I still have two XP instances
One is physical, the other virtual. Both are patched using the hack the Reg published long ago.
So what am I guilty of?
Cops in Manchester, England, have 1,518 PCs running on Microsoft's dusty operating system Windows XP, according to a Freedom of Information response. This equates 20.3 per cent of the total PC fleet that GMP has in use, despite Microsoft ending support for the much loved operating systems back in April 2014. A spokesman for …
"Punishable by 100 hours community service where you will be installing Dos from 1.44mb discs."
That's hardly a trying experiance, from memory it only came on about half a dozen discs. Try doing a win95 install from floppies. We lent somebody the set once. Turned out that somebody had re-used disc fifty something as a bootdisc without marking it, on the assumption that nobody would ever want to install win95 via floppy instead of via CD.
ref the XP VM thing. XP is fine on a VM as there was nothing prohibiting you from doing so, any old sticker was transferable to VM and the 90 day transfer rule was also acceptable.
Windows 7 on the otherhand is a fucking nightmare to license on VM. it is cheaper to use server. you cant use a desktop license as it is prohibited. you need specialists to get you licensed.
"What can those XP boxes do that you won't be able to do with Linux with a modern wine setup?"
I'm thinking that THIS might be a really good selling feature for a commercial Linux: 100% XP compatibility!
Then we just get everyone STILL running XP to UPgrade to Linux!
"Somehow I think this tells us all we need to know about how Microsoft got their reputation for lack of quality."
run a decent looking desktop, run a piece of software where when you go into the forums you don't get slated for asking questions people see as beneath them, run software that works out of the box than having to dick about with....... and on..... and on....... and on .........
write about Microsoft and the penguins pop their heads out of the holes - should have picked a meerkat as its logo.
Also next time you're flying anywhere, take a good look at quite how many XP based machines you'll still find around most airports (I know from personal experience Gatwick and Heathrow are included). In some cases also still attached to dot-matrix printers.
Of course they're just for logistics and cattle movement rather than anything directly related to flying itself, but it may explain some of the frequent delays in packing the herd into their tin crate to be transported wherever.
"Raj Samani, McAfee fellow and chief scientist, agreed. “The public sector is an increasingly popular target for cybercriminals. Its ample sensitive data provides large-scale opportunities to cause havoc, as was made evident this year with the WannaCry attack which targeted the NHS.""
Which is utter bollocks and someone with that job title should know better than to make inacurate statements like that.
Wannacry DID NOT target the NHS. It was set free to target whatever it found out in the wild. The NHS was one unfortunate victim of many.
Under funded, under staffed and under regarded. we have 35 IT staff in an organisation of 4500 which is about 1:130. The average is around 1:20 or 1:10 in finance/Insurance.
We also get expected to do more than IT in most companies and have highly desirable data to protect.
If you want to critisize, try doing your job with no budget and 1/10th the staff and the world+dog trying to get in, along with all the consultancies that wont take we have no money for that as an answer
All it proves is that the NHS, like most public sector organisations, are not free to hush up instances of their IT going tits-up.
There were probably plenty of other organisations that were equally badly hit, but they weren't providing life-saving operations and didn't have any obligation to tell the world how badly hit they'd been. There is only a legal obligation in the event of a data breach. If you get all your files encrypted in situ, it's no-one's problem but your own.
Legacy specialist applications will include drivers for specialist hardware. I seem to recall someone mentioning drivers for tasers but it could be all kinds of stuff. This should be doable with virtualised and locked down setups but that is going to take time and expertise to set up correctly. Meanwhile, since 2010 the police force has been busy shedding personnel and doing additional anti-terrorist stuff. At some point something has to give. Ditto for the rest of the public sector.
The digital photo booths, fingerprint scanners, cell monitoring systems, interfaces to in-vehicle data systems, evidence barcoding systems etc etc. There's a lot of embedded technology in things nowadays. I'm actually shocked, though, by how much of the "must have legacy systems" are actually an on-the screen form drawn in some visual basic like interface designer that relies on IE6 foibles to work. I always get a little buzz when I see something like in a shop where they tab through a VT-100 style interface and get an immediate response from some big back end system. No reliance on any real local processing, no reliance on Windows or Microsoft libraries for the actual leg work... I mean, it's how it should be, right? It's going to keep working forever, practically. It could work with a VT-100 CRT display and an ethernet card, or with a VT-100 emulator on Windows XP, or on a Windows 7 , or Win 10 or a VT-100 emulator on a Raspberry Pi stuck under the counter. It just keeps going because you're asking so little of it.
"I mean, it's how it should be, right? It's going to keep working forever, practically."
Well that's a general trend in IT and perhaps other areas. Why make something simple when you can make it more complicated? If course we'd be better off if we ran business systems of text-mode interfaces. However in the 1990s there was this bizarre trend towards Windows and "distributed computing", since suddenly PCs were cheaper than terminals, and Unixoid systems were more expensive than a computer running Windows 95. Also there was a time when Unixoid systems were seen as "lagging behind". Of course with Linux and *BSD this has changed a lot.
BTW here's a nice anti UNIX rant from 1985
It also highlights one point unixoid systems had back then, since software was distributed as so-called object code, which is the output of the compiler. Obviously that's not portable.
I mean, it's how it should be, right?
Not unless you consider it a good use of the "big back end system" to be taking an interrupt for every character typed and keeping a map of the screen contents so that it can redraw it when the noisy and unreliable async connections suffers a parity error. And, indeed, be intimately bound to the minutiate of the user interface.
The whole point of multi-tier systems is for each layer to do what it does most efficiently and appropriately in such a way that it can be swapped out without the adjacent layers noticing if and when it becomes necessary.
If you're going to implement code with hard-to-maintian and short-lived technology, it's at least marginally better that it isn't built into the back-end logic too.
Incidentally, since you mention VT-100s and their ilk, the terminal driver was the most complex part of the RSX operating system and even minor patches tended to cause chaos as nearly every character-based UI depended on some undocumented behaviour or another and would break randomly if something changed. That's the downside of monolithic systems.
"Not unless you consider it a good use of the "big back end system" to be taking an interrupt for every character typed and keeping a map of the screen contents so that it can redraw it when the noisy and unreliable async connections suffers a parity error."
a) There's ethernet now, as well as port concentrators.
b) The redrawing is done by ncurses, which is still magnitudes simpler than most web frameworks
"...and appropriately in such a way that it can be swapped out without the adjacent layers noticing if and when it becomes necessary."
I would not consider the sorts of applications that make use of esoteric IE6 functionality or rely on deprecated UI interfaces in the host OS as fulfilling that criterion either. I merely offered the sort of very simple, very-thin client, text-based interfaces that some businesses rely on and have done for many, many years as an example of making something that has a long operational life and that requires very little done to it, if anything, when the other end, the client bit, needs to change. Changing something in one place is, usually, far easier and cheaper than having to change it in ten thousand places. As many of these "web form" type applications are feeding information back to a central repository, having excessive complexity at both ends makes things much worse.
>Perhaps they should consult the French police
Suspect because of licencing issues, the UK police will have to build their own distro, as if the French police supplied a version to the UK police, it would count as 'distribution' under the Linux licence.
Also post-Mar 2019, it could become subject to export controls (depending on just how much the French police have modified it to contain security and policing specific functionality)...
"The remaining XP machines are still in place due to complex technical requirements from a small number of externally provided highly specialised applications"
My best guess is some dismal web app that is heavily dependent on some of the non standard idiosyncrasies of IE6 (less likely would be driver issues as number of machines way too high for any hardware related driver, and for most other issues compatibility mode on Win 7 would fix teh issue)
Though I have sympathy with GMP, I do not like planned obsolescence by stopping security patches (which is what we get from all the Software vendors, be it Apple or MS on desktop or Apple and Google on mobile, and in between makers of software e.g. Firefox that only support more recent Mac OS versions) and thus ensuring a costly purchase of new hardware and software when the old system "did the job"
I run plenty of archaic low spec hardware - it just ends up having its original OS replaced by a lightweight Linux so I can choose to add key security patches
Ah, yes, those mission critical apps that haven't seen a developer in many a moon.
Who is responsible for apps that fall in this category? The entity who bought it, or the developer who kicked it loose like a red-headed step-child?
Pedant as he is wondering too...
I'm still running Windows XP, although I keep meaning to upgrade from SP2 to SP3. Maybe I'll get to it in a year or two. Hey, it still does what I need, and does it quite well, without all of the bloat that Vista/7/8/10 imposes. If it ain't broke, then don't fix it.
Anon Y. Mous
P.S. I've never been hit with a virus on that machine, mainly due to two layers of firewall protection, NAT, and careful operation of the machine (e.g., Flash is disabled.). But, I still back it up regularly, just because disks can crash unexpectedly.
Two years ago there was a Major Govt. Dept. keeping a WinNT4 machine limping along because the software only run under WinNT4 and nothing else. They needed the data for compliance reasons and the least risk and cost option was to keep it ticking over for as long as possible until the compliance window closed. If it died then I am sure that someone could reverse engineer the database, but that was ldeemd to be "too expensive until absolutely necessary".
It's probably still there.
"The remaining XP machines are still in place due to complex technical requirements from a small number of externally provided highly specialised applications," a spokeswoman told the BBC."
i read as:
"The remaining XP machines are still in place due to an incredible lack of foresight and standards on the part of the teenager who wrote the system as his 6th form project"
The machine I am writing this on is running Windows 7, but my other work machine still runs XP. With that said, it's also on a completely air-gapped network with very strict data ingress rules.
There are plans for that network to be updated to W7 at some point, but there are also good reasons for keeping the state of that network consistent until the current work being done on it is completed.
Somewhere buried in one of the HW labs is an Archimedes - also stand-alone, the worry there is that it is the only machine capable of running bespoke software to perform hardware testing for refurbished components we work with. If it were to fail...
Point is, there is still a valid reason for some legacy H/W and S/W, as long as the correct protection is in place.
Anything connected to the internet however? I'd be wary.
There are replacements for your Arc,
Titanium/RapidO Ti - http://www.rcomp.co.uk/ http://www.cjemicros.co.uk/ http://www.elesar.co.uk/
ARMX6/RapidO Ig - http://www.rcomp.co.uk/ http://www.cjemicros.co.uk/
RasberryPi - As above + https://www.raspberrypi.org/
And a good few others, just (google) RISCOS hardware.
Apologies for not mentioning all the others by name.
"complex technical requirements from a small number of externally provided highly specialised applications"
So I guess they are talking about stuff made with VB6 that does not work nicely past XP. Or would it be one of Pascal or COBOL? Let me guess, they "acquired" the license to use that software, but the provider ceased to exist ages ago.
Listen, in France, they developed GendBuntu to get the police to move from XP to Linux. How about they get in touch???
Just hire someone to outfit the entire thing with Linux and port over the applications. It may cost but in the long run it'll be cheaper since no MS licenses anymore.
Noble sentiments, but have you given any thought to how much that would cost? Have you any idea how many machines would need to be swapped from one OS to another, how many applications would need to be ported, how many of those applications are proprietary/closed-source? The obstacles and costs for "just" doing that would be eye-watering, and way beyond the budget of any cash-strapped public sector organisation.
>> lead malware man at Malwarebytes, said Manchester Police seem to be suffering from a common
>> problem - reliance on custom applications which don't work with other versions of Windows.
Users must realise that they should only be using their PCs for the convenience and enrichment of vendors and should take every opportunity to buy new versions of wares that the vendors are peddling as soon as they become available.
The real fault lies with the vendors, whose strategy in respect of application / device / format compatibility seems to place users, their organisations and the purposes for which they, THE USERS, want to use PCs at the end of their list of priorities. After all, if a user's application / device becomes (or, is made) obsolete, why hey! they'll have to buy a new one. All good for vendor profits.
The IT department where I've been working completely bricked an entire laboratory by upgrading all their PCs to Windows 10. They're now secure. They just can't be used for anything.
This obsession with upgrading comes from a world where PCs just run Microsoft Office and are connected to the Internet. You can upgrade these without much of a problem. There are plenty of systems that have software and peripherals that are not compatible with the new software so upgrading causes a lot of extra expense. This is particularly the case with industrial systems -- you can't keep upgrading them every five minutes (or even every Tuesday) -- they've got work to do.
The moral is don't build mission critical systems on Windows. The user interface might be pretty but you need something that's upgradable without killing off your production software.
"The moral is don't build mission critical systems on Windows. The user interface might be pretty but you need something that's upgradable without killing off your production software."
Your IT department clearly didn't talk to the people running the lab before pushing that out, and they should be ashamed of themselves.
as far as building business critical systems on a windows platform? As long as it's built using documented APIs and system calls, doesn't require bizzare and/or obscure drivers/hardware 'license' dongles/turns the parallel port into a high data rate serial bus/ interface with something custom-built (hardware AND software) by some oddball who retired into a coffin-shaped hole in the ground you should be moderately ok.
Also, as long as it's also still supported by the company who wrote it, and the place doesn't cheap out on keeping it up to date.
For the edge cases, then it's time to look at a work around for short term whilst planning/budgeting for an upgrade to something supported by the vendor.
(Case in point: my company has a large handful of tiny devices running XP embedded doing SCADA-esque system controls. I asked the vendor about upgrading the devices, and his reply was that it was pretty much a forklift upgrade. So we are going to further lock down the network they sit on as a work around, and start budgeting the 5 or 6 digit cost of upgrading the system to something that's better supported.)
Anon for patently obvious reasons.
Beyond mission critical software, don't forget expensive add-ons such as large format printers whose vendor may not provide new drivers. I have several old PCs hanging about in poly bags against the day I need a replacement that will run XP or has an ISA slot for a bespoke card.
Some software doesn't need a 4x annual revision cycle to be capable of doing the job it was purchased for. An agency as large as the Manchester police may lack funds not only for new hardware which in turn will require all new software, but also there is the cost of training everybody on what will likely be a radically different UI. Lots of those people aren't going to be very tech savvy and changing what they are already competent on is problematic. I always have to lock myself in a small room and have a good scream when a new rev of engineering software has all new icons on the buttons.
The government (any one you care to choose) usually sucks when it comes to bringing things in-house, but the applications they need for various agencies are so specialized that it might be necessary to have an agency that publishes and maintains software for the police, fire and other services. Not only is there a small market for something like a suite for the police, each country will also have certain requirements regarding what information is recorded and how it needs to be presented. How does a private company code and support a comprehensive application that will only sell a couple of thousand seats without needing to charge stupid amounts of money for each license?
VietNam's Cong An (Peoples Police), CGST (Traffic Cops) all run on XP, proudly standing next to low resolution 8-bit Epson dot-matrix printers.
Both some of the UK and US nuclear submarines also run on XP, as do older generations of ATMs.
But since most of these act simply as 'dumb' terminals, with the heavy lifting done by main frames, does it matter?
I still use a dot matrix printer! The ink is essentially free and they work for virtually forever, code is easy to read, it's utterly stress free to print.. aside from the din which one would suppose is undesirable in a sub...
I still use XP! I hated it because it ran slowly on pentiums when it first came out, but on a Core2Quad on a brand new motherboard, it flies! The OS shouldn't hog the majority of the resources available to the machine! The OS shouldn't be the reason people have to upgrade! The required computing task should prompt upgrades not the damned OS!
And this is the nub of everything, the stupidity of the Freedom of Information Act that allows these sorts of pointless requests. The Act is so misused it is not true. There is an entire industry around extracting commercial information from public bodies to sell on.
Just Google this name to see how it is abused
Francios Charles freedom of information
A threat actor has taken to a forum for news and discussion of data breaches with an offer to sell what they assert is a database containing records of over a billion Chinese civilians – allegedly stolen from the Shanghai Police.
Over the weekend, reports started to surface of a post to a forum at Breached.to. The post makes the following claim:
Europol cops have arrested nine suspected members of a cybercrime ring involved in phishing, internet scams, and money laundering.
The alleged crooks are believed to have stolen "several million euros" from at least "dozens of Belgian victims," according to that nation's police, which, along with the Dutch, supported the cross-border operation.
On Tuesday, after searching 24 houses in the Netherlands, officers cuffed eight men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse, and a 25-year-old woman from Deventer. We're told the cops seized, among other things, a firearm, designer clothing, expensive watches, and tens of thousands of euros.
The UK's police service is set to spend up to £50 million ($62.7 million) buying hardware and software for a legacy communication network that was planned to become obsolete in 2019.
The Home Office had planned to replace the Airwave secure emergency communication system, which launched in 2000, with a more advanced Emergency Services Network by the close of the decade. However, the legacy network has seen its life extended as its replacement was beset with delays. The ESN is expected to go live in 2026.
In a procurement notice, the Police Digital Service (PDS) said it was looking for up to three suppliers of Terrestrial Trunked Radio (TETRA) Encryption Algorithm 2 (TEA2) compatible radio devices – including handheld, desktop, and mobile terminals – as well as software, accessories, services, and maintenance for use on the UK Airwave system.
FluBot, the super-spreader Android malware that infected tens of thousands of phones globally, has been reportedly squashed by an international law enforcement operation.
In May, Dutch police disrupted the mobile malware's infrastructure, disconnecting thousands of victims' devices from the FluBot network and preventing more than 6.5 million spam text messages propagating the bot from reaching potential victims, according to Finland's National Bureau of Investigation on Wednesday.
The takedown followed a Europol-led investigation that involved law enforcement agencies from Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the US.
The Home Office is looking to replace its ancient and creaky National Firearms Licensing Management System (NFLMS) in a £20m contract.
NFLMS is the central police database of every firearm owner and every individual firearm in England and Wales. Whoever wins the contract will have a relatively low profile but critically important system to deliver.
"NFLMS is used by forces teams across England and Wales and these teams conduct approximately 170,000 licence grants, renewals and variations per year," said a notice on procurement website Bidstats.uk.
UK police forces have no overarching rules for introducing controversial technologies like AI and facial recognition, the House of Lords has heard.
Baroness Shackleton of the Lords' Justice and Home Affairs Committee said the group had found 30 organisations with some role in determining how the police use new technologies, without any single body to guide and enforce the adoption of new technologies.
Under questioning from the Lords, Kit Malthouse, minister for crime and policing, said: "It is complicated at the moment albeit I think most [police] forces are quite clear about their own situation."
The Clop ransomware gang pwned a managed service provider with access to the UK's Police National Computer, dumping data on its dark web leaks site – but officials deny that police data was compromised.
Dacoll, a Scotland-based MSP, was attacked in October by the notorious criminal crew. Reports surfaced in the Mail on Sunday newspaper over the weekend that the criminals had published information from the Police National Computer on their leaks site.
The paper claimed that data was harvested through illicit access to Dacoll's systems when the company was subject to a ransomware attack back in October. A Dacoll subsidiary, NDI Technologies, advertises itself as "the leader for all things related to the Police National Computer."
Ukrainian police have arrested five people on suspicion of operating a ransomware gang, including a husband-and-wife team, following tipoffs from UK law enforcement.
"The organizer of the group, a 36-year-old resident of Kyiv, together with his wife and three acquaintances carried out cyberattacks on foreign companies," cops alleged in a characteristically blunt statement (in Ukrainian).
They claimed "more than 50" companies were targeted by the alleged gang, causing damage estimated at "more than one million US dollars."
The European Data Protection Supervisor (EDPS) has ordered European Union law enforcement agency Europol to delete any data it has on individuals that's over six months old, provided there's no link to criminal activity.
EDPS says it probed Europol's collection of large datasets for strategic and operational analysis from April 2019 until September 2020. The investigation concluded the law enforcement agency needed to up its game when it came to data minimisation and retention and encouraged Europol to make necessary changes and then let the EDPS know of its action plan.
According to regulations, "personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which this data is processed," and "personal data processed by Europol shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed."
A Canadian man is accused of masterminding ransomware attacks that caused "damage" to systems belonging to the US state of Alaska.
A federal indictment against Matthew Philbert, 31, of Ottawa, was unsealed yesterday, and he was also concurrently charged by the Canadian authorities with a number of other criminal offences at the same time. US prosecutors [PDF] claimed he carried out "cyber related offences" – including a specific 2018 attack on a computer in Alaska.
The Canadian Broadcasting Corporation reported that Philbert was charged after a 23 month investigation "that also involved the [Royal Canadian Mounted Police, federal enforcers], the FBI and Europol."
Biting the hand that feeds IT © 1998–2022