
XP Forever?

The city of Munich, Germany is spending $18 million to replace 41 remaining Windows XP and 2000 applications still in use there "for crucial work in the city, from monitoring emissions for air pollution to flood protection":

The cost of ditching Windows XP? More than $12,000 per person
http://www.techrepublic.com/article...p-more-than-12000-per-person/#ftag=YHF87e0214

That's a bit puzzling. Won't XP applications run on 10? I wonder if they realized that if they'd used BSD, Unix or Linux, this would have been a no-brainer.
 
That's a bit puzzling. Won't XP applications run on 10? I wonder if they realized that if they'd used BSD, Unix or Linux, this would have been a no-brainer.

They tried to move to Linux years ago, but apparently they still had to keep a lot of XP/2000 systems for certain software that they could not replace with a Linux version.
Probably the biggest fiasco in the history of Linux.
 
That's a bit puzzling. Won't XP applications run on 10? I wonder if they realized that if they'd used BSD, Unix or Linux, this would have been a no-brainer.

The article says they're already running some of the XP applications from within virtual machines. The rest are running on standalone computers or have hardened network security.

It sounds like the city government got scared by all the "XP is insecure and dangerous" headlines and decided to go for a complete overhaul even though it appears that the people actually running their computer systems knew what they're doing and have it set up about as secure as any system can possibly be.
 
They tried to move to Linux years ago, but apparently they still had to keep a lot of XP/2000 systems for certain software that they could not replace with a Linux version.
Probably the biggest fiasco in the history of Linux.

I'm not sure that I'd replace Windows with Linux for any mission-critical work. OpenBSD? Sure. SunOS/Solaris? Okay.
 
I suppose it all comes down to what we call "mission critical". 98.8% of the TOP 500 supercomputers run Linux, as do anywhere from 70 to 95% of the world's web servers (depends on how and who's counting) so... yeah, totally can't trust it for anything.
 
I'd call that a straw man argument. "Mission critical" to me implies high security.

OpenBSD is probably the most paranoid *nix distro, where security is very important to their mission. Hell, they don't even support telnet because they're suspicious. VirtualBox? Nope--too dangerous. Changes to the codebase are strictly controlled.

Most supercomputer setups use their own particular version of Linux, as it's easy to port, and most supercomputers aren't web servers--they mostly compute.

And let's face it--most, but not all, Linuces use basically the same kernel code, so it's not as if they're completely different once you strip away the GUI.

As far as what's popular being an indicator; well, Ubuntu Linux, the last time I looked, was the most popular, but hardly the most reliable. But then many times more Coca-Cola is sold than Bordeaux wine; that doesn't make it better. Popularity is not an indicator of anything but...popularity.

So, my router and mailserver box runs OpenBSD; my desktop runs Ubuntu (actually Xubuntu) and XP runs in a VirtualBox session. I also use NetBSD and very old Debian (e.g. "Woody") as well as old Windows and DOS versions as (hardware) needs arise. Backups are done frequently, so I can afford to lose a system from time to time.
 
I'd call that a straw man argument. "Mission critical" to me implies high security.

I'm not sure the counter-argument is any less straw-y, really. Yes, OpenBSD is paranoid out of the box, that's nice... but frankly all that means is that it's *slightly* less likely that someone who's completely ignorant about the basics of Internet security will get p0wned hanging an unconfigured box on an unfiltered Internet connection. Once you start piling on the services that run a typical Internet server 99% of the time you'll find exactly the same userland code running on Linux and BSD based servers, with the same exploitable holes. If you happen to be running what amounts to a LAMP server the only vulnerabilities you're eliminating by changing out the Linux kernel for the BSD one is the relatively small category of exploits that specifically depend on kernel vulnerabilities. If you're running a cruddy PHP application that does poor bounds checking and is riddled with SQL injection vulnerabilities you're going to get just as wasted just as fast.

I'll grant it might get you just a little bit of security through obscurity, but that's about the most piss-poor sort there is. If someone *really* decides to get you the last thing you need is a false sense of security.
 
... Anyway, one more link that points the semi-fallacy that OpenBSD is magically more fundamentally secure than Linux is; it all depends on how you define your terms and how complex the system is. For a simple single-purpose router box a case can be made for it but it starts degrading rapidly once you increase the complexity of the server and start piling on third party software, and if you extend the discussion to mechanisms for enforcing per-process access controls OpenBSD is, among other things, almost completely lacking in MAC/RBAC frameworks. (SELinux, TrustedBSD, etc.) Heck, it doesn't even have FreeBSD's jails. Yes, there's the counter-arguments that those fancy-schmancy things are just more moving parts to break and that if you can keep the bastards out entirely you don't need to worry about fancy "internal" security mechanisms, good old UNIX permissions will work just fine thank you, but it's more than a little disingenuous to pretend that it's not at least an arguable point.

Now if you want to talk about how ***tty the state of system administration and security-by-design is today in the age of DevOps and cloud containers that's totally a thing worth shedding tears over, but Linux is pretty much the victim there, not the root cause. Installing software by 'curl'-ing a script into a root prompt is equally dumb no matter what you're running, but it's totally the in thing now.
 
... Anyway, one more link that points the semi-fallacy that OpenBSD is magically more fundamentally secure than Linux is; it all depends on how you define your terms and how complex the system is. For a simple single-purpose router box a case can be made for it but it starts degrading rapidly once you increase the complexity of the server and start piling on third party software, and if you extend the discussion to mechanisms for enforcing per-process access controls OpenBSD is, among other things, almost completely lacking in MAC/RBAC frameworks. (SELinux, TrustedBSD, etc.) Heck, it doesn't even have FreeBSD's jails. Yes, there's the counter-arguments that those fancy-schmancy things are just more moving parts to break and that if you can keep the bastards out entirely you don't need to worry about fancy "internal" security mechanisms, good old UNIX permissions will work just fine thank you, but it's more than a little disingenuous to pretend that it's not at least an arguable point.

Now if you want to talk about how ***tty the state of system administration and security-by-design is today in the age of DevOps and cloud containers that's totally a thing worth shedding tears over, but Linux is pretty much the victim there, not the root cause. Installing software by 'curl'-ing a script into a root prompt is equally dumb no matter what you're running, but it's totally the in thing now.

You don't install OpenBSD from much canned stuff--generally, you have to know what you're doing. No fancy GUI configuration. After you've installed the basic system, you get a command prompt. If you want to use X and a GUI desktop, you have to figure out how to install it. No "you can do it, any idiot can" stuff.

I believe that inherently this makes for a more stable, secure system. Clearly you don't agree, but well, that's what makes the world interesting.
 
They've moved up to PDP-11s? Wow. About 20-30 years ago, they were still using core and paper tape--for all I know, some still are.

 
I believe that inherently this makes for a more stable, secure system. Clearly you don't agree, but well, that's what makes the world interesting.

Interesting indeed.

Really the gripe I have with it is it's largely a tautological argument instead of a technical one that pretty much boils down to "OpenBSD is more secure because it's hard, therefore we can assume that anyone who goes through the additional effort to use it knows what they're doing when it comes to security". There's some unsupported assumptions in there.

(And there's also an "apples to oranges" problem in assuming that every Linux server out there that's doing mission critical work is just automatically LOADED with all sorts of extraneous stuff that no sysadmin could possibly know or understand. A real production Linux server starts with a pretty minimal base and gets loaded up with just the packages it needs, just like an OpenBSD or FreeBSD or whatever system. Sure, maybe your average clueless home user starts from an Ubuntu desktop install and just starts turning on daemons willy-nilly, but when you're paying for industrial grade disk space in a data center *hopefully* your sysadmin in charge of designing the Kickstart configuration is smart enough to leave the Gnome Desktop meta-packages off the manifest list.)

And I guess the other thing I'd toss out there is while there are certainly costs to being popular, i.e., you're a bigger target for "Black Hats", there's also the flip side that there's also going to be more "White Hats" auditing your code and packages for vulnerabilities. OpenBSD's guarantees pretty much fall apart once you go beyond the base installation; if you're tracking, say, RedHat Enterprise there's a huge library of software that's being actively watched for security vulnerabilities and you'll get notified by the system itself if something is found, should you choose to allow it. OpenBSD, not so much, particularly if you're building everything yourself out of the ports tree.

Anyway. Different strokes for different folks. ;)
 