Do we need Windows patch legislation?

Microsoft has got off remarkably lightly from WannaCry, as the finger pointing between Whitehall and NHS trusts began. But that might be beginning to change. The NHS had 70,000 Windows XP PCs, but only after the ransomware hit did Microsoft issue a patch. Officially, support had ended in 2014, spurring an upgrade cycle. In a …

Silver badge

Re: It is simply a matter of procurement

Name one vendor in the world that will support that.

1. RHEL, Oracle, etc - all mainstay Unix(like) OS vendors.

2. Most telecoms software vendors

3. Most military software vendors

4. Most industrial control software vendors

Now, they also charge a pretty penny too. So if you do not like the prices you should probably make up your mind for the exact way you are going to obsolete what you are buying on day X, not drag your feet 5 years after it was supposed to be obsolete.

Again - not something public sector procurement ever does. Show me a single public procurement project which planned the obsolescence of the software they are purchasing before they bought it. I have yet to see one.

So continuing on this subject, a good idea will be to make such procurement without an obsolescence plan an automatic sackable offense.

1
0
Anonymous Coward

3. Most military software vendors

Sure, they will sell you exactly the same crap for two decades, because every change needs an incredible number of approvals and certifications. They just have to ensure the crap is available for two decades.

Remember when USAF was hoarding floppies for its systems? And if you're afraid of the price of Windows custom support, look at the prices of a weapon system upgrade...

0
0
Silver badge

Re: It is simply a matter of procurement

However, not a single software tender for public services had any long term maintenance clauses attached to it.

Wonder if things have changed at Network Rail... In the days of BR, for railway operational systems the standard expected working life and thus maintenance requirement was 20 years minimum. Which given in the 1980's they were still replacing Victorian infrastructure was a blessing...

1
0

Quality

If the software was written properly in the first place then it would not need patching.

2
7
Silver badge
FAIL

Re: Quality

Please name one bit of complex software that is flaw free.

Thought not.

3
1

Re: Quality

Are windowed operating systems complex? The technology is over 30 years old now.

1
6
Anonymous Coward

Re: Quality

Quite. Nobody should rely on stuff that's thrown together, in order to make a profit from licences.

You won't find aeroplanes running fly-by-wire on M$ stuff - if they did, the neighbourhood would be littered with crashed aeroplanes, and sensible people would travel by boat.

An OS, designed and built for security, written in Ada, would be the thing to use. It would have to be open source, because you can never trust a binary.

0
0

Competition sparks innovation

It is a failure of both purchase policy and competition regulation by governments that the IT industry is lumbered with a single near-monopoly supplier of PC OS software.

Until governments start actively promoting alternatives to Windows, cyber-attacks will remain commonplace.

3
1
Anonymous Coward

Phoenix company solution ...

With the serious amount of money companies like MS can spaff, even if there was a UK-specific law which could somehow intimidate a US based vendor (a hurdle so far unmentioned) then the tried and tested way out of this will be:

1) declare the UK subsidiary which holds the liability for patching bankrupt.

2) start up a new legal entity (shorn of any responsibilities the previous incarnation had accrued)

3) make lots of money, until liabilities start building up

4) goto 1

4
0
Silver badge

Re: Phoenix company solution ...

Create a UK subsidiary

Said company is required to escrow all source code before any more of the mother company's product is allowed to be sold.

1) declare the UK subsidiary which holds the liability for patching bankrupt.

Source code is released under escrow terms for others to fix.

2
0
Silver badge

Re: Phoenix company solution ...

Bonus points if the legislation leaves open-source authors with the liability of fixing their software. (Although figuring out who to sue in a project with lots of contributors could be fun, particularly when the bug arises from interactions between patches.)

0
0

Get Real

1) Humans have faults, Humans write Software, ergo Software has faults

2) Technology changes - should I expect Ford to continue to provide spares for a 1980's Mondeo?

3) Should the NHS have a contract with the supplier of the MRI machine which dictates that the software that drives it be updated in line with its dependencies (i.e. OS/browsers/whatever)? Absolutely! Or that they open source it so that someone else can maintain it? Or that the NHS has sufficient funding to replace/maintain said software/hardware in order to remain "supported"...

3
2
Bronze badge

Re: Get Real

4) The first Mondeo was an L reg, which puts it at '92, which is also the last reg of the Sierra..

0
0
Silver badge

Re: Get Real

I can still get parts from Ford for my '31 Model A and '32 Model B ...

3
0
Silver badge

Re: Get Real

I think there is a legal requirement for car manufacturers to provide support and spares for a certain number of years after a car's last production date. At some point they seem to release enough details for the pattern part market to continue providing support beyond that.

0
0
TRT
Silver badge

It's tricky...

because my answer would depend on the criticality of the issue being fixed. How do you define that? Is it a bug that will just cause the computer to keel over and BSOD, thus allowing DoS attacks, or is it a bug that could execute arbitrary code with full system privileges and permanently compromise a machine? What's the likelihood that this security issue is able to be weaponised? Has it been done already?

Not questions that have easy answers for the legislative machinery to grind its way through.

0
0

Motor car recall

Surely the comparison here should be with the motor vehicle industry.

If a vehicle contains a dangerous fault then it is recalled and repaired at the expense of the motor vehicle manufacturer. Why should software be any different?

2
0
Gold badge

Re: Motor car recall

Fine as long as you realise that the entity analogous to the motor vehicle manufacturer in these cases is the company that makes the medical equipment, of which a Windows OS is merely a component part.

It is the job of an engineer to create a more reliable whole out of less reliable parts. Otherwise every chain would only be as good as its weakest link.

0
1
Silver badge
FAIL

Re: Motor car recall

Every chain IS as good as its weakest link. Or maybe you want to explain how one of its myriad other parts protected the Challenger from its Thiokol ring failure...

0
0

Every product has a design lifetime.

That should be clearly stated before the product is sold - including consumer products. During that time, parts, drivers, consumables, security updates etc availability should be guaranteed - with an insurance policy covering consumers in the event of supplier failure.

When a product incorporates another product, the integrator should be responsible for ensuring continuity of support for all components for the life of their product (including drivers and interfaces to other products).

Then, if someone uses a product beyond its design lifetime it is their problem when it fails.

You cannot assume that a general-purpose computer (or its operating system) will go on forever.

2
0
LDS
Silver badge

Why only Windows?

What about all the other software around? For example, my ADSL router firmware has not been getting updates for a really long time. Isn't it a "critical piece" too? (There's now a pfSense behind it, so not much of an issue, in my case.)

And the real issue is: how long should a company, *any* company, support its software? Support has costs, and they will of course be charged to users, old and new. What's wrong with charging for support? Don't we pay for maintenance of cars, heating systems, etc.? Why should software be different? Most physical items have a limited warranty (and some people outside the EU complain the two-year mandatory warranty is too long...). Only life-threatening issues will usually be fixed outside of it for free.

Software doesn't wear out, but surely "hidden" issues and vulnerabilities may surface. It may not work with newer devices. Old TVs were obsoleted by digital television - should Sony, Samsung & Co. have upgraded their TV sets for free? (Using an external set-top box is no different from putting a damned firewall in front of your old device.)

Also, bugs that are critical security vulnerabilities won't cause a system malfunction until it's attacked. In some ways, they are different from a defect that will cause issues anyway (i.e. the Intel Atom one). When people talk about car recalls, they speak about the latter. Not a thief bypassing a vulnerable car security system and killing someone while running away. If a ransomware blocks a critical system, is the culprit the ransomware writer, or the OS provider? If you kill someone because you didn't maintain your brakes - even if there are no more spare parts available - who is responsible?

Sure, they are a risk, sometimes a big one. Still, we have a lot of intrinsically risky items around (guns, knives, tools, some chemicals), and believe we should manage them properly. We know software has intrinsic risks. Why shouldn't we manage them? If I drive a vintage car or bike, I know perfectly well it's far from being as safe as a modern one. Should I expect it to be different, and the maker to upgrade it for free, in secula seculorum?

In this case, did Microsoft aim Windows at health devices, promising longer and free support cycles than those for generic use? Or was it the device makers who chose Windows? Why should they be exempt from delivering upgrades of their software to run on newer hardware (maybe your ISA card can't work in a modern PC?) and software?

In this instance, blaming MS looks really overkill to me. Sure, it had the patch for paying customers, and probably it has many others. It's how custom support works.

0
3
Anonymous Coward

Re: Why only Windows?

If custom support means only providing fixes to latent defects when people pay, then it is fraud.

0
1
Silver badge

Crappy coding

The real issue here is crappy coding and current versions of Windows aren't any better. Operating systems are designed to look pretty, be easy to use and function, nothing else. Security is always something that gets considered but never really tested and most of these bugs are simple buffer overflows.

How long have we been coding buffer overflows into software? WTF WTF WTF WTF WTF - you would have thought we might have learned by now but apparently not and no sign that this is going to change.

3
2
Silver badge

Who is going to do the maintenance?

To provide full support for all its old systems MS would have to have large numbers of programmers trained up in those systems (no one person can know more than a small part of code that big).

How are you going to persuade that many skilled programmers to take on a dead end job with no future? What are they going to do to keep current when there's no known bugs to fix? What are you going to do with them after the product is finally killed off?

The motor car analogy is not directly equivalent - the engineering skills can still be used on modern cars. Detailed knowledge of ancient code is not transferable in the same way.

Of course the motor manufacturers may run into the same problems as the cars get more computerised, and a car crash can be rather more serious than a computer crash.

1
0
Silver badge

Re: Who is going to do the maintenance?

"To provide full support for all its old systems MS would have to have large numbers of programmers trained up in those systems (no one person can know more than a small part of code that big)."

They could save money. They could ship better code in the first place.

And your general thesis founders on a single fact. They have already issued a fix.

1
1

I agree with most of the people above in that I believe that the supported lifetime of Windows has been well above good enough.

If you factor in that Microsoft even added in the option of extra paid-for support for those that really needed it, and by having them pay through the nose for it incentivised the beancounters to open up wallets to replace and fix what needed to be done. That some organisations, even with half a decade of warning, still fail to upgrade is not Microsoft's fault.

What I would point fingers at are vendors of kit with a long lifespan that just don't offer upgrades to software and drivers that work on modern systems.

2
2
Silver badge

What I would point fingers at are vendors of kit with a long lifespan that just don't offer upgrades to software and drivers that work on modern systems.

THIS^^^^^^

0
1
Silver badge

While XP was only supported until 2014, Windows 7 is under support until 2020, but how does that work when some versions of Windows 7 came with XP Mode, which is essentially a VM running XP? Surely if they are offering functions such as XP Mode as part of the OS, Microsoft should continue supplying patches for the XP Mode virtual machine until the support for Win 7 ends?

1
0
Silver badge

re: some versions of Windows 7 came with XP mode

Not to my knowledge. MS didn't supply XP Mode with Windows 7; it was a wholly separate download and so they were able to make it subject to the same EOL as XP. Remember Win7 was released in 2009, 5 years before XP went EOL, and XP Mode was provided more as a way of facilitating migration than a long-term solution.

However, MS are still supporting Office 2007 on XP - last week I received a bunch of security updates through WUP; interestingly, the SMBv1 fix for XP wasn't available through WUP, it has to be manually downloaded.

0
0

Safety Related Systems

The long term availability of vendor support is a basic problem for Safety Critical and Safety Related Systems, and many systems operated by the NHS will be of that nature. Due to the fully justifiable need for design assurance and lengthy pre-service testing, it can often take up to 10 years to get this type of (software) system from initial conception to in-service use - and you often want to get 20 years or so of use out of it in order to justify the investment. However, these sorts of timescales just don't fit with commercial product lifetimes for a vendor such as Microsoft.

It is no accident that Linux is now widely used in areas such as ATC etc. It is not because it is free, and not just because of its reputation for stability and security, but because it is Open Source and ultimately this means that the end user can take control applying security patches for ancient versions of the Linux kernel rather than having to pay (a ransom) to the original vendor for support.

In practice this allows commercial opportunities for specialist support companies to provide long term support for those users that need to have very long in service lifetimes - even beyond those for Red Hat Enterprise.

The bottom line is that if you are happy for your vendor to dictate the upgrade lifecycle then a product such as Windows may be suitable. If this is not acceptable then Open Source is where you need to go.

5
1
Anonymous Coward

"ultimately this means that the end user can take control"

Believe me, I've worked on ATC programs, and this is not the reason. Nobody I knew working on ATC software has the skill to touch the Linux kernel, or one of the many libraries implementing even basic services. Do you believe someone can jump from the kernel to Samba to Apache easily?

In many large programs lately there's been a push towards FOSS software for political and economic reasons (MS is seen as a single supplier from the USA...) - but not because the user can easily "take control" of code which is very far from its capabilities to change without creating havoc.

If needed, you would still need to pay some commercial entity to apply the changes and test all the stuff properly - just as write, and don't believe they will be cheap just because it's FOSS... when you have very few places to go, the bill will be high anyway.

1
0
Silver badge

Re: "ultimately this means that the end user can take control"

"Do you believe someone can jump from the kernel to Samba to Apache easily?"

Why yes. Yes I do. Not everybody, maybe ... But I know many coders who can do that kind of thing easily. And do.

2
1
Silver badge

Re: "ultimately this means that the end user can take control"

"But I know many coders who can do that kind of thing easily. And do."

And write a distributed version control application in passing.

0
1

Flawed analogy

"An analogy may be vehicles that develop a dangerous defect. Would we excuse the manufacturer and allow unsafe vehicles on the road?"

A better analogy is, "Should we excuse the owner and blame the manufacturer, when the customer has a breakdown on the highway driving a 16-year-old saloon that hasn't been in for inspection or maintenance in five years?"

There do exist software products that include commitments to supported lifespans of many decades. They are priced accordingly. However, this typically does not include a single desktop operating system release, and does not include Windows XP (though it was supported for enterprises extraordinarily long).

Windows writ large has been supported for 30 years, and there is a supported upgrade path at each step of the way. You cannot hold the "manufacturer" responsible when they ignore a product's specifications.

1
2
Silver badge
FAIL

Re: Flawed analogy

No. Your analogy is not better. Or even valid.

0
0
Silver badge
Mushroom

Complex software changes everything

If you have an old machine, say a classic car from the 1920's, you generally can't just buy parts for it from the manufacturer nowadays. However, it is possible to get bespoke parts made to keep it running, and there are those who do exactly that, although to do so costs quite a bit more than just buying a new car.

But complex medical machines cost much, much more than a car. So what do you do with your million pound+ diagnostic machine once the manufacturer of the software that runs it decides to not support that software anymore? We're not just talking PCs here. You can't just go buy a new one for a few quid or get pissed off at MS and decide to put *nix on it. And it's a pretty tall order to try to roll your own bespoke patches when you're dealing with a closed source operating system - and trying to do so certainly would violate the license.

And even when the issue is just about PCs, just replacing them may not be a simple option. Will the old, bespoke software that they use even run properly on the new version of the OS? Do you, as a government entity, have access to the funding it would take to "upgrade" to the new OS?

The fact that complex and expensive machinery or essential bespoke software is now dependent on a closed source OS changes everything. Everyone with such machinery is at the mercy of the vendor deciding to support or not support that software. Mechanical devices can be "hacked" easily enough and solutions found to keep them going. But what can the owner do when complex software is an essential part of an expensive device, and the vendor says "F*** you"?

So should NHS (and everyone else in a similar situation) just throw out expensive machinery because MS decided that everyone should buy a new OS? Perhaps NHS could (if funding were available) put a new OS on all their PCs, but will all the old software run correctly on the new OS? How much would it cost the taxpayers to make that happen? And what about expensive diagnostic machinery? Can a new OS even be put on those machines? Or should the taxpayers be forced to spend millions upon millions of pounds to replace those as well just so MS can make a bit more profit?

Another question is how much would it really cost MS to patch XP against this kind of vulnerability? Probably not a lot. If they charged all those XP users their actual cost of developing and releasing a patch, the cost to the end user would probably be a few pennies per machine. But they'd rather force their users into "upgrades."

Legislation? How about requiring that any software used in anything purchased by government must be open source and maintainable indefinitely? That's the legislation that MS and their ilk deserves.

</rant>

2
1

Bespoke software

Most of those who are running XP systems are doing so because the bespoke software they had written/bought back in the early noughties will only run on XP. They chose NOT to pay to update that software to run on Win7/8/10 and thus exposed their nether regions for the script kiddies to maim. Don't start bitching about someone not supporting an obsolete OS when you were given PLENTY of warning that it would no longer be supported. The fault is yours, you were too cheap to get your bespoke software upgraded.

Lesson learned? I seriously doubt it. I recently saw an SQL 2000 server that still had no SA password set. Slammer anyone?

1
3

The question is wrong

It should be "Should The Government be legally required to extend support for systems still in use in front line public services?" closely followed by "Should software suppliers to front line public services be required to update their software to be compatible with OSes <10 years old?"

Because some services will need to keep running software that simply doesn't run on Windows 7 or above with no upgrade path to one that does. That's how you get XP that won't die.

Also: For a lot of cash strapped public services, dosh earmarked for IT Infrastructure upgrades/improvements can quickly find itself being diverted into the budget for directly supplying those services. Ringfencing that cash with a legal responsibility to meet a minimum standard for IT might help concentrate minds in the right area.

1
0
Bronze badge

Many of the systems that were hacked are still on XP because they are running a critical system that is incapable of being upgraded.

I have heard of some very expensive pieces of medical scanning equipment that are tied to XP. They cannot be upgraded without replacing the hardware, and you're not going to replace a medical scanner that costs a couple of million pounds when the one you already have works well and is expected to still have another decade of use.

So why can't the version of Windows on the scanner be upgraded? Because the hardware drivers for it don't work with newer Windows versions.

They're stuck on an old version even after all this time because hardware like this goes through a years-long development and certification process before it even starts getting purchased by hospitals; upgrading to a completely new OS would also mean rewriting a lot of the core control software which means you have to start all over again with the certifications. And when hospitals do get to buy a piece of kit like this, they expect it to last long enough to pay for the investment. It's no wonder they're all still running XP.

But the problem is not so much that support was stopped for XP, it's that hardware like this should never have been based on XP in the first place. It isn't Microsoft's fault; it's the fault of the developers of the hardware. And frankly it should be they, not the NHS that should be the ones on the hook for making sure it is kept patched -- the lifetime support contract that the hospital signs with the vendor to look after the kit should include the software and operating system as much as the actual scanning hardware itself.

2
0
Silver badge

"But the problem is not so much that support was stopped for XP, it's that hardware like this should never have been based on XP in the first place. It isn't Microsoft's fault; it's the fault of the developers of the hardware."

The developers were probably in a bit of a bind themselves. The introduction of commodity H/W and S/W killed off the minis and Unix workstations that were used previously. Even if it hadn't it would have enabled competitors to have undercut any who still used such kit.

What would have helped would have been the certification authorities requiring long term support. That would have either required MS to offer it or, if they didn't, would have levelled the playing field and allowed specialist workstation manufacturers to survive. That in turn would have needed the certification authorities to have anticipated the situation we now have.

2
1
Silver badge

"What would have helped would have been the certification authorities requiring long term support."

Then what happens when NO ONE passes because of it? Now you have NO suppliers.

0
0

It should be supported for at least the life of the motherboard

The life of a desktop or notebook is determined by the life of the motherboard and the solid state electronics on it. The mechanical bits, such as fans, disc drives, connectors, and the power supply with short-lived capacitors are easily replaced.

The life of a motherboard is at least 15 years, so an operating system that is sold for 5 years should be supported with regard to security and safety defects for 20 years from first availability.

3
3

Are you people all insane? Code has DEPENDENCIES. You can't just write one patch that works on every version of some code you've ever released. If you start with version 1, and then you fix a bug and you have version 1.1, and then you find another bug that someone who hasn't bothered to install 1.1 wants fixing, what do you do? Make version 1.0.1 and 1.1.1?

Then the next change is going to require you to ship

1.0.0.1

1.0.1.1

1.1.0.1

1.1.1.1

and so on until 64 patches later you have 9,223,372,036,854,775,807 versions you're trying to simultaneously support.

To install a new patch, you must first have installed all the patches that went before, otherwise who knows what will happen. And we have a name for a fully patched version of Windows with every upgrade applied: We call it Windows 10.

0
3
Silver badge

The a la carte patch system we've had for ~20 years has worked quite well... better, in fact, than the "end user IS the beta tester!" Windows 10 cumulative patches that are supposed to be better than the individual patches.

1
0
Silver badge

Bah!

I'm sending a note to OPOTUS and former Cyber Czar Giuliani to the effect that we used to have Unisys mainframes and greenscreens and never once got hacked in twenty five years.

One massive re-rollout later I shall have employment for the foreseeable future and all the Javascripties and C-like language scaredy cats will be sent off with a flea in their collective ear as they so richly deserve and be told to go back to school and learn proper computers and to keep off my lawn.

Trump shall Make Computing Great Again!

3
0

I might have sympathy for Microsoft if ...

... if they played fair and provided proper upgrade/downgrade paths from one product to another. They could even charge (not too much) for it.

Have you ever tried to upgrade a WinXP PC to anything later?

The same goes for their various email clients. We've had real trouble moving emails from Outlook on XP to Outlook 2010 - it shouldn't be like that.

Don't even think about Outlook to Mail for Windows 10.

If only Microsoft were to act responsibly, this issue may never have arisen.

And I'm sure they could find a way of playing nice and still making a profit.

It's time they learnt that the big stick isn't the best solution for anyone.

3
1
Anonymous Coward

Important point here...

MS have pushed equipment manufacturing companies to use Windows (or its embedded variants) within their systems. So, a lot of MRI, CAT, X-Ray, etc. machines have a built-in Windows component.

It is often the case that these cannot be upgraded (especially when MS have "special" code that prevents new versions running on old hardware), but why should a multi-million $ system have to be replaced?

If an OS is marketed for use in kit like this, it should be supported for the lifetime of the product, not the OS. To be fair, that's why MS have the "embedded" range (XP embedded support runs to 2019), but that's quite often not chosen as it can be a pain to work with.

3
1

The car analogy has me thinking...

Do you recall the giant airbag recall over the past couple of years?

Turns out a bunch of car manufacturers had to replace the airbags with new ones on even those cars that were 15 years old.

So, by that law requirement, patches would be necessary to older / legacy operating systems?

Is that a flawed analogy to use?

2
0
Anonymous Coward

I blame the management....

I blame the management. I am taking info from the Cambridge news, quoting from Prof Ross Anderson, Professor of Security Engineering at the Cambridge Computer Laboratory.

“Failing to patch your computers is like failing to wash your hands after going to the toilet. It isn't the Secretary of State's fault. It's not the Chancellor's fault for not giving the NHS enough money. It's your fault. It's negligence.”

"...typical IT director is a senior clinician supported by technicians. Yet despite having their IT run by well-meaning amateurs, only 16 NHS organisations have been hit"

Basically this is the same as asking an IT guy to administer an operation.

Put a decent IT manager in EACH SITE who can take an ACTIVE part in procurement, to point out to the Clinician that the PC will require updates and include that in the contract, and not let a bean counter choose the cheaper option if it can't provide the updates for the life of the machine...

Who can force local updates, understand the implications of the legacy machines and work ways to solve them. Don't leave it to just large contracts who are tied in and are more concerned with profits for the contractor than solutions for the user.

AC as I work far too close to a Hospital.....

2
0
Anonymous Coward

Re: I blame the management....

It's not quite the same. More a case of going to the toilet and then finding that the means to wash your hands has been removed...

1
0
