Is Continuing to Patch Windows XP a Mistake?

Last week, Microsoft issued a security patch for Windows XP, a 16-year-old operating system that Microsoft officially no longer supports. Last month, Microsoft issued a Windows XP patch for the vulnerability used in WannaCry.

Is this a good idea? This 2014 essay argues that it's not:

The zero-day flaw and its exploitation is unfortunate, and Microsoft is likely smarting from government calls for people to stop using Internet Explorer. The company had three ways it could respond. It could have done nothing­ -- stuck to its guns, maintained that the end of support means the end of support, and encouraged people to move to a different platform. It could also have relented entirely, extended Windows XP's support life cycle for another few years and waited for attrition to shrink Windows XP's userbase to irrelevant levels. Or it could have claimed that this case is somehow "special," releasing a patch while still claiming that Windows XP isn't supported.

None of these options is perfect. A hard-line approach to the end-of-life means that there are people being exploited that Microsoft refuses to help. A complete about-turn means that Windows XP will take even longer to flush out of the market, making it a continued headache for developers and administrators alike.

But the option Microsoft took is the worst of all worlds. It undermines efforts by IT staff to ditch the ancient operating system and undermines Microsoft's assertion that Windows XP isn't supported, while doing nothing to meaningfully improve the security of Windows XP users. The upside? It buys those users at best a few extra days of improved security. It's hard to say how that was possibly worth it.

This is a hard trade-off, and it's going to get much worse with the Internet of Things. Here's me:

The security of our computers and phones also comes from the fact that we replace them regularly. We buy new laptops every few years. We get new phones even more frequently. This isn't true for all of the embedded IoT systems. They last for years, even decades. We might buy a new DVR every five or ten years. We replace our refrigerator every 25 years. We replace our thermostat approximately never. Already the banking industry is dealing with the security problems of Windows 95 embedded in ATMs. This same problem is going to occur all over the Internet of Things.

At least Microsoft has security engineers on staff that can write a patch for Windows XP. There will be no one able to write patches for your 16-year-old thermostat and refrigerator, even assuming those devices can accept security patches.

Posted on June 21, 2017 at 1:58 PM • 48 Comments

Comments

MeJune 21, 2017 2:15 PM

Yup, and this is why I've become such a Luddite with respect to these things.

I have my computer, I have a Roku, and I try to keep everything else off the net.

Vesselin BontchevJune 21, 2017 2:26 PM

Since Microsoft released publicly the WinXP patch after the WannaCry virus appeared, many people assume that it was developed in response to it. This is a mistake.

If you examine the patch, you'll see that it was created in March - at the same time as the Win7, etc. patches for the same problem that were released at the time. Patches were developed for all the vulnerable versions of Windows at the same time. Why was an WinXP patch developed then, if this OS is not supported? Because it is supported, only not for free. Companies that cannot afford to replace it (usually banks with ATM machines but other customers as well) pay Microsoft big bucks to keep patching their OS.

After the worm was released, Microsoft simply decided to release publicly and for free the patch which they had already developed, months ago, for their paying customers.

So, the question is not "should Microsoft keep developing security patches for WinXP" - because they already do so. The question is - should they release them publicly for free? I think that in extreme cases, like a widespread wormable vulnerability, it is perfectly reasonable to do so. It doesn't cost them any significant additional efforts or money.

AnuraJune 21, 2017 2:33 PM

If XP is used so much, it should never have been deprecated in the first place. As long as people are willing to pay for the costs of supporting XP (and bug fixes are not that costly compared to the number of users) they should still support it. The reason for dropping support is simply to get them to buy the newer product (i.e. planned obsolescence). It's a horrible business tactic from a horrible company.

tzJune 21, 2017 2:43 PM

This is like anti-vaxxers. Herd immunity.

There are a lot of old XP systems because Microsoft:
1. Decided to charge a huge fee to upgrade to Windows 7 assuming the hardware supports it and changed the API so as to require rewriting critical software. And Windows 10 is spyware and can't run on most. This is your IoT point except with XP as the embedded OS. Oh, just spend a billion (think the UK's NHS) to change out all your hardware and software and rewrite a lot of stuff.
2. Sold XP and XP Embedded (which has partial upgrade support) as an alternative to something which could be maintained and upgraded. You might hate Linux or BSD or embedded OSes but it is still easier to back-patch an old Linux kernel because you do have the source.

Some are saying Microsoft should treat XP like the IoT vendors who don't care. That doesn't fix anything. It merely leaves millions of computers vulnerable. When it is an XP botnet instead of IoT botnet that wrecks something next week?

Microsoft should release critical patches for XP vulnerabilities if for no reason to prevent the computers from being hijacked to be used as vectors for attacks or further infections.

PeteJune 21, 2017 3:17 PM

There are 2 reasons people run WinXP.

a) Business requires it and there isn't an alternative and probably never will be any alternative.

b) Home user doesn't see security issues ever. They are behind a 5 yr old, unpatch, router too.

From 2K miles away, it is easy to say they get what they deserve. After all, nobody forced them to buy WinXP, ingrain it into their work/home so much that changing isn't desirable. They brought this on themselves.

Part of the issue is that support for WinXP is too long. If people are forced to move to a new OS every few years, then they don't get stuck with a system that cannot be maintained. It becomes a normal thing to switch everything every few years. This is where the Ubuntu LTS and Debian "stable" releases really are a good thing. Redhat is more like Microsoft, providing support for so long that system get put in and can never be replaced.

Is there an answer to the question? Sure. "It depends."

BillJune 21, 2017 3:29 PM

I still use XP because I'm supporting a "thing". I have an older TomTom GPS with a lifetime map update subscription. The update software works fine on Windows XP and I have no reason to even try to go to the trouble to see if it will work on Windows 10. As long as TomTom continues to make new maps available and the GPS doesn't die on me, I will continue to "run" Windows XP. (Admittedly, I'm running it in a VM under VirtualBox where the host operating system is Linux; but it is still Windows XP.)

HMS PwnmeJune 21, 2017 4:13 PM

The funniest example of Microsoft crapware is Windows for Submarines on Britain's Vanguard-class ballistic-missile subs. So you, or any baked adolescent, can shoot off all Her Majesty's missiles and become the Emperor of 4Chan.

Clive RobinsonJune 21, 2017 5:22 PM

@ Vesselin Bontchev,

It doesn't cost them [MS] any significant additional efforts or money.

It does and it does not, depending on where it is in the MS code stack.

The bottom of the MS code stack above driver level is generally consistent across the MS OS's. It's towards the top of their code stack you will find most differences, but evem at that level the code is still gairly consistent from it's first time of introduction.

Thus if the attack vector is in XP code the chances are it's also in generally supported MS OSs, so the cost is in effect "for free" with automated build systems.

MS want to get rid of XP, because it is what most users were more than happy with, thus they did not want to upgrade. Thus XP was starting to have a negative impact not on cash flow but on the magnitude of cash flow. Hence the "push at any cost Win10", then having done that along with all it's spyware and new backdoors for the IC's to play with, they stoped supporting "free Win10" that had cost so many people dearly when the upgrade was forced on them.

In effect it was Steve Ballmer "sociopath wet dream" scenario.

Lawrence D’OliveiroJune 21, 2017 6:25 PM

How long is a “reasonable” interval for Microsoft to continue to provide patches and updates for this ancient OS?

My reasoning is thus: Windows XP is still under copyright. Microsoft still considers it to be its “intellectual property”. The term “property” is deliberately used, to convey the idea of something owned by Microsoft, not by you, the customer. All you get when you buy it is a “licence”, not ownership.

But with property rights come property responsibilities. If your property is causing harm or nuisance to others, the onus is on you to fix it. Therefore, Microsoft’s responsibilities over its “intellectual property” should continue just as long as it claims those property rights. If unmaintained Windows XP machines are being exploited as parts of botnets or spam relays or virus vectors or whatever, the onus for fixing those problems should be on the property owner, right?

Under current US copyright law, that duration would be 90 years from when Windows XP was first published, or, by my reckoning, the year 2091.

AnonJune 21, 2017 6:40 PM

I understand where Microsoft is coming from in not wanting to support an ancient product.

That said, I think a law should be passed that requires a company to provide critical service patches for any product that they at one point sold if they prevent the people who they sold it to from fixing it themselves or via 3rd party.

In the case of Windows, this means a mandate to release source as a condition for discontinuing service.

I already hear people saying "but some bits of code have not changed from one version of Windows to the next and it's still used in the current one". So, in that case, that particular code can still be considered supported and a patch must be issued by Microsoft for all platforms that use it - even Windows XP.

The very notion that we allow some company to define an arbitrary "life-cycle" for a program which they can change anytime they want (by way of some click through EULA), after which we cannot use the product we buy is something consumers should not tolerate.

Copyright here is working against the interests of the consumers, and needs serious reforms to stamp out this nonsense. I am fully happy with companies protecting their IP and monetizing it, but once the company decides to refuse to sell/support the product anymore, they should forfeit their rights to prevent people from using the stuff they already bought. This should be very basic consumer protection - something we've lived without for far too long.

WhiskersInMenloJune 21, 2017 8:27 PM

In the context of IOT devices bug fixing is clearly not a cut and run choice.

They have a responsibility as holder of the copyright.
They have a global responsibility because in much of the world
hardware lasts decades. All law is not US law...

By patching things where they can they (MS) can demonstrate that they
have not abandoned the property (Copyright).

Owners of pools must have fences or incur liability for an attractive nuisance.

As more and more network attacks originate outside of the US perhaps from such old hardware there may be FISA pressure to repair bugs. Some groups in TLA's take defending the US seriously others not so much.

Liability maters to Microsoft they have deep pockets. A tossed together kickstarter thing may have a business plan: quickly. sell stuff, pay themselves well, then cut and run from a LLC. If the LLC is bought the buyer has the liability. If drained and flushed by the founders it is an empty shell. The code base is an asset -- if sold there is no liability for the new code base owner and another product could be glued together slightly different perhaps fixed.

Follow the money.

What if the patch was handed to them by a TLA?


RatioJune 21, 2017 8:32 PM

@Vesselin Bontchev,

After the worm was released, Microsoft simply decided to release publicly and for free the patch [for XP] which they had already developed, months ago, for their paying customers. [... Releasing security patches for XP publicly and for free like this] doesn't cost them any significant additional efforts or money.

Exactly.

Wesley ParishJune 22, 2017 2:45 AM

@Lawrence D’Oliveiro, @Anon

My reasoning, as well. A good while ago I attempted to make a point on Groklaw that computers and computer networks now are an essential trade route, not at all dissimilar to shipping lanes in meatspace. Derelict shipping are a navigational hazard to all and sundry.

And the price of having a ship go derelict is to pay a substantial sum to salvage.

I think most computer techies who have worked hard on maintaining Microsoft's products and thus salvaging Microsoft's reputation over the years would be gratified to receive MS Windows 9.x, WinNT3.x,4.x, and 5.x source trees and the like under a suitable Free and Open Source Software license.

Ross AndersonJune 22, 2017 3:13 AM

Under the laws of some countries you may have a legal duty to release patches. This gets complex fast. If company X sells a medical scanner based on XP then the patching duty falls on that company not Microsoft. And in transport it's not uncommon for software to be built out of components supplied by the OEM and the major component suppliers. So, just as patching an old Samsung phone requires not just a new version of Android but effort from the Samsung engineers who customised it, patching a car may require effort from several firms plus integration testing and potentially approval from an independent testing lab.

It might be convenient for car makers if they could just order all cars to be scrapped after seven years and replaced with new ones (the Microsoft philosophy for operating systems). But the embedded carbon cost of a car is about equal to its lifetime fuel burn, and halving vehicle lifetimes would double the industry's already large CO2 emissions. Governments won't stand for that. So we're heading for a perfect storm around the sustainability of software. I will be talking about this on Monday at the Workshop on the Economics of Information Security.

WinterJune 22, 2017 3:22 AM

"Therefore, Microsoft’s responsibilities over its “intellectual property” should continue just as long as it claims those property rights. "

Exactly. This is the way to go for IoT. If you do not allow the user to solve any problems, either claiming copyright or not giving details, then you are having to solve these problems yourself.

DroneJune 22, 2017 3:56 AM

The Greedheads at Micro$oft missed out on a huge opportunity with XP support!

As long as Microsoft continuous to "update" XP, with each update it could move the old OS closer and closer to the current rolling release of Windows - at XP's level of functionality of course. Plus, with each XP "update", Micro$oft can install more revenue generating spyware and adware! Once all the XP'ers are up to date with their XP-like version of the rolling release, you then wean them off the old XP compatible hardware bit by bit. The reward is each hardware upgrade unlocks more functionality in the OS.

In the end all Windows users are current, and Micro$oft made money making them that way.

TSJune 22, 2017 4:10 AM

my monitor has a built in camera.
It worked in vista, it worked in windows 10.0

Suddenly it stopped working in windows 10.1 - and not just stopped working - it absolutely died,. anytime I try to access it, the whole system crashes, freezes, etc.
I had to unplug it.

Another case of old hardware that is no longer supported.
Does that mean it should crash?
Does that mean windows should test more peripherals before releasing updates?

sucks for me,. but it "is" a 7 year old monitor.

CassandraJune 22, 2017 5:10 AM

Betteridge's law of headlines says "No".

(Cassandra is in a frivolous mood.)

John E. QuantumJune 22, 2017 6:30 AM

Perhaps the best way to resolve this issue is to allow Microsoft to stop supporting software as long as they provide full refunds for the software they stop supporting. I don't recall anything in their promotional material when XP was introduced that said in effect "This is the greatest, most secure operating system you will own, but only for the next 7 years"

JoeSoapJune 22, 2017 6:31 AM

Backtracking like this will just cause more complacency. XP was a product that has had its day. The world has moved on. Now, we are giving people another excuse not to upgrade/replace 'ah .... they fixed that big issue, I'm sure they'll be forced into doing the same again'.

HIJune 22, 2017 8:59 AM

I still have two Win XP boxes - each one with a nice set of specific software. One is for image processing the other one for pdf editing and mp3 playing. Both have not been allowed to the internet since years and I/O goes only by usb stick (autoplay disabled). Although it is heartbreaking at times how much they (the os and some apps) want to connect to the internet, working on them is absolute hassle free, can only recommend computers without internet access.

But I do not patch my Win7 box either (it is not in a corporate environment). I did do it up to some point but actually I don't want Microsoft any more to install something which I'm not able to control on my machine (they also long time cooperate with the NSA - remember that Snowden slide?). I just do not accept this culture of continuous patching any more. Each month some more buffer overflows and other open barn doors detected... This is not normal in my eyes.

But I apply some reasonable measures for my security: work only from a restricted account, have all protocols I don't need removed, including SMB = (secondary) infection path for WannaCry, don't click on links in emails (and on allow button in MS Office lol) when I'm not sure, restrict the web browser as regards scripts (you'd wonder how much is possible without JavaSript), poison the canvas api, do surf crap only in ToR, and above, use ToR to avoid being exessively profiled when I'm just looking up things eg in Amazon). I don't use Google services, have in fact *google* (and other crap) blocked by firewall rule since several years now. Sure some secret service or other crooks likely might be able to break into my box anyway, but patching would certainly not help much against that either.

John DittmerJune 22, 2017 9:55 AM

At a government IT perspective, there are tons of Windows XP based systems out there. Unless we are willing to fund billions to replace these systems soon, these systems will still be out there, performing critical functions. I believe in special cases such as WannaCry, putting out a special patch is necessary.

Clive RobinsonJune 22, 2017 10:23 AM

@ Cassandra,

Cassandra is in a frivolous mood.

And long may it bring you pleasure and contentment, frivolity is one of those essential spices in life B-)

CallMeLateForSupperJune 22, 2017 12:24 PM

XP is throwing sand in the gears of progress, just by being.

As Marcy Wheeler pointed out in an article last Monday about last week's Oversight Committee hearing on WannaCry, "... two of the four witnesses appear to have misstated one detail about the attack. That is, one implied that unpatched XP was the WannaCry firestorm, and the other said ... Win95. Seriously.

That testimony should have been slapped down with malice before the hearing ended.

"The Outdated XP Testimony on WannaCry to Congress"
https://www.emptywheel.net/2017/06/19/the-outdated-xp-testimony-to-congress/

DavidJune 22, 2017 12:25 PM

I'm troubled by the assertion that Microsoft should be required to patch any system they ever sold. The justification seems based on the market penetration of Microsoft, but how would a law or regulation be written that would only obligate entities based on their market share at a particular time? How would mergers and divestitures be handled? Could we require IETF to revamp telnet (Windows XP) so that it is secure rather than proposing alternate means (Windows 10)?

@WhiskersInMenlo: Are you proposing that IP laws (trademarks, copyrights, patents) should mandate that IP be considered abandoned if they are not updated within certain sequential timeframes?

AJune 22, 2017 4:00 PM

@David

Are you proposing that IP laws (trademarks, copyrights, patents) should mandate that IP be considered abandoned if they are not updated within certain sequential timeframes?

Whiskers was only talking about copyright. However, what you suggest is already true for trademarks (which can be lost if not defended) and patents (which have an automatic expiry date).

To the extent that a work subject to copyright is functional (eg, computer code, as compared to say a novel, or piece of music), then the owner of a copy of that should have an expectation of continued functionality. If not provided by the copyright holder, then he should be free to repair it himself, or hire someone to do so. That requires source.

Now, a fair argument could be made that the above requirement could be met by Microsoft releasing the source to XP when it has dropped support, and that existing XP license holders should be free to modify (but not copy and distribute) said code.

This is (or was) not uncommon practice in the software industry at one time, where source escrow of an expensive and critical software system was typically part of the contract, in case the vendor dropped support for whatever reason. (I was once hired to support just such, when my original employer, the vendor, went bankrupt.)

xinxingrenJune 22, 2017 6:31 PM

XP still exists because it does some tasks moderately well on hardware that continues to run. Strip off the crapware, and don't connect to malicious networks and XP will keep on keeping on for things like hospital database systems (NHS) and ticket booking and sales systems (China Railways). What's the difference between NHS and CR? Apart from the castiron and granite firewalling, anyone found within sight of a CR terminal with a USB stick could be taken out back and shot...

JonKnowsNothingJune 22, 2017 6:42 PM

The security of our computers and phones also comes from the fact that we replace them regularly. We buy new laptops every few years. We get new phones even more frequently.

THAT is really the problem isn't it?

The 1% who change every few months. The 20% who change regularly. Then there is the 79% who don't change. Some may never change.

How can that be?

Because there are still DOS boxes around. There is still XP. There are old old systems that are not upgradeable and the software cannot be replaced (air traffic control anyone?).

Withholding "fixes" for "$$" is essentially corporate blackmail. Works OK if you are in the 21% and you have the money to pay the ransom. Or if you are in the 21% that opts for the so-called upgrade which may not be a whole lot better than what you gave up and guarantees to break everything you already have working. It doesn't work at all for the 79% who don't have the money. That's the 79% who use hand-me-down computers. The 79% who are lucky even to get a recycled machine.

The question is never going to be "Can we do away with the old stuff?" because old stuff still hangs around, it never goes away. We still look at enigma machines. We look at hieroglyphs. We decipher Mayan Codices and we still have no idea how Stonehenge was built or how the New World pyramids were made or how ancient civilizations built all the stuff they did. Old DOS and XP machines are not going away.

Then we are getting the new fallible: auto-driving hearses (aka cars) ready to take you where you don't want to go that soon. self conviction for: speeding, red lights, out of date license tags, no insurance, wrong face, wrong race, wrong gender, wrong phone, wrong dress, wrong email, wrong friends. These aren't going to go away either.

If the 1% and the 20% don't want to be inconvenienced by the 79%, everyone pretty much knows or can guess what happens under that policy too. The problem of the 21% is that they need the 79% so they can be in the 21% portion of the curve.

I have a Timex Sinclair built from their scratch kit. All hand soldered. Bubble memory, Basic and an external keyboard wire wrapped by hand. It still works.

Cheers from the 79%. The 21% are gonna need it.

ht tps://en.wikipedia.org/wiki/Timex_Sinclair_1000

Clive RobinsonJune 22, 2017 7:08 PM

@ xinxingren,

XP still exists because it does some tasks moderately well on hardware that continues to run.

It's one of the reasons I still run it, along with still supporting code I wrote for it, in what feels like decades ago.

The simple fact is there is a lot of old perfectly servicable hardware, including PC109 Industrial control boards. For various reasons these are not going to get replaced any time soon.

It's one of the reasons I suggest for more standard hardware that those that have not only have to support legacy code but actually argument it from time to time to look at,

http://www.tldp.org/HOWTO/4mb-Laptops.html

Oh one other reason to run older hardware is the lack of Intel ME etc etc etc.

Frank WilhoitJune 22, 2017 7:09 PM

Is patching XP -- or any back version -- a mistake? Why, yes. No one -- repeat, no one, neither individuals nor any size or standing of organization -- can take responsibility for running back bits. Gold bits or GTFO.

MaxJune 22, 2017 11:58 PM

No more a mistake than patching Win10. Win10 patches encourage people to stay on Win10, delaying the migration to a more secure OS, etc.

TatütataJune 23, 2017 9:56 AM

Like several other readers, I have a couple of XP machines left, essentially for supporting older peripherals that still work fine, and which would cost mucho dinero to replace. As a non-industrial end-user, why should I? What's the remaining attack surface? Microfotz Explorer has been removed a long time ago. Chrome and Firefox decided they would no longer support XP, which I consider a greater issue. I could block the machines' external access at the router, but I hardly use them for browsing anyway.

Win10, which is the only current M$ offering, won't run on that 32 bit hardware, so if I upgrade the OS, it would be to a Linux offering. But this would work only for one of the machine IF AND WHEN Wine finally supports USB, and works properly with the said hardware.

Sp the best option for me is to keep going, rather than blowing a couple of grands.

I have much more of an issue with Adobe Flash than XP. There are a few VOD sites I frequent that still rely on it. Just yesterday I went once more through the charade of updating this utter garbage: going to the Adobe site, unchecking the boxes for their crapware offers, downloading an EXE, run it, unchecking the box for automatic update (why do they still do this?), and getting a couple of pop-up ads.

JardaJune 23, 2017 1:12 PM

Hmm, Bruce, where exactly have you seen fridges which last 25 years? Such fridges were made some 30 oor 40 yars ago for the last time. Today you are glad if the crap lasts 6 years. If nothing else, they physically disintegrate. Shelves break, magnetic rubber either becomes not magntic or falls appart or doesn't seal any more or any combination of the three, the case cracks,.... whatever.

Wendy M. GrossmanJune 23, 2017 1:37 PM

If you are relying for security on replacing your devices, then you may be protected personally but it does nothing for wider society. In many, if not most, families only the richest member or few buys new stuff; their old devices trickle down to the poorer and younger members. But they still say active.

When Microsoft terminated support for XP, I wrote this: http://www.pelicancrossing.net/netwars/2014/05/software_is_forever.html

I still think it was right: software is forever. The future is not one of new, shiny devices, but of a ratty Terry Gilliam-like patchwork junkyard of new and old devices. At some point, as Steve Bellovin wrote recently (here: https://www.cs.columbia.edu/~smb/blog/2017-05/2017-05-16.html) we're going to have to find a way to pay for updating old software. Otherwise, we all will keep on paying as we are now for poor security.

wg

65535June 25, 2017 10:40 PM

@ Vesselin Bontchev

"Microsoft released publicly the WinXP patch after the WannaCry virus appeared, many people assume that it was developed in response to it. This is a mistake. If you examine the patch, you'll see that it was created in March - at the same time as the Win7, etc. patches for the same problem that were released at the time. Patches were developed for all the vulnerable versions of Windows at the same time. Why was an WinXP patch developed then, if this OS is not supported? Because it is supported, only not for free. Companies that cannot afford to replace it (usually banks with ATM machines but other customers as well) pay Microsoft big bucks to keep patching their OS."

+1

@ Anura

“If XP is used so much, it should never have been deprecated in the first place.”

Yes, I agree. I don’t know if Vista, Win 7 with its aeroview was much better considering the processor and video resources used [total costs].

Win 8/Win 8.1 along side Satya Nadella and John Wendell Thompson started the drive into advertising, data-mining and spying. This has shifted the largest Personal Computer maker into a data mining giant.

Satya Nadella should be dismissed and a new thrust into security and main line personal computer and business computing should be Microsoft’s goal – not data mining, spying and ad leads. XP and the server versions were a fairly good start. Now, it is all about ads and data mining. This is a sad situation for the company – and maybe it’s own downfall.

@ Pete

“There are 2 reasons people run WinXP.

“a) Business requires it and there isn't an alternative and probably never will be any alternative.

“b) Home user doesn't see security issues ever. They are behind a 5 yr old, unpatch, router too.

“From 2K miles away, it is easy to say they get what they deserve. “

Maybe and maybe not. We shall see.

@ Clive Robinson

“…MS want to get rid of XP, because it is what most users were more than happy with, thus they did not want to upgrade. Thus XP was starting to have a negative impact not on cash flow but on the magnitude of cash flow. Hence the "push at any cost Win10", then having done that along with all it's spyware and new backdoors for the IC's to play with, they stoped supporting "free Win10" that had cost so many people dearly when the upgrade was forced on them.” -Clive

That is a fair assessment. But, I’ll take Ballmer over Satya Nadella’s spyware path into everyone's bedroom any day of the week.

[And]

“XP still exists because it does some tasks moderately well on hardware that continues to run.” -xinxingren

“It's one of the reasons I still run it, along with still supporting code I wrote for it, in what feels like decades ago. The simple fact is there is a lot of old perfectly servicable hardware, including PC109 Industrial control boards. For various reasons these are not going to get replaced any time soon.”- Clive

Another good observation by Clive, XP Pro and embedded was not the best stack for the money but it did work on numerous platforms and many programs that are still useful today.

Win 7 Pro had heavier hardware requirements and signed code requirements. That was a pain in the rear-end. But, Win 10 spy bundle is terrible and monthly sketchy patches are not good. Sure, maybe M$ bling phone and glued together surface shine interests others but not me. I’ll leave it there.

Clive RobinsonJune 26, 2017 1:58 AM

@ 65535,

But, I’ll take Ballmer over Satya Nadella’s spyware path into everyone's bedroom any day of the week.

Steve Ballmer, joined Microsoft in mid 1980 as employee number 30 and effectivly got his marching orders sometime in 2012-13. This came about after his public behaviour became somewhat eratic to put it mildly and hedge fund investors got to many mixed messages.

But back then very few peiple in the US knew what was going on with the FBI NSLs, the NSA, and even less so the CIA. Google still appeared to be "the chocolate factory" giving it all away for free as some benign Willy Wonka. With FaceBook appearing to be a global spanning way for friends to save postage for party invites, rather than the play thing of a prototype peeping tom / sex offender.

That is even though Big Data had got started, to most it had not got creepy. Where as now with Ed Snowden and other leaks --like Sony hemorrhaging user data time after time, the OPM etc and-- the USG IC agencies blaiming China/Russia/North Korea via their "favoured contractors" most people did not have time for US corporate creepy to creep up on them. That is it's back to "The Reds Under the bed" type scare tactics to keep most people from realising what money is being made by Corporate USA off of spying on them.

Thus I have to ask myself if Microsoft employee 30 would have followed a similar customers are product mentality. And to me at least the answer is yes I realy think he would because it would have been in line with his previous decade of behaviour including the purchase of Skype. The difference between Steve Ballmer and Satya Nadella being only the time line of what the public accept.

Importantly Bill Gates is a social misfit who made up for this by driving himself into business supported by his familly and initialy their contacts. It was Gates that selected Ballmer as his replacment, and Gates and Ballmer that selected Nadella. Thus there is a self selecting succession line in progress. Which makes Nadella a sufficiently simillar type to be from the same mold as Gates / Ballmer, just a bit younger.

You can see this in Nadella's career and importantly his statement at a women in computing conference in 2014 that "women should not ask for a raise and should trust the system". He is likewise suspect on the social front, again being a person with no time for it. His marriage was arranged by his parents to the daughter of one of his fathers "India Service" colleagues. All three married late and have three children.

The thing is Nadella's got a tough act to follow, even though he was a very large part of Ballmer's success. For all the stories about Ballmer dropping the ball on this technology or that technology, he oversaw a 16% rise in the business which few other CEOs of similar sized organisations achieve. He managed the move off of the regulatory rocks Gates had steared it onto as well as shifting the business off of it's PC dependence and into the server and cloud area. To be honest he was right to disgard many of the things he was criticized for as the reality was they were distractions that were disappating core development.

So whilst Nadella is no more a Ballmer clone than Ballmer was to Gates they are very similar in the way they view life and people and their world outlooks and morals and ethos are very similar. Their main differences being their view point on technology sectors and timing.

The thing is people expect Microsoft to be on the leading edge all the time. But the days of personal computing being not just the leading edge but the profitable place to be are over. The profit these days is in enterprise solutions and it will continue to do so for maybe a half decade or so before new sectors open up. Personally whilst the IoT market will make a lot of noise for some time yet there is not realy any profit to be made by large corporates, just the "fly by night, noname" entities where resources like labour is cheap. The big corp profits will be in AI as applied to data in the near future, and those with ample cloud data will profit by it. The trick is going to be getting the instrumentation into everywhere and keeping your competitors out. Ballmer did not get to kill Google, but it is very likely on not just Microsoft's list of things to do, liekwise Apple. Big as they both are they are quite dependent on others whilst Microsoft less so. Thus Microsoft can probably play the "walled garden" game better than either Google or Apple and collect a lot more data. In the process they can start to kill off various asspects of Google, similarly with Apple.

The trick to pull will be to be the data manager for IoT devices. Whilst there is little profit in trying to compeate on the manufacture of such devices there is a lot of money to be made on being the back end to them. Think of it like mobile phones, whilst the public see big names in handsets they do not see the names that supply the equipment software and services that make it all work. Similar is true for the Internet. It's this infrastructure and the data that flows on it are where the large corporates are going to find their profit as the Internet and Phone networks become indistinguishable. Most will not know the names of the supplierd of the infrastructure lower layers, but they do know those that will be supplying both the content and the big data activities. The current content providers of the record and film and news indistries will find their dominance subsiding to that of "service provider" to those with what might get called "Cloud2".

So keep your eyes on the intersection between IoT and walled gardens control and development of that is where the fun is most likely to be within a decade at most.

Oh one thing to keep your eye on Smart Meters, in the UK certainly the market has had uncertainty thrown into it. Customer confidence has been knocked by some news stories, the take up was not high even with Gov backing, but the current encumbrents have "long grassed it" way way beyond the back burner. It probably will come back but it's had quite a knock.

Doug BostromJune 27, 2017 12:00 PM

EOL for this particular software (XP) is purely a business decision rooted in factors entirely unrelated to technicalities of software maintenance. EOL was not driven by forced, intractable technical constraints, as we have just seen crisply demonstrated.

EOL of XP was triggered to drive adoption of new products and perhaps equally importantly limit costs that affect profitability. EOL here is a choice made by Microsoft and was imposed on users for the usual reason: unaligned objectives of vendors and customers.

The objective of private enterprise is to divert money supplied by customers from the accomplishment of consumer objectives, the resulting gap being called "profit."

In this particular case, the objective of Microsoft in imposing EOL on XP is to redirect money that might be employed in protecting customers and instead free it for uses entirely unrelated to the requirements and needs of customers, such as buying a larger yacht, another exotic vacation home etc.

Private enterprise isn't inherently bad. It's just not suitable for certain purposes, such as where societal costs of supporting private enterprise diversion schemes become too large.


RichardJune 28, 2017 12:58 AM

Given the situation, Microsoft should either continue to patch XP, or create a 'lite' Windows 10 variant that will run on XP level hardware - and provide existing XP users with a FREE upgrade path.

It's hard for me to buy the argument that forcing Microsoft to provide a free upgrade path to XP users would hurt their business interests since they did every sleazy thing possible to FORCE people to accept unwanted 'free' upgrades to Windows 10 from Windows 8 and Windows 7.

Sadly though, this upgrade path was NOT provided, and I believe that Microsoft's actions in willfully failing to patch known XP vulnerabilities, except for paying customers, when they could have done so, exposes Microsoft to HUGE legal liability.

The damning issue is that Microsoft HAD patches available, HAD apparently deployed these patches to customers who had paid for extended support but chose to willfully withhold these patches from others till now, subjecting them to loss and injury.

This willful disregard on Microsoft's part is basically the kind of wake up call that the 'Exploding Pinto Gas Tank' was to the automotive world.

To understand the parallel, imagine that an automobile company like Ford or Toyota found a software defect in one of their cars onboard ignition module microcontroller's firmware where, after 15 years or so, the module's eeprom storage log would overflow and create a condition where the car might randomly stall at freeway speeds.

Now imagine that there is a simple fix (for example re-booting the module using a maintenance jumper) - but the manufacture decides to ONLY provide this fix info to CUSTOMERS WHO HAVE PAYED FOR EXTENDED SERVICE CONTRACTS -- and that as a result, there are numerous accidents as affected vehicles randomly stall out on the road.

Hard to imaging that this would not result in record setting multi-billion dollar fines.

This latest Microsoft abomination would be a wonderful test case for the courts to finally VOID the bullshit click through 'consequential damage' disclaimers inflicted on customers as 'terms of use' and finally start to hold the software industry to the same standards of responsibility as every other business on the planet.

Whether the software defects in question were simply caused by Microsoft's negligence - or where the result of intentionally introduced backdoor vulnerabilities - in either case, a few Billion dollars in fines would go a long way in convincing Microsoft that they WILL be held accountable for damages caused by their actions - especially if they willfully withhold software fixes in the future,

This won't happen here in the U.S. thanks to the election of our current swamp-dweller-and-chief and his appointment of the best-government-big-money-CAN-buy (living proof that elections do have consequences - and the fact that the bell shaped I.Q. curve has a lower half) - but a whopping big fine might, just might, be leaved against Microsoft in France or some other E.U. member nation -- and if that does happen it will represent a sea change in how we hold companies like Microsoft accountable in the future.

Dirk PraetJune 28, 2017 4:59 AM

@ Richard

Microsoft should either continue to patch XP, or create a 'lite' Windows 10 variant that will run on XP level hardware - and provide existing XP users with a FREE upgrade path.

What you're proposing is the equivalent of demanding that a clothes manufacturer provides a free upgrade path when your pants go out of fashion. I'm not an MSFT supporter, but ultimately it's a "damned if you do, damned if you don't" situation for them.

From a risk management perspective, the only correct strategy is to move off technologically outdated and no longer supported operating systems running on legacy hardware, or accept the risks of not doing so. There is of course a number of mitigation strategies, like refurbishing XP/Vista-era hardware with Linux/OpenBSD, or simply disconnecting such devices from the network, both of which may or may not be viable solutions in any given context.

The most important lesson learned (again) from Wannacry and (Not)Petya is that individuals and businesses alike CANNOT rely on vendors and legislators to solve all problems for them, but instead need to put in place sensible policies and procedures governing lifecycle management of both hardware and software all the way from tender and procurement to EoL. While I am all for appropriate regulation as well, the simple fact of the matter is that it will always lag behind technology and in many cases will not even materialize until (a) large scale disaster(s) happen(s).

For those interested: there is no cure or killswitch for (Not)Petya/SortaPetya yet, only an alleged vaccine which can be found here.

JonKnowsNothingJune 28, 2017 10:46 PM

@Richard

Given the situation, Microsoft should either continue to patch XP, or create a 'lite' Windows 10 variant that will run on XP level hardware - and provide existing XP users with a FREE upgrade path.

While I might wish for the same thing but... have you tried to use a rotary phone recently?

There are some things that are not upgradeable.

Not long ago, I asked my ISP (ATT ahem ahem ahem) if I could just have PHONE service with NO INTERNET service?

My thinking was I would just hang out with the ubiquitous data tracker/warhead delivery device with built-in easily manipulated evidence producers for pre-crimes and pre-thought-crime convictions that I carry with me. Who needs wires when you can be convicted much more easily with a wireless one.

SURPRISE! The answer is NO. I can no longer have just a PHONE. I can drop the PHONE and go INTERNET only but if I want a PHONE and MUST HAVE the INTERNET + PHONE combo package. There is no PHONE ONLY option anymore.

So.. why is there "Telephone" still in the name ATT? I dunno but they don't really offer it anymore. Just Fake Fone Service (voip).

There are some things that worked and worked well. Most of them are No Longer In Service.

So, if you want to use a rotary phone, you might have to move "elsewhere". If M$ and Others want to kill off old tech they are going to have to block it another way. You cannot block what isn't on the internet but if it is then companies do what they are doing: forcing upgrades that do not work, to force people to buy new stuff in desperation.

Perhaps PETYA-NOT is the answer.


Clive RobinsonJune 29, 2017 4:41 AM

@ JonKnowsNothing,

While I might wish for the same thing but... have you tried to use a rotary phone recently?

Yes and it still works ;-)

There are some "entities" that have a requirment to use them. In part because of their reliability under certain extream conditions[1], and in part because no other phone type has been certified for use (and may never do so now)[2].

Part of the issue is "legacy systems" the cost of the copper wire is way less than the cost of installing it and in some cases certifing it. Thus there is a hugh investment in existing systems and replacing them with a like for like system using new protocols / standards is going to be way to expensive. Hence they hang around like the ghost at the banquet.

Howrver some newer installations are actually looking to replace traditional 2 / 4 / 6 wire base band phone wiring systems with "leaky feeder" RF systems as this gives much greater expansion capabilities both currently and in the future (thus keeping the instalation investment longer). Thus low power VHF/UHF PMR, Wifi, GSM and other services all use the same cable with minimal provlems. Thus existing intrinsically safe (Ex-I) radio systems can be used along with newer systems, without requiring "re-wiring" and certification.

[1] Military field tellephones and any network where EMP from nukes or solar flares etc or where the infrastructure may loose power. So you will find them also in critical infrastructure such as water and energy supply in "Engineering Order Wire" circuits.

[2] You will find both Ex-D and Ex-I phones in "safety critical" areas in Industrial Control Systems, Petro-chem, mines, gas/oil platforms and the like, usually these have "low voltage" ring circuits some systems work below three volts. Part of the problem is that modern surface mount components can not meet the "physical" issolation distances of 0.5mm between tracks on a PCB. Whilst there are ways around this it's expensive to get through certification. One way around is Ex-E encapsulation, but as nearly all existing wiring is for a different method, you have a very limited market to sell new into...

RachelJune 29, 2017 6:03 AM

@ Clive
@ Jonknows nothing

We have a rotary phone or three on hand all time. Living in the country,at the very end of the supply line that happes to be old, power goes out not infrequently sometimes for several days. Or lightning strikes will blow up anything plugged in so we've gone through countless electricity-reliant phones. As clive noted,a rotary phone will still work without electricity. The line is often clearer also - less interference. I recommend everyone to have a rotary phone in the house just in case

pots or notJune 29, 2017 10:26 AM

@Clive Robinson
@Rachel
@JonKnowsNothing

In some parts of the usa, it costs about 75 usd per month for an old fashioned land line.

For a user that can marginally afford it is it worth keeping that copper twisted pair landline for things like 56 kbs modems to internet, phone service that doesn't require ac or battery back up, etc., since some phone companies tear out the old copper wire when they update to fiber and won't replace copper if you quit fiber. In fact some companies, I believe, have federal appproval to stop supporting copper if, for example, they can provide fiber phone service (presumably voip) instead.

Regardless at least one usa resident plans to keep the status quo, at least until receiving feedback from SOS bloggers.

The phone company indicated that any complaints about copper, ie. requested service calls, could force a fiber conversion. That begs the question: if a separate cable provider installs cable and cuts the twisted pair could I solder the twisted pair back together. Should the cable company know where the twisted pair is outside?

OT where people are lucky enough to have a choice between fiber and cable, from a security perspective, what are the pros and cons for a home or small business user? For example a cable modem can be purchased, but fiber might require specialized hardware from the phone company before the customer's router. Legally might, pots, fiber , coax cable have different protections under federal, state, or local law. In the past I think that eff.org indicated that cable might provide some advantages from a privacy or security perspective under the law.

Thanks in advance

DelJune 30, 2017 7:37 AM

I dread to think how many millions or billions of $ of kit has had to be replaced either because of an OS update or a new PC.
If I buy a scanner that I use a few times a year why, unless it broke would I want to change it. it does not matter how slow it is, as long as it works.
For those that have the money and the inclination replacing a piece of kit just because you want to, not because you need to is OK, but the cost in landfill for the old kit has to be weighed up. Using the Scanner analogy my old scanner had a parallel port interface. Slow, but it worked. But when I bought a new PC they no longer included a parallel port.
Micro$oft, bless their cotton socks have a habit of breaking perfectly functioning kit on a New or updated OS. Web cameras with Windows 10 Anyone!
The number of times they have changed the driver model, nearly every time there is a new O/S! and then the device manufactures cannot or will not provide drivers for these "old" items. "Have to buy a new one please".
I know that things change. USB has gone through a number of iterations but basically and with a few exceptions you should still be able to use most USB1 device in a USB3 port.

Clive RobinsonJune 30, 2017 9:46 AM

@ Del,

The number of times they have changed the driver model, nearly every time there is a new O/S! and then the device manufactures cannot or will not provide drivers for these "old" items.

It's quite a delibert ploy by Microsoft, and it's a form of "vendor-lock-in" only it's not on the end customers --you the much benited user-- but product suppliers, who Microsoft also make money out of one way or another.

The solution is Device Independent Protocols, and a Linux or similar FOSS OS box. Put your "nolonger MS supported" devices onto there and put all the files in an independent format that is supported (you'ld be surprised at how many MS do support). As an example Postscript and CUPS for older printers and similar for scanners cameras even webcams.

I know it's an extra box, but it generaly does not have to be high spec, and you can use it for other things as well such as a file server or even media server if the spec is upto it. Also those dull neywork protocols you have to run when you have your own home network.

JonKnowsNothingJune 30, 2017 6:25 PM

re: Rotary Phones

Glad to know they still work if you have one. :)
Alas for me I cannot get PHONE ONLY service from ATT.
Not even if I use a Princess Phone. :)

Obsolete is Obsolete but that doesn't mean it doesn't work. What it means is It's No Longer Officially Supported and therefore sent to the landfills and tech museums.

But if it works and you plug in your old rotary to a telephone network and it blows up the back end switch or fries a connection at the CO - there will be some irate folks coming to your door.

Same thing happens if you are digging post holes with an auger and locate the fiber optic lines running parallel .... about a mile of fiber later ....


XP is in the same category. It works. It's used. It's not broken. So why expect folks to throw it away just because M$ no longer support it?

LINKS are shaping up to be the Worst-Ever/Bad-Idea on the Internet....
PEGASUS on wings!


martinrJuly 19, 2017 12:51 PM

I'm slightly diaappointed to read 100% FUD on Schneier's Blog.

Windows XPsp3 (aka Windows PosReady 2009) is going to officially get patches until 2019.
Windows XPsp3 is also the most secure version of Microsoft Windows that exists. And since it is no longer considered mainstream, it is actually targetted less often than newer versions of Microsoft Windows (see WannaCry, which was most successful on Windows 7).

The Microsoft Malware Protection Engine is probably in desperate need of several more software updates. Given how often and how unsuccessfully Microsoft attempted to fix--and failed-- the comparatively trivial Windows font parser, I have little hope that Microsoft manages to fix the design flaws and bugs in the Malware Protection Engine anytime soon.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.