THOUSANDS of UK.gov Win XP PCs to face April hacker storm... including boxes at TAXMAN, NHS

Thousands of PCs at Britain’s biggest public sector bodies will miss Microsoft’s April deadline to abandon Windows XP before open season for hackers begins. HMRC and the NHS in England and Scotland will still be running thousands of systems using Windows XP after Microsoft turns off the support lifeline on 8 April. HMRC has …

COMMENTS

  1. Elmer Phud

    More time needed?

    It's not as if they didn't know -- but planning more than a couple of months ahead would never get the budget as it's not a politician's knee-trembler of instant gratification.

    In the meantime, while little work is done, huge teams of people generating excuses and finding ways to blame others are hard at work (and expecting bonuses).

  2. Anonymous Coward

    IE8?

    Migrating from XP to 7 makes sense when you are a MS-shop, but why IE8?

    Why not use the chance to at least go to IE9 or later?

    1. John Smith 19

      Re: IE8?

      "Migrating from XP to 7 makes sense when you are a MS-shop, but why IE8?

      Why not use the chance to at least go to IE9 or later?"

      Because you've probably bought the whole MS package and run all your server systems on IIS and your developers coded lots of MS specific stuff and now you can't get rid of the crap.

    2. Anonymous Coward

      Re: IE8?

      IE8 would be a dream - recently I was working with "certain government departments" who refused to move off IE6 as it was too much of a headache to run an update program and get it CESG approved.

      Ultimately it's not that big a deal if the PCs are never allowed on the internet (and restricted environments generally are not), and the multiple layers of firewalls are all configured properly.

      1. John Smith 19

        AC@10:49

        "Ultimately it's not that big a deal if the PCs are never allowed on the internet (and restricted environments generally are not), and the multiple layers of firewalls are all configured properly."

        Wasn't it the "multiple layers of firewalls" not being configured properly that let McKinnon into the DoD?

        And that was an organisation that makes annoying people its business.

        1. Anonymous Coward

          Re: AC@10:49

          I couldn't possibly comment on that particular event - but (and this is purely conjecture) if some bunch of idle slackers had done the job that they are paid very well for then it would not have happened.

      2. Anonymous Coward

        Re: IE8?

        Except that a big thing in HMRC a year or two back was the roll out of internet access at all desktops on the standard network.

        Try a lunchtime browsing session with IE6 though and you'll soon give up, or resort to trying m. as a prefix rather than www.

      3. Test Man

        Re: IE8?

        "Ultimately it's not that big a deal if the PCs are never allowed on the internet (and restricted environments generally are not), and the multiple layers of firewalls are all configured properly."

        Except a dodgy USB stick can render all of this moot.

        1. Number6

          Re: IE8?

          Except a dodgy USB stick can render all of this moot.

          In theory you can disable such things. Obviously someone didn't, or at least not properly.

  3. localzuk

    The XP cut off date has been known for *years*. Windows 7 has been replaced since, and is very stable (and was even 2 years ago).

    So, why are these agencies all scrabbling around now, likely to miss the date?

    1. Neil Alexander

      Because IT departments are lazy and rely too much on the "If it ain't broke, don't fix it" mantra.

      1. ukgnome

        @Neil Alexander

        "Because IT departments are lazy and rely too much on the "If it ain't broke, don't fix it" mantra"

        I don't think that's true, it's more often the case that the clients think they know better. Or as is happening in my organisation, a complete lack of upgrading key systems because the cost is quite staggering. It's cheaper to pay for a few more desktop technicians who can hold the hands of users as they reboot their PC.

      2. Anonymous Coward

        @ Neil Alexander

        That's a very big brush you're using there. Whilst it may be true in some cases, as someone working in NHS IT and seeing this first hand, it's more likely to be a case of legacy applications that have been sourced by individual departments within trusts, without consultation with the IT Departments, that the IT Department are then expected to support after the fact, coupled with ridiculously tight budgets and cost cutting that mean that IT Departments are running with approximately 50% of the staffing levels needed to properly deal with day to day running, roll out, and projects.

        Migrating approx 4.5k PCs (in my trust's case) from XP to Win7 takes time and resource that, simply put, hasn't been made available to us because the trust board don't see it as a priority, despite continued and ongoing warnings from our department of the risks involved.

        AC for obvious reasons.

        1. davefb

          Recently saw an example. OH was getting hearing aids and the app to set these up was on a windows xp machine.

          Now, I'd assume the NHS is at the whim of the supplier and new software for something like that isn't going to be cheap. It certainly wasn't a very simple piece of software either.

          And the PC it was running on didn't look like it would run Win7 anyway, so probably would have needed replacing as well.

      3. WonkoTheSane

        @Neil Alexander

        "Because beancounters are lazy and rely too much on the "If it ain't broke, we ain't paying for it." mantra."

        FTFY

        1. Don Dumb

          Re: @Neil Alexander

          It's not just the beancounters though - "I'm sorry Mrs Smith, you can't have your pacemaker because we are paying for an upgrade to the computer system"

          Imagine what that would do when Mrs Smith goes to the press - the trusts have difficult decisions to make, especially when their budgets are getting cut.

      4. tin 2

        they're also too busy answering stupid FOI requests from people wanting to write exclusive news stories.

        1. Anonymous Coward

          Having recently worked in several large banks I can say that it is the same story there. To be fair they were also running XP installations which hadn't been patched for several years and so were relying on firewalls and anti-virus software to protect them.... which it seemed to be doing as none of them had had any problems they were admitting to.

          I suspect that the chant of "upgrade by April or you'll all die" may be an example of a boy crying "wolf".

          1. micheal

            "upgrade by April or you'll all die"

            From the same people who made millions from the "Millennium Bug" scare about planes dropping from the sky, trains crashing and world disorder

            1. Pookietoo

              Re: "upgrade by April or you'll all die"

              I can't help thinking that some of those responsible for (not) funding the migration think it'll be the same as Y2K - lots of hype and a damp squib of an event. Only time will tell if they're right ...

              1. lorisarvendu

                Re: "upgrade by April or you'll all die"

                "I can't help thinking that some of those responsible for (not) funding the migration think it'll be the same as Y2K - lots of hype and a damp squib of an event. Only time will tell if they're right ..."

                Not true, at least not in our organisation, where we audited every single PC for Y2K compliance, updated the BIOS of those that we could, scrapped and replaced what we couldn't. We were then accused of hype because nothing happened. But nothing happened because we had fixed it. Y2K was a Lose-Lose for IT Departments, so let's hope April 2014 won't be another.

                It won't be at our place, because we've completed our 2-year migration to W7. But then we're funded by HEFCE so we could afford it.

            2. Anonymous Coward

              Re: "upgrade by April or you'll all die"

              You're absolutely right, nothing will happen in April.

              The circle jerk people are down voting but come April they will say they thought nothing would happen all along.

            3. Anonymous Coward

              Re: "upgrade by April or you'll all die"

              "From the same people who made millions from the "Millennium Bug" scare about planes dropping from the sky, trains crashing and world disorder"

              I think you'll find the people who made money from scaring people about Y2K were the media. Those of us in IT didn't have time for that - we were too busy patching software to fix it. But if you want to believe Y2K didn't exist, I won't waste my breath on you.

              And as for "upgrade by April or you'll all die", that's your hyperbole. There will be issues, you can be sure of that.

      5. Number6

        Because IT departments are lazy and rely too much on the "If it ain't broke, don't fix it" mantra.

        Or (b) the IT department highlighted this a couple of years ago but no one gave them the budget to actually do anything about it.

      6. Anonymous Coward

        Because IT departments put in the budget for the upgrade each year for the past 4 years. Each time it was declined because of lack of funding, driven by central government spending cuts.

        IT do what has to be done. But even they can't just do it for free.

        Edit: Oops. What he said above me :)

      7. Anonymous Coward

        "If it ain't broke, don't fix it"

        It's not likely to have run out of money. Or did you mean 'broken'?

    2. Anonymous Coward

      "So, why are these agencies all scrabbling around now, likely to miss the date?"

      Because regardless what happens, nobody will be held to account. No sackings, no demotions, no personal fines or liability. If the local hospital get fined (eg, as they often do for DPA) what does that matter? It's only a budget transfer from one public sector body to another.

      This attitude is to be expected in the NHS, given that the politicians and civil servants demonstrate leadership like appointing as NHS chief executive David Nicholson, one of those overseeing the criminal shambles at Stafford Hospital. Indeed, the c**t got a knighthood after his culpability for that was known. This demonstrates that the NHS does not discriminate on the grounds of ability, and if that's the shadow of the leader, you can be fairly sure the rest of the organisation is run on a similar basis.

    3. Roland6

      Re: So, why are these agencies all scrabbling around now...

      From the article no evidence is presented to indicate that these agencies are "scrabbling around".

      Desktop upgrade/refresh outside of the single user/home environment are non-trivial - unless you like living by the seat of your pants and don't really care about your reputation or the reputation of the organisation you work for...

      Remember it is highly unlikely that either HMRC or NHS Scotland are using vanilla Windows; doing the leg work necessary to securely lock windows down and to prove that it is secure and to test that all enterprise applications and systems work and are accessible takes time, particularly if you are also having to wait on vendors to upgrade their products...

      In either case it is unlikely that the systems being referred to are not locked down and have: unrestricted internet access, unfiltered email etc. and reside on unmanaged networks, hence "missing the date" isn't the big issue many headless chickens make it out to be.

  4. sysconfig

    "NHS Scotland has 3,603 PCs with 3,537 on Windows XP and the same number on IE6."

    "NHS Scotland beginning its shift relatively late, in July 2013."

    So that's 66 PCs updated in 6 months, or 11 per month on average. (IF the 66 PCs were running XP and not another OS.) They want to be over and done with it in the third quarter? Right, not at that pace. Or they meant Q3 sometime in the 22nd century.

    They might want to check out CyberStreet (see other El Reg article). Seems they can learn a few bits and pieces there.

    1. Anonymous Coward

      So that's 66 PCs updated in 6 months, or 11 per month on average. (IF the 66 PCs were running XP and not another OS.) They want to be over and done with it in the third quarter? Right, not at that pace. Or they meant Q3 sometime in the 22nd century.

      Or as is a more likely case, that's 1 or 2 computers in each critical department so that applications can be tested ready for a mass migration once that is complete.

      or even better NHS local gov all $hit bunch of idle fekkers don't know what they are doing etc etc etc

      1. Peter2

        Or alternately, "the NHS" (which is btw not one organisation, the NHS is best thought of as a billing structure as every county and a lot of hospitals has its own NHS trust/organisation with its own CEO making its own decisions) has a wide range of suppliers for various bits of equipment. Like pacemakers, AEDs and all sorts of things that occasionally need interaction with a PC for diagnostics or the like.

        Unfortunately, some of those companies have had the temerity to dare to go out of business without the NHS's permission since their extremely reliable equipment which lasts a lifetime (sometimes all too literally) relies on the software which came with it, which is no longer produced or updated.

        The approaches to problem detection advocated by some kids based on "I just install it at home and see what doesn't work" is excessively dangerous when dealing with things that absolutely have to work or somebody dies. "The installer ran..." is not good enough. You have to document every facet of the program as working correctly. Do you have any idea how expensive that is for high hundreds to low thousands of programs?

        This added to the fact that the cost of replacing some equipment needing the PC interface is actually roughly equivalent to the salary costs of the staff using the equipment over the course of their entire career may go some way to explaining why there are still XP/9x boxes around.

  5. Anonymous Coward

    FUD

    "yet users will continue to be allowed to access the internet from their vulnerable Windows XP machines and using IE6.

    That means users could come under attack with no defence from Microsoft."

    This is just FUD-ing. All those machines are almost certainly behind a firewall that implements layer 7 filtering, which means that the chances of an actual threat reaching the XP machine itself is negligible.

    And there's a reason why things are set up that way - directly exposed Windows machines cannot be trusted to not be exploitable even when fully patched, so other counter-measures are put in - which in turn make the patch level of the Windows machines themselves rather less relevant, other than for panic-mongering headlines.

    1. Anonymous Coward

      The Elephant in the Firewall

      That is assuming that staff with laptops aren't allowed to take them off-site - a situation that is far too common.

      One infected laptop brought back on a network and all your external firewalls come to naught.

      Anonymous because ... well, let's just say I'm one of those who'll be holding the dustpan.

      1. Anonymous Coward

        Re: The Elephant in the Firewall @AC 11:24

        "That is assuming that staff with laptops aren't allowed to take them off-site - a situation that is far too common."

        Generally the point of a laptop as far as I'm aware. I remember someone bemoaning getting a laptop years back. While most saw them as symbols of their importance, he twigged that he'd be expected to do a load of work off the clock at home ...

        "One infected laptop brought back on a network and all your external firewalls come to naught."

        That's more of a cultural failing in the organisation than anything else, though.

        1. Matt 21

          Re: The Elephant in the Firewall @AC 11:24

          I haven't worked anywhere for years where the laptops weren't protected with various things such as anti-virus software, firewalls etc; so that they could be safe while off-site.

          Thinking about it the last time I saw a problem caused by an infected work laptop was almost ten years ago.

        2. Number6

          Re: The Elephant in the Firewall @AC 11:24

          I've been given a laptop at my new job. It's lived on my desk apart from a couple of visits to the lab. I see no need to bring it home.

    2. Test Man

      Re: FUD

      "This is just FUD-ing. All those machines are almost certainly behind a firewall that implements layer 7 filtering, which means that the chances of an actual threat reaching the XP machine itself is negligible."

      Actually, THIS is FUD-ing, as a dodgy USB stick/external HDD/whatever can still render the machine unusable (and it has happened).

      Anti-virus software isn't going to help if it's a vulnerability that the software doesn't know how to catch yet (which has happened too!).

      1. Matt 21

        Re: FUD

        ...but all of those are issues (or not) which apply equally to any version of Windows or any other OS.

      2. Anonymous Coward

        Re: FUD

        @Test Man:

        "Anti-virus software isn't going to help if it's a vulnerability that the software doesn't know how to catch yet (which has happened too!)."

        Those are generally known as 0-day exploits, and as such they will equally penetrate a fully patched OS, so the example is completely bogus. More FUD.
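
Number6 (reply under comment 2) says the USB route "in theory" can be disabled, and Test Man (comment 5) makes the point that a dodgy USB stick or external disk bypasses the firewall argument altogether. As an added example, not code from the article or from any commenter, here is the PowerShell an administrator would run to audit, and with -Enforce to apply, the four registry controls that close that route on a Windows XP or Windows 7 client. The registry paths and values are Microsoft's documented ones; the function names and the -Enforce switch are this example's own, and it assumes an elevated session on a standalone or test machine (on a domain-joined box the same settings belong in a GPO, and policy refresh overrides conflicting local values).

```powershell
# Added example (not from the article or any commenter): audit, and
# optionally enforce, the registry controls that stop a "dodgy USB stick"
# from mounting or auto-running on a Windows XP / 7 client.
# Assumptions: elevated PowerShell session (2.0 or later); standalone or
# test machine, since Group Policy will overwrite conflicting local values.
param([switch]$Enforce)   # audit only by default

$Controls = @(
    @{  # Stops the USB mass-storage driver loading at all (Start=4 = disabled). XP and later.
        Name = 'USBSTOR driver disabled'
        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
        Value = 'Start'; Type = 'DWord'; Expected = 4 },
    @{  # "Removable Disks: Deny all access" policy (Vista/7 and later; XP ignores this key).
        Name = 'Removable disks denied by policy'
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
        Value = 'Deny_All'; Type = 'DWord'; Expected = 1 },
    @{  # AutoRun off for every drive type (0xFF = 255), so autorun.inf is not honoured.
        Name = 'AutoRun disabled for all drive types'
        Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value = 'NoDriveTypeAutoRun'; Type = 'DWord'; Expected = 255 },
    @{  # Defence in depth for XP: map autorun.inf to a registry key that does not
        # exist, so Explorer never reads the file's contents whatever the policy says.
        Name = 'autorun.inf neutered via IniFileMapping'
        Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
        Value = '(default)'; Type = 'String'; Expected = '@SYS:DoesNotExist' }
)

function Get-RemovableMediaControlStatus {
    # One object per control: the value set now, the value it should be, and whether they match.
    foreach ($c in $Controls) {
        $current = $null
        if (Test-Path -LiteralPath $c.Path) {
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($c.Value) }
        }
        New-Object PSObject -Property @{
            Control   = $c.Name
            Current   = $current
            Expected  = $c.Expected
            Compliant = (($null -ne $current) -and ($current -eq $c.Expected))
            Path      = $c.Path
            Value     = $c.Value
            Type      = $c.Type
        }
    }
}

function Set-RemovableMediaControls {
    # Applies every non-compliant control. USBSTOR needs a reboot (or the device
    # re-plugged) to take effect; the Explorer policy needs a logoff/logon.
    foreach ($s in (Get-RemovableMediaControlStatus | Where-Object { -not $_.Compliant })) {
        if (-not (Test-Path -LiteralPath $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -LiteralPath $s.Path -Name $s.Value -Value $s.Expected `
                         -PropertyType $s.Type -Force | Out-Null
        Write-Host "Applied '$($s.Control)': $($s.Value) = $($s.Expected)"
    }
}

# Always report; only change the machine when asked to.
Get-RemovableMediaControlStatus | Format-Table Control, Current, Expected, Compliant -AutoSize
if ($Enforce) { Set-RemovableMediaControls }
```

Run it once without -Enforce to see which of the four controls are missing, then with -Enforce followed by a reboot. On XP the USBSTOR Start=4 entry is the one that actually blocks mass storage, because the RemovableStorageDevices policy key is only read by Vista and later; the IniFileMapping entry is the belt-and-braces item that stops autorun.inf being parsed even on machines whose AutoRun policy handling is not fully patched. Neither control stops a malicious device that presents itself as a keyboard or a network adapter, which is why the comments above about users and laptops still apply.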

  6. Anonymous Coward

    M$ is sure to blink first...

    ...and extend the XP support deadline for another year, at least.

    It's in their best interest unless they want to be responsible for generating the largest botnet known to man come April.

    1. Salts

      Re: M$ is sure to blink first...

      I am not a lover of Microsoft, but on this occasion I would have to say, why the F$%# should they even care, they have given more than enough notice and if you want support they are happy to offer it, you just have to pay.

      Not to mention if I was an MS shareholder I would be pissed off with them giving away another year of support, when they could and should be making money out of the people who could not get their act together in time.

      1. Anonymous Coward

        Re: M$ is sure to blink first...

        Perhaps businesses would be more willing to spend money on something worth upgrading to, as opposed to the abomination that is Windows 8?

    2. Piro

      Re: M$ is sure to blink first...

      I assume by "M dollar" you mean "Microsoft", so then, I'll start by disagreeing with you.

      I hope horrible things happen to all these internet connected XP machines.

  7. Crisp

    Management drag their heels on keeping tools up to date.

    And then blame everyone but themselves years later when those tools fail.

  8. Anonymous Coward

    What's the problem?

    I mean they can't be locked in to proprietary systems as they've had policies to protect against that since 2002 ...

  9. Anonymous Coward

    Run Kryten Smug-Mode

    No such problems here.

    1. Anonymous Coward

      Re: Run Kryten Smug-Mode

      Look, I'm a big Linux user and Linux fan, but you're not comparing apples with apples: Do Red Hat still support RHEL from 13 years ago? No. What you mean is that you can update for a while, then upgrade to the latest version, but I strongly suspect you don't have any formalised support.

      1. Hans 1

        Re: Run Kryten Smug-Mode

        Moot point, is XP pre-SP1 still supported by Microsoft? No. You have no ff'ing clue!

        1. If you have Linux, you have server interfaces with software standards in place. If you have software standards, you can upgrade Linux, like any other client - yes even windows- without a problem whenever you want. Ideally, you want browser-based or Java-based clients anyway, as it is less pain to go platform-independent.

        2. Linux does not require shitloads of resources to run, so any Pentium 4 will do perfectly fine, provided you put in 1 GB of RAM, which should at least be the case for the XP boxen as with less, they grind to a halt.

        3. Linux has not changed the ui much over the last 15 years

        Alternatives Window cleaners choose:

        1. Put Windows 7 on the boxen, WakeOnLan to boot every PC every weekday morning at 6 o'clock to make sure the login screen is there when the lusers come in at 7:30.

        2. Pay shitloads for new PCs ... so they can have Aero to boost productivity - fancy screensavers and shit ;-)

        1. Anonymous Coward

          Re: Run Kryten Smug-Mode

          "you have Linux, you have server interfaces with software standards in place. If you have software standards, you can upgrade Linux, like any other client - yes even windows- without a problem whenever you want. "

          So why then do several applications that run just fine for me on CentOS 5 not work at all on CentOS 6??

          Oh and it didn't support an in-place upgrade like a single version jump of Windows would have....I had to reinstall from scratch.....

          "Linux does not require shitloads of resources to run"

          Benchmarks show that current Windows versions outperform the latest Linux versions (like MINT) on the same hardware for key things like desktop graphics and large file transfers...At the low end, optimised Windows kernels like Windows Phone also outperform Linux based OSs optimised for similar environments like Android. So this is somewhat of a myth (from Windows 7 onwards anyway - Vista was a bloated mess granted).

          "Linux has not changed the ui much over the last 15 years"

          And it shows...

      2. Vic

        Re: Run Kryten Smug-Mode

        > Do Red Hat still support RHEL from 13 years ago

        EL5 and EL6 will be supported 13 years from rollout.

        EL3 and EL4 are only 10 years from Red Hat, but there are many third-party support operations who can sell you that extended support if you want it.

        Disclosure: Until very recently, I was one of those third-party suppliers.

        Vic.

        1. Anonymous Coward

          Re: Run Kryten Smug-Mode

          "EL5 and El6 will be supported 13 years from rollout."

          Security and other patches will only be provided as standard for ten years though - you have to pay extra after that. So still effectively 3 years behind what Microsoft offered with Windows XP....

          1. Vic

            Re: Run Kryten Smug-Mode

            > Security and other patches will only be provided as standard for ten years though

            It's GPL. All those patches will be available to all third parties for free.

            If you want them at zero cost, you might have to turn the handle yourself. But someone else will be doing all the hard work for you.

            Vic.

      3. yossarianuk

        Re: Run Kryten Smug-Mode

        Redhat support OS's for 10 years.

        Why the fuck would you want to run a desktop using 13 year old software anyway?

        If you run Debian or a variant of it you can generally safely upgrade to the next version anyway (why stick with a shitty old OS?)

    2. Anonymous Coward

      Re: Run Kryten Smug-Mode @rm -rf / 11:34

      "Run Kryten Smug-Mode

      No such problems here."

      Good for you. Have a lollipop.

      1. Anonymous Coward

        Re: Run Kryten Smug-Mode @AC 12:26

        Thanks for the lollipop.

    3. Anonymous Coward

      Re: Run Kryten Smug-Mode

      I share your smugness, though I'm somewhat confused. This is the same government that forced us local authorities, via Government Connect and so forth, to sort ourselves out, kill off our XP and so forth, yet now we hear that the central folk aren't practising what the preach!

      AC because... well... I still need to work, you know!

  10. websey

    I wonder how many lawsuits will come from this, IANAL but surely there is a law in the UK that would allow us to bring a class action suit against all these public agencies.

    As of April I am pretty sure that none of them would be able to hold up to a case in court where they have intentionally weakened their security by not upgrading systems and services.

    I am pretty sure there is a data protection angle that could be used

    1. Anonymous Coward

      The UK has no real equivalent to "class action", the best you can hope for is a slap on the wrists from some toothless regulator.

      The real problem with any such action is responsibility - those who make bad decisions (or no decision at all) will not be held to account, nor fired without a generous pension. The only ones to suffer would be patients due to even smaller budgets as a result.

  11. websey

    Or we could maybe for once get someone in public office who knows what the fuck they are going on about.

    1. Phil O'Sophical

      That would first require such a person to stand for public office, and we're not that stupid.

    2. Tim99

      @websey

      Or we could maybe for once get someone in public office who knows what the fuck they are going on about.

      In my experience in the public service if, by some mischance, a senior administrator type was placed in a position in which he had significant expertise he was quickly promoted out of the way...

    3. Anonymous Coward

      If they were competent and skilled without any notable social disabilities then they wouldn't be working in the public sector - they would be getting paid more money in the real world....

  12. Anonymous Coward

    HMRC XP machines

    Our XP machines were on a closed network not able to access the internet; we had a Windows 7 machine on a separate network for anything that wasn't Dev-related (bureaucracy, internet timewasting etc)

    In the article where it says x amount of machines can still access the internet with XP and IE6 is that inferred or is that stated by HMRC? Do they report how many of the 85k machines are internet-facing?

    Obviously I worked on the Dev-side which will be different than many other departments so I'm genuinely curious how it worked for everyone else

    Anon, natch

    1. Test Man

      Re: HMRC XP machines

      A PC can still catch viruses when not connected.

      1. Anonymous Coward

        Re: HMRC XP machines

        that wasn't the question

      2. Roland6

        Re: HMRC XP machines

        >A PC can still catch viruses when not connected.

        And the problem is what exactly?

        Ignoring Stuxnet, the user will probably see something and call support, who will investigate and re-image the machine and do a clean up. If the virus is just a data logger it can collect data but it will never get internet access to transmit its cache or to download other stuff.

        Whilst there is a risk, the art of security is to cover the attack vectors and have relevant strategies in place to handle the fall out. Sometimes these strategies can be very simple. Remember there is no real difference between XP, 7 and 8 on this (catching a virus when not connected) - yes in theory XP may be more likely to get a virus, however, you still need to handle the case of 8 getting a virus, so no real change.

    2. Anonymous Coward

      Re: HMRC XP machines

      The way I remember it being architected and designed for 'normal' end users was that the user accessed the internet via an 'Internet' desktop icon (obviously if they didn't have permission to access the internet then the icon wouldn't be on the desktop) which started up a Citrix session based on their AD profile. So to the user it seemed that they were running webpages on IE6 locally, but in fact they were running them on a remote Citrix server cluster with all internet access being further filtered, cloaked etc... (apologies for my vastly simplified explanation ignoring the details of how this was achieved.)

      Some Devs were a special case, as they needed to be able to see what the public websites looked like and how they behaved, so that they could test their work. Hence why they had some 'dirty' machines and networks wholly isolated from the corporate network.

  13. David Pollard

    Lessons of history

    An elegant solution to American protection rackets running in the 1930s was to charge those responsible with the tax evasion in which they were also engaged.

  14. Anonymous Coward

    IT loss leader and cowardly lies

    Having worked in a few large corporates, the problem is refusal to acknowledge required IT costs.

    IT is seen to be only a financial loss to business.

    Combine that with cowardly IT managers who don't stand their corner regarding financial budget.

    Of course Microsoft are mainly to blame for creating a superset of web standards that locked users in.

    Thank goodness for Mozilla/Firefox and now mobile/tablet proliferation to encourage true web standards.

    MS IE11 runs on Windows 7 and IIRC the only MS browser that wasn't affected by a recent particular zero day exploit. That would be the browser to jump to if sticking with MS.

    Time & money needs to be spent (unfortunately)...

    1. Hans 1

      Re: IT loss leader and cowardly lies

      IE11 does not even work with browser-based software from Redmond, competing products ? forget it!

      Choose chrome or firefox, those two run on almost anything and work seamlessly regardless of the underlying platform.

      How difficult is it for you guyz to understand that locking yourself into one platform is bad ? MS made its riches on the back of your stupidity and it looks like it will continue doing so for the foreseeable future.

      Christ !

      Anybody can make a mistake, only cretins make the same mistake twice and when it comes to software, you have been happily making the same mistakes again and again ...

      1. Anonymous Coward

        Re: IT loss leader and cowardly lies

        "IE11 does not even work with browser-based software from Redmond, competing products ? forget it!"

        Name a current product from MS that hasn't already been updated to work with IE11?

        "Choose chrome or firefox, those two run on almost anything and work seamlessly regardless of the underlying platform."

        But are slower and have far more security vulnerabilities to assess and patch than the latest IE.

  15. Anonymous Coward

    It is not the OS, even the hardware

    ...that is a problem. Hardware is relatively cheap, and building an OS image and deploying it across thousands of workstations can be done in weeks. The problem (generally speaking, not in this specific case) is applications.

    Start with poorly documented applications written ten years ago, whose source code (when you have it) depends, to compile or execute, on certain specific versions of DLLs and/or IDEs. They don't have any installers, just a bunch of files copied across, including configuration files, and depend on local configuration details (e.g. specific drive letters) whose meaning has been lost in time and which conflict with the minimum sane security settings, requiring all kinds of overrides to policies. Add to it that some of these applications have a test environment, but some of them do not. Plus, the knowledge of what the application does has been lost because the people involved have retired, been fired, or moved elsewhere.

    And finally, when you ask for documentation you'll likely find something that does not describe the innards of the application, the processes it supports, or both. That is, if said documentation exists at all. Anyway, it is likely out of date, which is often more dangerous than not having any documentation at all.

    And before you say "this would not happen had they followed proper processes" let me give you some food for thought: most of these applications were built without any IT support at all, just some group asking for a server to be installed and handing over support to a third party. This third party is now asking for ransom-like sums of money to move the application to W7 or higher, and the business unit/government department cannot afford the budget and/or the luxury of allocating dedicated resources for three months just to test the migrated application.

    Mix this with the classic scenario of annual plans to replace/upgrade applications that are never executed (because there are other priorities; you know, anything that gives a short-term benefit, especially in politics, takes preference) and you have the perfect storm that may make you keep an old version of something running for decades.

    Ever wondered why it took Munich 10 years to move away from Windows? It was not because they needed 10 years to install 50K Linux images. It was because they needed 10 years to move applications. And even when they say that they are done, they likely still keep some virtual Windows instances somewhere for the few that are not worth replacing. Because, you know, the annual plan says they will be replaced next year...

  16. jason 7

    Whats the betting.....

    ....that the public sector will be paying £4000 per Windows 7 Pro PC by March this year when last year they were £1000.

  17. Mr Rizla

    It won't be an option for big corporates/military. Much as MS says it's stopping releasing security fixes etc. for Windows XP, they won't stop, as they have important customers that will have paid a premium for continued support even after end of support life; they just need to spend $$$. They won't be publicly available though.

    1. Anonymous Coward
      Anonymous Coward

      "wont be publicaly available tho"

      They will all undoubtedly be on TPB for download if you really need them...

      1. 's water music

        >> "wont be publicaly available tho"

        > They will all undoubtedly be on TPB for download if you really need them...

        wait wut? is patch Tuesday from TPB better or worse than from windows update? I forget.

        In any case XP embedded is supported for a further year over full fat XP so it isn't hard to imagine a slightly better pedigree of "grey import" patches channel than the Bay

      2. Anonymous Coward
        Anonymous Coward

        Re: They will all undoubtedly be on TPB for download if you really need them...

        Yes, because obviously downloading patches from the Pirate Bay is perfectly in line with both IT policy and professionalism. No doubt some will have some very special 'extra' patches thrown in as a bonus.

        To borrow from those other Pirates, of the Caribbean:

        "You... you used modified Windows XP patches to pwn our network!"

        <Shrug> "Pirate..."

  18. Semtex451
    Stop

    Spoonful of Scare Mongering

    Could I just point out that an XP box is no more vulnerable after April, than it already is right now.

    We're talking about Future Hotfixes ending.

    If there remain gaping holes in the OS after this long, they're likely already being exploited.

    1. Anonymous Coward
      Anonymous Coward

      Re: Spoonful of Scare Mongering

      I think I agree with you, but it seems appropriate to remind readers of the MS logic in this picture:

      "There's much code in common between XP and its successors. If we, MS, fix a defect in Win7 or Win8, naughty people will reverse engineer the fix and see if there is an equivalent defect in Win XP and if there is, they will exploit that unfixed defect in Windows XP. To avoid this situation, please pay us lots of money to get some newer software with the same old defects and some new ones, so your unfixed defects will actually get fixed."

      Or something like that. Obviously omitting to mention Windows XP Embedded, where the same defects will still get fixed for another couple of years.

      So who thinks there's a big problem here, for anyone other than Microsoft and corporate lawyers and some IT people?

    2. Darryl

      Re: Spoonful of Scare Mongering

      Thank you.

      These things aren't Cinderella's carriage or something.. They'll still work the same after midnight.

  19. Anonymous Coward
    Anonymous Coward

    Time to buy some shares in CrossOver plugin or whatever it's called now

    1. John Bailey

      My thinking too.

      Imagine if the desktop was lost to Linux by programs that ran fine in WINE, but not in Win 7+..

  20. Velv

    "Neither the HMRC – collector for the nation’s purse – nor NHS Scotland will pay for protection, according to our FOIA requests"

    Correct - neither will PAY for additional support. But I think you'll find MS will provide friendly government organisations with access to all fixes that the real paying customers have paid to be produced.

    MS is not stupid, they know who not to piss off.

    1. Hans 1

      @velv

      In fact, government bodies have an unlimited supply of cash, or at least, that's what corps think.

      They have been milking our government bodies heavily, over-charging them royally because they know nobody will come after them. I mean, the civil servant does not care, it is not his money ... or so he thinks.

      Public sector people are usually crap at managing public funds; when it comes to their private funds, though, they beat most ... weird, don't you think?

      Now, if you look at the NHS, they have been very good at wasting shitloads of cash in IT spending; they have even gone so far as setting the whole system up to waste funds, they call it splitting it up into separate trusts.

      MS will milk them mightily ...

    2. Anonymous Coward
      Anonymous Coward

      "But I think you'll find MS will provide friendly government organisations with access to all fixes that the real paying customers have paid to be produced."

      Nope - access to these hotfixes will require a support contract that comes with a significant 'per fix' fee...

      "MS is not stupid, they know who not to piss off."

      Quite - like all the customers that can afford to pay for extended support for instance....

  21. Anonymous Coward
    Anonymous Coward

    All seems a bit Y2K like to me....

    Panic panic panic!!! spend spend spend!!!!!!!

    oh wait, nothing happened.

    meh.

    In reality those government orgs will be the kind of customer that will continue to receive support from Microsoft anyway. Way too much at risk to Microsoft to start losing customers like those and from the publicity of an incident at such a client.

    Let's face it, many of those clients probably have a few Win2k machines (or older) kicking around still as well, which are all still running fine.

    1. jason 7

      Re: All seems a bit Y2K like to me....

      Don't knock it, got rid of a whole load of 3.1 and Win95 crap in my organisation.

      The transition from all of us on dumb terminals in the early 90's to some of us on PCs by the late 90's hadn't been managed all that well.

      Not to mention the umpteen different versions of Visio/Office/Smartsuite/anti-virus/no anti-virus that had been bought randomly till then.

      Folks didn't know they were born with their new 64MB Windows NT4 desktops. Though the wars that raged over locked-down accounts and no floppy drive access were the stuff of legend...

      A lot of good came out of Y2K (for end users) however, it did tend to set/synchronise the upgrade cycle for the corporate/enterprise for ever more.

  22. Anonymous Coward
    Anonymous Coward

    I just hope Microsoft release a roll-up package in April and the Windows Update component in XP (SP3) will only have to download 1 (albeit large) package with all GDRs bundled in it...

    1. Anonymous Coward
      Anonymous Coward

      "I just hope Microsoft release a roll-up package in April"

      Why would they bother doing that for a dead OS that no one should be making new installs of? Not going to happen.

      1. Anonymous Coward
        Anonymous Coward

        Because even if no one _should_ be installing the product, they will continue to for a while at least, and the Windows Update servers will need to keep every GDR from the last 6 years instead of one package, so it is in their interest.

        Also, if the XP ISO images on MSDN continue to be hosted, they should be updated to be "XP EOL" with this package already installed.

  23. Anonymous Coward
    Anonymous Coward

    PSN Compliance

    Hmmmm, the post-GSi world is one of fairly low tolerance for failure to comply with the PSN code of connection. 2013 saw most of Scotland's councils and health boards being warned of disconnection over compliance issues - I know of two public sector organisations that basically halted all planned change for months in order to divert resources to addressing it.

    One of the major components of the PSN CoCo is that software should be a supported version and fully patched so EoL of XP was always going to be pricey...

    1. Roland6 Silver badge

      Re: PSN Compliance

      Given when HMRC upgraded to XP, I wonder if they have extracted commitment from MS to support Win7 until at least 2024?

      Which also means that the next version of windows that will be widely used in government is likely to be 11 or 12, based on MS's current plans for releasing new versions of Windows every two years ...

  24. Anonymous Coward
    Anonymous Coward

    Windows security updates are mostly just jokes, so you won't lose much more after April. For 14 years I believed that someday Windows would become a secure, stable and decent OS. In 2008 I finally realized that I had been one of those hundreds of millions of fools for Microsoft. I gave up, moved to Linux, and since that day I haven't missed the Microsoft spyware/malware days at all.

    1. Anonymous Coward
      Anonymous Coward

      Genius...... so just when Microsoft got on top of their security you switch to Linux, which is now far more insecure than Windows! well done!

      1. Anonymous Coward
        Anonymous Coward

        "switch to Linux, which is now far more insecure than Windows! "

        "switch to Linux, which is now far more insecure than Windows! "

        Citation needed. E.g. numbers based on Zone-h webserver defacement count (which has been the popular recent source of such silly stories) are not applicable to desktop systems.

        1. Anonymous Coward
          Anonymous Coward

          Re: "switch to Linux, which is now far more insecure than Windows! "

          "Citation needed. E.g. numbers based on Zone-h webserver defacement count (which has been the popular recent source of such silly stories) are not applicable to desktop systems"

          As pretty much no one uses Linux on the desktop, the Zone-H numbers are about as good as it gets. And it is surely much worse to be the OS failing at full remote exploitation like Linux than the one failing at exploitation that involves end user interaction?

    2. Anonymous Coward
      Anonymous Coward

      "I give up moved to Linux and since that day haven't missed Microsoft spyware/malware days never."

      You realise that Linux distributions have far MORE security holes than current Windows versions (even when package-adjusted to match the Windows OS functionality)? The only reason Linux doesn't have much malware on the desktop is that pretty much no one uses it as a desktop. A Linux desktop is security by obscurity...

      If you look at where Linux is actually used like Internet Webservers then defacement statistics shows that you are several times more likely to be hacked using Linux than Windows - or we can look at Android - which is a complete malware festival....versus zero malware on Windows Phone...

      1. Anonymous Coward
        Anonymous Coward

        "defacement statistics shows that you are several times more likely to be hacked using Linux than Windows"

        Please come back when you've found another story besides the zone-h survey. It's so old hat.

        1. Anonymous Coward
          Anonymous Coward

          "Please come back when you've found another story besides the zone-h survey. It's so old hat."

          You're wasting your breath. He's obsessed with the belief that said Zone-H survey 'proves' things it doesn't even mention. He'll continue to do so for each and every Windows and Linux story posted on The Reg. I'm just going to tune him out in future.

  25. Marty-SNGC

    Support fees to Microsoft will exceed the GNP by 2028

    If HMRC chooses not to upgrade from Windows XP and pays Microsoft its extended support fee then by 2028 this cost will exceed the current GNP

  26. Anonymous Coward
    Trollface

    > Thousands of PCs at Britain’s biggest public sector bodies will miss Microsoft’s April deadline to abandon Windows XP before open season for hackers begins.

    One wonders why the hackers are waiting until April. Why don't they just do their hacking now?

    It's not like Windows XP is going to change much between now and then.

    1. Mark #255

      One wonders why the hackers are waiting until April. Why don't they just do their hacking now?

      Well, if you were a nefarious type, with an unpatched drive-by exploit ready and waiting, do you

      • release it now, and risk MS releasing a patch for it in a few weeks' time, or
      • wait until mid April, and surf the long-tail of never-going-to-be-fixed boxes.

      And how much would such an exploit be worth?

      1. Anonymous Coward
        Anonymous Coward

        Heh, I didn't think of that :D

        I'm obviously not evil enough.

  27. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: This is why

      We do not need new laws; we just need the police and the CPS to enforce the existing ones, and get enough of a clue that they can counter when a dodgy clever lawyer bamboozles a judge who is probably not that clued up on IT matters, or when a superior in the CPS decides that a case has not been made because he or she doesn't understand what is going on.

      Adding new laws is pointless as there are already too many for the police and the CPS to absorb. The rot seemed to have started under Thatcher when she started ruling by SI to avoid Parliamentary scrutiny, and Blair took it up with enthusiasm.

  28. Zacherynuk
    Windows

    Assuming these people have actual work to do using proprietary systems... which obviously require ActiveX

    I would think the best way of protecting XP 'users' would be to limit their IP capability. No direct or NAT connections to public subnets, and static routes only for internal required resources, would be a start.

    How about even using IPX and an IPX-to-IP proxy for 'internet' type things (this is XP after all, I wouldn't be surprised if they had Novell still!) and /32 subnet masks with no default gateway and static routes for all internal systems (dished out via GP/DHCP).

    Should keep 'em fairly safe, or at least make sure things can't spread.
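
The isolation posture in the post above (no default gateway, static routes only to the internal resources the box actually needs) is easy to state and easy to drift away from once someone "just adds a route" to get something working. The script below is an editor-added example, not code from the comment or from any product the thread mentions: it reads the IPv4 section of a Windows `route print` table and flags a default route or any route whose destination is outside the internal address space. The two route tables embedded in it are constructed samples, the RFC 1918 ranges are an assumed definition of "internal", and the audit only checks that the table matches the posture; it does not verify that the remaining routes actually work.

```python
"""Audit a Windows IPv4 route table against the 'no default gateway, static
internal routes only' posture.  Editor-added example, not code from the
comment thread; the route tables below are constructed samples."""
import ipaddress
import re

# Assumption: the site uses RFC 1918 space for everything an isolated XP box
# is allowed to reach.  Replace with the real internal ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One `route print` row: destination, netmask, gateway, interface, metric.
# Gateway and interface are \S+ because XP prints interface IPs while later
# versions print "On-link" and interface indexes.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample: a typical XP box with a default gateway and a stray
# host route to a public address.
WEAK_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.20.0.1      10.20.5.17      20
          8.8.8.8  255.255.255.255        10.20.0.1      10.20.5.17       1
        10.20.5.0    255.255.255.0       10.20.5.17      10.20.5.17      20
       10.20.5.17  255.255.255.255        127.0.0.1       127.0.0.1      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0       10.20.5.17      10.20.5.17      20
  255.255.255.255  255.255.255.255       10.20.5.17      10.20.5.17       1
Default Gateway:         10.20.0.1
"""

# Constructed sample: the same box after removing the default gateway and
# adding host routes only for the two internal servers it needs.
HARDENED_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
        10.20.5.0    255.255.255.0       10.20.5.17      10.20.5.17      20
       10.20.5.17  255.255.255.255        127.0.0.1       127.0.0.1      20
      10.20.40.12  255.255.255.255        10.20.5.1      10.20.5.17       1
      10.20.40.13  255.255.255.255        10.20.5.1      10.20.5.17       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0       10.20.5.17      10.20.5.17      20
  255.255.255.255  255.255.255.255       10.20.5.17      10.20.5.17       1
Default Gateway:         None
"""


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route print
    output.  Header lines and 'Default Gateway:' are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        # strict=False so a row like 192.168.1.50/255.255.255.0 still parses
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def is_housekeeping(net):
    """Loopback, multicast and limited-broadcast rows Windows always adds."""
    return (net.is_loopback or net.is_multicast
            or net.network_address == ipaddress.ip_address("255.255.255.255"))


def audit_routes(routes, internal_nets=INTERNAL_NETS):
    """Return a list of findings; an empty list means the table matches
    the posture (no default route, every destination internal)."""
    findings = []
    for net, gw, iface, _metric in routes:
        if net.prefixlen == 0:
            findings.append(
                f"default route via {gw} on {iface}: host can reach any subnet")
            continue
        if is_housekeeping(net):
            continue
        if not any(net.subnet_of(internal) for internal in internal_nets):
            findings.append(f"route to non-internal destination {net} via {gw}")
    return findings


if __name__ == "__main__":
    for name, table in (("weak", WEAK_TABLE), ("hardened", HARDENED_TABLE)):
        findings = audit_routes(parse_routes(table))
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

On a real estate you would collect `route print` output from each XP box (a logon script writing to a share is enough) and run the audit over the lot; a box that acquires a default route or a route to public space is the one that stops being "fairly safe". The multicast, loopback and limited-broadcast rows are skipped deliberately because Windows adds them regardless of configuration and they tell you nothing about reachability of other subnets.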

  29. Nuno trancoso

    Same FUD again from people with a too-obvious agenda, i.e. market drones...

    If OS XYZ stops getting support at day x, it won't make it more vulnerable than it was at day x-1, just that nothing will be fixed by the manufacturer after that date. On a similar note, OS ZYX, the successor to XYZ, doesn't become more secure after day x either.

    Given that both XYZ and ZYX have been through several rounds of "fixing", one might argue that neither is really more (in)secure than the other. OTOH, XYZ has been around (and abused) for a while longer, and its "pool" of (exploitable) vulnerabilities has shrunk quite a bit, while ZYX's attack surface is quite "virgin" in comparison.

    Malware writers also like to hunt "big game" as profit is directly proportional to numbers. OS FREEBIE and OS FRUITY have benefited from this for ages. Now, if a significant amount of punters move from XYZ to ZYX (or FRUITY or FREEBIE or CAKEY or something), said miscreants change targets; they always do, and do it real fast.

    Case in point: was there any 0day for 3.1 making the headlines these last, say... 10 years? You might just get away with being on something nobody gives two tweets about anymore..

    1. This post has been deleted by its author

  30. Jim Bobble

    "8 April is the date when extended support for Windows XP from Microsoft finally comes to an end"

    I don't suppose that, once HMRC misses this deadline date, they'll be stiffed with a £100 penalty, will they?

  31. BongoJoe

    Is the XP Compatibility Mode in Windows 7 compatible with XP yet?

    Until it is 100% compatible, this one-man outfit can't afford to rewrite 200,000 lines of code just to 'upgrade' to Windows 7, because good, i.e. well-written, code, which should work on any 'compatible' operating system, should quite simply work.

    Building and assembling large C++ applications doesn't always work under Win 7.

  32. yossarianuk

    Whatever costs would be needed for a full scale migration of the NHS to Linux the savings over decades would outweigh those costs. Not to mention reliability and security - even the UK gov has said Ubuntu is more secure than Windows8/Mac

    http://news.softpedia.com/news/Ubuntu-12-04-Is-More-Secure-Than-Windows-8-and-Mac-OS-X-Says-UK-Goverment-416016.shtml

    It would mean the tax payer no longer forced to fund an anti competitive patent troll also, another bonus would be the tax payer would be funding technological improvements for the entire world, not Microsoft's patent lawyers.

    I went to an NHS hospital the other day and on a large computer screen (used in reception) it had a post it note that read ' When you lose networking reboot computer' ..... It was running Windows - I can't imagine a Linux desktop ever having that note on - I wonder how much productivity is lost just in that one reception thanks to the NHS using windows - can only imagine how much productivity is lost for the whole organisation.

    1. Anonymous Coward
      Anonymous Coward

      "Whatever costs would be needed for a full scale migration of the NHS to Linux the savings over decades would outweigh those costs"

      Over decades MAYBE - but no one sane invests the amount of effort required to migrate to a niche desktop platform that hardly anyone uses for a return that will be decades into the future....

      Such a slim return that takes decades to realise would also likely be wiped out by the slightest difficulty in the migration project, so the risk of failure is also significant.

      Munich already showed this to be the case - the project team have claimed headline savings in licensing costs, but if you look at the true cost of the project, it will as you suggest take decades to make a return - if ever....hence why there is pretty much no interest in this path...

      "Not to mention reliability and security - even the UK gov has said Ubuntu is more secure than Windows8/Mac"

      I haven't seen any such official statement. Than Mac, probably (over 2,000 known vulnerabilities in OS X), but current Windows versions have similar vulnerability counts to Ubuntu. Also, Windows has more powerful security features like support for constrained delegation and expression-based security.

      1. Anonymous Coward
        Anonymous Coward

        "a return that will be decades into the future"

        "Over decades MAYBE - but no one sane invests the amount of effort required to migrate to a niche desktop platform that hardly anyone uses for a return that will be decades into the future...."

        Are you a paid MS shill, or does it not occur to you that there was once a time (possibly before you were born?) when people made that very same comment about migrating from (random x86 OS+apps) to Windows?

      2. yossarianuk

        You know the best things about Linux vulnerabilities?

        They normally get fixed quickly - unlike say with Windows.

        Sometimes you can even fix stuff yourself; with Windows you're often at the mercy of one company to fix it for you.

        1. Anonymous Coward
          Anonymous Coward

          " You know the best things about Linux vulnerabilities?

          They normally get fixed quickly - unlike say with Windows."

          Actually that's not true - on average vulnerabilities are fixed faster (fewer days at risk) on Windows than on Linux.

      3. Anonymous Coward
        Anonymous Coward

        "I havn't seen any such official statement. "

        Canonical's summary of this is here: http://insights.ubuntu.com/wp-content/uploads/UK-Gov-Report-Summary.pdf

        The CESG report they reference is here: https://www.gov.uk/government/collections/end-user-devices-security-guidance--2

        Looks like Windows loses out in a single category - 'Device Update Policy'.

    2. 's water music
      Joke

      > I went to an NHS hospital the other day and on a large computer screen (used in reception) it had a post it note that read ' When you lose networking reboot computer' ..... It was running Windows - I can't imagine a Linux desktop ever having that note on

      Yup, I have never heard of anyone having a networking problem on a Linux distro. Ever. And if the connectivity loss from the post-it note had been anything to do with any infrastructure that wasn't the end-point OS then it would have said so on the note, to mitigate the risk of MS suing them for defamation. Stands to reason.

  33. Anonymous Coward
    Anonymous Coward

    Probably the tip of the iceberg...

    It would be interesting to send similar FOI requests to educational establishments in the UK and see the results...

    I can foresee many schools turning into big botnets in April (if they're not already).

  34. Adrian Midgley 1

    NHS England incorrect on General Practices as quoted

    Some years ago the NHS declined to fund GP IT any more via Practices, but made a set of deals with suppliers on our behalf, and set up area IT teams to supply and maintain hardware and operating systems, etc.

    They were really keen to do that and declared it would be better and cheaper.

    NHS England is a bit new, and actually doesn't know a lot about how things are running or have run or why or what went wrong last time idea X was tried. In their role that sort of knowledge may seem a handicap, it being far more fun to start as if from scratch.

    XP alas. All the Practice's own stuff hangs off a Debian box in a rack, but the NHS stuff is scattered Windroids.

  35. Anonymous Coward
    Anonymous Coward

    There is a solution to all of this!

    Pick a LINUX distro, install it, and then be happy forever after. That is what I did when Windows Vista came out. I have had some minor problems, but they were well worth not having to suffer through one of Vista's self-imposed denial of service attacks. I even tried Windows 7 and was disappointed to see that it does the very same thing once or twice a month. An operating system should not be the cause for a hardware upgrade unless the system is something like ten years old. Oh, and never mind the vagaries of the "upgraded" interfaces. Those are simply a nuisance, not a help. Once you have learned an interface, there should be no need to learn a new one, barring a dramatic change in hardware, such as going from a desktop to a tablet.

    Oh, and for those who simply must have some particular piece of M$oft software, there is always WINE. WINE will run almost anything you run on your wintel boxen now on Linux.

    1. Anonymous Coward
      Anonymous Coward

      Re: There is a solution to all of this!

      "Pick a LINUX distro, install it, and then be happy forever after. "

      That only works in Geek Nirvana. It's not even an option for the vast majority of businesses.
