New edition of Windows 10 turns security nightmares into reality

Microsoft's released a new flavour of Windows 10. Windows 10 IoT Core Pro is a version of the OS destined for original equipment manufacturers cooking up connected things. Redmond says the Pro cut's big differentiator is “the ability to defer updates and control distribution of updates through Windows Server Update Services …

  1. Anonymous Coward

    Popcorn time..

    At this rate, I'll be buying shares in the stuff (and I don't even like popcorn!)

    1. Anonymous Coward

      Re: Popcorn time..

      The most obvious Windows 10 opt-out is to opt out of Windows 10 altogether.

  2. Field Commander A9

    First you bitch about not enough control given to people, now you bitch about giving control to people would allow them to shoot themselves in the feet.

    1. Anonymous Coward

      The previous bitching was about not allowing people to choose when to update their own systems, and yes, that meant they could choose to shoot themselves in the foot if they so wished. The difference this time is that this innovation is making it easier for typically slapdash IOT manufacturers to shoot their customers in the foot.

      1. EvilGardenGnome

        The thing is, it behooves El Reg to explain that. A nuanced position like this (forced updates, with exceptions) essentially requires it.

        At the very least, it's a good excuse for an explainer article that can be linked in subsequent posts.

    2. big_D Silver badge

      This is also no different to the Windows 7 and 8 versions of IoT, sorry, I mean Embedded Edition.

  3. WatAWorld

    They're damned if they do and damned if they don't

    People (journalists, reporters, hobbyists and a few IT pros) have been complaining for months that they can't turn off updates for the consumer PC version of Windows 10.

    So MS gives that option to Windows 10 for the internet of things.

    Now people (journalists, reporters and hobbyists) are complaining that the updates can be turned off.

    MS should have modified its original plan, compulsory updates, but allowed the selection of one to fifteen days delay in downloading and applying the updates.

    If Windows 10 for IofT updates can be turned off, then lazy vendors will turn them off. We've already seen this with Android, so there is no doubt this will happen. (Once they've sold the product and have their money, the best thing that can happen to that product is for it to become obsolete.)

    And doubtless people (journalists, reporters and hobbyists) will blame MS for the OEMs choosing to do this, despite OEMs being independent companies making their own decisions.

    And no doubt people (journalists, reporters, and hobbyists) will smear the problems of Windows 10 for IofT to all of Windows 10.

    MS should reconsider its position.

    1. Security updates for Windows IofT should be mandatory after a short delay.

    2. Since Apple's model of cost savings by compulsorily integrating security and functional updates has been widely accepted in the marketplace, updates for PCs and phones should be integrated.

    3. Since Windows for PCs is so much more widely used and thus is a much bigger target for hackers, those updates for PCs should become mandatory after 1 to 15 days.

    1. Mark 85

      Re: They're damned if they do and damned if they don't

      Have an upvote for a well-reasoned and logical post. OEMs are notoriously bad for providing updates in computers. With the lower margins and pricing of IoT, I expect them to give a crap less.... if that's possible.

    2. SundogUK Silver badge

      Re: They're damned if they do and damned if they don't

      Almost no one was complaining about security updates being mandatory. The complaints were about OS functional updates being mandatory. Eliminate that straw man and your title is patent bollocks.

      1. Destroy All Monsters Silver badge

        Re: They're damned if they do and damned if they don't

        > Eliminate that straw man and your title is patent bollocks

        It would be nice to stop conflating "updates that are primarily good for Microsoft's bottom line (with the concomitant cost foisted onto the customer)" and "updates that are good for Microsoft's customers" into a single concept.

    3. anonymous boring coward Silver badge

      Re: They're damned if they do and damned if they don't

      MY PC, MY target, MY problem!

      Stop this collectivist bull!

  4. Anonymous Coward

    Show me your thingy

    Are these IoT ... things still purely hypothetical? Show me a picture of one.

    And not a blurry one that could be mistaken for a UFO or sasquatch.

    1. hplasm

      Re: Show me your thingy

      A Windows-based IoT is easy to spot - it's the one that's as big as a bus.

    2. Anonymous Coward

      <Waves thingy>

      Does one of those Internet connected central heating thermostat wotsits count as a thingy?

    3. Eddy Ito

      Re: Show me your thingy

      Sure, internet refrigerators have been around a few years and washers and dryers with matching apps are pretty common. Come now, this is too easy; did you even look?

    4. Anonymous Coward

      Re: Show me your thingy

      For a short period of time, my first generation Intel Galileo SBC. They dropped it from the list of targeted platforms for the current drop of Windows 10 IoT. No loss, really, as I've already got a few jobs for it and none of them involve Windows. Really now, no video equals what version of Windows?

    5. Christian Berger

      Actually there's plenty

      For example my neighbour has an Internet connectable oven. It's a bit like Internet connected TVs, nobody likes them, but at a certain price point those features seem to become mandatory.

      In a way most ATMs are IoT devices as they are connected to the Internet. Often ticket vending machines are. Even those ad-displaying devices commonly known as "smartphones" are more or less IoT devices.

      BTW, there is an easy heuristic way to spot the Windows IoT device. If you interact with it, and _you_ have to wait for _it_, it's usually a Windows device. That's not because Windows is slower, but because there is a strong correlation between people who have no idea how to design embedded interactive devices, and people who build IoT devices on Windows. (The same will probably eventually be true for Android based devices)

  5. Ken Moorhouse Silver badge

    There is another option

    Get the software right before shipping it, then updates will no longer be necessary.

    It is only because it is so easy to issue updates that manufacturers do it. Imagine having to keep popping in to John Lewis to pick up screws and other bits for a toaster you bought last month because the manufacturer made a cock-up with the design.

    This scenario of manufacturing error does of course occur and is implemented in the form of a costly and potentially reputation-damaging Product Recall. There should be a similar stigma to issuing software with bugs..

    This will obviously impact development time and potentially the final cost of the product. Lowest common denominator want the product now, at the lowest price, and that's where the problem lies.

    1. Robert Helpmann??

      Re: There is another option

      > Get the software right before shipping it, then updates will no longer be necessary.

      Sorry, beyond a simple Hello World app, this is never going to happen. Even code with plenty of eyes on it and much time lavished upon getting it right still has bugs, so this is totally unrealistic. Likewise stigmatizing companies that report bugs in their software is exactly the opposite of useful. There have been too many that have relied on security by obscurity in the past and none have had great success with that approach. To make a similar analogy to the one given, imagine having to drive around with a potentially fatal flaw in your vehicle because the manufacturer chose to hide their error and cover up any incidents that resulted from it.

      Everybody makes mistakes, including developers. It's how they are dealt with that matters. What is being advocated here has been thoroughly and repeatedly debunked in the marketplace. If what was said was failure to follow a reasonable or a best practices approach to security is deserving of ridicule and penalties, I would be right there with the rest of the mob, throwing rotten tomatoes. But what was given there... not so much.

    2. Destroy All Monsters Silver badge

      Re: There is another option

      Well, software has a rather larger state space than a toaster, so good luck with that.

      And as long as people insist on "C"/"C++" and likewise impossible-to-get-it-right languages with the underlying stack-over-the-hardware flaky in any case and mathematical-proofs-of-conformance-to-specs both still rather rare (except in aerospace and then bugs occur) and often impossible-to-very-hard-to-do (dynamic languages? out goes the proof) and the specs inevitably error-prone, I will stay with the updates, thanks.

      Inb4: "I program better in C/C++ than you will ever do in Mercury/Haskell/F# my mouth breathing proves it" ...

      1. Doctor Syntax Silver badge

        Re: There is another option

        "Well, software has a rather larger state space than a toaster, so good luck with that."

        One option would be to stop cramming junk in. Make the state space smaller, spend more time testing.

      2. Cynic_999

        Re: There is another option

        Spend the time to adequately test the software under all conditions, and the product will be so out of date by the time it is ready for market that you won't sell it. Blame the customers for refusing to buy a device (no matter how bug-free) unless it has all the latest gimmicks.

        1. Ken Moorhouse Silver badge

          Re: all the latest gimmicks

          Easy come, easy go.

          If new products had compelling features on there that were well thought out and reliable, there would be a better chance that that product would have a longer life. As it is, we're seeing potentially good ideas coming out in half-baked form and they just get discarded after the novelty wears off. Quite often there's no upgrade path and things have to be re-entered from scratch.

          Yesterday I was helping someone set up email on his newly purchased Surface. The Windows Mail "app" is atrocious - I installed Thunderbird instead and "it just worked". By the time MS fine-tune their Mail app to make it work reliably people will have developed a Pavlovian response to avoid it - how useful is that kind of "reputation" to the authors of MS Mail at any stage of its development?

          To my mind there are many products out there which have a reputation for reliability which parallel the functionality of much more "visible" yet paradoxically ephemeral products. They chug along, year after year, with functionality bolted on in the same way that you might add decorative features to a piece of architecture (if you've gone past the temple in Alperton semi-regularly over the last 14 years during the time of its construction you will know what I'm talking about). Because the core design is solid, there's no need to back-track before moving forward again. I'm thinking of products such as Time & Chaos/Intellect, Thumbs Plus, Pegasus email which are underrated because they presumably have less need to seek the limelight.

          I've said it before, but the current pace of technology is moving too fast for people to understand/appreciate/use it truly productively.

      3. agatum

        Re: There is another option

        > And as long as people insist on "C"/"C++" and likewise impossible-to-get-it-right languages

        Been doing c++ for two decades and always got it right, after a few iterations. So it may be impossible for you, not for me and countless others. Maybe attend some night courses?

        1. Anonymous Coward

          Re: There is another option

          I was already doing assembly on the System/370 back when the PDP-11/780 with C was installed in our satellite computing centers on campus (1978). I didn't pick up C until I met the Amiga (1985), been programming it since but well turned binary still features if it's justified. The same with any language or toolkit. Constraints are a feature in engineering and rigor is what you apply to obtain those constraints. Those determine the engineering, in conjunction with the usual space, time, and budget. And if those last three can get people killed, I ain't doing it. I walk.

          Usually I'm the one tossing this red meat out there. Twenty-five year old production code still in use every day, and no bugs and you'd have heard about it on the national news if it had.

    3. Christian Berger

      The problem is complexity

      If you choose to use Windows as an underlying operating system, there's _lots_ of complexity you cannot turn off. For example you have a full network stack you may or may not need. You have a complex boot system, you have a registry or logging system, you have a shell, you have USB support, etc. All of those features may be useful for your project or they may not. In any case it's pseudo dead code which is of little use, but may turn out to be a security problem.

      If you want to have secure systems, you must have simple systems. That's more a question of your mind set rather than a question of your language... however there seems to be a correlation between people using C++-style OOP languages (C++, C#, Java, etc) and people who don't know how to simplify problems. Therefore it appears that most C++/C#/Java programs become horribly complex and unmaintainable.

  6. Zog_but_not_the_first

    The added convenience of IoT stuff...

    ... is starting to look like an added inconvenience.

    1. 080

      Re: The added convenience of IoT stuff...

      Perhaps with all the crap being developed it should be Incontinence of Things

      1. Captain DaFt

        Re: The added convenience of IoT stuff...

        When you consider the IOT consists of taking things that have functioned well for decades, and then adding magic Internet pixie dust that leaves them available to any sod on the web that wants to access them, surely The IOT stands for "The Insecuring Of Things"?

    2. anonymous boring coward Silver badge

      Re: The added convenience of IoT stuff...

      Oh, that was sooo unpredictable...

  7. Anonymous Coward

    "There is nothing wrong with your television set, fridge toaster, washing machine, blender etc. Do not attempt to adjust the picture interfere. We are controlling transmission. If we wish to make it louder, we will bring up the volume. If we wish to make it softer, we will tune it to a whisper. We will control the horizontal. We will control the vertical. We can roll the image, make it flutter. We can change the focus to a soft blur or sharpen it to crystal clarity. For the next hour ever, sit quietly and we will control all that you see and hear. We repeat: there is nothing wrong with your television set electronics. You are about to participate in a great adventure nightmare. You are about to experience the awe and mystery terror which reaches from the inner mind to – The Outer Limits.

  8. Prst. V.Jeltz Silver badge

    imagine if my dvr, my tv, my washing machine, my car, my hoover, my dvd player were all updating - I'd have to get my own wsus server!

  9. Hellcat

    So the professional/enterprise version of Windows for IOT gets similar patching functionality as the professional/enterprise version of Windows for desktops?

    This is an OUTRAGE!

  10. Locomotion69
    Thumb Up

    Actually this makes sense. Now you can test before you deploy. Consider the unlikely event of an update being so crap that it makes your thingy unable to boot. I mean, this has never happened before and, oh wait....

    1. Anonymous Coward

      RE: New edition of Windows 10 turns security nightmares into reality

      The only place to test is in prod. Devs do it all the time.

  11. jelabarre59

    IoT = Internet of Trash?

    Now just *why* would you want to buy an embedded device built on/running any version of MSWin in the first place? Isn't that just asking for trouble in the first place?

    1. Christian Berger

      Re: IoT = Internet of Trash?

      Well usually that's because it makes sense in some way (think of ticket vending machines, reporting back how many tickets they have sold, or how much paper they still have and when the money needs to be emptied out), but you have no fucking clue how to design such a machine, so you slapped some VB GUI onto it running with Access as a database. You perhaps even have some self-drawn user interface eliminating all the remaining advantages of Windows. Instead of getting a competent programmer to re-implement the whole thing in a couple of days, management decides to throw good money after bad and just put the existing system onto the Internet.

  12. a_yank_lurker

    What's the point IoT

    At risk of being called a Luddite, what is the real value of IoT for most people? For most (other than the 3 people in the world who need IoT) it seems to be a vanity issue not a necessity. I can only think of a handful of devices that need any access to the Internet for reasonable functionality: computers, smartphones, tablets, and e-readers are about it. Toasters, washers, microwaves, etc. work very well without any access now and will in the future.

    1. Boris the Cockroach Silver badge

      Re: What's the point IoT

      It's a gimmick to sell stuff.

      "Look at our super whizzy thingy, it's got all the functions of last year's super whizzy thingy, but with internet access"

      And there's people dumb enough to buy it.

      You only have to look at the ads appearing for "control your heating from your phone" type apps.

      For 99% of us, a simple clock timer is perfectly good, on for an hour in the morning, on for an hour when the kids get home from school, on for 2 hours in the evening while everyone gets hypnotised by the square box, then on for 3 hrs at a time over the weekend.

      But you can control your heating via your phone...... let's hope security is up together otherwise someone else will be controlling your system.

      And you'll be home to a cold shower because some luser has turned off your boiler......

  13. Ken Moorhouse Silver badge

    The IoT Freezer

    I can see it now - people ringing up the helpline complaining "My system's not frozen".

  14. Ken Moorhouse Silver badge

    The IoT Cooker

    "Does it burn DVD's?"
