The intertubes have been filled with the stories about the coming demise of Windows XP. And I have to admit a certain fondness for the OS, after all, we have been together for 12 years and countless machines. Yes, there was Vista (briefly), and I am still getting used to Windows 7’s quirks just in time to find my way around 8.1. And I am not alone: Kaspersky claims nearly 20% of their current anti-virus customers still run XP. Time is running out, as we all know.
But what hasn’t been covered is what I call the forgotten desktop which runs XP. There are plenty of devices that aren’t actually sitting on anyone’s desk but are connected to your corporate network, and will need upgrading. When you start to look around, you can find them in some surprising places, such as point of sale terminals, ticket kiosks for trains and subway stations, medical equipment, displays at airports, bus stations and train stations, digital payphones, digital LED signage, video conference rooms, red light speed cameras, movie ticket kiosks, and supermarket self-checkout lanes (these have enough problems as is). Take a look at the collection chronicled in the Public Computer Error Board. I am sure you can think of other places XP might be lurking.
“This interconnected world can be a dangerous place when it’s built on an unsupported operating system that’s vulnerable to exploits or simple compatibility limitations,” says Justin Strong, a product marketing manager at Novell. And after all, who would know better than the folks who originally hooked up all these XP machines back in the day?
“IT departments are relieved if they’ve simply migrated their workforce off XP,” says Strong. But that’s not enough. Microsoft’s Craig Mundie at the Techonomy conference last year said, “Even one XP machine represents a major threat.” This is because XP can’t be hardened to avoid today’s threats and has many weaknesses. According to Microsoft, XP machines are six times more likely to be infected with malware than newer versions of Windows. Yikes.
I know many of you still have even Windows NT and 2000 running somewhere on your networks, and maybe even some Novell Netware too. Let’s make a clean sweep. And yes, I will miss XP, we have been through a lot. But it is time to move on.
What about all the medical devices that were certified using Windows XP? How many manufacturers are still producing machines like that and are extremely reluctant to go through another certification procedure? What about other areas of business where certification is necessary?
Also I would take it with a grain of salt that “According to Microsoft, XP machines are six times more likely to be infected with malware than newer versions of Windows.” I would suspect that most of the vulnerabilities of XP were discovered a long time ago. I don’t think the same will be true of Windows 8.
For as long as an OS is still constructed with an obsolete language like C++ or worse, many of the protections that are built into modern languages will not be available in the OS.
Finally, have you ever found needed functionality in a later version of Windows that is not available in XP? How necessary is glass?
Robert, you have a point. And yes, if you look at what I really do in Windows these days, most of it I could easily do with XP. But even on an ordinary desktop, you have plenty of unpatched machines.
I heard from a reader, James Francis, who writes his opinion of my post:
Interesting column. But there is a small problem with XP upgrades:
driver support. I’ve had at least two machines that I tried to upgrade
to Windows 7, but had to regress when driver support fell very short.
I’ve also had similar problems with many business systems, especially
POS terminals. Vendors simply abandon a given piece of hardware after
a while, especially if it’s not a top-end product. This is
particularly true with POS systems – often custom hardware that was
expensive to invest in. Many businesses and individuals prefer to
simply stick to XP as they do not need newer hardware, yet the drivers
for new operating systems are not as readily available as one may
think.
Any hope of creating more secure ecosystems will be dashed if we
solely rely on the upgrade treadmill as a business model. And
expecting companies such as restaurants to upgrade, no matter the
security benefits, is a tad ambitious. I agree we can’t harden Windows
XP. But an industry expecting everyone to keep up with the Joneses is
being both a bit ridiculous and also quite unfair to the end consumer.
Why not pressure these vendors to upgrade, I asked. He emailed me back:
Things like POS systems do not require a lot of power or
technical wizardry. That large businesses still manage to operate
without needing to upgrade is testament to this. So, where is the
incentive to upgrade? Security? Other than being an overused word by
eager salesmen, security doesn’t translate as readily into a healthy
bottom line as, say, new uniforms for your staff. It’s not enough to
convince companies that they need to spend a lot of money to upgrade
systems – and do so again in five years, if not sooner. To run a
business is a penny-pinching exercise and the hardware running it will
always be a low priority to many companies. That is for a reason: the
upgrade treadmill business model is actually a very poor one that
benefits the vendors more than their customers. I’m writing this on a
10-year old laptop, which has yet to stop me from doing my job. It’s
easy to see a restaurant owner or retail manager think the same. And
why not? Nobody needs a quad-core this and that to ring up sales.
I suppose I should add a caveat: large businesses and corporates ought
to keep their systems to spec, regardless of cost. They have an
obligation towards security, plus they have the muscle to negotiate
upgrades. This includes large retailers, which wire their POS into
credit card systems. But smaller companies may not need such upgrades
and are probably already jaded from poor IT purchases driven by eager
salespeople. If a small business does store client-critical data, it’s
another story. But many of these responsibilities have been moved to
the banks and other third parties, which already use custom hardware
(like the card terminals) to get the job done.
There is one exception I can think of: if the use of single board
computers like the Raspberry Pi becomes mainstream, it can open the
door to highly cost-effective POS upgrades which would sit well with
current and future security roadmaps.
I am in the same situation here in Holland…
I run a 2002 build Netware 5.1 Server, from which the Mainboard and Harddrives were replaced prior to failure just two years ago. I also still run WinXP SP3 Desktops in my high school attached to this Server. I am sad to have to lose this trusty Server probably this year… 🙁
My superior has decided to switch to M$ Servers…