Linked by Thom Holwerda on Mon 15th May 2017 16:18 UTC
Windows

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else still on Windows XP without paying for extended support, or even worse, people who turn automatic updates off, who were affected by this attack?

I shed no tears for you. It's your own fault.

Car analogy
by Kancept on Mon 15th May 2017 16:40 UTC
Kancept
Member since:
2006-01-09

I have to disagree with the car analogy. When I buy a car, sure I do consider tires and such as things I have to get. But there are two key things here.

#1 Microsoft didn't make the tires or oil.

#2 I can get those parts from others. I don't have to go to Microsoft to get them.

Automotive manufacturers have to make sure their vehicle is safe after they make it, even years after they stopped support. If a mechanism fails, it is the manufacturer's responsibility to issue a recall on it. And no, they don't charge for it either.

So, while your car analogy is close, it doesn't fit this model. Or maybe it does, but you are addressing the wrong part of it. Microsoft should be making the patch available as a security and safety mechanism for all of its customers, just as car manufacturers do.


As an aside, I'm not a Windows user. MacOS, Fedora, and Haiku at home, thanks.

Edited 2017-05-15 16:41 UTC

Reply Score: 1

RE: Car analogy
by tidux on Mon 15th May 2017 16:54 UTC in reply to "Car analogy"
tidux Member since:
2011-08-13

You can do all that yourself with an out of support Linux distro, assuming you can find someone to audit the code and backport patches, but if you've got the source code to your Linux applications around (and really, you should), you can just rebuild for a newer release if it stops working.

Yes, this is a hugely different model of OS and application lifecycle and deployment than the IBM and Microsoft one, but it also works. It also has the advantage of not forcing super strict binary compatibility on the OS. If the ABI changes, rebuild and redeploy.

Reply Score: 3

RE[2]: Car analogy
by FlyingJester on Mon 15th May 2017 17:34 UTC in reply to "RE: Car analogy"
FlyingJester Member since:
2016-05-11

This can work, but just as often you will be left with some applications that randomly crash because you did not realize that some dependency existed, or because some newer version of a library is API compatible, but has different behaviour than before.

Just using a rolling release system is far better.

Gentoo is also an alternative that fits what you describe. And despite what people may think, it's easier to keep Gentoo working than to be updating and rebuilding all your software manually. Doing it manually, you will need to know everything it takes to make Gentoo work (and more), and you will find yourself in many weird situations that absolutely no one else has ever seen.

Reply Score: 2

RE[3]: Car analogy
by tidux on Mon 15th May 2017 18:04 UTC in reply to "RE[2]: Car analogy"
tidux Member since:
2011-08-13

For something like embedded devices, using Gentoo as a metadistribution is a better fit. Compile once, ship an image many times. ChromeOS does this.

Reply Score: 2

RE: Car analogy
by Kochise on Mon 15th May 2017 19:36 UTC in reply to "Car analogy"
Kochise Member since:
2006-03-03

When a car producer leaves security holes in their models, or uses tricks to pass pollution tests, it's not because the car isn't produced anymore that the car producer should be released from its obligations and put all responsibility on the user.

Sure, the user can be a bad driver and cause problems on their own. But if the security holes are the car producer's fault, it's its liability to provide fixes. And fixing software is not the same cost as fixing cars.

You get richer with software (Microsoft, Apple, Oracle) than cars (General Motors) for a reason. So claiming the users should upgrade at their expense because the software producer decided the architecture isn't worth it anymore, wadda wadda, these are lies.

With so many coders out there, with good coding practices available for years and for free, there's no excuse that some software is still coded with the foot. Remember the Y2K problem that cost users billions because of software producers' inability to provide secure and well-crafted software in the first place?

I'm not going to fall into this fallacy and feel at fault. Those companies get enough money for little evolution (IE6 anyone?) so stop believing in this mythology. You think software is a top-value product? Look how flawed it is, like it is released in a rush with only a little testing beforehand.

Aren't there enough white hats out there to work with/at Microsoft to test-bench the software with complete regression testing suites nicely handcrafted for years and decades? Obviously the NSA doesn't have a problem hiring black hats to find exploits. Amurica Freedumb!!1! So better than the rest of the world.

Thanks for the legacy exploits, thanks for ransoming users to upgrade their software to correct them.

Edited 2017-05-15 19:38 UTC

Reply Score: 4

RE: Car analogy
by nicubunu on Tue 16th May 2017 06:03 UTC in reply to "Car analogy"
nicubunu Member since:
2014-01-08

There would be also the part when after a tire change your car would suddenly start spying on you.

Reply Score: 6

Still...
by raboof on Mon 15th May 2017 16:43 UTC
raboof
Member since:
2005-07-24

I agree. I do feel sorry for all those UK citizens who may not have received the appropriate healthcare in time because their hospital messed up their IT.

Also, while this time it was an exploit for an ancient OS, it's a good opportunity to take a step back and consider: next time it could be a 0-day. Next time it could be you. Next time your data - and your employers' data? - could be stolen/exposed as well as encrypted.

Are you prepared?

Reply Score: 4

Which version?
by CruelAngel on Mon 15th May 2017 16:48 UTC
CruelAngel
Member since:
2011-08-03

While I personally don't use Windows (I'm a Linux guy), can I get a confirmation that only Windows 7 and older versions of Windows were affected by this vulnerability? (So Windows 8 and 10 are not.)
I'm asking because I'm the supposed "techguy" in the eyes of my family members, so they are pestering me if they are safe.

Reply Score: 1

RE: Which version?
by tidux on Mon 15th May 2017 17:13 UTC in reply to "Which version?"
tidux Member since:
2011-08-13

Windows 10 isn't safe ever, thanks to Microsoft's inane spying bullshit, but if fully patched it's not vulnerable to WannaCrypt.

Reply Score: 1

RE: Which version?
by codejockey on Mon 15th May 2017 17:45 UTC in reply to "Which version?"
codejockey Member since:
2010-12-31

This article identifies which unsupported OS versions did not have a patch available:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidanc...

Windows Vista was still receiving updates in March (when the patch was issued), but is now unsupported.

Windows 8 is unsupported, but Windows 7, Windows 8.1, and Windows 10 are still receiving updates.

Edited 2017-05-15 17:52 UTC

Reply Score: 1

Comment by FlyingJester
by FlyingJester on Mon 15th May 2017 17:17 UTC
FlyingJester
Member since:
2016-05-11

I do understand that some embedded systems are basically not viable for upgrade.

The irresponsible part, to me, is putting such a system on a network, or allowing data to pass into such a system from a possibly insecure source. Better yet if data can only move out from such a system, since that eliminates the biggest attack vector.

Reply Score: 6

RE: Comment by FlyingJester
by Alfman on Mon 15th May 2017 18:09 UTC in reply to "Comment by FlyingJester"
Alfman Member since:
2011-01-28

FlyingJester,

I do understand that some embedded systems are basically not viable for upgrade.

The irresponsible part, to me, is putting such a system on a network, or allowing data to pass into such a system from a possibly insecure source. Better yet if data can only move out from such a system, since that eliminates the biggest attack vector.


Yes, it also strikes me as odd that the networks themselves were not better isolated. I guess some employees inadvertently installed the malware inside the network perimeter of critical systems; however, for that to be possible it seems there wasn't enough isolation. Critical systems should not have any connectivity to the internet at all, incoming or outgoing, through which internet-based malware could infest the inner network. They should also be physically secured.

Internet-facing servers should be kept outside the perimeter in a DMZ. Employee computers should probably have their own networks as well. They could install honeypots/trip wires to detect any unauthorized activity.

Edited 2017-05-15 18:23 UTC

Reply Score: 4

RE[2]: Comment by FlyingJester
by grandmasterphp on Mon 15th May 2017 20:54 UTC in reply to "RE: Comment by FlyingJester"
grandmasterphp Member since:
2017-05-15

80% of the systems were okay. Which means 80% are probably doing it right.

Reply Score: 1

RE[2]: Comment by FlyingJester
by Lennie on Tue 16th May 2017 15:59 UTC in reply to "RE: Comment by FlyingJester"
Lennie Member since:
2007-09-22

Actually, Microsoft is making it harder and harder to run their operating system(s) without an Internet connection (even just Windows connecting to the Internet).

Reply Score: 2

RE[3]: Comment by FlyingJester
by Alfman on Tue 16th May 2017 16:50 UTC in reply to "RE[2]: Comment by FlyingJester"
Alfman Member since:
2011-01-28

Lennie,

Actually, Microsoft is making it harder and harder to run their operating system(s) without an Internet connection (even just Windows connecting to the Internet).



Yeah, they're especially pushing it on home/pro users, and it's probably going to get worse. But I would strongly hope that the specifications for hospital computers would ban "the cloud" because the internet going down is a predictable failure mode. Can you imagine a disaster like 9/11, when telecoms were disrupted, and then a hospital having to deal with an IT issue at the same time? That's not really acceptable.

Reply Score: 2

RE[4]: Comment by FlyingJester
by Lennie on Tue 16th May 2017 17:11 UTC in reply to "RE[3]: Comment by FlyingJester"
Lennie Member since:
2007-09-22

Cloud services are a good example.

The experiences I had were with Windows servers.

Some of the Microsoft software is built in .NET and uses code signing, and Windows checks the certificates. To check the certificates on that code it needs an up-to-date Certificate Authorities list or Internet connectivity (it does automatic downloading). Sometimes... CA-list updates are actually not included in the Windows updates (without an Internet connection, you need an update server as well, of course).

So what do you get? If a server for example reboots, the server software won't start because the CA list is too old and it can't automatically download an update.

In theory it should never happen, but it has already happened several times.

Reply Score: 3

RE[5]: Comment by FlyingJester
by Alfman on Tue 16th May 2017 17:44 UTC in reply to "RE[4]: Comment by FlyingJester"
Alfman Member since:
2011-01-28

Lennie,

Some of the Microsoft software is built in .NET and uses code signing, and Windows checks the certificates. To check the certificates on that code it needs an up-to-date Certificate Authorities list or Internet connectivity (it does automatic downloading). Sometimes... CA-list updates are actually not included in the Windows updates (without an Internet connection, you need an update server as well, of course).

So what do you get? If a server for example reboots, the server software won't start because the CA list is too old and it can't automatically download an update.

In theory it should never happen, but it has already happened several times.


That's an interesting point; there are unexpected failure modes everywhere and it's easy to overlook those things when everything is working.

Sometimes we sign SSL certificates with arbitrary expiration dates in the future that we'll very likely forget about (it will probably be someone else's problem).

Several weeks ago an offsite computer wasn't responding; apparently it didn't power on automatically as it always had before. It's a few hundred miles away and I haven't gotten a chance to diagnose it yet, but I am thinking it may be the CMOS battery, which not many of us give much thought to.

Like many administrators, I rely on 3rd party DNS black listing for spam classification, but those could fail or get compromised, causing widespread denial of service.

All these what-ifs are why certification is so important and so expensive in critical systems.

Edit:
I just remembered about OpenVPN's use of SSL certificates... off to check whether it ignores the dates or if that's a potential failure mode in the future!

Oh crap, it is a failure mode, and OpenVPN's official stance is they won't give users an option to ignore time even on servers where there may not be a reliable time source.
https://community.openvpn.net/openvpn/ticket/199

Time validation is correct by default, but it introduces a new failure mode in routers that don't have a clock source... the VPN will work fine until there's an NTP failure.

Edited 2017-05-16 17:56 UTC

Reply Score: 2

RE[6]: Comment by FlyingJester
by Lennie on Tue 16th May 2017 18:11 UTC in reply to "RE[5]: Comment by FlyingJester"
Lennie Member since:
2007-09-22

VPNs can be 'fun', because if you have a long-running VPN which routes more than just a few subnets over it, you might end up breaking DNS (which might be needed for reconnecting the VPN on timeout) or NTP updates because they are also routed over the VPN.

Many embedded devices don't have any time at all.

DNSSEC on embedded devices is a real problem, if you want to use DNSSEC you need NTP, but NTP relies on DNS... oops catch 22. ;-)

Reply Score: 2

RE[7]: Comment by FlyingJester
by Alfman on Tue 16th May 2017 19:15 UTC in reply to "RE[6]: Comment by FlyingJester"
Alfman Member since:
2011-01-28

Lennie,

VPNs can be 'fun', because if you have a long-running VPN which routes more than just a few subnets over it, you might end up breaking DNS (which might be needed for reconnecting the VPN on timeout) or NTP updates because they are also routed over the VPN.

Many embedded devices don't have any time at all.


I know, this is why I brought it up. It creates a failure condition at some point in the future that is likely overlooked during testing. I'm less familiar with IPsec; do you know if those are designed to stop working based on the date?

DNSSEC on embedded devices is a real problem, if you want to use DNSSEC you need NTP, but NTP relies on DNS... oops catch 22. ;-)



That's an interesting problem.

https://www.ietf.org/mail-archive/web/dnsop/current/msg19955.html

I don't think we can assume the accuracy of time on endpoints. This bootstrap would be solvable if the client were allowed to use a challenge/response protocol. Although that would come at some expense for both scalability and robustness during bootstrapping. Obviously proof of time is not going to be possible over an air gap ;)

And then you still have the issues with certificate revocation that are not really specific to DNSSEC: If you know the time, you can validate a CRL, but if you don't know the time, you have no idea if the CRL you are given is current.
https://en.wikipedia.org/wiki/Certificate_revocation_list

Reply Score: 2
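Lennie's stale CA list, the OpenVPN time-validation note and the CRL point above are all the same failure: validation that depends on a clock the device may not have. The Python below is an added example, not code from this thread, from OpenVPN or from Windows; the certificate, CRL, trust store and firmware build time are constructed, and the clock-plausibility floor is a hypothetical mitigation, not something those products implement.

```python
"""Time-dependent certificate validation on a device with an unreliable clock.

Constructed scenario (no real certificate, CRL or device is modelled):
a router without an RTC boots at the Unix epoch, and NTP may or may not
have corrected the clock before the VPN tries to validate its peer.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Hypothetical values baked into the firmware image at build time.
FIRMWARE_BUILD_TIME = utc(2017, 3, 14)
# What an RTC-less device reports right after boot, before NTP succeeds.
EPOCH = utc(1970, 1, 1)


class Verdict(Enum):
    OK = "ok"
    NOT_YET_VALID = "certificate not yet valid"
    EXPIRED = "certificate expired"
    UNKNOWN_ISSUER = "issuer not in trust store"
    CRL_STALE = "CRL is past its nextUpdate"
    REVOKED = "certificate revoked"
    CLOCK_UNTRUSTED = "system clock is earlier than the firmware build time"


@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


def naive_check(cert, now, trust_store, crl=None):
    """Validation the way most stacks do it: 'now' is taken at face value.
    With an unset clock this reports a *certificate* problem, which sends
    the operator looking at the wrong thing."""
    if cert.issuer not in trust_store:          # Lennie's stale CA list
        return Verdict.UNKNOWN_ISSUER
    if now < cert.not_before:
        return Verdict.NOT_YET_VALID
    if now > cert.not_after:
        return Verdict.EXPIRED
    if crl is not None:
        if now > crl.next_update:               # only judgeable if 'now' is right
            return Verdict.CRL_STALE
        if cert.serial in crl.revoked_serials:
            return Verdict.REVOKED
    return Verdict.OK


def clock_is_plausible(now, build_time=FIRMWARE_BUILD_TIME):
    """Hypothetical floor: nothing can validly happen before the firmware
    was built, so any 'now' earlier than that is an unset clock."""
    return now >= build_time


def clock_aware_check(cert, now, trust_store, crl=None,
                      build_time=FIRMWARE_BUILD_TIME):
    """Same checks, but an implausible clock is its own, distinct failure
    instead of being misreported as NOT_YET_VALID or a CRL verdict."""
    if not clock_is_plausible(now, build_time):
        return Verdict.CLOCK_UNTRUSTED
    return naive_check(cert, now, trust_store, crl)


# Constructed scenario: internal root CA, VPN server cert valid for 2 years,
# a CRL that is fresh in May 2017, and a different serial that is revoked.
ROOT = "Example Internal Root CA"
SERVER_CERT = Cert(serial=1001, issuer=ROOT,
                   not_before=utc(2017, 4, 1), not_after=utc(2019, 4, 1))
MAY_CRL = Crl(issuer=ROOT, this_update=utc(2017, 5, 1),
              next_update=utc(2017, 6, 1), revoked_serials=frozenset({1002}))


def scenario(trust_store=frozenset({ROOT})):
    """Verdicts an operator would see under each condition discussed above."""
    ntp_ok = utc(2017, 5, 16)   # NTP succeeded; the clock is right
    return {
        "ntp_ok": naive_check(SERVER_CERT, ntp_ok, trust_store, MAY_CRL),
        # NTP failed after a reboot: the naive stack blames the certificate
        "ntp_failed_naive": naive_check(SERVER_CERT, EPOCH, trust_store, MAY_CRL),
        "ntp_failed_aware": clock_aware_check(SERVER_CERT, EPOCH, trust_store, MAY_CRL),
        # CA list never updated offline: the issuer is simply unknown
        "stale_ca_list": naive_check(SERVER_CERT, ntp_ok, frozenset(), MAY_CRL),
        # months later with only the cached CRL: cannot judge revocation
        "old_crl_cached": naive_check(SERVER_CERT, utc(2017, 9, 1), trust_store, MAY_CRL),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:18} -> {verdict.value}")
```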

Internet Disconnection
by dark2 on Mon 15th May 2017 17:19 UTC
dark2
Member since:
2014-12-30

DOS is still used in production in lots of places. The 3rd option no one is talking about is disconnecting these machines from the internet and plugging the networking and USB ports with glue (or setting them up on their own network where they can't talk to the internet or the main network).

You can also mention maintenance costs as much as you want, but how many of these software companies do you think are still around? Probably 0, and that's why they can't get updated software for newer versions of Windows. They would need an entirely different solution and possibly to replace entire infrastructure. I've certainly seen old software where no replacement exists and the company behind it is long gone.

Edited 2017-05-15 17:30 UTC

Reply Score: 2

RE: Internet Disconnection
by weckart on Mon 15th May 2017 17:46 UTC in reply to "Internet Disconnection"
weckart Member since:
2006-01-11

Obsolescence also hits equipment hospitals rely on. Companies go bust because they cannot sell enough of a niche product to keep afloat. No driver updates means that updating the OS effectively trashes perfectly serviceable equipment.

Reply Score: 2

RE: Internet Disconnection
by Bill Shooter of Bul on Mon 15th May 2017 19:57 UTC in reply to "Internet Disconnection"
Bill Shooter of Bul Member since:
2006-07-14

Yup. Had an inventory system written in a proprietary scripting language by a company that went belly up 20 years ago. We got estimates in the low 2 million range for a replacement, which wasn't affordable for a company losing 5 million a month. So we kept the obsolete one. Which, luckily enough, didn't have networking as an option: air-gapped by history.

Reply Score: 2

Responsibility
by Alfman on Mon 15th May 2017 17:41 UTC
Alfman
Member since:
2011-01-28

Thom Holwerda,

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.


There's no denying this was very bad for the hospitals and patients affected, but I don't think we have the whole picture here. Many of them may be stuck between a bureaucratic rock and a hard place. Their system administrators can't just update systems willy-nilly like another business or home user could. These systems may require certifications, and modifications would likely void those certifications.

For its part, Microsoft does not guarantee the suitability of Windows or updates for any purpose; things can and sometimes do break. The vendors who certify machines can't realistically certify a Windows system with Windows updates; it would be prohibitively expensive to re-certify millions of computers every patch Tuesday when they get updates. Clearly some solution is needed, I'm not sure what it would look like. I'd like to hear the perspective of someone who's dealt with these kinds of issues.

However, none of this would likely have mattered in this particular case because they were zero-day exploits anyway. The NSA is directly to blame for them and the software engineers are to blame for the poor quality of software in the first place. I'm surprised you aren't blaming them (and us) more. Whoever creates these exploits, be it indie hackers or government agencies, these zero-days are a widespread problem. Updates, while important, are inherently a reactive solution. The only way to fix this once and for all is to take a proactive stance and demand safer code from project managers, software engineers, and even computer languages.


There are armies of C coders who will complain that vulnerabilities are the fault of bad programmers and not computer languages, but we can't ignore the fact that unsafe language semantics have been enabling human mistakes for 40+ years. No language can fully save us from our high-level programming mistakes; however, they can protect us from many low-level mistakes that continue to plague us. If we don't have a plan to replace unsafe languages, or at least limit them to areas that can be fully audited and contained, then our software will still continue to be insecure 40+ years from now.

Edited 2017-05-15 17:46 UTC

Reply Score: 5

RE: Responsibility
by flav2000 on Mon 15th May 2017 19:42 UTC in reply to "Responsibility"
flav2000 Member since:
2006-02-08

Thanks for pointing that out.
Hospitals are stuck between a rock and a hard place in particular.

Many diagnostic machines like X-rays, MRI etc. are quite expensive and cannot be upgraded easily. Upgrading means certifying the device from top to bottom, and no manufacturer is going to do that. To make things worse, all the push to make data readily shareable and digitally available means that all these insecure devices are now part of the network. If there is a dollar available, that money will inevitably end up on new features rather than securing systems.

The same happens in manufacturing plants. That's why big names like Nissan and Hitachi got hit. Many old-style PLCs and robotics don't have support for newer OSes (many are even still stuck on Win2k!). Shutting down a working factory for security upgrades is a non-starter both in terms of cost and potential issues (it is working fine right at this moment, but you may break it by updating). A lot of these are exposed to the network because of the need to automate monitoring and what not. Again, features over security.

Consumer-wise I would say yes they're to blame - there are however many places in the world where using the latest patches is just not possible under the current schema. Hopefully there will be push to change things for the better but it's not a situation that is easily fixable.

Reply Score: 4

RE[2]: Responsibility
by dionicio on Tue 16th May 2017 21:03 UTC in reply to "RE: Responsibility"
dionicio Member since:
2006-07-12

Got some photo shots of the tremendously successful Rosetta mission. Some instruments showing XP welcome screens. Discipline, something you can't ask of anyone.

System engineers should always consider that one, a rare asset.

Are you sure you can't run Windows 10 out of the swamp? As far as noted, passing networked activation, up to you.

Edited 2017-05-16 21:07 UTC

Reply Score: 2

RE: Responsibility
by mistersoft on Tue 16th May 2017 10:29 UTC in reply to "Responsibility"
mistersoft Member since:
2011-01-05

Really?

I'm surprised, Alfman - sure, if computers are being "certified" for running e.g. medical imaging equipment - with Windows Update turned off - then SURELY they should not be networked!?

Have a sandboxed secondary drive that is write-only, used for exporting the data from the primary drive.
Have a strict SOP that the IT guys supply the UUID number for the drive (and a little utility for the untrained to enter this - that mounts it write-only at a specific mount point and refuses to mount elsewhere, or with other privileges - system wide).

Then physically move it to a 2nd computer terminal beside it that is networked; do this once or even twice a day with a fresh external USB drive each time. 1TB 2.5" drives are only $50 each now - which is relatively negligible vs. the cost of imaging 6 - 12 patients on MRI/PET scanners.

Would this not be a safe-ish workaround, if you need to keep to the certification model?

Reply Score: 2

RE[2]: Responsibility
by Alfman on Tue 16th May 2017 14:01 UTC in reply to "RE: Responsibility"
Alfman Member since:
2011-01-28

mistersoft,

Really?

I'm surprised, Alfman - sure, if computers are being "certified" for running e.g. medical imaging equipment - with Windows Update turned off - then SURELY they should not be networked!?


I'm confused what you are responding to; however, I agree these computers need to be cut off from the outside world. A lot of equipment still needs to be "networked" internally though, in order to provide patient care.

Have a sandboxed secondary drive that is write-only, used for exporting the data from the primary drive.
Have a strict SOP that the IT guys supply the UUID number for the drive (and a little utility for the untrained to enter this - that mounts it write-only at a specific mount point and refuses to mount elsewhere, or with other privileges - system wide).

Then physically move it to a 2nd computer terminal beside it that is networked; do this once or even twice a day with a fresh external USB drive each time. 1TB 2.5" drives are only $50 each now - which is relatively negligible vs. the cost of imaging 6 - 12 patients on MRI/PET scanners.

Would this not be a safe-ish workaround, if you need to keep to the certification model?


There are a lot of possible solutions, but ideally it shouldn't get in the way of real-time data. I read somewhere that eBay or Amazon (can't remember which, I wish I could find the article again) deliberately processed credit card payments through a very basic serial protocol to mitigate the risk of network and OS attack vectors. Even if the OS had known vulnerabilities, it would be extremely difficult to exploit them through a basic serial protocol.

Reply Score: 2

RE[3]: Responsibility
by dionicio on Tue 16th May 2017 21:14 UTC in reply to "RE[2]: Responsibility"
dionicio Member since:
2006-07-12

Security On Legacy. Ha ha, good idea. Not Worth the trouble and expenses, to most.

Reply Score: 2

RE[3]: Responsibility
by mistersoft on Sat 20th May 2017 13:38 UTC in reply to "RE[2]: Responsibility"
mistersoft Member since:
2011-01-05

Good point.
Re the serial connection

Reply Score: 2

You don't understand the problem
by grandmasterphp on Mon 15th May 2017 17:51 UTC
grandmasterphp
Member since:
2017-05-15

While those that have been running these older OSes at home should have upgraded, hospitals simply can't just upgrade.

I used to work for a software supplier to the NHS.

The NHS has no money to update these systems to newer versions of Windows. In some other cases it simply can't, for a multitude of reasons that I will discuss below.

Also, before you blame it on the current government in the UK, this problem has been over a decade in the making.

You cannot simply upgrade the OS either on Workstation or Server. Even intranet applications may only work correctly in IE or IE in compatibility mode.

There are thousands of bespoke applications that simply either do not have any vendor support, or cannot be upgraded easily. The businesses may have closed shop, but the software is normally tied to how the hospital works, or how it deals with referrals (if it is private) from the NHS.

Sometimes this isn't just a matter of the OS; it is a matter of the hardware interfaces. There is hardware that needs to work over legacy ports that don't exist on newer equipment needed to run Windows 7 and above. They aren't going to throw away a piece of equipment that costs hundreds of thousands of pounds.

Re-training medical staff to use said systems is costly. Changing the OS will require retraining. I don't just mean retraining in how to use the newer version of Windows or an updated application. There may be new procedures put in place that are offline.

The machines shouldn't have been exposed to the internet, true. However, in some cases they have to be because of the access to health / NHS Direct that the former Labour government forced through without much thought.

Most of the vendors of these applications may have since ceased trading because the investment from the previous Labour government simply doesn't exist anymore since the current Conservative government cut spending drastically.

But your unrealistic expectation that IT departments are too lazy to upgrade shows how little you know the challenges of even getting a minor update into a production environment such as a hospital.

Unfortunately it takes an event like this until management and government will invest in IT. It is rarely the fault of the IT staff on the ground.

Edited 2017-05-15 17:58 UTC

Reply Score: 12

Alfman Member since:
2011-01-28

grandmasterphp,

But your unrealistic expectation that IT departments are too lazy to upgrade shows how little you know the challenges of even getting a minor update into a production environment such as a hospital.

Unfortunately it takes an event like this until management and government will invest in IT. It is rarely the fault of the IT staff on the ground.


I know what you mean; it's not uncommon in corporate scenarios to have to wait on all the suppliers before upgrading, and the fact of the matter is Microsoft is just one of many suppliers (not necessarily even the most important one at that). All these pieces have to work together... sometimes this requires contracts, a new scope of work, training, testing, scheduled downtime, etc. It's not always as simple as an outsider makes it out to be, like updates on their home computer.


Also, welcome to osnews!

Reply Score: 2

Thom_Holwerda Member since:
2005-06-29

The NHS has no money to update these systems to newer versions of Windows.


You are kneejerking without reading the actual article. I didn't blame the NHS (or its hospitals and workers), but the government that funds it.

Is it really Microsoft's fault if the British government underfunds its healthcare service?

But your unrealistic expectation that IT departments are too lazy to upgrade shows how little you know the challenges of even getting a minor update into a production environment such as a hospital.


Again - I don't think you actually read the article, but just immediately got defensive. I did not say anyone was lazy - just that yes, if you choose not to fund your IT department adequately, then yes, YOU are to blame for an inadequately funded IT department, and the resulting consequences. In the case of companies, that's the manager allocating funds - and in the case of the NHS, it's the government.

Reply Score: 2

grandmasterphp Member since:
2017-05-15

You are kneejerking without reading the actual article.


No I am not.

I didn't blame the NHS (or its hospitals and workers), but the government that funds it.


I know you aren't. The situation was created by the previous Government by the access to health program that was poorly implemented. Lots of IT investment, no real plan.

I used to work in this environment, as a 2nd/3rd tier support tech back in 2007-2009, supporting one of these applications.

What I think you are doing is massively over simplifying the situation. The NHS is split into Trusts, these all work differently and get funded differently based on size and lots of other factors. Then referrals can be transferred to private clinics / hospitals etc.

These all have bespoke systems; you can't just upgrade stuff. It has to go through a proper change management process and this can take years.

Even things like printers having the margins a bit wrong in the Windows settings can be a problem when printing patient notes to hang on the end of the bed (I forget the proper term now).

Is it really Microsoft's fault if the British government underfunds its healthcare service?


No. I never said it was. I think the problem exists because the previous Labour government didn't have any proper plan for IT and just stuck money into it.

Again - I don't think you actually read the article, but just immediately got defensive.


I wasn't being defensive. That wasn't my intention. I just don't think you understand that it is really nobody's fault. I've worked in one of these IT suppliers and everyone was stressed out, torn between support / development and deployment.

I did not say anyone was lazy - just that yes, if you choose not to fund your IT department adequately, then yes, YOU are to blame for an inadequately funded IT department, and the resulting consequences. In the case of companies, that's the manager allocating funds - and in the case of the NHS, it's the government.


It's not a problem that can just be solved by chucking money at it.

I don't think you really understood what I was getting at. You are massively over simplifying the situation. The reason why these systems aren't updated as often is due to a multitude of reasons. Some of these I highlighted in my original post. Sometimes there is no way to update them.

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

Throwing money at the problem definitely would help. I'm certain there are several IT solution providers in the US that would love to work on solving the issues. Not cheaply, though.

The custom medical equipment does have a new version that is supported by Windows. They always do. It's just a question of whether or not the upgrade is in the budget.


I do kind of wish it had hit the US a little just so we could see which hospitals are keeping up and which are not. In reality there should be stress tests of hospital IT outages, aside from the ones that the hospital IT already causes on a semi-regular basis.

Reply Score: 2

daedalus Member since:
2011-01-14

Not necessarily. The companies that supply custom equipment like this also have long development cycles due to certification by the relevant bodies that means they plan for, say, a ten year cycle, and the machine doesn't change in that time. I worked for a company making such equipment, and our brand spanking new system was shipping with Vista in 2012, purely because development started in 2006 and Vista was seen as the future. Switching to Windows 7 would have delayed the product to market by a year or two - something the company simply wouldn't accept. So even shelling out €200,000 to replace the three machines you might find in a typical hospital lab wouldn't have gotten you an up-to-date OS.

I believe those machines have since been updated to 7 - right about the time 10 came out.

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

I kind of doubt you didn't have any competitors that had more up to date software.

Reply Score: 2

dionicio Member since:
2006-07-12

Hospitals, Schools, should be built with caducity integrated, up to manpower. New ones always cheaper on maintenance.

Those wanting to extend the age of retirement - well, they'll need to 'update' :-) Maybe some will prefer a career change. [recommending organic gardening]. Or go through PAID nursery school again. So easy for the true lovers of that discipline.

Just Trying to take the light side. Code wise, wasn't so grave, if well extended.

[Rosetta Mission Teams were 'reassigned' afterwards, just as an example].

My point here is that the ETERNALLY TRANSMUTING INSTITUTION ends being the ETERNALLY LOW PERFORMANCE ONE.

Reply Score: 2

dionicio Member since:
2006-07-12

[Even Microsoft Get This -LOW PERFORMANCE- issue. On Going back to the Home Button]. On a now general policy of STABILIZING. Who could have bet on a Linux console?

Reply Score: 2

dionicio Member since:
2006-07-12

Hey! Teacher's Board: Needing a Generation XII. Still one available? Or, Are We the last? ;-)

Reply Score: 2

dionicio Member since:
2006-07-12

The Eternally Transmuting is a Valid Pattern of Life, but an extremely expensive one. And That is Main Issue, right now and decades into the future.

Reply Score: 2

Chrispynutt Member since:
2012-03-14

As much as I dislike the current government, there was a deal in place for extended XP support. However the trusts didn't take it up: http://www.theregister.co.uk/2017/05/16/wannacrypt_microsoft_blame_...

Now that's if you believe El Reg.

Also I agree with the analysis of our current gov's approach to destroying the NHS.

Reply Score: 2

Windows back door proven
by cmost on Mon 15th May 2017 18:15 UTC
cmost
Member since:
2006-07-16

The fact that Microsoft had a patch so quickly, and even for Windows XP just proves what I have alleged for years that a back door exists in Windows to allow the NSA to peruse user data at its will.

Glad I switched all of my systems to Linux back in 2002.

Reply Score: 4

RE: Windows back door proven
by Thom_Holwerda on Mon 15th May 2017 18:38 UTC in reply to "Windows back door proven"
Thom_Holwerda Member since:
2005-06-29

The fact that Microsoft had a patch so quickly, and even for Windows XP just proves what I have alleged for years that a back door exists in Windows to allow the NSA to peruse user data at its will.

Glad I switched all of my systems to Linux back in 2002.


This is uninformed BS - fake news, if you will.

The patch was so readily available because customers who pay for a support contract are still getting XP patches. You just don't get these patches for free.

Please, this isn't rocket science.

Reply Score: 2

RE: Windows back door proven
by grandmasterphp on Mon 15th May 2017 20:56 UTC in reply to "Windows back door proven"
grandmasterphp Member since:
2017-05-15

I think it is more likely that Microsoft could patch the vulnerability on all platforms quite easily.

Reply Score: 2

RE: Windows back door proven
by Parry on Tue 16th May 2017 11:31 UTC in reply to "Windows back door proven"
Parry Member since:
2014-06-03

https://twitter.com/Partisangirl/status/863995226943246336

There's a lot of conspiracy theories going around, but IMO they're all BS. The reality is so much simpler.

Reply Score: 1

Comment by ssokolow
by ssokolow on Mon 15th May 2017 18:25 UTC
ssokolow
Member since:
2010-01-21

I see this article and raise you "This is why Windows users don't install updates"

http://goodbyemicrosoft.net/news.php?item.810.3

(Seriously, though, as the other commenters have pointed out in detail, this is a gross oversimplification.)

Reply Score: 4

RE: Comment by ssokolow
by loic on Mon 15th May 2017 18:49 UTC in reply to "Comment by ssokolow"
loic Member since:
2012-09-23

I would not ever boot a Windows XP system on any network-enabled machine. About any reasonably recent laptop (< 8 years old) can launch it in a VirtualBox virtual machine, with no networking adapter enabled. It does not even need much RAM; XP is known to run well on 512 MB.
For non-techies, of course it could make sense, but I cannot see how any user with a dual boot would not know this.

Reply Score: 2

RE[2]: Comment by ssokolow
by ssokolow on Mon 15th May 2017 21:36 UTC in reply to "RE: Comment by ssokolow"
ssokolow Member since:
2010-01-21

Hey, I'm not saying I agree with that reckless behaviour... just that it's not necessarily that simple for people who are determined to be that reckless.

My Windows 3.11/98 and XP retro-gaming machines sit alone on their own leg of my router where the only traffic allowed to cross the boundary is connections initiated by the retro PCs which are either local DNS and DHCP (to daemons running on the router itself) or NTP and SSH (to my main workstation, with the SSH being limited to a chrooted SFTP-only account which I use for quickly moving files back and forth).

I find it a nice way to balance security with the convenience of having networked file transfer, NTP time sync, and automatic network setup. (I even dug up DOS NTP and SFTP clients.)

Heck, the DNS allow rule is just a convenience that I should probably drop, since I've pinned the IP address of the workstation that provides the NTP and SFTP servers.

Edited 2017-05-15 21:37 UTC

Reply Score: 2
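The segmentation ssokolow describes (only flows initiated by the retro PCs may cross the boundary, and only to DNS/DHCP on the router or NTP/SSH on the workstation) is essentially a stateful egress allow-list. The following is an added example modelling that policy; it is not code from the post or from any real firewall. The addresses, the /24 prefix and the placement of the services are constructed assumptions. The constructed traffic sample at the end shows the property that matters for WannaCry-style worms: an unsolicited inbound tcp/445 connection attempt towards the legacy leg is dropped, because no retro PC opened that flow, and a compromised retro PC could not reach SMB on the rest of the LAN either.

```python
"""Stateful egress allow-list for an isolated legacy-PC network leg.

Added example modelling the segmentation described in the post above; it is
not code from the original post. Addresses, the /24 prefix and the position
of the DNS/DHCP/NTP/SSH services are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

RETRO_PREFIX = "192.168.50."   # constructed: the retro PCs' own leg
ROUTER = "192.168.50.1"        # constructed: router interface on that leg (runs DNS + DHCP)
WORKSTATION = "192.168.1.10"   # constructed: main workstation (runs NTP + SFTP-only SSH)

# The only (destination, protocol, port) tuples a retro PC may *initiate*.
# Everything else crossing the boundary, in either direction, is dropped.
EGRESS_ALLOW: Set[Tuple[str, str, int]] = {
    (ROUTER, "udp", 53),        # local DNS on the router
    (ROUTER, "udp", 67),        # DHCP to the router's own daemon
    (WORKSTATION, "udp", 123),  # NTP time sync
    (WORKSTATION, "tcp", 22),   # SSH, used only for the chrooted SFTP account
}

FlowKey = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class RetroLegFilter:
    """Connection-tracking filter at the boundary of the retro leg.

    A new flow is accepted only when a retro PC opens it to an allow-listed
    service; traffic *into* the leg is accepted only as the reply half of such
    a flow. Unsolicited inbound connections never reach the retro PCs.
    """

    def __init__(self) -> None:
        self.conntrack: Set[FlowKey] = set()

    @staticmethod
    def _in_leg(addr: str) -> bool:
        # The router's own interface is the enforcement point, not a retro host.
        return addr.startswith(RETRO_PREFIX) and addr != ROUTER

    def decide(self, p: Packet) -> str:
        forward: FlowKey = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse: FlowKey = (p.proto, p.dst, p.dport, p.src, p.sport)

        if self._in_leg(p.src) and not self._in_leg(p.dst):
            # Outbound from a retro PC: an existing flow, or a permitted new one.
            if forward in self.conntrack:
                return "ACCEPT"
            if (p.dst, p.proto, p.dport) in EGRESS_ALLOW:
                self.conntrack.add(forward)
                return "ACCEPT"
            return "DROP"

        if self._in_leg(p.dst) and not self._in_leg(p.src):
            # Inbound towards a retro PC: only replies to flows it opened itself.
            return "ACCEPT" if reverse in self.conntrack else "DROP"

        # Traffic that stays on one side of the boundary is not filtered here.
        return "ACCEPT"


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed traffic sample; returns (label, verdict) pairs in order."""
    fw = RetroLegFilter()
    retro = "192.168.50.20"     # constructed: one retro gaming PC
    sample = [
        ("dns query to router", Packet("udp", retro, 40000, ROUTER, 53)),
        ("dns reply from router", Packet("udp", ROUTER, 53, retro, 40000)),
        ("sftp over ssh to workstation", Packet("tcp", retro, 50000, WORKSTATION, 22)),
        ("ssh reply to retro pc", Packet("tcp", WORKSTATION, 22, retro, 50000)),
        ("smb from retro pc to workstation", Packet("tcp", retro, 50001, WORKSTATION, 445)),
        ("smb from lan to retro pc", Packet("tcp", WORKSTATION, 50002, retro, 445)),
        ("http to internet", Packet("tcp", retro, 50003, "203.0.113.7", 80)),
        ("unsolicited ssh reply", Packet("tcp", WORKSTATION, 22, retro, 50009)),
    ]
    return [(label, fw.decide(pkt)) for label, pkt in sample]


if __name__ == "__main__":
    for label, verdict in run_scenario():
        print(f"{verdict:6s} {label}")
```

The model deliberately tracks flows by full 5-tuple rather than by host, so a reply is only let in for the exact connection the retro PC opened; that is the same reason the post's DNS allow rule could be dropped once the workstation address is pinned, since the only thing it still buys is convenience.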

RE[3]: Comment by ssokolow
by dionicio on Tue 16th May 2017 22:06 UTC in reply to "RE[2]: Comment by ssokolow"
dionicio Member since:
2006-07-12

Jesus Christ! ssokolow :-)

Reply Score: 2

RE: Comment by ssokolow
by Bill Shooter of Bul on Tue 16th May 2017 16:00 UTC in reply to "Comment by ssokolow"
Bill Shooter of Bul Member since:
2006-07-14

That's a horrible counter-argument. An old, out-of-support version was too old to get the update because it hadn't been updated. Great. How is that MS's fault?

I think the argument there is: don't use unsupported operating systems unless you really, really have to, and be super careful about how they are used (i.e. air gap them, please!)

Reply Score: 2

Comment by Ikshaar
by Ikshaar on Mon 15th May 2017 18:35 UTC
Ikshaar
Member since:
2005-07-14

While I agree with OP, mostly, the fact that MS was able to release a patch for XP within hours makes me wonder why they stopped the automatic updates of XP if not to force people to buy a newer system? And in that light, MS is considerably at fault. They made billions selling XP! And still you should pay extra to get those patches now.

And to use your analogy, they not only stopped offering oil changes, they now say you should buy a new car instead of having an oil change ;)

Reply Score: 7

In other security news...
by Alfman on Mon 15th May 2017 20:54 UTC
Alfman
Member since:
2011-01-28

I just thought I'd post this here, it's dated today:

http://www.zdnet.com/article/apple-fixes-dozens-of-security-bugs-in...

Apple fixes dozens of security bugs for iPhones, Macs

Apple has squashed dozens of security bugs in its latest releases of its iPhone, iPad, and Mac operating systems.

The Cupertino, Calif.-based company rolled out 23 security fixes in iOS 10.3.2 and another 30 fixes in macOS 10.12.5, both of which were released on Monday.

Among the bugs, two bugs in iBooks for iOS could allow an attacker to arbitrarily open websites and execute malicious code at the kernel level. Over a dozen flaws were found in WebKit, which renders websites and pages on iPhones and iPads, that could allow several kinds of cross-site scripting (XSS) attacks.

A separate flaw in iBooks for macOS desktops and notebooks could allow an application to escape its secure sandbox, a technology used to prevent data loss or theft in the case of an app compromise.



A reminder that all platforms have vulnerabilities! Ironically it's because of these vulnerabilities that owners are "allowed" to jailbreak their own iOS devices. ;)

Reply Score: 2

RE: In other security news...
by Bill Shooter of Bul on Tue 16th May 2017 18:36 UTC in reply to "In other security news..."
Bill Shooter of Bul Member since:
2006-07-14

Yeah, there lies the rub.

I think at this point, I'm more interested in a secure device that I don't have full control over, than one that has vulnerabilities that can be exploited to allow me greater control over the device.

Reply Score: 2

RE[2]: In other security news...
by Alfman on Tue 16th May 2017 19:52 UTC in reply to "RE: In other security news..."
Alfman Member since:
2011-01-28

Bill Shooter of Bul,

I think at this point, I'm more interested in a secure device that I don't have full control over, than one that has vulnerabilities that can be exploited to allow me greater control over the device.


Yea, I understand. Although personally I don't like that manufacturers present us with such a contrived choice in the first place. Owners should never be put in a position to depend on vulnerabilities to get the most out of their devices. ;)

Reply Score: 2

winter skies Member since:
2009-08-21

[...]

Yea, I understand. Although personally I don't like that manufacturers present us with such a contrived choice in the first place. Owners should never be put in a position to depend on vulnerabilities to get the most out of their devices. ;)


Indeed. I am sick of people pushing this false dichotomy and preaching that you can be safe only if you give up your freedom. It is not like that.

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

Well, it's certainly true that you don't have to give up freedom to have a secure device. However, the options for that in a mobile phone are very limited at this point.

Heck, it's difficult just to get a secure device without freedom. Right now the options are...
iphone
Nexus/Pixel
Maybe Top of the line Samsung*?


I think Nexus/Pixel will also allow most freedoms (obviously there are some binary blobs there and closed source pieces that can't be replaced).

*Samsung phones are getting Android security updates, but they also have Samsung written software in them.

Reply Score: 2

oiaohm
Member since:
2009-05-30

http://www.intel.com.au/content/www/au/en/support/processors/000006...
https://www.microsoft.com/en-us/windows/windows-10-specifications

Please note the mismatch between these sites. People have installed Windows 10 on older CPUs than what Intel supports and have been forced to disable updates so their system runs. Of course it would have been helpful if Microsoft on their site had reported correct information and if Microsoft tools had blocked installing Windows 10 in the first place on too-old hardware. So those users not updating have been trapped by Microsoft incompetence and possibly Intel incompetence for not sharing correct information with Microsoft in time.


https://support.microsoft.com/en-us/help/4012982/the-processor-is-no...

Here is Microsoft again choosing, with Windows 7 and 8.1, not to provide updates if a person is using newer CPUs.

There are other elephants in the room where people are failing to get updates.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe.

This is also wrong.

http://www.pcworld.com/article/2953132/windows/set-windows-10s-wi-f...
If your internet connection is set as metered in Windows 10, even though Windows Update is enabled your computer might have downloaded no updates for a while, because automatic updates only kick in when you connect to a non-metered connection. Yes, if you are on metered, manually performing updates is required.

After allowing for the elephants, a percentage of affected users have been affected by misinformation that automatic updates are on and are being applied when, with metered connections, they are not. Also a percentage have been affected by the Microsoft and Intel information mismatch. A percentage has been affected by Microsoft refusing to allow old OSes on new hardware.

Also there is another percentage where automatic updates with Windows 7 and 8 have resulted in breaking vendor-provided parts.

So there are issues here. There is a percentage, I will give, who are guilty of turning off automatic updates out of fear caused by seeing people they know suffer from the above issues. So yes, a percentage of this problem lands cleanly at Microsoft's feet.

Reply Score: 3

dionicio Member since:
2006-07-12

"Here is Microsoft again choosing that with Windows 7 and 8.1 not to provide updates if person is using newer cpus."

Remember when Microsoft charged you every X years for a new Windows? Now it's a rolling release.

Also when you had your ancient Windows and danced with it along successive generations of junk? Demanding Microsoft keep the damn thing alive and well? Well, now you can't.

[As soon as Continuum effort started, they could not keep the old scheme of asking more and more hardware stamina].

This scheme achieves an ETHICAL balance, by allowing old equipment to slip down the food chain, and taking care of the planet, by not forcing planned trash dumping. Or worse, Linux trans-personalization ;-)

Edited 2017-05-17 14:22 UTC

Reply Score: 2

Blame List
by Brendan on Mon 15th May 2017 21:56 UTC
Brendan
Member since:
2005-11-16

Hi,

The list of people that should be blamed are:

a) Every software developer that assumes "Internet connected" means that they can release buggy crap followed by a never ending plague of updates and fixes (and associated unwanted end-user hassle) as they continually try to bring their buggy crap up to "release quality" (instead of realising that "Internet connected" means that it has to be extremely secure before release).

b) People like Thom that make excuses for software developers that fail to release secure products.

- Brendan

Reply Score: 4

RE: Blame List
by Thom_Holwerda on Mon 15th May 2017 22:58 UTC in reply to "Blame List"
Thom_Holwerda Member since:
2005-06-29

b) People like Thom that make excuses for software developers that fail to release secure products.


But... But they fixed it two months ago?

Reply Score: 1

RE[2]: Blame List
by Brendan on Tue 16th May 2017 00:35 UTC in reply to "RE: Blame List"
Brendan Member since:
2005-11-16

Hi,

"b) People like Thom that make excuses for software developers that fail to release secure products.


But... But they fixed it two months ago?
"

There was a critical vulnerability in every version of Windows for a decade because Microsoft released insecure products that should never have needed to be updated in the first place.

An unknown number of people who should never have needed to update got affected by insecure products before the update existed without ever knowing they've been affected.

A huge number of people who should never have needed to update know they were affected after the update existed.

A huge number of people who should never have needed to update can't update and are still at risk.

Microsoft will not be compensating anyone that has been affected for damages that their faulty software has allowed.

Microsoft will not be reimbursing anyone that has paid for faulty software.

Microsoft will not be apologizing to anyone that has been affected or will be affected.

Microsoft won't be changing any of their practices (doing a full security audit, hiring a new security team, etc).

The developers that created the security vulnerabilities, and the quality assurance testers that failed to notice the vulnerabilities before each version of Windows was released, probably won't even get a "stern warning" and will probably be allowed to continue creating more security vulnerabilities in future Microsoft products.

Nothing that actually matters will change, it'll just be a yet another slightly different vulnerability next week, and the week after that, and ...

The reason nothing that actually matters will change is that stupid people think all of this is acceptable. There's no incentive whatsoever for Microsoft to do anything to prevent vulnerabilities.

This is not just Microsoft, it's "most" software developers. It's an entire industry where incompetence and negligence is standard practice.

Note that people who install updates are victims too - if 1 billion people spend an average of 6 minutes of their time each month installing updates and their time is worth an average of $10/hour; then that adds up to a total cost of $72,000,000,000 per year just to install updates for dodgy crap that should never have needed to be updated (and that's not including costs of anti-virus subscriptions, bandwidth consumed, etc).

- Brendan

Reply Score: 3

RE[2]: Blame List
by Alfman on Tue 16th May 2017 01:41 UTC in reply to "RE: Blame List"
Alfman Member since:
2011-01-28

Thom Holwerda,

But... But they fixed it two months ago?



Sorry Thom, but this isn't nearly as simple as you are making it out to be. I absolutely hate to make an argument from authority, but if you had more experience in IT you would see it's not this simple. If an OS upgrade or update breaks a piece of software or equipment, then what?

This isn't remotely hypothetical, I've experienced several Windows incompatibilities. At one company the customer ticket management system we were using for several years broke on Windows 8. And so we were stuck with using Windows 7 internally until the ticket management software could be replaced. The company's software licensing agreement actually entitled every employee to install Windows 8, so it was never a matter of cost, but of feasibility and compatibility.

Ironically even our own software we were developing was broken by an update. Granted, upgrade/update complications are usually more of an annoyance, like having to throw away a card/printer or borked wifi/usb until the manufacturer releases a new compatible driver (all of these have happened to me and my family, btw), but we move on. However, with specialized and certified medical equipment and software that MS doesn't even own, allowing untested/uncertified software auto-updates can have life-threatening repercussions. This is irresponsible! Certification is not something that should be rushed under time pressure either.

And I'm not saying you don't have valid points, but you've oversimplified the challenges that IT administrators are facing in order to push this narrative; you are wrong to think it's just a matter of updating. Don't think for a moment a lawyer wouldn't sue a hospital for gross negligence for allowing untested/rushed software to run on its systems. The updates cut both ways.

Administrators have no authority to re-certify updated medical equipment at the hospitals; automatic updates pose too great a risk and are ineffective against zero-day exploits anyway. Arguably the best course of action is to focus instead on keeping them isolated. That these systems were compromised over the internet is totally unacceptable. These systems shouldn't touch the internet, not even for updates.

There may be times they need to be updated, but only through certified channels and NOT automatically while they are in commission.

Edited 2017-05-16 02:00 UTC

Reply Score: 3

RE[2]: Blame List
by Ibrahim on Tue 16th May 2017 03:14 UTC in reply to "RE: Blame List"
Ibrahim Member since:
2016-11-03

They fixed it via an ultimatum though. Didn't the group that grabbed the NSA tools give the companies affected a time frame to fix the security holes before they released the NSA tools and announced the vulnerabilities?

If there was no ultimatum, the holes would still be there with no update(s) in sight. Of course this is speculation on my part, but in line with the way MS and company work. So it is not hard at all to imagine there would be no fixes, were it not for the ultimatum.

Reply Score: 1

RE[2]: Blame List
by wa2flq on Tue 16th May 2017 18:10 UTC in reply to "RE: Blame List"
wa2flq Member since:
2006-07-22

But... But they fixed it two months ago?


That's not sufficient.

Microsoft created an ecosystem in which many of their customers do not trust their patching system or updated products. Hence they own this problem.

Apple is not perfect here either but I believe most iOS and OS X users rarely think twice about taking a patch. Okay, I usually wait 2 or 3 days after a release…

I am beginning to think that OS vendors should be required to supply free security patches for NN years, where NN is 10, 15 or 20 years. Customer and business behavior is never going to match good IT practice if it requires regular support and/or major upgrade costs. Even if you legislated businesses to purchase support or update regularly, it would turn into a bureaucratic mess (example: USA: Sarbanes-Oxley).

Medical, critical infrastructure or life safety equipment with embedded computing is always going to be a challenge. It's going to take changes in the professions that use these devices to step up and demand stricter support processes from their vendors.

Reply Score: 2

Not a UK gov problem
by Adurbe on Mon 15th May 2017 22:53 UTC
Adurbe
Member since:
2005-07-06

I would challenge you to provide any health service in the world not vulnerable to the same issues. The reality is every country buys the same equipment from the same small sets of suppliers. Dutch hospitals are just as full of MRI scanners running XP as British or American ones.

Reply Score: 2

Wait ...
by WorknMan on Mon 15th May 2017 23:53 UTC
WorknMan
Member since:
2005-11-13

So Thom is blaming the victims here?

#scandalous

Reply Score: 3

RE: Wait ...
by fmaxwell on Wed 17th May 2017 15:40 UTC in reply to "Wait ..."
fmaxwell Member since:
2005-11-13

So Thom is blaming the victims here?


They aren't the victims. The victims include the thousands of patients whose surgeries and medical appointments had to be canceled as a result of hospital computers being taken down by WannaCry. Unlike the morons that failed to secure their computers, those patients did nothing wrong.

Reply Score: 2

no big issue
by nicubunu on Tue 16th May 2017 06:21 UTC
nicubunu
Member since:
2014-01-08

WannaCry should be no big issue for individual home users: they are usually behind a router provided by their ISP, and not being directly exposed to the internet means no attack surface for WannaCry. Also, it is less likely that they have many Windows computers at home such that they would be attacked over the LAN.

This leaves as the most likely victims big corporate networks. There may be solid reasons there are still older Windows versions on big corporate networks, but if this is the case their IT departments should have prepared accordingly.

Still, I don't accept the blame being put solely on the victims. The NSA is to be blamed: they discovered a vulnerability and developed it into a weapon instead of pushing for a fix.

And there is blame for Microsoft: they used [the lack of] updates as a tool to force people to update to an unwanted version of Windows, thus making people distrust updates at all.

Reply Score: 3

This won't change
by Darkmage on Tue 16th May 2017 07:15 UTC
Darkmage
Member since:
2006-10-20

On medical equipment this won't change until governments step in and demand change. Notice that every government in the western hemisphere has access to the Windows source code because of "national security"? Yet for some reason there are $20 million MRI machines in hospitals with proprietary imaging software, some of which only interface with NeXT, some UNIX, or some old Apple crap? These devices never get patched, updated, or migrated to new equipment because the suppliers have got the government by the balls. Until governments refuse to do business with suppliers that don't provide source, and refuse to buy these dodgy products, it will never change. A $20 million device which never gets updated is a flawed device.

Edited 2017-05-16 07:16 UTC

Reply Score: 2

RE: This won't change
by daedalus on Tue 16th May 2017 08:12 UTC in reply to "This won't change"
daedalus Member since:
2011-01-14

A $20 million device which receives updates will be a $30 million device purely because of the vast amounts of extra manpower required to recertify the device every time a patch is rolled out.

Reply Score: 2

RE[2]: This won't change
by yerverluvinunclebert on Tue 16th May 2017 10:08 UTC in reply to "RE: This won't change"
yerverluvinunclebert Member since:
2014-05-03

Precisely. In the aero industry, a change in the development machine that provides the code that flies the plane means that plane has to be recertified. Not just that plane but every plane that might potentially use the new code. If you can retain the same machine then you have the same output and the cost is reduced by millions and possibly tens of millions.

Reply Score: 1

RE[3]: This won't change
by Alfman on Tue 16th May 2017 14:38 UTC in reply to "RE[2]: This won't change"
Alfman Member since:
2011-01-28

yerverluvinunclebert,

Precisely. In the aero industry, a change in the development machine that provides the code that flies the plane means that plane has to be recertified. Not just that plane but every plane that might potentially use the new code. If you can retain the same machine then you have the same output and the cost is reduced by millions and possibly tens of millions.


That's a great example, the risk of botched upgrades is not acceptable for critical control systems where lots of money and lives are at stake. These systems should be hardened. Perhaps the operating systems should be on read-only media such that rebooting them brings them back into their certified state and only certified updates could be deployed with physical access.

Reply Score: 2

RE[4]: This won't change
by yerverluvinunclebert on Tue 16th May 2017 18:39 UTC in reply to "RE[3]: This won't change"
yerverluvinunclebert Member since:
2014-05-03

One of the things I do is to maintain essential legacy systems that provide a fundamental service to the aero, military, hospital, nuclear and oil industries. All these systems are still in place because the job they do is first class, they CANNOT be upgraded EVER (nuclear SCADA) and they will continue to operate forever. Imagine having to rebuild the software that supports the drawings for the whole of Airbus Industries. Even though those aeroplanes seem new they were actually designed decades ago in the late 70s/early 80s and the 'puters that they run on are still the originals. As well as needing recertification of all aeroplanes in the air, to redesign and rebuild the software to run on new machines would cost tens of millions and give no benefit whatsoever, except to increase the uncompetitiveness of Airbus' offerings. The nuclear industry never changes ANYTHING as to do so could cause a big radioactive hole in Cumbria. Trackside and hospital systems running on Windows 10? Do you want your Blue Screen of Death to be your death, literally? No new systems anywhere critical, no new bugs, no new back doors please... Only systems that are tried and tested, and equally fault tolerant, are required. Avoid new systems like the plague if you want the world to actually operate reliably and you want to live.

Edited 2017-05-16 18:48 UTC

Reply Score: 1

RE[5]: This won't change
by dionicio on Wed 17th May 2017 15:00 UTC in reply to "RE[4]: This won't change"
dionicio Member since:
2006-07-12

Obviously the NHS nightmare happened at the "Office" side of IT. Extremely Lousy Certification [Or no Certification at all] happened there.

Judiciary assessment pending at that -would like to think- lack of professionalism.

As you said: No Hardening occurred there...

Edited 2017-05-17 15:04 UTC

Reply Score: 2

Buying a piece of kit
by yerverluvinunclebert on Tue 16th May 2017 08:20 UTC
yerverluvinunclebert
Member since:
2014-05-03

There is still the non-technical mentality in many companies like the NHS, when they are buying a new machine they forget that it is no longer a one-time purchase like it used to be. The associated processing unit is considered part of that fixed cost and when time and money is hard pressed the on-going costs are simply forgotten because the device just works... Fifteen years of largely uninterrupted operation is the justification for not upgrading. The alternative might be a new MRI scanner that costs millions and tens of thousands in retraining, not to mention possible deaths if new kit is used incorrectly. The NHS is so massive and widely distributed that it is very, very hard to ensure that all vulnerable machines are not web-facing.

The whole world literally runs on these types of legacy machines - from trackside equipment to automated cranes in nuclear power storage facilities - and if the author is still unaware of this fact then frankly he should not be writing irresponsible articles like this.

The one thing this infection scenario does point out is that none of us should be using closed-source operating systems from companies that regularly abandon their recent OS releases just in order to bring out something new that will sell more.

Reply Score: 1

RE: Buying a piece of kit
by dionicio on Wed 17th May 2017 16:30 UTC in reply to "Buying a piece of kit"
dionicio Member since:
2006-07-12

Agree on The Unavoidable need of VERY Long Term Kernel and OS cycles for critical systems. [Those OSes used to be Real Time].

Hardened systems link exclusively through protocols [Or Unlink-able at all]. So the Open/Close shouldn't be a heavy issue here, as far as protocols fully open and market supported.

On support of closed -or preferentially IP protected code: Too many medical equipment OEM vendors confronting market realities, plausible only buying, rather than on-house developing the supporting IT frame.

Makes certification a lot easier also, because Software Houses build interacting confidence with Certifying Authorities. Remembering QNX, just as an example. [It is stupid to leave all that accumulated expertise just to browse a TV set].

I prefer fully open stacks, also. As long as not having to fight with Certifying Authorities.

Edited 2017-05-17 16:31 UTC

Reply Score: 2

Not surprised about the NHS
by Dave_K on Tue 16th May 2017 10:22 UTC
Dave_K
Member since:
2005-11-16

I'm not exactly surprised that the NHS are running out of date software like Windows XP in 2017. When I visited an NHS hospital lab in the mid 90s I was a bit shocked at the out of date and kludged together state of equipment that could literally be a matter of life and death.

There was gear in the haematology lab that still relied on CP/M software dating back to the 70s. The original hardware had been replaced with a BBC Micro + Z80 second CPU at some point to keep it functioning - I think the lab equipment connected to the BBC's analogue port, and of course used 5.25" disks to store its data.

The guy who'd re-written the code (burned to an EPROM inside the BBC) and cobbled together the hardware interface for it was long gone by that point. At least they wouldn't have to worry about malware I suppose...

As other people have pointed out, it's not as simple as them forgetting to install updates, or even lacking the budget to upgrade. The bespoke hardware and software in use makes things very different from a typical home or office, and there's also a definite reluctance to try fixing things before they're (completely) broken.

Just throwing money at it wouldn't necessarily solve all problems - under the last government the NHS blew around £12 billion failing to implement a new IT system after all.

Reply Score: 4

Everything is broken
by M.Onty on Tue 16th May 2017 11:10 UTC
M.Onty
Member since:
2009-10-23

"The number of people whose job it is to make software secure can practically fit in a large bar, and I’ve watched them drink. It’s not comforting."
--- Quinn Norton (https://medium.com/message/everything-is-broken-81e5f33a24e1)

Reply Score: 4

RE: Everything is broken
by dionicio on Wed 17th May 2017 16:51 UTC in reply to "Everything is broken"
dionicio Member since:
2006-07-12

[%])There. You'll feel better :-)

Reply Score: 2

RE: Everything is broken
by dionicio on Wed 17th May 2017 16:53 UTC in reply to "Everything is broken"
dionicio Member since:
2006-07-12

Will chat about Firm and Hard ware Security, later ;-)

Edited 2017-05-17 16:54 UTC

Reply Score: 2

I completely disagree!
by gazwil1982 on Tue 16th May 2017 11:41 UTC
gazwil1982
Member since:
2017-05-16

So people who can't afford a new pc or hundreds on updated software are to blame? People who just use their computer for browsing the web and not much else are to blame? Charities who can't afford to update computers and software are to blame?

I'm sorry but the ivory tower you are sitting in is far too high for me. Most people don't think about their computers; they just want things done. Most people don't understand how to update or turn automatic updates on or off.

Most people just want to live a happy life without being worried about having all their precious memories encrypted and extorted for money they don't have.

I won't be reading your site any more. I used to think you were down to earth but you are actually just mean.

I'll stick to getting my news from websites that don't judge their users.

For the record I'm a Linux lover who knows a thing or two about computers. But most of my family aren't. They are the "idiots" you have no sympathy for.

Shame on you!

Reply Score: 3

RE: I completely disagree!
by dionicio on Wed 17th May 2017 17:14 UTC in reply to "I completely disagree!"
dionicio Member since:
2006-07-12

" Charities who can't afford to update computers and software are to blame? "

From Windows10 and S upwards your updating is free. As long as genuine activated copy, and your computer doesn't drop dead.

Ask Microsoft for licenses. Who knows?

If dismissed, "vayan por la libre" go Linux. All the tools are there. Except the fancy, the shiny and the commodities. It's a spartan environment, but once you get used to it, you won't want to do critical work out of it.

Reply Score: 3

RE: I completely disagree!
by dionicio on Wed 17th May 2017 17:28 UTC in reply to "I completely disagree!"
dionicio Member since:
2006-07-12

"Most people just want to live a happy life without being worried about having all their precious memories encrypted and extorted for money they don't have."

Activated or not, genuine or not, You should teach your loved ones how to make Optical backups. Recommending you DVD-RW disk-at-once. That goes to Linux-ers also.

Been reading OSnews for years and can assure little evil here. Windows the most used desktop OS, world at large and no way We could consider every situation. You're right there. Sorry about lexicon, I'm so easily tempted to use it, also.

Reply Score: 2

RE[2]: I completely disagree!
by dionicio on Wed 17th May 2017 21:08 UTC in reply to "RE: I completely disagree!"
dionicio Member since:
2006-07-12

The Real REAL tragedy here is that WannaCry has shown Us AGAIN that Sensitive Data is out-there, sitting duck to Financial And Insurance Entities, Criminal Organizations and even repressive factions within States.

Reply Score: 2

A fresh start is needed
by sbenitezb on Tue 16th May 2017 15:37 UTC
sbenitezb
Member since:
2005-07-22

Writing bug free, compatible and performant software is both expensive and a slow process. The consumer market certainly doesn't appear to want software made with Ada and the most stringent engineering processes. Operating Systems, libraries and services are still coded in C, so go figure.

The fact is there are millions upon millions of LOC hiding all sorts of bugs and 0-days waiting to be exploited, in all major OSes. That can't possibly be solved anytime soon, and won't in the future as long as our infrastructure is still developed the way it is. The only thing to be done is patch and pray. But every new LOC rushed and written in C comes with the possibility of new bugs. There's still hope Ada/Rust will catch on and newer systems will be developed with better languages, slowly replacing rotten bits.

BTW, it's been years and I keep having to double login to post a comment in OSNews. Time to fix the bug, you guys!

Reply Score: 3

RE: A fresh start is needed
by Alfman on Tue 16th May 2017 16:39 UTC in reply to "A fresh start is needed"
Alfman Member since:
2011-01-28

sbenitezb,

"Writing bug free, compatible and performant software is both expensive and a slow process. The consumer market certainly doesn't appear to want software made with Ada and the most stringent engineering processes. Operating Systems, libraries and services are still coded in C, so go figure.

The fact is there are millions upon millions of LOC hiding all sorts of bugs and 0-days waiting to be exploited, in all major OSes. That can't possibly be solved anytime soon, and won't in the future as long as our infrastructure is still developed the way it is. The only thing to be done is patch and pray. But every new LOC rushed and written in C comes with the possibility of new bugs. There's still hope Ada/Rust will catch on and newer systems to be developed with better languages, slowly replacing rotten bits."

We know this, but most politicians, executives and the public at large don't know it and/or don't care. Unfortunately a large upfront investment to replace legacy platforms and code isn't politically workable even for the greater good in the long term. It's not just tech either, politics have generally been shifting towards shorter term agendas. An executive or politician is more likely to score points if they can bring costs down even if it prolongs our security problems indefinitely.

From an engineering perspective, our approaches to security are indefensible. I can't get over how inexcusably inept and stupid Visa and Mastercard's security for payments is. But from a business perspective the incentives are quite different, like how shifting the liability to merchants via PCI compliance programs can actually bring in more profits than fixing the flaws using robust crypto.

"BTW, It's been years and I keep having to double login to post a comment in OSNews. Time to fix the bug you guys!"

I reported that years ago. The login on the top right doesn't have this bug if you use it instead.

Reply Score: 2

quackalist
Member since:
2007-08-27

Damn stupid way of looking at the problem; lots of people/institutions are at fault. Number one being the NSA and its ilk hoarding security vulnerabilities that eventually get out into the wild.

Of course the vulnerability should have been patched and the NHS should have paid for its XP systems to have security updates from MS etc. etc.

But this has impacted a lot of people (me for a start, who couldn't get my blood results or prescriptions) for which you should have a little empathy if not tears. It wouldn't surprise me if people didn't die because of this.

Lots of other 'bad stuff' happened... Nissan, a couple of miles away from me, stopped car production etc.

Wake up call, it could have been a lot worse, not moralising

Reply Score: 2

allanregistos
Member since:
2011-02-10

"If any one of those mean you have to fix, upgrade, or rewrite your internal software - well, deal with it,"

Yes and no. Yes for some small applications, but not possible with large software projects, porting maybe, given if the language is portable, but good only in theory.

THOM, you do not KNOW what you are talking about; I stopped reading your post once I reached this nonsense. If you are not a software developer, stop pretending to be one.

Reply Score: 2

Pete.H.Dee
Member since:
2017-05-17

Yes - it's your fault in that it was entirely predictable. On the other hand the flaw was Microsoft's.

Today, if the car I own turns out to have a manufacturing/design flaw that's dangerous, the car company will recall and fix it - not tell me I should have bought a support contract or simply tell me to get a new model.

Bottom line: software companies, for too long, have been getting away with the idea that any flaws (no matter how serious) in the product they sell you are something the consumer has to simply accept with no redress. Perhaps it needs to be brought more in line with other industries.

Especially as software is becoming more critical.

Bottom line: MS had the patch for XP but didn't release it - result: people may have died due to delayed treatment in hospitals affected. If a car manufacturer had done that there would have been an outcry.

Yes, from a user perspective it was entirely predictable, but the flaw was Microsoft's responsibility and they had a fix and chose not to release it initially - that's not responsible.

Reply Score: 1

fmaxwell Member since:
2005-11-13

"Bottom line software companies, for too long, have been getting away with the idea that any flaws ( no matter how serious ) in the product it sells you - is something the consumer has to simply accept with no redress. Perhaps it needs to be brought more in line with other industries."

That's precisely what they have been avoiding by not selling software. Instead, they sell you a license to use their software and then disclaim any responsibilities for error-free operation, security, suitability for any purpose, etc. If they sold you software, then it would be a product that was subject to all of the same FTC regulations that govern any product.

Software engineers (I used to be one) are quick to proclaim it unfair to require that they produce a reliable, secure product because 'software is so complicated.' I look at it the other way: Software is so complicated because they aren't required to make it reliable and secure. Windows is a bloated, incomprehensible mess (at the source level) precisely because Microsoft is not legally liable for the chaos that results in a case like this. Instead, they reap rewards as companies scramble to update from old versions of Windows to new ones, paying Microsoft for the updates.

Reply Score: 2

Alfman Member since:
2011-01-28

fmaxwell,

"Software engineers (I used to be one) are quick to proclaim it unfair to require that they produce a reliable, secure product because 'software is so complicated.' I look at it the other way: Software is so complicated because they aren't required to make it reliable and secure. Windows is a bloated, incomprehensible mess (at the source level) precisely because Microsoft is not legally liable for the chaos that results in a case like this. Instead, they reap rewards as companies scramble to update from old versions of Windows to new ones, paying Microsoft for the updates."

I'd point out that many software developers know better than anybody how broken things are. In many cases, if you dig further, there's a very good chance developers did bring up the issues before the product reached market. However, management creates an environment that isn't conducive to building secure code, with unrealistic timelines that omit testing and security auditing, and by allocating insufficient resources. The incentives from the top of the company down the chain are to do the minimum amount of work possible.

Meanwhile the CEO is telling customers how important the company takes security, blah blah blah, but it's rarely actually true. If consumers feel they are becoming the beta testers, it is in fact because that's exactly what they've become.

Reply Score: 3

fmaxwell Member since:
2005-11-13

Alfman,

"I'd point out that many software developers know more than anybody how broken things are. In many cases if you dig further there's a very good chance developers did bring up the issues before the product reached market."

Knowing about the problem and being willing to swallow the bitter pill to fix it are two different things. I talked to many software engineers in my 30+ years and, almost to a person, they were very opposed to software being held to the same standards as other consumer products.

"However management creates an environment that isn't conducive to building secure code with unrealistic timelines that omit testing and security auditing and just allocating insufficient resources. The incentives from the top of the company down the chain are to do the minimum amount of work possible.

Meanwhile the CEO is telling customers how important the company takes security, blah blah blah, but it's rarely actually true. If consumers feel they are becoming the beta testers, it is in fact because that's exactly what they've become."

That's what happens when a company has no legal obligation to make their product perform as advertised.

If Microsoft faced the same repair/replace/refund model that vendors of normal products (rather than software licenses) face, there would be a lot more time and money put into simplifying the codebase, testing, and security auditing. Feature additions would be based on a risk/reward assessment: Does this proposed feature really justify the increase in code complexity, testing time, and security auditing effort?

Looking at this in a completely heartless, GOP-esque manner, why would Microsoft issue updates to Windows XP when they can just discontinue support and wait for something like WannaCry to result in a barrage of orders for Windows 10, or extended support contracts, from panicked companies, governments, and consumers? Windows is entrenched. Microsoft knows that the UK National Health Service isn't going to convert all of their computers to OpenBSD.

If other companies operated like software companies:

Hello, Toyco Products Customer Service, Nancy speaking.

My baby is in surgery because he swallowed a plastic eye from your Huggles Bear XP stuffed toy.

I'm sorry to hear that. We became aware that the eyes were not properly attached after we had discontinued support for the Huggles Bear XP.

If you knew it was defective, why was I not notified? Why didn't you recall it?

You bought a license to use the Huggles Bear XP. It remains our property, so we are not legally obligated to fix it or notify you of flaws unless you buy a Huggles Bear XP extended service contract. If you don't want to do that, we could sell you a license for our current Huggles Bear 10.

I'm going to sue you!

I must refer you to paragraph 13 of the End-User License Agreement for the Huggles Bear XP, which reads as follows,

13. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL TOYCO OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, PERSONAL INJURY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE PRODUCT OR OTHERWISE ARISING OUT OF THE USE OF THE PRODUCT, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF TOYCO OR ANY SUPPLIER, AND EVEN IF TOYCO OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.


_____________

Note: The above contract paragraph was based on the Windows XP Professional license and only lightly edited for fair use in this parody.

Reply Score: 3

Alfman Member since:
2011-01-28

fmaxwell,

"Knowing about the problem and being willing to swallow the bitter pill to fix it are two different things. I talked to many software engineers in my 30+ years and, almost to a person, they were very opposed to software being held to the same standards as other consumer products."

"That's what happens when a company has no legal obligation to make their product perform as advertised."

"If other companies operated like software companies:"

"If you knew it was defective, why was I not notified? Why didn't you recall it?"

I don't think most software developers are against holding the companies accountable, many of us have been calling for that for a long time.

I think there may have been some unintentional confusion here. When you said "software developers", it generally means someone's title, although now your post clarifies you meant the software developing companies. That changes a lot, and when you go blaming "software developers" this distinction is very important. For the most part the employees who develop the software have very little authority to invest company resources into security; more often than not I've found the only time companies seriously invest in security is... you guessed it... right after a breach.

Reply Score: 2

fmaxwell Member since:
2005-11-13

Alfman,

"I think there may have be some unintentional confusion here, when you said "software developers", it generally means someone's title, although now your post clarifies you meant the software developing companies. That changes a lot and when you go blaming "software developers" this distinction is very important."

I used "software engineers" to avoid confusion. You introduced the term "software developers" and I assumed that you intended it to mean the same thing.

But you understood me correctly the first time. It's true that software engineers, the people who code for a living, almost always want more time and resources during the development process, but they still don't want the fruits of their labors treated as products, with all of the legal ramifications that entails. They don't want to have to revisit old code and make fixes years later.

And that is an area where they agree with management; software should remain in its special not-a-product niche. If a latent defect is found in something that hasn't been sold in years, management doesn't want to be in the position of being legally obligated to repair, replace, or refund. More importantly, management does not want the company to be able to be successfully sued when their security bug leads to, say, hospitals turning away patients.

"For the most part the employees who develop the software have very little authority to invest company resources into security, more often than not I've found the only time companies seriously invest in security is...you guessed it...right after a breach."

Based on the idiotic notion that you can add security on rather than having to design it in. At one point in my career, I headed up a team developing a secure workstation that went through a formal C2 evaluation conducted by a team from NSA (back before Common Criteria). Most software engineers are pretty clueless about security. Most software companies don't want to invest in training or to hire enough senior software engineers with a specialty in security. They don't want to be constrained by engineers asking "do you really need a programming language inside of a word processor that most users run with admin privileges?"

Reply Score: 2

Alfman Member since:
2011-01-28

fmaxwell,

"But you understood me correctly the first time. It's true that software engineers, the people who code for a living, almost always want more time and resources during the development process, but they still don't want the fruits of their labors treated as products, with all of the legal ramifications that entails. They don't want to have to revisit old code and make fixes years later."

Software engineers don't get to make any of those choices; who says we'd be against it? It could benefit more qualified engineers and create incentives to become more qualified. But none of this is decided by us; it's all decided on by management, executives and lawyers. To be clear, if you held the software engineers accountable without holding management or CEOs accountable you'd end up with a large number of scapegoats being blamed without any authority or power to change things at the company.

Like the Wells Fargo fiasco:
http://www.washingtonexaminer.com/fired-wells-fargo-employees-sue-m...

I've been involved in projects where code was released with some known vulnerabilities over my objections. If those had been publicly exploited, you would probably blame the software engineers for it, however you would not be privy to the facts of what actually happened, and that it was a managerial decision to consider those things out of scope (another way of saying "unfunded"). I'm for accountability, but you've got to make the whole company accountable and not just those working on the software - many of us aren't in any position to demand changes from our employers.

"Most software engineers are pretty clueless about security. Most software companies don't want to invest in training or to hire enough senior software engineers with a specialty in security."

I agree, but I'd go even further and say this low investment and appreciation for security skills is quite discouraging even for those of us who have those skills.

Edited 2017-05-18 21:33 UTC

Reply Score: 2

fmaxwell Member since:
2005-11-13

Alfman,

"Software engineers don't get to make any of those choices, who says we'd be against it?"

As I wrote previously, a significant majority of the software engineers I've discussed this with over the last few decades have been opposed to treating software as a product. Obviously not 100% are against it; I am an example of one who advocates for the software-as-product model.

"To be clear, if you held the software engineers accountable without holding management or CEOs accountable you'd end up with a large number of scape goats being blamed without any authority or power to change things at the company."

That's a straw man; I never proposed anything like that, which would be apparent had you included this in what you quoted:

fmaxwell, in the post to which you replied:
"If a latent defect is found in something that hasn't been sold in years, management doesn't want to be in the position of being legally obligated to repair, replace, or refund. More importantly, management does not want the company to be able to be successfully sued when their security bug leads to, say, hospitals turning away patients."

"I've been involved in projects where code was released with some known vulnerabilities over my objections. If those had been publicly exploited, you would probably blame the software engineers for it, however you would not be privy to the facts of what actually happened, and that it was a managerial decision to consider those things out of scope (another way of saying "unfunded")."

Stop presuming to tell me who I would blame -- especially since your presumption runs counter to almost everything I've written here.

"I'm for accountability, but you've got to make the whole company accountable and not just those working on the software - many of us aren't in any position to demand changes from our employers."

That's exactly what I've been advocating since the first post in our exchange.

"I agree, but I'd go even further and say this low investment and appreciation for security skills is quite discouraging even for those of us who have those skills."

You don't have to tell me. It's beyond a lack of appreciation; it is often outright hostility as we resist implementation of ill-considered features that put security at risk.

Unless the courts rule that software is a product, I don't see this bleak picture changing. Software companies have no incentive to change a model that absolves them of liability and provides them an income stream from upgrades and paid support.

Edited 2017-05-19 00:22 UTC

Reply Score: 2

It's not Microsoft's fault
by lfnuke2 on Thu 18th May 2017 04:19 UTC
lfnuke2
Member since:
2010-07-26

It's not Microsoft's fault that their system is so insecure, and people are afraid to allow updates because it makes the computer reboot, stop all your work and wait for the update to finish...
Microsoft is perfect... Users are to blame for this situation...

Edited 2017-05-18 04:20 UTC

Reply Score: 2

What about Labour?
by markcres on Thu 18th May 2017 11:19 UTC
markcres
Member since:
2015-05-08

I know it is trendy amongst beard-strokers to attack the "evil Tories", but what the hell did Labour do between 2006 and 2010 when WinXP had been superseded by Vista and Win7? They didn't think it was important to upgrade NHS systems.

Reply Score: 0

Comment by computrius
by computrius on Thu 18th May 2017 14:13 UTC
computrius
Member since:
2006-03-26

"Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions"

Because those are all real, non-self-inflicted problems, as opposed to computer problems, which are mostly self-inflicted or imaginary.

Even if one has the most secure version of windows 10 there ever was or will be, all he/she still has to do (and will do) is ignore the million times they have been told: "No, you didn't win the Nigerian lottery... DON'T OPEN EMAIL ATTACHMENTS", or "It doesn't matter how flashy the popup was and what kind of doctor suit the guy in the ad was wearing, no program is going to defy physics and reality by creating more physical RAM than what you already have."

It's amazing how totally secure Windows XP was at the time. Now everyone says you're an idiot for using it and has amnesia that they ever thought otherwise. Just as Windows 10 is totally secure and safe and awesome now. In 10 years it will be Microsoft's biggest, most insecure disaster that was never ever secure at any time.

And a final point. That old computer runs just as well today as it did 10 years ago (unless you did something stupid). It doesn't cost more to run than it did 10 years ago. For the most part you were careless and loaded it down with crapware by downloading anything and everything you ever encountered, and now falsely claim that it is "broken" because - shocker - it is now slow. Combine that with the fact that you see new and more powerful (albeit more stripped of your control or anything useful, because taking away ownership of your own device is "progress") computers and want those.

The more correct car analogy is that you are driving a 2007 car, and now you want a 2017.

Edited 2017-05-18 14:31 UTC

Reply Score: 2