Ready or not: The demise of Windows XP
By Jason Free, Executive Editor
With final examinations on the horizon, most college students are diligently working on their computers, but few are considering a threat that is growing with each day: personal data breaches. Retailers, healthcare organizations and universities (I’m looking at you, University of Maryland) have all made headlines for having major lapses in their IT security that resulted in hundreds of thousands of pieces of personal information being taken from their servers. Most students fail to appreciate the full monetary value, as well as the incredibly long shelf life, of the personal information stored on their personal computers. To compound this issue, many students are not taking the necessary steps to protect their data on machines currently using Windows XP, an operating system set to lose all technical support April 8.
I spoke with Sergio Galindo, General Manager Infrastructure Business Unit at GFI Software, to learn more about this looming security issue and how the IRS is paying for XP security patches that you will never see.
Jason Free: With so many students using Windows XP, the scale of this issue is massive. Where do things stand now?
Sergio Galindo: What we are gathering from the warnings Microsoft has given us, and from our own market observation, is that XP is an unsupported platform and it brings risks for its users. Naturally, throughout the years, we’ve seen people naturally migrate throughout the different Microsoft platforms: Vista, then Windows 7 and now Windows 8. Just through natural attrition, people have moved off, but there’s still 20-30% of the population who are still on XP.
Free: What do you attribute that to?
Galindo: There’s a couple of reasons, but the biggest is that a lot of people have that refrigerator mentality, which is where you're thinking, “It works. My refrigerator is cold. Why would I ever change it?” There’s no big driver to move off of a Windows XP machine, especially if it’s working and it’s not having any problems, and your day-to-day business continues normally.
The difference in what we're going to be seeing is that the holes that used to be there will continue to be there, but what we lovingly called “Patch Tuesday” is not going to apply to the Windows XP platform anymore.
The holes that you’re seeing today, or tomorrow, or next week, will still be there a month from now, and next month there will be more holes, and the month after that even more. There will be so many more opportunities for somebody to come in and target both your machine and your information. You're just exposing yourself to more and more risk. Given the low cost of hardware these days, it’s probably best to move off of Windows XP and just eliminate that headache.
Free: There are a lot of people out there who feel as though Microsoft is basically putting a gun to people’s heads, and that they’re being coerced to move on, even though their older machine is fully operational. Do you think that's a fair judgement?
Galindo: That’s a loaded question, but I definitely feel as though Microsoft has crossed the line. One of the worst parts is that even though Microsoft has got a gun to your head, if you’ve got enough money in your wallet, it’s okay. He won’t shoot because Microsoft is indeed patching the holes in XP. We have had that information for months. They're being paid copious amounts of money to privately and individually patch these holes for the IRS, large corporations and other government agencies. The problem I have with Microsoft's practices is that once they fix it for one person, is there any additional cost to give it to a million other people? Probably not.
Microsoft is charging the IRS, other government agencies, large corporations, all of the ATM manufacturers, millions of millions of dollars to do the fix, so we know that they're doing the fix in the first place; however, small shops, students and doctor’s offices, they can’t afford it, so they’re shut out. They have no solution.
Free: Do you think that that's a fair practice when dealing with small business, or even for the average consumer?
Galindo: Well, it depends on how you look at it. Microsoft is trying to get people to move forward. It's certainly an aggressive approach, and there’s probably a middle ground that they could’ve taken. They tried to help move people off of the hardware a little bit, but perhaps a little bit more assistance in that move would have been more helpful to the small and medium business. The fact that the patches are being developed and being sold to the larger organizations is the tough pill to swallow.
The IRS has paid $11.6 million this year to have patches created for their machines as they migrate away from XP. They are essentially paying for a custom support plan; a plan that could be shared with the general public but it is not.
Most people, and most companies for that matter, can’t afford $11.6 million to spend on something like this. The solution is there but it is out of reach for most of the population. This happens all of the time, even outside of software development. Microsoft kind of created the holes, and now they’re charging to fix it. They have the fix, for sure. If you can afford it, you get it. If you can’t, they want you to move on.
Free: You're not saying that the holes are intentional, are you?
Galindo: Absolutely not.
There are bugs in everything. There are bugs in cars. There are bugs in manufacturing. There are bugs in software. It’s the name of the game. But is there a way for Microsoft to help an average student? I don’t see it. They did have a plan with their special offer, where they would give you $100 to move you off your old desktop and onto your new desktop. That was an effective short-term program that they had put into place.
Charging a large company millions of dollars just because they can afford it is, to me, sending a message that says "If you can pay for it, I’ll continue to support you." It would’ve been better off if perhaps they said, "XP is ending. We’re moving all of our resources to the new operating systems. No more patches for anyone." They could have been done with it, and treated everybody across the board the same. Now, if you have the money and you can afford the support, Microsoft is saying, “Okay. Thank you for your cash. We’ll write the patches you need.”
Free: So, the only real limitation for XP users is money. If you want to keep XP for the next 13 years, you’re okay if you have the money for their support.
Galindo: Well, each one of those agreements was individually negotiated, so it’s up to what Microsoft is willing to do. We know, specifically, though, that in the case of the IRS, a deal was made for support the public will not receive.
Free: You say that there are bugs in everything, so why is it that people are talking the most about this issue, about XP in particular? What makes it special?
Galindo: The difference is that in most situations involving XP, a user, even as a student, is working with information that needs to be protected. It’s different if somebody steals your credit card, for example. You can go and get another credit card. The bank will shut off your credit card, and they’ll credit you for the $100 that somebody went and spent. It's an annoyance, but you recover from that because you get a new credit card with a new PIN number, and you’re back in business. The difference with information is that once that information is out and gone, there’s no way to recover it. There’s no way to stop somebody from populating that information.
For a company using XP, its reputation can be damaged as well. How do you recover from that? How do you trust a company that had your information and lost it entirely? There is no going back. That bell is already rung.
With credit cards or with a fault in a car, they can do a recall. They can fix it and they get that car back out there. If someone loses ten million credit card numbers, they can invalidate them all. They can ship out new credit cards. They are able to start over. When we talk about personal information, it becomes a bit of a complicated issue because it’s hard to recover it once it's gone.
Free: These considerations of privacy need to become second nature for students, correct? This is just the nature of technology. These types of problems and changes occur very frequently, don't they?
Galindo: The thing is, we’ve got computers now that are built well and continue to run, so much like your refrigerator in your house, as long as it runs, you’re not going to change it. That’s just a mentality that people have. Why invest in something that’s not broken?
One of the IT industry's biggest responsibilities is to teach people that by doing this, they're putting themselves at risk. Sure, we're seeing people slowly move off to more secure operating systems, but that's because it’s not just the operating system that must be considered. It’s the software that runs on top of it. If you have a platform, in this case, Windows XP, that is not supported, the third-parties that write the software eventually stop supporting it as well. This causes the holes in your systems to continually build, and the lack of security patches means that the holes will just keep piling up. Your risk of losing personal information grows and grows.
Free: Do you think that there are people, identity thieves, out there waiting to exploit the new holes?
Galindo: Absolutely, but hopefully the number of targets that they have available continues to shrink.
Our own surveys have shown 20% of our users are still on XP. Microsoft put out their reports, and they said it was closer to 30%. Luckily, people are starting to hear more and more about these security risks and they now have a little bit more of an incentive to move on.
Free: When they move on, are they going to have Patch Tuesday for another 13 years with Windows 8? People aren’t saying great things about Windows 8. That’s another reason why people don’t want to leave XP because while Windows 8 might be more secure, a lot of people feel as though the process of relearning or the retraining isn’t worth the move forward. They figure that they might as well just wait until something bad happens to their machine.
Galindo: To Microsoft’s credit, they have heard the feedback on Windows 8.
Personally, I was an early adopter. It was very touch-friendly, so if you had a touchscreen, it was actually pretty good to use. However, it was unbelievably frustrating using a mouse on Windows 8. They're trying to make that better today. They’re certainly listening to putting back their start menu, and they’re realizing that they probably went too far from an artistic point of view. I think it is a cleaner interface, but it is very different.
Many people are saying, “Move to Windows 7 if you can.” Windows 7 is certainly more similar to Windows XP, and it is solid and it is stable and it performs just as well, if not faster.
Free: Do users have a responsibility to move on from XP? Will they bear some of the responsibility should they face a personal data breach?
Galindo: If you know about an issue, a crack in your sidewalk, or something that’s wrong near the house you live in, you’re partially responsible. There has to be that realization, at some point, where you think, "I’m putting too much at risk." You're then partially responsible for gradually making the appropriate change in a controlled environment.
Free: Are you seeing different reactions or different plans of actions within different industries? Is it pretty much a uniform transition or are you seeing different thoughts and philosophies?
Galindo: Across the board, people are starting to get the message.
We’re seeing the number of XP users begin to wind down. There are some difficulties in some people not having the money right now to make the change. Slowly but surely, people are moving off of it, but there is a group of people who seem to be holding on to it because of that refrigerator mentality. It’s a lime-green refrigerator that’s probably not energy-efficient, but it keeps my food cold. I’m not swapping it out. I know it’s ugly, I know it’s out of warranty, but it still works, and I know I’m not going to change it.