Windows XP Plug Pulled: 5 Questions - InformationWeek

Comments
Windows XP Plug Pulled: 5 Questions
Michael Endler,
User Rank: Author
4/12/2014 | 11:57:53 AM
Re: Reminds me of Y2K
Fair enough. But I think a certain amount of uncertainty and doubt is intrinsic to the situation. When you're talking about such a large user base, one can't be certain what risks apply to one user versus another. The large user base does allow us to be certain of one thing, however: Some sets of risks apply to thousands if not millions. (I admit that something like the reverse is also true; that is, certain XP risk vectors are not applicable to millions of XP users-- but that doesn't negate my point.) Consequently, in attempting a thorough discussion, one has to hit several points, not all of which are equally applicable to all readers:
  • Your machine will still work and is unlikely to become an incubus of malware right away (this point might not get highlighted in headlines, but I've seen it made many times, often in unequivocal terms);
  • Certain risks are real (and they are. Do we know that hackers are stockpiling zero days, or that they'll reverse-engineer exploits using future Windows 7 and 8/8.1 updates? No. But is there a reasonable chance? Yes, which makes the risk worth mentioning.)
  • Certain risks are overblown (such as ATMs, or the millions of locked-down XP boxes running on private corporate networks)

And so on. I'll grant you this: If someone's XP knowledge comes solely from headlines flashing across Google News, that person might have an exaggerated sense of the risks. But if someone is truly concerned, I expect they'd research a tad more than that, and if they do, I've seen more than a few articles that I consider fair. For a mass audience, the situation isn't as simple as "Yes, keep using XP" or "No, you must upgrade now," and I think people who've read beyond the headlines can get an accurate sense of the shades of gray.

No one's denying that many people will continue to run XP without incident, but it would be irresponsible to tell people to simply not worry. If I were speaking to an individual and could ask about his/her computing habits, software needs, and security precautions, perhaps then I could endorse continued XP use. But writing for a wide audience, that kind of insight is impossible-- so again, the conversation needs to be approached from several angles. Objectively, Windows XP probably won't destroy the Internet, but individual users also face objective risk considerations, some of which are likely to grow more severe over time.
Michael Endler,
User Rank: Author
4/11/2014 | 6:39:57 PM
Re: Reminds me of Y2K
"The hype is that 'something new might happen!' after 4/8/14.  This appears to just be marketing FUD."

I'm not certain by what objective standard it can be dismissed as pure FUD. I mean, sure, some of the commentary is over-the-top. Windows XP hasn't made ATMs particularly vulnerable, for example. 

But by and large, XP's retirement poses some legitimate security considerations, most of which have been objectively reported by the tech media. Whether one absolutely must act on these considerations is debatable, but the considerations themselves aren't FUD.

In the articles I've written, the perspective has generally been: "If you know what you're doing, you don't have to upgrade, but if you have to ask whether you'll be safe, XP might be more trouble than it's worth." I think this is a pretty responsible and fair assessment. Yes, some people will keep using XP without incident. The ratio of victims to potential victims is usually pretty small, even when we're talking about major cyberthreats. But I think it would be irresponsible to broadly encourage people to keep using XP. Even if only a minority of users get victimized, the consequences can be pretty terrible for the unfortunate few. IT professionals and tech-literate consumers are one thing. But XP's user footprint is huge, and we can safely assume it includes millions who could blithely stumble into trouble-- and who might unwittingly spread the problem to other machines. Words like "might" and "could" set off alarms for some people-- but in this case, I think they're a necessary part of comprehensive discussion.
Michael Endler,
User Rank: Author
4/11/2014 | 6:27:45 PM
Re: XP users will eventually migrate, but to what?
I can understand why some people have taken the "How can Microsoft abandon 200 million+ customers?!" perspective. But Microsoft obviously can't support XP indefinitely. It takes resources to do so-- and those resources aren't necessarily adding much to Microsoft's bottom line at this point. In fact, they might be detracting from Microsoft's bottom line, since we're talking about resources that might have gone to, say, Azure or something promising, instead of being lavished on ongoing XP maintenance.

I'm a big proponent of companies considering customers over profits, but at some point, Microsoft has to move on to new technologies. If not after 12 years, how long would be appropriate? If Microsoft had decided that 200 million active users was too many, would 100 million have been acceptable? What about 10 million? I think Microsoft could probably have done some things differently to help with XP's EOL deadline, but I have trouble arguing that Microsoft should have kept XP on life support for another five years.
Charlie Babcock,
User Rank: Author
4/8/2014 | 7:31:03 PM
XP users will eventually migrate, but to what?
If software companies can't set a date for when their product will no longer be supported, they end up carrying forward an ever-growing deadweight of baggage. Microsoft has been better than most about signaling its intentions. On the other hand, I'm not sure if I were Microsoft that I would spur so many customers to migrate. If they wanted to migrate to Windows 7 or Windows 8, they would have done so by now. If their existence becomes tenuous on XP, then they will migrate. I'm just not sure where.
Michael Endler,
User Rank: Author
4/8/2014 | 1:00:47 PM
Re: fair and balanced reply -- Official word on the Windows XP ATM issue
Microsoft Director of Communications Tom Murphy confirmed to me that some ATMs are running Windows XP Pro Embedded, which loses support today, whereas others are using Windows Embedded SP3, which is supported until 2016. He said Microsoft has been working with banks since 2007, and that all of them have taken appropriate measures, from updating machines to paying Microsoft for extended XP support while they finish migrations. He said, "With banks, trust and security is front and center. ATMs are something they put a lot of thought and investment into." He added he's still going to use ATMs.

I asked about the "old ATM in the corner of a liquor store" scenario, and he said that it's hard to speak specifically, but that those ATMs are operated by companies whose business is to ensure that customers are kept safe. He also said that the vast majority of Microsoft's large customers have moved off of XP, though he said some complex migrations are still ongoing.
Michael Endler,
User Rank: Author
4/8/2014 | 12:31:38 PM
Re: Lab machines
Thanks for sharing your experience. It's easy to play up the number of active XP systems, and for consumers, I think the hoopla about risks has some merit. But a lot of professionals need to keep using XP and know how to keep it secure, with or without Microsoft, as your story demonstrates. The upgrade urgency isn't the same for everyone, and unfortunately, neither is the upgrade simplicity.
Michael Endler,
User Rank: Author
4/8/2014 | 12:04:55 PM
Re: fair and balanced reply.
Thanks for the comments. Here are a few additions and clarifications:

1. The hyperlinked portion in the sentence you've singled out included a link to the citation, but here it is again: http://www.informationweek.com/windows-xp-malware-6x-as-bad-as-windows-8/d/d-id/1112122. The source is a Microsoft researcher, which, given the obvious potential for ulterior motives, you can choose to interpret how you wish. The linked article includes a healthy debate about whether Microsoft's claim is a scare tactic or a legitimate warning.

2. I don't think we totally disagreed here. The article states that XP machines can be made more secure if the user implements certain safeguards, disables certain applications, and adopts certain behaviors. But with 100 million+ XP users still out there, we can't quixotically expect everyone will be proactive. Fewer services only means tighter security if those few services are used in a solid way, and XP's retirement makes it easier for some users to run into trouble.

4. There are a lot of ATMs out there. I talked to Michael Silver at Gartner about this one, and he agreed that a lot of ATMs are probably running the now-unsupported OS. Dean Stewart, Senior Director at ATM manufacturer Diebold, has also discussed (citation) that many ATMs run the standard XP Pro edition with embedded restrictions, which is different than Windows XP Embedded itself (though that is, as noted, used on ATMs too). Granted, he's selling new ATMs, so I guess you could take his word with a grain of salt, but other sources corroborate. We have an inquiry in to Microsoft about this, but haven't received a comment. If they can share any specific breakdowns, we'll update the article.
Laurianne,
User Rank: Author
4/8/2014 | 12:01:12 PM
Re: fair and balanced reply.
It will be interesting to see how the ATM situation plays out. I suspect many readers are already more cautious of where they use their debit cards, following the Target breach. Are you? Weigh in.

