Why XP is “Obsolete” Whether You Like it or Not


I’ve written a bit about the end of XP lately, and several commenters in various venues have called me to task for calling the OS “obsolete.”

It is obsolete. Get over it.

It isn’t obsolete because it no longer serves a purpose. It isn’t obsolete because it’s broken. It isn’t obsolete because I say it is. It’s obsolete because Microsoft says it is.

Now, maybe Microsoft shouldn’t have done that. Maybe they should continue supporting the operating system. Maybe it’s wrong that the software industry drops support for software despite many customers’ wishes. Those are all excellent arguments, and there are a number of productive discussions that I think could be had around them. The way the software industry currently works isn’t optimal for its customers.

But none of that changes the fact that Microsoft has declared XP to be obsolete. They’ve dropped support for it – and that’s important.

And calls for guys like me to “get out in the real world” completely miss the point. “Why should we move off of XP? It still works. You don’t know what the real world is like, it’s difficult to roll out a new operating system.”

Ugh.

I do work in the real world. Yes, I know a lot of companies don’t want to move off of XP. Yes, I know it’s difficult and expensive to roll out new operating systems – although I’d argue it’s less difficult, and less expensive, than in the past. I’d probably argue that being able to roll out client operating systems, service packs, and hot fixes is a core IT competency, and that if you find it challenging, you might not be very good at your job. I might argue that.

But none of that changes the fact that, by dropping support for XP, Microsoft has literally dropped a bomb in your organization. A time bomb.

Again, let’s be clear about something: I’m not defending Microsoft’s action, here. I’m not making a case for what “should be” or what’s Right and Just. I’m trying to make a point about what’s really here, right now, in the real world everyone claims to work in. If you think there’s no problem continuing to run XP, you’ve got your head in the sand. You don’t work in the real world.

And that problem has nothing to do with me drinking flavored soft drinks issued by Redmond. The problem has nothing to do with XP’s ability to function in an organization. The problem is that attackers are now free to unleash exploits in XP that they’ve probably already discovered, knowing that Microsoft will no longer move to patch those vulnerabilities.

The problem is that attacking organizations isn’t just something script kiddies do for fun, any longer. It’s a business. It’s a big business, with a crapload of money on the line. And like any big business, tech attackers can think long-term. They can identify OS vulnerabilities and then sit on them, waiting until they know those vulnerabilities will remain open and un-patched.

That XP-based point of sale system your restaurant uses? Yeah, I know it’s stupid expensive to replace. I used to build those things. I get it. But it’s a time bomb waiting for someone to install malware on it and start skimming customer credit card information. And it’ll never get an OS patch, ever again.

And for the haters, I want to make it perfectly clear that I’m not saying you have to immediately replace all your XP stuff. I know exactly how impractical that is. I do wish people had planned a bit more in advance for this situation, but where we’re at is… well, it’s where we’re at.

But you have to acknowledge that XP is obsolete. “Obsolete” doesn’t mean “you have to get rid of it immediately.” “Obsolete” means “you have to acknowledge that it’s a time bomb, and you have to manage it differently than you used to.” Anti-malware software becomes vastly more important than before. Locking down the local firewall for both incoming and outgoing connections becomes more important. Locking down the software that can run on the machine becomes more important.

My frustration with the “XP situation” – a frustration I’ve tried to express, with only limited success so far – isn’t that people are still running XP. Believe me, I know a lot more about business realities than you might think. My frustration is the folks who think keeping XP is “business as usual.” It isn’t. Those XP machines just became massively attractive targets. The businesses I work with every day have, frankly, terrible security on a good day. Yeah, they talk the security talk, but they don’t walk the walk.

So look… XP is obsolete. It’s obsolete because MS dropped support for it, whether or not that was the right thing for them to do. You can continue running it, obviously, and in many cases you’ll be stuck with it for a long time. Hopefully, you expected that was going to happen – and you’ve planned to put appropriate protections on those machines. Rely on XP still having OS-level exploits that haven’t yet been abused in the wild… and rely on that abuse coming to a network near you. Just plan for it, is all I’m saying. Don’t treat the old OS like you used to – give it a little more bubble wrap. A little more coddling. Get off it when you can, and take extra measures when you can’t.

It’s obsolete, but that doesn’t mean it’s going away. And that makes attackers giggle with delight.


Oh, Noze, Now I Know A Product Exists! Augh! Take The Knowledge AWAAAY!


So, just got done doing a webinar on AD group management. I thought it went well – a lot of organizations spend WAY too much on group management, and it isn’t really a technical problem as much as it is the right people in the org not having the right UI. Anyway, spent about 40 minutes talking about the things we see companies dealing with, and some of what we’ve seen people try, and what worked, and what didn’t.

I kind of wrapped with a list of 5 main capabilities we see companies needing, like getting a UI in place that lets actual data owners manage the groups that provide access to their data. We also talked a bit about how it’s mostly political problems that keep group management from being better.

The webinar was sponsored by a vendor, of course, but they didn’t even show up to do a product demo or sales pitch. They wanted it to be a legit discussion on the problem, and what my company sees companies dealing with. At the end, they do get mentioned as a sponsor. I said something to the effect of, “look, the solution here is basically better distributed, delegated user interfaces, and that doesn’t come with the OS. You have to either build or buy. If buying is an option, look at this sponsor’s web site. They’re a good place to start – this is an area they work in. There are others, and you should do some research.”

One attendee drops a comment in the Q&A queue: “I was not told we would have a product shoved down our throat. Do not contact me.”

Sheesh. First of all, sweet pea, if I’m gonna shove anything, you’ll know it. But seriously, this attitude just vexes me. We spend 40 minutes talking about legit problems, talking about what companies often try, and what happens. We talk about the real money involved – how much it costs to continue dealing with these problems. We talk honestly about the problem being partially political, and some ways to start addressing that. Then in the last 120 seconds, I introduce a sponsor and say that they have a product you should include in your other considerations as you look for solutions. And that’s shoving?

It’s this don’t-market-to-me-at-any-cost attitude I just don’t get. This wasn’t a bait and switch presentation by any stretch; there’s just certain people who think they’ve somehow been personally violated if they’re presented with any kind of knowledge of vendors or commercial activities. Like, knowing that a vendor and a product exists has somehow weighed down your brain and made you less able to function in the world. I mean heck, this wasn’t even the usual webinar, which is mainly just designed to get you online to watch a product demo. I try to not even do those.

I like knowing about different solutions. I love it when folks tell me about tools they’re using in their organization, and what they think of them. I’m seriously trying to put together a vendors-not-allowed site where IT folks can share information on their tools, and honest opinions on them – I think it’d be great for research.

But getting PO’d because you had to “endure” the knowledge that a vendor exists? Man. That’s an uptight life. I wonder if that person can even watch network TV. I mean, I skip commercials on my DVR, but I know that the commercials exist. What a terrible knowledge to have to live with.

OK, back to Summit planning.

Why My Old Insurance Agent is a Lot Like an IT Department


For a long time, I was with a particular insurance company. Since I learned to drive, in fact. As I grew up, they got my renter’s insurance, then my homeowner’s insurance, then another car on the policy. I was pretty happy with their service, and the premiums, I felt, were reasonable.

Then I got to talking to a financial advisor who’d been in the insurance industry. “Ditch that rental car coverage,” he advised. “You’re basically paying for a rental car day per month; we loved those riders because they were almost pure profit. It’s cheaper just to put a little away for that in case you need it.” Okay, sensible opinion. “And you need to raise those coverages. The state minimums won’t cover liability in a real-world scenario, and whoever you hit can come after you for the rest.” Yikes. Well, to be fair, I’d never really looked at my policy since my early twenties, when I owned nothing and was trying to get as cheap a policy as possible. He recommended some more-sensible coverages for a grownup, and also suggested I look into an umbrella policy. “They’re cheap, and they provide an immense amount of coverage across both your home and your car.” We talked at length, and I decided to see what the coverage would cost.

It took my agent almost six weeks to get me a quote. Hello, trying to give you money, can you help out a little? After a family discussion and budget review, we decided on some expansions to our policies. Four weeks later we were still trying to get the agent to make the changes. Hi, me again, trying to give you more money? No?

I started to feel like my business was being taken for granted. I certainly wasn’t getting what I wanted in terms of service – not even a call back. Maybe it was time to shop around a bit.

I put together an RFP. Not kidding. I laid out every single policy item and limit we wanted, and sent out a huge packet to a dozen agents in my area. One got back to me, and his quote was literally half of what I’d been expecting to pay to the current company. Double yikes. He also had some suggestions for cutting back on unnecessary limits and riders and stuff. Anyway, suffice to say we formed a great working relationship and my old agent lost my business.

But I’m not here to bitch about my insurance agent, or to sell you on a particular company. Not at all. I’m not even going to swear that the above story is true, although it’s certainly plausible, and it definitely is at least based on a true story. What I’d like you to simply consider is that, when customers don’t get what they want, they’re often willing to tear up roots and move on. That’s actually bad for everyone: the customer has to go through a lot of hassle, and the business loses the business. The customer might wind up happier in the end, but in that situation it’s actually easier to retain the customer than it is to lose them, because most folks will avoid hassle if they can.

Now, let me retell the story a bit. I’ll be briefer, this time.

For a long time, I was with my IT department. Since I started at the company, in fact. I was pretty happy with their service, and the SLAs, I felt, were reasonable. Then I needed some additional services, like the ability to transfer some files to an external vendor.

It took my IT department almost two weeks to tell me that they couldn’t even provide a way for me to do that and still “comply with regulations,” whatever that means. I certainly wasn’t getting what I wanted in terms of service – not even a fast call back. Maybe it was time to shop around a bit.

I opened a Dropbox account. Yeah, it cost a few bucks, but they were quick, and I got my job done. Anyway, suffice to say we formed a great working relationship and my IT department lost my business. Now I don’t have any problem at all just going and getting what I need if they won’t provide it.

That’s where the “consumerization” of IT came from. Now look, I’m not criticizing IT for following the company rules. But you know IT is the one that gets blamed. We can finger-point at company policy all we want, but it doesn’t matter.

This is a huge problem. No, it isn’t entirely an IT problem. Actually, it’s barely even an IT problem at all; we could certainly implement whatever users needed, if we were funded and permitted. But we take the hate anyway, so it’s kind of our problem. We can do, basically, one of two things about it. We can continue to try and deflect the hate to “company policy,” which will rarely work because it simply isn’t a satisfying target for the hate.

Or we can start to agitate.

I feel that IT has, for far too long, been put in the position of corporate heavyweight. We have to enforce rules that we don’t like, know are senseless, and don’t originate from technical places at all. We’re the ones who know how to set permissions, and so we become the gatekeepers of permissions. That bugs me, because it isn’t technology.

So instead of standing up to your users… become their advocate.

Ever see Disney-Pixar’s “The Incredibles?” Go watch the first modern-day scene, where Bob Parr is dealing with a little old lady at his insurance company. He looks furtively around, and says, “look, I can’t tell you to go fill out form XYZ and carry it up to so-and-so in order to bypass this and get your claim filled.” Wink, wink.

Do that. Start telling your users to open a ticket every time they need to transfer a file or whatever, and can’t, because IT isn’t allowed to give them that ability. Burn an hour on the ticket explaining the problem, every time. Agitate at planning meetings and other formal outlets. Propose a solution. That’s the important bit. “Look, we could do this, securely and in full compliance, if we just _____. It’d cost us ___, and Lord knows we’re burning that much just opening tickets for users right now.” Become the users’ champion.

Obviously, you don’t do this for silly things. Let’s keep the discussion sensible, right? But for legitimate services that the company just isn’t offering, and which users are going on their own and working around, propose a fix. Price it out. Protest in favor of it. That’s how we move IT forward. It’s certainly how we get our users on our side a little bit. And if the company is going to insist on putting us in the middleman role, well, then it can work both ways.

A proposal doesn’t need to be a full-on ITIL-compliant project, either. Do some research. Get some pricing. Propose. If someone says, “yeah, let’s dig into that,” then you can start treating it as a real thing – and start putting out the word that, “yeah, we’re finally working on it.” Progress!

I know it’s easier just to point to company policy, or another department, or whatever, and throw up your hands and say, “look, I just work here, too.” But I’ve always been a “see the problem, fix the problem” kind of person. Even if it makes me a bit unpopular in meetings (it does), I’d rather keep pushing the organization forward, solve needs, and make things more efficient and productive. Sometimes, that means pushing a bit at both sides.

Awful, Awful IT Management. Just Awful.


So we’ve all heard the news that the UK and Dutch governments are paying Microsoft million$ to consider supporting XP for them.

I am appalled. What a waste of taxpayer money. Frankly, everyone in charge of IT in these organizations should be fired. Maybe imprisoned. Here’s why:

You didn’t see this coming? For Jah’s sake, XP is 12 years old. You’re telling me that you were so blindsided by the end of support that you have to spend millions to support an outdated, highly vulnerable operating system, instead of upgrading?

You lack capability? What, you can’t efficiently roll out a newer desktop operating system in a reasonable period of time? For shame. I sure hope you don’t have to react to anything important anytime soon.

As an aside, I find it hilarious that the UK government is one of the two entities (so far) doing this. These are the folks who invented ITIL, remember, a framework I have long held as being expressly designed to halt change. I mean, I get the value of change control, but I truly don’t feel ITIL is designed to manage change so much as make sure it doesn’t happen much. Giggles.

You’ve got expensive stuff that only runs on XP. Ah, most people will use this to get a pass on the XP thing. Not from me. You’re telling me that, some years ago, you acquired some technology solution and didn’t ensure it had an upgrade path? You what, thought XP would be the last version of Windows ever? If you put Neil The Help Desk Guy in charge of acquisitions, I’d expect that kind of naiveté. I don’t accept it from technology executives. Part of your procurement process should always be, “what’s the path when Windows ___ is retired?” You should be planning to upgrade everything you buy. Not waiting until it’s a fait accompli and then paying through the nose to support 12-year-old software.

The last guy didn’t do anything to prepare. And you’ve been doing what since we hired you? Your first move wasn’t to find out what kind of obsolete stuff you had lying around, and start to plan what to do about it? Your answer is to spend millions so a software company can support something that’s older than the most recent tax code?


…breathe…

I want to acknowledge that governments are never terribly efficient. I don’t necessarily want them to be. There’s a downside to businesslike efficiency when you’re not in the business of making a profit, and I don’t want my government making a profit. No danger there, fortunately. But this is just amateurish. Nobody making these “spend millions to support old software” decisions should be managing anything. Like, not even the local pub.

Things in IT are moving faster, not slower. XP is officially old enough to qualify for a “Classic” license plate in some states. Your car is probably newer than XP. Management that didn’t have an XP plan four years ago is incompetent; management that’s paying extra money to support an obsolete OS isn’t incompetent. They’re criminal.

Especially if they’re spending your money to do it. There should, honestly, be hearings.

Target’s CIO resigned over a lesser offense. One that was, arguably, less predictable. I mean, nobody told Target in advance they were going to be hacked. Microsoft has been telling us for years that XP was going away. There’s been time.

Sorry. Bit of a rant. This really frustrates me. If our IT leaders can’t get their heads screwed on any tighter than this, then we’re all screwed. Because I guarantee you, if there’s been no XP plan, then there’s damn sure no plans for anything important. Like protecting your personal information.

(And, as an aside, folks in the US should be bloody amazed that HealthCare.gov had as few problems as it did. The tech standard, for governments, is apparently not very high.)


…and an update…

As you’ll notice from the comments, at least a few folks aren’t grasping the point of the story. The point isn’t, “you should ditch XP now.”

The point is about learning from your mistakes.

Okay, so you’re stuck with XP. You should be called up on charges, because you definitely saw this coming. More importantly, what are you doing to make sure this scenario doesn’t happen again? Before you buy that expensive whatever-it-does, are you making sure the vendor has a plan to do something about software obsolescence? I’m sure that if you make that a sticking point on the sale, they’ll come up with an answer. And yeah, vendors go out of business – I get that. But we should be doing all we can reasonably do to make sure we don’t get into this “XP forever” situation again. Maybe we’re screwed this time around… but you know the saying. Screw me once, shame on you….

Hopefully everyone can look at this XP situation, where some people (even if it isn’t you) are going to be stuck with XP for years, and make sure that becomes a discussion point with every vendor. “So the machine cures cancer, huh? What’s the upgrade path when Windows 9.2 is 10 years old? You’ve no idea? Okay, well maybe your competitor does.”

But I truly hate the attitude of, “well, there’s nothing we can do, now or ever, can’t even try harder next time.” It’s just lazy. We should all be pushing for more manageable, more secure, more stable technology. All the time. And I know almost everyone does, and I know sometimes, in edge cases, the situation is what it is.

…not to mention…

And, by the way, let’s draw a bit of a line and make sure you’re reading the preceding rant. I’m not kvetching about a business who got stuck with some specialized controllers running an embedded or near-embedded OS. I’m talking about millions and millions of dollars being spent by governments to support what in most cases are general-purpose PCs. I think there’s a bit of a difference there. These aren’t folks who are stuck. They’re folks who didn’t plan.

Internal IT “Customers” don’t Have to be Happy. They Have to be Productive.


I don’t know exactly when companies’ IT departments were asked to start thinking of internal users as “customers.” I mean, I get it – businesses exist to make money, and you primarily do that by making customers happy, so happy customers = better business. Sure. Except that our internal users aren’t customers, and we in IT are frequently put in the position of not giving them what they want. Users aren’t paying us, and they often ask for things that are opposed to what’s wanted by the folks who are paying us.

Let’s say you walk into Macy’s and buy some shoes. So long as you pay for them, nobody in that store is going to tell you that you can’t have the shoes, right? On the contrary, they’re going to help you try those things on, and possibly suggest some lovely socks to go with them.

IT just doesn’t work that way. Users don’t pay for things, so we don’t always let them have what they want, and we certainly don’t suggest some add-on items or offer a discount if they use their store charge card. Now, maybe we should. Companies that adopt “private cloud”-ish management practices may indeed give authorized “customers” whatever they (or their department) can pay for. But there aren’t a ton of IT departments being managed that way. Not yet. Maybe someday.

No, our users aren’t customers, and they don’t need to be happy. They need to be productive, they need to be safe, and they need to be compliant, and in many cases making sure those three things are true will make the users happy in some form. I mean, it’s not ice cream, but it’s getting the job done. I had one customer whose IT department mission statement started with “…to delight our internal and external customers.” That’s silly. That’s like being delighted with the water cooler. When IT is doing its job right, we’re invisible, like electricity. We’re not delightful. We just work.

That’s why I don’t like the whole “customer” word being used for internal users. It’s a completely false analogy. It’s one of those Dilbert phrases that we all know is ridiculous, yet we persist in using anyway. Like saying something is an “issue.” No, it’s a problem. Magazines have issues. Stamps have issues. Computers have problems. Calling users “customers” starts to set up this whole mental chain of associations – like the need to “delight” them – that just isn’t accurate. Keep saying “customers” enough, and HR will start surveying users’ level of delight, which is a completely useless metric. Everyone will take the “customer” thing and run with it. I’m sure some of you have seen that happen in your own organization.

IT should probably never be asking itself, “what can we do to make our customers happier?” We should probably be asking, “what shall we give our users to help them be safer, more productive, and more compliant with company rules?” That’s what the company certainly should want us to do, right? Our users are our constituents. Through their representatives (e.g., management), they determine if we in IT have a job or not. Our users are obviously incredibly important – they’re the reason we go to work every morning – but they’re not our customers. They’re partners, for certain; to some degree, we’re all “in it together” to make whatever the organization does happen every day. But not customers.

Words are important. Analogies are especially important. Like the late George Carlin, I think we spend too much time sapping the power from important words, and then misusing other words and creating false impressions. A problem is a problem; a user isn’t a customer. I understand that we need to be respectful to our partners and constituents, and that “users” might not be seen as respectful, but I don’t think we do anyone a service when we start lying to ourselves and to each other about the kind of relationship we’re all in.

And by the way, IT doesn’t get patted on the back all that often. Usually, we’re heads-down working on the next problem. But it’s worth taking a few minutes, perhaps in your weekly or monthly team meetings, to remind yourselves what you’ve done to make your constituents more productive, safer, and more compliant. Remind yourselves what you’ve done (or not done) to not achieve those goals. Retailers ask themselves what they could do to make customers happier – there’s no reason IT can’t have a similar attitude and ask what we can do to make our partners’ lives easier, safer, and more compliant. Heck, most IT teams do just that, all the time. Sure, we’ll joke about not liking our users – but we know they’re an important part of the picture. Taking a little time to borrow one customer-centric behavior from retail – just modifying it to focus less on “happy” and more on company goals – is certainly a good idea.

That just doesn’t make our users customers.

Why Stores “Penalize” You For Not Using Your Gift Card Within a Year


I used to work for a retailer, and we issued gift certificates – these days, they’d be preloaded gift cards. Except back then, certificates never had an expiration date.

We hated our gift certificates. And the reason why might surprise you. Today, a lot of retailers start charging fees after a gift card has been unused for a year. Most folks see that as a “penalty” for not using the card, and assume that the motive is sheer corporate greed.

Not exactly.

While I’m not saying it’s any more fair, the reason has to do with accounting. A gift card isn’t a sale by the retailer to you; it’s a “tender exchange.” Meaning, they’ve taken cash, but they can’t count it as revenue because they’ve issued a debt instrument (the card) to you. That card represents a liability until it’s expired, cancelled, or fulfilled – and the accountants have to account for it every single year. It makes the books look funny, too, and a big enough liability like that can make it tough to sell a company, because a potential buyer might look at the outstanding debt vs. the company’s ability to fulfill it and get tweaky.

The fees aren’t so much a penalty as they are an incentive. The merchant really really really wants you to use the card so (a) they can finally count that money as revenue and (b) get the debt off the books.

Again, not saying it’s any more fair, but the motive isn’t purely corporate greed. Call it corporate laziness, if you prefer, as that’s more accurate.

Obviously, some jurisdictions disallow these no-use charges, and some retailers do a better job of disclosing them up front than others.

Frankly, I’ve been in conversations about this with a few retailers, and if they could come up with a better incentive to make you use the card, they probably would. I know one or two smaller ones have tried offering a small discount on your purchase when you use the card within a year (“turn your $100 card into $110 if you use it now!”); those typically don’t have huge success because the discount isn’t usually easy to communicate (people like to buy cards with fancy designs on them, not marketing text).

Keep in mind that a lot of retailers hope your gift card will go to someone who isn’t already a regular customer, thereby earning them the chance to bring in a new repeat customer. So they don’t, in most cases, want to penalize the recipient… they want them to bloody show up and spend the money, already.

BTW – one reason the first folks started charging those “no-use” fees (which are often a few dollars per year) is because there was once talk about letting a consumer cancel a gift card, and get their money back with interest (!!!). Treating the card as a loan instrument, in other words. In that scenario, charging the no-use fee was intended to make the card look less like a loan to regulators, and more like a carrying service. That loan thing never happened anyplace that I’m aware of, but once they had the fees on the books, stores obviously felt inclined to leave it there.

And yeah, I’m sure they don’t hate the income. Remember, I live in Vegas, where thousands of dollars in unredeemed slot machine tickets fly out of town every week. Those expire after a couple of weeks, and we get to keep the cash. We dump it into the pool at Luxor, and all the locals get together once a month and swim in it, while chuckling madly.

Anyway… not saying it’s better or worse, but thought you might appreciate knowing the backstory.

5 Points Each if You Know These People (Throwback Thursday)


Can you name all four people in these photos?

Yeah, when I was high school-aged, I used to help run some of our local Star Trek conventions, such as Sci-Con, Beach Trek, and others. You definitely want to ask me about Tasha Yar’s underwear sometime. At a bar. You’re buying.