Slashdot Mirror


Slashdot Asks: In the Wake Of Ransomware Attacks, Should Tech Companies Change Policies To Support Older OSs Indefinitely?

In the aftermath of ransomware spread over the weekend, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, writes an opinion piece for The New York Times: At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, "pay extra money to us or we will withhold critical security updates" can be seen as its own form of ransomware. In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more. Microsoft supported Windows XP for over a decade before finally putting it to sleep. In the wake of ransomware attacks, it stepped forward to release a patch -- a move that has been lauded by columnists. That said, do you folks think it should continue to push security updates to older operating systems as well?

40 of 360 comments

  1. No by Anonymous Coward · · Score: 5, Insightful

    No. You can't support legacy software forever. If your customers choose to stay with it past its notified EOL then they are SOL. Any company using XP that got hit by this can only blame themselves.

    1. Re:No by jellomizer · · Score: 4, Insightful

      I will need to agree with conditions. If the Tech company is selling service contracts for that product, they will need to update it. However, like XP and older, where the company isn't selling support, and had let everyone know that it is off service, they shouldn't need to keep it updated. Otherwise I am still waiting for my MS DOS 6 patch as it is still vulnerable to the stoner virus.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:No by jellomizer · · Score: 2

      Easier said than done. Many of these closed-source software packages use purchased 3rd party libraries that will not allow for the code to be open sourced. Then there is still code that is used in your current product that you may not want to share. Finally you want people to pay for the new version, and not just get a hold of a perfectly functional older version.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:No by Anonymous Coward · · Score: 2, Insightful

      Or perhaps one option would be to open source the older OS's so that should someone choose to be on the hook for offering support (or the community comes together?)

      However, I think if they open sourced it, so many eyes would pour over it and find so many glaring exploits that it would actually be worse overall - at least in the beginning?

      Ahh hell, nevermind... :-)

    4. Re:No by vux984 · · Score: 2

      OTOH this is the same Cisco that makes it a PITA to get firmware updates for many products without an active service agreement.

      So many small offices out there that bought a Cisco 800 series or something, and once it's a couple of years old can't easily get updates, even if it's still an active product line.

    5. Re:No by SecurityGuy · · Score: 3, Interesting

      I don't see how you can blame Microsoft if $OTHER_COMPANY uses their software in a way Microsoft doesn't support. IMO, you should be blaming Hitachi here, not Microsoft. As far as critical and irreplaceable goes, anyone who builds critical, irreplaceable services on commodity, consumer grade software, has no one to blame but themselves. Put another way, they may have accepted the risk that this would happen when they stood the service up. The risk has now materialized.

    6. Re:No by thegarbz · · Score: 2

      Nope. I'd be telling factories on razor thin margins to focus on gear from vendors that offer a design not susceptible to 3rd party obsolescence. Or at the very least then proceed to design around potential security issues in their own way. Remember this isn't a case of Windows XP embedded running on systems. It's a case of:

      - Windows XP embedded running on systems.
      - Systems open to external interface to another machine
      - Systems connecting to another machine without protection against attacks on ports they do not require to operate.

      To be clear I manage quite a few Windows XP machines in such an unupgradable situation. None of the machines had the patch sanctioned so far except for one by Schneider Electric, and we haven't gotten around to patching that one. Yet I'm not losing a single night's sleep over this.

    7. Re:No by Xest · · Score: 2, Interesting

      The irony is that Microsoft does offer paid support for Windows XP, but that the UK's current Conservative government decided to axe the contract a year or two back to save money.

      I wonder how that £5mill saving has paid off now that they're going to have to pay a fucking fortune in sorting it all out and upgrading anyway?

    8. Re:No by AmiMoJo · · Score: 4, Insightful

      The people providing support should be the ones making MRI scanners, ATMs and other expensive equipment that only works with XP. Even when XP was brand new, did they really expect those machines to only have a lifetime of around 10 years? Microsoft was clear about how long support was going to be provided for.

      It seems that people are only just waking up to the fact that these machines have software and it needs on-going maintenance. The next decade or two will be littered with software bricked but mechanically sound hardware, everything from IoT lightbulbs to multi-million Euro medical equipment.

      In fact it's already happening. You can buy DNA sequencers on eBay, less than a decade old and original price $500,000, now barely worth the shipping because the manufacturer abandoned support.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re: No by darkain · · Score: 3, Informative

      While it is Windows XP today, it won't be long before it is Windows 7 that is totally screwed by these same policies... which is extremely worrisome considering how much hardware and software DOESN'T work on Windows 10 (let alone the spying bullshit). Win10 is even worse in that hardware/software supported at initial release has been removed since then by updates, meaning users literally have to choose between security or functionality at this point.

    10. Re: No by Dread_ed · · Score: 4, Insightful

      If you own a Chevy, Dodge, or Ford and the airbag is defective and recalled it won't matter if you are out of warranty. The device will be fixed free of charge by your local dealer. Any safety recall would be handled the same way. The retailer's service facility will repair it free of charge.

      With the news of how medical records and devices were affected, one might begin to wonder if software should be subject to the same kind of recall system. Personally I think it feels a little one sided for software companies to create buggy and easily penetrated software that results in loss on the user's end and all the company has to say in return is "You need to buy this new (equally buggy and easily penetrated!) software that is more intrusive and gives us access to more of your marketable metadata."

      Is this yet another example of how dollars equal speech, leading to a loopback fucking, where our own money is used by large corporations to buy lawmakers and make sure protections for customers are never passed?

      I would like to hear dissenting opinions as well as corroborating ones.

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
    11. Re:No by Gadget_Guy · · Score: 2

      The embedded version of Windows XP is a separate product and still does get support (including updates) until April 2019, a fact XP users can use to their advantage to continue getting updates.

  2. Silly idea by argStyopa · · Score: 4, Insightful

    Should they go back and patch Win95 while they're at it? Make Win386 rock-solid in the face of current virii and ransomware?

    By that same logic, you could insist that Ford go back and install safety glass and airbags on any existing Model T's still running.

    The simple fact is that OS's are a treadmill. It's a not a typewriter that you buy once and use until it breaks.

    Look, I think OS firms *should* support 'the last few versions' - say whatever was current 10 years ago (i.e. in MS's case, Win2007). But to go back further, or to MANDATE that?

    If you can't be bothered to run reasonably current OSs, then you're going to be as safe as you deserve.

    --
    -Styopa
    1. Re:Silly idea by thsths · · Score: 2

      Exactly. Microsoft stopped selling Windows XP over 8 years ago (!). I doubt many of the affected computers are older than 8 years.

      It is more likely that people made use of the "downgrade" option in professional licensing, which allowed them to install Windows XP despite the fact that it was no longer on sale. That should have been a clear warning that support will not last forever.

      But no, organisational inertia means that IT kept setting up new Windows XP systems long after the system was discontinued. I think there is clearly one party at fault, and it is IT.

    2. Re:Silly idea by Anne+Thwacks · · Score: 2

      No one is using Win95.

      When did you last visit an NHS hospital? I am fairly certain that the ward my mum was in two years ago had "entertainment centres" showing a Win95 desktop, powered up, but not functional because the hospital app did not support 95! Perfect for hosting malware.

      I get the impression the mains plugs have PAT tests, but no one has the job of auditing the PCs for sane software.

      All the signs are that decisions are taken by the congenitally incompetent - probably Mr Potato head in the case of King Edwards Hospital. Surely the "Friends of King Edwards Hospital" could go round and install Linux on them, and for the price of the support contract for the piss-poor entertainment software, a local computer club could cobble up an OpenSource solution to entertaining the over 1,000 patients.

      --
      Sent from my ASR33 using ASCII
    3. Re:Silly idea by thegarbz · · Score: 2

      Bad car analogy. Firstly many old cars are banned from using critical infrastructure like highways (or in some cases any roads) for their obvious threat to third parties and their owners.

      Also this isn't hobbies we're talking about. No one gives a crap if someone's Model T toy breaks down, just like no one will cry about the Windows XP virtual machine I play with at home.

      The only complaints are against critical services, internet connected machines that operate and provide livelihoods for the owners. If the software isn't owned by anyone, ... well I'm sure the owner provided an unbiased risk assessment as to whether they should migrate to something that is supported by someone right? Didn't think so.

      The end user has 100% of the responsibility, and dollars don't change that.

    4. Re:Silly idea by Khyber · · Score: 2

      "Unless, of course, you're insinuating that the poor and economically disadvantaged (companies included) deserve to suffer the ill effects of operating outdated systems."

      In some cases, yes, those companies DO deserve such ill effects. Especially those that simply refuse to embrace technology at all.

      Recently, in the rock club I'm a member of (and running for the VP position) I learned that these older people are so set in their ways that they actually voted to remove all computers from their shop back in 2000. Now they have field trips where about 7 times out of 10 they're violating someone's current valid mining claim. I donated a computer loaded with every tool they'd need to check out land before going on a field trip, and the usage/search instructions were so clear and simple that I had the entire training video cut down to 40 seconds.

      Only one of those older people took to the computer. Everyone else shunned it because someone back in 2000 used it to access porn sites and jeopardized the shop's non-profit geology educational charter, which is why the board voted to have no computers. Well, when you're given the access to such information, and the person supplying that access knows how to restrict access to non-organizational material, you have no reason to ignore it, and to restrict it when it's part of your club's interest goes against the educational non-profit charter rules.

      This particular club is now facing dissolution. It is California's oldest non-profit, almost 100 years old. They have refused to get with the times, and I can guarantee within a decade this club will no longer exist as long as it continues to operate in this fashion.

      And in this case, they deserve every fucking bit of it. They have no excuse to ignore the experience or expertise of someone more qualified than they are in this field. This is where jurisprudence comes into play.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:Silly idea by Ty · · Score: 2

      If IT hasn't convinced management that they need to keep up with security updates, via paying for software upgrades if required, it has failed one of its core functions.

    6. Re:Silly idea by FaxeTheCat · · Score: 2

      It is actually management who have failed by not ensuring that the people that run their IT systems do it in a secure way.

  3. hard question by nomadic · · Score: 4, Interesting

    I honestly can't figure out where I fall on this. I would say for major security issues, yes, though the cutoff should be when production use of that OS gets below a certain point, which should be easily monitored, and I don't think XP went below that.

    In any event, that an organization the size of NHS, quite literally one of the largest employers on the planet, did such a poor job on security is disgraceful, especially considering how internetworked all their stuff was.

    1. Re:hard question by thegarbz · · Score: 2

      You introduce a chicken and egg problem that will only deflect the problem elsewhere. If MS continuously supported the OS then there'd be one less driver to move away from it.

      Instead of a bug breaking some ultra expensive piece of factory gear it will be a hardware failure or something else that can no longer be fixed. Simply removing one of the sources of obsolescence doesn't solve the underlying problem that is that many companies have piss poor obsolescence management or business continuity plans in place.

  4. Support Older OSs Indefinitely? by fustakrakich · · Score: 3, Insightful

    Indefinitely? No, only as long as they want to keep their copyright/patent privileges on those systems.

    --
    “He’s not deformed, he’s just drunk!”
  5. Re:Blame Windows 10, in Part by DontBeAMoran · · Score: 4, Funny

    I've installed Windows 10 on my PC and TRY BING TODAY it's not that bad.

    --
    #DeleteFacebook
  6. I recommend a Subscription model... by CAOgdin · · Score: 2

    Abandoning Operating Systems is a cruel trick played by vendors who want the new revenue from upgrades...no matter what the cost in lost-business, learning-curves, and incompatibilities with existing practices may be to the customers. Spending money on maintaining the security (even excluding features) of superseded products distracts from development of improved products, and is not in the vendors' self-interest.

    Given that a new Operating system (retail) is in the $100-$150 range, I'd propose a "Life Extension" service subscription, solely for security updates in the $30-35/year range...with a required minimum of 10,000 customers to keep maintaining the service. That provides enough revenue ($1,000,000+ per annum) to support a small, dedicated staff.

    Frankly, there's no reason that M$ couldn't engage in a Joint Venture with a small qualified, independent security firm to provide the service, with special access to proprietary information within the O.S. vendor.

    It would be an investment in the rehabilitation of the O.S. vendors' reputation, because M$ has gotten quite high-handed in recent years, dictating (or even forcing) software on unwilling customers who have existing businesses to run.

  7. Re:How about you learn to program? by CAOgdin · · Score: 2

    Because crooks keep being more inventive, finding new -- heretofore unanticipated -- ways of tricking users and software.

    You might as well ask, "How many law enforcement officers are out there?" There will always be some to invest their inventiveness in making a quick "killing" instead of engaging in honest, hard work of designing products that people want. Computer criminals are not interested in the niceties of business, like marketing, and advertising, and customer satisfaction...they're only interested in finding an easy way to make lots of money in a hurry.

    Solve THAT problem, AC!

  8. What if we tied support to copyright? by ToTheStars · · Score: 5, Interesting

    Slashdot generally doesn't like ludicrously-long copyright terms, right? What if we made maintenance a requirement for retaining copyright over software? If Microsoft (or whoever) wants to retain a copyright on their software for 70 years, then they'd better be prepared to commit to 70 years of support. If they want to EOL it after 5 years or 20 years or whatever, and wash their hands of responsibility, that's fine, but then it's public domain. Why should we let companies benefit from software they don't support anymore?

    This could also work for art works, as well -- because copyright exists "To promote the Progress of Science and useful Arts," we could make it a requirement that an author (or company, or whatever) needs to be distributing (or licensing for distribution) a work to have copyright on it. When it's out of print, it enters the public domain.

    1. Re:What if we tied support to copyright? by drinkypoo · · Score: 2

      Optimally, the law would also require a source release so customers using the unsupported software could find another vendor for their patches.

      The Open Source release could simply be a requirement for copyright protection. They don't have to do it, but if they don't and their code gets out after they stop support then it enters into the public domain, even if they then later go on to start supporting it again. And of course, they also lose copyright protection over the binaries at the point at which they stop support, and should have to provide a universal reg code that bypasses any activation, or a similar patch, etc.

      The code release is going to have to be on an approved license, and there is plenty of room for shenanigans there. But it's still a good idea.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:What if we tied support to copyright? by ToTheStars · · Score: 2

      If Microsoft did have software they were going to support for 70 years, and priced it accordingly, probably it would be too expensive for you or me, but there might be corporate users interested in that kind of long-term stability and commitment. Nothing would stop them from releasing software that is supported for only five years (and that would probably have a low enough price tag that personal users like us would be willing to pay), but once it hits EOL, their copyright on that OS expires as well.

    3. Re:What if we tied support to copyright? by swillden · · Score: 2

      The Open Source release could simply be a requirement for copyright protection.

      IMO, there should be no copyright protection on binary-only releases. If there are such secrets in your source code that you don't want to publish it, you should use contract and trade secret law to protect your product. If you want copyright protection, you should have to publish the source code so that it's truly usable when it eventually falls into the public domain. That doesn't mean that you have to give anyone legal rights to redistribute, modify, create derivative works, etc. -- you can still reserve all rights, but people can read the code, and they can do whatever they like with it when the copyright expires (granted, that's essentially forever in software terms, but it's the principle of the thing).

      If that were the law of the land, it seems very easy to tie support to it: If you stop supporting your product, you don't lose copyright protection entirely, but you must give your licensed customers the right to create derivative works to fix security vulnerabilities, or to hire a third party to do it. We could even maintain the restriction on the creation of derivative works for any purpose other than fixing vulnerabilities... customers still could not add features or modify in other ways; they could only perform minimal changes to address security problems.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:What if we tied support to copyright? by ToTheStars · · Score: 2

      If I didn't want to support version 1.0 anymore, I'd EOL it and give it up into the public domain, but I'd still have copyright over version 30 (which is actively supported).

      And if someone else wanted to 'pirate' v1.0 and release it and build on it themselves, they'd be legal in doing so, but unless they were supporting it themselves, then their modifications would be public-domain as well.

      (Of course, my logos and such would be trademarked, not copyrighted, so they'd have to do something like IceWeasel vs. Firefox.)

    5. Re:What if we tied support to copyright? by ToTheStars · · Score: 2

      swillden has an interesting comment (https://ask.slashdot.org/comments.pl?sid=10611915&cid=54420295) that if a company is serious about keeping their code secret, they should probably use trade secret and contract law, not copyright. He's of the opinion that copyright should only apply to works that are fully 'published', i.e. not applicable to binary-only releases, because even if a binary blob technically times out of copyright, it's not really modifiable and fully-usable by the public without the source. (And even if an entity does seek copyright protection for software and publishes their source accordingly, they don't necessarily have to license it to permit redistribution until support lapses.)

      You're probably right about the choice of license -- PD != GPL.

  9. Re:Don't be silly by newcastlejon · · Score: 2

    What I want to know is why Samba wasn't disabled already. Isn't this something that can be done with Group Policy?

    --
    If God forks the Universe every time you roll a die, he'd better have a damned good memory.
  10. Re:Virtual machines + backup by iggymanz · · Score: 2

    You're confused, virtual machines can become infected and spread infection and clog networks too. That is not a solution. Having backups and archives of infected files is not a solution either. Guess again.

  11. They already exist by number6x · · Score: 3, Insightful

    They already exist. They're called routers. Network routers can be configured to provide a great deal of protection to machines that are older and cannot be patched. Many contain firewall software. Even simple ones can be configured to block traffic on vulnerable ports.

    In this case, a router could be configured to keep the SMB port (445) blocked. A router, with updated software, and a firewall gateway can help protect even older devices with embedded code that may no longer be supported.

    Of course, it goes without saying that you must keep the router's software updated and not use default credentials on the router.

    The NHS decided to not upgrade many old systems because the threat was deemed minimal. Offices were urged to upgrade but funds were not made available and infrastructure budgets were cut again and again. Multiple bad decisions led to this result.

    Many things could have prevented it. Better funding, better threat assessment, the NSA informing Microsoft of the vulnerability so it could have been patched years ago, and on and on...

    In the end we are here, and hopefully threats will be re-prioritized and better protections will be put in place in the future (I could not keep a straight face while typing that and finally burst out laughing).
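
    An added example, not from this thread or any poster, of the router-side blocking number6x describes: a default-deny SMB policy for a subnet of unpatchable hosts, rendered as iptables rules for a Linux gateway and replayed over constructed gateway log lines to audit what it would drop. The subnet, the file-server address and the log format are assumptions.

```python
# Added example (not from the thread): a default-deny SMB policy for a subnet of
# unpatchable XP/embedded hosts, rendered as iptables rules for a gateway, plus
# an audit that replays gateway connection logs through the same policy.
# Subnets, addresses and the log format are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SMB_PORTS = (139, 445)                  # NetBIOS session and direct-hosted SMB
LEGACY_NET = ip_network("10.0.5.0/24")  # constructed: where the XP gear lives
FILE_SERVER = ip_address("10.0.1.10")   # constructed: the one patched host allowed SMB to it


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def smb_decision(flow: Flow) -> str:
    """Return 'allow' or 'drop' for one connection attempt.

    Only SMB traffic touching the legacy subnet is affected: the patched file
    server may open SMB sessions to legacy hosts; nothing else may reach them on
    SMB, and they may not initiate SMB to anyone, so an infected legacy box
    cannot reach the rest of the network over 445.
    """
    if flow.proto != "tcp" or flow.dport not in SMB_PORTS:
        return "allow"
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst in LEGACY_NET and src == FILE_SERVER:
        return "allow"
    if dst in LEGACY_NET or src in LEGACY_NET:
        return "drop"
    return "allow"


def iptables_rules() -> list:
    """Render the same policy for the FORWARD chain of a Linux gateway.

    Order matters: iptables takes the first match, so the explicit ACCEPT must
    be loaded before the two DROP rules.
    """
    ports = ",".join(str(p) for p in SMB_PORTS)
    smb = f"-p tcp -m multiport --dports {ports}"
    return [
        f"iptables -A FORWARD -s {FILE_SERVER} -d {LEGACY_NET} {smb} -j ACCEPT",
        f"iptables -A FORWARD -d {LEGACY_NET} {smb} -j DROP",
        f"iptables -A FORWARD -s {LEGACY_NET} {smb} -j DROP",
    ]


# Constructed gateway log lines in a simple key=value format.
SAMPLE_LOG = """\
ts=2017-05-12T10:01:02Z src=10.0.1.10 dst=10.0.5.20 proto=tcp dport=445
ts=2017-05-12T10:01:05Z src=10.0.2.33 dst=10.0.5.20 proto=tcp dport=445
ts=2017-05-12T10:01:09Z src=10.0.2.33 dst=10.0.5.21 proto=tcp dport=80
ts=2017-05-12T10:02:14Z src=10.0.5.20 dst=10.0.2.40 proto=tcp dport=445
ts=2017-05-12T10:02:15Z src=10.0.5.20 dst=10.0.2.41 proto=tcp dport=139
"""


def parse_line(line: str) -> Flow:
    """Parse one key=value log line into a Flow."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Flow(kv["src"], kv["dst"], kv["proto"], int(kv["dport"]))


def audit(log_text: str) -> list:
    """Replay logged connections through the policy; return the flows it drops.

    Run it before the rules go live to see what would break (an unexpected SMB
    dependency) and afterwards to spot a legacy host that has started probing
    port 445 on its neighbours.
    """
    flows = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [f for f in flows if smb_decision(f) == "drop"]


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    for f in audit(SAMPLE_LOG):
        print(f"would drop: {f.src} -> {f.dst}:{f.dport}")
```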

  12. Re:No. *All* companies should ... by Khyber · · Score: 2

    " Honestly a simple backup will prevent most ransomware attacks"

    Uhhh, what? In fact, more attacks have encrypted user files recently, so you're not going to stop this any time soon.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  13. Re:Virtual machines + backup by drinkypoo · · Score: 2

    Not to mention that often the reason why a legacy OS is still being used isn't so much software as hardware, and drivers for same. Sometimes that stuff can be connected to a VM, sometimes not.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  14. windows 10 enterprise by Joe_Dragon · · Score: 2

    Windows 10 Enterprise lets you turn that stuff off but it's too bad that smaller places can't really get Windows 10 Enterprise, unless they get into a long term contract for software.

  15. Re:It's about the hardware (and apps), not the OS by KiloByte · · Score: 2

    the only way forward for me was running a USB hub to allow switching between computers piled on my desk and keeping my old XP box at the ready in case there was some critical app to which I had lost the installation media that I needed.

    You do know that you can have XP in a virtual machine, don't you? Or for that matter, other obsolete OSes such as 7 and 10.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  16. Re:Wrong Approach by Last_Available_Usern · · Score: 2

    The secrets will always get out.

    To be fair, this would have happened either way. Maybe (and this is a big maybe) that it would be found out so far down the line a lot less people would be affected, but odds are that someone would have found it anyway. Also, if you think the Chinese and other nations with big cyber divisions aren't sitting on their own vulnerabilities I think you're kidding yourself.

  17. Re: Disagree by Dunbal · · Score: 3, Insightful

    Not only that but the fact that they released the "patch" as soon as the word was out that the NSA toolkit had been leaked into the wild is damning evidence - they knew about it all along and this patch is damage control. The REAL damage is letting them get away with shit like this for decades.

    --
    Seven puppies were harmed during the making of this post.