
Government computers running Windows XP will be vulnerable after April 8 - danso
http://www.washingtonpost.com/business/technology/government-computers-running-windows-xp-will-be-vulnerable-to-hackers-after-april-8/2014/03/16/9a9c8c7c-a553-11e3-a5fa-55f0c77bf39c_story.html?hpid=z5
======
JohnTHaller
1. All computers running Windows XP will be vulnerable after April 8th

2. Everyone has known about this for more than 6 years.

3. Microsoft already extended it once.

4. To the person who said this: "For all the money we collectively give
Microsoft, they were not too receptive to extending the deadline. There was
some grumbling that they were not willing to extend." ... A) See 1 through 3.
B) You suck at your job.

~~~
djKianoosh
I laugh-cringed at #4 when I read it in the article. I find it totally
plausible for someone in the government to really say/believe this. It's
pathetic, but I fear it's common enough in executive positions for some
reason.

Tangentially, this is why in every project I've been at I always push for
upgrading to the latest browser. Initially there is some resistance, but once
in a while you meet with a gov manager who has some pull and will push back
on IT. That's been the case at CBP. A year ago we were all supporting IE8 and
cursing every minute of it. Now we're happily developing to IE11 and latest
FF. Sadly it takes an adamant developer to push repeatedly for this when it
should be IT itself forcing users and all developers to upgrade, if for
nothing else than plain old security. I think they're "getting it" now
though...

------
djKianoosh
I've been a contractor at several DHS projects over the years, and believe me,
the problem is not technical; it rarely is in the government. It's not even
political most of the time. It's just bad management and, mainly, poor
planning. Most everyone in IT roles knows keeping around XP and old IE/Outlook
is bad. They really do (or maybe I'm way too optimistic)...

------
ChuckMcM
The more interesting lapse will be that all those bank ATMs that run XP will
also be vulnerable. Presumably some folks are saving their bestest zero day
for April 9th. That said, it's an effect that software has that isn't well
managed yet. Companies go out of business all the time and their software
which is running control processes or lumber mills or what have you stops
being supported. Basically the costs get paid in bulk a bit later as the computer
is taken offline and the operation halted while a replacement is developed.
It's going to be a very 21st century sort of phenomenon. Computers with out of
date software that touched everyone really only became ubiquitous around the
turn of the century.

~~~
fpgeek
My understanding is that bank ATMs aren't on Windows XP proper, they're on
Windows XP Embedded. According to this document:

[https://www.microsoft.com/windowsembedded/en-us/product-lifecycles.aspx](https://www.microsoft.com/windowsembedded/en-us/product-lifecycles.aspx)

The equivalent end-of-support date for XP Embedded appears to be January 12,
2016 (though I don't understand the end-of-license date about a year later).
And I'd have to think that banks using XP Embedded for ATMs would be
extremely likely to pay for ongoing security fixes if they still depended on
it in 2016.

------
bananas
This is expected. Here in the UK, the National Health Service is rapidly
moving away from it. When I say rapidly, a friend of mine who is an HP
reseller is deploying 750 workstations a week at the moment with Windows 7 on.

The big chunk of pain though is really Windows Server 2003, which is EOL July
2015. People seem to have missed that one coming!

------
danso
> _The need to update computer operating systems has come at a time of major
> new investment in cybersecurity, including the creation of the new military
> U.S. Cyber Command, based at Fort Meade. But the unglamorous work of
> updating operating systems was a lower priority than buying expensive, high-
> tech systems to monitor and rebuff cyberattacks, critics said._

 _“Nobody is going to be promoted on the back of moving from XP to Windows 7,”
said Christopher Soghoian, a computer security expert and principal
technologist for the American Civil Liberties Union. “It’s so mundane but so
important.”_

---

Sad, but true...you'd think if there would be one sector of society in which
the mundane-but-important work could be rewarded, it'd be in the government
sector, where the force of law and regulation would make it a political
priority, even if it will never become a glamorous role.

~~~
Spooky23
I work for a non-federal US govt.

The key issue is that the economy exploded in 2008 and the PC refresh cycle
ended. The other issue is that Microsoft shipped a stinker with Vista, and
took the liberty of breaking lots of legacy Microsoft tech in 7.

Few big organizations actually upgrade zone rating systems... They replace the
devices. Because the upgrade cycles of PCs were stopped like 5-6 years ago,
getting the budget for PC replacement was very difficult. Government bean-
counters like slow growth in budget lines. Going from $10M/year to $0 to $30M
for a bug refresh results in poor results.

~~~
naveen99
You don't need a whole pc refresh, just put in $100 solid state drives. I
haven't thrown away any computers since ssd's came out.

~~~
Spooky23
Autocorrect mangled part of my post. The issue is that desk-side visits for OS
installs or part upgrades are both expensive and error prone.

If you are outsourcing the process, you're easily looking at $250-400 of labor
per unit for an asset that is worth < $100. As an added issue, you're going to
have quality issues that are even more expensive to deal with.

------
higherpurpose
Non-American governments especially should take this opportunity to switch to
Linux.

~~~
sliverstorm
Agreed. CentOS 3 will be supported forever, b*tches.

------
vaadu
Website operators ought to stop serving content for XP users like they did
with older version of Internet Explorer. A vulnerable computer puts everyone
at risk. Maybe also point these users to a free Linux download.

------
userbinator
They said the same thing about 98SE when its support period ended.

I used it for several years after that, and never got infected. Ditto for my
XP installation, which is approaching 8 years old.

If 98SE was any indication (Google "kernelex"), with XP's popularity and
persistence being much greater, I think once again a whole "cottage industry"
will form and continue to provide various bugfixes/patches and enhancements to
XP for another decade or more...

------
gregimba
My school is still running XP for all of its desktops.

~~~
ne0codex
Yup. Retail stores and banks as well. There's plenty of large institutions
that are using XP for day-to-day operations.

And people wonder how "easy" it is for those darn hackers to "steal info."
It's easy to steal from a house with the door wide open.

------
skennedy
Were they not vulnerable to hackers now and in the past?

~~~
lutusp
Yes, but only until Microsoft issued a fix for any vulnerabilities discovered.
After April 8th, no more fixes, just bugs that can be exploited forever.

Rumors have it that hackers are detecting and cataloging vulnerabilities that
they're holding in reserve for the day Microsoft stops support for XP, after
which they'll have a field day exploiting known vulnerabilities, secure in the
knowledge that the errors will remain in place until the victims finally dump
XP.

~~~
asdafa
Not only that... The main concern is that since Vista/7/8 are derived from XP,
they also share critical vulnerabilities hidden inside the core of the OS. If
Microsoft stops publishing patches for XP, there is a non-trivial risk that
attackers will be able to look at a patch for a newer Windows version, reverse
it and make an exploit that will work perfectly on XP, which won't get the
security fix.

~~~
korethr
No they're not. Check the major version numbers. Windows 2000, 2003 and XP
were built on version 5 of the NT kernel/architecture. Vista involved a major
overhaul and was version 6. Windows 7, 8 and 8.1 are versions 6.1, 6.2, and
6.3, respectively.

~~~
tanzam75
You can't make blanket statements like that. It depends on where the
vulnerability is.

For example, Vista has a substantially-rewritten networking stack. A
networking exploit in Vista would not necessarily translate over to XP.

On the other hand, there's a lot of legacy code around in GDI+ for decoding
graphics formats. A file format exploit would be highly likely to carry over
to XP.

~~~
korethr
Fair enough. I misunderstood the parent when posting that. Re-reading it and
your comment, it makes more sense.

That makes me curious as to just how much legacy code still exists in
Vista/7/8/8.1, and where. I guess it's time for me to do some more research.

------
runn1ng
Maybe it's a stupid remark, but - isn't Windows XP vulnerable as it is right
now anyway?

Also, if someone is still running Windows XP in 2014, he probably doesn't use
the newest updates and antivirus anyway, so his security is weak in other
respects too.

~~~
lutusp
> Maybe it's a stupid remark, but - isn't Windows XP vulnerable as it is right
> now anyway?

Yes, but until April 8th Microsoft will patch any uncovered vulnerabilities.
After April 8th, hackers can have a field day because no one will patch any
detected flaws. That's a big difference.

> Also, if someone is still running Windows XP in 2014, he probably doesn't
> use the newest updates and antivirus anyway ...

Not true, not true at all. It's too easy for a user to turn on automatic
updates and run an antivirus program. My point is that one of these features
will disappear 22 days from today, and hackers are going to exploit that fact
to the fullest. There are even rumors that hackers are saving discovered XP
vulnerabilities for use after April 8th, because they'll never be fixed and
can therefore be exploited over and over.

~~~
Already__Taken
It's more good business sense than rumour; it doesn't take a genius.

People might even be ready to start hijacking automatic updates. XP uses the
very old way of a custom site and some ActiveX to launch the update methods.
MS probably wants to stop supporting that crazy old site as soon as possible.

~~~
lutusp
> It's more good business sense than rumour ...

Yes, very true. This is something most people don't understand about hacking
-- it's just a business, much like any other. What was once an entertainment
for a bright, bored youngster is now a trade, with tools and goals.

> People might even be ready to start hijacking automatic updates.

It's my hope that Microsoft will think of a way to prevent automatic updates
from being taken over by just anyone after they close down the "real thing".

------
InclinedPlane
Any organization with enough money can pay MS to continue to keep the patch
train going, and many do. Whether or not the government will or will instead
choose to upgrade or to remain vulnerable is an open question.

------
balladeer
A very good reason to move to a Linux distro instead.

Ubuntu/RedHat/SUSE abandoned the distro? Well, hire devs to support it. You
have the code.

~~~
thomasz
> Ubuntu/RedHat/SUSE abandoned the distro? Well, hire devs to support it. You
> have the code.

They are too incompetent to switch from XP to Vista or 7. What makes you think
they could survive the transition to Linux, let alone _maintain_ a
distribution?

------
tigrank
No they won't. The government will pay Microsoft lots of money to get patches
just for themselves.

~~~
djKianoosh
I fear this very utter waste of money. Someone at Microsoft must be crying
laughing.

------
peterbotond
<sarcasm>Is that a feature or a bug built in?</sarcasm>