Slashdot Mirror


User: prunus.avium

prunus.avium's activity in the archive.

Stories: 0 · Comments: 87

Comments · 87

  1. Re:Windows Users... on 'Don't Tell People To Turn Off Windows Update, Just Don't' (troyhunt.com) · · Score: 1

    ... rather than running a timer you often don't even see before it expires do it...

    HAH! That's exactly how I wound up running Windows 10. Left my Windows 7 machine running over the weekend and came back to Windows 10. Fuck!

  2. Re:Don't let the $THREE_LETTER_GOV_ORG hoard explo on Cyberattacks From WannaCry Ransomware Slow But Fears Remain (bbc.com) · · Score: 1

    Ah. Governmental IT. The government has been bitten a few times already about security so they take it a bit more seriously.

    Just to clarify, I'm not arguing about the best practices. I'm just playing devil's advocate as to how this situation could have happened. I do contract development work. The shortcuts taken to fit the work into the budget are scary.

    This is also why the concept of IoT scares the living shit out of me.

  3. Re:Don't let the $THREE_LETTER_GOV_ORG hoard explo on Cyberattacks From WannaCry Ransomware Slow But Fears Remain (bbc.com) · · Score: 1

    I'm guessing you work at a company that is IT related. I could be wrong but in my experience most companies that are not in the IT field see IT as a loss generator. As such, the lower the cost and inconvenience to users, the better.

    And when it's the CEO that wants to share his daughter's Christmas choir video with the whole company - no I'm not kidding - that USB stick gets greenlit.

  4. Re:Don't let the $THREE_LETTER_GOV_ORG hoard explo on Cyberattacks From WannaCry Ransomware Slow But Fears Remain (bbc.com) · · Score: 1

    Sure. Those of us who have worked in network security long enough know that, but given a design requirement of "Share the diagnostic images with other servers on the network" and an OS that has a built in network sharing protocol, there's a very large incentive to just use what the OS provides.

    Can a Windows XP machine use the SMB client protocol without allowing inbound packets? I don't remember. It's been too long. And I haven't gone over the SMB vulnerability in detail to know exactly how it worked.

  5. Re:Don't let the $THREE_LETTER_GOV_ORG hoard explo on Cyberattacks From WannaCry Ransomware Slow But Fears Remain (bbc.com) · · Score: 1

    Absolutely. The impact could have been lessened with proper security on the network but the people yelling "Get the latest OS!" are starting to get annoying. It's not all about desktop PCs, laptops and servers.

    And I say "lessened," since I haven't gone in to the SMB vulnerability in depth. Any file server to which these devices attach may have been vulnerable since these devices couldn't communicate with a patched OS...but that's purely speculation on my part.

    But too many people still think that security at the border is enough. If we keep the baddies out, we don't need internal security. The downside is if there is a breach, the whole network is screwed. Another example of this was the laptop that could shut down systems on a moving vehicle. That exploit went through the media center in the console and had full access to the rest of the vehicle's systems.

  6. Re:Don't let the $THREE_LETTER_GOV_ORG hoard explo on Cyberattacks From WannaCry Ransomware Slow But Fears Remain (bbc.com) · · Score: 1

    The trouble is there are perfectly valid reasons for using the older operating systems especially in the cases like hospitals.

    Let's say, as an example, there is an ultrasound machine that was based around Windows XP. I know it sounds odd but there is a case to be made for taking an existing laptop motherboard design and tweaking it to add the special hardware needed for the ultrasound. Especially as the images can be sent to a central file server.

    Now, 4 years later, update the OS.

    Can you guarantee that the drivers for that hardware are available? Can you - as a user - update the OS on that hardware? Can the IT guys? Does the company support that hardware any more or will an update require buying a new machine?

  7. Enterprise support contracts. Specifically the enterprise cloud support.

    Large companies are completely willing to pay to have a guaranteed response time for service calls. Especially when they don't have to buy the hardware.

  8. Imitator? That's putting it lightly. I work in the telecom industry. There was a time when Huawei boards could run Nortel firmware.

  9. Re: Look for a new job on Ask Slashdot: How Do You Deal With a Terrible Tech Manager? · · Score: 1

    Gantt charts have their uses with project planning. As long as you remember that it's a plan and plans change. And when they change the end-times and start-times of the tasks need to be adjusted.

    I was at one company and they insisted on starting the testing phase based on the original chart...but development was 3 months behind schedule.

    The devs were not happy about having defects raised against code that hadn't even been written yet.

  10. Note the previous poster said "northeastern Canadian." I'm guessing he means Quebec which uses the French numeric style where the decimal mark is a comma instead of a period. The thousands separator is also a space instead of the comma.

    So the asking price of a Tesla Model 6 P100D of $186,200.00 would be 186 200,00$ in Quebec (ignoring silly Quebec tariffs and taxes...).

  11. Re:Scottish independence on 'No Turning Back' on Brexit as Article 50 Triggered (bbc.com) · · Score: 1

    I know it was a joke but "Great Britain" is the island - the largest island in the British Isles - not the country. So yes, it will still be great since it's the largest.

    United Kingdom is the country and includes Northern Ireland - for now - which is part of a different island: Ireland. Not to be confused with Ireland (the country), which is only part of Ireland (the island).

  12. Re:Bullshit! on 'Brainstorming Doesn't Work' (fastcompany.com) · · Score: 2

    I've heard it called "Cardboard cut-out debugging."

    I knew someone who had a life-sized cardboard cut-out of Darth Vader in his cube for debugging sessions.

  13. Except when that 50kB patch puts you over your bandwidth limit for the month -- if you have a bandwidth limit -- and costs you "up to $100 at [the provider's] discretion at any time". Quoted section from a large ISP for overage charges.

    And that's assuming there was only one update for the entire month. There was a reason to set the ethernet connection to metered for many people.

  14. Struts2 idiocy. on Apache Servers Under Attack Through Easily Exploitable Struts 2 Flaw (helpnetsecurity.com) · · Score: 3, Insightful

    This is a lesson in sanitizing inputs.

    What happens is that the OGNL interpreter can get started with the HTTP headers as the input. Specifically the "Content-Type" header.

    Why anyone thought that using a full on interpreter to parse a string attribute was a good idea is beyond me.

  15. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    The trouble with using bits of entropy as the measuring stick is cracking isn't done by brute force anymore. Even as of 5 years ago they started using dictionary attacks.

    Which means that if you have a real word in there to create the 10 characters, the time to crack it is significantly shorter. And quick little substitutions (leet-speak) are being added in to the more sophisticated software so changing "password" to something like "P@ssW0rd" buys you a few seconds at best.

  16. Give me control as to when to download the update.

    I have a metered connection that is unlimited between 2:00am and 6:00am. Let me schedule the download so I don't burn through my available bandwidth with OS updates!

    And don't hog my bandwidth when I'm actively using the computer!

    Installing and reboots are the least of my concerns.

  17. Depends on the game. Standalone installers usually require admin to install but then you can play as a normal user. The trouble is that most of the games my kids like to play are online so require updates.

    Also, some of the online games require elevated access to handle the network connections.

  18. Many, many people. Especially anyone who plays games.

    Even my kids have admin access now since online games require patches be downloaded and written to system locations.

  19. Re:Better options on Is IoT a Reason To Learn C? (cio.com) · · Score: 1

    I actually like Go. And as run-times go, Go has a very nice one. I was simply pointing out that it still has a run-time so it can't really be used as a low level language where direct manipulation of the hardware is required.

    Of course, the whole IoT argument brings up some interesting discussions as it shows what people think IoT is and should be.

    Coming from an embedded side, IoT is small, specialized hardware that has a network connection bolted on to the side. In this case, we need C and assembler. Managed languages can't do bare hardware.

    Coming from a web services side, IoT is just another computer on the network. This would mean that we can create the web service in any of the high level languages and we don't care what's under the hood.

    Both sides are kind of correct based on their assumptions. Personally, I'm an embedded guy. C is needed to get the hardware up...and then we can start whatever run-time we can fit in the left over memory. :-)

  20. Re:Better options on Is IoT a Reason To Learn C? (cio.com) · · Score: 1

    As much as Go is "compiled" it cheats. There is a runtime in there which handles all of the memory management stuff; it just gets linked in to the executable. Check out the size of the "Hello world!" in Go vs. C and you can see the difference.

  21. And the freezing temperature is...? on Researchers Working on Liquid Battery That Could Last For Over 10 Years (engadget.com) · · Score: 0

    Great news but I live in Canada. Any battery tech needs to be tested at -30 Celsius before I care.

  22. Re:Coffee on Slashdot Asks: How Do You Know a Developer is Doing a Good Job? · · Score: 1

    By "Enterprise" I was referring more to "Enterprise development" not the size of the company. The enterprise development space is dominated by large corporations that are using the software to "streamline the work flow to achieve synergistic relations with clients and maximize..."

    This field is usually dominated by languages such as SAP, Oracle, Java (EJB), and VB (6 or .Net).

    As the software is defined as overhead (operations) and does not create a product, the developers are hired by cost rather than skill. The Daily WTF has quite a collection from this world.

  23. Re:Coffee on Slashdot Asks: How Do You Know a Developer is Doing a Good Job? · · Score: 1

    And for those of us without your patience, watching the junior guys struggle is so painful. I know, I know. They need to learn but can't they learn a little faster? Please.

  24. Re:Coffee on Slashdot Asks: How Do You Know a Developer is Doing a Good Job? · · Score: 1

    ...I've worked as a developer in a few fields - engineering, defence, medical, and finance...

    Well, there's the problem. Most of the complaints come from developers in the "Enterprise" development space. Big Business assumes software development is overhead. As such, it is to be minimized in any way possible. Sales are the important people.

  25. Re:I'm not seeing the problem here on 10-Year-Old Muslim Boy Probed For 'Terrorist House' Spelling Error (bbc.com) · · Score: 4, Funny

    ...Note that I don't have any learning deficits or other disabilities...

    Umm. I hate to be the one to break this to you...