Ask Slashdot: How Do You Handle Hardware That Never Gets Software Updates? (hpe.com)

← Back to Stories (view on slashdot.org)

Ask Slashdot: How Do You Handle Hardware That Never Gets Software Updates? (hpe.com)

Posted by BeauHD on Thursday July 26, 2018 @12:20PM from the hardware-dead-ends dept.

New submitter pgralla writes from a report via HPE: Many devices, designed for both long-term and short-term use, were shortsighted when it came to flexibility. How do you handle the hardware that never gets software updates, such as embedded systems and task-dedicated equipment? The article that pgralla shared provides the example of medical devices running Windows 7. "Many of the current generation, when they were first released, used Windows 7, and the devices still work well enough that they remain in service today," reports HPE. "But Microsoft ended mainstream support for Windows 7 back in January 2015, so the operating system gets updated only with an occasional security patch as part of Microsoft's extended support. In January 2020, that extended support will end as well." Many IoT devices are in a similar boat as they're powered by embedded Linux and are not designed to be updated after they enter service."

Of course, these outdated devices create all sorts of security concerns. "Hackers and their access to knowledge and computing power only go up as the years pass, which means that long-lived, fixed-firmware devices become ever more insecure over time," says Michael Barr, founder of the Barr Group, which provides engineering and consulting services for the embedded systems industry. The WannaCry ransomware hack in 2017 affected not just PCs but also medical devices, and ended up costing businesses $4 billion.

136 of 233 comments (clear)

Min score:

Reason:

Sort:

One Shot by Clutch+'+Nixon++X · 2018-07-26 12:20 · Score: 1

With a single shot of whiskey.

-Clutch Nixon
Easy.... by GerryGilmore · 2018-07-26 12:27 · Score: 5, Insightful

....don't buy it.

I've seen SO many people whining about MS' forced reboots, etc. STOP!
If there is not a sensible option available, demand that your vendor make a version that can be sensibly updated. Too many purchasing decisions just don't have any sensible criteria. ("Oh, it's built on Win XP and you aren't updating it? OK - scratch!")
1. Re:Easy.... by Shikaku · 2018-07-26 12:29 · Score: 5, Insightful
  
  Linux is free. Updates only when told to. Doesn't have telemetrics by default. Never looked back except in VMs.
2. Re: Easy.... by peragrin · 2018-07-26 12:48 · Score: 3, Interesting
  
  The issue isn't updates but people who don't apply updates at all.
  Linux and osx let you schrdule them but that says the user is smart enough to do so. 20 years of Windows updates have prove that to be false for 99% of users.
  The forced updates of iOS have proven to be !ore secure than the fragmented updates of Android.
  How often do you update your router? If your up time is over 60 days you are missing updates and are insecure.
  That is the issue. The other issue is designing software to use decraprated apis. Anyone building software using win32
  
  --
  i thought once I was found, but it was only a dream.
3. Re: Easy.... by Shikaku · 2018-07-26 12:56 · Score: 2
  
  Actually my router is also Linux. So weekly, every Sunday night. Cronie, the cron job manager handles it for me, even the rebooting if necessary; with the LTS kernel for minimal changes except bug and security fixes.
4. Re: Easy.... by fred6666 · 2018-07-26 13:00 · Score: 4, Insightful
  
  How often do you update your router? If your up time is over 60 days you are missing updates and are insecure.
  I don't know any home/small business router company (TP-Link, Linksys, Netgear, ...) updating routers every 60 days. More like 1-2 times per year, for 1-2 years. And then nothing.
5. Re:Easy.... by ShanghaiBill · 2018-07-26 13:22 · Score: 5, Insightful
  
  ....don't buy it.
  Not an option with a patented medical device.
  
  demand that your vendor make a version that can be sensibly updated.
  Right. Sure. Because companies with millions of customers always do a complete system redesign to satisfy "demands" from one whiner.
6. Re:Easy.... by Luthair · 2018-07-26 13:29 · Score: 1
  
  Unfortunately normal users are stuck at the moment. Macs are still very expensive (and have had a lot questionable hardware issues in the past few years) , Chromebooks have a 5-year EOL, and unfortunately Linux is still too flaky to give someone without technical knowledge.
7. Re: Easy.... by Desler · 2018-07-26 13:40 · Score: 1
  
  The forced updates of iOS have proven to be !ore secure than the fragmented updates of Android.
  What the fuck are you talking about? iOS does not have forced updates.
8. Re:Easy.... by Shikaku · 2018-07-26 13:47 · Score: 3, Informative
  
  https://upload.wikimedia.org/w...
  https://upload.wikimedia.org/w...
  The data says very much otherwise, and there's only legacy software forcing people into Windows nowadays. The only thing garbage here is your attempt.
9. Re:Easy.... by Desler · 2018-07-26 13:57 · Score: 1
  
  The data says very much otherwise,
  How so? Where is your data that says even half of Android buyers do so because it uses the Linux kernel? And supercomputers? Why is it that you Linux people always trot out supercomputers when people are talking about desktops?
  
  and there's only legacy software forcing people into Windows nowadays.
  
  Yeah, more than a billion people. That's practically no one!
10. Re:Easy.... by Shikaku · 2018-07-26 13:57 · Score: 1
  
  Told you your attempt was garbage, it took only 1 reply for me to do the very thing you tried. Go big or go home.
11. Re:Easy.... by Desler · 2018-07-26 14:04 · Score: 4, Insightful
  
  Not really. Many more people died without them and had less than half the life expectancy. I'm pretty sure a person who, for example, needs a patented medical device like a pacemaker just to stay alive won't be very impressed by your statement.
12. Re:Easy.... by antdude · 2018-07-26 14:09 · Score: 1
  
  Medical devices though. What work with Linux? :P
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
13. Re:Easy.... by ShanghaiBill · 2018-07-26 14:23 · Score: 4, Insightful
  
  Society got along just fine for thousands of years prior to the invention of said patented medical device.
  1000 years ago people had half the life expectancy they do today, so I would not say everything was "just fine".
  Do you really think it is okay to let people die so your network can be marginally more secure? This is why people roll their eyes at pedantic nerds.
14. Re:Easy.... by barbariccow · 2018-07-26 14:36 · Score: 1, Interesting
  
  Unfortunately with Microsoft it doesn't matter if I buy it or not. If I buy a new laptop, I am implicitly paying for a microsoft license. It's baked into the price. Many many years ago you used to be able to call the vendor and say you don't agree to the Microsoft terms of service and they would sell you an OEM version without windows at a savings of like $200. But I don't think this is an option anymore.
  That said, I don't buy Microsoft products at all if I'm not forced to (like hardware purchase). I dropped a college class back in the day because they had a requirement that all assignments be typed up in Times New Roman font. I used a freely available font, not having a Microsoft license, and got a 0. Yes I know about the old ttf distributable cab, but it does require that you own a Microsoft product, which I didn't. It was a law class and I explained this to the professor but she didn't care, so I dropped the class.
15. Re: Easy.... by barbariccow · 2018-07-26 14:40 · Score: 1
  
  I like specifically that my operating system doesn't think it knows better than me about what I need to do. There's the old adage, "If it ain't broke, don't fix it."
  I update my system on a weekend when I've got the time. I use profiled-guided optimization on many of my core packages so it takes a few days to train these as well. Sometimes I'll go a few weeks without updating my personal laptop, and that's O.K. That's my choice, and it's not an issue because I don't run shady software or host public services from it. On business servers I manage everything gets updated on an automatic schedule. That I decide. Because I know what's best, not some fixed generalized rule to apply to everybody because "some people do it 'wrong' and we need to force them to do it the way we like!"
16. Re:Easy.... by viperidaenz · 2018-07-26 14:51 · Score: 4, Informative
  
  A pacemaker corrects irregular heart rhythms, that if left uncorrected may result in a heart attack, resulting in death. Hence a pacemaker can keep someone alive.
  People who have pacemakers usually don't have them implanted for fun. They usually have them implanted as their other option is to die from heart failure.
17. Re:Easy.... by tepples · 2018-07-26 15:23 · Score: 1
  
  Do you really think it is okay to let people die so your network can be marginally more secure?
  A lot of hardcore ancaps here and on SoylentNews seem to think so. It's the sort of thing that leads people to say "If my ISP mistreated me, I'd move."
18. Re:Easy.... by gravewax · 2018-07-26 15:37 · Score: 1
  
  No Usually when you buy a laptop with windows on it you are paying less as the bloatware that the 3rd party vendors pay to put on with the OEM usually more than covers the $50 windows price (it isn't $200). Most laptops without an OS would actually cost more.
19. Re:Easy.... by GerryGilmore · 2018-07-26 15:44 · Score: 1
  
  If those "millions of customers" quit acting like sheep ("OK, we'll take whatever crap you have with NO input from us, your customers"), then maybe things will change. Otherwise, you deserve what you get.
20. Re: Easy.... by YukariHirai · 2018-07-26 15:48 · Score: 4, Informative
  
  The issue isn't updates but people who don't apply updates at all.
  This is exactly the idea behind Microsoft's forced updates: most people are never applying updates, which causes problems, so if the updates get applied without user intervention, problem solved. I don't think they're entirely wrong, but they went about implementing mandatory updates in a kind of brain dead way.
  
  The forced updates of iOS have proven to be !ore secure than the fragmented updates of Android.
  iOS doesn't have forced updates; it is always up to the user to decide to install updates or not, though Apple do a bit to encourage it. The difference between iOS and Android in terms of updates is that Apple as a matter of course rolls out security updates to every device currently supported (and they are supported for quite some time, contrary to the largely inaccurate stereotype of Apple devices getting thrown out and replaced annually) and new versions of iOS to basically all devices capable of running the new version. With android, it's left up to each hardware manufacturer to provide security updates and new versions for their devices. Many don't bother at all, many others do a couple of security updates and maybe a new version while the device in question is "current" before basically abandoning it. Even if a device is technically capable of running a new version, it's not usually an option to "go over the manufacturer's head" for updates; a build has to be tailored to the model in question, and while the wider open source community does offer some for some devices, it's very much a mixed bag of what's supported, how up-to-date it is, and even how trustworthy the third party is.
21. Re: Easy.... by Anonymous Coward · 2018-07-26 16:18 · Score: 1
  
  1.The issue is Windows nags you in the most critical times to update your system.
  2.You waste few hours waiting for it to be done only to realize you've been duped. 3. Drivers down work anymore, you have to setup the printers again, you have to disable and remove all the crap they're trying to push down your throat AGAIN!
  Number 1 alone can drive sane people to insanity.
  Linux begs to differ, you can upgrade everything while your system is running and only reboot if its necessary e.g. kernel upgrade, security updates.
  The longest time I've probably waited for update to finish is during the initial updates after installation. Or upgrading from 16.04 to 18.04, as you can see that's a big update pretty much new version.
  That's only for the traditional linux(debian,ubuntu,fedora,suse,centos)
  Rolling release distro are completely different animals
22. Re:Easy.... by tsa · 2018-07-26 18:05 · Score: 2
  
  That is utter bullshit. 99% of those 'sheep' as you call them have better things to do than scrutinizing firmware. They need a device that does what they need it to do so they take what is available.
  
  --
  -- Cheers!
23. Re:Easy.... by YukariHirai · 2018-07-26 18:29 · Score: 1
  
  Only in that enough people lived long enough to reproduce to keep things going. Now that we have the know-how, many deaths that would have been inevitable are now preventable. Saying "well we don't really need this because humanity has scraped by without it" is a pretty callous attitude to have.
24. Re:Easy.... by Opportunist · 2018-07-26 19:28 · Score: 1
  
  Certainly!
  Ok, life expectancy was around 35-40 years of age and living past the age of 60 usually entailed being a cripple in some way, but that's the price you gladly pay for "natural" life, right?
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
25. Re:Easy.... by Opportunist · 2018-07-26 19:30 · Score: 1
  
  I didn't say it, I did it.
  I admit that in my business finding a new job is much easier than for others, so it certainly was a lot easier for me to do than for most other people.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
26. Re:Easy.... by serviscope_minor · 2018-07-26 19:49 · Score: 1
  
  Congrats on exposing that you don't know what a pacemaker does! ;)
  The sad part is that it's function is it's name.
  What precisely do you think a pacemaker does, and why d oyou think people have them?
  
  --
  SJW n. One who posts facts.
27. Re:Easy.... by jareth-0205 · 2018-07-26 21:16 · Score: 1
  
  Society got along just fine for thousands of years prior to the invention of said patented medical device.
  Yeah, but you personally wouldn't
28. Re:Easy.... by AmiMoJo · 2018-07-26 22:04 · Score: 2
  
  I think we might be on a tipping point where Linux can really replace Windows, even for legacy stuff. WINE has got so good now that there really isn't much you can run on it.
  Level 1 Techs on YouTube are running a series of videos about gaming on Linux right now. The focus is on getting Steam for Windows and associated games working with WINE or with a VM that has a pass-through to the GPU to give near native performance.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
29. Re: Easy.... by AmiMoJo · 2018-07-26 22:26 · Score: 2
  
  With android, it's left up to each hardware manufacturer to provide security updates and new versions for their devices.
  This is a very persistent myth.
  Since V4 back in 2013 they have been patching security issues via Google Play Services, which is mandatory for Android devices. The current version (Oreo, released last year) includes Project Treble, which allows phone manufacturers to ship updates much more quickly by separating out the hardware layer, which is what was causing most of the delays.
  This is why you don't see vast Android botnets rampaging all over the internet. The OS itself is very secure already, being heavily sandboxed and compartmentalized, and with Google pushing out security fixes and having their own malware scanner running constantly as part of Google Play Services it's proven impossible to mass exploit devices in that way.
  The issues we do see are malware authors using increasingly sophisticated methods to sneak malware into the Play Store (just like they sneak it into the Apple App Store), and trying to profit before Google shuts them down, and apps that are simply deceptive and user-hostile. Part of the trade off for having more freedom on Android is that sort of risk, which is easier to mitigate if you live in the iOS walled garden.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
30. Re:Easy.... by Bert64 · 2018-07-26 23:07 · Score: 2
  
  Very few people intentionally buy windows either, they receive it when they buy the hardware - same as android.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
31. Re:Easy.... by Bert64 · 2018-07-26 23:11 · Score: 1
  
  Windows is also too flakey for someone without technical knowledge...
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
32. Re:Easy.... by thegarbz · 2018-07-26 23:28 · Score: 2
  
  ....don't buy it.
  Hahahahaha
  
  demand that your vendor make a version that can be sensibly updated
  Aaaahahahahahahaha
  +5 Funny. Now to move on to some insightful discussion that actually makes any kind of sense at all than your idealistic ideas that you or your decision matters. Actually something does matter, your indicision matters and is just likely to get you fired.
33. Re:Easy.... by thegarbz · 2018-07-26 23:30 · Score: 1
  
  The data says very much otherwise
  It says nothing of the sort. Given the context of the discussion is updates and security pretty much both of the "Linux" components of those graphs (meaning mobile phones) can happily be combined with Windows.
  The "Linux" in the context of this discussion hasn't really changed in market share in the past 10 years.
34. Re:Easy.... by The+Grim+Reefer · 2018-07-26 23:40 · Score: 1
  
  If there is not a sensible option available, demand that your vendor make a version that can be sensibly updated. Too many purchasing decisions just don't have any sensible criteria.
  Yeah, that sounds great when you say it, but here in the real world it doesn't work that way. Not that I disagree with you in principle, though.
  I work in the medical industry and can tell you for a fact that there are still a few systems running Windows NT. Granted they are firewalled off and locked down as best as possible. Lots of XP systems too, and I would guess that the vast majority of systems in hospitals are on Win 7 still.
  Here's the issue. In the case of MRI scanners there are only 3 vendors for really advanced imaging, there are 5 realistic options if you are willing to lower your standards or don't want to do cutting edge work. In CT there are 2 options for the best scanners, and only 4 if you are willing to make compromises. Unless you can get a sizable number of hospital systems to band together to demand this, you will go bankrupt trying to do as you suggested. There is one vendor that uses Linux for their scanner console, but they've had a lot of quality issues in the past, and until recently have had a lot of limitations. Additionally it will cost the scanner vendors hundreds of million dollars to do this, and probably years to implement it. The FDA approvals take time.
35. Re:Easy.... by jellomizer · 2018-07-27 00:04 · Score: 1
  
  Except for the fact the people who buy it don't know, don't care about the long term implementations of the product. Besides those expensive lunches are nice and we want to keep on the good graces of the company sales people.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
36. Re: Easy.... by swillden · 2018-07-27 00:09 · Score: 1
  
  How often do you update your router? If your up time is over 60 days you are missing updates and are insecure.
  I don't know any home/small business router company (TP-Link, Linksys, Netgear, ...) updating routers every 60 days. More like 1-2 times per year, for 1-2 years. And then nothing.
  My Google OnHub has received monthly-ish updates for almost three years now.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
37. Re: Easy.... by guruevi · 2018-07-27 00:10 · Score: 2
  
  Hence why we have DD- and OpenWRT.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
38. Re:Easy.... by Xord · 2018-07-27 00:51 · Score: 3, Informative
  
  I work in the medical industry and I have never yet seen Linux as the OS used with any major medical equipment, such as CT scanners, X-Ray scanners, MRI, Ultrasound, etc. Linux is not always the answer in the real world unfortunately.
39. Re:Easy.... by Xord · 2018-07-27 00:54 · Score: 2
  
  I should probably add that our way of dealing with these horrendously outdated operating systems required for the equipment is to vlan them off from the main network and don't allow internet access.
40. Re: Easy.... by Xord · 2018-07-27 00:59 · Score: 1
  
  On the small business side, Ubiquiti Edgerouters are quite frequently updated. Mine has four upgrades already this year and the support lifecycle of the equipment seems impressive.
41. Re:Easy.... by mjwx · 2018-07-27 01:17 · Score: 1
  
  ....don't buy it.
  OK... Where can I find the open source MRI scanner.
  
  I've been in the exact situation described in the summary, except it was about 8 years ago and it was an MRI scanner with software designed to run on Windows XP that couldn't be updated to Windows 7. Before VM's were as robust and ubiquitous as they were today. The solution was simple, an air gap.
  
  The machine had no network connection and no WiFi (yes youngsters, there was a time where most desktop machines didn't have WiFi built in). We put silicon in all the USB ports including siliconing in the KB and mouse to the ports. The machine had a stack of DVD-R's next to it so files could be transferred.
  
  I'm a big fan of FOSS, but out here in the real world you're going to encounter scenarios like the one above where you have to think practically.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
42. Re:Easy.... by iampiti · 2018-07-27 02:02 · Score: 1
  
  Yeah well, that's only an option if the device you need isn't running Windows. The article includes medical devices and some others that are very specialized and you might not be able to get with an OS of your choosing.
  I guess the only way to secure them would be to isolate the machines as much as possible. The other one would be to pressure the vendors to include long term software support for their hardware
43. Re:Easy.... by Luthair · 2018-07-27 02:10 · Score: 1
  
  Its not perfect, but your wifi card also isn't going to stop working with an automatic update nor will the user need to dig through a list of random packages preventing them from upgrading.
44. Re: Easy.... by Anonymous Coward · 2018-07-27 02:31 · Score: 1
  
  Hence why we have DD- and OpenWRT.
  I'm an MD who could coil brain aneurysms as easily as you could flash DD-WRT or another firmware. But that doesn't mean coiling brain aneurysms yourself can become a mainstream solution for everyone. See how difficult a complex task is from a lay person's perspective?
45. Re: Easy.... by Thelasko · 2018-07-27 03:04 · Score: 1
  
  Hence why we have DD- and OpenWRT.
  Most of the open source builds I have found are ancient. Particularly DD-WRT. Unless you are going to build them yourself, you will likely be worse off than using the stock firmware.
  
  The most recent build for my last router (TP-Link?) was pre-heartbleed (2013 IIRC). I just gave up and bought a nice new ASUS router that gets regular updates from the manufacturer.
  
  --
  One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
46. Re:Easy.... by Actually,+I+do+RTFA · 2018-07-27 03:49 · Score: 1
  
  Or better, don't connect it to the network. There's no reason for most devices to be on the network. And, frankly, I'm willing to accept a lot more security holes in something if step 1 is "sit down at the device"
  
  --
  Your ad here. Ask me how!
47. Re: Easy.... by Anne+Thwacks · 2018-07-27 03:57 · Score: 1
  
  If it ain't broke, don't fix it".
  Or, as we say here on /.
  If it ain't broke, it ain't Windows.
  
  --
  Sent from my ASR33 using ASCII
48. Re: Easy.... by apoc.famine · 2018-07-27 04:05 · Score: 1
  
  This is exactly the idea behind Microsoft's forced updates: most people are never applying updates, which causes problems...
  Which I noted in another thread is mostly because of how fucking awful their updates are. They are maddeningly slow resource hogs with massive and random interruptions. They are inconsistent and provide no information about what they're doing, how long it will take, and sometimes crank so hard behind the scenes that other programs stop responding.
  Why the fuck can't they do a reasonable update? Who the hell thought "Updating, don't lose power or force-shutdown or it will bork your OS" was a good idea? Why do we get extra-long boots sometimes for something? Why do we reboot, and then need to install more shit, and reboot again? Why do we sometimes boot part-way and do some shit, finish booting most of the way, then reboot, then do some more shit, and finally get to a login screen 10 minutes later?
  This level of shittiness is exactly why people resist updates. If you make something obnoxious and painful, of course people will not do that thing. Unfortunately Microsoft has done this for so long that everyone is conditioned to avoid updates like the plague. Even if they made it smooth, quiet, and slick, most people won't choose to do it because of their past (and current) history of being abusive twats.
  
  --
  Velociraptor = Distiraptor / Timeraptor
49. Re:Easy.... by Anne+Thwacks · 2018-07-27 04:10 · Score: 1
  
  what was the life expectancy in 1940 vs 2018?
  And what was it in 1940 if you exclude airforce pilots (life expectancy in service 3 months) and heavy smokers (almost all militaries provided free cigarettes - untipped)? Most of my family that survived the war died of smoking or the consequences of pollution levels that meant you could not see the end of your own arm for days on end.
  Meanwhile, my ancestors who lived between 1600 and 1800 in rural Europe mostly lived to between 70 and 90 - provided they survived the age of 5 - which a lot did not. (Have just been on a genealagy website). After the industrial revolution, things got bad in the cities.
  
  --
  Sent from my ASR33 using ASCII
50. Re:Easy.... by Anne+Thwacks · 2018-07-27 04:15 · Score: 1
  
  wifi card also isn't going to stop working with an automatic update
  Have you even used Windows? This is a regular event. Not only that, the new drivers you need have to be downloaded of the Internet using your machine with no Wifi to connect to the Internet.
  In reality, Windows is not only not fit for prime time, it is "unfit for the purposes for which it was advertised" - which is a crime in Europe unless you have enough money to pay the bribes, and eventually even they will get caught.
  
  --
  Sent from my ASR33 using ASCII
51. Re:Easy.... by geekmux · 2018-07-27 05:23 · Score: 1
  
  ....don't buy it. I've seen SO many people whining about MS' forced reboots, etc. STOP! If there is not a sensible option available, demand that your vendor make a version that can be sensibly updated. Too many purchasing decisions just don't have any sensible criteria. ("Oh, it's built on Win XP and you aren't updating it? OK - scratch!")
  I'm sorry, but you really need to understand the importance of environment before dolling out advice on "sensible criteria", especially when taking into account the instability and risk that can be introduced with patching a medical device.
  If it's not broken, don't fix it should to be proven invalid instead of automatically dismissed. Sometimes the best thing to do, is nothing at all.
52. Re: Easy.... by Dragonslicer · 2018-07-27 06:23 · Score: 1
  
  Who the hell thought "Updating, don't lose power or force-shutdown or it will bork your OS" was a good idea?
  People who didn't want the OS getting borked. Updating core parts of the operating system basically needs to be a single atomic operation, and replacing a bunch of files on disk usually isn't. This isn't a trivial problem to solve, though it certainly isn't impossible either. I would say that it should be solved in current operating systems (Windows 10, any Linux distribution from this year, etc.), but for systems from 15 years ago, I'll give them a pass on it.
53. Re: Easy.... by dnaumov · 2018-07-27 06:31 · Score: 1
  
  Wrong. If you want to sell a phone and have your marketing use the word Android, it comes with the Play Store.
54. Re:Easy.... by antdude · 2018-07-27 06:43 · Score: 1
  
  All of above. :(
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
55. Re: Easy.... by guruevi · 2018-07-27 11:49 · Score: 1
  
  Many Chinese routers and Buffalo routers come pre-installed with supported versions of DD-WRT/OpenWRT. It's not that hard.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
Don't connect it to the internet by MpVpRb · 2018-07-26 12:28 · Score: 4, Insightful

Many old tools are computer based
Some old CNC machines run on MS-DOS and a 286 processor
As long as the hardware stays alive, they continue to do the job
If they must be networked, restrict their access to the local net
1. Re:Don't connect it to the internet by kwalker · 2018-07-26 12:32 · Score: 5, Insightful
  
  Not just the local net. Restrict their access to only trusted control devices on the local net. It may require putting insecure devices on a network segment that has strict access controls, but when the only other alternative is to discontinue a working device (In situations where that's possible), making a sandbox network isn't all THAT much work.
  
  --
  Improvise, adapt, and overcome.
2. Re:Don't connect it to the internet by MightyMartian · 2018-07-26 12:46 · Score: 4, Insightful
  
  This... so much this. Segregate these devices, limit access via VLANs and firewalls. Yes, it may mean only a handful of other devices and workstations can touch these older devices, but you need to reduce the attack surface as much as possible.
  
  --
  The world's burning. Moped Jesus spotted on I50. Details at 11.
3. Re:Don't connect it to the internet by Darinbob · 2018-07-26 15:53 · Score: 1
  
  Many of these machines DO get upgraded. A lot of times they expect the customers to pay for this service though with longer term service contracts, while at the same time demanding that they upgrade their machines for an even heftier profit. Places like hospitals or linics don't have budgets to update all their machines, they had a budget a long time ago when they bought the machines but not anymore. These were capital expenditures, you can't just replace them every 5 years, it's like a homeowner being told to get a new roof every five years.
  However to be sure, other machines are regularly updated. Ie, networking equipment and smart meters to big utilities, they're paying to keep the old devices running long term. But they're in a different ball game than the dentist in the strip mall using a Windows XP based imaging system (like my dentist).
4. Re:Don't connect it to the internet by ebvwfbw · 2018-07-28 14:33 · Score: 1
  
  I wouldn't think they would be still running by now. They're 30+ years old now.
  I had a guy that bought a 286 from me years ago. He tracked me down I think in the 2000s, it finally crashed. He wanted to replace the disk. He had a 20 meg disk and this was for a dentist. However after all this time I would expect the boards inside to be going bad.
The manufacturer wants you to buy a new one by Bruce+Perens · 2018-07-26 12:29 · Score: 4, Informative

I have a number of Rohde and Schwarz FSEB and FSEA spectrum analyzers. These cost at least $80,000 new (I bought them used for a few thousand at most). They come with an old version of windows. I similarly have other electronic test equipment with old Windows or even old Linux which the manufacturer doesn't update any longer. For the Linux-based ones I could hack in a new Linux and make it use the old ABI, forget about Windows.
But what really clued me in was that the Rohde and Schwarz equipment had a battery soldered on the CPU board, and it was an hour-and-a-half service to get to it. A lot of stuff had to be removed.
Similarly, my Tektronix 500-series oscilloscopes had two 40-pin DIP Dallas Semiconductor battery-backed memory and clock chips. The batteries in these die and they aren't socketed. When the batteries die, the 'scopes lose their calibration. The company won't give you the program to recalibrate them.
The manufacturers just want you to buy new ones.
So, obviously I back SDR-based test equipment that's Open Source. Who needs a company that wants to screw you?

--
Bruce Perens.
1. Re:The manufacturer wants you to buy a new one by 50000BTU_barbecue · 2018-07-26 12:35 · Score: 2
  
  "Tektronix 500-series oscilloscopes had two 40-pin DIP Dallas Semiconductor battery-backed memory and clock chips."
  Um, no they didn't. At best, they had socketed transistors.
  http://w140.com/tekwiki/wiki/5...
  You are perhaps referring to the TM500 series, but even those are long in the tooth.
  http://w140.com/tekwiki/wiki/T...
  
  --
  Mostly random stuff.
2. Re:The manufacturer wants you to buy a new one by 110010001000 · 2018-07-26 12:38 · Score: 1
  
  Exactly. If you are going to invest in something worthwhile make sure you have the source code available. Ideally that extends to open hardware too, but I am afraid that will not likely happen. With the way the tech world is going, both open source and open hardware will be unavailable in the future.
3. Re:The manufacturer wants you to buy a new one by somenickname · 2018-07-26 14:46 · Score: 1
  
  Never attribute to malice that which is adequately explained by a manager with a Gantt Chart. You could probably track down the designer of the board and he would dejectedly tell you, "Yeah, it's a shit design and we had a respin ready but, it didn't fit in the schedule". Or you could track down the embedded software guy and he'd tell you, "We had this elegant upgrade path planned out but no one could figure out how it fit into the Gantt Chart so we dropped it".
  The engineers want to do The Right Thing but, when The Right Thing is pitched to management, it's usually just crickets. I genuinely don't think it's malice, I think it's Gantt Charts.
4. Re:The manufacturer wants you to buy a new one by gordguide · 2018-07-26 16:03 · Score: 5, Interesting
  
  I'd never buy test equipment that requires a computer connected to be usable. Never, ever.
  That's as bad as my flex radio that I never use for the same reason, garbage. Every time I sit down, I just turn on my old kenwood ts-430 instead.
  If it's a self contained device that requires no network connection, maybe. If there are software updates, they need to be installable offline. Mostly analog is ideal though.
  Sometimes "never" is not an option. One electronic test equipment that revolutionized the industry is the Audio Precision line of Distortion Analyzers. Virtually everyone involved in electronic design, testing or repair owns one, and they are almost hobbyist-priced (a new basic unit can be had for less than $US 10,000). The revolutionary part of AP analyzers is they connect to a PC to do the math.
  Now, somewhat on topic, AP is very good at updating their SW interfaces and older machines can use modern versions of the WinOS. They also are not themselves normally required to be connected to outside networks, provided you use a dedicated PC on the bench and not one used for general computing. So much of the problems are solved using good management practices.
  If you want to be anywhere near current, you need an AP. I don't own one; I send my stuff to another engineer who does to test, but he charges $200/Hr. He has the most advanced unit, somewhere near or north of $US 20K. Plus a Windows PC and a printer if you want output charts, of course. My Distortion Analyzer is adequate (Keithley, a unit of Tektronix, $US 6,000) but only measures to the fifth harmonic.
  It is a standalone device, but unless you want to dig around for an old 70's~80's era machine from HP, Tek, Boonton, a Sound Technology 1700B, etc that pre-date the inexpensive computing power era, the norm these days is software / PC / Appropriate Sound Card for low cost measurement. So now you need, again, a dedicated PC and most hobbyists use the same machine for general computing. But the cost is *way* lower than a standalone machine or an AP.
  If you fudge the numbers, it comes down to a classic standalone machine (they still sell for almost four figures and sometimes a couple of thousand) or software like ARTA and a good sound card, maybe $400 worth of stuff total in addition to a basic working PC of some kind. You can fight with your wallet or just give up and go PC-enabled.
5. Re:The manufacturer wants you to buy a new one by justthinkit · 2018-07-27 01:40 · Score: 2
  
  Actually, it is dead easy.
  If we go this way -- better design -- the customer wins and we make less money.
  If we go that way -- planned obsolescence -- the customer loses and we make more money.
  If you don't things are this bad, explain why Apple solders pretty much everything on a $1,000 iphone to the motherboard these days. The answer is...so it can be priced at $1,000.
  
  --
  I come here for the love
6. Re: The manufacturer wants you to buy a new one by Bruce+Perens · 2018-07-27 07:56 · Score: 1
  
  TDS 500 series.
  
  --
  Bruce Perens.
Medical devices with Windows 7? by itsownreward · 2018-07-26 12:32 · Score: 1

Medical devices with Windows 7? That's a laugh. We have medical devices around here running Windows XP. How's that for a nightmare?
1. Re:Medical devices with Windows 7? by Faw · 2018-07-26 12:50 · Score: 1
  
  At work we have 3 Spectrometers with integrated computers. One uses MSDOS with a PATA drive and a floppy. A pain when the HD dies, have one of those flash drive->floppy drives ready for when it breaks (not touching it if its working). Another with a weird Windows 2000 Embedded that it's impossible to find, and another with XP. They are too specialized and only upgraded by the company. Also new ones go for 100k or something, so unless they blow up they stay as they are.
2. Re:Medical devices with Windows 7? by Darinbob · 2018-07-26 15:57 · Score: 1
  
  Windows should have offered long term service support for some of this, isntead of yanking the plug on support whenever there's a newer version. If other smaller companies have to give 10 to 20 years of support for hardware or software, why does Microsoft get off easy? Not everything Microsoft sells is some fluffy consumer device that gets replaced as often as fashions do. If they wanted to get into the embedded market then they should have taken that seriously.
3. Re:Medical devices with Windows 7? by hcs_$reboot · 2018-07-26 16:21 · Score: 1
  
  We have medical devices around here running Windows XP. How's that for a nightmare?
  Is it connected to the network? XP is simpler than 10, maybe that device works even better with it?
  
  --
  Slashdot, fix the reply notifications... You won't get away with it...
4. Re:Medical devices with Windows 7? by ColaMan · 2018-07-26 19:06 · Score: 1
  
  XP was generally available in October 2001.
  XP SP3 was released in April 2008.
  Extended support ended in April 2014.
  If you really want to pay a large amount of money to Microsoft, you can continue support for XP today.
  It had a pretty good run.
  
  --
  
  You are in a twisty maze of processor lines, all alike.
  There is a lot of hype here.
5. Re:Medical devices with Windows 7? by Bert64 · 2018-07-26 23:20 · Score: 1
  
  The computer is probably generic hardware, so if it fails it can easily be replaced - there are millions of old computers and components available dirt cheap.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
6. Re:Medical devices with Windows 7? by painandgreed · 2018-07-27 07:45 · Score: 1
  
  Medical devices with Windows 7? That's a laugh. We have medical devices around here running Windows XP. How's that for a nightmare?
  Shall I talk about when we actually retired the last Win95 boxen over here (running on Novell network no less).
7. Re:Medical devices with Windows 7? by Darinbob · 2018-07-27 09:27 · Score: 1
  
  So, less than ten years of support. But most buyers of medical capital equipment expect them to last 10 years or more. So XP should have been a bad choice for that equipment.
Are we back in high school again? by Anonymous Coward · 2018-07-26 12:42 · Score: 1

Seriously, ANY device can be infected with a new exploit whether it's up to date or not. New fully updated equipment is no less of a risk than old out of date equipment.
Keep it off the network. Or put away lots of money for the rainy day when it comes.
This is a lesson that should have been learned decades ago. That the question even needs to be asked just demonstrates how stupid the world has become.
1. Re:Are we back in high school again? by Immerman · 2018-07-26 13:50 · Score: 2
  
  >ANY device can be infected with a new exploit whether it's up to date or not. New fully updated equipment is no less of a risk than old out of date equipment.
  Those are two very different statements. Yes, any device can be compromised by a new exploit - that's kind of the point of developing NEW exploits. But an outdated device can be compromised by a massively long list of well-known exploits - making it far more vulnerable. New exploits are generally financially valuable assets horded by those who know of them, and they will usually be rendered useless shortly after they become public knowledge. Fewer people attacking, means lower risks that you'll be attacked.
  I don't know if it's still the case, perhaps the target is no longer as appealing, but I recall that back towards the end of Windows XP's product life, even before 7 came out, the rule of thumb was that a freshly installed copy of (non-updated) XP would be compromised within 20 minutes of being connected to the internet - considerably faster than most people could download the updates necessary to secure it. Not that it was ever 100% secure, but there's a huge difference between going into battle in imperfect armor, and going in wearing nothing but a giant bullseye painted on your chest.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
2. Re:Are we back in high school again? by gordguide · 2018-07-26 16:12 · Score: 1
  
  making it far more vulnerable
  If someone's looking to exploit they're likely going with the latest. More systems will be exposed to a new exploit than to an older, patch-able one. I suppose it's even possible that newer exploits won't even be possible on the older OS.
  
  XP would be compromised within 20 minutes of being connected to the internet
  Yeah, no. If true that was probably with a machine with the local firewall disabled and no router or any kind of ISP filtering. In other words, not a real world case. For Joe Desktop who's careful with his browsing and email, XP security shouldn't be an issue. YMMV.
  You could put the machine behind adequate defences, and it wasn't 20 minutes (exactly), if you monitored your Intrusion Detection app you'd see a long list of attacks within five minutes of being online (I've seen it). For ordinary users, who would update XP online, it might be exposed for hours to download and install the updates. Naturally no-one who knew what they were doing would update that way, but that doesn't describe ordinary users either.
Debian by elgaard · 2018-07-26 12:42 · Score: 1

My experience tells me that if my hardware is not running Debian, then at some point there will be no more updates.
And hackers is not the only problem, often the hardware just becomes useless.
E.g., I have a perfectly good old WiFI IP phone, but it only works on open networks or networks encrypted with WEP.
I have some devices that I would like to use to browse the internet. But they fail on websites with newer certificates.
Easy, just leave them be. by CptLoRes · 2018-07-26 12:45 · Score: 4, Informative

Most dedicated systems like this does not belong on the internet, period. So unless there is some flaw or feature need, don't update and it will still work exactly as it did yesterday. And the day before, and the day before that.
1. Re:Easy, just leave them be. by Anonymous Coward · 2018-07-26 13:27 · Score: 1
  
  Finally a comment stating the bleedingly obvious. Why are these systems being updated? Why do these systems have access to the internet? They have been tested on a specific OS configuration yet some goofy sysadmin wants to update everything and have everything connected to the net.
2. Re:Easy, just leave them be. by rkordmaa · 2018-07-26 20:58 · Score: 1
  
  If it doesn't need to be connected it shouldn't be connected and that's a problem solved for you. But sometimes they need to be connected. In that case, what you do is define really well what data needs to flow and how and connect it to a separate safe gateway that handles just that data flow and permits nothing else. Then you just keep the safe gateway up to date and because it handles only one task, it's not that likely to fail at it due to some random update.
3. Re:Easy, just leave them be. by guruevi · 2018-07-27 00:19 · Score: 1
  
  The problem is, most of them DO need to be on the Internet, whether it's the software phoning home or checking out a license or instrumentation/monitoring, or remote tech support, the documentation is only online or it needs to transfer data to/from the device.
  A device that's not on the network is kind of useless these days and sneaker-netting things isn't much better because then people will find workarounds and lose unencrypted hard drives full of juicy personal data.
  I've found one system on my network where we had disconnected it from the network for being Windows XP and the idiots purchased a USB WiFi adapter because that's what tech support for the device recommended to do.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
4. Re:Easy, just leave them be. by PeterJFraser · 2018-07-27 04:50 · Score: 1
  
  If the system need to be connected, and they are important, put them on their own private sub network, and programming a gateway computer to forward the necessary connections. It would not be cheap.
5. Re:Easy, just leave them be. by geekmux · 2018-07-27 05:45 · Score: 1
  
  Most dedicated systems like this does not belong on the internet, period. So unless there is some flaw or feature need, don't update and it will still work exactly as it did yesterday. And the day before, and the day before that.
  A few years from now a medical lawsuit will award millions due to proven negligence that resulted in a death. What makes this particular case different is the fact that the patient was in your "old-fashioned" hospital, where all of your "dedicated systems" are offline and not connected to the "real-time cloud monitoring services" offered by larger hospitals.
  Of course, your hospital insurance goes up by 50% because your mentality regarding hardware went the way of the Dodo bird a decade ago. Eventually you understand that the industry driving change is capitalism itself, and you will eventually tow the line by spending tens of thousands of dollars every year supporting those businesses that need to survive by selling you the latest and greatest medical hardware.
  In case you were still completely dismissive of this theory, understand why very expensive machines now do many things a human is still capable of doing.
Seriously? Treat it as safety-critical by davecb · 2018-07-26 12:48 · Score: 2

Mechanical systems that keep, for example, trains from running into one another by tripping their brakes into full on, are well-understood. I took a course on doing the same thing in mixed hardware-software systems, so it's eminently possible.
The gotcha is you have to keep it really simple and run a validator like spin on it's protocol.
Most developers can do the spin part, but KISS? Distinctly less likely (;-))

--
davecb@spamcop.net
1. Re:Seriously? Treat it as safety-critical by phantomfive · 2018-07-26 14:33 · Score: 1
  
  Formal verification is the answer to a lot of these problems.
  
  --
  "First they came for the slanderers and i said nothing."
2. Re:Seriously? Treat it as safety-critical by Aighearach · 2018-07-26 17:56 · Score: 1
  
  I can keep the design simple, whenever the hardware is an 8 bit microcontroller.
  32 bits is still safe, as long as I don't have any sort of memory controller and can stay away from the DMA.
  Give me Perl, and all hope is lost.
Minimalist firewall by Pinky's+Brain · 2018-07-26 12:58 · Score: 3, Interesting

Implement a firewall with a small microcontroller with a relatively secure TCP/IP stack (ejip if you don't want to spend money, HCC embedded if you do) and do protocol level sanity checking and filtering of all network inputs.
1. Re:Minimalist firewall by nuckfuts · 2018-07-27 07:52 · Score: 1
  
  A number of comments here discuss firewalls, VLANs, etc. as a means to segregate equipment that doesn't need to be on the Internet. Another very simple way to segregate a device is to manually configure the TCP/IP settings and leave the default gateway address blank.
2. Re:Minimalist firewall by Pinky's+Brain · 2018-07-27 15:57 · Score: 1
  
  I'm assuming it has some application specific links the network, so it does need to be on it. You just can't trust the network stack and windows.
Obligatory response. (Sorry, everyone.) by Hallux-F-Sinister · 2018-07-26 13:00 · Score: 2, Funny

How Do You Handle Hardware That Never Gets Software Updates?
Very carefully. (Buh-DUM-Tshhhh)
Borrowed from “How do porcupines make love?”
With apologies.

--
Our reign has gone on long enough. Indeed. Summon the meteors.
Enforce the law by holophrastic · 2018-07-26 13:01 · Score: 1

We have all sorts of insecure devices. There's no need to focus on IoT, or computers or electronics at all.
We have pickable locks, unbarred windows, windshield wipers, and high-speed cars separated by nothing but a strip of paint.
There's no reason to update devices that were never designed to change. We've gone centuries with devices that were never designed to change. You can steal a hammer. Does that mean hammer manufacturers need to implement security patches and thumb scanners to ensure that no one can hijack my hammer?
Start enforcing laws. Start arresting criminals.
1. Re:Enforce the law by Immerman · 2018-07-26 14:35 · Score: 2
  
  >There's no reason to update devices that were never designed to change
  Unless part of their functionality is to withstand attack from attackers whose knowledge is constantly growing. And pickable locks are the only thing on your list that qualifies. And as far as that goes...
  We have pickable locks because an unpickable lock is apparently impossible, at least while being remotely easy to use. And locks evolved a LOT before they reached their current state - which are secure enough to deter crimes of opportunity (i.e. they keep an honest man honest). It takes hours of practice, or moderately expensive purpose-built tools, to get good enough to pick an average modern lock - too much effort for pretty much anyone without premeditated criminal intent.
  Invincibility is too expensive, even where it's possible. Security is all about lowering your risk by increasing the cost and risk to the attacker. And when any idiot who picks up the electronic version of a free set of decade old automated lockpicks from the corner website can walk into your house without even trying, take what they want, and trash the place, secure in the knowledge that they'll almost certainly never be caught - then you don't have any security worth speaking of.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
2. Re:Enforce the law by Opportunist · 2018-07-26 22:33 · Score: 1
  
  Start enforcing laws. Start arresting criminals.
  This looks like a really good idea until you realize that the guy breaking into your IoT crapfest isn't Bubba from the bad side of town but Ali Ben Gali from Itsnogooditisbad in Somewhereistan.
  And even if you know that it was Ali, which by itself is unlikely, the police in Somewhereistan doesn't give a shit about your problem.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
3. Re:Enforce the law by holophrastic · 2018-07-27 12:40 · Score: 1
  
  ...is what makes it so much more important to enforce properly. ...is what makes it so much more important to prosecute properly.
  It's not difficult to float a balloon full of red paint onto someone's property.
  It's not difficult to toss water balloons, or fly cheap drones, either.
  It's really not difficult to drop dandelion seeds onto someone's green lawn.
  The argument that it's-easy-to-be-a-criminal isn't a reason to force non-criminals to do more work. That's DRM. It's upsetting to non-criminals.
  Try again.
4. Re:Enforce the law by holophrastic · 2018-07-27 12:43 · Score: 1
  
  Good thing Ali isn't murdering anyone in your neighbourhood.
  Yes. Law enforcement has always had problems with borders and jurisdictions. Fix that.
Exactly. Least privilege. Wireshark if needed by raymorris · 2018-07-26 13:26 · Score: 4, Informative

A basic principle of security is least privilege. If a piece of outdated equipment needs to send udp packets on port 411 to a monitoring station, you set the firewall to allow it to send udp on port 411 to that particular station, and nothing else. If it doesn't need to take to web servers, you don't let it talk to web servers. You allow it to do only exactly what it needs to do.
Not sure what your equipment needs to do? You could check the manual, and otherwise open up Wireshark and set the filter to the IP of the equipment. Have a look at what it is sending and receiving. Then set the firewall to allow only exactly what is needed.
This is also an area where vlans come in very handy. Vlans act like completely separate networks, but they are configured within your switch, so a single 48-port switch can handle a dozen different, totally separate vlans.
Perhaps different parts of your network should be mostly separate, but you need to allow a little bit of specific communication between two vlans. That's when you plug a router or firewall into both vlans and set it to route only specifically allowed traffic between them. This doesn't even require two network ports - the same port can be in multiple vlans and the router can control traffic between vlans issuing a single cat6 cable. This is called "router on a stick".
If some of this went over your head, here's the simple version'
Call someone who has a CCNA Security certification or better (CCNP Security or CCIE Security). Tell them you're thinking about segregating different vlans and using an internal firewall to strictly control internal traffic. They'll get you set up.
1. Re:Exactly. Least privilege. Wireshark if needed by Anonymous Coward · 2018-07-26 14:48 · Score: 1
  
  A basic principle of security is least privilege. If a piece of outdated equipment needs to send udp packets on port 411 to a monitoring station, you set the firewall to allow it to send udp on port 411 to that particular station, and nothing else.
  More than that, you log and alarm on any other kind of network traffic.
  Something that has been running for "x" years that suddenly exhibits new behaviour should be examined closely. Keep read-only disk images of a known good system as well, and make new ones periodically too: this way you can monitor any potential changes between images over time.
2. Re:Exactly. Least privilege. Wireshark if needed by Bert64 · 2018-07-26 23:14 · Score: 1
  
  Only if you are attached to a trunk port...
  If you are attached to an access port then the tags will be ignored and you can only send traffic to your own vlan.
  End devices which only need to sit in specific vlans should never be connected to ports with trunking enabled.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Re:Open source by 110010001000 · 2018-07-26 13:40 · Score: 2

Open source has taken off like wildfire. You are using it right now. You are just too dumb to realize it.
I love the FOSS community's cluelessness. by Anonymous Coward · 2018-07-26 13:50 · Score: 5, Informative

I use Slackware, along BSD, financially support projects that I use, and have followed the Linux community since Linus was still in college. It always amazes me how clueless the FOSS community is regarding issues such as this.
Just use Linux...
That's your fault for using M$..
etc.
For regulated systems, especially in pharma manufacturing, you are told what to use, how to use it, when to upgrade it, how to upgrade it, etc. Basically, once the system is certified by the FDA - you don't touch it - PERIOD. You purchase enough compute/control systems when you install it to last you through your production, which could be - 10, 15, 20+ years.
There is no, well, just upgrade to x - it's not allowed.
Before some equally clueless libertarian pinhead starts spouting off about 'over regulation' - stop and think for just one second what this system does. It controls the valves, temperatures, mixing, fermenting, refining, etc. of a chemical that people are to ingest. Where the difference between good and bad is measured in ppm, ppb, or even ppt depending on what's being made. Some endocrine chemicals are measured in 1/10ths or 1/100th of a ug!
Do you really want to apply patches to a system such as this? Doesn't matter that they are 'network', or 'mouse driver', or 'display' - the risk is WAY TOO GREAT to jack around with them.
Keep in mind that 'upgrades' require a new certification of that system, or depending on what it does, the entire production chain - which could run you a couple 10's of millions dollars.
So, before starting the typical FOSS rant, please have a clue of what you are talking about, first.
1. Re:I love the FOSS community's cluelessness. by Gravis+Zero · 2018-07-26 14:52 · Score: 3, Interesting
  
  Before some equally clueless libertarian pinhead starts spouting off about 'over regulation' - stop and think for just one second what this system does. It controls the valves, temperatures, mixing, fermenting, refining, etc. of a chemical that people are to ingest. Where the difference between good and bad is measured in ppm, ppb, or even ppt depending on what's being made. Some endocrine chemicals are measured in 1/10ths or 1/100th of a ug!
  Sounds like a great argument for mandatory system isolation. Instead of networking directly to the system, the systems should be isolated and only provide a standard interface which a simple computer terminal could interface with. Something like TCP over serial using a variant of X11. When you minimize the attack surface to basic keyboard and mouse input validation then it becomes much easier to build a defensible system.
  
  --
  Anons need not reply. Questions end with a question mark.
Re:Open source by tepples · 2018-07-26 13:59 · Score: 2

That doesn't help when a particular device from a particular manufacturer contains non-free software, as do the substitute devices from all competing manufacturers.
Re:XP? by tepples · 2018-07-26 14:01 · Score: 2

Devices running Windows XP are already unsupported. Devices run Windows 7 will be in the same boat as devices running Windows XP come January 2020.
Don't put it on the network by Solandri · 2018-07-26 14:25 · Score: 1

I have multiple clients with non-networked computers. The oldest is running Windows 2000 (a Win98 system was retired a couple years ago). Security is not an issue if you don't network it. If you need to transfer files off it, use a USB flash drive or HDD which is used only for that purpose (i.e. you don't use it to copy music you've downloaded via filesharing).

If it must be networked, you can put it behind its own router. Rely on the router's firewall to protect it from outside intrusion (and of course don't do anything stupid like browse the web on it). I'm actually not very confident about this one because some random employee will undoubtedly try to use the system to login to their facebook account at some point. But the client absolutely insisted on networking some old XP computers so they could upload newly-recorded data files to Dropbox every night, and this was the best idea I could come up with.
I have one laptop with win7 on it by FudRucker · 2018-07-26 14:29 · Score: 1

and since i did a clean install of win7 on it more than a year ago it ever gets to connect to the internet, it does not even have the wifi password for the internet, but it does connect to the wifi a separate router that is LAN only, no internet on that router, it just runs some security cameras, so i can keep an eye on four different directions around the outside of my house, so if a hacker wanted to hack in to it they would have to be war driving right outside my house and nobody has done that

--
Politics is Treachery, Religion is Brainwashing
Asus updates by Anonymous Coward · 2018-07-26 14:45 · Score: 3, Informative

How often do you update your router? If your up time is over 60 days you are missing updates and are insecure.
I don't know any home/small business router company (TP-Link, Linksys, Netgear, ...) updating routers every 60 days. More like 1-2 times per year, for 1-2 years. And then nothing.
Perhaps you should look into Asus, which often updates at least quarterly, and often monthly:
* https://www.asus.com/Networking/RTAC68U/HelpDesk_BIOS/
* https://www.asus.com/microsite/2014/networks/routerfirmware_update/
And has been doing it for 4+ year-old products. Plus there is third-party code that leverages the GPL stuff that Asus releases:
* https://asuswrt.lostrealm.ca
* https://github.com/RMerl/asuswrt-merlin.ng
1. Re:Asus updates by AmiMoJo · 2018-07-26 22:01 · Score: 2
  
  My friend's Netgear router is about 6 years old and got an update a few months back for some vulnerability.
  Netgear's stuff is low end crap but at least they do seem to support it for the long term, which actually really surprised me.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Also good ideas. by raymorris · 2018-07-26 15:09 · Score: 1

Agreed, alarming on a change in traffic makes sense, as does keeping a drive image of the system.
They buy it because it's by raymorris · 2018-07-26 15:16 · Score: 4, Insightful

They buy it because it's better. It's better than Windows Phone (the first, second, theirs, and fourth attempts), it's better than Symbian, it's better than everything else people have tried. Why is it better? Linux is or reason it's better. Even Microsoft is using more and more Linux now. Is that because Microsoft has a religious zealotry for Linux? No, it's because Linux is better. Better than eating their own dog food.
>> Legacy software forcing people into Windows nowadays.
> Yeah, more than a billion people.
Yeah, legacy software has a LOT of people (companies, really) still stuck on Windows. Your point is?
1. Re:They buy it because it's by iampiti · 2018-07-27 02:09 · Score: 2
  
  I disagree that Linux is what makes/might make Android special. For most apps the fact that the device runs Linux is completely irrelevant. Most only use the Android level APIs so they don't care what's underneath.
  In fact Google are developing a new kernel (Magenta) and will likely replace Linux in future Google OS (Chrome OS and Android).
  Of course using Linux was a pretty sensible option when Android was first developed but it might be replaced in the future with few consequences
2. Re:They buy it because it's by raymorris · 2018-07-27 02:43 · Score: 2
  
  Do you think there might be any reason Android, a very small company at the time, was able to quickly build better APIs and architecture than Microsoft, who while MUCH larger, had to work around the underlying Windows OS?
  Android Inc spent a few million dollars on development, while Microsoft spent a few billion - roughly a thousand times as much. Android got much better results. You don't think the OS they chose might have had something to do with that?
3. Re:They buy it because it's by iampiti · 2018-07-27 21:48 · Score: 1
  
  I agree. Using Linux was a big advantadge at the beginning since they didn't have to develop a kernel from scratch. That what I meant in my last sentence. My argument is that nowadays the kernel underneath the Android APIs is not too relevant
calendar reminder on the service entry date by sal · 2018-07-26 15:29 · Score: 1

The day I activated my current router, I put in a entry in the SysOp calendar saying "Router XYZ Active as of 20XX-XX-XX" with quarterly reminders.
I check the devices on those dates, or around those dates, and if it hasn't been updated in a year, I buy a replacement.
I do this for all the phones, tablets and other devices my family uses.
Yes, I use the word SysOp. I've been around that long.
1. Re:calendar reminder on the service entry date by Bongo · 2018-07-26 23:28 · Score: 1
  
  Yes, I use the word SysOp. I've been around that long.
  For us with higher Slashdot IDs, could you explain the proper meaning of SysOp in its original context please? Just for my curiosity and general knowledge, thanks. :)
Re:Don't connect=Business opportunity? by shoor · 2018-07-26 16:06 · Score: 1

This seems like excellent advice, and I see that a lot of the followups agree and provide some technical details. Still, I reckon a lot of owners of this old equipment may not have the technical know-how to do it right.
It seems to me somebody with appropriate energy and enterprise (which lets me out), could start a company providing just this kind of service.

--
In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
Sometimes... by hcs_$reboot · 2018-07-26 16:24 · Score: 1

a device not connected to the network that just works is better than something doing untimely automatic updates.

--
Slashdot, fix the reply notifications... You won't get away with it...
what can you do by schematix · 2018-07-26 16:39 · Score: 1

realistically what are you going to do with high dollar customer made capital equipment that can't get a windows update? throw it out? no you keep using it until it breaks.

--
Scott
Misunderstanding of Windows 7 support by MobyDisk · 2018-07-26 16:39 · Score: 1

Windows 7 gets free security updates until some time in 2020, according to the linked article. The 2015 date is for desktop support. Plus the Windows 7 embedded manufacturers get 10 years of support after the end-of-lifetime for the OS (not sure when that was).
1. Re:Misunderstanding of Windows 7 support by SeaFox · 2018-07-26 17:08 · Score: 1
  
  Windows 7 gets free security updates until some time in 2020, according to the linked article. The 2015 date is for desktop support. Plus the Windows 7 embedded manufacturers get 10 years of support after the end-of-lifetime for the OS (not sure when that was).
  Operative word here being "manufacturers". The equipment buyers have no direct access to those updates, so if the manufacturer decides they don't want to release the updates to the user, say, because they would rather you buy new equipment every 3-5 years than use the same product for a decade, you wont see those patches.
I was personally very upset when... by tlambert · 2018-07-26 16:46 · Score: 2

I was personally very upset when Motorola refused to provide me a software update for a device, designed for both long-term and short-term use!
It was an SN74LS139N Motorola Dual Decoder 2-4 Line Plastic TTL chip.
How dare they deny me software updates for this chip containing two inverters and four AND gates!
I don't give a damn that they designed it for embedded use, I should be able to update the software running on it!
Right?
1. Re:I was personally very upset when... by geekmux · 2018-07-27 05:57 · Score: 1
  
  I regret to inform you that if your dual decoder is old enough to have a Motorola label, it is not RoHS compliant, and may contain lead that should not be consumed.
  I regret to inform you that the consumption of dual decoders is a lot lower than you think. Hell, I had to move my oven-roasted decoders with a side of hot mercury to Two-fer Tuesdays just to keep it on the menu.
in order by sad_ · 2018-07-26 23:02 · Score: 1

1. buy only well supported or open devices
2. (if you can't do that,) do not connect them to a network
3. if you must connect them to a network, make it a private network, make sure it is properly setup, closing all ports by default
4. if you can't have them on a private network and they must connect to your lan or worse, internet - hope for the best.

--
On a long enough timeline, the survival rate for everyone drops to zero.
smartphones by p51d007 · 2018-07-27 02:05 · Score: 1

Outside of Apple, Google phones and maybe one or two, you are LUCKY to get any updates.
Follow HP's Model by Bigbutt · 2018-07-27 02:16 · Score: 1

I have a perfectly good HP Scanner I bought years ago. Still works fine, but only on XP with the software and on Windows 7 using the Windows tools; HPs software doesn't work on Windows 7. I have a Virtual Machine running Windows XP just so I can keep using my perfectly good HP Scanner and my perfectly good Sony HandyCam which also only works on XP.
[John]

--
Shit better not happen!
Comment removed by account_deleted · 2018-07-27 02:22 · Score: 1

Comment removed based on user account deletion
How do I handle it? by roc97007 · 2018-07-27 02:47 · Score: 1

I put the cans and bottles in, and take the receipt to the cashier. (Bottle return machines in this area still run Windows 98. Yes, I did say 98.) Except recently, the machines have been so unreliable that I've just been throwing the containers away and taking a hit on the deposit. I don't see it getting any better, because there's very little financial reason for stores to take bottles back.
I'm told by someone who services them, that a lot of POS machines are still running Windows 98. Just exactly the place you want an old, unpatched OS.

--
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Standard script from vendors: by Hartree · 2018-07-27 04:32 · Score: 1

"I'm sorry. We no longer support that equipment. I'll be happy to connect you with sales to purchase a new model."
Uh, yeah. It's a quarter million dollar piece of lab equipment that's 6 years old and you want us to just buy a new one in a time of tight grants.
Toss it by reanjr · 2018-07-27 05:29 · Score: 1

I throw away the device and make a note to never again buy one of their products.
Updates break things by cwsumner · 2018-07-27 09:16 · Score: 1

Allowing updates, that have not been carefully checked, breaks the equipment. The equipment can not be allowed to break, or people may die.
Do not connect the equipment to any cable that goes outside. In some installations that even includes power. In many of the installations in question, they have always been that way, anyway.
If you have to get on the internet, use your cellphone, not the equipment. Connecting critical stuff to the entire world is crazy...
Manufacturers are screaming about updates, because they can make money from them. Most of the (Windows) updates have nothing to do with security, though. Also, the new CPU faults mean that you are not secure even with updates, until you can get a new (fixed) CPU chip.
Buying new equipment is not a choice, because it is not available for any price. Or sometimes it is so different, that it can not be used within a reasonable time.
If you are just talking about your home router, that's different. Trash it and get a new one that you can configure properly.
My 1 year old civic had outdated software by eaddict · 2018-07-28 03:21 · Score: 1

My 2017 Honda Civic is running Debian. It is so outdated that even the app the comes with it won't update or run. I went to the dealership and I might as well have gone to the grocery store. All I got was blank stares. I wrote Honda and got nothing back. I fear many of these cars that have smart consoles are just IoT devices waiting to be exploited.
Yes, I tried updating it but Honda, like Samsung to phones, has their own flavor.

--
"If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
Depends on the hardware by stikves · 2018-07-28 09:40 · Score: 1

If it is your router, you should look at OpenWRT, DD-WRT or similar alternative Linux router distributions. This way you can ensure the updates for many years. (Or better, you can invest in a low-power PC and just install pf-sense, which would be leaps and bounds more capable than a tiny ARM machine).
If it is a security system, camera, alarm, etc. you'd need to make sure they are in a separate network. If possible a distinct network for each and every device with proper router rules, so that for example your NVR recording hub can access the camera only, etc. Of course Internet access should be disabled, since they usually happen to connect to a backdoor server. You might have a temporary rule to update firmware if necessary, or setup a VPN to access for your mobile devices. (Both iOS and Android can be setup to connect to your pf-sense router from outside of your LAN, Windows and Mac require some more steps due to self signed certificate issues).
If it is a "smart" device like a fridge, thermostat, or a light controller which needs to connect to the internet, you can keep them in a separate network to minimize damage, and replace them, as soon as the manufacturer stops updating. Unfortunately it might not be easy to letting to of a functional smart power outlet with monitoring, etc. but if there are known un-patched holes, you would not want the entire internet to be able to cause damage to whatever equipment you have down that connector.
Overall use your own judgment, and learn networking basics. Also do not be lazy (I still have some cameras that I need to finish securing).
Re: ..very upset when... by tlambert · 2018-08-02 01:30 · Score: 1

I would be very surprised if you could demonstrate the existence of any modifiable software running on the internal processors of the inverters and the AND gates that has not been made freely available under extremely permissive licence.
I'd be surprised if you could demonstrate the same thing for embedded devices not designed to be modified or updated by users -- no matter their complexity.