malware

Last night I turned in my chapter on programming–just think, all of software development summarized in 55 book pages!–and am gathering my thoughts on mass storage for the chapter I’ll begin later today or tomorrow. Again, if you haven’t seen me much lately that’s the reason.

Each of my chapters has begun with a historical perspective on that chapter’s computer technology topic. This has brought lots of things to mind that I haven’t thought about in years, like IBM cards, FORTRAN, punched tape, and Bernoulli Boxes. I still have the card deck from the first program I ever wrote, in the spring of 1970. (See above.) I did some work with paper tape as well in my COSMAC days, but whatever tape I kept has been hiding well. I’d love to get a scan of a length of ASR-33 style punched tape, or a length (8″ or so) of the tape itself to scan here. Doesn’t matter what’s on it as long as it’s not greasy or physically damaged. Contact me if you have some you could spare, or least scan.

Time marches on. I have a 10MB Bernoulli Box cafeteria tray cartridge–probably in a box somewhere with the paper tape–and an original 1983 Microsoft Mouse. Obsolescence doesn’t bother me as long as I can keep functionality. I had to buy a copy of Office 2007 to keep writing commercially, since Word 2000 doesn’t understand .docx files, and Atlantis doesn’t do annotation. Yup, time marches on.

It does. Right now we’re looking down the throat of something a little unprecedented: On April 9, Microsoft turns off security updates for Windows XP.Most of my nontechnical friends seem unaware of this, and my nerd friends have long since moved on to Win7 or 8. I’m in the middle: I’ve been using Win7 on my GX620 for about a year, and have a new Win7 Optiplex 780 on the shelf ready to be populated and configured when time allows. (I’ve done almost nothing but this book for what seems like–hell, has been!–months.) I’m about to take my quadcore in for a new sled-mounted SSD and Windows 7 Pro. The 780 will become Carol’s office machine. I will keep an SX270 XP machine basically forever, because it has pop-in drives for both 3.5″ floppies and Zip cartridges, some of which are piled in odd boxes here for no compelling reason other than they’re paid for. (Yes, most of them have probably gone to bitrot by now.) However, it will no longer be on my network, and will be powered up only as needed.

Here’s an interesting wrinkle that few people seem aware of: Win7 Professional comes with a special-purpose copy of VirtualPC, with a VM containing an instance of XP. (Win7 home does not.) I’m thinking that if I don’t enable the Ethernet connection to the XP VM, it doesn’t matter whether the instance gets security updates or not. I have some stuff here that won’t run on Win8, and possibly not on Win7 either. I can install it on my poor SX270 survivor, of course, but it will be interesting to see what limitations may exist on the XP VM. If something weird turns up in the VM, I can always revert to an archival image.

The real problem with this, of course, is that a lot of nontechnical people are still using ancient machines that won’t run Win7 ever. Only five or six years ago, I still saw Windows 95 on 486 machines owned by older people at my parish. I’ll bet there are plenty of doddering Pentia XP boxes with 512MB of RAM still crunching email and (maybe) Web, along with Office 97. What happens to them? They may well get pwned. On the other hand, I’ve seen several with updates turned off that aren’t pwned. How bad is the problem, really?

I’m sure nobody knows. Sometime this spring we’re going to find out. How many exploits are likely to be left in a 12-year-old codebase? There will be some. Not all exploits are the result of bad coding practices, though I’m sure plenty can be walked back to unbounded string functions in libc, which the C community just can’t seem to give up. XP’s security model is generally lousy, especially for people who don’t understand the implications of what they do, double-especially with Internet-facing apps. That being the case, how far does Microsoft’s responsibility extend? As big as they are, can’t they keep a few security fanatics on staff to fix the exploits that do appear?

I’m thinking that questions like this may soon be asked in the courts of law. We’ll see.

Anyway. I can fix things here, and in extended family. I do worry about nontechnical retirees at our church and elsewhere. When you’re 80, a 12-year-old OS may not seem like any kind of problem, and those on fixed incomes may not feel like $500 for a new box is worthwhile to solve a problem that remains hypothetical. (Hell, my 4Runner is older than XP.) Those of us who remember Y2K hysteria can be forgiven for a strong dose of skepticism. I expect pwnage. There’s pwnage today. The only question is how bad it gets, and how much bad PR it will earn Microsoft. My prediction: If it gets bad enough, and the lawsuits get thick enough, the updates will return.

Pass the popcorn and dig your 3-D glasses out of the drawer. This is gonna be good.