Slashdot Mirror


Slashdot Asks: In the Wake Of Ransomware Attacks, Should Tech Companies Change Policies To Support Older OSs Indefinitely?

In the aftermath of ransomware spread over the weekend, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, writes an opinion piece for The New York Times: At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, "pay extra money to us or we will withhold critical security updates" can be seen as its own form of ransomware. In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more. Microsoft supported Windows XP for over a decade before finally putting it to sleep. In the wake of ransomware attacks, it stepped forward to release a patch -- a move that has been lauded by columnists. That said, do you folks think it should continue to push security updates to older operating systems as well?

9 of 360 comments

  1. No by Anonymous Coward · · Score: 5, Insightful

    No. You can't support legacy software forever. If your customers choose to stay with it past its notified EOL then they are SOL. Any company using XP that got hit by this can only blame themselves.

    1. Re:No by jellomizer · · Score: 4, Insightful

      I will need to agree with conditions. If the Tech company is selling service contracts for that product, they will need to update it. However, like XP and older, where the company isn't selling support, and had let everyone know that it is off service, they shouldn't need to keep it updated. Otherwise I am still waiting for my MS DOS 6 patch as it is still vulnerable to the stoner virus.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:No by Anonymous Coward · · Score: 2, Insightful

      Or perhaps one option would be to open source the older OS's so that should someone choose to be on the hook for offering support (or the community comes together?)

      However, I think if they open sourced it, so many eyes would pour over it and find so many glaring exploits that it would actually be worse overall - at least in the beginning?

      Ahh hell, nevermind... :-)

    3. Re:No by AmiMoJo · · Score: 4, Insightful

      The people providing support should be the ones making MRI scanners, ATMs and other expensive equipment that only works with XP. Even when XP was brand new, did they really expect those machines to only have a lifetime of around 10 years? Microsoft was clear about how long support was going to be provided for.

      It seems that people are only just waking up to the fact that these machines have software and it needs on-going maintenance. The next decade or two will be littered with software bricked but mechanically sound hardware, everything from IoT lightbulbs to multi-million Euro medical equipment.

      In fact it's already happening. You can buy DNA sequencers on eBay, less than a decade old and original price $500,000, now barely worth the shipping because the manufacturer abandoned support.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re: No by Dread_ed · · Score: 4, Insightful

      If you own a Chevy, Dodge, or Ford and the airbag is defective and recalled it won't matter if you are out of warranty. The device will be fixed free of charge by your local dealer. Any safety recall would be handled the same way. The retailer's service facility will repair it free of charge.

      With the news of how medical records and devices were affected, one might begin to wonder if software should be subject to the same kind of recall system. Personally I think it feels a little one sided for software companies to create buggy and easily penetrated software that results in loss on the user's end and all the company has to say in return is "You need to buy this new (equally buggy and easily penetrated!) software that is more intrusive and gives us access to more of your marketable metadata."

      Is this yet another example of how dollars equal speech, leading to a loopback fucking, where our own money is used by large corporations to buy lawmakers and make sure protections for customers are never passed?

      I would like to hear dissenting opinions as well as corroborating ones.

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
  2. Silly idea by argStyopa · · Score: 4, Insightful

    Should they go back and patch Win95 while they're at it? Make Win386 rock-solid in the face of current virii and ransomware?

    By that same logic, you could insist that Ford go back and install safety glass and airbags on any existing Model T's still running.

    The simple fact is that OS's are a treadmill. It's a not a typewriter that you buy once and use until it breaks.

    Look, I think OS firms *should* support 'the last few versions' - say whatever was current 10 years ago (i.e. in MS's case, Win2007). But to go back further, or to MANDATE that?

    If you can't be bothered to run reasonably current OSs, then you're going to be as safe as you deserve.

    --
    -Styopa
  3. Support Older OSs Indefinitely? by fustakrakich · · Score: 3, Insightful

    Indefinitely? No, only as long as they want to keep their copyright/patent privileges on those systems.

    --
    “He’s not deformed, he’s just drunk!”
  4. They already exist by number6x · · Score: 3, Insightful

    They already exist. They're called routers. Network routers can be configured to provide a great deal of protection to machines that are older and cannot be patched. Many contain firewall software. Even simple ones can be configured to block traffic on vulnerable ports.

    In this case, a router could be configured to keep the SMB port (445) blocked. A router, with updated software, and a firewall gateway can help protect even older devices with embedded code that may no longer be supported.

    Of course, it goes without saying that you must keep the router's software updated and not use default credentials on the router.

    The NHS decided to not upgrade many old systems because the threat was deemed minimal. Offices were urged to upgrade but funds were not made available and infrastructure budgets were cut again and again. Multiple bad decisions led to this result.

    Many things could have prevented it. Better funding, better threat assessment, the NSA informing Microsoft of the vulnerability so it could have been patched years ago, and on and on...

    In the end we are here, and hopefully threats will be re-prioritized and better protections will be put in place in the future (I could not keep a straight face while typing that and finally burst out laughing).
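One way to do what number6x describes, as an added example that is not part of the original post: an nftables ruleset for the router or firewall gateway that sits in front of a segment of legacy, unpatchable hosts, keeping SMB (445) and NetBIOS (137-139) from crossing into or out of that segment while still allowing a single management host to reach it. The network addresses, the management host and the table name are assumed placeholders, not taken from the post.

```nftables
# Added example: router-side nftables ruleset guarding a legacy segment.
# All addresses below are constructed placeholders.
define LEGACY_NET = 10.20.0.0/24   # assumed VLAN holding the XP-era machines
define MGMT_HOST  = 10.10.0.5      # assumed single admin box allowed to open SMB to them

table inet legacy_guard {
    chain forward {
        # Runs on traffic the router forwards between segments; everything
        # not matched below is still allowed, so the rest of the network
        # keeps working while the legacy segment is isolated for SMB.
        type filter hook forward priority 0; policy accept;

        # Replies to connections that were already permitted, and nothing malformed.
        ct state established,related accept
        ct state invalid drop

        # SMB and NetBIOS session traffic INTO the legacy segment:
        # only the management host may open it; log and drop the rest,
        # rate-limited so a scanning worm cannot flood the log.
        ip daddr $LEGACY_NET ip saddr $MGMT_HOST tcp dport { 139, 445 } accept
        ip daddr $LEGACY_NET tcp dport { 139, 445 } limit rate 10/minute log prefix "smb-to-legacy-drop: "
        ip daddr $LEGACY_NET tcp dport { 139, 445 } drop
        ip daddr $LEGACY_NET udp dport { 137, 138 } drop

        # SMB OUT OF the legacy segment: an infected legacy host must not be
        # able to reach port 445 on anything else, so the segment cannot
        # become the launch point for lateral spread.
        ip saddr $LEGACY_NET tcp dport { 139, 445 } limit rate 10/minute log prefix "smb-from-legacy-drop: "
        ip saddr $LEGACY_NET tcp dport { 139, 445 } drop
        ip saddr $LEGACY_NET udp dport { 137, 138 } drop
    }
}
```

Load it with `nft -f <file>` (or validate first with `nft -c -f <file>`); the "smb-to-legacy-drop" and "smb-from-legacy-drop" log prefixes then give a simple signal in the kernel log that something is probing 445 toward or from the unpatched hosts.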

  5. Re: Disagree by Dunbal · · Score: 3, Insightful

    Not only that but the fact that they released the "patch" as soon as the word was out that the NSA toolkit had been leaked into the wild is damning evidence - they knew about it all along and this patch is damage control. The REAL damage is letting them get away with shit like this for decades.

    --
    Seven puppies were harmed during the making of this post.