Slashdot: News for Nerds

Ask Slashdot: Preparing For Windows XP EOL?

timothy posted about 4 months ago | from the stock-up-like-y2k dept.

Windows 423

An anonymous reader writes "As most of us working in IT may know, Microsoft will stop supporting Windows XP on April 8th, 2014. Although this fact has been known for quite some time, XP is still relatively popular in companies and also enjoys noticeable marketshare for home users. Even ATMs are running XP and will continue to do so for some time. A lot of companies/users don't want to change because they see no additional benefit to do a costly upgrade, no reason to change a running system, and they may in some cases be right with their assumptions. So what is the best way to secure these remaining Windows XP systems? Installing the latest security patches, checking firewall status and user permissions etc. should be fairly obvious; as Microsoft Security Essentials may also not receive updates anymore, changing antivirus programs seems a sensible thing to do."

423 comments

No problem (0, Redundant)

Anonymous Coward | about 4 months ago | (#46596109)

Just don't run as an administrator! Also don't run IE or OE. Use Firefox with NoScript. Keep an updated and supported anti virus package installed. Don't use Flash, Adobe Reader or Java. It's actually not a problem.

Re:No problem (-1)

Anonymous Coward | about 4 months ago | (#46596141)

...or just use GNU/Linux. Why even bother with a 13 year old operating system, seriously?

Re:No problem (5, Insightful)

TheGratefulNet (143330) | about 4 months ago | (#46596221)

stupid AC. I'll tell you why: some people have expensive hardware that only works with xp and it's NOT practical to rebuy working hardware just to run a more modern os. the os only exists to run apps and if the value of the apps and hardware are high enough, you will stay with the older os.

of course, AC's think that only linux matters. they can't see that in the real world, you need TOOLS to do your job and if those tools are only running on an older os, you keep that older os!

this should not have to be explained. maybe I got trolled, but figured if he was serious, I'll at least explain WHY you need to continue to run older systems.

Re:No problem (5, Interesting)

I'm New Around Here (1154723) | about 4 months ago | (#46596387)

Really. One of my customers has a Win98 box, because it controls a $50,000 device. Another one runs NT Server, because porting 100,000+ part numbers to a new database isn't worth the upgrade.

People forget these contraptions we are typing on are simply tools, especially to businesses that focus on their own products, not what OS is on their computer.

Re: No problem (-1)

Anonymous Coward | about 4 months ago | (#46596465)

Dude that's so lame you can't even run games on that stuff. Linux steam ftw.

Re:No problem (1, Interesting)

Sprouticus (1503545) | about 4 months ago | (#46596485)

The logical counter to that is:

YOU HAVE SOMEONE RUNNING A $50,000 ON Win98? Holy crap that is stupid.

On, not logical, but my point is salient. If you are willing to accept the risk, go for it. But don't be surprised when it breaks and ends up costing you a LOT to fix/recover the data/device.

Re:No problem (5, Insightful)

aix tom (902140) | about 4 months ago | (#46596559)

Depends on the device and the support you get for the device. Just think about it: Microsoft never did give any real "support" to you, most of the time they told you to go to your manufacturer for that. If the manufacturer of the $50,000 device still gives you support in the sense that he will fix any problems that occur with the device, including replacing the hardware that still runs Win98, that is more support than you have ever gotten and will ever get from Microsoft.

Re:No problem (4, Insightful)

DeathElk (883654) | about 4 months ago | (#46596637)

It's not stupid. It's quite common for specialised equipment to rely on drivers written for a particular OS. We have a 3 year old transmission dynamometer that cost us $180,000 that is controlled by redundant commodity x86 hardware running XP. There is no need to keep the OS up to date as it serves only one purpose.

Stupid lusers these days think all "PCs" are to be connected to the Internet and used for browsing file sharing sites.

Re:No problem (3, Insightful)

The Grim Reefer (1162755) | about 4 months ago | (#46596695)

The logical counter to that is:

YOU HAVE SOMEONE RUNNING A $50,000 ON Win98? Holy crap that is stupid.

Why? These types of systems are in a lot of industries. None of those systems are on the internet. And probably not even on a network at all. It may cost $10K to upgrade the controlling computer. And for what? So you can play a game on it? Or iTunes, or surf the web? No one in their right fucking mind is going to do this. These are very specific use systems. They don't need to do anything more than what they are doing and spending a pile of money to upgrade them to a modern OS will gain nothing.

Here's a car analogy for you. You own a red 1500 lb. Ferrari with a 500 HP carbureted single cam pushrod engine that gets 15 mpg. Are you going to buy another one for $150K that looks and weighs exactly the same and has 500 HP and gets 15 mph too but the engine is a dual overhead cam with a turbocharged EFI engine and maybe some LCD touch screen gauges and a DVD player? It's a more modern vehicle, but you gain nothing of any value. Seems like a waste of money to me.

Re: No problem (0)

Anonymous Coward | about 4 months ago | (#46596533)

Kind of frustrating that those in the "don't upgrade camp" ignore the cost to their business if one of those older oses gets infected and destroys the machine it controls. Hell, I've seen it happen.

Re:No problem (1)

zipherx (1150327) | about 4 months ago | (#46596543)

Seriously not a good reason. Problem is, people who can not accept how IT works, and evolve, should just use pen and paper and be safer for it.

Or they will just suffer the consequences, or the rest of us will, whenever their pc becomes part of a botnet.
Yes, there are systems that are running equipment, which has to run its life before it can be retired along with whatever version of any operating system it came with. It is just how it is, and those who are responsible for those systems will just have to sandbox them the best they can.
But honestly any private person, who is not running expensive equipment (no your US robotics 33.6 modem is NOT part of that list), has about zero excuses for running a 13 year old system. Djeez!

Re:No problem (5, Informative)

boristdog (133725) | about 4 months ago | (#46596665)

At my company we have dozens of $500K+ machines that are controlled by NT 4.0 boxes, and dozens of somewhat newer $2M machines controlled by XP boxes.

The vendor has no incentive to upgrade their software to work with a new OS, they'd rather we spend several hundred million on new equipment. And the software that controls the machines is closed and proprietary to the vendor.

We'll still be using NT and XP in 2020.

Re:No problem (1)

mark-t (151149) | about 4 months ago | (#46596581)

This may not necessarily apply to every use case, but I'd suggest that any reason why one might need to run an older system is probably trumped by the distinct possibility of being cut off from the Internet entirely.

Because if or when any previously unknown exploits for XP get discovered after April 8th, they will probably not be patched. Virus detection can only go so far to stopping vulnerabilities in the underlying OS.

Alert ISP's that can detect the presence of zombie computers on their network and will be able to disconnect any that they find

This is singularly the best reason I know of to stay current with regards to whatever operating system one uses to stay online. If one does not have the hardware to remain current, then they may just have to accept staying offline until they do.

Re:No problem (1)

Impy the Impiuos Imp (442658) | about 4 months ago | (#46596589)

We do embedded development. This means re-qualifying a whole new version of tools, and the tools frequently don't work right and you cannot "just upgrade" because these are in the millions of recallable units.

Re:No problem (0)

Anonymous Coward | about 4 months ago | (#46596597)

of course, AC's think that only linux matters. they can't see that in the real world,

Well, that AC's not the only stupid one. You do a pretty good job of it, too.

Re:No problem (5, Interesting)

dissy (172727) | about 4 months ago | (#46596729)

Where I work a good number of the surface mount assembly lines are run by windows 2000 and XP.
The screen printers still run DOS. Many of the electrical testers and chip programmer rigs need XP or lower as well.

As most of these setups require custom PCI IO cards, virtualization isn't an option either.
(Though I am happy to have found an ISA to USB adapter that works well under virtualization)

When "a pc upgrade" involves replacing a quarter million dollars in hardware and finding the time to eat the cost of downtime over three running shifts, even I couldn't justify the cost of doing so just to get a newer OS (that will still be windows and still go EOL at some future point!)

My solution is to segment older OSes on the network. They can reach the SQL server and occasionally the file server as needed.
NO email, NO internet, NO intranet, no random transfers between there and other networks.

Everyone has Win7 desktops for office, outlook, and firefox. There is no need to even treat the XP systems as computers anymore. They are now appliances.

With the SMT line PCs not even showing a desktop or letting the operators exit the controller GUI, and the test hardware being locked to a list of approved executables (More for QA actually), the likelihood of an infection requiring a reinstall is next to nil.

That leaves hardware failures. I have full drive images to restore once the HDs fail. On a more serious failure, the entire rig is considered failed. Either time to pony up the $25k for a new system, or we do without.

As long as you get your desktops upgraded, there is a lot less you need to use XP for, and most attack vectors can actually be completely blocked without affecting any work flow whatsoever.
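The segmentation policy in the comment above can be checked against connection logs. The following is an added example, not code from the commenter: a Python audit of flow records that flags any connection touching the legacy segment other than the allowed SQL and file-server flows. The subnets, server addresses, ports, record format and the extra rule that legacy hosts should not talk to each other are assumptions made for the example.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple, Optional

# Assumed addressing plan (constructed for this example, not from the thread).
LEGACY_NET = ipaddress.ip_network("10.20.0.0/24")   # XP / 2000 / DOS controllers
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # all in-house address space
ALLOWED = {                                          # (dst, proto, dport)
    (ipaddress.IPv4Address("10.10.0.5"), "tcp", 1433),  # SQL server
    (ipaddress.IPv4Address("10.10.0.6"), "tcp", 445),   # file server (SMB)
}

# Constructed flow records, one connection per line, initiator listed first.
SAMPLE_LOG = """\
# src dst proto dport
10.20.0.11 10.10.0.5 tcp 1433
10.20.0.12 10.10.0.6 tcp 445
10.20.0.11 10.10.0.25 tcp 25
10.20.0.13 203.0.113.80 tcp 80
10.20.0.12 10.20.0.14 tcp 445
10.30.0.40 10.20.0.11 tcp 3389
10.30.0.40 10.10.0.5 tcp 1433
10.20.0.15 10.10.0.5 udp 1434
garbage line here
"""


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse 'src dst proto dport'; raises ValueError on any malformed field."""
    src, dst, proto, dport = line.split()
    port = int(dport)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return Flow(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                proto.lower(), port)


def classify(flow: Flow) -> Optional[str]:
    """Return a violation category, or None if the flow is allowed or out of scope."""
    src_legacy = flow.src in LEGACY_NET
    dst_legacy = flow.dst in LEGACY_NET
    if not src_legacy and not dst_legacy:
        return None                      # does not touch the legacy segment
    if src_legacy and dst_legacy:
        return "legacy-to-legacy"        # peer traffic between appliances (added rule)
    if dst_legacy:
        return "inbound-from-other-network"
    if (flow.dst, flow.proto, flow.dport) in ALLOWED:
        return None                      # SQL or file server, exact proto and port
    if flow.dst in INTERNAL_NET:
        return "internal-not-allowed"    # mail, intranet, wrong port on a known server
    return "internet"


def audit(lines):
    """Return (violations, malformed): violations are (line number, category, Flow)."""
    violations, malformed = [], []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            flow = parse_flow(line)
        except ValueError:
            malformed.append(lineno)     # keep unparseable records visible
            continue
        category = classify(flow)
        if category is not None:
            violations.append((lineno, category, flow))
    return violations, malformed


def summarize(violations) -> Counter:
    """Count violations per category."""
    return Counter(category for _, category, _ in violations)


if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG.splitlines())
    for lineno, category, flow in found:
        print(f"line {lineno}: {category}: {flow.src} -> "
              f"{flow.dst} {flow.proto}/{flow.dport}")
    print("unparsed lines:", bad)
    print(dict(summarize(found)))
```

Matching on the full destination, protocol and port tuple is what catches the last sample record: the SQL server is a permitted destination, but only on the one service the controllers need.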

No applications ... (2)

golodh (893453) | about 4 months ago | (#46596727)

Because, as will be understood by anyone but the most naive hobbyist, the cost of switching applications for a few million boxes is enormous.

Counter to what some people seem to think, running XP isn't an end in itself. In the real world you run XP in order to run certain applications, right? Applications that typically won't run on Linux (closed-source Windows-only stuff) and may not even run on Windows-7.

Besides upgrading would be really expensive. Ripping out several million boxes, reformatting their disks, installing Linux, dealing with a substantial percentage of cases where the hardware breaks when you unplug them or on which the more recent kernels won't run is very expensive. So expensive in fact that the license cost for a Windows copy will be completely dwarfed by the cost of handling the hardware and installing Linux.

By the time you're done installing the OS you'll find your troubles are only beginning. You'll find that your old applications (that you built into your business) won't function anymore. You might be able to write one single application for ATM's that runs on Linux or a more recent version of Windows but you won't have time to test that thoroughly (enough) and you'll replicate that application millions of times. Good luck! For ordinary office machines you'll be facing a big bill in reinstalling all the old packages and even more (training !) if you decide to upgrade the applications too. And then you can watch your office performance sag as everyone starts learning their way around the new apps.

Chances are you'll lose a lot more money handling, migrating, training, and pushing updates to all those millions of boxes than dealing with any security problems that may start to arise in the next two years.

That, in a nutshell, is why it makes financial sense to just isolate the, shortly very vulnerable, XP boxes behind firewalls than to upgrade them.

In fact I think you might even be able to insure yourself against cost of problems when you continue using XP at a rate that's much lower than the cost of migrating.

Re:No problem (2)

mlts (1038732) | about 4 months ago | (#46596643)

Even without admin rights, malware can do a lot of harm with just user profile data.

XP is very lightweight (runs well in 512MB of RAM), so it makes for a great OS to run in a VM for Web browsing. Have the user that the Web browser is running in be a non-admin, use the above add-ons, and use a sandboxing program like sandboxie, and one can have decent protection. Every few weeks or so, roll back the snapshot so if something did get past the sandbox, it would be gone. Of course, bookmarks would have to be saved somewhere else, but that isn't an impossible task. For AV protection, something like Malwarebytes that blocks rogue IPs is decent, but usually AV software is useless against most attacks due to the 0 day nature.

Use a firewall (0)

Anonymous Coward | about 4 months ago | (#46596115)

If XP is behind a corporate firewall - no problem.
Everyone should have a separate non-Windows firewall.
It really is all very simple and never requires the running of ridiculous anti-virus products.

Re:Use a firewall (1)

hawguy (1600213) | about 4 months ago | (#46596303)

If XP is behind a corporate firewall - no problem.
Everyone should have a separate non-Windows firewall.
It really is all very simple and never requires the running of ridiculous anti-virus products.

A corporate firewall does little to ensure safety of a Windows installation. I've seen users behind a malware scanning firewall, running antivirus software on Win7 *still* manage to get infected by malware.

If a remote exploit is found in WinXP, a single infected XP machine on a corporate network can hop around to other WinXP machines in that network.

Re:Use a firewall (0)

Anonymous Coward | about 4 months ago | (#46596625)

a single infected XP machine on a corporate network can hop around to other WinXP machines in that network.

I saw that happen at a former employer. They were in the process of switching from an old in-house point-of-sale system (running on MS-DOS) to a shiny Windows XP Embedded 3rd-party system. They had about 100 computers in the Q/A lab (all on a common private network), and all had just been converted to the new Windows P.O.S. (read that both ways).

Within a matter of a couple of weeks, a virus managed to get on to one of the computers. I don't know if they ever figured out whether it was through the network or through someone using an infected thumb drive, but every one of the computers was infected within minutes.

It took them a week to clean up the mess. Those of us who had been warning them away from a Windows-based solution had a good laugh at the expense of the idiots in management who insisted that Windows was a good choice for a special-purpose system running one specific program.

Re:Use a firewall (0)

Anonymous Coward | about 4 months ago | (#46596525)

If XP is behind a corporate firewall - no problem. Everyone should have a separate non-Windows firewall. It really is all very simple and never requires the running of ridiculous anti-virus products.

People really believe this?? That firewall does nothing to protect you against most common internet threats. And neither does "safe user practices" - legitimate sites are the main vector for malware now, not links, downloads and attachments you shouldn't have clicked on.

Re:Use a firewall (2)

mlts (1038732) | about 4 months ago | (#46596793)

Firewall and AV products will not catch 0-day exploits of the Web browser and add-ons. If they are pulled via SSL, even the best SPI firewall will be bested, unless one goes with a MITM system and forces all inside machines to trust the MITM appliance's key as a root one.

Browser exploits are the biggest vector of infection these days, and XP has little to no resistance innately against those, other than running as a non-admin user... and even then, malware can do a lot with a regular user's context.

Errrrrr (1)

segedunum (883035) | about 4 months ago | (#46596117)

No.

Check your premise (0)

Anonymous Coward | about 4 months ago | (#46596119)

If you think that newer versions of windows don't have anything to offer you shouldn't have to do anything at all (as presumably you don't think continued security support is something worth upgrading for).

Re:Check your premise (2)

rudy_wayne (414635) | about 4 months ago | (#46596545)

If you think that newer versions of windows don't have anything to offer you shouldn't have to do anything at all

First, the only newer version of Windows that "has anything to offer" is Windows 7. Vista isn't as bad as some people have tried to claim, but once Windows 7 became available, Vista became meaningless and there is absolutely no reason to even consider it. Windows 8 is a mess. One of the all time worst.

But the real problem isn't that newer versions of Windows don't have anything to offer. The problem is the expense of switching. Whether it's an individual with one computer or a business with a few thousand, the cost far outweighs the benefits.

Then there is the dirty little secret of business, that isn't so secret. There are millions of computers running shitty, poorly written software that will stop working if you make the tiniest change to the underlying hardware or operating system. That makes switching even more difficult and expensive.

Re: Check your premise (1)

cyber-vandal (148830) | about 4 months ago | (#46596711)

It's not a well kept secret.

Antivirus is obsolete (0)

Anonymous Coward | about 4 months ago | (#46596123)

I stopped using an antivirus program in 2005, shortly before converting to Linux.
Aren't actual viruses pretty rare nowadays? Most malware attacks the browser and plugins.

Re:Antivirus is obsolete (1)

kthreadd (1558445) | about 4 months ago | (#46596173)

Anti virus is sort of an incomplete term. Trojans are much more popular these days, and despite its name an anti virus program can protect against them too. It's just software when it comes down to it.

Re:Antivirus is obsolete (0)

Anonymous Coward | about 4 months ago | (#46596531)

I was under the impression that, for a typical box that has updated software AV software is more or less redundant. There's signature-based AV which only protects you from old threats and is pretty easy to subvert with polymorphic code and packers. That's old and busted. Then there's heuristic-based AV which tries to guess when a program is doing something it shouldn't be doing. Which gets in the way constantly and takes a lot of resources. AV is really just a stop-gap solution for doing what the OS should have been doing in the first place.

And most reasonably intelligent users know not to give questionable software the keys to the kingdom.

And no matter of OS security or AV will keep idiots from giving malware the keys to kingdom if they REALLY want to see those kitties.

At this point, AV software companies were making their money on tradition and fear. Ostensibly helping the computer security ecosystem by helping identify and close security holes, but really just preferring to leech off corporate America.

Re:Antivirus is obsolete (0)

Anonymous Coward | about 4 months ago | (#46596669)

I was under the impression that, for a typical box that has updated software AV software is more or less redundant. There's signature-based AV which only protects you from old threats and is pretty easy to subvert with polymorphic code and packers. That's old and busted.

It may be old, but it is prevalent. Even the APT vendors acknowledge that stopping known AV threats stops 90% of real world threats. Discounting the value of that is like discounting the value of condoms because they are not 100% safe.

Then there's heuristic-based AV which tries to guess when a program is doing something it shouldn't be doing. Which gets in the way constantly and takes a lot of resources. AV is really just a stop-gap solution for doing what the OS should have been doing in the first place.

What exactly should the OS be doing (that is different from an AV) when I want to install app X and it is compromised with a trojan?

And most reasonably intelligent users know not to give questionable software the keys to the kingdom.

Malware and exploits have moved on from being avoidable by good user practices. You will lose the keys to the kingdom to a good pickpocket without knowing what hit you.

And no matter of OS security or AV will keep idiots from giving malware the keys to kingdom if they REALLY want to see those kitties.

You are right that OS security won't prevent that, but this is exactly what AV will prevent, it will block and quarantine those kitties, and it will not be easy for the user to circumvent that.

Re:Antivirus is obsolete (1)

rudy_wayne (414635) | about 4 months ago | (#46596573)

Aren't actual viruses pretty rare nowadays? Most malware attacks the browser and plugins.

The term "virus" has evolved to include all forms of malware and anti-virus programs now detect more than just the traditional "virus".

Open your files in text mode (0, Offtopic)

Anonymous Coward | about 4 months ago | (#46596131)

If you need to deal with end-of-line, then it would be a good idea to open your file in text mode. It makes no difference on Unix because the line separator is LF anyway, but as you may know on Windows XP it is CRLF.

You want the best way? You got it. (0)

trifish (826353) | about 4 months ago | (#46596133)

So what is the best way to secure these remaining Windows XP systems?

If you can't keep the box permanently offline, then the best way to secure Windows XP after the EOL date is to uninstall it. By believing otherwise you are only fooling yourself.

Re:You want the best way? You got it. (0)

Anonymous Coward | about 4 months ago | (#46596331)

If you can't keep the box permanently offline, then the best way to secure Windows XP after the EOL date is to uninstall it. By believing otherwise you are only fooling yourself.

Wouldn't just switching the computer off be a lot easier than going to the trouble of uninstalling XP?

Re:You want the best way? You got it. (0)

Anonymous Coward | about 4 months ago | (#46596579)

Wouldn't just switching the computer off be a lot easier than going to the trouble of uninstalling XP?

Yes, but it would be equally easier for the end user of said computer to simply switch it back on again, which is probably what would happen, and the problem will be back. If it doesn't boot when switched back on, then the end user of said computer will request a replacement, which they should have done by now anyhow, and the problem will be solved.

Re:You want the best way? You got it. (1)

mspohr (589790) | about 4 months ago | (#46596563)

I don't understand what all the fuss is about. Windows XP has been infested with malware for years in spite of attempts to patch it up. I don't think the patches did much to improve security since the malware is winning. The lack of new patches shouldn't make much difference. It will still be infested with malware.
If you're concerned about security, you would have moved to something else a long time ago.

Must keep running XP (4, Interesting)

Anonymous Coward | about 4 months ago | (#46596159)

We have mission-critical software that must be run under XP. The software checks the OS somehow and reports Operating System Not Supported if we try to install it under Win7. It *does* run under Win7 in the XP virtual machine, however the software has a hardware security key that attaches to the parallel port, and the VM doesn't let it access the LPT at the low level it needs to (apparently) to recognize the key. It's XP for us for a while, damn the torpedoes.

Re:Must keep running XP (4, Insightful)

kthreadd (1558445) | about 4 months ago | (#46596203)

So what's your plan going forward? Will you use XP ten or twenty years from now? If not then you should start a migration now rather than later.

Re:Must keep running XP (0)

Anonymous Coward | about 4 months ago | (#46596385)

No. There are about a half dozen other issues complicating the situation that I don't feel like spelling out here, but I think they can all be solved by applying sufficient money and programming time. Unfortunately neither has been available up until this point, I'm hoping the growing publicity around the EOL of XP will help the cause. I know, I know, should have started a long time ago - not up to me. The other option is allow something to break irreparably at some point, and everyone will go into meltdown crisis mode. *Then* it'll get fixed. There is a newer version of the software that uses a USB security key, we need to move to that. However, big $$$$$$, and we have no other reason to do it. The EOL of XP probably will be a windfall to a lot of software companies.

Re:Must keep running XP (4, Insightful)

Collective 0-0009 (1294662) | about 4 months ago | (#46596479)

The other option is allow something to break irreparably at some point, and everyone will go into meltdown crisis mode. *Then* it'll get fixed.

You have to weigh the cost of doing it now vs. doing it then. If your company thinks "then" will be in 10 years, then don't bother now. But be prepared for the meltdown. Either way you have perfectly stated the case that you do not have to "Must keep running XP". You have made a risk-based assessment that it will be cheaper to continue running XP.

Re:Must keep running XP (0)

Anonymous Coward | about 4 months ago | (#46596393)

Crack the software - you already bought it. Dongles are for dummies.

Re:Must keep running XP (0)

Anonymous Coward | about 4 months ago | (#46596501)

Dongles and calling home are the only way to really make sure you only want the right people to use the software, especially when Iran is trying to get it, and make sure the programming office is well locked down and monitored 24/7; the Ruskies etc. are known for smash and grab to get software.

Re:Must keep running XP (1)

Sylak (1611137) | about 4 months ago | (#46596537)

That said this is 100% the case the Library of Congress said was okay to do as fair use last time they did a DMCA review.

Re:Must keep running XP (0)

Anonymous Coward | about 4 months ago | (#46596411)

Exactly this. The end of XP support isn't news, it was announced several years ago. There should have been plenty of time to migrate to newer software versions or find alternate solutions. I'm betting in most cases decision-makers have just been putting it off to not have to spend the money in the short term. Now they are stuck. So it goes...

Re: Must keep running XP (1)

cyber-vandal (148830) | about 4 months ago | (#46596801)

IT departments also have other things to do as well as doing a major upgrade to core systems that takes several months to do. Stuff that actually makes money for firms and therefore is far easier to justify.

Re:Must keep running XP (1)

I'm New Around Here (1154723) | about 4 months ago | (#46596427)

So what's your plan going forward? Will you use XP ten or twenty years from now?

They probably will, if there are motherboards that still support it.

Re:Must keep running XP (1)

Mashiki (184564) | about 4 months ago | (#46596495)

So what's your plan going forward? Will you use XP ten or twenty years from now?

Why not? We've still got mission critical systems that use fortran and cobol in use.

Re: Must keep running XP (0)

Anonymous Coward | about 4 months ago | (#46596571)

Yeah, but that software written for os/360 isn't running on os/360 any more.

Re:Must keep running XP (1)

JohnVanVliet (945577) | about 4 months ago | (#46596371)

That is some "bleeped up" software

Re:Must keep running XP (0)

Anonymous Coward | about 4 months ago | (#46596449)

Test it on ReactOS or WINE?

If the software vendor does not support Win7, hire a hacker to hack the dongle.

Re:Must keep running XP (1)

mark-t (151149) | about 4 months ago | (#46596647)

You better hope that either a) no remote exploits for XP get discovered after April 8th, or b) your systems do not need any kind of connection to the internet.

Certain types of infected computers which have an impact on network usage (zombies, in particular) can be detected by the ISP and disconnected from their network (and it is usually in their best interests to do so)

Re:Must keep running XP (0)

Anonymous Coward | about 4 months ago | (#46596659)

Consider a better VM system. I would expect VMware, in particular, to handle the parallel port well enough to let you continue using your system.

MSE (4, Informative)

theheff (894014) | about 4 months ago | (#46596167)

MSE will have definitions for a year after the EOL: http://blogs.technet.com/b/mmp... [technet.com]

The usual suspects (0)

bbroerman (715822) | about 4 months ago | (#46596179)

Load all patches, install a good antivirus, have a second or third one that you run occasionally manually (not all anti-virus packages get everything), use an updated chrome or Firefox browser. For Firefox, I'd suggest using noscript and web of trust as well. Keep Java in medium or high security mode, only go to reputable sites, and only enable JavaScript when needed.

Re:The usual suspects (1)

jones_supa (887896) | about 4 months ago | (#46596349)

I wouldn't bother with general web surfing using XP at all, when the support ends.

Re:The usual suspects (1)

Sylak (1611137) | about 4 months ago | (#46596553)

don't forget to make a disc image if you ever need to restore that machine

Is it really that costly? (2)

Collective 0-0009 (1294662) | about 4 months ago | (#46596189)

Other than your one embedded example, that I don't think pertains to the other 99% of computers you are discussing, I question that it is really that expensive to upgrade to Win 7... [aventissystems.com]

I realize there is more than hardware costs, but did you really expect your software to work for more than 10-15 years without needing an upgrade? Most people in this situation are there because they have deferred the (most likely needed) updates until now. And now they have an unusual number of computers to upgrade. My employer is squarely in this position.

Bite the bullet and upgrade. If you really want to stand firm against M$ or something, simply install any number of old-hardware-friendly linux distros. Knoppix is my current favorite.

Re:Is it really that costly? (0)

Anonymous Coward | about 4 months ago | (#46596429)

It can be that expensive. We have some large, high volume scanners that only work with XP because the drivers required to run the interface cards don't work on newer versions of Windows. The cost to upgrade is not just the cost of a new computer. It's the many hundreds of thousands of dollars per device that it would cost to upgrade the interface cards and scanners. We've already had to decommission two scanners because they only ran under DOS. All the hardware and software involved is proprietary.

Re:Is it really that costly? (0, Troll)

rudy_wayne (414635) | about 4 months ago | (#46596641)

but did you really expect your software to work for more than 10-15 years without needing an upgrade?

Why not? Automobiles can last for 20 years or more with little more than minor repairs and routine maintenance. Musicians routinely use instruments made in the 1950s or earlier. But for some reason, people have bought into the absurd idea that software is obsolete and unusable after a few years.

Re:Is it really that costly? (4, Insightful)

Collective 0-0009 (1294662) | about 4 months ago | (#46596767)

How much have roads changed in the last 20 years? Do we now drive on a surface completely unfathomable just 20 years ago? Have cars increased in power/efficiency by orders of magnitude? Did cars run for 20 years in 1914?

Did you know that my paper cup from my morning coffee is already soaked through and unusable? Why can't they make paper cups to last 20 years like a car?

My dog died last year. He was only 13. Why can't dogs simply live as long as humans?

Do you have any more stupid propositions?

Fixing a leak with tape (1)

Arith (708986) | about 4 months ago | (#46596211)

While what the article says is probably a good way to handle the EOL.. over time this is just going to get bad.
Ever image a machine to win98 and plug it in to the intertubes lately?
Yeah.

Re:Fixing a leak with tape (1)

0racle (667029) | about 4 months ago | (#46596363)

Are you saying that there aren't Windows 95/98/2000/older machines out there doing work? Because there are. This really is going to be a non-event.

xp (0)

Anonymous Coward | about 4 months ago | (#46596239)

Everyone that stays with an unsupported OS, whether it is Windows, Apple, or Linux, should be held LEGALLY RESPONSIBLE for all the "shit" they cause.

Now there are some needed instances that can be solved by running XP on a VM, just like the sometimes needed need to run RH9 on a VM or RHEL3 on a VM:

proprietary NEVER to be updated software

Microsoft ( Score: +5, Dicely ) (-1)

Anonymous Coward | about 4 months ago | (#46596249)

This is so obviously generated by Dice. This is old news.

"Most of us working in IT may know" ?

When has Microsoft supported its products?
.

Yours In z/vm
K. Trout

See no benefit? (2)

MikeRT (947531) | about 4 months ago | (#46596267)

> A lot of companies/users don't want to change because they see no additional benefit to do a costly upgrade, no reason to change a running system, and they may in some cases be right with their assumptions.

How about this one. All of your software options are better on 7 than XP. Firefox and Chrome are moving away from supporting it. Microsoft is moving away from supporting it too. You know what that means, Mr. Super Conservative Executive/IT guy? It means your threat vectors are now starting to approach "everything installed on this workstation" instead of just the OS.

Re: See no benefit? (0)

Anonymous Coward | about 4 months ago | (#46596599)

How 'bout this: box works. We are on a 5-year replacement cycle now at six due to budget issues. Didn't bite the dog called Vista. Budget cuts meant we didn't roll out Win 7 until 2011. So, given that every year's IT budget is less than the last, where do we find the cash?

Welcome to the public sector. No, I'm not in IT. Show me a competent public-sector IT employee, and I'll show you someone who could earn twice as much in the private sector.

One solution: Migrate (1)

spacefight (577141) | about 4 months ago | (#46596281)

Migrate your apps, fork the code, invest some cash. And next time, write up a long term strategy regarding how to live with well known product lifecycles.

Re:One solution: Migrate (1)

xushi (740195) | about 4 months ago | (#46596401)

Now if only the corporate companies can also do the same with the damn ticketing systems that insist on an old unpatched version of IE8, with an old version of Java6, where any change will break it.. :/

Re:One solution: Migrate (1)

spacefight (577141) | about 4 months ago | (#46596731)

OTRS to the rescue.

CloneZilla (2)

almitydave (2452422) | about 4 months ago | (#46596283)

I plan to clone my hard drive on April 8th and just restore from that backup whenever I get hacked. No fail in this plan!

In all seriousness, I've been gradually transitioning to Linux Mint as my primary OS, with XP as a dual-boot option (basically for games). I also have an XP VM running under Mint that I'll be able to use if I need XP and don't want to reboot. Everything's installed on a single 1TB platter drive so I really do have 2 cloned backups (on- and off-site) available.

I hadn't planned on getting a Windows OS after XP due to draconian DRM, although I haven't had a problem with XP licensing since I bought it retail in '04; I'm considering getting Win7+SSD since that's what I have at work and it's actually quite nice. That being said, most of the programs I use are cross-platform FOSS, so it's not a strong need (notable exceptions are rFactor and Visual Studio).

Re:CloneZilla (1)

spads (1095039) | about 4 months ago | (#46596513)

I'm mainly concerned with Java and Adobe/Flash updates, which I believe I should still get. I'll give it a try for a while and if I run into trouble I'll probably go to Linux and possibly wait for a better, new Windows release to come out. F- 8, and 7 is halfway in the ground itself.

My main concern was using my personal desktop to connect to my work VPN, which I prefer to the company laptop. They (Fortune "mongo") screen your hardware for eligibility, but I was surprised to recently learn that they won't curtail access for XP users. As long as that persists, I'm gonna let er ride!

Btw, that's a good idea what almity said about saving an image. That way you can reinstall with all the final updates. I think this should be fairly practical (???) since I finally wised up and moved all my user data off my main drive. WE SHALL SEE!!! :)

Re:CloneZilla (1)

Threni (635302) | about 4 months ago | (#46596681)

> I plan to clone my hard drive on April 8th and just restore from that backup
> whenever I get hacked. No fail in this plan!

That's actually quite a good plan, with just one small change; replace "get hacked" with "boot".

Install "common sense antivirus" (5, Informative)

Jody Bruchon (3404363) | about 4 months ago | (#46596287)

Use Firefox. Keep the biggest attack vectors up to date (Adobe stuff in particular). Get rid of Java entirely unless you desperately need it; in that case, keep it up to date religiously. Use Adblock Plus (or equivalent) to block ads which sometimes carry malicious code. Don't do stupid things online. Don't run executables unless you absolutely know they're safe. Don't install pirated software since pirated software sometimes comes with lovely surprise infections. Use a limited user account for your daily activities and an administrator account only for maintenance tasks or to run software that won't work under the limited account. Always use a NAT router between the computer and the Internet, and don't run any open wireless network with that PC attached.

It's largely just a matter of (A) don't do obviously dumb things and (B) don't run everything as an administrator in the first place. Remember that antivirus and security software is a final line of defense; everything else is basically a problem with the user's behavior or knowledge, and if you are careful and follow good security practices in the first place, you aren't at any significantly greater risk than you are now.

One more thing: if someone really wants to break in, they will. XP or 7 or 8 or 8.1 and all the updates in the world won't matter in such a case, so my final piece of advice: don't piss anyone off that might want to come after you.

Re:Install "common sense antivirus" (1)

Threni (635302) | about 4 months ago | (#46596567)

> Get rid of Java entirely unless you desperately need it; in that case, keep it up to
> date religiously

Three - sorry now four - updates a year, so that's not going to be hard.

Re:Install "common sense antivirus" (0)

Anonymous Coward | about 4 months ago | (#46596605)

Configure an IDS and firewall. Learn how it works deeply, not just the "automatic stuff" and then spend your days watching new vulnerabilities. Any new vulnerability should be checked against Windows XP as most people will no longer be checking and XP may still be vulnerable. Be prepared to use the IDS/firewall to block attack signatures that current technologies have immunity to. Be prepared to convert these highly specialized machines to embedded systems (e.g. include the firewall and IDS as part of the embedded system).

you can do better than that (4, Interesting)

dirtyhippie (259852) | about 4 months ago | (#46596631)

don't use firefox. don't use any browser at all. if you need a browser, you need windows 7. sorry to burst your bubble, but anything else is going to be dangerous. you should be getting rid of any potential vector for badness (any software, particularly software that is known to touch the internet) altogether.

Re:you can do better than that (2)

Jody Bruchon (3404363) | about 4 months ago | (#46596721)

"Any potential vector for badness" includes all software that exists.

I've done my part (1)

viperidaenz (2515578) | about 4 months ago | (#46596307)

10 year old laptop now runs Lubuntu and 5 year old desktop "server" is going in the trash, replaced by an ARM SBC running Debian.

"Installing the latest security patches" (1)

xushi (740195) | about 4 months ago | (#46596319)

Hell can you even still do that?

I've been having nothing but hell with a broken updater on all my VMs.. Either it takes 100% CPU usage non stop, or completely fails and immediately fails every update.. Every workaround in the book didn't fix that either.

Luckily I only use the VMs for testing at work.. happy to dump them and get back to my non MS OSes...

Re:"Installing the latest security patches" (1)

jandrese (485) | about 4 months ago | (#46596469)

Leave it be. Amazingly enough, Microsoft's patching system is insanely inefficient and having it require 100% of the CPU for an hour or more to determine which patches to install is normal. It's apparently a flaw in the way the patches work that makes it take an amount of time equivalent to the exponent of the number of patches installed. Since there are a lot of patches now, that can be a very long time. Microsoft has a fix for this, but you'll have to wait through at least one incredibly slow patch cycle for it to get installed.

reference [arstechnica.com]

Re:"Installing the latest security patches" (1)

Jody Bruchon (3404363) | about 4 months ago | (#46596739)

I understood that all the updates have standalone installers; couldn't you install the standalone for the WUAU fix and THEN run all the other updates?

administrator accounts (0)

Anonymous Coward | about 4 months ago | (#46596333)

One tip I keep seeing is not to log in as an administrator if you don't need to. Using a regular user account is fine for most uses. From what I understand, malware needs administrator access to copy files and send data to remote servers. I might be wrong. Also, keep anti-virus software updated.

only downside to using Windows XP is that some games and new software for home users won't run under XP

As a Web Developer (1)

Anonymous Coward | about 4 months ago | (#46596343)

I already have a day off scheduled for the 9th. I will get black out wasted drunk.

missing the point... (0)

Anonymous Coward | about 4 months ago | (#46596359)

"A lot of companies/users don't want to change because they see no additional benefit to do a costly upgrade, no reason to change a running system".

Sigh, organizations with this mentality still view IT departments as an expense instead of a strategic partner...

Take 'em offline (5, Insightful)

browndizzle (2709539) | about 4 months ago | (#46596367)

For many of my clients that run milling machines that still run XP, I am just making sure that they are not connected any longer. In that scenario, continuing XP is sensible and cost effective, with little to no risk. I'm sure most of the IT world is going to see the flare up of exploits that people have been hanging on to waiting for MS to no longer be willing to patch. Any one of my other clients - law firms, nonprofits etc. - I am forcing the upgrade. No need to be so tied to such a clunky and difficult to recover OS anymore. Embrace the already 4 year old future, get on the update bandwagon and move on. None of my clients are seeing this as the end of the world like the media and others are describing it.

Relatively safe (4, Informative)

JBMcB (73720) | about 4 months ago | (#46596419)

There hasn't been a root exploit in XP for a couple of years now, which means if you are running as a user and not root, and you know what you are doing, XP should be fairly safe.

1. Run as a regular user and only elevate permissions when you need to
2. Make sure your directory permissions are locked down properly (there are guides to help you do this)
3. Turn off all unnecessary services
4. Run a 3rd party antivirus app - BitDefender Free is excellent
5. Regularly run rootkit detectors and a second on-demand scanner (I use Trend Micro)
6. Don't use IE, use Firefox with NoScript turned on
7. Don't use Flash, Adobe Reader or Java. Use Sumatra PDF for PDF viewing.

I keep a VM of XP around for running some old apps and reading my junk email account. I've been sent viruses and all sorts of junkware, and running the above config is pretty impervious to anything thrown at me. I can revert the image to its original state if something bad happens, and I've yet to have to do that.

This is a small shop question. (0)

Anonymous Coward | about 4 months ago | (#46596421)

> So what is the best way to secure this remaining Windows XP systems?

At a large company you pay MS for an extended service contract and life goes on as usual. It isn't like all the ATMs will never get patched again after April.

Don't Use . . . (0)

Anonymous Coward | about 4 months ago | (#46596423)

Don't use IE or Word/Office. That covers most of the exploits.

Embedded XP is going to be here for a long time (1)

jandrese (485) | about 4 months ago | (#46596435)

We were scouring the lab here and noticed that our traffic generator had an embedded OS and it was of course XP. It took a LOT of back and forth with the vendor (whom we pay a big fat support contract to each year) to get a Win 7 disc. Apparently they don't have a plan for XP migration because they don't want to buy a ton of new license keys. This is a problem for people who cannot have unpatched systems on the network. Technically the embedded edition is not going EOL yet, but we have concerns about Microsoft keeping the patches flowing when the majority of the installs are no longer supported. The last thing we want is someone using one of our own network appliances as an attack vector. The printers are bad enough (they had to be VLANed--no way to properly secure them), but some of the other stuff requires real network access.

2014 (0)

Anonymous Coward | about 4 months ago | (#46596457)

Year of the linux desktop

Windows SteadyState (4, Informative)

benjymouse (756774) | about 4 months ago | (#46596493)

Windows SteadyState [cnet.com] from Microsoft is available for Windows XP.

SteadyState virtualizes the OS directories transparently on the disk. File writes/updates are directed to a secluded area. You can set it to simply delete those journaled updates upon restart/signoff. Any malware will be effectively gone. Windows Update would still be possible when signing in as the SteadyState administrator (creating an updated image), but that's kind of moot at this point.

Re:Windows SteadyState (1)

Krishnoid (984597) | about 4 months ago | (#46596621)

> File writes/updates are directed to a secluded area.

But what if the malware directly modifies disk sectors? Is there malware that can attack in this way?

Simple fix: Air gap. (1)

thevirtualcat (1071504) | about 4 months ago | (#46596535)

That's what's going to happen to all the XP machines (that haven't been air gapped already) where I work.

Most of the XP holdouts are lab equipment. (Oscilloscopes, Arbitrary Waveform Generators and the like.) They were already air gapped, anyway.

There are a few machines that run old development tools needed for production. (As in factory, not web services.) They will be left connected long enough to catch the last batch of updates, then relegated to USB storage and optical media for data transfer. (With sensible precautions, like disabling autorun, of course.)

Fortunately, those projects will not be around forever and will slowly be replaced with newer versions that run on Windows 7 and/or Ubuntu 12.04. (Maybe 14.04.)

Next on the todo list, Ubuntu Server 10.04. Its number is up soon, and that one will be a lot more obnoxious to get rid of than XP was.

Re:Simple fix: Air gap. (0)

cognoscentus (1628459) | about 4 months ago | (#46596759)

Of course, an air gap isn't enough to defeat all malware:

http://arstechnica.com/securit... [arstechnica.com]

I guess if they have no speakers and the internal beeper is disabled, the black hats will have to find another covert channel, though. Watch out for steganographic TCP/IP-over-Oscilloscope.

Block 'em all (1)

Amorymeltzer (1213818) | about 4 months ago | (#46596575)

I work in a lab in a large research university, and they are taking it very seriously. All of our lab machines are being swapped out for Windows 7 - a non-trivial task given some of the individual software for certain lab machines is... clunky at best. Any computer that must stay running XP (because the instrument's software requires it) will be removed from the network. Personally, I only run XP (for said lab purposes) in VirtualBox, completely cut off from the web. There has even been serious discussion amongst school administrators to proactively block any machine running XP from even connecting to the school's network. Drastic, perhaps, but I can understand it from their point of view.
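Several comments above come down to finding the machines that still run XP before isolating or blocking them. The following is an added example, not part of the thread: it scans web proxy logs for the `Windows NT 5.1`/`5.2` token that XP-era browsers put in their User-Agent. The log layout, addresses and sample lines are assumptions constructed for illustration.

```python
"""Inventory clients that still identify as Windows XP in web proxy logs.

Assumed (not from the thread): a combined-log-style proxy log whose first
field is the client IP and whose last quoted field is the User-Agent.
The User-Agent is client-supplied, so a hit is a lead to verify, not proof.
"""
import re
from collections import defaultdict

# NT 5.1 = Windows XP (32-bit); NT 5.2 = XP x64 and Server 2003.
XP_TOKEN = re.compile(r"Windows NT 5\.[12]\b")
NT_TOKEN = re.compile(r"Windows NT (\d+\.\d+)")

# client_ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample data (RFC 1918 addresses, reserved .test domain).
SAMPLE_LOG = """\
10.0.5.21 - - [08/Apr/2014:09:12:01 +0000] "GET http://example.test/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.5.21 - - [08/Apr/2014:09:15:40 +0000] "GET http://example.test/a HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.5.34 - - [08/Apr/2014:09:16:02 +0000] "GET http://example.test/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
10.0.7.2 - - [08/Apr/2014:09:20:11 +0000] "GET http://example.test/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"
10.0.7.2 - - [08/Apr/2014:09:21:30 +0000] "GET http://example.test/b HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
10.0.9.9 - - [08/Apr/2014:09:22:00 +0000] "GET http://example.test/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
malformed line with no fields
10.0.8.15 - - [08/Apr/2014:09:30:45 +0000] "GET http://example.test/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.2; Win64; x64; rv:28.0) Gecko/20100101 Firefox/28.0"
"""


def find_xp_clients(lines):
    """Return (report, skipped): per-IP XP evidence and count of unparsable lines."""
    seen = defaultdict(
        lambda: {"xp_hits": 0, "other_nt": set(), "first": None, "last": None}
    )
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m is None:
            skipped += 1  # keep a count so silent parse failures are visible
            continue
        entry = seen[m.group("ip")]
        ua = m.group("ua")
        if XP_TOKEN.search(ua):
            entry["xp_hits"] += 1
            entry["first"] = entry["first"] or m.group("ts")
            entry["last"] = m.group("ts")
        else:
            nt = NT_TOKEN.search(ua)
            if nt:
                entry["other_nt"].add(nt.group(1))
    report = {}
    for ip, e in seen.items():
        if e["xp_hits"]:
            report[ip] = {
                "xp_hits": e["xp_hits"],
                "first_seen": e["first"],
                "last_seen": e["last"],
                # Other Windows versions behind the same IP suggest NAT, a
                # dual-boot box or a VM host: check before blocking the address.
                "shared_address": bool(e["other_nt"]),
            }
    return report, skipped


if __name__ == "__main__":
    report, skipped = find_xp_clients(SAMPLE_LOG.splitlines())
    for ip, info in sorted(report.items()):
        print(ip, info)
    print("unparsable lines:", skipped)
```

Air-gapped machines never appear in proxy logs, so this only covers XP systems that still browse through the proxy.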

It's all the lifecycle.... (0)

Anonymous Coward | about 4 months ago | (#46596577)

A vast majority of people have moved away from XP due to the natural IT lifecycle - hardware breaking and replacement machines coming with newer operating systems and newer versions of software only working on Vista/7/8. Even Vista is starting to show its age with Microsoft's decision not to let Office 2013 support Vista - so that's a lot of your customer base etc already sorted.

There's always going to be an "overlap", as such, there's no real way of convincing people off something they see no benefit in replacing - the same reason why people drive battered old cars. If it works, why replace it...? The natural lifecycle will denote these products, like anything else, will be replaced when the owner deems them fit to be replaced - when they're not fit for purpose any more.

A lot of people have been chastising MS for their decision not to support XP anymore, which they are well within their rights to withdraw support for a product now >13 years old. Shouldn't some of the blame for XP's continual use be shifted onto the third party software developers who kept XP support in their products going for such a long time?

Zero budget. You can't be helped .. yet. (2)

Sloppy (14984) | about 4 months ago | (#46596717)

> they see no additional benefit to do a costly upgrade, no reason to change a running system .. So what is the best way to secure this remaining Windows XP systems?

Don't. Don't secure it. Just let the chips fall where they may. Failure is an option, and you've presented things such that it's the best option.

Before you reply with "that's crazy" (or "that's lazy") let me remind you that there's "no .. benefit" to being more secure, and "no reason" to worry about the consequences. The submission has already stated that solving the security problem has zero value. So why are you working on it? Just let it go. Security is a don't-care condition. Every hour spent on it is an hour wasted for no benefit.

If you change your mind about it being a don't-care condition, then you open the door to upgrading to a maintainable OS. But you can't do that, until you decide that upgrading does have benefits, and there is reason to change a running system.

So .. have you changed your mind? Are you still sure there's no benefit to an upgrade and no reason to change a running system? Or have you realized that's TOTALLY FUCKING ABSURD yet? Because I think once you realize that it's TOTALLY FUCKING ABSURD then you're going to see some options appear.

Why I am still using XP (0)

Anonymous Coward | about 4 months ago | (#46596723)

Why am I, a software developer, still using XP on my primary workstation? The only realistic upgrade path is to purchase a new computer.

In-place upgrade of XP->Win7 is not reliable, if it works at all. And the licensing DRM on all software I use will ensure that it is impossible even if Microsoft made it easy to upgrade. So every time this comes up, I look at all the software I have to manually delicense and relicense (assuming the software even allows that), or purchase upgrades since it doesn't fully work under Win7, and I say fuck it. Days of time and $$$ for absolutely no real benefit. As I've gotten older, my increasingly rare downtime has become far too precious for this bullshit.

So why don't I just buy a new machine? Circumstances (a blown motherboard) forced me to upgrade my current workstation a couple years ago without upgrading the OS and apps (needed to get back working asap). So I have a modern machine running XP which should last me for a few more years.

Stockin' up (1)

Tablizer (95088) | about 4 months ago | (#46596787)

Twinkies, tents, double-barrel'er, and water jugs
