"or else all the vendor will placed on a blacklist"
Journalism as a second language? 8)
Microsoft has got off remarkably lightly from WannaCry, as the finger pointing between Whitehall and NHS trusts began. But that might be beginning to change. The NHS had 70,000 Windows XP PCs, but only after the ransomware hit did Microsoft issue a patch. Officially, support had ended in 2014, spurring an upgrade cycle. In a …
I'll go with "NO", even though I'm not a fan of either Microsoft or proprietary software in general.
Why? Because if you choose to "buy proprietary software" (i.e. purchase a limited license to use somebody else's software) then you do so in the full knowledge that what you're actually buying is a limited term contract for a service, you're not purchasing real property that you should rightfully get to use forever (or whatever arbitrary period you deem acceptable).
The real wake-up call here should be to stop buying proprietary software, and instead invest in something that can be maintained independently of the vendor (i.e. open source).
Funny, I would use the same argument to say there is an expectancy for updates. You buy a perpetual licence (like most XP ones were) so they agreed to fix it for the length of a licence.
I bought my car outright; I don't expect GM to come and fix it every time it develops a fault.
Of course 16 years is too long to expect a company to support a product
@johnfbw: Well, your license is only "perpetual" in the sense that Microsoft will not sue you for attempting to continue using it long past the point where it ceases to be useful.
Like it or not, proprietary software is a service, not a product. Once the vendor drops support for that service (and subsequently the entire ecosystem surrounding it), the utility of the thing you paid for rapidly drops to zero.
"Perpetual licensing" is like a bus pass for service that stopped running years ago. Yes, you have the contractual right to take that bus, in theory, if it ever runs again. Which it won't.
@ac: "maintained independently" doesn't have to mean you, it can be a contractor you outsource work to, or (more likely in the case of open source) a community of volunteers. The idea that open source is only useful if you personally are a programmer is ill-considered. At the very least you have more flexibility than you do with some vendor's proprietary solution, which he can and will eventually terminate. Surely some option is better than none.
The point is that those at the NHS (and anyone else with such expectations) are incredibly naive if they think they can pay once and play forever. One way or another they will be forced to face the responsibility of maintaining a currently working solution, whether it's paying Microsoft once every few years for a platform upgrade, or paying a service company to maintain a constantly updated open source solution, or even paying in-house engineers to develop and maintain their own system.
That's just Admin 101, and yet strangely it seems to be a concept totally beyond the grasp of the NHS (and other organisations still using archaic software).
"Of course 16 years is too long to expect a company to support a product"
There's a difference between supporting a product in terms of adding new functions or drivers and fixing a defect which was present when the product shipped.
But let's not lose sight of the fact that when the shit finally hit the fan MS made a fix publicly available within hours.
If they were under no obligation, it was too long to expect them to do it etc then why did they do it?
I can think of three explanations:
1. It was to mitigate a PR disaster.
2. Events brought it home to them that they had a moral rather than a commercial responsibility.
3. They anticipate legal action and are attempting to mitigate any penalties.
I don't think the last one flies - it simply points out the fact that they'd held back something that could have been made generally available.
But let's not lose sight of the fact that for whatever reason they have done what lots of commentards have said they didn't have to do.
Windows XP is still functional as an offline Operating System, but anyone continuing to use it beyond EOL support cannot expect to remain safe online. The reality is that hackers are constantly scanning for vulnerable computers, so no device without the latest updates is safe online. Even with the latest updates your device is still vulnerable to zero-day exploits.
Rather the onus should be that anyone responsible for a critical online computer system should ensure it remains updated and fully patched, just as the driver of a vehicle that is driven on public roads is responsible for getting it serviced. Frankly anyone administering a network with Win XP machines should have configured the network to block all internet packets to/from those machines, so they can only access local network resources.
Well if I was to go Open Source I would want it to be supported forever too, but let's be charitable and say 20 years. Is it reasonable that I should delve into the source and fix issues? Do I have the skills and the time? Probably not. Very few people do. So perhaps it should be incumbent on the people who submitted the code in the first place to maintain it? Which is absurd. Who would ever submit Open Source code if it came with a commitment to support it for 20 years?
What happens in reality is if you need Open Source and you need it supported "forever" (i.e. you are a business where it is critical for you) you take out a contract with a third party vendor to support the software for you. And if you decide not to pay said vendor or they decide that it's no longer economic to support the software, that's it. Game over. You have old unsupported software exactly the same as if it were proprietary unless you are prepared to throw lots and lots of money at it ..... i.e. just about the same.
I agree completely. Your last point is interesting though - if this were OSS or M$ had decided to open source the code at end of life, then governments & corporations around the world would have had the *option* to build their own in-house support for the product.
In the case of UK Gov that may well have been the cheaper way to go, but having worked in that sector I don't believe for a second it would have actually happened.
It really, really pains me but I have to side with Redmond on this one; they gave fair warning that XP was going end of life and the general poor security of that OS was well known to all of us. I'm sure every techie worth their salt has been beating the migration drum for years, but at the end of the day politics always wins......
"I agree completely. Your last point is interesting though - if this were OSS or M$ had decided to open source the code at end of life, then governments & corporations around the world would have had the *option* to build their own in-house support for the product."
It wouldn't be necessary to open it in the FOSS sense but to place it in escrow. The terms for release from escrow could place an NDA on whoever then took up maintenance. This would be a sensible provision where it's been incorporated in a product whose reasonable life expectancy exceeds the support life of the product. It's maybe something that regulatory authorities could require for medical equipment in the future. If an OS vendor was unwilling to do this then the equipment supplier would be obliged to go elsewhere.
Microsoft could agree or not as it pleased. If it judged the market too small to bother about that would be their commercial choice. If they chose not to remain in that market the equipment makers would be free to look elsewhere. Give or take proprietary drivers FOSS fits this bill automatically. There would be scope for someone to offer support well beyond the normal life of an LTS distro as a commercial proposition. An existing proprietary embedded Unix derivative such as QNX or VxWorks might also be a good fit.
Most people purchased XP with a new PC, if the machine is still running then so should the OS.
This should include any patches required to fix fault/security flaws present at time of purchase and the lifetime of the OS should be dated from the last fix.
If MS had got rid of all the problems with XP then they could reasonably step away and say "that is as good as it gets" but they never fixed the problems instead they just released a new OS with the same problems which they will only fix once they are abused.
In the UK at least car manufacturers are required by law to maintain parts for the expected lifetime of their products, why should MS be different?
If the code for XP was public domain once MS abandoned support then the customer could source their own repairs however since MS just prettied the old OS up and resold it as a new product then the code remains proprietary and unobtainable therefore only MS can fix it.
Ultimately this means that MS operating systems are unsuitable for any application where the customer would expect the product they purchased to last as long as the hardware.
Thus MS should automatically be excluded from any state funded endeavour, MS are fine for gaming but if you want a professional product then look to a professional operating system that will continue to support hardware through each revision such as your flavour of unix.
That MS are notorious for dropping hardware support between OS versions is well known in the industry and these tax payer funded projects should never have allowed MS in let alone continued paying them to support a broken OS.
[I work in the med tech industry]
I've been following this discussion for a couple of days now, seen the arguments, and am left with a couple of questions for the distinguished commentards here:
--- The discussion (or finger pointing if you will) has focussed on the Government, NHS, Microsoft... I did notice that the party shining through absence is med tech producers. I mean, sure, if the NHS buys an MRI, CT, or another software driven system from for example GE, Philips, Siemens, Toshiba, then they also have a service contract. And think about it, this doesn't include software..?
--- "OK, but this med tech is so sophisticated, you can't just change the OS on an MRI, now can you?" Humm... You think, if you buy a new machine now (which could very well be the same model as 10+ years ago, since tech turn over isn't that big as you might think), that it's supplied with XP?
--- "You can't expect a supplier to support a product for 16 years". Well, maybe this is true for cars (don't think so, think product recalls), but for med tech this might surprise you. After all, you don't buy a CT or MRI of a couple of million pounds to use it for just 2 years. And even if a CT has been in use for 15 years, you still don't want it to make pictures with Chernobyl levels of radiation, now do you? I invite you to lie down comfortably and let me make pics of you with such a machine, and afterwards hear me make an excuse like that...
--- And just because I'm an "old" person: I can remember times, let's say 25 years ago, when such med tech was developed (e.g. CT, MRI, automated light microscopy pathology sample scanning/ image analysis), and many were Acorn RISC based. Or had their own, unique program running on top of DOS. And please understand that I'm not saying current systems are bad. What I'm saying however is that here too the "dirt cheap" and "bottom line vs. quality" movement also made its entry. So might our (society) drive to prefer cheap over quality not come with these kind of consequences?
--- And if your argument is there that operators are (only) familiar with certain OSes, then apologise to technicians, who are educated operators, and can work anything we can develop, because of their long, in-depth, and dedicated training, passion, and commitment. Physicians? You really think (all of them) can operate med tech?
--- Big, bulky, or heavy on tech equipment has been used in the aftermath of Wannacry to excuse (some trusts of) the NHS. But is this really the software we're talking about? Isn't it just a lot of accountancy software, admin systems, data storage, and these kind of systems? Aren't in-your-face-everybody-can-relate-to-that examples (like MRIs, even here on elReg) used to cover for just secretary boxen?
A crying shame indeed, a fact that I'm not trying to water down or dispute.
But (if I get the essence of your remark correct) I ask myself whether this is because the patient can't be treated, or whether the "patient" can't be billed (please excuse the bluntness by intent).
And don't get me wrong, I've been around (within this therapeutic area) long enough to get that "treatment for cancer" can be anything from pumping people full of chemotherapy, to using a high tech Accuray kind of "radiation knife". Or could mean surgery or Ab based adjuvant therapy. Or the point focussed radiation therapy somebody else here spoke about. And yes, a lot of nifty software is used in some of these cases. But then again, in a lot of these cases there isn't...
"the NHS buys an MRI, CT, or another software driven system from for example GE, Philips, Siemens, Toshiba, then they also have a service contract. And think about it, this doesn't include software..?"
It does include the software that is proprietary written by the supplier to meet standards e.g. In imaging that is DICOM. BUT the underlying O/S isn't usually written by the supplier, it is usually a flavour of Linux or Windows and hence reliant upon the o/s vendor for patches.
An MRI shipped today will probably be on Windows7, that has the same vulnerability as XP if not patched. But the supplier has to undertake a significant amount of testing to pass CE validation. Most large suppliers are not geared up to respond quickly to zero day patches. In the majority of cases medical devices need hands on patching and then possibly several hours of testing before releasing the device back to the hospital. This could take a device out of operation for a day, cancelling appointments, so typically patches are rolled up into a single update and site visits planned up to 6 months in advance to limit both patient impact and costly engineer site visits.
As you know James, working with DICOM isn't necessarily proprietary; even free downloadable, old, simple JImage can work with DICOM. It is the software surrounding it, created by the manufacturer, the GUI of the machine if you will, that is proprietary. And done so for understandable reasons. And yes, you're right, that is created on top of Windows.
You got a very valid point about the update cycle, maintenance, and taking the machine off line. After all, a machine that doesn't do a patient, is losing money. And this wasn't what I was trying to bring up. However, you write "An MRI shipped today will probably be on Windows7, that has the same vulnerability as XP if not patched." But that was also not what I meant. What about the (service) obligation of the manufacturer to upgrade the systems to W7, if the 10 year old system still runs on XP (as was suggested in the media - not my remark). Furthermore: "Most large suppliers are not geared up to respond quickly to zero day patches." Indeed. And still they build their proprietary GUI on top of a system that is sensitive to this. So, or they should think of a way to service it accordingly, or they made the wrong design choice. I'm not saying what's wrong or right, I'm just saying... Especially since I've seen different approaches "back in the days"...
"What about the (service) obligation of the manufacturer to upgrade the systems to W7"
Most long term contracts I've seen usually include a system refresh half way through, so replacement software and o/s and depending upon the equipment, hardware, at year 5 of a 10 year contract. So if medical devices are still running on XP, perhaps they are on the backend of the cycle and waiting for either a contract extension or full replacement. Given the NHS is strapped for cash and the red tape involved, chief execs won't support a business case to update a medical device if it's still in contract. Or should I say, wouldn't have approved a business case.
I also work in the medtec industry
Product life is required to be considered in the development and risk management for medical devices.
Large equipment manufacturers GE, Philips, Siemens etc normally have a policy of supporting products for ten years after they were last sold but in practice continue beyond this.
It is a requirement that risks arising from medical devices are constantly reviewed and the risk of a security issue causing damage to health must be considered by manufacturers for equipment in the field even if not currently manufactured (PMS). This would include the possibility of security related issues. If there was an issue identified it may or may not result in updates to the SW or other measures such as recommended configuration changes, firewalling, procedures etc but the risk would need to be assessed and managed.
Most medical devices have a requirement for regular maintenance but this does not necessarily need to be performed by the manufacturer.
Realistically no manufacturer of anything can give an indefinite commitment to support it. They should communicate what their policy is and when support is coming to an end. The support period should be reasonable given the nature of the product. In the case of a less massive company they could cease trading and that would end all support.
I am generally no fan of MS but they seem to have acted quite reasonably in this case.
You're right, especially after the regulatory MDD changes in April this year. And with those changes the discussion about who should "service" might also be answered. After all, the MDD obliges the manufacturer to "monitor continuously" the performance of the device in every day use, and this is not necessarily connected to PMS studies (although could be of course, and seen as favourable). And indeed, with these changes there is now a much bigger emphasis on risk management/ avoidance. With that in mind, and the realisation that according to classification, software that drives a device is seen as an active medical device, and falls in the same device class as the device it drives, I see discussions about the "who, how, what, and when" of the obligation to service on the horizon...
@Nattrash: Thinking about your 1st & 2nd questions. That the piece of med-tec that costs millions is dependent to such a high degree on an OS that cost around 100 quid is probably a design flaw. It can be easily argued that both purchaser and supplier should be aware of this dependency, because the lifetime of the potential usefulness of this expensive equipment is limited by a commodity product beyond the control of both parties. Would it be so hard to remove OS dependency in the med-tec software if it was better built?
You could also argue the fact that the supplier is unable to support the med-tec equipment for an adequate length of time due to dependencies beyond their control shows a particular lack of foresight and due diligence in software design. You could also make the same due diligence case against the purchaser for not looking into such proprietary dependencies, especially in a public purchasing organisation.
Your fourth point about price vs quality I suspect may provide the answers.
And yes, your final point, is probably correct. It seems (only from reading the news) much of the affected systems were administrative in nature anyway. I mean, I hope network managers, operators, etc think twice about connecting a CT to the department LAN and then onward to the internet. Ahem.
in principle I agree with you, there are many health care capabilities that have VERY specialised kit, wifey's team has a cluster of whizzy Dell kit that does incredible number crunching and real-time modelling for radiotherapy treatment, what chance is there of a team of well-intentioned souls developing something to replace it???
We live in hope...
"The lawyers have more chance of getting Comey his job back that getting MS to admit to anything."
It's not the lawyers' job to get their clients' opponents to admit anything. Their job is to get a court decision in their clients' favour. An admission might be useful but not essential.
@davidp231 that is how I read it. The patch was issued to those that paid for it, as per the guidelines issued before XP support stopped.
This whole issue is insane. MS provide longer support than any other software company for its products, Heck, Google have announced that they will stop issuing updates to their own Android devices after 18 months and security patches after 2-3 years.
Apple dropped support for older Macs after only a few years - my 2007 iMac hasn't had a security update since 2014, but it still runs Windows 7, so it actually gets support from Microsoft for nearly twice as long as Apple provides for its own products!
If Microsoft had just stopped supporting XP all of a sudden, I could understand the outrage, but we are talking about users and businesses having over 15 years of warning that they would need to upgrade to a more modern version... And, for those that were short sighted enough not to be able to get their systems updated in time, they offered paid support.
If you are dumb enough to use out of date software and still dumber not to pay for extended support, then you are your own worst enemy.
Also, if they do change the law to make manufacturers provide support in perpetuity, then it will have huge impacts on prices and how often new versions are released. Not an entirely bad thing, but we will see software prices climb again, as the long-term support needs to be calculated into the purchase price.
Sorry, that is horseshite.
"And most OEM vendors don't even see said updates."
The updates are posted every month on Android AOSP git repository, and patches are posted for (currently) 4.4, 5.0, 5.1, 6, 7 and 7.1
The OEMs definitely see them, and the reputable ones update devices for 2-3 years, sure they might not pick up every patch every month, but they do release patches.
NOTE: Don't believe the media, they are too stupid to understand that full-version adoption rates and security patch adoption (which isn't measured) are totally unrelated. They will pretend that just because only x% of devices run the latest Android, it means everything else is old and unpatched, which is total nonsense. Any media outlet or self proclaimed "security expert" pushing this lie really needs ignoring.
MS gave fair warning XP was going end of life. They offered an expensive option of extending support, possibly to make money, possibly to force everyone's hand to upgrade.
Particular issues for the NHS have been a 'perfect storm' of a significant squeeze on finances; XP being embedded in suppliers' systems that may take significant time to revalidate to get CE kite mark accreditation; significant number of bespoke systems supplied by one-man-bands, whether in-house or third party, who don't have the resources, time or inclination to redevelop and revalidate the software on a newer o/s.
So you might say we'll just stop using these systems but that is easier said than done when the government keeps increasing pressure on the NHS to improve efficiency and reduce costs. Amber Rudd was on TV saying the government has increased NHS spending and was surprised that Trusts hadn't patched. What she didn't mention is that they've also removed a lot of the centrally funded IT systems and pushed the costs onto individual Trusts, reducing their net spending power.
It's no surprise that GPs were worst affected. Under the Tories' 'rationalisation' GPs are self employed. They keep any profit they make so what is their incentive to employ IT specialists to keep their systems updated or purchase new PCs every 3-4 years?
See title.. .edited Poll appeared
But I think just because it is running XP doesn't mean you can't treat the equipment (say, an MRI scanner) and the (XP) interface like an industrial device. That means not sticking Outlook on it and plugging it into the wider Internet. It should be off by itself with little or no access to the rest of the network.
Maxsendq - Clearly you have no idea how MRIs and other diagnostic systems integrate within a health environment.
If the MRI is in its own bit of network with no access to other systems, how does the MRI get work lists (list of patients to scan) from the RIS? Then the MRI scanner needs to send its images somewhere i.e. PACS! The PACS system needs an interface to the RIS to match patients' appointments with the images, the RIS and PACS need access to the PAS to get patient information updates, clinicians need access to PACS from everywhere in the hospital(s) so they can see the images and treat the patient. NHS reporting Radiologists and companies around the world that provide 24x7 radiology reporting services need remote access to PACS and RIS. Radiologists need access to the internet (as per Royal College of Radiologists guidelines) from their reporting workstations; PACS reporting monitors need to send their self diagnostic information to the supplier and/or Nuclear Medicine regulators (usually via either the internet or NHSnet) to meet legal requirements for monitoring pixels / resolution.
So closing off diagnostic equipment from all other systems isn't realistic.
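The two positions above (block all internet traffic to and from the XP machines so they can only reach local resources, versus the MRI still needing its RIS worklist and PACS archive) reconcile as an explicit allow-list for the legacy segment. The following is an added example, not code from anyone in this thread: it models that policy and runs it over a few constructed flow records. The VLAN, the RIS and PACS addresses, the site address range and the ports (DICOM on TCP 104 or the registered 11112, HL7 MLLP on 2575) are all assumed deployment values, not anything stated on the page.

```python
"""Allow-list audit for a legacy (Windows XP / modality) network segment.

Added example. Policy modelled:
  * legacy hosts may talk only to named local services on their expected ports;
  * anything from the legacy segment to an address outside the site range is
    treated as internet egress and denied;
  * anything else, inbound or outbound, is denied, with SMB inbound called out
    explicitly because that is the lateral-movement path WannaCry used.
All addresses and ports below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed hospital address space; anything outside counts as "not local".
SITE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed VLAN holding the XP-based modalities.
LEGACY_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
# Assumed local services a modality legitimately needs: (name, host, TCP ports).
ALLOWED_PEERS = [
    ("RIS (DICOM worklist / HL7)", ipaddress.ip_address("10.20.40.10"), {104, 11112, 2575}),
    ("PACS (DICOM store)", ipaddress.ip_address("10.20.40.20"), {104, 11112}),
]
SMB_PORTS = {139, 445}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


# Constructed flow-log format, e.g. "src=10.20.30.5 dst=10.20.40.10 dport=104 proto=tcp"
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record into a Flow."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)),
                int(m.group(3)), m.group(4).lower())


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'n/a'."""
    src_legacy = flow.src in LEGACY_SEGMENT
    dst_legacy = flow.dst in LEGACY_SEGMENT
    if not (src_legacy or dst_legacy):
        return "n/a", "flow does not touch the legacy segment"
    peer = flow.dst if src_legacy else flow.src
    # Explicit allow-list: named local services on their expected ports only.
    for name, host, ports in ALLOWED_PEERS:
        if peer == host and flow.dport in ports and flow.proto == "tcp":
            return "allow", name
    if src_legacy and not any(flow.dst in net for net in SITE_NETWORKS):
        return "deny", "internet egress from legacy segment"
    if dst_legacy and flow.dport in SMB_PORTS:
        return "deny", "SMB inbound to legacy segment (not on allow-list)"
    return "deny", "peer/port not on the legacy allow-list"


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Evaluate each record; returns (verdict, reason, original line) per record."""
    return [(*evaluate(parse_flow(line)), line) for line in lines]


# Constructed sample records: worklist fetch, image push, a web fetch to an
# outside address, a file-server probe, an inbound SMB connection, a PACS
# connection back to the modality, and a flow unrelated to the segment.
SAMPLE_LOG = [
    "src=10.20.30.5 dst=10.20.40.10 dport=104 proto=tcp",
    "src=10.20.30.5 dst=10.20.40.20 dport=11112 proto=tcp",
    "src=10.20.30.5 dst=203.0.113.7 dport=443 proto=tcp",
    "src=10.20.30.5 dst=10.20.50.9 dport=445 proto=tcp",
    "src=10.20.50.9 dst=10.20.30.5 dport=445 proto=tcp",
    "src=10.20.40.20 dst=10.20.30.5 dport=104 proto=tcp",
    "src=10.20.50.9 dst=10.20.40.20 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for verdict, reason, line in audit(SAMPLE_LOG):
        print(f"{verdict:5}  {reason:50}  {line}")
```

Run as a script it prints one verdict per record; three of the seven constructed flows are denied (the outside web fetch, the file-server probe and the inbound SMB connection) while the RIS and PACS exchanges in both directions pass. The same rules translate directly into a stateful firewall policy for the VLAN, which is the practical form of "off by itself with access only to what it needs".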
All products have a support life, after that it's tough.
But we have to keep using "x" as "y" will only work on that.
Possibly you should have made a better choice than "y" or ensured it would run in a broader environment.
How much only works in IE or IE6?
All products have a support life, after that it's tough.
Let's differentiate between new functionality, and fixing flaws in what was originally built and sold. In my view MS should not have to make XP work with new peripherals, interface using new protocols or the like, but I do think they should be obligated to fix faulty code that they've already been paid for.
MS did fix the bug. Recent versions of Windows are safe.
When people bought the affected WinXP machines they were or should have been aware that support will eventually end. If they chose WinXP in this knowledge, it's not MS's fault when these customers gambled and ran outdated software that became a target of malicious code.
And: One could argue that MS is not even at fault. The code works fine when it is used as intended. A malware attack clearly is outside the intended scope. You wouldn't claim that a car maker is at fault if a car explodes when somebody maliciously shoots it with a gun.
"You wouldn't claim that a car maker is at fault if a car explodes when somebody maliciously shoots it with a gun."
I think we would. Systems should be built with some level of resilience.
I don't know how many Win98 systems are still around, but MS probably have a reasonable idea of how many there are...
WinXP is still widely deployed - and security fixes (NOT increased functionality, new drivers etc) should be maintained for a *very* long time.
OTOH should we also be looking at the suppliers of MRI scanners etc which are often blamed for being the cause of 'staying on a known OS'. They ought to be obliged to release software for newer versions of their chosen OS (whether that's MS/OSx/*nix/*BSD/....) for the expected lifetime of the machine (probably more than the expected life actually)
Windows XP does still get security patches, if you pay for them.
If you decide to continue using Windows XP, there is the option to pay Microsoft an annual fee to ensure that it get security updates. That is reasonable.
Either the price of the software needs to increase to cover the extended support costs - so, Windows would cost a couple of grand, instead of 100 UKP, because they will need to support it "forever", or the price needs to remain "affordable", with the knowledge that after a defined period of time (a period of time, which is defined in black and white before you ever buy the product, I might add) and after that period of time, you will either need to upgrade to a supported version, or you need to pay for the extended support.
Patching older versions of software is an expensive business and it needs to be paid for. If you don't like it, move to open source and patch it yourself, when the maintainers decide that your version is too old (18 months for most distributions, 5 years for some enterprise releases, I think only RedHat/CentOS and SLES offer anything approaching 10 years, and they cost real money).
"OTOH should we also be looking at the suppliers of MRI scanners etc which are often blamed for being the cause of 'staying on a known OS'. They ought to be obliged to release software for newer versions of their chosen OS (whether that's MS/OSx/*nix/*BSD/....) for the expected lifetime of the machine (probably more than the expected life actually)"
You could argue it's the MRI supplier's fault:
1. The MRI supplier should choose a base OS with a suitably long support lifespan - via contract negotiations with the OS supplier.
There are plenty of other OS vendors out there for embedded systems to choose from.
2. The MRI supplier should support their own customers, by providing a process for upgrading the base OS *and* associated applications on existing hardware, when the base OS is obsolete.
And in turn you could argue it's the customer's fault:
3. The customer should get the vendor to undertake to support the product for the expected lifetime of the product, by means of contractual negotiations at purchase time.
Of course, everybody is moving to a SaaS model now, including for hardware. I suspect in future you'll be able to rent your MRI scanner by the year. Of course, you end up paying more in the long run, but as long as you continue to pay, the vendor has both the incentive and the resources to continue to support it.
we see this quite a bit with scientific equipment (I work in a lab) what generally happens is boffins buy say a new HPLC cost £250k from a grant. Said HPLC comes with a PC, software to run the kit and 3yrs maintenance. Boffins run bit of kit for length of grant, say 3 years. Grant funding ends, boffins obviously still use the HPLC for other projects. PC dies year 5 so need a new one, no maintenance has been purchased so they can't upgrade the software unless they pay and software won't now run on a new OS.
@John Robson - The Pinto was liable to catch fire in a rear-end collision - While collisions are not normal use, it's something that can be expected to happen during normal use (similar to a power outage in PC terms). A better analogy than shooting the car (see Mythbusters results on that) would be someone cutting the brake lines. Also, the Pinto was recalled during its production run, not long after it stopped being "supported".
I'd say a maximum of 12 years support for OS's, with subscription-only security-only support after 10 years, because 10 years is the longest even slower upgrading business should try to maintain machines, because computer technology design does age, and the physical hardware can age too and become increasingly more costly to maintain, if you can still get compatible parts!
Maybe require an audit of the age of computer hardware and software in a business, with warnings issued for too old equipment which is not planned and scheduled for replacement.
"WinXP is still widely deployed - and security fixes (NOT increased functionality, new drivers etc) should be maintained for a *very* long time."
Car manufacturers don't continue to produce spares or provide other support for models sold over 10 years ago. Nor do manufacturers of phones, PCs, fridges, washing machines or pretty much anything you care to mention. The military often demand long service lives for their equipment - but this is for bespoke equipment and the longevity doesn't come cheap. MS and others of their ilk are quite open about the life cycle of their products - users cannot expect to ignore this just because they feel their work is important.
Back in the 80s and 90s, if one phoned for software support on minicomputers, the first question would be about your support contract and the second would be to ask the patch level of the system in question. If the system was not up to a recent level of critical patches, the support folk would suggest that the system was updated to a supported level and to call back if the problem remained. Software support was always contingent on keeping systems up to date. This seems even more worthwhile with the Internet and rapidly changing security threats.
@JohnG, it is still the same today: we have support agreements on all critical hardware and software, and if something breaks down, the first question is the support agreement number (they check to see if support has been paid) and the second is to check what firmware / software version number is in use. If it is old, the first step is to get it on a current version, to see if that fixes the problem.
(We had that with a server, a SAN and our SuperLoader recently)
"OTOH should we also be looking at the suppliers of MRI scanners etc which are often blamed for being the cause of 'staying on a known OS'. They ought to be obliged to release software for newer versions of their chosen OS (whether that's MS/OSx/*nix/*BSD/....) for the expected lifetime of the machine (probably more than the expected life actually)"
A recent post by an engineer who's worked on such kit suggests that this is by no means straightforward and you could actually brick the instrument by getting it wrong. At the very least you'd have to re-certify the new combination.
But MS have forced the adoption of XP past its natural life.
THEIR fault not the customers.
I don't know about anyone else, but you buy an operating system to run programs.
If they kill off things we keep using OSes that run them.
As mentioned many many times before.
Vista killed full screen command prompt (VGA DOS programs) and 7 32bit NETBIOS.
If they had included 16 bit support in 64 bit, and kept NETBIOS, and still allowed full screen VGA mode applications we would have seen XP go sooner.
We have had customers FDISKing Vista and 7 PCs to use XP to run older programs.
They couldn't. AMD decided to remove Virtual86 mode when the CPU is running in 64 bit mode, so it wasn't possible (except in a VM, with all the VM requirements). The culprit is AMD, not Windows.
Besides NetBIOS, do you also need IPX and maybe something older? <G> Do you know how many vulnerabilities could lurk in those protocols, and their implementations?
The applications were written in a big selling database compiler and the best database for it used native DOS IPX, there was no IP layer in DOS.
It used NETBIOS to talk to a Windows IP interlayer to talk to the server with IP, this worked perfectly with 2000 and XP, 98 we used IPX as 99% of the servers then were NETWARE.
MS's aggressive attack on Novell caused all customers to go Windows server, and MS's deprecation of IPX forced the tool we used.
Search for ADSDOSIP and Windows 7.
And the server engine can work with all Windows languages I have come across, so at least data is safe.
The graphics mode, though, was games mainly; I remember Wolf3D.
As to AMD removing 16 bit support, why not leave it in for Intel and let them use it as an advertising feature? It would be nice to allow my home PC to run my favourite text editor in 7 (64) as well as XP (32).
Mind you I raised a laugh today when a customer asked us to check the specification for a server and I said my 10 year old XP PC is more than twice as powerful.
"But MS have forced the adoption of XP past its natural life."
If your customers are married to XP because of NetBEUI/NetBIOS the reason most likely is the 3rd party vendor and obsolete & unsupported software that forced them to use XP. Not MS.
"Vista killed full screen command prompt (VGA DOS programs) and 7 32bit NETBIOS."
Vista can run full screen text mode just fine if you use WinXP drivers.
Perhaps you mean NetBEUI which was dropped from Vista? It was pretty much obsolete back in 2006 when Vista premiered. Windows XP dropped Appletalk and DLC protocols. I'm sure there were a few complaints too, but to quote Spock: “The Needs of the Many Outweigh the Needs of the Few”
> MS did fix the bug. Recent versions of Windows are safe.
If a car manufacturer found a fault in the braking system of a car, so that they knew it wouldn't work under certain circumstances, and decided that they'd only fix the problem for new cars, how do you think people would react?
Good analogy, but it doesn't lead to your desired conclusion.
Cars are built from components. If the company that makes the brake sub-assembly finds the fault and notifies the car manufacturer, it is up to the car manufacturer to issue the recall because it is the car as a whole that has to meet consumer trading standards.
Likewise, the MRI scanner vendor can say "Don't attach my scanner to the internet" and then any vulnerability in the component (XP) is not relevant to whether the whole (scanner) is deemed to be working correctly.
@jpo234 - "You wouldn't claim that a car maker is at fault if a car explodes when somebody maliciously shoots it with a gun."
I would if the car was an Armoured Personnel Carrier. MS has marketed each new version of Windows (from as far back as NT) as 'the most secure Windows ever', during a period that has included all sorts of malware and vulnerabilities, so MS knew they were designing for a hostile environment. They released the code with this vulnerability, ideally, they should have fixed it before release. So, by releasing an XP patch, they are merely fulfilling their obligations 16 years late.
Do you know how many products in later production batches get fixes which are not present in the earlier ones, often fixing faults that may be not so noticeable? A recall happens only when the fault is so risky, or anyway causing enough bad marketing, that they can't do otherwise (or they tell you you're holding it wrong).
For example, I never run to buy a new camera model as soon as it is released. Despite the tests, there could still be many little issues that went unnoticed, or were introduced by the start of mass production. Often they get fixed later without saying anything to previous buyers. Those products that need repairing sometimes may get the fixes without even telling you (to avoid more requests, especially under warranty). Better to wait enough months, and usually you get an improved model...
Cjatcti wrote "Possibly you should have made a better choice than "y" or ensured it would run in a broader environment."
You are assuming that there are options. There are some very niche NHS software requirements with only two or three suppliers, sometimes only one-man-bands.
Some time ago I worked at a Manchester trust and the IVF department were fed up with the supplier of their software. He had moved to Egypt and if the application crashed or gave a wrong result, it could take days to get him on the phone. But researching other suppliers, there were only a couple of alternatives. One had sold to 6 IVF clinics in the U.K. ie the majority at that time. He was an IVF consultant at an NHS trust in London, and he charged £200k for the software and £50k per annum for support. But wasn't available 9-5 because he had his day job!
I'm not sure whether he would have had much inclination to redevelop his software for Windows10.
Not just Windows, the whole hardware/software industry.
However, one thing that does need legislating against is Windows Update, such a slow, resource-chewing pig it's untrue. The last round of updates for W10 had my Xeon/SSD machine crippled for bloody ages awaiting a reboot, pissing about applying patches. Meanwhile, on the same dual-boot machine, huge updates for SUSE Tumbleweed are a quick and painless pleasure.
Microsoft, WU has been broken for years and is not fit for purpose.
Windows update is a disgrace. After watching it fail to finish updating for 5 consecutive days with no explanation why, I downloaded the update package and manually updated. Which is par for the course with this steaming POS.
Today I noticed my network printer wouldn't print. No panic, that's happened repeatedly after allowing Windows Update to run; a quick driver uninstall/reinstall/reconfigure usually fixes it. 2 hours wasted while that repeatedly failed, never showing an error, lying to me that it was actually printing while otherwise happily talking to the printer. Still don't know what actually fixed it this time. I doubt Windows installing the wrong drivers helped much.
Yet people still wonder why so many of us block updates? It's broken beyond belief, uncontrollable and deliberately withholding essential information about what it's doing and why it fails. Needs putting down with extreme prejudice.
No, if you skip updates or go for a time without updating as many people last year did thanks to GWX and telemetry, it can utterly screw itself up.
I'm trying to sort a Windows 7 machine out, I can't even install the relevant patches manually because when you run them they search for the currently installed patches and then it just sits there for hours.
"I'm trying to sort a Windows 7 machine out, I can't even install the relevant patches manually because when you run them they search for the currently installed patches and then it just sits there for hours."
There are some fixes for this issue and a specific standalone update from MS. The latter worked for me.
@big_D: I have, for many years, maintained a small collection of VM images with different versions of Windows. Whenever I work on them, I snapshot them first and revert afterwards, so as far as each VM is concerned, the only thing I have ever done to it is wake it up once a month, let it update and then put it back to bed.
Several machines (two Vistas and two Win7s) have actually just updated themselves into oblivion under this "cruel regime". That is, they reached a state where they blue-screened at startup and this was repeatable if I reverted to the previous image and let them try eating that month's updates a second time.
Of the survivors, the XP machines were taking several hours each month by the end (2014-ish) and the Win7 boxes that remain are taking quite a while each month now as well.
No. The concept of doing so is ridiculous. The blame here is firmly on those still using an operating system that is 16 years old. Microsoft gave them plenty of warning, offered specialised upgrade programs and eventually resorted to nagware to try and get people to upgrade.
If anything, the vendors of the bespoke software holding back OS upgrades should be held accountable, as well as the inept IT management that think CAPEX savings outweigh OPEX savings. In IT, they almost never do.
All very well in theory but when the vendors of the bespoke software have been acquired by multiple orgs and their inept management don't even know what they've bought (not as unusual as you might think) and decide to shitcan these products you rely on...
Being able to upgrade your drivers between versions of operating systems would be a marvellous ability but the upgrade path from Win XP just doesn't work for many hardware and software solutions.
Isolating the Win XP off "the net" would be a nice option except of course the x-ray machine needs to send its output to a server and the lack of IT resources means the simplest solution is to keep it connected rather than come up with a bespoke air-walled solution...
The real world is much more complex than all these "simple" solutions everyone keeps coming out with can handle.
"the x-ray machine needs to send its output to a server"
So it sends it to a cheap linux box containing two network ports. One port goes to the x-ray machine and the other goes to the wider network. Run a script on the linux box to move files onward as required. As far as the x-ray machine is concerned, nothing has changed. As far as malware on the wider network is concerned, it now has to break into a linux box before it can even see that there is an x-ray machine on the other side.
Yes, it is slightly more complicated, but once you've worked out the details you can semi-isolate lots of similarly challenged pieces of kit. (Perhaps the chaps at http://www.nhsbuntu.org could help you set it up.) Yes, it isn't perfect isolation, but it is a perfectly valid component in a layered defence. Yes, it is a pain in the butt, but if it were my job to protect the IT of an entire hospital and I had the constraint of accommodating an XP-driven device, I'd reckon that something like this was what I was being paid for.
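The dual-port relay described in the two comments above, sketched as an added example (not the commenter's own script or anything from nhsbuntu). It assumes, as a constructed scenario, that the instrument writes its output into an inbox directory on the relay (for instance an SMB share exported only on the instrument-side interface) and that a separate job pushes the outbox onward to the server; the relay itself never routes packets between its two interfaces, so the wider network has to compromise the Linux box before it can even see the X-ray machine.

```shell
#!/bin/sh
# Constructed example of a one-way file relay for a dual-NIC Linux box sitting
# between an isolated XP-driven instrument and the hospital network.
# Assumed layout (not from the thread): INBOX is written by the instrument,
# OUTBOX is read by a separate job that pushes onward, QUARANTINE collects
# anything that fails the checks below.

# Refuse to act as a router: the two segments must stay separate at the IP layer.
# Returns 0 when ip_forward is off (or the sysctl is absent on a non-Linux host).
forwarding_disabled() {
    f=/proc/sys/net/ipv4/ip_forward
    if [ -r "$f" ]; then
        [ "$(cat "$f")" = "0" ]
    else
        return 0
    fi
}

# Allow-list of file types the instrument is expected to produce. Anything else
# (executables, scripts, unexpected archives) is held back rather than forwarded.
allowed_name() {
    case "$1" in
        *.dcm|*.pdf|*.txt) return 0 ;;
        *) return 1 ;;
    esac
}

# Move one batch of files from INBOX to OUTBOX. Files that fail the allow-list
# or exceed MAX_BYTES go to QUARANTINE instead. One log line per file goes to
# stderr; the number of forwarded files is printed on stdout as the result.
relay_once() {
    inbox=$1
    outbox=$2
    quarantine=$3
    max_bytes=${4:-1073741824}   # default 1 GiB
    mkdir -p "$outbox" "$quarantine"
    forwarded=0
    for path in "$inbox"/*; do
        [ -f "$path" ] || continue
        name=$(basename "$path")
        size=$(wc -c < "$path" | tr -d ' ')
        if ! allowed_name "$name"; then
            echo "QUARANTINE $name: type not on allow-list" >&2
            mv "$path" "$quarantine/$name"
        elif [ "$size" -gt "$max_bytes" ]; then
            echo "QUARANTINE $name: $size bytes exceeds limit $max_bytes" >&2
            mv "$path" "$quarantine/$name"
        else
            # Copy to a hidden temp name, then rename, so the downstream job
            # never picks up a half-written file; delete the source last.
            cp "$path" "$outbox/.$name.part" \
                && mv "$outbox/.$name.part" "$outbox/$name" \
                && rm "$path"
            echo "FORWARD $name ($size bytes)" >&2
            forwarded=$((forwarded + 1))
        fi
    done
    echo "$forwarded"
}

# Command-line use: relay.sh INBOX OUTBOX QUARANTINE [MAX_BYTES]
# (run from cron or a loop; does nothing when sourced without arguments).
if [ $# -ge 3 ]; then
    if ! forwarding_disabled; then
        echo "ip_forward is enabled on this host; refusing to relay" >&2
        exit 1
    fi
    relay_once "$1" "$2" "$3" "$4"
fi
```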
"Yes it is slightly more complicated, but once you've worked out the details you can semi-isolate lots of similarly challenged pieces of kit. (Perhaps the chaps at http://www.nhsbuntu.org could help you set it up.) Yes, it isn't perfect isolation, but it is a perfectly valid component in a layered defence. Yes, it is a pain in the butt,"
And yes, if it impinges on any certification the original machine requires, then either you've got to hold off for a few months while that's sorted out or simply shut down for that period.
If your x-ray machine's certification depends on certain machines being present or absent elsewhere on a network then I have to question whether the certification is sane, but even so, you just provide the network environment required by the certification and then place my device outside of that.
There is simply no way that a need to transfer data from A to (eventually) B requires that A be placed on the same network as B.
The real world is much more complex than all these "simple" solutions everyone keeps coming out with can handle.
Another characteristic of the real world is that evaluating each "simple" solution for each individual case takes time. Half a dozen individual installations with unique, complex requirements could take a lot longer to update than a large office of routine desktops with a common build.
I am not so sure.
I am very firmly coming around to believe that the current approach, which for now I will term a throwaway approach to both hardware and software, is not sensibly sustainable.
We tout 'Progress' for progress's sake. But stability, especially in something that has come to be deeply rooted (snigger) in most of our lives, and certainly on a day-to-day basis, should really be a core tenet of the design approach.
Maybe it is time to think about OS stability being more of a concern in consumer, and certainly in business and definitely medical, terms and not just in the terms of where they seem to really hold it in high regard: The Military.
@ m0rt - I would tend to agree. But isn't that a buyer-beware problem?
There's numerous solutions to this. Let's take the example of that big capital investment in an MRI scanner. How long's that supposed to last? 30 years - maybe more. Long beyond any OS support lifecycle I know of.
So how do we deal with the inevitable obsolescence of the control software?
- You could do it with the support agreement when you buy the kit. Put clauses in there around ensuring software updates are made available for a supported OS. Get some escrow in there so you get the source code if they fail to deliver on that. And ideally get some decent penalty clauses in so they pay if you need to address this on their behalf.
- In addition I would like the control software separated from the OS it's running on. A platform-agnostic architecture, though that's probably easier said than done on a 30 year timescale.
Just thinking out loud. Best get back to work.
> - You could do it with the support agreement you buy with the kit.
Yup, and then you get a moronic Minister for Health some years down the line who cancels the support contract to save a minuscule amount of money in comparison to the overall budget, and then you are back to square one and screwed.
But then they only have themselves to blame, when it all goes pear-shaped.
The same is true with Windows XP. They were told a couple of years ago, that if they hadn't moved to Windows 7 or later, they would need to pay annual support to keep Windows XP patched. They decided not to cough up and now they are paying the price.
They could have paid and they would have received the patches to keep them safe from this exploit months before it was put in the wild. They decided to save a few pounds and now they are crying foul.
> The same is true with Windows XP. They were told a couple of years ago, that if they hadn't
> moved to Windows 7 or later, they would need to pay annual support to keep Windows XP
> patched. They decided not to cough up and now they are paying the price.
They did cough up, but that paragon of Ministerial competence Jeremy C-Hunt cancelled the contract to save £5 million, which in comparison to the NHS budget is the loose change you find down the back of the sofa.
The blame here is firmly on those still using an operating system that is 16 years old.
Today is some 16 years after Windows XP was first released, but the important date is when machines were last sold with Windows XP - this was some time near 2010; so for those machines XP is only about 7 years old, but support ended in 2014 - when those machines were 4 years old. It seems to me that a computer that is 4 years old is still quite young; support should have continued longer.
Your average punter has zero clue about the EOL date when they buy a computer. In 2010 an XP machine would have been a cheap but functional option for people on a budget (and if replacing an old XP PC, chances are they would go for XP again as they could guarantee all their existing software would work OK).
By that only 4 years support argument why buy Windows 10?
Mainstream support ends 2020...
@tiggity - "Your average punter has zero clue about EOL date when they buy a computer"
I think you have accidentally hit-the-nail-on-the-head!
The real problem with software and Microsoft is that MS support policy is based on the date of first release and not 10 years from the date of sale, which is the case with white goods, cars etc.
I buy a new washing machine from the high st. I don't care if the OEM has ceased production, it still comes with a 1~10 year manufacturer's/store warranty commencing on the date I purchased it.
To keep things simple, I suggest changing MS's product lifecycle so that it provides support until 10 years after the date of last official retail sale, which in the case of XP was October 22, 2010.
"By that only 4 years support argument why buy Windows 10?"
Well, yes. Why? It's not a foregone conclusion.
On the other hand, if MS stick to their stated aim of Win10 being the last Windows you will ever buy, they've adopted essentially the same model as Linux:- No given release is supported for more than a few years, but an upgrade to the latest release is free and usually runs all your stuff.
(Possibly this is why Win10 is now so annoying. MS aren't making any money out of it so they might as well use it as a public beta for all their crazy ideas. The distinction between "current branch for consumers", which makes no money and gets all the shitty experiments, and "current branch for business", which makes money and perhaps skips the experiments that didn't work, would suggest that this is exactly how MS now feel about their former cash cow.)
@tiggity - in 2010, you could only get XP as a "downgrade" on new hardware, and only for Professional and Enterprise variants of Windows, so that excludes "your average punter".
Any business buying XP would have to order that extra, or they received a Windows 7/Windows 8 PC and an XP recovery CD. Either way, they had to know that XP wasn't the wisest option.
I would agree with you, that the PCs were "only" 4 years old, when support for XP stopped, IF they hadn't been warned 10 years before that of when the end date for support was.
Those PCs were sold with Windows 7 Professional + downgrade rights to Windows XP, so there weren't even any licensing issues about upgrading and getting continued support. And if they were using Enterprise licensing with SA, versioning is irrelevant, they could have upgraded directly from XP to Windows 10, if they had wanted.
As it is, they ignored the warnings, still installed XP/ bought downgraded PCs and then, when the support period ended, they didn't take Microsoft up on the offer of extended, paid support. As the Germans say, selber Schuld.
"Those PCs were sold with Windows 7 Professional + downgrade rights to Windows XP, so there weren't even any licensing issues about upgrading and getting continued support."
The PC and its OS in such a situation is likely to have been only a component in a larger system, a system which required XP because of some client/server application where the client end won't run on a later version.
You inevitably end up having to consider a more complex situation where simple solutions don't work. Yes, you could argue that the original system shouldn't have been put together that way. Maybe it wouldn't have been if the original developers had only known what a later OS version was going to break.
But that isn't Microsoft's problem, per se. The user has been warned that support is running out and they either have to upgrade to a newer version (for free in many cases as the hardware will have had a valid license for a newer version of Windows) or they pay for ongoing support.
In this case, they did neither. They only have themselves to blame.
Microsoft maintains product for far longer than, say, Google (running at 3 years for fondleslabs, less for phones?) or Samsung (no updates issued ever). Of course, they need to...
The danger with a minimum life, though, is that it becomes a kill switch, but that can be legislated too.
And no, Microsoft should be under no obligation to release fixes to cheapskates that it has developed for paid customers. There are surely many more critical fixes that it has for paid customers that also aren't released.
Let's look at other operating systems from the same era:
Solaris 8 - released Feb 2000 - support ended March 2012
Solaris 9 - released May 2002 - support ended October 2014
AIX 5.2 - released October 2002 - support ended April 2009
HP-UX 11i - released December 2000 - support ended 2015
All seem to run to a similar end-of-support timeline, although AIX is considerably shorter and HP-UX is slightly longer. All in all, the XP end-of-support timeline isn't unreasonable; there has been plenty of time and warning about migrating off of it.
In comparing Linux with Windows, there's one thing you've forgotten: the Linux API is far more stable than the Windows API has ever been. This is clearly a matter of design philosophy: Linux has always valued having a stable, well-designed API, so that applications will continue to run despite upgrades, while MS has clearly regarded using an incompatible API in each new Windows version as a marketing tool.
I'm running C code that I last compiled in 2005 and that 'just ran' until last March despite both hardware replacements and the six monthly cycle of Fedora upgrades. In March I moved from 32bit PAE kernels to X86-64 kernels and this did require my C code to be recompiled, but that was only to be expected.
If I was buying high-value kit such as an MRI scanner, mass spectrograph or radio telescope I'd require the control software on this kit to show the same level of OS upgrade resilience that I've experienced over the last 10 years, i.e. the control software MUST have the same EOL as the hardware it controls regardless of OS upgrades, etc. I could also reasonably expect a copy of the source code to be provided under an NDA or at least to be put in escrow as protection against its vendor's failure.
At my last employer, they were still issuing servers to customers in 2015 with SUSE from 2000, because the libraries they used weren't compatible with newer versions and the company that had written the libraries had gone out of business...
But "it is Linux, so we don't need to worry about security updates," was the excuse for not finding a newer library or re-writing the software for a more modern version of Linux.
In fact, they did have to switch, because the Linux would no longer install on the current generation "low end" (i.e. Intel Pentium) servers. But security wasn't the driver.
the Linux API is far more stable than the Windows API has ever been....applications will continue to run despite upgrades while MS has clearly regarded using an incompatible API in each new Windows version as a marketing tool....I'm running C code that I last compiled in 2005 and that 'just ran' until last March...In March I moved from 32bit PAE kernels to X86-64 kernels and this did require my C code to be recompiled, but that was only to be expected.
I'm running 32 bit Windows code I last compiled under WIN 95 OSR 92 in the late 90s. (Borland C++) No need to even recompile when I switched to 64 bit OS.
Windows driver APIs have changed a lot and I'm not sure how far back Direct X compatibility goes. But bog standard Win32 API has been fairly tightly conserved.
Actually, Windows backwards compatibility is one of the best, because it is implied you have only binaries you can't recompile. On 32 bit versions you can still run DOS and Win16 applications (on 64 bit AMD removed the needed Virtual 86 mode).
In Linux, there's a good chance binaries for the previous version won't run on the current one, and vice versa. Otherwise why would you need backport repositories?
"Solaris 9 - released May 2002 - support ended October 2014"
The last patches for Sol 8 and 9 that I've seen were released 2 months ago. They were hidden in a Zones or Live Upgrade patch, but they were there. There were Java for Sol 9 patches released 28 days ago. The last Sol 9 kernel was Feb/26/2015. Of course those all require an expensive support contract to even find, but they are there, and supported for some definitions of supported.
I guess this rather depends upon what the defect actually is.
Oh, and note, Windows (various versions) did not "develop a defect" as the question posits. The defect was always there, just not noticed until it was possibly too late.
For my money, the bad actors here are the NSA. In keeping such vulnerabilities secret, and infinitely more so for the utter utter stupidity of getting their little wizzles ripped off.
"For my money, the bad actors here are the NSA"
If you were a government spying agency and found a back door to take control of other peoples' computers, would you let on?
Keeping it secret - just doing their job.
Letting it get leaked - doing their job badly.
"If you were a government spying agency and found a back door to take control of other peoples' computers, would you let on?"
I'd have to ask whether this was the sort of vulnerability that my rival agencies might also be able to find. (Hint: much of the Windows source code has actually been made available to foreign governments at various points in history, so the answer is a big, fat YES.) I'd also have to ask if my fellow countrymen might therefore be at risk from the activities of that rival agency.
Given that the West has, historically, made far more use of computers in their economy than the East, I'd say that the NSA *ought* to have been erring on the side of disclosure (to MS) for most of the last 30 years.
The fact that software is licensed rather than sold allows software manufacturers to get away with a great deal.
I can't think of any product which can be sold, be found to be flawed in a way that makes it unfit for the purpose for which it was sold and the vendor of which can't be compelled to repair, replace or offer a refund. However, because software is licensed the Consumer Rights Act 2015 and Sale of Goods Act 1979 don't apply.
The NHS has lawyers; I'd like to see them test this against Microsoft in court.
The very concept of software being licensed is questionable. The software industry is trying to pull a fast one on us with that idea-- trying to eat their cake and have it too. They want the power over their customers that comes with the concept of licensing, but then they want to impose all sorts of other things that are beyond what a license can do, while still calling it a license.
A license is not the same as a contract. A license is a specific exemption, granted by a trademark, copyright, or patent holder to certain other parties, allowing them to do things that would otherwise not be allowed under copyright law. Windows is copyrighted, so it is not permissible for anyone to just go burn a Windows DVD and install Windows on their PC without paying. When Microsoft grants a license, they are waiving the prohibition on copying Windows for that individual (the licensee), so that the Windows copyright no longer prohibits them from installing and using Windows.
A license issued by Microsoft can only reduce the restrictions imposed by the copyright law. Thus, it can only extend as far as the copyright laws go; it cannot impose additional duties or restrictions upon the customer that don't already exist in the copyright law. Microsoft tries to impose a prohibition on modifying Windows files through its so-called license, but that's not within the scope of a license. Neither is the ability for MS to give itself permission to help itself to whatever data on your hard drive that it finds that it wants. Since there's no part of the copyright law that gives the copyright holder the ability to spy on its users, there's no way for a license to grant that privilege to Microsoft.
As such, the idea that software is "licensed" is questionable... or at least the additional restrictions and duties the copyright holder tries to impose within that "license" are. Microsoft certainly does have the right to license (or not license) Windows as it sees fit, but as soon as it tries to impose restrictions not already part of copyright law, it's gone out of license-land and gone into contract-land. It remains to be seen how the industry standard misuse of the term and concept of license will flesh out.
In terms of my TomTom app for Android, lifetime meant about two years. Lifetime map updates with purchase... until they decided to replace the buy-once, use-forever product (which was quite costly as apps go) with the buy-once-a-year subscription model. They offered me one or two years of subscription to this, and that was supposed to satisfy their obligation. Well, I don't do software by subscription, and I certainly expected to live longer than two years.
Even worse, the new product was crap, and it didn't even work on my tablet.
Some CNC machines still run with their antiquated OS (DOS, Windows 95/98 and WindowsXP) on a dedicated PC, along with the drivers for that specific CNC machine.
Not so easy to upgrade those CNC machines to the latest and newer Windows as the CNC drivers cannot be copied over or will not run on the newly-installed system.
In this case it will make more sense to have the CNC suppliers dump the source code for their drivers into an escrow pool, so that in future the drivers can be recompiled for a newer operating system.
I'm torn on this one. I've been doing this crap for over twenty years and I've seen a lot of shit product from vendors that aren't Microsoft. Yes I've seen a lot of Microsoft shit too, but everyone else makes themselves a much easier target. And then we have this shit used to keep people alive and maintain "people will die if this doesn't work" systems.
Remember Java's EULA? "You acknowledge that Software is not designed, licensed or intended for use in the design, construction, operation or maintenance of any nuclear facility." And if you search that phrase, you'll see it on a lot of software EULAs, including Symantec's.
And who remembers "Windows for warships?" El Reg even referenced the USS Yorktown a few times here.
Sad to say, but maybe Windows for desktop PCs shouldn't be used in these environments. The SE Linux folks have a place here, or maybe Windows long-term servicing branches if it really has to be Windows.
But really: This is 2017 and Vista's been out for ten years; longer if you include prereleases that vendors are supposed to be testing their shit against. What are all of these vendors doing? At least locally I'm seeing hospitals and clinics using some version of Windows 7, and that's not including the places that handle money that are using Windows 10.
I've had to drag vendors kicking and screaming into running their shit on Server 2012 R2 and Windows 10, assuming support responsibility when they won't do what we pay them for support agreements. This is unacceptable.
(Wow, it took some bullshit like this to bring me out of lurking for five years.)
Really the onus should be on the vendor. They should be keeping everything working and that includes the OS. They should pay MS for extra support coverage, they should handle the upgrade to a later version of Windows, and they should even be able to change the OS if they have to keep the MRI or whatever it is running.
Very true. I am a bit disappointed that none of the finger pointing has looked at the NSA/GCHQ.
The whole question about what level of support vendors should provide is a very difficult one. I remember invoking a DR contract when a SparcServer 1000 finally gave up the ghost 20 odd years after it was bought and SUN said they didn't have any spare parts. It had Solaris 2.5.1 which had not been patched in aeons of course. I should imagine that there were any number of security holes but somehow it didn't matter in those halcyon days of the early/mid 2000s.
I have to say that I have a degree of sympathy for M$ in this case. I think a vendor has an obligation to maintain a no-longer-sold OS (or application) for a reasonable period - to use the analogy in the article I believe motor vendors have to maintain spares availability for 10 years. However you cannot expect a vendor to continue to support the product indefinitely since it is in no way a cost-free activity. Vendors should be obliged to state a minimum period for which they will support the OS after withdrawal from market. Past that they can offer extended support as a product if they wish.
In this case the waters are muddied by the fact that M$ apparently had a fix which they did not distribute. You can argue that one both ways. The unsafeness of XP was the best incentive for tardy users to upgrade and to launch a fix would encourage them in their behaviour. On the other hand, had they released the fix in a timely manner they would have garnered some much needed kudos as good guys.
"However you cannot expect a vendor to continue to support the product indefinitely since it is in no way a cost-free activity."
We're looking at a fault which should never have been present in a shipped product. Are you saying that if they manage to get away with it for x years they get a free pass if it brings the house down in the future?
That poll is broken... it doesn't offer shorter life spans; current support life for Windows 10 is 2 years.
Win 10 1507 is already NO LONGER supported... you either upgrade to a newer edition of Win 10 or you're SOL.
See table 3 of this page:
The problem is not XP. This is a complete smokescreen and red herring. Additionally, people make a mistake of considering the "NHS" as being a single entity. It's not. It's a brand and billing structure comprised of a huge number of operationally independent organisations, some of which are run well and some of which that are run awfully.
This event usefully provides a census as to which are which, honestly. There is now a publicly available list of trusts that were infected because they are not taking appropriate security procedures, such as patching, and are running their own improperly configured mailservers instead of using NHS Mail/nhs.net.
I say this, because I know what's blocked on nhs.net, information which is available publicly:-
And knowing where to look...
That is unequivocal. This virus spread via email, and it was stripped from emails received by NHS Mail. NHS Digital (the central team) confirm that the virus was not received or spread through NHS Mail.
Thus, any trust infected was still running its own improperly configured separate mail system in preference to using the centrally provided NHS Mail system (nhs.net), probably because the trust's IT department didn't meet the criteria for getting basic account management to NHS.net (like following processes, which is sort of backed up by these trusts getting their systems shut down by virus infections...).
Coverage of this in the media, zero. Anybody fancy asking the trusts in question why they are running their own mailservers without filtering or stripping dangerous attachments and without patching their desktops? (Note, every GP practice in the country is an independent for-profit business, and does not form part of the local NHS trust; they just bill the trust for services rendered, although admittedly understanding of this is practically zero among the general public.)
"GPs are on the NHS payroll - they can't make profits" ?
From a company offering advice on GP partnerships
"Advantages Of GP Partnerships
You part-OWN the business, which means that you can have a say on how it is run. How much your voice counts largely depends on the percentage of the overall business you represent as an individual.
You share the PROFITS of the practice with the other partners. If PROFITS go up, so does your share. Partners working in a successful practice can therefore hope to gain a substantial income"
Your thing about GPs isn't quite correct. GPs are on the NHS payroll - they can't make profits - they don't buy their assets (the NHS does) - but they do run a little business on behalf of the NHS.
It's supposed to create an internal market but not sure it quite works.
I'm the OP AC. Your point is basically wrong. GP practices are private, for-profit businesses.
Originally, pre-NHS, doctors were essentially sole traders and did house visits because that was what people would pay for when they were sick. They became partnerships because after the NHS was formed it was discovered that a better business model was to group together, buy a building, hire a receptionist etc. and then get the sick to come to you. Eliminating travel time increased the number of patients the doctor could see, and colocating two or three doctors in one house meant that they could split the costs of buying a house etc. while sharing the profits. The later improvement on this in established businesses was bringing in GPs as salaried employees of a practice so they did the work but the partners of the partnership take the majority of the profits. (Capitalism at its finest, even in healthcare. ;) )
Some NHS trusts have employed a few salaried GPs directly and usually co-locate them with A&E, largely to meet the 24/7 care requirement introduced a few years ago as it was difficult to get GP practices to do it at any reasonable cost, and it saves the NHS trust money.
Say the billing rate for a GP to assess that my cough is a cold and doesn't require antibiotics is 100%. If you go to your GP then they bill 100% to the NHS trust, which duly pays it. If the NHS trust runs its own service next to A&E which you visit instead, and it only costs them 70% to provide, then they bill themselves 100% and make 30% "profit" on the service they provided.
Hence why I say that the NHS is more of a brand and billing structure than an organisation. Look at how the NHS was formed and you'll start to understand it a bit.
OP AC again. In my admittedly somewhat dated experience (IM&T hands on operational management in a countywide trust) the small independent IT contractors tended to offer an excellent service to individual GP sites, often better than we did, frankly.
It probably helped that they were always geographically close to "their" surgery, and they tended to be impressed that they were working for "the NHS" (even though they weren't because, as previously mentioned, GPs != NHS) and they tended to treat any fault reported as a "drop everything else life or death emergency" whereas I reserved that for faults with "clinical risk" and I knew what was and wasn't really actually that urgent. And I had a lot of sites (several hundred sites in the database, though some number were closed) and far fewer mobile techs to assign to jobs so I had to prioritise. Generally I found them very happy to oblige and they would in my experience bend over backwards to follow rules and procedures such as the NHS SyOps (System Operators Procedures) when given a copy of the appropriate procedures in question.
The worst sites are the ones where:-
1) They have a clueless employee "who knows IT" because they unboxed a computer once, and who fights any competent outside person visiting as they don't like people pointing out that grossly unprofessional messes and practices such as not doing backups are unprofessional and dangerous. Wish I still had access to the department folder of horror pictures to demonstrate some of the things they had going on...
2) They have an onsite IT manager employed part time (like 10 hours a week) who is either incompetent, or more frequently just doesn't have enough time to do everything required. Fights people encroaching on their turf to the death in fear of their job.
3) Bad contractors. More usually telecoms than IT, frankly. If the contractors were worse than county level support, the practices wouldn't have been using them.
It seems reasonable to give an alternative. Yes, an OS, like anything else, should be supported, in the sense of fixing latent defects, for ever, if it is closed source - because only the person with the source code can fix it.
If, though, a vendor releases it as Open Source, then anybody can search for and fix bugs, so it would make sense that, after a period (to prevent vendors dumping rubbish, and to check that what they have released is all the source, and that, when compiled, it behaves exactly the way the binaries did), for vendors to be relieved of the duty to repair latent defects.
"So how do they open source the code without revealing 80% (guess) of their code still used?"
They can't open source it in the FOSS sense which I think is what the OP meant.
What they can do is put the source code, including patches, into escrow. If the vendor turns their toes up or if they cease support then the source can be released to specified interested parties wrapped up with whatever conditions were mutually acceptable when the original transaction was entered into. I've seen that made a condition of an RDBMS installation.
Another option would be to make the source available to interested parties all along under NDA conditions. I've had one gig where part of the source was exposed like that, the user interface being the main part that was concealed. It served the vendor well as they got free debugging.
They can release it as FOSS. Yes, they'd have to reveal stuff that was still used. That would be the choice, do that, or support it.
Just because your code is Open Source does not mean that it is free. M$ could release XP as Open Source, but still charge people who used a more recent closed-source version called something else.
Do you really believe that in very specific devices like health or industrial ones everybody has the required skills to find bugs and fix them? How do you test your code?
Maybe in your average PHP blog, but MRI processing? Advanced CNC machines? The only ones perusing your code will be your competitors, to extract as much info as they can. And believe me, they won't report bugs, they will use them against you...
And the last thing you need are sorcerer's apprentices believing they can fix everything because they know how to install Linux and run vim... you know how it ends, don't you?
I think the problem is not the vendors, it's the beancounters.
Microsoft: Here's a licence for your software. We're going to support it till 2015.
NHS Beancounters: Ok, it's a bit pricy, but fine.
> Forward to 2016 >
Beancounters: Well, the computers still all work ok, and licensing Windows 10 will cost lots, especially as we'll have to buy new computers to replace the ones that are not powerful enough! We didn't plan for that. Let's keep on running Windows XP till the hardware breaks. What's the worst that can happen?
Much as I enjoy Microsoft bashing, I think this is really unfair. Ubuntu LTS (Long Term Support) is only 5 years on their server branch, so why is Microsoft always picked on when it comes to things like this? I know there will be some people who say the public sector should move to Linux / OS X / Android / insert OS name here, but Microsoft's patch and support policy is already more than fair.
These other OSes suffer from security issues too, look at Heartbleed etc...
Name one vendor in the world that will support that.
1. RHEL, Oracle, etc - all mainstay Unix(like) OS vendors.
2. Most telecoms software vendors
3. Most military software vendors
4. Most industrial control software vendors
Now, they also charge a pretty penny too. So if you do not like the prices you should probably make up your mind for the exact way you are going to obsolete what you are buying on day X, not drag your feet 5 years after it was supposed to be obsolete.
Again - not something public sector procurement ever does. Show me a single public procurement project which planned the obsolescence of the software they are purchasing before they bought it. I have yet to see one.
So continuing on this subject, a good idea will be to make such procurement without an obsolescence plan an automatic sackable offense.
Sure, they will sell you exactly the same crap for two decades, because every change needs an incredible number of approvals and certifications. They just have to ensure the crap is available for two decades.
Remember when USAF was hoarding floppies for its systems? And if you're afraid of the price of Windows custom support, look at the prices of a weapon system upgrade...
However, not a single software tender for public services had any long term maintenance clauses attached to it.
Wonder if things have changed at Network Rail... In the days of BR, for railway operational systems the standard expected working life and thus maintenance requirement was 20 years minimum. Which given in the 1980's they were still replacing Victorian infrastructure was a blessing...
Quite. Nobody should rely on stuff that's thrown together, in order to make a profit from licences.
You won't find aeroplanes running fly-by-wire on M$ stuff - if they did, the neighbourhood would be littered with crashed aeroplanes, and sensible people would travel by boat.
An OS, designed and built for security, written in Ada, would be the thing to use. It would have to be open source, because you can never trust a binary.
It is a failure of both purchase policy and competition regulation by governments that the IT industry is lumbered with a single near-monopoly supplier of PC OS software.
Until governments start actively promoting alternatives to Windows then cyber-attacks will remain commonplace.
With the serious amount of money companies like MS can spaff, even if there was a UK-specific law which could somehow intimidate a US based vendor (a hurdle so far unmentioned) then the tried and tested way out of this will be:
1) declare the UK subsidiary which holds the liability for patching bankrupt.
2) start up a new legal entity (shorn of any responsibilities the previous incarnation had accrued)
3) make lots of money, until liabilities start building up
4) goto 1
Create a UK subsidiary
Said company is required to escrow all source code before any more of the mother company's product is allowed to be sold.
1) declare the UK subsidiary which holds the liability for patching bankrupt.
Source code is released under escrow terms for others to fix.
Bonus points if the legislation leaves open-source authors with the liability of fixing their software. (Although figuring out who to sue in a project with lots of contributors could be fun, particularly when the bug arises from interactions between patches.)
1) Humans have faults, Humans write Software, ergo Software has faults
2) Technology changes - should I expect Ford to continue to provide spares for a 1980's Mondeo?
3) Should the NHS have a contract with the supplier of the MRI machine which dictates that the software that drives it be updated in line with its dependencies (i.e. OS/browsers/whatever)? Absolutely! Or that they open source it so that someone else can maintain it? Or that the NHS has sufficient funding to replace/maintain said software/hardware in order to remain "supported"...
because my answer would depend on the criticality of the issue being fixed. How do you define that? Is it a bug that will just cause the computer to keel over and BSOD, thus allowing DOS attacks, or is it a bug that could execute arbitrary code with full system privileges and permanently compromise a machine? What's the likelihood that this security issue is able to be weaponised? Has it been done already?
Not questions that have easy answers for the legislative machinery to grind its way through.
Fine as long as you realise that the entity analogous to the motor vehicle manufacturer in these cases is the company that makes the medical equipment, of which a Windows OS is merely a component part.
It is the job of an engineer to create a more reliable whole out of less reliable parts. Otherwise every chain would only be as good as its weakest link.
Every product has a design lifetime.
That should be clearly stated before the product is sold - including consumer products. During that time, parts, drivers, consumables, security updates etc availability should be guaranteed - with an insurance policy covering consumers in the event of supplier failure.
When a product incorporates another product, the integrator should be responsible for ensuring continuity of support for all components for the life of their product (including drivers and interfaces to other products).
Then, if someone uses a product beyond its design lifetime it is their problem when it fails.
You cannot assume that a general-purpose computer (or its operating system) will go on forever.
What about all the software around? For example, my ADSL router firmware has not been getting updates for a really long time. Isn't it a "critical piece" too? (There's now a pfSense behind it, so not much of an issue, in my case.)
And the real issue is: how long should a company, *any* company, support its software? Support has costs, and they will of course be charged to users, old and new. What's wrong in charging for support? Don't we pay for maintenance of cars, heating systems, etc.? Why should software be different? Most physical items have a limited warranty (and someone outside the EU complains the two-year mandatory warranty is too long...). Only life-threatening issues will be fixed outside of it for free, usually.
Software doesn't wear out, but surely "hidden" issues and vulnerabilities may surface. It may not work with newer devices. Old TVs were obsoleted by digital television - should Sony, Samsung & Co. have upgraded their TV sets for free? (Using an external set-top box is no different than putting a damned firewall in front to protect your old device.)
Also, bugs that are critical security vulnerabilities won't cause a system malfunction until it's attacked. In some ways, they are different from a defect that will cause issues anyway (i.e. the Intel Atom one). When people talk about car recalls, they speak about the latter. Not a thief bypassing a vulnerable car security system and killing someone while running away. If a ransomware blocks a critical system, is the culprit the ransomware writer, or the OS provider? If you kill someone because you didn't maintain your brakes - even if there are no more spare parts available - who is responsible?
Sure, they are a risk, sometimes a big one. Still we have a lot of intrinsically risky items around (guns, knives, tools, some chemicals), and believe we should manage them properly. We know software has intrinsic risks. Why shouldn't we manage them? If I drive a vintage car or bike, I perfectly know it's far from being as safe as a modern one. Should I expect it to be different, and the maker to upgrade it for free, in saecula saeculorum?
In this case, did Microsoft aim Windows at health devices, promising longer and free support cycles than those for generic use? Or was it the device makers who chose Windows? Why should they be exempt from delivering upgrades of their software running on newer hardware (maybe your ISA card can't work in a modern PC?) and software?
In this instance, blaming MS looks really overkill to me. Sure, it had the patch for paying customers, and probably it has many others. It's how custom support works.
The real issue here is crappy coding and current versions of Windows aren't any better. Operating systems are designed to look pretty, be easy to use and function, nothing else. Security is always something that gets considered but never really tested and most of these bugs are simple buffer overflows.
How long have we been coding buffer overflows into software? WTF WTF WTF WTF WTF - you would have thought we might have learned by now but apparently not and no sign that this is going to change.
To provide full support for all its old systems MS would have to have large numbers of programmers trained up in those systems (no one person can know more than a small part of code that big).
How are you going to persuade that many skilled programmers to take on a dead end job with no future? What are they going to do to keep current when there's no known bugs to fix? What are you going to do with them after the product is finally killed off?
The motor car analogy is not directly equivalent - the engineering skills can still be used on modern cars. Detailed knowledge of ancient code is not transferable in the same way.
Of course the motor manufacturers may run into the same problems as the cars get more computerised, and a car crash can be rather more serious than a computer crash.
"To provide full support for all its old systems MS would have to have large numbers of programmers trained up in those systems (no one person can know more than a small part of code that big)."
They could save money. They could ship better code in the first place.
And your general thesis founders on a single fact. They have already issued a fix.
I agree with most of the people above in that I believe that the supported lifetime of Windows has been well above good enough.
Factor in that Microsoft even added the option of extra paid-for support for those that really needed it, and by announcing that they would have to pay through the nose for it, incentivised the beancounters to open up wallets to replace and fix what needed to be done. That some organisations, even with half a decade of warning, still fail to upgrade is not Microsoft's fault.
What I would point fingers at are vendors of kit with a long lifespan that just don't offer upgrades to software and drivers that work on modern systems.
While XP was only supported until 2014, Windows 7 is under support until 2020, but how does that work when some versions of Windows 7 came with XP Mode, which is essentially a VM running XP? Surely if they are offering functions such as XP Mode as part of the OS, Microsoft should continue supplying patches for the XP Mode virtual machine until the support for Win 7 ends?
re: some versions of Windows 7 came with XP mode
No, to my knowledge MS didn't supply XP Mode with Windows 7; it was a wholly separate download and so they were able to make it subject to the same EOL as XP. Remember Win7 was released in 2009, 5 years before XP went EOL, and XP Mode was provided more as a way of facilitating migration than a long-term solution.
However, MS are still supporting Office 2007 on XP - last week I received a bunch of security updates through WUP; interestingly, the SMBv1 fix for XP wasn't available through WUP, it has to be manually downloaded.
The long-term availability of vendor support is a basic problem for Safety Critical and Safety Related Systems, and many systems operated by the NHS will be of that nature. Due to the fully justifiable need for design assurance and lengthy pre-service testing, it can often take up to 10 years to get this type of (software) system from initial conception to in-service use - and you often want to get 20 years or so of use out of it in order to justify the investment. However, these sorts of timescales just don't fit with commercial product lifetimes for a vendor such as Microsoft.
It is no accident that Linux is now widely used in areas such as ATC etc. It is not because it is free, and not just because of its reputation for stability and security, but because it is Open Source and ultimately this means that the end user can take control applying security patches for ancient versions of the Linux kernel rather than having to pay (a ransom) to the original vendor for support.
In practice this allows commercial opportunities for specialist support companies to provide long term support for those users that need to have very long in service lifetimes - even beyond those for Red Hat Enterprise.
The bottom line is that if you are happy for your vendor to dictate the upgrade lifecycle then a product such as Windows may be suitable. If this is not acceptable then Open Source is where you need to go.
Believe me, I've worked on ATC programs, and this is not the reason. Nobody I knew working on ATC software has the skill to touch the Linux kernel, or one of the many libraries implementing even basic services. Do you believe someone can jump from the kernel to Samba to Apache easily?
In many large programs lately there's been a push towards FOSS software for political and economical reason (MS is seen as a single supplier from USA...) - but not because the user can easily "take control" of code which is very far from its capabilities of changing it without creating havoc.
If needed, you would still need to pay some commercial entity to apply the changes and test all the stuff properly - just as write, and don't believe they will be cheap just because it's FOSS... when you have very few places to go, the bill will be high anyway.
"An analogy may be vehicles that develop a dangerous defect. Would we excuse the manufacturer and allow unsafe vehicles on the road?"
A better analogy is, "Should we excuse the owner and blame the manufacturer, when the customer has a breakdown on the highway driving a 16-year-old saloon that hasn't been in for inspection or maintenance in five years?"
There do exist software products that include commitments to a supported lifespan of many decades. They are priced accordingly. However, this typically does not include a single desktop operating system release, and does not include Windows XP (though it was supported for enterprises extraordinarily long).
Windows writ large has been supported for 30 years, and there is a supported upgrade path at each step of the way. You cannot hold the "manufacturer" responsible when they ignore a product's specifications.
If you have an old machine, say a classic car from the 1920's, you generally can't just buy parts for it from the manufacturer nowadays. However, it is possible to get bespoke parts made to keep it running, and there are those who do exactly that, although to do so costs quite a bit more than just buying a new car.
But complex medical machines cost much, much more than a car. So what do you do with your million pound+ diagnostic machine once the manufacturer of the software that runs it decides to not support that software anymore? We're not just talking PCs here. You can't just go buy a new one for a few quid or get pissed off at MS and decide to put *nix on it. And it's a pretty tall order to try to roll your own bespoke patches when you're dealing with a closed source operating system - and trying to do so certainly would violate the license.
And even when the issue is just about PCs, just replacing them may not be a simple option. Will the old, bespoke software that they use even run properly on the new version of the OS? Do you, as a government entity, have access to the funding it would take to "upgrade" to the new OS?
The fact that complex and expensive machinery or essential bespoke software is now dependent on a closed source OS changes everything. Everyone with such machinery is at the mercy of the vendor deciding to support or not support that software. Mechanical devices can be "hacked" easily enough and solutions found to keep them going. But what can the owner do when complex software is an essential part of an expensive device, and the vendor says "F*** you"?
So should NHS (and everyone else in a similar situation) just throw out expensive machinery because MS decided that everyone should buy a new OS? Perhaps NHS could (if funding were available) put a new OS on all their PCs, but will all the old software run correctly on the new OS? How much would it cost the taxpayers to make that happen? And what about expensive diagnostic machinery? Can a new OS even be put on those machines? Or should the taxpayers be forced to spend millions upon millions of pounds to replace those as well just so MS can make a bit more profit?
Another question is how much would it really cost MS to patch XP against this kind of vulnerability? Probably not a lot. If they charged all those XP users their actual cost of developing and releasing a patch, the cost to the end user would probably be a few pennies per machine. But they'd rather force their users into "upgrades."
Legislation? How about requiring that any software used in anything purchased by government must be open source and maintainable indefinitely? That's the legislation that MS and their ilk deserves.
Most of those who are running XP systems are doing so because the bespoke software they had written/bought back in the early noughties will only run on XP. They chose NOT to pay to update that software to run on Win7/8/10 and thus exposed their nether regions for the script kiddies to maim. Don't start bitching about someone not supporting an obsolete OS when you were given PLENTY of warning that it would no longer be supported. The fault is yours, you were too cheap to get your bespoke software upgraded.
Lesson learned? I seriously doubt it. I recently saw an SQL 2000 server that still had no SA password set. Slammer anyone?
It should be "Should The Government be legally required to extend support for systems still in use in front line public services?" closely followed by "Should software suppliers to front line public services be required to update their software to be compatible with OSes <10 years old?"
Because some services will need to keep running software that simply doesn't run on Windows 7 or above with no upgrade path to one that does. That's how you get XP that won't die.
Also: For a lot of cash strapped public services, dosh earmarked for IT Infrastructure upgrades/improvements can quickly find itself being diverted into the budget for directly supplying those services. Ringfencing that cash with a legal responsibility to meet a minimum standard for IT might help concentrate minds in the right area.
Many of the systems that were hacked are still on XP because they are running a critical system that is incapable of being upgraded.
I have heard of some very expensive pieces of medical scanning equipment that are tied to XP. They cannot be upgraded without replacing the hardware, and you're not going to replace a medical scanner that costs a couple of million pounds when the one you already have works well is expected to still have another decade of use.
So why can't the version of Windows on the scanner be upgraded? Because the hardware drivers for it don't work with newer Windows versions.
They're stuck on an old version even after all this time because hardware like this goes through a years-long development and certification process before it even starts getting purchased by hospitals; upgrading to a completely new OS would also mean rewriting a lot of the core control software which means you have to start all over again with the certifications. And when hospitals do get to buy a piece of kit like this, they expect it to last long enough to pay for the investment. It's no wonder they're all still running XP.
But the problem is not so much that support was stopped for XP, it's that hardware like this should never have been based on XP in the first place. It isn't Microsoft's fault; it's the fault of the developers of the hardware. And frankly it should be they, not the NHS, who are on the hook for making sure it is kept patched -- the lifetime support contract that the hospital signs with the vendor to look after the kit should include the software and operating system as much as the actual scanning hardware itself.
"But the problem is not so much that support was stopped for XP, it's that hardware like this should never have been based on XP in the first place. It isn't Microsoft's fault; it's the fault of the developers of the hardware."
The developers were probably in a bit of a bind themselves. The introduction of commodity H/W and S/W killed off the minis and Unix workstations that were used previously. Even if it hadn't, it would have enabled competitors to undercut any who still used such kit.
What would have helped would have been the certification authorities requiring long term support. That would have either required MS to offer it or, if they didn't, would have levelled the playing field and allowed specialist workstation manufacturers to survive. That in turn would have needed the certification authorities to have anticipated the situation we now have.
The life of a desktop or notebook is determined by the life of the motherboard and the solid state electronics on it. The mechanical bits, such as fans, disc drives, connectors, and the power supply with short-lived capacitors are easily replaced.
The life of a motherboard is at least 15 years, so an operating system that is sold for 5 years should be supported with regard to security and safety defects for 20 years from first availability.
Are you people all insane? Code has DEPENDENCIES. You can't just write one patch that works on every version of some code you've ever released. If you start with version 1, and then you fix a bug and you have version 1.1, and then you find another bug that someone who hasn't bothered to install 1.1 wants fixing, what do you do? Make version 1.0.1 and 1.1.1?
Then the next change is going to require you to ship
and so on until 64 patches later you have 9,223,372,036,854,775,807 versions you're trying to simultaneously support.
To install a new patch, you must first have installed all the patches that went before, otherwise who knows what will happen. And we have a name for a fully patched version of Windows with every upgrade applied: We call it Windows 10.
I'm sending a note to OPOTUS and former Cyber Czar Giuliani to the effect that we used to have Unisys mainframes and greenscreens and never once got hacked in twenty-five years.
Trump shall Make Computing Great Again!
... if they played fair and provided proper upgrade/downgrade paths from one product to another. They could even charge (not too much) for it.
Have you ever tried to upgrade a WinXP PC to anything later?
The same goes for their various email clients. We've had real trouble moving emails from Outlook on XP to Outlook 2010 - it shouldn't be like that.
Don't even think about Outlook to Mail for Windows 10.
If only Microsoft were to act responsibly, this issue might never have arisen.
And I'm sure they could find a way of playing nice and still making a profit.
It's time they learnt that the big stick isn't the best solution for anyone.
MS have pushed equipment manufacturing companies to use Windows (or its embedded variants) within their systems. So, a lot of MRI, CAT, X-Ray, etc. machines have a built-in Windows component.
It is often the case that these cannot be upgraded (especially when MS have "special" code that prevents new versions running on old hardware), but why should a multi-million $ system have to be replaced?
If an OS is marketed for use in kit like this, it should be supported for the lifetime of the product, not the OS. To be fair, that's why MS have the "embedded" range (XP embedded support runs to 2019), but that's quite often not chosen as it can be a pain to work with.
Do you recall the giant airbag recall over the past couple of years?
Turns out a bunch of car manufacturers had to replace the airbags with new ones on even those cars that were 15 years old.
So, by that law requirement, patches would be necessary to older / legacy operating systems?
Is that a flawed analogy to use?
I blame the management. I am taking info from the Cambridge news, quoting from Prof Ross Anderson, Professor of Security Engineering at the Cambridge Computer Laboratory.
“Failing to patch your computers is like failing to wash your hands after going to the toilet. It isn't the Secretary of State's fault. It's not the Chancellor's fault for not giving the NHS enough money. It's your fault. It's negligence.”
"...typical IT director is a senior clinician supported by technicians. Yet despite having their IT run by well-meaning amateurs, only 16 NHS organisations have been hit"
Basically this is the same as asking an IT guy to administer an operation.
Put a decent IT manager in EACH SITE who can take an ACTIVE part in procurement, to point out to the Clinician that the PC will require updates and include that in the contract, and not let a bean counter choose the cheaper option if it can't provide the updates for the life of the machine...
Who can force local updates, understand the implications of the legacy machines and work ways to solve them. Don't leave it to just large contracts who are tied in and are more concerned with profits for the contractor than solutions for the user.
AC as I work far too close to a Hospital.....
You are also forgetting that the vendors are assured by MS that the software they issue is new; however, software people may spend 5 years on developing a program to run on, say, Vista and then another year testing, and the programme is put on the market when MS announce the projected new software. No, the blame has to be on MS. I have had this discussion with a vendor, and he is as pissed off as the end users.
MS supported XP way longer than they should have, and when they did stop support they gave years' worth of notice. Anyone who is running 70,000 copies of XP in 2017 should be taken out and shot. If they have some software that is XP dependent that they can't replace then they should be running it on XP VMs; if a VM is compromised you can switch to a backup copy in under a minute. In addition to being resilient to attack, a VM can run on modern hardware; it's not limited to antique machines like native XP.
" In addition to being resilient to attack a VM can run on modern hardware, it's not limited to antique machine like native XP."
You do realise, don't you, that in some cases you're dealing with real time S/W that twiddles bits directly on specialised H/W?
As far as I am concerned, a vendor releasing software is obligated to ensure it is free from defects.
That means there should not be any exploits, any buffer overflows or race conditions or any such thing anywhere in that software.
The obligation to correct defects in a product that should never have been there in the first place should never expire. Although perhaps some limit, acknowledging that software does eventually become obsolete, might be considered.
Perhaps 99 years - the same time as the copyright expires? Provided the vendor releases, or has released, the source code by then?
I've been saying all along whenever the "Upgrade now" or "super whizzy windows" stories come along is
"What about us who have millions invested in safety critical stuff that runs on WinXp?"
You can't just 'upgrade' the PC to Win10, install the drivers and hope it works, because 10 times out of 10, it won't.
And the price of the kit is such that you need years to get back what you paid, and then make a profit.
For example, the factory next door to us bought themselves a spiffy new moulding machine, the price... about 500,000 pounds. Now imagine that in 3 years' time, M$ go "fsck you, we're not supporting your OS anymore, upgrade or else", and the machine is rendered useless.
Upgrading your desktop is easy , even throwing it out and buying a new one, but when the control is embedded and has to be proven to work......
As a side note, we have 4 windows powered machines, the manuals state "If the customer attempts to install updates to these machines, the supplier has no liability for any loss or damage that may result"
Possibly explains why we make sure the machines either have the Fanuc OS in them or the controls are based on Linux.....
"For example, the factory next door to us bought themselves a spiffy new moulding machine, the price... about 500,000 pounds. Now imagine that in 3 years' time, M$ go "fsck you, we're not supporting your OS anymore, upgrade or else", and the machine is rendered useless."
Someone bought a GBP500,000 molding machine that is tied to an obsolete operating system?
And what did the device manager pay for that operating system? If it were Windows, $25?
I think the quarrel is with a device maker ripping the customer off by providing an inappropriate operating system to save money.
"Someone bought a GBP500,000 molding machine that is tied to an obsolete operating system?"
Yes, because the alternative was probably buying a GBP600,000 molding machine tied to an obsolete operating system. IOW, this is what happens when EVERYONE uses commodity stuff to undercut the competition and win contracts.
The correct response is for the NHS and other large organisations to require application suppliers to guarantee that they will provide updated versions of their software that will work on newer versions of operating systems for ten or twenty years (or until it's replaced by something else, whichever is sooner), with source code in escrow in case they go bust, so that the base system can be upgraded much more easily. If you're not prepared to play ball then you don't get the contract.
And if NO ONE agrees, meaning the contract goes unfulfilled and machines start needing to be replaced? Remember there are very few manufacturers of this specialized and very expensive medical equipment. It's a seller's market. They can probably afford to wait it out while customers from other countries ring in.
As has been pointed out earlier - the vendors are selling this kit either with an OS embedded into the equipment itself, or with a PC sitting beside it to run the software.
Either way it is an issue for the vendor and not M$ in this case. If I were to build some kit and make sure it only works with Win98 and some sucker buys it - whose fault is that?
Support contracts need to be in place between the original vendor & the customer with the necessary guarantees of support & upgrades for the appropriate life of the product.
This will stop lazy vendors selling equipment with a soon-to-be-outdated OS unless they are willing to support it themselves. It forces them to keep their own software up-to-date so they can port it from X to Y and keep their customers satisfied.
If I buy something that has a 5 year life - then I expect 5 years out of it. If halfway through its life part of the kit dies, then I expect the vendor to make sure they have the parts (including OSes) necessary to keep it running - and if that means upgrading to a new OS then they should be planning for it!
This then means that there should be no compatibility issues with "well we can't patch/upgrade because the application won't run on OS x"... admins can then ensure equipment is patched to the latest version.
When and is there a reliable source for this figure?
I ask as a Google search only shows the "70,000" figure surfacing in news articles released within the last 24 hours. Which would suggest it is a media misrepresentation, just like the often quoted "90% of NHS Trusts still running XP".
the often quoted "90% of NHS Trusts still running XP".
And that in its turn seems to have come from a survey - I think a year or two ago - of trusts running at least one copy of XP. The fact that this might actually be just one is beyond the grasp of our mighty national newspapers.
Why the fuck are we even thinking about using a General Purpose OS to run specific purpose equipment? Quite honestly, I've never seen a need to create a spreadsheet, do a little desktop publishing, or browse TehInterWebTubes when using my Bridgeport CNC; my local small animal vet sees no need to do the above when running bloodwork, and my neighbor (who runs the MRI machine here at a local hospital) says he's never seen a need for the above at work, either.
And now they are putting full-blown Linux into coffee pots and Windows into refrigerators? WTF? Where in the hell did this need to "OverOS" machinery come from, anyway? Am I the only one who remembers when small & elegant was considered de rigueur?
Me, I blame marketing running what should be engineering firms ... ANYway, is it any wonder that this entire conversation is happening? We're quite simply using the wrong tools for the job in the first place! Is anybody really all that surprised that they break?
Why the fuck are we even thinking about using a General Purpose OS to run specific purpose equipment?
Going back to the 1990's, MS was on the rise and was desperate to become more of an Enterprise IT supplier, hence the development of NT and its successors, which resulted in the success of XP-SP2/SP3 and WS2K3. Similarly, MS made a big play into embedded, which also paid dividends in XP Embedded.
Prior to MS and to some extent prior to the consumer IT industry, it was fairly normal to pay for a licence and support and product lifecycles were more about sales than support. Hence why in the mid to late 1990's it was quite common to have businesses running mainframes and other major systems running OS's from the 60's~80's, still being maintained, but not available in the shops.
I think there was an expectation that once MS had become an enterprise supplier, it also would become more flexible about its product support lifecycle, with pre-existing customers. Instead we've seen MS deliberately take steps that have alienated it from enterprise IT such as releasing a succession of Windows versions since XP that have really been focused on the consumer market and aping Apple (badly) and only belatedly trying to retrofix W10 to the enterprise.
Which seems to support a stance I took when W8 was released, namely the time between then and EOL of W7 was the best opportunity Linux/open source had to get into the enterprise anytime soon.
"Why the fuck are we even thinking about using a General Purpose OS to run specific purpose equipment?"
Capitalism. Cost, speed to market, profit margin, market share. Why develop a bespoke o/s that you then have to support yourself, when there's a COTS available?
For, oh, about a million and one reasons, some considerably more legitimate than others. Not that I wouldn't prefer the "no more than the absolute minimum" approach - I would, I'd take a _firmware_ over an _OS_ every time; and that's exactly how it worked as long as embedded electronics - even the smartest embedded electronics - was too small, expensive and resource constrained to do anything else - and more importantly, didn't have graphic terminals and network interfaces hanging off of it left, right and center.
But these days all constraints are history, and as soon as you have graphics and images to display or configuration data to manipulate or external storage (as simple as an SD card) to access, you'll be wanting a file system implementation to read stuff from files - preferably several, if you need to accommodate different requirements. If your thing uses _any_ kind of networking, you'll want a stack implementation that will probably also include full TCP/IP and/or low power mesh stacks (some of which are already IP-based) and whatever else you might need. If your thing is expected to do several different things at once (as most things should and almost all still fail, even in spite - or maybe precisely because - being OS-driven) you'll be wanting "parallel" execution (and what a joke that still is...) and thread management. Your device might even need to juggle a non-trivial amount of data, at which point you'll be reaching for a gun if you can't use files and a database. Heck, if your hardware is voluminous enough you might even have a need to connect to a variety of peripherals like keyboards or mice / trackballs or USB webcams etc etc etc doing any of which without the benefit of an OS with all of its drivers is guaranteed to make you point said gun away from yourself and towards other people in a fit of homicidal rage.
Now, sure, any and all that _can_ be compiled into a monolithic firmware, but doing it _properly_ every time is going to be harder than writing that mythically exploit-and-bug-free software; and you'd be duplicating effort that has all been already expended - you'd be building an OS by any other name. So you'll be wanting an actual OS that already has all that instead of vendor libraries reimplementing all that (poorly) for each new product line, an OS with at least a modicum of maturity and periodic maintenance / security updates; an OS that even probably runs on a range of hardware instead of proprietary "support libs" for each.
And that brings us exactly where we are - and I'm not interested here in debating how and how long support should be done. All I'm saying is - and it pains me very much to do so because it also obsoletes me in the process - the era of making do without an OS in everything except the simplest of LED blinkers is well and truly gone; and worse, it's gone for a good reason.
"The [medical] machines can (as they should) last for decades; that the software should expire and junk everything every 10 years is not a workable solution."
(Aside: Yes, I believe the proper Brit-sprecht is "titbit" but I'm an illiterate Yank.)
The opinion piece continues:
"First, companies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn’t expired; neither has their responsibility to fix defects. Besides, Microsoft is sitting on a cash hoard estimated at more than $100 billion (the result of how little tax modern corporations pay and how profitable it is to sell a dominant operating system under monopolistic dynamics with no liability for defects). .... At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, 'pay extra money to us or we will withhold critical security updates' can be seen as its own form of ransomware."
The author of this particular opinion piece is Zeynep Tufekci. The piece is well worth reading.
Slam sys-admins for not upgrading to Win 10 even though it breaks million-pound hardware/software packages if you wish. Personally, I believe the problem is far knottier than that.
You've a hospital with limited funds. Spend those funds on equipment to implement a new cardiac ablation procedure (treating potential fatal heart fibrillation) or spend those funds to replace a perfectly good MRI machine because its software package only works with Windows XP? Hire another nurse practitioner to provide better care in the woefully understaffed terminal ward, or hire an IT specialist to get legacy hardware sequestered from the rest of the hospital network?
My hat's off to the admin who has to make those decisions.
"The [medical] machines can (as they should) last for decades; that the software should expire and junk everything every 10 years is not a workable solution."
Can you give us an example of a medical device, CT scanner, MRI, etc. that runs Windows?
I think you'll find that Windows is run on things like PCs used as PCs, not $50,000+ specialist hardware.
I wrote, "a perfectly good MRI machine because its software package only works with Windows XP". I didn't imply that the machine itself runs Windows OS.
That said, it's not unusual to find a Windows RT PLC here and there. I think we have one at my facility. The others that I've worked with all show a penguin at boot-up.
I'm not in medical automation, but I do remember reading trade news about a new oil refinery which was installing a particular plant-wide automation package. That version being installed only runs on XP. And that was in 2014, when XP was already very near EOS. And mind you, the software in this case does not run just one machine but virtually every valve and pump in the plant.
(In the latter case, installing that version was a very bad decision on the part of the Chinese company building the plant, IMHO. Of course they may have specced that version so it would be fungible with existing installations, but it's still very short-sighted. Says me, who really knows nothing about the situation on the ground.)
Not years after launch, years after sale, and not MS, any operating system sold with any consumer electronics.
So Android, Windows, iOS, MacOS, ChromeOS, etc.
And this would include Linux if Linux were sold with a consumer device.
I suggest 10 years in general.
And 15 years for devices costing in excess of US$500 if there is no follow on OS that can be installed.
Nothing is sold with a warranty against vandalism.
Do you guys think your cars are warrantied against people being able to smash the windows?
Do you guys think Chrysler warrantied the M1 Abrams main battle tank against vandalism?
If this went to a court I think the MS lawyers would be quite rightly saying, "We never promised our software would be vandal proof."
There would be no case to be brought.
But I'm not a lawyer. WHY NOT COMMISSION OUTLAW.COM TO DO A FEATURE ON THIS ISSUE?
Is there a case under US law? Under European law?
Require developers to provide fixes for security and original functionality (but not upgrades) at reasonable cost, say 10% of the original purchase price per annum. They can choose to discontinue this support, but the software becomes public domain.
This allows the developer to make a commercial choice, and may reduce the amount of electronic junk sent to landfill because it's 'too old' to support.
On the back of boxes or on installation dialogs.
"This software will be patched for general use until x date and security patches will be issued until y date". Just to make it plain and clear to the users. After all it's not just PCs that could do with this - Smart TVs, Phones, etc.....
It cannot be said that David Omand is a coward. Being chief of GCHQ (comparable to NSA) and therefore responsible for withholding known security holes from the software manufacturer, he is absolutely not in the position to point his finger at MS.
I would rather go a step further: he (his organization) facilitated that the real responsible guys (the criminals using the vulnerabilities) could commit their crimes.
Besides that: MS had made it possible to get security patches when you pay for it. This very much looks like real life: you get what you pay for.
"An analogy may be vehicles that develop a dangerous defect. Would we excuse the manufacturer and allow unsafe vehicles on the road?"
AFAIK, the longest vehicle warranty offered is currently 7 years. This is a 16 year old piece of software that has received thousands of updates during its lifetime. It should have been scrapped years ago for a newer model with the fixes baked in, and that is exactly what has happened, at least three times since XP in fact.
I'm charitable enough to assume that MS didn't *deliberately* ship with vulnerabilities, and has actually spent a huge amount of resources fixing and updating them where found. To crowbar this back to the car analogy, new vulnerabilities are discovered all the time in software. By definition, they weren't known at the time of shipping. Would you expect a car manufacturer to recall your 16 year old engine because it doesn't meet new emissions standards? Eventually you have to bite the bullet and buy a modern car.
To illustrate your car-based IT analogy with an IT-based analogy - no, you should not be required to implement SHA1 in an old product when MD5 becomes impractical to use. If your implementation of that existing MD5 is found buggy, however, you absolutely should be forced to fix it well into the next millennium or until you acknowledge having abandoned it by fully releasing it as open source.
"AFAIK, the longest vehicle warranty offered is currently 7 years"
I agree the car analogy is not a like-for-like comparison, although Chrysler had to recall 14 year old Jeeps that had poorly designed fuel tanks that exploded when the vehicle was rear ended.
However, a car being hit in the rear is totally foreseeable. I'm not sure Microsoft could have foreseen the exponential growth in malicious attacks, especially from nation states, and encrypting the hard drive for ransom when they started developing XP.
@JamesPond - I don't know when MS started developing XP, but let's say it was when they released its predecessor, W2K, in 1999, when the malware threat was well-established and growing fast. There was an encryption attack, the AIDS Diskette, much earlier, in 1989; though that was badly planned it showed the possibility. The possibility of an asymmetric encryption extortion attack was the subject of nightmare scenario speculation among anti-virus researchers during the 1990's, as I recall. But that, and the possibility of a nation state attack, is not really relevant: the patch fixed a flaw in the SMB implementation, and MS knew their customers would be plugging into public networks, so the security of their network protocols was critical.
Perhaps Omand could address the question of the morality of security services sitting on piles of zero days for critical software and allowing large parts of the world's economy to go unprotected - when they could fix it.
So long as security services know about critical weaknesses and don't inform software companies they can't claim to be keeping us safe.
But Omand won't say anything because we never comment on security matters - apart from when they want to comment on security matters.
I haven't used MS products on a personal level for well over a decade now but the furore over this is just plain ridiculous. This has been caused by upper management not taking IT seriously at all and this is not confined to civil facilities. It should be impossible to manufacture the amount of Teflon that these people have on their shoulders. MS gave 4/5? years of warnings that XP was being deprecated and then a pay extra program that got increasingly expensive to encourage people to do the right thing and deal with the issue.
At that point upper management should have been asking about the security of their computing estate and how to guarantee its future security and providing the budget for the implementation, not stuffing their snouts in the trough until the money covered their eyes.
8 years to air-gap or secure access a critical unchangeable system is more than enough time for any properly run organisation. Upper management in this country does not meet the criteria required. MS committed to support XP Embedded systems until 2020 and these patches are a function of that.
The debacle that has occurred with XP desktop is due to idle, feckless upper management and any prosecutions should start at board level and work down.
And what of the third party vendors who sell equipment that should reasonably be expected to be in service for 10+ years - and who incorporate a Windows (or Linux, etc.)?
When vendors lock down their equipment to a specific version of Windows and (by design) refuse to accept software updates (even critical updates), then hospitals (and manufacturers and research labs) are going to be caught.
Microsoft virtually gave away XP in order to get people onto it. The man on the Clapham omnibus had to pay loads; Dell was paying sub $5 per copy.
Having achieved market domination, Microsoft then went on to abuse that dominant position, and now wants to abuse it again. I wasn't caught by WannaCry; I don't have any XP machines; but I'm a "user". I can afford to upgrade - I don't have specialist software that has been written to run specifically under XP like the NHS had. Microsoft tried blackmailing users into upgrading (you know - much like W10) and when it failed, it abused its market position to break their products.
I wish, I really wish, that HMG would dump MS for an in-house secure version of Linux. But they won't - too many MPs want to play on their Windows PCs.
And as for the "vote" - what did you expect when you ask a random sample of people who make their money out of fixing Windows PCs when they go wrong!
The answers I really wanted to give were not there.
1: Any vendor of any proprietary, closed-source software product absolutely should be obliged to provide support, to any legitimate user (not just government), without let or hindrance.
2: Such support should be provided, not for 5 years, not for 10 years, not for 20 years, but forever. Hardware is subject to mechanical wear and tear, and dependent upon the supply of suitable replacement parts; software is not. The first computer program ever written would still run as well today as it ever did, if only a suitable emulation environment were available.
3: O.K., not strictly forever. The vendor may, at any time, delegate their responsibility to provide patches by handing over the complete, annotated, human-readable Source Code and Build Instructions on machine-readable media to another party, who will then assume the onus to provide support in perpetuity; or by making said Source Code and Build Instructions available to every legitimate user of the software, and granting permission for any user, or anyone acting as their agent, to study and adapt the software.
Preventing someone from using software that they have purchased is tantamount to criminal damage.
I have never paid for a piece of software in my life and, unless the vendor was willing to supply me with the Source Code -- which I get, with the software I have not paid for -- I have no intention to start.
I've written my own;
I've done the job in ways that didn't involve new software.
But for most things I do (and indeed for the thing I wrote software for - I preferred my approach and it took over from some legacy software) there are people who think as I do who have made software available.
The timescale needs to be as per vehicles, at least 10 years for maintenance after last sale. It is not the launch that should be used, otherwise the clever little urchins will then run the sale for the period of the maintenance and then just stop. Make it from the date of the last sale or at least the last date of first-time registration or activation of the software.
As a lot of software for Vista was only released 2 years before the stopping of issue, and the last registrations only as recently as 5 years those people should rightly be feeling ripped off!
That vendors are required to maintain support for software while an operating instance remains in the world ... OR until they publish the full source code - all needed to compile working instances - under a licence allowing study, support, distribution of altered versions, extension and patching, which in practice is going to be a GPL.
Then if the task is onerous and no profit can be made from it, the company loses nothing by publishing, and ends its responsibility. If it is a business decision, then their ex-customers get to make a business decision as well, and people who like supporting that sort of thing, likewise.
 You might put a number higher than 1 on that, or not.
 or country, or business, or public service, or government...
When you buy a piece of infrastructure (CAT scanner, X-ray, something with custom hardware etc.) for $bignum currency units, one would expect to receive full support for the combined system for its service life.
The kind of systems we're talking about aren't just some PC running XP, but effectively plant machinery; saying "too bad, the OS is end of life" is not acceptable.
The suppliers of said hardware must be held accountable; if they go bust, then any software or documentation must be made available to their customers. In the case of the NHS, this would not be Microsoft. It would be the supplier of these critical systems.
A bit like the "Good old days" when source code was provided at installation.