Why the Windows XP Support Deadline Doesn't Matter

On April 8th, Microsoft is discontinuing support for Windows XP. XP is still used on about 30% of the PCs in the world and Microsoft has been working hard to push people to Windows 8.1 under the threat of “harmful viruses, spyware, and other malicious software” (http://windows.microsoft.com/en-us/windows/help/what-does-end-of-support-mean).

Despite this, most people aren't budging. Windows XP is comfortable and it works. And Windows 8.1 is infamous for it's Metro/Modern interface which is generally reviled. This has lead to many a tech commentator throwing out doomsday scenarios regarding the end of support. But I'd like to take a minute and debunk these:

It's the Most Patched Operating System of All Time

Windows XP was originally released in October 2001, so April will mark 12.5 years of patches and fixes. The last service pack, SP3, was released in May 2008, which marks the last time that XP got new features and new opportunities for bugs. It now has nearly 6 years worth of patches since then.

With all of these patches and fixes, XP is actually a pretty secure system. The code is mature, tested, and in wide use. Security researchers have been looking for weaknesses for over a decade and as has been said, given enough eyeballs, all bugs will be found.

It's Not that Great of a Target

At this point, there are basically two types of machines that are running XP: those who can't upgrade and those who won't. The ''those who won't” are the home and small business users who are happy with things the way they are and just don't want to upgrade. Their machines tend to be older with less CPU, hard disk, and Internet resources. In other words, there's not much worth exploiting. These computers may up to a decade old and so obsolete that even if compromised, there isn't much that can be done with them.

The second type, “those who can't” are those who are using XP in very custom applications, such as ATM's. An ATM sounds like a great target to attack, except when you realize that these machines are not accessible via the Internet, that banks have their own private security teams looking for suspicious behavior, and that they are paying Microsoft to continue support for them privately. Even though the operating system itself may be weak, the security layers around it are very strong.

Without a good target to go after, there's not much of a point in working to exploit XP. A Windows 7 exploit, with a greater user base and newer hardware is a much better target.

The End is Already Here

With less than two weeks before the April 8th deadline, now is the time when a smart criminal would release a hack that exploits an unknown weakness. At this point, even if a new threat emerges, there is not enough time left for Microsoft to find the code at fault, fix the bug, test a patch, and then release it.

If criminals have any previously unknown exploits, then we would be seeing them released into the wild now, because like all other businesses, there is a first mover advantage. The longer they wait, the higher the probability that someone else will release malware using the same exploit first. The fact that we haven't seen any such hacks suggests that there aren't any known major weaknesses in XP.

The Actual Deadline is May 13th

Microsoft releases patches on the second Tuesday of every month and if Microsoft weren't discontinuing support for XP, then the next set of patches would be released on May 13th. That's the first date when there would have possibly been patches, but now there won't be. Up until that date, the support situation for XP is identical to the way it would be if Microsoft were continuing support.

Support from Everyone Else is Continuing

Google has announced ongoing support for Chrome on XP. So have most antivirus manufacturers. Most software on XP will continue to see updates for the time being as well. Even if a major hole is found in XP, keeping the rest of the software on the PC up-to-date will help mitigate the risk.

Conclusion

The moral of the story is that sooner or later, you should upgrade. Whether it be to Windows 8.1, a version of Linux, or a Mac, it doesn't matter. However, there is no rule that says that it has to be done by April 8th. So make an informed decision, weigh the benefits and risks, and then upgrade when you're ready to.

Amazon Prime and ShopRunner

If you've ever done any online shopping, you're probably already familiar with Amazon's Prime shipping service. For $99/year (previously $79 until mid-March 2014), most of your Amazon orders are delivered within two days for free. You also get some other benefits with your membership, such as access to a lot of free TV shows and movies through their Amazon Instant Video streaming service.

Amazon Prime is a great service. While you're shopping, Amazon lets you know how much longer you have to place your order in order to make that day's cutoff time ("place your order in the next 53 minutes to get this order by Thursday"). On the final page of the ordering process, Amazon tells you exactly when the order will be delivered.

Shipping occurs Monday-Saturday; Sunday and holidays don't see deliveries. Even so, if you place an order on Sunday, it usually counts as a shipping day, so that you still receive your package on Tuesday.

In my experience with Prime, I've only had a couple of packages take three days (excluding Sundays and holidays). My best order was of a package of specialty pens that only local art stores and Staples carry. It was 11pm on a Friday night; the local stores were closed and the first wouldn't open until 9am the next morning. I placed my order and at 8:30am the next morning, a courier dropped off the package from Amazon. Not only did they get me my 2 day order within 10 hours, but they actually got me my order faster than I could have picked it up from a local store.

ShopRunner positions itself as an Amazon Prime type service for the rest of the web. The pricing is similar ($79/year) and it enables you to get free two day shipping from nearly 100 online stores. In principle, it should be just as awesome as Prime; in practice, not so much.

The first problem with ShopRunner is the poor integration between it and the partner stores. You have no indication from the store when your order needs to be placed, nor do you get a delivery estimate when you place your order.

You also don't get two day shipping. You get delivery within two days. The distinction is important. If the store determines that UPS 3 Day Select is likely to be delivered within two days, then they can use that service. However, UPS only guarantees that the order will be delivered within three days, so I've had many of my ShopRunner orders delayed.

But the biggest problem is ShopRunner's definition of "2-Day shipping". First, the order must be placed by that store's "cut-off time" in order to ship the same day. All of the times are different and the earliest ones are 7am PST. ShopRunner also doesn't consider Saturdays, Sundays, and holidays to be shipping days.

Consider the following example: you order a new USB flash drive from NewEgg.com at 10am on Friday (NewEgg's cutoff is 9am PST). The order won't ship on Saturday or Sunday. If Monday is a holiday, then it won't ship then either. On Tuesday, NewEgg actually ships your order using UPS 3 Day Select. You finally receive your order on Friday afternoon, more than a week after you ordered it. This example actually happened to me. Had I ordered from Amazon, there is a good chance I would have received my package the next day.

Another problem is that the stores aren't even aware that they offer this service. I ordered a pizza from Dominos; ShopRunner waives the delivery charge ($2.50 in my area). I had signed in with ShopRunner, but for some reason it was not applied to my order. So I called the store. The person who answered had no clue what I was talking about, so she got the store manager. The manager also had never heard about ShopRunner. Even worse, the manager was acting like I was trying to scam her into free delivery; she wouldn't even check their own website to verify what I was saying. I ended up canceling my order and went out for lunch instead.

On the plus side, if you have an American Express card, you get a complementary subscription to ShopRunner. And if you have Amazon Prime, ShopRunner will give you a one-year free subscription.

You can find out more about both services here:

Amazon Prime
ShopRunner

Just make sure you understand the benefits and limitations of each before you sign up.