
Ask Slashdot: How Do You Handle Hardware That Never Gets Software Updates? (hpe.com) 233

New submitter pgralla writes from a report via HPE: Many devices, designed for both long-term and short-term use, were shortsighted when it came to flexibility. How do you handle the hardware that never gets software updates, such as embedded systems and task-dedicated equipment? The article that pgralla shared provides the example of medical devices running Windows 7. "Many of the current generation, when they were first released, used Windows 7, and the devices still work well enough that they remain in service today," reports HPE. "But Microsoft ended mainstream support for Windows 7 back in January 2015, so the operating system gets updated only with an occasional security patch as part of Microsoft's extended support. In January 2020, that extended support will end as well." Many IoT devices are in a similar boat as they're powered by embedded Linux and are not designed to be updated after they enter service.

Of course, these outdated devices create all sorts of security concerns. "Hackers and their access to knowledge and computing power only go up as the years pass, which means that long-lived, fixed-firmware devices become ever more insecure over time," says Michael Barr, founder of the Barr Group, which provides engineering and consulting services for the embedded systems industry. The WannaCry ransomware hack in 2017 affected not just PCs but also medical devices, and ended up costing businesses $4 billion.
  • Easy.... (Score:5, Insightful)

    by GerryGilmore ( 663905 ) on Thursday July 26, 2018 @08:27PM (#57016462)
    ....don't buy it.

    I've seen SO many people whining about MS' forced reboots, etc. STOP!
    If there is not a sensible option available, demand that your vendor make a version that can be sensibly updated. Too many purchasing decisions just don't have any sensible criteria. ("Oh, it's built on Win XP and you aren't updating it? OK - scratch!")
    • Re:Easy.... (Score:5, Insightful)

      by Shikaku ( 1129753 ) on Thursday July 26, 2018 @08:29PM (#57016476)

      Linux is free. Updates only when told to. Doesn't have telemetrics by default. Never looked back except in VMs.

      • Re: Easy.... (Score:4, Interesting)

        by peragrin ( 659227 ) on Thursday July 26, 2018 @08:48PM (#57016562)

        The issue isn't updates but people who don't apply updates at all.

        Linux and osx let you schedule them but that says the user is smart enough to do so. 20 years of Windows updates have proven that to be false for 99% of users.

        The forced updates of iOS have proven to be more secure than the fragmented updates of Android.

        How often do you update your router? If your up time is over 60 days you are missing updates and are insecure.

        That is the issue. The other issue is designing software to use decraprated apis. Anyone building software using win32

        • Actually my router is also Linux. So weekly, every Sunday night. Cronie, the cron job manager handles it for me, even the rebooting if necessary; with the LTS kernel for minimal changes except bug and security fixes.

        • Re: Easy.... (Score:5, Insightful)

          by fred6666 ( 4718031 ) on Thursday July 26, 2018 @09:00PM (#57016624)

          How often do you update your router? If your up time is over 60 days you are missing updates and are insecure.

          I don't know any home/small business router company (TP-Link, Linksys, Netgear, ...) updating routers every 60 days. More like 1-2 times per year, for 1-2 years. And then nothing.

          • Asus updates (Score:3, Informative)

            by Anonymous Coward

            How often do you update your router? If your up time is over 60 days you are missing updates and are insecure.

            I don't know any home/small business router company (TP-Link, Linksys, Netgear, ...) updating routers every 60 days. More like 1-2 times per year, for 1-2 years. And then nothing.

            Perhaps you should look into Asus, which often updates at least quarterly, and often monthly:

            * https://www.asus.com/Networking/RTAC68U/HelpDesk_BIOS/
            * https://www.asus.com/microsite/2014/networks/routerfirmware_update/

            And has been doing it for 4+ year-old products. Plus there is third-party code that leverages the GPL stuff that Asus releases:

            * https://asuswrt.lostrealm.ca
            * https://github.com/RMerl/asuswrt-merlin.ng

            • by AmiMoJo ( 196126 )

              My friend's Netgear router is about 6 years old and got an update a few months back for some vulnerability.

              Netgear's stuff is low end crap but at least they do seem to support it for the long term, which actually really surprised me.

          • How often do you update your router? If your up time is over 60 days you are missing updates and are insecure.

            I don't know any home/small business router company (TP-Link, Linksys, Netgear, ...) updating routers every 60 days. More like 1-2 times per year, for 1-2 years. And then nothing.

            My Google OnHub has received monthly-ish updates for almost three years now.

          • by guruevi ( 827432 )

            Hence why we have DD- and OpenWRT.

            • Hence why we have DD- and OpenWRT.

              Most of the open source builds I have found are ancient. Particularly DD-WRT. Unless you are going to build them yourself, you will likely be worse off than using the stock firmware.

              The most recent build for my last router (TP-Link?) was pre-heartbleed (2013 IIRC). I just gave up and bought a nice new ASUS router that gets regular updates from the manufacturer.

        • I like specifically that my operating system doesn't think it knows better than me about what I need to do. There's the old adage, "If it ain't broke, don't fix it."

          I update my system on a weekend when I've got the time. I use profiled-guided optimization on many of my core packages so it takes a few days to train these as well. Sometimes I'll go a few weeks without updating my personal laptop, and that's O.K. That's my choice, and it's not an issue because I don't run shady software or host public services

        • Re: Easy.... (Score:5, Informative)

          by YukariHirai ( 2674609 ) on Thursday July 26, 2018 @11:48PM (#57017180)

          The issue isn't updates but people who don't apply updates at all.

          This is exactly the idea behind Microsoft's forced updates: most people are never applying updates, which causes problems, so if the updates get applied without user intervention, problem solved. I don't think they're entirely wrong, but they went about implementing mandatory updates in a kind of brain dead way.

          The forced updates of iOS have proven to be more secure than the fragmented updates of Android.

          iOS doesn't have forced updates; it is always up to the user to decide to install updates or not, though Apple do a bit to encourage it. The difference between iOS and Android in terms of updates is that Apple as a matter of course rolls out security updates to every device currently supported (and they are supported for quite some time, contrary to the largely inaccurate stereotype of Apple devices getting thrown out and replaced annually) and new versions of iOS to basically all devices capable of running the new version. With android, it's left up to each hardware manufacturer to provide security updates and new versions for their devices. Many don't bother at all, many others do a couple of security updates and maybe a new version while the device in question is "current" before basically abandoning it. Even if a device is technically capable of running a new version, it's not usually an option to "go over the manufacturer's head" for updates; a build has to be tailored to the model in question, and while the wider open source community does offer some for some devices, it's very much a mixed bag of what's supported, how up-to-date it is, and even how trustworthy the third party is.

          • by AmiMoJo ( 196126 )

            With android, it's left up to each hardware manufacturer to provide security updates and new versions for their devices.

            This is a very persistent myth.

            Since V4 back in 2013 they have been patching security issues via Google Play Services, which is mandatory for Android devices. The current version (Oreo, released last year) includes Project Treble, which allows phone manufacturers to ship updates much more quickly by separating out the hardware layer, which is what was causing most of the delays.

            This is why you don't see vast Android botnets rampaging all over the internet. The OS itself is very secure already, being heavily

          • This is exactly the idea behind Microsoft's forced updates: most people are never applying updates, which causes problems...

            Which I noted in another thread is mostly because of how fucking awful their updates are. They are maddeningly slow resource hogs with massive and random interruptions. They are inconsistent and provide no information about what they're doing, how long it will take, and sometimes crank so hard behind the scenes that other programs stop responding.

            Why the fuck can't they do a reasonable update? Who the hell thought "Updating, don't lose power or force-shutdown or it will bork your OS" was a good idea? Why do

      • by antdude ( 79039 )

        Medical devices though. What works with Linux? :P

      • Re: (Score:3, Informative)

        by Xord ( 5060493 )
        I work in the medical industry and I have never yet seen Linux as the OS used with any major medical equipment, such as CT scanners, X-Ray scanners, MRI, Ultrasound, etc. Linux is not always the answer in the real world unfortunately.
        • by Xord ( 5060493 )
          I should probably add that our way of dealing with these horrendously outdated operating systems required for the equipment is to vlan them off from the main network and don't allow internet access.
    • Re:Easy.... (Score:5, Insightful)

      by ShanghaiBill ( 739463 ) on Thursday July 26, 2018 @09:22PM (#57016700)

      ....don't buy it.

      Not an option with a patented medical device.

      demand that your vendor make a version that can be sensibly updated.

      Right. Sure. Because companies with millions of customers always do a complete system redesign to satisfy "demands" from one whiner.

      • If those "millions of customers" quit acting like sheep ("OK, we'll take whatever crap you have with NO input from us, your customers"), then maybe things will change. Otherwise, you deserve what you get.
        • by tsa ( 15680 )

          That is utter bullshit. 99% of those 'sheep' as you call them have better things to do than scrutinizing firmware. They need a device that does what they need it to do so they take what is available.

    • by Luthair ( 847766 )
      Unfortunately normal users are stuck at the moment. Macs are still very expensive (and have had a lot of questionable hardware issues in the past few years), Chromebooks have a 5-year EOL, and unfortunately Linux is still too flaky to give someone without technical knowledge.
      • by Bert64 ( 520050 )

        Windows is also too flakey for someone without technical knowledge...

        • by Luthair ( 847766 )
          It's not perfect, but your wifi card also isn't going to stop working with an automatic update nor will the user need to dig through a list of random packages preventing them from upgrading.
          • wifi card also isn't going to stop working with an automatic update

            Have you even used Windows? This is a regular event. Not only that, the new drivers you need have to be downloaded off the Internet using your machine with no Wifi to connect to the Internet.

            In reality, Windows is not only not fit for prime time, it is "unfit for the purposes for which it was advertised" - which is a crime in Europe unless you have enough money to pay the bribes, and eventually even they will get caught.

    • Re: (Score:2, Interesting)

      Unfortunately with Microsoft it doesn't matter if I buy it or not. If I buy a new laptop, I am implicitly paying for a microsoft license. It's baked into the price. Many many years ago you used to be able to call the vendor and say you don't agree to the Microsoft terms of service and they would sell you an OEM version without windows at a savings of like $200. But I don't think this is an option anymore.

      That said, I don't buy Microsoft products at all if I'm not forced to (like hardware purchase). I droppe

      • No. Usually when you buy a laptop with windows on it you are paying less as the bloatware that the 3rd party vendors pay to put on with the OEM usually more than covers the $50 windows price (it isn't $200). Most laptops without an OS would actually cost more.
    • ....don't buy it.

      Hahahahaha

      demand that your vendor make a version that can be sensibly updated

      Aaaahahahahahahaha

      +5 Funny. Now to move on to some insightful discussion that actually makes any kind of sense at all than your idealistic ideas that you or your decision matters. Actually something does matter, your indecision matters and is just likely to get you fired.

    • Except for the fact the people who buy it don't know, don't care about the long term implementations of the product. Besides those expensive lunches are nice and we want to keep on the good graces of the company sales people.

    • by mjwx ( 966435 )

      ....don't buy it.

      OK... Where can I find the open source MRI scanner.

      I've been in the exact situation described in the summary, except it was about 8 years ago and it was an MRI scanner with software designed to run on Windows XP that couldn't be updated to Windows 7. Before VM's were as robust and ubiquitous as they were today. The solution was simple, an air gap.

      The machine had no network connection and no WiFi (yes youngsters, there was a time where most desktop machines didn't have WiFi built in). We put silicon i

    • Yeah well, that's only an option if the device you need isn't running Windows. The article includes medical devices and some others that are very specialized and you might not be able to get with an OS of your choosing.
      I guess the only way to secure them would be to isolate the machines as much as possible. The other one would be to pressure the vendors to include long term software support for their hardware
    • Or better, don't connect it to the network. There's no reason for most devices to be on the network. And, frankly, I'm willing to accept a lot more security holes in something if step 1 is "sit down at the device"

  • by MpVpRb ( 1423381 ) on Thursday July 26, 2018 @08:28PM (#57016470)

    Many old tools are computer based

    Some old CNC machines run on MS-DOS and a 286 processor

    As long as the hardware stays alive, they continue to do the job

    If they must be networked, restrict their access to the local net

    • by kwalker ( 1383 ) on Thursday July 26, 2018 @08:32PM (#57016492) Journal

      Not just the local net. Restrict their access to only trusted control devices on the local net. It may require putting insecure devices on a network segment that has strict access controls, but when the only other alternative is to discontinue a working device (In situations where that's possible), making a sandbox network isn't all THAT much work.

      • by MightyMartian ( 840721 ) on Thursday July 26, 2018 @08:46PM (#57016552) Journal

        This... so much this. Segregate these devices, limit access via VLANs and firewalls. Yes, it may mean only a handful of other devices and workstations can touch these older devices, but you need to reduce the attack surface as much as possible.

      • by raymorris ( 2726007 ) on Thursday July 26, 2018 @09:26PM (#57016714) Journal

        A basic principle of security is least privilege. If a piece of outdated equipment needs to send udp packets on port 411 to a monitoring station, you set the firewall to allow it to send udp on port 411 to that particular station, and nothing else. If it doesn't need to talk to web servers, you don't let it talk to web servers. You allow it to do only exactly what it needs to do.

        Not sure what your equipment needs to do? You could check the manual, and otherwise open up Wireshark and set the filter to the IP of the equipment. Have a look at what it is sending and receiving. Then set the firewall to allow only exactly what is needed.

        This is also an area where vlans come in very handy. Vlans act like completely separate networks, but they are configured within your switch, so a single 48-port switch can handle a dozen different, totally separate vlans.

        Perhaps different parts of your network should be mostly separate, but you need to allow a little bit of specific communication between two vlans. That's when you plug a router or firewall into both vlans and set it to route only specifically allowed traffic between them. This doesn't even require two network ports - the same port can be in multiple vlans and the router can control traffic between vlans using a single cat6 cable. This is called "router on a stick".

        If some of this went over your head, here's the simple version:
        Call someone who has a CCNA Security certification or better (CCNP Security or CCIE Security). Tell them you're thinking about segregating different vlans and using an internal firewall to strictly control internal traffic. They'll get you set up.
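
The workflow in the comment above (capture what the device sends and receives, then allow only what it needs) as an added example that is not part of the original post. It assumes the firewall between the VLANs is a Linux box running nftables; the IP addresses, the CSV column layout, and the table name are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


# Constructed addresses (assumptions, not from the thread).
DEVICE_IP = "10.20.0.5"    # the outdated equipment
MONITOR_IP = "10.10.0.9"   # the monitoring station

# Constructed sample: one row per new conversation seen with the capture
# filter set to the device's IP. The column layout is an assumption.
CAPTURE_CSV = """src,dst,proto,dport
10.20.0.5,10.10.0.9,udp,411
10.20.0.5,10.10.0.9,udp,411
10.20.0.5,203.0.113.80,tcp,80
10.10.0.77,10.20.0.5,tcp,445
10.20.0.5,10.10.0.9,udp,411
"""


def make_flow(src, dst, proto, dport):
    """Validate every field so nothing unchecked reaches the rule text."""
    src = str(ipaddress.ip_address(str(src).strip()))
    dst = str(ipaddress.ip_address(str(dst).strip()))
    proto = str(proto).strip().lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto!r}")
    port = int(dport)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return Flow(src, dst, proto, port)


# What the reviewer decided the device needs: the comment's udp/411 case.
APPROVED = {make_flow(DEVICE_IP, MONITOR_IP, "udp", 411)}


def parse_capture(text):
    """Count how often each distinct flow appears in the export."""
    seen = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        seen[make_flow(row["src"], row["dst"], row["proto"], row["dport"])] += 1
    return seen


def review(seen, approved):
    """Return (flow, count, verdict) rows, most frequent first."""
    return [
        (flow, count, "accept" if flow in approved else "drop")
        for flow, count in seen.most_common()
    ]


def render_nftables(approved, table="legacy_segment"):
    """Emit a forward chain that drops by default and accepts approved flows."""
    lines = [
        f"table inet {table} {{",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        # Replies to an approved conversation are allowed back through.
        "        ct state established,related accept",
    ]
    for f in sorted(approved):
        fam = "ip" if ipaddress.ip_address(f.src).version == 4 else "ip6"
        lines.append(
            f"        {fam} saddr {f.src} {fam} daddr {f.dst} "
            f"{f.proto} dport {f.dport} accept"
        )
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Show which observed traffic the ruleset would cut off, then the rules.
    for flow, count, verdict in review(parse_capture(CAPTURE_CSV), APPROVED):
        print(f"{verdict:6} x{count}  {flow.src} -> {flow.dst} "
              f"{flow.proto}/{flow.dport}")
    print(render_nftables(APPROVED))
```

The review output is the useful part before enforcement: every "drop" row is traffic the device was seen exchanging that the new policy will cut off, so each one should be either confirmed as unneeded or added to the approved set.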

    • Many of these machines DO get upgraded. A lot of times they expect the customers to pay for this service though with longer term service contracts, while at the same time demanding that they upgrade their machines for an even heftier profit. Places like hospitals or clinics don't have budgets to update all their machines, they had a budget a long time ago when they bought the machines but not anymore. These were capital expenditures, you can't just replace them every 5 years, it's like a homeowner being t

  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Thursday July 26, 2018 @08:29PM (#57016480) Homepage Journal

    I have a number of Rohde and Schwarz FSEB and FSEA spectrum analyzers. These cost at least $80,000 new (I bought them used for a few thousand at most). They come with an old version of windows. I similarly have other electronic test equipment with old Windows or even old Linux which the manufacturer doesn't update any longer. For the Linux-based ones I could hack in a new Linux and make it use the old ABI, forget about Windows.

    But what really clued me in was that the Rohde and Schwarz equipment had a battery soldered on the CPU board, and it was an hour-and-a-half service to get to it. A lot of stuff had to be removed.

    Similarly, my Tektronix 500-series oscilloscopes had two 40-pin DIP Dallas Semiconductor battery-backed memory and clock chips. The batteries in these die and they aren't socketed. When the batteries die, the 'scopes lose their calibration. The company won't give you the program to recalibrate them.

    The manufacturers just want you to buy new ones.

    So, obviously I back SDR-based test equipment that's Open Source. Who needs a company that wants to screw you?

    • "Tektronix 500-series oscilloscopes had two 40-pin DIP Dallas Semiconductor battery-backed memory and clock chips."

      Um, no they didn't. At best, they had socketed transistors.

      http://w140.com/tekwiki/wiki/5... [w140.com]

      You are perhaps referring to the TM500 series, but even those are long in the tooth.

      http://w140.com/tekwiki/wiki/T... [w140.com]

    • Never attribute to malice that which is adequately explained by a manager with a Gantt Chart. You could probably track down the designer of the board and he would dejectedly tell you, "Yeah, it's a shit design and we had a respin ready but, it didn't fit in the schedule". Or you could track down the embedded software guy and he'd tell you, "We had this elegant upgrade path planned out but no one could figure out how it fit into the Gantt Chart so we dropped it".

      The engineers want to do The Right Thing but

  • Medical devices with Windows 7? That's a laugh. We have medical devices around here running Windows XP. How's that for a nightmare?
    • by Faw ( 33935 )

      At work we have 3 Spectrometers with integrated computers. One uses MSDOS with a PATA drive and a floppy. A pain when the HD dies, have one of those flash drive->floppy drives ready for when it breaks (not touching it if it's working). Another with a weird Windows 2000 Embedded that it's impossible to find, and another with XP. They are too specialized and only upgraded by the company. Also new ones go for 100k or something, so unless they blow up they stay as they are.

    • Windows should have offered long term service support for some of this, instead of yanking the plug on support whenever there's a newer version. If other smaller companies have to give 10 to 20 years of support for hardware or software, why does Microsoft get off easy? Not everything Microsoft sells is some fluffy consumer device that gets replaced as often as fashions do. If they wanted to get into the embedded market then they should have taken that seriously.

      • by ColaMan ( 37550 )

        XP was generally available in October 2001.
        XP SP3 was released in April 2008.
        Extended support ended in April 2014.
        If you really want to pay a large amount of money to Microsoft, you can continue support for XP today.

        It had a pretty good run.

    • We have medical devices around here running Windows XP. How's that for a nightmare?

      Is it connected to the network? XP is simpler than 10, maybe that device works even better with it?

  • My experience tells me that if my hardware is not running Debian, then at some point there will be no more updates.
    And hackers are not the only problem, often the hardware just becomes useless.

    E.g., I have a perfectly good old WiFi IP phone, but it only works on open networks or networks encrypted with WEP.
    I have some devices that I would like to use to browse the internet. But they fail on websites with newer certificates.

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Thursday July 26, 2018 @08:45PM (#57016548)
    Comment removed based on user account deletion
    • If it doesn't need to be connected it shouldn't be connected and that's a problem solved for you. But sometimes they need to be connected. In that case, what you do is define really well what data needs to flow and how and connect it to a separate safe gateway that handles just that data flow and permits nothing else. Then you just keep the safe gateway up to date and because it handles only one task, it's not that likely to fail at it due to some random update.
    • by guruevi ( 827432 )

      The problem is, most of them DO need to be on the Internet, whether it's the software phoning home or checking out a license or instrumentation/monitoring, or remote tech support, the documentation is only online or it needs to transfer data to/from the device.

      A device that's not on the network is kind of useless these days and sneaker-netting things isn't much better because then people will find workarounds and lose unencrypted hard drives full of juicy personal data.

      I've found one system on my network wh

  • Mechanical systems that keep, for example, trains from running into one another by tripping their brakes into full on, are well-understood. I took a course on doing the same thing in mixed hardware-software systems, so it's eminently possible.

    The gotcha is you have to keep it really simple and run a validator like spin on its protocol.

    Most developers can do the spin part, but KISS? Distinctly less likely (;-))

    • Formal verification is the answer to a lot of these problems.
    • I can keep the design simple, whenever the hardware is an 8 bit microcontroller.

      32 bits is still safe, as long as I don't have any sort of memory controller and can stay away from the DMA.

      Give me Perl, and all hope is lost.

  • Minimalist firewall (Score:4, Interesting)

    by Pinky's Brain ( 1158667 ) on Thursday July 26, 2018 @08:58PM (#57016612)

    Implement a firewall with a small microcontroller with a relatively secure TCP/IP stack (ejip if you don't want to spend money, HCC embedded if you do) and do protocol level sanity checking and filtering of all network inputs.

  • We have all sorts of insecure devices. There's no need to focus on IoT, or computers or electronics at all.

    We have pickable locks, unbarred windows, windshield wipers, and high-speed cars separated by nothing but a strip of paint.

    There's no reason to update devices that were never designed to change. We've gone centuries with devices that were never designed to change. You can steal a hammer. Does that mean hammer manufacturers need to implement security patches and thumb scanners to ensure that no one

    • >There's no reason to update devices that were never designed to change

      Unless part of their functionality is to withstand attack from attackers whose knowledge is constantly growing. And pickable locks are the only thing on your list that qualifies. And as far as that goes...

      We have pickable locks because an unpickable lock is apparently impossible, at least while being remotely easy to use. And locks evolved a LOT before they reached their current state - which are secure enough to deter crimes of opp

    • Start enforcing laws. Start arresting criminals.

      This looks like a really good idea until you realize that the guy breaking into your IoT crapfest isn't Bubba from the bad side of town but Ali Ben Gali from Itsnogooditisbad in Somewhereistan.

      And even if you know that it was Ali, which by itself is unlikely, the police in Somewhereistan doesn't give a shit about your problem.

  • by Anonymous Coward on Thursday July 26, 2018 @09:50PM (#57016816)

    I use Slackware, along BSD, financially support projects that I use, and have followed the Linux community since Linus was still in college. It always amazes me how clueless the FOSS community is regarding issues such as this.

    Just use Linux...
    That's your fault for using M$..
    etc.

    For regulated systems, especially in pharma manufacturing, you are told what to use, how to use it, when to upgrade it, how to upgrade it, etc. Basically, once the system is certified by the FDA - you don't touch it - PERIOD. You purchase enough compute/control systems when you install it to last you through your production, which could be - 10, 15, 20+ years.

    There is no, well, just upgrade to x - it's not allowed.

    Before some equally clueless libertarian pinhead starts spouting off about 'over regulation' - stop and think for just one second what this system does. It controls the valves, temperatures, mixing, fermenting, refining, etc. of a chemical that people are to ingest. Where the difference between good and bad is measured in ppm, ppb, or even ppt depending on what's being made. Some endocrine chemicals are measured in 1/10ths or 1/100th of a ug!

    Do you really want to apply patches to a system such as this? Doesn't matter that they are 'network', or 'mouse driver', or 'display' - the risk is WAY TOO GREAT to jack around with them.

    Keep in mind that 'upgrades' require a new certification of that system, or depending on what it does, the entire production chain - which could run you a couple 10's of millions dollars.

    So, before starting the typical FOSS rant, please have a clue of what you are talking about, first.

    • by Gravis Zero ( 934156 ) on Thursday July 26, 2018 @10:52PM (#57017024)

      Before some equally clueless libertarian pinhead starts spouting off about 'over regulation' - stop and think for just one second what this system does. It controls the valves, temperatures, mixing, fermenting, refining, etc. of a chemical that people are to ingest. Where the difference between good and bad is measured in ppm, ppb, or even ppt depending on what's being made. Some endocrine chemicals are measured in 1/10ths or 1/100th of a ug!

      Sounds like a great argument for mandatory system isolation. Instead of networking directly to the system, the systems should be isolated and only provide a standard interface which a simple computer terminal could interface with. Something like TCP over serial using a variant of X11. When you minimize the attack surface to basic keyboard and mouse input validation then it becomes much easier to build a defensible system.

  • I have multiple clients with non-networked computers. The oldest is running Windows 2000 (a Win98 system was retired a couple years ago). Security is not an issue if you don't network it. If you need to transfer files off it, use a USB flash drive or HDD which is used only for that purpose (i.e. you don't use it to copy music you've downloaded via filesharing).

    If it must be networked, you can put it behind its own router. Rely on the router's firewall to protect it from outside intrusion (and of cour
  • and since i did a clean install of win7 on it more than a year ago it ever gets to connect to the internet, it does not even have the wifi password for the internet, but it does connect to the wifi a separate router that is LAN only, no internet on that router, it just runs some security cameras, so i can keep an eye on four different directions around the outside of my house, so if a hacker wanted to hack in to it they would have to be war driving right outside my house and nobody has done that
  • a device not connected to the network that just works is better than something doing untimely automatic updates.
  • realistically what are you going to do with high dollar customer made capital equipment that can't get a windows update? throw it out? no you keep using it until it breaks.
  • Windows 7 gets free security updates until some time in 2020, according to the linked article. The 2015 date is for desktop support. Plus the Windows 7 embedded manufacturers get 10 years of support after the end-of-lifetime for the OS (not sure when that was).

    • by SeaFox ( 739806 )

      Windows 7 gets free security updates until some time in 2020, according to the linked article. The 2015 date is for desktop support. Plus the Windows 7 embedded manufacturers get 10 years of support after the end-of-lifetime for the OS (not sure when that was).

      Operative word here being "manufacturers". The equipment buyers have no direct access to those updates, so if the manufacturer decides they don't want to release the updates to the user, say, because they would rather you buy new equipment every 3-5 years than use the same product for a decade, you won't see those patches.

  • by tlambert ( 566799 ) on Friday July 27, 2018 @12:46AM (#57017336)

    I was personally very upset when Motorola refused to provide me a software update for a device, designed for both long-term and short-term use!

    It was an SN74LS139N Motorola Dual Decoder 2-4 Line Plastic TTL chip.

    How dare they deny me software updates for this chip containing two inverters and four AND gates!

    I don't give a damn that they designed it for embedded use, I should be able to update the software running on it!

    Right?

  • by sad_ ( 7868 )

    1. buy only well supported or open devices
    2. (if you can't do that,) do not connect them to a network
    3. if you must connect them to a network, make it a private network, make sure it is properly set up, closing all ports by default
    4. if you can't have them on a private network and they must connect to your lan or worse, internet - hope for the best.

  • I have a perfectly good HP Scanner I bought years ago. Still works fine, but only on XP with the software and on Windows 7 using the Windows tools; HPs software doesn't work on Windows 7. I have a Virtual Machine running Windows XP just so I can keep using my perfectly good HP Scanner and my perfectly good Sony HandyCam which also only works on XP.

    [John]

  • I put the cans and bottles in, and take the receipt to the cashier. (Bottle return machines in this area still run Windows 98. Yes, I did say 98.) Except recently, the machines have been so unreliable that I've just been throwing the containers away and taking a hit on the deposit. I don't see it getting any better, because there's very little financial reason for stores to take bottles back.

    I'm told by someone who services them, that a lot of POS machines are still running Windows 98. Just exactly the

  • "I'm sorry. We no longer support that equipment. I'll be happy to connect you with sales to purchase a new model."

    Uh, yeah. It's a quarter million dollar piece of lab equipment that's 6 years old and you want us to just buy a new one in a time of tight grants.
