[WINXP] So who still uses it? and why?

There are fundamental design flaws in Windows XP that make it unsafe for Internet banking and other tasks in a permanently connected world. If you want to use Windows XP "air gapped" from the world, fine. But if you're Internet connected, this isn't a case of Microsoft being big bad guys. It's necessary change for safer software online.

Security is a war of attrition. You can't just wrap an unsafe thing in a safe thing and expect it to be sound and secure. As above, fundamental flaws in XP's design means change was necessary, and no "wrapper" can help you there - a system is only as secure as its weakest link. We call this "defence in depth":
https://en.wikipedia.org/wiki/Defense_in_depth_(computing)

With that said, there are open source tools that aim to give you XP compatibility on more modern software. Two options currently are :

1) WINE - a software layer that runs on Linux, and allows Windows XP software to run quite well. I've found WINE gives me a better overall compatibility for old software and games than even Windows 10:
https://www.winehq.org/

2) ReactOS - a whole new, non-Linux, non-Windows operating system that uses some of WINE's code, and plenty of their own, to make a Windows-like OS. Their end goal is to be like DOSBox and FreeDOS aim for with MS-DOS, in that they want to ultimately be 100% compatible with Microsoft Windows in every way (even right down to third party drivers). ReactOS is still very early in development, and considered "alpha quality", so don't go running your business tools on it. However active development means there are better chances of it targeting newer hardware that Windows XP won't be compatible with, while still running Windows XP era software:
https://reactos.org/

Two massive warnings with both of these options, however:

Firstly, neither has had the formal security scrutiny that modern operating systems have. While their developers actively squash bugs and post security notices, there's not as many people testing flaws in either compared to a modern Windows/Linux/Mac desktop.

Secondly, see the "defence in depth" comment above. Even if WINE or ReactOS are 100% secure (and they aren't), if you're going to load up ancient software on them, it's likely that software is full of security holes, and puts you at risk.

As someone who loves retro computing and retro gaming, I take measures to keep my old stuff and my new stuff separate on my home network. Particularly anything that is responsible for deriving me an income is always supported, patched, and up-to-date software regardless of the vendor or whether it's open source or proprietary.

Old stuff is heaps of fun to play with, and I get the nostalgic memberberries from using old computers. But I don't make the mistake of using them in risky ways that put my Internet, personal or business security at risk.

 

Sure, but I think you should have noticed that the proposal would greatly reduce the vectors.

Sanitised network traffic (Deep packet inspection if feasible, but also blocking the 99.9% of ports that aren't totally necessary for "the one job") would go a long way to achieving that, but also malicious USB devices - and with the instant rollback, you can get on with life while others figure out the cause and add it to the rules to prevent it reoccurring.

You can't stop everything, but you can improve your odds and reduce the impact.

I don't really see WINE or reactos as a potential solution for the "must-be-xp" machines still out there.
For the most part, I expect they've usually got some practically unique IO card that has only that special driver on XP. Otherwise they'd just use hyperv and have an xp image.

 

I have to ask, what's the purpose of this ENORMOUS effort though? You're talking a long list of things that are well beyond the comprehension of the average person, let alone maintenance and constant effort required to check that nasties aren't getting through.

You mention the "crappy card no other OS can run", which is very much a niche business problem. For the most part, the "I want to keep using Windows XP" cries come from the same camp as the "I want to keep using Windows 7" camp - folks who just got used to a thing and can't bear change. What I really want to avoid is giving any of them hope that there's a safe way to keep using these unsupported operating systems as their daily drives.

Examples of "one bit of hardware that can only be supported by XP" typically fall into "cost of doing business" problems, where deep packet inspection and the rest is all just too costly, and it's easier to just air gap the thing than deal with any sort of incredible IT effort that ends up being more cost than the tool is worth. Hence why no "Linux condom" exists, because "air gaps" don't need patching, updating, inspecting, log analysis, and expensive security professional eyes-on regularly.

ReactOS aims to be exactly this - a simple, all GUI, "any idiot can use it" replacement to Windows XP. Their project goal is 100% compatibility (impossible of course, but again look at FreeDOS/DOSBox for what they're attempting to do). The upside is precisely the opposite of the paragraph above - none of the either very difficult or very expensive security expert brain power required, if the end goal is your hypothetical "I have this one crappy old card that no other OS can run" problem, where ReactOS can be considered a drop-in replacement for XP, with the only difference being you don't need XP-era hardware (outside of your ancient IO card) to run it.

I'm using both WINE and ReactOS mostly for old video games, although in a professional capacity - I'm assisting a research group funded by the ARC who want to provide a research platform into video games developed by Australian and New Zealand developers. To date their researchers have spent a lot of time using emulated Windows 95 through to XP for their games, and found that performance suffers terribly. WINE and ReactOS often provide better compatibility (especially around getting colour depths right) and far better performance, all without having to maintain a database of ancient drivers on top of the ancient software they're trying to research.

So niche business uses for WINE/ReactOS over XP exist. But again, the "Linux condom" idea tends to be moot, purely because of the costs associated with keeping the risk profile low, compared to air-gapping the thing and locking it in a room.

 

I see 99% of the effort as in the creation of this 'condom' os - and the installer.

OpenXT is almost all of the way there. Ever played with it? I'd say it's only a few scripts and a firewall off being appropriate.

Maybe I'm assuming here, but I imagine there are old machines like say Xray/CT/MRI that aren't upgradeable to a new/alternate OS for whatever retarded reason where some network capability is still essential.

We all know what reactos aims to do, but man, it's taken 20 years so far, and is it out of alpha yet? Not something you could convince a corp to run on a critical tool. Hence I figured someone somewhere would have created a hypervisor based solution that shielded all the known vectors, and could be rolled back instantly when not if it gets fucked over.

 

Straight up, if I were CSO for places that used these, I'd demand they be air gapped. No exceptions, no arguments.

This is unsurprising. Building a new OS from scratch is far easier than white-room/black-box cloning an existing one, and doing so legally.

With that said, for non-business-critical uses, it's amazing quality for an alpha product. There is very much a niche it can and does fill (again, just like FreeDOS).

Which is exactly what I said above. It's uses right now are certainly not for business users (compared to FreeDOS, which I know does get used in businesses all over the world).

The problem with real world security is less "when you know it gets fucked over", and more when it gets fucked over and you have no idea.

See recent(ish) stories about ANU who had attackers sitting in their network for a minimum of 6 months (likely more - they can't tell for sure), doing who-knows-what with who-knows-how-much data.

Your example above about medical platforms? Once again, if I had ultimate responsibility for that, I'd personally come in and cut the Ethernet cable and sack anyone who argued. Even with one port and one application and "doing the one thing it needs to do", if that one thing is security-swiss-cheese, it doesn't matter how many condoms you wrap it in - you're still poking a big hole through all of them in one fell swoop.

 

Must be nice to have the CEO 120% behind you. You've never been told to implement something you consider stupid - and done it?

 

No hospital/medical CEO understands Ethernet on MRI machines.

But they understand multi billion dollar risk. A good CSO speaks the language the CEO/CFO/COO need to hear.

Nope. My whole career has been fighting decision makers who make bad decisions based off incomplete data. Doesn't take a whole lot of bravery to stand by solid data.

 

Who knows what's going to happen in the future! https://www.theregister.com/2020/09/28/eric_raymond_linux_beats_windows_prediction/

 

The paint shop I go to uses a computer running 95 for their paint matching software.

 

Just a heads up: the guy who made that prediction (Eric S Raymond) is universally loathed in both the Linux and non-open-source communities.

I'm actually quite amazed The Register bothered to quote him. Must have been a slow news day.

Here's a more considered response:
https://boxofcables.dev/no-microsoft-is-not-rebasing-windows-to-linux/

 

Yeah I can't see it happening. Period.

The windows kernel is generally speaking fine after 30 years of development.

 

Are you serious? Both the NT kernel and NTFS file system haven't aged well at all. It's 2020 and you still need to reboot to apply updates while the file system fragments more efficiently than it performs IO operations. You literally 'need' an SSD to overcome the shortfalls of an inefficient file system, without an SSD you'll literally stomp your laptop to dust in frustration while the HDD thrashes it's head off.

 

So... if they integrated a better FS it'd be better? They've been working on winfs for 20 years now... wonder if it'll ever happen

 

It's not just a file system issue, the kernel really hasn't aged well. Due to the fact Windows runs an API translation layer, the Wine project highlights that translating Win32 system calls from an NT kernel to a Linux kernel is entirely possible and actually quite effective. In many cases performance is better under the Linux kernel due to the efficiencies of the Linux kernel and file system over NT/NTFS.

 

Well, not technically true. Win7 ran fine on an HDD, Win10 runs poorly. It's the constant IO in Win10 that makes regular HDD's untenable, not the filesystem.
Linux filesystems largely made the choice to allow create large gaps between files, which reduces fragmentation but increases seek latency with consecutive reads. This turns out to be the better strategy in the SSD era where latency isn't an issue so much.

 

You won't need too, this has been the trend for the last 2 decades in the UK and Australia, cant speak for other countries.... Legacy medical equipment are all air gapped because of security lol. In fact, its common that a totally air gapped network and storage solution is implemented for medical equipment

 

well not really as bad as you are making out. I have a W10 laptop at home that the mrs uses, i was going to upgrade it with an SSD but it's pretty ok as it is. and no i'm not being funny or contrary it works fine with the drive it came with.

 

Honestly doesn't surprise me in the slightest. In a world where ransomware is the number one threat, just removing critical infrastructure from the Internet is possibly the single biggest step you can take towards sensible security.

When your risk profile is literally "someone could die", the concept of minor inconvenience gets thrown straight out the window.

Running WinXP at home for shits and giggles is a different story, of course. But I still recommend anyone with the skills to do so consider splitting their home network in half, and putting their retro gear in a separate network to their main stuff.

 

we don't allow and IoT devices on our network for this reason (security), and yes that includes your stupid security cameras the salesman told you that you could look at from your iPhone.

The irony that a device designed to "increase" security can open a security hole is not lost on me at least.

 

Well, technically, run any device using Windows 7 or 10 under Linux using a conventional spinner and it's almost as responsive as a Windows 10 PC running an SSD...