Hey banks: Use Win XP after deadline? You'll PAY if card data's snaffled

Banks that use the Windows XP operating system will face a risk to their compliance with payment card data security rules if they continue to operate the software after Microsoft withdraws its extended support services, a US regulatory body has warned. Microsoft confirmed in 2010 that it would end "extended support" for …

COMMENTS

  1. Anonymous Coward
    Anonymous Coward

    French Police Had The Right Idea

    And for a lot less cash.

    http://linux.slashdot.org/story/13/10/03/185235/french-police-to-switch-72000-desktop-pcs-to-linux

    1. Anonymous Coward
      Anonymous Coward

      Re: French Police Had The Right Idea

      So how long will that Linux distribution be vendor supported for then? Anything over a couple of years is pretty exceptional.... And then of course major upgrades in Linux don't normally support in place updates, but require a full rebuild...

      I bet it isn't actually for a lot less cash. Munich already demonstrated that it actually costs millions more to run Linux on the desktop.... They are almost certainly not covering the full picture in their 'TCO'.

      1. Anonymous Coward
        Anonymous Coward

        Re: French Police Had The Right Idea

        The whole article is FUD. Paid support is available for those that need it. They can still get patches.

      2. bigtimehustler

        Re: French Police Had The Right Idea

        Errrr, what? Pretty much all modern Linux environments support an in-place upgrade to a new major release. What decade are you living in? Might I also add, the upgrades are a lot smoother and take less time to upgrade as well.

        1. Anonymous Coward
          Anonymous Coward

          Re: French Police Had The Right Idea

          "Pretty much all modern linux environments support an in place upgrade to a new major release"

          Red Hat / CentOS don't for a start....

      3. Steven Raith

        Re: French Police Had The Right Idea

        ".And then of course major upgrades in Linux don't normally support in place updates, but require a full rebuild..."

        Examples or GTFO.

      4. Anonymous Coward
        Anonymous Coward

        Re: Linux support for in place updates

        Linux distros have supported "in place major updates" for many years. Please check facts before posting.

      5. Anonymous Coward
        Stop

        Re: French Police Had The Right Idea

        "And then of course major upgrades in Linux don't normally support in place updates, but require a full rebuild"

        Save your ignorant uninformed bullshit for the DailyFail, most reg readers are competent across more than one OS and you have only succeeded in making yourself look like either a fanboy, shill, incompetent fool or possibly all three.

        1. Anonymous Coward
          Anonymous Coward

          Re: French Police Had The Right Idea

          Save yours:

          http://serverfault.com/questions/449048/why-is-it-so-difficult-to-upgrade-between-major-versions-of-red-hat-and-centos

      6. josteink
        FAIL

        Re: French Police Had The Right Idea

        "And then of course major upgrades in Linux don't normally support in place updates, but require a full rebuild..."

        Care to back up that statement with ... anything at all? While your comment in general seems to be mostly FUD, that part seems to be entirely fictional, wrong and actually 100% backwards.

        Of course Linux-based systems support in-place updates and upgrades. And they usually do so much better than Windows, since the default on Linux isn't that a single file-lock can cripple the rest of the OS.

        On Windows however, you are almost always forced to reboot the computer after applying updates because file-locks prevent the updates from being done in place. Have a few Adobe or VMware updates and you will be cursing your computer for the reboot-fest it just became.

        TLDR: I think you got your address wrong.

        1. This post has been deleted by its author

        2. Davidoff
          FAIL

          Of course Linux-based systems support in-place updates and upgrades.

          "Ofcourse Linux-based systems support in-place updates and upgrades. And they usually do so much better than Windows, since the default on Linux isn't that a single file-lock can cripple the rest of the OS."

          Yes, Linux supports upgrades, and for individual programs it usually works fine. However quite often upgrading a distro to the next version doesn't go smoothly and in the worst case results in an unbootable system. And don't start about upgrades 'jumping' over multiple versions. It's certainly not less painful than on Windows, where OS upgrades usually just result in a slower system. I've seen many OS installations that started their life as NT 4 and have been subsequently upgraded to W2k, XP, Vista and W7. On Linux, at least one of the upgrades does fail miserably.

          "On Windows however, you are almost always forced to reboot the computer after applying updates because file-locks prevents the updates from being done in place. Have a few Adobe or VMWare updates and you will be cursing your computer for the reboot-fest it just became."

          That's mostly nonsense (and I can't remember when the last time was that an Adobe update required a reboot; I guess that must have been back in the Windows 98 days. And VMware, oh well...). Windows has supported inline updates (no reboot required) for a very long time, and since Vista many of the few cases where a reboot was previously still required have been made reboot free.

          The simple reason why many installers ask you to reboot is because the developer of that piece of software for some reason believes that a reboot would be a good thing. In some cases this is justified, but in many cases it's just down to a poor understanding of how modern day Windows works.

        3. Anonymous Coward
          Anonymous Coward

          Re: French Police Had The Right Idea

          This is a red herring anyway - In 20 years in IT, I've never worked at a major company who does in place upgrades, even if they are available. For servers you don't upgrade production servers, you co-ordinate your server hardware and software upgrades so that you can bring the new service up on the new OS/hardware and seamlessly fail over, once testing is complete. With desktop, having a line in the sand where you rebuild everything from scratch is a good thing, it means that you know all your workstations are at a base level, nobody has any exotic configurations or dodgy non-approved software which has somehow been installed and it's all easier to support. Workstation rollouts I've worked with tend to be either pulled from someone at the desk doing a PXE boot or pushed from a management console. Either way, they will be run by a dedicated build script or workstation image, supplied from a build server. This goes for Linux as much as it goes for Windows.

    2. Anonymous Coward
      Anonymous Coward

      Re: French Police Had The Right Idea

      If you read the document, they started in 2004. So 9 years and not even halfway there.

      The TCO is compared against their decentralised legacy environment - not an equivalent centralised, managed one.

      The cost savings would almost certainly have been higher if they had migrated to Windows 7. Hence why near zero enterprises make such a choice - only government departments who can't afford the best IT executives, and who can persuade politicians with short term headline 'savings' regardless of the eventual real cost.

    3. Velv

      Re: French Police Had The Right Idea

      It doesn't matter which OS you choose, you need to maintain your estate.

      The realities are that it will cost roughly the same per user no matter which OS you choose, especially if you are in any form of regulated industry.

      1. Anonymous Coward
        Anonymous Coward

        Re: French Police Had The Right Idea @velv

        Have you seen the recent price increases in CAL licences?

        1. Anonymous Coward
          Anonymous Coward

          Re: French Police Had The Right Idea @velv

          "Have you seen the recent price increases in CAL licences?"

          CALs went up 15% - which is not far off the rate of inflation since the last increase.

          nb - Licences are a very small percentage of the TCO.

          1. Anonymous Coward
            Anonymous Coward

            Re: French Police Had The Right Idea @velv

            "CALs went up 15% - which is not far off the rate of inflation since the last increase"

            And these Microsoft products contain ever increasing amounts of functionality.

            And users are now often using multiple devices, so the cost of per user CALs reflects this....

            1. Anonymous Coward
              Anonymous Coward

              Re: French Police Had The Right Idea @AC 9.02

              WTF?

              "CALs went up 15% - which is not far off the rate of inflation since the last increase"

              Bullshit!

              I don't know what country you are in but for the UK it was 25% followed by 15%.

              http://www.computing.co.uk/ctg/news/2228415/microsoft-to-increase-licence-costs-from-december-1

              You are either a MS channel sales rep spinning a FUD or a badly informed MCSE who doesn't sign the licensing cheques.

      2. Anonymous Coward
        Anonymous Coward

        Re: French Police Had The Right Idea

        "The realities are that it will cost roughly the same per user no matter which OS you choose"

        + cost of 72,000 desktop migration

        + cost of replatforming everything that they use

        + cost of supporting 2 environments for ~ a decade

        = Seems highly unlikely the TCO claims made are valid!

    4. Roland6 Silver badge

      Re: French Police Had The Right Idea

      Missing the point, Linux/open source doesn't solve the support and upgrade problem. For example, systems running Ubuntu 8.04 LTS are now out of support as far as Canonical are concerned, so the typical enterprise running these systems is in a similar situation to those running XP...

      1. Steve Davies 3 Silver badge

        Re: French Police Had The Right Idea

        Any company that uses Ubuntu LTS is mad. They have pretty short support periods.

        If you want proper long term support then RHEL or SLES is the way to go. Red Hat support their OS releases for 10 years. Is that good enough for you?

        1. Cliff

          Re: French Police Had The Right Idea

          Steve Davies 3

          You're right, some Linux builds have long term support and 10 years is admirable. Outside that though the upgrade costs are broadly similar to any other OS, so aside from the initial licence purchase vs support contract the savings may be slight. Especially if MS offer 40% more years of support as they have with XP!

          I like Linux, not so much for the OS itself but for the fact it creates an alternative and prevents monopoly abuse. Were it not for FOSS I reckon much of our much-used proprietary software would be (more?) under-developed and price-gouging; it benefits everyone.

    5. Mad Chaz

      Re: French Police Had The Right Idea

      You need to brush up on your Linux. Almost all major distributions now support in-place upgrades. The rest no longer have a release cycle, they just keep all the software updated all the time, meaning there is actually no "big upgrade" to do. The rolling upgrade on a lot of them is actually rather awesome. They just need to update the install media every now and then.

      1. Anonymous Coward
        Anonymous Coward

        Re: French Police Had The Right Idea

        No they don't

        http://serverfault.com/questions/449048/why-is-it-so-difficult-to-upgrade-between-major-versions-of-red-hat-and-centos

  2. ecofeco Silver badge
    Facepalm

    It ain't that damn hard

    It really isn't. I've migrated literally thousands of desktops from XP to Win 7 for Very Large Companies and it ain't that hard. Or expensive. We did it all with in house employees and it did NOT cost millions of dollars.

    And good server admins can do the same.

    Got specialized software you need to run but that is no longer compatible with Win 7 or Server 2010? Update, you lazy git! You should have done so years ago.

    1. Magnus_Pym

      Re: It ain't that damn hard

      "Or expensive"

      Got any figures?

      1. ecofeco Silver badge

        Re: It ain't that damn hard

        Got any figures?

        4 people in deskside support - $2800 per week.

        Per seat license for Win 7 - negotiate per company - avg $50 - X 5000

        Conversion time - 3-6 months by attrition or 3 months dedicated project. Actual execution usually a combination. But let's go with the 3 months. $33600 labor.

        No new hardware required (despite the myth, Win7 runs just fine on dual cores w 4mb of RAM)

        33600 = labor

        250000 = license

        586000 = total for users conversion

        Server side

        Office 2010 suite - again negotiable by company - approx $3000 per module, but usually only Exchange.

        Labor - 1-3 server admins at approx $4000 per week, again 3 months to convert.

        Server 2010 Enterprise approx $45000 per processor - at my companies there were no less than 10 main servers running 8+ cores each or 80 cores. - $3,000,000

        Now here's where it gets a little more complicated: the 3 million is NOT paid all at once. Usually it's paid over several years. So there will be 2 sets of figures. One is not known and the other is just total. Payment plans are as proprietary as they come and it will be years before I can say anything in public even hypothetically.

        So:

        48,000 = labor

        3000 = Exchange license

        3,000,000 = server license

        3,051,000 = total

        - X payment plan

        Grand total for 3-month dedicated conversion - $3,700,000 (rounded)

        Minus X payment plans over X years.

        In other words, upfront capital isn't that much. Mostly in labor and first payments for licenses.

        Does that answer your question? You can send the consulting check to this email.

        (all figures are approx avg as each company can negotiate its own costs)

        1. Peter Gathercole Silver badge

          Re: It ain't that damn hard - Ummm

          From your figures, it looks like the estate you are using is 3000 seats. So. $3,700,000/3000 gives us, um, $1,233 (rounded) per seat. You really think this is not a lot?

          Even if you do have a payment plan (and I'm betting that Microsoft would prefer a subscription plan rather than a deferred payment plan), that is still loading the business with costs that they may not have if they opted to stick with XP.

          And the majority of those costs are in license fees, which you may not have if you can find an open-source solution that is adequate.

          You've also not factored in any testing, specific business related software costs, or loss of productivity or training costs. If you are doing 3000 seats over a 6 month period, that's 500 a month, or about 25 a day (assuming that you're doing most of the estate during the working week). That's a tall order for 1-3 admins, even assuming you do across the network upgrades in place (which is disruptive to the users). Of course, if you have a homogeneous estate, you could do a replace, upgrade, replace rolling operation which is less disruptive to users, but you will need spare kit to do that, and will need the time to physically move the kit around.

          Your earlier comment about a dual-core system with 4GB of memory is interesting. I'm sure that many, many business users of XP will have the majority of their estate running on P4 systems running with <2GB of memory. Places like call-centres do not regularly replace working systems, and the demands of filling in screen forms is such that you don't need much oomph.

          For those users, dropping new kit in may not only be essential, but possibly cheaper as well.

        2. spudmasterflex

          Re: It ain't that damn hard

          No new hardware required (despite the myth, Win7 runs just fine on dual cores w 4mb of RAM)

          Wow I wish my machine had 4mb of ram rather than 4GB (should also have been 4MB not mb)

          1. ecofeco Silver badge

            Re: It ain't that damn hard

            4GB. Sorry about the typo.

            I'm well aware that many places are still using very old PCs/laptops, however, the article talks about banks, not SMBs, so I addressed that scale. Banks are notoriously skinflint cheap, but they are NOT broke or struggling and easily have the capital to upgrade.

            Perhaps I didn't post clearly and for that I apologize, but the up front costs are not that much and the final total is certainly a hell of a lot cheaper than a million dollar security breach, which is what you count on having if you stay with XP and again, what this article addresses.

            As for the nay-saying in general, where I live, companies of all sizes are upgrading to newer PCs and Win7 every single day and ditching XP as fast as they can. By the thousands.

    2. Alan W. Rateliff, II
      Paris Hilton

      Re: It ain't that damn hard

      "Got specialized software you need to run but is no longer compatible with Win 7 or Server 2010. Update you lazy git! You should have done so years ago"

      Unless you are using software which *is* prohibitively expensive to upgrade, was made by a vendor no longer in existence but who promised it would be around forever, was bought by a new company who has made the software a shadow of its former self, or moving data to a new program is a prohibitive expense (if possible at all) on top of the extortion charged for the new software.

      I have seen all scenarios above. As well as a perpetual license which turned out to not be so perpetual.

      That said, I have had great success in running old software in compatibility mode, Windows 7 XP mode, or just plain Virtual PC. It took some time, fumbling around, obscure forum searches and link resurrection, and a smidgeon of intuition, but I have not yet been unable to move a program to Windows 7 or Server 2008R2. Not to say doing so is always possible, I just have not failed, yet, and it is worth a try every time. Yet *sigh*

  3. Roger Greenwood

    Incremental upgrades . . .

    . . . tend to provide no business or operational benefit, just increase the risk in delicate systems. It may not be ideal, but that is reality for many. Hence hitting a brick wall now and then.

    1. Intractable Potsherd

      Re: Incremental upgrades . . .

      The key part of the article to me is:

      "McFadyen said that businesses are often understandably reluctant to move away from using legacy IT systems due to ... [s]ystem reliability, business continuity and the fact that most security vulnerabilities for the technology may already have been flushed out and resolved ... "

      Being forced to upgrade a system that works perfectly well, and would continue to do so if not for a decision made by another company with an effective monopoly for no other reason than to make more money out of its chattel slaves customers is not good. At the end of the day, we, the individuals dependent on the companies being blackmailed by the regulators acting on behalf of the monopoly are going to suffer, because systems that have worked for years are going to be farted about with. It isn't as if we haven't seen what happens when banks change systems, have we?

      Make sure you have a store of cash in the house enough to see you through a week's living expenses.

  4. vagabondo
    Childcatcher

    Microsoft -- Security?

    And what history does Microsoft have in providing and maintaining secure software? What credible reassurances are provided by Microsoft support?

    Who prompted the FFIEC to issue this warning?

    1. Anonymous Coward
      Anonymous Coward

      Re: Microsoft -- Security?

      "And what history does Microsoft have in providing and maintaining secure software"

      A better history than enterprise desktop Linux distributions every year without exception since 2004.... fewer vulnerabilities, and fewer critical vulnerabilities that on average were fixed faster (fewer days at risk)

      "What credible reassurances are provided by Microsoft support?"

      A full published support road map for all products - for instance XP will have been supported for circa 13 years by the time it is retired - and paid support is still an option after that.....

      1. Anonymous Coward
        Anonymous Coward

        Re: Microsoft -- Security?

        State your source...

        I almost never hear of a real vulnerability in Linux, i.e. one that can be exploited remotely, yet with Windows it is normal to hear of this kind of exploit..

        I am serious though, I would love to see a comparison between the two...

        The advantage with Linux IS that it's open source, i.e. if a vendor stops supporting your version, for large companies you could hire a couple of developers to keep the distro you use updated with the latest patches, and that would be a damn sight cheaper than yearly licenses from Microsoft..

        That is why I don't get the UK gov using Windows, it would have made sense very early on to hire their own bods to maintain their own Linux distro... what's a good Linux developer get paid as a permie? £70k I would guess by the offers I've turned down, so for £1 million a year, peanuts for the gov, you could have a team of 10 on your distro with plenty left over for office and hardware.. sure finding tech support is harder, i.e. they NEED to be tech monkeys on the end of the phone not script monkeys (by script I mean read from a script)

        1. Anonymous Coward
          Anonymous Coward

          Re: Microsoft -- Security?

          "State your source..."

          Here is an example for you:

          http://www.zone-h.org/news/id/4737

          Linux is much easier to attack remotely (yes I am allowing for market share)

          The vast majority of Windows 'exploits' rely on stupid activities by users with admin rights.

          "you could hire a couple of developers to keep the distro you use updated with the latest patches, and that would be a damn sight cheaper than yearly licenses from Microsoft.."

          Sounds like COBOL all over again to me, lots of custom crap that can't be integrated or migrated that hangs around for decades and eventually costs zillions....

          "I don't get the UK gov using Windows"

          It's substantially cheaper when you look at the big picture.

          1. Anonymous Coward
            Anonymous Coward

            Re: Microsoft -- Security?

            Here are a few more examples dating back to when Microsoft put security as #1 priority:

            http://news.techworld.com/security/1329/forrester-questions-linux-security/

            http://technet.microsoft.com/en-us/library/cc512608.aspx

            http://blogs.technet.com/b/security/archive/2006/10/19/windows-vs-linux-workstation-comparison-q3-2006.aspx

            http://blogs.technet.com/b/security/archive/2006/07/14/441673.aspx

            1. Steve Davies 3 Silver badge

              Re: Microsoft -- Security?

              Strange that three of those links are to a MICROSOFT Site!!!!!! Doh!

            2. vagabondo
              Joke

              Re: Microsoft -- Security?

              Posted by Anonymous Coward Monday 14th October 2013 09:12 GMT

              > when Microsoft put security as #1 priority::

              Did you forget this icon?

          2. Roo

            Re: Microsoft -- Security?

            "Linux is much easier to attack remotely (yes I am allowing for market share)"

            How exactly are you allowing for market share ?

            "Sounds like COBOL all over again to me, lots of custom crap that can't be integrated or migrated that hangs around for decades and eventually costs zillions...."

            Well there's a coincidence, that is exactly what I see every day with Windows applications. Case in point migrating an Excel spreadsheet to a Grid. The alternative was to write a proper app for the grid that did the job properly, but it was considered easier to move the spreadsheet to the compute Grid because the grid vendor and Microsoft had done lots of whitepapers saying it was possible and they were both more than happy to support this configuration.

            Needless to say it didn't work because it turned out that Microsoft were wrong about Excel, it really doesn't like running > 1 copy on a machine and it would fail on about 20% of the invocations with an infinite loop. Microsoft dropped support for that configuration, and the customer hacked up a config that would limit one copy of Excel to a grid node thereby reducing their aggregate compute capacity by a factor of 8.

            So yeah, "crap" that "can't be integrated" or "migrated" and hangs around for years is a problem the closed source folks have too. In fact it's more of a problem because if a vendor decides it can't be arsed to support its own software you are pretty much SOL.

          3. Anonymous Coward
            Anonymous Coward

            Re: Microsoft -- Security?

            "Linux is much easier to attack remotely (yes I am allowing for market share)"

            FAIL. Read your own article. They are discussing website defacements, which involves multiple attack vectors - most notably poor website code and web hosting security gaffes, as mentioned in the article. Combined with the fact that Linux is the most used website hosting platform, it's no surprise that the label "Linux" is attached to this statistic.

            You've just produced a standard case of abusing statistics to support a skewed point of view.

            1. Anonymous Coward
              Anonymous Coward

              Re: Microsoft -- Security?

              "FAIL. Read your own article"

              If YOU bother to read it, you will find that it shows that you are several times more likely to be remotely hacked if you run Linux than Windows - even after adjusting for market share (as per Netcraft)

              It also states that the most common exploit used is a Linux kernel vulnerability.....

              1. Anonymous Coward
                Anonymous Coward

                Re: Microsoft -- Security?

                "If YOU bother to read it, you will find that it shows that you are several times more likely to be remotely hacked if you run Linux than Windows"

                So I read it and it said (and this is YOUR ref, remember):

                "we consider the fact that last year brought a very high number of the LOCAL linux kernel exploits."

                Your usual method of chaining one 'fact' to another to make a story.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Microsoft -- Security?

                  "So I read it and it said (and this is YOUR ref, remember):

                  ""we consider the fact that last year brought a very high number of the LOCAL linux kernel exploits.""

                  Of defaced webservers? Use your brain. It's semantics - these were remote exploits.

              2. Chemist

                Re: Microsoft -- Security?

                Now if you really want remote kernel vulns.

                As reported in The Reg recently

                http://www.theregister.co.uk/2013/10/09/patch_tuesday_double_ie_trouble/

                "The critical MS13-081 update addresses seven vulnerabilities in the Windows kernel, including problems in font handling, and can be triggered remotely through malicious web pages and maliciously formatted Office documents"

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Microsoft -- Security?

                  "Now if you really want remote kernel vulns."

                  "can be triggered remotely through malicious web pages and maliciously formatted Office documents"

                  So not remote then....require local USER interaction....

      2. Tim99 Silver badge
        Meh

        Re: Microsoft -- Security?

        @AC 08:48

        A full published support road map for all products - for instance XP will have been supported for circa 13 years by the time it is retired - and paid support is still an option after that.....

        I used to write software for XP - in quite a lot of instances there was not a lot of similarity between the original XP and XP SP1, SP2 and SP3.

        I note that, so far, there are about 12 fairly extreme posts from ACs for Windows compared to about half that number biased towards Linux. A cynical person might suspect that astroturfers and shills are busy...

  5. Velv

    Scaremongering by journalists and spin doctors.

    PCI, DPA, FCA, PRA, SEC, etc will NOT be issuing fines to companies who have demonstrated a good approach to securing their estate.

    Mainstream and Extended (aka FREE) support will end April 2014. Microsoft have published the prices for Special Support, and therefore ALL users have the OPTION to maintain a supported estate (although they might not have the budget).

    Yes, get rid of XP as soon as you can. But you are more likely to be fined for fucking up a rushed rollout than doing a rollout in a controlled manner.

    1. Anonymous Dutch Coward

      Scaremongering

      I would agree.

      Just because PCI has some tick mark about having a patch process etc., having a properly thought out risk assessment + controls + review cycle (à la ISO 27001/2) is much more important and could well indicate that there are enough mitigating controls to make the risk of no patches appearing acceptable (e.g. don't allow XP users access to the web; use of up to date virus scanners, network monitoring etc).

      But that doesn't make for a nice scary headline+increased revenue from switches from XP to 7.

      Note however that PCI DSS *is* a US initiative and it seems Americans are a bit crazy for checkboxes, so who knows, I may well turn out to be proven wrong here.

      1. Mr. Flibble

        Re: Scaremongering

        Anything that isn't under support, and is within the "PCI Scope", i.e. processes or transfers credit card data, will fail PCI-DSS.

        At our company a few years ago, we had loads of Windows 2000 servers, which of course were going to be out of support. We looked at paying MS for extended support as they ran some rather critical stuff that was within PCI scope, but as that would come in at about $100k, we sacked off that idea.

        Somehow we managed to pass PCI anyway, and we have now finally upgraded, so it doesn't matter, but the point still stands, if your vendor won't support a particular version past a certain date, then you can't be PCI compliant after that date.

        We've now got the fun prospect of upgrading all our old Cisco switches as they go out of support soon too, and they are also in the PCI Scope.

        The key seems to be making your PCI scope as small as possible, which isn't a bad idea in theory, it just causes problems if you've got a flattish network and loads of dependent systems.

    2. Roger Greenwood

      "Microsoft have published the prices for Special Support"

      So they are retaining a team to evaluate future exploits and produce patches/testing etc. just restricting what they test and who has access. Would be nice if they shared a little more, but of course that wouldn't fit the bigger picture of getting people back on the treadmill.

  6. Anonymous Coward
    Anonymous Coward

    Linux is always the best

    Windows sux.

    (Challenge for the penguin downvote mob, upvote this post for agreeing with your world view, or downvote it for being a content-free vapid post)

    1. Chemist

      Re: Linux is always the best

      "Challenge for the penguin downvote mob, upvote this post for agreeing with your world view, or downvote it for being a content-free vapid post"

      OR don't vote either way and express your contempt for the poster

  7. Daz555

    Organisations with money can simply arrange for a custom support agreement with Microsoft - and their lovely ancient XP workstations will remain patched for a good while yet.

    1. vagabondo
      Meh

      Organisations with money

      PLCs are in the fortunate position of only ever spending other people's money!

      1. vagabondo
        Headmaster

        Pedant needed

        "other people's money"

        Should that have been:

        "other peoples' money"?

        Has anyone got a copy of Fowler's handy?

      2. Anonymous Coward
        Anonymous Coward

        Re: Organisations with money

        Don't be ridiculous - large PLCs spend as little of other people's money as possible, in order to inflate their own bonuses.

        (board and SMT level bonuses only, that is ... the lackeys never see a bit of this money)

    2. bigtimehustler

      ...and this is a totally pointless situation; what is the point in delaying the inevitable? They have already delayed it too long. One day they are going to have to upgrade and it will cost the same or more by then anyway, as the system gets even more legacy and fewer people understand it. So if they go down this route they will spend a fortune paying Microsoft for a custom support agreement and then have to pay for the upgrade anyway one day in the future, rather than just paying for the upgrade with no support agreement. Short-sighted actions like this are the reasons large institutions waste so much money!

      1. vagabondo

        @bigtimehustler

        > Short-sighted actions ...

        And the long-sighted would take the opportunity to break free of vendor lock-in and insist on open data structures. Preferably with Free or in-house software.

        1. Anonymous Coward
          Anonymous Coward

          The point here is that the companies running the legacy XP estates are required by their regulatory bodies to have support. There is therefore no such thing as free software; any kind of support which is going to tick whatever box is required by the regulatory bodies is going to cost. You can't just bung CentOS onto machines in these environments and tell the regulators that there are a bunch of people on the Internet who'll do the support. They would need to be using something like RHEL or SLES and it would need to be fully supported; that support doesn't come cheap, it certainly doesn't come free.

          1. vagabondo

            Posted by Anonymous Coward Monday 14th October 2013 12:13 GMT

            > therefore no such thing as free software

            Which is why I used the term "Free". We can expect a modicum of technical knowledge here, can't we?

            From the article there does not appear to be an absolute FFIEC requirement for only Microsoft support. There are plenty of support options for Free software.

            1. Anonymous Coward
              Anonymous Coward

              @Vagabondo - I've worked in PCI DSS regulated environments, with both Linux and Windows servers and workstations. The Linux was RHEL; this works well for PCI DSS: there are no extra boxes to check if you've got Red Hat support. This is because Red Hat have SLAs and contracts and a solid track record. I daresay you could use third party support, but if they've not got a track record, you'll need to do far more proving that they'll be able to carry out what they claim. In the same vein it's highly unlikely that any free Internet forum/community based support will be taken seriously.

              1. vagabondo

                @AC Monday 14th October 2013 13:34 GMT

                I did not mean "free", but "Free" (as per FSF), and was thinking in the first instance of e.g. Red Hat and SUSE, then perhaps Oracle, IBM, HP and Canonical.

      2. Ken Hagan Gold badge

        "what is the point in delaying the inevitable?"

        By not upgrading to Vista, 7 or 8, they have already saved a small fortune. Depending on the apps they use, and their willingness to fragment their userbase, there are now plausible alternatives to Internet Explorer, Exchange and Office. Maybe their upgrade, when it finally comes, won't be to a Microsoft platform.

      3. Intractable Potsherd

        @bigtimehustler

        It sounds as if you really are hustling big time.

        "... One day they are going to have to upgrade ..."

        Yes, so your argument is that a stable system should be changed every time a new <insert hardware/software update> comes along just in case? That new and untried is better than old and known?

        I think you talk bollocks on this topic.

  8. paulc

    Cash Tills and self check counters?

    I've seen a lot of these running XP behind the scenes...

    1. vagabondo

      Re: Cash Tills and self check counters?

      My understanding is that MS and the vertical suppliers of these devices will continue to provide security patches etc. after the 2014 EOL for XP Desktop editions.

      1. Anonymous Coward
        Anonymous Coward

        Re: Cash Tills and self check counters?

        Don't forget the train status display boards at most London & UK stations - the ones that are usually either showing an XP screensaver, or sitting at a BIOS complaining about not having a keyboard, or occasionally BSOD, but far more frequently simply saying "Your train is late. A normal service is running today".

  9. bailey86

    Why not release XP as open source?

    MS would gain as it would keep people on an MS product - and MS would surely gain later in server/services sales. Otherwise there will be more migrations to Linux/Macs - and once people have moved away from MS on the desktop the server side will follow.

    The world would gain as XP could continue as an operating system which is supported. XP would also improve drastically - look at how much superior Mint/Ubuntu/MacOS/etc. are to XP in terms of features and speed.

    What I'm saying is that MS should give away the client OS as a way of keeping people using their servers and services. What they have to be aware of is a simple fact - once people have moved from Windows to MacOS/Linux they never switch back.

    There are millions of dedicated MS fanbois out there and if they were given the code I'm sure they'd make huge improvements to XP over time.

    Even the Linux/OS community would gain because having an open source XP would provide competition which is usually a driver of better products.

    1. vagabondo
      Trollface

      Re: Why not release XP as open source?

      And how much more credibility would MS lose when their code was exposed to expert scrutiny (and/or ridicule)?

      1. Anonymous Coward
        Anonymous Coward

        Re: Why not release XP as open source?

        As has been stated many times here: MS' code is available to many organisations, Industry, Government and Education/Research can all get hold of it with appropriate NDAs. In fact when some code was leaked a few years back one thing that was generally agreed was that it was actually quite well written.

    2. silent_count

      Re: Why not release XP as open source?

      If I had my way, when a company chooses to stop supporting a software product, it should be legally required to place said product's source in the public domain. That'd fix the legal question surrounding abandonware and will likely make the 'planned obsolescence' game less attractive.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why not release XP as open source?

        Win XP has a pretty clear and well defined upgrade path; it's not abandonware if you're supplying an upgrade to a new version. Or are you suggesting that all software companies should support all software they have ever written under pain of being forced to open source it?

        If so, that would be a great way to force many companies out of business by either forcing them to support decades old software on obsolete platforms, or give away their IP.

        Also, what of software that contains products from more than one supplier, how do you decide what is to be open sourced? Would a 3rd party supplier of code be forced to give away their product because the vendor stopped supporting the product it was part of?

        1. bailey86

          Re: Why not release XP as open source?

          RE 'Win XP has a pretty clear and well defined upgrade path'

          I don't think Windows 8 will run on the vast majority of machines which are currently running XP.

          And I think there is a national security issue here - after the end of XP support there are going to be millions of vulnerable PCs which will either contain sensitive information or which could be used to attack servers - so maybe MS does have a (moral/financial) responsibility to sort it out. After all, companies which create pollution are required to clear up to stop the pollution affecting others - so maybe the same for MS in this case leaving behind millions of vulnerable PCs. And to me - open sourcing XP would be the easiest, cheapest and fastest way to achieve the clear up.

          1. mmeier

            Re: Why not release XP as open source?

            Oh my deity what a nonsense!

            Maybe it is time for those NATIONALLY IMPORTANT COMPANIES to buy new hardware. Any "XP only" rated box in those environments is 6+ years old, more likely older. Any VISTA rated box will run Win7 or Win8. And that road has been open for quite some time. Buying W7 volume licences in 2012 would have been an option for those "national security relevant" companies as well. W8 did not come as a surprise and a volume licence for W7 is valid till 2020 (EOS for W7).

            1. Intractable Potsherd

              Re: Why not release XP as open source? @mmeier

              "Maybe it is time for those NATIONALLY IMPORTANT COMPANIES to buy new hardware."

              Why? The later versions of Windows have nothing of any real utility in them. XP is still perfectly adequate.

              As I've made clear in several posts here, I'd rather have companies using tried and tested (i.e. old) systems with upgrade only as necessary than be forced into spending money that will put prices up just so the Microsoft tax keeps flowing.

        2. silent_count

          Re: Why not release XP as open source?

          I didn't have XP in mind when I mentioned abandonware but rather the games of my misspent youth that nobody sells but can't be legally obtained because it's still the property of some company which no longer exists, and nobody knows who owns the code. However, MS *is* still supporting XP, albeit at a cost to the user.

          What ever-so precious IP do you think companies would be sacrificing by releasing the source to "decades old software on obsolete platforms"?

          And in the case of 3rd party libraries or products from different suppliers, it's not that complicated. Each party has to release *their* code if and when they decide to stop providing support for their product.

          I'll concede there are probably permutations which I haven't considered but musicians and book authors have to give their work to the community after a "reasonable" time-frame so I don't see why it should be different for software authors.

  10. This post has been deleted by its author

  11. Richard 12 Silver badge
    FAIL

    What's this about 2014? XPe-based POS, ATMs etc have support beyond Dec 31st, 2016!

    Windows Embedded Product Lifecycles

    Windows XP Professional for Embedded Systems - released December 31, 2001, Product Distribution End Date December 31, 2016.

    That's distribution, in other words, MS will stop selling XP Embedded licences then, but won't necessarily cease support at that time - and definitely won't stop support before that.

    Go home PCI, you're drunk.

    1. Anonymous Coward
      Anonymous Coward

      Re: What's this about 2014? XPe-based POS, ATMs etc have support beyond Dec 31st, 2016!

      Most "proper" bank ATMs run the full version of the OS. That said, when I worked at a large UK bank a few years ago the ATMs were initially moved from OS/2 to NT4 (similar hardware requirements), then, as new ATM hardware was rolled out, they were upgraded to XP, and when I left the bank there were ATMs in internal testing running Vista. I suspect they would actually have been skipped to Win7 in the end.

      The sort of ATMs which run XPe are the free-standing ATMs which you see in petrol stations, service stations etc.

      Basically, it's an entirely reasonable position for the PCI to take; just because you don't understand the software used does not make them "drunk".

      1. Richard 12 Silver badge

        What, really?

        If that's even 1% true then the banks are insane and already took the utterly stupid risks.

        I find it really hard to believe though, XPe is cheap and incredibly easy to deploy on a massive scale, while full-fat XP is neither of those things.

        - Our manufacturing has one-button XPe and Win7e deployment to take a machine from blank drive to everything installed and configured. That button is the power button.

  12. P Taylor

    Security updates?

    Since when have banks been interested in Security Updates for ATMs anyway? Well, never.

    They are imaged and then rolled out. The ATMs then dial PPP over ISDN (in the UK) when looking up authentication, direct to the bank.

    They have no internet access as such, and they are not part of a domain, so do not receive updates via WSUS.

    I recently repaired some Cash Machines for a major high street chain (no names mentioned), and the units inside were clones, Intel Core2Duo running 1GB RAM with XP SP2.

    Yes, that's right, SP2.

    And we put our cards into these things!

  13. Anonymous Coward
    Anonymous Coward

    I wonder what PCI will do about XP-based POS terminals?

    There must be many millions of them about. Hopefully it'll be possible to upgrade most of them to 7 or 8, but lack of RAM or flash may become an issue for that.

  14. Prndll

    A bigger picture

    This is all quite interesting and there seem to be so many knowledgeable people here, but I do think that all of this completely misses something.

    There are two kinds of people in this world: those that understand and those that don't (most people don't). Those that do understand will ultimately take care of themselves without having too many problems. So I focus more on the ones that don't.

    For the average person using a computer at their job (whatever that job is)...it makes absolutely no difference one way or the other what the OS is (or at least it shouldn't). It ends up as a question for management (is upgrading or changing worth my time/money/investment?) and for any IT staff (can I properly maintain the systems that management has decided to use?).

    For this topic...It's all about "properly maintain". So I'm asking what the point actually is in "updating" (not "upgrading" which is a different thing)?

    If updating is for protection (with systems that DO get the job done): then I ask about the more important things like not allowing internet access for all those machines that don't actually NEED it. A LOT of people only need access to a server with a database (that really should be on-premises). Of course, someone remoting into someone's computer for making software repairs will need to be online, but not everyone does that. Most people don't even need USB ports (unless for keyboards and mice) or CD-ROMs. If "tech support" is just going to read off of a script anyway....they don't need internet access. They could just log into a server. A system NOT connected can't be hacked via the internet. Well, there is still the question of email (which a lot of people need)....that's what in-house email servers are for. Let the server scan ALL email before it ever reaches you. Privacy is of no concern as any email through the server should be business related anyway.

    So often, computers are put online for the sole purpose of "updates"....for what? Get MS updates against a hack attack you wouldn't get if you were not connected in the first place? Computers can be very powerful tools by themselves....too many people have the mistaken idea that computers are useless unless connected to the net.

    Personally, I can use Windows, Linux, Apple....whatever. It makes little difference to me. They all have their place in life. But from a security standpoint....I'm better off WITHOUT any kind of support from MS at all. I can make XP sing. Computers I build and maintain will run rings around most machines (and for longer periods of time). Half the machines I own run Linux and I'm proud of that fact. I feel like if Linux were the OS of choice for more companies, it would translate to fewer issues with employees.

    Let's get down to our passions for IT and stop accepting mediocrity from our lords-on-high. The boots-on-the-ground know better about what's going on than MS. This is how Linux came to be in the first place. These are OUR computers....NOT theirs.

  15. This post has been deleted by its author

  16. David Goadby

    Why do we accept this?

    Microsoft got 13 years to get this product secure. Why should we product-test XP for 13 years and then still be told that it is not secure after all? Then, we are advised to upgrade. Great for the Wintel conspiracy!

    With so many XP installations in the wild why is Microsoft just abandoning its customers? What other products that we buy do we get this sort of treatment with? Imagine that every item in your house came with a replace-by date. Even Win7 is going to be expired in 2020, so then we have to upgrade to Win8? No way.

    The sales driven security fear-sell is also becoming a bit wearing. We just aren't buying it, but don't try to make out that we are criminals when we don't jump to Microsoft's tune...

    1. Anonymous Coward
      Anonymous Coward

      Re: Why do we accept this?

      XP has only had ~500 security vulnerabilities in its lifetime.

      That's actually quite good. As a comparison, Mac OS-X is on over 2,000, and SUSE Server 10 is on about 4,000.....
