
Manchester, UK, police still relies on Windows XP - concerto
http://www.bbc.co.uk/news/technology-41306321
======
peterburkimsher
I work for a tech company in Taiwan. The factory downstairs is making microSD
cards. I write some driver software to talk to the machines, sending commands
using SECS-II and getting the machines to log data to a SQL server.

The testing machines still run Windows 2000.

There is no SQL library for Visual C++ 5. I couldn't use the .NET framework,
or any other libraries - everything running on the testing machine had to be
bundled into a single .exe file.

Why not update? The testing machine was built by another company, and sold
with a 20-year warranty. Updating Windows, or even installing software would
void the warranty.

My program was designed to be easily deleted in case of an audit.

These machines were on their own LAN with no Internet access, thankfully. I've
realised that for my software to endure, I should write it standalone, without
needing libraries, and in a very common language that is likely to still be
around for a while (C, JavaScript, Bash). The code is more verbose, but that
puts the burden on the developer (me) instead of the user, who is more likely
to make really dodgy workarounds than file a bug report.

~~~
Dayshine
>My program was designed to be easily deleted in case of an audit.

Errr what?

~~~
Unknoob
I'd guess a simple .exe file that doesn't create additional files or registry
entries. Since installing additional software would void the warranty, they
can simply delete a single .exe to get the computer back to its factory
state.

------
stupidcar
> The UK's biggest force - London's Metropolitan Police Service - was among
> those that refused to share an up-to-date figure.

> But in June it said about 10,000 of its desktop computers were still running
> XP.

> "Disclosing further information would reveal potential weaknesses and
> vulnerability," the force's information manager, Paul Mayger, said.

So they're concerned enough about security not to disclose the number of XP
machines, but not so concerned as to actually fix the problem.

~~~
dx034
Public services in the UK have faced severe budget cuts in recent years.
Spending money on new software could very well have meant having fewer police
on the street. That's not an excuse to use unsafe systems but it can be an
explanation. Public services don't work like companies, especially if they're
forced to reduce their budget by 30% over a few years without neglecting their
duty.

~~~
guitarbill
On the other hand, public services don't have a great track record for
effectively spending IT budgets, and the managers who oversee all this barely
have any accountability. So it's not too different from companies.

~~~
dx034
I'd argue all large organisations have a bad track record for IT budgets. It's
shocking to see the amounts large companies spend on outdated and ineffective
IT systems, just because the vendor is large or the consultant likes it.

------
francis-io
> "The remaining XP machines are still in place due to complex technical
> requirements from a small number of externally provided highly specialised
> applications," a spokeswoman told the BBC.

This is the real heart of the issue. In my (very limited) experience, software
choices are made by different people than the ones that deal with them each
day.

My hope is that more and more applications will become web based, and big
enterprises can move to a cut down linux desktop with a limited attack
surface, so internal IT teams can focus more on securing servers.

~~~
rlpb
At a higher level, I think the problem is poor requirements specifications
when the externally sourced applications were first procured. If the procurers
had accurately predicted the lifetime requirement, they could have required
the stack to be fully security supported for that length of time, making it
the vendor's problem to update to a newer OS that has security updates.

Instead, they pushed the cost back while keeping the risk themselves.

Perhaps back then this wasn't so obvious. I hope it is now, and procurement
teams actually do incorporate this into their requirements now.

~~~
grecy
> _If the procurers had accurately predicted the lifetime requirement, they
> could have required the stack to be fully security supported for that length
> of time, making it the vendor's problem to update to a newer OS that has
> security updates._

Oh sure, but there are a million other reasons too.

Maybe the vendor went out of business, but the company is still using whatever
application for edge cases.

Maybe the vendor now has Version 2.0 of application that does support newer
OSs, but it requires hundreds of millions in hardware upgrades.

Maybe it simply takes years and tens of millions to test _every_ application
and piece of hardware used by the company to see how they handle a new OS.

(I worked for a large company that _just_ recently upgraded from XP to Win 7,
and the project was years and tens of millions over budget)

~~~
stupidcar
It's 2017, not 1997. None of these issues should be any surprise to a large
organisation's IT department. It's professional negligence to allow the
situation to devolve to the point that such huge, expensive projects are
required to upgrade everything, or the business is relying on a single outside
software vendor for an important function.

IT departments should have complete visibility of all their hardware and
software assets. They should have rolling programmes of upgrades for both
hardware and software, and they should understand exactly how long these will
take, so that they do not overrun an OS end-of-life. They should have
contingency plans for deprecating or replacing software if a vendor goes out
of business.

Failure to do the above is equivalent to a facilities department not doing
essential maintenance, or forgoing safety checks, or a compliance department
ignoring legal requirements. The fact that something costs money, or involves
IT, does not magically excuse incompetence, shortsightedness or ignorance.

~~~
walshemj
The UK police have faced massive cuts year on year, so they probably don't
have the budget and have lost a lot of in-house knowledge.

~~~
rlpb
Even more reason to say "we can't deliver X because it'll cost Y and our
budget won't allow for that" rather than "we'll pretend X actually costs Y/10
and defer the inevitable problem". Then politicians in the first year will
consider that you have delivered X for a fraction of its actual cost, and thus
set the entire service up for failure in the future.

~~~
walshemj
But virtually all MPs, and all senior ones, have zero idea about how the
blinky light boxes work.

------
hoodoof
For heck's sake, just put the foot down and cancel the money going to the
tardy vendors.

Cutting off the money supply magically fixes software issues fast.

~~~
osullivj
Last year I contracted for a mortgage origination system vendor supplying
Virgin Money aka Northern Rock. The client preferred to run a heavily
customised Windows C++ 90s version of the system, with XP desktops. All
attempts to persuade them to move two generations forward to a browser GUI
.Net back end were resisted. Migrating forward two generations would have been
a huge project. The status quo was a heavily customised, almost bespoke,
system that was booking huge volumes of business.

~~~
tixocloud
I totally hear you. Any transformation to push forward new technology in
financial services requires multiyear projects and thousands if not millions
of dependency checks, testing and upgrades that may or may not bring in the
additional revenue that would make the effort worthwhile. Factor in the fact
that systems knowledge might also be scarce and you can see why no one wants
to go through the pain.

------
jaclaz
From the article:

"So, if the [police's] Windows XP computers are exposed to the public
internet, then that would be a serious concern. "If they are isolated, that
would be less of a worry - but the problem is still that if something gets
into a secure network, it might then spread. That is what happened in the NHS
with the recent Wannacry outbreak."

Only problem being that KryptosLogic tests confirmed that WannaCry did not
infect "properly"[1] Windows XP machines on the network (while if the malware
is executed locally XP is vulnerable):

https://blog.kryptoslogic.com/malware/2017/05/29/two-weeks-later.html

[1] If SP3, the infected machine would blue screen without encrypting anything
and without having the possibility to spread the malware to other machines; if
SP2 (improbable), the machine would not be infected.

------
squarefoot
They could be using the POS version which IIRC will get regular updates until
2019. Probably illegal, unless they have some special license, but surely not
a bad thing given the huge boost in performance compared to newer OSes and the
shrinking number of compatible malware around.

------
xvilka
They should try ReactOS.

------
kennydude
Last I heard Northumbria Police still use COBOL...

~~~
dx034
Once your language is old enough you're probably much safer. Finding a
hacker who understands how to find weaknesses in a system from the 70s will be
harder than someone who knows how to exploit Win XP.

------
petepete
Yes, my hometown is on the front page of HN!

Oh, damn.

~~~
Nexxxeh
Mine is front page of BBC News this morning. Seems like it's never good news
at the moment.

