Imagine I handed you a Twinkie (or your favorite shelf-stable food item), and asked you to hold on to it for almost 13 years, and then eat it.
Aw, c’mon. Why the revulsion?
It’s been hard for me to watch the excited countdown to the demise of Windows XP. Though I did help ship Windows Server 2003 as well, no one product (or service) that I’ve ever worked on became so popular, for so long – by any stretch of the imagination – as Windows XP did.
Yet, here we are, reading articles discussing the topic of what country or what company is now shelling out $M to get support coverage for Windows XP for the next 1, 2, or 3 years (getting financially more painful as the year count goes up). It’s important to note that this is no “get out of jail free” card. Nope. This is just life support for an OS that has terminal zero-day. These organizations still have to plan and execute a migration to a newer version of Windows that isn’t on borrowed time.
Why didn’t these governments and companies execute an XP evacuation plan? That’s a very good question. Putting aside the full blame for a second, there’s a bigger issue to consider.
Go back and think of that Twinkie. Contrary to popular opinion, Twinkies don’t last forever (most sources say it’s about 25 days). Regardless, you get the idea that for most normal things, even shelf-stable isn’t shelf-stable forever. Heck, even most MREs need to be stored at a reasonable temperature and will taste suboptimal after 5 or more years.
While I can perhaps excuse consumers who decide to hang on to an operating system past its expiration date, I have a harder time understanding how organizations and governments with any long-term focus sat by and let XP sour on them. It would be one thing if XP systems were all standalone and not connected to the Internet. Perhaps then we could turn a blind eye to it. But that’s not usually the case; XP systems in business environments, which lack most of the security protections delivered later for Windows Vista, 7, and 8.x, are largely defenseless, and will be standing there waiting to get pwned as the vulnerabilities stack up after tomorrow. In my mind, the most dangerous thing is security vendors claiming to be able to protect the OS after April 8. In most cases, that’s an all but impossible feat, and instills a false sense of confidence in XP users and administrators.
The key concern I have is that people are looking at Windows XP as if software dying is a new thing, or something unusual. It isn’t. In fact, tomorrow, the entire spectrum of Office 2003 software (the Office productivity suite, SharePoint, Exchange, and more) also leaves support and could have its own set of security compromises down the road. But as I said, this isn’t the first time software has entered an unsupportable realm, and it won’t be the last. It’s just a unique combination as we get the perfect storm of XP’s pervasiveness, the ubiquity of the Internet, and the increasing willingness of bad people to do bad things to computers for money. Windows Server 2003 (and 2003 R2) are next, coming up in July of 2015.
People across the board seem to have this odd belief that when they buy a perpetual license to software, it can be used forever (versus Office 365, which people more clearly understand as a subscription that expires if not paid in an ongoing manner). But no software, even if “perpetually licensed”, is actually perpetual. Like that Twinkie I’ve mentioned a few times, even good software goes bad. As an industry, we need to start getting customers throughout the world to understand that, and get more organizations to begin planning software deployments as an ongoing lifecycle, rather than a one-time expense that is ignored until it goes terminal.