
Alternatively, Microsoft should continue to support Windows XP as long as there are a large number of critical systems that rely on it. They are unable to upgrade because it would break a lot of legacy software. I believe Windows XP should have been supported for at least 50 years, considering how many people still depend on it. IMO, Microsoft has acted irresponsibly, and the decision was only driven by money. Sure, 2001 was a long time ago, but so what? What's wrong with a PC that runs the same OS for 100 years? Sometimes things work fine just the way they are. For all intents and purposes, most machines running Windows XP are fast enough. Office workers aren't running some insane virtual reality system, they're responding to emails and entering data into some Visual Basic application.

I understand that newer versions of Windows do have stronger security, so it is better if people can upgrade to a more secure version of Windows. But it would have been better if those security features were somehow back-ported. But seriously, can the current version of Windows please be considered "finished"? Why not spend the next 50 years just maintaining Windows 10, just the way it is? Imagine if they devoted all of their resources to finding and fixing all of the possible security issues until it's virtually bulletproof, and the price of a zero-day gets to a billion dollars. I think it's a shame that Microsoft constantly releases unnecessary upgrades and tries to get people to keep buying new licenses.



> They are unable to upgrade because it would break a lot of legacy software. I believe Windows XP should have been supported for at least 50 years, considering how many people still depend on it.

It's not Microsoft's fault that people depend on Windows XP. IMHO it's the fault of companies buying hardware and software from manufacturers who are unwilling or unable to upgrade their product to run on newer versions of Windows.

To put it another way: the only reason there is a huge demand for COBOL programmers is because banks are too spendthrift to rewrite their software in more modern languages.

> IMO, Microsoft has acted irresponsibly, and the decision was only driven by money.

Welcome to the world of successful businesses. They don't do things for altruistic reasons, they do it because it makes money.

> Imagine if they devoted all of their resources to finding and fixing all of the possible security issues until it's virtually bulletproof, and the price of a zero-day gets to a billion dollars. I think it's a shame that Microsoft constantly releases unnecessary upgrades and tries to get people to keep buying new licenses.

A lot to unpack here.

1) I personally don't think it's possible for anyone to design a general purpose OS as complex as Windows that is bug free.

Just look up how small the space shuttle software was (IIRC ~600,000 LOC) and how mind bogglingly expensive it was.

2) Businesses could already avoid a lot of this if they didn't view IT as a cost centre and instead as an investment.

3) Yes Windows 10 is a privacy nightmare. But Microsoft has made real strides in OS security since XP. It's wrong to claim that all they've done is put a minimalist theme on the same old OS.

From a security perspective they absolutely are not "unnecessary upgrades".


> It's not Microsoft's fault that people depend on Windows XP. IMHO it's the fault of companies buying hardware and software from manufacturers who are unwilling or unable to upgrade their product to run on newer versions of Windows.

It is Microsoft's fault. A software customer doesn't know that a vendor is going to go out of business or get bought by a competitor that discontinues their product and promotes an incompatible alternative with seven figure transition costs.

Microsoft are the ones who worked so hard to make sure that software for Windows isn't compatible with not-Windows, creating all their own alternatives to POSIX, OpenGL, Open Firmware and everything else so that it's as difficult as possible for software compatible with Windows XP to be compatible with any Unix or Linux, leaving the user out in the cold if it also isn't compatible with Vista or later.

> To put it another way: the only reason there is a huge demand for COBOL programmers is because banks are too spendthrift to rewrite their software in more modern languages.

The reason there is huge demand for COBOL programmers is that it's more reasonable to hire a COBOL programmer than to discard a working system with a multi-million dollar replacement cost. "Just throw away everything you own and start over from nothing" is only rarely cost effective.


> It is Microsoft's fault. A software customer doesn't know that a vendor is going to go out of business or get bought by a competitor that discontinues their product and promotes an incompatible alternative with seven figure transition costs.

It is categorically NOT Microsoft's fault that software vendors are bought or go out of business. It's on the software customer to ensure that they don't get stuck with vendor lock-in.

Reverse the situation: A bunch of critical systems which run Linux 2.4 are being compromised by cyber criminals via a kernel exploit. You're going to argue that it's Linus' fault for providing such a great kernel and not supporting it forever?

Or that it's Linus' fault vendor XY who hasn't existed since 2 mergers ago chose Linux 2.4 for their product and now aren't around to provide updates for legacy software?

> Microsoft are the ones who worked so hard to make sure that software for Windows isn't compatible with not-Windows, creating all their own alternatives to POSIX, OpenGL, Open Firmware and everything else so that it's as difficult as possible for software compatible with Windows XP to be compatible with any Unix or Linux, leaving the user out in the cold if it also isn't compatible with Vista or later.

And so does every other operating system on the planet. You cannot take a MacOS binary and run it on Linux. And until very recently you couldn't take a Linux binary and run it on Windows.

You could argue that with Linux, the only thing preventing it from running Win32 or MachO binaries is that those operating systems are closed source, but this is the world we live in. If you want a "universal" binary, write it in something like Java.

https://xkcd.com/927/

> The reason there is huge demand for COBOL programmers is that it's more reasonable to hire a COBOL programmer than to discard a working system with a multi-million dollar replacement cost. "Just throw away everything you own and start over from nothing" is only rarely cost effective.

Yes, and I feel that I addressed this when I said "because banks are too spendthrift to rewrite their software"

It's a business decision. Currently it's cheaper for banks to hire COBOL programmers at obscene rates to fix their software. Eventually, there either won't be COBOL programmers, or they'll be too expensive, and the bean counters will dictate it's time to rewrite.


> Reverse the situation: A bunch of critical systems which run Linux 2.4 are being compromised by cyber criminals via a kernel exploit. You're going to argue that it's Linus' fault for providing such a great kernel and not supporting it forever?

I think there's a simpler way to think about this. Windows XP still functions for these businesses, and many of them would gladly pay an ongoing subscription fee for support. Sure, Microsoft wants to expand, but I don't see why that has to happen exclusive of supporting their well-loved early 2000s release. I run software which hasn't changed substantially for more than 20 years on a daily basis, and I don't see why Microsoft has to pretend that that's not a use case.

> > Microsoft are the ones who worked so hard to make sure that software for Windows isn't compatible with not-Windows, creating all their own alternatives to POSIX, OpenGL, Open Firmware and everything else so that it's as difficult as possible for software compatible with Windows XP to be compatible with any Unix or Linux, leaving the user out in the cold if it also isn't compatible with Vista or later.

> And so does every other operating system on the planet. You cannot take a MacOS binary and run it on Linux. And until very recently you couldn't take a Linux binary and run it on Windows.

Open Firmware, POSIX, and OpenGL are explicitly not related in any way to binary compatibility. You can run unmodified OpenGL programs (with some abstraction) on Linux and OS X out of the box, and with some fiddling, on Windows as well.

It's clear that this is an argument that Microsoft has refused to support standard APIs, not standard ABIs.


How many apps are there really that run on the win32 API of Windows XP, but not on the one of Windows 7/8.1/10?

Not saying there aren't any, but nearly everything I've seen fail has been coupled to hardware drivers, where other platforms are just as bad, or other outdated APIs, e.g. ancient versions/insecure configurations of Java. This is a big problem in IT, but I don't think it's fair to blame Microsoft more than others for it. Maybe for making as much a mess of Vista as they did, but 7 was still available more than early enough for slow migration.

(And at least the NHS had an extended support contract for Windows XP, but ended that at some point, despite (as far as I know) it still being available from MS for other big customers)


> It is categorically NOT Microsoft's fault that software vendors are bought or go out of business. It's on the software customer to ensure that they don't get stuck with vendor lock-in.

It is Microsoft's fault that the programs only run on Windows XP. If they had used standard open APIs it would have been much easier to port the applications to other platforms to begin with, and more of the original developers would have done so before going out of business.

If you want to argue that customers should not buy Windows-specific software you'll get no argument from me, but that is certainly not Microsoft's position.

> Reverse the situation: A bunch of critical systems which run Linux 2.4 are being compromised by cyber criminals via a kernel exploit. You're going to argue that it's Linus' fault for providing such a great kernel and not supporting it forever?

Linus absolved himself by providing source code. If you really want to keep using Linux 2.4 and patch it yourself, you can, and some companies actually do.

> You cannot take a MacOS binary and run it on Linux.

https://www.darlinghq.org/

And that project is in a weak state not for difficulty but for lack of demand, because so many programs that run on one OS already run natively on both since it's so much easier to port between them than between Windows and anything else.

> You could argue that with Linux, the only thing preventing it from running Win32 or MachO binaries is that those operating systems are closed source, but this is the world we live in. If you want a "universal" binary, write it in something like Java.

https://en.wikipedia.org/wiki/Microsoft_Java_Virtual_Machine

> Yes, and I feel that I addressed this when I said "because banks are too spendthrift to rewrite their software"

> It's a business decision.

That's the point. How is it not also a business decision with Windows XP, which Microsoft has forced everyone to make in a way that many would otherwise not?


> To put it another way: the only reason there is a huge demand for COBOL programmers is because banks are too spendthrift to rewrite their software in more modern languages.

I heard that medical devices are approved (by whatever regulatory body) to run an _exact_ set of software. As such, even applying a security update invalidates the approval, because it could potentially introduce bugs that place a patient's life at risk.


Not sure that those systems are connected to the Internet.

The software affected in the NHS was mainly in GP surgeries and admin offices to do with scheduling of procedures. Not directly life-threatening in the sense of a machine going wrong but indirectly damaging in the sense of procedures and consultations having to be cancelled, records not being available &c.

Looking decades into the future I'm wondering: Web applications + fairly basic clients Chromebook style for the scheduling/records stuff.


The computers that store patient records (which were compromised) are not medical devices under any regulatory regime I know of.

And in any case the compromises were in the UK, which may have different rules on this subject than the FDA.


Yeah, my point was just that sometimes systems have out of date security for reasons besides penny pinching and laziness. :)


From a security standpoint the best thing is to stop adding features and fix security issues as they are found so the system gradually becomes secure.

The upgrade treadmill is good for Microsoft's revenue stream, but bad for customers who already have a working system. New != better, just different. I guarantee you that W10 has just as many security holes as XP, they just haven't been found yet because it's so new.


If there is no revenue stream, where do the resources to fix security issues come from?


Aren't the vast majority of Windows revenues from new PC sales and volume licensing?

Both would continue if Windows was "perfect" feature-wise and only security updates were provided going forward.


> if Windows was "perfect" feature-wise and only security updates were provided going forward.

Therefore the kernel is secure, assuming spherical cows are used in the bubble memory of the return stack.


One possibility is from the huge surplus that they collected when they initially sold the software.

It seems to ultimately boil down to software becoming more expensive to sell, especially when it will be used in critical situations.


But that's handled by the contract at the point of sale. One Windows XP with N years of support for $ money.

Legally, they are covered.


Sure, there is this specific situation where Microsoft probably isn't on the hook for anything.

But there is also the more abstract problem of how hospitals and the like go about using computers.


It is absolutely Microsoft's fault.

Many of the existing XP computers are big monolithic systems that have been decentralized so Microsoft could sell more licenses.

Think networks of retail stores using hundreds or thousands of PCs for their point-of-sale. Or government agencies like the DMV with locations in every rural county.

They put a PC on every not-quite-a-desk.


And did they say "don't ever upgrade this"?


> It's not Microsoft's fault that people depend on Windows XP.

When XP was released, Microsoft was unarguably a monopoly. Monopolistic businesses have responsibilities that other, non-monopolistic businesses don't. The law is vague, but the FTC could reasonably force Microsoft to continue to patch security problems in Windows XP forever. After all, the defects to which the support period refers existed within that support period, regardless of when they were proven to exist.


> banks are too spendthrift

Only being a pedant because this came up in /r/soccer today about an hour beforehand. That means the opposite of what you want it to mean.


> That means the opposite of what you want it to mean.

Thanks! I actually didn't know this. Do you have a suggestion of a better term for the behaviour I'm trying to describe? I was trying to be more elegant than "cheap"


> It's not Microsoft's fault that people depend on Windows XP.

It absolutely is. Not releasing the Windows XP successor in 2004 as it was promised to customers and shareholders is their fault. Microsoft only released a successor 6 years after XP's release, 3 years later than promised. And it doesn't help that Windows Vista was a disaster on its release.


> Sure, 2001 was a long time ago, but so what? What's wrong with a PC that runs the same OS for 100 years?

My thoughts exactly. If you look outside of computers/tech, at other large pieces of infrastructure like electrical and water supply systems, you'll find plenty which are much older and still in active operation. 2001 was only 16 years ago. I have many things older than that and probably "unsupported", yet continue working with only occasional maintenance.

Thus, as computers become more integrated into our lives and a part of the infrastructure, it makes sense that they should stop "moving forward" and settle down stably at some point, yet all I've seen is the complete opposite. In fact, I'd say instability in infrastructure is immaturity --- to take an example, in the early days of electrical power, there were plenty of incompatible sockets, voltages, and frequencies. Now we have settled on a small set of standards, which have been nearly the same for the past decades.

> I understand that newer versions of Windows do have stronger security

The flip-side is that some of this security isn't really helping the user, i.e. DRM. Newer versions of Windows also come with other unnecessary/unwanted features like telemetry (possibly with their own vulnerabilities), regressions in UI, etc. In other words, if you upgrade you could be more secure from remote attackers and get some new features you actually want, but you're also giving away more privacy to Microsoft and moving toward a more locked-down-against-you ecosystem. It's not all positive.

If only Linux and WINE, or even ReactOS, were in a more usable state...


I'd be a fan of Microsoft providing 3 or 5 years of support to business for free, then offering increasing levels of paid support for the next 5 and 10 years. It both preserves the revenue Microsoft depends on to operate, and gives businesses choices to keep operating their legacy systems, albeit at increased cost.

At a certain point, it's cheaper for businesses to rebuild their solutions with the latest tech Microsoft would prefer they are on, so they can re-license, rebuild their solution with modern tech, and start enjoying the benefits that come with free support for a new licensing period.

During the days of Windows XP, XP wasn't designed for a world of Internet threats. I think it would have been difficult for them to continue to support XP in a production environment while preserving compatibility with existing features.

Windows 10 is built for the modern world of threats. Microsoft sells a Windows 10 Enterprise LTSB (Long Term Servicing Branch) with guaranteed support for 10 years to address many companies' needs. Everybody has learned from XP: Microsoft has learned that long term support is needed, so they innovated their support model, and companies have learned that they can't expect an operating system to exist in a connected world for 15+ years. Hopefully with new support options and more reasonable expectations from business, Microsoft's LTSB support model is going to address everyone's needs.


Windows XP was most definitely deployed in a world with constant Internet threats! That it was not designed to address the threats is probably more of a misprediction on their part.


Let's not conflate something "working" with something able to receive support from the manufacturer. If I have a car from the 1960s, I'm sure it will work, but beyond the legality of some components, if something breaks, if the manufacturer even exists anymore I would be lucky that they would help support it, and if they did, I would have to pay a large sum of money for the support.

If a customer wants to use Windows XP, they can, but if a customer wants support for it, they can pay Microsoft a lot of money for it (and I think some actually still do).

Besides, don't forget that businesses do need to make money. Are you suggesting that Microsoft should have supported/should support Windows XP forever, for free?


> Imagine if they devoted all of their resources to finding and fixing all of the possible security issues until it's virtually bulletproof, and the price of a zero-day gets to a billion dollars.

The trend in security has lately been toward isolation (sandboxing, etc.) instead of fixing security issues as they come up. Newer versions of Windows have more isolation features. Setting up a sandbox on Windows XP is a nightmare, and there's no way to shut off access to FAT drives or win32k.sys, etc.


> I believe Windows XP should have been supported for at least 50 years, considering how many people still depend on it. IMO, Microsoft has acted irresponsibly, and the decision was only driven by money.

I don't think you understand how much developer effort is required in maintaining such an old OS. In addition, these same developers need to get paid and since MS is in the business of making money, supporting SW that massively burns cash (I assume the maintenance is not cheap) is blatantly foolish.

> Why not spend the next 50 years just maintaining Windows 10, just the way it is?

If I understand it correctly, this pretty much is the plan with Win10. It's supposed to be the last Windows OS.


> Why not spend the next 50 years just maintaining Windows 10, just the way it is?

The best developers (the ones with the most choices) will leave because nobody wants to maintain a project.


The world will change more in the next 50 years than it did in the last 100. Do you really think it's a good idea to stop all progress on a major OS?


I think you must differentiate between a general purpose OS and a single-purpose OS.

Why isn't XP good enough to run a map kiosk in a mall? Or flight arrivals screen in the airport?

Face it, the needs of many single-use applications were solved decades ago... the need to constantly undergo the endless forced upgrade cycle wastes a tremendous amount of human effort.


> Why isn't XP good enough to run a map kiosk in a mall? Or flight arrivals screen in the airport?

It is and the stripped-down versions of XP Microsoft sells to run kiosks still get updates [1]

> Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008, and Extended Support will end on January 8, 2019.

> Windows Embedded POSReady 2009. This product for point of sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released on 2009, and extended support will end on April 9, 2019.

[1] https://support.microsoft.com/en-us/help/18581/lifecycle-faq...


Sure. Everyone knows about the embedded line.

However, MS makes it very difficult to acquire and manage those products. Generally speaking, you must buy their embedded products with a motherboard/cpu purchase from an authorized vendor.

MS business strategy basically mandates that a whole class of "single purpose" customers can't / won't buy via the way MS wants to sell it.

If you try to mandate that the mall buy your special (expensive) motherboard/XPe combo you will generally make no sales. Therefore the default becomes that your customers just go buy "whatever computer they can that matches specs" and run that. Hence you wind up with tens of millions of devices that aren't supported anymore.


XP is a general purpose OS, with a large attack surface. That is what makes it less-than-ideal for special purpose use.


Perhaps, as long as those units are air gapped (i.e., not Internet connected, with no physically unsecured I/O ports).



