The... Windows... XPocalypse... is... NIGH The XPocalypse is upon us, gentlebeings, and those of us who must keep XP around are doomed! Or so some very expensive marketing pushes would have us believe. As you know by now, I have to keep some XP systems around. In some cases they'll probably be around for a decade or more. If you believe the breathtaking hyperbole of …
Think about it.
They could take XP of the shelves for a few months, tinker with the OS a bit, rebrand/rebadge XP to "Windows Corporate" double the licence and cash in as IT everywhere would want to licence it. Give it another 5 years premium support (more $$) and hey presto
Roberta Is your mother's brother she don't talk about.... ^_~
It's almost as if you read Trev's previous post :-)
http://www.theregister.co.uk/2014/04/02/the_mathematics_of_trust/
He reckoned about $65 per year should hit the mark as an amount businesses would pay and enough to directly fund the necesary staff at MS. With the added bonus to MS of getting lots of people used to the idea of paying for an OS by annual subscription...
Microsoft does have an option like this, but only receiving application from very large company and had already set plan to migrate away from XP, and charging 200USD per machine for the first year, 400 for second, 800 for third etc., and it had been subscribed by UK and Germany government and etc.
Nice list of all the things to put on your shopping list of things to consider if you've simply no choice but to have XP lingering around, as so many of us do. I'm less concerned about XP in a Corporate environment however, way more worried about the army of consumer users who can't/won't ditch XP, or simply don't know any better. I think they'll be the real targets after the patches run dry.
....but this is only relevant to businesses who can afford a highly* competent windows/network tech to lock down their remaining IT systems.
For smaller businesses without access to the requisite techs with that kind of skillset, they will continue to run XP 'normally' and they will suffer, not necessarily because they don't take it seriously - but because they can't get their staff to not open flaky attachments at the best of times, never mind when the system is unpatched.
If you are in a position to lock down your XP machines in some way, fine - you can mitigate the risk. If you are not in a position to do something like that, then you need to exercise, at best, extreme caution backed up by disciplinary procedures that are enforced (IE treating opening malicious attachments in the same way you'd treat someone forgetting to lock the business up at the end of the night resulting in a robbery), and at worst, you need to throw money/hardware at the problem.
*As opposed to the sort of numpties who build servers with a RAID0 system partition. Yes, I've seen it, and yes, because I was called in after the server crashed. Windows techs may be ten a penny, but a significant minority of them shouldn't be charging more than 10p for their services. Such as the ones selling Norton as a solution to XP end of life. Which I've also seen from a local competitor...
"IE treating opening malicious attachments in the same way you'd treat someone forgetting to lock the business up at the end of the night resulting in a robbery"
OK, so you sack someone. Then there is a tribunal, and their representation asks the following: "Is it true that your business communications depend on an obsolete version of Microsoft Windows for which there are no security updates and no functioning antivirus products?"
The answer will not go down very well, will it?
I understand and have some sympathy with your views, but one has to allow for known human behaviour.
quote: "OK, so you sack someone. Then there is a tribunal, and their representation asks the following: "Is it true that your business communications depend on an obsolete version of Microsoft Windows for which there are no security updates and no functioning antivirus products?"
The answer will not go down very well, will it?"
Depends on the answer.
"My current business communications use enterprise standard products as are currently in use by the UK Government, and we are in the process of migrating to new systems with improved security. I would also like to draw your attention to the employment contract signed by the employee, specifically the "use of computer equipment" clauses which codify the expectations of vigilance, and diligence, required by employees when dealing with suspicious emails or files. Expectations which this employee failed to meet in this circumstance."
If you have contractual terms covering use (and misuse) of corporate computing resources, then it is reasonable to expect employees to adhere to those terms, is it not? Failing to adhere to those terms would be expected to trigger a disciplinary hearing, the result of which could potentially be dismissal, correct?
I'm tempted to invoke a driving analogy involving traffic lights being down (aka reduced security from XP hitting end of life) where drivers are actually expected to be more careful when crossing the junction than if the lights were working. It would make this user sound like one who just barreled through the junction regardless endangering life and limb, and we all know computer malware is nowhere near that dangerous, and that anyway computer security is strictly the responsibility of the IT department, not the end users. :)
OK, Norton is not the answer. But MS said that Security Essentials would continue to be supported, at least for a while. However, last week they turned its icon from green to brown, and now it is red. Surely if MSE is working as it should the icon should be green?
Since MS are being deliberately difficult, they deserve an obstinate response.
>Surely if MSE is working as it should the icon should be green?
It is working! The icon is red because you are now running an unsupported version of Windows...
Personally, I would uninstall MSE and install a third-party firewall & security suite such as Comodo or Agnitum (both do freeware versions).
Additionally or alternatively EMET is quite a useful tool to help harden the system. Whilst it isn't the same as Deep Freeze, Steady State etc. it does enable you to force the usage of many security features inherent in XP...
I am the originating AC - Thanks to Numptyscrub for responding to Keithpeters perfectly salient point in the manner I would have had I not been working and missed this thread. I have worked in the past in places where IT security and disciplinary proceedings are related, and while it's not a solution, when someone gets put on a written warning for getting a network share encrypted, it makes everyone remember that they can't just sit there opening crap up willy nilly if they like their jobs. Or even if they don't like their jobs, but would like to keep getting paid.
I just wanted to add to everyone banging on about AV software and firewall products being a solution; they are not. They are a band-aid on a bifurcation. I'm going to go on something of a rant here, so skip to the end if you feel the need.
AV software does NOT patch a vulnerability in a core OS stack that allows remote code execution - it simply allows you to prevent one method of that expoit getting to the machine after it has been discovered and catalogued - if you are part of the zero day infection (which, incidentally, last longer than zero days) that specifically targets unpatched systems (And this goes for any OS) then you are just as fucked as if you had not bothered to put AV software on there at all because the only thing that will stop that vulnerability is an OS patch - anything else is a half-measure and isn't acceptable if you have valuable data or processes running on your systems.
If you have firewall software, that will not stop a user from running the file from a USB pen.
If the underlying vulnerability is not patched, then all it takes is a minor change to the delivery vector (see the recent recursive attachment email infection to get past network edge and local AV email scanning systems : http://www.theregister.co.uk/2014/04/08/spam_attachment_within_spam_attachment_ruse_deployed_by_bank_trojan_slingers/ ) and you're still fucked because that underlying vulnerability will never get fixed.
Antivirus and firewall software are not a solution to an unpatched system, and anyone who claims otherwise should not be in a position to be handling security processes for any system that requires it's data/process/service integrity - and particularly if you are looking after SMBs or any other kind of business client.
For you garage radio streaming system (as noted by someone else below) which doesn't have sensitive data on it, it's not as big a problem. If you look after a small company, congratulations, telling them to just keep their AV and firewall software up to date to protect them may properly fuck them up in three months time, because someone has re-patched a delivery method for Cryptolocker or a similar, effectively irrecoverable infection. All it takes is for the company to get hit with something like that, and not have the cashflow to pay the bitcoin ransom, and you could have cost half a dozen people their jobs. Remember that.
Repeat after me....
AV and firewall software are not a solution for an unpatched system
AV and firewall software are not a solution for an unpatched system
AV and firewall software are not a solution for an unpatched system
@AC relying on policies and written warnings
"Repeat after me....
AV and firewall software are not a solution for an unpatched system"
So, we are back at the Tribunal, and you have admitted that the system is both unpatched and can never be patched as the manufacturer has declared it obsolete with many years, I repeat Sir, years, nay, half a decade's warning.
The complainant's representation now claims that your policy is, in effect, asking him/her to operate a machine without guards in place and with open hatches. And no goggles or safety shoes.
What might your response be?
PS: my lovely 12h day is tomorrow.
Ey up Keith. AC again. Hallo!
I'd kick that back up the chain 'o command and get the directors and beancounters who turned down multiple requests for systems refresh funding to take the stand; to use your analogy, they refused to pay for the guards and hatch covers despite being told the risks repeatedly by myself, in writing. Signed in triplicate and sent to all the directors to ensure they were all aware, and that I refused to take responsibility for it. So can I leave now, ta?
I'm a slippery motherfucker, I tells thee ;-)
AC
PS: We're getting into the realms of pedantry now, but I think you get my point ;-)
"they turned its icon from green to brown, and now it is red"
Yes. So those who can't or won't switch will get used to seeing a red shield icon due to EOL and won't notice if, for example, it's a warning that it didn't start/has stopped. Ditto the pop-up EOL warning training the users to click it off without reading it.
As opposed to the sort of numpties who build servers with a RAID0 system partition.
I saw one of those at the last place I worked. On that server was a Wiki containing the only real documentation for one of the products they sell.
I got called in after the first-line guy had the brilliant idea of re-formatting one of the drives to get around the disk crash...
Vic.
My garage PC runs XP and will be staying XP. I use it for playing internet radio, viewing service manuals, finding parts on fleabay, and other mundane tasks. I am actually looking forward to not getting update warnings and the resulting 30 minute download/install/reboot sagas. As for security, it has a half decent AV package and all my data is backed up elsewhere, so if it does get Pwned, I'll just wipe it and reinstall XP. Its an Athlon X64 3400+ with 3Gb RAM so although it would run Linux I just can't be bothered to faff about (it has some wierd RAID mirror for the primary disks) to get it working. When it gets infected I may look at Linux or I may just bin it and buy a cheap Win7 box.
To be honest, that's a perfect candidate for a Linux install by the sounds of it.
Drop the RAID if it's hardware based (or soft-hard, like the SilI3112, etc) and just drop Linux on it, and you can set up a linux software RAID mirror if you really feel the need.
If it really is just an internet client, throw a live Mint/Ubuntu/SUSE boot disk at it, and see if it behaves itself. If so, back up the data, nuke it, and carry on.
Bear in mind that if that machines talks to any network stores you have, and you get Cryptolocked - you're humped, period.
I'm not one for pushing Linux on everything, but if it suits, it suits. I'd say it's worth a sniffle if you find yourself bored in the garage at the weekend with a couple of beers to keep you company.
Steven R
"As for security, it has a half decent AV package and all my data is backed up elsewhere, so if it does get Pwned, I'll just wipe it and reinstall XP."
You're working on the assumption you'll know immediately if it gets 'pwned'. In reality it might be some time, by which time the bad guys might have your bank details, your friends email addresses, and as stated above have Cryptolocked your remote file store(s).
If/when you "wipe it and reinstall XP", will you be able to reinstall the existing patches from Windows Updates (will these still be on offer after today)? If not you'll just be making a bad situation worse.
Your complacency is worrying: I think you should listen to the Linux suggestion, or just shell out for a cheap copy of Win7 from FleaBay.
As long as you don't have anything important on it, or do anything like using it to buy something over the Internet, you may accept the risk. But as soon as you read your email, buy some of those parts or something like this on that machine, log on to some site, or the like, you're accepting a not little risk. No FW or AV will protect you enough - and the problem is not what they may delete, is what they could steal without you even knowing it.
Just accepting the risk isn't good enough. It's plain irresponsible.
You might not care about your systems, if malware gets on it - but what bothers me is another drone in the DDoS/spam botnets which hurts everyone.
It's not only you who's effected when your old Windows machine gets infected. Again.
Well, for that you have the far bigger problem of incompetent users and those used illegal copies which of course don't patch system because they're afraid of being identified and their system locked down. They could run the shiniest lates OS but will click on any "pOwn me" sign as long as it is pretty and colorful.
At every opportunity you mention illegal copies of Windows - How come you're always banging on about it? Have you just had to buy your first legit copy, or something?
Nobody else even mentions it.
(If you know the right channel, you can get MS software for free... from MS. Legit)
It's funny most still think malware is designed to crash or wipe your PC. Sorry, that's not 1987 anymore. Most malware is designed to infect you, and stay hidden, while stealing data silently, or perform operations on the bot C&C behalf (spam, DDoS, attack other machine, host illegal contents,do anything illegal you like on someone's else machine....), often even rented to someone else for a given task. Only crappy malware (there's that too) will do something you'll notice easily enough (yes, there's ransomware also, but that's a one-shot malware type). It make take years to discover a well hidden infection.
If AV and FW were really effective, we would not be here talking about vulnerable machines. And the more "0 day" XP will be vulnerable to, the less AV and FW will be able to protect you, there are dozens of effective techniques to avoid detection and make local AV and FW wholly useless - when you compromise a machine, you can also control the software running on it. You may sleep happily while someone else enjoys your machine and your data, or open your eyes and acknowledge that false security is usually equal to no security at all.
Well the simple things you can do over and above what you say (if you aren't already doing them):
1. Ensure you normally use the PC as a non-admin user.
2. Give the admin user a simple password that you can remember - this is to stop simple "run as admin" actions.
3. Install Chrome or FireFox and use these browsers instead of IE.
4. Take a full disk image, to simplify recovery.
Whilst the machine won't be fully secure, it will probably be good enough for most practical purposes...
"Give the admin user a simple password that you can remember - this is to stop simple "run as admin" actions."
Give admin user a "complex" password that you can remember. At least 16 characters long (disables unsecure NTLM hashes) - better, create another admin user, and disable the Administrator one (use gpedit.msc do to that). Beware that to change the XP home password IIRC you need to enter in safe mode or something alike.
Disable useless and unused services, especially if running as LocalSystem. Downloand SysInternal's Autoruns anche check what is started automatically - remove whatever you don't need.
>Give admin user a "complex" password that you can remember.
In the context of the garage, the important thing is that this password needs to be kept safe and accessible, so that it is remembered for periodically use but also is not so simple that users just get in the habit of using "run as admin"...
>Disable useless and unused services
Well two key services I suggest are: Windows Update and Security Centre.
Also do a final full update, confirm the system is stable and disable non-essential third-party auto updaters eg. Adobe Acrobat Reader.
This post has been deleted by its author
"I put Windows 8.1 on them, and supprisingly they are quite quick, interface is sucky but the preformance is ok for what they were doing before."
What specifications were the machines? I'd like to try Win8 on an old(ish) laptop.
Coat icon: just the machine specs everyone, this thread isn't for moaning about interfaces/TIFKAM/ or advocating Linux.
No problem. The only other thing I can think of is that there are lots of machines of that era (I was fortunate with the model I was using) that are kind of marginal when it comes to some driver support and video driver support in particular. It's often possible to use older drivers in compatibility mode, but it can be a bit of a chore to get them working. I had a similar experience with running Windows 7 on a Dell Dimension D410, where Vista drivers would work if installed in compatibility mode. An interested exercise, but definitely a bit of patience required.
"XP at home, one PC too old so just risking it."
No, don't do that. As someone else pointed out, you're risking it becoming part of someone else's botforest, and that can hurt everyone, not just you.
If it can run XP, it can run some lightweight linux. Look into it.
Just upgraded my better half's circa 2008 XP laptop to Win 8.1 (thank you student discount) and it runs fine. 1.6Ghz with 2 GB, plus a 500 GB HD. Took a few minutes for me to figure out where control panel was, but other than that it's heaps easier for her to use than XP ever was. Installed a couple of apps for her, transferred her itunes and good to go.
Then she tells me they've been using Win 8 tablets at school for ages and she knows how to use the interface better than I do.
Last year, I put the Win 8.1 Trial onto a vintage 2007 Lenovo Thinkpad T60, 2GB ram.
It ran fine, with good hardware detect, but I did not like it. It's back to XP, with the red MSE icon I complained about in an earlier comment.
Tip: never access internet from an admin account. That one measure greatly reduces risks.
The biggest remaining risk is if a usb memory stick passes infections to my other machines.
Pott: "There are lots of reasons why this isn't always possible – hardware dongles, the need to power proprietary hardware cards and so forth.."
Well, yeah, but lets take a step back here. If core business equipment is aged and there's no money and/or willingness to invest in serious replacements or upgrades of any kind, we're talking about a bigger, non-technical issue which will affect the production and security of such places in many ways.
So lets look at the situation where there's at least some will and financing available. There are enough PCI centronics or serial port cards for dongles which can be made available to the virtual machine. Having some ISA card to support? USB to ISA card adaptors do exist (eg Arstech) and drivers will be able to detect the redirected IRQ, DMA etc. The hardware costs are not the problem here but time for testing and troubleshooting might be. Especially for timing-sensitive equipment this solution might run into trouble though or as some report, for any non-plug&play cards. So what is being invested in is a supported solution and the work of an engineer to sort it out. But for mission critical equipment that cannot be replaced (yet), it seems worth a try.
that USB support in things like Hyper-V and (probably?) Virtualbox are geared towards USB mass storage and standard devices, rather than a software protection dongle (looks like VMWare copes a bit better with this).
There are also some Open Source projects that provide what amount to USB over IP, which are apparently intended to solve those sorts of problems (dongles, etc) inside a VM. Not tried them yet myself, but the idea sounds like it has some potential.
...grab yourself a copy Windows Steady State, the backbone of libraries and schools for years.
it's hard to find via MS, but there some out there on decent 3rd party sites.
Install,set up policies, turn on Disk protect and bang, a free mini VM. Not that hard to do the basic stuff either, although some tweaks can mess things up (like turning off system tray can bugger up printing).
best of all IT'S FREE.
Deep freeze is good, use it on Win8 machines as Steady State was XP only.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
