[Development] Windows 7 support future removal

coroberti . coroberti at gmail.com
Tue Aug 28 07:59:23 CEST 2018


On Tue, Aug 28, 2018 at 12:34 AM, Thiago Macieira
<thiago.macieira at intel.com> wrote:
> On Monday, 27 August 2018 01:50:46 PDT André Pönitz wrote:
>> On Mon, Aug 27, 2018 at 12:00:17AM -0700, Thiago Macieira wrote:
>> > I don't have a problem with that, so long as they never connect those
>> > computers to the Internet after January 2020. That would be irresponsible.
>>
>> Because of what?
>
> Because it's not receiving security updates.
>
>> Because Microsoft (or any OS vendor that's on the "newer is better" trip
>> for that matter) have scheduled the invention of the magic sauce that makes
>> their systems suddenly safe to use in public networks for December 2019?
>
> No, that sauce is already known. It's called "security updates" and they have
> to be applied on a continuous basis. You may not need to apply all fixes, but
> you need to have the ability to do so when there's a fix that is relevant to
> you.
>
> Starting in January 2020, the only company that could make those fixes will
> stop making them. It is unlikely that the next day will start with a new
> vulnerability discovered, but one will be sooner or later. And since no fix
> will ever be coming, those devices will be forever vulnerable.
>
> Sure, there are other ways to mitigate the problem, like having an external
> firewall. But all it takes is another device also vulnerable on that network
> to allow access in and now those out-of-date Windows are accessible.
>
>> "Realistically" (a term I colloquially use for "extrapolating from a number
>> of incidents in the past") we will see trading semi-working systems with a
>> certain number of known and an uncertain number of unknown deficiencies for
>> other systems with another uncertain number of the same of other, newer
>> unknown deficiencies.
>
> Right. But worse than that, you have an unknown number of devices with *known*
> deficiencies.
>
>> This might look like an advantage to some, but it isn't in any metrics
>> that I am tempted to take seriously - *especially* when there are ways
>> to mitigate some of the known deficiencies in a way that doesn't boil down
>> to "try to use a newer random version of what we sold you last year as
>> the best thing since sliced bread".
>
> Defence in depth. You should deploy those other mitigations, like the
> firewall. But ignoring or not receiving OS fixes is a critical problem.
>
> Then again, those computers would be vulnerable without Internet connection.
> Have you ever seen what happens if you drop a USB stick in a company's parking
> lot?

This is not the case with many enterprises, finance, medical, military,
banking and even local governments etc. where mounting of an external
storage, CD/DVD or downloading is not an option or should pass IT people
with a detailed examination of each file or package.

In such well controlled and managed environments, you can find enough computers
which are still using old systems like Win2000 and XP.

Due to the mentioned issues with Win-10, which were not the case with Win-7,
my bet is that Win-7 will have a lifetime of about 10 years with a good share
still remaining, but it may be obscured from statistics since it is not seen
over the open Internet.

jm4c to add.

Kind regards,
Robert


