[Development] Windows 7 support future removal

Thiago Macieira thiago.macieira at intel.com
Mon Aug 27 23:34:50 CEST 2018


On Monday, 27 August 2018 01:50:46 PDT André Pönitz wrote:
> On Mon, Aug 27, 2018 at 12:00:17AM -0700, Thiago Macieira wrote:
> > I don't have a problem with that, so long as they never connect those
> > computers to the Internet after January 2020. That would be irresponsible.
> 
> Because of what?

Because it's not receiving security updates.

> Because Microsoft (or any OS vendor that's on the "newer is better" trip
> for that matter) have scheduled the invention of the magic sauce that makes
> their systems suddenly safe to use in public networks for December 2019?

No, that sauce is already known. It's called "security updates" and they have 
to be applied on a continuous basis. You may not need to apply all fixes, but 
you need to have the ability to do so when there's a fix that is relevant to 
you.

Starting in January 2020, the only company that could make those fixes will 
stop making them. It is unlikely that the next day will start with a new 
vulnerability discovered, but one will be sooner or later. And since no fix 
will ever be coming, those devices will be forever vulnerable.

Sure, there are other ways to mitigate the problem, like having an external 
firewall. But all it takes is another device also vulnerable on that network 
to allow access in and now those out-of-date Windows are accessible.

> "Realistically" (a term I colloquially use for "extrapolating from a number
> of incidents in the past") we will see trading semi-working systems with a
> certain number of known and an uncertain number of unknown deficiencies for
> other systems with another uncertain number of the same of other, newer
> unknown deficiencies.

Right. But worse than that, you have an unknown number of devices with *known* 
deficiencies.

> This might look like an advantage to some, but it isn't in any metrics
> that I am tempted to take seriously - *especially* when there are ways
> to mitigate some of the known deficiencies in a way that doesn't boil down
> to "try to use a newer random version of what we sold you last year as
> the best thing since sliced bread".

Defence in depth. You should deploy those other mitigations, like the 
firewall. But ignoring or not receiving OS fixes is a critical problem.

Then again, those computers would be vulnerable even without an Internet connection. 
Have you ever seen what happens if you drop a USB stick in a company's parking 
lot?

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center