back to article Do we need Windows patch legislation?

Microsoft has got off remarkably lightly from WannaCry, as the finger pointing between Whitehall and NHS trusts began. But that might be beginning to change. The NHS had 70,000 Windows XP PCs, but only after the ransomware hit did Microsoft issue a patch. Officially, support had ended in 2014, spurring an upgrade cycle. In a …

  1. Anonymous Coward
    Anonymous Coward

    "or else all the vendor will placed on a blacklist"

    Journalism as a second language? 8)

    1. Oh Homer
      Linux

      Forced to support forever

      I'll go with "NO", even though I'm not a fan of either Microsoft or proprietary software in general.

      Why? Because if you choose to "buy proprietary software" (i.e. purchase a limited license to use somebody else's software) then you do so in the full knowledge that what you're actually buying is a limited term contract for a service, you're not purchasing real property that you should rightfully get to use forever (or whatever arbitrary period you deem acceptable).

      The real wake-up call here should be to stop buying proprietary software, and instead invest in something that can be maintained independently of the vendor (i.e. open source).

      1. johnfbw

        Re: Forced to support forever

        Funny, I would use the same argument to say there is an expectancy for updates. You buy a perpetual licence (like most XP ones were) so they agreed to fix it for the length of a licence.

        I outright bought my car, I don't expect GM to come and fix it every time it develops a fault.

        Of course 16 years is too long to expect a company to support a product

        1. Oh Homer
          Headmaster

          Re: Forced to support forever

          @johnfbw: Well, your license is only "perpetual" in the sense that Microsoft will not sue you for attempting to continue using it long past the point where it ceases to be useful.

          Like it or not, proprietary software is a service, not a product. Once the vendor drops support for that service (and subsequently the entire ecosystem surrounding it), the utility of the thing you paid for rapidly drops to zero.

          "Perpetual licensing" is like a bus pass for service that stopped running years ago. Yes, you have the contractual right to take that bus, in theory, if it ever runs again. Which it won't.

          @ac: "maintained independently" doesn't have to mean you, it can be a contactor you outsource work to, or (more likely in the case of open source) a community of volunteers. The idea that open source is only useful if you personally are a programmer is ill-considered. At the very least you have more flexibility than you do with some vendor's proprietary solution, which he can and will eventually terminate. Surely some option is better than none.

          The point is that those at the NHS (and anyone else with such expectations) are incredibly naive if they think they can pay once and play forever. One way or another they will be forced to face the responsibility of maintaining a currently working solution, whether it's paying Microsoft once every few years for a platform upgrade, or paying a service company to maintain a constantly updated open source solution, or even paying in-house engineers to develop and maintain their own system.

          That's just Admin 101, and yet strangely it seems to be a concept totally beyond the grasp of the NHS (and other organisations still using archaic software).

        2. Doctor Syntax Silver badge

          Re: Forced to support forever

          "Of course 16 years is too long to expect a company to support a product"

          There's a difference between supporting a product in terms of adding new functions or drivers and fixing a defect which was present when the product shipped.

          But let's not lose sight of the fact that when the shit finally hit the fan MS made a fix publicly available within hours.

          If they were under no obligation, it was too long to expect them to do it etc then why did they do it?

          I can think of three explanations:

          1. It was to mitigate a PR disaster.

          2. Events brought it home to them that they had a moral rather than a commercial responsibility.

          3. They anticipate legal action and are attempting to mitigate any penalties.

          I don't think the last one flies - it simply points out the fact that they'd held back something that could have been made generally available.

          But let's not lose sight of the fact that for whatever reason they have done what lots of commentards have said they didn't have to do.

          1. YARR

            Windows XP is still functional as an offline Operating System, but anyone continuing to use it beyond EOL support cannot expect to remain safe online. The reality is that hackers are constantly scanning for vulnerable computers, so no device without the latest updates is safe online. Even with the latest updates your device is still vulnerable to zero-day exploits.

            Rather the onus should be that anyone responsible for a critical online computer system should ensure it remains updated and fully patched, just as the driver of a vehicle that is driven on public roads is responsible for getting it serviced. Frankly anyone administering a network with Win XP machines should have configured the network to block all internet packets to/from those machines, so thay can only access local network resources.

      2. Anonymous Coward
        Anonymous Coward

        Re: Forced to support forever

        Well if I was to go Open Source I would want it to be supported forever too, but lets be charitable and say 20 years. Is it reasonable that I should delve into the source and fix issues? Do I have the skills and the time? Probably not. Very few people do. So perhaps it should be incumbent on the people who submitted the code in the first place to maintain it? Which is absurd. Who would ever submit Open Source code if it came with a commitment to support it for 20 years.

        What happens in reality is if you need Open Source and you need it supported "forever" (i.e you are a business where it is critical for you) you take out a contract with a third party vendor to support the software for you. And if you decide not to pay said vendor or they decide that its no longer economic to support the software, that's it. Game over. You have old unsupported software exactly the same as if it were proprietary unless you are prepared to throw lots and lots of money at it ..... i.e. just about the same.

        1. Johndoe132

          Re: Forced to support forever

          I agree completely. Your last point is interesting though - if this were OSS or M$ had decided to open source the code at end of life, then governments & corporations around the world would have had the *option* to build their own in-house support for the product.

          In the case of UK Gov that may well have been the cheaper way to go, but having worked in that sector I don't believe for a second it would have actually happened.

          It really, really pains me but I have to side with Redmond on this one; they gave fair warning that XP was going end of life and the general poor security of that OS was well known to all of us. I'm sure every techie worth their salt has been beating the migration drum for years, but at the end of the day politics always wins......

          1. Doctor Syntax Silver badge

            Re: Forced to support forever

            "I agree completely. Your last point is interesting though - if this were OSS or M$ had decided to open source the code at end of life, then governments & corporations around the world would have had the *option* to build their own in-house support for the product."

            It wouldn't be necessary to open it in the FOSS sense but to place it in escrow. The terms for release from escrow could place an NDA on whoever then took up maintenance. This would be a sensible provision where it's been incorporated in a product whose reasonable life expectancy exceeds the support life of the product. It's maybe something that regulatory authorities could require for medical equipment in the future. If an OS vendor was unwilling to do this then the equipment supplier would be obliged to go elsewhere.

            Microsoft could agree or not as it pleased. If it judged the market too small to bother about that would be their commercial choice. If they chose not to remain in that market the equipment makers would be free to look elsewhere. Give or take proprietary drivers FOSS fits this bill automatically. There would be scope for someone to offer support well beyond the normal life of an LTS distro as a commercial proposition. An existing proprietary embedded Unix derivative such as QNX or VxWorks might also be a good fit.

      3. steve hayes
        FAIL

        Re: Forced to support forever

        One could argue that poor programming which allows these worms access should always be fixed. Before they bring out their next money spinning version they should fix the last!

        1. Captain DaFt

          Re: Forced to support forever

          "Before they bring out their next money spinning version they should fix the last!"

          By that logic, MS would still be stuck with selling Dos 3.2! ☺

      4. Anonymous Coward
        Anonymous Coward

        Re: Forced to support forever

        Most people purchased XP with a new PC, if the machine is still running then so should the OS.

        This should include any patches required to fix fault/security flaws present at time of purchase and the lifetime of the OS should be dated from the last fix.

        If MS had got rid of all the problems with XP then they could reasonably step away and say "that is as good as it gets" but they never fixed the problems instead they just released a new OS with the same problems which they will only fix once they are abused.

        In the UK atleast car manufactorers are required by law to maintain parts for the expected lifetime of their products, why should MS be different?

        If the code for XP was public domain once MS abandoned support then the customer could source their own repairs however since MS just prettied the old OS up and resold it as a new product then the code remains proprietry and unobtainable therefore only MS can fix it.

        Ultimately this means that MS operating systems are unsuitible for any application where the customer would expect the product they purchased to last as long as the hardware.

        Thus MS should automatically be excluded from any state funded endevour, MS are fine for gaming but if your want a professional product then look to a professional operating system that will continue to support hardware through each revision such as your flavour of unix.

        That MS are notorious for dropping hardware support between OS versions is well known in the industry and these tax payer funded projects should never have allowed MS in let alone continued paying them to support a broken OS.

        1. Nattrash
          Holmes

          Re: Forced to support forever

          [I work in the med tech industry]

          I've been following this discussion for a couple of days now, seen the arguments, and am left with a couple of questions for the distinguished commentards here:

          --- The discussion (or finger pointing if you will) has focussed on the Government, NHS, Microsoft... I did notice that the party shining through absence is med tech producers. I mean, sure, if the NHS buys an MRI, CT, or another software driven system from for example GE, Philips, Siemens, Toshiba, then they also have a service contract. And think about it, this doesn't include software..?

          --- "OK, but this med tech is so sophisticated, you can't just change the OS on an MRI, now can you?" Humm... You think, if you buy a new machine now (which could very well be the same model as 10+ years ago, since tech turn over isn't that big as you might think), that it's supplied with XP?

          --- "You can't expect a supplier to support a product for 16 years". Well, maybe this is true for cars (don't thinks so, think product recalls), but for med tech this might surprise you. After all, you don't buy a CT or MRI of a couple of million pounds to use it for just 2 years. And even if a CT has been in use for 15 years, you still don't want it to make pictures with Chernobyl levels of radiation, now do you? I invite you to lie down comfortably and let me make pics of you with such a machine, and afterwards hear me make an excuse like that...

          --- And just because I'm an "old" person: I can remember times, let's say 25 years ago, when such med tech was developed (e.g. CT, MRI, automated light microscopy pathology sample scanning/ image analysis), and many were Acorn Risc based. Or had their own, unique program running on top of DOS. And please understand that I'm not saying current systems are bad. What I'm saying however is that here too the "dirt cheap" and "bottom line vs. quality" movement also made its entry. So might our (society) drive to prefer cheap over quality not come with these kind of consequences?

          --- And if your argument is there that operators are (only) familiar with certain OSes, then apologise to technicians, who are educated operators, and can work anything we can develop, because of their long, indepth, and dedicated training, passion, and commitment. Physicians? You really think (all of them) can operate med tech?

          --- Big, bulky, or heavy on tech equipment has been used in the aftermath of Wannacry to excuse (some trusts of) the NHS. But is this really the software we're talking about? Isn't it just a lot of accountancy software, admin systems, data storage, and these kind of systems? Aren't in-your-face-everybody-can-relate-to-that examples (like MRIs, even here on elReg) used to cover for just secretary boxen?

          1. This post has been deleted by its author

          2. Ben Liddicott

            Re: Forced to support forever

            Big, bulky, or heavy on tech equipment has been used in the aftermath of Wannacry to excuse (some trusts of) the NHS. But is this really the software we're talking about? Isn't it just a lot of accountancy software, admin systems, data storage, and these kind of systems? Aren't in-your-face-everybody-can-relate-to-that examples (like MRIs, even here on elReg) used to cover for just secretary boxen?

            This.

          3. Anonymous Coward
            Anonymous Coward

            @Nattrash: Re: Forced to support forever

            Nattrash - I know of one NHS trust that has apparnetly had to cease cancer treatment whilst they try and dig themselves out the hole they have brought upon themselves...

            1. Nattrash

              Re: @Nattrash: Forced to support forever

              A crying shame indeed, a fact that I'm not trying to water down or dispute.

              But (if I get the essence of your remark correct) I ask myself whether this is because the patient can't be treated, or whether the "patient" can't be billed (please excuse the bluntness by intent).

              And don't get me wrong, I've been around (within this therapeutic area) long enough to get that "treatment for cancer" can be anything from pumping people full of chemotherapy, to using a high tech Accuray kind of "radiation knife". Or could mean surgery or Ab based adjuvant therapy. Or the point focussed radiation therapy somebody else here spoke about. And yes, a lot of nifty software is used in some of these cases. But then again, in a lot of these cases there isn't...

          4. JamesPond

            Re: Forced to support forever

            "the NHS buys an MRI, CT, or another software driven system from for example GE, Philips, Siemens, Toshiba, then they also have a service contract. And think about it, this doesn't include software..?"

            It does include the software that is proprietary written by the supplier to meet standards e.g. In imaging that is DICOM. BUT the underlying O/S isn't usually written my the supplier, it is usually a flavour of Linux or Windows and hence reliant upon the o/s vendor for patches.

            An MRI shipped today will probably be on Windows7, that has the same vulnerability as XP if not patched. But the supplier has to undertake a significant amount of testing to pass CE validation. Most large suppliers are not geared up to respond quickly to zero day patches. In the majority of cases medical devices need hands on patching and then possibly several hours of testing before releasing the device back to the hospital. This could take a device out of operation for a day, cancelling appointments, so typically patches are rolled up into a single update and site visits planned upto 6 months in advance to limit both patient impact and costly engineer site visits.

            1. Nattrash

              Re: Forced to support forever

              As you know James, working with DICOM isn't necessarily proprietary; even free downloadable, old, simple JImage can work with DICOM. It is the software surrounding it, created by the manufacturer, the GUI of the machine if you will, that is proprietory. And done so for understandable reasons. And yes, you're right, that is created on top of Windows.

              You got a very valid point about the update cycle, maintainance, and taking the machine of line. After all, a machine that doesn't do a patient, is loosing money. And this wasn't what I was trying to bring up. However, you write "An MRI shipped today will probably be on Windows7, that has the same vulnerability as XP if not patched." But that was also not what I meant. What about the (service) obligation of the manufacturer to upgrade the systems to W7, if the 10 year old system still runs on XP (as was suggested in the media - not my remark). Furthermore: "Most large suppliers are not geared up to respond quickly to zero day patches." Indeed. And still they build their proprietory GUI on top of a system that is sensitive to this. So, or they should think of a way to service it accordingly, or they made the wrong design choice. I'm not saying what's wrong or right, I'm just saying... Especially since I've seen different approaches "back in the days"...

              1. JamesPond

                Re: Forced to support forever

                "What about the (service) obligation of the manufacturer to upgrade the systems to W7"

                Most long term contracts I've seen usually include a system refresh half way through, so replacement software and o/s and depending upon the equipment, hardware, at year 5 of a 10 year contract. So if medical devices are still running on XP, perhaps they are on the backend of the cycle and waiting for either a contract extension or full replacement. Given the NHS is strapped for cash and the red tape involved, chief execs won't support a business case to update a medical device if it's still in contract. Or should I say, wouldn't have approved a business case.

          5. Anonymous Coward
            Anonymous Coward

            Re: Forced to support forever

            I also work in the medtec industry

            Product life is required to be considered in the development and risk management for medical devices.

            Large equipment manufacturers GE, Phillips Seimens etc normally have a policy of supporting products for ten years after they were last sold but in practice continue beyond this.

            It is a requiresment that risks arising from medical deivces are constantly reviewed and the risk of a security issue causing damage to health must be considered by manufacturers for equipment in the field even if not currently manufactured (PMS). This would include the possibility of security related issues. if there was an issue identified it may or may not result in updates to the SW or other measures such as recommended configuration changes, firewalling, procedures etc but the risk would need to be assessed and managed.

            Most medical devices have a requirment for regular maintenance but this does not necessarily need to be performed by the manufacturer.

            Realistically no manufacturer of anything can give an indefinite commitment to support it. they should communicate what their policy is and when support is coming to an end. The support period should be reasonable given the nature of the product. In the case of a less massive company they could cease trading and that would end all support.

            I am generallly no fan of MS but they seem to have acted quite reasonably in this case.

            1. Nattrash

              Re: Forced to support forever

              @AC

              You're right, especially after the regulatory MDD changes in April this year. And with those changes the discussion about who should "service" might also be answered. After all, the MDD obliges the manufacturer to "monitor continuously" the performance of the device in every day use, and this is not necessarily connected to PMS studies (although could be of course, and seen as favourable). And indeed, with these changes there is now a much bigger emphasis on risk management/ avoidance. With that in mind, and the realisation that according to classification, software that drives a device is seen as an active medical device, and falls in the same device class as the device it drives, I see discussions about the "who, how, what, and when" of the obligation to service on the horizon...

          6. Anonymous Coward
            Anonymous Coward

            Re: Forced to support forever

            @Nattrash: Thinking about your 1st & 2nd questions. That the piece of med-tec that costs millions is dependent to such a high degree on an OS that cost around 100 quid is probably a design flaw. It can be easily argued that both purchaser and supplier should be aware of this dependency, because the lifetime of the potential usefulness of this expensive equipment is limited by a commodity product beyond the control of both parties. Would it be so hard to remove OS dependency in the med-tec software if it was better built?

            You could also argue the fact that the supplier is unable to support the med-tec equipment for an adequate length of time due to dependencies beyond their control shows a particular lack of foresight and due diligence in software design. You could also make the same due diligence case against the purchaser for not looking into such proprietary dependencies, especially in a public purchasing organisation.

            Your fourth point about price vs quality I suspect may provide the answers.

            And yes, your final point, is probably correct. It seems (only from reading the news) much of the affected systems were administrative in nature anyway. I mean, I hope network managers, operators, etc think twice about connecting a CT to the department LAN and then onward to the internet. Ahem.

      5. fruitoftheloon
        Stop

        @Oh homer: Re: Forced to support forever

        Oh homer,

        in principle I agree with you, there are many health care capabilities that have VERY specialised kit, wifeys team has a cluster of whizzy Dell kit that does incredible number crunching and real-time modelling for radiotherapy treatment, what chance is there of a team of well-intentioned souls developing something to replace it???

        We live in hope...

        Cheers,

        Jay

  2. Anonymous Coward
    Anonymous Coward

    Lawyers

    As MS had the patch for XP in February and withheld it, it would be prudent for XP owners to mount a class action against MS for failing to inform the market and take responsibility for the losses.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lawyers

      The lawyers have more chance of getting Comey his job back that getting MS to admit to anything.

      1. Doctor Syntax Silver badge

        Re: Lawyers

        "The lawyers have more chance of getting Comey his job back that getting MS to admit to anything."

        It's not the lawyers' job to get their clients' opponents to admit anything. Their job is to get a court decision in their clients' favour. An admission might be useful but not essential.

    2. davidp231

      Re: Lawyers

      Or... the XP patch was sent out to those who are still paying for support (of which, the NHS isn't) and they just flipped the switch that lets everyone else have it.

      1. big_D Silver badge

        Re: Lawyers

        @davidp231 that is how I read it. The patch was issued to those that paid for it, as per the guidelines issued before XP support stopped.

        This whole issue is insane. MS provide longer support than any other software company for its products, Heck, Google have announced that they will stop issuing updates to their own Android devices after 18 months and security patches after 2-3 years.

        Apple dropped support for older Macs after only a few years - my 2007 iMac hasn't had a security update since 2014, but it still runs Windows 7, so it actually gets support from Microsoft for nearly twice as long as Apple provides for its own products!

        If Microsoft had just stopped supporting XP all of a sudden, I could understand the outrage, but we are talking about users and businesses haveing over 15 years of warning that they would need to upgrade to a more modern version... And, for those that were short sighted enough not to be able to get their systems updated in time, they offered paid support.

        If you are dumb enough to use out of date software and still dumber not to pay for extended support, then you are your own worst enemy.

        Also, if they do change the law to make manufacturers provide support in perpetuaty, then it will have huge impacts on prices and how often new versions are released. Not an entirely bad thing, but we will see software prices climb again, as the long-term support needs to be calculated into the purchase price.

        1. teknopaul

          Re: Lawyers

          yeah but the question was about essential public services, there are enough lazy banks out there to pay for the fix to be given free to the NHS.

        2. davidp231

          Re: Lawyers

          "Heck, Google have announced that they will stop issuing updates to their own Android devices after 18 months and security patches after 2-3 years."

          And most OEM vendors don't even see said updates.

          1. Anonymous Coward
            Anonymous Coward

            Re: Lawyers

            Sorry, that is horseshite.

            "And most OEM vendors don't even see said updates."

            The updates are posted every month on Android AOSP git repository, and patches are posted for (currently) 4.4, 5.0, 5.1, 6, 7 and 7.1

            The OEM's definitely see them, and the reputable ones update devices for 2-3 years, sure they might not pickup every patch every month, but they do release patches.

            NOTE: Don't believe the media, they are too stupid to understand that full-version adoption rates and security patch adoption (which isn't measured) are totally unrelated. They will pretend that just because only x% of devices run the latest Android, it means everything else is old and unpatched, which is total nonsense. Any media outlet or self proclaimed "security expert" pushing this lie really needs ignoring.

        3. Anonymous Coward
          Anonymous Coward

          Re: Lawyers

          As far as I can see it also went to those who used a well known registry hack to continue support for XP!

          1. Doctor Syntax Silver badge

            Re: Lawyers

            "As far as I can see it also went to those who used a well known registry hack to continue support for XP!"

            That wouldn't be a viable option for anyone who needed to maintain some sort of certification.

        4. Anonymous Coward
          Anonymous Coward

          Re: Lawyers

          18 months?

          Bliss! If only Sony were nearly as diligent.

        5. JamesPond

          Re: Lawyers

          MS gave fair warning XP was going end of life. They offered an expensive option of extending support, possibly to make money, possibly to force everyone hand to upgrade.

          Particular issues for the NHS have been a 'perfect storm' of a significant squeeze on finances;XP being embedded in suppliers systems that may take significant time to revalidate to get CE kite mark accreditation; significant number of bespoke systems supplied by one-man-bands, whether in-house or third party, who don't have the resources, time or inclination to redevelop and revalidate the software on a newer o/s.

          So you might say we'll just stop using these systems but that is easier said than done when the government keeps increasing pressure on the NHS to improve efficiency and reduce costs. Amber Rudd was on TV saying the government has increased NHS spending and was surprised that Trust's hadn't patched.What she didn't mention is that they've also removed a lot of the centrally funded IT systems and pushed the costs onto individual Trusts, reducing their net spending power.

          It's no surprise that GP's were worst affected. Under the Tories 'rationalisation' GPs are self employed. They keep any profit they make so what is their incentive to employ IT specialists to keep their systems updated or purchase new PCs every 3-4 years?

  3. Anonymous Coward
    Meh

    I can't see a poll!

    See title.. .edited Poll appeared

    But I think just becasue it is running XP doesn't mean you cant treat the equipment (say MIR scanner)and the say (XP interface) like an industrial device. That means not sticking outlook on it and plugging it into the wider Internet. It shold be off by itself with little or no access to the rest of the network.

    1. Anonymous Coward
      Anonymous Coward

      Re: I can't see a poll!

      Poll doesn't have the other pertinent options, for example:

      * Should Microsoft have used a remote kill-switch to stop XP entirely at end of support date (cf. Samsung bricking the Galaxy Note 7 remotely)

    2. JamesPond

      Re: I can't see a poll!

      Maxsendq - Clearly you have no idea how MRIs and other diagnostic systems integrate within a health environment.

      If the MRI is in it's own bit of network with no access to other systems, how does the MRI get work lists (list if patients to scan) from the RIS? Then the MRI scanner needs to send its images somewhere i.e. PACS! The PACS system needs an interface to the RIS to match patients appointments with the images, the RIS and PACS need access to the PAS to get patient information updates, clinicians need access to PACS from everywhere in the hospital(s) so they can see the images and treat the patient. NHS reporting Radiolgists and companies around the world that provide 24x7 radiology reporting services need remote access to PACS and RIS. Radiologists need access to the internet (as per Royal College of Radiologists guidelines) from their reporting wirkstations; PACS reporting monitors need to send their self diagnostic information to the supplier and/or Nuclear Medicine regulators (usually via either the internet or NHSnet) to meet legal requirements for monitoring pixels / resolution.

      So closing off diagnostic equipment from all other systems isn't realistic.

      1. Twanky

        Re: I can't see a poll!

        If an essential device has unsupported software it needs to have a wrapper around it which is supported.

        A firewall/content filter which can be updated dedicated to protecting a multi-million pound device that can't be updated should be a small price to pay.

  4. CJatCTi

    All products have a support life

    All products have a support life, after that it's tough.

    But we have to keep using "x" as "y" will only work on that.

    Possibly you should have made a better choice than "y" or ensured it would run in a broader environment.

    How much only works in IE or IE6?

    1. Anonymous Coward
      Anonymous Coward

      Re: All products have a support life

      All products have a support life, after that it's tough.

      Let's differentiate between new functionality, and fixing flaws in what was originally built and sold. In my view MS should not have to make XP work with new peripherals, interface using new protocols or the like, but I do think they should be obligated to fix faulty code that they've already been paid for.

      1. jpo234

        Re: All products have a support life

        MS did fix the bug. Recent versions of Windows are safe.

        When people bought the affected WinXP machines they were or should have been aware that support will eventually end. If they choose WinXP in this knowledge its not MS fault when these customers gambled and run an outdated software that became a target of malicious code.

        And: One could argue that MS is not even at fault. The code works fine when it is used as intended. A malware attack clearly is outside the intended scope. You wouldn't claim that a car maker is at fault if a car explodes when somebody maliciously shoots it with a gun.

        1. John Robson Silver badge

          Re: All products have a support life

          "You wouldn't claim that a car maker is at fault if a car explodes when somebody maliciously shoots it with a gun."

          Ford Pinto.

          I think we would. systems should be built with some level of resliance.

          I don't know how many Win98 systems are still around, but MS probably have a reasonable idea of how many there are...

          WinXP is still widely deployed - and security fixes (NOT increased functionality, new drivers etc) should be maintained for a *very* long time.

          OTOH should we also be looking at the suppliers of MRI scanners etc which are often blamed for being the cause of 'staying on a known OS'. They ought to be obliged to release software for newer versions of their chosen OS (whether that's MS/OSx/*nix/*BSD/....) for the expected lifetime of the machine (probably more than the expected life actually)

          1. big_D Silver badge

            Re: All products have a support life

            Windows XP does still get security patches, if you pay for them.

            If you decide to continue using Windows XP, there is the option to pay Microsoft an annual fee to ensure that it get security updates. That is reasonable.

            Either the price of the software needs to increase to cover the extended support costs - so, Windows would cost a couple of grand, instead of 100 UKP, because they will need to support it "forever", or the price needs to remain "affordable",with the knowledge that after a defined period of time (a period of time, which is defined in black and white before you ever buy the product, I might add) and after that period of time, you will either need to upgrade to a supported version, or you need to pay for the extended support.

            Patching older versions of software is an expensive business and it needs to be paid for. If you don't like it, move to open source and patch it yourself, when the maintainers decide that your version is too old (18 months for most distributions, 5 years for some enterprise releases, I think only RedHat/CentOS and SLES offer anything approaching 10 years, and they cost real money).

          2. Anonymous Coward
            Anonymous Coward

            Re: All products have a support life

            OTOH should we also be looking at the suppliers of MRI scanners etc which are often blamed for being the cause of 'staying on a known OS'. They ought to be obliged to release software for newer versions of their chosen OS (whether that's MS/OSx/*nix/*BSD/....) for the expected lifetime of the machine (probably more than the expected life actually)

            You could argue it's the MRI supplier's fault:

            1. The MRI supplier should choose a base OS with a suitably long support lifespan - via contract negotiations with the OS supplier.

            There are plenty of other OS vendors out there for embedded systems to choose from.

            OR:

            2. The MRI supplier should support their own customers, by providing a process for upgrading the base OS *and* associated applications on existing hardware, when the base OS is obsolete.

            And in turn you could argue it's the customer's fault:

            3. The customer should get the vendor to undertake to support the product for the expected lifetime of the product, by means of contractual negotiations at purchase time.

            Of course, everybody is moving to a SaaS model now, including for hardware. I suspect in future you'll be able to rent your MRI scanner by the year. Of course, you end up paying more in the long run, but as long as you continue to pay, the vendor has both the incentive and the resources to continue to support it.

            1. Anonymous Coward
              Anonymous Coward

              Re: All products have a support life

              we see this quite a bit with scientific equipment (I work in a lab) what generally happens is boffins buy say a new HPLC cost £250k from a grant. Said HPLC comes with a PC, software to run the kit and 3yrs maintenance. Boffins run bit of kit for length of grant, say 3 years. Grant funding ends, boffins obviously still use the HPLC for other projects. PC dies year 5 so need a new one, no maintenance has been purchase so they can't upgrade the software unless they pay and software won't now run on a new OS.

          3. Named coward

            Re: All products have a support life

            @John Robson - The pinto was liable to catch fire in a rear-end collision - While collosions are not normal use, it's something that can be expected to happen during normal use (similar to a power outage in PC terms). A better analogy than shooting the car (see mythbusters results on that) would be someone cutting the brake lines. Also, the pinto was recalled during its production run, not long after it stopped being "supported".

            1. fishman

              Re: All products have a support life

              Ford Pinto -

              A friend of mine had a Pinto and a Corolla wagon back then. He was an engineer, and said that the Corolla had the same problem as the Pinto. So he made a modification to his Corolla that was similar to the one Ford provided to the Pinto.

          4. Infernoz Bronze badge

            Re: All products have a support life

            I'd say a maximum of 12 years support for OS's, with subscription-only security-only support after 10 years, because 10 years is the longest even slower upgrading business should try to maintain machines, because computer technology design does age, and the physical hardware can age too and become increasingly more costly to maintain, if you can still get compatible parts!

            Maybe require an audit of the age of computer hardware and software in a business, with warnings issued for too old equipment which is not planned and scheduled for replacement.

          5. JohnG

            Re: All products have a support life

            "WinXP is still widely deployed - and security fixes (NOT increased functionality, new drivers etc) should be maintained for a *very* long time."

            Car manufacturers don't continue to produce spares or provide other support for models sold over 10 years ago. Nor do manufacturers of phones, PCs, fridges, washing machines or pretty much anything you care to mention. The military often demand long service lives for their equipment - but this is for bespoke equipment and the longevity doesn't come cheap. MS and other their ilk are quite open about the life cycle of their products - users cannot expect to ignore this, just because they feel their work is important.

            Back in the 80s and 90s, if one phoned for software support on mini computers, the first question would be about your support contract and the second would be to ask the patch level of the system in question. If the system was not up to a recent level of critical patches, the support folk would suggest that the system was updated to a supported level and to call back if the problem remained. Software support was always contingent on keeping systems up to date. This seems even more worthwhile with the Internet and rapidly changing security threats.

            1. big_D Silver badge

              Re: All products have a support life

              @JohnG it is still the same today, we have support agreements on all critical hardware and software and if something breaks down, the first question is the support agreement number / they check to see if support has been paid and the second is to check what firmware / software version number is in use and if it is old, the first step is to get it on a current version, to see if that fixes the problem.

              (We had that with a server, a SAN and our SuperLoader recently)

          6. Doctor Syntax Silver badge

            Re: All products have a support life

            "OTOH should we also be looking at the suppliers of MRI scanners etc which are often blamed for being the cause of 'staying on a known OS'. They ought to be obliged to release software for newer versions of their chosen OS (whether that's MS/OSx/*nix/*BSD/....) for the expected lifetime of the machine (probably more than the expected life actually)"

            A recent post by an engineer who's worked on such kit suggests that this is by no means straightforward and you could actually brick the instrument by getting it wrong. At the very least you'd have to re-certify the new combination.

        2. MJI Silver badge

          Re: All products have a support life

          But MS have forced the adoption of XP past its natural life.

          THEIR fault not the customers.

          I don't know about anyone else, but you buy an operating system to run programs.

          If they kill off things we keep using OSes that run them.

          As mentioned many many times before.

          Vista killed full screen command prompt (VGA DOS programs) and 7 32bit NETBIOS.

          If they had included 16 bit support in 64 bit, and kept NETBIOS, and still allowed full screen VGA mode applications we would have seen XP go sooner.

          We have had customers FDISKing Vista and 7 PCs to use XP to run older programs.

          1. Anonymous Coward
            Anonymous Coward

            "If they had included 16 bit support in 64 bit"

            They couldn't. AMD decided to remove Virtual86 mode when the CPU is running in 64 bit mode, so it wasn't possible (but in a VM, with all the VM requirements). The culprits is AMD, not Windows.

            Besides NetBIOS, do your also need IPX and maybe something older? <G> Do you know how many vulnerabilities could lurk in those protocols, and their implementation?

            1. MJI Silver badge

              Re: "If they had included 16 bit support in 64 bit"

              The applications were written in a big selling database compiler and the best database for it used native DOS IPX, there was no IP layer in DOS.

              It used NETBIOS to talk to a Windows IP interlayer to talk to the server with IP, this worked perfectly with 2000 and XP, 98 we used IPX as 99% of the servers then were NETWARE.

              MSes aggresive attack on Novell caused all customers to go Windows server, and MSes depreciation of IPX forced the tool we used.

              Search for ADSDOSIP and Windows 7.

              And the server engine can work with all Windows languages I have come across, so at least data is safe.

              The graphics mode though this was games mainly, I remember Wolf3D.

              As to AMD removing 16 bit support, why not leave in for Intel and let them use it as an advertising feature. It would be nice to allow my home PC to run my favourite text editor in 7 (64) as well as XP (32).

              Mind you I raised a laugh today when a customer asked us to check the specification for a server and I said my 10 year old XP PC is more than twice as powerful.

          2. Sandtitz Silver badge
            Stop

            Re: All products have a support life

            "But MS have forced the adoption of XP past its natural life."

            If your customers are married to XP because of NetBEUI/NetBIOS the reason most likely is the 3rd party vendor and obsolete & unsupported software that forced them to use XP. Not MS.

            "Vista killed full screen command prompt (VGA DOS programs) and 7 32bit NETBIOS."

            Vista can run full screen text mode just fine if you use WinXP drivers.

            Perhaps you mean NetBEUI which was dropped from Vista? It was pretty much obsolete back in 2006 when Vista premiered. Windows XP dropped Appletalk and DLC protocols. I'm sure there were a few complaints too, but to quote Spock: “The Needs of the Many Outweigh the Needs of the Few”

        3. Anonymous Coward
          Anonymous Coward

          Re: All products have a support life

          > MS did fix the bug. Recent versions of Windows are safe.

          If a car manufacturer found a fault in the braking system of a car so that they knew it wouldn't work under certain circumstances and decided that they'd only fix the problem for new cars how do you think people would react?

          1. Ken Hagan Gold badge

            Re: All products have a support life

            Good analogy, but it doesn't lead to your desired conclusion.

            Cars are built from components. If the company that makes the brake sub-assembly finds the fault and notifies the car manufacturer, it is up to the car manufacturer to issue the recall because it is the car as a whole that has to meet consumer trading standards.

            Likewise, the MRI scanner vendor can say "Don't attach my scanner to the internet" and then any vulnerability in the component (XP) is not relevant to whether the whole (scanner) is deemed to be working correctly.

        4. Allan George Dyer

          Re: All products have a support life

          @jpo234 - "You wouldn't claim that a car maker is at fault if a car explodes when somebody maliciously shoots it with a gun."

          I would if the car was an Armoured Personnel Carrier. MS has marketed each new version of Windows (from as far back as NT) as 'the most secure Windows ever', during a period that has included all sorts of malware and vulnerabilities, so MS knew they were designing for a hostile environment. They released the code with this vulnerability, ideally, they should have fixed it before release. So, by releasing an XP patch, they are merely fulfilling their obligations 16 years late.

      2. Anonymous Coward
        Anonymous Coward

        Re: All products have a support life

        So how about a new version of XYZ software that causes the flaw in the OS?

        Who then?

      3. Anonymous Coward
        Anonymous Coward

        "but I do think they should be obligated to fix faulty code"

        Do you know how many products in later production batches get fixes which are not present in the earlier ones, often fixing faults that may be not so noticeable? A recall happens only when the fault is so risky or anyway causing enough bad marketing they can't do otherwise (or tell you you're holding it wrong).

        For example I never run to but a new camera model as soon as it is released. Despite the tests, there still could be many little issue that went unnoticed, or introduced by the start of mass production. Often they get fixed later without saying anything to previous buyers. Those products that need repairing sometimes may get the fixes without even telling you (to avoid more request, especially under warranty). Better to wait enough months, and usually you got an improved model...

    2. Anonymous Coward
      Anonymous Coward

      Re: All products have a support life

      >How much only works in IE or IE6?

      IE6 still gets regular (almost monthly) security updates on Win CE 6 - and will (without additional support contract) until late 2018.

    3. JamesPond

      Re: All products have a support life

      Cjatcti wrote "Possibly you should have made a better choice than "y" or ensured it would run in a broader environment."

      You are assuming that there are options. There are some very niche NHS software requirements with only two or three suppliers, sometimes only one-man-bands.

      Some time ago I worked at a Manchester trust and the IVF department were fed up with the supplier of their software. He had moved to Egypt and if the application crashed or gave a wrong result, it could take days to get him on the phone. But researching other suppliers, there were only a couple of alternatives. One had sold to 6 IVF clinics in the U.K. ie the majority at that time. He was an IVF consultant at an NHS trust in London, and he charged £200k for the software and £50k per annum for support. But wasn't available 9-5 because he had his day job!

      I'm not sure whether he would have had much inclination to redevelop his software for Windows10.

  5. Anonymous Coward
    Anonymous Coward

    Not just Windows, the whole hardware/software industry.

    However one thing that does need legislating against is windows update, such a slow resource chewing pig it's untrue. The last round of updates for W10 had my Xeon/SSD machine crippled for ages awaiting a reboot for bloody ages pissing about applying patches. Meanwhile on same dual boot machine huge updates for Suse Tumbleweed are a quick and painless pleasure.

    Microsoft , WU has been broken for years and is not fit for purpose.

    1. Anonymous Coward
      Anonymous Coward

      Windows update is a disgrace. After watching it fail to finish updating for 5 consecutive days with no explanation why, I downloaded the update package and manually updated. Which is par for the course with this steaming POS.

      Today I noticed my network printer wouldn't print. No panic, that's happened repeatedly after allowing Win update to run, a quick driver uninstal/reinstall/reconfigure usually fixes it. 2 hours wasted while that repeatedly failed, never showing an error, lying to me that it was actually printing while otherwise happily talking to the printer. Still don't know what actually fixed it this time. I doubt Windows installing the wrong drivers helped much.

      Yet people still wonder why so many of us block updates? It's broken beyond belief, uncontrollable and deliberate withholding essential information about what it's doing and why it fails. Needs putting down with extreme prejudice.

    2. big_D Silver badge

      My last Windows Update for Windows 10 took around 20 seconds, on an HP Spectre x360 with a Skylake Core i5 processor, I think there is something seriously wrong with the configuration of your machine if it is taking more than a couple of minutes.

      1. This post has been deleted by its author

      2. Dan 55 Silver badge

        No, if you skip updates or go for a time without updating as many people last year did thanks to GWX and telemetry, it can utterly screw itself up.

        I'm trying to sort a Windows 7 machine out, I can't even install the relevant patches manually because when you run them they search for the currently installed patches and then it just sits there for hours.

        1. Anonymous Coward
          Anonymous Coward

          Download and install first manually the latest Windows update client. But there are issues with CPU with only one or two cores (even in a VM)

        2. JohnG

          "I'm trying to sort a Windows 7 machine out, I can't even install the relevant patches manually because when you run them they search for the currently installed patches and then it just sits there for hours."

          There are some fixes for this issue and a specific standalone update from MS. The latter worked for me.

          1. Dan 55 Silver badge

            Found the solution on ghacks in the first comment. A little bit more than one standalone update but at least it works.

            And now I'm uninstalling the telemetry, again.

            No, I will not be 'upgrading' to Windows 10.

            1. Roland6 Silver badge

              @Dan 55 - Glad to see you resolved your Win7 update problem [ref: https://forums.theregister.co.uk/forum/containing/3178008 ]

              I've added the ghacks article to my Win7 maintenance useful information file.

              1. Dan 55 Silver badge

                The most important thing was to turn off Windows Update and disconnect from the Internet before installing the patches in the right order.

      3. Ken Hagan Gold badge

        @big_D: I have, for many years, maintained a small collection of VM images with different versions of Windows. Whenever I work on them, I snapshot them first and revert afterwards, so as far as each VM is concerned, the only thing I have ever done to it is wake it up once a month, let it update and then put it back to bed.

        Several machines (two Vistas and two Win7s) have actually just updated themselves into oblivion under this "cruel regime". That is, they reached a state where they blue-screened at startup and this was repeatable if I reverted to the previous image and let them try eating that month's updates a second time.

        Of the survivors, the XP machines were taking several hours each month by the end (2014-ish) and the Win7 boxes that remain are taking quite a while each month now as well.

      4. Steve 114

        Lucky you. On my good kit Win10 updstes take half an hour. On cousins' XP POS embedded they can take all night, or not at all.

  6. Chrisni

    No. The concept of doing so is ridiculous. The blame here is firmly on those still using an operating system that is 16 years old. Microsoft gave them plenty of warning, offered specialised upgrade programs and eventually resorted to nagware to try and get people to upgrade.

    If anything, the vendors of the bespoke software holding back OS upgrades should be held accountable, as well as the inept IT management that think CAPEX savings outweigh OPEX savings. In IT, they almost never do.

    1. BoldMan

      All very well in theory but when the vendors of the bespoke software have been acquired by multiple orgs and their inept management don't even know what they've bought (not as unusual as you might think) and decide to shitcan these products you rely on...

      Being able to upgrade your drivers between versions of operating systems would be a marvellous ability but the upgrade path from Win XP just doesn't work for many hardware and software solutions.

      Isolating the Win XP off "the net" would be a nice option except of course the x-ray machine needs to send its output to a server and the lack of IT resources means the simplest solution is to keep it connected rather than come up with a bespoke air-walled solution...

      The real world is much more complex than all these "simple" solutions everyone keeps coming out with can handle.

      1. Ken Hagan Gold badge

        "the x-ray machine needs to send its output to a server"

        So it sends it to a cheap linux box containing two network ports. One port goes to the x-ray machine and the other goes to the wider network. Run a script on the linux box to move files onward as required. As far as the x-ray machine is concerned, nothing has changed. As far as malware on the wider network is concerned, it now has to break into a linux box before it can even see that there is an x-ray machine on the other side.

        Yes it is slightly more complicated, but once you've worked out the details you can semi-isolate lots of similarly challenged pieces of kit. (Perhaps the chaps at http://www.nhsbuntu.org could help you set it up.) Yes, it isn't perfect isolation, but it is a perfectly valid component in a layered defence. Yes, it is a pain in the butt, but if it were my job to protect the IT of an entire hospital and I had the constraint of accomodating an XP-driven device, I'd reckon that something like this was what I was being paid for.

        1. Doctor Syntax Silver badge

          "Yes it is slightly more complicated, but once you've worked out the details you can semi-isolate lots of similarly challenged pieces of kit. (Perhaps the chaps at http://www.nhsbuntu.org could help you set it up.) Yes, it isn't perfect isolation, but it is a perfectly valid component in a layered defence. Yes, it is a pain in the butt,"

          And yes, it it impinges on any certification the original machine requires than either you've got to hold off for a few months while that's sorted out or simply shut down for that period.

          1. Ken Hagan Gold badge

            If your x-ray machine's certification depends on certain machines being present or absent elsewhere on a network then I have to question whether the certification is sane, but even so, you just provide the network environment required by the certification and then place my device outside of that.

            There is simply no way that a need to transfer data from A to (eventually) B requires that A be placed on the same network as B.

      2. Doctor Syntax Silver badge

        The real world is much more complex than all these "simple" solutions everyone keeps coming out with can handle.

        Another characteristic of the real world is that evaluating each "simple" solution for each individual case takes time. Half a dozen individual installations with unique, complex requirements could take a lot longer to update than a large office of routine desktops with a common build.

    2. m0rt

      I am not so sure.

      I am very firmly coming around to believe that the current approach, which for now I will term a throwaway approach to both hardware and software, is not sensibly sustainable.

      We tout 'Progress' for progresses sake. But stability, especially in something that has come be deeply rooted (snigger) in most of our lives and certainly on a day to day basis, should really be a core tenet of the design approach.

      Maybe it is time to think about OS stability being more of a concern in consumer, and certainly in business and definitely medical, terms and not just in the terms of where they seem to really hold it in high regard: The Military.

      1. Mark 110

        @ m0rt - I would tend to agree. But isn't that a buyer beware problem.

        Theres numerous solutions to this. Lets take the example of that big capital investment in an MRI scanner. How longs that supposed to last? 30 years - maybe more. Long beyond any OS support lifecycle I know of.

        So how do we deal with the inevitable obsolescence of the control software:

        - You could do it with the support agreement when you buy with the kit. Put clauses in there around ensuring software updates are made available for a supported OS. Get some Escrow in there so you get the source code if they fail to deliver on that. And ideally get some decent penalty clauses in so they pay if you need to address this on their behalf.

        - In addition I would like the control software separated from the OS its running on. A platform agnostic architecture though that's probably easier said than done in a 30 year timescale.

        Just thinking out loud. Best get back to work.

        1. BoldMan

          > - You could do it with the support agreement you buy with the kit.

          Yup and then you get a moronic Minster for Health some years down the line who cancels the support contract to save a minuscule amount of money in comparison to the overall budget and then you are back to square one and screwed.

          1. big_D Silver badge
            Paris Hilton

            @BoldMan

            But then they only have themselves to blame, when it all goes pear-shaped.

            The same is true with Windows XP. They were told a couple of years ago, that if they hadn't moved to Windows 7 or later, they would need to pay annual support to keep Windows XP patched. They decided not to cough up and now they are paying the price.

            They could have paid and they would have received the patches to keep them safe from this exploit months before it was put in the wild. They decided to save a few pounds and now they are crying fould.

            1. BoldMan

              @big_D

              > The same is true with Windows XP. They were told a couple of years ago, that if they hadn't

              > moved to Windows 7 or later, they would need to pay annual support to keep Windows XP

              > patched. They decided not to cough up and now they are paying the price.

              They did cough up but that paragon on Ministerial competence Jeremy C-Hunt cancelled the contract to save £5 million which in comparison to the NHS budget is the loose change you find down the back of the sofa.

        2. HmmmYes

          AFAIK a MRI has a 10 year life time.

    3. alain williams Silver badge

      The blame here is firmly on those still using an operating system that is 16 years old.

      Today is some 16 years after Windows XP was first released, but the important date is when machine were last sold with Windows XP - this was some time near 2010; so for those machines XP is only about 7 years old, but support ended in 2014 - when those machines were 4 years old. It seems to me that a computer that is 4 years old is still quite young, support should have continued longer.

      1. Anonymous Coward
        Anonymous Coward

        "support ended in 2014 - when those machines were 4 years old"

        If you wanted your new computer to last a long while, you shouldn't buy it when there's only 4 years of support left.

        1. tiggity Silver badge

          Your average punter has zero clue about EOL date when they buy a computer, in 2010 an XP machine would have been a cheap but functional option for people on a budget (and if replacing old XP PC, chances are they would go for XP again as could guarantee all their existing software would work OK)

          By that only 4 years support argument why buy Windows 10?

          https://support.microsoft.com/en-gb/help/13853/windows-lifecycle-fact-sheet

          Mainstream support ends 2020...

          1. Roland6 Silver badge

            @tiggity - "Your average punter has zero clue about EOL date when they buy a computer"

            I think you have accidentally hit-the-nail-on-the-head!

            The real problem with software and Microsoft is that MS support policy is based on the date of first release and not 10 years from the date of sale, which is the case with white goods, cars etc.

            I buy a new washing machine from the high st. I don't care if the OEM has ceased production, it still comes with a 1~10 year manufacturer's/store warranty commencing on the date I purchased it.

            To keep things simple, I suggest changing MS's product lifecycle so that it provides support until 10 years after the date of last official retail sale, which in the case of XP was October 22, 2010.

          2. Ken Hagan Gold badge

            "By that only 4 years support argument why buy Windows 10?"

            Well, yes. Why? It's not a foregone conclusion.

            On the other hand, if MS stick to their stated aim of Win10 being the last Windows you will ever buy, they've adopted essentially the same model as Linux:- No given release is supported for more than a few years, but an upgrade to the latest release is free and usually runs all your stuff.

            (Possibly this is why Win10 is now so annoying. MS aren't making any money out of it so they might as well use it as a public beta for all their crazy ideas. The distinction between "current branch for consumers", which makes no money and gets all the shitty experiments, and "current branch for business", which makes money and perhaps skips the experiments that didn't work, would suggest that this is exactly how MS now feel about their former cash cow.)

          3. big_D Silver badge

            @tiggity - in 2010, you could only get XP as a "downgrade" on new hardware, and only for Professional and Enterprise variants of Windows, so that excludes "your average punter".

            Any business buying XP would have to order that extra, or they received a Windows 7/Windows 8 PC and an XP recovery CD. Either way, they had to know that XP wasn't the wisest option.

      2. big_D Silver badge

        @alain williams

        I would agree with you, that the PCs were "only" 4 years old, when support for XP stopped, IF they hadn't been warned 10 years before that of when the end date for support was.

        Those PCs were sold with Windows 7 Professional + downgrade rights to Windows XP, so there weren't even any licensing issues about upgrading and getting continued support. And if they were using Enterprise licensing with SA, versioning is irrelevant, they could have upgraded directly from XP to Windows 10, if they had wanted.

        As it is, they ignored the warnings, still installed XP/ bought downgraded PCs and then, when the support period ended, they didn't take Microsoft up on the offer of extended, paid support. As the Germans say, selber Schuld.

        1. Doctor Syntax Silver badge

          Re: @alain williams

          "Those PCs were sold with Windows 7 Professional + downgrade rights to Windows XP, so there weren't even any licensing issues about upgrading and getting continued support."

          The PC and its OS in such a situation is likely to have been only a component in a larger system, a system which required XP because some client/server application were the client end won't run on a later version.

          You inevitably end up having to consider a more complex situation where simple solutions don't work. Yes, tou could argue that the original system shouldn't have been put together that way. Maybe it wouldn't have been if the original developers only knew what a later OS version was going to break.

          1. big_D Silver badge

            Re: @Doctor Syntax

            But that isn't Microsoft's problem, per se. The user has been warned that support is running out and they either have to upgrade to a newer version (for free in many cases as the hardware will have had a valid license for a newer version of Windows) or they pay for ongoing support.

            In this case, they did neither. They only have themselves to blame.

  7. yoganmahew

    Minimum life..

    Microsoft maintains product for far longer than, say, Google (running at 3 years for fondleslabs, less for phones?) or Samsung (no updates issued ever). Of course, they need to...

    The danger with a minimum life, though, is that it becomes a kill switch, but that can be legislated too.

    And no, Microsoft should be under no obligation to release fixes to cheapskates that it has developed for paid customers. There are surely many more critical fixes that it has for paid customers that also aren't released.

  8. John Riddoch

    Let's look at other operating systems from the same era:

    Solaris 8 - released Feb 2000 - support ended March 2012

    Solaris 9 - released May 2002 - support ended October 2014

    AIX 5.2 - released October 2002 - support ended April 2009

    HP-UX 11i - released December 2000 - support ended 2015

    All seem to run to a similar end of support timeline, although AIX is considerably shorter and HP-UX is slightly longer. All in all, the XP end of support timeline isn't unreasonable, there has been plenty time and warning about migrating off of it.

    1. Anonymous Coward
      Anonymous Coward

      Add the support policies of Ubuntu (a LTS gets unsupported after five years) or Debian... only RedHat has longer support cycles, comparable to Microsoft. Apple macOS is also not better.

      1. Martin Gregorie

        RE: Do we need Windows patch legislation?

        In comparing Linux with Windows, there's one thing you've fotrgotten: the Linux API is far more stable than the Windows API has ever been. This is clearly a matter of design philosophy: Linux has always valued having a stable, well-designed API, so that applications will continue to run despite upgrades while MS has clearly regarded using an incompatible API in each new Windows version as a marketing tool.

        I'm running C code that I last compiled in 2005 and that 'just ran' until last March despite both hardware replacements and the six monthly cycle of Fedora upgrades. In March I moved from 32bit PAE kernels to X86-64 kernels and this did require my C code to be recompiled, but that was only to be expected.

        If I was buying high-value kit such as an MRI scanner, mass spectrograph or radio telescope I'd require the control software on this kit to show the same level of OS upgrade resilience that I've experienced over the last 10 years, i.e. the control software MUST have the same EOL as the hardware it controls regardless of OS upgrades, etc. I could also reasonably expect a copy of the source code to be provided under an NDA or at least to be put in escrow as protection against its vendor's failure.

        1. big_D Silver badge
          Facepalm

          Re: RE: Do we need Windows patch legislation?

          At my last employer, they were still issuing servers to customers in 2015 with SUSE from 2000, because the libraries they used weren't compatible with newer versions and the company that had written the libraries had gone out of business...

          But "it is Linux, so we don't need to worry about security updates," was the excuse for not finding a newer library or re-writing the software for a more modern version of Linux.

          In fact, they did have to switch, because the Linux would no longer install on the current generation "low end" (i.e. Intel Pentium) servers. But security wasn't the driver.

          1. Anonymous Coward
            Anonymous Coward

            Re: RE: Do we need Windows patch legislation?

            We once had to buy ('cos customer required physical copies) old SuSE 7 CDs off fleaBay ('cos customer wanted exactly what was shipped right back at the start of the contract)

        2. Brewster's Angle Grinder Silver badge

          Re: RE: Do we need Windows patch legislation?

          the Linux API is far more stable than the Windows API has ever been....applications will continue to run despite upgrades while MS has clearly regarded using an incompatible API in each new Windows version as a marketing tool....I'm running C code that I last compiled in 2005 and that 'just ran' until last March...In March I moved from 32bit PAE kernels to X86-64 kernels and this did require my C code to be recompiled, but that was only to be expected.

          I'm running 32 bit Windows code I last compiled under WIN 95 OSR 92 in the late 90s. (Borland C++) No need to even recompile when I switched to 64 bit OS.

          Windows driver APIs have changed a lot and I'm not sure how far back Direct X compatibility goes. But bog standard Win32 API has been fairly tightly conserved.

        3. Anonymous Coward
          Anonymous Coward

          Re: RE: Do we need Windows patch legislation?

          Actually, Windows backwards compatibility is one of the best, because it is implied you have olny binaries you can't recompile.. On 32 bit versions you can still run DOS and Win16 applications (on 64 bit AMD removed the needed Virtual 86 mode).

          In Linux, there's a good chance binaries for the previous version won't run on the actual one, and viceversa. Otherwise why would you need backport repositories?

    2. -tim

      "Solaris 9 - released May 2002 - support ended October 2014"

      The last patches for Sol 8 and 9 that I've seen were released 2 months ago. They were hidden in a Zones or Live Upgrade patch, but they where there. There were Java for Sol 9 patches released 28 days ago. The last Sol 9 kernel was Feb/26/2015. Of course those all require an expensive support contract to even find, but they are and supported for some definitions of supported.

    3. MJI Silver badge

      Out of interest.

      Do any of these OSes replacements REMOVE features these have?

      Are their replacements fit for the purpose?

  9. heyrick Silver badge

    Would we excuse the manufacturer and allow unsafe vehicles on the road?

    I guess this rather depends upon what the defect actually is.

    Oh, and note, Windows (various versions) did not "develop a defect" as the question posits. The defect was always there, just not noticed until it was possibly too late.

    For my money, the bad actors here are the NSA. In keeping such vulnerabilities secret, and infinitely more so for the utter utter stupidity of getting their little wizzles ripped off.

    1. Simon Harris

      Re: Would we excuse the manufacturer and allow unsafe vehicles on the road?

      "For my money, the bad actors here are the NSA"

      If you were a government spying agency and found a back door to take control of other peoples' computers, would you let on?

      Keeping it secret - just doing their job.

      Letting it get leaked - doing their job badly.

      1. Ken Hagan Gold badge

        Re: Would we excuse the manufacturer and allow unsafe vehicles on the road?

        "If you were a government spying agency and found a back door to take control of other peoples' computers, would you let on?"

        I'd have to ask whether this was the sort of vulnerability that my rival agencies might also be able to find. (Hint: much of the Windows source code has actually been made available to foreign governments at various points in history, so the answer is a bif, fact YES.) I'd also have to ask if my fellow countrymen might therefore be at risk from the activities of that rival agency.

        Given that the West has, historically, made far more use of computers in their economy than the East, I'd say that the NSA *ought* to have been erring on the side of disclosure (to MS) for most of the last 30 years.

  10. Sam Haine
    Go

    "Licensed" or "sold"

    The fact that software is licensed rather than sold allows software manufacturers to get away with a great deal.

    I can't think of any product which can be sold, be found to be flawed in a way that makes it unfit for the purpose for which it was sold and the vendor of which can't be compelled to repair, replace or offer a refund. However, because software is licensed the Consumer Rights Act 2015 and Sale of Goods Act 1979 don't apply.

    The NHS has lawyers; I'd like to see them test this against Microsoft in court.

    1. Updraft102

      Re: "Licensed" or "sold"

      The very concept of software being licensed is questionable. The software industry is trying to pull a fast one on us with that idea-- trying to eat their cake and have it too. They want the power over their customers that comes with the concept of licensing, but then they want to impose all sorts of other things that are beyond what a license can do, while still calling it a license.

      A license is not the same as a contract. A license is a specific exemption to specified bits of a trademark, copyright, or patent holder to certain other parties to do things that would otherwise not be allowed to under copyright law. Windows is copyrighted, so it is not permissible for anyone to just go burn a Windows DVD and install Windows on their PC without paying. When Microsoft grants a license, they are waiving the prohibition on copying Windows for that individual (the licensee), so that the Windows copyright no longer prohibits them from installing and using Windows.

      A license issued by Microsoft can only reduce the restrictions imposed by the copyright law. Thus, it can only extend as far as the copyright laws go; it cannot impose additional duties or restrictions upon the customer that don't already exist in the copyright law. Microsoft tries to impose a prohibition on modifying Windows files through its so-called license, but that's not within the scope of a license. Neither is the ability for MS to give itself permission to help itself to whatever data on your hard drive that it finds that it wants. Since there's no part of the copyright law that gives the copyright holder the ability to spy on its users, there's no way for a license to grant that privilege to Microsoft.

      As such, the idea that software is "licensed" is questionable... or at least the additional restrictions and duties the copyright holder tries to impose within that "license" are. Microsoft certainly does have the right to license (or not license) Windows as it sees fit, but as soon as it tries to impose restrictions not already part of copyright law, it's gone out of license-land and gone into contract-land. It remains to be seen how the industry standard misuse of the term and concept of license will flesh out.

  11. Richard 81

    It certainly isn't fair to expect MS to support an OS version forever. However, there could be a legal minimum length of support. That way there's a clear line beyond which the responsibility goes from the vendor to the customer.

    1. Charlie Clark Silver badge

      Windows for Workgroup was sold "with lifetime support".

      1. Richard 81

        Then I guess it comes down to how one defines "lifetime". It can't mean forever.

        1. Updraft102

          In terms of my TomTom app for Android, lifetime meant about two years. Lifetime map updates with purchase... until they decided to replace the buy-once, use-forever product (which was quite costly as apps go) with the buy-once-a-year subscription model. They offered me one or two years of subscription to this, and that was supposed to satisfy their obligation. Well, I don't do software by subscription, and I certainly expected to live longer than two years.

          Even worse, the new product was crap, and it didn't even work on my tablet.

          1. DropBear
            Devil

            Interesting - so, for a physical product, does "lifetime warranty" mean "we'll fix it for free if it breaks, from now right up to but not including the moment it does actually break, because that's the end of its life"...?

      2. Anonymous Coward
        Anonymous Coward

        Windows for Workgroup was sold "with lifetime support".

        Lifetime of Windows for Workgroup, not yours. So when it gets EoL (End of *Life*), support also terminates. What did you believe?

      3. tom dial Silver badge

        Product lifetime. Therefore a meaningless statement, as probably ought to have been obvious.

  12. Charlie Clark Silver badge

    Loaded question

    Why should public services get special treatment?

    The question should be: should the exemption from strict liability be lifted from software?

  13. Anonymous South African Coward Bronze badge

    Some CNC machines still run with their antiquated OS (DOS, Windows 95/98 and WindowsXP) on a dedicated PC, along with the drivers for that specific CNC machine.

    Not so easy to upgrade those CNC machines to the latest and newer Windows as the CNC drivers cannot be copied over or will not run on the newly-installed system.

    In this case it will make more sense to have the CNC suppliers dump the source code for their drivers into an escrow pool, so that in future the drivers can be recompiled for a newer operating system.

    1. Anonymous Coward
      Anonymous Coward

      Or just not put them on the network...

      1. Charles 9

        Then how does it get instructions? REGARDLESS of the method, it can be an inroad to infection.

  14. Gordon Fecyk

    Vendors, do your fucking jobs and fix your shit.

    I'm torn on this one. I've been doing this crap for over twenty years and I've seen a lot of shit product from vendors that aren't Microsoft. Yes I've seen a lot of Microsoft shit too, but everyone else makes themselves a much easier target. And then we have this shit used to keep people alive and maintain "people will die if this doesn't work" systems.

    Remember Java's EULA? "You acknowledge that Software is not designed, licensed or intended for use in the design, construction, operation or maintenance of any nuclear facility." And if you search that phrase, you'll see it on a lot of software EULAs, including Symantec's.

    https://www.symantec.com/connect/pages/symantec-connect-software-license

    And who remembers "Windows for warships?" El Reg here even referenced the USS Yorktown a few times here.

    Sad to say, but maybe Windows for desktop PCs shouldn't be used in these environments. The SE Linux folks have a place here, or maybe Windows long-term servicing branches if it really has to be Windows.

    But really: This is 2017 and Vista's been out for ten years; longer if you include preleases that vendors are supposed to be testing their shit against. What are all of these vendors doing? At least locally I'm seeing hospitals and clinics using some version of Windows 7, and that's not including the places that handle money that are using Windows 10.

    I've had to drag vendors kicking and screaming into running their shit on Server 2012 R2 and Windows 10, assuming support responsibility when they won't do what we pay them for support agreements. This is unacceptable.

    (Wow, it took some bullshit like this to bring me out of lurking for five years.)

    1. Dan 55 Silver badge

      Re: Vendors, do your fucking jobs and fix your shit.

      Really the onus should be on the vendor. They should be keeping everything working and that includes the OS. They should pay MS for extra support coverage, they should handle the upgrade to a later version of Windows, and they should even be able to change the OS if they have to keep the MRI or whatever it is running.

      1. Charles 9

        Re: Vendors, do your fucking jobs and fix your shit.

        But what if there's no way to upgrade the OS because Vista and up DROP support for a key piece of the HARDWARE that runs the thing (like say a custom-build ISA interface card--support for ISA was DROPPED in Vista)?

  15. Anonymous Coward
    Anonymous Coward

    I think Microsoft's support length is reasonable, at least it's not android which on many occasions is unsupported straight out of the box.

  16. smudge
    Black Helicopters

    A different question

    For former GCHQ chief Sir David Omand :

    "Should government agencies - such as NSA and GCHQ - be obliged by law to inform manufacturers about security vulnerabilities in PCs which those agencies know are used for essential public services?"

    1. Roger Kynaston

      Re: A different question

      Very true. I am a bit disappointed that none of the finger pointing has looked at the NSA/GCHQ.

      The whole question about what level of support vendors should provide is a very difficult one. I remember invoking a DR contract when a SparcServer 1000 finally gave up the ghost 20 odd years after it was bought and SUN said they didn't have any spare parts. It had Solaris 2.5.1 which had not been patched in aeons of course. I should imagine that there were any number of security holes but somehow it didn't matter in those halcyon days of the early/mid 2000s.

  17. Len Goddard

    Reluctantly

    I have to say that I have a degree of sympathy for M$ in this case. I think a vendor has an obligation to maintain a no-longer-sold OS (or application) for a reasonable period - to use the analogy in the article I believe motor vendors have to maintain spares availabilty for 10 years. However you cannot expect a vendor to continue to support the product indefinitely since it is in no way a cost-free activity. Vendors should be obliged to state a minimum period for which they will support the OS after withdrawal from market. Past that they can offer extended support as a product if they wish.

    In this case the waters are muddied by the fact that M$ apparently had a fix which they did not distribute. You can argue that one both ways. The unsafeness of XP was the best incentive for tardy users to upgrade and to launch a fix would encourage them in their behaviour. On the other hand, had they released the fix in a timely manner they would have garnered some much needed kudos as good guys.

    1. Doctor Syntax Silver badge

      Re: Reluctantly

      "However you cannot expect a vendor to continue to support the product indefinitely since it is in no way a cost-free activity."

      We're looking at a fault which should never have been present in a shipped product. Are you saying that if they manage to get away with it for x years they get a free pass if it brings the house down in the future?

  18. G2

    Win 10 1507 is already no longer supported.

    that poll is broken.. it doesn't offer shorter life spans, current support life for Windows 10 is 2 years.

    Win 10 1507 is already NO LONGER supported.. you either upgrade to a newer edition of Win 10 or you're SOL

    See table 3 of this page:

    https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

    1. Anonymous Coward
      Anonymous Coward

      Re: Win 10 1507 is already no longer supported.

      You'll find that with most MS products since the days of 95.

      XP ended a long, long time ago.

      XP SP2 was the one that was supported until "recently"

      Windows 10 "versions" are just service packs.

  19. Anonymous Coward
    Anonymous Coward

    The problem is not XP. This is a complete smokescreen and red herring. Additionally, people make a mistake of considering the "NHS" as being a single entity. It's not. It's a brand and billing structure comprised of a huge number of operationally independent organisations, some of which are run well and some of which that are run awfully.

    This event usefully provides a census as to which are which, honestly. There is now a publically available list of trusts that were infected because they are not taking appropriate security procedures, such as patching and are running their own improperly configured mailservers instead of using NHS Mail/nhs.net

    I say this, because I know what's blocked on nhs.net, information which is available publically:-

    http://www.ipswichandeastsuffolkccg.nhs.uk/LinkClick.aspx?fileticket=IE4CvEtA3OU%3d&tabid=933&portalid=1&mid=3371

    And knowing where to look...

    https://www.digital.nhs.uk/media/1486/NHSmail-confirmation-it-is-safe-to-connect/pdf/NHSmail_150517

    That is unequivocal. This virus spread via email, and it was stripped from emails received by NHS Mail. NHS Digital (the central team) confirm that the virus was not received or spread through NHS Mail.

    Thus, any trust infected was still running it's own improperly configured separate mail system in preference to using the centrally provided NHS Mail system (nhs.net), probably because the trusts IT department didn't meet the criteria for getting basic account management to NHS.net. (like following processes, which is sort of backed up by these trusts getting their systems shut down by virus infections...)

    Coverage of this in the media, zero. Anybody fancy asking the trusts in question why they are running their own mailservers without filtering or stripping dangerous attachments and without patching their desktops? (Note, every GP practice in the country is an independent for profit business, and does not form part of then local NHS trust; they just bill the trust for services rendered, although admittedly understanding of this is practically zero among the general public.)

    1. Mark 110

      Your thing about GPs isn't quite correct. GPs are on the NHS payroll - they can't make profits - they don't buy their assets (the NHS does) - but they do run a little business on behalf of the NHS.

      Its supposed to create an internal market but not sure it quite works.

      1. Anonymous Coward
        Anonymous Coward

        "GPs are on the NHS payroll - they can't make profits" ?

        From a company offering advice on GP partnerships

        "Advantages Of GP Partnerships

        You part-OWN the business, which means that you can have a say on how it is run. How much your voice counts largely depends on the percentage of the overall business you represent as an individual.

        You share the PROFITS of the practice with the other partners. If PROFITS go up, so does your share. Partners working in a successful practice can therefore hope to gain a substantial income"

        (my emphasis)

        1. Anonymous Coward
          Anonymous Coward

          your thing about GPs isn't quite correct. GPs are on the NHS payroll - they can't make profits - they don't buy their assets (the NHS does) - but they do run a little business on behalf of the NHS.

          Its supposed to create an internal market but not sure it quite works.

          I'm the OP AC. Your point is basically wrong. GP practices are private, for profit businesses.

          Originally pre NHS doctors were essentially sole traders and did house visits because that was what people would pay for when they were sick. They became partnerships because after the NHS was formed it was discovered that a better business model was to group together, buy a building, hire a receptionist etc and then get the sick to come to you. Eliminating travel time increased the number of patients the doctor could see, and colocating two or three doctors in one house meant that they could split the costs of buying a house etc while sharing the profits. The later improvement on this in established businesses was bringing in GP's as saleried employees of a practice so they did the work but the partners of the partnership take the majority of the profits. (capitalism at it's finest, even in healthcare. ;) )

          Some NHS trusts have employed a few saleried GP's directly and usually co-locate them with A&E, largely to meet the 24/7 care requirement introduced a few years ago as it was difficult to get GP practices to do it at any reasonable cost, and it saves the NHS trust money.

          Say the billing rate for a GP to assess my cough is a cold and doesn't require antibiotics is 100%. If you goto your GP then they bill 100% to the NHS trust, which duly pays it. If the NHS trust runs it's own service next to A&E which you visit instead, and it only cost them 70% to provide then they bill themself 100%, and make 30% "profit" on the service they provided.

          Hence why I say that the NHS is more of a brand and billing structure than an organisation. Look at how the NHS was formed and you'll start to understand it a bit.

      2. This post has been deleted by its author

    2. JamieL

      a test of contractor liability?

      And no doubt many of these trusts buy in IT advice and local support from small, independent contractors who operate as limited companies. Time to test how far their negligence liability insurance will stretch?

      1. Anonymous Coward
        Anonymous Coward

        Re: a test of contractor liability?

        OP AC again. In my admittedly somewhat dated experience (IM&T hands on operational management in a countywide trust) the small independent IT contractors tended to offer an excellent service to individual GP sites, often better than we did, frankly.

        It probably helped that they were always geographically close to "their" surgery, and they tended to be impressed that they were working for "the NHS" (even though they weren't because as previously mentioned GP's != NHS) and they tended to treat any fault reported as a "drop everything else life or death emergency" whereas I reserved that for faults with "clinical risk" and I knew what was and wasn't really actually that urgent. And I had a lot of sites (several hundred sites in the database, though some number were closed) and far fewer mobile techs to assign to jobs so I had to prioritise. Generally I found them very happy to oblige and would in my experience bend over backwards to follow rules and procedures such as the NHS SyOps (System Operators Procedures) when given a copy of the appropriate procedures in question.

        The worst sites are the ones where:-

        1) They have a clueless employee "who knows IT" because they unboxed a computer once, and fights any competent outside person visiting as they don't like people pointing out grossly unprofessional messes and practices such as not doing backups are unprofessional and dangerous. Wish I still had access to the department folder of horror pictures to demonstrate some of the things they had going on...

        2) They have an onsite IT manager employed part time (like 10 hours a week) who is either incompetent, or more frequently just doesn't have enough time to do everything required. Fights people encroaching on their turf to the death in fear of their job.

        3) Bad contractors. More usually telecoms than IT, frankly. If the contractors were worse than county level support, the practices wouldn't have been using them.

  20. Anonymous Coward
    Anonymous Coward

    Support it - or Open Source it

    It seems reasonable to give an alternative. Yes, and OS, like anything else, should be supported, in the sense of fixing latent defects, for ever, if it is closed source - because only the person with the source code can fix it.

    If, though, a vendor releases it as Open Source, then anybody can search for and fix bugs, so it would make sense that, after a period (to prevent vendors dumping rubbish, and to check that what they have released is all the source, and that, when compiled, it behaves exactly the way the binaries did), for vendors to be relieved of the duty to repair latent defects.

    1. Anonymous Coward
      Anonymous Coward

      Re: Support it - or Open Source it

      So how do they open source the code without revealing 80% (guess) of their code still used?

      1. Doctor Syntax Silver badge

        Re: Support it - or Open Source it

        "So how do they open source the code without revealing 80% (guess) of their code still used?"

        They can't open source it in the FOSS sense which I think is what the OP meant.

        What they can do is put the source code, including patches, into escrow. If the vendor turns their toes up or if they cease support then the source can be released to specified interested parties wrapped up with whatever conditions were mutually acceptable when the original transaction was entered into. I've seen that made a condition of an RDBMS installation.

        Another option would be to make the source available to interested parties all along under NDA conditions. I've had one gig where part of the source was exposed like that, the user interface being the main part that was concealed. It served the vendor well as they got free debugging.

        1. Fustbariclation

          Re: Support it - or Open Source it

          They can release it as FOSS. Yes, they'd have to reveal stuff that was still used. That would be the choice, do that, or support it.

          Just because your code is Open Source does not mean that it is free. M$ could release XP as Open Source, but still charge people who used a more recent closed-source version called something else.

    2. Anonymous Coward
      Anonymous Coward

      Re: Support it - or Open Source it

      Do you really believe in a very specific devices like health or industrial one everybody has the required skills to find bugs, and fix them? How do you test your code?

      Maybe in your average PHP blog, but MRI processing? Advanced CMC machines? The only one perusing your code will be your competitors to extract as much info as they can. And believe me, they won't report bugs, they will use them against you...

      And the last thing you need are sorcerer's apprentices believing they can fix everything because they know how to install Linux and run vim... you know how it ends, do you?

  21. Real Ale is Best
    Boffin

    Beancounters

    I think the problem is not the vendors, it's the beancounters.

    Microsoft: Here's a licence for your software. We're going to support it till 2015.

    NHS Beancounters: Ok, it's a bit pricy, but fine.

    > Forward to 2016 >

    Beancounters: Well, the computers still all work ok, and licensing Windows 10 will cost lots, especially as we'll have to buy new computers to replace the ones that are not powerful enough! We didn't plan for that. Lets keep on running Windows XP till the hardware breaks. What's the worst that can happen?

    1. Doctor Syntax Silver badge

      Re: Beancounters

      What the beancounters probably choked on wasn't upgrade or replacement of client platformss. It was the rewrite of the whole client/server system so that the clients didn't depend on running on XP.

  22. Anonymous Coward
    Anonymous Coward

    Other options?

    Much as I enjoy Microsoft bashing, I think this is really unfair. Ubuntu LTS (Long term support) is only 5 years on their server branch, why is Microsoft always picked on when it comes to things like this? I know there will be some people who say public sector should move to Linux / OSx / Android / insert OS name here, but Microsoft's patch and support policy is already more than fair.

    These other OSes suffer from security issues too, look at heart bleed etc...

  23. Voland's right hand Silver badge

    It is simply a matter of procurement

    No patches after 10 years, no public tender.

    That would have solved it day one. However, not a single software tender for public services had any long term maintenance clauses attached to it.

    1. Anonymous Coward
      Anonymous Coward

      Re: It is simply a matter of procurement

      Name one vendor in the world that will support that.

      1. Voland's right hand Silver badge

        Re: It is simply a matter of procurement

        Name one vendor in the world that will support that.

        1. RHEL, Oracle, etc - all mainstay Unix(like) OS vendors.

        2. Most telecoms software vendors

        3. Most military software vendors

        4. Most industrial control software vendors

        Now, they also charge a pretty penny too. So if you do not like the prices you should probably make up your mind for the exact way you are going to obsolete what you are buying on day X, not drag your feet 5 years after it was supposed to be obsolete.

        Again - not something public sector procurement ever does. Show me a single public procurement project which planned the obsolescence of the software they are purchasing before they bought it. I have yet to see one.

        So continuing on this subject, a good idea will be to make such procurement without an obsolescence plan an automatic sackable offense.

        1. Anonymous Coward
          Anonymous Coward

          3. Most military software vendors

          Sure, they will sell you exactly the same crap for two decades, because every change needs an incredible number of approvals and certifications. They just have to ensure the crap is available for two decades.

          Remember when USAF was hoarding floppies for its systems? And if you're afraid of the price of Windows custom support, look at the prices of a weapon system upgrade...

    2. Roland6 Silver badge

      Re: It is simply a matter of procurement

      However, not a single software tender for public services had any long term maintenance clauses attached to it.

      Wonder if things have changed at Network Rail... In the days of BR, for railway operational systems the standard expected working life and thus maintenance requirement was 20 years minimum. Which given in the 1980's they were still replacing Victorian infrastructure was a blessing...

  24. Stoke the atom furnaces

    Quality

    If the software was written properly in the first place then it would not need patching.

    1. Anonymous Coward
      FAIL

      Re: Quality

      Please name one bit of complex software that is flaw free.

      Thought not.

      1. Stoke the atom furnaces

        Re: Quality

        Are windowed operating systems complex? The technology is over 30 years old now.

    2. Anonymous Coward
      Anonymous Coward

      Re: Quality

      Quite. Nobody should rely on stuff that's thrown together, in order to make a profit from licences.

      You won't find aeroplanes running fly-by-wire on M$ stuff - if they did, the neighbourhood would be littered with crashed aeroplanes, and sensible people would travel by boat.

      An OS, designed and built for security, written in Ada, would be the thing to use. It would have to be open source, because you can never trust a binary.

  25. Stoke the atom furnaces

    Competition sparks innovation

    It is a failure of both purchase policy and competition regulation by governments that the IT industry is lumbered with a single near-monopoly supplier of PC OS software.

    Until governments start activity promoting alternatives to Windows then cyber-attacks will remain commonplace.

  26. Anonymous Coward
    Anonymous Coward

    Phoenix company solution ...

    With the serious amount of money companies like MS can spaff, even if there was a UK-specific law which could somehow intimidate a US based vendor (a hurdle so far unmentioned) then the tried and tested way out of this will be:

    1) declare the UK subsidiary which holds the liability for patching bankrupt.

    2) start up a new legal entity (shorn of any responsibilities the previous incarnation had accrued)

    3) make lots of money, until liabilities start building up

    4) goto 1

    1. Paul Crawford Silver badge

      Re: Phoenix company solution ...

      Create a UK subsidiary

      Said company is required to escrow all source code before any more of the mother company's product is allowed to be sold.

      1) declare the UK subsidiary which holds the liability for patching bankrupt.

      Source code is released under escrow terms for others to fix.

    2. Brewster's Angle Grinder Silver badge

      Re: Phoenix company solution ...

      Bonus points if the legislation leaves open-source authors with the liability of fixing their software. (Although figuring out who to sue in a project with lots of contributors could be fun, particularly when the bug arises from interactions between patches.)

  27. thondwe

    Get Real

    1) Humans have faults, Humans write Software, ergo Software has faults

    2) Technology changes - should I expect Ford to continue to provide spares for a 1980's Mondeo?

    3) Should the NHS have a contract with the supplier of the MRI machine which dictates that the software that drives up be updated in line with it's dependencies (i.e. OS/Browsers/whatever) absolutely! Or that they open source it so that someone else can maintain it? Or that the NHS has sufficient funding to replace/maintain said software/hardware in order to remain "supported"...

    1. davidp231

      Re: Get Real

      4) The first Mondeo was an L reg, which puts it at '92, which is also the last reg of the Sierra..

    2. jake Silver badge

      Re: Get Real

      I can still get parts from Ford for my '31 Model A and '32 Model B ...

    3. Number6

      Re: Get Real

      I think there is a legal requirement for car manufacturers to provide support and spares for a certain number of years after a car's last production date. At some point they seem to release enough details for the pattern part market to continue providing support beyond that.

  28. TRT Silver badge

    It's tricky...

    because my answer would depend on the criticality of the issue being fixed. How do you define that? Is it a bug that will just cause the computer to keel over and BSOD, thus allowing DOS attacks, or is it a bug that could execute arbitrary code with full system privileges and permanently compromise a machine? What's the likelihood that this security issue is able to be weaponised? Has it been done already?

    Not questions that have easy answers for the legislative machinery to grind its way through.

  29. Stoke the atom furnaces

    Motor car recall

    Surely the comparison here should be with the motor vehicle industry.

    if a vehicle contains a dangerous fault then it is recalled and repaired at the expense of the motor vehicle manufacturer. Why should software any different?

    1. Ken Hagan Gold badge

      Re: Motor car recall

      Fine as long as you realise that the entity analogous to the motor vehicle manufacturer in these cases is the company that makes the medical equipment, of which a Windows OS is merely a component part.

      It is the job of an engineer to create a more reliable whole out of less reliable parts. Otherwise every chain would only be as good as its weakest link.

      1. DropBear
        FAIL

        Re: Motor car recall

        Every chain IS as good as its weakest link. Or maybe you want to explain how one of its myriad other parts protected the Challenger from its Thiokol ring failure...

  30. Ellis Birt 1

    Every product has a design lifetime.

    That should be clearly stated before the product is sold - including consumer products. During that time, parts, drivers, consumables, security updates etc availability should be guaranteed - with an insurance policy covering consumers in the event of supplier failure.

    When a product incorporates another product, the integrator should be responsible for ensuring continuity of support for all components for the life of their product (including drivers and interfaces to other products).

    Then, if someone uses a product beyond its design lifetime it is their problem when it fails.

    You cannot assume that a general-purpose computer (or its operating system) will go on forever.

  31. Anonymous Coward
    Anonymous Coward

    Why only Windows?

    What all the software around, for example my ADSL router firmware has not being not getting updates for a really long time. Isn't it a "critical piece" too? (there's now a pfSense behind it, so not much of an issue, in my case).

    And the real issue is: how long a company, *any* company, should support its software? Support has costs, and they will be of course charged to users, old and new. What's wrong in charging for support? Don't we pay for maintenance of cars, heating systems, etc.? Why software should be different? Most physical items have a limited warranty (and someone outside EU complains the two year mandatory warranty is too long...). Only life-threatening issue will be fixed outside of it for free, usually.

    Software doesn't wear out, but surely "hidden" issues and vulnerabilities may surface. It may not work with newer devices. Old TVs were obsoleted by digital television - should Sony, Samsung & C. have upgrade their TV sets for free? (using an external topbox is no different than putting a damned firewall to protect your old device).

    Also, bugs that are critical security vulnerabilities won't cause a system malfunctioning until it's attacked. In some ways, they are different from a defect that will cause issues anyway (i.e. the Intel Atom one). When people talk about cars recall, they speak about the latter. Not a thief bypassing a vulnerable car security system and killing someone while running away. If a ransomware blocks a critical system, the culprit is the ransomware writer, or the OS provider? If you kill someone because you didn't maintain your brakes - even if there are no more spare parts available, who is responsible?

    Sure, they are a risk, sometimes a big one. Still we have a lot of intrinsically risky items around (guns, knives, tools, some chemicals), and believe we should manage them properly. We know software has intrinsic risks. Why we shouldn't manage them? If I drive a vintage car or bike, I perfectly know it's far from being safe as a modern one. Should I expect it to be different, and the maker upgrade it for free, in secula seculorum?

    In this case, did Microsoft aimed Windows at health devices, promising longer and free support cycles than those for generic use? Or it was the device makers who chose Windows? Why they should be exempt in delivering upgrades of their software running on newer hardware (maybe your ISA card can't work in a modern PC?) and software?

    In this instance, blaming MS looks really overkill to me. Sure, it had the patch for paying customers, and probably it has many others. It's how custom support works.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why only Windows?

      If custom support means only providing fixes to latent defects when people pay, then it is fraud.

  32. Version 1.0 Silver badge

    Crappy coding

    The real issue here is crappy coding and current versions of Windows aren't any better. Operating systems are designed to look pretty, be easy to use and function, nothing else. Security is always something that gets considered but never really tested and most of these bugs are simple buffer overflows.

    How long have we been coding buffer overflows into software? WTF WTF WTF WTF WTF - you would have thought we might have learned by now but apparently not and no sign that this is going to change.

  33. Christoph

    Who is going to do the maintenance?

    To provide full support for all its old systems MS would have to have large numbers of programmers trained up in those systems (no one person can know more than a small part of code that big).

    How are you going to persuade that many skilled programmers to take on a dead end job with no future? What are they going to do to keep current when there's no known bugs to fix? What are you going to do with them after the product is finally killed off?

    The motor car analogy is not directly equivalent - the engineering skills can still be used on modern cars. Detailed knowledge of ancient code is not transferable in the same way.

    Of course the motor manufacturers may run into the same problems as the cars get more computerised, and a car crash can be rather more serious than a computer crash.

    1. Doctor Syntax Silver badge

      Re: Who is going to do the maintenance?

      "To provide full support for all its old systems MS would have to have large numbers of programmers trained up in those systems (no one person can know more than a small part of code that big)."

      They could save money. They could ship better code in the first place.

      And your general thesis founders on a single fact. They have already issued a fix.

  34. Terje

    I agree with most of the people above in that I believe that the supported lifetime of Windows has been well above good enough.

    If you factor in that Microsoft even added in the option of extra paid for support for those that really needed it and by announcing them having them pay through the nose for it incentivised the beancounters to open up wallets to replace and fix what needed to be done. That some organisations even with half a decade of warning still fail to upgrade is not Microsofts fault.

    What I would point fingers at are vendors of kit with a long lifespan that just don't offer upgrades to software and drivers that work on modern systems.

    1. John G Imrie

      What I would point fingers at are vendors of kit with a long lifespan that just don't offer upgrades to software and drivers that work on modern systems.

      THIS^^^^^^

  35. mark l 2 Silver badge

    While XP was only supported until 2014, Windows 7 is under support until 2020, but how does that work when some versions of Windows 7 came with XP mode which is essential a VM running XP, surely if they are offering functions such as XP mode as part of the OS Microsoft should continue supplying patches for the XP mode virtual machine until the support for Win 7 ends?

    1. Roland6 Silver badge

      re: some versions of Windows 7 came with XP mode

      No to my knowledge, MS didn't supply XP mode with Windows 7, it was a wholly separate download and so they were able to make it subject to the same EOL as XP. Remember Win7 was released in 2009, 5 years before XP went EOL and XP Mode was provided more as a way of facilitating migration than a long-term solution.

      However, MS are still supporting Office 2007 on XP - last week I received a bunch of security updates through WUP; interestingly, the SMBv1 fix for XP wasn't available through WUP, it has to be manually downloaded.

  36. tonyw2016

    Safety Related Systems

    The long term availability of Vendor support is a basic problem for Safety Critical and Safety Related Systems and many systems operated by the NHS will be of that nature. Due to the fully justifiable need for design assurance and length pre-service testing, it can often take up to 10 years to get this type of (software) system from initial conception to in service use - and you often want to get 20 years or so of use out of it in order to justify the investment. However, these sort of timescales just don't fit with commercial product lifetimes for a vendor such as Microsoft.

    It is no accident that Linux is now widely used in areas such as ATC etc. It is not because it is free, and not just because of its reputation for stability and security, but because it is Open Source and ultimately this means that the end user can take control applying security patches for ancient versions of the Linux kernel rather than having to pay (a ransom) to the original vendor for support.

    In practice this allows commercial opportunities for specialist support companies to provide long term support for those users that need to have very long in service lifetimes - even beyond those for Red Hat Enterprise.

    The bottom line is that if you are happy for your vendor to dictate the upgrade lifecycle then a product such as Windows may be suitable. If this is not acceptable then Open Source is where you need to go.

    1. Anonymous Coward
      Anonymous Coward

      "ultimately this means that the end user can take control"

      Believe me, I've worked on ATC programs, and this is not the reason. Nobody I knew working on ATC software has the skill to touch the Linux kernel, or one of the many libraries implementing even basic services. Do you believe someone can jump from the kernel to Samba to Apache easily?

      In many large programs lately there's been a push towards FOSS software for political and economical reason (MS is seen as a single supplier from USA...) - but not because the user can easily "take control" of code which is very far from its capabilities of changing it without creating havoc.

      If needed, you would still need to pay some commercial entity to apply the changes and test all the stuff properly - just as write, and don't believe they will be cheap just because it's FOSS... when you have very few places to go, the bill will be high anyway.

      1. jake Silver badge

        Re: "ultimately this means that the end user can take control"

        "Do you believe someone can jump from the kernel to Samba to Apache easily?"

        Why yes. Yes I do. Not everybody, maybe ... But I know many coders who can do that kind of thing easily. And do.

        1. Doctor Syntax Silver badge

          Re: "ultimately this means that the end user can take control"

          "But I know many coders who can do that kind of thing easily. And do."

          And write a distributed version control application in passing.

  37. d00dle

    Flawed analogy

    "An analogy may be vehicles that develop a dangerous defect. Would we excuse the manufacturer and allow unsafe vehicles on the road?"

    A better analogy is, "Should excuse the owner and blame the manufacturer, when the customer has a breakdown on the highway driving a 16-year-old saloon that hasn't been in for inspection or maintenance in five years?"

    There do exist software products that have include commitments to supported lifespan of many decades. They are priced accordingly. However, this typically does not include a single desktop operating system release, and does not include Windows XP (though it was supported for enterprises extraordinarily long).

    Windows writ large has been supported for 30 years, and there is a supported upgrade path at each step of the way. You cannot hold the "manufacturer" responsible when they ignore a product's specifications.

    1. DropBear
      FAIL

      Re: Flawed analogy

      No. Your analogy is not better. Or even valid.

  38. ma1010
    Mushroom

    Complex software changes everything

    If you have an old machine, say a classic car from the 1920's, you generally can't just buy parts for it from the manufacturer nowadays. However, it is possible to get bespoke parts made to keep it running, and there are those who do exactly that, although to do so costs quite a bit more than just buying a new car.

    But complex medical machines cost much, much more than a car. So what do you do with your million pound+ diagnostic machine once the manufacturer of the software that runs it decides to not support that software anymore? We're not just talking PC's here. You can't just go buy a new one for a few quid or get pissed off at MS and decide to put *nix on it. And it's a pretty tall order to try to roll your own bespoke patches when you're dealing with a closed source operating system - and trying to do so certainly would violate the license.

    And even when the issue is just about PCs, just replacing them may not be a simple option. Will the old, bespoke software that they use even run properly on the new version of the OS? Do you, as a government entity, have access to the funding it would take to "upgrade" to the new OS?

    The fact that complex and expensive machinery or essential bespoke software is now dependent on a closed source OS changes everything. Everyone with such machinery is at the mercy of the vendor deciding to support or not support that software. Mechanical devices can be "hacked" easily enough and solutions found to keep them going. But what can the owner do when complex software is an essential part of an expensive device, and the vendor says "F*** you"?

    So should NHS (and everyone else in a similar situation) just throw out expensive machinery because MS decided that everyone should buy a new OS? Perhaps NHS could (if funding were available) put a new OS on all their PCs, but will all the old software run correctly on the new OS? How much would it cost the taxpayers to make that happen? And what about expensive diagnostic machinery? Can a new OS even be put on those machines? Or should the taxpayers be forced to spend millions upon millions of pounds to replace those as well just so MS can make a bit more profit?

    Another question is how much would it really cost MS to patch XP against this kind of vulnerability? Probably not a lot. If they charged all those XP users their actual cost of developing and releasing a patch, the cost to the end user would probably be a few pennies per machine. But they'd rather force their users into "upgrades."

    Legislation? How about requiring that any software used in anything purchased by government must be open source and maintainable indefinitely? That's the legislation that MS and their ilk deserves.

    </rant>

  39. Big_Boomer Silver badge

    Bespoke software

    Most of those who are running XP systems are doing so because the bespoke software they had written/bought back in the early noughties will only run on XP. They chose NOT to pay to update that software to run on Win7/8/10 and thus exposed their nether regions for the script kiddies to maim. Don't start bitching about someone not supporting an obsolete OS when you were given PLENTY of warning that it would no longer be supported. The fault is yours, you were too cheap to get your bespoke software upgraded.

    Lesson learned? I seriously doubt it. I recently saw an SQL 2000 server that still had no SA password set. Slammer anyone?

  40. Sir Sham Cad

    The question is wrong

    It should be "Should The Government be legally required to extend support for systems still in use in front line public services?" closely followed by "Should software suppliers to front line public services be required to update their software to be compatible with OSes <10 years old?"

    Because some services will need to keep running software that simply doesn't run on Windows 7 or above with no upgrade path to one that does. That's how you get XP that won't die.

    Also: For a lot of cash strapped public services, dosh earmarked for IT Infrastructure upgrades/improvements can quickly find itself being diverted into the budget for directly supplying those services. Ringfencing that cash with a legal responsibility to meet a minimum standard for IT might help concentrate minds in the right area.

  41. Spudley

    Many of the systems that were hacked are still on XP because they are running a critical system that in incapable of being upgraded.

    I have heard of some very expensive pieces of medical scanning equipment that are tied to XP. They cannot be upgraded without replacing the hardware, and you're not going to replace a medical scanner that costs a couple of million pounds when the one you already have works well is expected to still have another decade of use.

    So why can't the version of Windows on the scanner be upgraded? Because the hardware drivers for it don't work with newer Windows versions.

    They're stuck on an old version even after all this time because hardware like this goes through a years-long development and certification process before it even starts getting purchased by hospitals; upgrading to a completely new OS would also mean rewriting a lot of the core control software which means you have to start all over again with the certifications. And when hospitals do get to buy a piece of kit like this, they expect it to last long enough to pay for the investment. It's no wonder they're all still running XP.

    But the problem is not so much that support was stopped for XP, it's that hardware like this should never have been based on XP in the first place. It isn't Microsoft's fault; it's the fault of the developers of the hardware. And frankly it should be they, not the NHS that should be the ones on the hook for making sure it is kept patched -- the lifetime support contract that the hospital signs with the vendor to look after the kit should include the software and operating system as much as the actual scanning hardware itself.

    1. Doctor Syntax Silver badge

      "But the problem is not so much that support was stopped for XP, it's that hardware like this should never have been based on XP in the first place. It isn't Microsoft's fault; it's the fault of the developers of the hardware."

      The developers were probably in a bit of a bind themselves. The introduction of commodity H/W and S/W killed off the minis and Unix workstations that were used previously. Even if it hadn't it would have enabled competitors to have undercut any who still used such kit.

      What would have helped would have been the certification authorities requiring long term support. That would have either required MS to offer it or, if they didn't, would have levelled the playing field and allowed specialist workstation manufacturers to survive. That in turn would have needed the certification authorities to have anticipated the situation we now have.

      1. Charles 9

        "What would have helped would have been the certification authorities requiring long term support."

        Then what happens when NO ONE passes because of it? Now you have NO suppliers.

  42. Merrill

    It should be supported for at least the life of the motherboard

    The life of a desktop or notebook is determined by the life of the motherboard and the solid state electronics on it. The mechanical bits, such as fans, disc drives, connectors, and the power supply with short-lived capacitors are easily replaced.

    The life of a motherboard is at least 15 years, so an operating system that is sold for 5 years should be supported with regard to security and safety defects for 20 years from first availability.

  43. bencurthoys

    Are you people all insane? Code has DEPENDENCIES. You can't just write one patch that works on every version of some code you've ever released. If you start with version 1, and then you fix a bug and you have version 1.1, and then you find another bug that someone who hasn't bothered to install 1.1 wants fixing, what do you do? Make version 1.0.1 and 1.1.1?

    Then the next change is going to require you to ship

    1.0.0.1

    1.0.1.1

    1.1.0.1

    1.1.1.1

    and so on until 64 patches later you have 9,223,372,036,854,775,807 versions you're trying to simultaneously support.

    To install a new patch, you must first have installed all the patches that went before, otherwise who knows what will happen. And we have a name for a fully patched version of Windows with every upgrade applied: We call it Windows 10.

    1. Updraft102

      The a la carte patch system we've had for ~20 years has worked quite well... better, in fact, than the "end user IS the beta tester!" Windows 10 cumulative patches that are supposed to be better than the individual patches.

  44. Stevie

    Bah!

    I'm sending a note to OPOTUS and former Cyber Czar Giuliani to the effect that we used to have Unisys mainframes and greenscreens and never once got hacked in twenty five years.

    One massive re-rollout later I shall have employment for the foreseeable future and all the Javascripties and C-like language scaredy cats will be sent off with a flea in their collective ear as they so richly deserve and be told to go back to school and learn proper computers and to keep off my lawn.

    Trump shall Make Computing Great Again!

  45. David McCarthy

    I might have sympathy for Microsoft if ...

    ... if they played fair and provided proper upgrade/downgrade paths from one product to another. They could even charge (not too much) for it.

    Have you ever tried to upgrade a WinXP PC to anything later?

    The same goes for their various email clients. We've had real trouble moving emails from Outlook on XP to Outlook 2010 - it shouldn't be like that.

    Don't even think about Outlook to Mail for Windows 10.

    If only Microsoft were to act responsibly, this issue may never have arisen.

    And I'm sure they could find a way of playing nice and still making a profit.

    It's time they learnt that the big stick isn't the best solution for anyone.

  46. Anonymous Coward
    Anonymous Coward

    Important point here...

    MS have pushed equipment manufacturing companies to use Windows (or it's embedded variants) within their systems. So, a lot of MRI, CAT, X-Ray, etc. machines have a built-in Windows component.

    It is often the case that these cannot be upgraded (especially when MS have "special" code that prevents new versions running on old hardware), but why should a multi-million $ system have to be replaced?

    If an OS is marketed for use in kit like this, it should be supported for the lifetime of the product, not the OS. To be fair, that's why MS have the "embedded" range (XP embedded support runs to 2019), but that's quite often not chosen as it can be a pain to work with.

  47. Packet

    The car analogy has me thinking...

    Do you recall the giant airbag recall over the past couple of years?

    Turns out a bunch of car manufacturers had to replace the airbags with new ones on even those cars that were 15 years old.

    So, by that law requirement, patches would be necessary to older / legacy operating systems?

    Is that a flawed analogy to use?

  48. Anonymous Coward
    Anonymous Coward

    I blame the management....

    I blame the management. I am taking info from the Cambridge news, quoting from Prof Ross Anderson, Professor of Security Engineering at the Cambridge Computer Laboratory.

    “Failing to patch your computers is like failing to wash your hands after going to the toilet. It isn't the Secretary of State's fault. It's not the Chancellor's fault for not giving the NHS enough money. It's your fault. It's negligence.”

    "...typical IT director is a senior clinician supported by technicians. Yet despite having their IT run by well-meaning amateurs, only 16 NHS organisations have been hit"

    Basically this is the same as asking an IT guy to administer an operation.

    Put a decent IT manager in EACH SITE who can take an ACTIVE part in procurement, to point out to the Clinician that the PC will require updates and include that in the contract, and not let a bean counter choose the cheaper option if it can't provide the updates for the life of the machine...

    Who can force local updates, understand the implications of the legacy machines and work ways to solve them. Don't leave it to just large contracts who are tied in and are more concerned with profits for the contractor than solutions for the user.

    AC as I work far too close to a Hospital.....

    1. Anonymous Coward
      Anonymous Coward

      Re: I blame the management....

      It's not quite the same. More a case of going to the toilet and then finding that the means to wash your hands has been removed...

      1. Diogenes

        Re: I blame the management....

        Nope,

        More a case of you went the toilet, and turned the tap on, and found that you had no water because you neglected to pay your water bill, and you were out of soap because the beancounters decided it was no longer necessary.

        1. Charles 9

          Re: I blame the management....

          More like you COULDN'T pay the water bill because the captive market jacked up the price beyond affordability. And water is scarce where you are so only experts know where to look: making them unavoidably expensive and risky to go it alone.

  49. plrndl
    FAIL

    Locking the Stable Door

    What's the point of mandating the provision of patches when the users refuse to install then until after there is a problem?

  50. milet

    The legislation should be very simple: software vendor is either obliged to provide security patches for its software or obliged to open source code...

    1. DropBear

      Precisely. Either keep fixing your mistakes or GTFO of the way.

  51. Anonymous Coward
    Anonymous Coward

    The NHS should have their own OS based on BSD; highly secure, highly standardized, highly specifified.

    Building critical health systems on Windows is folly.

    1. Charles 9

      Unless EVERYONE is using it, leaving you in a bind.

  52. cmcdev

    Blame custom application vendors that the NHS and other companies use. They unnecessarily tie applications to specific OS releases and refuse to support them on newer OSes. These vendors pretty much hold companies to ransom as consultantcy fees and migration fees are so high

    1. Roger Mew

      You are also forgetting that the vendors are assured by MS that the software they issue is new, however software people may spend 5 years on developing a program to run on say Vista and then another year testing and the programme is put on the market when MS announce the projected new software. No the blame has to be on MS. I have had this discussion with a vendor, and he is as pissed off as the end users.

      1. Charles 9

        If he was so ticked, why does he stick with Windows. Almost sounds masochistic.

  53. bjr

    Somebody should be fired at your NHS

    MS supported XP way longer than they should have and when they did stop support that gave years worth of notice. Anyone who is running 70,000 copies of XP in 2017 should be taken out and shot. If they have some software that is XP dependent that they can't replace then they should be running it on XP VMs, if a VM is compromised you can switch to a backup copy in under a minute. In addition to being resilient to attack a VM can run on modern hardware, it's not limited to antique machine like native XP.

    1. Doctor Syntax Silver badge

      Re: Somebody should be fired at your NHS

      " In addition to being resilient to attack a VM can run on modern hardware, it's not limited to antique machine like native XP."

      You do realise, don't you, that in some cases you're dealing with real time S/W that twiddles bits directly on specialised H/W?

  54. Robin Bradshaw

    You could supply support and updates for 200 years after end of life and it wont make a jot of difference if the end users wont apply those updates.

    If legislation is needed i'd suggest its more of the kind that makes not applying security updates in a timely fashion criminal negligence.

    1. Charles 9

      But what happens WHEN (not IF) a security update breaks your machine? Get pwned or get bricked?

  55. John Savard

    Eternity

    As far as I am concerned, a vendor releasing software is obligated to ensure it is free from defects.

    That means there should not be any exploits, any buffer overflows or race conditions or any such thing anywhere in that software.

    The obligation to correct defects in a product that should never have been there in the first place should never expire. Although perhaps some limit, acknowledging that software does eventually become obsolete, might be considered.

    Perhaps 99 years - the same time as the copyright expires? Provided the vendor releases, or has released, the source code by then?

    1. Doctor Syntax Silver badge

      Re: Eternity

      "The obligation to correct defects in a product that should never have been there in the first place should never expire."

      It's also an obligation that might substantially reduce the number of such defects in the first place.

      1. Charles 9

        Re: Eternity

        Except we're only human. You expect perfection out of us, and not even the military and airline industries are spotless.

  56. Steve 114
    Pirate

    Bootlegs?

    My elderly contacts in Russia and China are intensive XP users, never having bought or registered it. Microsoft has no responsibility to them at all, but we all have to note the huge ecosystem for virus propagation of all kinds.

  57. Boris the Cockroach Silver badge
    Holmes

    What

    I've been saying all along whenever the "Upgrade now" or "super whizzy windows" stories come along is

    "What about us who have millions invested in safety critical stuff that runs on WinXp?"

    You cant just 'upgrade' the PC to win10, install the drivers and hope it works because 10 times out of 10, it wont.

    And the price of the kit is such that you need years to get back what you paid, and then make a profit.

    For example, the factory next door to us bought them selves a spiffy new moulding machine , the price... about 500 000 pounds, now imagine that in 3 years time , m$ go fsck you we're not supporting your OS anymore , upgrade or else, and the machine is rendered useless.

    Upgrading your desktop is easy , even throwing it out and buying a new one, but when the control is embedded and has to be proven to work......

    As a side note, we have 4 windows powered machines, the manuals state "If the customer attempts to install updates to these machines, the supplier has no liability for any loss or damage that may result"

    Possibly explains why we make sure the machines either have the Fanuc OS in them or the controls are based on Linux.....

    1. WatAWorld

      Re: What

      "For example, the factory next door to us bought them selves a spiffy new moulding machine , the price... about 500 000 pounds, now imagine that in 3 years time , m$ go fsck you we're not supporting your OS anymore , upgrade or else, and the machine is rendered useless."

      Someone bought a GBP500,000 molding machine that is tied to an obsolete operating system?

      And what did the device manager pay for that operating system? If it were Windows, $25?

      I think the quarrel is with a device maker ripping the customer off by providing an inappropriate operating system to save money.

      1. Charles 9

        Re: What

        "Someone bought a GBP500,000 molding machine that is tied to an obsolete operating system?"

        Yes, because the alternative was probably buying a GBP600,000 molding machine tied to an obsolete operating system. IOW, this is what happens when EVERYONE uses commodity stuff to undercut the competition and win contracts.

    2. Robin Bradshaw

      Re: What

      Should FANUC still be supplying replacement bubble memory and paper tape readers? :P

  58. Number6

    The correct response is for the NHS and other large organisations to require application suppliers to guarantee that they will provide updated versions of their software that will work on newer versions of operating systems for ten or twenty years (or until it's replaced by something else, whichever is sooner), with source code in escrow in case they go bust, so that the base system can be upgraded much more easily. If you're not prepared to play ball then you don't get the contract.

    1. Charles 9

      And if NO ONE agrees, meaning the contract goes unfulfilled and machines start needing to be replaced? Remember there are very few manufacturers of this specialized and very expensive medical equipment. It's a seller's market. They can probably afford to wait it out while customers from other countries ring in.

  59. doug_bostrom

    Fit for purpose?

    When the deployment purposes of commercial software include life safety critical functions, surely it's necessary to have some assurances of integrity that go beyond marketing slogans and porous, permeable warranties?

    1. CentralCoasty
      Flame

      Re: Fit for purpose?

      As has been pointed out earlier - the vendors are selling this kit either with an OS embedded into the equipment itself, or with a PC sitting beside it to run the software.

      Either way it is an issue for the vendor and not M$ in this case. If I were to build some kit and make sure it only works with Win98 and some sucker buys it - who's fault is that?

      Support contracts need to be in place between the original vendor & the customer with the necessary guarantees of support & upgrades for the appropriate life of the product.

      This will stop lazy vendors selling equipment with a soon-to-be-outdated OS unless they are willing to support it themselves. It forces them to keep their own software up-to-date so they can port it from X to Y and keep their customers satisfied.

      If I buy something that has a 5 year life - then I expect 5 years out of it. If halfway through its life part of the kit dies, then I expect to the vendor to make sure they have the parts (including OS's) necessary to keep it running - and if that means upgrading to a new OS then they should be planning for it!

      This then means that there should be no compatability issues with "well we cant patch/upgrade because the application wont run on OS x"... admins can then ensure equipment is patched to the latest version.

      1. Anonymous Coward
        Anonymous Coward

        Re: Fit for purpose?

        IF you've bought a support contract, yes

        1. Charles 9

          Re: Fit for purpose?

          And IF one is offered, which may not be possible if all the manufacturers refuse as a bloc.

  60. Roland6 Silver badge

    "The NHS had 70,000 Windows XP PCs"

    When and is there a reliable source for this figure?

    I ask as a Google only shows the "70,000" figure surfacing in news articles released within the last 24 hours. Which would seem it is a media misrepresentation, just like the often quoted "90% of NHS Trusts still running XP".

    1. Doctor Syntax Silver badge

      Re: "The NHS had 70,000 Windows XP PCs"

      the often quoted "90% of NHS Trusts still running XP".

      And that in its turn seems to have come from a survey - I think a year or two ago - of trusts running at least one copy of XP. The fact that this might actually be just one is beyond the grasp of our mighty national newspapers.

  61. jake Silver badge

    I'm surprised nobody's mentioned it yet ...

    Why the fuck are we even thinking about using a General Purpose OS to run specific purpose equipment? Quite honestly, I've never seen a need to create a spreadsheet, do a little desktop publishing, or browse TehInterWebTubes when using my Bridgeport CNC; my local small animal vet sees no need to do the above when running bloodwork, and my neighbor (who runs the MRI machine here at a local hospital) says he's never seen a need for the above at work, either.

    And now they are putting full-blown Linux into coffee pots and Windows into Refrigerators? WTF? Where in the hell did this need to"OverOS" machinery come from, anyway? Am I the only one who remembers when small & elegant was considered de rigueur?

    Me, I blame marketing running what should be engineering firms ... ANYway, is it any wonder that this entire conversation is happening? We're quite simply using the wrong tools for the job in the first place! Is anybody really all that surprised that they break?

    1. Roland6 Silver badge

      Re: I'm surprised nobody's mentioned it yet ...

      Why the fuck are we even thinking about using a General Purpose OS to run specific purpose equipment?

      History?

      Going back to the 1990's, MS was on the rise and was desperate to become more of an Enterprise IT supplier, hence the development of NT and it's successors, which resulted in the success of XP-SP2/SP3 and WS2K3. Similarly, MS made a big play into embedded, which also paid dividends in XP Embedded.

      Prior to MS and to some extent prior to the consumer IT industry, it was fairly normal to pay for a licence and support and product lifecycles were more about sales than support. Hence why in the mid to late 1990's it was quite common to have businesses running mainframes and other major systems running OS's from the 60's~80's, still being maintained, but not available in the shops.

      I think there was an expectation that once MS had become an enterprise supplier, it also would become more flexible about its product support lifecycle, with pre-existing customers. Instead we've seen MS deliberately take steps that have alienated it from enterprise IT such as releasing a succession of Windows versions since XP that have really been focused on the consumer market and aping Apple (badly) and only belatedly trying to retrofix W10 to the enterprise.

      Which seems to support a stance I took when W8 was released, namely the time between then and EOL of W7 was the best opportunity Linux/open source had to get into the enterprise anytime soon.

      1. JamesPond

        Re: I'm surprised nobody's mentioned it yet ...

        "Why the fuck are we even thinking about using a General Purpose OS to run specific purpose equipment?"

        Capitalism. Cost, speed to market, profit margin, market share. Why develop a bespoke o/s that you then have to support yourself, when there's a COTS available?

    2. DropBear

      Re: I'm surprised nobody's mentioned it yet ...

      For, oh, about a million and one reasons, some considerably more legitimate than others. Not that I wouldn't prefer the "no more than the absolute minimum" approach - I would, I'd take a _firmware_ over an _OS_ every time; and that's exactly how it worked as long as embedded electronics - even the smartest embedded electronics - was too small, expensive and resource constrained to do anything else - and more importantly, didn't have graphic terminals and network interfaces hanging off of it left, right and center.

      But these days all constraints are history, and as soon as you have graphics and images to display or configuration data to manipulate or external storage (as simple as an SD card) to access, you'll be wanting a file system implementation to read stuff from files - preferably several, if you need to accommodate different requirements. If your thing uses _any_ kind of networking, you'll want a stack implementation that will probably also include full TCP/IP and/or low power mesh stacks (some of which are already IP-based) and whatever else you might need. If your thing is expected to do several different things at once (as most things should and almost all still fail, even in spite - or maybe precisely because - being OS-driven) you'll be wanting "parallel" execution (and what a joke that still is...) and thread management. Your device might even need to juggle a non-trivial amount of data, at which point you'll be reaching for a gun if you can't use files and a database. Heck, if your hardware is voluminous enough you might even have a need to connect to a variety of peripherals like keyboards or mice / trackballs or USB webcams etc etc etc doing any of which without the benefit of an OS with all of its drivers is guaranteed to make you point said gun away from yourself and towards other people in a fit of homicidal rage.

      Now, sure, any and all that _can_ be compiled into a monolithic firmware, but doing it _properly_ every time is going to be harder than writing that mythically exploit-and-bug-free software; and you'd be duplicating effort that has all been already expended - you'd be building an OS by any other name. So you'll be wanting an actual OS that already has all that instead of vendor libraries reimplementing all that (poorly) for each new product line, an OS with at least a modicum of maturity and periodic maintenance / security updates; an OS that even probably runs on a range of hardware instead of proprietary "support libs" for each.

      And that brings us exactly where we are - and I'm not interested here in debating how and how long support should be done. All I'm saying is - and it pains me very much to do so because it also obsoletes me in the process - the era of making do without an OS in everything except the simplest of LED blinkers is well and truly gone; and worse, it's gone for a good reason.

  62. Roland6 Silver badge

    Poll: If so, how long should Microsoft supply patches?

    Interestingly, the poll didn't ask whether MS should be able to charge for supplying patches beyond their normal product lifecycle EOL. It would seem there is an implicit assumption that MS should provide patches for free to all.

  63. Palpy

    A tidbit from the NY times:

    "The [medical] machines can (as they should) last for decades; that the software should expire and junk everything every 10 years is not a workable solution."

    Reffy

    (Aside: Yes, I believe the proper Brit-sprecht is "titbit" but I'm an illiterate Yank.)

    The opinion piece continues:

    "First, companies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn’t expired; neither has their responsibility to fix defects. Besides, Microsoft is sitting on a cash hoard estimated at more than $100 billion (the result of how little tax modern corporations pay and how profitable it is to sell a dominant operating system under monopolistic dynamics with no liability for defects). .... At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, 'pay extra money to us or we will withhold critical security updates' can be seen as its own form of ransomware."

    The author of this particular opinion piece is Zeynep Tufekci. The piece is well worth reading.

    Slam sys-admins for not upgrading to Win 10 even though it breaks million-pound hardware/software packages if you wish. Personally, I believe the problem is far knottier than that.

    You've a hospital with limited funds. Spend those funds on equipment to implement a new cardiac ablation procedure (treating potential fatal heart fibrillation) or spend those funds to replace a perfectly good MRI machine because its software package only works with Windows XP? Hire another nurse practitioner to provide better care in the woefully understaffed terminal ward, or hire an IT specialist to get legacy hardware sequestered from the rest of the hospital network?

    My hat's off to the admin who has to make those decisions.

    1. WatAWorld

      Re: A tidbit from the NY times:

      "The [medical] machines can (as they should) last for decades; that the software should expire and junk everything every 10 years is not a workable solution."

      Can you give us an example of a medical device, CT scanner, MRI, etc. that runs Windows?

      I think you'll find that Windows is run on things like PCs used as PCs, not $50,000+ specialist hardware.

      1. Palpy

        Re: MRI running Windows

        I wrote, "a perfectly good MRI machine because its software package only works with Windows XP". I didn't imply that the machine itself runs Windows OS.

        That said, it's not unusual to find a Windows RT PLC here and there. I think we have one at my facility. The others that I've worked with all show a penguin at boot-up.

        I'm not in medical automation, but I do remember reading trade news about a new oil refinery which was installing a particular plant-wide automation package. That version being installed only runs on XP. And that was in 2014, when XP was already very near EOS. And mind you, the software in this case does not run just one machine but virtually every valve and pump in the plant.

        (In the latter case, installing that version was a very bad decision on the part of the Chinese company building the plant, IMHO. Of course they may have specced that version so it would be fungible with existing installations, but it's still very short-sighted. Says me, who really knows nothing about the situation on the ground.)

  64. WatAWorld

    Not years after launch, years after sale, and not MS, any electronics any operating system

    Not years after launch, years after sale, and not MS, any operating system sold with any consumer electronics.

    So Android, Windows, iOS, MacOS, ChromeOS, etc.

    And this would include Linux if Linux were sold with a consumer device.

    I suggest 10 years in general.

    And 15 years for devices costing in excess of US$500 if there is no follow on OS that can be installed.

  65. WatAWorld

    Let us here from OUTLAW on this. Nothing is sold with a warranty against vandalism

    Nothing is sold with a warranty against vandalism.

    Do you guys think your cars are warranteed against people being able to smash the windows?

    Do you guys think Chrysler Warranteed the M1 Abrams main battle tank against vandalism?

    If this went to a court I think the MS lawyers would be quite rightly saying, "We never promised our software would be vandal proof."

    There would be no case to be brought.

    But I'm not a lawyer. WHY NOT COMMISSION OUTLAW.COM TO DO A FEATURE ON THIS ISSUE?

    Is there a case under US law? Under European law?

  66. Allan George Dyer

    Proposal: Copyright Ceases when Support Ceases

    Require developers to provide fixes for security and original functionality (but not upgrades) at reasonable cost, say 10% of the original purchase price per annum. They can choose to discontinue this support, but the software becomes public domain.

    This allows the developer to make a commercial choice, and may reduce the amount of electronic junk sent to landfill because it's 'too old' to support.

  67. Timmy B

    Perhaps a clear use by...

    On the back of boxes or on installation dialogs.

    "This software will be patched for general use until x date and security patches will be issued until y date". Just to make it plain and clear to the users. After all it's not just PCs that could do with this - Smart TVs, Phones, etc.....

  68. d3vy

    Even if my were legally obligated to provide non-ending support for XP most of the affected machines were windows 7&10 machines that had not had the march update rolled out to them. At least the instances I have seen in my dealings with CCGs in the north west.

  69. Anonymous Coward
    Anonymous Coward

    David Omand is not a coward...

    It cannot be said that David Omand is a coward. Being chief of GCHQ (comparable to NSA) and therefor responsible for withholding known security holes to the software manufacturer, he is absolutely not in the position to point his finger to MS.

    I would rather go a step further: he (his organization) facilitated that the real responsible guys (the criminals using the vulnerabilities) could commit their crimes.

    Besides that: MS had made it possible to get security patches when you pay for it. This very much looks like real life: you get what you pay for.

  70. Dan White
    FAIL

    Car Analogy Fail

    "An analogy may be vehicles that develop a dangerous defect. Would we excuse the manufacturer and allow unsafe vehicles on the road?"

    AFAIK, the longest vehicle warranty offered is currently 7 years. This is a 16 year old piece of software that has received thousands of updates during its lifetime. It should have been scrapped years ago for a newer model with the fixes baked in, and that is exactly what has happened, at least three times since XP in fact.

    I'm charitable enough to assume that MS didn't *deliberately* ship with vulnerabilities, and has actually spent a huge amount of resources fixing and updating them where found. To crowbar this back to the car analogy, new vulnerabilities are discovered all the time in software. By definition, they weren't known at the time of shipping. Would you expect a car manufacturer to recall your 16 year old engine because it doesn't meet new emissions standards? Eventually you have to bite the bullet and buy a modern car.

    1. DropBear
      FAIL

      Fail Fail

      To illustrate your car-based IT analogy with an IT-based analogy - no, you should not be required to implement SHA1 in an old product when MD5 becomes impractical to use. If your implementation of that existing MD5 is found buggy however, you absolutely should be forced to fix it well into the next millennia or until you acknowledge having abandoned it by fully releasing it as open source.

    2. JamesPond

      Re: Car Analogy Fail

      "AFAIK, the longest vehicle warranty offered is currently 7 years"

      I agree the car analogy is not a like-for-like comparison, although Chrysler had to recall 14 year old Jeeps that had poorly designed fuel tanks that exploded when the vehicle was rear ended.

      However, a car being hit in the rear is totally foreseeable. I'm not sure Microsoft could have foreseen the exponential growth in malicious attacks , especially from nation states, and encrypting the hard drive for ransom when they started developing XP.

      1. Allan George Dyer

        Re: Car Analogy Fail

        @JamesPond - I don't know when MS started developing XP, but let's say it was when they released its predecessor, W2K was released in 1999, when the malware threat was well-established and growing fast. There was an encryption attack, the AIDS Diskette, much earlier, in 1989; though that was badly-planned it showed the possibility. The possibility of an asymmetric encryption extortion attack was the subject of nightmare scenario speculation among anti-virus researchers during the 1990's, as I recall. But that, and the possibility of a nation state attack, is not really relevant, the patch fixed a flaw in the SMB implementation, and MS knew their customers would be plugging into public networks so the security of their network protocols was critical.

  71. Anonymous Coward
    Anonymous Coward

    So does GCHQ have zero days stockpiled?

    Perhaps Omand could address the question of the morality of security services sitting on piles of zero days for critical software and allowing large parts of the world's economy to go unprotected - when they could fix it.

    So long as security services know about critical weaknesses and don't inform software companies they can't claim to be keeping us safe.

    But Omand won't say anything because we never comment on security matters - apart from when they want to comment on security matters.

  72. analyzer

    I'm no fan of Microsoft.

    I haven't used MS products on a personal level for well over a decade now but the furore over this is just plain ridiculous. This has been caused by upper management not taking IT seriously at all and this is not confined to civil facilities. It should be impossible to manufacture the amount of Teflon that these people have on their shoulders. MS gave 4/5? years of warnings that XP was being deprecated and then a pay extra program that got increasingly expensive to encourage people to do the right thing and deal with the issue.

    At that point upper management should have been asking about the security of their computing estate and how to guarantee its future security and providing the budget for the implementation, not stuffing their snouts in the trough until the money covered their eyes.

    8 years to air-gap or secure access a critical unchangeable system is more than enough time for any properly run organisation. Upper management in this country does not meet the criteria required. MS committed to support XP Embedded systems until 2020 and these patches are a function of that.

    The debacle that has occurred with XP desktop is due to idle, feckless upper management and any prosecutions should start at board level and work down.

  73. Richard Conto

    Third Party Vendors

    And what of the third party vendors who sell equipment that should reasonable be expected to be in service for 10+ years - and who incorporate a Windows (or Linux, etc.)?

    When vendors lock down their equipment to a specific version of Windows and (by design) refuse to accept software updates (even critical updates), then hospitals (and manufacturers and research labs) are going to be caught.

  74. Twanky

    Eternal vendor support.

    No. Hell no.

    The boot should be on the other foot. Those who run essential public services should be required by law to ensure they are supported.

  75. "Pike your name, pike your nature"

    Microsoft virtually gave away XP in order to get people onto it. The man on the Clapham omnibus had to pay loads; Dell was paying sub $5 per copy.

    Having achieved market domination, Microsoft then went on to abuse that dominant position, and now wants to abuse it again. I wasn't caught by Wanna Cry; I don't have any XP machines; but I'm a "user". I can afford to upgrade - I don't have specialist software that has been written to run specifically under XP like the NHS had. Microsoft tried blackmailing users into upgrading (you know - much like W10) and when it failed, it abused it's market position to break their products.

    I wish, I really wish, that HMG would dump MS for an in-house secure version of Linux. But they won't - too many MP's want to play on their Windows PC's.

    And as for the "vote" - what did you expect when you ask a random sample of people who make their money out of fixing Windows PC's when they go wrong!

  76. JulieM Silver badge

    The answer I wanted was not there

    The answers I really wanted to give were not there.

    1: Any vendor of any proprietary, closed-source software product absolutely should be obliged to provide support, to any legitimate user (not just government), without let or hindrance.

    2: Such support should be provided, not for 5 years, not for 10 years, not for 20 years, but forever. Hardware is subject to mechanical wear and tear, and dependent upon the supply of suitable replacement parts; software is not. The first computer program ever written would still run as well today as it ever did, if only a suitable emulation environment were available.

    3: O.K., not strictly forever. The vendor may, at any time, delegate their responsibility to provide patches by handing over the complete, annotated, human-readable Source Code and Build Instructions on machine-readable media to another party, who will then assume the onus to provide support in perpetuity; or by making said Source Code and Build Instructions available to every legitimate user of the software, and granting permission for any user, or anyone acting as their agent, to study and adapt the software.

    Preventing someone from using software that they have purchased is tantamount to criminal damage.

    I have never paid for a piece of software in my life and, unless the vendor was willing to supply me with the Source Code -- which I get, with the software I have not paid for -- I have no intention to start.

    1. Charles 9

      Re: The answer I wanted was not there

      So what happens when you need software and NO ONE is willing to provide the source, say for trade secret reasons? Do you go without or roll your own?

      1. Anonymous Coward
        Anonymous Coward

        Re: The answer I wanted was not there

        I've written my own;

        I've done the job in ways that didn't involve new software.

        But for most things I do (and indeed for the thing I wrote software for - I preferred my approach and it took over form some legacy software) there are people who think as I do who have made software available.

      2. JulieM Silver badge

        Re: The answer I wanted was not there

        Yes.

        I start by doing it manually. This gives me an idea of the data structures I am going to need. Then I write my own software.

        Sometimes I even release it as Open Source.

  77. Roger Mew

    The timescale needs to be as per vehicles, at least 10 years for maintenance after last sale. It is not the launch that should be used otherwise the clever little urchins will then run the sale for the period of the maintenance and then just stop. by making it from the date of the last sale or at least the last date of 1st time registration or activation of the software.

    As a lot of software for Vista was only released 2 years before the stopping of issue, and the last registrations only as recently as 5 years those people should rightly be feeling ripped off!

  78. Adrian Midgley 1

    There's a fair compromise...

    That vendors are required to maintain support for software while an[1] operating instance remains in the world[2] ... OR until they publish the full source code - all needed to compile working instances - under a licence allowing study, support, distribution of altered versions, extension and patching, which in practice is going to be a GPL.

    Then if the task is onerous and no profit can be made from it, the company loses nothing by publishing, and ends its responsibility. If it is a business decision, then their ex-customers get to make a business decision as well, and people who like supporting that sort of thing, likewise.

    [1] You might put a number higher than 1 on that, or not.

    [2] or country, or business, or public service, or government...

  79. Anonymous Coward
    Anonymous Coward

    When you buy a piece of infrastructure (Cat scanner, Xray, something with custom hardware etc) for $bignum currency units, One would expect to receive full support for the combined system for it's service life.

    The kind of systems we're talking about aren't just some PC running XP, but effectively plant machinery, sayin too bad it's the OS is end of life is not acceptable.

    The suppliers of said hardware must be held accountable, if they go bust, then the any software or documentation must be made available to their customers. In the case of the NHS, this would not be Microsoft. It would be the supplier of these critical systems.

    A bit like the "Good old days" when source code was provided at installation.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like