<?xml version="1.0" encoding="UTF-8"?>
<!--Generated by Site-Server v@build.version@ (http://www.squarespace.com) on Sun, 01 Dec 2024 01:38:18 GMT
--><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:media="http://www.rssboard.org/media-rss" version="2.0"><channel><title>Blog List, Eric A. Soto on Technology, gadgets, computer security, the internet and more... - Eric Soto</title><link>https://www.ericsoto.net/bloglist/</link><lastBuildDate>Wed, 19 Mar 2014 17:33:57 +0000</lastBuildDate><language>en-US</language><generator>Site-Server v@build.version@ (http://www.squarespace.com)</generator><description><![CDATA[]]></description><item><title>If you're still serving websites using ColdFusion, you are asking for trouble!</title><dc:creator>Eric Soto</dc:creator><pubDate>Wed, 19 Mar 2014 17:32:18 +0000</pubDate><link>https://www.ericsoto.net/bloglist/2014/3/19/if-youre-still-serving-websites-with-coldfusion-youre-asking-for-trouble</link><guid isPermaLink="false">51d5c2f4e4b084dcc6227068:52cee972e4b0a51a9cab939a:5329d4ade4b0d901d03cab69</guid><description><![CDATA[ColdFusion is a dead platform in my opinion. Here are two different 
arguments that convince me of it.

Read More...]]></description><content:encoded><![CDATA[<p>If you're still using ColdFusion 8 (or below), you should already know that Adobe Core Support ended back in July 2012. Using this platform in a production environment is just reckless...</p><p>If you're in ColdFusion 9 or 10, you're still supported... BUT... your window is closing fast.</p><p>Still, the reality is that ColdFusion is a dead platform in my humble opinion. Yes, Adobe may or may not have plans for CF 11 (I honestly don't know), but that's not what a "real world" IT manager has to worry about.</p><p>As someone "out there" in the real world supporting systems AND hiring people to support systems, I can say that ColdFusion developers are extremely rare and when you do find them, they tend to be quite expensive. (Remember the laws of supply and demand from economics class.)</p><p>So, from the standpoint alone of finding resources, I would advise a client to move away from ColdFusion ASAP.</p><p>However, there's another angle. This is an angle that, not being a CF expert, I am unfamiliar with as it relates to CF: the side of SECURITY.&nbsp;</p><p>In a world of data breaches at giants like Target and Neiman Marcus (and countless others), security should not be an afterthought. Yet it is, many times!</p><p>Enter Brian Krebs, the respected security researcher and avid blogger. 
His take on CF security is interesting and alarming.</p><p>If my resource-based argument for moving away from CF is not enough for you, check out Brian's article and see for yourself.</p><p><span>Krebs article:</span></p><p><a target="_blank" href="http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/">http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/</a></p><p>- o -</p><p>Adobe's End of Life Time Line is here:</p><p><a target="_blank" href="http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63">http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63</a></p>]]></content:encoded></item><item><title>Infographics tell a story!</title><dc:creator>Eric Soto</dc:creator><pubDate>Sat, 15 Feb 2014 16:18:52 +0000</pubDate><link>https://www.ericsoto.net/bloglist/2014/2/15/infographics-can-tell-a-story-in-seconds</link><guid isPermaLink="false">51d5c2f4e4b084dcc6227068:52cee972e4b0a51a9cab939a:52ff8fd1e4b09e6f5ea67643</guid><description><![CDATA[Infographics are the rage of the Internet right now. I always thought these 
graphics came from the clever minds of designers! However, after listening 
to Randy Krum at a recent http://sfima.com/ event, I have quite a different 
view!

Read More...]]></description><content:encoded><![CDATA[<p>I had the privilege of attending a presentation by Randy Krum, who has literally "written the book" on infographics. I love infographics, and they are the rage of the Internet right now. But I always thought these graphics came from the clever minds of designers! Actually, Randy's well crafted presentation helped me realize that infographics are data visualizations and not graphic design! Yes, design elements help tell the story, but data takes center stage, albeit shown with visual appeal!</p><p>As a cool example of Randy's work (who is surprisingly a Mechanical Engineer and not a designer), check out the infographic below. Did you know that the New iPad can Streamline your Digital Life? See how long it takes you to "get" the main message of the graphic... then, try to notice how much actual information is conveyed, quickly. Now, picture this same "data" but in a table - and you'll be amazed how appealing the infographic is when compared to the extremely boring table this data would otherwise be!</p>
<a href="http://nextworth.com/ipad3_infographic"><img src="http://nextworth.com/images/public.new/ipad_infographic_500px.jpg" alt="new ipad Infographic"> </a>
  <p>Learn more about Infographics at <a target="_blank" href="http://coolinfographics.com/">http://coolinfographics.com/</a><span>. Randy's book, "Cool Infographics", is available from Amazon in </span><a target="_blank" href="http://amzn.to/1gldJty">paperback</a><span> and&nbsp;</span><a target="_blank" href="http://amzn.to/1iZ450l">kindle</a><span> editions.</span></p>]]></content:encoded></item><item><title>Signup 101</title><dc:creator>Eric Soto</dc:creator><pubDate>Mon, 03 Feb 2014 16:22:08 +0000</pubDate><link>https://www.ericsoto.net/bloglist/2014/2/3/signup-101</link><guid isPermaLink="false">51d5c2f4e4b084dcc6227068:52cee972e4b0a51a9cab939a:52efc23de4b03137dd9d4780</guid><description><![CDATA[A poorly designed signup workflow can kill a website...

Read More]]></description><content:encoded><![CDATA[<p>What a great blog post on the many ways a user experience designer can present the "user signup". One thing is clear: a bad (or difficult) signup workflow will kill a website by denying the very registered users it is designed to service.</p><p>Personally, I've always strived for a super-simple signup (as simple as the website's own needs allow.) Even if we later allow the user to come back and add further information!</p><p>And one of my pet peeves is NOT providing value for effort! In other words, if a website requires me to sign up in order to use it, they BETTER PROVIDE ME VALUE. Just reading content is NOT value enough! Provide me BETTER ways to read content, perhaps!</p><p>See the full article on the Digital Telepathy website,&nbsp;<a target="_blank" href="http://www.dtelepathy.com/blog/design/ux-flows-sign-ups">UX Flows: Signup</a></p>]]></content:encoded></item><item><title>Backdoors just for the asking!</title><dc:creator>Eric Soto</dc:creator><pubDate>Tue, 14 Jan 2014 20:13:12 +0000</pubDate><link>https://www.ericsoto.net/bloglist/2014/1/14/backdoors-just-for-the-asking</link><guid isPermaLink="false">51d5c2f4e4b084dcc6227068:52cee972e4b0a51a9cab939a:52d59a74e4b0fc71b73efb83</guid><description><![CDATA[As reported by PC Magazine's Security Watch, Wickr's Co-Founder Nico Sell 
was casually asked by an FBI Agent (at a conference) "if she'd be willing 
to install a backdoor into Wickr that would allow the FBI to retrieve 
information."

Read More...]]></description><content:encoded><![CDATA[<p>As reported by PC Magazine's Security Watch, Wickr's Co-Founder Nico Sell was casually asked by an FBI Agent (at a conference) "if she'd be willing to install a backdoor into Wickr that would allow the FBI to retrieve information." Wow, the gall of these so-called "law enforcement" people!</p><p>Wickr is an app for both iOS and Android that allows its users to chat privately. Check them out at&nbsp;<a target="_blank" href="https://www.mywickr.com/en/index.php">https://www.mywickr.com/en/index.php</a></p><p>What troubles me is the nonchalant casual nature of this request to essentially violate the privacy of customers and even worse, assist in the trampling of the US Constitution! Pursuing criminals (with lawful warrants) is one thing, but asking for a backdoor to an ENTIRE system is quite another!</p><p>It also makes me wonder how many companies are simply saying "yes" and allowing this to go on. Again, I'm all for helping law enforcement pursue individuals lawfully (warrants, due process, etc) but these requests I think are not being scrutinized enough and in some cases, are secret and therefore not subject to ANY scrutiny that we can see!</p><p>Read the complete article here:&nbsp;<a target="_blank" href="http://securitywatch.pcmag.com/security/319544-what-it-s-like-when-the-fbi-asks-you-to-backdoor-your-software">http://securitywatch.pcmag.com/security/319544-what-it-s-like-when-the-fbi-asks-you-to-backdoor-your-software</a></p>]]></content:encoded></item><item><title>Top 25 Most Dangerous Software Errors</title><dc:creator>Eric Soto</dc:creator><pubDate>Thu, 09 Jan 2014 23:25:05 +0000</pubDate><link>https://www.ericsoto.net/bloglist/2014/1/9/top-25-most-dangerous-software-errors</link><guid isPermaLink="false">51d5c2f4e4b084dcc6227068:52cee972e4b0a51a9cab939a:52cf2fdee4b0a7f13eed2f44</guid><description><![CDATA[As a developer, I'm always careful that my code can't be exploited. 
However, as systems get more and more complex, and we use pieces of code or 
libraries from others, this task becomes more difficult. Resources like the 
list of Top 25 Software Errors (from a security standpoint) are invaluable 
(and eye opening.)

Read More...]]></description><content:encoded><![CDATA[<p>As a developer, I'm always careful that my code can't be exploited. However, as systems get more and more complex, and we use pieces of code or libraries from others, this task becomes more difficult.</p><p>In my quest to stay "up to date", I just ran across a very cool resource.</p><p>It's a list of the Top 25 Most Dangerous Software Errors. Though dated 2011, this is their "current link" on their website, so I'm thinking this is as up-to-date as this group has been able to make it.</p><p>Interestingly and not surprisingly, at the top of the list are SQL Injection vulnerabilities, which happen (among other ways) when inputs in fields (like a form field) are not correctly inspected prior to passing them to the SQL database. A clever hacker can add characters into the field that SQL would see as a command, giving said attacker an opportunity to run arbitrary instructions against your data! (Yikes.) This is a common error... and one I thought EVERY developer surely had learned to avoid. Apparently not!</p><p>By the way, SQL Injection attacks are super easy to prevent by simply validating input ALWAYS. There is no excuse for a system vulnerable to this!</p><p>Check out the full list at:</p><p><a target="_blank" href="http://cwe.mitre.org/top25/index.html">http://cwe.mitre.org/top25/index.html</a></p>]]></content:encoded></item><item><title>Want your own cellphone tower to eavesdrop on an unsuspecting cellphone user? No problem, the NSA has you covered!</title><dc:creator>Eric Soto</dc:creator><pubDate>Thu, 09 Jan 2014 20:08:30 +0000</pubDate><link>https://www.ericsoto.net/bloglist/2014/1/9/want-your-own-cellphone-tower-to-eavesdrop-on-an-unsuspecting-cellphone-user-no-problem-the-nsa-has-you-covered</link><guid isPermaLink="false">51d5c2f4e4b084dcc6227068:52cee972e4b0a51a9cab939a:52ceff30e4b09ff100ff7b68</guid><description><![CDATA[In recent months, it has come to light that our own government (via the 
NSA) has been quite busy enhancing their surveillance capability, very 
possibly, to collect massive amounts of data on all of us (suspect of a 
crime or not.) The latest nugget in this saga is a leaked catalog of 
"security exploits" by the NSA. Among other exploits (a lot of which are 
outrageous) is a cellphone tower (in a box?) that can be used to track a 
cellphone target.

Read More...]]></description><content:encoded><![CDATA[<p><span>Check out the alleged catalog of HACKS our own government is amassing against nearly every technology in use today!</span></p><p><span>Among many other exploits in the catalog, "CANDYGRAM" "mimics GSM tower of a target network" and costs a reported $32,000. "Typical use scenarios are... target tracking and identification..."</span></p><p><span>The content of this catalog, if true, is troubling. Assuming the government is using this for "good only", the problem is how much of this technology is leaking to third parties OR how many others have figured out the same vulnerabilities the NSA has found?</span></p><p><span>In the world of security researchers and ethical hackers (yes, they do exist), there is this concept of "responsible disclosure". This means when a security expert or white-hat hacker finds a vulnerability, they disclose the details to the organization that owns the technology. Said organization generally fixes the issue before the exploit is widely known, therefore averting harm to unsuspecting users!&nbsp;</span></p><p><span>But, our NSA has no such incentive to disclose (quite the contrary.) So, they are possibly finding (and leaking, inadvertently or not) vulnerabilities AND they are NOT disclosing them to be fixed! This is, well, outrageous no matter the reason! 
The lack of disclosure is potentially causing people to suffer at the consequences of security issues!</span></p><p><span>Read the full article here and prepare to be outraged:&nbsp;</span><a target="_blank" href="http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/"><span>http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/</span></a></p><p>By the way, the names are HILARIOUS if not for the reality of what they are!</p><p>Note, I make no claim as to the veracity of this information.&nbsp;</p>]]></content:encoded></item><item><title>Healthcare providers, your time is running out to replace Windows XP!</title><dc:creator>Eric Soto</dc:creator><pubDate>Thu, 09 Jan 2014 18:39:20 +0000</pubDate><link>https://www.ericsoto.net/bloglist/2014/1/9/healthcare-providers-your-time-is-running-out-to-replace-windows-xp</link><guid isPermaLink="false">51d5c2f4e4b084dcc6227068:52cee972e4b0a51a9cab939a:52cee9b5e4b024b4d0e05616</guid><description><![CDATA[Healthcare providers still relying on Windows XP are at risk of security 
vulnerabilities even today, and the problem will get worse in April 2014 
once Microsoft stops issuing patches for this 12-year-old operating system! 
There simply is no reason to still be using Windows XP, and it may lead to 
compliance issues and exposure to huge liability for providers.

Read More...

 ]]></description><content:encoded><![CDATA[<p>Healthcare providers still relying on Windows XP are at risk of security vulnerabilities even today, and the problem will get worse in April 2014 once Microsoft stops issuing patches for this 12-year-old operating system! There simply is no reason to still be using Windows XP, and it may lead to compliance issues and exposure to huge liability for providers.</p><p>Windows XP is literally “ancient” technology (by technology standards), created for a completely different “time” in our technology landscape. It was released in 2001, then replaced in 2007 (nearly 7 years ago.) It has had a long and, some would argue, a good run, but it is now seriously outdated. Three completely new versions of Windows have been released following Windows XP.</p><p>Windows XP actually has been outdated for years and Microsoft dropping support for this old technology is not surprising at all. What is more surprising is that it was supported this long and that there are any users at all still depending on this operating system, which has left them exposed time and time again! Not to mention, these users have an extremely limited (and underwhelming) view of the Internet because a lot of modern software will also not run under Windows XP, and few (if any) serious commercial software companies release software optimized for Windows XP.</p><h2>If you can hack it, they will come!</h2><p>Will hackers come out in droves to exploit XP? Absolutely! They already do! Windows XP has had literally hundreds (thousands) of patches in its lifetime. Because it is no longer in development (and has not been in years), Microsoft does not actively look for Windows XP vulnerabilities (why would they?) Instead, they simply fix what others identify. This means that every time there is a Windows XP patch, it is very likely that the patch was driven by a LIVE EXPLOIT that someone other than Microsoft identified. 
Sometimes, exploits are identified by security companies or white-hat hackers and ethically disclosed to Microsoft before they cause harm. More often with an old technology, however, exploits are being identified when attacks are successful. This means someone (a real person) was affected by an exploit (read as identity theft, data breach, money fraud, malware, loss of data, etc.)</p><p>Besides the security implications, there are serious cost implications also. In an IDC study (commissioned by Microsoft in May 2012), IDC found that supporting older Windows XP installations, compared with a modern Windows 7–based solution, saddles organizations with a dramatically higher cost. Annual cost per PC for Windows XP is $870, while a comparable Windows 7 installation costs $168 per PC per year. That is an incremental $701 per PC per year for IT and end-user labor costs. (<a href="http://www.microsoft.com/en-us/download/confirmation.aspx?id=29883">http://www.microsoft.com/en-us/download/confirmation.aspx?id=29883</a>)</p><h2>Should providers migrate away from Windows XP prior to April 2014?</h2><p>Yes, absolutely!</p><p>Windows XP was released in late 2001, making it over 12 years old! Microsoft stopped selling Windows XP in 2008 (nearly 6 years ago), with only minor exceptions. Windows XP was replaced by a more modern operating system in 2007 (nearly 7 years ago) and since then, we've actually had three new operating systems (with the latest being Windows 8, recently released.)</p><p>In technology, 12 years is a lifetime! The world of tech was vastly different 12 years ago! To put it in context, when Windows XP first came out, most users had dial-up to access the Internet, and broadband internet was a dream technology. There were no smartphones (instead we had PDAs that did not have internet access) and cellphones actually were for making calls! 
Even text messages (now so ubiquitous) were not generally available for most cellphone users.</p><p>Though Windows Vista was not well received, Windows 7 has been very successful in its adoption and has brought many security and usability improvements to computers.</p><p>A migration to Windows 7, even if it necessitates a hardware upgrade (and it does not always require new hardware), is a prudent (and urgent) course of action for anyone running Windows XP!</p><p>Additionally, though we have not ourselves analyzed the compliance implications in healthcare as they relate to Meaningful Use, HIPAA and other healthcare regulations, it is very likely that Windows XP (once it is no longer supported by Microsoft in April 2014) will be the cause of failed compliance for many healthcare providers.</p><h2>What about compliance with Healthcare regulations?</h2><p>Using Windows XP most definitely will cause non-compliance for those that must meet certain regulations. This is not a matter for debate, but rather a simple read of the applicable Healthcare regulations.</p><p>For instance, the Meaningful Use Stage I Core Measure 14 of 14 states as its measure (underline added for emphasis): [Eligible Professionals must] Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.</p><p>Since Windows XP is not open source, no one but Microsoft has access to the code. Once Microsoft stops issuing patches to Windows XP, it will not be possible for anyone to legally “implement security updates” nor to “correct identified security deficiencies”. 
Simply put, Windows XP will not meet Core Measure 14 of MU Stage I and therefore, any provider using it will have compliance issues.</p><p>Interestingly, Microsoft Office 2003 and Windows Server 2003 (also both used extensively in medical practices) also will arrive at their “End of Life” support soon! Practices should take the opportunity when they upgrade Windows XP to also upgrade Microsoft Office at the very least. They should also strongly consider upgrading Windows Server 2003, if not at the same time, very very soon.</p><h2>Conclusion</h2><p>Upgrade away from Windows XP, today please! You "think" you're saving money, but you are not. Windows XP could cost you your practice, maybe more.</p><p>- o -</p><p>References:</p><p><a href="http://www.hitechanswers.net/stat-is-meaningful-use-trouble-under-your-networks-skin/">http://www.hitechanswers.net/stat-is-meaningful-use-trouble-under-your-networks-skin/</a></p><p><a href="http://www.physicianspractice.com/blog/growing-hipaa-threat-ignore-windows-xp-your-own-peril">http://www.physicianspractice.com/blog/growing-hipaa-threat-ignore-windows-xp-your-own-peril</a></p><p><a href="http://jira.oncprojectracking.org/browse/CERT-976">http://jira.oncprojectracking.org/browse/CERT-976</a></p><p> </p>]]></content:encoded></item></channel></rss>