Trying to convince my work to upgrade from XP

Posted: 2017-01-28 11:54pm
by bilateralrope
At work we are using a Windows XP computer that is connected to the internet with no extra security measures. One of the other people working here pointed out that it's a bad idea, but convincing the company to pay for a new computer is difficult.

Are there any good sources on why sticking with XP is a bad idea?

Google just gives me articles like this, which aren't too helpful. The computer still works without problem, so the only reason in that list that might be convincing is that XP isn't secure. But I'll need more detail than a short paragraph that talks about unspecified security problems.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-01-28 11:55pm
by Tribble
If it's working, why upgrade it? Is there anything particularly important on it? Do you need access to the internet?

Re: Trying to convince my work to upgrade from XP

Posted: 2017-01-29 10:37am
by White Haven
Tribble wrote:If it's working, why upgrade it?
Because it's WINDOWS XP, are you new here? The OS went out of support almost three years ago, and was already a security nightmare even before that. Exploits don't get patched. Modern browsers increasingly don't work on it. That's even more dire in business environments, where use of Internet Explorer is often mandated by short-sighted idiots in charge, leaving users to the tender security mercies of Internet Explorer 8. Guess what else doesn't get exploits patched anymore.
Tribble wrote:Is there anything particularly important on it?
Without getting too technical, it doesn't matter. Having one or more extremely vulnerable systems (as Windows XP very much is so long after going out of support, and even before that) on your network allows a potential attacker to compromise the low-hanging fruit and then use that access to penetrate more secure systems. The concept is called pivoting.
Tribble wrote:Do you need access to the internet?
Actually a good question. There are, in small businesses especially, legitimate reasons to be shackled with ancient operating systems, largely when industrial hardware control systems or wildly-overpriced proprietary software is concerned. These are still bad reasons, because they mean that nobody ever bothered budgeting for replacements out of the past decades of profits, but they're still reasons that IT staff have to live with. These reasons go up in smoke, however, if the system can't do its job as a standalone computer.

Does the system require internet access to perform whatever legacy task it's still performing? If yes, replacement is mandatory. If not, get it offline sooner rather than later, and then start budgeting.

Even offline, a system old enough to be running XP in the first place is also old enough that it should be replaced in all but the smallest business environments anyway. Everything in there is likely as old as the operating system itself; you do not want to get stuck in a situation where something finally gives out and you have to scramble to find a fix to get <whatever shitty reason XP was still being run> back in operation only to find out that it's 2020 and nobody can even find an XP box anymore. Controlled replacement is infinitely preferable, and avoids downtime.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-01-29 12:54pm
by Tribble
White Haven wrote:
Tribble wrote:If it's working, why upgrade it?
Because it's WINDOWS XP, are you new here? The OS went out of support almost three years ago, and was already a security nightmare even before that. Exploits don't get patched. Modern browsers increasingly don't work on it. That's even more dire in business environments, where use of Internet Explorer is often mandated by short-sighted idiots in charge, leaving users to the tender security mercies of Internet Explorer 8. Guess what else doesn't get exploits patched anymore.
Tribble wrote:Is there anything particularly important on it?
Without getting too technical, it doesn't matter. Having one or more extremely vulnerable systems (as Windows XP very much is so long after going out of support, and even before that) on your network allows a potential attacker to compromise the low-hanging fruit and then use that access to penetrate more secure systems. The concept is called pivoting.
Tribble wrote:Do you need access to the internet?
Actually a good question. There are, in small businesses especially, legitimate reasons to be shackled with ancient operating systems, largely when industrial hardware control systems or wildly-overpriced proprietary software is concerned. These are still bad reasons, because they mean that nobody ever bothered budgeting for replacements out of the past decades of profits, but they're still reasons that IT staff have to live with. These reasons go up in smoke, however, if the system can't do its job as a standalone computer.

Does the system require internet access to perform whatever legacy task it's still performing? If yes, replacement is mandatory. If not, get it offline sooner rather than later, and then start budgeting.

Even offline, a system old enough to be running XP in the first place is also old enough that it should be replaced in all but the smallest business environments anyway. Everything in there is likely as old as the operating system itself; you do not want to get stuck in a situation where something finally gives out and you have to scramble to find a fix to get <whatever shitty reason XP was still being run> back in operation only to find out that it's 2020 and nobody can even find an XP box anymore. Controlled replacement is infinitely preferable, and avoids downtime.
Perhaps I should have put the "does it require internet access" first, since I agree that upgrading from Windows XP is mandatory in those cases.

I happen to know of a small business which was using Windows 2000 up until recently when they finally made the big move to Windows XP just a couple of years ago! Agreed that there should have been updates along the line, but it's one of those cases where they delayed things so long that it would cost tens of thousands of dollars to replace all of their proprietary software (and some of it doesn't even exist anymore). Fortunately none of the computers are on the internet.
They are also in a position where the owner is likely to just close up shop when he's had enough, so in this particular case it probably isn't worth spending that kind of money on upgrades.

An even more ridiculous example is Starbucks, which used MS-DOS up until ~2010 in their cafes when they finally made the move over to... Windows XP! Unfortunately, they didn't replace the computers along with the software (the computers were ~mid 1990s or so) and as a result they were prone to crashing multiple times per day due to not having a CPU / RAM that were quite up to the job. This was finally rectified in 2015 when they swapped out all of their computers for new ones... running Windows 7. To be fair, a lot of companies made the move to Windows 7 instead of 8 / 10, but still...


I would say that the reasons to upgrade are:

Much better security, especially if the computer is connected to the Internet

Newer computers are faster, have more storage space, have more features, etc.

Easier to maintain both the hardware and software

Inexpensive; seriously they can easily pick up a new desktop for a couple hundred bucks, barring proprietary software / hardware that only runs on Windows XP. Even then if the company is planning on staying around for the foreseeable future they are eventually going to have to bite the bullet and upgrade, so why not do it now rather than wait until something breaks?

If it's a standalone computer that's not connected to the Internet and at most it's being used for things like MS Word and Solitaire then I don't really see the need to upgrade. As long as the files are backed up on a separate hard drive, it'll be easy enough to swap out when it croaks.

Apart from that I'd say upgrading is worth it.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-01-29 02:44pm
by Zixinus
At work we are using a Windows XP computer that is connected to the internet with no extra security measures. One of the other people working here pointed out that it's a bad idea, but convincing the company to pay for a new computer is difficult.
One word argument: Ransomware. Cryptolocker, Locky, whatever.

The only way to avoid those is extensive security features AND patching the operating system (plus backups, but that's really a fallback rather than prevention).

If you are still using Windows XP in a networked environment, you are just asking for any latest bit of ransomware to catch your computer and put the company in jeopardy by demanding a ransom for your own data. Some malware and ransomware don't even need to trick the user to activate, they just need for an ad on their browser to show. Nobody needs to specifically target your computers: you can get this sort of shit by accident, even while visiting legitimate sites (the article I linked talked about people getting malware from visiting Forbes).

Seriously, this isn't even Cyber Security 101, this is "Common sense". There is a reason Windows Update exists. Unless the computers are running on an isolated network, Windows XP (and to be frank Windows 7) is just a bad idea. Either get along with an upgrade program or switch over to a more secure Linux distro that can do the job required.

If that and many other reasons others have said here won't work due to costs, nothing will.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-01-29 03:24pm
by TheFeniX
bilateralrope wrote:At work we are using a Windows XP computer that is connected to the internet with no extra security measures. One of the other people working here pointed out that it's a bad idea, but convincing the company to pay for a new computer is difficult.
Is that the extent of your "network?" One XP machine?

If so, create a restore disk like, yesterday. Keep a backup of relevant data on an external drive. Restore it when it explodes, backup from external drive you (hopefully) kept up to date. Then tell your boss "told you so. Spend some money tightwad."

If it's one PC out of multiple and HAS to be connected to the Internet: you need to consider isolating it from the rest of the network. But if your boss can't be bothered to upgrade a single PC, you may not have the resources for this. I would need more information about how your work network is set up to give any more specific information.

As for good sources: literally have your boss google "Why upgrade from XP?"

Here's One excerpt from a random page.
The most recent Security Intelligence Report from Microsoft shows that when exposed to a similar volume of potential threats, Windows XP SP3 has a malware infection rate nearly double that of Windows 7, and a whopping 650 percent greater than 64-bit Windows 8. Windows XP systems are more likely to be compromised than ones running newer versions of Windows, the effects of the compromise are typically more insidious, and eradicating the threat and resolving a malware incident takes longer.
This is Microsoft and, whereas they have every reason to get you to upgrade, at some point you have to trust they know their software.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-01-29 11:04pm
by bilateralrope
Context: I work for a security company. The computer I'm talking about is owned by the company I work for, but located on a client's property using their internet connection.
Tribble wrote:If it's working, why upgrade it? Is there anything particularly important on it? Do you need access to the internet?
Security problems.
Yes.
Yes. Worse still, we are using the client's internet connection. So if the computer becomes part of a botnet, the client pays for the bandwidth use. They won't be happy about that.


The good news is that we only need the computer for email, spreadsheets and word processing. No software that only works on XP. We don't even have to stick with Windows.
TheFeniX wrote:If it's one PC out of multiple and HAS to be connected to the Internet: you need to consider isolating it from the rest of the network.
That's the client's choice to make. It might have already been done.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-01-30 12:51am
by TheFeniX
http://download.microsoft.com/download/ ... nglish.pdf

It's a link to a PDF. I'm not hiding it so you can see it's directly from MS. It's the report. Print it, or page 65 to somewhere in the 75s (I forgot where). Highlight the important parts.
bilateralrope wrote:Context: I work for a security company. The computer I'm talking about is owned by the company I work for, but located on a client's property using their internet connection.
Physical security? If so: ethically, I would say if the client is aware there's an XP computer on their network and they don't care: you're in the clear. Legally, I'd say "get it in writing." But still, the irony is evident.

But as you said, your boss should understand the consequences of having that PC not only on a client network, possibly compromising their security, but also if any of the productivity you do on it is confidential in any way or could lead to any security issues from your end. I don't know what you'd need that for on site, incident reporting?

If you're in IT security..... you've got a bit of an ethical dilemma if your boss won't listen.

How sensitive is the data you are crunching and e-mailing on that system? Like, it gets stolen: what's the damage?
Some shift information?
The weekly Fantasy Football rankings?
Names, addresses, SSNs?
Nuclear launch codes?

I don't need to know what exactly, but if this data got compromised and it would cause a shit-storm: then that's a good enough reason to pull the machine right there. And you could go at your boss from that angle: loss of business and (to put it technically) "getting your ass sued off" generally gets companies to drop a few bucks here and there.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-01-30 10:33am
by InsaneTD
And if your boss still doesn't after that, fully price a new machine that does everything you need with a half decent security system. Then you find cases where companies have been sued and how much they cost. Put the two figures side by side and ask how much of that his boss will make him on the second figure.

Honestly, getting a full set of quotes for upgrading the machine and being able to show how cheap that actually is should help sway your boss. Can get cheap machines down here for aud$500.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-02-02 10:06am
by Zaune
bilateralrope wrote:The good news is that we only need the computer for email, spreadsheets and word processing. No software that only works on XP. We don't even have to stick with Windows.
In that case, why not install your workplace's preferred flavour of Linux with KDE or LXDE or some other lightweight but noob-friendly desktop environment and call it a day? Given it's only being used for basic office-productivity stuff, you don't really need to replace the machine until the hard drive fails a SMART check, and even then you might get away with it depending how old the motherboard is.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-02-02 11:48am
by bilateralrope
Thanks for the help. I've passed on what information I can to the site SO, who pass it on to my company's management. If the SO is convincing enough, management will contact our IT people. If they are competent, I'll probably be left out of the loop until the new computer is in place.

There is a possibility that all we needed to tell management was that we are still using an XP computer.
TheFeniX wrote:Physical security?
Yes.
If so: ethically, I would say if the client is aware there's an XP computer on their network and they don't care: you're in the clear. Legally, I'd say "get it in writing." But still, the irony is evident.
If the client doesn't want an XP machine on their network, that's going to be a really convincing reason to change.

Other sites have the client's IT providing and supporting the equivalent computer.
TheFeniX wrote:As for good sources: literally have your boss google "Why upgrade from XP?"
Saying "security issues" isn't enough. I needed something more specific.
Here's One excerpt from a random page. This is Microsoft and, whereas they have every reason to get you to upgrade, at some point you have to trust they know their software.
That should be sufficient. More detail runs the risk of not getting read by the person making the decision.
Zaune wrote:
bilateralrope wrote:The good news is that we only need the computer for email, spreadsheets and word processing. No software that only works on XP. We don't even have to stick with Windows.
In that case, why not install your workplace's preferred flavour of Linux with KDE or LXDE or some other lightweight but noob-friendly desktop environment and call it a day? Given it's only being used for basic office-productivity stuff, you don't really need to replace the machine until the hard drive fails a SMART check, and even then you might get away with it depending how old the motherboard is.
Three reasons:
- Site SO isn't convinced that Linux will be easy enough to use. I'm planning to stick Linux on my laptop to demonstrate that it can be used by anyone willing to follow instructions. The hard part is going to be connecting the laptop to the internet, as we aren't allowed to connect devices to the client's network without their permission.
- Installing software on work computers without permission is forbidden. I'm thinking that includes changing the OS.
- The computer is used 24/7. If an urgent email comes in at midnight, the night guards are expected to take care of it. So leaving the computer down for an hour or two isn't an option.

I know how to deal with those problems, but the solutions aren't going to be quick.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-02-05 02:29am
by White Haven
bilateralrope wrote:- The computer is used 24/7. If an urgent email comes in at midnight, the night guards are expected to take care of it. So leaving the computer down for an hour or two isn't an option.
That right there is enough reason to replace the computer, without even bringing up XP. It's old, and old means a greater chance of something in there failing, statistically. An hour or two of downtime is unacceptable? How much does your client think they're going to tank when something in there finally gives up the ghost because they kept punting on basic hardware replacement cycles?

For all that it's a good argument without XP, it's even better with it. Downtime is unacceptable? Try the downtime caused by a preventable malware infection.

Of course if the only consideration is 'important emails come in on this,' do you know if they've looked into just forwarding emails to the night guards' mobiles? Could obviate the need for replacing the computer altogether, depending on if it's needed for much else.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-02-07 06:19pm
by Enigma
Can the guards access the emails through their phones? If so, then there should be ample time to shut the computer down and replace it with a newer one.

Re: Trying to convince my work to upgrade from XP

Posted: 2017-02-07 11:58pm
by bilateralrope
Some can. Some can't. None will want to pay the cellphone data costs.