Why XP is “Obsolete” Whether You Like it or Not

I’ve written a bit about the end of XP lately, and several commenters in various venues have called me to task for calling the OS “obsolete.”

It is obsolete. Get over it.

It isn’t obsolete because it no longer serves a purpose. It isn’t obsolete because it’s broken. It isn’t obsolete because I say it is. It’s obsolete because Microsoft says it is.

Now, maybe Microsoft shouldn’t have done that. Maybe they should continue supporting the operating system. Maybe it’s wrong that the software industry drops support for software despite many customers’ wishes. Those are all excellent arguments, and there are a number of productive discussions that I think could be had around them. The way the software industry currently works isn’t optimal for its customers.

But none of that changes the fact that Microsoft has declared XP to be obsolete. They’ve dropped support for it – and that’s important.

And calls for guys like me to “get out in the real world” completely miss the point. “Why should we move off of XP? It still works. You don’t know what the real world is like, it’s difficult to roll out a new operating system.”

Ugh.

do work in the real world. Yes, I know a lot of companies don’t want to move off of XP. Yes, I know it’s difficult and expensive to roll out new operating systems – although I’d argue it’s less difficult, and less expensive, than in the past. I’d probably argue that being able to roll out client operating systems, service packs, and hot fixes is a core IT competency, and that if you find it challenging, you might not be very good at your job. I might argue that.

But none of that changes the fact that, by dropping support for XP, Microsoft has literally dropped a bomb in your organization. A time bomb.

Again, let’s be clear about something: I’m not defending Microsoft’s action, here. I’m not making a case for what “should be” or what’s Right and Just. I’m trying to make a point about what’s really here, right now, in the real world everyone claims to work in. If you think there’s no problem continuing to run XP, you’ve got your head in the sand. You don’t work in the real world.

And that problem has nothing to do with me drinking flavored soft drinks issued by Redmond. The problem has nothing to do with XP’s ability to function in an organization. The problem is that attackers are now free to unleash exploits in XP that they’ve probably already discovered, knowing that Microsoft will no longer move to patch those vulnerabilities.

The problem is that attacking organizations isn’t just something script kiddies do for fun, any longer. It’s a business. It’s a big business, with a crapload of money on the line. And like any big business, tech attackers can think long-term. They can identify OS vulnerabilities and then sit on them, waiting until they know those vulnerabilities will remain open and un-patched.

That XP-based point of sale system your restaurant uses? Yeah, I know it’s stupid expensive to replace. I used to build those things. I get it. But it’s a time bomb waiting for someone to install malware on it and start skimming customer credit card information. And it’ll never get an OS patch, ever again.

And for the haters, I want to make it perfectly clear that I’m not saying you have to immediately replace all your XP stuff. I know exactly how impractical that is. I do wish people had planned a bit more in advance for this situation, but where we’re at is… well, it’s where we’re at.

But you have to acknowledge that XP is obsolete. “Obsolete” doesn’t mean “you have to get rid of it immediately.” “Obsolete” means “you have to acknowledge that it’s a time bomb, and you have to manage it differently than you used it.” Anti-malware software becomes vastly more important than before. Locking down the local firewall for both incoming and outgoing connections becomes more important. Locking down the software that can run on the machine becomes more important.

My frustration with the “XP situation” – a frustration I’ve tried to express, with only limited success so far – isn’t that people are still running XP. Believe me, I know a lot more about business realities than you might think. My frustration is the folks who think keeping XP is “business as usual.” It isn’t. Those XP machines just became massively attractive targets. The businesses I work with every day have, frankly, terrible security on a good day. Yeah, they talk the security talk, but they don’t walk the walk.

So look… XP is obsolete. It’s obsolete because MS dropped support for it, whether or not that was the right thing for them to do. You can continue running it, obviously, and in many cases you’ll be stuck with it for a long time. Hopefully, you expected that was going to happen – and you’ve planned to put appropriate protections on those machines. Rely on XP still having OS-level exploits that haven’t yet been abused in the wild… and rely on that abuse coming to a network near you. Just plan for it, is all I’m saying. Don’t treat the old OS like you used to – give it a little more bubble wrap. A little more coddling. Get off it when you can, and take extra measures when you can’t.

It’s obsolete, but that doesn’t mean it’s going away. And that makes attackers giggle with delight.

 

 

Awful, Awful IT Management. Just Awful.

So we’ve all heard the news that the UK and Dutch governments are paying Microsoft million$ to consider supporting XP for them.

I am appalled. What a waste of taxpayer money. Frankly, everyone in charge of IT in these organizations should be fired. Maybe imprisoned. Here’s why:

You didn’t see this coming? For Jah’s sake, XP is 12 years old. You’re telling me that you were so blindsided by the end of support that you have to spend millions to support an outdated, highly vulnerable operating system, instead of upgrading?

You lack capability? What, you can’t efficiently roll out a newer desktop operating system in a reasonable period of time? For shame. I sure hope you don’t have to react to anything important anytime soon.

As an aside, I find it hilarious that the UK government is one of the two entities (so far) doing this. These are the folks who invented ITIL, remember, a framework I have long held as being expressly designed to halt change. I mean, I get the value of change control, but I truly don’t feel ITIL is designed to manage change so much as make sure it doesn’t happen much. Giggles.

You’ve got expensive stuff that only runs on XP. Ah, most people will use this to get a pass on the XP thing. Not from me. You’re telling me that, some years ago, you acquired some technology solution and didn’t ensure it had an upgrade path? You what, thought XP would be the last version of Windows ever? If you put Neil The Help Desk Guy in charge of acquisitions, I’d expect that kind of naiveté. I don’t accept it from technology executives. Part of your procurement process should always be, “what’s the path when Windows ___ is retired?” You should be planning to upgrade everything you buy. Not waiting until it’s a fait accompli and then paying through the nose to support 12-year-old software.

The last guy didn’t do anything to prepare. And you’ve been doing what since we hired you? Your first move wasn’t to find out what kind of obsolete stuff you had lying around, and start to plan what to do about it? Your answer is to spend millions so a software company can support something that’s older than the most recent tax code?

 

…breathe…

I want to acknowledge that governments are never terribly efficient. I don’t necessarily want them to be. There’s a downside to businesslike efficiency when you’re not in the business of making a profit, and I don’t want my government making a profit. No danger there, fortunately. But this is just amateurish. Nobody making these “spend millions to support old software” decisions should be managing anything. Like, not even the local pub.

Things in IT are moving faster, not slower. XP is officially old enough to qualify for a “Classic” license plate in some states. Your car is probably newer than XP. Management that didn’t have an XP plan four years ago is incompetent; management that’s paying extra money to support an obsolete OS isn’t incompetent. They’re criminal.

Especially if they’re spending your money to do it. There should, honestly, be hearings.

Target’s CIO resigned over a lesser offense. One that was, arguably, less predictable. I mean, nobody told Target in advance they were going to be hacked. Microsoft has been telling us for years that XP was going away. There’s been time. 

Sorry. Bit of a rant. This really frustrates me. If our IT leaders can’t get their heads screwed on any tighter than this, then we’re all screwed. Because I guarantee you, if there’s been no XP plan, then there’s damn sure no plans for anything important. Like protecting your personal information.

(And, as an aside, folks in the US should be bloody amazed that HealthCare.gov had as few problems as it did. The tech standard, for governments, is apparently not very high.)

 

…and an update…

As you’ll notice from the comments, at least a few folks aren’t grasping the point of the story. The point isn’t, “you should ditch XP now.”

The point is about learning from your mistakes. 

Okay, so you’re stuck with XP. You should be called up on charges, because you definitely saw this coming. More importantly, what are you doing to make sure this scenario doesn’t happen again? Before you buy that expensive whatever-it-does, are you making sure the vendor has a plan to do something about software obsolescence? I’m sure that if you make that a sticking point on the sale, they’ll come up with an answer. And yeah, vendors go out of business – I get that. But we should be doing all we can reasonably do to make sure we don’t get into this “XP forever” situation again. Maybe we’re screwed this time around… but you know the saying. Screw me once, shame on you….

Hopefully everyone can look at this XP situation, where some people (even if it isn’t you) are going to be stuck with XP for years, and make sure that becomes a discussion point with every vendor. “So the machine cures cancer, huh? What’s the upgrade path when Windows 9.2 is 10 years old? You’ve no idea? Okay, well maybe your competitor does.”

But I truly hate the attitude of, “well, there’s nothing we can do, now or ever, can’t even try harder next time.” It’s just lazy. We should all be pushing for more manageable, more secure, more stable technology. All the time. And I know almost everyone does, and I know sometimes, in edge cases, the situation is what it is.

…not to mention…

And, by the way, let’s draw a bit of a line and make sure you’re reading the preceding rant. I’m not kvetching about a business who got stuck with some specialized controllers running an embedded or near-embedded OS. I’m talking about millions and millions of dollars being spent by governments to support what in most cases are general-purpose PCs. I think there’s a bit of a difference there. These aren’t folks who are stuck. They’re folks who didn’t plan.