THOUSANDS of UK.gov Win XP PCs to face April hacker storm... including boxes at TAXMAN, NHS

Thousands of PCs at Britain’s biggest public sector bodies will miss Microsoft’s April deadline to abandon Windows XP before open season for hackers begins. HMRC and the NHS in England and Scotland will still be running thousands of systems using Windows XP after Microsoft turns off the support lifeline on 8 April. HMRC has …

COMMENTS

This topic is closed for new posts.

  1. Elmer Phud

    More time needed?

    It's not as if they didn't know -- but planning more than a couple of months ahead would never get the budget as it's not a politician's knee-trembler of instant gratification.

    In the meantime, while little work is done, huge teams of people generating excuses and finding ways to blame others are hard at work (and expecting bonuses).

  2. Anonymous Coward

    IE8?

    Migrating from XP to 7 makes sense when you are a MS-shop, but why IE8?

    Why not use the chance to at least go to IE9 or later?

    1. John Smith 19 Gold badge
      Unhappy

      Re: IE8?

      "Migrating from XP to 7 makes sense when you are a MS-shop, but why IE8?

      Why not use the chance to at least go to IE9 or later?"

      Because you've probably bought the whole MS package and run all your server systems on IIS and your developers coded lots of MS specific stuff and now you can't get rid of the crap.

    2. Anonymous Coward

      Re: IE8?

      IE8 would be a dream - recently I was working with "certain government departments" who refused to move off IE6 as it was too much of a headache to run an update program and get it CESG approved.

      Ultimately it's not that big a deal if the PCs are never allowed on the internet (and restricted environments generally are not), and the multiple layers of firewalls are all configured properly.

      1. John Smith 19 Gold badge
        Unhappy

        AC@10:49

        "Ultimately it's not that big a deal if the PCs are never allowed on the internet (and restricted environments generally are not), and the multiple layers of firewalls are all configured properly."

        Wasn't it the "multiple layers of firewalls" not being configured properly that let McKinnon into the DoD?

        And that was an organisation that makes annoying people its business.

        1. Anonymous Coward

          Re: AC@10:49

          I couldn't possibly comment on that particular event - but (and this is purely conjecture) if some bunch of idle slackers had done the job that they are paid very well for then it would not have happened.

      2. Anonymous Coward

        Re: IE8?

        except that a big thing in HMRC a year or two back was the roll out of internet access at all desktops on the standard network.

        Try a lunchtime browsing session with IE6 though and you'll soon give up, or resort to trying m. as a prefix rather than www.

      3. Test Man

        Re: IE8?

        "Ultimately it's not that big a deal if the PCs are never allowed on the internet (and restricted environments generally are not), and the multiple layers of firewalls are all configured properly."

        Except a dodgy USB stick can render all of this moot.

        1. Number6

          Re: IE8?

          Except a dodgy USB stick can render all of this moot.

          In theory you can disable such things. Obviously someone didn't, or at least not properly.
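          Neither post says how the "disable such things" check is actually done, so here is an added example (not from any poster in this thread) of the kind of audit a desktop team would run against a Windows estate before claiming removable media is blocked. It reports the two mechanisms admins normally rely on: the USBSTOR driver start type (the only option on XP itself) and the "Removable Storage Access" policy values that Group Policy writes on Vista and later. The registry paths and value names are the standard ones; the function name and the summary object are this example's own.

          ```powershell
          # Added example: audit whether removable USB storage is blocked on this host.
          # Run in an elevated PowerShell session. Does not change anything.

          function Get-UsbStorageState {
              # USBSTOR is the USB mass-storage class driver. Start = 3 (manual) lets
              # sticks enumerate; Start = 4 disables the driver. Works on XP upwards.
              $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                      -Name Start -ErrorAction SilentlyContinue
              $usbstorDisabled = [bool]($svc -and $svc.Start -eq 4)

              # Group Policy "Removable Storage Access" (Computer Configuration >
              # Administrative Templates > System) writes under this key. Deny_All on the
              # parent covers every device class; the GUID subkey is "Removable Disks".
              $polRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
              $removable = Join-Path $polRoot '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

              $denyAll   = (Get-ItemProperty -Path $polRoot   -Name Deny_All     -ErrorAction SilentlyContinue).Deny_All     -eq 1
              $denyRead  = (Get-ItemProperty -Path $removable -Name Deny_Read    -ErrorAction SilentlyContinue).Deny_Read    -eq 1
              $denyWrite = (Get-ItemProperty -Path $removable -Name Deny_Write   -ErrorAction SilentlyContinue).Deny_Write   -eq 1
              $denyExec  = (Get-ItemProperty -Path $removable -Name Deny_Execute -ErrorAction SilentlyContinue).Deny_Execute -eq 1

              [pscustomobject]@{
                  ComputerName            = $env:COMPUTERNAME
                  UsbStorDriverDisabled   = $usbstorDisabled
                  PolicyDenyAllClasses    = [bool]$denyAll
                  PolicyDenyReadRemovable = [bool]$denyRead
                  PolicyDenyWriteRemovable= [bool]$denyWrite
                  PolicyDenyExecRemovable = [bool]$denyExec
                  # "Blocked" here means a stick cannot be mounted or read at all;
                  # write- or execute-only denies still let infected files be read.
                  MassStorageBlocked      = ($usbstorDisabled -or $denyAll -or $denyRead)
              }
          }

          Get-UsbStorageState | Format-List
          ```

          Two caveats a practitioner would add. Both controls only cover the mass-storage class: a device that enumerates as a keyboard (HID) is untouched by USBSTOR Start=4 and by the Removable Disks policy, so "USB disabled" is narrower than it sounds. And a local administrator can flip either value back; the check only means something when the policy is enforced by GPO and the result is collected centrally rather than trusted from the endpoint.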

  3. localzuk Silver badge

    The XP cut off date has been known for *years*. Windows 7 has been replaced since, and is very stable (and was even 2 years ago).

    So, why are these agencies all scrabbling around now, likely to miss the date?

    1. Neil Alexander

      Because IT departments are lazy and rely too much on the "If it ain't broke, don't fix it" mantra.

      1. ukgnome

        @Neil Alexander

        "Because IT departments are lazy and rely too much on the "If it ain't broke, don't fix it" mantra"

        I don't think that's true, it's more often the case that the clients think they know better. Or as is happening in my organisation, a complete lack of upgrading key systems because the cost is quite staggering. It's cheaper to pay for a few more desktop technicians who can hold the hands of users as they reboot their PC.

      2. Anonymous Coward

        @ Neil Alexander

        That's a very big brush you're using there. Whilst it may be true in some cases, as someone working in NHS IT and seeing this first hand, it's more likely to be a case of legacy applications that have been sourced by individual departments within trusts, without consultation with the IT Departments, that the IT Department are then expected to support after the fact, coupled with ridiculously tight budgets and cost cutting that mean that IT Departments are running with approximately 50% of the staffing levels needed to properly deal with day to day running, roll out, and projects.

        Migrating approx 4.5k PCs (in my trust's case) from XP to Win7 takes time and resources that, simply put, haven't been made available to us because the trust board don't see it as a priority, despite continued and ongoing warnings from our department of the risks involved.

        AC for obvious reasons.

        1. davefb

          Recently saw an example. OH was getting hearing aids and the app to set these up was on a windows xp machine.

          Now, I'd assume the NHS is at the whim of the supplier and new software for something like that isn't going to be cheap. It certainly wasn't a very simple piece of software either.

          And the PC it was running on didn't look like it would run Win7 anyway, so probably would have needed replacing as well.

      3. WonkoTheSane
        FAIL

        @Neil Alexander

        "Because beancounters are lazy and rely too much on the "If it ain't broke, we ain't paying for it." mantra."

        FTFY

        1. Don Dumb
          Boffin

          Re: @Neil Alexander

          It's not just the beancounters though - "I'm sorry Mrs Smith, you can't have your pacemaker because we are paying for an upgrade to the computer system"

          Imagine what that would do when Mrs Smith goes to the press - the trusts have difficult decisions to make, especially when their budgets are getting cut.

      4. tin 2

        they're also too busy answering stupid FOI requests from people wanting to write exclusive news stories.

        1. Anonymous Coward

          Having recently worked in several large banks I can say that it is the same story there. To be fair they were also running XP installations which hadn't been patched for several years and so were relying on firewalls and anti-virus software to protect them.... which it seemed to be doing as none of them had had any problems they were admitting to.

          I suspect that the chant of "upgrade by April or you'll all die" may be an example of a boy crying "wolf".

          1. micheal

            "upgrade by April or you'll all die"

            From the same people who made millions from the "Millennium Bug" scare about planes dropping from the sky, trains crashing and world disorder

            1. Pookietoo

              Re: "upgrade by April or you'll all die"

              I can't help thinking that some of those responsible for (not) funding the migration think it'll be the same as Y2K - lots of hype and a damp squib of an event. Only time will tell if they're right ...

              1. lorisarvendu

                Re: "upgrade by April or you'll all die"

                "I can't help thinking that some of those responsible for (not) funding the migration think it'll be the same as Y2K - lots of hype and a damp squib of an event. Only time will tell if they're right ..."

                Not true, at least not in our organisation, where we audited every single PC for Y2K compliance, updated the BIOS of those that we could, scrapped and replaced what we couldn't. We were then accused of hype because nothing happened. But nothing happened because we had fixed it. Y2K was a Lose-Lose for IT Departments, so let's hope April 2014 won't be another.

                It won't be at our place, because we've completed our 2-year migration to W7. But then we're funded by HEFCE so we could afford it.

            2. Anonymous Coward

              Re: "upgrade by April or you'll all die"

              You're absolutely right, nothing will happen in April.

              The circle jerk people are down voting but come April they will say they thought nothing would happen all along.

            3. Anonymous Coward

              Re: "upgrade by April or you'll all die"

              "From the same people who made millions from the "Millennium Bug" scare about planes dropping from the sky, trains crashing and world disorder"

              I think you'll find the people who made money from scaring people about Y2K were the media. Those of us in IT didn't have time for that - we were too busy patching software to fix it. But if you want to believe Y2K didn't exist, I won't waste my breath on you.

              And as for "upgrade by April or you'll all die", that's your hyperbole. There will be issues, you can be sure of that.

      5. Number6

        Because IT departments are lazy and rely too much on the "If it ain't broke, don't fix it" mantra.

        Or (b) the IT department highlighted this a couple of years ago but no one gave them the budget to actually do anything about it.

      6. Anonymous Coward

        Because IT departments put in the budget for the upgrade each year for the past 4 years. Each time it was declined because of lack of funding, driven by central government spending cuts.

        IT do what has to be done. But even they can't just do it for free.

        Edit: Oops. What he said above me :)

      7. Anonymous Coward

        "If it ain't broke, don't fix it"

        It's not likely to have run out of money. Or did you mean 'broken'?

    2. Anonymous Coward

      "So, why are these agencies all scrabbling around now, likely to miss the date?"

      Because regardless what happens, nobody will be held to account. No sackings, no demotions, no personal fines or liability. If the local hospital get fined (eg, as they often do for DPA) what does that matter? It's only a budget transfer from one public sector body to another.

      This attitude is to be expected in the NHS, given that the politicians and civil servants demonstrate leadership like appointing as NHS chief executive David Nicholson, one of those overseeing the criminal shambles at Stafford Hospital. Indeed, the c**t got a knighthood after his culpability for that was known. This demonstrates that the NHS does not discriminate on the grounds of ability, and if that's the shadow of the leader, you can be fairly sure the rest of the organisation is run on a similar basis.

    3. Roland6 Silver badge

      Re: So, why are these agencies all scrabbling around now...

      From the article no evidence is presented to indicate that these agencies are "scrabbling around".

      Desktop upgrades/refreshes outside of the single user/home environment are non-trivial - unless you like living by the seat of your pants and don't really care about your reputation or the reputation of the organisation you work for...

      Remember it is highly unlikely that either HMRC or NHS Scotland are using vanilla Windows; doing the leg work necessary to securely lock windows down and to prove that it is secure and to test that all enterprise applications and systems work and are accessible takes time, particularly if you are also having to wait on vendors to upgrade their products...

      In either case it is unlikely that the systems being referred to are not locked down and have: unrestricted internet access, unfiltered email etc. and reside on unmanaged networks, hence "missing the date" isn't the big issue many headless chickens make it out to be.

  4. sysconfig
    FAIL

    "NHS Scotland has 3,603 PCs with 3,537 on Windows XP and the same number on IE6."

    "NHS Scotland beginning its shift relatively late, in July 2013."

    So that's 66 PCs updated in 6 months, or 11 per month on average. (IF the 66 PCs were running XP and not another OS.) They want to be over and done with it in the third quarter? Right, not at that pace. Or they meant Q3 sometime in the 22nd century.

    They might want to check out CyberStreet (see other El Reg article). Seems they can learn a few bits and pieces there.

    1. Anonymous Coward

      So that's 66 PCs updated in 6 months, or 11 per month on average. (IF the 66 PCs were running XP and not another OS.) They want to be over and done with it in the third quarter? Right, not at that pace. Or they meant Q3 sometime in the 22nd century.

      Or as is a more likely case, that's 1 or 2 computers in each critical department so that applications can be tested ready for a mass migration once that is complete.

      or even better NHS local gov all $hit bunch of idle fekkers don't know what they are doing etc etc etc

      1. Peter2 Silver badge

        Or alternately, "the NHS" (which is btw not one organisation; the NHS is best thought of as a billing structure, as every county and a lot of hospitals has its own NHS trust/organisation with its own CEO making its own decisions) has a wide range of suppliers for various bits of equipment. Like pacemakers, AEDs and all sorts of things that occasionally need interaction with a PC for diagnostics or the like.

        Unfortunately, some of those companies have had the temerity to dare to go out of business without the NHS's permission, since their extremely reliable equipment which lasts a lifetime (sometimes all too literally) relies on the software which came with it, which is no longer produced or updated.

        The approaches to problem detection advocated by some kids based on "I just install it at home and see what doesn't work" are excessively dangerous when dealing with things that absolutely have to work or somebody dies. "The installer ran..." is not good enough. You have to document every facet of the program as working correctly. Do you have any idea how expensive that is for high hundreds to low thousands of programs?

        This added to the fact that the cost of replacing some equipment needing the PC interface is actually roughly equivalent to the salary costs of the staff using the equipment over the course of their entire career may go some way to explaining why there are still XP/9x boxes around.

  5. Anonymous Coward

    FUD

    "yet users will continue to be allowed to access the internet from their vulnerable Windows XP machines and using IE6.

    That means users could come under attack with no defence from Microsoft."

    This is just FUD-ing. All those machines are almost certainly behind a firewall that implements layer 7 filtering, which means that the chances of an actual threat reaching the XP machine itself is negligible.

    And there's a reason why things are set up that way - directly exposed Windows machines cannot be trusted to not be exploitable even when fully patched, so other counter-measures are put in - which in turn make the patch level of the Windows machines themselves rather less relevant, other than for panic-mongering headlines.

    1. Anonymous Coward

      The Elephant in the Firewall

      That is assuming that staff with laptops aren't allowed to take them off-site - a situation that is far too common.

      One infected laptop brought back on a network and all your external firewalls come to naught.

      Anonymous because ... well, let's just say I'm one of those who'll be holding the dustpan.

      1. Anonymous Coward

        Re: The Elephant in the Firewall @AC 11:24

        "That is assuming that staff with laptops aren't allowed to take them off-site - a situation that is far too common."

        Generally the point of a laptop as far as I'm aware. I remember someone bemoaning getting a laptop years back. While most saw them as symbols of their importance, he twigged that he'd be expected to do a load of work off the clock at home ...

        "One infected laptop brought back on a network and all your external firewalls come to naught."

        That's more of a cultural failing in the organisation than anything else, though.

        1. Matt 21

          Re: The Elephant in the Firewall @AC 11:24

          I haven't worked anywhere for years where the laptops weren't protected with various things such as anti-virus software, firewalls etc; so that they could be safe while off-site.

          Thinking about it the last time I saw a problem caused by an infected work laptop was almost ten years ago.

        2. Number6

          Re: The Elephant in the Firewall @AC 11:24

          I've been given a laptop at my new job. It's lived on my desk apart from a couple of visits to the lab. I see no need to bring it home.

    2. Test Man

      Re: FUD

      "This is just FUD-ing. All those machines are almost certainly behind a firewall that implements layer 7 filtering, which means that the chances of an actual threat reaching the XP machine itself is negligible."

      Actually, THIS is FUD-ing, as a dodgy USB stick/external HDD/whatever can still render the machine unusable (and it has happened).

      Anti-virus software isn't going to help if it's a vulnerability that the software doesn't know how to catch yet (which has happened too!).

      1. Matt 21

        Re: FUD

        ...but all of those are issues (or not) which apply equally to any version of Windows or any other OS.

      2. Anonymous Coward

        Re: FUD

        @Test Man:

        "Anti-virus software isn't going to help if it's a vulnerability that the software doesn't know how to catch yet (which has happened too!)."

        Those are generally known as 0-day exploits, and as such they will equally penetrate a fully patched OS, so the example is completely bogus. More FUD.

  6. Anonymous Coward

    M$ is sure to blink first...

    ...and extend the XP support deadline for another year, at least.

    It's in their best interest unless they want to be responsible for generating the largest botnet known to man come April.

    1. Salts

      Re: M$ is sure to blink first...

      I am not a lover of Microsoft, but on this occasion I would have to say, why the F$%# should they even care, they have given more than enough notice and if you want support they are happy to offer it, you just have to pay.

      Not to mention if I was an MS shareholder I would be pissed off with them giving away another year of support, when they could and should be making money out of the people who could not get their act together in time.

      1. Anonymous Coward

        Re: M$ is sure to blink first...

        Perhaps businesses would be more willing to spend money on something worth upgrading to, as opposed to the abomination that is Windows 8?

    2. Piro Silver badge

      Re: M$ is sure to blink first...

      I assume by "M dollar" you mean "Microsoft", so then, I'll start by disagreeing with you.

      I hope horrible things happen to all these internet connected XP machines.

  7. Crisp

    Management drag their heels on keeping tools up to date.

    And then blame everyone but themselves years later when those tools fail.

  8. Anonymous Coward

    What's the problem?

    I mean they can't be locked in to proprietary systems as they've had policies to protect against that since 2002 ...

  9. Anonymous Coward
    Linux

    Run Kryten Smug-Mode

    No such problems here.

    1. Anonymous Coward

      Re: Run Kryten Smug-Mode

      Look, I'm a big Linux user and linux fan, but you're not comparing apples with apples: Do Red Hat still support RHEL from 13 years ago? No. What you mean is that you can update for a while, then upgrade to the latest version, but I strongly suspect you don't have any formalised support.

      1. Hans 1

        Re: Run Kryten Smug-Mode

        Moot point, is XP pre-SP1 still supported by Microsoft? No. You have no ff'ing clue!

        1. If you have Linux, you have server interfaces with software standards in place. If you have software standards, you can upgrade Linux, like any other client - yes, even Windows - without a problem whenever you want. Ideally, you want browser-based or Java-based clients anyway, as it is less pain to go platform-independent.

        2. Linux does not require shitloads of resources to run, so any Pentium 4 will do perfectly fine, provided you put in 1GB of RAM, which should at least be the case for the XP boxen as with less, they grind to a halt.

        3. Linux has not changed the UI much over the last 15 years

        Alternatives Window cleaners choose:

        1. Put Windows 7 on the boxen, WakeOnLan to boot every PC every weekday morning at 6 o'clock to make sure the login screen is there when the lusers come in at 7:30.

        2. Pay shitloads for new PCs ... so they can have Aero to boost productivity - fancy screensavers and shit ;-)

        1. Anonymous Coward

          Re: Run Kryten Smug-Mode

          "you have Linux, you have server interfaces with software standards in place. If you have software standards, you can upgrade Linux, like any other client - yes even windows- without a problem whenever you want. "

          So why then do several applications that run just fine for me on CentOS 5 not work at all on CentOS 6??

          Oh and it didn't support an in-place upgrade like a single version jump of Windows would have.... I had to reinstall from scratch.....

          "Linux does not require shitloads of resources to run"

          Benchmarks show that current Windows versions outperform the latest Linux versions (like MINT) on the same hardware for key things like desktop graphics and large file transfers...At the low end, optimised Windows kernels like Windows Phone also outperform Linux based OSs optimised for similar environments like Android. So this is somewhat of a myth (from Windows 7 onwards anyway - Vista was a bloated mess granted).

          "Linux has not changed the ui much over the last 15 years"

          And it shows...

      2. Vic

        Re: Run Kryten Smug-Mode

        > Do Red Hat still support RHEL from 13 years ago

        EL5 and EL6 will be supported 13 years from rollout.

        EL3 and EL4 are only 10 years from Red Hat, but there are many third-party support operations who can sell you that extended support if you want it.

        Disclosure: Until very recently, I was one of those third-party suppliers.

        Vic.
