On this day in 1995, Microsoft released Windows 95 to the public. It was an important moment for the company, and it paid The Rolling Stones $3 million for the right to use Start Me Up in its marketing campaign for the revolutionary new operating system.
And start it up people did. Windows 95 was a huge commercial success for Microsoft, with 40 million copies sold in the first year alone. The only problem is, two decades later, some people haven’t shut it down.
I spoke to Dutch security researcher Victor Gevers about the prevalence of Windows 95 in 2017. He said that there are only seven machines accessible from the outside Internet, all situated in Taiwan.
I checked one out. Shodan confirmed it ran Windows 95. It also said that it was running an SMB file server, and had been compromised with DoublePulsar — the NSA-built hacking tool that was leaked and disseminated by The Shadow Brokers earlier this year.
Given Windows 95 last received support in December, 2001, it’s a certainty that there are hundreds — if not thousands — of other unpatched security issues.
And these seven servers are just the tip of the iceberg. The researcher pointed out that there are significantly more Windows 95 machines still in use.
These might be behind firewalls, either as legacy or redundant systems, or simply as appliances. They might not even be connected to the Internet.
The enduring use of these systems is seldom due to budgetary reasons. Money is hardly ever the problem. It’s that often they run expensive and mission-critical software that only runs in particular environments.
What I imagine most people would find surprising is that Windows 95 has a home in the United States military, which had a 2015 budget of $601 billion.
According to an April 2017 post from Softpedia, 75 percent of the Pentagon’s control systems run Windows XP, or other operating systems that have long been discontinued.
“A lot of these systems are still Windows 95 or 98, and that’s OK—if they’re not connected to the internet,” one Pentagon spokesperson is on record as saying.
Software never dies, it just hides
Even to this day, a question about Windows 95 will pop up occasionally on Quora or Stack Overflow.
There’s even a semi-active Windows 95 subreddit, which feels like a self-help group for people clinging on to tech’s halcyon days. One person bragged about getting Gmail working with Outlook 97, while another took to the board to complain about difficulties in configuring the OS’s graphics.
But these people are outliers. From the perspective of most consumers, Windows 95 is long gone. It belongs to a prehistoric era of computing that’s best forgotten.
When people think of Windows 95, it’s inevitably as a curiosity. When someone figured out how to run it in the browser, we all laughed. Similar guffaws could be heard when it was made to run on the truly diminutive Samsung Gear Live.
Someone even made a video where they showed Windows 95 to a flock of Generation Z-ers, who were aghast, with one joking that it was “the first computer ever made.”
But none of that matters, as Windows 95 will continue to live on. We just won’t notice it. It’ll exist in the back-rooms of offices, banks, and factories, quietly ticking away without even a second thought.
And this is going to continue to present headaches to security professionals, CISOs and CIOs, who have to walk an incredible tightrope, balancing the business needs of the company against the fact that these machines are the infosec equivalent of a ticking time bomb.