After all these years I am willing to admit that Microsoft has won the desktop and server wars. Thanks to VMware, Windows is spreading throughout the datacenter. And, of course, there is only one operating system to use if you are dependent on Microsoft apps like Outlook, Word, and Excel.
While I have joined the chorus of security folks who rail against the Microsoft Monoculture I still cannot believe some of the uses for Windows. Some of them are just downright silly, some you may claim are criminally negligent.
So here is the Top Ten List of Worst Uses for Windows:
1. To display a static green arrow over the open TSA security lanes at Detroit Metro.
I kid you not, at the main security checkpoint to get into Detroit Metro there are monitors over each metal detector. The ONLY thing those monitors ever display is a big green arrow pointing down. Oh, occasionally they display a blue screen with a Windows error notice.
2. Ticket scanner at Frankfurt airport
Another example of too much horsepower for a simplified task. In this case I saw a Windows boot-up screen on the little laser scanner for checking people onto the plane. Why not program some stripped-down embedded system for that task? It would most likely be open source and would not need to be updated every month.
3. Gift certificate dispensing kiosk
I am responsible for this one. Back before the turn of the century I needed to sell printed gift certificates from kiosks in downtown Birmingham, Michigan. All I could find was a manufacturer in Seattle who charged me $10,000 apiece, including the touch screen and beautiful purple stand. The OS was Windows NT. It meant that twice a week I had to deploy a technician (me) to each kiosk to reboot them, because they would freeze up due to memory leaks.
Eventually the manufacturer came up with a fix. I downloaded a script to each machine that would reboot it automatically every day at midnight. It may be hard to comprehend today but Microsoft effectively trounced Sun, DEC, HP, and IBM in the enterprise with products that were so flawed that they needed to be rebooted every 24 hours. (That’s scheduled downtime, not used in calculating five nines.)
4. Job application kiosk
Now we get into security. A little retailer in the Boston area used standalone kiosks for presenting job application forms. Hackers found it convenient to compromise the Windows-based machine and steal tens of millions of credit cards from the retailer. Yes, it was TJX.
5. Train engine controls
This one would apply just as well to any moving vehicle such as a ship, earth-moving equipment, etc. I was on an Amtrak train from San Jose to San Diego a couple of years ago. As usual we had to pull off the main track to allow a freight train through. After that the train would not start again.
We were told the engineer could not reboot the computer. Now, I did not get confirmation that the train ran on Windows but it is telling that that would be anyone’s first assumption. And products like this locomotive control system do run on Windows.
6. Building controls
Listen, we all have enough trouble with heat, water, cooling, and electrical outages. Why make them worse with Windows? Luckily no one would ever rely on Windows to control elevators right?
Think again. Read the Elevator Management System product document from Otis. Not only do you need Windows 2000 or XP for the Main Station, but it is accessed via a web browser from anywhere on the Internet! Talk about a hacker’s dream.
7. Manufacturing controls
Now we are getting to la-la land. Imagine having your manufacturing plant rely on Windows. If you are the plant manager, how do you explain to your CEO that your plant is down because of a virus? But I am here to tell you that Windows on machine controllers is becoming standard. Crazy, but the truth.
8. ATMs
I was once treated to an evening on Steve Forbes’s yacht by ISS. It was an event for industry analysts, and ISS (now IBM) took the opportunity to demonstrate the endpoint security they were working on. One of the examples they showed us was a NEC ATM application. I could not concentrate on their add-on solution because I was so astonished that NEC was deploying cash machines all over the world running Windows.
Who at the banks makes these decisions? Don’t the RFPs have a section in them labeled “demonstration of hardened operating system”? I guess not at Citibank, which, it turns out, succumbed to an attack on its network in which account numbers and PIN codes were stolen.
9. SCADA Networks
Imagine taking the largest networks for electrical transmission, oil and gas pipelines and even vast underground pipes for transporting gasoline, and controlling them via Windows. Well, it is happening. SCADA, the supervisory control and data acquisition technology for running critical infrastructure, has moved to IP, and the endpoint pumps, switches and management stations are all running Windows.
How many of those systems harbor Trojan horses today? How many are ready to experience a memory leak that forces an unscheduled reboot and sets off an uncontrolled ripple throughout the critical infrastructure? Wait and see.
10. Medical equipment
I really begin to doubt the intelligence of engineers today whenever I encounter a medical equipment manufacturer that has made the switch to Windows from Unix.
First of all, let me point out that the FDA requires a lengthy paper trail to be filed every time medical equipment like dialysis machines, imaging equipment, radiation therapy, and biological monitors is upgraded. That includes being patched for bugs and security updates every Patch Tuesday if it is running Windows.
You know what that means. They are not updated. Therefore they are vulnerable. Critical life support systems throughout a hospital are vulnerable to viruses and worms. They could fail because of the lack of foresight of the manufacturers. People could lose their lives.
So, what’s my point? I believe that “Windows Everywhere” is a strategy that benefits only Microsoft. Everyone else should pick the best overall solution for their application. Need to run DNS? Why use a big hairy operating system like Windows for such a simple yet critical application?
Look for stripped down hardened solutions for mission critical apps. Use Windows for must-have office productivity suites, gaming if you have to, but don’t build Windows into your operations if you do not have to.
Are car manufacturers really considering Vista for autos? Is NASA putting Windows in the specifications for the STS replacement? I hope not but I have been surprised before.
Richard Stiennon is a security industry innovator. He is currently consulting, speaking and writing on all manner of security topics and has just announced the launch of Seccom Global, a Managed Security Service Provider focused on UTM.