
Windows for Submarines (2008) - Osiris30
https://blogs.msdn.microsoft.com/ukgovernment/2008/12/17/windows-for-submarines/
======
jaclaz
This blog post is 2008, when the good UK guys deployed a custom made Windows
2000/XP, very UNlike "news".

The news article on Popular Mechanics and the actual original Guardian
article:
[https://www.theguardian.com/technology/2016/jan/16/trident-o...](https://www.theguardian.com/technology/2016/jan/16/trident-old-technology-brave-new-world-cyber-warfare)

are January 2016, and confirm that they are still running that custom XP.

------
vostok
Very interesting choice. I work on mission critical systems that aren't as
mission critical as nuclear submarines. I don't think we'd ever consider
anything other than an open source *nix.

~~~
cperciva
I would have expected qnx or vxworks rather than any open source UNIX
personally.

~~~
vostok
Fair point.

When I said "mission critical systems that aren't as mission critical as
nuclear submarines" I meant that a mistake can result in us losing $400
million in 30 minutes rather than the destruction of civilization as we know
it.

I don't know what people in the latter case use, but it sounds like they use
Windows for Submarines.

~~~
noir_lord
> $400 million in 30 minutes

You write systems to autoplay Free to Play games?

~~~
Pyxl101
High frequency trading, more like! Or just trading.

Mistakes such as selling 610,000 shares at 1 yen, instead of 1 share at
610,000 yen.

Clash of Clans only makes on the order of ~$2M-$8M per day, according to
estimates, so it'd be tough for a Clash of Clans outage to cost $400M. Only
when playing with money, or with equipment worth $400M can you lose that much
in 30 minutes.

(What kinds of equipment costs $400M and can be ruined in 30 minutes? Offshore
oil rigs, I'm guessing. According to Quora, the least-expensive offshore rigs
are $200M, while average is $360M. Ruining one of those with a software error
would be a very bad day. Another option might be equipment in space such as
satellites, though I imagine those are relatively harder to ruin.)

~~~
tibbetts
I've worked on high frequency trading software infrastructure, including
having been involved in serious bugs which led to a lot of broken trades and
lost money, and would have said with anything like proper architecture and
governance you can't lose $400 million in 30 minutes.

But Knight Capital did manage to lose $440 million in 45 minutes, due in large
part to what I would call improper architecture and governance. So there you
go. [https://dougseven.com/2014/04/17/knightmare-a-devops-caution...](https://dougseven.com/2014/04/17/knightmare-a-devops-cautionary-tale/amp/)

------
foldr
I don't see the big deal with this.

Building a command system on top of a general purpose operating system seems
like a reasonable cost-saving decision. It has attendant risks, but so do all
of the alternatives.

Security issues are moot, I would have thought, since these systems are not
connected to the internet, and the main threat is from people who have
physical access to the hardware.

~~~
origami777
I would have thought the same until Stuxnet. Others know the story better than
I but if memory serves, the Iranian nuclear facilities had systems that were
not connected to the internet compromised. No internet connection for sure
reduces the risk, but for those looking to compromise a sub I don't think it's
an insurmountable roadblock.

~~~
foldr
Right, but my point is that if you have physical access, then the security
holes in Windows XP, as compared to more modern iterations of Windows, aren't
so relevant. It's not like the sub is going to be compromised via a bug in IE
6.

I also sort of suspect (without making any pretence of knowing what I'm
talking about) that it's futile to try to make the computer system itself
invulnerable to attack, and that human factors are likely to have a far
greater influence on the overall security of the system. After all, Stuxnet
was propagated via flash drives, and no-one should be sticking a random flash
drive in a military submarine's computer systems.

~~~
cryptarch
I don't recall any *nix OS's having automount and autorun enabled by default?

What I'm trying to say is, physical access does not necessarily mean full
physical access, and when the virus has to spread through some storage medium
connected to e.g. USB the underlying OS certainly matters.

I mean, they probably autorun that for the subs, but I think it's indicative of
the design philosophy behind most MS products. "Made for those who don't need
full control, with politics prioritized over security", because what
security-minded programmer would ever enable that by default?

Edit: inserted middle paragraph + fixed typo

~~~
izacus
Wait, do you really think that embedded Windows versions behave the same as
end-user ones?!

That's like saying "Linux sucks for embedded devices because Ubuntu
automatically updates kernel and breaks stuff".

~~~
pjc50
Point-of-sale Windows dev checking in: yes, mostly they do behave the same.
Especially the "embedded" ones, which are desktop versions with different
licensing, a few management features, special bits of userland (e.g. the OPOS
subsystem) and, most crucially, longer support life.

"Compact" versions (CE, or "embedded compact") genuinely have removed
features, but CE will still automount devices if it has drivers for them and
you've not turned it off.

~~~
TazeTSchnitzel
Is that CE _Windows CE_, which is a completely different operating system
designed for less powerful devices?

------
peter_retief
I for one don't feel safe that Microsoft is running on critical systems. I
guess it's nature's way of dealing with human overpopulation - and merry Xmas /
happy Hanukkah

~~~
mfukar
If you're afraid of critical systems running Microsoft software, boy do I have
news for you..

~~~
peter_retief
Why, does it get worse!

~~~
mfukar
For your fears, yes. Overall? No.

------
Osiris30
News article -
[http://www.popularmechanics.com/military/weapons/a19061/brit...](http://www.popularmechanics.com/military/weapons/a19061/britains-doomsday-subs-run-windows-xp/)

------
tim333
Hope they don't install Wordpress on the nuclear control system.

~~~
giosch
They don't need to, Windows is already broken on its own.

------
walkingolof
C2/C3 systems have been built on top of Windows NT since the 90's, nothing
really new.

~~~
noir_lord
Yep, I remember a Destroyer being adrift after Windows for Warships crashed at
least a decade ago.

------
sawmurai
The article is 8 years old... thank god :)

~~~
Osiris30
Yes it is. I found this link when I googled 'Windows for Submarines' when I
read about it in Eric Schlosser's New Yorker essay "World War Three, by
Mistake" which was featured earlier on HN.

[https://news.ycombinator.com/item?id=13249976](https://news.ycombinator.com/item?id=13249976)

------
UK-AL
Not so bad when you consider Windows NT is a descendant of VMS. VMS was the
system you went to when Unix wasn't considered reliable enough.

I would imagine for a system like this they remove all the crap, and just use
the kernel and some well tested custom programs.

~~~
new299
Nit pick: They share the same core designers, but NT wasn't a direct
descendant:

[http://m.windowsitpro.com/windows-client/windows-nt-and-vms-...](http://m.windowsitpro.com/windows-client/windows-nt-and-vms-rest-story)

------
ZenoArrow
Brings a new meaning to 'Blue Screen of Death'. ;-)

------
idlewords
DO NOT OPEN THEM

------
mdekkers
> equip the nuclear-propelled and nuclear-armed warship fleet with a Windows-
> based command system

We are all going to die...

------
delegate
It saddens me greatly when smart people work on stupid things.

However you turn it around, a nuclear submarine is an incredibly dumb thing to
invest your intelligence in.

Intelligence without wisdom is very dangerous.

If you're a young brilliant mind, please stay away from military applications.
You're not contributing to anyone, no matter what the (military) propaganda
tells you.

~~~
golergka
Does this 'wisdom' contradict basic game theory?

~~~
delegate
Wisdom is the capacity to understand the true scope of the 'game'.

At that level 'game theory' does not apply.

~~~
golergka
Only if you pretend you can control all the players.

Prisoners in the classic dilemma can all know what's best for everybody. But
they can never be sure others know it too.

