later version of windows.

The thing is that Microsoft's profits is what matters here. IT is their product.

As a developer, I actually loathe XP, simply because It's another platform I should test things on before I can consider it working. Generally, the users running it are doing so because of 2 things: lock in by a different vendor or a total lack of IT budget. Either of those things is just asking for trouble, So, when a client starts to ask about XP support I start to get worried about the bigger picture.

To put it another way, Would you want to write extra code and run extra tests to support windows 98 today? What about windows 95? 3.1?

I really don't.

"The thing is that people working on xp cost money, they cost time. Both of those could be spent doing something that makes Microsoft money or at least advances a product that is not 3 OS releases back."

True, but those people are needed to continue to support XP Embedded. So some of the work is being done...

Note: I'm not hankering after running XP, but I am realistic about the effect of the $200 per screen annual tax on mega-corp computers. That isn't going to win friends and influence decision makers lets just say.

And then another 5. And another 5 after that. For an operating system so old that any other company would have long ago discontinued it.

These businesses had a decade to plan to transition off XP. It's not like other vendors that have no planned EOL dates and don't even announce their plans. Contrast Microsoft with Apple where Snow Leopard, which is only 5 years old, is suddenly abandoned and is no longer getting security patches, but there's been no announcement.

How does 30% of 488 million = 278 million?

In any case XP is way past it's lifetime. I can only imagine how the developers must feel working on a code base that is 13 years old.

The XP OS is old, really really old. XP was annouced EOL years ago. Move on people.
488-300+300*.3
(comment deleted)
Ah that makes sense now. Had to reread it a few times to get it
I doubt people would really blame getting hit by security flaws exploits on Microsoft. Many people are already getting hit by malwares, and they couldn't tell the difference between a malware that they installed themselves and one that exploited a security flaw.
You're kidding. Microsoft has always been blamed for Windows being an insecure operating system that "gets viruses". The fact that there's a multi-billion dollar anti-virus industry for Windows, because people pay for it because they know they are vulnerable on Windows, should confirm that.
This thing is a weight on the entire technology world. Stop bitching and move on.
If it were that simple, it would have happened already.

There are still a lot of businesses that, unfortunately, depend very heavily on Windows XP for their ongoing operation. The cost associated with switching may far, far exceed any benefit it could bring.

We aren't talking about a couple of Ruby on Rails developers sitting in a cafe using MacBooks. We're talking about global organizations with tens of thousands, if not hundreds of thousands, of computers. We're talking about applications that will only run properly on Windows XP. We're talking about astronomical costs that will bring only comparatively minor gain. That's the kind of situation that does not lead to change.

Not to mention the millions of small mom and pop shops running that thing. XP's retirement isn't even on their radar.
They've had a decade to plan an implement upgrades.
It's the ratio between the costs and the benefits that matters, not how long people have had the option of moving away from Windows XP.
If you wrote applications that were heavily dependent on XP and couldn't either run on Windows 7 or easily be tweaked to run on it, this is your problem. That's bad programming. That's bad management.

To expect MS to bail out global corporations who write crappy software is crazy. If you have software in 2014 that requires Windows XP and/or IE 6, you need to look at your life and look at your choices.

There is so much bad IT management and procurement at large corporations, and that's the root cause of a lot of the XP consternation from certain companies.

There must be a nice niche finding the software that prevents people from upgrading and then providing data liberation tools or better new software.

Because that is the only rational reason to not upgrade, right?

Well let's not forget cost. Most of the world treats XP as freeware.
Or people who are poor and don't want to upgrade to a new OS or buy a computer that will support one. Or old people who have only just got used to using the XP computer that someone gave them for free as a hand-me-down (or up).
On an individual basis, it doesn't make sense for a single user to upgrade until the point that the old computer needs totally replaced. The cost of upgrading is higher then the value of the computer.

In business the cost of the applications and data is many hundreds if not thousands of times more expensive then the computer systems.

A recent example of my own is a vet clinic with a older digital x-ray machine. I asked what it would take to upgrade the machine to Windows 7. Around $50,000 was there answer. They had to replace all the hardware and software. There was no 'upgrade' path.

Yes, there's no official upgrade path.

That's where the niche is. The xray machine (I assume) still works well. "All" they need is Win 7 software to run it, and to display the xrays, and to display the existing xrays.

For xray machines the niche is too risky and expensive to exploit but there's a bunch of similar industrial equipment that could have simpler software re-writes.

There's some conjecture — well-founded, I assume — that a trove of zero-day exploit have been saved up for years in anticipation of the day Microsoft retires XP. Considering its install base in government, military and business institutions, the day that XP gets retired there will be a flood of attacks using these exploits. So we'll either face a sustained onslaught of cyberterrorism and/or cyber-counterterrorism (the NSA's interest in zero-days is well-known) or Microsoft will have to reverse its policy. Should be interesting in either case.
> So we'll either face a sustained onslaught of cyberterrorism or Microsoft will have to reverse its policy

... or the people who are still using XP could upgrade?

(Also I want a pony)

They should upgrade, you are perfectly correct.

But suppose that you are the manager of an organisation with just over 1 million PCs running XP, and those PCs are used to access hundreds of applications that are only guaranteed/certified to work with XP[1]. What do you do?

At present, you pay at least $200 for each one of those PCs. And the associated servers. Let us just say some in Whitehall do not like having to pay that kind of money for updates that Microsoft is already committed to provide for XP Embedded customers. The result[2] may be an interesting change in attitude towards Microsoft in government circles.

[1] http://www.bcs.org/content/conWebDoc/51393

[2] http://www.theguardian.com/technology/2014/jan/29/uk-governm...

That could be some pony :-)

I don't give a damn if you have 1 or 1 billion computers. I don't care what your applications require and how much you paid for them. This is not my problem or Microsofts problem any more. Did you think this was going to last forever, because if you did and you don't have a contract saying so, well good luck.

All this really sounds like is a regurgitated argument along the lines of "Regulations are so expensive, we shouldn't have to follow them" or "Minimum wage is to expensive, get rid of worker protections!"

Keeping your systems up to date is the cost of doing business. If you can't afford the cost of doing business please feel free to leave the market to others that can.

I suspect this will actually be Microsoft's problem in the future. See the second reference I posted. Attitudes are changing. The OA was talking mainly about consumers and malware. I think the biggest effect on Microsoft will be from mega-corps burned by this.

PS: I would like to see the NHS get rid of XP as soon as possible, don't worry. It is just the complexity of the job exacerbated by budgets being hammered in the last 5 years or so (exactly when a planned approach to upgrade should have been happening).

As a BSD/Linux user from the mid '90's it's nice to see the government joining the movement 15 years later. Of course no one listens when the money is good. Don't be surprised if the economy does well again these lessons will be quickly forgotten.
>But suppose that you are the manager of an organisation with just over 1 million PCs running XP, and those PCs are used to access hundreds of applications that are only guaranteed/certified to work with XP.

Then you've had years to figure out a solution to this. It's not like there haven't been 3 OS releases since then (Vista came out 7 years ago). Microsoft has offered extended (paid) support for their end of life products in the past, so this is nothing new.

(comment deleted)
Agreed it is nothing new, and agreed the situation should have been managed better. Never the less, here we are, and the need to pay £200,000,000 to Microsoft for updates that they have to provide for XP embedded anyway is going to have a negative effect shall we say. As the OA was explaining, this is all about perceptions.
I will not blame MS from moving on. If people don't want to upgrade, that's their problem. I am a little concerned, however, that so many POS systems still use XP. I just saw one yesterday at the hardware store I went to. When will they upgrade?

I don't know how much this will hurt MS with its core users. XP is largely kept alive by users in the East, not the West, and by businesses. The businesses will either pay for additional security or upgrade, and many of the users in Eastern countries don't pay for XP as it is, so what exactly is MS risking here?

MS needs to move on. There is no money in continuing to support a 13-year-old OS. You could argue that MS should make available paid support and security updates, but even OSes like Redhat aren't kept going for 13 years. I just don't get the outrage here.

> I just saw one yesterday at the hardware store I went to. When will they upgrade?

When the cost of staying is greater than the cost of moving. For many embedded scenarios, the cost of staying is generally small (just occasional maintenance) and the cost of moving is huge (probably a whole new set of hardware).

Pretty much this.

One of my clients has a set of 7 or so touchscreen POS systems at a restaurant. They are all older XP embedded machines and the software they run has no upgrade path to a newer OS. It will take somewhere around $20k to put in new computers and do the initial inventory setup.

Whether this work is done now or not, if the restaurant stays in business it must be done eventually. ISTM that embedded-MS-that-is-never-upgraded is only one possible model for this sort of system. Have your clients expressed an interest in acquiring something more maintainable?
Yes, they know very well that they have to replace the system at some point. But it doesn't make sense for them to do this at this point. They have plenty of spare parts for the system at this time. The system has a very small attack surface from outside threats. And the current system is very stable and low maintenance.

They do have a good idea of what they would go to if they needed to upgrade tomorrow. It's just currently a no sale, supporting a new system will cost more at this time then the old system.

...what they would go to if they needed to upgrade tomorrow.

Can you say if that system would be any more maintainable than the current one, especially e.g. 7-8 years after installation? Do these restaurants update e.g. prices or sales tax rates without outside help? Could they radically change their menu if they needed to do so? Are there forests of sticky notes sprouting from the sides of the machines reminding users how to make the system do what they want? How long does it take for new waitstaff to use the POS without supervision?

Is the current setup PCI-compliant, and will it still be a couple of months from now?

You seem to think their current system is hard to use or in any way broken. No, it works very well, it is easy to use, it is easy to train on, easy to change menu's and taxability. It is very extensible. Management has around a decade experience with it.
Things like POS terminals and ATMs usually use Windows XP Embedded (if they're on XP at all). XP Embedded is still under support until July 12, 2016.

However, even if these systems are, for whatever reason, running a consumer version of XP which is slated to end extended support on April 8, 2014, they are most likely not connected to the internet and therefore safe from external threats.

That's just the best case scenario anyway. As we saw with the Target breach, they obviously did not have the required network segmentation in place. Any PCI compliant company is going to have their POS terminals running on an isolated network. This is hardly a reason to justify not upgrading though.

I wouldn't worry much about POS systems, they have a very small attack surface, given their limited exposure to the Internet.
Target found that "very small attack surface" isn't the same as "secure".
From what I've read on Krebs site, I don't think Target understands what 'very small attack surface means'.
Target was hacked because they were flagrantly ignoring basic security procedures, like "making your POS systems available on the same network you use for everything else." [1]

Blaming the Target break-in on the OS security is like having unprotected sex in the back of a Buick, and blaming GM for the STD you contracted because it would've happened if the car hadn't had such a roomy backseat.

[1] http://www.computerworld.com/s/article/9246074/Target_breach...

In "Kingpin" by Kevin Poulsen [1], one of the key players made a lot of money by hacking into POS systems at "mom & pop" locations (restaurants, dry cleaners, etc).

Their surface area was "just enough" - they're online in order to run credit cards and early versions of the POS software kept the card details in local files. Once he was into their system, he had access to thousands of cards... when the cards were used fraudulently, it was very difficult to know how it'd been stolen because it was via lots of small breaches that never made the news.

Appropriately for this post... the POS software vendors eventually rushed to be compliant with new security standards (PCI?) and not store those details locally. But the store owners were reluctant to upgrade because the new software versions had an upgrade fee or, even when the upgrade was free, they'd have to pay thousands to their local consultant to actually perform the upgrade.

[1] - http://amzn.com/0307588696 ... Twitter-sized review: Pretty good book and it read like a technology novel at times. Will definitely get you re-thinking where/when your cards are used.

I totally agree with you. At some point, it is no longer Microsoft's problem. (Heck, just look at how long OS/2 held on in POS systems after being taken off the market.)
> If people don't want to upgrade, that's their problem.

But running a company is not about doing the right thing, and Microsoft is not in a good diplomatic position to force an update on people after Vista and Windows 8 have been publicity disasters. I won't blame MS whatever they do, but if I were them, I would try to fix the Windows 8 mess first before risking negative headlines.

"I don't know how much this will hurt MS with its core users"

It will hurt everyone with an Internet connection.

MS has filled the World with machines which are full of security holes and which only they can patch, and they've made a mint doing it. I would say it's their responsibility (ethically, not legally) to patch those machines until they stop being a massive threat to the stability of the Internet. I realise that this wont happen though.

The PC industry would sell a ton more computers if Microsoft solved the upgrade problem. Why do you keep a computer for 5 years? Only because it hurts too much to upgrade, and no way is this solely about the cost.

XP was able to upgrade to Vista, but nobody did.

XP could not upgrade to Windows 7, so nobody did. Microsoft advertises third-party migration tools, rather than owning this problem and building out of it. They've had years to get it right.

And yes, the cost in reality is not just an OS upgrade. It's sometimes a new machine, and also $300 for Office and peripherals without updated drivers.

But it is mostly convenience: preserving apps, preferences, and licenses is important to regular people. It also isn't that hard, because they did the work for migrating XP to 32-bit Vista.

I've been consistently amazed that my Mac has updated from version to version perfectly, even 32-to-64. Windows has been a disaster every time.

Preserve people's state, preserve their data, and they will buy your software.

Another reason for people keeping their computer & OS for five or more years is that it might have just worked for them. So there was no pressing need to upgrade.
Yes there was a pressing need to upgrade, they just didn't see it. There is a reason that competent computer support departments don't let software installs get old/stale. Eventually, that software that you depend on is going to become obsolete and you are going to wish that you had kept up with the updates.

Just because you can run your business on a DEC Vax from 1986 doesn't mean that you should!

> I've been consistently amazed that my Mac has updated from version to version perfectly, even 32-to-64. Windows has been a disaster every time.

Don't forget the whole PowerPC -> Intel thing too.

I started on Mac OS X 10.2 on a G3 iBook, made my way up to a PowerBook, then an Intel MacBook Pro follwed by another Intel MacBook Pro. There were a handful of programs that didn't get updated to support Intel along the way, but the only one that I actually miss is Quicken. I wish Apple hadn't dropped Rosetta, but I suspect that they needed to in order to force software makers to move forward. Intuit didn't, and a few other companies opted to force a paid upgrade to get a version that works on Intel.

By and large, my programs and data have survived being migrated through four computers, seven major OS versions, a major architecture change, and the move from a 32-bit OS to a 64-bit OS. That's pretty cool.

I'm still looking for a Quicken-like program that works for me, but I have a feeling I'll end up either making my own or using Excel.

"I've been consistently amazed that my Mac has updated from version to version perfectly"

If you stayed on 10.5 too long, there was no way to go to 10.8 without serious hijinx.

...the same Mac that, the year Windows XP was released, switched from OS9 to OSX, a completely different BSD/NeXTStep based operating system that eventually forced users to completely upgrade every single application they ran once they moved to Leopard about seven years ago? That one?
The company could bolster its position by revealing the percentage of PCs running XP that access Windows Update, a telemetric mark it has declined to disclose, to show how prevalent XP really is, rather than make the media and customers rely on estimates from the likes of Net Applications.

Why is this metric secret? Do Ms want to conceal this from competitors, blackhats, consumers, or some other party?

I hear the frustration and "just move on" attitude among the crowd here. But I'm in a position of supporting over 100k PCs, about 20% of which are on XP.

I place blame squarely on Microsoft here. This a problem of their making, and they are dumping customers out in the cold at a time where it is really dumb for them to do so.

First, consider the train wreck that has been Microsoft's strategy over the last decade. Many of my customers were well funded and eager to keep modern equipment out in the field. Problem is, the internet happened, and Microsoft decided at one point to stop developing IE and party like it was 1989 with client/server apps. So when Vista came around, we couldn't upgrade because IE6 wouldn't run in a supported configuration. Microsoft's bungling of 64-bit support even breaks older printers!

Then the financial crisis came around, followed by the iPad revolution. That dried up budgets (my PC replacement budget dropped 85%) and drove early adopter users to tablets.

Microsoft followed up with lots of fail: IE version weirdness, divergence from the old polices re: app compatibility, etc. We have a couple of small legacy apps written for windows 3.1.1 that work great on Windows 7, but MANY applications written for XP don't work due to a myriad of reasons. It's a real problem, and my employer has invested 3 years and millions of dollars to resolve.

And guess what? We are for the first time at a crossroads where we have choices re:end user computing. And in many cases, we're choosing non-Microsoft platforms, since we need to rewrite apps anyway. I can deliver and run an iPad for mobile users for 1/3-1/2 the cost of a laptop -- and the users LOVE them. We'll be buying thousands of iPads and galaxy tabs!

So I hope Microsoft saves a lot of money by cutting off XP. They will certainly see a lot less revenue from us in the future.

A long time ago some crazy open source guys said stuff like "Be wary of building your entire infrastructure on Microsofts solutions". You shouldn't have given them so much money back then!

The chickens have finally come home to roost it seems.

Your problems are not Microsofts fault. Your problems are that your business did not have any foresight. At the time computers were changing drastically every few years, and yet you thought you'd be able to run them and the software on them forever. You bought crappy printers with no demands that the manufactures support future operating systems on them. Your businesses problems are they gave the CEO's 50 million dollar golden parachutes and did not keep infrastructure up to date. Your businesses problems are bad software design paradigms.

It's easy to give people grief and say "I told you so" without any context.

What are the alternatives? Who would have made the call to sole-source all computers and buy Macs in 2002? Other than Munich, who is operating broad-scale Linux desktop environments?

I'm not whining about it, my organization is dealing with it just fine. But Microsoft should be handling it in a way that is less painful, because they are going to lose a lot of business. They are forgetting that 2014 isn't 2004.

It has to happen sometime, so I won't quibble about now versus two years from now or whatever. I appreciate that web developers are happy about the end of Ie8 support.

However, the various SMBs with which I'm familiar seem unlikely to replace their dusty collections of antique XP boxes with brand-new 8.1s. I predict they'll buy used win7 machines where they must for BSS compatibility, but in general will move to chromebooks and web apps. I don't know that Ms could have stopped this transition, but they may have hastened it with actions like this. Then again, how much money did they ever really make from a business running 15 XP boxes in 2014?

The article hints at a big reason for retiring XP support, but doesn't get right at it:

"After April [2014], when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP," said Tim Rains, director of Microsoft's Trustworthy Computing group. "If they succeed, attackers will have the capability to develop exploit code to take advantage of them."

Right now, the cadence of security updates to Vista/7/8/Windows Server 2003/Windows Server 2008/Windows Server 2012 is tied to how quickly those updates can be backported and tested for Windows XP, because as soon as those patches are released for any Windows operating system, attackers can use them to create exploits for those vulnerabilities and backport those exploits to XP (which they can do faster and with fewer resources than Microsoft can backport patches, because exploits have a much smaller test suite to ensure they don't break systems, ie they don't have such a test suite at all).

Continuing to support XP degrades the ability to support newer operating systems that haven't gotten an extension on their end of life, and at this point it's pretty clear that people still using XP aren't taking advantage of postponing its EOL to do anything but keep using XP. Something's got to give.

I wonder how much Apple's decision to make OS X upgrades free will put additional pressure on Microsoft. I consider OS X less enterprise ready, but Apple has made huge strides there. Apple clearly has less interest in keeping OSes updated long term (10.6 is being EOL soon), but the free upgrades solve part of that issue.

So, will companies be willing to trade Apple's lack of commitment to maintaining a version of the OS long term like MS for free upgrades? Keep in mind that OS X upgrades tend to work fairly smoothly, and some of the OS upgrade issues that Windows faces have not impacted OS X.

Add in the increasing pressure from Linux distros that work well for specific uses, and MS is in a bind with trying to sell expensive OS upgrades. I wonder if this will cause MS to move more into the hardware business, where you can make money off of the whole package.

Of course, if you really like Windows, maybe you'll need to pay for the OS more than once a decade.