Manchester, UK, police still relies on Windows XP

27 points | concerto | 8 years ago | bbc.co.uk

35 comments

peterburkimsher | 8 years ago
I work for a tech company in Taiwan. The factory downstairs is making microSD cards. I write some driver software to talk to the machines, sending commands using SECS-II and getting the machines to log data to a SQL server.

The testing machines still run Windows 2000.

There is no SQL library for Visual C++ 5. I couldn't use the .NET framework, or any other libraries - everything running on the testing machine had to be bundled into a single .exe file.

Why not update? The testing machine was built by another company, and sold with a 20-year warranty. Updating Windows, or even installing software would void the warranty.

My program was designed to be easily deleted in case of an audit.

These machines were on their own LAN with no Internet access, thankfully. I've realised that for my software to endure, I should write it standalone, without needing libraries, and in a very common language that is likely to still be around for a while (C, JavaScript, Bash). The code is more verbose, but that puts the burden on the developer (me) instead of the user, who is more likely to make really dodgy workarounds than file a bug report.

Dayshine | 8 years ago
>My program was designed to be easily deleted in case of an audit.

Errr what?

stupidcar | 8 years ago
> The UK's biggest force - London's Metropolitan Police Service - was among those that refused to share an up-to-date figure.

> But in June it said about 10,000 of its desktop computers were still running XP.

> "Disclosing further information would reveal potential weaknesses and vulnerability," the force's information manager, Paul Mayger, said.

So they're concerned enough about security not to disclose the number of XP machines, but not so concerned as to actually fix the problem.

dx034 | 8 years ago
Public services in the UK have faced severe budget cuts in recent years. Spending money on new software could very well have meant having fewer police on the street. That's not an excuse to use unsafe systems, but it can be an explanation. Public services don't work like companies, especially if they're forced to reduce their budget by 30% over a few years without neglecting their duty.
dTal | 8 years ago
"We can't tell you because it would reflect badly on us."

You hear this sort of thing a lot from secretive bureaucracies.

francis-io | 8 years ago
> The remaining XP machines are still in place due to complex technical requirements from a small number of externally provided highly specialised applications," a spokeswoman told the BBC.

This is the real heart of the issue. In my (very limited) experience, software choices are made by different people than the ones that deal with them each day.

My hope is that more and more applications will become web based, and big enterprises can move to a cut down linux desktop with a limited attack surface, so internal IT teams can focus more on securing servers.

rlpb | 8 years ago
At a higher level, I think the problem is poor requirements specifications when the externally sourced applications were first procured. If the procurers had accurately predicted the lifetime requirement, they could have required the stack to be fully security supported for that length of time, making it the vendor's problem to update to a newer OS that has security updates.

Instead, they pushed the cost back while keeping the risk themselves.

Perhaps back then this wasn't so obvious. I hope it is now, and procurement teams actually do incorporate this into their requirements now.

dx034 | 8 years ago
The problem is that you'd want to have desktop apps for some parts and you'd then probably end up with some Electron app which looks nice but is slower than a 20yr old programme with the same function. Esp where hardware needs to be integrated (e.g. taking fingerprints), I imagine it's not easy to create platform independent applications.
jlebrech | 8 years ago
They should install some VMs for those specialised applications; this would also have the additional benefit of snapshotting.
hoodoof | 8 years ago
For hecks sake just put the foot down and cancel the money going to the tardy vendors.

Cutting off the money supply magically fixes software issues fast.

osullivj | 8 years ago
Last year I contracted for a mortgage origination system vendor supplying Virgin Money aka Northern Rock. The client preferred to run a heavily customised Windows C++ 90s version of the system, with XP desktops. All attempts to persuade them to move two generations forward to a browser GUI .Net back end were resisted. Migrating forward two generations would have been a huge project. The status quo was a heavily customised, almost bespoke, system that was booking huge volumes of business.
jaclaz | 8 years ago
From the article:

"So, if the [police's] Windows XP computers are exposed to the public internet, then that would be a serious concern. "If they are isolated, that would be less of a worry - but the problem is still that if something gets into a secure network, it might then spread. That is what happened in the NHS with the recent Wannacry outbreak."

Only problem being that KryptosLogic tests confirmed that WannaCry did not infect "properly"[1] Windows XP machines on the network (while if the malware is executed locally, XP is vulnerable):

https://blog.kryptoslogic.com/malware/2017/05/29/two-weeks-l...

[1] If SP3, the infected machine would blue screen without encrypting anything and without having the possibility to spread the malware to other machines; if SP2 (improbable), the machine would not be infected.

squarefoot | 8 years ago
They could be using the POS version which IIRC will get regular updates until 2019. Probably illegal, unless they have some special license, but surely not a bad thing given the huge boost in performance compared to newer OSes and the shrinking number of compatible malware around.
xvilka | 8 years ago
They should try ReactOS.
kennydude | 8 years ago
Last I heard Northumbria Police still use COBOL...
dx034 | 8 years ago
Once your language is old enough you're probably much safer. Finding a hacker who understands how to find weaknesses in a system from the 70s will be harder than someone who knows how to exploit Win XP.
sjmulder | 8 years ago
COBOL is old and increasingly rare but not necessarily unsupported. That makes it a different kind of issue.
petepete | 8 years ago
Yes, my hometown is on the front page on HN!

Oh, damn.

Nexxxeh | 8 years ago
Mine is front page of BBC News this morning. Seems like it's never good news at the moment.