The Long Tail of Legacy Technology
The Law of IT Inertia: A system in use tends to remain in use.
Here are some reasons why some technology is stickier than others:
When the technology is written into applications, it’s expensive to write it back out again. This is especially the case for applications that were written as one-offs or by small vendors that may no longer exist (like Flash used by developers in the early part of this decade). Unless you’re a software vendor selling to other organizations, you’re not going to budget to keep updating something you wrote once upon a time to fulfill a static business need.
When the software just works, it’s used by everything. Look at the long life of Windows XP, which is used in a wide variety of systems, from kiosks to road signs to medical equipment. Anything that was easy to migrate or update has been done; the remainder is both robust and embedded in ways that are expensive to change. If it were operationally flaky in a way that cost downtime, it would have been replaced — but as long as it’s functional, it’ll stay put.
Software that is hidden from the end user (that is, the functionality is not directly apparent) is considered “plumbing” and is the last to be changed, again, unless it breaks. It is often thought of as “furniture.” You buy it once, and expect to keep it forever without thinking about it. It’s hard to overstate how foreign a concept it is for non-technical people to keep changing a tool or utility that isn’t their core mission.
Software that is closest to the end user tends to change in functionally additive ways. Look! Now you can use emojis in threat intelligence! But if it changes too much in the interface itself, it’s disruptive and users don’t like it. The more expensive the support is for a system, the less it tends to change in ways that will affect the users.
When software is ensconced in a form that is cheap to manufacture and sell, the assumption is that the customer will simply discard it and buy a new one rather than update the one in place. This dovetails with planned obsolescence in household appliances and consumer electronics. When you’re faced with updating the firmware in your lightbulbs, your coffee mug, and your shoes, pretty soon you’ll just let them age out of their functionality.
What does this all imply for security?
The cost of updating or replacing software can vary widely. Part of the design should be ease of updating, although vendors typically aren’t incentivized to make their products easy to replace. On one hand, if software is too easy to update, the process becomes an attack vector in itself; on the other hand, any updates that requires physical access also raises the cost (for example, over 20,000 truck rolls to implement encryption in retail store point-of-sale systems).
In a few cases, security needs have won out over end-of-support and end-of-life announcements by vendors. Microsoft stands as an example of this trend, and others will likely follow suit. In the future, we may well see more acceptance that security updates and functionality updates need to be separated from one another, and vendors must plan for their technology to remain in use for far longer than it was ever intended -- especially if they build it well.
When you see an old version of software, don’t think of it as crufty; see it as a reliable workhorse that has given years or even decades of service.
Phishing: A Modern Guide to an Age-Old Problem
This guide gives you a detailed look into how phishing has evolved and the new tactics used to fool users, with statistics on the personas and industries phishers are targeting. Download the free guide here.Free Guide