End of WinXP - and a coming storm?

Posted by: dougwalkabout

End of WinXP - and a coming storm? - 02/11/14 07:19 AM

This may be OT, but then again maybe not. Economic survival is part of the big picture.

As most/all of you know, the venerable Windows XP operating system will cease to have any support, including security updates, as of April 2014.

Some estimates say that nearly 30% of networked computers, including ATMs and point-of-sale machines, still run XP and will likely continue to do so. This article, FWIW, suggests the possible vulnerabilities: http://www.edmontonjournal.com/business/...7918/story.html

Now, I know of some systems with extremely specialized, proprietary software that will run XP buried deep within corporate firewalls. Not really an issue.

But I suspect a lot of people on the small business and consumer side will not pay much attention until they have been compromised. Not good. Possible feeding frenzy for crooks.

Anyway, I'm curious what measures other ETS members have taken regarding this. If there's any interest, I'll post the measures I've been testing as well.

Cheers,
Doug(wa_)
Posted by: Am_Fear_Liath_Mor

Re: End of WinXP - and a coming storm? - 02/11/14 07:46 AM

The North Korean Version of Windows XP is a little difficult to get hold of, but it could become quite popular after they back engineered it and plugged up all the security holes, but using it would probably mean a knock at the door by Bill's associates and you might find yourself hanging from a tree. e.g. A: becomes C: wink

http://www.newyorker.com/online/blogs/bo...-windows-8.html

Posted by: chaosmagnet

Re: End of WinXP - and a coming storm? - 02/11/14 02:31 PM

Originally Posted By: dougwalkabout
Now, I know of some systems with extremely specialized, proprietary software that will run XP buried deep within corporate firewalls. Not really an issue.


The old model of keeping bad things out of the network with a firewall is largely ineffective in modern "borderless" networks. With few exceptions, networks are not architected to defend against malware spreading from the inside, nor are cumbersome security measures taken to prevent malware from being brought in by laptops, thumb drives and other devices.

Embedded XP devices are going to be compromised in even greater numbers until corporations do away with them.
Posted by: ireckon

Re: End of WinXP - and a coming storm? - 02/11/14 08:59 PM

Just update to Windows 7. I hate Vista and Windows 8. Hopefully, I can skip those and hold out until Windows 9. I contemplate moving over to Apple IOS, but the prices keep giving me pause.
Posted by: chaosmagnet

Re: End of WinXP - and a coming storm? - 02/11/14 09:48 PM

Originally Posted By: ireckon
Just update to Windows 7.


Vista was a train wreck and Windows 8 is worse. The problem for WinXP users is that Win7 won't run on most older hardware. Replacing the hardware means getting the new OS that's bundled with it, at least for most consumers. Nobody wants Win8 so WinXP soldiers on.

In embedded systems it's just as bad, as the embedded devices generally need to be completely replaced.
Posted by: Eugene

Re: End of WinXP - and a coming storm? - 02/11/14 11:58 PM

Originally Posted By: ireckon
Just update to Windows 7. I hate Vista and Windows 8. Hopefully, I can skip those and hold out until Windows 9. I contemplate moving over to Apple IOS, but the prices keep giving me pause.


No need to. The same old hardware runs any modern Linux distro fine. iOS is just an annoying front end on top of BSD, you can configure window managers in Linux to look just like iOS if you really want. It's free and everything just works.

I made the switch right after buying a laptop with XP and XP was just a less stable version of 2000.
Posted by: Eugene

Re: End of WinXP - and a coming storm? - 02/12/14 12:00 AM

Originally Posted By: chaosmagnet
Originally Posted By: dougwalkabout
Now, I know of some systems with extremely specialized, proprietary software that will run XP buried deep within corporate firewalls. Not really an issue.



Embedded XP devices are going to be compromised in even greater numbers until corporations do away with them.


<cough> Target </cough>

Actually it was WinCE not XPembedded IIRC
Posted by: UTAlumnus

Re: End of WinXP - and a coming storm? - 02/12/14 01:36 AM

If you're buying new, you can still get Windows 7 factory installed. We just got a new desktop in at the office with it. Windows 7 on older equipment depends on your definition of older. It runs well on an HP DV1000 series laptop. It was 2-3 years old when I upgraded it from XP to Vista. It got 7 put on as soon as I ran the upgrade checker.
Posted by: haertig

Re: End of WinXP - and a coming storm? - 02/12/14 03:02 AM

If you're seriously concerned about security, you don't run Windows. Period. However, most people make the choice to run Windows anyway. Some based on a feeling that they can secure it adequately, others due to plain ignorance (they don't even realize there is a threat). There is an entire high-dollar industry built around selling you stuff to "protect" your Windows computer. Everyone is allowed to make their own choices and live with the consequences of their choices. To each their own. Live and let live. Run the operating system of your choice.

As far as older WindowsXP embedded in ATM's and other stuff, there's not much you can do to protect yourself there except to not use ATM's and other stuff when they become unsecure. I do not know if they have reached that point yet, or when they may reach that point.
Posted by: Phaedrus

Re: End of WinXP - and a coming storm? - 02/12/14 03:17 AM

The problem with switching to a free OS like Linux is 1) no support division and 2) no one to sue if there's a problem with it.
Posted by: haertig

Re: End of WinXP - and a coming storm? - 02/12/14 04:22 AM

Then the next questions are: (1) Have you ever gotten good support from a different OS?, and (2) Have you ever sued an OS when there were problems with it?

If not, what is the supposed benefit? If you are good at searching the web, there is better support out there than from paid organizations. Most official support you get these days are inexperienced people reading from scripts with a foreign accent you can barely understand.
Posted by: Am_Fear_Liath_Mor

Re: End of WinXP - and a coming storm? - 02/12/14 04:28 AM

Quote:
As far as older WindowsXP embedded in ATM's and other stuff, there's not much you can do to protect yourself there except to not use ATM's and other stuff when they become unsecure.


Most of the embedded software for the World's ATMs was actually written by Students at Abertay University. Adamson at NCR in Dundee found it cheaper (free) to use students studying for their postgraduate mechatronics coursework than to actually employ professional programmers. The NCR ATMs didn't require much more processing power than an 80286 running Windows 3.1

The NSA backdoors in MS Windows only really appeared in Windows 98 or 98SE I believe from memory. Much of the UK Nuclear Missile Submarine fire control systems use Windows 2000. I wouldn't really worry about WinXP assuming that Service Pack 2 was installed to ensure greater stability.
Posted by: haertig

Re: End of WinXP - and a coming storm? - 02/12/14 06:55 AM

I'm not terribly worried about WinXP going out of support in regards to ATM's. These machines should already be fairly well shut down regarding outside connections. They're not running webservers and BitTorrents. They don't have normal users viewing content from questionable websites, installing virus-infested programs, clicking on links in phishing emails, opening some unknown person's Excel spreadsheet with macros enabled, etc. I might even go so far as to guess that many of them have never seen a security update to their OS even when WinXP was supported.

I don't trust Windows for security on a normal user system. But on a dedicated single-function device like an ATM, it's probably not the end of the world if the OS goes off official support. At least not in the short term. I'm surprised that an engineer would base something like an ATM on an OS intended for end-user local computing. I certainly wouldn't have done that myself. But evidently the ATM engineers did exactly that, based on recent news reports. Or more likely, this news is being reported by idiots, as many news reports are, and the truth is ATM's may be based on some chopped down simplified OS that was originally derived from some components of WinXP. Which is not the same thing as saying "ATM's run WinXP".

Besides, if ATM's really ran a full blown version of WinXP, wouldn't that mean that they'd lock up on users frequently, have to be rebooted often, have their registry routinely cleaned, and have the whole OS reinstalled from scratch every year or two just to keep them running?
Posted by: Eugene

Re: End of WinXP - and a coming storm? - 02/12/14 11:43 AM

Originally Posted By: haertig
Then the next questions are: (1) Have you ever gotten good support from a different OS?, and (2) Have you ever sued an OS when there were problems with it?

If not, what is the supposed benefit? If you are good at searching the web, there is better support out there than from paid organizations. Most official support you get these days are inexperienced people reading from scripts with a foreign accent you can barely understand.


I've had at least three different tickets opened with Microsoft that were not fixed. One was at home for Microsoft Money, one with work for XPEmbedded and one for Server 2003's typeperf because it went from an unsupported resource kit tool in 2000 to integrated part of the OS in 2003 and supposedly supported. So closed source does not = well supported.

I've reported issues and asked for enhancements over the years with open source and had some implemented. The only ones that haven't so far are with Android since Google is driving the development primarily.

There are many companies such as Redhat which you can pay for support just like Microsoft/Apple and are free to sue just like Microsoft/Apple. I'd be surprised if anyone here has deep enough pockets to sue either anyway and with Apple's track record you're more likely to get sued by them rather than sue them.
Posted by: benjammin

Re: End of WinXP - and a coming storm? - 02/12/14 03:22 PM

Yep, I am about done with Microsoft. I have forsaken MS Office in favor of open source apps that work better.

It is amazing how the big computer companies act so contemptible toward their end-users. IBM, Oracle, Microsoft, Apple, they all need a good dose of product rejection.

But Microsoft is by far the worst of the bunch. Their products suck. They are the epitome of a good concept poorly executed and forcibly marketed.

From now on, the first thing I will be doing with any new laptop/desktop unit I buy will be to wipe the hard drive and start over with something better. OEM Windows has had it.
Posted by: dougwalkabout

Re: End of WinXP - and a coming storm? - 02/12/14 03:48 PM

Interesting comments. Thanks!

My office laptops are all going to Win 7. I only have one left to do, but it's an XP machine. It's going to be a royal pain to reload all my software and rebuild my archives and workspace.

Going forward, I suspect Win 7 is going to be harder to get. New licenses haven't been offered for a while. There's still old stock out there. As noted, business class PCs still offer the downgrade/upgrade option (Lenovo does this fix right at the factory). Wonder if bidding on eBay will heat up for Win7 packages?

All of my older/personal machines are moving to Linux. I spent the last year playing with different distros. I keep coming back to Lubuntu, which is light and fast, does all the web-browser stuff I need, and has a robust and problem-free installer. I added Chromium as a browser and avast! antivirus for on-demand scanning.

BTW, there are going to be a lot of freebies out there for Linux users. People and companies are starting to discard perfectly good XP machines.
Posted by: ireckon

Re: End of WinXP - and a coming storm? - 02/12/14 07:16 PM

How does one NOT use Microsoft Office? My job involves tracking changes in Microsoft Word. For that alone, I'm stuck with Office (I think).

The idea of using another operating system besides Windows or IOS intrigues me. But is it more trouble than it's worth? I really don't have time to figure out if it's more trouble than it's worth. I need someone else to tell me. I guess it's time for a Google search...
Posted by: Eugene

Re: End of WinXP - and a coming storm? - 02/12/14 11:14 PM

I'm stuck with Microsoft Office at work too but that's their choice, their data, their risk. When Excel crashes and loses the last hour of changes that's on them.

You should not be working on work documents on your personal systems and vice versa. Even if the company's risk management doesn't forbid it you should not take the risk yourself.

I was experimenting with Linux anyway a few years ago when I first got XP and its many problems. I set up a dual boot and then would test out converting documents into the native Linux apps until I was able to use Linux more and Windows less. Eventually as I upgraded hdd's I quit installing the Windows partition.

You can download a GParted boot disk and repartition your drive for a dual boot but any time I make a major change I follow my normal backup routine then put a new drive in my system and clean setup what I want then plug my old drive into a usb enclosure and copy my data over.
Posted by: ireckon

Re: End of WinXP - and a coming storm? - 02/13/14 04:26 AM

I run my own business. My personal and business laptop are the same machine. I have never had problems with an Office document not saving. Actually, I don't have any noteworthy problems with Windows 7. I will just always listen to success stories from people who escaped the evil empire. I'll move away from Windows/Office for the principle of the matter.
Posted by: dougwalkabout

Re: End of WinXP - and a coming storm? - 02/13/14 06:16 AM

Originally Posted By: ireckon
How does one NOT use Microsoft Office? My job involves tracking changes in Microsoft Word. For that alone, I'm stuck with Office (I think).


In practice, that's essentially correct. If your work (like mine) requires you to be seamlessly interoperable with clients that operate in Microsoft Office, you need to run it. This is particularly true for complex documents. Sending an ugly mess back to the client makes you (and me) look incompetent. Not good for our businesses.

If you want to test drive an alternative, the OpenOffice/LibreOffice 4.0 (now 4.2?) office suite is free to download. They claim that interoperability with MS Office file formats is much improved from previous versions. LibreOffice is available for both Windows OS and Linux. I've been meaning to do some hardcore testing but haven't found time yet.

Originally Posted By: ireckon
The idea of using another operating system besides Windows or IOS intrigues me. But is it more trouble than it's worth? I really don't have time to figure out if it's more trouble than it's worth. I need someone else to tell me. I guess it's time for a Google search...


IMHO the best approach is to run a separate PC with Linux and see if it covers your bases. There are a lot of PC users who don't need the fully interoperable corporate suite; they mostly do everything through a web browser. For them, Linux can do everything they need done.

Linux also has WINE, a Windows emulator, that can in theory run a genuine MS Office suite within the Linux OS. I have a Linux box with the horsepower to do this, but just haven't found time to test it all. Interesting idea though.

Hope this is somewhat helpful.
Posted by: Eugene

Re: End of WinXP - and a coming storm? - 02/13/14 05:17 PM

Or if you don't want two PCs or dual boot you can always run one OS under another with VirtualBox or VMware Player or any number of other virtualization tools. I suggest using Linux as a host as the performance is much faster. I used to run XP under Linux on my old laptop and when I flipped to full screen no one could tell the difference. I've had up to 4 servers running at one time under a Linux host to do a lab test.
Any time I've had to use MSOffice I would just use the free viewers in a virtual XP session to make sure it looked good.
Posted by: RNewcomb

Re: End of WinXP - and a coming storm? - 02/13/14 10:00 PM

It's time for XP to die. That OS was released in 2001, and it is now 2014. Name one other OS that made it that long? That had three Service Packs to its history?

In my opinion, a PC's (or laptop's) life is somewhere between 3 - 5 years depending on how top of the food chain you were when you purchased it.

As far as ATM's running embedded versions, etc.. I am not going to lose one minute of sleep over it. Those systems' access and security is well known. Honestly, it's easier for a crook to roll in a completely counterfeit machine to collect account numbers and pins.

You would be surprised at what Windows 7 will run on, but it's generally hardware memory limitations where you get into trouble. 3GB's of ram is pretty much the minimum for a Windows 7 machine. That's about 25% less than what I think Vista needed prior to its Service Packs.

I think 80% of the complaints about Windows 8 is just noise. It's different. They are not going back, but their biggest mistake was trying to put a Tablet interface on a desktop computer. Make the OS "smart" enough to see that there's a keyboard and mouse hooked up, dual monitors.. etc.. and boot straight to the desktop and skip the tiles.

If there's a touch screen, no keyboard, boot to the tiles, and give the end user a choice to change it anyway they want.

Underneath, Windows 8 is a sound OS. They just missed some details.

Rod
Posted by: Am_Fear_Liath_Mor

Re: End of WinXP - and a coming storm? - 02/13/14 10:47 PM

Quote:
I think 80% of the complaints about Windows 8 is just noise. It's different


Distributing an OS such as Windows 8, that could not perform a basic function such as configuring a POP email account that Windows 98SE was able to do was also another major shortcoming. The NSA influence was clearly seen with regard to the email provision in Windows 8 having to use their corporate proxy servers. wink The Simon Says Toy GUI is appalling being completely unintuitive to the principles of a Windows OS established by XeroxPARC research in the late 1970s.

If Windows 8 had booted to a C:\Simon_Says> Desktop - Y | Tablet - CTRL_ALT_DELETE

They may have been on to a winner..



Posted by: chaosmagnet

Re: End of WinXP - and a coming storm? - 02/14/14 01:11 AM

Originally Posted By: RNewcomb
It's time for XP to die. That OS was released in 2001, and it is now 2014. Name one other OS that made it that long? That had three Service Packs to its history?


Various flavors of Unix laugh.

Quote:
As far as ATM's running embedded versions, etc.. I am not going to lose one minute of sleep over it. Those systems' access and security is well known. Honestly, it's easier for a crook to roll in a completely counterfeit machine to collect account numbers and pins.


I've spent some time in that space, and I would very much be losing sleep over embedded XP if I worked for a bank that had it running on their ATMs. Jackpotting an ATM running embedded XP looks pretty easy if you get access to the network it's on. Yes, normally attackers shouldn't be able to get on those networks, but relying upon that without addressing the ATM's vulnerabilities is a recipe for failure.

Quote:
I think 80% of the complaints about Windows 8 is just noise.


Usability is a crucial component of a desktop operating system. When you change the paradigm, hobbyists and professionals will figure it out if they choose to. Run of the mill end-users will have a very hard time doing so, and will choose not to if they have any option. I spend my work time in enterprise IT environments and I have not seen a single Windows 8 PC on an end-user's desk. Home users have been avoiding it in droves. This is not just noise.
Posted by: haertig

Re: End of WinXP - and a coming storm? - 02/14/14 01:18 AM

Originally Posted By: RNewcomb
Name one other OS that made it that long? That had three Service Packs to its history?

Name one other OS that even needs service packs in the first place. A Windows "service pack" is when you get so many patches to the OS that nobody can keep track of them all, so they have to bundle them together by the thousands and release them together as a single package. These gigantic patch bundles change the underlying OS to a massive degree. What you have is effectively a new OS.
Posted by: Eugene

Re: End of WinXP - and a coming storm? - 02/14/14 02:31 AM

I'm running Slackware which was first released in 1993 smile
A new version comes maybe every year and a half.

Most any OS gets regular fixes, Microsoft's mistake was to add new features and change things in a fix pack. One of the Windows 2003 service packs came with a new feature called TCPChimney which caused all kinds of network issues which of course didn't surface in dev or UAT/performance test environments and took us a while to find and then disable across the rest of the servers. I'm amazed at the amount of $ corporate America loses to crap like that.

As far as moving off of Windows, there was an initial learning curve but it's no more than the learning curve moving to a new version of Windows or moving to a Mac. Once you get past that Linux is no big deal. I've gained back so many hours per week/month not having to do update/reboot/fix Windows, update the AV and antispyware, etc. The total cost of ownership is way lower.

I can't remember the last time I rebooted. And I do keep up to date. I type slackpkg update and go back to the forum I was on and check back later to see if it's done.
Posted by: Am_Fear_Liath_Mor

Re: End of WinXP - and a coming storm? - 02/14/14 02:40 AM

Quote:
I'm amazed at the amount of $ corporate America loses to crap like that.


Windows 8. Spooky familiarity to folks of a certain generation. laugh

http://www.youtube.com/watch?v=yF0ZUXclW8Y


Quote:
TCPChimney


LOL. Cause your TCP/IP stack will go up in flames and bring down your Network!

Of course much of the MS Windows OS programming was actually done on Mac Computers!
Posted by: Eugene

Re: End of WinXP - and a coming storm? - 02/14/14 04:15 AM

Basically that's what happened. Microsoft somewhat acknowledged it http://support.microsoft.com/kb/945977

They basically implemented a new feature in SP2 and enabled it by default whether your hardware supported it or not and it affected many servers, not just the few specifics they list here.

BTW for those who never had an issue with MSOffice. I finished a spreadsheet in Excel 2010 and saved it, hibernated my work laptop, went home and resumed and connected to the vpn and dialed into a late meeting and Excel could not find my spreadsheet. A search finds the shortcut in the recent documents to it but it didn't exist. So I looked unprepared for my meeting and had to do my work again afterward.
Posted by: Phaedrus

Re: End of WinXP - and a coming storm? - 02/14/14 05:15 AM

I'll probably skip 8 altogether. It's not all that long til its successor will be out and I'm very happy with 7.
Posted by: dougwalkabout

Re: End of WinXP - and a coming storm? - 02/18/14 08:44 AM

Looks like 7 will be available as an OEM install for a while yet. The corporate crowd has spoken (incl. thumb on nose, giant raspberry, and various obscene gestures). http://arstechnica.com/information-techn...usiness-buyers/

Those of us who are computer savvy will find our way through this transition. I do worry about people who don't understand the implications. If they do critical stuff like banking online, that's blood in the water. No doubt the sharks are circling.
Posted by: Arney

Re: End of WinXP - and a coming storm? - 02/19/14 06:39 PM

Originally Posted By: dougwalkabout
I do worry about people who don't understand the implications. If they do critical stuff like banking online, that's blood in the water. No doubt the sharks are circling.

If you believe what you read in the tech press, there are already bot nets out there composed of tens or even hundreds of thousands of hijacked PC's, mostly used for spamming purposes or DDoS attacks, a big proportion of which are probably XP machines. And that's just a single bot net! I'm not sure how MUCH worse it's going to get when XP officially stops being supported. Many of those infected XP machines could be overseas, though, so maybe it could get worse here in the US.

An average XP user who practices safe computing/email practices and doesn't have their PC connected directly to the Internet (i.e. is behind a firewall or NAT router) can be reasonably secure from infection for a long time. For these people, visiting an infected website may be their biggest risk, so trying to do as much web surfing without Java and Javascript could improve their security tremendously, although you lose a lot of functionality, but it's a price to pay for more peace of mind.

Actually, online banking is something that should really worry anyone who does commercial banking, even for a small business. Banking laws and policies provide a lot of protection for consumers, but for business accounts, the onus is really on the banking customer. If your business account gets drained because your PC is infected, you're often out of luck and the money is gone. There are stories of small business owners who had to watch helplessly as they watched some hacker take control of their PC and steal money out of their accounts as they watched. Pulling the plug on the computer would not have necessarily helped since the hacker already captured their banking login info anyway. So, if you're a small business owner and still on XP and do online banking, I would HIGHLY suggest that you get something newer.
Posted by: Eugene

Re: End of WinXP - and a coming storm? - 02/19/14 07:20 PM

Originally Posted By: Arney
An average XP user who practices safe computing/email practices and doesn't have their PC connected directly to the Internet (i.e. is behind a firewall or NAT router) can be reasonably secure from infection for a long time. For these people, visiting an infected website may be their biggest risk, so trying to do as much web surfing without Java and Javascript could improve their security tremendously, although you lose a lot of functionality, but it's a price to pay for more peace of mind.


This is the biggest issue. Sadly many average XP users still use MSIE and MSOE with all the defaults enabled. I rebuilt my MIL's PC three times because she wouldn't update adaware, used IE and played yahoo games and now she pays a local PC shop to rebuild it rather than using safer software/sites.
Posted by: haertig

Re: End of WinXP - and a coming storm? - 02/19/14 08:31 PM

Originally Posted By: Eugene
I rebuilt my MIL's PC three times because she wouldn't update adaware, used IE and played yahoo games and now she pays a local PC shop to rebuild it rather than using safer software/sites.

Switch her to Linux and this will all become past history...
Posted by: Arney

Re: End of WinXP - and a coming storm? - 02/19/14 10:02 PM

Originally Posted By: haertig
Switch her to Linux and this will all become past history...

If the primary use for a computer is web browsing, watching video clips, listening to streaming music, etc., I see a lot of advantages from a security standpoint to the relatively inexpensive slew of Chromebooks available now. More tech aware folks may have privacy issues with Chromebook or lament its limitations as a "browser-only" platform, but the security model of Chromebooks is probably currently the best available for "mother-in-law" level users who don't have a tech savvy person around to help them when things get inevitably messed up.

If your "mother-in-law" screws up a Chromebook (well, besides physically damaging it) and something gets wonky, a quick reboot will restore the operating system to the way it should be, automatically. Same thing if it somehow gets infected with something--a quick reboot should ensure that you're starting with a clean machine to do your online banking and such. Updates happen automatically. When something gets screwed up, no need to know how to roll back the operating system to some "last known good" state or go digging up restore disks to get things working again.

That said, I haven't yet owned one, but I'm seriously considering buying one in the very near future to run one through its paces. You can even tweak one to make its underlying Linux operating system accessible and you get a Linux laptop, but that's for more adventurous folks and does deny you most of the automatic security advantages of Chromium, like secure boot.
Posted by: chaosmagnet

Re: End of WinXP - and a coming storm? - 02/19/14 10:07 PM

Originally Posted By: Arney
An average XP user who practices safe computing/email practices and doesn't have their PC connected directly to the Internet (i.e. is behind a firewall or NAT router) can be reasonably secure from infection for a long time. For these people, visiting an infected website may be their biggest risk, so trying to do as much web surfing without Java and Javascript could improve their security tremendously, although you lose a lot of functionality, but it's a price to pay for more peace of mind.


That's certainly true, but the vast majority of people who know what safe computing/email practices are and practice them are already off of WinXP.

Some people don't realize that this is something they should learn. Others refuse to learn. This is possibly why I have a job laugh.
Posted by: UTAlumnus

Re: End of WinXP - and a coming storm? - 02/19/14 11:45 PM

MSIE I recognize and dumped it back when Firefox was still Netscape except for sites that won't run without it. What's MSOE? MS Outlook Express?
Posted by: Eugene

Re: End of WinXP - and a coming storm? - 02/20/14 02:41 AM

Yep, Outlook Express, or the second biggest security hole to core of Windows after IE smile

Sadly, the vast majority of people who I've met are those who still use IE, OE, etc. and refuse to replace them with anything having even a hint of security. That's one reason I got away from anything desktop related smile
Posted by: dougwalkabout

Re: End of WinXP - and a coming storm? - 03/05/14 04:09 AM

I just installed Linux (Lubuntu) as a dual-boot on an older XP netbook. (For the uninitiated, a "dual-boot" simply means that you're given a menu to choose which operating system will load during startup.) Mostly I will run Linux (esp. when online), but by keeping XP available I have the option to handle a native Word file if I really need to. BTW, I can't say enough about the Lubuntu installer; it handled everything including partitioning the hard drive without requiring any sudo-fu. (Lubuntu also runs on systems with as little as 512MB RAM while still giving a Windows-ish graphical interface and real web browsers. Not too shabby. End of commercial.)

Apparently the next (and last) two "Patch Tuesdays" for XP machines will include a pop-up warning from Microsoft regarding end of life support. There are also hints of a skinny, ad-driven version of 8 being offered for cheap/free, but I'll believe it when I see it.

BTW, Linux folks shouldn't get too smug. Just as Apple recovers from a gaping security hole, a serious hole of similar size has been found in Linux and affects most of the major distributions: http://arstechnica.com/security/2014/03/...-eavesdropping/
Posted by: Eugene

Re: End of WinXP - and a coming storm? - 03/05/14 08:40 PM

Originally Posted By: dougwalkabout
I just installed Linux (Lubuntu) as a dual-boot on an older XP netbook. (For the uninitiated, a "dual-boot" simply means that you're given a menu to choose which operating system will load during startup.) Mostly I will run Linux (esp. when online), but by keeping XP available I have the option to handle a native Word file if I really need to. BTW, I can't say enough about the Lubuntu installer; it handled everything including partitioning the hard drive without requiring any sudo-fu. (Lubuntu also runs on systems with as little as 512MB RAM while still giving a Windows-ish graphical interface and real web browsers. Not too shabby. End of commercial.)


Good for you, it's pretty easy, isn't it? Installing Windows on anything takes forever between applying all the patches and updates and drivers; I'm finding Linux to be easier.

Originally Posted By: dougwalkabout

Apparently the next (and last) two "Patch Tuesdays" for XP machines will include a pop-up warning from Microsoft regarding end of life support. There are also hints of a skinny, ad-driven version of 8 being offered for cheap/free, but I'll believe it when I see it.

BTW, Linux folks shouldn't get too smug. Just as Apple recovers from a gaping security hole, a serious hole of similar size has been found in Linux and affects most of the major distributions: http://arstechnica.com/security/2014/03/...-eavesdropping/


The big difference between Apple/Microsoft and Linux is not that any of the three are immune to issues, it's how they react. Apple and Microsoft will spend as much time trying to hide problems as they do fixing them. The Linux world will come up with a fix quickly and you can just install it and go back to life.
Posted by: haertig

Re: End of WinXP - and a coming storm? - 03/05/14 08:41 PM

Originally Posted By: dougwalkabout
BTW, Linux folks shouldn't get too smug. Just as Apple recovers from a gaping security hole, a serious hole of similar size has been found in Linux and affects most of the major distributions: http://arstechnica.com/security/2014/03/...-eavesdropping/

Actually, it affects more than your local desktop computer. It affects the websites you connect to. I don't believe it matters what you connect from (Windows, Linux, etc.) And since the vast majority of websites you connect to are running on Linux servers, it affects everyone. There are very few Microsoft websites out there in the grand scheme of things - sorry Bill Gates. As I read the advisory, it requires a man-in-the-middle attack, which is not necessarily easy to implement, and not on a wide scale. So while it is a security flaw, it is not one that could be widely exploited.
Posted by: Eugene

Re: End of WinXP - and a coming storm? - 03/05/14 08:45 PM

Originally Posted By: haertig
Originally Posted By: dougwalkabout
BTW, Linux folks shouldn't get too smug. Just as Apple recovers from a gaping security hole, a serious hole of similar size has been found in Linux and affects most of the major distributions: http://arstechnica.com/security/2014/03/...-eavesdropping/

Actually, it affects more than your local desktop computer. It affects the websites you connect to. I don't believe it matters what you connect from (Windows, Linux, etc.) And since the vast majority of websites you connect to are running on Linux servers, it affects everyone. There are very few Microsoft websites out there in the grand scheme of things - sorry Bill Gates. As I read the advisory, it requires a man-in-the-middle attack, which is not necessarily easy to implement, and not on a wide scale. So while it is a security flaw, it is not one that could be widely exploited.


And the other plus with the Linux OS is it's easier to patch. I can't remember the last time I've needed to reboot for any patches, security or otherwise. It's more modular so I just unload whatever needs patched, patch it and reload it. You can easily roll the patch out across your web farm.
Posted by: clearwater

Re: End of WinXP - and a coming storm? - 03/05/14 09:26 PM

Just got my first warning on QuickBooks running on XP (on Parallels on a Mac) saying QB will not be fully functional after 5/31/14.

So, since I am running a Mac, I might try QB for mac.

Anyone use QB on a Mac and take credit cards?
Posted by: Arney

Re: End of WinXP - and a coming storm? - 03/06/14 06:39 PM

Originally Posted By: dougwalkabout
BTW, Linux folks shouldn't get too smug. Just as Apple recovers from a gaping security hole, a serious hole of similar size has been found in Linux and affects most of the major distributions: http://arstechnica.com/security/2014/03/...-eavesdropping/

I'm amused that the outcry about this GnuTLS flaw seems pretty muted, at least from what I've read, compared to the breathless "this is as bad as it gets" media coverage of Apple's similar "goto fail" flaw that was just publicized. And this is a security vulnerability in an important open source module that has potentially been around since 2005! That's like 75 years in Internet time!

Definitely a black eye for those who claim that open source software is inherently more secure JUST BECAUSE the source code is publicly available. OK, so if no one else reviews some printer driver code, I can understand that. But a major cryptographic module that "everyone" uses every day? BIG black eye to the OS community.

And from some comments I've read, that module wasn't even written by people who truly understand crypto and how to properly implement crypto procedures anyway. Another big demerit in my opinion. Phil Zimmermann of PGP fame always emphasized that the proper IMPLEMENTATION of crypto algorithms and software so they interact with the operating system and other software in a secure manner was just as critical as selecting robust algorithms in the first place. I wouldn't trust much of the "security" software, particularly mobile apps, that are floating around these days, to be as secure as they claim.
Posted by: haertig

Re: End of WinXP - and a coming storm? - 03/06/14 07:30 PM

Originally Posted By: Arney
I'm amused that the outcry about this GnuTLS flaw seems pretty muted, at least from what I've read, compared to the breathless "this is as bad as it gets" media coverage of Apple's similar "goto fail" flaw that was just publicized.

Did Apple have a security flaw? I think I vaguely remember something like that, but no details. I trust they fixed it. Apple is quite good about that I think. I guess if Apple or opensource did have a security flaw, it might actually deserve breathless media coverage. Since these flaws are so extremely rare compared to that other closed source operating system out there. The novelty of having a security flaw in Apple/opensource would deserve some media coverage due to its rarity. Similar to someone observing a Sasquatch walking around in downtown Denver.

Quote:
And this is a security vulnerability in an important open source module that has potentially been around since 2005!

This statement goes to show you how difficult to exploit on a wide scale this flaw is, thus limiting potential harm. But go ahead media, scream breathlessly if you want. Just don't go mentioning that Linux used to make fine china, then furnaces, before they got into operating systems. That is about the ignorance level from mass media I've come to expect, unfortunately.

Quote:
Definitely a black eye for those who claim that open source software is inherently more secure JUST BECAUSE the source code is publicly available. ... BIG black eye to the OS community.

How so? A vulnerability has been found in opensource code. I don't think opensource said there would never ever be any flaw discovered. How does the quantity of these opensource vulnerabilities compare to the quantity of closed source (Microsoft, et al.) vulnerabilities found? If you think about that, you'll have to admit that opensource *IS* inherently more secure. By a fantastically wide margin. I guess if you are saying one opensource flaw is equivalent to 1000 Microsoft flaws, then you could try to make your point based on that. But nobody would take you seriously if that was your basis.

Anyway, I hope the flaw is patched soon, if it hasn't been already. At least a patch to something like SSL can be applied without requiring all the servers to be rebooted, unlike that other common OS out there. Personally, I won't be throwing out opensource and running to closed source because somebody found a difficult to exploit bug. That would be silly.
Posted by: Mark_R

Re: End of WinXP - and a coming storm? - 03/06/14 08:35 PM

Originally Posted By: Eugene
Yep, Outlook Express, or the second biggest security hole to core of Windows after IE :)

Sadly, the vast majority of people who I've met are those who still use IE, OE, etc. and refuse to replace them with anything having even a hint of security. That's one reason I got away from anything desktop related :)


What specifically are the security holes in IE and what settings are necessary to counter them, or where can I find out about them?

I just upgraded from my older XP machine to a new desktop with Win7 because of the age of my system and the discontinuation of XP support. With no security updates from MS, it's going to become a hackfest by every twerp with an internet connection and a supply of Red Bull. I'm running the current (11?) version of IE and relying on Norton and basic common sense to keep the goblins out (Like not opening Canadian Vi***a ads, or going to websites that use a dictionary in the meta data).

EDIT: Also has anybody used Norton Zone cloud storage? It seems like a good place to put the most critical files.
Posted by: Arney

Re: End of WinXP - and a coming storm? - 03/06/14 11:43 PM

Originally Posted By: haertig
If you think about that, you'll have to admit that opensource *IS* inherently more secure.

Open source is more secure because...? The way that so many people parrot that same mantra essentially boils down to almost a circular kind of logic. "Anyone" can contribute code to an open source project and anyone can see the code, ergo, the thinking goes, it is more (pick your adjective) secure/correct/efficient/yada-yada, but as this major GnuTLS flaw so starkly illustrates, just because anyone CAN look at the code for open source software, doesn't mean that anyone actually DOES, at least with a knowledgeable and critical eye. Obviously, with this major GnuTLS vulnerability, nobody did (well, except for the bad guys who may have been exploiting this hole for years).

Actually, I think MS has come a long way since the days about a decade ago when Internet Explorer and the IIS webserver had more holes than a block of Swiss cheese. People would groan when a report about a new IE or IIS vulnerability was published because they just kept coming and coming and were often quite big holes. People were totally losing trust in MS products so Bill Gates made some big decisions.

I remember thinking that when Gates launched his Trustworthy Computing Initiative, it was a huge business and mental shift. Remember, we were coming out of the Dot Com days when "get the code out first, get it out fast" was the mantra in software development. Bill Gates essentially said that MS needed to think of our computers more like appliances or utilities--they need to "just work"--and that's the level of functionality users expected. So the mindset, the procedures, the design, the software tools, etc. were changed to emphasize the quality and security of their code. The level of vulnerabilities in code written after TCI was initiated seems light years ahead in security compared to before. (And most of Win XP was written before TCI, by the way, which is a huge reason to move on). When's the last big IE or IIS vulnerability, the kind you'd read about in the mainstream press? I can't think of one.

Can an open source developer do the same thing? Sure. Do they? Not necessarily. So which model is inherently more likely to produce secure code? A closed system that systematically checks for problems, or an open one that can/might check? There is nothing "inherently" more secure with open source. It is inherently more transparent but that only matters if someone acts on that transparency. A one-person open source project, like an app, could be riddled with security vulnerabilities, no one else bothers to review the code, and yet tons of people may merrily go about using it, feeling confident because they're using open source code and it seems to run just fine. That's akin to "walking by faith, not by sight".

Posted by: Eugene

Re: End of WinXP - and a coming storm? - 03/07/14 03:09 AM

Originally Posted By: Mark_R
Originally Posted By: Eugene
Yep, Outlook Express, or the second biggest security hole to core of Windows after IE :)

Sadly, the vast majority of people who I've met are those who still use IE, OE, etc. and refuse to replace them with anything having even a hint of security. That's one reason I got away from anything desktop related :)


What specifically are the security holes in IE and what settings are necessary to counter them, or where can I find out about them?

I just upgraded from my older XP machine to a new desktop with Win7 because of the age of my system and the discontinuation of XP support. With no security updates from MS, it's going to become a hackfest by every twerp with an internet connection and a supply of Red Bull. I'm running the current (11?) version of IE and relying on Norton and basic common sense to keep the goblins out (Like not opening Canadian Vi***a ads, or going to websites that use a dictionary in the meta data).

EDIT: Also has anybody used Norton Zone cloud storage? It seems like a good place to put the most critical files.


Well, the security holes in both are too numerous to list. You can look for all the patched ones on (Microsoft) TechNet then subscribe to various security lists and read about all the not yet patched.

The biggest problem with IE and OE is the tight integration with the OS, so a security flaw in either becomes a flaw to the core of the OS. While other browsers/email can have security flaws, they don't hook deep into the OS so those flaws generally stop at a level where they can't cause too many problems.

A number of years ago, before we had so many security programs and other web browsers to choose from, I mistyped a web address. A simple www.gogle instead of www.google took me to some porn site whose text was in another language and then started popping up many IE windows so fast I had to reboot to stop them. I was running as a non-admin user and still got infected with something that I tried to remove and ended up just rebuilding. Yes, (Windows) security has improved since the early days of XP, but the integration of end user apps into the very core is still the worst thing they ever did to Windows.
Posted by: haertig

Re: End of WinXP - and a coming storm? - 03/07/14 05:23 AM

Originally Posted By: Arney
Actually, I think MS has come a long way since the days about a decade ago when Internet Explorer and the IIS webserver had more holes than a block of Swiss cheese.

I will admit ... they are trying. Some efforts have been more successful than others. I remember trying to use Vista once. Every time I hit a key, up came a popup asking if I really meant to hit that key, and asked if I was aware of the security ramifications of hitting that key. That is no way to treat a user base who probably didn't understand why they even hit that key in the first place, let alone be able to comprehend the resulting Windows popup.

What happened with Microsoft and Windows, is they targeted the "mass market". Most of the end-users of their Windows computers, were, to put it bluntly, totally computer ignorant. So they tried to make things more easy to use by trying to do everything for everybody, to support their target user base. Unfortunately, "we'll do it all for you" and "security" are at opposite ends of the spectrum. When you automate/integrate for ease of use, security goes down the drain. And when you make things secure, ease of use suffers. That is why many Windows users complain about how difficult Linux is, and complain that "Linux is not like Windows, therefore bad". They don't know any better. The target user base of Linux is the opposite of the target user base for Windows.

Open source vs. closed source definitely has something to do with security. But the effect is probably not as marked as the difference in the user base of open source products vs. Windows users. Linux/open source users tend to be much more computer literate and technically savvy than Windows users. And that difference probably has more to do with overall security than the differences in the operating systems. Although Linux and just about every other OS out there, open source or not, is more secure than Windows. Windows has indeed improved over the years. But it still trails miles behind every other OS in the security area. Under the hood, Windows looks like a mating squid ball. Everybody's tentacles stuck into everybody else's orifices. While the squids seem to like it that way, it does not make for a secure and stable operating system.
Posted by: MostlyHarmless

Re: End of WinXP - and a coming storm? - 03/18/14 10:53 PM

Originally Posted By: Arney
Originally Posted By: dougwalkabout
BTW, Linux folks shouldn't get too smug. Just as Apple recovers from a gaping security hole, a serious hole of similar size has been found in Linux and affects most of the major distributions: http://arstechnica.com/security/2014/03/...-eavesdropping/

I'm amused that the outcry about this GnuTLS flaw seems pretty muted, at least from what I've read, compared to the breathless "this is as bad as it gets" media coverage of Apple's similar "goto fail" flaw that was just publicized. And this is a security vulnerability in an important open source module that has potentially been around since 2005! That's like 75 years in Internet time!


Apple stubbornly refused to comment on anything related to security before eventually fixing the "goto" bug. (They KNEW, and for a very long time).

The GnuTLS community immediately publishes any information about bugs, security flaws and recommendations. (And fixes it, as soon as humanly possible)

The GnuTLS flaw meant that under some very specific circumstances the security check would indicate "OK" where it should go "Fail".

The Apple "goto" failure meant that under no circumstances would you get a red flag when visiting a https-site; the actual security verification was bypassed altogether.

As for legacy code versus open source code, the quality of the code depends on the actual team and management. But would you like the world's leading cryptographic expert to scrutinize your work? Then you need to make the code public.
Posted by: dougwalkabout

Re: End of WinXP - and a coming storm? - 03/19/14 04:55 AM

I think the bigger picture is that online security is an endless thrust-and-parry business, with serious consequences. It's not one OS versus another; they are all under assault to some degree, from well organized and financed criminal/state entities. Weaknesses are systematically found, hoarded/sold, and exploited for financial (or sometimes political) gain. XP is/was a venerable OS, but it was not designed for this new reality. It's not fearmongering to anticipate some waves of nastiness following the end of support.

In practical terms, I'm wondering about the number of small-store outfits using point-of-sale equipment that may (?) be vulnerable. I might just take the approach I already use with all other online purchases -- a credit card with a $500 limit for everyday stuff. That controls my vulnerability (and the credit card issuer's) to a manageable number without a huge loss of convenience on my part.
Posted by: buckeye

Re: End of WinXP - and a coming storm? - 03/20/14 02:51 AM

Originally Posted By: dougwalkabout

...snip> In practical terms, I'm wondering about the number of small-store outfits using point-of-sale equipment that may (?) be vulnerable. <snip...


I just had a visit with my doctor about two weeks ago and his small office was going through an upgrade to Win7 OS from XP for their medical office software.

Indication that there are likely some small business/offices that are still reliant on XP and will likely be scrambling to upgrade. I know a lot of smaller businesses tend to go with specialized/boutique firms/consultants/software 'specialized' for their needs. Let's hope for them their POS systems will run on Win 7/8/2K8.