Some Windows XP Users Can't Afford To Upgrade

samzenpus posted about a year ago | from the high-cost-of-upgrading dept.

Windows 953

colinneagle writes "During a recent trip to an eye doctor, I noticed that she was still using Windows XP. After I suggested that she might need to upgrade soon, she said she couldn't because she couldn't afford the $10,000 fee involved with the specialty medical software that has been upgraded for Windows 7. Software written for medical professionals is not like mass market software. They have a limited market and can't make back their money in volume because there isn't the volume for an eye doctor's database product like there is for Office or Quicken. With many expecting Microsoft's upcoming end-of-support for XP to cause a security nightmare of unsupported Windows devices in the wild, it seems a good time to ask how many users may fall into the category of wanting an upgrade, but being priced out by expensive but necessary third-party software. More importantly, can anything be done about it?"

953 comments

I'm gonna say... (5, Informative)

Anonymous Coward | about a year ago | (#43519117)

VMWare.

Helps but not a complete solution. (5, Insightful)

HaeMaker (221642) | about a year ago | (#43519141)

That helps with hardware incompatibility but not security.

Re:Helps but not a complete solution. (2, Interesting)

rbprbp (2731083) | about a year ago | (#43519199)

You can run Windows XP as a VM which is isolated from the internet through a firewall. That will probably help.

Re:Helps but not a complete solution. (4, Insightful)

DragonWriter (970822) | about a year ago | (#43519293)

You can run Windows XP as a VM which is isolated from the internet through a firewall. That will probably help.

Unless your WinXP-reliant software also needs access to the internet.

Re:Helps but not a complete solution. (4, Insightful)

CanHasDIY (1672858) | about a year ago | (#43519435)

You can run Windows XP as a VM which is isolated from the internet through a firewall. That will probably help.

Unless your WinXP-reliant software also needs access to the internet.

Considering this particular summary is in regards to medical software, I certainly hope that's not the case.

Although I can see it being an issue for other industries.

Re:Helps but not a complete solution. (5, Insightful)

Anonymous Coward | about a year ago | (#43519317)

Run it through a WHAT? Why am I running XP inside of a window? Oh no, I just deleted it. Did you break my computer? I don't care if you think you're smarter than me. I just need things to work. I have a lot of patients to see.

Re:Helps but not a complete solution. (5, Insightful)

Hylandr (813770) | about a year ago | (#43519377)

This. Pretty much sums it up. We can engineer all sorts of solutions but in the end they will be calling you to run it for them.

Don't let them try and barter services for it either, they will *own* you.

Re:I'm gonna say... (4, Insightful)

Anonymous Coward | about a year ago | (#43519161)

It's possible that the machine is actually more of an embedded system, acting as a front-end for a device whose drivers won't work in a VM.

Re:I'm gonna say... (0)

Anonymous Coward | about a year ago | (#43519419)

Er .. then why does it have to be upgraded? If it's embedded, presumably it works and requires no modification. If it does require modification or upgrade, and this isn't on the vendor, then someone made a terrible decision investing in it.

Disconnect XP from Internet (0)

VernonNemitz (581327) | about a year ago | (#43519449)

1. Disconnect XP system from Internet.
2. Buy a more-up-to-date system, for connecting to Internet.
3. Maybe buy a small local network hub. Connect both machines to it, and use carefully:
3A. Let XP machine be OFF when other machine is connected to Internet.
3B. Use "network connections" in other machine to disable connection to Internet when XP machine is on. This way the Internet machine can gather data that the other machine can access if needed, via the local network.
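
Step 3B above, automated for the newer machine, as an added example that is not part of the original comment. It assumes the newer machine has two adapters (one facing the Internet, one on the local hub); the adapter alias `Internet` and the XP machine's address `192.168.50.10` are placeholders, not values from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example: enforces step 3B on the newer (Internet-capable) machine.
# Assumptions, not from the comment: two adapters on this machine, the alias
# 'Internet' for the Internet-facing one, and a static LAN address for the XP box.
param(
    [string]$InternetAdapter = 'Internet',
    [string]$XpAddress       = '192.168.50.10',
    [int]   $IntervalSeconds = 10
)

function Test-XpPresent {
    param([string]$Address)
    # A ping reply is proof of presence. XP's firewall may drop ICMP, so the ping
    # also serves to trigger ARP resolution; the neighbor cache is checked afterwards.
    if (Test-Connection -ComputerName $Address -Count 1 -Quiet) { return $true }
    $neighbor = Get-NetNeighbor -IPAddress $Address -State Reachable, Probe, Delay `
        -ErrorAction SilentlyContinue
    return [bool]$neighbor
}

while ($true) {
    $adapter   = Get-NetAdapter -Name $InternetAdapter
    $xpPresent = Test-XpPresent -Address $XpAddress

    if ($xpPresent -and $adapter.Status -ne 'Disabled') {
        # XP machine is on the hub: cut the Internet path before anything else.
        Disable-NetAdapter -Name $InternetAdapter -Confirm:$false
        Write-Output "$(Get-Date -Format s) XP machine detected; '$InternetAdapter' disabled."
    }
    elseif (-not $xpPresent -and $adapter.Status -eq 'Disabled') {
        # XP machine is off (step 3A): the Internet connection may come back.
        Enable-NetAdapter -Name $InternetAdapter -Confirm:$false
        Write-Output "$(Get-Date -Format s) XP machine absent; '$InternetAdapter' re-enabled."
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

The polling interval leaves a short window after the XP machine boots in which both connections are live, so this backs up the manual discipline in 3A and 3B rather than replacing it.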

Re:I'm gonna say... (1, Informative)

Synerg1y (2169962) | about a year ago | (#43519289)

Windows XP mode.

XP has the best HOST file support... apk (-1, Troll)

Anonymous Coward | about a year ago | (#43519133)

A corrupt slashdot luser has penetrated the moderation system to downmod all my posts while impersonating me.

Nearly 230++ times that I know of @ this point for all of March/April 2013 so far, & others here have told you to stop - take the hint, lunatic (leave slashdot)...

Sorry folks - but whoever the nutjob is that's attempting to impersonate me, & upset the rest of you as well, has SERIOUS mental issues, no questions asked! I must've gotten the better of him + seriously "gotten his goat" in doing so in a technical debate & his "geek angst" @ losing to me has him doing the:

---

A.) $10,000 challenges, ala (where the imposter actually TRACKED + LISTED the # of times he's done this no less, & where I get the 230 or so times I noted above) -> http://it.slashdot.org/comments.pl?sid=3585795&cid=43285307 [slashdot.org]

&/or

B.) Reposting OLD + possibly altered models - (this I haven't checked on as to altering the veracity of the info. being changed) of posts of mine from the past here

---

(Albeit massively repeatedly thru all threads on /. this March/April 2013 nearly in its entirety thus far).

* Personally, I'm surprised the moderation staff here hasn't just "blocked out" his network range yet honestly!

(They know it's NOT the same as my own as well, especially after THIS post of mine, which they CAN see the IP range I am coming out of to compare with the ac spamming troll doing the above...).

APK

P.S.=> Again/Stressing it: NO guys - it is NOT me doing it, as I wouldn't waste that much time on such trivial b.s. like a kid might...

Plus, I only post where hosts file usage is on topic or appropriate for a solution & certainly NOT IN EVERY POST ON SLASHDOT (like the nutcase trying to "impersonate me" is doing for nearly all of March/April now, & 230++ times that I know of @ least)... apk

P.S.=> here is CORRECT host file information just to piss off the insane lunatic troll:

--

21++ ADVANTAGES OF CUSTOM HOSTS FILES (how/what/when/where/why):

Over AdBlock & DNS Servers ALONE 4 Security, Speed, Reliability, & Anonymity (to an extent vs. DNSBL's + DNS request logs).

1.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program). A truly "multi-platform" UNIVERSAL solution for added speed, security, reliability, & even anonymity to an extent (vs. DNS request logs + DNSBL's you feel are unjust hosts get you past/around).

2.) Adblock blocks ads? Well, not anymore & certainly not as well by default, apparently, lol - see below:

Adblock Plus To Offer 'Acceptable Ads' Option

http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option [slashdot.org] )

AND, in only browsers & their subprogram families (ala email like Thunderbird for FireFox/Mozilla products (use same gecko & xulrunner engines)), but not all, or, all independent email clients, like Outlook, Outlook Express, OR Window "LIVE" mail (for example(s)) - there's many more like EUDORA & others I've used over time that AdBlock just DOES NOT COVER... period.

Disclaimer: Opera now also has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc..

3.) Adblock doesn't protect email programs external to FF (non-mozilla/gecko engine based) family based wares, So AdBlock doesn't protect email programs like Outlook, Outlook Express, Windows "LIVE" mail & others like them (EUDORA etc./et al), Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).

5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, OR make you reach them faster since you resolve host-domain names LOCALLY w/ hosts out of cached memory, hosts do ALL of those things (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html [networkworld.com] for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions (in-addr.arpa) via NSLOOKUP, PINGS (ping -a in Windows), &/or WHOIS though, regularly, so you have the correct IP & it's current)).

* NOW - Some folks MAY think that putting an IP address alone into your browser's address bar will be enough, so why bother with HOSTS, right? WRONG - Putting IP address in your browser won't always work IS WHY. Some IP addresses host several domains & need the site name to give you the right page you're after is why. So for some sites only the HOSTS file option will work!

6.) Hosts files don't eat up CPU cycles (or ELECTRICITY) like AdBlock does while it parses a webpages' content, nor as much as a DNS server does while it runs. HOSTS file are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can since hosts files run in MORE EFFICIENT & FASTER Ring 0/RPL 0/Kernelmode operations acting merely as a filter for the IP stack (via the "Plug-N-Play" designed IP stack in Windows) vs. SLOWER & LESS EFFICIENT Ring 3/RPL 3/Usermode operations (which webbrowsers run in + their addons like AdBlock slow down even MORESO due to their parsing operations).

7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than remote DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server, typically 30-100's of ms, vs. 7-10ms HardDisk speed of access/seek + SSD seek in ns, & back to you - hosts resolutions of IP address for host-domain names is FAR faster...). Hosts are only a filter for an already fast & efficient IP stack, no more layered b.s. (remote OR local). Hosts eat less CPU, RAM, I/O in other forms, + electricity than a locally running DNS server easily, and less than a local DNS program on a single PC. Fact. Hosts are easier to setup & maintain too.

8.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
  http://someonewhocares.org/hosts/ [someonewhocares.org]
  http://hostsfile.org/hosts.html [hostsfile.org]
  http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
  http://hosts-file.net/?s=Download [hosts-file.net]
  https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]
  https://spyeyetracker.abuse.ch/monitor.php [abuse.ch]
  http://ddanchev.blogspot.com/ [blogspot.com]
  http://www.malware.com.br/lists.shtml [malware.com.br]
  http://www.stopbadware.org/ [stopbadware.org]
Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

And yes: Even SLASHDOT &/or The Register help!

(Via articles on security (when the source articles they use are "detailed" that is, & list the servers/sites involved in attempting to bushwhack others online that is... not ALL do!)).

2 examples thereof in the past I have used, & noted it there, are/were:

http://it.slashdot.org/comments.pl?sid=1898692&cid=34473398 [slashdot.org]
  http://it.slashdot.org/comments.pl?sid=1896216&cid=34458500 [slashdot.org]

9.) AdBlock & DNS servers are programs, and subject to bugs programs can get. Hosts files are merely a filter and not a program, thus not subject to bugs of the nature just discussed.

10.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

11.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

12.) With Adblock you had better be able to code javascript to play with its code (to customize it better than the GUI front does @ least). With hosts you don't even need source to control it (edit, update, delete, insert of new entries via a text editor).

13.) Hosts files are easily secured via using MAC/ACL (even moreso "automagically" for Vista, 7/Server 2008 + beyond by UAC by default) &/or Read-Only attributes applied.

14.) Custom HOSTS files also speed you up, unlike anonymous proxy servers systems variations (like TOR, or other "highly anonymous" proxy server list servers typically do, in the severe speed hit they often have a cost in) either via "hardcoding" your fav. sites into your hosts file (avoids DNS servers, totally) OR blocking out adbanners - see this below for evidence of that:

---

US Military Blocks Websites To Free Up Bandwidth:

http://yro.slashdot.org/story/11/03/16/0416238/US-Military-Blocks-Websites-To-Free-Up-Bandwidth [slashdot.org]

(Yes, even the US Military used this type of technique... because IT WORKS! Most of what they blocked? Ad banners ala doubleclick etc.)

---

Adbanners slow you down & consume your bandwidth YOU pay for:

ADBANNERS SLOW DOWN THE WEB: -> http://tech.slashdot.org/article.pl?sid=09/11/30/166218 [slashdot.org]

---

And people do NOT LIKE ads on the web:

PEOPLE DISLIKE ADBANNERS: http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

As well as this:

Users Know Advertisers Watch Them, and Hate It:

http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

Even WORSE still, is this:

Advertising Network Caught History Stealing:

http://yro.slashdot.org/story/11/07/22/156225/Advertising-Network-Caught-History-Stealing [slashdot.org]

---

15.) HOSTS files usage lets you avoid being charged on some ISP/BSP's (OR phone providers) "pay as you use" policy http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] , because you are using less bandwidth (& go faster doing so no less) by NOT hauling in adbanner content and processing it (which can lead to infestation by malware/malicious script, in & of itself -> http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com] ).

16.) If/when ISP/BSP's decide to go to -> FCC Approving Pay-As-You-Go Internet Plans: http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] your internet bill will go DOWN if you use a HOSTS file for blocking adbanners as well as maliciously scripted hacker/cracker malware maker sites too (after all - it's your money & time online downloading adbanner content & processing it)

Plus, your adbanner content? Well, it may also be hijacked with malicious code too mind you:

---

Yahoo, Microsoft's Bing display toxic ads:

http://www.theregister.co.uk/2011/09/16/bing_yahoo_malware_ads/ [theregister.co.uk]

---

Malware torrent delivered over Google, Yahoo! ad services:

http://www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/ [theregister.co.uk]

---

Google's DoubleClick spreads malicious ads (again):

http://www.theregister.co.uk/2009/02/24/doubleclick_distributes_malware/ [theregister.co.uk]

---

Rogue ads infiltrate Expedia and Rhapsody:

http://www.theregister.co.uk/2008/01/30/excite_and_rhapsody_rogue_ads/ [theregister.co.uk]

---

Google sponsored links caught punting malware:

http://www.theregister.co.uk/2008/12/16/google_sponsored_links/ [theregister.co.uk]

---

DoubleClick caught supplying malware-tainted ads:

http://www.theregister.co.uk/2007/11/13/doubleclick_distributes_malware/ [theregister.co.uk]

---

Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users:

http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/ [theregister.co.uk]

---

Real Media attacks real people via RealPlayer:

http://www.theregister.co.uk/2007/10/23/real_media_serves_malware/ [theregister.co.uk]

---

Ad networks owned by Google, Microsoft serve malware:

http://www.theregister.co.uk/2010/12/13/doubleclick_msn_malware_attacks/ [theregister.co.uk]

---

Attacks Targeting Classified Ad Sites Surge:

http://it.slashdot.org/story/11/02/02/1433210/Attacks-Targeting-Classified-Ad-Sites-Surge [slashdot.org]

---

Hackers Respond To Help Wanted Ads With Malware:

http://it.slashdot.org/story/11/01/20/0228258/Hackers-Respond-To-Help-Wanted-Ads-With-Malware [slashdot.org]

---

Hackers Use Banner Ads on Major Sites to Hijack Your PC:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick [wired.com]

---

Ruskie gang hijacks Microsoft network to push penis pills:

http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ [theregister.co.uk]

---

Major ISPs Injecting Ads, Vulnerabilities Into Web:

http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

Two Major Ad Networks Found Serving Malware:

http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware [slashdot.org]

---

THE NEXT AD YOU CLICK MAY BE A VIRUS:

http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus [slashdot.org]

---

NY TIMES INFECTED WITH MALWARE ADBANNER:

http://news.slashdot.org/article.pl?sid=09/09/13/2346229 [slashdot.org]

---

MICROSOFT HIT BY MALWARES IN ADBANNERS:

http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com]

---

ISP's INJECTING ADS AND ERRORS INTO THE WEB: -> http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

ADOBE FLASH ADS INJECTING MALWARE INTO THE NET: http://it.slashdot.org/article.pl?sid=08/08/20/0029220&from=rss [slashdot.org]

---

London Stock Exchange Web Site Serving Malware:

http://www.securityweek.com/london-stock-exchange-web-site-serving-malware [securityweek.com]

---

Spotify splattered with malware-tainted ads:

http://www.theregister.co.uk/2011/03/25/spotify_malvertisement_attack/ [theregister.co.uk]

---

As my list "multiple evidences thereof" as to adbanners & viruses + the fact they slow you down & cost you more (from reputable & reliable sources no less)).

17.) Per point #16, a way to save some money: ANDROID phones can also use the HOSTS FILE TO KEEP DOWN BILLABLE TIME ONLINE, vs. adbanners or malware such as this:

---

Infected Androids Run Up Big Texting Bills:

http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills [slashdot.org]

---

AND, for protection vs. other "botnets" migrating from the PC world, to "smartphones" such as ZITMO (a ZEUS botnet variant):

http://www.google.com/search?hl=en&source=hp&q=ZITMO&btnG=Google+Search [google.com]

---

It's easily done too, via the ADB dev. tool, & mounting ANDROID OS' system mountpoint for system/etc as READ + WRITE/ADMIN-ROOT PERMISSIONS, then copying your new custom HOSTS over the old one using ADB PULL/ADB PUSH to do so (otherwise ANDROID complains of "this file cannot be overwritten on production models of this Operating System", or something very along those lines - this way gets you around that annoyance along with you possibly having to clear some space there yourself if you packed it with things!).

18.) Bad news: ADBLOCK CAN BE DETECTED FOR: See here on that note -> http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

HOSTS files are NOT THAT EASILY "webbug" BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked on AdBlock in that manner), to that websites' users' dismay:

PERTINENT QUOTE/EXCERPT FROM ARSTECHNICA THEMSELVES:

----

An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM

http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."

and

"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"

Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!

----

19.) Even WIKILEAKS "favors" blacklists (because they work, and HOSTS can be a blacklist vs. known BAD sites/servers/domain-host names):

---

PERTINENT QUOTE/EXCERPT (from -> http://www.theregister.co.uk/2010/12/16/wikileaks_mirror_malware_warning_row/ [theregister.co.uk] )

"we are in favour of 'Blacklists', be it for mail servers or websites, they have to be compiled with care... Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser)...

---

20.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own (such as has been seen with the RBN (Russian Business Network) lately though it was considered "dead", other malwares are using its domains/hostnames now, & this? This stops that cold, too - Bonus!)...

21.) Custom HOSTS files gain users back more "screen real estate" by blocking out banner ads... it's great on PC's for speed along with MORE of what I want to see/read (not ads), & efficiency too, but EVEN BETTER ON SMARTPHONES - by far. It matters MOST there imo @ least, in regards to extra screen real-estate.

Still - It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock ( http://adblockplus.org/en/ [adblockplus.org] ), IE 9's new TPL's ( http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/ [microsoft.com] ), &/or NoScript ( http://noscript.net/ [noscript.net] especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security"....

It's just that HOSTS files offer you a LOT MORE gains than Adblock ( http://adblockplus.org/en/ [adblockplus.org] ) does alone (as hosts do things adblock just plain cannot & on more programs, for more speed, security, and "stealth" to a degree even), and it corrects problems in DNS (as shown above via hardcodes of your favorite sites into your HOSTS file, and more (such as avoiding DNS request logs)).

ALSO - Some more notes on DNS servers & their problems, very recent + ongoing ones:

---

DNS flaw reanimates slain evil sites as ghost domains:

http://www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/ [theregister.co.uk]

---

BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

---

SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:

http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)

---

DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):

http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/ [scmagazineus.com]

(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)

---

Moxie Marlinspike's found others (0 hack) as well...

Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...

(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even NORTON DNS (more on each specifically below), & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)

---

DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit:

https://threatpost.com/en_us/blogs/dns-hijacks-now-being-used-serve-black-hole-exploit-kit-121211 [threatpost.com]

---

DNS experts admit some of the underlying foundations of the DNS protocol are inherently weak:

http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool [slashdot.org]

---

Potential 0-Day Vulnerability For BIND 9:

http://it.slashdot.org/story/11/11/17/1429259/potential-0-day-vulnerability-for-bind-9 [slashdot.org]

---

Five DNS Threats You Should Protect Against:

http://www.securityweek.com/five-dns-threats-you-should-protect-against [securityweek.com]

---

DNS provider decked by DDoS dastards:

http://www.theregister.co.uk/2010/11/16/ddos_on_dns_firm/ [theregister.co.uk]

---

Ten Percent of DNS Servers Still Vulnerable: (so much for "conscientious patching", eh? Many DNS providers weren't patching when they had to!)

http://it.slashdot.org/it/05/08/04/1525235.shtml?tid=172&tid=95&tid=218 [slashdot.org]

---

DNS ROOT SERVERS ATTACKED:

http://it.slashdot.org/it/07/02/06/2238225.shtml [slashdot.org]

---

TimeWarner DNS Hijacking:

http://tech.slashdot.org/article.pl?sid=07/07/23/2140208 [slashdot.org]

---

DNS Re-Binding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Server Survey Reveals Mixed Security Picture:

http://it.slashdot.org/it/07/11/21/0315239.shtml [slashdot.org]

---

Halvar figured out super-secret DNS vulnerability:

http://www.zdnet.com/blog/security/has-halvar-figured-out-super-secret-dns-vulnerability/1520 [zdnet.com]

---

BIND Still Susceptible To DNS Cache Poisoning:

http://tech.slashdot.org/tech/08/08/09/123222.shtml [slashdot.org]

---

DNS Poisoning Hits One of China's Biggest ISPs:

http://it.slashdot.org/it/08/08/21/2343250.shtml [slashdot.org]

---

DDoS Attacks Via DNS Recursion:

http://it.slashdot.org/it/06/03/16/1658209.shtml [slashdot.org]

---

High Severity BIND DNS Vulnerability Advisory Issued:

http://tech.slashdot.org/story/11/02/23/156212/High-Severity-BIND-Vulnerability-Advisory-Issued [slashdot.org]

---

Photobucket's DNS records hijacked:

http://blogs.zdnet.com/security/?p=1285 [zdnet.com]

---

Protecting Browsers from DNS Rebinding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Problem Linked To DDoS Attacks Gets Worse:

http://tech.slashdot.org/story/09/11/15/1238210/DNS-Problem-Linked-To-DDoS-Attacks-Gets-Worse [slashdot.org]

---

HOWEVER - Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:

Norton DNS -> http://nortondns.com/ [nortondns.com]
  ScrubIT DNS -> http://www.scrubit.com/ [scrubit.com]
  OpenDNS -> http://www.opendns.com/ [opendns.com]

(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> http://safeweb.norton.com/buzz [norton.com] so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)

HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")

HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!

(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)

ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!

( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...

---

20++ SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:

---

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

"I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster." - by gl4ss (559668) on Thursday November 17, @11:20AM (#38086752) Homepage Journal

"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] " - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

"^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

"They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

"I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050) Homepage Journal

"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

"APK's monolithic hosts file is looking pretty good at the moment." - by Culture20 (968837) on Thursday November 17, @10:08AM (#38085666)

"I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

"I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

"I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012) Homepage

"It's a good write up on something everybody should use, why you were modded down is beyond me. Using a HOSTS file, ADblock is of no concern and they can do what they want." - by Trax3001BBS (2368736) on Monday December 12, @10:07PM (#38351398) Homepage Journal

"I want my surfing speed back so I block EVERY fucking ad. i.e. http://someonewhocares.org/hosts/ [someonewhocares.org] and http://winhelp2002.mvps.org/hosts.htm [mvps.org] FTW" - by UnknownSoldier (67820) on Tuesday December 13, @12:04PM (#38356782)

"Let me introduce you to the file: /etc/hosts" - by fahrbot-bot (874524) on Monday December 19, @05:03PM (#38427432)

"I use a hosts file" - by EdIII (1114411) on Tuesday December 13, @01:17PM (#38357816)

"I'm tempted to go for a hacked hosts file that simply resolves most advert sites to 127.0.0.1" - by bLanark (123342) on Tuesday December 13, @01:13PM (#38357760)

"this is not a troll, which hosts file source you recommend nowadays? it's a really handy method for speeding up web and it works." - by gl4ss (559668) on Thursday March 22, @08:07PM (#39446525) Homepage Journal

"A hosts file certainly does not require "a lot of work" to maintain, and it quite effectively kills a LOT of advertising and tracking schemes. In fact, I never would have considered trying to use it for defending against viruses or malware." - by RocketRabbit (830691) on Thursday December 30 2010, @05:48PM (#34715060)

---

Then, there are also the words of respected security expert, Mr. Oliver Day, from SECURITYFOCUS.COM to "top that all off" as well:

A RETURN TO THE KILLFILE:

http://www.securityfocus.com/columnists/491 [securityfocus.com]

Some "PERTINENT QUOTES/EXCERPTS" to back up my points with (for starters):

---

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."

Speed, and security, is the gain... others like Mr. Day note it as well!

---

"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

Per my points exactly, no less... & guess who was posting about HOSTS files a 14++ yrs. or more back & Mr. Day was reading & now using? Yours truly (& this is one of the later ones, from 2001 http://www.furtherleft.net/computer.htm [furtherleft.net] (but the example HOSTS file with my initials in it is FAR older, circa 1998 or so) or thereabouts, and referred to later by a pal of mine who moderates NTCompatible.com (where I posted on HOSTS for YEARS (1997 onwards)) -> http://www.ntcompatible.com/thread28597-1.html [ntcompatible.com] !

---

"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."

There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non DNSSEC type, & set into recursive mode especially) and also in the TOR system as well (that lends itself to anonymous proxy usage weaknesses I noted above also) and, you'll get to sites you want to, even IF a DNS registrar drops said websites from its tables as shown here Beating Censorship By Routing Around DNS -> http://yro.slashdot.org/story/10/12/09/1840246/Beating-Censorship-By-Routing-Around-DNS [slashdot.org] & even DNSBL also (DNS Block Lists) -> http://en.wikipedia.org/wiki/DNSBL [wikipedia.org] as well - DOUBLE-BONUS!

---

* POSTS ABOUT HOSTS FILES I DID on "/." THAT HAVE DONE WELL BY OTHERS & WERE RATED HIGHLY, 26++ THUSFAR (from +3 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

BANNER ADS & BANDWIDTH:2011 -> http://hardware.slashdot.org/comments.pl?sid=2139088&cid=36077722 [slashdot.org]
  HOSTS MOD UP:2010 -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1490078&cid=30555632 [slashdot.org]
  HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1869638&cid=34237268 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1461288&threshold=-1&commentsort=0&mode=thread&cid=30272074 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1255487&cid=28197285 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]
  HOSTS MOD UP:2010 -> http://apple.slashdot.org/comments.pl?sid=1725068&cid=32960808 [slashdot.org]
  HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274 [slashdot.org]
  APK 20++ POINTS ON HOSTS MOD UP:2010 -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]
  HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1862260&cid=34186256 [slashdot.org]
  HOSTS MOD UP:2010 (w/ facebook known bad sites blocked) -> http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128 [slashdot.org]
  HOSTS FILE MOD UP FOR ANDROID MALWARE:2010 -> http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]
  HOSTS MOD UP ZEUSTRACKER:2011 -> http://it.slashdot.org/comments.pl?sid=2059420&cid=35654066 [slashdot.org]
  HOSTS MOD UP vs AT&T BANDWIDTH CAP:2011 -> http://tech.slashdot.org/comments.pl?sid=2116504&cid=35985584 [slashdot.org]
  HOSTS MOD UP CAN DO SAME AS THE "CloudFlare" Server-Side service:2011 -> http://it.slashdot.org/comments.pl?sid=2220314&cid=36372850 [slashdot.org]
  HOSTS and BGP +5 RATED (BEING HONEST):2010 http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]
  HOSTS & PROTECT IP ACT:2011 http://yro.slashdot.org/comments.pl?sid=2368832&cid=37021700 [slashdot.org]
  HOSTS MOD UP:2011 -> http://yro.slashdot.org/comments.pl?sid=2457766&cid=37592458 [slashdot.org]
  HOSTS MOD UP & OPERA HAUTE SECURE:2011 -> http://yro.slashdot.org/comments.pl?sid=2457274&cid=37589596 [slashdot.org]
  0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1197039&cid=27556999 [slashdot.org]
  0.0.0.0 IN HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1143349&cid=27012231 [slashdot.org]
  0.0.0.0 in HOSTS:2009 -> http://it.slashdot.org/comments.pl?sid=1198841&cid=27580299 [slashdot.org]
  0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1139705&cid=26977225 [slashdot.org]
  HOSTS MOD UP:2009 -> http://hardware.slashdot.org/comments.pl?sid=1319261&cid=28872833 [slashdot.org] (still says INSIGHTFUL)
  HOSTS MOD UP vs. botnet: 2012 -> http://it.slashdot.org/comments.pl?sid=2603836&cid=38586216 [slashdot.org]

---

Windows 7, VISTA, & Server 2008 have a couple of "issues" I don't like in them, & you may not either, depending on your point of view (mine's based solely on efficiency & security), & if my take on these issues isn't "good enough"? I suggest reading what ROOTKIT.COM says, link URL is in my "p.s." @ the bottom of this post:

1.) HOSTS files being unable to use "0" for a blocking IP address - this started in 12/09/2008 after an "MS Patch Tuesday" in fact for VISTA (when it had NO problem using it before that, as Windows 2000/XP/Server 2003 still can)... & yes, this continues in its descendants, Windows Server 2008 &/or Windows 7 as well.

So, why is this a "problem" you might ask?

Ok - since you can technically use either:

a.) 127.0.0.1 (the "loopback adapter address")
b.) 0.0.0.0 (next smallest & next most efficient)
c.) The smallest & fastest plain-jane 0

PER EACH HOSTS FILE ENTRY/RECORD...

You can use ANY of those, in order to block out known bad sites &/or adbanners in a HOSTS file this way??

Microsoft has "promoted bloat" in doing so... no questions asked.

Simply because

1.) 127.0.0.1 = 9 bytes in size on disk & is the largest/slowest
2.) 0.0.0.0 = 7 bytes & is the next largest/slowest in size on disk
3.) 0 = 1 byte

(& HOSTS files extend across EVERY webbrowser, email program, or in general every webbound program you use & thus HOSTS are "global" in coverage this way AND function on any OS that uses the BSD derived IP stack (which most all do mind you, even MS is based off of it, as BSD's IS truly, "the best in the business"), & when coupled with say, IE restricted zones, FireFox addons like NoScript &/or AdBlock, or Opera filter.ini/urlfilter.ini, for layered security in this capacity for webbrowsers & SOME email programs (here, I mean ones "built into" browsers themselves like Opera has for example))

MS has literally promoted bloat in this file, making it load slower from disk, into memory! This compounds itself, the more entries your HOSTS file contains... & for instance? Mine currently contains nearly 654,000 entries of known bad adbanners, bad websites, &/or bad nameservers (used for controlling botnets, misdirecting net requests, etc. et al).

Now, IF I were to use 127.0.0.1? My "huge" HOSTS file would be approximately 27mb in size... using 0.0.0.0 (next smallest) it would be 19mb in size - HOWEVER? Using 0 as my blocking IP, it is only 14mb in size. See my point?

(For loads either in the local DNS cache, or system diskcache if you run w/out the local DNS client service running, this gets slower the larger each HOSTS file entry is (which you have to stall the DNS client service in Windows for larger ones, especially if you use a "giant HOSTS file" (purely relative term, but once it goes over (iirc) 4mb in size, you have to cut the local DNS cache client service)))

NO questions asked - the physics of it backed me up in theory alone, but when I was questioned on it for PROOF thereof?

I wrote a small test program to load such a list into a "pascal record" (which is analogous to a C/C++ structure), which is EXACTLY what the DNS client/DNS API does as well, using a C/C++ structure (basically an array of sorts really, & a structure/record is a precursor part to a full-blown CLASS or OBJECT, minus the functions built in, this is for treating numerous variables as a SINGLE VARIABLE (for efficiency, which FORTRAN as a single example, lacks as a feature, @ least Fortran 77 did, but other languages do not))!

I even wrote another that just loaded my HOSTS file's entirety into a listbox, same results... slowest using 127.0.0.1, next slowest using 0.0.0.0, & fastest using 0.

And, sure: Some MORE "goes on" during DNS API loads (iirc, removal of duplicated entries (which I made sure my personal copy does not have these via a program I wrote to purge it of duplicated entries + to sort each entry alphabetically for easier mgt. via say, notepad.exe) & a conversion from decimal values to hex ones), but, nevertheless? My point here "holds true", of slower value loads, record-by-record, from a HOSTS file, when the entries become larger.

So, to "prove my point" to my naysayers?

I timed it using the Win32 API calls "GetTickCount" & then again, using the API calls of "QueryPerformanceCounter" as well, seeing the SAME results (a slowdown when reading in this file from disk, especially when using the larger 127.0.0.1 or 0.0.0.0 line item entries in a HOSTS file, vs. the smaller/faster/more efficient 0).

In my test, I saw a decline in speed/efficiency in my test doing so by using larger blocking addresses (127.0.0.1 &/or 0.0.0.0, vs. the smallest/fastest in 0)... proving me correct on this note!

On this HOSTS issue, and the WFP design issue in my next post below?

I also then questioned MS' own staff, even their VP of development (S. Sinofsky) on this here -> http://blogs.msdn.com/e7/archive/2009/02/09/recognizing-improvements-in-windows-7-handwriting.aspx?CommentPosted=true#commentmessage [msdn.com] & other places in their blogs, to get them to tell me WHY this seemingly intentional inefficiency was implemented... & I have YET to get a solid LOGICAL answer on this as to why it was done - THUS, @ this point?

I am convinced they (MS) do NOT have a good reason for doing this... because of their lack of response there on this note. Unless it has something to do with IPv6 (most folks use IPv4 still), I cannot understand WHY this design mistake imo, has occurred, in HOSTS files...

AND

2.) The "Windows Filtering Platform", which is now how the firewall works in VISTA, Server 2008, & Windows 7...

Sure it works in this new single point method & it is simple to manage & "sync" all points of it, making it easier for network techs/admins to manage than the older 3 part method, but that very thing works against it as well, because it is only a single part system now!

Thus, however?

This "single layer design" in WFP, now represents a SINGLE POINT OF FAILURE/ATTACK for malware makers to 'take down'!

(Which is 1 of the 1st things a malware attempts to do, is to take down any software firewalls present, or even the "Windows Security Center" itself which should warn you of the firewall "going down", & it's fairly easy to do either by messaging the services they use, or messing up their registry init. settings)

VS. the older (up to) 3 part method used in Windows 2000/XP/Server 2003, for protecting a system via IP Filtering, the Windows native Firewall, &/or IPSEC. Each of which uses diff. drivers, & layers of the IP stack to function from, as well as registry initialization settings.

Think of the older 3 part design much the same as the reason why folks use door handle locks, deadbolt locks, & chain locks on their doors... multipart layered security.

(Each of which the latter older method used, had 3 separate drivers & registry settings to do their jobs, representing a "phalanx like"/"zone defense like" system of backup of one another (like you see in sports OR ancient wars, and trust me, it WORKS, because on either side of yourself, you have "backup", even if YOU "go down" vs. the opponent)).

I.E.-> Take 1 of the "older method's" 3 part defenses down? 2 others STILL stand in the way, & they are not that simple to take them ALL down...

(Well, @ least NOT as easily as "taking out" a single part defensive system like WFP (the new "Windows Filtering Platform", which powers the VISTA, Windows Server 2008, & yes, Windows 7 firewall defense system)).

On this "single-part/single-point of attack" WFP (vs. Windows 2000/XP/Server 2003's IP stack defense design in 3-part/zone defense/phalanx type arrangement) as well as the HOSTS issue in my post above?

I also then questioned MS' own staff, even their VP of development (S. Sinofsky) on this here -> http://blogs.msdn.com/e7/archive/2009/02/09/recognizing-improvements-in-windows-7-handwriting.aspx?CommentPosted=true#commentmessage [msdn.com] & other places in their blogs, to get them to tell me WHY this seemingly intentional inefficiency was implemented... & I have YET to get a solid LOGICAL answer on this as to why it was done - THUS, @ this point?

I'll stick to my thoughts on it, until I am shown otherwise & proven wrong.

----

Following up on what I wrote up above, so those here reading have actual technical references from Microsoft themselves ("The horses' mouth"), in regards to the Firewall/PortFilter/IPSec designs (not HOSTS files, that I am SURE I am correct about, no questions asked) from my "Point #2" above?

Thus, I'll now note how:

----

1.) TCP/IP packet processing paths differences in how Windows 2000/XP/Server 2003 did it (IPSEC.SYS (IP Security Policies), IPNAT.SYS (Windows Firewall), IPFLTDRV.SYS (Port Filtering), & TCPIP.SYS (base IP driver))...

2.) AND, how VISTA/Server 2008/Windows 7 do it now currently, using a SINGLE layer (WFP)...

----

First off, here is HOW it worked in Windows 2000/XP/Server 2003 - using 3 discrete & different drivers AND LEVELS/LAYERS of the packet processing path they worked in:

http://technet.microsoft.com/en-us/library/bb878072.aspx [microsoft.com]

The Cable Guy - June 2005: TCP/IP Packet Processing Paths

====

The following components process IP packets:

IP forwarding: Determines the next-hop interface and address for packets being sent or forwarded.

TCP/IP filtering: Allows you to specify by IP protocol, TCP port, or UDP port, the types of traffic that are acceptable for incoming local host traffic (packets destined for the host). You can configure TCP/IP filtering on the Options tab from the advanced properties of the Internet Protocol (TCP/IP) component in the Network Connections folder.

* "Here endeth the lesson..." and, if you REALLY want to secure your system? Please refer to this:

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

APK [mailto]

P.S.=> SOME MINOR "CAVEATS/CATCH-22's" - things to be aware of for "layered security" + HOSTS file performance - easily overcome, or not a problem at all:

A.) HOSTS files don't function under PROXY SERVERS (except for Proxomitron, which has a filter that allows it) - Which is *the "WHY"* of why I state in my "P.S." section below to use both AdBlock type browser addon methods (or even built-in block lists browsers have such as Opera's URLFILTER.INI file, & FireFox has such a list as does IE also in the form of TPL (tracking protection lists -> http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/ [microsoft.com] , good stuff )) in combination with HOSTS, for the best in "layered security" (alongside .pac files + custom cascading style sheets that can filter off various tags such as scripts or ads etc.) - but proxies, especially "HIGHLY ANONYMOUS" types, generally slow you down to a CRAWL online (& personally, I cannot see using proxies "for the good" typically - as they allow "truly anonymous posting" & have bugs (such as TOR has been shown to have & be "bypassable/traceable" via its "onion routing" methods)).

B.) HOSTS files do NOT protect you vs. javascript (this only holds true IF you don't already have a bad site blocked out in your HOSTS file though, & the list of sites where you can obtain such lists to add to your HOSTS are above (& updated daily in many of them)).

C.) HOSTS files (relatively "largish ones") require you to turn off Windows' native "DNS local client cache service" (which has a problem in that it's designed with a non-redimensionable/resizeable list, array, or queue (DNS data loads into a C/C++ structure actually/afaik, which IS a form of array)) - mvps.org covers that in detail and how to easily do this in Windows (this is NOT a problem in Linux, & it's 1 thing I will give Linux over Windows, hands-down). Relatively "smallish" HOSTS files don't have this problem (mvps.org offers 2 types for this).

D.) HOSTS files, once read/loaded, once? GET CACHED! Right into the kernelmode diskcaching subsystem (fast & efficient RAM speed), for speed of access/re-access (@ system startup in older MS OS' like 2000, or, upon a users' 1st request that's "Webbound" via say, a webbrowser) gets read into either the DNS local caching client service (noted above), OR, if that's turned off? Into your local diskcac
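An added example, not code from the post above or from any poster in this thread: it parses hosts-format text, drops comments and duplicate names, sorts the blocked names, and measures the file size for each of the three blocking addresses the post compares. The sample entries, the function names and the `PRESERVE` list are this example's own assumptions.

```python
"""Added example: normalise a blocklist-style hosts file and compare its
size on disk for each blocking address. All sample data is constructed."""

# The three blocking addresses compared in the post above. Whether a given
# resolver accepts the bare "0" is the post's claim and is not checked here.
BLOCK_ADDRESSES = ("127.0.0.1", "0.0.0.0", "0")

# Addresses treated as "blocked" when met in an existing file (assumption).
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "0", "::1", "::"}

# Names that must keep their real mapping and never become block entries.
PRESERVE = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample input: duplicates, mixed case, comments, a multi-name
# line and one real (non-blocking) mapping.
SAMPLE = """\
# constructed sample, not a real blocklist
127.0.0.1 localhost
127.0.0.1 ads.example.com   # banner host
0.0.0.0 tracker.example.net
0 ads.example.com
127.0.0.1 ADS.EXAMPLE.COM
0.0.0.0 metrics.example.org cdn-ads.example.org
192.0.2.10 intranet.example.test
"""


def parse_hosts(text):
    """Return (blocked, others).

    blocked: set of lower-cased hostnames mapped to a sink address.
    others:  list of (address, [names]) for every mapping that is kept
             unchanged, i.e. preserved names and real redirections.
    """
    blocked, others = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address without a name
        addr = fields[0]
        names = [n.lower().rstrip(".") for n in fields[1:]]
        if addr in SINK_ADDRESSES:
            keep = [n for n in names if n in PRESERVE]
            blocked.update(n for n in names if n not in PRESERVE)
            if keep:
                others.append((addr, keep))
        else:
            # A name pointed at a routable address is a real redirection;
            # it is kept as-is and is worth reviewing by hand.
            others.append((addr, names))
    return blocked, others


def render(blocked, others, block_addr, newline="\n"):
    """Rebuild the file: kept mappings first, then one sorted, de-duplicated
    block entry per line using block_addr."""
    lines = [f"{addr} {' '.join(names)}" for addr, names in others]
    lines += [f"{block_addr} {name}" for name in sorted(blocked)]
    return newline.join(lines) + newline


def size_report(text, newline="\n"):
    """Bytes on disk of the normalised file for each blocking address."""
    blocked, others = parse_hosts(text)
    return {
        addr: len(render(blocked, others, addr, newline).encode("utf-8"))
        for addr in BLOCK_ADDRESSES
    }


if __name__ == "__main__":
    blocked, others = parse_hosts(SAMPLE)
    print(f"{len(blocked)} unique blocked names, {len(others)} kept mappings")
    for addr, size in size_report(SAMPLE).items():
        print(f"{addr:>9}: {size} bytes")
```
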

Re:XP has the best HOST file support... apk (0, Offtopic)

Anonymous Coward | about a year ago | (#43519219)

Fact: it takes almost 2 hours for windows to load a 645,000 lines HOSTS file into the DNS cache. While loading, all DNS queries are blocked. That is neither fast nor efficient.

Eat your words ("big fail")

Re:XP has the best HOST file support... apk (0)

Anonymous Coward | about a year ago | (#43519269)

Make fun of Space Nutter delusions once, get your account modded to bad karma forever. Trolling with this crap? No problem. Ah, slashdot....

Disprove my points then, Jeremy ... apk (-1)

Anonymous Coward | about a year ago | (#43519319)

See here, explains it all -> http://tech.slashdot.org/comments.pl?sid=3561925&cid=43223585 [slashdot.org]

* :)

I.E./Summary: Trolls had a challenge put to them to validly disprove my points in the post I just replied to - result? Trolls FAIL... lol!

APK

P.S.=> That's what makes me LAUGH harder than ANYTHING ELSE on these forums (full of "FUD" spreading trolls) - When you hit trolls with facts & truths they CANNOT disprove validly on computing tech based grounds, this is the result - Applying unjustifiable downmods to effetely & vainly *try* to "hide" my posts & facts/truths they extol!

Hahaha... lol, man: Happens nearly every single time I post such lists (proving how ineffectual these trolls are), only showing how solid my posts of that nature are...

Ah yes "geek angst" @ its 'finest' (not), vs. facts & truths = downmod by /. weak trolls!

... apk

specialty software prices (5, Funny)

Anonymous Coward | about a year ago | (#43519137)

They have a limited market and can't make back their money in volume because there isn't the volume for an eye doctor's database product like there is for Office or Quicken.

Kind of like college textbooks?

*ducks*

Re:specialty software prices (0)

fredprado (2569351) | about a year ago | (#43519343)

College textbooks are largely irrelevant in the age of Internet. They only exist to keep publishers and bought teachers rich.

Should run on Win7 (0)

Anonymous Coward | about a year ago | (#43519139)

No need to upgrade to new software, it should run on Win7. There are multiple ways to configure compatibility.

Re:Should run on Win7 (5, Informative)

adonoman (624929) | about a year ago | (#43519163)

Yup. The easiest is to upgrade to windows 7 Pro or Ultimate and install XP Mode [microsoft.com]

Re:Should run on Win7 (0)

Anonymous Coward | about a year ago | (#43519239)

But even that won't work for all titles.

At my job I provide tech support for some very old educational software, if XP mode had worked for one of our titles we wouldn't have created a new version.

No seriously, if it barely works it's considered to work and won't get upgraded.

Re:Should run on Win7 (5, Informative)

Anonymous Coward | about a year ago | (#43519261)

The issue is that medical devices require certified tested/verified drivers to ensure accurate results.
Due to the changes between XP and 7, some instruments require updated software with the corresponding "certified" drivers.

I recently ran across this with pulmonary function testing software at our mine.

Re:Should run on Win7 (0)

Anonymous Coward | about a year ago | (#43519443)

I don't get it. There's medical software (they usually get lauded for being cheap and accessible) with i devices.

If they never bothered updating their software, they would be stuck on each original model -- and they don't even SELL those anymore, let alone having the possibility of buying some cheap hardware and use your existing installation media to have a fighting chance of it working.

APIs in Windows XP are still available in Windows 7 and 8. Hell, I've run Windows 3.11 on XP and there's no reason to think it won't work on Vista, 7 and 8 - especially with XP compatibility mode.

Re:Should run on Win7 (3, Insightful)

steveg (55825) | about a year ago | (#43519397)

How well does this interact with hardware?

We tried using a virtual machine to run National Instrument's LabView. It did not get along well with the NI Elvis breadboard systems we are using. Using it on native Win7 machines didn't work either.

XP mode is a VM based technology, though admittedly not the same as we used. Does it communicate better with external hardware than VMware?

I don't know the nature of the software she was using, but some I have seen in optometrists' offices *does* run hardware. If that's the case, XP mode and other virtual machines might not be a good solution.

Re:Should run on Win7 (2)

ChumpusRex2003 (726306) | about a year ago | (#43519243)

True. However, there may be issues of vendor support. Some business apps are, and this includes specialist medical apps, mission critical, or at least sufficiently important that business may be compromised in the event of failure.

I know one hospital that recently upgraded their hardware. However, some of the middleware needed to make their various medical records applications work together, was only supported by the vendor on XP SP1. There were several problems:
1. The critical nature of this middleware, and the fact that the vendor would not support windows 7 (or even XP SP3) with their version of the software.
2. The complex interaction of this middleware with so many other apps meant that they could not run the middleware in VM as it would not connect to the other apps via OLE/COM or whatever non-networkable protocol it used.
3. The prohibitive cost of sourcing an updated version of what was effectively a custom built solution, and the fact that the original vendor had been bought-out by a new company who were desperate to kill the original product, but were tied into a 10 year support contract. So, although they were contracted to provide 10 years of support, they were only going to support the original config.

The result was that when the original hardware reached end-of-life and had to be updated late last year, the hospital had shiny new quad-core Xeons with 8 GB ECC RAM, and 15k RPM SAS RAID workstations with 2 GB Quadro cards running XP SP1.

Re:Should run on Win7 (1)

Synerg1y (2169962) | about a year ago | (#43519389)

Anybody with half a brain checks compatibility before doing business upgrades.

Anybody with a quarter knows how to run win 7 with xp mode to run xp apps. I don't believe #2 for a second, OLE / COM don't do anything special that would interfere with the virtualized IO of a VM. I honestly just think people blame the VM when they can't get networking to work. If it required special hardware components that required drivers that weren't on 7 and had no virtual equivalent, that I'd understand.

I wouldn't say anything, except I somehow feel like my tax dollars are getting indirectly wasted by incompetent IT.

Re:Should run on Win7 (4, Interesting)

slew (2918) | about a year ago | (#43519375)

No need to upgrade to new software, it should run on Win7. There are multiple ways to configure compatibility.

FWIW, Win7 seems to be much more friendly to this than win8.

I've had two 16-bit programs (one used for point-of-sale another a game my mom likes to play) hobbling along since win95. WinXP worked okay (some compatibility flags made it work), Win7 was a bear to make work with the printer and the point-of-sale program, and finally win8 broke both of them. No application error message, just win8 says, you can't run them anymore (the troubleshooter recommends using winxp mode sp3, but that doesn't work, nor do any of the other modes from win95, 98, me, XP-sp2, Vista, or win7, w/ or w/o administrator privileges, or in reduced color mode). The original publishers of both pieces of software are no longer in business, so purchasing upgrades to the new OS is a non-starter.

I've had to downgrade two new computers back to win7 and winxp (didn't have more than one spare win7 licence, so I had to reach back to xp) to support these programs for now, but now the writing is on the wall. I'm sure that my case is not unique and given my predicament, I'm sure that there are some applications that just won't run on win7 either even in compatibility mode.

Re:Should run on Win7 (5, Informative)

lennier (44736) | about a year ago | (#43519457)

No need to upgrade to new software, it should run on Win7. There are multiple ways to configure compatibility.

"Should" is most certainly not "will". There's a piece of somewhat exotic medical hardware I have the misfortune of knowing which has drivers which only work on XP - mostly because it uses an extremely cheap and badly designed anti-piracy dongle. And no, it does not run on Windows 7 with compatibility mode, and no, it does not run in Virtual PC either. Because dongle.

(Because when a piece of hardware costs $10,000 and up, and the software which connects to it is utterly useless without that expensive hardware - because it's basically just a dial showing a readout - of course a practical use of programmer time is to add an extra pointless $1 anti-piracy hardware component to stop the millions of free copies which will soon flood the intertubes. Sigh.)

Anyway, tldr, yes, this is a huge problem in medical (or any special-purpose, critical-path) software. It's written by a hybrid of Ebenezer Scrooge and Bizarro Iron Man. Exorbitantly expensive, cheaply written, full of edge cases and bugs, hugely dependent on the manufacturer's support whims, will only run or be supported on extremely vanilla OS, and built without any concept of security or ability to work with a patching plan.

And then there's actual "security" software, that runs cameras and such, and if anything that's worse.

easy (0)

Anonymous Coward | about a year ago | (#43519145)

Run XP as a VM on Windows 7

Unplug the computer from the WWW (4, Insightful)

Anonymous Coward | about a year ago | (#43519149)

Who cares if XP is unpatched?
Special dental application to track intervention history, show X-rays associated, etc should not communicate with the internet.
Same goes to timetables / reservations.
If they need machines connected for mobility : make an internal network.

I don't see such a problem here.

Spare parts is a problem. (1)

Anonymous Coward | about a year ago | (#43519203)

Old disks die... new disks may not work properly with old controllers.

Can you still find PATA disks? How about floppy drives?

How about motherboards? or memory?

Re:Spare parts is a problem. (2)

jedidiah (1196) | about a year ago | (#43519245)

PATA and floppy drives were already out of style when service packs were still being released for XP.

From a support perspective, XP just isn't that old. It's a recently discontinued product regardless of how long of a supported service life it had.

Re:Spare parts is a problem. (1)

Anonymous Coward | about a year ago | (#43519263)

"VMWARE"

Re:Spare parts is a problem. (1)

Anonymous Coward | about a year ago | (#43519303)

You can run SATA disks in a PATA computer (or vice versa) via an adapter.

Re:Spare parts is a problem. (1)

Anonymous Coward | about a year ago | (#43519373)

If only there was some way to have the software run on some kind of "pretend" machine that itself existed only in software on some other host operating system.

Oh man, I've got a startup idea with these "pretend machines". See if "PMWare" is already trademarked, would you?

Re:Unplug the computer from the WWW (2)

SleazyRidr (1563649) | about a year ago | (#43519277)

The sibling post made the point about finding replacement parts for when things die. That was always my motivation for a complete system upgrade - something dying and needing to be replaced without me digging deep enough to find something that would work with the old system.

Secondly, some things do need to be connected to the internet. Sure you can make an internal network, but what if you need to connect to another doctor's office? What if you need to connect to any other doctor using the same software?

Re:Unplug the computer from the WWW (1)

Synerg1y (2169962) | about a year ago | (#43519415)

The people with BYOD policies for one.

Certification (4, Insightful)

OverlordQ (264228) | about a year ago | (#43519159)

I bet a lot of that $10k fee is due to the software requiring FDA certification.

Re:Certification (5, Insightful)

Nadaka (224565) | about a year ago | (#43519215)

Yea, it's not like medical software errors ever killed anybody. Eh Therac-25?

Re:Certification (4, Interesting)

Mashiki (184564) | about a year ago | (#43519233)

I bet a lot of that $10k fee is due to the software requiring FDA certification.

Oh that wouldn't surprise me, back oh 15 years ago I helped do a transition from paper to electronic. It was right up along the lines of $38k here in Canada for the software. And my family doctor just dumped their old version of Wolf Medical to a new version, total cost for 6 computers? $118k.

Re:Certification (4, Informative)

SleazyRidr (1563649) | about a year ago | (#43519235)

On the off chance you're not trolling:

Just because the example in the summary is a medical example doesn't mean that they're the only types of software that are expensive. I use some $20k/seat engineering software that isn't certified by anybody except me knowing what it's doing and putting my own name to it. Stop looking for big-government boogey men under every bed.

Re:Certification (4, Informative)

Synerg1y (2169962) | about a year ago | (#43519455)

Coincidentally, you've never worked in the medical industry. The software itself may cost $5-$10k, then the SEPARATE cost of validation tacks on that 20k.

Re:Certification (4, Informative)

tftp (111690) | about a year ago | (#43519259)

No, I don't think that a housekeeping database that doesn't ever touch the patient needs an FDA approval. Not any more than MS Windows or MS Office do, at least.

A $10K price is a common sight in niche markets. Even in non-niche markets specialty s/w, especially with lock-in, command prices of $20K and above. Have this here CNC milling center? Then you need SolidWorks and MasterCAM (or whatever CAM you pick.) That may easily cost you about half the price of the machine.

The price is driven by the need and the opportunity. The need lies in the fact that a very complex piece of software has to be designed for sale to a handful of customers. A smaller ISV may see tens of sales per YEAR, and each of those customers will bitch and moan about economic downturn, trolling for a discount. The ISV needs the high price to stay afloat, and to survive periods between orders.

The opportunity lies in the fact that the customer has to have this software - if not yours then one from your two competitors; and you know how to play that game. The prices will be set to the maximum that the customer can afford.

Just asking... (0)

Anonymous Coward | about a year ago | (#43519169)

Compatibility mode?

Ummm Yes (0)

Anonymous Coward | about a year ago | (#43519171)

It's called a Virtual Machine (VM). Sandbox XP in it, don't allow it to interact with the host system, and enjoy the rest of the world. Problem solved, I'd like a pint please.

-tehprofessor

Re:Ummm Yes (1)

W. Justice Black (11445) | about a year ago | (#43519253)

Seconded. Either:

1. Run it on a hypervisor host and RDP into it or
2. Run it in a local VM using VirtualBox (which does surprisingly well running XP-on-7 as long as you have the VM tools installed). Set the desktop to change size when its window does, auto-hide the toolbar, and it looks/behaves fairly similarly to a local app on W7.

I had a friend's business (which relied on an old map application whose DRM WOULD NOT run on W7) implement such a thing and it's worked great. Plus you get snapshots, which is enough of a reason for me to recommend just about all embedded/oddball apps run on a VM.

Windows XP Compatibility Mode. (0)

rarumberger (2708801) | about a year ago | (#43519175)

Shouldn't that work?

Virtualize the environment (1)

Anonymous Coward | about a year ago | (#43519179)

Take an image of the workstation running XP, convert it to a virtual machine. Take your new Windows 7 Machine, load up VMWare.. and tada.. you're running in a more secure, easy to manage virtual XP environment which you can keep protected and unchanged for years to come.

Re:Virtualize the environment (4, Informative)

W. Justice Black (11445) | about a year ago | (#43519345)

If you can do a fresh install, this would be a good opportunity to do so:

1. Install XP from scratch, with all the latest fixes and whatnot. Get it nice and pristine with no crap milling about beyond the barebones stuff. Get the licensing happy.
2. SNAPSHOT
3. Get your custom software installed.
4. SNAPSHOT
5. BACK IT ALL UP.
6. Use gingerly :-)

I see no value in upgrading. (-1)

Anonymous Coward | about a year ago | (#43519185)

I see no value in upgrading.

Although, medical equipment has no business being on the internet,
especially running anything from Microsoft.
That, in itself, should be a HIPAA violation. But I Digress.

If it works under XP, I see no reason to upgrade.

CAPTCHA = 'trolls' - so funny!

Disable Networking (4, Interesting)

jacobsm (661831) | about a year ago | (#43519189)

Prevent those few computers that are running the program from touching the Internet in any way. No networking services, web, email, ... or anything else. Make them strictly one function standalone devices.

Re:Disable Networking (1)

rsmith-mac (639075) | about a year ago | (#43519323)

Strictly speaking they don't need to be off the network; the threat isn't other XP machines in general, it's things coming straight from the Internet or through other computers connected to the Internet. Put the XP machines on an airgapped network (and epoxy the USB ports if you can) where they can't transmit or receive malware, and those machines could very well run forever.

Re:Disable Networking (1)

Derekloffin (741455) | about a year ago | (#43519453)

You assume that is an option. Many of these have network components and require network access. You can probably do some heavy duty port blocking and such, but even that assumes the user has enough knowledge to know what they can and can't block.

Can't afford? (0)

Anonymous Coward | about a year ago | (#43519193)

That's bs, they had years to upgrade, plus, you can just put a vm with xp without network and that's it, if you really can't afford upgrade.

So? make a small Windows XP VM on the new box (0)

Anonymous Coward | about a year ago | (#43519201)

My solution for running really old stuff is just to have a bunch of VM clients running... and then you can safely backup the VM when you need to (nightly) and restore it when it gets infected (weekly)

On my Mac, I've got a couple of Windows XP VMs running old software and a VERY OLD Windows 98 VM running a single ancient cabling database app

Emulation / Compatibility Mode? (0)

Anonymous Coward | about a year ago | (#43519205)

Isn't this why Windows Vista/7/8 has an emulation mode for XP specific software?

Specialty Software (3, Insightful)

jasnw (1913892) | about a year ago | (#43519223)

A lot of "professional" users of computers (doctors, lawyers, bankers, etc) seem to think that they gotta have really special software to handle everything they do, because everything they do is so special. Much of this is due to people who think they're smart being duped by people who are smarter into thinking they need special software. Is the solution here that these professionals need to do a better job of buying their IT support in the first place? Admittedly, there is certainly some software that has to be written for very narrow and specialized needs, but a lot of these needs can be met by pretty much off-the-shelf solutions implemented by people who know what they're doing. I think these professionals start off by trying to do it themselves (because they are smart, you know?), find that it's not as easy as they thought, and then buy into the pitch that they need REALLY smart IT people doing specialized stuff for them. I'd laugh at all this, but it's part of why our health care costs so damn much.

Re:Specialty Software (0)

Anonymous Coward | about a year ago | (#43519347)

+1 Insightful for you, sir!

(If I had mod points at the moment...)

Re:Specialty Software (5, Insightful)

Anonymous Coward | about a year ago | (#43519401)

A lot of "professional" users of computers (doctors, lawyers, bankers, etc) seem to think that they gotta have really special software to handle everything they do, because everything they do is so special. Much of this is due to people who think they're smart being duped by people who are smarter into thinking they need special software. Is the solution here that these professionals need to do a better job of buying their IT support in the first place? Admittedly, there is certainly some software that has to be written for very narrow and specialized needs, but a lot of these needs can be met by pretty much off-the-shelf solutions implemented by people who know what they're doing. I think these professionals start off by trying to do it themselves (because they are smart, you know?), find that it's not as easy as they thought, and then buy into the pitch that they need REALLY smart IT people doing specialized stuff for them. I'd laugh at all this, but it's part of why our health care costs so damn much.

Well I can certainly tell that you're not a physician, as a physician I can tell you that you have no idea how many limitations, restrictions, and compliance requirements exist in medical software. The issue isn't that you need these things, sure you could host your patient information on Google docs, but when someone breaks into that it can cost you 250K per patient that is lost, there isn't an upper limit on that either, I don't see that many doctors with that kind of cash willing to take those risks. I am not saying it is better to be running on unsupported systems, but it isn't like you can go download some mysql database and front-end designed to organize your DVD collection and safely store patient information. Also most doctors don't have the time or knowledge to do it well themselves so they are stuck with what is 1) out there, and 2) compliant.

Re:Specialty Software (1)

tftp (111690) | about a year ago | (#43519411)

A lot of "professional" users of computers (doctors, lawyers, bankers, etc) seem to think that they gotta have really special software to handle everything they do, because everything they do is so special. Much of this is due to people who think they're smart being duped by people who are smarter into thinking they need special software.

Next time you are at your dentist's office, have a look at the software they are using - and then please advise me how one (especially a doctor!) can put together something like that. Note that you will need an interface to the digital X-ray machine; the thing should be distributed or centralized, but it must allow operation from any terminal, and often concurrently (a doctor writes up her notes, and the receptionist is scheduling your next appointment.) The software must be also operable by minimally trained personnel, and that goes for everyone in the doctor's office (they are trained in other, and more complex, things.)

Admittedly, there is certainly some software that has to be written for very narrow and specialized needs, but a lot of these needs can be met by pretty much off-the-shelf solutions implemented by people who know what they're doing.

As opposed to such software being written using only brand new code, and by people who have no clue what their customers need?

Re:Specialty Software (1)

Anonymous Coward | about a year ago | (#43519421)

Well I can certainly tell that you're not a physician, as a physician I can tell you that you have no idea how many limitations, restrictions, and compliance requirements exist in medical software. The issue isn't that you need these things, sure you could host your patient information on Google docs, but when someone breaks into that it can cost you 250K per patient that is lost, there isn't an upper limit on that either, I don't see that many doctors with that kind of cash willing to take those risks. I am not saying it is better to be running on unsupported systems, but it isn't like you can go download some mysql database and front-end designed to organize your DVD collection and safely store patient information. Also most doctors don't have the time or knowledge to do it well themselves so they are stuck with what is 1) out there, and 2) compliant.

Re:Specialty Software (0)

Anonymous Coward | about a year ago | (#43519445)

I think these professionals start off by trying to do it themselves (because they are smart, you know?), find that it's not as easy as they thought, and then buy into the pitch that they need REALLY smart IT people doing specialized stuff for them.

I think these IT professionals start off by trying to do [dentistry] themselves (because they are smart, you know?), find that it's not as easy as they thought, and then buy into the pitch that they need a dentist doing dentistry stuff for them.

Re:Specialty Software (1)

ghelmer (191783) | about a year ago | (#43519467)

I think you are missing the point that many of these dated systems are running control software for specialized hardware. Even for plain old data processing systems, though, there is astonishing complexity involved in managing electronic health records correctly, safely, and confidentially.

Very strict firewall rule (1)

Anonymous Coward | about a year ago | (#43519225)

If the software needs to be on the network, write a very strict IP to IP firewall rule. The rule only allows the box to talk to the IP-block owned by the company that requires that box to talk to it. If the software doesn't need connectivity to function, unplug that cable!

I mean, really, what are you doing with the eye tester? Running multiplayer game servers there? Stop that. This is a specialized device. It should need very limited network connectivity, if any at all.
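The IP-to-IP rule described in the comment above (and the port blocking mentioned earlier in the thread) can be checked against what the legacy box actually does on the wire. The following is an added example, not part of the original thread: a Python audit of flow records against such an allowlist. The addresses (RFC 5737 documentation ranges), the allowed port, the log format and the assumption that each record is a new connection seen by a stateful firewall are all constructed for illustration.

```python
"""Audit flow records against an IP-to-IP allowlist for one legacy host."""
import ipaddress
import re
from typing import NamedTuple, Optional

# Assumed policy values (constructed, not from the thread).
LEGACY_HOST = ipaddress.ip_address("192.0.2.10")        # the unpatched XP box
VENDOR_BLOCK = ipaddress.ip_network("198.51.100.0/24")  # vendor's address range
ALLOWED_SERVICES = {("tcp", 443)}                       # what the vendor app needs

# Constructed log format: "<timestamp> src=IP dst=IP proto=NAME dport=N"
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


class Flow(NamedTuple):
    src: object
    dst: object
    proto: str
    dport: int


def parse(line: str) -> Optional[Flow]:
    """Return a Flow, or None when the record cannot be trusted as parsed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return Flow(
            ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]),
            m["proto"].lower(),
            int(m["dport"]),
        )
    except ValueError:  # address field present but not a valid IP
        return None


def verdict(flow: Flow):
    """Return (allowed, reason) under a default-deny policy for the legacy host."""
    if flow.src == LEGACY_HOST:
        peer, direction = flow.dst, "outbound"
    elif flow.dst == LEGACY_HOST:
        peer, direction = flow.src, "inbound"
    else:
        return True, "out of scope"  # flow does not involve the legacy host
    if peer not in VENDOR_BLOCK:
        return False, f"{direction} peer {peer} outside vendor block"
    if direction == "inbound":
        # Replies ride on established state; a new inbound connection is not
        # "the box talking to the vendor", so it is denied here.
        return False, f"new inbound connection from {peer}"
    if (flow.proto, flow.dport) not in ALLOWED_SERVICES:
        return False, f"{flow.proto}/{flow.dport} to vendor not on allowlist"
    return True, "vendor service"


def audit(lines):
    """Return [(line_number, reason)] for every record that breaks the rule.

    Unparseable records are reported rather than skipped, so a log format
    change cannot silently hide traffic from the audit.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        flow = parse(line)
        if flow is None:
            findings.append((number, "unparseable record"))
            continue
        allowed, reason = verdict(flow)
        if not allowed:
            findings.append((number, reason))
    return findings


# Constructed sample records.
SAMPLE_LOG = """\
2013-04-23T09:00:01Z src=192.0.2.10 dst=198.51.100.17 proto=tcp dport=443
2013-04-23T09:00:05Z src=192.0.2.10 dst=203.0.113.80 proto=tcp dport=80
2013-04-23T09:01:12Z src=192.0.2.77 dst=192.0.2.10 proto=tcp dport=445
2013-04-23T09:02:30Z src=192.0.2.10 dst=198.51.100.17 proto=udp dport=53
2013-04-23T09:03:00Z src=192.0.2.77 dst=203.0.113.80 proto=tcp dport=443
2013-04-23T09:04:00Z src=192.0.2.10 dst=not-an-ip proto=tcp dport=443
""".splitlines()

if __name__ == "__main__":
    for number, reason in audit(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

Any finding means either the firewall rule is looser than intended or the application needs more connectivity than assumed, which is the knowledge gap the thread points out.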

I doubt that. (-1, Flamebait)

Anonymous Coward | about a year ago | (#43519229)

I doubt she "can't" afford the $10,000 software. I mean, if one of her $100,000 pieces of physical gear failed, she would replace it without thinking.

I *suspect* what is going on is that she is unable to process that software is worth $10,000 when she gets "super cool" games for her iPhone for only $4.99.

Frankly, her clinic deserves to go out of business.

Re:I doubt that. (0)

Anonymous Coward | about a year ago | (#43519385)

Most fancy expensive software has a perfectly good FOSS replacement.
I'm unable to process the concept of any software worth $10,000.

Re:I doubt that. (2)

war4peace (1628283) | about a year ago | (#43519425)

You know what, I was thinking the same. It's good I browse through comments before rushing to the "reply" button.
Also, dental business is lucrative business, if you're a good doctor you can make 10K profit in a month. My uncle (retired dentist) used to make 12-14K EUR monthly profit in Germany on average. Granted, he worked his ass off in 12 hour shifts at his own clinic, but customers kept pouring in.
The real reason is "I can't be arsed to do it" or "the new version of the software is not backwards compatible" which is not that far fetched.

Re:I doubt that. (0)

Anonymous Coward | about a year ago | (#43519441)

I doubt she "can't" afford the $10,000 software. I mean, if one of her $100,000 pieces of physical gear failed, she would replace it without thinking.

Right, everyone can afford to waste money.

I *suspect* what is going on is that she is unable to process that software is worth $10,000 when she gets "super cool" games for her iPhone for only $4.99.

I suspect she believes she already paid $10K for that software and shouldn't have to pay again.

Frankly, her clinic deserves to go out of business.

Jerk.

Wrong platform (1)

MikeBabcock (65886) | about a year ago | (#43519231)

Stop writing medical and industrial software for a platform that forces you to upgrade.

There's nothing stopping you from running X based *nix CAD software from ten years ago on today's hardware.

There's no reason to use Windows on a dedicated medical or industrial computer.

Re:Wrong platform (1)

the eric conspiracy (20178) | about a year ago | (#43519265)

Yes, the big problem is OSs that don't have stable APIs.

Re:Wrong platform (5, Insightful)

PhreakinPenguin (454482) | about a year ago | (#43519299)

Sounds like someone has never had to use medical software. As much as the "zealots" would like to think, not everything is best run on OpenSource. It's not a troll, it's based on 15 years working with medical offices and doctors that don't have time to figure out how to get things to work. And yes, a lot of doctors offices don't have any support on staff or contract other than the EMR or EPM company they are dealing with.

Re:Wrong platform (0)

Anonymous Coward | about a year ago | (#43519477)

Sounds like someone has never had to use medical software. As much as the "zealots" would like to think, not everything is best run on OpenSource. It's not a troll, it's based on 15 years working with medical offices and doctors that don't have time to figure out how to get things to work. And yes, a lot of doctors offices don't have any support on staff or contract other than the EMR or EPM company they are dealing with.

GP didn't mention OpenSource.

Heck, in this circumstance Linux is worse than Microsoft - we all know what response you get from the OpenSource community if your app gets broken by some upgrade - "Just recompile it".

Even without that condescending crap, Linux has no guaranteed backwards compatibility nor a stable, specified binary interface.

And OpenSource zealots always make fun of companies like Sun (RIP) and HP and IBM that actually do things like stable, specified binary interfaces even inside the kernel.

Re:Wrong platform (0)

Anonymous Coward | about a year ago | (#43519337)

I still frequently run Photoshop 5.0. Not CS5, but version 5.0 released in 1998! It runs just fine under Windows 7. PS5 also suits my needs better than recent versions when it comes to handling PNG alpha/transparency.

Med-V (0)

Anonymous Coward | about a year ago | (#43519237)

http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/med-v.aspx

Yes (1)

Mike Frett (2811077) | about a year ago | (#43519247)

Something can be done about it, whether or not you like it is a different story. All those computers can be converted to Linux boxes and I'm sure they can find the software for all their medical records etc. If they can't find it, I'm quite sure some coders would be willing to write some for substantially less than the $10,000 required for switching to yet another version of Windows that will be out-of-date in a year or two.

They need to decide if they want to continue on this never-ending path of spending a fortune whenever Mr. Ballmer says jump. That's the matter at hand, spend a small fortune or do it for free or nearly free and not have to worry about the security of your customers. I'm quite sure some deal could even be worked out with a Linux group willing to help out if they could; although I know of no such group off hand. Well, there it is, I told you in advance you wouldn't like it. You have options if you suck up your closed source pride.

She can afford it (0)

Anonymous Coward | about a year ago | (#43519251)

She'll pay the $10k after her system is wiped out by malware, you can bet. She really means she doesn't want to shell out the money, but if she had to she could and would.

Medical Software (1)

djrosen (265939) | about a year ago | (#43519255)

I have a Doctor as a client and the largest cost for his upgrade is hardware, not software. I just bought a new $7500 server to beat the current system requirements for the EHR software they use. The upgrade cost for them is only about $1200 + services. The hardware requirement is unreasonable but the software is in massive need of a redesign. The vendor is always pointing fingers back at my client when the software fails (it's already a decently sized server). Keeping the old server as a TS server to run the client (Windows 2008 R2) and the new server for the DB and the software (32 gigs of RAM, 2 RAID cards with 6 15K drives and 2 Hexcore Processors). If the problems aren't resolved they can't point the finger at me anymore.

The problem with this type of software is that once a vendor hooks a Doctor for any length of time, they are hooked for life. Migration is near impossible if they wish to retain useable client histories not to mention HIPAA requirements.

I call BS (0)

Anonymous Coward | about a year ago | (#43519275)

The feds have been paying $40k/yr to doctors as an incentive for doctors to go electronic.

That said - this is a problem with the junk MEDICAL SOFTWARE not the OS.

Nothing new (4, Insightful)

BetterSense (1398915) | about a year ago | (#43519281)

I work in a very large semiconductor fab that is full of dozens, probably hundreds, of DOS, Windows 2000, Windows 98, Windows ME, and Windows XP machines. They will never be upgraded or patched.

Is this stupid? Yes. Is there anything I can do about it? No.

I just got done negotiating the purchase of a 2-million-dollar piece of equipment that comes with Windows. We actually have a purchasing requirement that all software be provided with patches as necessary, including OS upgrades, and that all source code be held in escrow in case the company goes under. However, when we negotiate the purchase specs, those lines get crossed out, because the vendor refuses to comply and we have no leverage, so we buckle.

Personally I think that anyone who uses something like Windows (a desktop OS with known, SHORT service lifetime, suitable for desktop computing in non-critical applications) in an industrial tool with 10+ year lifetime, should be fired immediately, and this should have been the case from the very beginning, but I was not around back then, and it became acceptable. Nobody ever got fired for buying Microsoft, even when it's an idiotic thing to do.

Re:Nothing new (1)

geek (5680) | about a year ago | (#43519465)

Personally I think that anyone who uses something like Windows (a desktop OS with known, SHORT service lifetime, suitable for desktop computing in non-critical applications) in an industrial tool with 10+ year lifetime, should be fired immediately

XP is 12 years old. It'll be 13 when it's EOL'd. I wouldn't call that short. The problem isn't Windows, it's vendors using proprietary file formats and charging for full software upgrades instead of just driver updates for existing software.

There shouldn't be anything stopping a vendor from releasing the same version of their applications on win7 as well as XP but they see dollar signs and gouge the fuck out of you because you're a "professional."

XP has had a longer lifespan than either a Red Hat or an Ubuntu LTS release. I hate defending Microsoft but on this one they are right to EOL the fucker and vendors need to be supporting their shit with upgrades and compat updates if they want to continue charging the hundreds of thousands, even millions, for software. Either that or release the fucking specs and let the free software folks take a crack at it.

More importantly, can anything be done about it? (2)

turbidostato (878842) | about a year ago | (#43519295)

Yes, something can be done about it. Not overnight, but it can be done.

What?

Use Open Source.

You either need to pay 10.000 because it really costs 10.000, in which case you wouldn't be making a case out of it, you would just pay for it as part of your cost of doing business, or it doesn't cost 10.000 but you end up paying 10.000 because third parties are controlling your business instead of you.

If you think you are in the second case, just ally with other "eye doctors" and make a software factory to produce the software on your behalf as open source. On one hand, you'll pay the real cost; on the other, the old producers will be forced to either lower their prices to the new market standard or fold. In any case, a win-win situation.

Very common (5, Interesting)

Anonymous Coward | about a year ago | (#43519297)

My old hospital was hit by this already. They couldn't afford an enterprise license from Microsoft that allows them to pick which version of Windows to install on their PCs, (hundreds of thousands of dollars), some of our critical EMR software was only XP compatible and would not work on Windows 7. When Microsoft quit selling XP and wouldn't allow us to downgrade our Windows 7 systems, we were in a bind. We were able to find some XP licenses in the wild but still are between a rock and a hard place. FDA certification for our EMR vendors is a pain and moving to the new version of windows is hard. I have no idea how we will overcome the sunsetting of XP.
 

Many science / data acquisition users (0)

Anonymous Coward | about a year ago | (#43519305)

Move from Win XP higher was linked with National Instruments introducing new generation of drivers (due to changes in Windows drivers models). Most old software written for the old drivers will not work with the new NI drivers, and new versions of the specialty programs using it are either overpriced, or outright impossible to get due to developer's demise.

Roland MDX-3 (1)

ArcadeMan (2766669) | about a year ago | (#43519309)

My old Roland MDX-3 needs a parallel port but other than that I can simply send files to cut via the command line (ex: "copy cutfile.txt lpt1") so I'm still using Windows 98SE without any problem whatsoever.

If it ain't broke, don't try to fix it.

Seems Obvious (0)

Anonymous Coward | about a year ago | (#43519313)

Virtual Machine with XP on it. Derp.

XP mode (0)

Anonymous Coward | about a year ago | (#43519315)

Windows 7, XP mode seems to be an answer as it's pretty much fully featured XP VM.

Misleading headlines are misleading (2, Insightful)

dhavleak (912889) | about a year ago | (#43519321)

In the linked article, the doctor couldn't afford to upgrade her specialty medical software.

1. It's unlikely that the version she currently uses does not run on Win7
2. It's unlikely that the version she would upgrade to does not run on XP
3. It's likely that the upgrade would cost $10,000 even if she wasn't changing OS versions

So what does this have to do with Windows? Nothing. The only information in the article is that specialty software can be very expensive. That fact stands alone and would do so on any OS and any version.

Has Slashdot become this gullible??

Re:Misleading headlines are misleading (1)

erroneus (253617) | about a year ago | (#43519485)

It's *NOT* unlikely because I have seen something quite similar in my dentist's office. He couldn't afford what this company wanted to charge for the software on a new server. The software was licensed for a particular server and all this nonsense. The best I was able to offer was an upgrade of memory. The user couldn't install the software for himself. And so while yes, "it's not a Windows thing" specifically, it is definitely a case of Microsoft enabling and even encouraging this type of behavior. I also recall a similar problem with a private investigator's software. I offered the VMWare solution as a means of getting this Windows95 software moved into WindowsXP life but in the end, the software originator would not budge and this guy did not want to risk his configuration. I told him the Windows95 machine's HDD would eventually fail and he just said he'd have to cross that bridge when he came to it. Sad, sad, sad...

Software is stupidly expensive to the point they are often completely unfair in the way they do things. Unskilled customers often give in to the demands without realizing what they are giving up or what it all means... until it's too late and often even after that.

The IT world sickens me often when I see this crap. And don't get me started on Cisco...

A big problem (0)

Anonymous Coward | about a year ago | (#43519329)

Sure, IT depts are moving to Win7/8, but look at Kaiser Perm health care. All its hospitals are still running XP at the patient room level.

It's a big problem IT depts are sure ignoring. Likely to force the hand of the CFO for a big IT budget in the near future.

Then Don't Upgrade??? (0)

Anonymous Coward | about a year ago | (#43519335)

Just because Microsoft doesn't support it anymore doesn't mean it is just going to stop working. Eventually, software won't be supported and new versions may not work, but they probably can't afford that either.

Sorry, there is a real cost to doing things, whether it is open source or commercial. I don't care if some folks can't afford it. Quit whining like children.

How many versions behind is she? (1)

cianduffy (742890) | about a year ago | (#43519339)

This is my industry and I'm not aware of any system where you could be on a compliant, secure system that had been updated that won't run above XP.

The only systems I run into that are stuck on XP or below are some Win16 apps. Would consider seeing if they'd run on eComStation to have a less easily attacked (if only by rareness) system if they weren't competitors' systems. Our own Win16 and DOS applications were borked into running on Windows 7 and a brief bit of playing with one of them on Windows 8 was successful too - but the last one to be withdrawn from sale was in 2008.

To be stuck on XP you either need to have been extremely unlucky, or be using something ancient and likely unsupported. And if a normal upgrade for an optician's is $10k, we really need to move markets/country.

Bad example (5, Insightful)

onyxruby (118189) | about a year ago | (#43519341)

This is a really bad example to make your case. She has HIPAA data and needs to upgrade as her computer can't be patched anymore next year. No sympathy for someone with HIPAA data trying to get out of patching their system.

Now, if you had picked an example of someone who didn't have HIPAA data I'd point to options that could be done. However to be frank I am all out of sympathy for anyone in this situation. Microsoft announced end of life on this a very long time ago and frankly gave a lot longer on the EOL and support for the OS than Mac or any of the Linux variants.

This reminds me of the gas station owners put out of business by the new standards for underground tanks. They had years of advance notice, yet they still refused to modernize something critical to their business that they knew they needed to. Time came that they could no longer be grandfathered in and all of a sudden a bunch of stations went out of business.

Why, because they didn't want to spend money for tanks that were resistant to leaks that could ruin the environment? A doctor that doesn't want to spend money to help prevent leaks (patient data) is no better than the gas station owner. It's a business expense just like any other and a business owner that refuses to give IT its due as they should. Quit supporting IT neglect by helping people like this out.

Virtualise (2)

Bogtha (906264) | about a year ago | (#43519351)

Just because a piece of software needs to run on an obsolete operating system, it doesn't mean that should be their main operating system. Stick it in a VM and don't attach it to the network unless necessary.

Increasingly hostile (1)

erroneus (253617) | about a year ago | (#43519353)

Oh yes... the software world is increasingly greedy and hostile to the customer and it has been Microsoft leading the way from the beginning. And in case anyone was wondering when we would reach the breaking point? I'd say many of us have reached it or so sayeth the declining PC sales.

Things are about to enter a stage of incredible change and upheaval and not just in the computer/internet worlds, but all over. "We live in interesting times."

Could be worse (0)

Anonymous Coward | about a year ago | (#43519357)

I have to keep an old Windows XP machine around to run Internet Explorer 7 because a website that I need to access only supports IE7 or older. I have *no* control over what they run on their servers, so there's no way for me to upgrade things at my end. I've tried emulating IE7 various ways without success. The server won't let me log in with anything but IE7 or older. About my only other option is to run XP in a VM, but I figured I may as well keep any problems isolated to one old machine and not let people in the lab use it for anything other than accessing that one fussy and archaic site.

Elsewhere on campus, there are machines running Windows 98 that run our scanning electron microscope, and a year or two ago I helped a colleague by finding an ISA video card to go into an old IBM PC that runs an x-ray diffraction machine (the DOS software runs from a boot floppy!). When it comes to expensive instruments that run for years with custom hardware/software combinations, it's like a trip back in time on the computer side. Unless you want to buy a whole new multi-$100k instrument, you make do with some pretty vintage computer hardware and software. It's not that the upgrade from Windows XP would cost a lot, but that the software and hardware would have to be upgraded simultaneously and cost much more. Sometimes many orders of magnitude more. You save the upgrade until something essential and unfixable has permanently broken, or where the increase in efficiency by getting a new machine outweighs the huge cost. That can be a long time in "computer years".

Aside from that, if it isn't broken, why fix it? Isolate it from the network, disable autorun, impose strict policy on what can and can not be done on that machine (e.g., general file / web browsing / e-mail not allowed), whitelist only the essential stuff, blacklist everything else, and it can be "secure enough" even as Microsoft's security updates lapse. Worst case, run XP in a VM if the software will let you do so.
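The hardening steps listed in the comment above can be checked offline against a registry export taken from the XP machine. This is an added example, not part of the original comment; the choice of three checks (with the firewall setting as a partial stand-in for network isolation), the function names and the sample export are assumptions of this example.

```python
import re

# (registry key, value name, wanted dword). Paths are standard Windows locations;
# picking these three as the audit set is this example's assumption.
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDriveTypeAutoRun", 0xFF),   # autorun off for every drive type
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers",
     "DefaultLevel", 0x0),          # Software Restriction Policies: default Disallowed
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
     r"\Parameters\FirewallPolicy\StandardProfile",
     "EnableFirewall", 0x1),        # Windows Firewall on
]

def parse_reg(text):
    """Parse a regedit text export into {KEY: {value_name: int}} (dword values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})  # key names are case-insensitive
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return {value_name: 'ok' | 'missing' | 'wrong:0x..'} for each check."""
    keys = parse_reg(text)
    results = {}
    for key, name, want in CHECKS:
        got = keys.get(key.upper(), {}).get(name.lower())
        results[name] = ("missing" if got is None
                         else "ok" if got == want else "wrong:0x%x" % got)
    return results

# Constructed sample export: autorun hardened, no whitelist policy, firewall off.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
'''

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print("%-20s %s" % (name, status))
```

Registry exports in the "Version 5.00" format are written as UTF-16, so decode the file with that encoding before passing its text to `audit`.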

Win 7 XP mode? (1)

WillyWanker (1502057) | about a year ago | (#43519359)

What about XP mode in Windows 7?

Wine? (1)

grungy (634468) | about a year ago | (#43519381)

If her problem is that her new software won't run modern Windows, maybe she can upgrade to Windows 7, but then use Wine to keep her older version running? (Although I can't see why Windows' own backward-compatibility would be inferior to that.)

FOSS (1)

Anonymous Coward | about a year ago | (#43519383)

Yet again the closed source model fails society.

the real world (0)

Anonymous Coward | about a year ago | (#43519461)

A lot of these small town doctors/dentists can't afford an IT staff. They rely on the software vendors for advice and sometimes people they know around town. It's really scary to think when you pay for appointments that a lot of those computers probably haven't been patched since they were installed.

A Dickhead's Idiom (4, Insightful)

CanHasDIY (1672858) | about a year ago | (#43519473)

You made your bed, now lie in it.

Virtualise the legacy OS. (0)

Anonymous Coward | about a year ago | (#43519475)

Just P2V it. This will work with many line of business applications, but not all. Particularly problematic would be systems that control external equipment.
