


Slashdot Asks: In the Wake Of Ransomware Attacks, Should Tech Companies Change Policies To Support Older OSs Indefinitely?

In the aftermath of ransomware spread over the weekend, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, writes an opinion piece for The New York Times: At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, "pay extra money to us or we will withhold critical security updates" can be seen as its own form of ransomware. In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more. Microsoft supported Windows XP for over a decade before finally putting it to sleep. In the wake of ransomware attacks, it stepped forward to release a patch -- a move that has been lauded by columnists. That said, do you folks think it should continue to push security updates to older operating systems as well?
  • No (Score:5, Insightful)

    by Anonymous Coward on Monday May 15, 2017 @10:44AM (#54418429)

    No. You can't support legacy software forever. If your customers choose to stay with it past its notified EOL then they are SOL. Any company using XP that got hit by this can only blame themselves.

    • Re:No (Score:5, Insightful)

      by jellomizer ( 103300 ) on Monday May 15, 2017 @10:48AM (#54418451)

      I will need to agree, with conditions. If the tech company is selling service contracts for that product, they will need to update it. However, for something like XP and older, where the company isn't selling support and had let everyone know that it is off service, they shouldn't need to keep it updated. Otherwise I am still waiting for my MS DOS 6 patch, as it is still vulnerable to the stoner virus.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Or perhaps one option would be to open source the older OS's so that should someone choose to be on the hook for offering support (or the community comes together?)

        However, I think if they open sourced it, so many eyes would pour over it and find so many glaring exploits that it would actually be worse overall - at least in the beginning?

        Ahh hell, nevermind... :-)

      • From the outside, I would tend to agree with you. But Microsoft has some liability here. They created a product that is still in use on hundreds of thousands if not millions of computers. Microsoft sold more than 400 million copies, and who knows how many pirated copies are out there.

        Here's the deal: Microsoft was found to be in a monopoly as far back as 1998 [wikipedia.org]. When companies like Microsoft reach this level of operation, they usually become regulated [wikipedia.org]. I see a strong likelihood that Microsoft will suffe

        • by Bomarc ( 306716 )
          "YES" - for such critically needed updates.

          I have one system that I've been trying to upgrade for 5 years. Another system has a hardware device {and drivers} that are no longer available, which also has software from a company that is out of business. "Upgrade to Windows 10" won't work (and I'm not going to the MS-Sell land of Win 10). I am grateful to MS for upgrading the ones that they did, and to the morons in the "buy the latest now" camp: that is not an option, I've tried.
      • Re: (Score:3, Interesting)

        by Xest ( 935314 )

        The irony is that Microsoft does offer paid support for Windows XP, but that the UK's current Conservative government decided to axe the contract a year or two back to save money.

        I wonder how that £5mill saving has paid off now that they're going to have to pay a fucking fortune in sorting it all out and upgrading anyway?

      • Re:No (Score:5, Insightful)

        by AmiMoJo ( 196126 ) on Monday May 15, 2017 @12:11PM (#54419217) Homepage Journal

        The people providing support should be the ones making MRI scanners, ATMs and other expensive equipment that only works with XP. Even when XP was brand new, did they really expect those machines to only have a lifetime of around 10 years? Microsoft was clear about how long support was going to be provided for.

        It seems that people are only just waking up to the fact that these machines have software and it needs on-going maintenance. The next decade or two will be littered with software bricked but mechanically sound hardware, everything from IoT lightbulbs to multi-million Euro medical equipment.

        In fact it's already happening. You can buy DNA sequencers on eBay, less than a decade old and original price $500,000, now barely worth the shipping because the manufacturer abandoned support.

    • by Luthair ( 847766 )
      It's also a cascading effect - if the vendor continues to support that software then third parties will also be expected to. It's already bad enough that we're forced to support old EOL browsers and JVMs; I can't imagine how much worse it would be if Oracle & Microsoft were still supporting them. The amount of productivity wasted supporting these luddites is astronomical.
    • by MeNeXT ( 200840 )

      The EOL on phones seems to be 2 years. 3 if you consider launch date. Some may offer updates for 5. 20 year old phones with replaceable batteries are still functional today. The question I have is why MUST we trash them? Why are they waste if they can serve their original purpose? Why must I scrap my 2 year old Nexus 5 because Google no longer supports it?

      If it is legacy and the original company no longer wishes to support it then copyright and patents should no longer apply. Not all solutions require the

  • This did not need to be fixed with an OS patch; it could have been prevented with better network security policies. I would be surprised if someone hadn't said something about addressing the vulnerability earlier but probably got ignored because of some budgetary issue.

    It would be more reasonable to call for continued money to be made available to address these vulnerabilities after a system has gone into production and a move to use more open source solutions where users can share patches

  • Silly idea (Score:5, Insightful)

    by argStyopa ( 232550 ) on Monday May 15, 2017 @10:47AM (#54418439) Journal

    Should they go back and patch Win95 while they're at it? Make Win386 rock-solid in the face of current virii and ransomware?

    By that same logic, you could insist that Ford go back and install safety glass and airbags on any existing Model T's still running.

    The simple fact is that OS's are a treadmill. It's not a typewriter that you buy once and use until it breaks.

    Look, I think OS firms *should* support 'the last few versions' - say whatever was current 10 years ago (ie in MS's case, Win2007). But to go back further, or to MANDATE that?

    If you can't be bothered to run reasonably current OSs, then you're going to be as safe as you deserve.

    • by thsths ( 31372 )

      Exactly. Microsoft stopped selling Windows XP over 8 years ago (!). I doubt many of the affected computers are older than 8 years.

      It is more likely that people made use of the "downgrade" option in professional licensing, which allowed them to install Windows XP despite the fact that it was no longer on sale. That should have been a clear warning that support will not last forever.

      But no, organisational inertia means that IT kept setting up new Windows XP systems long after the system was discontinued. I think

      • by Khyber ( 864651 )

        "I think there is clearly one party at fault, and it is IT."

        Why so? XP was far easier to lock down and fully secure than 8 or 10 with that bullshit telemetry, and it had far fewer hardware restrictions. It is smaller and faster and more capable at most of my tasks than most modern systems (example: I use ManyCam 3.0.80 - 2000/XP-Era multi-cam software. Runs like a champ on XP with 4 webcams, I go 7 [Ultimate] or higher, I can no longer use more than 2 webcams despite the software having the ability to acces

        • by thsths ( 31372 )

          Yes, there are always going to be hardware interfaces that require Windows XP. We have an electron microscope that runs Windows XP - you do not throw that away just because patches have run out. But you do isolate it: only necessary network connections are enabled, for example to a file server that does run a current OS.

          But a few hardware-connected PCs are not what this problem is about. This is about office machines still running Windows XP because some idiot web interface still mandates IE6. The web interfa

    • She's an idiot at best. At worst she's teaching our kids nonsense.
    • under that logic she should be responsible for every student she's ever had...all three of them
    • What happens if still-used software isn't owned by anyone any more? The company is out of business; there is no source code available. There is a point where the end user has some responsibility to update their system. Like the Model-T, they may still keep it and use it for a hobby, but knowing full well that if you take it on the highway and get in an accident you are probably going to get killed.

      • Bad car analogy. Firstly many old cars are banned from using critical infrastructure like highways (or in some cases any roads) for their obvious threat to third parties and their owners.

        Also this isn't hobbies we're talking about. No one gives a crap if someone's Model T toy breaks down, just like no one will cry about the Windows XP virtual machine I play with at home.

        The only complaints are against critical services, internet connected machines that operate and provide livelihoods for the owners. If the

    • by houghi ( 78078 )

      If I want to install safety glass and airbags in my Model T that still runs, could I do it? Yes. The thing is that I do not need Ford to do it for me.

      They also do not prevent others from doing the install. Well, that is until you start talking about software on cars. If in 25 years they find a way to hack my then classic BMW to crash it and thus kill people, should BMW provide a patch, a way for others to patch, or say that I just need to buy a new car?

    • by MeNeXT ( 200840 )

      So why is Win95 protected even today by copyright? So according to you Microsoft needs to be protected but the consumer doesn't? If it's too old to be supported it should be too old to be copyrighted.

  • ... have policies in place that prevent mission-critical systems from being proprietary, dependent on one vendor, insecure, not updated and open to being messed up by clueless users who click on links and download and install everything they can lay their hands on.

    Also they should all have in place: Up and running intrusion detection on their intranets, regular automated overturning backups and regularly tested zero-fuss disaster recovery. Have all that in place and you wouldn't even notice WannaCry.

    Extra b

    • by fermion ( 181285 )
      Interesting that this is Android, and Android is notorious for not providing patches to all end users, and for hardware that cannot support updates.

      MS is a good corporate solution because it has, in the past, realized that corporate solutions cannot just be updated on demand. Real production machines have to be carefully maintained. This requires funding, and the one place MS has been able to charge for services is the corporate space. They were correct, for the most part, that free is only free if your time is

      • by Khyber ( 864651 )

        " Honestly a simple backup will prevent most ransomware attacks"

        Uhhh, what? In fact, more attacks have encrypted user files recently, so you're not going to stop this any time soon.

    • Are you fucking serious? They tried to get people to transition to new OSes for years. A cynical dumb man sees a money grab. A cynical normal man sees better security, minimizing legacy expenses for MS, and a better feature set for development. They released a patch for this *exact* problem 2 months before the attack. How on god's green earth can you even get the words "MS doesn't want to help users" in your brain?

      I don't even like MS.
      • So it is the less cynical that see a good reason to migrate to OSS?

        After 40 years in the computer industry, the one key lesson that is reinforced year after year is that you should NEVER trust your infrastructure to closed source products. Anyone that takes a commercial decision to do so should be liable to instant dismissal.

        Car analogy: It is like taking a taxi from the airport to the hotel on arriving in a country you have never visited before and don't speak the language with a blindfold on. (And a wa

      • C'mon people.

        The upgrade path from XP upward is not like the path from 7 to 10. You don't get to keep your apps without reinstalling everything, and it is very unlikely you can keep your existing computer.

        The disruption is immense, and the only way forward for me was running a USB hub to allow switching between computers piled on my desk and keeping my old XP box at the ready in case there was some critical app for which I had lost the installation media that I needed.

        As to the people who "downgra

        • the only way forward for me was running a USB hub to allow switching between computers piled on my desk and keeping my old XP box at the ready in case there was some critical app for which I had lost the installation media that I needed.

          You do know that you can have XP in a virtual machine, don't you? Or for that matter, other obsolete OSes such as 7 and 10.

      • by Khyber ( 864651 )

        2 months and yet despite having Windows Update enabled (yet I restrict what gets installed since I stopped the GWX BS) and yet still Microsoft is trying to add additional shit I don't want.

        How on God's green earth can you even make your argument when it's nullified by what the other company decides?

    • Most mission-critical systems are running some custom-made applications that were built for a particular OS.

  • Microsoft proved it - they released an emergency patch for XP, Server 2003, and Windows 8. So I'd say that's evidence enough that yes, they should support it forever. :)
    • There's a difference between proactive support and reactive support.

      • There's a difference between proactive support and reactive support.

        It's enough to have reactive support after EoL, although if we're forcing people to do things, we're going to have to put some limits on how long they can dick around before they have to actually get the things done.

  • hard question (Score:5, Interesting)

    by nomadic ( 141991 ) on Monday May 15, 2017 @10:50AM (#54418475) Homepage

    I honestly can't figure out where I fall on this. I would say for major security issues, yes, though the cutoff should be when production use of that OS gets below a certain point, which should be easily monitored, and I don't think XP went below that.

    In any event, that an organization the size of NHS, quite literally one of the largest employers on the planet, did such a poor job on security is disgraceful, especially considering how internetworked all their stuff was.

    • You introduce a chicken and egg problem that will only deflect the problem elsewhere. If MS continuously supported the OS then there'd be one less driver to move away from it.

      Instead of a bug breaking some ultra expensive piece of factory gear it will be a hardware failure or something else that can no longer be fixed. Simply removing one of the sources of obsolescence doesn't solve the underlying problem that is that many companies have piss poor obsolescence management or business continuity plans in plac

  • When you say "should", the real question is whether we are talking about a moral or a legal obligation. One could make a case for a moral obligation: Microsoft charge plenty for their software, they have the resources and know-how to provide these patches, and it is such a widely used system that there are likely to be cases where clients have a good reason to stick to the old OS. Patching that stuff benefits everyone.

    But I'd be very wary of making this a legal obligation. Especially since obligation
    • What about an economic obligation? Someone has to do the work; that implies time, which implies wage; wage implies cost; cost implies revenue streams; and revenue streams imply consumers actually spending money. It's easy to just dismiss Microsoft with a multi-billion-dollar net profit and push the conversation down the line to every other product that gets nickels, dimes, and dollars added to the end, until 5% or 10% of our money is going to things that don't matter.

      The real question is why haven't we

  • by fustakrakich ( 1673220 ) on Monday May 15, 2017 @10:50AM (#54418479) Journal

    Indefinitely? No, only as long as they want to keep their copyright/patent privileges on those systems.

    • Indefinitely? No, only as long as they want to keep their copyright/patent privileges on those systems.

      Indeed, once they stop making security patches, they should have to cough up the source code to the whole damned OS. They should only have to issue security patches to keep their code, though.

  • My work has the legacy patches ready for deployment even though WinXP, Win8 and Win2K3 systems got banished from the network last year. Never know when a tech is going to plug a decommissioned system into the network without verifying that it has a current Windows OS.
  • Of course not.

    Most of the ransomware could be stopped by the use of proper backups, firewalls, networking and IDS / IPS software. Instead of companies like Microsoft supporting old software stacks, they should only be required to release updates for the current systems and rely on the IT of the companies who use their product to properly secure themselves.
  • Forcing tech companies to start maintaining and updating legacy software that is no longer made, sold, and supported for free, is like forcing Ford to offer free seatbelt and airbag kits for Model Ts.
  • by CAOgdin ( 984672 ) on Monday May 15, 2017 @11:07AM (#54418613)

    Abandoning operating systems is a cruel trick played by vendors who want the new revenue from upgrades...no matter what the cost in lost business, learning curves, and incompatibilities with existing practices may be to the customers. Spending money on maintaining the security (even excluding features) of superseded products distracts from development of improved products, and is not in the vendors' self-interest.

    Given that a new Operating system (retail) is in the $100-$150 range, I'd propose "Life Extension" service subscription, solely for security updates in the $30-35/year range...with a required minimum of 10,000 customers to keep maintaining the service. That provides enough revenue ($1,000,000+ per annum) to support a small, dedicated staff.

    Frankly, there's no reason that a M$ couldn't engage in a Joint Venture with a small qualified, independent security firm to provide the service, with special access to proprietary information within the O.S. vendor.

    It would be an investment in the rehabilitation of the O.S. vendors' reputation, because M$ has gotten quite high-handed in recent years, dictating (or even forcing) software on unwilling customers who have existing businesses to run.

  • Windows Workstation on old DEC Alpha systems against any attacks? Pretty sure some of the basic Windows vulnerabilities would apply.

  • ...replace Windows with Linux, and stop using smbv1 and smbv2.

    Anyone remember nimda?

    Hell, at the very least, open source any abandoned OSes so that others can take on maintenance if they feel compelled to live in the 1990s again.

  • From the NHTSA regarding vehicular defects...

    "There is a limitation based on the age of the vehicle. In order to be eligible for a free remedy, the vehicle cannot be more than 10 years old on the date the defect or noncompliance is determined."

    OSes have the same coverage from vendors under Mainstream Support and Extended Support. This is a well known acceptance held by the industry. Expecting OS vendors to support longer than the social norm will only drive up the costs for the OS. If I was a college st
    • Vehicles are not a good analogy. Replacing some older vehicles does not cause the organization that uses them to stop functioning. A better example is industrial land pollution ("brownfields"), where US law requires the polluting company to pay for cleanup no matter how long ago it happened. Microsoft made a huge amount of money selling software it knew had defects into applications it knew would be hard to upgrade. It's not much different from companies who kept their costs down by dumping toxic waste mate
  • I think that if you got people over to the subscription model, it wouldn't be impossible to put 3 or 4 guys on a maintenance team to backport absolutely critical fixes. You'd have to be very explicit about the criticality level that triggers a fix, but the reality is that vendors introduce a lot of dependencies. Those maintenance coders wouldn't have to be your best and brightest either - it would be a very good first job for new grads. I would think that as long as customers were paying something like Soft

  • Would this approach not impact hardware development as well? And mobiles and iot?
    If Microsoft, Google, Apple and all Linux distribution organisations are expected to support older versions permanently, their software legacy grows and with it, the supported hardware combinations also grow.

    People here on /. dislike the push to upgrade to Win10, but it's what's going on elsewhere, with more mobile devices being sold than desktop format PCs. The model doesn't suit everyone all at the same time and with the same

    • Apple: most people run recent iOS versions - this shows Apple is doing well. Newer versions of OS X run well on older Macs too. Excellent Apple!

      Except that they left the PPC Macs out in the cold, many of which still have sufficient horsepower to run modern applications — only there are no applications, because the application developers took their cue from Apple (reasonably) and abandoned it at the same time Apple did. So there's, for example, no JavaScript engine which has been updated for PPC, so there's a distinct dearth of modern browsers.

      But let's forget what is essentially ancient history and move on to the fact that Apple dropped support f [osxdaily.com]

  • First of all, let me state that most of my machines are Linux, or BSD. I find the whole panic over WCry absolutely hilarious.

    Something like OpenBSD, but less stringent:

    First-tier is average OS support - six months support tops, after that, you need to upgrade. You have version 4.3 while the latest version is 7? Tough luck.

    Second-tier is emergency OS support: 12 to 18 months support tops. On a specific version (meaning fubar 6.0 but not fubar 6.1 for instance ), only back-port of the most critical patches to

  • This could also be viewed as PR protection for Microsoft. If they didn't help these users, then this would dirty Windows' name even further, and many of these users would probably switch to something else, realizing MS doesn't have their back.

  • by ToTheStars ( 4807725 ) on Monday May 15, 2017 @11:29AM (#54418801)

    Slashdot generally doesn't like ludicrously-long copyright terms, right? What if we made maintenance a requirement for retaining copyright over software? If Microsoft (or whoever) wants to retain a copyright on their software for 70 years, then they'd better be prepared to commit to 70 years of support. If they want to EOL it after 5 years or 20 years or whatever, and wash their hands of responsibility, that's fine, but then it's public domain. Why should we let companies benefit from software they don't support anymore?

    This could also work for art works, as well -- because copyright exists "To promote the Progress of Science and useful Arts," we could make it a requirement that an author (or company, or whatever) needs to be distributing (or licensing for distribution) a work to have copyright on it. When it's out of print, it enters the public domain.

  • Providing free updates to old OSs means that people paying for new versions are subsidizing the people who won't upgrade.
  • If the number of older systems is large enough, then Yes, Microsoft should release patches for them.

    They should do this for two reasons:
    1) Reducing the number of infected systems helps protect others from infections
    2) It protects the innocent, like those whose Medical Care was interrupted in the UK, from collateral damage.

    Who pays for it? Microsoft. They have benefited from the sale of all those systems, and certainly have enough cash to divert some to support old but prevalent systems. Also, the fact

  • If we made infinite support (even for just critical updates) the industry standard, would it be difficult for a budding software developer company to plan for this, before knowing how well the software will sell?
    At the other end of the spectrum, some established companies have hundreds or thousands of pieces of software deployed. How many units need to be sold/distributed before the company would need to consider it one that needs critical security support indefinitely?
    Would you think Open Source software w

  • If the answer is no then all a company has to do is tie all its software to the OS. If an OS is defined as the software that controls the hardware then there wouldn't be this issue in the first place. This is a service which runs on the OS.

    The systems sold at a discount today are no faster in handling the day-to-day use of the average user than some sold 15 years ago. Most people's use is not that of a gamer. This need to create waste baffles me. If it were not for the extended term of copyright there would

  • Just put all that old crap on virtual machines. The only important parts are the data. And the easiest way to counter ransomware is with backups.
    • You're confused, virtual machines can become infected and spread infection and clog networks too. That is not a solution. Having backups and archives of infected files is not a solution either. Guess again.

      • Not to mention that often the reason why a legacy OS is still being used isn't so much software as hardware, and drivers for same. Sometimes that stuff can be connected to a VM, sometimes not.

  • There are more than enough XP users in the world for Microsoft to dedicate resources and turn a profit supporting it. Arbitrary sunset dates disconnected from reality of who is still using software amount to nothing more than sales tools intended to extort upgrade revenue.... buy this or get owned.

    I personally don't believe vendors should be allowed to walk away from safety defects in products in order to make money on upgrades. Buffer overflows are entirely preventable classes of software failures. It i

    • by Ash-Fox ( 726320 )

      There are more than enough XP users in the world for Microsoft to dedicate resources and turn a profit supporting it.

      You say that, but considering Microsoft offer services to partners (and becoming a partner is trivial) for back porting certain fixes at your own cost. You rarely see the vast majority of bug fixes and vulnerabilities getting back ported for XP these days.

      and turn a profit supporting it.

      It doesn't appear to work for the vast majority of vulnerabilities out there.

  • Personally, I think it's the wrong approach to try to compel Microsoft to support old operating systems. It's a substantial burden for them, and makes it harder for them to move forward and innovate.

    Instead, I think we should try to compel Microsoft to open the source of Windows XP. If there's a large enough number of people who want continued support, they would then be able to fund it somehow. Plus, it would push Microsoft to innovate, since they would have to make sure that Windows 10 did useful thin

  • Forever support isn't reasonable, but at the same time vendors using security update channels to push unwanted upgrades for the benefit of the vendor is equally bad.

    My guess is that we're going to be getting to the end of the road of the "nasty, brutish and short" state of nature in the software industry and start seeing more regulations.

    Vendors will be able to EOL their products, but will also have to supply security updates for N years after the product is officially ended. Vendors will be required to ma

    • by Ash-Fox ( 726320 )

      You do realize this very support is available from Microsoft for older versions of Windows? It's just rarely anybody is willing to pay for it. It's just the free patching and cheaper partnership offerings that have been terminated support wise.

  • None of us bother to learn real security. You're all so stuck on layer 4-7 you fail to understand layers 0-3.

    Your fault for not realizing the current security model is flawed as fuck.

  • Perhaps all OSs should have a kill date embedded after which they will fail to operate. Maybe nothing as drastic as the machine failing to start, but perhaps for example booting into the equivalent of safe mode with no networking, so that it's possible to move your data from the system but isn't really practical to use it.

    Why? Because such a kill date would actually force people to think about upgrading rather than just keeping running because they know they can.

    It could be as simple to override as putting the
