* Posts by Doctor Syntax

16449 posts • joined 16 Jun 2014

Do we need Windows patch legislation?

Doctor Syntax Silver badge

Re: Forced to support forever

"Of course 16 years is too long to expect a company to support a product"

There's a difference between supporting a product in terms of adding new functions or drivers and fixing a defect which was present when the product shipped.

But let's not lose sight of the fact that when the shit finally hit the fan MS made a fix publicly available within hours.

If they were under no obligation, it was too long to expect them to do it etc then why did they do it?

I can think of three explanations:

1. It was to mitigate a PR disaster.

2. Events brought it home to them that they had a moral rather than a commercial responsibility.

3. They anticipate legal action and are attempting to mitigate any penalties.

I don't think the last one flies - it simply points out the fact that they'd held back something that could have been made generally available.

But let's not lose sight of the fact that for whatever reason they have done what lots of commentards have said they didn't have to do.

Doctor Syntax Silver badge

Re: All products have a support life

"OTOH should we also be looking at the suppliers of MRI scanners etc which are often blamed for being the cause of 'staying on a known OS'. They ought to be obliged to release software for newer versions of their chosen OS (whether that's MS/OSx/*nix/*BSD/....) for the expected lifetime of the machine (probably more than the expected life actually)"

A recent post by an engineer who's worked on such kit suggests that this is by no means straightforward and you could actually brick the instrument by getting it wrong. At the very least you'd have to re-certify the new combination.

Doctor Syntax Silver badge

Re: Lawyers

"As far as I can see it also went to those who used a well known registry hack to continue support for XP!"

That wouldn't be a viable option for anyone who needed to maintain some sort of certification.

Doctor Syntax Silver badge

Re: Lawyers

"The lawyers have more chance of getting Comey his job back that getting MS to admit to anything."

It's not the lawyers' job to get their clients' opponents to admit anything. Their job is to get a court decision in their clients' favour. An admission might be useful but not essential.

Doctor Syntax Silver badge

Re: Forced to support forever

"I agree completely. Your last point is interesting though - if this were OSS or M$ had decided to open source the code at end of life, then governments & corporations around the world would have had the *option* to build their own in-house support for the product."

It wouldn't be necessary to open it in the FOSS sense but to place it in escrow. The terms for release from escrow could place an NDA on whoever then took up maintenance. This would be a sensible provision where it's been incorporated in a product whose reasonable life expectancy exceeds the support life of the product. It's maybe something that regulatory authorities could require for medical equipment in the future. If an OS vendor was unwilling to do this then the equipment supplier would be obliged to go elsewhere.

Microsoft could agree or not as it pleased. If it judged the market too small to bother about that would be their commercial choice. If they chose not to remain in that market the equipment makers would be free to look elsewhere. Give or take proprietary drivers FOSS fits this bill automatically. There would be scope for someone to offer support well beyond the normal life of an LTS distro as a commercial proposition. An existing proprietary embedded Unix derivative such as QNX or VxWorks might also be a good fit.

IBM's pension fund sells most of its IBM shares

Doctor Syntax Silver badge

Re: Possibly good strategy

"Remember it's those who are paid the most who get to gain the most from the pension fund."

The staff, especially those at a senior level, should be isolated from those making the investment decisions if only to avoid charges of insider trading.

How to reward an IBM exec for lower sales and shrinking profits? Promotion

Doctor Syntax Silver badge

"IBM’s UK overlord David Stokes is getting his just deserts for presiding over a sustained period of sliding sales and plummeting profits - he’s being promoted."

No doubt he won out over strong competition from other IBM execs who even now are wondering "how much more do I have to lose?".

Why Microsoft's Windows game plan makes us WannaCry

Doctor Syntax Silver badge

"If anything good comes from WannaCrypt, it'll be the final death of XP."

No, if anything good comes from WannaCrypt it'll be a whole new emphasis on how OSs are designed and built, how they communicate and how the computing elements of safety or health critical equipment are certified.

While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February

Doctor Syntax Silver badge

Re: Eh?

"Microsoft provided the patches to those who had contracted for support of XP. No hoarding."

So why have they released it publicly now?

Doctor Syntax Silver badge

"It's possible that the patch was built in February as part of the general build process but not pushed through QA because it was unsupported code. Or perhaps it was only available to those paying for extended cover"

The second comes as has been said already. But if it was only available to paying customers why release it publicly now? The only two explanations I can think of are that they realised it was the responsible thing to do or that it's an attempt to remedy a PR disaster. You can take your pick but in reality it's a case of better late than never but better never late.

Doctor Syntax Silver badge

Re: Blame all round

"MS for relying on seeing an exploit first before being able to patch it."

Did they not run any static analysis tool on this code? If so did it not flag this up? And if it did, did nobody stop and think what could go wrong?

Doctor Syntax Silver badge

Re: Munich city now planning to move ALL their Linux desktops back to Windows

"anything even slightly dissimilar to the MS-based environment to which they are accustomed."

Which MS-based environment? They keep changing it at whim. <cough> Ribbon. Tiles.

Doctor Syntax Silver badge

"I disagree: the principle operation of the product was to provide an O/S, which it did (rather well at the time as it happens)"

One of the functions of an operating system is to provide a degree of security.* It's not like arguing that a lock is a subsidiary function of a car. And that gains even more force when one of the products was a server rather than the desktop OS.

*Or are my expectations being warped here, coming from a Unix background?

Doctor Syntax Silver badge

Re: Plenty of blame to go around

"Supporting former customers for free is a sure-fire method to increase your expenses and reduce your profits with no gain for you."

Letting stuff like this fester until it manifests itself by large scale damage is a sure-fire way to make people ask whether they should become future customers. That's not exactly a gain especially when those "former customers" are also your current and hoped-for future customers.

Doctor Syntax Silver badge

Re: Fixed your car analogy

Car analogy: Vehicles were sold 15 years ago and their brakes are knackered. Customers are told "you can only get them fixed if you pay a mechanic"

Car was sold 15 years ago with an egregious design fault.

We're repeatedly told here by commentards that the product was supported for 13 years. So why during those 13 years was it not found and fixed? In all conscience 13 years ought to have been long enough. It sounds like the sort of thing that any static code analysis tool should have highlighted.

Doctor Syntax Silver badge

Re: "2)Did it even need Windows or could it have just had a GUI "

"don't expect those companies to open source a lot "

No, but they do need to place their code in escrow so it can be picked up by others should they decide they don't want to support it, be taken over by someone else who doesn't want to support it or even just disappear without trace. That should be a regulatory requirement.

Doctor Syntax Silver badge

Re: Microsoft being Microsoft then. Another day, another vuln to fix.

"2)Did it even need Windows or could it have just had a GUI that looked and worked enough like Windows that healthcare staff felt comfortable using it (IOW who cared if it couldn't run Office?)"

Originally makers of complex kit that needed to be computer driven had a number of choices. Some would be embedded controllers with their own specialist libraries. Another would be a mini such as a PDP8 or a Nova (I remember our lab having a Nova driving the X-ray fluorescence analyser on an SEM). Back in its glory days of being an instrument maker HP made an amazing variety of these for its own products.

The arrival of commodity computers and commodity OSs rendered that uneconomic. Any manufacturer taking the traditional route would have been priced out of the market. Even if they had they'd have ended up shipping kit that had even less long time support life - where are DEC and DG these days?

The trouble is that as the market for complex instrumentation matures the expected life of the product exceeds that of the computing side. Back in the '70s that XRF attachment might have become obsolete before the Nova was EoL, now a piece of equipment which represents a major investment might be expected to last well beyond the period for which the OS supplier is prepared to support their S/W and the computer H/W may outlast the S/W and yet not be supported by newer OS versions. In such instrumentation systems computer H/W is liable to be closely integrated with the rest of the instrumentation. I think the XRF was using the Nova's memory to replace what might have been an array of discrete counters in an earlier generation and the post by a_builder in a previous thread detailed some of the issues in medical imaging.

Perhaps a solution, at least with medical equipment, lies with the regulatory bodies. They could require a code escrow agreement for the OS code in order to gain approval. That would have required MS to escrow their code if they wanted to sell into that market so that someone else could take over support at EoL. For the most part FOSS already complies with that although vendors supplying drivers as binaries would need to comply or shut themselves out of that market.

For kit that needs certification upgrades are another problem. Any upgrade to S/W that operates the instrument would need recertification. Routine OS upgrades couldn't be applied without testing against a real instrument. Such S/W needs to be buffered against the wider hospital network.

This last event and the earlier attacks on US hospitals point to a need to reevaluate the way medical systems are certified. One aspect of this would be to require information systems, including the network facing aspects of imaging systems etc, to be re-certified every few years and part of that would be to require them to be running on S/W which was still within support life for the duration of the next certificate. That, had it been the norm, would have long ago weeded out systems that still require ancient versions of IE; it would have driven suppliers to write standards compliant S/W from the start.

Doctor Syntax Silver badge

Re: Munich city now planning to move ALL their Linux desktops back to Windows

"https://mspoweruser.com/munich-city-now-planning-to-move-back-all-their-linux-desktops-back-to-windows/"

And who might mspoweruser.com be I wonder.

Doctor Syntax Silver badge

Re: Wormable holes

Edit: For systems that are still in widespread use, of course.

EYEFY

Doctor Syntax Silver badge

" It is totally within their right to charge for the patches"

Let's not lose sight of the fact that this is a patch for a basic design error in their product. If this was your car and not a piece of software would you expect to have to pay a maintenance contract or would you expect a manufacturer product recall?

Doctor Syntax Silver badge

"I'm not sure where I sit on this."

Let me provide you with a cushion.

"Microsoft is under no obligation to release patches for an OS it no longer supports without being paid."

It sold a defective product and wants to be paid to fix it. How many other industries would get away with this being standard practice?

Doctor Syntax Silver badge

Re: Latent product defect??

"Seeing as it no longer printed out on the box like it was with Win3.x, and Win9x"

If it was sold in a box big enough for that there'd be complaints about excessive packaging.

Doctor Syntax Silver badge

Re: Plenty of blame to go around

"Yes lets put everything in the cloud, patient records, hospital appointments, drug information..."

OTOH Google seem to be getting this wholesale from some hospitals so why not?

What's more my GP's practice along with many others seems to be outsourcing all their records to some web service.

Doctor Syntax Silver badge

Re: Plenty of blame to go around

Microsoft's "crime" amounts to "not giving away their code for free to people who had made a positive choice not to pay for it".

Car analogy: Vehicles are sold with a serious brake fault. Instead of a recall customers are told "you can only get them fixed if you have a maintenance agreement".

Only the software industry can get away with this.

Blighty bloke: PC World lost my Mac Mini – and trolled my blog!

Doctor Syntax Silver badge

Re: Quite simple...

"Appears he'd placed the order against the wrong address"

What TFA says is "After learning his business account was set up to ship to the wrong address" but doesn't say who'd set it up that way. If it was PC World then it's still on them.

Romney tax return 'hacker' Dr Evil gets his sentence reviewed

Doctor Syntax Silver badge

These stories always remind me of an old colleague dealing with a particularly inept lot of supposedly professional bank robbers: "It's hard to get good staff these days.".

Uber red-faced from Waymo legal row judge's repeated slapping

Doctor Syntax Silver badge

"It's nice to hear from a clueful judge for a change, especially in such technical matters."

Don't underestimate judges. Their careers have usually been built on an ability to master complex cases.

Volvo is letting Android 'take over underlying car software' – report

Doctor Syntax Silver badge

"its level of access to anything internal should be properly firewalled off"

Air-gapped would be even better.

WannaCrypt outbreak contained as hunt for masterminds kicks in

Doctor Syntax Silver badge

Re: 5% of 1000 000 is 50 000 desktops.

"So just exactly why is getting a health app to run on a current OS so f**king difficult?"

Try reading this and maybe you'll understand at least one of the issues. https://m.forums.theregister.co.uk/user/84511/

Doctor Syntax Silver badge

"UK Health Secretary Jeremy Hunt and Home Secretary Amber Rudd are attending a meeting of COBRA, the Cabinet's rarely convened crisis response committee."

The blind leading the blind.

Lib Dems pledge to end 'Orwellian' snooping powers in manifesto

Doctor Syntax Silver badge

Re: No one cares...

"It'll keep all the muslim terrorist nutters and peados under control that the Sun and Daily Mail keep telling us are living in every street!"

If a terrorist is one who terrorises what does that make those pillars of the 3rd estate?

Doctor Syntax Silver badge

Re: It's what the people want

"Im in my 30s. I feel the same way.

It feels like the UK has skipped over my age group. People older than me seem to get loads of handouts and people younger than me seem to get easy investment cash. Meanwhile us in the middle are paying for it."

I'm in my 70s & my experience in my 30s was the same as yours now. Things don't change.

Doctor Syntax Silver badge

Re: shame

"The EU dictated it."

No, it was the Brexit vote that dictated it. OTOH you're right about why we're in an economic mess so an upvote from me.

Doctor Syntax Silver badge

Re: given their record

"I distrust all of them equally and believe that there will be no change until the whole system is scrapped, it doesn't work."

Yes, democracy is the worst possible system of government apart from all the others.

Doctor Syntax Silver badge

Re: given their record

"After taking so much election punishment for not stopping all the Tories' changes - the Lib-Dems are now saying there wouldn't be another coalition."

Joining the coalition was the responsible thing to do. The consequence says much about the sense of responsibility of so many of their voters.

Unfortunately the typical Lib-Dem voter has been a protest voter. It didn't sit well with them that their party became a junior party of government. It's easy to make this and that unrealistic demand as a protest not expecting to have to deliver. It came as a nasty shock to discover that when faced with reality things weren't that easy.

Microsoft to spooks: WannaCrypt was inevitable, quit hoarding

Doctor Syntax Silver badge

Re: Ministers need to sort out GCHQ

"Not disclosing an exploit must be an exception; it must require sign-off from the highest levels in GCHQ and a cabinet minister; it must be very time limited (e.g. no more than 12 months)"

And after the expiry or if it all goes pear-shaped the sign-off should be made public.

Doctor Syntax Silver badge

Re: The lull before the next storm rolls in

"And (this may be controversial) how easy would it be to upgrade to a 2017 version?"

A lot of pre-compiled applications got broken at 2.4 > 2.6 although I think that was changes to libc at more or less the same time.

"I have a sneaky feeling that XP -> 10 breaks much less than Redhat 6 to RHEL 7"

I doubt it. Consider, for instance, the XP in hospitals issue: dependence on specific versions of IE because Microsoft decided to throw in a helping of non-standard stuff. Generally Linux/Unix complies with standards rather better so the temptation for developers to use that wouldn't be there. And a lot of the complaints with Windows updates seem to be broken drivers. Although you'll regularly get the anti-Windows trolls saying that Linux doesn't support this bleeding edge H/W (any more than the last version of Windows does) what they omit to say is that if you have a printer a few years old that the latest version of Windows doesn't support you'll probably find that Linux does.

Doctor Syntax Silver badge

Re: The lull before the next storm rolls in

"The last thing I read about Munich and Linux was a statement that it was a disaster and that they had to change course bad to something with main stream support."

That's Munich local government politics.

How do you say "told you so" in German?

Doctor Syntax Silver badge

"So that's 13 years (give or take a few months) in which Microsoft supported XP."

Another way of looking at it is that Microsoft had 13 years to get it right. Did they?

Doctor Syntax Silver badge

Re: Numbers

"Time to ditch windows"

In principle I agree. I don't use it myself. But in the real world, as a previous post made clear, there's a lot of core NHS applications that are not only Windows specific but XP specific. Windows can't be simply ditched. It needs to be phased out and that will take time and money.

Doctor Syntax Silver badge

Re: If you cannot patch it quarantine it

"what you're suggesting needs someone to look at what's on the network, and work out a plan for sorting it out"

And for a large and complex estate that's not trivial. There'll be a lot of special cases to analyse.

Doctor Syntax Silver badge

Re: If you cannot patch it quarantine it

"You are assuming that "they" are in a position to choose what they do. In all the cases you've cited, some PHB, or committee, will have decided what projects are going on - the grunts at the coal face just get told what they are doing."

"They" applies to the PHBs and committees.

I wish more folk round here would remember that IT don't exist in isolation. They have to follow what the business wants. The best one can do is advise; strongly and in writing if necessary.

One difficulty is that the decision makers find it difficult to understand risk. They're choosing between the certainty* of a new, shiny and probably very useful development on the one hand and a list of things which you can't be certain will go wrong on the other. They'll choose the shiny almost all the time.

*And ignoring any project risks.

Doctor Syntax Silver badge

Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

"Erm hold on - weren't Microsoft hoarding patches for "end of life" XP unless you paid to be part of an Enterprise service agreement? Sounds very similar to hoarding vulnerabilities by the NSA/GCHQ. i.e. the fact XP Embedded (cash machines etc) still gets/got patches."

Got it in one.

It's very telling that on Friday Microsoft were suddenly able to release a patch. It's almost as if they suddenly realised they had a degree of responsibility.

Now they're trying to claim the moral high ground.

Ransomware scum have already unleashed kill-switch-free WannaCrypt variant

Doctor Syntax Silver badge

I can't help thinking that announcing the discovery of the kill switch might not have been a good idea.

Doctor Syntax Silver badge

Re: A dish best served cold

"collateral damage amongst their allies, but that's the new normal."

When the Germans open fire the British duck

When the British open fire the Germans duck

When the Americans open fire everybody ducks.

Doctor Syntax Silver badge

If they're within reach of Russian special forces it's not their S/W being killed they should worry about.

Japanese researchers spin up toilet paper gyroscopes for science

Doctor Syntax Silver badge

Obligatory youtube

https://www.youtube.com/watch?v=MkrKkBhsMiA

Doctor Syntax Silver badge

"The paper was put together for a Pervasive Smart Living Spaces workshop"

That's an odd way to spell "invasive".

74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+

Doctor Syntax Silver badge

Re: Risk Management

"The applicable software for controlling stuff like an MRI scanner isn't desktop Windows XP, it's one of the Windows Embedded family, the XP-derived ones of which can be supported (including patches) till 2019"

OK, let's deal with the specific: XP-embedded, support ending in 2019. If, in 2019 you were in a position I outlined in my question what would you do?

And go back to the more general point of which the scanner was an example: something, H/W, information system, whatever, which is still essential, but depends on XP, either the already EoLed version or not yet EoLed version makes no difference in principle. There's no point in calling out those who find themselves responsible for stuff which had a planned life in excess of what turns out to be that of its components. They are faced with real problems - if they choose to invest in a replacement then something new that was planned has to be foregone.

The original post to which I was replying was over-simplistic. So was your response. You do not solve problems by telling them, or those who remind you of them, to go away.

Amazon's Alexa is worst receptionist ever: Crazy exes, stalkers' calls put through automatically

Doctor Syntax Silver badge

"Surely the device should be designed to make using it easy for the user."

It is. You just need to remember who's the user. They've made it easier to remember because the name of the service, Alexa, starts with the same letter...

Biting the hand that feeds IT © 1998–2019