Software End of Life

Keeping track of software which is going EOL is a never-ending and thankless task. Never-ending, because all software has a lifespan, even though it may well function long after it is officially no longer supported; thankless, for a whole variety of reasons. This blog post looks at both aspects.

Never ending

The relentless pace of change is keenly felt in IT, with a high turnover of hardware and software and the associated skills, knowledge, and familiarity. Tracking the EOL of different products falls into three camps: the clearly signposted, the reasonable assumption, and the total guess.

In the ‘clearly signposted’ camp are the likes of Microsoft (http://support.microsoft.com/gp/lifeselect), Red Hat Enterprise Linux (https://access.redhat.com/site/support/policy/updates/errata/) and Oracle, who publish their product EOL. This makes it easy to plan the replacement of the software and associated hardware, although the replacement date for Windows XP, despite being known for a decade, still seems likely to catch a large number of people by surprise: http://www.theregister.co.uk/2014/03/05/windows_xp_market_share_grows_again/

All University owned computers with Windows XP on them will have Windows XP replaced by 8th April, but clearly there are going to be challenges in removing XP from personally owned devices and home users. If you are the ‘tech support’ for any such users, then please ensure that you pass on the message about its EOL.

The ‘reasonable assumption’ camp is headed by Apple. They don’t provide explicit EOL information for their software (although they do for their hardware: http://www.apple.com/support/?artnum=304210). This means that a pragmatic approach must be taken, based on past experience and on which updates have, or have not, been released: http://arstechnica.com/apple/2014/03/snow-leopard-updates-are-probably-done-here-are-your-os-x-upgrade-options/ Despite the recent updates for iOS 7 and iOS 6, there have been no updates for iOS 5 since June 2012. Given that the iPad 1 can only run iOS 5, and despite the low risk of continuing to use these devices, the time has come for a pragmatic decision to remove these devices from service. The same applies to Mac OS X 10.6 and below.

Also in the ‘reasonable assumption’ camp are the likes of PHP, who do not set an EOL date in stone, but hint very strongly: http://www.php.net/releases/5_3_27.php (dated 11 July 2013).

Finally there is the ‘total guess’. This is software which has been abandoned by its developers, either because they have lost interest in working on it, have re-written the program, or have taken a decision not to publish an EOL date. There are many mobile apps which fall into this category.
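
One way to turn the three camps above into an inventory check, as an added example that is not part of the original post. The 365-day staleness threshold, the audit date, the day-of-month for the iOS 5 entry and the two hypothetical apps are assumptions constructed for illustration.

```python
from datetime import date

# Assumption: with no published EOL date, presume a product is EOL once it has
# gone this long without an update. The post itself sets no figure.
STALE_AFTER_DAYS = 365


def classify(item, today):
    """Return (camp, status) for one inventory entry."""
    eol = item.get("published_eol")
    last = item.get("last_update")
    if eol is not None:
        # Vendor publishes a date: a simple comparison is enough.
        return ("clearly signposted", "past EOL" if today > eol else "supported")
    if last is not None:
        # No published date: infer from how long the product has gone unpatched.
        stale = (today - last).days > STALE_AFTER_DAYS
        status = "presumed EOL" if stale else "presumed supported"
        return ("reasonable assumption", status)
    # Neither a published date nor a known update history.
    return ("total guess", "unknown")


def needs_action(inventory, today):
    """Names of entries that are past EOL, presumed EOL, or unknowable."""
    flagged = []
    for item in inventory:
        _, status = classify(item, today)
        if status in ("past EOL", "presumed EOL", "unknown"):
            flagged.append(item["name"])
    return flagged


# Constructed sample inventory. XP's date and iOS 5's month come from the post;
# the two apps are hypothetical.
INVENTORY = [
    {"name": "Windows XP", "published_eol": date(2014, 4, 8)},
    {"name": "iOS 5", "last_update": date(2012, 6, 1)},
    {"name": "hypothetical-maintained-app", "last_update": date(2014, 1, 15)},
    {"name": "hypothetical-abandoned-app"},
]

if __name__ == "__main__":
    audit_day = date(2014, 5, 1)  # constructed audit date
    for entry in INVENTORY:
        print(entry["name"], classify(entry, audit_day))
    print("Needs action:", needs_action(INVENTORY, audit_day))
```

Entries that land in the ‘total guess’ camp are flagged rather than ignored, since an unknown support status cannot be planned around.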

Thankless

No-one is likely to ever thank you for pointing out that the software they use is no longer supported. There are a number of costs involved in moving to a new version. These are not just financial (the new software may well also need new hardware to run on) but also emotional. Time has been invested in learning how to use the software and in customising it to your requirements, either in the interface or in the source code. The device you are using may ‘just work’, and whilst the software is no longer supported, it does not fail to function. There are also valid environmental concerns: why should working hardware be thrown away?

The financial costs are not trivial, but must be absorbed by the University as an ongoing business cost. We are under legal obligations to our fellow staff members and students to secure their data, and a moral obligation not to impact on their computer and network usage. There are also obligations within research fields and academic disciplines to ensure the confidentiality and security of research subjects and data prior to publication.

Clearly there are no logical arguments which satisfactorily answer the emotional questions. However, there are a number of risks associated with running software beyond its EOL, the primary one being security. There are many bugs which affect versions of Windows from XP to 8. So once XP is no longer supported, it will be easy for malicious hackers to write an exploit for Windows XP based on the details of the bug fixed in the later versions. The time to exploit these bugs is shrinking: http://www.csoonline.com/article/749576/ie-zero-day-flaw-shows-kinks-in-microsoft-patching-

These risks are perceived to be lower for those using Apple software, but they are still present: http://www.csoonline.com/article/749495/a-clear-eyed-guide-to-mac-os-s-actual-security-risks?page=1

Other risks include third-party software, such as browsers and antivirus, which will not run on obsolete operating systems, and the requirement for additional resources to be spent securing the networks on which obsolete systems run.

Finally, on the subject of disposal of IT assets: these are disposed of via the Estates department in accordance with WEEE waste regulations: http://www.kent.ac.uk/estates/sustainability/files/kent_login_files/Op-Proc-13_(WEEE).pdf . Devices are not to be given to staff or taken home for family members to use.

In conclusion, managing EOL software and hardware is not an easy task, but one to which we need to be committed in order to maintain the security of our people, our data, and our systems.