Wednesday, 9 April 2014

How to continue living with the XP zombie

In a previous post I tried to demystify the need to upgrade from the freshly retired Windows XP to a newer version, now that Micro$oft's support has been finally stopped.

But what can I do to protect myself, the "small office, home office" user, from the evil hacker that will attack XP computers, like a maniac, from now on?

First, you need to relax and to understand that you have never been completely protected anyway, unless your computer is not connected to the internet and you don't bring any files from the outside world, which is quite unlikely these days.

At most, you have been as protected as possible in a particular moment of time (and few minutes later you could have been exposed again by a new threat that no antivirus could catch for few days, before the next update).

So, we can continue to do our "best effort" in protecting our XP computer, as follows:
  • Install an antivirus and keep it updated.
    (In fact, if you had no Windows antivirus installed until now, please ignore this whole writing and Micro$oft's urge to switch to a newer operating system. It either means that you're an incredibly careful user, or that your don't care if you computer is already infected and you find "normal" the way it behaves.)

    When choosing an antivirus, ignore the marketing crap they throw at you and pre-installed trial versions that came with Windows, and ask yourself relevant questions like: what antivirus has the best detection rate? (i.e. which one finds the most of the viruses in the wild)
    You can search the net for this and you'll find out there are some independent testing bodies that test periodically the detection rate of all antiviruses on the market. Here is one but do your own homework. Then choose an antivirus that is in top 3 each month.
  • Sometimes, antiviruses cannot detect annoying malware (like that one that hijacks your home page in your browser). For this, there is a different category of programs, named anti-malware.
    Malwarebites anti-malware has (also) a free version for home use, that had great results for disinfecting already infected Windows, but I'm sure there are some others with good results out there. Beware though that some anti-malware programs are in fact malware themselves... so research a bit to see if it is legit or not, before installing.
  • Backup your files now and then (or even regularly)

    Don't overwrite the last backup with the current one, better keep 2-3 backups on your backup disk or usb stick; if the last backup is compromised by viruses, at least you'll have the one before that's clean.

    Simply copying the files onto a stick from time to time is the basic form of backup but you can also use free tools like Micro$oft's SyncToy. Also, keep in mind to backup your emails and your browser history, bookmarks and saved passwords. Do a bit of research to learn out how for your specific set of programs.
  • Have a firewall installed.

    If you're at home and using a router given by your ISP, then probably you already have a firewall on that router and you're protected, since they come preconfigured this way.
  • If on the road and connecting to various hotel/airport/public networks, then you should install your own firewall product or, at least, activate the one that comes with Windows.

    Test your firewall by searching for "online firewall test" on the web. My choice is the one at Gibson Research Corporation (choose "Shields Up!" service, then click "Proceed" button and test your "Common ports" or "All service ports") but you can use others too.
  • Use anything but Internet Explorer, use anything but Outlook.

    Firefox and Thunderbird to name two, are as intuitive to use as their Micro$oft counterparts (if not more), and inherently more secure.

    Maybe even use OpenOffice (or LibreOffice) instead of Microsoft Office? I'll write more about this and Linux in another post.
  • Finally, educate yourself NOT to:
    • enter websites that are not well known (unless your XP installation is not so important for you and you keep it mainly for these purposes)
    • click "yes" or "OK" or "Download" buttons in any popup window offering to install search bars, emoticons etc. You can surely live without any of those.
    • double click any files received by email or any messenger, if you don't expect them, even if they come from a known friend. If your friend's computer is virused, it might be that the virus sent himself to you by email, without the human suspecting anything.
      So, save the attachment somewhere first and then right click on it and scan it with your antivirus. If ok, you can open it.
    • double click any executable file received by email or any messenger. I'd suggest you simply delete that email; almost nobody should send you executable files these days.
So, my proposal to all of you having Windows XP is: respect the above and resist the emotional pressure induced by the media to upgrade XP. Just out of curiosity (and for the sake of "science"), let's see how much time can we resist spending additional money if we're happy with what we have now. 

Think about it this way: If you switch now to Windows 8, it means you have to reinstall your computer and change your habits. Postpone this operation until something starts to go wrong indeed, if ever.

Need more incentives? For those more frugal, like me (and I know there are some out there), here are some direct costs for switching to newer Windows:
  • An upgrade from XP to Windows 8 costs 120$ but your computer might not support it or can become be very slow after, that means they push you implicitly to buy a new computer.
  • A new laptop that has the hardware for windows 8 (and windows 8 pre-installed) starts at of 446$ on Amazon.
  • A full Windows 8 license (no upgrade) costs around 120$.
  • Office 2013 Home and Business costs 279 $ whilst professional (with Access) is an incredible 500$ !!!
Depending on community response, I intend to build a small website where XP users can record their achieved XP afterlife duration, i.e. how many days/weeks/month/years their XP computers worked ok even if updates were no more provided by Micro$oft.

Myths about Windows XP's death

There is a lot of fuss these days about the end of XP's support on 8th of April, 2014. An almost apocalyptic image is created by many content writers and lots of specialists around the world have been invited in Micro$oft's flashmob, to scare the hell out of people and make them pay their dues to the software giant.
Fabulous amounts of money started to reveal, to give more weight to the whole problem:

"The UK government announced last week that it had negotiated a special deal with Microsoft to provide Windows XP support and security updates across the whole UK public sector for the next 12 months, at a cost of £5.548 million."
(I wonder if an investigation will follow and some important persons will be beheaded, since this 5.5 million transferred to Micro$oft are paid from the UK's budget due to someone's negligence and incapacity to migrate the public sector's computers to something else, in due time) 

"Microsoft has offered to provide special custom support for Windows XP after 8 April at a cost of $200 per device, which doubles to $400 per device after 12 months, and then doubles again to $800 the following year."

Seeing all these, I have researched the web on this major piece of news in a try to understand if getting rid of Windows XP is indeed "a must" in the coming days or months, and what are the real risks of keeping Windows XP still running. 

Here is a list of the most frequent and major "Boo-hoou-hoous" I could find in a couple of hours (and some personal comments on each):

  • "As late as June 2013, Windows XP still held onto more than 30% of the world’s computers. It’s on 95% of American ATMs"

    Anyone knowing a bit about ATMs and banking knows that they're not exposed to the internet at all, and have dedicated lines (or VPNs) to connect to their bank. So, susceptibility to attacks is really low not to mention that the XP present on ATMs is a trimmed down version of the regular one.
    Still, bad choice of operating system, banks! Not paying licences to M$ would've lower your fees and could have attract more clients!
  • "Estimates vary but it’s thought that as many as a third of the world’s computers are still running the operating system and Microsoft themselves have said that infections for XP will rise 66 per cent after 8 April."

    This sounds bullshitting to me. It's either that M$ put some time bomb in the latest XP update to affect exactly 66% and exactly after 8th of April, or they simply try to seed panic in the XP users. In both scenarios they want the users flocking-in, in an orderly fashion to the new Windows 8.
  • "There's certainly a possibility of some vulnerabilities that were already known that haven't been exploited yet. From 8 April or 9 April you could see a number of attacks that people have been holding back"

    Judging the response time Microsoft historically had to vulnerabilities, I'd say this is a fake problem too. Besides, any evil attacker would launch his exploits as soon as possible, before someone else would do it instead of them, or the users would upgrade to the latest Windows.
  • "Internet Explorer 8 is also no longer supported, so if your Windows XP PC is connected to the Internet and you use Internet Explorer 8 to surf the web, you might be exposing your PC to additional threats."

    Let's face it: this was the situation with the Internet Explorer since version 3 (that notably allowed hackers to take full control of your Windows computer). The problem is not only that Internet Explorer was historically badly designed and allowed attacks, but also that Micro$oft tried to give unfair competitive advantage to it over any other browser running on their operating system, by integrating it in the Windows itself (maybe you know that actually Windows Explorer IS Internet Explorer in fact). Through this "nice" move, the M$ specialists exposed the whole Windows system to attacks.
    So, whoever is seriously concerned about security, is not using Internet Explorer for ages anyway. I mean, I know there is a lot of marketing about how good and fast the new versions of IE are (but still...), but due to the horrible errors in its past, I prefer to use anything else: Firefox, Chrome, Chromium, Opera etc. Not that the others are completely protected but at least I believe that a big community of developers can react faster to a new bug than a bureaucratic corporation.
  • "The antivirus is not enough to protect your unsupported XP"

    Actually the antivirus was never enough, never mind if Windows is supported or not.
    I wonder if Windows would be so popular these days if no antivirus exists. Think about it: Windows survived mainly thanks to the antiviruses on the market; antiviruses sprung into life and proliferated due to bad design of Micro$oft Windows, Micro$oft Internet Explorer and Micro$oft Office. Another factor is that people are too obedient and don't ask why they need to pay additional money on a 3-rd party program to protect Windows if they already paid for Windows.
    (Micro$oft had a fake attempt to integrate their own antivirus in Windows when acquiring RAV antivirus in 2004, but over a decade now, it's proved it was just a "kill the competition" move: RAV was the only antivirus on the market that ran on most popular Linux email servers. No RAV meant big punch to the penguin world.)
    Nevertheless, a good antivirus coupled with a firewall and some user education should be enough for any old and unsupported operating system. See the next post.
  • "The new hardware (printers, scanners, etc) will not have have drivers for your old XP"

    This is unfortunately already true and the ones to blame are the hardware manufacturers that play along with Micro$oft to squeeze money out of people as much and as often as possible.
    Still, if your office setup (laptop, printer, scanner, webcam etc) functions perfectly right now and you have your hardware for years working ok, you might ignore for a while more these calls for spending money. Think about it when your printers break down for natural causes or due to planned obsolescence.
  • "[...] technical assistance for Windows XP is no longer available"

    Hmm... that's a tough one. I'm sure I'll miss it...
    Have you ever been in contact with Micro$oft directly in a try to fix an issue with your computer? If so, maybe for one time only, and then you got the idea that it's a waste of time 'cause the technical support is inept and they just serve you boilerplate answers from their scripts.
    The best & more efficient way to fix anything with your Windows computer was always to search the internet because the power of people in need is always greater than of those call center scripts readers.
So... vat to do, vat to do?