
Microsoft risks security reputation ruin by retiring XP - ytNumbers
http://www.computerworld.com/s/article/9246837/Perspective_Microsoft_risks_security_reputation_ruin_by_retiring_XP
======
pwthornton
I will not blame MS for moving on. If people don't want to upgrade, that's
their problem. I am a little concerned, however, that so many POS systems
still use XP. I just saw one yesterday at the hardware store I went to. When
will they upgrade?

I don't know how much this will hurt MS with its core users. XP is largely
kept alive by users in the East, not the West, and by businesses. The
businesses will either pay for additional security or upgrade, and many of the
users in Eastern countries don't pay for XP as it is, so what exactly is MS
risking here?

MS needs to move on. There is no money in continuing to support a 13-year-old
OS. You could argue that MS should make available paid support and security
updates, but even OSes like Red Hat aren't kept going for 13 years. I just
don't get the outrage here.

~~~
cwyers
I wouldn't worry much about POS systems, they have a very small attack
surface, given their limited exposure to the Internet.

~~~
ceejayoz
Target found that "very small attack surface" isn't the same as "secure".

~~~
cwyers
Target was hacked because they were flagrantly ignoring basic security
procedures, like "making your POS systems available on the same network you
use for everything else." [1]

Blaming the Target break-in on the OS security is like having unprotected sex
in the back of a Buick, and blaming GM for the STD you contracted because it
would've happened if the car hadn't had such a roomy backseat.

[1]
[http://www.computerworld.com/s/article/9246074/Target_breach...](http://www.computerworld.com/s/article/9246074/Target_breach_happened_because_of_a_basic_network_segmentation_error)

------
herf
The PC industry would sell a ton more computers if Microsoft solved the
upgrade problem. Why do you keep a computer for 5 years? Only because it hurts
too much to upgrade, and no way is this solely about the cost.

XP was able to upgrade to Vista, but nobody did.

XP could not upgrade to Windows 7, so nobody did. Microsoft advertises third-
party migration tools, rather than owning this problem and building out of it.
They've had years to get it right.

And yes, the cost in reality is not just an OS upgrade. It's sometimes a new
machine, and also $300 for Office and peripherals without updated drivers.

But it is _mostly_ convenience: preserving apps, preferences, and licenses is
important to regular people. It also isn't that hard, because they did the
work for migrating XP to 32-bit Vista.

I've been consistently amazed that my Mac has updated from version to version
perfectly, even 32-to-64. Windows has been a disaster every time.

Preserve people's state, preserve their data, and they will buy your software.

~~~
clarry
Another reason for people keeping their computer & OS for five or more years
is that it might have just worked for them. So there was no pressing need to
upgrade.

~~~
Corrado
Yes there was a pressing need to upgrade, they just didn't see it. There is a
reason that competent computer support departments don't let software installs
get old/stale. Eventually, that software that you depend on is going to become
obsolete and you are going to wish that you had kept up with the updates.

Just because you _can_ run your business on a DEC VAX from 1986 doesn't mean
that you _should_!

------
cwyers
The article hints at a big reason for retiring XP support, but doesn't get
right at it:

"After April [2014], when we release monthly security updates for supported
versions of Windows, attackers will try and reverse engineer them to identify
any vulnerabilities that also exist in Windows XP," said Tim Rains, director
of Microsoft's Trustworthy Computing group. "If they succeed, attackers will
have the capability to develop exploit code to take advantage of them."

Right now, the cadence of security updates to Vista/7/8/Windows Server
2003/Windows Server 2008/Windows Server 2012 is tied to how quickly those
updates can be backported and tested for Windows XP, because as soon as those
patches are released for any Windows operating system, attackers can use them
to create exploits for those vulnerabilities and backport those exploits to XP
(which they can do faster and with fewer resources than Microsoft can backport
patches, because exploits have a much smaller test suite to ensure they don't
break systems, i.e., they don't have such a test suite at all).

Continuing to support XP degrades the ability to support newer operating
systems that haven't gotten an extension on their end of life, and at this
point it's pretty clear that people still using XP aren't taking advantage of
postponing its EOL to do anything but keep using XP. Something's got to give.

------
zapman449
I call bs. I'm certain there will be a large scale problem with XP. However,
that won't ruin the reputation of MS, but rather the company still using it.

~~~
AldousHaxley
Right? I don't get the mindset of Microsoft having to support an antiquated
product line over a decade past its expiration date because a few business IT
customers are incompetent at writing client software and keeping their systems
up to date. It's not like all of this is coming out from nowhere.

------
heydenberk
There's some conjecture — well-founded, I assume — that a trove of zero-day
exploits have been saved up for years in anticipation of the day Microsoft
retires XP. Considering its install base in government, military and business
institutions, the day that XP gets retired there will be a flood of attacks
using these exploits. So we'll either face a sustained onslaught of
cyberterrorism and/or cyber-counterterrorism (the NSA's interest in zero-days
is well-known) or Microsoft will have to reverse its policy. Should be
interesting in either case.

~~~
Shish2k
> So we'll either face a sustained onslaught of cyberterrorism or Microsoft
> will have to reverse its policy

... or the people who are still using XP could upgrade?

(Also I want a pony)

~~~
keithpeter
They should upgrade, you are perfectly correct.

But suppose that you are the manager of an organisation with just over 1
million PCs running XP, and those PCs are used to access _hundreds_ of
applications that are only guaranteed/certified to work with XP[1]. What do
you do?

At present, you pay at least $200 for _each one_ of those PCs. And the
associated servers. Let us just say some in Whitehall do not like having to
pay that kind of money for updates that Microsoft is _already committed_ to
provide for XP Embedded customers. The result[2] _may_ be an interesting
change in attitude towards Microsoft in government circles.

[1]
[http://www.bcs.org/content/conWebDoc/51393](http://www.bcs.org/content/conWebDoc/51393)

[2] [http://www.theguardian.com/technology/2014/jan/29/uk-governm...](http://www.theguardian.com/technology/2014/jan/29/uk-government-plans-switch-to-open-source-from-microsoft-office-suite)

That could be some pony :-)

~~~
bradyd
>But suppose that you are the manager of an organisation with just over 1
million PCs running XP, and those PCs are used to access hundreds of
applications that are only guaranteed/certified to work with XP.

Then you've had years to figure out a solution to this. It's not like there
haven't been 3 OS releases since then (Vista came out 7 years ago). Microsoft
has offered extended (paid) support for their end of life products in the
past, so this is nothing new.

~~~
keithpeter
Agreed it is nothing new, and agreed the situation _should_ have been managed
better. Nevertheless, here we are, and the need to pay £200,000,000 to
Microsoft for updates that they have to provide for XP Embedded anyway is
going to have a negative effect, shall we say. As the OA was explaining, this
is all about perceptions.

------
Spooky23
I hear the frustration and "just move on" attitude among the crowd here. But
I'm in a position of supporting over 100k PCs, about 20% of which are on XP.

I place blame squarely on Microsoft here. This is a problem of their making, and
they are dumping customers out in the cold at a time where it is really dumb
for them to do so.

First, consider the train wreck that has been Microsoft's strategy over the
last decade. Many of my customers were well funded and eager to keep modern
equipment out in the field. Problem is, the internet happened, and Microsoft
decided at one point to stop developing IE and party like it was 1989 with
client/server apps. So when Vista came around, we couldn't upgrade because IE6
wouldn't run in a supported configuration. Microsoft's bungling of 64-bit
support even breaks older printers!

Then the financial crisis came around, followed by the iPad revolution. That
dried up budgets (my PC replacement budget dropped 85%) and drove early
adopter users to tablets.

Microsoft followed up with lots of fail: IE version weirdness, divergence from
the old policies re: app compatibility, etc. We have a couple of small legacy
apps written for Windows 3.1.1 that work great on Windows 7, but MANY
applications written for XP don't work due to a myriad of reasons. It's a real
problem, and my employer has invested 3 years and millions of dollars to
resolve.

And guess what? We are for the first time at a crossroads where we have
choices re: end user computing. And in many cases, we're choosing non-Microsoft
platforms, since we need to rewrite apps anyway. I can deliver and run an iPad
for mobile users for 1/3-1/2 the cost of a laptop -- and the users LOVE them.
We'll be buying thousands of iPads and Galaxy Tabs!

So I hope Microsoft saves a lot of money by cutting off XP. They will
certainly see a lot less revenue from us in the future.

~~~
pixl97
A long time ago some crazy open source guys said stuff like "Be wary of
building your entire infrastructure on Microsoft's solutions". You shouldn't
have given them so much money back then!

The chickens have finally come home to roost it seems.

Your problems are not Microsoft's fault. Your problems are that your business
did not have any foresight. At the time computers were changing drastically
every few years, and yet you thought you'd be able to run them and the
software on them forever. You bought crappy printers with no demands that the
manufacturers support future operating systems on them. Your business's
problems are that they gave the CEOs 50 million dollar golden parachutes and did
not keep infrastructure up to date. Your business's problems are bad software
design paradigms.

~~~
Spooky23
It's easy to give people grief and say "I told you so" without any context.

What are the alternatives? Who would have made the call to sole-source all
computers and buy Macs in 2002? Other than Munich, who is operating broad-
scale Linux desktop environments?

I'm not whining about it, my organization is dealing with it just fine. But
Microsoft should be handling it in a way that is less painful, because they
are going to lose a lot of business. They are forgetting that 2014 isn't 2004.

------
ceejayoz
As someone itching to use SNI for SSL certificates, I'm all for discontinuing
a thirteen-year-old consumer operating system.

Anyone who hasn't updated yet isn't going to update until they get cut off
from patches. Time to do so.

~~~
badsock
Even then, there's still Android 2.x, currently 1/4 of the Android population.
Though it's a safe bet that WinXP will be the more tenacious of the two.

~~~
ceejayoz
Yeah, I figure the short lifespan of mobile devices works in our favour there.

------
Zigurd
Derrrr. The headline would be "Microsoft risks security reputation ruin by
failing to retire XP" if they didn't.

~~~
devx
How exactly? They've already kept it for 13 years. What's the argument for not
continuing to fix its bugs for another 5 years, from a security point of view,
and not a "Microsoft's profits" point of view? It's not about keeping selling
it, but about supporting the people who already use it.

~~~
c0nfused
You could argue the same about any old piece of software. The thing is that
people working on xp cost money, they cost time. Both of those could be spent
doing something that makes Microsoft money or at least advances a product that
is not 3 OS releases back. This is a pretty simple choice for Microsoft's
side.

Supporting people who run a 13-year-old 32-bit desktop OS is a money losing
proposition all the way around for Microsoft at this point, both in lost time
and in lost sales of later versions of Windows.

The thing is that Microsoft's profits are what matters here. It is their
product.

As a developer, I actually loathe XP, simply because it's another platform I
should test things on before I can consider it working. Generally, the users
running it are doing so because of 2 things: lock in by a different vendor or
a total lack of IT budget. Either of those things is just asking for trouble,
so when a client starts to ask about XP support I start to get worried about
the bigger picture.

To put it another way, would you want to write extra code and run extra tests
to support Windows 98 today? What about Windows 95? 3.1?

I really don't.

~~~
keithpeter
_" The thing is that people working on xp cost money, they cost time. Both of
those could be spent doing something that makes Microsoft money or at least
advances a product that is not 3 OS releases back."_

True, but those people are needed to continue to support XP Embedded. So
_some_ of the work is being done...

Note: I'm not hankering after running XP, but I am realistic about the effect
of the $200 per screen annual tax on mega-corp computers. That _isn't_ going
to win friends and influence decision makers, let's just say.

------
mburst
How does 30% of 488 million = 278 million?

In any case XP is way past its lifetime. I can only imagine how the
developers must feel working on a code base that is 13 years old.

~~~
furtivefelon
488-300+300*.3

~~~
mburst
Ah that makes sense now. Had to reread it a few times to get it

------
justinreeves
More like companies still running XP risk security reputation. How long should
MS be expected to support that OS? They've already postponed the retirement at
least once to give people more time to upgrade.

------
DanBC
There must be a nice niche finding the software that prevents people from
upgrading and then providing data liberation tools or better new software.

Because that is the only rational reason to not upgrade, right?

~~~
pixl97
On an individual basis, it doesn't make sense for a single user to upgrade
until the point that the old computer needs to be totally replaced. The cost of
upgrading is higher than the value of the computer.

In business the cost of the applications and data is many hundreds if not
thousands of times more expensive than the computer systems.

A recent example of my own is a vet clinic with an older digital x-ray machine.
I asked what it would take to upgrade the machine to Windows 7. Around $50,000
was their answer. They had to replace all the hardware and software. There was
no 'upgrade' path.

~~~
DanBC
Yes, there's no official upgrade path.

That's where the niche is. The x-ray machine (I assume) still works well. "All"
they need is Win 7 software to run it, and to display the x-rays, and to
display the existing x-rays.

For x-ray machines the niche is too risky and expensive to exploit but there's
a bunch of similar industrial equipment that could have simpler software
rewrites.

------
pwthornton
I wonder how much Apple's decision to make OS X upgrades free will put
additional pressure on Microsoft. I consider OS X less enterprise ready, but
Apple has made huge strides there. Apple clearly has less interest in keeping
OSes updated long term (10.6 is being EOL soon), but the free upgrades solve
part of that issue.

So, will companies be willing to trade Apple's lack of commitment to
maintaining a version of the OS long term like MS for free upgrades? Keep in
mind that OS X upgrades tend to work fairly smoothly, and some of the OS
upgrade issues that Windows faces have not impacted OS X.

Add in the increasing pressure from Linux distros that work well for specific
uses, and MS is in a bind with trying to sell expensive OS upgrades. I wonder
if this will cause MS to move more into the hardware business, where you can
make money off of the whole package.

Of course, if you really like Windows, maybe you'll need to pay for the OS
more than once a decade.

------
norswap
I doubt people would really blame getting hit by security-flaw exploits on
Microsoft. Many people are already getting hit by malware, and they couldn't
tell the difference between malware that they installed themselves and malware
that exploited a security flaw.

~~~
devx
You're kidding. Microsoft has always been blamed for Windows being an insecure
operating system that "gets viruses". The fact that there's a multi-billion
dollar anti-virus industry for Windows, because people pay for it because they
_know_ they are vulnerable on Windows, should confirm that.

------
jessaustin
It has to happen sometime, so I won't quibble about now versus two years from
now or whatever. I appreciate that web developers are happy about the end of
IE8 support.

However, the various SMBs with which I'm familiar seem unlikely to replace
their dusty collections of antique XP boxes with brand-new 8.1s. I predict
they'll buy used Win7 machines where they must for BSS compatibility, but in
general will move to Chromebooks and web apps. I don't know that MS could have
stopped this transition, but they may have hastened it with actions like this.
Then again, how much money did they ever really make from a business running
15 XP boxes in 2014?

------
jessaustin
_The company could bolster its position by revealing the percentage of PCs
running XP that access Windows Update, a telemetric mark it has declined to
disclose, to show how prevalent XP really is, rather than make the media and
customers rely on estimates from the likes of Net Applications._

Why is this metric secret? Does MS want to conceal this from competitors,
blackhats, consumers, or some other party?

------
kelvin0
Maybe they should open source XP? Of course that would probably never happen,
but would be quite 'philanthropic' of Sire Gates ....

~~~
justincormack
That would find the hacks faster.

~~~
clarry
Not necessarily.

But it would definitely make patching and improving the thing easier.

------
badman_ting
This thing is a weight on the entire technology world. Stop bitching and move
on.

~~~
Pacabel
If it were that simple, it would have happened already.

There are still a lot of businesses that, unfortunately, depend very heavily
on Windows XP for their ongoing operation. The cost associated with switching
may far, far exceed any benefit it could bring.

We aren't talking about a couple of Ruby on Rails developers sitting in a cafe
using MacBooks. We're talking about global organizations with tens of
thousands, if not hundreds of thousands, of computers. We're talking about
applications that will only run properly on Windows XP. We're talking about
astronomical costs that will bring only comparatively minor gain. That's the
kind of situation that does not lead to change.

~~~
ceejayoz
They've had a decade to plan and implement upgrades.

~~~
Pacabel
It's the ratio between the costs and the benefits that matters, not how long
people have had the option of moving away from Windows XP.

------
gmuslera
Microsoft had a security reputation to ruin? Ruining it would be a bad thing?

~~~
ceejayoz
Microsoft has made a lot of headway in the security realm, and deserves some
credit there.

~~~
kelvin0
True dat

