Slashdot Asks: In the Wake Of Ransomware Attacks, Should Tech Companies Change Policies To Support Older OSs Indefinitely?
In the aftermath of ransomware spread over the weekend, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, writes an opinion piece for The New York Times: At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, "pay extra money to us or we will withhold critical security updates" can be seen as its own form of ransomware. In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more. Microsoft supported Windows XP for over a decade before finally putting it to sleep. In the wake of ransomware attacks, it stepped forward to release a patch -- a move that has been lauded by columnists. That said, do you folks think it should continue to push security updates to older operating systems as well?
No. You can't support legacy software forever. If your customers choose to stay with it past its notified EOL then they are SOL. Any company using XP that got hit by this can only blame themselves.
This did not need to be fixed with an OS patch; it could have been prevented with better network security policies. I would be surprised if someone hadn't said something about addressing the vulnerability earlier but probably got ignored because of some budgetary issue.
It would be more reasonable to call for continued money to be made available to address these vulnerabilities after a system has gone into production, and a move to use more open source solutions where users can share patches.
Nullius in verba
Should they go back and patch Win95 while they're at it? Make Win386 rock-solid in the face of current virii and ransomware?
By that same logic, you could insist that Ford go back and install safety glass and airbags on any existing Model T's still running.
The simple fact is that OS's are a treadmill. It's not a typewriter that you buy once and use until it breaks.
Look, I think OS firms *should* support 'the last few versions' - say whatever was current 10 years ago (ie in MS's case, Win2007). But to go back further, or to MANDATE that?
If you can't be bothered to run reasonably current OSs, then you're going to be as safe as you deserve.
-Styopa
... have policies in place that prevent mission-critical systems from being proprietary, dependent on one vendor, insecure, not updated and open to being messed up by clueless users who click on links and download and install everything they can lay their hands on.
Also they should all have in place: Up and running intrusion detection on their intranets, regular automated overturning backups and regularly tested zero-fuss disaster recovery. Have all that in place and you wouldn't even notice WannaCry.
Extra brownie points for building and maintaining all that with FOSS systems and giving back to the community.
WannaCry happened because of Windows which is in its sorry state because MS doesn't want to help users, they want to sell software or - better yet - software subscriptions.
My 2 cents.
We suffer more in our imagination than in reality. - Seneca
Microsoft proved it - they released an emergency patch for XP, Server 2003, and Windows 8. So I'd say that's evidence enough that yes, they should support it forever. :)
I honestly can't figure out where I fall on this. I would say for major security issues, yes, though the cutoff should be when production use of that OS gets below a certain point, which should be easily monitored, and I don't think XP went below that.
In any event, that an organization the size of NHS, quite literally one of the largest employers on the planet, did such a poor job on security is disgraceful, especially considering how internetworked all their stuff was.
When you say "should", the real question is whether we are talking about a moral or a legal obligation. One could make a case for a moral obligation: Microsoft charge plenty for their software, they have the resources and know-how to provide these patches, and it is such a widely used system that there are likely to be cases where clients have a good reason to stick to the old OS. Patching that stuff benefits everyone.
But I'd be very wary of making this a legal obligation. Especially since obligation implies liability when things go south. I know that some folks would love to see software manufacturers held responsible for screw-ups in their code, but if that is extended to ancient versions, software could become expensive since you'd be on the hook for supporting each version in perpetuity. As a software developer, that's not a welcoming prospect.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Indefinitely? No, only as long as they want to keep their copyright/patent privileges on those systems.
“He’s not deformed, he’s just drunk!”
My work has the legacy patches ready for deployment even though WinXP, Win8 and Win2K3 systems got banished from the network last year. Never know when a tech is going to plug a decommissioned system into the network without verifying that it has a current Windows OS.
There's only so long you can reasonably expect support on older products. What should change is:
1. Stop using Windows for security sensitive applications.
2. Hire people to build secure systems who know how to build secure systems. Listen to them.
3. Don't volunteer for vendor lock-in. The mass Windows groupthink of the 80's and 90's was born out of incompetence. Think about the future, not just the immediate moment.
4. People who can only think in terms of "which choice requires me to understand less?" should not be in charge of decision making.
5. Air-gap the most critical systems. (Dear god, please don't let some clueless idiot post Stuxnet as if that somehow invalidates this point).
6. Keep systems up to date with latest security patches.
7. Hire technically literate staff when it is required for them to deal with technology. Anyone downloading and clicking on "CuteKittens.jpg.exe" is not competent to be let near computing devices.
Of course not.
Most of the ransomware could be stopped by the use of proper backups, firewalls, networking and IDS / IPS software. Instead of companies like Microsoft supporting old software stacks, they should only be required to release updates for the current systems and rely on the IT of the companies who use their product to properly secure themselves.
That is simply unreasonable. On the contrary, going forward all OS's should have mandatory secure encrypted back-up. Windows should take the 500 GB hard drive on your new cheap PC, split it in half, and use half of it as an admin-only accessible separate back-up drive. Then companies and individuals should upgrade their computer OS's.
All of these problems crop up because of the conflict between wanting software that Just Works(tm) and wanting to be on the Internet. It's probably time that we started setting up networks where each computer has a separate, dedicated piece of hardware that handles security. A little crossover switch that's kept up-to-date, or, in big enterprise deployments like this, can be upgraded without interrupting whatever software application they have that's still running on something old.
"[We'll be] really getting inside your head and making it an unpleasant place to be" -- Trent Reznor
I've installed Windows 10 on my PC and TRY BING TODAY it's not that bad.
#DeleteFacebook
Forcing tech companies to start maintaining and updating legacy software that is no longer made, sold, and supported for free, is like forcing Ford to offer free seatbelt and airbag kits for Model Ts.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
Abandoning Operating Systems is a cruel trick played by vendors who want the new revenue from upgrades, no matter what the cost in lost business, learning curves, and incompatibilities with existing practices may be to the customers. Spending money on maintaining the security (even excluding features) of superseded products distracts from development of improved products, and is not in the vendors' self-interest.
Given that a new Operating system (retail) is in the $100-$150 range, I'd propose "Life Extension" service subscription, solely for security updates in the $30-35/year range...with a required minimum of 10,000 customers to keep maintaining the service. That provides enough revenue ($1,000,000+ per annum) to support a small, dedicated staff.
Frankly, there's no reason that M$ couldn't engage in a Joint Venture with a small, qualified, independent security firm to provide the service, with special access to proprietary information within the O.S. vendor.
It would be an investment in the rehabilitation of the O.S. vendors' reputation, because M$ has gotten quite high-handed in recent years, dictating (or even forcing) software on unwilling customers who have existing businesses to run.
It also lives on in many scientific instruments. An old mass spec that runs XP (or even older. I regularly maintain X Ray diffraction machines that still run DOS) usually can still do the day to day job just fine. The software usually hasn't been supported for many years and won't run on anything newer. But replacing the instrument could cost a large amount of money (250K or up in many cases).
Research budgets aren't growing and I work for a university in a state that can't pass a budget. We just don't have the money to throw out older systems that work well just because the software is outdated. We just take them off the network and use other means to get the data transferred off of them.
The programmers are asked to implement new features as fast as possible as opposed to improving the code that's already written.
Because crooks keep being more inventive, finding new -- heretofore unanticipated -- ways of tricking users and software.
You might as well ask, "How many law enforcement officers are out there?" There will always be some to invest their inventiveness in making a quick "killing" instead of engaging in honest, hard work of designing products that people want. Computer criminals are not interested in the niceties of business, like marketing, and advertising, and customer satisfaction...they're only interested in finding an easy way to make lots of money in a hurry.
Solve THAT problem, AC!
Windows Workstation on old DEC Alpha systems against any attacks? Pretty sure some of the basic Windows vulnerabilities would apply.
...replace Windows with Linux, and stop using smbv1 and smbv2.
Anyone remember nimda?
Hell, at the very least, open source any abandoned OSes so that others can take on maintenance if they feel compelled to live in the 1990s again.
I have no sympathy for moneyed institutions that treat IT as a pure cost center and skimp on keeping it a well-oiled machine. If you're a hospital that wants to be cheap and leave XP-based machines on the Internet then you can have your administrators' salaries and bonuses docked to pay the fines for the social harms you cause by prioritizing compensation over "getting the job actually done." Or you can go back to the ugly days when your IT wasn't a cost center, i.e. back when you didn't have the efficiency gains and capabilities it brings.
I think that if you got people over to the subscription model, it wouldn't be impossible to put 3 or 4 guys on a maintenance team to backport absolutely critical fixes. You'd have to be very explicit about the criticality level that triggers a fix, but the reality is that vendors introduce a lot of dependencies. Those maintenance coders wouldn't have to be your best and brightest either - it would be a very good first job for new grads. I would think that as long as customers were paying something like Software Assurance, fixes for remotely wormable issues in components that haven't changed much since the dawn of the product might qualify. It's not just OSes either - look at critical stuff like SAP or Oracle products, where some of the foundations are the same as they were decades back.
Software vendors don't want to maintain old software because they aren't getting license revenue from it anymore, but not all customers remaining on old versions do so by choice. There are plenty of "run it till it dies" customers and small businesses still on very old versions of software, but others, especially in the medical field, aren't so easily migrated. Around the XP timeframe, there were a lot of embedded applications that relied on quirky Internet Explorer behavior or used components in such a way that you can't just migrate them to a new OS. Those browser ones are the absolute killer, and IE's Enterprise Mode only solves a subset of the problems.
I work in another industry with a lot of legacy cruft around, and applications that just can't be economically rewritten. Thankfully we're off of XP, but Microsoft prematurely killing support for Windows 7 is troubling and has caused us to step up our timetable for some critical application changes. I think that the only possible benefit of the subscription model for a customer is to allow the possibility of something like I talked about -- a very small maintenance team -- that doesn't cost millions of dollars a year in custom support agreements.
Because ransomware did not exist before Bitcoin. :rolleyes:
#DeleteFacebook
Would this approach not impact hardware development as well? And mobiles and iot?
If Microsoft, Google, Apple and all Linux distribution organisations are expected to support older versions permanently, their software legacy grows and with it, the supported hardware combinations also grow.
People here on /. dislike the push to upgrade to Win10, but it's what's going on elsewhere, with more mobile devices being sold than desktop format PCs. The model doesn't suit everyone all at the same time and with the same level of satisfaction, but it does work. If not, BYOD would be uncommon.
As things are, on slashdot what I get is:
Apple: most people run recent iOS versions - this shows Apple is doing well. Newer versions of OS X run well on older Macs too. Excellent Apple!
Google: there's a lot of people on older versions of Android, it would be great if Google were in charge and everyone had the opportunity to upgrade asap! It's the telco operators that are getting in the way of OS greatness! Excellent Google!
Microsoft: In my special case it is 100% reasonable that I want to run Windows XP until the end of times. Everyone who disagrees is wrong and Microsoft is bad for pushing me to Windows Vista/7/8/10. This ransomware story is 100% Microsoft's fault.
First of all, let me state that most of my machines are Linux, or BSD. I find the whole panic over WCry absolutely hilarious.
Something like OpenBSD, but less stringent:
First-tier is average OS support - six months support tops, after that, you need to upgrade. You have version 4.3 while the latest version is 7? Tough luck.
Second-tier is emergency OS support: 12 to 18 months support tops. On a specific version (meaning fubar 6.0 but not fubar 6.1 for instance ), only back-port of the most critical patches to base system.
Every 5 years, for embedded and ultra-secure needs, you get an ULTS (Ultra-Long Term Support) version, which is going to be supported - provided you sign an annual support contract with mucho dinero - as long as necessary, including backporting patches from the newest version of the OS, but only for the base system. Anything extra you add to that base system is your responsibility.
The issue here really is pretty much the same as an "Internet of Things" issue: please, dear MegaCorps, use a nice, updated AND SECURE DEFAULT CONFIGURATION for your freaking products - no, Windows XP is not nice, updated and secure out of the box, and neither is Linux if you open 200 ports and services with "admin" and "secure" as login and password, respectively.
On a more general note, if you use Windows within your product, I don't care what that product is, you are asking for trouble.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
From the outside, I would tend to agree with you. But Microsoft has some liability here. They created a product that is still in use on hundreds of thousands if not millions of computers. Microsoft sold more than 400 million copies, and who knows how many pirated copies are out there.
Here's the deal: Microsoft was found to be a monopoly as far back as 1998. When companies like Microsoft reach this level of operation, they usually become regulated. I see a strong likelihood that Microsoft will suffer a substantial blowback from this event, and ones to follow, as Windows XP is not going to go away any time soon, not to mention the problem is only made worse by Windows 2003 and Windows Vista, as these are no longer under standard support as well.
We might be seeing the event horizon where governments mandate support for software like they do for manufactured products that come with warranties, they may even require warranties for operating systems, as insecurities in these have proven to be so dangerous.
This could also be viewed as PR protection for Microsoft. If they didn't help these users, then this would dirty Windows' name even further, and many of these users would probably switch to something else, realizing MS doesn't have their back.
Slashdot generally doesn't like ludicrously-long copyright terms, right? What if we made maintenance a requirement for retaining copyright over software? If Microsoft (or whoever) wants to retain a copyright on their software for 70 years, then they'd better be prepared to commit to 70 years of support. If they want to EOL it after 5 years or 20 years or whatever, and wash their hands of responsibility, that's fine, but then it's public domain. Why should we let companies benefit from software they don't support anymore?
This could also work for art works, as well -- because copyright exists "To promote the Progress of Science and useful Arts," we could make it a requirement that an author (or company, or whatever) needs to be distributing (or licensing for distribution) a work to have copyright on it. When it's out of print, it enters the public domain.
Providing free updates to old OSs means that people paying for new versions are subsidizing the people who won't upgrade.
Do those devices NEED an internet connection? Serious question, as I don't know. If not, no problems.
have you seen my sig? there are many others like it but none that are the same
If the number of older systems is large enough, then Yes, Microsoft should release patches for them.
They should do this for two reasons:
1) Reducing the number of infected systems helps protect others from infections
2) It protects the innocent, like those whose Medical Care was interrupted in the UK, from collateral damage.
Who pays for it? Microsoft. They have benefited from the sale of all those systems, and certainly have enough cash to divert some to supported old but prevalent systems. Also, the fact that people still use MS systems, even if they're old, benefits MS in some way by helping them maintain market share (and "mindshare"). Odds are that these systems will eventually be replaced by more MS systems, representing future revenue for MS.
If we made infinite support (even for just critical updates) the industry standard, would it be difficult for a budding software developer company to plan for this, before knowing how well the software will sell?
At the other end of the spectrum, some established companies have hundreds or thousands of pieces of software deployed. How many units need to be sold/distributed before the company would need to consider it one that needs critical security support indefinitely?
Would you think Open Source software would require the same standard, since the source code is available to everyone?
--something witty
There will always be some to invest their inventiveness in making a quick "killing" instead of engaging in honest, hard work of designing products that people want.
That's not a very nice thing to say about the Vista/Longhorn development team!
It still lives in hearts of many IoT devices and especially as embedded OS in all the printers, copiers, ATMs, and hell knows where else, showing that all-too-familiar red box with cross on top right corners on displays of all these devices, notwithstanding all the familiar WinXP warning and dialogue boxes.
Are IoT devices effectively vulnerable to this particular malware? And if they do become infected, is there anything to ransom on these systems? Can't you just reset them back to factory state if needed?
If the answer is no then all a company has to do is tie in all its software to the OS. If an OS is defined as the software that controls the hardware then there wouldn't be this issue in the first place. This is a service which runs on the OS.
The systems sold at a discount today are no faster in handling the day-to-day use of the average user than some sold 15 years ago. Most people's use is not that of a gamer. This need to create waste baffles me. If it were not for the extended term of copyright there would be a third party market here.
The question should be why must we maintain copyright and/or patents on merchandise that the creating company no longer sees fit to maintain?
DRM? No thanks, I'll just get it somewhere else...
Just put all that old crap on virtual machines. The only important parts are the data. And the easiest way to counter ransomware is with backups.
The last time Microsoft got in the middle of security problems, it allowed Apple to break out and we had a period of time 2006-2012 where Macintosh PCs were all the rage. None of the Linux Distributions have the muscle to take advantage of a misstep from Microsoft.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
For some of them, at least, network connectivity is required for some extra capabilities. Need is relative here, as some may have purchased the equipment with the intent to use said features. While I doubt they'd be actively communicating with Internet hosts, being on a network opens them to attack via worm.
There is no XUL, only WebExtensions...
There are more than enough XP users in the world for Microsoft to dedicate resources and turn a profit supporting it. Arbitrary sunset dates disconnected from reality of who is still using software amount to nothing more than sales tools intended to extort upgrade revenue.... buy this or get owned.
I personally don't believe vendors should be allowed to walk away from safety defects in products in order to make money on upgrades. Buffer overflows are an entirely preventable class of software failures. It is a tractable problem to solve. That it may not be in the case of XP isn't the end user's problem.
I do not think MS should be forced to support obsolete s/w forever. It just does not make any business sense. However on the flip side, the problem for many people or organizations is that an OS upgrade implies a h/w upgrade. The h/w may cost more than the OS and required ancillary s/w updates (i.e. useful end user applications).
Thus there is an amplifier effect in the cost. A $150 OS upgrade triggers a $500 h/w upgrade, or an amplification factor of 3.33 (dollar values/amp factor are arbitrary).
I have a lot more sympathy for poor old end consumers and small businesses than I do for organizations however.
I'm *sure* if you approached M$ with enough cash, they would oblige you.. Although it's likely going to be a LOT cheaper for you to simply upgrade your OS and applications to Windows 10 (Or, if you really want to go cheap, Linux).
If you absolutely need support, you CAN get it if you are willing to pay for it. What's usually the case though is folks are unwilling to pony up the cash and choose to take their chances.
I worked for a company that had a PBX that was falling out of support by the manufacturer and although third parties supported it, they were hugely expensive. They actually dropped support for the PBX, fully knowing that if it went down, it would stop the business. There was no fallback plan beyond having cell phones for some folks (back in the day when cell coverage was spotty at best.) It was stupid... Luckily I left that place before the bottom fell out, got a great severance package too...
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
"YES" - for such critical needed updates.
I have one system that I've been trying to upgrade for 5 years. Another system has a hardware device {and drivers} that are no longer available, which also has software from a company that is out of business. "Upgrade to Windows 10" won't work (and I'm not going to the MS-Sell land of Win 10). I am grateful to MS for upgrading the ones that they did, and to the morons in the "buy the latest now" camp: that is not an option, I've tried.
FTFY.
Sent from my ASR33 using ASCII
They already exist. They're called routers. Network routers can be configured to provide great deal of protection to machines that are older and cannot be patched. Many contain firewall software. Even simple ones can be configured to block traffic on vulnerable ports.
In this case, a router could be configured to keep the SMB port (445) blocked. A router, with updated software, and a firewall gateway can help protect even older devices with embedded code that may no longer be supported.
Of course, it goes to say, that you must keep the router's software updated and not use default credentials on the router.
The NHS decided to not upgrade many old systems because the threat was deemed minimal. Offices were urged to upgrade but funds were not made available and infrastructure budgets were cut again and again. Multiple bad decisions led to this result.
Many things could have prevented it. Better funding, better threat assessment, the NSA informing Microsoft of the vulnerability so it could have been patched years ago, and on and on...
In the end we are here, and hopefully threats will be re-prioritized and better protections will be put in place in the future (I could not keep a straight face while typing that and finally burst out laughing).
Personally, I think it's the wrong approach to try to compel Microsoft to support old operating systems. It's a substantial burden for them, and makes it harder for them to move forward and innovate.
Instead, I think we should try to compel Microsoft to open the source of Windows XP. If there's a large enough number of people who want continued support, they would then be able to fund it somehow. Plus, it would push Microsoft to innovate, since they would have to make sure that Windows 10 did useful things that Windows XP doesn't do (that people actually want).
I may be a bit radical here, but I personally think that, in order to attain copyright protection, software developers should be required to provide their source code to the Library of Congress (or some other governmental organization). Then, when the software is no longer being sold or supported, the source code should be made public domain.
C'mon people.
The upgrade path from XP upward is not like the path from 7 to 10. You don't get to keep your apps without reinstalling everything, and it is very unlikely you can keep your existing computer.
The disruption is immense, and the only way forward for me was running a USB hub to allow switching between computers piled on my desk and keeping my old XP box at the ready in case there was some critical app for which I had lost the installation media that I needed.
As to the people who "downgraded" to XP, I never experienced Vista because so much shade was thrown on it. Maybe Vista was clunky slow because it was no different than 7 but it was advertised as running on hardware that you wouldn't think as being compatible with 7?
Label me cynical but dumb. Oh, noes, XP is ten . . . years . . . old! It's this stupid obsolescence culture -- Fred has been coding for us for 10 years -- fire him and get a new person.
Forever support isn't reasonable, but at the same time vendors using security update channels to push unwanted upgrades for the benefit of the vendor is equally bad.
My guess is that we're going to be getting to the end of the road of the "nasty, brutish and short" state of nature in the software industry and start seeing more regulations.
Vendors will be able to EOL their products, but will also have to supply security updates for N years after the product is officially ended. Vendors will be required to maintain a security update channel which may not be used for pushing upgrades or unrequested new products.
An interesting solution would be to let vendors "expire" a version by inserting a patch that boots the OS at a warning page requiring a firm verbal commitment ("I agree this is obsolete") before booting any further. Vendors would be REQUIRED to do this for operating systems they had obsoleted but only after their N years of post-EOL support had ended.
This way, nobody escapes the product being EOL. Customers can still use it, but must affirmatively acknowledge it is obsolete. Vendors are required to keep supporting it for a really long time after official EOL, but they can kill it more completely but only after the EOL support period.
None of us bother to learn real security. You're all so stuck on layer 4-7 you fail to understand layers 0-3.
Your fault for not realizing the current security model is flawed as fuck.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Perhaps all OSs should have a kill date embedded after which they will fail to operate. Maybe nothing as drastic as the machine failing to start, but perhaps for example booting into the equivalent of safe mode with no networking, so that it's possible to move your data from the system but isn't really practical to use it.
Why? Because such a kill date would actually force people to think about upgrading rather just keeping running because they know they can.
It could be as simple to override as putting the clock back for those who want to play with older OSs on old hardware for fun, but that wouldn't be a practical solution for most of the lazy businesses who continue to use obsolete systems and not just put themselves at risk but, by becoming vectors for attacking others, affect us all.
And for at least a year before the kill date is activated the system wallpaper would be replaced with a timer counting down to the time the system needs to be replaced.
Please read my Canon EOS tech blog at http://www.everyothershot.com
Vehicles are not a good analogy. Replacing some older vehicles does not cause the organization that uses them to stop functioning. A better example is industrial land pollution ("brownfields"), where US law requires the polluting company to pay for cleanup no matter how long ago it happened. Microsoft made a huge amount of money selling software it knew had defects into applications it knew would be hard to upgrade. It's not much different from companies who kept their costs down by dumping toxic waste materials onto nearby land. Microsoft should be responsible for cleaning up the mess they made and profited from.
It's a matter of convenience more than absolute necessity. You have to have a way of controlling the machine and getting the data the devices take off of them. There are several ways this can be done without putting the machine directly on the internet. In some cases thumb drives are adequate. In other cases the controls of the machine are largely web based, and then you have to have a separate network connection to a multi-homed machine on the wider network that acts as a firewall and usually will only let one or two other computers connect to the older machine.
It's not ideal, and can conceivably be subverted, but it mostly works.
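The "multi-homed machine that only lets one or two other computers connect" arrangement from the post above, written out as an allowlist policy. This is an added illustration, not code from the thread or from any poster; the interface names, the 10.0.5.x and 192.168.100.2 addresses and the ports are invented. decide() mirrors the forward chain so the policy can be checked against constructed flow records before it is deployed, audit() lists the flows the policy would refuse, and nftables_ruleset() renders the same policy for the bastion host. The legacy box is allowed only to answer, never to initiate, which is what keeps it from becoming a vector for attacking others.

```python
"""Allowlist policy for a multi-homed bastion that fronts a legacy (e.g. XP)
machine. Added illustration, not code from the thread; the topology,
addresses, interface names and ports are hypothetical."""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed topology: eth0 faces the office LAN, eth1 is a point-to-point link to
# the legacy box, which has no other network path.
LAN_IFACE = "eth0"
LEGACY_IFACE = "eth1"
LEGACY_HOST = "192.168.100.2"                 # the XP machine
ALLOWED_CLIENTS = ("10.0.5.10", "10.0.5.11")  # the one or two hosts allowed in
ALLOWED_PORTS = (80, 443)                     # web-based machine controls only


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    in_iface: str
    established: bool = False   # True for packets belonging to an already accepted flow


def decide(flow: Flow) -> str:
    """Return 'accept' or 'drop', mirroring the nftables forward chain rendered below."""
    if flow.established:
        return "accept"          # replies to flows we already admitted
    if flow.in_iface == LEGACY_IFACE:
        return "drop"            # the legacy box may never initiate anything
    if (flow.in_iface == LAN_IFACE and flow.dst == LEGACY_HOST
            and flow.src in ALLOWED_CLIENTS and flow.proto == "tcp"
            and flow.dport in ALLOWED_PORTS):
        return "accept"
    return "drop"                # everything else, including SMB from an allowed host


def audit(flows: Iterable[Flow]) -> List[Flow]:
    """Flows the policy refuses: unexpected attempts to reach, or to leave, the legacy box."""
    return [f for f in flows if decide(f) == "drop"]


def nftables_ruleset() -> str:
    """Render the same policy as an nftables ruleset for the bastion (load with nft -f)."""
    clients = ", ".join(ALLOWED_CLIENTS)
    ports = ", ".join(str(p) for p in ALLOWED_PORTS)
    return f"""table inet legacy_gate {{
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "{LEGACY_IFACE}" drop
        iifname "{LAN_IFACE}" ip saddr {{ {clients} }} ip daddr {LEGACY_HOST} tcp dport {{ {ports} }} accept
    }}
}}
"""


# Constructed sample flows (not captured traffic) to exercise the policy.
SAMPLE_FLOWS = [
    Flow("10.0.5.10", LEGACY_HOST, "tcp", 443, LAN_IFACE),                      # operator console: accept
    Flow("10.0.5.99", LEGACY_HOST, "tcp", 443, LAN_IFACE),                      # unlisted host: drop
    Flow("10.0.5.10", LEGACY_HOST, "tcp", 445, LAN_IFACE),                      # SMB from allowed host: drop
    Flow(LEGACY_HOST, "10.0.5.10", "tcp", 445, LEGACY_IFACE),                   # legacy box reaching out: drop
    Flow(LEGACY_HOST, "10.0.5.10", "tcp", 443, LEGACY_IFACE, established=True),  # reply traffic: accept
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(decide(f), f)
    print(nftables_ruleset())
```

The bastion still needs forwarding enabled and its own input chain locked down, and the policy does not help if one of the two allowed clients is itself compromised, which is the "can conceivably be subverted" part of the post.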
IMHO, one of the best defences against malware is regular tested backups at a frequent enough interval that file encryptors and the like can't make the loss of data too damaging.
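"Regular tested backups" means checking that what was restored matches what was backed up, not just that a backup job ran. The following is an added example, not code from the thread or from the poster above: it builds a SHA-256 manifest of a source tree and verifies a restored copy against it, so a file that an encryptor overwrote or deleted after the backup shows up as "modified" or "missing". The directories and file contents are created by the code itself in a temporary location.

```python
"""Backup integrity check: build a SHA-256 manifest of a source tree and verify
a restored copy against it. Added illustration, not code from the thread; all
paths and contents are constructed in a temporary directory."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: Dict[str, str], restored: Path) -> List[Tuple[str, str]]:
    """Return (relative path, problem) for every manifest entry that is missing
    from, or altered in, the restored tree. An empty list means the restore
    reproduced every backed-up file byte for byte."""
    problems = []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append((rel, "missing"))
        elif file_sha256(target) != digest:
            problems.append((rel, "modified"))
    return problems


def demo() -> Tuple[int, List[Tuple[str, str]]]:
    """Simulate backup, restore, and post-backup tampering. Returns
    (number of files in the manifest, problems found in the tampered copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("quarterly figures\n")        # constructed content
        (src / "sub" / "b.csv").write_text("id,value\n1,2\n")    # constructed content
        manifest = build_manifest(src)

        # "Restore": copy the tree, then confirm a clean restore passes.
        restored = Path(tmp) / "restored"
        (restored / "sub").mkdir(parents=True)
        for rel in manifest:
            (restored / rel).write_bytes((src / rel).read_bytes())
        assert verify_restore(manifest, restored) == []

        # Simulate an encryptor: one file overwritten with noise, one deleted.
        (restored / "a.txt").write_bytes(os.urandom(32))
        (restored / "sub" / "b.csv").unlink()
        return len(manifest), verify_restore(manifest, restored)


if __name__ == "__main__":
    count, found = demo()
    print(f"{count} files in manifest; problems: {found}")
```

Keep the manifest with the backup copy (and off the machine being backed up); a copy that the encryptor can reach is just another file to overwrite.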
You do know that Microsoft do still offer support for Windows 3.11 even? It's just not the free kind.
If that were true, we'd see more people taking these support options from Microsoft.
Which wouldn't be covered under what you propose.
Change is certain; progress is not obligatory.
Windows 10 Enterprise lets you turn that stuff off, but it's too bad that smaller places can't really get Windows 10 Enterprise unless they get into a long-term contract for software.
If you have perfectly functioning Kinesio-machines with Win95 or XP, you can use them indefinitely, but do not fucking connect them to the internet.
But for the rest, if you can't afford to upgrade, you just have to face the consequences.
This attack happened because the US Government didn't do its job. Its primary task is national defense. It kept a vulnerability to itself to attack foreigners instead of protecting its own infrastructure, businesses and individuals. The government had these tools taken and passed around for everyone to use.
And crap like this is why governments can never be allowed to have backdoors. The secrets will always get out. Everyone is vulnerable.
"A plan fiendishly clever in its intricacies"- Homer Simpson
Expecting a tech company to support a product that is past its end-of-life for free is like not getting an extended warranty on your car and then getting mad because the guy who did is getting his car fixed instead of you. Seriously, why is this even a conversation?
Oh please. Update to Win10 or get Linux. Get off the XP beast. It's been over a decade, did they really think they could just stop upgrading the OS?
Does it EVER occur to you people that if XP was written the correct way from the start, all it would ever need to meet the problems of the future are patches? The basic idea MS uses to construct their OSs is faulty, even before the first line of code is written. That goes for Apple too. Don't buy that crap.
That's just nonsense intended to weasel out of basic legal responsibilities.
A Pirate and a Puritan look the same on a balance sheet.
Here's my view: If you sell a product, you should fix any bugs or non-performance issues that relate to claims made when you sold it. Application, OS, driver, etc.
If I sell you a product, I don't have to fix anything. I have to give you what you paid for, which is the product in the state that it was when you bought it. Our relationship is then over.
If, in addition to the product, I entered into an agreement where you get bug fixes and updates, then yes, you are entitled to those updates. The duration of time for which you're entitled to those updates is specified in that agreement. It could be forever, but that would be very stupid on my part as a developer.
If, in addition to the update agreement, we have a support services agreement in which I've agreed to write custom fixes to the software to make sure it works for your use case, then, for as long as you pay me for that particular contract, I'm obliged to write fixes for any bugs you find. Those are generally expensive, for obvious reasons. Still worth it for many companies.
Warning: Opinions known to be heavily biased.
I suspect that what would happen instead is that the companies would put kill switches in their software, so they simply stop working after EOL. Or at least stop all networking except to their upgrade servers.
This is a terrible opinion written by an ignorant person. The ONLY way we are going to force users to update their software is to have these kinds of dangerous attacks out in the wild. We need to create a better culture around security, and this is one (excellent!) way to do that. If anything, companies should *stop* supporting software sooner, rather than later. Windows 7 and 8 should be gone. Corporations need to re-think their IT strategy that for some bizarre reason makes it ridiculously complicated to update client operating systems. Dumping Windows would be a great first start. It makes it far too complicated a procedure to update, dealing with registry and hardware incompatibilities, etc. Updating a managed network client OS should be as simple as sending out an OTA patch on a mobile device. But Windows makes that pretty much impossible. It's time to dump it, in the name of both cost savings and security, not to mention functionality!
I don't care what operating system (or, for that matter, software or product) you are talking about, but at some point you just can't keep patching. You need to be able to re-architect and deprecate old functionality, and take things out of production. An operating system or software package is an engineered product, just as much as an automobile, airplane or coffee maker is. I can go buy a classic car without airbags, antilock brakes, pollution controls, crumple zones or even seatbelts if I go back far enough. I can register it and drive it on the road legally. If I get in an accident and have my head smashed against the unpadded dash, get skewered by a straight steering column, am left paralyzed by the lack of crumple zones, or am thrown from the vehicle in a rollover I really have no one to blame but myself. The vehicle manufacturer long ago retired any warranty on the vehicle. I would expect a new car that I buy to have all required modern safety features and expect that they would be fixed (recalled/patched) if there was an issue found. But I would not expect the vehicle maker to patch in whatever advancements happen in the next 5-10 years.
Not only that but the fact that they released the "patch" as soon as the word was out that the NSA toolkit had been leaked into the wild is damning evidence - they knew about it all along and this patch is damage control. The REAL damage is letting them get away with shit like this for decades.
Seven puppies were harmed during the making of this post.
Not as long as they have an army of lobbyists and our dollars to buy the politicians with.
When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
I've personally still got XP boxes and can't upgrade as the attached, expensive, hardware I use to run my business doesn't have drivers post XP. And the hardware is extremely good, extremely reliable and just works. The software I use to control it also just works. Modern versions of both the hardware and software are crap in comparison (lots of removed features etc.)
Why is it Microsoft's fault that your hardware vendor refuses to release drivers for more modern versions of Windows?
Why is everybody ganging on Microsoft when Google's behaviour is much more egregious?
The Nexus 5 is vulnerable to the Broadcom wifi exploit, and yet Google will not patch it since it was released in November 2013, which is more than 3 years ago.
That's right, Google will only issue security patches for three years.
How's that for support?
The Windows XP Embedded OS is still supported by Microsoft. It still receives security updates.
"A plan fiendishly clever in its intricacies"- Homer Simpson
"YES" - for such critical needed updates
and by doing it this once, Microsoft may have just screwed itself into supporting XP again... like when the next killer worm starts going around. Microsoft truly wants XP to go away, but if WCry tells us anything, it's how many crucial systems still rely on XP. We're talking banks, hospitals, factories, power-plants and stuff, all around the globe. Two things are obvious: Microsoft had or could produce a fix, but withheld it until WCry became an international catastrophe.
What's Microsoft to do? Sit back and blame it on the user and risk a massive class-action lawsuit? or save the day and risk supporting XP into perpetuity, making judgment call after judgment call whether the latest thing affecting XP is serious enough.
Take it easy, Charlie, I've got an Angle...
When your state makes the BBC news about its corruption, you know you're world class.
One of my current patients is a laser micromachining system that runs Win2K. The company that made it got out of the business, and when was the last time you saw an AGP video capture card? All with software that talks directly to the hardware. And, of course, no money to replace it.
I haven't had to deal with true S100 on an instrument. Yet.
One of the things I saved from being trashed was an Osbourne 1 that's now part of our display of old computer gear.
and by doing it this once, Microsoft may have just screwed itself into supporting XP again
No, they didn't
What is MS to do?
1. Don't make upgrading that difficult. Make the upgrade / migration path easier, not more difficult.
2. TEST THEIR SOFTWARE. Hire in (back) QA and pay them for what they are worth. MS typically will undercut pay for SDET by about 25% (or more).
As I said earlier: I would like a viable migration path. Throwing in the garbage is not a viable migration path.
If you choose a closed non-free OS, you have to stay on that treadmill. That may be expensive updates or a forced upgrade.
Nobody forced you to buy this, you knew it would EOL.
Slightly more sympathy with embedded versions but to be honest it would be my first IT question when buying equipment with an embedded OS e.g can I just update the computer piece of your mass spectrometer?
I'm no MS fan but you knew what you were getting into. And if you didn't you do now!
I write software. Generally non-trivial application software. For instance, this is something I'm working on, and have been for some years now.
I have been fixing products for years as the bugs / errors were found. For free. Usually within hours or at most, days. I feel really good about it. For my commercial work, I charge for new features and keeping up with OS malfuckery. Not for my own errors. I am also very careful to maintain maximum compatibility with various OS releases -- rather than using the new OS features, I concentrate on using as few OS features as possible; and when they break I write my own if at all possible, thereby eliminating the dependence on the now-broken OS feature. For instance, at some point Apple's OS X file dialog began hanging the system when opened, which is pretty much a death sentence for real time signal processing software. So I wrote my own. No more hangs, plus it has some cool features the OS X dialog doesn't -- and it's highly unlikely to break, because it is coupled in as limited a manner as I could manage to OS X. But if it does, I'll fix it.
I am willing to put my best efforts forward to fix every bug I can find that is "mine." I work around OS bugs if and when I manage to figure out how. I keep my documentation up to date, basically the same philosophy applies there: the docs should be as "right" as I can make them. I wrote my own documentation system to make sure I could keep control of that without my work becoming roadkill consequent to the "next cool thing" WRT someone else's documentation system.
Again: perfectly content with this. I like keeping my work as current as possible and as reliable and accurately represented as possible. I sleep very well because of it.
If the vehicle was defective with regard to features and/or capabilities touted at the time of sale, then in my opinion -- and I agree, not the law's, but the law is often bad and/or wrong, and I submit that this is one of those cases -- then the manufacturer should remain on the hook. That's not about wear; it's about it being what they said it was at the time of sale. If it isn't what they said it was, then they either owe a fix, or a refund. Simple fix: Don't sell stuff you aren't willing to put your best efforts into. I don't find that to be any problem. Then again, I'm the boss, so I get to say that. I don't need the law to tell me to do that, I do it because I am confident that it is the right thing to do.
Apples and oranges. I'm not talking about something wearing out. I'm talking about it being supplied in a defective state.
1) Company sells you a home, claims has full basement ...yes, even if it takes you fifty years to figure it out, they should still be on the hook for the deceit and the consequences of that deceit.
2) You buy it
3) Turns out there's no basement
Again, simple fix: Don't DO stuff like that.
I've fallen off your lawn, and I can't get up.
People buy a computer expecting it to last a few years. We know they're obsolete well within a decade. Nobody buys a PC, seriously expecting to still be using it 10 years from now.
If, after 10 years you *are* still using it, then it's up to you to continue to support it.
None of the Linux distributions have the muscle to take advantage of a misstep from Microsoft.
Remember when even magazines like UNIX World said that Windows NT was the future and that UNIX was dead?
Right.
I sympathize, but in the end, it's YOUR fault for buying software and/or hardware that only works on a particular operating system and you don't have the source. There is a perfectly valid reason free software people want drivers to be open sourced. I know, I know - but they don't offer that. Then either choose something else or accept that you're buying into closed source and potentially unsupportable items. It's a choice. People make it. You choose to use this stuff. Even if it feels like you don't have a choice, you do. The choice might even be not to do that thing that requires that particular thing. It's still a choice. If it's for business reasons, it's STILL a choice. Don't do business or do business and use unsupportable items. It's still a choice. You might not like it (which is perfectly normal), but it's still a choice you made.
What's On Your Network ??? http://www.open-audit.org/
I sympathize, but in the end, it's YOUR fault
You have got to be kidding. Show me a list of software that can be upgraded before the upgrade is available.
You misconstrued what I said. If the drivers (software) are open source (eg: in the case of Linux, in the kernel and supported by the kernel dev team), then they will be supportable (essentially) forever. Choose this type of software where possible. Substitute drivers for an application. If the app is open source, it's supportable forever. A decent compromise is an agreement that if the company stops supporting the software without an upgrade path (or goes out of business), it makes the software open source. Have seen that in numerous purchasing contracts. A third party (usually lawyers) hold a copy of the source in escrow.
Granted it's not always offered, but that's my point - it's a choice.
What's On Your Network ??? http://www.open-audit.org/
You misconstrued what I said.
Actually, you don't understand the problem.
If the drivers (software) are open source (eg: in the case of Linux, in the kernel and supported by the kernel dev team), then they will be supportable (essentially) forever.
Ah... no. For one system --- there is an "open source" software option; and in this open-source I found an annoying bug. The dirty secret with open source: if the bug isn't on someone's "favorite" plate, it's not going to be looked at/fixed. And if I don't know the language that it is written in ... then it won't be fixed.
Choose this type of software where possible.
... not possible; this is why I'm stuck in WinXP hell. The hardware that I'm stuck with is no longer available as 'new' and there are no "modern" drivers as an option. The software cannot migrate (and in one instance the owner of the software is no longer in business)
A decent compromise is an agreement that if the company stops supporting the software without an upgrade path (or goes out of business)
Again not an option. I need to put in a new development process to replace one piece of equipment (the 5-year issue); I need to replace hardware / driver (company is out of business & no one else makes it) and ... the 3rd is BUGGY replacement software written in Python.
Granted it's not always offered, but that's my point - it's a choice.
This 'choice' is never offered.
FTA: Microsoft supported Windows XP for over a decade before finally putting it to sleep.
Win XP still works, and so do the apps that have run on it forever. It is enough for most people.
The computer hardware/software industries' game of constant upgrades worked for a while, while hardware was improving at an exponential rate. That is not happening any more, making it more difficult to keep customers on the treadmill.
This is behind the move to "rented" apps from MS, Adobe, Intuit, and many other companies who used to sell a stand-alone product. They have already done most everything that needs to be done. But rather than go off and conquer some new market-space, they are instead tied to juicing the one that they dominate. They end up trying to get people to rent the software that they use, often for their regular job.
An app (a computer program) is simply a recipe. Think of your mother's box of recipe cards. When she uses them, she employs her own hardware (kitchen) to run through the recipe; there is no reason why she should have to pay every time she refers to the recipe. Extend that analogy to computer programs that you have bought and paid for. Why start renting them now? Especially if you have had to re-purchase, or purchase multiple upgrades, along the way? There is no justification for continuing payments. None.
Renting software is stupid, but I won't bother with a rant in a dead thread.
Ah... no. For one system --- there is an "open source" software option; and in this open-source I found an annoying bug. The dirty secret with open source: if the bug isn't on someone's "favorite" plate, it's not going to be looked at/fixed. And if I don't know the language that it is written in ... then it won't be fixed.
You have the source. You can determine the language (or pay someone who can). You can pay someone to fix the bug.
The hardware that I'm stuck with is no longer available as 'new' and there are no "modern" drivers as an option. The software cannot migrate (and in one instance the owner of the software is no longer in business)
Which is why I'm advocating (in the future in your case) to not buy these types of systems in the first place. I realise in this case it's after the fact. Maybe next time.
This 'choice' is never offered.
So next time ask for it. There should be little objection. If the company is worried about giving up the source - it's only if they're out of business, so no money lost. I also think it's quite reasonable to ask for the source if they effectively discontinue the product. You do have to ask though. Your lawyers and management will likely be on board with at least asking, especially after seeing the consequences this time around. If the vendor is not willing to compromise, make a choice. Either accept the risk (as was done previously - please learn from this) or choose something or someone else who meets your requirements. Or even change your process to not "require" this system. There are ALWAYS choices. They may not be easy or nice, but they are there.
In this case, someone previously chose to use this system. Next time around remind the decision makers about this. They may well choose to ignore you and accept the risk. But they have chosen this option. I'm not denying you're between a rock and a hard place at the moment. I've been there (exact same thing). It sucks. Just try to educate the decision makers about this type of thing in the future.
What's On Your Network ??? http://www.open-audit.org/
How soon before payloads detect Linux, OS X and Windows on internal networks and alter their spread in real time after Windows access?
Probe the network. Release different code depending on what OS network conditions get found beyond Windows.
Domestic spying is now "Benign Information Gathering"
You have the source. You can determine the language (or pay someone who can). You can pay someone to fix the bug.
REALITY ... might want to check into it.
Which is why I'm advocating (in the future in your case) to not buy these types of systems in the first place. I realise[sic] in this case it's after the fact. Maybe next time.
So - you advocate in buying nothing. Well, it will save money, just won't accomplish anything.
So next time ask for it.
"NOT OFFERED" ... NOT AVAILABLE... BUY WHAT WE HAVE OR *NOTHING* ... NO OTHER OPTION.
No, we should have longer support times for OSs but not indefinitely. Who would have thought there'd be a middle ground.
If you want to drop all support for your OS, you have to drop product activation and all that other crap that makes it difficult if not impossible for me to tweak and rebuild the system to my needs.
I don't expect support forever, but I do expect the right to continue using my license forever.
Never had a virus outside the lab. (And the lab story is still told.)
Tracy Johnson
Old fashioned text games hosted below:
http://empire.openmpe.com/
BT
20170516 I understand why folk should update and I do so on most machines, however some machine tool manufacturers - no longer in business - used XP to run the machine tools they supplied. The computer inside the machine control is an XP system with drivers only for XP. Thus these machines are and will be working on XP for about the next 40 years! [Machine tools have a life of upwards of 60 years in manufacturing plants.] The inability to keep XP running, due to drivers for the machine tools ONLY being available for Windows XP, means they have to keep XP working.
At one site, the value of the machine tools is about USD $400,000 for 3 machines, the value of XP USD 40, and the value of the XP-specific machine tool drivers equates to the machine tool replacement cost (modern equivalent), about USD 1.6 million each at current prices. The NHS has similar problems as drivers for some medical equipment are XP specific.
The NHS did not learn to obtain a certified copy and source code of drivers (oh! proprietary - you can not have) so that in the event of supplier demise, they could rebuild the drivers onto an XP system. Likewise the machine tool using guy I support.
Regards Eion MacDonald
No problem. The projected expense of supporting the product til "much later" can be built right into the price tag.
Now your image loader costs 3 times as much and everyone is happy.
I think you underestimate just how much I just dont care.
Microsoft doesn't care about the XP systems. The reason they felt the need to push an XP update this time is because this piece of malware propagates peer to peer, and thus infected XP systems threaten the systems that Microsoft DOES care about.
Microsoft is still selling software they know has defects. Every software vendor is. Software made to NASA standards would cost far more, and it wouldn't surprise me to find defects in NASA software.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Sell a truck that does not run? Fraud
Sell a lawn mower that does not cut grass? Fraud
Sell a scalpel that will not cut flesh? Fraud
Sell an operating system with holes and NOT fix them? Fraud.
By applying this patch they agree to upgrade to Windows 10, pay Microsoft for every OS release between XP and Windows 10 at retail price. They also agree to any monitoring Microsoft deems necessary to prevent a future non payment for OS upgrade. They also have a right to any video feeds, data on any machine in the house.
Click here to agree and install
Next screen - "are you sure you agree? Yes"
No it doesn't really say this... what if it did.
I have a suspicion that your Ford dealer isn't going to repair the faulty fuel system on your Pinto.
Two of my imaginary friends reproduced once