Oracle Identifies Its Products Affected By Heartbleed, But No Estimates On Fixes

April 18, 2014 by mphillips  
Filed under Around The Net

Oracle issued a comprehensive list of its software that may or may not be impacted by the OpenSSL (secure sockets layer) vulnerability known as Heartbleed, while warning that no fixes are yet available for some likely affected products.

The list includes well over 100 products that appear to be in the clear, either because they never used the version of OpenSSL reported to be vulnerable to Heartbleed, or because they don’t use OpenSSL at all.

However, Oracle is still investigating whether another roughly 20 products, including MySQL Connector/C++, Oracle SOA Suite and Nimbula Director, are vulnerable.

Oracle determined that seven products are vulnerable and is offering fixes. These include Communications Operation Monitor, MySQL Enterprise Monitor, MySQL Enterprise Server 5.6, Oracle Communications Session Monitor, Oracle Linux 6, Oracle Mobile Security Suite and some Solaris 11.2 implementations.

Another 14 products are likely to be vulnerable, but Oracle doesn’t have fixes for them yet, according to the post. These include BlueKai, Java ME and MySQL Workbench.

Users of Oracle’s growing family of cloud services may also be able to breathe easy. “It appears that both externally and internally (private) accessible applications hosted in Oracle Cloud Data Centers are currently not at risk from this vulnerability,” although Oracle continues to investigate, according to the post.

Heartbleed, which was revealed by researchers last week, can allow attackers who exploit it to steal information on systems thought to be protected by OpenSSL encryption. A fix for the vulnerable version of OpenSSL has been released and vendors and IT organizations are scrambling to patch their products and systems.

Observers consider Heartbleed one of the most serious Internet security vulnerabilities in recent times.

Meanwhile, this week Oracle also shipped 104 patches as part of its regular quarterly release.

The patch batch includes security fixes for Oracle database 11g and 12c, Fusion Middleware 11g and 12c, Fusion Applications, WebLogic Server and dozens of other products. Some 37 patches target Java SE alone.

A detailed rundown of the vulnerabilities’ relative severity has been posted to an official Oracle blog.

 

Lavaboom Offers New Encrypted Webmail Service

April 18, 2014 by mphillips  
Filed under Around The Net

A new webmail service named Lavaboom promises to provide easy-to-use email encryption without ever learning its users’ private encryption keys or message contents.

Lavaboom, based in Germany and founded by Felix Müller-Irion, is named after Lavabit, the now defunct encrypted email provider believed to have been used by former NSA contractor Edward Snowden. Lavabit decided to shut down its operations in August in response to a U.S. government request for its SSL private key that would have allowed the government to decrypt all user emails.

Lavaboom designed its system for end-to-end encryption, meaning that only users will be in possession of the secret keys needed to decrypt the messages they receive from others. The service will only act as a carrier for already encrypted emails.

Lavaboom calls this feature “zero-knowledge privacy” and implemented it in a way that allows emails to be encrypted and decrypted locally using JavaScript code inside users’ browsers instead of its own servers.

The goal of this implementation is to protect against upstream interception of email traffic as it travels over the Internet and to prevent Lavaboom from producing plain text emails or encryption keys if the government requests them. While this would protect against some passive data collection efforts by intelligence agencies like the NSA, it probably won’t protect against other attack techniques and exploits that such agencies have at their disposal to obtain data from computers and browsers after it has been decrypted.

Security researchers have yet to weigh in on the strength of Lavaboom’s implementation. The service said on its website that it is considering making parts of the code open source and that it has a small budget for security audits if any researchers are interested.

Those interested in trying out the service can request to be included in its beta testing period, scheduled to start in about two weeks.

Free Lavaboom accounts will come with 250MB of storage space and will use two-way authentication based on the public-private keypair and a password. A premium subscription will cost €8 (around US$11) per month and will provide users with 1GB of storage space and a three-factor authentication option.

 

AT&T To Offer Smartwatches This Year

April 18, 2014 by mphillips  
Filed under Consumer Electronics

Smartwatches for use on AT&T’s network will be out this year, according to one of the company’s executives.

“I think you’ll see wide-area, high-bandwidth [smart]watches this year at some point,” said Glenn Lurie, president of emerging devices at AT&T, in an interview.

The company has a group working in Austin, Texas, on thousands of wearable-device prototypes, and is also looking at certifying third-party devices for use on its network, Lurie said.

“A majority of stuff you’re going to see today that’s truly wearable is going to be in a watch form factor to start,” Lurie said. If smartwatch use takes off — “and we believe it can,” Lurie said — then those devices could become hubs for wearable computing.

Right now smartwatches lack LTE capabilities, so they are largely reliant on smartphones for apps and notifications. With a mobile broadband connection, a smartwatch becomes an “independent device,” Lurie said.

“We’ve been very, very clear in our opinion that a wearable needs to be a stand-alone device,” Lurie said.

AT&T and Filip Technologies in January released the Filip child tracker wristwatch, which also allows a parent to call a child over AT&T’s network. Filip could be improved, but those are the kind of wearable products that AT&T wants to bring to market.

Wearables for home health care are also candidates for LTE connections, Lurie said, but fitness trackers may be too small for LTE connectivity, at least for now.

Lurie couldn’t say when smartglasses would be certified to work on AT&T’s network. Google last year said adding cellular capabilities to its Glass eyewear wasn’t in the plans because of battery use. But AT&T is willing to experiment with devices to see where LTE would fit.

“It’s one thing if I’m buying it to go out for a job, it’s another thing if I’m going to wear it everyday. Those are the things people are debating right now — how that’s all going to come out,” Lurie said. “There’s technology and there’s innovation happening, and those things will get solved.”

Lurie said battery issues are being resolved, but there are no network capacity issues. Wearable devices don’t use too much bandwidth as they relay short bursts of information, unless someone is, for instance, listening to Pandora radio on a smartwatch, Lurie said.

But AT&T is building out network capacity, adding Wi-Fi networks, and virtualizing networks to accommodate more devices.

“We don’t have network issues, we don’t have any capacity issues,” Lurie said. “The key element to adding these devices is a majority of [them] aren’t high-bandwidth devices.”

AT&T wants to make wearables work with its home offerings like the Digital Life home automation and security system. AT&T is also working with car makers for LTE integration, with wearables interacting with vehicles to open doors and start ignitions.

 

Ubuntu Goes 64-bit On ARM

April 18, 2014 by Michael  
Filed under Computing

Canonical has announced its latest milestone server release, Ubuntu 14.04 LTS.

The company, which is better known for its open source Ubuntu Linux desktop operating system, has been supplying a server flavor of Ubuntu since 2006 that is being used by Netflix and Snapchat.

Ubuntu 14.04 Long Term Support (LTS) claims to be the most interoperable Openstack implementation, designed to run across multiple environments using Icehouse, the latest iteration of Openstack.

Canonical product manager Mark Baker told The INQUIRER, “The days of denying Ubuntu are over, and the cloud is where we can make a difference.”

Although Canonical regularly issues incremental releases of Ubuntu, LTS releases such as this one represent landmarks for the operating system, which only come about every two years. LTS releases are also supported for a full five years.

New in this Ubuntu 14.04 LTS release are Juju and Maas orchestration and automation tools and support for hyperscale ARM 64-bit computing such as the server setup recently announced by AMD.

Baker continued, “We’re not an enterprise vendor in the traditional sense. We’ve got a pretty good idea of how to do it by now. Openstack is gaining a more formal status as enterprise evolves to adopt cloud based solutions, and we are making a commitment to support it.

“Openstack Iceberg is also considered LTS and as such will be supported for five years.”

Scalability is another key factor. Baker said, “We look at performance. For the majority of our customers it’s about efficiency – how rapidly we can scale up and scale in, and that’s something Ubuntu does incredibly well.”

Ubuntu 14.04 LTS will be available to download from Thursday.

Courtesy-TheInq

Google Glass One Day Sale Proves Successful

April 17, 2014 by mphillips  
Filed under Consumer Electronics

Google’s one-day sale of Google Glass appears to have been a success with all units sold out, a blog post by the technology titan suggests.

“All spots in the Explorer Program have been claimed for now, but if you missed it this time, don’t worry,” the Google Glass team wrote on its blog on Wednesday.

“We’ll be trying new ways to expand the Explorer program in the future.”

Google did not respond to a request for more information, but an earlier post about the one-day sale spoke of brisk sales of the $1,500 Internet-enabled headset.

“We’ve sold out of Cotton (white), so things are moving really fast,” the team wrote.

Aside from the white version, Glass was being offered in shades marketed as Charcoal, Tangerine, Shale (grey) and Sky (blue). Buyers had the choice of their favorite shade or frame. Google announced the one-day sale available to all U.S. residents over 18 last week, adding it wasn’t ready to bring the gizmo to other countries. Shoppers who missed it have to sign up for updates at the Glass website.

Only a few thousand early adopters and developers had Glass before the one-day sale, which coincided with a major software update for the heads-up display that put video calling on hold.

An official launch of Google Glass may happen later this year.

 

Red Hat Goes Atomic

April 17, 2014 by Michael  
Filed under Computing

The Red Hat Summit kicked off in San Francisco on Tuesday, and continued today with a raft of announcements.

Red Hat launched a new fork of Red Hat Enterprise Linux (RHEL) with the title “Atomic Host”. The new version is stripped down to enable lightweight deployment of software containers. Although the mainline edition also supports software containers, this lightweight version improves portability.

This is part of a wider Red Hat initiative, Project Atomic, which also sees virtualisation platform Docker updated as part of the ongoing partnership between the two organisations.

Red Hat also announced a release candidate (RC) for Red Hat Enterprise Linux 7. The beta version has already been downloaded 10,000 times. The Atomic Host fork is included in the RC.

Topping all that is the news that Red Hat’s latest stable release, RHEL 6.5, has been deployed at the Organisation for European Nuclear Research – better known as CERN.

The European laboratory, which houses the Large Hadron Collider (LHC) and was the birthplace of the World Wide Web, has rolled out the latest versions of Red Hat Enterprise Linux, Red Hat Enterprise Virtualisation and Red Hat Technical Account Management. Although Red Hat has a long history with CERN, this has been a major rollout for the facility.

The logging server of the LHC is one of the areas covered by the rollout, as are the financial and human resources databases.

The infrastructure comprises a series of dual socket servers, virtualised on Dell Poweredge M610 servers with up to 256GB RAM per server and full redundancy to prevent the loss of mission critical data.

Niko Neufeld, deputy project leader at the Large Hadron Collider, said, “Our LHCb experiment requires a powerful, very reliable and highly available IT environment for controlling and monitoring our 70 million CHF detectors. Red Hat Enterprise Virtualization is at the core of our virtualized infrastructure and complies with our stringent requirements.”

Other news from the conference includes the launch of Openshift Marketplace, allowing customers to try solutions for cloud applications, and the release of Red Hat Jboss Fuse 6.1 and Red Hat Jboss A-MQ 6.1, which are standards based integration and messaging products designed to manage everything from cloud computing to the Internet of Things.

Courtesy-TheInq

Reddit Going After More Users, Advertisers With New Feature

April 17, 2014 by mphillips  
Filed under Around The Net

Reddit, a website with a retro-’90s look and space-alien mascot that tracks everything from online news to celebrity Q&As, is trying to attract even more followers, and advertising, by allowing members of its passionate community to post their own news more quickly and easily.

Reddit, majority owned by Conde Nast parent Advanced Publications, last month unveiled a new feature that lets users of the nine-year-old site post live updates, allowing them to report in real time.

The live updates allow selected users, dubbed “reporters” by Reddit, to instantly stream unlimited posts during the course of an event such as the conflict in the Ukraine, an earthquake in Los Angeles, or a game played in real time, without having to refresh the page.

The capability is still in testing mode. So far only users selected on a case-by-case basis can create a live thread. The feature has attracted attention. For example, live threads linked to “Twitch plays Pokemon,” in which users of the Twitch website played an old Nintendo game, garnered 2 million page views in 30 days.

“Reddit members are doing amazing things with very minimal tools and were hitting some barriers,” said Erik Martin, general manager.

Martin, who said the site is not yet profitable and declined to give specific revenue figures, added: “We want to give people a more powerful way to make updates.”

Reddit’s move toward enabling users to fluidly update is the latest move in a battle between social media sites including Facebook, Twitter and LinkedIn to use news to engage users, and attract more ad dollars.

Before, Reddit users could not update in real time. The new feature is similar to how people instantly send tweets but keeps the updates together through one thread or “subreddit.”

Reddit, which also gets revenue through e-commerce, has ramped up efforts of late to attract more advertisers. Next week, it plans to unveil city and country targeting capabilities that allow advertisers to address users by geographic market.

One recent ad, specific to Reddit, featured the actors Jeff Goldblum and Bill Murray, stars of the movie “The Grand Budapest Hotel,” as individual threads.

Some 62 percent of Reddit users get their news through the platform while about half of all Facebook and Twitter users do the same, according to a recent report on the State of the News Media from the Pew Research Center.

“Reddit is all about the community, that is the value they brought to the site as they created it,” said Kelly McBride, a senior faculty member at the Poynter Institute, who has been following Reddit since it was founded.

“News has always been really important to Reddit,” she said.

Reddit has more than 114 million unique visitors worldwide and has doubled its traffic in 12 months, said Martin. Facebook has more than 1 billion users and Twitter has more than 240 million.

 

MediaTek Shows Off New LTE SoC

April 17, 2014 by Michael  
Filed under Computing

MediaTek has shown off one of its most interesting SoC designs to date at the China Electronic Information Expo. The MT6595 was announced a while ago, but this is apparently the first time MediaTek showcased it in action.

It is a big.LITTLE octa-core with integrated LTE support. It has four Cortex A17 cores backed by four Cortex A7 cores and it can hit 2.2GHz. The GPU of choice is the PowerVR G6200. It supports 2K4K video playback and recording, as well as H.265. It can deal with a 20-megapixel camera, too.

The really interesting bit is the modem. It can handle TD-LTE/FDD-LTE/WCDMA/TD-SCDMA/GSM networks, hence the company claims it is the first octa-core with on board LTE. Qualcomm has already announced an LTE-enabled octa-core, but it won’t be ready anytime soon. The MT6595 will – it is expected to show up in actual devices very soon.

Of course, MediaTek is going after a different market. Qualcomm is building the meanest possible chip with four 64-bit Cortex A57 cores and four A53 cores, while MediaTek is keeping the MT6595 somewhat simpler, with smaller 32-bit cores.

Courtesy-Fud

Microsoft Updates Office Online

April 16, 2014 by mphillips  
Filed under Computing

Microsoft is updating its Web-based Office Online suite, closing the features gap with the main Office 365 and Office 2013 suites installed on users’ devices.

“We know you want features that allow you to move as seamlessly as possible between Office Online and the desktop,” wrote Kaberi Chowdhury, an Office Online technical product manager, in a blog post Monday.

Improvements to Excel Online include the ability to insert new comments, edit and delete existing comments, and properly open and edit spreadsheets that contain Visual Basic for Applications (VBA) code.

Meanwhile, Word Online has a new “pane” where users can see all comments in a document, and reply to them or mark them as completed. It also has a refined lists feature that is better able to recognize whether users are continuing a list or starting one. In addition, footnotes and end notes can now be added more conveniently inline.

PowerPoint Online has a revamped text editor that offers a layout view that more closely resembles the look of finished slides, according to Microsoft. It also has improved performance and video functionality, including the ability to play back embedded YouTube videos.

For users of OneNote Online, Microsoft is now adding the ability to print out the notes they’ve created with the application.

Microsoft is also making Word Online, PowerPoint Online and OneNote Online available via Google’s Chrome Web Store so that Chrome browser users can add them to their Chrome App launcher. Excel Online will be added later.

The improvements in Office Online will be rolled out to users this week, starting Monday.

Office Online, which used to be called Office Web Apps, competes directly against Google Docs and other browser-based office productivity suites. It’s meant to offer users a free, lightweight, Web-based version of these four applications if they don’t have the desktop editions on the device they’re using at that moment.

 

Google Reveals Email Scanning Practices In Revised Terms Of Service

April 16, 2014 by mphillips  
Filed under Around The Net

Google Inc updated its terms of service earlier this week, informing users that their incoming and outgoing emails are automatically analyzed by software to create targeted ads.

The revisions more explicitly spell out the manner in which Google software scans users’ emails, both when messages are stored on Google’s servers and when they are in transit, a controversial practice that has been at the heart of litigation.

Last month, a U.S. judge decided not to combine several lawsuits that accused Google of violating the privacy rights of hundreds of millions of email users into a single class action.

Users of Google’s Gmail email service have accused the company of violating federal and state privacy and wiretapping laws by scanning their messages so it could compile secret profiles and target advertising. Google has argued that users implicitly consented to its activity, recognizing it as part of the email delivery process.

Google spokesman Matt Kallman said in a statement that the changes “will give people even greater clarity and are based on feedback we’ve received over the last few months.”

Google’s updated terms of service added a paragraph stating that “our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.”

 

Mt. Gox Founder Refuses To Appear In U.S. Regarding Bankruptcy

April 16, 2014 by mphillips  
Filed under Around The Net

Mark Karpeles, the founder of Mt. Gox, has refused to come to the United States to answer questions about the Japanese bitcoin exchange’s U.S. bankruptcy case, Mt. Gox lawyers told a federal judge on Monday.

In the court filing, Mt. Gox lawyers cited a subpoena from the U.S. Department of Treasury’s Financial Crimes Enforcement Network, which has closely monitored virtual currencies like bitcoin.

“Mr. Karpeles is now in the process of obtaining counsel to represent him with respect to the FinCEN Subpoena. Until such time as counsel is retained and has an opportunity to ‘get up to speed’ and advise Mr. Karpeles, he is not willing to travel to the U.S.”, the filing said.

The subpoena requires Karpeles to appear and provide testimony in Washington, D.C., on Friday.

The court papers also said a Japanese court had been informed of the issue and that a hearing was scheduled on Tuesday in Japan.

Bitcoin is a digital currency that, unlike conventional money, is bought and sold on a peer-to-peer network independent of central control. Its value has soared in the last year, and the total worth of bitcoins minted is now about $7 billion.

Mt. Gox, once the world’s biggest bitcoin exchange, filed for bankruptcy protection in Japan last month, saying it may have lost nearly half a billion dollars worth of the virtual coins due to hacking into its computer system.

According to Monday’s court filings, the subpoena did not specify topics for discussion.

In the court filings, Karpelès’ lawyers asked the court to delay the bankruptcy deposition to May 5, 2014 but said that Mt. Gox could not guarantee that Karpeles would attend that either.

 

Intel Shows Off New Hybrid Laptop Geared Towards Schools

April 15, 2014 by mphillips  
Filed under Computing

Intel unveiled a laptop-tablet hybrid with Windows 8.1 for the education market, where Chromebooks and tablets are also vying for customers.

The Intel Education 2-in-1 hybrid has a 10.1-inch screen that can detach from a keyboard base to turn into a tablet. Intel makes reference designs, which are then replicated by device makers and sold to educational institutions.

The 2-in-1 has a quad-core Intel Atom processor Z3740D, which is based on the Bay Trail architecture. The battery lasts about eight hours in tablet mode, and three more hours when docked with the keyboard base, which has a second battery.

Intel did not immediately return requests for comment on the estimated price for the hybrid or when it would become available.

Education is a hotly contested market among computer makers, as Apple pushes its iPads and MacBooks while PC makers like Dell, Hewlett-Packard and Lenovo hawk their Chromebooks.

Some features in the Intel 2-in-1 are drawn from the company’s Education tablets, which also run on Atom processors, but have the Android OS.

The 2-in-1 hybrid has front-facing and rear-facing cameras, and a snap-on magnification lens that allows students to examine items at a microscopic level.

The computer can withstand a drop of 70 centimeters, a feature added as protection for instances in which children mishandle laptops and let them fall. The keyboard base also has a handle.

The screen can be swiveled and placed on the keyboard, giving it the capability of a classic convertible laptop. This feature has been drawn from Intel’s Classmate series of education laptops.

The 2-in-1 has software intended to make learning easier, including tools for the arts and science. Intel’s Kno app provides access to 225,000 books. Typically, some of the books available via Kno are free, while others are fee-based.

 

 

BlackBerry Plans To Release Patch For ‘Heartbleed’ Vulnerability

April 15, 2014 by mphillips  
Filed under Mobile

BlackBerry Ltd said it will release security updates for messaging software for Android and iOS devices by Friday to address vulnerabilities in programs related to the “Heartbleed” security threat.

Researchers last week warned they uncovered Heartbleed, a bug that targets the OpenSSL software commonly used to keep data secure, potentially allowing hackers to steal massive troves of information without leaving a trace.

Security experts initially told companies to focus on securing vulnerable websites, but have since warned about threats to technology used in data centers and on mobile devices running Google Inc’s Android software and Apple Inc’s iOS software.

Scott Totzke, BlackBerry senior vice president, told Reuters on Sunday that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate email and BBM messaging program for Android and iOS.

He said they are vulnerable to attacks by hackers if they gain access to those apps through either WiFi connections or carrier networks.

Still, he said, “The level of risk here is extremely small,” because BlackBerry’s security technology would make it difficult for a hacker to succeed in gaining data through an attack.

“It’s a very complex attack that has to be timed in a very small window,” he said, adding that it was safe to continue using those apps before an update is issued.

Google spokesman Christopher Katsaros declined comment. Officials with Apple could not be reached.

Security experts say that other mobile apps are also likely vulnerable because they use OpenSSL code.

Michael Shaulov, chief executive of Lacoon Mobile Security, said he suspects that apps that compete with BlackBerry in an area known as mobile device management are also susceptible to attack because they, too, typically use OpenSSL code.

He said mobile app developers have time to figure out which products are vulnerable and fix them.

“It will take the hackers a couple of weeks or even a month to move from ‘proof of concept’ to being able to exploit devices,” said Shaulov.

Technology firms and the U.S. government are taking the threat extremely seriously. Federal officials warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the Heartbleed bug.

Companies including Cisco Systems Inc, Hewlett-Packard Co, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp and Red Hat Inc have warned customers they may be at risk. Some updates are out, while others, like BlackBerry, are rushing to get them ready.

 

Wi-Fi Problems Plague Apple-Samsung Trial

April 15, 2014 by mphillips  
Filed under Around The Net

There’s a new sign on the door to Courtroom 1 at the federal courthouse in San Jose, the location of the Apple v. Samsung battle that’s playing out this month: “Please turn off all cell phones.”

For a trial that centers on smartphones and the technology they use, it’s more than a little ironic. The entire case might not even be taking place if the market wasn’t so big and important, but the constant need for connectivity of everyone is causing problems in the court, hence the new sign.

The problems have centered on the system that displays the court reporter’s real-time transcription onto monitors on the desks of Judge Lucy Koh, the presiding judge in the case, and the lawyers of Apple and Samsung. The system, it seems, is connected via Wi-Fi and that connection keeps failing.

“We have a problem,” Judge Koh told the courtroom on April 4, soon after the problem first appeared. Without the system, Koh said she couldn’t do her job, so if people didn’t shut off electronics, she might have to ban them from the courtroom.

In many other courts, electronic devices are routinely banned, but the Northern District of California and Judge Koh have embraced technology more than most. While reporters and spectators are limited to a pen and paper in courts across the country, the court here permits live coverage through laptops and even provides a free Wi-Fi network.

On Monday, the problems continued and Judge Koh again asked for all cellphones to be switched off.

But not everyone listened. A scan of the courtroom revealed at least one hotspot hadn’t been switched off: It was an SK Telecom roaming device from South Korea, likely used by a member of Samsung’s team.

The hotspot was switched off by the end of the day, but on Tuesday there were more problems.

“You. Ma’am. You in the front row,” Judge Koh said sternly during a break. She’d spotted an Apple staffer using her phone and made the culprit stand, give her name and verbally agree not to use the handset again in court.

As a result of all the problems, lawyers for Apple and Samsung jointly suggested using a scheduled two-day break in the case to hardwire the transcription computers to the court’s network.

The cable wasn’t installed.

“I believe there were some issues. We’re attempting to install it,” one of the attorneys told IDG News Service during the court lunch break.

So for now, the problems continue.

The clerk opened the day with an appeal to switch phones off, “not even airplane mode.”

That still didn’t help.

The transcription screens failed at 9:09 a.m., just minutes into the first session of the morning.

 

IRS Missed Windows XP Deadline, To Pay Microsoft Millions

April 14, 2014 by mphillips  
Filed under Computing

The U.S. Internal Revenue Service (IRS) confirmed that it missed the April 8 cut-off for Windows XP support, and will be paying Microsoft millions for an extra year of security patches.

Microsoft terminated Windows XP support on Tuesday when it shipped the final public patches for the nearly-13-year-old operating system. Without patches for vulnerabilities discovered in the future, XP systems will be at risk from cyber criminals who hijack the machines and plant malware on them.

During an IRS budget hearing Monday before the House Financial Services and General Government subcommittee, the chairman, Rep. Ander Crenshaw (R-Fla.) wondered why the agency had not wrapped up its Windows XP-to-Windows 7 move.

“Now we find out that you’ve been struggling to come up with $30 million to finish migrating to Windows 7, even though Microsoft announced in 2008 that it would stop supporting Windows XP past 2014,” Crenshaw said at the hearing. “I know you probably wish you’d already done that.”

According to the IRS, it has approximately 110,000 Windows-powered desktops and notebooks. Of those, 52,000, or about 47%, have been upgraded to Windows 7. The remainder continue to run the aged, now retired, XP.

John Koskinen, the commissioner of the IRS, defended the unfinished migration, saying that his agency had $300 million worth of IT improvements on hold because of budget issues. One of those was the XP-to-7 migration.

“You’re exactly right,” Koskinen said of Crenshaw’s point that everyone had fair warning of XP’s retirement. “It’s been some time where people knew Windows XP was going to disappear.”

But he stressed that the migration had to continue. “Windows XP will no longer be serviced, so we are very concerned if we don’t complete that work we’re going to have an unstable environment in terms of security,” Koskinen said.

According to Crenshaw, the IRS had previously said it would take $30 million out of its enforcement budget to finish the migration.

Part of that $30 million will be payment to Microsoft for what the Redmond, Wash. developer calls “Custom Support,” the label for a program that provides patches for critical vulnerabilities in a retired operating system.

Analysts noted earlier this year that Microsoft had dramatically raised prices for Custom Support, which previously had been capped at $200,000 per customer for the first year. Instead, Microsoft negotiates each contract separately, asking for an average of $200 per PC for the first year of Custom Support.

Using that average — and the number of PCs the IRS admitted were still running XP — the IRS would pay Microsoft $11.6 million for one year of Custom Support.

The remaining $18.4 million would presumably be used to purchase new PCs to replace the oldest ones running XP. If all 58,000 remaining PCs were swapped for newer devices, the IRS would be spending an average of $317 per system.