Hey banks: Use Win XP after deadline? You'll PAY if card data's snaffled

Banks that use the Windows XP operating system will face a risk to their compliance with payment card data security rules if they continue to operate the software after Microsoft withdraws its extended support services, a US regulatory body has warned. Microsoft confirmed in 2010 that it would end "extended support" for …

COMMENTS

This topic is closed for new posts.


  1. Anonymous Coward
    Anonymous Coward

    French Police Had The Right Idea

    And for a lot less cash.

    http://linux.slashdot.org/story/13/10/03/185235/french-police-to-switch-72000-desktop-pcs-to-linux

    1. Anonymous Coward
      Anonymous Coward

      Re: French Police Had The Right Idea

      So how long will that Linux distribution be vendor supported for then? Anything over a couple of years is pretty exceptional....And then of course major upgrades in Linux don't normally support in place updates, but require a full rebuild...

      I bet it isn't actually for lot less cash. Munich already demonstrated that it actually costs millions more to run Linux on the desktop....They are almost certainly not covering the full picture in their 'TCO'

      1. Anonymous Coward
        Anonymous Coward

        Re: French Police Had The Right Idea

        The whole article is FUD. Paid support is available for those that need it. They can still get patches.

      2. bigtimehustler

        Re: French Police Had The Right Idea

        Errrr, what? Pretty much all modern Linux environments support an in-place upgrade to a new major release. What decade are you living in? Might I also add, the upgrades are a lot smoother and take less time as well.

        1. Anonymous Coward
          Anonymous Coward

          Re: French Police Had The Right Idea

          "Pretty much all modern linux environments support an in place upgrade to a new major release"

          Redhat / CentOS don't for a start....

      3. Steven Raith

        Re: French Police Had The Right Idea

        ".And then of course major upgrades in Linux don't normally support in place updates, but require a full rebuild..."

        Examples or GTFO.

      4. Anonymous Coward
        Anonymous Coward

        Re: Linux support for in place updates

        Linux distros have supported "in place major updates" for many years. Please check facts before posting.

      5. Anonymous Coward
        Stop

        Re: French Police Had The Right Idea

        "And then of course major upgrades in Linux don't normally support in place updates, but require a full rebuild"

        Save your ignorant uninformed bullshit for the DailyFail, most reg readers are competent across more than one OS and you have only succeeded in making yourself look like either a fanboy, shill, incompetent fool or possibly all three.

        1. Anonymous Coward
          Anonymous Coward

          Re: French Police Had The Right Idea

          Save yours:

          http://serverfault.com/questions/449048/why-is-it-so-difficult-to-upgrade-between-major-versions-of-red-hat-and-centos

      6. josteink
        FAIL

        Re: French Police Had The Right Idea

        "And then of course major upgrades in Linux don't normally support in place updates, but require a full rebuild..."

        Care to back up that statement with ... anything at all? While your comment in general seems to be mostly FUD, that part seems to be entirely fictional, wrong and actually 100% backwards.

        Of course Linux-based systems support in-place updates and upgrades. And they usually do so much better than Windows, since the default on Linux isn't that a single file lock can cripple the rest of the OS.

        On Windows, however, you are almost always forced to reboot the computer after applying updates because file locks prevent the updates from being done in place. Have a few Adobe or VMware updates and you will be cursing your computer for the reboot-fest it just became.

        TLDR: I think you got your address wrong.

        1. This post has been deleted by its author

        2. Davidoff
          FAIL

          Of course Linux-based systems support in-place updates and upgrades.

          "Of course Linux-based systems support in-place updates and upgrades. And they usually do so much better than Windows, since the default on Linux isn't that a single file lock can cripple the rest of the OS."

          Yes, Linux supports upgrades, and for individual programs it usually works fine. However, quite often upgrading a distro to the next version doesn't go smoothly and in the worst case results in an unbootable system. And don't start about upgrades 'jumping' over multiple versions. It's certainly not less painful than on Windows, where OS upgrades usually just result in a slower system. I've seen many OS installations that started their life as NT 4 and have been subsequently upgraded to W2k, XP, Vista and W7. On Linux, at least one of the upgrades does fail miserably.

          "On Windows, however, you are almost always forced to reboot the computer after applying updates because file locks prevent the updates from being done in place. Have a few Adobe or VMware updates and you will be cursing your computer for the reboot-fest it just became."

          That's mostly nonsense (and I can't remember when the last time was that an Adobe update required a reboot; I guess that must have been back in the Windows 98 days. And VMware, oh well...). Windows has supported inline updates (no reboot required) for a very long time, and since Vista many of the few cases where a reboot was previously still required have been made reboot-free.

          The simple reason why many installers ask you to reboot is because the developer of that piece of software for some reason believes that a reboot would be a good thing. In some cases this is justified, but in many cases it's just down to a poor understanding of how modern day Windows works.

        3. Anonymous Coward
          Anonymous Coward

          Re: French Police Had The Right Idea

          This is a red herring anyway. In 20 years in IT, I've never worked at a major company that does in-place upgrades, even if they are available. For servers you don't upgrade production servers; you co-ordinate your server hardware and software upgrades so that you can bring the new service up on the new OS/hardware and seamlessly fail over once testing is complete. With desktops, having a line in the sand where you rebuild everything from scratch is a good thing: it means that you know all your workstations are at a base level, nobody has any exotic configurations or dodgy non-approved software which has somehow been installed, and it's all easier to support. Workstation rollouts I've worked with tend to be either pulled by someone at the desk doing a PXE boot or pushed from a management console. Either way, they will be run by a dedicated build script or workstation image, supplied from a build server. This goes for Linux as much as it goes for Windows.

    2. Anonymous Coward
      Anonymous Coward

      Re: French Police Had The Right Idea

      If you read the document, they started in 2004. So 9 years and not even half way there.

      The TCO is compared against their decentralised legacy environment - not an equivalent centralised, managed one.

      The cost savings would almost certainly have been higher if they had migrated to Windows 7. Hence why near zero enterprises make such a choice - only government departments who can't afford the best IT executives, and who can persuade politicians with short term headline 'savings' regardless of the eventual real cost.

    3. Velv

      Re: French Police Had The Right Idea

      It doesn't matter which OS you choose, you need to maintain your estate.

      The realities are that it will cost roughly the same per user no matter which OS you choose, especially if you are in any form of regulated industry.

      1. Anonymous Coward
        Anonymous Coward

        Re: French Police Had The Right Idea @velv

        Have you seen the recent price increases in CAL licences ?

        1. Anonymous Coward
          Anonymous Coward

          Re: French Police Had The Right Idea @velv

          "Have you seen the recent price increases in CAL licences ?"

          CALs went up 15% - which is not far off the rate of inflation since the last increase.

          nb - Licences are a very small percentage of the TCO.

          1. Anonymous Coward
            Anonymous Coward

            Re: French Police Had The Right Idea @velv

            "CALs went up 15% - which is not far off the rate of inflation since the last increase"

            And these Microsoft products contain ever increasing amounts of functionality.

            And users are now often using multiple devices, so the cost of per user CALs reflects this....

            1. Anonymous Coward
              Anonymous Coward

              Re: French Police Had The Right Idea @AC 9.02

              WTF ?

              "CALs went up 15% - which is not far off the rate of inflation since the last increase"

              Bullshit !

              I don't know what country you are in but for the UK it was 25% followed by 15%.

              http://www.computing.co.uk/ctg/news/2228415/microsoft-to-increase-licence-costs-from-december-1

              You are either a MS channel sales rep spinning a FUD or a badly informed MCSE who doesn't sign the licensing cheques.

      2. Anonymous Coward
        Anonymous Coward

        Re: French Police Had The Right Idea

        "The realities are that it will cost roughly the same per user no matter which OS you choose"

        + cost of 72,000 desktop migration

        + cost of replatforming everything that they use

        + cost of supporting 2 environments for ~ a decade

        = Seems highly unlikely the TCO claims made are valid!

    4. Roland6 Silver badge

      Re: French Police Had The Right Idea

      Missing the point: Linux/open source doesn't solve the support and upgrade problem. For example, systems running Ubuntu 8.04 LTS are now out of support as far as Canonical are concerned, so the typical enterprise running these systems is in a similar situation to those running XP...

      1. Steve Davies 3 Silver badge

        Re: French Police Had The Right Idea

        Any company that uses Ubuntu LTS is mad. They have pretty short support periods.

        If you want proper long term support then RHEL or SLES is the way to go. Red Hat support their OS releases for 10 years. Is that good enough for you?

        1. Cliff

          Re: French Police Had The Right Idea

          Steve Davis 3

          You're right, some Linux builds have long term support and 10 years is admirable. Outside that, though, the upgrade costs are broadly similar to any other OS, so aside from the initial licence purchase vs support contract the savings may be slight. Especially if MS offer 40% more years of support as they have with XP!

          I like Linux, not so much for the OS itself but for the fact it creates an alternative and prevents monopoly abuse. Were it not for FOSS I reckon many of our much-used proprietary software would be (more?) under-developed and price-gouging, it benefits everyone.

    5. Mad Chaz

      Re: French Police Had The Right Idea

      You need to brush up on your Linux. Almost all major distributions now support in-place upgrade. The rest no longer have a release cycle; they just keep all the software updated all the time, meaning there is actually no "big upgrade" to do. The rolling upgrade on a lot of them is actually rather awesome. They just need to update the install media every now and then.

      1. Anonymous Coward
        Anonymous Coward

        Re: French Police Had The Right Idea

        No they don't

        http://serverfault.com/questions/449048/why-is-it-so-difficult-to-upgrade-between-major-versions-of-red-hat-and-centos

  2. ecofeco Silver badge
    Facepalm

    It ain't that damn hard

    It really isn't. I've migrated literally thousands of desktops from XP to Win 7 for Very Large Companies and it ain't that hard. Or expensive. We did it all with in-house employees and it did NOT cost millions of dollars.

    And good server admins can do the same.

    Got specialized software you need to run but is no longer compatible with Win 7 or Server 2010. Update you lazy git! You should have done so years ago.

    1. Magnus_Pym

      Re: It ain't that damn hard

      "Or expensive"

      Got any figures?

      1. ecofeco Silver badge

        Re: It ain't that damn hard

        Got any figures?

        4 people in deskside support - $2800 per week.

        Per seat license for Win 7 - negotiate per company - avg $50 - X 5000

        Conversion time - 3-6 month by attrition or 3 months dedicated project. Actual execution usually a combination. But let's go with the 3 month. $33600 labor.

        No new hardware required (despite the myth, Win7 runs just fine on dual cores w 4mb of RAM)

        33600 = labor

        250000 = license

        586000 = total for users conversion

        Server side

        Office 2010 suite - again negotiable by company - approx $3000 per module, but usually only Exchange.

        Labor - 1-3 server admins at approx $4000 per week again 3 month to convert.

        Server 2010 Enterprise approx $45000 per processor - at my companies there were no less than 10 main servers running 8+ cores each or 80 cores. - $3,000,000

        Now here's where it gets a little more complicated: the 3 million is NOT paid all at once. Usually it's paid over several years. So there will be 2 sets of figures. One is not known and the other is just total. Payment plans are as proprietary as they come and it will be years before I can say anything in public even hypothetically.

        So:

        48,000 = labor

        3000 - Exchange license

        3,000,000 = server license

        3,051,000 = total

        - X payment plan

        Grand total for 3 month dedicated conversion - $3,700,000 (rounded)

        Minus X payment plans over X years.

        In other words, upfront capital isn't that much. Mostly in labor and first payments for licenses.

        Does that answer your question? You can send the consulting check to this email.

        (all figures are approx avg as each company can negotiate its own costs)

        1. Peter Gathercole Silver badge

          Re: It ain't that damn hard - Ummm

          From your figures, it looks like the estate you are using is 3000 seats. So. $3,700,000/3000 gives us, um, $1,233 (rounded) per seat. You really think this is not a lot?

          Even if you do have a payment plan (and I'm betting that Microsoft would prefer a subscription plan rather than a deferred payment plan), that is still loading the business with costs that they may not have if they opted to stick with XP.

          And the majority of those costs are in license fees, which you may not have if you can find an open-source solution that is adequate.

          You've also not factored in any testing, specific business related software costs, or loss of productivity or training costs. If you are doing 3000 seats over a 6 month period, that's 500 a month, or about 25 a day (assuming that you're doing most of the estate during the working week). That's a tall order for 1-3 admins, even assuming you do across the network upgrades in place (which is disruptive to the users). Of course, if you have a homogeneous estate, you could do a replace, upgrade, replace rolling operation which is less disruptive to users, but you will need spare kit to do that, and will need the time to physically move the kit around..

          Your earlier comment about a dual-core system with 4GB of memory is interesting. I'm sure that many, many business users of XP will have the majority of their estate running on P4 systems running with <2GB of memory. Places like call-centres do not regularly replace working systems, and the demands of filling in screen forms is such that you don't need much oomph.

          For those users, dropping new kit in may not only be essential, but possibly cheaper as well.

        2. spudmasterflex

          Re: It ain't that damn hard

          No new hardware required (despite the myth, Win7 runs just fine on dual cores w 4mb of RAM)

          Wow, I wish my machine had 4mb of RAM rather than 4GB (should also have been 4MB, not mb)

          1. ecofeco Silver badge

            Re: It ain't that damn hard

            4GB. Sorry about the typo.

            I'm well aware that many places are still using very old PCs/laptops, however, the article talks about banks, not SMBs, so I addressed that scale. Banks are notoriously skinflint cheap, but they are NOT broke or struggling and easily have the capital to upgrade.

            Perhaps I didn't post clearly and for that apologize, but the up front costs are not that much and the final total is certainly a hell of a lot cheaper than a million dollar security breach, which is what you count on having if you stay with XP and again, what this article addresses.

            As for the nay-saying in general, where I live, companies of all sizes are upgrading to newer PCs and Win7 every single day and ditching XP as fast as they can. By the thousands.

    2. Alan W. Rateliff, II
      Paris Hilton

      Re: It ain't that damn hard

      "Got specialized software you need to run but is no longer compatible with Win 7 or Server 2010. Update you lazy git! You should have done so years ago"

      Unless you are using software which *is* prohibitively expensive to upgrade, was made by a vendor no longer in existence but who promised it would be around forever, was bought by a new company who has made the software a shadow of its former self, or moving data to a new program is a prohibitive expense (if possible at all) on top of the extortion charged for the new software.

      I have seen all scenarios above. As well as a perpetual license which turned out to not be so perpetual.

      That said, I have had great success in running old software in compatibility mode, Windows 7 XP mode, or just plain Virtual PC. It took some time, fumbling around, obscure forum searches and link resurrection, and a smidgeon of intuition, but I have not yet been unable to move a program to Windows 7 or Server 2008R2. Not to say doing so is always possible, I just have not failed, yet, and it is worth a try every time. Yet *sigh*

  3. Roger Greenwood

    Incremental upgrades . . .

    . . . tend to provide no business or operational benefit, just increase the risk in delicate systems. It may not be ideal, but that is reality for many. Hence hitting a brick wall now and then.

    1. Intractable Potsherd

      Re: Incremental upgrades . . .

      The key part of the article to me is:

      "McFadyen said that businesses are often understandably reluctant to move away from using legacy IT systems due to ... [s]ystem reliability, business continuity and the fact that most security vulnerabilities for the technology may already have been flushed out and resolved ... "

      Being forced to upgrade a system that works perfectly well, and would continue to do so if not for a decision made by another company with an effective monopoly for no other reason than to make more money out of its chattel slaves customers, is not good. At the end of the day, we, the individuals dependent on the companies being blackmailed by the regulators acting on behalf of the monopoly, are going to suffer, because systems that have worked for years are going to be farted about with. It isn't as if we haven't seen what happens when banks change systems, is it?

      Make sure you have a store of cash in the house enough to see you through a week's living expenses.

  4. vagabondo
    Childcatcher

    Microsoft -- Security?

    And what history does Microsoft have in providing and maintaining secure software? What credible reassurances are provided by Microsoft support?

    Who prompted the FFIEC to issue this warning?

    1. Anonymous Coward
      Anonymous Coward

      Re: Microsoft -- Security?

      "And what history does Microsoft have in providing and maintaining secure software"

      A better history than enterprise desktop Linux distributions every year without exception since 2004....fewer vulnerabilities, and fewer critical vulnerabilities that on average were fixed faster (fewer days at risk)

      "What credible reassurances are provided by Microsoft support?"

      A full published support road map for all products - for instance XP will have been supported for circa 13 years by the time it is retired - and paid support is still an option after that.....

      1. Anonymous Coward
        Anonymous Coward

        Re: Microsoft -- Security?

        State your source...

        I almost never hear of a real vulnerability in Linux, i.e. one that can be exploited remotely, yet with Windows it is normal to hear of this kind of exploit..

        I am serious though, i would love to see a comparison between the two...

        The advantage with Linux IS that it's open source, i.e. if a vendor stops supporting your version, for large companies you could hire a couple of developers to keep the distro you use updated with the latest patches, and that would be a damn sight cheaper than yearly licenses from Microsoft..

        That is why I don't get the UK gov using Windows; it would have made sense very early on to hire their own bods to maintain their own Linux distro... What's a good Linux developer get paid as a permie? £70k I would guess by the offers I've turned down, so for £1million a year, peanuts for the gov, you could have a team of 10 on your distro with plenty left over for office and hardware.. Sure, finding tech support is harder, i.e. they NEED to be tech monkeys on the end of the phone, not script monkeys (by script I mean read from a script)

        1. Anonymous Coward
          Anonymous Coward

          Re: Microsoft -- Security?

          "State your source..."

          Here is an example for you:

          http://www.zone-h.org/news/id/4737

          Linux is much easier to attack remotely (yes I am allowing for market share)

          The vast majority of Windows 'exploits' rely on stupid activities by users with admin rights.

          "you could hire a couple of developers to keep the distro you use updated with the latest patches, and that would be a damn sight cheaper than yearly licenses from Microsoft.."

          Sounds like COBOL all over again to me, lots of custom crap that can't be integrated or migrated that hangs around for decades and eventually costs zillions....

          "I don't get the UK gov using Windows"

          It's substantially cheaper when you look at the big picture.

          1. Anonymous Coward
            Anonymous Coward

            Re: Microsoft -- Security?

            Here are a few more examples dating back to when Microsoft put security as #1 priority:

            http://news.techworld.com/security/1329/forrester-questions-linux-security/

            http://technet.microsoft.com/en-us/library/cc512608.aspx

            http://blogs.technet.com/b/security/archive/2006/10/19/windows-vs-linux-workstation-comparison-q3-2006.aspx

            http://blogs.technet.com/b/security/archive/2006/07/14/441673.aspx

            1. Steve Davies 3 Silver badge

              Re: Microsoft -- Security?

              Strange that three of those links are to a MICROSOFT Site!!!!!! Doh!

            2. vagabondo
              Joke

              Re: Microsoft -- Security?

              Posted by Anonymous Coward Monday 14th October 2013 09:12 GMT

              > when Microsoft put security as #1 priority::

              Did you forget this icon?

          2. Roo

            Re: Microsoft -- Security?

            "Linux is much easier to attack remotely (yes I am allowing for market share)"

            How exactly are you allowing for market share ?

            "Sounds like COBOL all over again to me, lots of custom crap that can't be integrated or migrated that hangs around for decades and eventually costs zillions...."

            Well there's a coincidence, that is exactly what I see every day with Windows applications. Case in point migrating an Excel spreadsheet to a Grid. The alternative was to write a proper app for the grid that did the job properly, but it was considered easier to move the spreadsheet to the compute Grid because the grid vendor and Microsoft had done lots of whitepapers saying it was possible and they were both more than happy to support this configuration.

            Needless to say it didn't work because it turned out that Microsoft were wrong about Excel, it really doesn't like running > 1 copy on a machine and it would fail on about 20% of the invocations with an infinite loop. Microsoft dropped support for that configuration, and the customer hacked up a config that would limit one copy of Excel to a grid node thereby reducing their aggregate compute capacity by a factor of 8.

            So yeah, "crap" that "can't be integrated" or "migrated" and hangs around for years is a problem the closed source folks have too. In fact it's more of a problem because if a vendor decides it can't be arsed to support its own software you are pretty much SOL.

          3. Anonymous Coward
            Anonymous Coward

            Re: Microsoft -- Security?

            "Linux is much easier to attack remotely (yes I am allowing for market share)"

            FAIL. Read your own article. They are discussing website defacements, which involve multiple attack vectors, most notably poor website code and web hosting security gaffes, as mentioned in the article. Combined with the fact that Linux is the most used website hosting platform, it's no surprise that the label "Linux" is attached to this statistic.

            You've just produced a standard case of abusing statistics to support a skewed point of view.

            1. Anonymous Coward
              Anonymous Coward

              Re: Microsoft -- Security?

              "FAIL. Read your own article"

              If YOU bother to read it, you will find that it shows that you are several times more likely to be remotely hacked if you run Linux than Windows - even after adjusting for market share (as per Netcraft)

              It also states that the most common exploit used is a Linux kernel vulnerability.....

              1. Anonymous Coward
                Anonymous Coward

                Re: Microsoft -- Security?

                "If YOU bother to read it, you will find that it shows that you are several times more likely to be remotely hacked if you run Linux than Windows"

                So I read it and it said :- ( and this is YOUR ref remember )

                "we consider the fact that last year brought a very high number of the LOCAL linux kernel exploits."

                Your usual method of chaining one 'fact' to another to make a story.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Microsoft -- Security?

                  "So I read it and it said :- ( and this is YOUR ref remember )

                  ""we consider the fact that last year brought a very high number of the LOCAL linux kernel exploits.""

                  Of defaced webservers? Use your brain. It's semantics - these were remote exploits.

              2. Chemist

                Re: Microsoft -- Security?

                Now if you really want remote kernel vulns.

                As reported in The Reg recently

                http://www.theregister.co.uk/2013/10/09/patch_tuesday_double_ie_trouble/

                "The critical MS13-081 update addresses seven vulnerabilities in the Windows kernel, including problems in font handling, and can be triggered remotely through malicious web pages and maliciously formatted Office documents"

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Microsoft -- Security?

                  "Now if you really want remote kernel vulns."

                  "can be triggered remotely through malicious web pages and maliciously formatted Office documents"

                  So not remote then....require local USER interaction....

      2. Tim99 Silver badge
        Meh

        Re: Microsoft -- Security?

        @AC 08:48

        A full published support road map for all products - for instance XP will have been supported for circa 13 years by the time it is retired - and paid support is still an option after that.....

        I used to write software for XP. In quite a lot of instances there was not a lot of similarity between the original XP and XP SP1, SP2 and SP3.

        I note that, so far, there are about 12 fairly extreme posts from ACs for Windows compared to about half that number biased towards Linux. A cynical person might suspect that astroturfers and shills are busy...

  5. Velv

    Scaremongering by journalists and spin doctors.

    PCI, DPA, FCA, PRA, SEC, etc will NOT be issuing fines to companies who have demonstrated a good approach to securing their estate.

    Mainstream and Extended (aka FREE) support will end April 2014. Microsoft have published the prices for Special Support, and therefore ALL users have the OPTION to maintain a supported estate (although they might not have the budget).

    Yes, get rid of XP as soon as you can. But you are more likely to be fined for fucking up a rushed rollout than doing a rollout in a controlled manner.
