2017-05-15: Slashdot Asks: In the Wake Of Ransomware Attacks, Should Tech Companies Change Policies To Support Older OSs Indefinitely?
In the aftermath of ransomware spread over the weekend, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, writes an opinion piece for The New York Times: At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, "pay extra money to us or we will withhold critical security updates" can be seen as its own form of ransomware. In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more. Microsoft supported Windows XP for over a decade before finally putting it to sleep. In the wake of ransomware attacks, it stepped forward to release a patch -- a move that has been lauded by columnists. That said, do you folks think it should continue to push security updates to older operating systems as well?
No. You can't support legacy software forever. If your customers choose to stay with it past its notified EOL then they are SOL. Any company using XP that got hit by this can only blame themselves.
I will need to agree, with conditions. If the tech company is selling service contracts for that product, they will need to update it. However, for XP and older, where the company isn't selling support and had let everyone know that it is off service, they shouldn't need to keep it updated. Otherwise I am still waiting for my MS DOS 6 patch, as it is still vulnerable to the Stoner virus.
Well, it is their fault for not staying current. I have worked in big organizations where movement is slow... However, intentionally keeping your systems dangerously out of date is just bad management.
From the outside, I would tend to agree with you. But Microsoft has some liability here. They created a product that is still in use on hundreds of thousands if not millions of computers. Microsoft sold more than 400 million copies, and who knows how many pirated copies are out there.
Here's the deal: Microsoft was found to be in a monopoly as far back as 1998 [wikipedia.org]. When companies like Microsoft reach this level of operation, they usually become regulated [wikipedia.org]. I see a strong likelihood that Microsoft will suffe
I don't see how you can blame Microsoft if $OTHER_COMPANY uses their software in a way Microsoft doesn't support. IMO, you should be blaming Hitachi here, not Microsoft. As far as critical and irreplaceable goes, anyone who builds critical, irreplaceable services on commodity, consumer grade software, has no one to blame but themselves. Put another way, they may have accepted the risk that this would happen when they stood the service up. The risk has now materialized.
Easier said than done. Much of this closed-source software is using purchased 3rd-party libraries that will not allow the code to be open sourced. Then there is still code that is used in your current product that you may not want to share. Finally, you want people to pay for the new version, and not just get hold of a perfectly functional older version.
Also, much of the code from Windows XP is still in operation in one form or another in Windows 10. Correct me if I'm wrong, but the Windows NT operating system has gone through revisional version updates since its creation; it's not a complete and total re-write. Open-sourcing XP would mean open sourcing Windows 10 and Server 2016.
I like the idea, but I think in practice it would be a lot more complicated.
OTOH, this is the same Cisco that makes it a PITA to get firmware updates for many products without an active service agreement.
So many small offices out there bought a Cisco 800 series or something, and once it's a couple of years old they can't easily get updates, even if it's still an active product line.
This did not need to be fixed with an OS patch; it could have been prevented with better network security policies. I would be surprised if someone hadn't said something about addressing the vulnerability earlier but probably got ignored because of some budgetary issue.
It would be more reasonable to call for continued money to be made available to address these vulnerabilities after a system has gone into production, and a move to use more open source solutions where users can share patches.
What I want to know is why Samba wasn't disabled already. Isn't this something that can be done with Group Policy?
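The comment above asks whether SMB can be switched off centrally. As an added example (not from the thread or from Microsoft), the script below audits whether the SMBv1 server is enabled on a Windows host and, with -Remediate, disables it. It assumes Windows 8 / Server 2012 or later for the Smb* cmdlets and falls back to the documented LanmanServer registry value on Windows 7 / Server 2008 R2; the registry value is also what a Group Policy Preferences Registry item would push to domain-joined hosts. Windows XP only speaks SMBv1, so there the defender's option is blocking TCP 139/445 from untrusted networks rather than disabling the protocol.

```powershell
# Added example, not code from the Slashdot thread or from Microsoft.
# Audit, and optionally disable, the SMBv1 server on a Windows host.
# Assumptions: elevated PowerShell session; Windows 8 / Server 2012 or later
# for the Smb* cmdlets; Windows 7 / Server 2008 R2 use the registry fallback.
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Prefer the SMB cmdlets; they exist on Windows 8 / Server 2012 and later.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        return [pscustomobject]@{ Source = 'cmdlet'; Smb1Enabled = [bool]$cfg.EnableSMB1Protocol }
    }
    # Older hosts: SMB1 is enabled unless the SMB1 value exists and is 0.
    $val = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return [pscustomobject]@{ Source = 'registry'; Smb1Enabled = ($null -eq $val -or $val -ne 0) }
}

function Disable-Smb1 {
    param([string]$Source)
    if ($Source -eq 'cmdlet') {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Same value a Group Policy Preferences Registry item would set domain-wide.
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'Registry change takes effect after the Server service restarts (or a reboot).'
    }
    # On Windows 10 / Server 2016 the SMB1 component can be removed entirely;
    # on systems without that optional feature the call is silently skipped.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

$state = Get-Smb1State
Write-Host ("{0}: SMB1 server enabled = {1} (checked via {2})" -f `
    $env:COMPUTERNAME, $state.Smb1Enabled, $state.Source)

if ($state.Smb1Enabled -and $Remediate) {
    Disable-Smb1 -Source $state.Source
    $after = Get-Smb1State
    Write-Host ("After remediation: SMB1 server enabled = {0}" -f $after.Smb1Enabled)
}
```

Run it without arguments first across the fleet to see how much still depends on SMBv1 (old NAS boxes, printers and instrument PCs often do), then with -Remediate once the dependencies are known; disabling the server side alone does not stop a host from acting as an SMBv1 client.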
Should they go back and patch Win95 while they're at it? Make Win386 rock-solid in the face of current virii and ransomware?
By that same logic, you could insist that Ford go back and install safety glass and airbags on any existing Model T's still running.
The simple fact is that OS's are a treadmill. It's a not a typewriter that you buy once and use until it breaks.
Look, I think OS firms *should* support 'the last few versions' - say whatever was current 10 years ago (ie in MS's case, Win2007). But to go back further, or to MANDATE that?
If you can't be bothered to run reasonably current OSs, then you're going to be as safe as you deserve.
Exactly. Microsoft stopped selling Windows XP over 8 years ago (!). I doubt many of the affected computers are older than 8 years.
It is more likely that people made use of the "downgrade" option in professional licensing, which allowed them to install Windows XP despite the fact that it was no longer on sale. That should have been a clear warning that support will not last forever.
But no, organisational inertia means that IT kept setting up new Windows XP systems long after the system was discontinued. I think
"I think there is clearly one party at fault, and it is IT."
Why so? XP was far easier to lock down and fully secure than 8 or 10 with that bullshit telemetry, and it had far fewer hardware restrictions. It is smaller and faster and more capable at most of my tasks than most modern systems (example: I use ManyCam 3.0.80 - 2000/XP-Era multi-cam software. Runs like a champ on XP with 4 webcams, I go 7 [Ultimate] or higher, I can no longer use more than 2 webcams despite the software having the ability to acces
What happens if still-used software isn't owned by anyone any more? The company is out of business; there is no source code available. There is a point where the end user has some responsibility to update their system. Like the Model T, they may still keep it and use it for a hobby, but knowing full well that if you take it on the highway and get in an accident you are probably going to get killed.
If I want to install safety glass and airbags in my Model T that still runs, could I do it? Yes. The thing is that I do not need Ford to do it for me.
They also do not prevent others from doing the install. Well, that is until you start talking about software on cars. If in 25 years they find a way to hack my then-classic BMW to crash it and thus kill people, should BMW provide a patch, a way for others to patch, or say that I just need to buy a new car?
... have policies in place that prevent mission-critical systems from being proprietary, dependent on one vendor, insecure, not updated and open to being messed up by clueless users who click on links and download and install everything they can lay their hands on.
Also they should all have in place: Up and running intrusion detection on their intranets, regular automated overturning backups and regularly tested zero-fuss disaster recovery. Have all that in place and you wouldn't even notice WannaCry.
MS is a good corporate solution because it has, in the past, realized that corporate solutions cannot just be updated on demand. Real production machines have to be carefully maintained. This requires funding, and the one place MS has been able to charge for services is the corporate space. They were correct, for the most part; free is only free if your time is
I don't even like MS.
There's a difference between proactive support and reactive support.
Because crooks keep being more inventive, finding new -- heretofore unanticipated -- ways of tricking users and software.
You might as well ask, "How many law enforcement officers are out there?" There will always be some to invest their inventiveness in making a quick "killing" instead of engaging in honest, hard work of designing products that people want. Computer criminals are not interested in the niceties of business, like marketing, and advertising, and customer satisfaction...they're only intereste
It also lives on in many scientific instruments. An old mass spec that runs XP (or even older; I regularly maintain X-ray diffraction machines that still run DOS) usually can still do the day-to-day job just fine. The software usually hasn't been supported for many years and won't run on anything newer. But replacing the instrument could cost a large amount of money (250K or up in many cases).
Research budgets aren't growing and I work for a university in a state that can't pass a budget. We just don't have
I honestly can't figure out where I fall on this. I would say for major security issues, yes, though the cutoff should be when production use of that OS gets below a certain point, which should be easily monitored, and I don't think XP went below that.
In any event, that an organization the size of NHS, quite literally one of the largest employers on the planet, did such a poor job on security is disgraceful, especially considering how internetworked all their stuff was.
But I'd be very wary of making this a legal obligation. Especially since obligation
What about an economic obligation? Someone has to do the work; that implies time, which implies wage; wage implies cost; cost implies revenue streams; and revenue streams imply consumers actually spending money. It's easy to just dismiss Microsoft with a multi-billion-dollar net profit and push the conversation down the line to every other product that gets nickels, dimes, and dollars added to the end, until 5% or 10% of our money is going to things that don't matter.
The real question is why haven't we
Indefinitely? No, only as long as they want to keep their copyright/patent privileges on those systems.
There's only so long you can reasonably expect support on older products. What should change is:
1. Stop using Windows for security sensitive applications.
2. Hire people to build secure systems who know how to build secure systems. Listen to them.
3. Don't volunteer for vendor lock-in. The mass Windows groupthink of the 80's and 90's was born out of incompetence. Think about the future, not just the immediate moment.
4. People who can only think in terms of "which choice requires me to understand less?" sh
Most of the ransomware could be stopped by the use of proper backups, firewalls, networking and IDS / IPS software. Instead of companies like Microsoft supporting old software stacks, they should only be required to release updates for the current systems and rely on the IT of the companies who use their product to properly secure themselves.
I've installed Windows 10 on my PC and TRY BING TODAY it's not that bad.
All of these problems crop up because of the conflict between wanting software that Just Works(tm) and wanting to be on the Internet. It's probably time that we started setting up networks where each computer has a separate, dedicated piece of hardware that handles security. A little crossover switch that's kept up to date, or, in big enterprise deployments like this, can be upgraded without interrupting whatever software application they have that's still running on something old.
No, but I will fault the copyright/patent law that prevents me from making and selling my own parts for the '64 model. At the very least, compulsory licensing should be applied for those who want to support legacy systems, and cars.
Abandoning operating systems is a cruel trick played by vendors who want the new revenue from upgrades... no matter what the cost in lost business, learning curves, and incompatibilities with existing practices may be to the customers. Spending money on maintaining the security (even excluding features) of superseded products distracts from development of improved products, and is not in the vendors' self-interest.
Given that a new Operating system (retail) is in the $100-$150 range, I'd propose "Life Exten
Because ransomware did not exist before Bitcoin.
Windows Workstation on old DEC Alpha systems against any attacks? Pretty sure some of the basic Windows vulnerabilities would apply.
...replace Windows with Linux, and stop using smbv1 and smbv2.
Anyone remember nimda?
Hell, at the very least, open source any abandoned OSes so that others can take on maintenance if they feel compelled to live in the 1990s again.
I want to live in the 1980's [youtube.com] you insensitive clod!
"There is a limitation based on the age of the vehicle. In order to be eligible for a free remedy, the vehicle cannot be more than 10 years old on the date the defect or noncompliance is determined."
OSes have the same coverage from vendors under Mainstream Support and Extended Support. This is a well known acceptance held by the industry. Expecting OS vendors to support longer than the social norm will only drive up the costs for the OS. If I was a college st
I have no sympathy for moneyed institutions that treat IT as a pure cost center and skimp on keeping it a well-oiled machine. If you're a hospital that wants to be cheap and leave XP-based machines on the Internet, then you can have your administrators' salaries and bonuses docked to pay the fines for the social harms you cause by prioritizing compensation over "getting the job actually done." Or you can go back to the ugly days when your IT wasn't a cost center, i.e. back when you didn't have the efficiency ga
I think that if you got people over to the subscription model, it wouldn't be impossible to put 3 or 4 guys on a maintenance team to backport absolutely critical fixes. You'd have to be very explicit about the criticality level that triggers a fix, but the reality is that vendors introduce a lot of dependencies. Those maintenance coders wouldn't have to be your best and brightest either - it would be a very good first job for new grads. I would think that as long as customers were paying something like Soft
Would this approach not impact hardware development as well? And mobiles and iot?
If Microsoft, Google, Apple and all Linux distribution organisations are expected to support older versions permanently, their software legacy grows and with it, the supported hardware combinations also grow.
People here on /. dislike the push to upgrade to Win10, but it's what's going on elsewhere, with more mobile devices being sold than desktop format PCs. The model doesn't suit everyone all at the same time and with the same
First of all, let me state that most of my machines are Linux, or BSD. I find the whole panic over WCry absolutely hilarious.
Something like OpenBSD, but less stringent:
First-tier is average OS support - six months support tops, after that, you need to upgrade. You have version 4.3 while the latest version is 7? Tough luck.
Second-tier is emergency OS support: 12 to 18 months support tops. On a specific version (meaning fubar 6.0 but not fubar 6.1 for instance ), only back-port of the most critical patches to
This could also be viewed as PR protection for Microsoft. If they didn't help these users, then this would dirty Windows' name even further, and many of these users would probably switch to something else, realizing MS doesn't have their back.
Slashdot generally doesn't like ludicrously-long copyright terms, right? What if we made maintenance a requirement for retaining copyright over software? If Microsoft (or whoever) wants to retain a copyright on their software for 70 years, then they'd better be prepared to commit to 70 years of support. If they want to EOL it after 5 years or 20 years or whatever, and wash their hands of responsibility, that's fine, but then it's public domain. Why should we let companies benefit from software they don'
