back to article Why Microsoft's Windows game plan makes us WannaCry

In the circular firing squad of WannaCrypt, the world's largest recorded ransomware outbreak, nobody looks good. Not end-users for clinging to dated and unprotected Windows PCs despite warnings, not the government whose National Health Service saw 61 organisations compromised, and certainly not Microsoft – the actual author of …

  1. Adrian 4

    Much wringing of hands about how the NHS can't afford costs or staff to pursue proper IT management.

    How much could be done for $200 per PC ?

    1. sad_loser
      FAIL

      It is the apps tied to ActiveX that cause the problems

      [I work in NHS IT]

      Some of those places worst affected are just poorly managed but the reason why somewhere like Royal London (a new £1bn hospital) kept all these PCs with XP was that certain critical software could not be (cheaply) updated because it needed XP because the browser interface was written with a load of ActiveX that only worked in Internet Explorer 6 which is part of XP.

      The root cause of these issues is therefore Microsoft's use of non-standard extentions as part of the embrace / extend / extinguish browswer wars.

      1. Gnosis_Carmot

        Re: It is the apps tied to ActiveX that cause the problems

        Not just browser based apps.

        A metric ton of vendors deliberately wrote, and continue to write, code using undocumented APIs and such. When MS or someone else (cough Java cough) comes along and patches/updates removing those undocumented APIs the code vendors refuse to update it because it would mean either degrading or removing functionality the customers have come to expect.

        1. Cris E

          Re: It is the apps tied to ActiveX that cause the problems

          It's not just Windows and IE. We have old yet vital crap tied to a particular Java version that's keeping some very obsolete hardware and software online. MS is just the largest and least motivated OS provider.

      2. PickledAardvark

        Re: It is the apps tied to ActiveX that cause the problems

        sad_loser explains how *some* NHS IT departments were trapped into running XP. Unfortunately, that is not sufficient. We need to know *why* NHS IT departments persisted with XP and failed to dig themselves out of the hole. We also need to know why NHS IT departments failed to patch supported Windows versions.

        The bulk purchase agreement conducted by the UK government for XP support was intended to give NHS IT departments a break, to extend the window for deploying Windows 7. It wasn't intended as an indefinite "get out of gaol free" card. Microsoft made it clear that the programme's purpose was to help organisations move away from XP rather than sticking with it. Microsoft's programme was designed to run for three years (UK gov paid for one year) and I believe that period is over.

        I feel sorry for anyone running a milling machine or centrifuge which is controlled by XP, otherwise in perfect condition. I reckon every NHS organisation or large company owns a few devices that are too good to scrap which depend on outdated computer systems. I'm not keen on a mass scrapage of XP-controlled devices just because IT departments don't know how to manage them.

        1. Anonymous Coward
          Anonymous Coward

          Re: It is the apps tied to ActiveX that cause the problems

          I feel sorry for anyone running a milling machine or centrifuge which is controlled by XP, otherwise in perfect condition.

          So do I but from experience there are very few of those machines in industry that are connected to the outside world and the few that are are very carefully managed.

          As I see it the main problem with the NHS and such places is that they were/are running the full fat versions of XP rather than using a cut down version that just does what is needed. There is also the problem that it is very difficult to slim down windows no matter what version. Because of that the two engineering works we support use tailored OS/2 and custom written software for the machine tools control and since those machines have at least another 25 years life there won't be any changes there for 20 years or more.

          1. trapper

            Re: It is the apps tied to ActiveX that cause the problems

            Four or five years ago I was supporting CNC milling machines that ran from custom DOS commands loaded by 3 1/2 inch floppies or a serial cable. Good machines, but antiquated controls. The machine mfr. wanted the contents of the Royal Mint to upgrade the control hardware. I solved it with a dedicated and isolated Win7 box running Win 98SE on MS Virtual PC. It was a bit of a PITA but it worked on the cheap, same as the owners. Cheap, secure functionality means thought, glue, string, duct tape and monitoring to ensure the duct tape remains stuck down. No duct tape means spending large amounts of money. Refusing both means WannaCrypt.

        2. Anonymous Coward
          Anonymous Coward

          Re: It is the apps tied to ActiveX that cause the problems

          I feel sorry for anyone running a milling machine or centrifuge which is controlled by XP, otherwise in perfect condition. I reckon every NHS organisation or large company owns a few devices that are too good to scrap which depend on outdated computer systems. I'm not keen on a mass scrapage of XP-controlled devices just because IT departments don't know how to manage them.

          Therein lies an interesting issue: why do those machines even have access to anything on the Internet? They're not desktops, they're basically machine interfaces and analytics. Patches no longer happen, and they have a limited function, a bit like an XP based POS. Why not isolate those machines on a firewalled subnet or vlan, make sure they don't talk SMB1 and use them as before?

          1. SImon Hobson Silver badge

            Re: It is the apps tied to ActiveX that cause the problems

            ... why do those machines even have access to anything on the Internet? ... Why not isolate those machines on a firewalled subnet or vlan, make sure they don't talk SMB1 and use them as before?

            In many cases, the computers DO need some form of interaction with the rest of the business. Take the case of a precision CNC mill someone mentioned - it'll need to be on the office network so that the design engineers can upload the milling programs to it (what if one of those file transfers accidentally transfers something nasty from an infected desktop ?) In the case of (say) an MRI scanner machine, it will need to be on the network so that images can be exported from it.

            The simple fact is that yes, these devices CAN be protected, more or less, one way or another - and the rest of the network protected from them. But it's not a trivial exercise to do.

            Lets assume that for security reasons, the MRI scanner computer is party to the same security policies the rest fo the business has - that's going to mean authorised users (active directory) and the access controls that go with it. Have you tried doing the firewalling to allow AD to work across a "locked down more watertight than a duck's backside" firewall ? It's "interesting" the amount of network traffic needed for AD to work correctly.

            That's not to say this can't be done, but each device will have different requirements, and it takes time to work through how to deal with each of them. So there you are, as others have pointed out, with an IT team, limited budget - and tasked with keeping everything running as well as doing new stuff. You're barely coping with the everyday - where is this time going to come from ?

            So ultimately, it comes down to manglement (at whatever level) not providing the resources needed. And again, as someone else has already pointed out, when we are constantly told that the NHS has to save lots of money - who's going to stick their neck out and "waste" budget fixing something that "isn't broken yet" ? It's not an NHS thing - it's the same across all businesses.

          2. PaulFrederick

            Re: It is the apps tied to ActiveX that cause the problems

            My CNC controller is networked so I can move files over to it, and update it. I run LinuxCNC. I might just want to play a Quake deathmatch while it is cutting a job too. Because I can.

        3. RobHib
          Flame

          Re: It is the apps tied to ActiveX that cause the problems

          "I feel sorry for anyone running a milling machine or centrifuge which is controlled by XP, otherwise in perfect condition."

          1. A short while ago I visited a factory and saw a precision 5-axis milling machine worth about $400,000, it was still running Windows 2000. With that in mind I asked the factory manager how long it would be until they upgraded the Windows software to the latest version. His answer was "2025, the machine was purchased in 2000 and has an expected life of 25 years and the manufacturer provides no Windows upgrades—we expect W2K to be still on the machine at the end of its service life"

          Like it or not, the fact is that XP and even earlier Windows will be around for a long while yet, we have to live with that fact!

          2. The best article I've read to date on WannaCry is the New York Times one on the 13th by Zeynep Tufekci, associate professor at the School of Information and Library Science at the University of North Carolina:

          https://www.nytimes.com/2017/05/13/opinion/the-world-is-getting-hacked-why-dont-we-do-more-to-stop-it.html

          She hits the nail on the head as to why many do not upgrade/patch their systems, here's a short list of her reasons (read her article for the rest):

          * Unlike other manufacturers, software vendors are NOT responsible for manufacturing defects in their software products—like others, the law needs to make them so.

          * To get security updates, users have to upgrade to later OSes that often include features that are often unwanted (GUI changes etc.) and they are often very reluctant to do that, quote:

          "Further, upgrades almost always bring unwanted features. When I was finally forced to upgrade my Outlook mail program, it took me months to get used to the new color scheme and spacing somebody in Seattle had decided was the new look. There was no option to keep things as is. Users hate this, and often are rightfully reluctant to upgrade. But they are often unaware that these unwanted features come bundled with a security update."

          * In the case of Windows 10, users have had to sacrifice their privacy for a more secure system. This is not a palatable or acceptable option for many.

          It's time we all stopped whingeing about XP and started complaining about the many other real causes of the 'patches problem'.

          '

          1. DanceMan

            Re: The best article I've read to date on WannaCry

            Thanks, RobHib

            I join you in recommending others read it.

          2. Anonymous Coward
            Anonymous Coward

            Re: It is the apps tied to ActiveX that cause the problems

            That article tells Microsoft to do the work for free because they had money... It sounds like a disconnection between academic and commercial environment.

            There are people complaining about XP in general, but the real cause is more about incompetence. Seriously, why are XP or older pc on the internet?

            Windows XP should not be on open internet. Your example of windows 2000 for 25 years should be fine as long as that factory kept it the way it was 17 years ago, no internet. This is talking about the XP days, network licenses haven't existed yet. If this is about ActiveX or some weird 100% on IE with network plugin case, then the IT should have an enclosed network using the router to block everything else or something.

            It was because of incompetence in their organization for open internet that caused them the harm. They had a number of options including upgrade, pay support, firewall and plainly unplug the ethernet cable which all could have solved their problem. Too bad, they didn't.

            Much of this event is a very good lesson for those organizations. Fix it now or prepare to take out their wallet to pay for it again and again.

            1. RobHib
              Flame

              Re: It is the apps tied to ActiveX that cause the problems [and more important matters].

              "That article tells Microsoft to do the work for free because they had money... It sounds like a disconnection between academic and commercial environment."

              1. That's not the way I read it. Rather, my take on it is that Microsoft has made such vast sums of money simply because it opted out of its social responsibility to develop good code in the first instance (on evidence, a very deliberate decision on its part)—and that it took this course of action because it was NOT compelled by any law to ensure that its software products worked properly and securely before they were released. Certainly early on, the only things that mattered to Microsoft were its rush to market and maximizing its market share, security was hardly even on its horizon.

              2. You have not addressed the other very real issues [useability difficulties, etc.] as to why users do not upgrade. (Presumably, as an Anonymous Coward, you are a software writer or developer and these points have hit a raw nerve.) These issues are very real concerns for many users and they need to be addressed by not only Microsoft but also the software industry as a whole.

              3. As far as end users are concerned, the software industry suffers from very serious problems—major systemic issues that not only hinder software development per se but also ensure that software is much less secure than it ought to be. Specifically:

              (a) The industry obfuscates its dirty linen behind the fact that source code is compiled (i.e.: remains hidden from users and security personnel alike). Thus, as source code cannot be analysed by third parties, design errors, bugs and security faults escape independent scrutiny to the perennial disadvantage of end users.

              (b) The laws of most—probably all—countries militate against fixing these problems in any truly effective way and have done so for many decades. The lack of software 'fitness for purpose' laws essentially force end users to use software 'as-is' without any guarantee that faulty, buggy and insecure software will ever be fixed by vendors—this is especially relevant where software has been licensed for monetary profit (as in most other parts of the free market warranty laws, etc., actually apply).

              Moreover, this already inexcusable situation is aided and abetted by mad, lopsided and very unfair copyright law—the DMCA for instance—where it even stops users and or independent investigators from investigating bugs and security faults (at risk of their liberty and freedom).

              Furthermore, recently we've seen the truly detrimental effects that have resulted from the absence of appropriate software law that would require commercial software source code to be opened up to scrutiny by third parties in order to protect users against shonky and dishonest software developers; for example, the outrageous Volkswagen emissions scandal. In a democracy (or for that matter any civilised society), the fact that such laws do not already exist is nothing short of being outrageous. How many people have to die because of faulty software produced by shonky developers before legislators will act?

              (c) The lack of adequate and satisfactory law to regulate and govern both the quality and security of software has seriously hindered the technological development of software industry over many years; in fact, its lack thereof has effectively stopped it from becoming a proper engineering discipline/profession (as, for instance, chemical engineering is). For—as past decades have shown—without any such law or regulation, the industry—whose self-discipline has been demonstrated on myriads of occasions to be as rare as hens' teeth—has little or no incentive to improve itself; the only effective incentive being the default one—that of monetary profit (hence the huge and obscene profits made by companies such as Microsoft, Google etc.).

              When there are precious few if any constraints on an industry's actions (as in a world full of insects without any spiders), bad behaviour runs amok exponentially.

              With respect to the last bullet point, (c), before calling me a nark or going into flaming mode, I'd suggest that I'm far from being alone in this assessment. I refer you to the following article: Software's Chronic Crisis, W. Wayt Gibbs, Scientific American, September 1994, p 86., which is aptly prefaced by the comment: "Despite 50 years of progress, the software industry remains years-perhaps decades-short of the mature engineering discipline needed to meet the demands of an information-age society."

              Here is the PDF version and this is a HTML one.

              One must consider this SciAm article was written close to 23 years ago—that's nearly a quarter century ago, which is utterly eons in computer time. Also, now consider the many security issues that currently surround the WannaCry/WannaCrypt virus (and the various implications that arise there from), thus—as far as the end user is concerned—one is left with very little choice other than to question whether any practical (i.e.: effective) progress has been made in computer science since the time that article was written.

              With the plethora of evidence that's available and able to indict the industry on this account, there's precious little doubt that any reasonable person, even after applying the tiniest modicum of logic, could conclude other than that W. Wayt Gibbs was spot on target all those many years ago.

              It's a tragedy the software industry has made so few really relevant improvements over these intervening years.

        4. bobblestiltskin

          Re: It is the apps tied to ActiveX that cause the problems

          I'm not keen on a mass scrapage of XP-controlled devices just because IT departments don't know how to manage them.

          I wonder if it would be possible to :

          1. Attach an external drive and image the hard drive to the external.

          2. Install linux and VirtualBox on the hard drive.

          3. Create a VM and copy the data from the external drive to the VM

          4. Set the machine to run VirtualBox fullscreen at boot.

          Result would be a machine that looks the same to the user, but which has a linux interface to the external world - much more easily secured than unsupported Windows, and the users will not need re-training?

          1. Jakester

            Re: It is the apps tied to ActiveX that cause the problems

            It depends -- there may be hardware in the physical computer that won't talk with the virtual machine. Assuming that the hardware talks properly with the virtual machine and software, then possibly it may work.

            However, the unsupported version of Windows will still be unsupported and just as susceptible to infection. A big advantage of Virtualbox, and other virtual machine engines, is it is very easy to return to a previous snapshot of the operating system before an infection hits.

            On my main computer at home, I have Ubuntu running a Windows 10 virtual machine. My wife prefers Windows and I have a couple applications where I have to run Windows. If my wife or I suspect the Windows machine may have gotten hit by a virus or other malware attack, whether an infection occurs or not, I just restore to my last snapshop. I generally do a new snapshot about once a month as well as before and after new software installation, major upgrades, or major configuration changes. Periodically, I will delete snapshots that I am sure are no longer needed.

        5. Radio Wales
          WTF?

          Empty minds.

          I would have thought that the problem lay in machine interconnectivity rather than age.

          In a machining environment, or any other that is isolated from other computers, a system that uses XP or NT - or even 98, to run specialist software on specific machines that are dedicated to that task and working successfully, there is no logical reason to upgrade everything merely to continue what they were doing anyway.

          Stand-alone machines can run whatever software they want without risk.

          It makes me wonder whether malware isn't just the best way software companies have come up with so far to 'encourage' users to spend a lot of money merely to stand still.

          As far as the NHS is concerned, I have been treated perfectly adequately by machine-led medical intervention that was still using NT. In that I can understand their reluctance to upgrade, particularly when all that money is spent in re-equipping machines, software and re-training simply to continue doing what it is already successfully doing when that money could better be spent of extending its scope and capacity.

          Maybe the government should be employing expertise to write its own OS that works in its own field and eliminating its reliance on commercial software, which by definition is profit-driven.

          Being absolutely honest, outside of the computer industry, nobody really gives a damn about all the technological advances, bells and whistles new stuff does so long as it does what it was procured for, and that is most likely for a quite narrow range of tasks - that demonstrably XP is quite capable of performing.

          If Linux development can be done for free distribution, is it such a leap to use specific software for their single purpose applications a lot cheaper than relying on perpetual upgrades to nowhere?

          Who'd be writing malware for that?

      3. John Smith 19 Gold badge
        Unhappy

        "The root cause of these issues is therefore Microsoft's use of non-standard extentions"

        No. It's the developers of the software who fell for MS bull**it and did so with wild abandon.

        In 2000.

        But it's 2017 and for reasons still unexplained those developers have not got their s**t together and made their LOB apps browser neutral, which would go a very long way to making the next move (and there will be a next move with MS rule, of turning over the user base every 18-36 months).

        17 years.

        BTW People have bleated on about this being a problem with various diagnostic machines. But these are a special case. IIRC Embedded Windows XP is under support till 2019. So why didn't the suppliers use that instead?

        1. Not previously required
          Holmes

          The root cause of these issues is therefore purchasers buying poor software

          I run a diagnostic lab in the NHS. Win 7 and up since you ask.

          My employer has had some software in the past that required particular versions of IE or Java - these have been applications by big corporations that span multiple trusts. Applications like purchasing etc.

          Which government department thinks this was a good idea? The advantages of standards based software over schneaky API use have been apparent for decades

          1. Anonymous Coward
            Anonymous Coward

            Re: The root cause of these issues is therefore purchasers buying poor software

            "applications by big corporations that span multiple trusts. Applications like purchasing etc."

            Obviously not SAP or Oracle *, but maybe there are still others.

            "Which government department thinks this was a good idea? "

            The one that gets the kickbacks. It the same logic that leads corporates to use Amex for UK travel management when self-booked Travelodge (etc) would cost the *company* less overall, but Purchasing would lose the Amex benefits, so Amex it is.

            "The advantages of standards based software over schneaky API use have been apparent for decades"

            Ain't that the truth. But you have to follow the money.

      4. Anonymous Coward
        Anonymous Coward

        Re: It is the apps tied to ActiveX that cause the problems

        There are numerous solutions out there such as Browsium, application layering or application virtualisation that will allow you to run older browser versions on newer versions of Windows.

    2. oldcoder

      Complete replacement by chromebooks... :-)

      Replace the operating system with Linux :-)

      1. Mark 110

        So are Linux versions from 2001 still being supported by their vendors? I can't think of any product I have done a support review on where when I went looking for the vendors EoL staements there was anything more than 10 years old still in any kind of support.

        This isn't just a Microsoft problem. Its just the biggest problem because Microsoft have the largest installed base.

        1. billium
          WTF?

          I've had my Linux from 1999 and have still not had to pay for an upgrade.

          Nobody fears upgrading or changing their Linux in fear of data slurping.

          £5M of our tax payers money or $200 per PC only a monopolist with vendor lock in can do this.

          It is a Microsoft problem.

          Sometimes Windows will not update: KB4019472 failed to install error code 0x80832250

          1. cambsukguy

            Just because it was Linux doesn't mean you have the same version.

            Windows 10 is just another version of Windows but is not XP (which was version 6?).

            A Linux installed in 1999 does not have security patches available, it has what Windows has, OS upgrades and replacements, which include and have security updates.

            The reason that all (or most) Linux users have upgraded of course, is that it is free.

            Ironically, Linux is less likely to be attacked anyway, by several orders of magnitude I imagine.

            1. PaulFrederick

              But it is not free to upgrade Linux. It takes me a long time to install and configure everything on my system. Which is why I'm still running Debian Wheezy. OK not wanting to run Systemd has something to do with it too.

          2. Dinsdale247

            Sure thing. I dare you to stick that computer in front of a "normal" user and ask them to do their job. I don't care if you put Mate on it (which wouldn't run anyways), you are still going to have a computer that nobody but you can use.

            Software requires support. That either comes from the vendor or comes from IT.

            Windows = an OS that people can use and is easily supportable for non-technical people.

            GNU/Linux = IT hand holding and unproductive users. Just try explaining mount to someone that isn't a developer.

            There is no free lunch. Free operating systems just mean the IT department has to maintain the system. Want Linux support, you have to pay for that. Ubuntu and Redhat don't offer anywhere NEAR 15 year support.

            1. Richard Plinston

              > Just try explaining mount to someone that isn't a developer.

              You are obviously decades away from recent reality*. I plug in a DVD, USB or MicroSD and a dialog box pops up asking me what I want to do, or it simply gives me a file manager with the directories. It, however, does _not_ automatically execute any code on that device.

              Other distros options or configurations may just add other partitions or devices as icons on the desktop ready to double click to mount them, or provide a GUI program to list these and/or available shares.

              * the last 10 years or so.

            2. Anonymous Coward
              Anonymous Coward

              You have no idea !

            3. Not previously required

              The NHS does not really use Windows

              @Dinsdale247. Much of the NHS is run using applications that look like text terminals. Whether they are browser based or some other kludge. If they don't need special Java or browser versions they could just as easily run on Linux. Many of these machines only do one job (reception in outpatients for instance).

              For other systems, the changes in UI in different versions of Windows / Outlook / Office - and we have a horrible mixture - are no worse than changing to LibreOffice and your favourite flavour of Linux.

              There are some very bright, highly motivated people in the NHS. I'm sure they could cope with a sensible staged transfer to Linux. It would be a huge project so of course there would be a cost and some cockups on the way. I think the end result would be better.

              We could start with the government observing its own standards. We are meant to be using documents in OpenDocument or PDF formats only!

            4. Kiwi
              Linux

              Sure thing. I dare you to stick that computer in front of a "normal" user and ask them to do their job. I don't care if you put Mate on it (which wouldn't run anyways), you are still going to have a computer that nobody but you can use.

              My Uncle brought me a spare laptop so I could install Linux for him to have a trial of it, to see if he liked it. Took only a few minutes before he asked for an upgrade for his desktop as well.

              And he's one of those who would tell you his OS was "Firefox" and his computer was "that thing with the screen" and so on. The only "tech support" I've done since then was getting his printer working - which was actually a mechanical fault with the printer (print head wasn't moving). Now he has a secure OS that doesn't record his "typing history" (ie every single keystroke, doesn't have the multitude of security flaws. Oh, and is really easy and intuitive for someone to use as well. Unproductive? He's getting far more work done in far less time, doesn't have massively long downtimes with the "installing updates, please wait and wait and wait and wait and wait" that Windows does (updates are done in less than 5 minutes). He has owncloud to keep things sycned between the two machines, and I can see from the logs that his last Windows use was over a week ago, but daily Linux use and he even takes his laptop on the road with him now - meaning his available time for productivity has significantly increased.

              Stop spreading the fud. MS doesn't pay enough for your soul.

              1. This post has been deleted by its author

          3. Anonymous Coward
            Anonymous Coward

            Update fail

            You are correct. If you are unfortunate enough to have to clean install Windows 7 or 8.1, you will see how flaky the update process is. I wonder how many Windows 7 PCs will thus get reinfected by WannaCry.

            1. Anonymous Coward
              Anonymous Coward

              Re: Update fail

              " If you are unfortunate enough to have to clean install Windows 7 "

              I've done that quite a few times over the last few years (as informal support for neighbours etc).

              It had got to be an utter nightmare.

              And yet, the last couple of months when I've done it a few more times, it's been fine. Same hardware, same install media, but suddenly no need to wait overnight to see if Windows Update will bless me with the ability to keep patching my neighbours systems.

              What's changed? The date, and the ISP (was BT, now isn't BT).

              Odd.

              1. Jakester

                Re: Update fail

                I too have experienced the security patch updates to take days or fail completely. I don't remember the originator of the solution, but I have found that if Windows 7 has SP1 installed as well as KB3020369 and KB3172605 applied, the updates after that go smoothly. The trick is to first turn-off automatic updates, reboot the computer, download and install the two KB updates directly from Microsoft. I usually reboot after applying the KB's. After the reboot, the automatic updates can be turned back on, if desired. After applying the two KB updates (they will let you know if they were already installed), you should find that future updates will take minutes instead of days or weeks.

        2. Anonymous Coward
          Anonymous Coward

          Bovine Excrement!

          First off 2001 was 16 years ago, not 10 years ago, and yes this is just a Microsoft problem. Unix/Linux (any year any version) is not susceptible to attack in the way that Windows (any version) is. Even Mandrake circa 2001/2002 is not susceptible to this.

          1. Ragarath

            Re: Bovine Excrement! @ AC

            First off 2001 was 16 years ago, not 10 years ago, and yes this is just a Microsoft problem. Unix/Linux (any year any version) is not susceptible to attack in the way that Windows (any version) is. Even Mandrake circa 2001/2002 is not susceptible to this.

            Of course they are not susceptible to this, it was not written to attack them. They are though most likely susceptible to other things. Or are all the updates and patches for Linux just because the programs love to add bulk?

            1. Richard Plinston

              Re: Bovine Excrement! @ AC

              > Or are all the updates and patches for Linux just because the programs love to add bulk?

              Many, or most, updates are adding new features to the programs. 'Updates' for a Linux distro are not just for the operating system but also for several thousand system and application programs, not just bug fixes but new versions.

          2. Dinsdale247

            Re: Bovine Excrement!

            Heartbleed anyone?

            1. Kiwi
              Linux

              Re: Bovine Excrement!

              Heartbleed anyone?

              When HB was discovered, a patch was released within a few days. For free.

              However, this issue with SMB1 was discovered some time back. A few months back MS released a patch for paying XP customers. From what I've read the patches for non-paying customers (including 7, 8x &10) was only released after WC hit.

              So your point is what? That Linux does it far better?

        3. bombastic bob Silver badge
          Linux

          "So are Linux versions from 2001 still being supported by their vendors?"

          not directly, but since it's open source, you could fork it and do it yourself.

          Additionally, the upgrade is MUCH LESS PAINFUL for Linux than for windows. In short, to upgrade a typical Linux, a tar backup of the home dirs, and a list of installed packages is MOST of the work. That assumes you'll have to do a complete re-install. Most of the distros I've seen have a way of upgrading to a new release that's moderately painless.

          What Windows "upgrade" gives you is a bit like 'sticker shock' except it's "stick-it-to-you" shock, from removed customization to 2D FLATSO FLUGLY to SPYWARE and ADWARE and blatant ADVERTISING built into the OS.

          Wanting to stay on XP to avoid all of the "up"grades is actually a good idea. I wish _I_ could have done that...

          (I wish I could fork XP and release it to the world with a kickstarter campaign - instead, I'll have to do what I can promote Linux, as the only REAL alternative to Windows for the average desktop user, and that INCLUDES dealing with the FUD)

          1. Dinsdale247

            Until you have an app that's not compatible with systemd. Or requires a kernel feature that doesn't work as advertised anymore. Or has a driver that requires a specific kernel version. Or, or, or...

            Oh, your app was compiled against GCC 3.x? Oh, I'm sorry, it won't run unless you rebuild your software from source on the new compiler or support two runtimes.

            Oh, the application doesn't support the latest OpenSSL? No problem, I'll just tweak this and add that and oh, wait, I've now spent three developer months maintaining this application that will still only run on THIS instance of GNU/Linux so we need to build a custom image and...

            BUT before you even got here you need developers that know what GCC and OpenSSL are and how to maintain the kernel with the correct patches. No problem, I'll just find some senior C++/Linux fellows around... There's lots of those and they should be pretty cheap to come by...

            NO FREE LUNCHES

          2. jelabarre59

            (I wish I could fork XP and release it to the world with a kickstarter campaign

            Anyone who wants to do taht could just run ReactOS instead. At the rate they're developing it, it will reach full-WinXP compatibility in another 10 or so years.

        4. Colin Tree

          20 years of free upgrades

          Some files in my /home partition are 20 years old.

          My /home partition stays, and I upgrade Linux around it.

          Upgrades for free,

          different distros,

          different applications,

          new computers,

          new hard drives,

          keep and expand the /home partition.

        5. Anonymous Coward
          Anonymous Coward

          So are Linux versions from 2001 still being supported by their vendors? I can't think of any product I have done a support review on where when I went looking for the vendors EoL staements there was anything more than 10 years old still in any kind of support.

          You're like Republicans pointing at transgressions of the previous government to talk good what is happening today in the hope that anyone falls for it :).

          You're comparing apples and pears here (to avoid confusion, that's not a reference to macos).

          Updating linux generally does not require a massive update of hardware because the supplier could not code efficiently to save their life, it does not usually require a full review prior to update to cover any new privacy problems (with the exception of one version of Ubuntu) and it generally does not come with a massive exercise in license management and associated costs.

          Apropos cost, Linux will also not blow a large hole in your budget simply to buy it, and because there's no money involved there is also no need to change the UI and file formats every time to provide some argument for an upgrade. In other words, you also save a fortune on user training.

          Long story short: Linux can be kept current because there are no real barriers to upgrade when possible, but if you DO stick with an old version for embedded use it's far easier to lock down than Windows if you put in the effort. That said, idiots are everywhere and it is possible to make even Linux unsafe as many IoT devices are presently proving.

        6. PaulFrederick

          Today's Linux can still run software from 2001.

        7. Kiwi
          Linux

          So are Linux versions from 2001 still being supported by their vendors?

          Does Linux have undocumented APIs as a practice? (not counting the inability of some coders to write decent documentation). Or does Linux have, at lease for the kernel, a policy of "don't break userspace"?

      2. Dinsdale247

        Foolish

        Show me a GNU/Linux distro that provides 15+ years of long term support?

        https://www.kernel.org/category/releases.html

        Just because someone is running "Linux" doesn't mean they are able to leave systems unpatched for years and years and years and not suffer the consequences. Moreover, Linux upgrade paths can be an absolute nightmare that include custom kernel patches, custom driver software, new compilers/C libraries and incompatibility in the userland. It's not just as simple as "running Linux". Rolling releases are just as destructive.

        Regardless of vendor or operating system, IF YOU DON'T PATCH YOUR SOFTWARE, YOU HAVE UNPATCHED SOFTWARE.

        This is not the vendors issue. Microsoft has never promised unending OS support. Everyone was warned, everyone new what to expect. Everyone that ignored is suffering. Not an MS problem. Do you blame lung cancer on a government because someone smoked even though the government told them it was bad for them?

        1. Colin Tree

          Re: Foolish

          Your foolish,

          you don't upgrade,

          you partition your data from your OS

          It's all about OS design, data should be independent.

          Many years ago the venerable gurus designed Unix very carefully,

          it still works really well.

          M$ wanted your money,

          and here comes a new bucket full of money from the chumps.

      3. Field Commander A9

        And then spend trillions in rewriting applications and retraining users? Puff, Capitalism.

    3. 404

      'How much could be done for $200 per PC ?'

      Roughly, that'll get you one visit a month to physically check your machine for one year, with an emergency 4 hour response for 'other'* under an annual maintenance contract.

      *Other being like last Friday, upgrades, or users shooting themselves in the foot, doing things they shouldn't be doing. Of course, 'other' pays well but clients do get a 25% discount off the hourly rate for being under contract.

      1. Dinsdale247
        FAIL

        The Real Question

        The real question is how much would it have cost to update the software/systems that require Windows XP and was it less than $200 per PC that used it?

        Then, to see the real cost of this decision, you can add the lost opportunity cost of updating it to Windows 10 plus the cost of the malware fiasco and the cost of the new PCs that you will need to purchase (because you didn't upgrade to windows 10 for free and the PC isn't worth the $150 per license!).

        And for those that would like to say "switch to linux" I would reply that the real costs of switching to Linux are far greater than the costs of the Windows license. I wouldn't want to be the IT guy sitting on the phone for hours explaining sudo and mount to people.

        1. 889909

          Re: The Real Question

          "And for those that would like to say "switch to linux" I would reply that the real costs of switching to Linux are far greater than the costs of the Windows license. I wouldn't want to be the IT guy sitting on the phone for hours explaining sudo and mount to people."

          People do the equivalent of sudo and mount on their Windows machines at work? That should be the IT guy's job I think.

          "People" don't even need to know whether their computer runs Windows or Linux.

    4. smartermind
      Coat

      It's MEGABUCKS OR POUNDS

      $200 per PC multiplied by millions soon adds up to megabucks.

    5. jelabarre59

      Much wringing of hands about how the NHS can't afford costs or staff to pursue proper IT management.

      How much could be done for $200 per PC ?

      If all of these companies that wanted to stay on WinXP-level systems had pooled their resources and put backing behind ReactOS when they FIRST realized they couldn't/didn't want to migrate to newer MSWin versions, it might have been a usable option by the EOL for WinXP. But, as usual, corporate middle-execs and bureaucrats are chickenshit.

      Heck, that money could have been spent on Crossover Office licenses, and they could have been running their MSWin apps on top of Linux.

  2. Boris the Cockroach Silver badge

    ANd yet

    they had the patch ALREADY written before the NSA hack was leaked..............

    1. chivo243 Silver badge
      Windows

      Re: ANd yet

      @Boris the Cockroach

      Yes, those patches were written for XP 2009 POS or some other frippery that MS is still supporting...

      Had there been no WannaCry\Crypt this would not be an issue.

    2. Version 1.0 Silver badge

      Re: ANd yet

      they had the patch ALREADY written before the NSA hack was leaked

      I pointed this out yesterday and got 21 down votes ... I'm guessing the NORK hackers must read El Reg?

      But what I really want to read is the BOFH take on this when the PHB opens an email and encrypts the BOFH's network ...

    3. Naselus

      Re: ANd yet

      "they had the patch ALREADY written before the NSA hack was leaked.............."

      Yes. They have customers who pay extortionate fees for support to continue to get security updates for obsolete O/Ses. The idea is to encourage them to get off ancient systems. Microsoft don't then general-release these eye-wateringly expensive patches, since that would completely remove the motivation for anyone to pay, and everyone who could get away with it would still be on Windows 95.

      I honestly don't really see the justification for blaming MS in this, sorry. They told us years in advance that XP would be end of life in 2014. They told us to get off XP in that timescale. They even had a decent OS in Win 7 to migrate to. They then extended that support while again pointing out that you should GTFO XP. And then a bunch of organizations running XP get hit by security holes. What more do you want MS to actually do here? Keep releasing security patches for XP until the end of time?

      1. The First Dave

        Re: ANd yet

        "What more do you want MS to actually do here? Keep releasing security patches for XP until the end of time?"

        If that was a legal requirement we might see an increase in software quality going forward...

  3. wolfetone Silver badge

    "When the deal ended on April 14, 2015, it was decided CCS would not purchase government-wide support for a second year. Instead, individual government departments and agencies were told they were free to allocate budget and sign their own agreements with Redmond."

    Still managed to find £7.5 million to refurbish a stately home for a multi-millionaire though, didn't they?

    1. Anonymous Coward
      Anonymous Coward

      "Strong and stable" leadership, economic competence, "empowering" the workers, encouraging entrepreneurs through zero hours contracts, etc., etc.

  4. Anonymous Coward
    Anonymous Coward

    As for the 'Cloud'

    all the easier for the various TLA's as well as MS itself to slurp your data and keep tabs on who is doing what.

    Not gonna happen with my data. Well, perhaps when I'm kicking up daisies but by then I don't care.

    Got rid of my last Windows disaster last year. Almost 6 months MS free. My BP is not back to normal and I don't have to take the pills now. Supporting MS systems was definitely bad for my health. Perhaps they should come with a health warning?

    1. Anonymous Coward
      Anonymous Coward

      Re: As for the 'Cloud'

      Got rid of my last Windows disaster last year. Almost 6 months MS free. My BP is not back to normal and I don't have to take the pills now. Supporting MS systems was definitely bad for my health. Perhaps they should come with a health warning?

      Not gonna happen. You're dealing with the tobacco industry equivalent in IT who will bribe, bully and sue its way to profit with complete disregard for anything else. And I mean *anything*.

      1. Hargrove

        Re: As for the 'Cloud'

        You're dealing with the tobacco industry equivalent in IT who will bribe, bully and sue its way to profit with complete disregard for anything else. And I mean *anything*.

        Spot on. And when it comes to the cloud, "anything" includes that hoary elephant in the parlor called "bandwidth." Thanks to growing ignorance of the basics of mathematics and logic the myths of "Infinite Bandwidth" and "Unlimited Bandwidth" are alive and well. But the marketing smoke and mirrors only obscure an ugly reality.

        We don't have the bandwidth to sustain the current design paradigm, even in theory.

  5. toffer99

    Why didn't the alleged "Health Secretary" take action? Well, he's part of a government that wants to destroy the NHS.

  6. Ben1892

    And for those life-critical applications that can't be patched without killing people; machines that go beep, MRI scanners, etc. can we give some blame to the medical equipment manufacturers for choosing Windows in the first place - surely a different OS if you actually cared about patients. just sayin'

    1. Anonymous Coward
      Anonymous Coward

      "give some blame to the [...] equipment manufacturers for choosing Windows in the first place "

      Around a decade or so ago I returned to working in detail with sillyscopes and logic analysers and such, electronics-lab equipment which I'd not really used since late last century. Tools I was working with included an early 21st century logic analyser clearly running Windows 2000, and a slightly more recent one with similar capabilities with no visible OS but showing signs of being an embedded Linux (or maybe an RTOS). Both had network connections and capabilities. These are computers, but maybe the IT department don't see them as such. Maybe they should.

      Ten years ago. Some "equipment manufacturers" had already "got it". Windows isn't the only answer, and in some circumstances it's not the appropriate answer.

      The embedded stuff is however a tiny part of the picture, although it seems to be a handy figleaf for those who would like it to be overlooked that *up to date* systems were also affected by this latest outbreak.

    2. David Webb

      Would you really want a hospital where the many different machines ran many different OS's? You can google the tradeoff triangle, security, functionality, ease of use, in a hospital you want maximum security, maximum functionality and maximum ease of use, but you can't because each trades off against another.

      Ease of use naturally has to be one of the highest priority, the people who use the machines will have basic training, if the complexity is too high or there any many disparate systems, ease of use drops which reduces safety for the patient.

      1. Anonymous Coward
        Anonymous Coward

        "Would you really want a hospital where the many different machines ran many different OS's? "

        Why's that such a bad thing? It's extremely unlikely that any one OS fits all (hospital) requirements, that any one UI fits all requirements, and that any one application-level network protocol fits all requirements.

        What ought to be more important than a single allegedly common OS is that the various systems communicate with each other (and with humans) using documented interfaces and protocols, so that chunks can be replaced without too much upheaval if they turn out to be unfit for purpose.

        The road transport industry doesn't rely exclusively on Ford Escort vans, FFS. You do get vans and trucks that aren't identical but do have a common approach to user interface, trailer interface, etc. In some cases different classes of vehicle have different safety and licencing requirements.

        1. Naselus

          "Why's that such a bad thing?"

          You run a large estate of 600+ machines. If you have all of them on one O/S, you hire one engineer on 50k and 3 technicians on 20k. If you have them on a 12 bespoke OSes, you hire 12 specialist engineers on 50k each, and each of them spends 90% of his time doing nothing.

          That's why.

          1. Anonymous Coward
            Anonymous Coward

            "If you have them on a 12 bespoke OSes, you hire 12 specialist engineers on 50k each, and each of them spends 90% of his time doing nothing."

            Twelve OSes? Three or so ought to be more than sufficient for routine day to day needs, and anyone who can't be trained to handle more than two of the three isn't worth having. Assuming your 600 machines mostly means 600 users and a few servers and a few weird devices, you hire two competent people ("engineers" may not be the right term) and a trainee, and then you've even got holiday cover and two peers and a trainee who can bounce ideas off each other.

            "If you have all of them on one O/S, you hire one engineer on 50k and 3 technicians on 20k. "

            And some other bunch of suckers picks up the cost and the pain when, as history shows only too clearly, it inevitably all turns to pooh and the IT crowd stand there quietly laughing because they're not the ones feeling the pain, but they are the ones who can keep a straight face when they talk about "our estate".

          2. Dwarf

            You run a large estate of 600+ machines. If you have all of them on one O/S, you hire one engineer on 50k and 3 technicians on 20k. If you have them on a 12 bespoke OSes, you hire 12 specialist engineers on 50k each, and each of them spends 90% of his time doing nothing.

            That's why.

            Whereas when the vulnerability hit you had 100% of everyone doing nothing *

            * Except the IT team who were working through the weekend.

          3. John Smith 19 Gold badge
            Unhappy

            "If you have them on a 12 bespoke OSes, you hire 12 specialist engineers on 50k each, "

            That sounds pretty serious.

            Except for one small point.

            All those OS's are inside medical machines that are locked down. They can't be upgraded by on site staff.

            As long as they have standard IE not MS specific protocols and a UI people can learn to use who cares what's behind the box.

            Historical fact. At one time all CD players run on something called OS9. Never heard of it? Exactly. The "ui" was normally a set of hardware buttons, which somehow people seemed to manage with back then.

        2. Dinsdale247

          Lolz. The common OS you refer to is called Windows.

          1. Anonymous Coward
            Anonymous Coward

            You're off message, Dimsdale.

            Ballmer has decreed, in public over a year ago, that he loves Linux and that he no longer thinks it's a cancer.

            Obviously actions speak louder than words. MS's *actions* show that they're aware they have to take Linux seriously in what their fanbois (does that include you?) have historically regarded as their traditional market (e.g. mainstream x86 servers).

            https://www.wired.com/2014/10/microsoft-ceo-satya-nadella-loves-steve-ballmer-despised/

            http://www.zdnet.com/article/ballmer-i-may-have-called-linux-a-cancer-but-now-i-love-it/ (2016)

            http://www.pcworld.com/article/3142345/data-center-cloud/microsoft-doubles-down-on-linux-love-joins-foundation.html (Nov 2016: MS joins Linux Foundation)

      2. oldcoder

        "Ease of use" is not a avalid excuse to use the most insecure system ever foisted off as usable.

        Ease of use can be handled by any decent operating system - you just have to have a STANDARD that specifies what "ease of use" means.

        Microsoft doesn't have one. Their definition is "whatever we say it is", and you have no choice, and no control.

        1. David Webb

          Ease of use is for the lowest common denominator, the User, sure, us as IT people could easily hop from OS to OS, but a 50 year old nurse who is "bloody brilliant" at being a nurse but "the internet, you mean that blue e?" when it comes to tech, you really want her to have to faffle with many systems just to get the results of the tests?

          You can train the nurse to use Windows XP (which she has used for 10 years now), then you suddenly expect her to jump to Linux, OSX and Windows 10? That would cause issues at a hospital, where every job a nurse does is mission critical (btw, I love nurses, they have saved my life a fair few times now).

          Though, should we really be blaming MS? I know it's fun to (not as fun as blaming Apple though), but isn't it down to the contractors who built the apps that require Windows XP to run and won't run on 7+ and the NHS that won't pay to update the apps because "it works on XP". We can't blame MS because the NSA didn't disclose the vuln, IT tech's didn't update the OS or patch, scumbags released the vun, then more scumbags used the vuln, that's like blaming Volvo because the car whose driver never bothered fixing the brakes hit me.

          1. Anonymous Coward
            Anonymous Coward

            "We can't blame MS because the NSA didn't disclose the vuln, IT tech's didn't update the OS or patch, scumbags released the vun, then more scumbags used the vuln, that's like blaming Volvo because the car whose driver never bothered fixing the brakes hit me."

            Rubbish. There's a large element of "defective by design" in the PC software picture, on a scale which would not be permissible in any recent car.

            Cars (not just Volvos), small vans, etc, have had dual circuit brakes for a few decades by now. I assume it's a legal requirement. This dual circuit braking design concept means that if there is a plausible failure in the braking system, it cannot cause the loss of all brakes, it can only cause the loss of *some* of the braking power.

            Find a better example and try again, if you wish.

            Bear in mind that cars are things which in general are properly engineered, perhaps because they have decent regulatory requirements (and maybe a bit of inter-vendor competition), and where failure to meet the regulatory or customer requirements has until recently been the exception rather than the rule. Not sure what the equivalent statement would be for PCs and PC software.

          2. Adair Silver badge

            @David Webb

            The vast majority of hospital staff don't care what OS they are using; what they care about is the application software. they care about that on the level of: are the buttons in the same place they were yesterday, and do they do the same thing they did yesterday?

            Changing the OS is, to a large extent, a non-event as long as the software they actually use is familiar; and even when it isn't, within a few weeks the crying and the whining stops as the 'horrible changes' become the new normal, and life goes on.

            This above is written from experience---I work in a hospital. Last year we changed from XP to 7, AND changed the basic patient management system. Also in my experience changing to Linux causes non-IT literate people no more difficulty than changing from one version of Windows to another.

          3. Richard Plinston

            > you really want her to have to faffle with many [operating] systems just to get the results of the tests?

            Users don't run operating systems, they run applications designed for their needs. 'Test result' programs should look and work identically whether they are installed on Windows, Linux or Android. If they are browser based they should be identical whether on IE6, Chrome or Firefox.

            > You can train the nurse to use Windows XP (which she has used for 10 years now), then you suddenly expect her to jump to Linux, OSX and Windows 10?

            I would expect that someone familiar with Windows XP would find it easier to 'jump to' Linux than to Windows 8 or 10.

            1. Medical Cynic

              Agreed, the nurse doesn't need to 'use' windows. She/he uses the patient record system, or the lab results system, or RIS/PACS etc.

              The OS is irrelevant so long as the required systems can be run in it [or in a standard browser within it].

          4. truetalk

            "You can train the nurse to use Windows XP (which she has used for 10 years now), then you suddenly expect her to jump to Linux, OSX and Windows 10? That would cause issues at a hospital, where every job a nurse does is mission critical (btw, I love nurses, they have saved my life a fair few times now)."

            Training is provided on the application not the OS. The OS sits behind the application causing no end of security woes (if its Windows). Most people I've met that operate CT/MR/X-RAY systems don't give two hoots what the OS is. They learn and understand the application.

            And if a manufacturer of CT/MR/X-RAY/Nuclear had any sense that would avoid managements love affair with Windows and switch all such pieces of equipment to Linux. All the rest that use Microsoft Word and occasionally move a file around on their computer can live in blissful ignorance with their virus/malware infested pile of shite called Windows.

        2. Anonymous Coward
          Anonymous Coward

          "Ease of use" is not a avalid excuse to use the most insecure system ever foisted off as usable.

          Absolutely. It's also a flat out lie, but repeated so often that people believe it.

          Ease of use was what made me stay with OSX about 6 years ago instead of trying it for a month and then reverting to Windows. You only really realise just how much Microsoft software actually gets in the way of getting anything done when you switch to a Mac - it wasn't something I was expecting.

          Rubbish security and low usability, and yet it's sold as the best you can get. Microsoft sales people must have been selling second hand cars or real estate before they got this gig.

          1. Anonymous Coward
            Anonymous Coward

            "yet it's sold as the best you can get. Microsoft sales people must have been selling second hand cars or real estate before they got this gig."

            Bear in mind that Joe Public doesn't buy that much Windows any more when they have the choice. You and many others choose Apple, loads more people live with Android.

            Windows is where it is because of cosy deals between MS and large scale system vendors and (to a lesser extent) large scale IT departments and the Windows-dependent ecosystem e.g. PC retailers having their advertising budgets subsidised by MS so long as the retailer stays "on message".

            Take one or more of those out of the picture and Windows goes with them, whether it's high end (HPC) servers (MS failure) to embedded systems (MS failure) to phones (massive MS failure) to ... whatever.

      3. Dan 55 Silver badge

        Haven't we been thorough this before with browsers, office suits, and networking? All communication via open formats and protocols and then the most appropriate OS can be chosen for each case.

        That doesn't have to mean Windows and people's heads don't necessarily explode when they use things apart from Windows. I think most people would be happy to get rid of IE6 which is holding the NHS and other organisations back.

      4. Roland6 Silver badge

        "Would you really want a hospital where the many different machines ran many different OS's?"

        A question that was effectively answered back in the 1980's - remember a basic premise of Open Systems was Standard interfaces and file formats, hence the importance of full stack Open Systems Interconnect and the various profiles (eg. GOSIP, MAP/TOP) that arose to solve real-world problems of connecting systems from a comparatively large selection of vendors, each with their own (predominantly proprietary) OS and machine architecture.

        There really is no real reason why my phone needs to run the same OS, as my tablet, as my PC - in fact that is the case today: Android, iOS and Windows respectively. Similarly, I don't need desktop Word for example on a sub 8-inch screen tablet/phone, it isn't usable.

        Likewise in hospitals does the MRI scanner really need to run the same OS as the bedside vital functions monitor? No they don't, they simply need to be able to use Standard protocols and interfaces such as the UK 3-pin mains power supply and either an RJ45 or multimode SC fiber port LAN connection.

        In fact it is useful to compare and contrast the WannaCrypt attack with Richard Morris's Internet Worm (1988), to better understand why the widespread usage of a single OS, CPU and hardware platform (ie. Windows and the x86 PC architecture) is not a good thing.

      5. heyrick Silver badge

        "Would you really want a hospital where the many different machines ran many different OS's?"

        Why is that a problem? A device running a specific piece of application software ought to present an easy to use UI that takes over the screen, so it will appear that only it is running. As long as the UI is clear and logical, it shouldn't matter what the underlying OS is. You're expected to use an MRI scanner to image people's insides, not run Solitaire in a corner of the screen...

      6. Red Bren

        @David Webb

        "Ease of use naturally has to be one of the highest priority, the people who use the machines will have basic training, if the complexity is too high or there any many disparate systems, ease of use drops which reduces safety for the patient."

        You make a good argument for sticking with XP. No ribbons, no metro UI, no having to learn new keyboard shortcuts. Or migrating to a linux with an XP-like desktop interface such as LXDE or Cinnamon.

        1. David Webb

          Re: @David Webb

          @Red Bren - except the nurses/doctors/porters/technicians/etc. won't really get a say in which OS the managers pick.

          Yes, in an ideal world we'll have a standard UI with a standard library, where it's totally agnostic and doesn't give a damn what OS you're running on. But we don't live in an ideal world. Have you been to the job centre recently, or whatever it's called now? Their software is bespoke.... for hotels, it was re-purposed for their use and the UI is pre Windows 95.

          I think we live in a world of "make the best of" rather than "make the best", especially when it comes to the public purse, I guess we can always get BAE to design some software for hospitals, would totally help with their eventual budget (and make undertakers retire filthy rich)

    3. Mark 110

      So surely if you are buying a piece of medical kit for £250k you also buy a support contract from the vendor? And you put a clause in that contract that the supplier must provide software updates to ensure the software works on a supported OS?

      Just saying like . . .

      1. billat29

        Hardware Support

        "So surely if you are buying a piece of medical kit for £250k you also buy a support contract from the vendor? And you put a clause in that contract that the supplier must provide software updates to ensure the software works on a supported OS?"

        In an ideal world, yes. But in the real world, that piece of kit has some clever stuff designed and built by the vendor surrounded with a whole load of other stuff that is bought off the shelf. And so there is a chain of dependencies not only on hardware but also the software to drive it. And it takes just one of those vendors to stop producing the kit or decide that it isn't worth their while updating the drivers to the OS latest driver model and you are basically stuffed.

        1. John Smith 19 Gold badge
          Unhappy

          "in the real world, that piece of kit has some clever stuff designed and built by the vendor

          surrounded with a whole load of other stuff that is bought off the shelf."

          So in simple terms

          1)Support contracts with an upgrade clause for large pieces of medical equipment (or by extension any large industrial equipment) are not worth s**t.

          2) Developers at such companies have never heard of the concept of "regression testing" against their software module chain to ensure their new stuff (inc an OS) does not break their old stuff.

          And this is how you run a medical hardware (or software) company in the 21st century.

          Welcome to the future.

      2. Glenturret Single Malt

        @Mark 110

        All very well but what happens when the vendor goes out of business?

  7. TRT

    If I had a Ford vehicle...

    say, that I purchased in 2002, and there was a flaw in the door loc... oh wait. Not a good analogy.

    Anyway, yes, the train of thought I was having then was, for a flaw of a critical nature, with a weaponised exploit just sat there, waiting for some script kiddy to turn it into a WMD (Windows Malware Doomsday), wouldn't that really be a trigger for them to NOT differentiate between paying support customers and non-paying customers? I mean, would a car manufacturer fix a flaw that allowed an attacker access to your vehicle but ONLY if you bought the extended service deal? Despite the fact that the cost of fixing that flaw was (1) nil in real terms and (2) the unknown potential loss of paying extended support customers?

    1. wolfetone Silver badge

      Re: If I had a Ford vehicle...

      "I mean, would a car manufacturer fix a flaw that allowed an attacker access to your vehicle but ONLY if you bought the extended service deal? Despite the fact that the cost of fixing that flaw was (1) nil in real terms and (2) the unknown potential loss of paying extended support customers?"

      Well Ford calculated that the cost of compensation to likely victims of a Ford Pinto crash would cost less than fitting plastic caps to the rear axle, which would stop it puncturing the fuel tank and stop it combusting in to a fireball with the occupants inside.

      So really in answer to your question: The manufacturer really doesn't care about any flaw in a car, regardless how long you've had it. With the exception of Honda and Toyota, they'll recall cars even if they're 15 years old to fix damaged lightswitches or airbags.

      1. Anonymous Coward
        Anonymous Coward

        Re: If I had a Ford vehicle...

        they'll recall cars even if they're 15 years old to fix damaged lightswitches or airbags

        As a general rule, they only do this because of consumer protection or product liability laws in major markets, not out of any sense of duty or customer obligation. Software will remain a wild west for users and buyers until the same laws are extended to software. I'd guess in some markets the same laws do in theory already apply, but simply are not applied effectively, because when you're a tech company, all forms of law, tax, privacy, and compliance are things for other people that you can avoid.

        If Microsoft were on the hook for the costs of malware exploiting code errors, you can be sure they'd have made a much better job of fixing the problems. They thieves are sitting on a cash pile of about $116 billion. Assuming 200m lines of unique code, ten minutes to review each and every line, $50k blended annual salary, it would cost about $1bn to fix the entire Windows code base. less than 1% of the cash they're sitting on.

        1. localzuk

          Re: If I had a Ford vehicle...

          If companies were on the hook for potential bugs in their software, they simply wouldn't make that software. The risk would just be far too high. If my blender breaks after a few years, I'm on my own, consumer protection laws or not. Cars are different because they are a life and death issue. Software, on the whole, is not.

          You are also assuming that an analysis of the entire code base would actually result in fixed code. It wouldn't. You'd just end up with a bunch of new errors. The people writing Windows are not script kiddies sat in their bedrooms, they are professionals who know what they're doing. They're also human, and mistakes will always be made.

          You also have to take into account that some bugs are "never before seen", so an analysis would simply not spot the possible outcome of a determined attack.

          Then again, maybe that's too nuanced for someone who calls a company, legally bound to maximise profit, "thieves" for making a profit.

          1. Anonymous Coward
            Anonymous Coward

            Re: "maximise profits" vs "thieves" (UK specifically)

            Nuanced? Try ill-informed, it might suit you better :)

            "a company [is] legally bound to maximise profit, "

            In the UK, other factors must also be taken into consideration besides profit, though the law in question is never visibly enforced. Maybe Saint Theresa will announce she's going to fix that one too (before quietly undoing the original announcement or announcing a 'bonfire of red tape').

            Anyway, Section 172 of the 2006 Companies Act (below) specifically says company Directors must consider the interests of employees, suppliers, community, environment etc, and not just in a short term context either.

            Obviously nobody ever bothers with this, and the consequences of ignoring it are nil, but this is The Law as it has been in the UK for a few years.

            If people breaking copyright law can legitimately be called thieves, so can those who break company law. FACT!

            From e.g. http://www.legislation.gov.uk/ukpga/2006/46/section/172

            172 Duty to promote the success of the company

            (1)A director of a company must act in the way he considers, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole, and in doing so have regard (amongst other matters) to—

            (a)the likely consequences of any decision in the long term,

            (b)the interests of the company's employees,

            (c)the need to foster the company's business relationships with suppliers, customers and others,

            (d)the impact of the company's operations on the community and the environment,

            (e)the desirability of the company maintaining a reputation for high standards of business conduct, and

            (f)the need to act fairly as between members of the company.

            (2)Where or to the extent that the purposes of the company consist of or include purposes other than the benefit of its members, subsection (1) has effect as if the reference to promoting the success of the company for the benefit of its members were to achieving those purposes.

            (3)The duty imposed by this section has effect subject to any enactment or rule of law requiring directors, in certain circumstances, to consider or act in the interests of creditors of the company.

            1. localzuk

              Re: "maximise profits" vs "thieves" (UK specifically)

              Last I checked, Microsoft is a US company.

              Also, Windows is a general purpose OS. It is not a medical specific OS, or a nuclear specific OS etc... The onus is on the buyer to buy the right tool for the job. Its not Microsoft's fault if you use Windows 3.11 to run the guidance system on your nuclear missile. They sold you a product for general purpose computing purposes (in fact, last time I read their EULA there were specific clauses telling you not to use it in a variety of situations).

              I still find it hilarious that anyone thinks it is possible for a general purpose OS, that has to support decades of legacy software and hardware, can be exploit-proof, if only the creators put a bit more effort into it.

            2. Anonymous Coward
              Anonymous Coward

              Re: "maximise profits" vs "thieves" (UK specifically)

              Anyway, Section 172 of the 2006 Companies Act (below) specifically says company Directors must consider the interests of employees, suppliers, community, environment etc, and not just in a short term context either.

              Well, it obviously didn't stop Cadbury's, did it?

              1. Anonymous Coward
                Anonymous Coward

                Re: "maximise profits" vs "thieves" (UK specifically)

                "it obviously didn't stop Cadbury's, did it?"

                I assume you mean that it didn't stop the Board of Cadbury's selling out to a US company (ie Kraft), in which case (and in many other similar ones) you are of course quite right, hence my comment about this piece of legislation never being enforced.

                The Cadbury/Kraft story is a particularly disgusting one, especially the bit where Cadbury's local MP, Steve "Invisible" McCabe (New Lab, Selly Oak, which includes Bournville) rarely had anything to say on the subject and when he did he was as likely to come out on the side of the Kraft management rather than on the side of the employees who wanted Kraft to keep their commitments re no job losses and no loss of benefits.

          2. steamnut

            Re: If I had a Ford vehicle...

            What a rubbish response.

            If the people writing Windows really are professionals then shame on them! Also, "bugs never before seen" shows how naive you are.

            Those of us that have ever written serious code (eg medical, nuclear, military) will know that, before any code is written, a test harness is created, discussed, tested, reviewed and signed off. If code the code is written well and passes the test harness then it should be ok out in "the wild". BUT, this process only works if the system design is sound and the test harness test cases are signed off.

            The problem is that the whole Windows market is a mess. Apart from Microsoft, we have Adobe with it's flash mess, Oracle with Java, Even the anti-virus companies have borked Windows after declaring a good bit of code a virus.

            Like a few others writing here I switched to Linux some time ago. Yes, I still have some Windows systems but these tend to be virtualised and isolated XP systems where the software vendors (eg Quickbooks) did not update their software for Win7.

            When the media commentators tell us to upgrade our systems they don't realise the OS cost is not the problem - it's the time to re-install and re-test everything now that USoft stopped the previous upgrade paths.

            1. toughluck

              Re: If I had a Ford vehicle...

              @steamnut:

              When the media commentators tell us to upgrade our systems they don't realise the OS cost is not the problem - it's the time to re-install and re-test everything now that USoft stopped the previous upgrade paths.

              Absolute bullshit. Microsoft didn't suddenly stop previous upgrade paths. Quite the contrary, everything was clear and obvious from the start. You knew exactly how long XP was going to be supported and how much time is left for Windows 7.

              A good developer would have known that using IE6-specific features is not the smartest thing to do and that everything could have been accomplished and implemented using standard technologies and APIs.

              Sure, you might decide that dropping IE6 was a mistake and that Microsoft should have instead tried to patch every bug that they introduced there, but still have every feature working (where some features relied on the bugs, at least for more than a couple of vendors).

            2. Pascal Monett Silver badge
              Trollface

              Re: "Those of us that have ever written serious code (eg medical, nuclear, military).."

              So, what you're saying is that there are serious programmers who do the top-of-the-line stuff for the military and such and who's code is flawless, fit to withstand the test of time, and there are the doodlers that do the enterprise-grade stuff for the rest of us, code which falls over itself as soon as the wind blows.

              I take it that the guys working on the F-35 are among the doodlers then ? I get it now - the government should have insisted on serious programmers.

              1. Anonymous Coward
                Anonymous Coward

                Re: "Those of us that have ever written serious code (eg medical, nuclear, military).."

                So, what you're saying is that there are serious programmers who do the top-of-the-line stuff for the military and such and who's code is flawless, fit to withstand the test of time, and there are the doodlers that do the enterprise-grade stuff for the rest of us, code which falls over itself as soon as the wind blows.

                Come off it Pascal, it 2017, FFS!

                Are you really saying that when we're able to use virtualisation and entire DCs to fuzz test software in a few hours, that there is any reasonable excuse for the rankly amateur quality of much business software? Your example of the F35 (or any defence project) is naieve because the "business analysis" changes with the requirements every five minutes, and because there's no comparability. Windows code has been an evolution since version 3, there's no fucking excuse for Microsoft.

                The reason that crapware continues, is not because it somehow "has to" but because lazy shitbag companies like Adobe can't be arsed to fix it, and they'd rather book the income as pure profit, as opposed to paying to fix the junk they originally shipped.

                Somebody earlier wrote that "if they were held to account for all their flaws, they'd never write any code". People still make cars despite stringent quality, reliability and product safety laws, and the need for recall and rectification years after manufacture. What's more, tnd there's a total global IT spend of around $3 trillion a year. If the shrinking violets currently in the software industry want to take up candle making or garden landscaping because they're not competent to write decent code and 'fess up and fix their flaws afterwards, let 'em go, there will be plenty of people willing to plug the gap and get access to a share of that $3 trillion.

                It isn't 1991 anymore, and the US software majors need to wake and smell the coffee, LAZY FUCKERS.

                1. Pascal Monett Silver badge

                  @ledswinger

                  Um, sorry there, but I think you might want to re-read steamnut's post, then re-read mine while paying attention to the troll icon. Also, please pay attention to the first part of the phrase that you outlined, not the last part.

                  I am not saying that Microsoft has an excuse, I'm saying that there are no perfect programmers and to think that the ones working for the military are any better than the ones working for the NHS is ridiculous - mainly because of some of the points you outlined yourself : changing goalposts.

                  As for Microsoft, I am incensed that they had the patch available in February, but waited for hospitals to go down before releasing it. Way to go there, guys, pretending to be all nice and releasing for everyone now that there are lives at risk. You'd have released it when the Shadow group published the flaws then it would have been acceptable, but to know that you had the patch, knew the vulns were in the wild and still waited for the crash is, in my book, worthy of jail time at the least.

              2. John Smith 19 Gold badge
                Unhappy

                Re: "Those of us that have ever written serious code (eg medical, nuclear, military).."

                "I take it that the guys working on the F-35 are among the doodlers then ? I "

                Funny you should choose the F35.

                You may think it being a DoD programme they'd have to use Ada but you'd be wrong.

                LM said "That's too expensive, can we use C/C++ ?" DoD said yes. The rest is history.

                Ada was designed on the idea that people write a program once but may spend decades updating it and re-compiling it. It needs to be quickly understandable and stop as many stupid errors before they are even made.

                C/C++ is not.

          3. John Smith 19 Gold badge
            Coffee/keyboard

            "The people writing Windows are not script kiddies sat in their bedrooms,

            they are professionals who know what they're doing. "

            Oh well played, sir

            Been a while since I had a real LOL moment.

      2. TRT

        Re: If I had a Ford vehicle...

        Some people seem to have missed this bit in my original post " ...wouldn't that really be a trigger for them to NOT differentiate between paying support customers and non-paying customers?"

        Well the question was really, if a company developed a fix for a problem, and the deployment of that fix is at zero cost to them really, you know for like even cheaper than "bring a USB stick to your local dealer and we'll put the smart lock software on it for you to upgrade yourself", knowing that there's a tool out there that could lock the car's steering and cause consequential damage potentially loss of life, should you then withhold that fix except from people who paid for it (plus the other support that an annual fee buys you)? As people have pointed out, the cost of the consequences compared to the cost if the fix. Cost of the fix is next to nothing, because it's already been paid for by the people paying the support contracts. On top of that, it's a flaw present in the product as originally sold.

        So, if you HAVE a fix, and you know it's a fix for something pretty damned serious, and even if you know that there's no question of you being held liable for the failure of or flaw in the software, is there any reason for NOT supplying a CRITICAL security fix to all systems, paying customer or not?

  8. Doctor Syntax Silver badge

    "If anything good comes from WannaCrypt, it'll be the final death of XP."

    No, if anything good comes from WannCrypt it'll be a whole new emphasis on how OSs are designed and built, how they communicate and how the computing elements safety or health critical equipment are certified.

    1. Anonymous Coward
      Anonymous Coward

      Re: certification

      "how the computing elements safety or health critical equipment are certified."

      It'll be interesting to hear how some of this critical equipment ever got through allegedly appropriate certification processes, what risks were considered during the risk reduction part of product design, etc.

      Risk: "The correct operation of incorporated software is an essential part of correct operation of this [equipment]. Failure of major software components renders the machine inoperable and may risk the safety and security of other devices on the network. Worst case, in the event of non-operation of other protection mechanisms, the safety of those in the vicinity of the equipment may also be at risk if the controlling software is not operating in the required manner.

      Mitigation: Head in sand, fingers in ears, dollars in bank accounts. What could possibly go wrong, everybody's forgotten Stuxnet, right?

      Impact: Everybody's happy in La-La-Land. Till something goes wrong (again).

      1. oldcoder

        Re: certification

        You left out part of the "mitigation".

        The "under the table" payments to compensate for feeling bad about failures....

        1. Jellied Eel Silver badge

          Re: certification

          There's probably an MS Certification you can buy.

          But the exploit seems to rely on subtracting a 32bit DWORD from a 16bit WORD. And C is well known for it's ability to write to memory, and limited built in sanity checking. Competent programmers know this. Microsofts presumably didn't.

    2. Anonymous South African Coward Silver badge
      Headmaster

      A long, long while ago somebody wrote an article on an OS with default-deny as policy, where you (as admin) have to approve each and every bit of software that wanted to run/install itself on your purdy compootah.

      Maybe it is time to rethink default-deny as a policy that can be enabled once all the programs etc has been installed by a sysadmin, and before the PC/laptop/whatever is handed over to the end-user.

      Much less stress, no more antivirus, no more worries about worms trying to sneak in and so on.

      Pipe dream?

      1. Charles 9

        "A long, long while ago somebody wrote an article on an OS with default-deny as policy, where you (as admin) have to approve each and every bit of software that wanted to run/install itself on your purdy compootah."

        You know Windows tried to do that with Vista, with UAC. The end result was exploits STILL going through due to a psychological phenomenon once called "hoop jumping" and now better known as "click fatigue". The problem with default-deny is that it irks users to do it over and over and over again. Make something annoying enough and people either "zombie" their way through it or find ways AROUND it.

        IOW, there's just no pleasing some people. Our current situation is untenable, but so is default-deny to the average user. So what do you do?

      2. Kiwi
        Thumb Up

        Maybe it is time to rethink default-deny as a policy that can be enabled once all the programs etc has been installed by a sysadmin, and before the PC/laptop/whatever is handed over to the end-user.

        I used to try to get people to use "whitelisting" firewalls along those lines (Comodo, Zone Alarm etc), the idea being that they would deny anything "new" unless they were doing an install or an update and trusted the source.

        Instead, they click on "make this dialogue go away quickly". Think of MS's attempt with UAC with Vista, people didn't read the dialogue they clicked a button to make it go away. And if clicking "no" meant the program tried again, they found "yes" made the dialogue go away and stay away.

        Default deny means a bit of work in teaching the users when it is a good time to allow something. And sadly, I see people who are way above average intelligence still do very stupid things when desperate to fix some computing itch.

        But.. If anyone can tell me how to get around this problem, I would greatly appreciate it.

        Oh, and FTR I believe in one or two occasions I clicked on the opposite to what I wanted.

    3. I am the liquor

      If anything good comes from WannaCrypt

      And, indeed, whether organisations like the NHS should be using all-purpose desktop OSes at all for users who just need to use central shared resources like patient records, appointments or email. Some sort of thin client would be a lot safer. Booted over the network from a read-only boot image it would make patch roll-out much easier, and if the thin client OS should suffer a malware infection then disinfection is as simple as turning it off and on again.

    4. Roland6 Silver badge

      No, if anything good comes from WannCrypt it'll be a whole new emphasis on how OSs are designed and built

      But perhaps more importantly, how OS and software in general is supported and maintained.

      Whilst MS have been clear they only intend supporting their products for 10 years, with W10 they have caveated this to only cover platforms that the OEM also supports, which effectively means the duration of the OEM's extended warranty.

      So once again the question must be whether MS really are a suitable enterprise IT partner...

      However, as others have noted elsewhere, various Linux and proprietary OS distributions aren't necessarily any better Microsoft, so at the present time, it would seem enterprise IT is between a rock and a hard place.

    5. bombastic bob Silver badge
      Facepalm

      If anything good comes from WannaCrypt

      (deserves its own topic)

      and, a review of how Micro-shaft has a pretty BAD history of releasing potential zero-day vulnerabilities within their code in the FIRST place.

      I mean, they've had more than a DECADE to review their OS and fix these things. Instead they did:

      a) windows vista

      b) windows 7 (which was good, but kept a few elements of vista that I don't really like)

      c) windows "ape" and "ape point 1" (apparent re-writes, big waste of time)

      d) win-10-nic

      If they'd taken the SAME amount of effort in some serious line-by-line code review, INSTEAD of just saying "new, shiny, let's do it OUR way since it's OUR turn now" (i.e. the millenials in charge, now) then they would have FIXED this flaw [buffer overrun - duh] and we'd have XP SP8 or WIn 7 SP4 or something instead of *THAT*

      /me facepalms. no 'doh' about it.

    6. John Smith 19 Gold badge
      Unhappy

      "if anything good comes from WannCrypt it'll be a whole new emphasis

      on how OSs are designed and built, "

      What a lovely and beautiful idea.

      Thing is this is a 17YO OS so I'm sure MS will say that "Lessons were longed long ago about this."

      It can also be said that we already know ways to develop secure software. The people who used them (to write the embedded control software for the Space Shuttle) wrote a book about it ("Structured Programming" Linger, Mills, Witt) which no one reads (available for a couple of $ on Amazon).

      And basically no one is prepared to put in the money and time to do so.

      1. Jellied Eel Silver badge

        Re: "if anything good comes from WannCrypt it'll be a whole new emphasis

        Those that ignore history are condemned to repeat it. Or maybe work in software maintenance at Microsoft. From wiki on what was previously regarded as the most expensive software error, the Ariane 5/Cluster mission-

        "The greater horizontal acceleration caused a data conversion from a 64-bit floating point number to a 16-bit signed integer value to overflow and cause a hardware exception. Efficiency considerations had omitted range checks for this particular variable, though conversions of other variables in the code were protected. The exception halted the reference platforms, resulting in the destruction of the flight."

        SMB's had performance issues in the past, so perhaps range checks were omitted for the same reason, with much the same result.

  9. This post has been deleted by its author

    1. localzuk

      Re: Should We Now Invest In Linux For Important Systems

      Linux? Just another kernel created by fallible people. Gets just as many security advisories, and is just as prone to potential problems.

      Also suffers from the same issue of support ending for earlier editions. So, not really sure how this would help anything?

  10. msknight

    Hang on a minute...

    Was it one year... or three ... - http://www.theregister.co.uk/2017/05/16/microsoft_stockpiling_flaws_too/

    "Custom support is a big earner: Microsoft charged Britain's National Health Service $200 per desktop for year one, $400 for year two and $800 for a third year as part of its contract. UK Health Secretary Jeremy Hunt cancelled the contract after a year as a cost-saving measure."

    1. Anonymous Coward
      Anonymous Coward

      Re: Hang on a minute...

      And you'd have supported him paying $800 a year per machine for a few token patches, with no real guarantee that they'd keep the machines secure?

      I'll give you that Hunt is a *unt, the NHS is underfunded and mismanaged, and its IT shambolic. But that is a second order issue when the root cause is Microsoft selling fault-ridden software, and expecting the customer to shoulder the risks. Several large private sector outfits have been hit hard by Wcrypt, they will have similar second order triggers to the NHS outbreaks. But the root cause remains Redmond's poor quality product, and Microsoft's repeated and enduring failure to properly fix Windows security - FFS, they needed a patch to protect W10 from this, lord knows that gaping holes lie undetected elsewhere in W10.

      Microsoft don't take security seriously, because they believe know they can sell bug-ridden code with impunity, and where the downside risks sit with customers.

      1. localzuk

        Re: Hang on a minute...

        Its kinda hilarious how over-simplified people like you are making out this all is @Ledswinger.

        Microsoft have a problem - on one side they need to maintain security, on the other they need to maintain legacy support. Very difficult balancing act.

      2. Peter X

        Re: Hang on a minute... @Ledswinger

        From a management/planning perspective, pulling support without having some sort of migration plan was always going to end in disaster. If I was being kind, I'd say that Mr. Hunt at least got part way there in that he recognised that spending a shit-ton of money on support was a waste and needed to be solved... but simply pulling support? Nope, unquestionably, that was a bad idea.

        I'll go along with your opinion of MS however! :D

        Really, the bigger problem with all government IT is that there is no long-term plan. They've put themselves in a position where they're using an OS with a single supplier who, essentially, have them over a barrel.

        So I'm another one voting for Linux. But not so much because of any technical superiority versus Windows, but more because of the Free as in Freedom aspect... if UK.GOV sourced their own standard Linux (think of what Goobuntu is to Ubuntu), then they can pay any IT support outfit to manage it. Maybe a UK based one for example?

        Also... this isn't just the NHS is it? Aren't UK police using lots of WinXP too?

        1. Anonymous Coward
          Anonymous Coward

          Re: Hang on a minute... @Ledswinger

          "Really, the bigger problem with all government IT is that there is no long-term plan."

          Governments really CAN'T do a long-term plan without serious public support. This is because they may not BE there to see it through otherwise, and the NEXT government may well take the costs and CANCEL anything their opposition might have started.

          1. Anonymous Coward
            Anonymous Coward

            Re: Hang on a minute... @Ledswinger

            "Governments really CAN'T do a long-term plan without serious public support. "

            They can, and they do, when it suits them. Unelected civil servants are called Permanent Secretary for a reason, and there are other less visible roles too. One person that ought to be more widely known is the anti-terrorism expert from the days when Theresa May was just another Home Secretary. He still has a similar role close to her now that May has been kicked upstairs.

            It'd be interesting to hear what that particular anti-terror expert has to say about Microsoft's longstanding vulnerabilities, especially when MS is software is used in places where that software is really not appropriate, and the inevitable result of leaving those vulnerabilities open to exploitation by terrist organisations (and others).

            https://en.wikipedia.org/wiki/Charles_Farr

            1. Charles 9

              Re: Hang on a minute... @Ledswinger

              "They can, and they do, when it suits them."

              Name one (that was grossly and provably unpopular) that didn't get them voted out in the next election.

  11. Anonymous Coward
    Anonymous Coward

    Never trust a binary - and never trust a vendor who works with the NSA

    Corporate governance requires a responsible approach to risk.

    This episode proves that Microsoft has contempt for its customers, for users, and, indeed, for human life.

    The only responsible action is to migrate to Open Source as soon as practicable.

    The money spent on licences can be spent on improving and supporting the Open Source code used - a direct benefit to everybody instead of a tax paid to a US company.

    1. Anonymous Coward
      Anonymous Coward

      Re: Never trust a binary - and never trust a vendor who works with the NSA

      What about the software that ONLY works on Windows and has no alternative because medical software and equipment is an incredible niche industry?

      1. Red Bren
        Windows

        Re: Never trust a binary - and never trust a vendor who works with the NSA

        @AC

        "What about the software that ONLY works on Windows and has no alternative because medical software and equipment is an incredible niche industry?"

        If it's that niche, you're only going to have a small customer base. If that customer base starts telling you they're not buying equipment that relies on a consumer grade OS with a designed obsolescence that's shorter than the life expectancy of equipment itself, what are you going to do?

        1. Charles 9
          Devil

          Re: Never trust a binary - and never trust a vendor who works with the NSA

          Wait it out. There may be a small customer base, but an EVEN SMALLER supplier base. And more often than not it's the CUSTOMER who doesn't have time on their side since they're usually trying to replace a broken machine. Meaning it's a seller's market, not a buyer's one. What does the customer tell his/her superiors when he/she won't get a new machine when their current one is broken?

    2. Jonathan 27

      Re: Never trust a binary - and never trust a vendor who works with the NSA

      Similarly devastating bugs in apache httpd, bash and other open-source software would like to have a word with you. Open source doesn't magically prevent security issues.

  12. Anonymous Coward
    Anonymous Coward

    Conflict of interest and anti-trust

    Remember, it is a conflict of interest, for the company writing the software to make money from providing bug patches. If they write bug-free code, they lose an income stream.

    Open Source prevents this conflict because anybody can access the code, detect bugs, and fix them. There is no monopoly of support provision.

    It makes no sense for important state services to be at the mercy of a company that profits from its mistakes, and has the monopoly of fixing them. It's a threat to the security of the country for this company to have provided back doors into its software that the NSA, or any of its ex-employees or friends, can access. Why bother with a Data Protection Act when anybody with the key can extract anything they want from your confidential information, without you even knowing?

    1. Anonymous Coward
      Anonymous Coward

      Re: Conflict of interest and anti-trust

      "Open Source prevents this conflict because anybody can access the code, detect bugs, and fix them. There is no monopoly of support provision."

      There's also no GUARANTEE, either. Consider Heartbleed and Shellshock, for starters.

    2. toughluck

      Re: Conflict of interest and anti-trust

      Open Source prevents this conflict because anybody can access the code, detect bugs, and fix them. There is no monopoly of support provision.

      Sure they can. How much does it cost?

      Suppose NHS was on Linux and had a support team for that. Would they have found and patched Heartbleed or Shellshock before it went public?

      Does NHS have more resources than NSA in hiring IT? Suppose you wanted to find vulnerabilities. One outfit wants to patch them, the other wants to weaponize them.

      Do you think any public or commercial entity would be faster than NSA in finding vulnerabilities?

      Once a vulnerability found by NSA is leaked, an exploit will always come faster and be cheaper to write than a patch.

      The patch needs more careful programming and has to be tested, while you don't really care if your ransomware only encrypts data on 25% of computers, but wrecks and bricks the remaining 75% with no hope of recovery.

      You cannot hope that any independent outfit is going to be better than NSA at looking for vulnerabilities and faster at patching them than NSA at exploiting them.

      The sole fact that NSA are actually looking for vulnerabilities and weaponizing them means that it's worthwhile for them.

      If you're imagining that going to supported open source would have no trade-offs whatsoever, and would be cheaper, faster and better, you're completely off your rocker.

      1. toughluck

        Re: Conflict of interest and anti-trust

        Oh, goodie. I got two downvotes. I'm sure that a really cogent argument will now follow.

  13. Christopher Lane

    Hang on another minute...

    Microsoft have a bit of a cheek saying people should install patches more quickly. I hold my breath every time I roll out a patch Tuesday mother load just in case one of the patches breaks something else! They kind of have a bit of a record there. No wonder people are reticent to do so until it's proven to be sound, though March to May is little long, it's a defensive mind set which becomes a habit.

    1. PickledAardvark

      Re: Hang on another minute...

      March to May should have been long enough for a competent IT team to review patches, perform regression testing and negotiate change management processes. This year, however, the Easter holiday break was in mid-April. A competent IT team would have been aware of change freezes and the availability of staff to test and deploy patches, making appropriate steps to patch in a timely way. Less competent IT teams would have messed it up.

      Lots of bad things happen when Europeans and North Americans take long holidays. In July, staff at web advertising agencies take a break, handing their roles to juniors and locum tenentes. We thus experience more browser drive-by malware attacks in summer via "legitimate adverts" when advertising buyers receive less acute scrutiny. Similar things happen during holidays on the Indian sub-continent.

      Thankfully so far, most malware distributors have been so busy enjoying or preparing for the Christmas/New Year/Chinese New Year holidays that we haven't seen an outbreak when we should be pulling crackers.

      1. Peter Gathercole Silver badge

        Re: Hang on another minute...

        I do not believe March to May is an adequate time. What if you've got 200 items of software to regression test. Ignoring the time to actually patch the extensive estate, that's over 2 software packages to regression test every day (if you can use the whole three months), including weekends and public holidays. And all on a heterogeneous hardware estate with attached specialist equipment!

        What if it was 2000 software items? How many of the IT support people know the applications they support well enough to be able to perform the regression test? Or do the users have time to actually test the full functionality of their packages (Hint, a day testing a package is a day that the user can't be doing their normal job)

        For a large organization, a proper regression test of their software portfolio will take months.

        It would not be so bad if the patches were just that - patches that do not change any other function. But Microsoft do like to include functional changes in their patch bundles.

        Regression testing Windows 10 in a business environment is going to be an absolute nightmare, and I'm glad I'm not in that game.

  14. PickledAardvark

    "Adding to the bottom line"

    Gavin Clarke suggests that there is never a benefit from moving on to the next version of Windows. Switching (I reserve the word updates and upgrade for when they are genuinely deserved) for each refresh is difficult and expensive -- hence the LTS versions of Firefox and Ubuntu.

    In the case of switching from XP to Windows 7, however, there were clear benefits even during the time that XP was supported. Very little staff training would have been required; Windows 7 was more straightforward to deploy and patch in an enterprise environment; help desk usage would be lower. I'd say that the switch was a positive one financially.

    XP to Windows 7 was a real update. I'd be looking for similar benefits from a switch to Windows 10, identifying the sweet moment to wrap up concepts and turn them into an update project.

    Switching to the ribbon interface in Office? That change was very expensive in terms of training and productivity loss. Given that Microsoft weren't going to revert the interface changes, companies made an involuntary switch.

    1. Infernoz Bronze badge
      Facepalm

      Re: "Adding to the bottom line"

      As I stated in a previous article comment, Microsoft realised how poor XP was (as is not unusual for programmers less experienced work) for security, stability and functionality, so recruited experienced security staff and rebuilt substantial parts of the OS for Vista, then Windows 7. This security recruitment drive was well known back then (e.g. acquiring SysInternals), as has been the evolving threat to security defences (e.g. the need to upgrade SMB protocol, and the need to retire SSL and TLS1.0 to 1.1), so people _still_ using XP or making excuses for them are negligent and idiots!

      If businesses still needed to run XP software (as a stop-gap until application upgrade), Microsoft provided downloadable XP emulation support in proper versions of Windows 7. VMWare and VirtualBox were also possible workarounds (for strictly limited scope use), as were RDP/Citrix if the local machine had limited RAM/Storage, so had to run a lighter secure new OS e.g. an embedded version of Windows 7 or a Linux.

      All very expensive physical hardware which housed an XP instance, which negligent/disappeared suppliers failed to provide affordable upgrades for, should have been air-gapped or protected by a security gateway server between it and the LAN, possibly a specialist firewall appliance.

      All Windows Server 2003 instances should have been replace years ago, but I still saw instances belonging to a major business last year (!); even if this was difficult, there has been ample time to resolve issues!

      1. PickledAardvark

        Re: "Adding to the bottom line"

        Windows XP RTM was released generally in October 2001. As part of the NT5 family, it was a sort-of-enhancement of Windows 2000. Microsoft promoted XP RTM as a replacement for Windows 98 on consumer PCs (the application compatibility team had done a lot of work on games) and as an enterprise OS.

        XP's launch was unfortunate. Shortly afterwards, serious remote exploit vulnerabilities were exposed (for Windows 2000, too). Microsoft launched a code improvement programme for Windows.

        XP Service Pack 2 was released in August 2004. It was based on Microsoft's code improvement programme and, owing to the volume of code and feature change, should be appreciated as a new version. The jump from Windows 2000 to XP was much smaller than from Windows XP to XP SP2.

        The XP boxes out there run XP SP2 or SP3 (April 2008). Desist proclaiming that XP is 16 years old.

        "If businesses still needed to run XP software (as a stop-gap until application upgrade), Microsoft provided downloadable XP emulation support in proper versions of Windows 7."

        XP Mode in Windows 7 was a great idea and the product was an unmanageable bag of excrement. Hey -- everyone is local administrator!

        "All Windows Server 2003 instances should have been replace years ago"

        All dot net framework designs should permit updates client and server side. Old clients should work with old servers, and vice versa. That is the ideal. Or cobblers in the world where we can't patch because we don't have source code.

        Just apply an escrow agreement when you buy proprietary software; the source code exists and customers can use it when the original writer is gone.

      2. Charles 9

        Re: "Adding to the bottom line"

        "If businesses still needed to run XP software (as a stop-gap until application upgrade), Microsoft provided downloadable XP emulation support in proper versions of Windows 7. VMWare and VirtualBox were also possible workarounds (for strictly limited scope use), as were RDP/Citrix if the local machine had limited RAM/Storage, so had to run a lighter secure new OS e.g. an embedded version of Windows 7 or a Linux."

        But what about if the thing holding you back is the hardware, such as custom controllers that are ONLY supported up to XP (say because it uses the ISA bus, support of which was dropped in Vista), and the replacement of which is so expensive as to require the approval of the board or whatever? You can't virtualize custom hardware because the VM has no idea what's in it.

  15. Anonymous Coward
    Anonymous Coward

    I have been saying this for years, M$ needs to fix their sh*t! They should not be allowed to push out new OS's until they can fix and properly secure the existing ones. The fact that systems can still be owned through IE, Edge, Office and the core OS is insane and should be punishable.

    To add to the Ford analogy, If they used windows for engine management how long do you think customers and govt's would accept the kind of performance we seem to accept on the desktop?

    Sure there is no such thing as a bug free OS, but collectively as consumers should start demanding a higher quality safer product.

    1. Charles 9

      "To add to the Ford analogy, If they used windows for engine management how long do you think customers and govt's would accept the kind of performance we seem to accept on the desktop?"

      Quite a long time, as it would take something really major (and by that I mean computers physically exploding, putting actual lives at direct risk) to really get their attention. Recall, recalls really only make the news when the problems they're fixing are potentially-fatal crashes.

  16. Ugotta B. Kiddingme

    off topic questions

    what is the source of the picture at the top of the article? Better still, can anyone identify the actor on the left? I thought perhaps that might be Ian Wolfe but now am uncertain.

    1. I am the liquor

      Re: off topic questions

      Probably came from Shutterstock:

      https://www.shutterstock.com/image-photo/blame-game-227272534

      with the original source being the Everett Collection:

      http://everettcollection.com/

      They might be able to identify it for you, but I expect they'll want to charge for the "research"!

  17. FuzzyWuzzys
    Happy

    "nobody looks good.", really?

    I dunno, that kid that registered that dodgy domain and slowed it down a bit, seems to have got himself a pretty good bit of PR for his future prospects in an IT career!!

    Silver linings and all that.

    1. tiggity Silver badge

      Re: "nobody looks good.", really?

      I doubt he appreciated the doxing by the scummy UK press though.

      Doxing someone who was helping out, hassling his friends, truly is the gutter press in action.

      .. Yes, I know if the UK press could find out his identity, the malware slingers could too, but why give them the info? if he wanted his identity to remain "anonymous" (i.e. not superficially easily available) the press should have respected that, but they could not resist focusing on the whole stereotype of geek living in parents home

  18. Palpy

    It's a systemic problem with humans.

    For example: Yes, in the year 2000 we should have seen this balls-up coming, and begun -- then! -- to move to a slow-release, super-stable system. Instead of crowding onto Windows in 2000, we should have put our industrial infrastructure on BSD.

    Anyone see that coming? More important, did anyone in the industrial supply chain buck the pressure and move their products to BSD despite the competition touting their easy-to-run Windows systems?

    Is anyone in 2017 look at tablets and phones and saying, if we use systems like these for in-the-field monitoring and control, then we're going to be really effing SORRY in 2027 because our systems will be even more hackable?

    Well, just look at IoT: hot, hot, hot in industrial tech. (At least it's hot in the magazines like Automation World.) And we already know, right now, that IoT is a rat's nest of vulnerabilities. But we're going to put those consumer-grade wireless cams in the pulp-maceration building anyway because they're cheap, and put the feed on our automation network because we need the ops to see it on the control terminals, because it's convenient.

    My deep insight (about mud-puddle depth, of course): we humans are not very good at really long-range planning. Not when it is countered by short-term economy and convenience.

    1. billat29

      Re: It's a systemic problem with humans.

      "Anyone see that coming? More important, did anyone in the industrial supply chain buck the pressure and move their products to BSD despite the competition touting their easy-to-run Windows systems?"

      Of course not. At that time I was moving products TO Windows from perfectly good platforms.

      And why was I doing that? Because IT put the block on buying anything that wasn't Windows.

    2. Roland6 Silver badge

      Re: It's a systemic problem with humans.

      More important, did anyone in the industrial supply chain buck the pressure and move their products to BSD despite the competition touting their easy-to-run Windows systems?

      Back in the 1980's I worked on a product that was originally intended to run on Unix, we decided given the way the market was going, we would be well advise to port the product to the PC (MS-DOS) and save the Unix version until such time as there was real money to be made out of Unix ie. people were prepared to pay for Unix software; the company never did release a Unix version...

      I suspect that as you indicate, many companies simply rode the Windows bandwagon, even though they knew BSD or some other platform would have been better, because commercial pressures and living to fight another day were more important.

    3. Anonymous Coward
      Anonymous Coward

      Re: Anyone see that coming?

      "Anyone see that coming? More important, did anyone in the industrial supply chain buck the pressure and move their products to [a more stable platform]"

      Yes, some people saw it coming, especially those in the market where computers were being used to control longer lifecycle higher value things than are typically associated with desktop PCs.

      It just needs (0) understanding (1) planning (2) budgeting. Preferably well in advance.

      Even back in the 1990s or so, outfits like Compaq used to offer business desktop PCs in two flavours - Intel's flavour of the month, lifecycle unpredictable and rather dependent on Intel, or Compaq's managed-lifecycle equivalent, where compatibility of internals was worth paying a little extra for, Compaq would manage the internals for a few extra months and charge a little premium for it, which suited corporates who wanted to roll out a standard software image with a lifetime of more than a couple of weeks. And that was mostly about *software* stability.

      If people wanted more predictability than that, it could still be done. E.g. around the same time there was interest in "passive backplane" hardware from various vendors for various markets. Throw away the "system on a motherboard" concept, its lifecycle is too unpredictable and its software compatibility suffers as a result.

      Instead, build a system around a simple passive backplane, with as many slots (PCI) as are needed, and plug everything into it - a processor/memory card (probably also including kbd, mouse, and disk), and the usual task-specific IO goes on PCI cards plugging into the passive backplane. Hardware upgrades then become relatively manageable, and can in principle be kept relatively separate from software upgrades.

      But no, Windows systems have been sold on the basis of being cheap, PICMG (the Passive-backplane Industrial Computer Manufacturers Group) compatible products weren't as cheap as this month's flavour of the month Wintel desktop (doh!), and so bean-counters didn't like PICMG.

      PICMG later begat CompactPCI, which is arguably what should have been used by all these people whinging that "we can't touch our kit's config or it might never work again". Companies like National Instruments and friends make products for engineers bought by engineers, they understand the needs of this market segment, even if your typical PC vendor or IT department don't have a clue. There are less flash equivalents that might suit production environments where NI might (arguably) be considered to be over-engineered.

      Beancounters want cheap and vendors and IT managers have promised them cheap.

      Sensible engineers don't promise cheap.

      Sadly beancounters and IT vendors and IT managers don't understand engineering and nor do they usually pick up the cost (or the hassle) when the cheap 'solution' all turns to pooh because it wasn't properly engineered.

  19. Anonymous Coward
    Anonymous Coward

    "Cyber Security"

    "spending around £50m on the NHS cyber systems"

    HELLO! the '90s are calling and they want their buzzword back.

    Would the government and media kindly stop using the word 'cyber' to make it sound like they know what they're talking about. All it achieves is proving they're clueless.

  20. Anonymous South African Coward Silver badge

    And will smartphones, phablets, tablets and iThings be targeted next?

    Not going to worry, there's still dumb phones around.

  21. Hans 1
    Holmes

    How many "trusts"?

    The more the merrier it is not ... having centralized IT means you get volume discounts. Having IT managed in separate trusts means the gov WANTED the NHS to lose, somebody has a big fat account offshore for this somewhere (or is too incompetent to bring a pint glass to his mouth).

    Of course, spend is one thing, getting x trusts to get their act together is harder than having one do it - blame game.

    I have said time and time again, centralize NHS IT, move to Linux, billions saved for patient care ... no more offshore bank accounts, ok, AND better cheaper care for everyone involved!

    With the sums they fork to MS, they could run their own distro, with dozens of linux kernel developers!

    Worse, even, they could license their distro at a premium to our European friends, oh, wait ? We got none no more!

    1. PickledAardvark

      Re: How many "trusts"?

      "Having IT managed in separate trusts means the gov WANTED the NHS to lose, somebody has a big fat account offshore for this somewhere (or is too incompetent to bring a pint glass to his mouth)."

      NHS organisations have IT purchasing benefits. On whim or wisdom, they can pick from central purchasing contracts -- negotiated by the NHS or by other public bodies -- to get the best deal for them.

      I understand that it is a hard argument to understand, but NHS managers, on the whole, wish to do the best possible job. Separate trusts -- the ability for local decisions -- are theoretically less efficient than a central organising body, none of which is perfect. But difference* is how you create better clinical practice or management. Unless we allow hospitals and GP practices to try different things -- via decentralisation -- everything stays the same.

      *Difference is how software writers improve proprietary and open source software.

    2. Anonymous Coward
      Anonymous Coward

      Re: How many "trusts"?

      All so-called internal markets inside organisation are fake, because proper markets require entrepreneurial competition and creative destruction; this is why the internal market inside the NHS and at two corporations I've worked for, are worse than useless e.g. higher costs for internal customers than if purchased externally!

      No, all Collectivism is stupid and evil; it would only lead to even worse situations like the whole of the NHS getting security compromised. What really needs to happen is a proper affordable hybrid public(much smaller)/private health systems like in Singapore, possibly with NI credits or tokens so that people can directly chosen health care providers. The same should happen for schools and other services too which also suffer from mismanagement by stagnant and politically compromised Collectivist authorities!

      All Collectivism be it Capitalism, Socialism, Fascism, or Communism, is evil and doomed to eventually collapse. Capitalism is Rentier Collectivism for the r-type "elite" rich via fraudulent, debt-to-infinity, trickle-up, dead capital, thus debt & wage slavery, because it is not based on the real capital of various living things, where debt can be paid off via reproduction or temporary animal work.

      1. Anonymous Coward
        Anonymous Coward

        Re: How many "trusts"?

        "What really needs to happen is a proper affordable hybrid public(much smaller)/private health systems like in Singapore, possibly with NI credits or tokens so that people can directly chosen health care providers."

        The problem is that Singapore's system only really works because it's, well, Singapore, as in a tiny little island stuck out off the tip of Malaysia. IOW, it only works because it's small. Similar to how the best broadband countries are all relatively small because geography counts in these things. Lots of things don't scale well.

        "All Collectivism be it Capitalism, Socialism, Fascism, or Communism, is evil and doomed to eventually collapse."

        Trouble is, so is anarchy, so you're basically saying pick your poison because EVERY design known to man is fatally flawed in some way.

  22. cosymart
    Megaphone

    Am I Missing Something?

    Not that I am ambassador for Microsoft but:

    1) I agree that any supplier of goods/services should fix faults within a reasonable time after purchase, 12months. How old is XP?

    2) Why should any supplier fix faulty security, OK say a lock broke due to poor components. Get back to the car analogy, cars in the 60s, 70s & 80s were stupidly easy to break into. Did car manufactures upgrade the current models, did they heck! They slowly improved security in the latest models, try and nick a current car. During the 60s, 70s & 80s there was a booming industry in vehicle security add ons. Not now, you try and buy an after market alarm system.

    4) The real crims are the crims who are after easy money, if the security services kept pace with the criminals instead of pretending that the Kray twins and Crusher Smith are the de-facto targets we might have a more realistic chance of catching someone.

  23. MJI Silver badge

    Why is XP still being used?

    Because MS have been stripping features from newer versions.

    Two which have personally annoyed me

    NETBIOS going

    Full screen Command prompt

    1. James O'Shea Silver badge

      Re: Why is XP still being used?

      Err... you actually use NETBIOS? Why?

      And you can have a full screen comand prompt any time you want it. All versions of Windows from XP onwards either shipped with PowerShell or could be retrofitted with it via a simple and free download, direct from Microsoft. And Powershell is vastly more powerful and flexible than CMD.

    2. Infernoz Bronze badge
      Meh

      Re: Why is XP still being used?

      Should you really still be using a probably insecure protocol dating back to 1983, which later had to piggybacked on TCP? I doubt that it even supports adequate strength encryption tunnel and auth., something which should be considered critical on all networks now, because auth. crackers, network sniffers and worms are not going away!

      Full screen Command Prompt, Why? Just maximise a command window or use one of the numerous command line alternatives, one of which may support this already or could be adapted to do so...

      1. Anonymous Coward
        Anonymous Coward

        Re: Why is XP still being used?

        "Full screen Command Prompt, Why? Just maximise a command window or use one of the numerous command line alternatives, one of which may support this already or could be adapted to do so..."

        Full screen text mode was dropped when BIOS was migrated to EFI and monitors moved to widescreen. Without them, there's no guarantee the graphics adapter and/or monitor could grok Mode 3 (640x400 graphically, 80x25 textually). Any VM that needs to handle it emulates it. Even Linux is wise to this now and defaults to non-BIOS-based consoles (no BIOS I know has a native text mode at 1680x1050, for example).

  24. Jonathan 27

    Microsoft released a patch for this vulnerability in XP on May 13, 3 days before this article was posted. Get it if you need it.

    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

  25. Mike Bunyan

    Still buying and developing using ancient methods

    I am still seeing purchases and investment into active x and using outdated techniques for app delivery that will not stand test of time.

    The next issue will be SilverLight, as Microsoft begins to deprecate the product.

    1. Anonymous Coward
      Anonymous Coward

      Re: Still buying and developing using ancient methods

      Thing is, what if it's your ONLY option, as in the ONLY developer who can work to your specs uses it and nothing else?

  26. Anonymous Coward
    Facepalm

    Worst tool for the job

    The irony is that the devs using XP to control MRI/CT scanners etc. likely didn't want to use XP as unlike an RTOS you've no certainty of interrupt dispatch latency, virtual memory paging, task preemption, etc.

    1. Anonymous Coward
      Anonymous Coward

      Re: Worst tool for the job

      ""The irony is that the devs using XP to control MRI/CT scanners etc. likely didn't want to use XP as unlike an RTOS "

      You don't think that the machines actually do anything important that require Windows do you ?. It's just a front end !!

  27. Anonymous Coward
    Boffin

    And why doesn't the UK invest in fantastic snow ploughs?

    One every few years, Britain grinds to a halt because of snow at Heathrow. "We must have snow-clearing equipment as good as Canada!" is the cry. Well no, the cost of a few days disruption is less than buying mega-snowploughs that sit unused for 99% of the time.

    Same with patching. It's cheaper to take the occasional outage and fix any consequences than spend money day after day on support, patching, testing, deploying etc.

    That's economics!

  28. pixelgeek
    Flame

    It's more difficult for science

    One of my biggest issues with the whole XP upgrade debacle is in Science and the Education sector. Instrument manafaturers have for YEARS been making multi-million (or at least in the tens or hundreds of thousands) dollar hardware that only runs software on XP or Windows 7.

    Want to upgrade the software? oh, sorry you'll have to buy a new Electron Microscope (1.8 million) even though the current one is working perfectly. Don't forget to by a new materials stress testing machine so it can run on win 7 (and doesn't have all the features of the previous model). The PC? $13k for one running XP from the istrument provider otherwise the warranty is void. It's the same story for numerous companies providing scientific and medical istruments worldwide.

    Just you try convincing a manager in a university/hospital/reasearch institute to replace a perfectly working instrument or PC every couple of years just to keep up with the O/S

    1. Charles 9

      Re: It's more difficult for science

      "Just you try convincing a manager in a university/hospital/reasearch institute to replace a perfectly working instrument or PC every couple of years just to keep up with the O/S"

      Simple. Just tell him it WILL break very soon if he doesn't AND that ALL the replacements have the same problem. Unless they have the resources and guts to roll their own, the words "captive market" spring to mind.

  29. Anonymous Coward
    Anonymous Coward

    "talking, and it's blaming the victim" - ah, industry Best Practice at its finest!

    I wonder if there was some kind of success here, there's be such reluctance to accept responsibility?

  30. Anonymous Coward
    Anonymous Coward

    the wrong question

    When will we all stop banging on about the user's responsibility to patch and upgrade and start talking about the vendor's responsibility not to palm us off with a buggy pack of shit in the first place?

    Considering the 16 years during which XP was patched regularly and that it is still apparently full of security holes, there any guarantee that its successors are any better?

    Are we really such sheeple that we will never join forces to demand higher standards of software quality? Not statutory patching, but software that isn’t fundamentally broken when delivered.

    1. Charles 9

      Re: the wrong question

      "Are we really such sheeple that we will never join forces to demand higher standards of software quality? Not statutory patching, but software that isn’t fundamentally broken when delivered."

      YES!

      The government doesn't like smart people because smart people come to realize they really don't need the government that much.

  31. Andy3

    It's NOT the government's fault. The information regarding the patch was passed on to all NHS Trusts in good time, but many of them didn't bother to install the patch. It's their fault, no-one else's. The Trusts who did patch their machines have had no trouble - so how is it the Government's fault?

    1. Citizen99

      "The Trusts who did patch their machines have had no trouble - so how is it the Government's fault?"

      'Cos there's an election coming up.

    2. Anonymous Coward
      Anonymous Coward

      "The Trusts who did patch their machines have had no trouble"

      But the ones who didn't probably COULDN'T without breaking things.

  32. Anonymous Coward
    Anonymous Coward

    Interesting how many people complaining that Linux is not a free lunch and that no distro supports a version for 15+ years, well I say to them is that at least with Linux you can run the hardware you bought 15 years ago and still keep using it. As for the software side things like flatpak and snaps will resolve these issues regarding keeping the "too expensive to update" software going, no worries about what version of libraries required and segmented memory space reduces security issues (depending on what the software is).

    Although the biggest headlines are NHS and others of the same ilk what about the average joe who, let's face it are not all geeky and don't feel like they want an "upgrade" every 3 years. My parents have 1 system that is 12 years old and a laptop that is 6 years old (LXDE/XFCE run great), now on its 3rd LTS version now seem to like the fact that they are not spending on new hardware, according to the average upgrade cycle they should have bought 3 PC's and 1 laptop by this point. I thought we are all supposed to be going green cause of climate change, too bad when it comes to technology that doesn't ring true.

    Don't misunderstand though there is a place for Windows in my world but maybe its time that Microsoft does something with the Lindows name they fought so hard to squash years ago and make either a Linux UI or start dabbling into the part proprietary/open source world.

    They are a for profit company and honestly I don't think they should be responsible for ever to support systems so either as mentioned above make a UI for Linux, make a distro, or pass on legacy OS's to a third party to maintain and have those who don't want to update their systems for what ever reason pay a service fee to maintain it, that is my take.

    I saw this coming by Y2K and no one listen. Actually I have been saying at least for the last 15 years that it will take trillions of dollars lost and millions of lives before we "learn" our lessons too bad that I have to be right for things to change.

  33. Tilting_at_windmills

    Two issues I see here.

    1. People decrying developers writing apps to IE6/ActiveX/etc.

    These developers write to the capabilities of the machine in front of them - expecting MS to continue to support them. Nobody performed an architectural review of the components/interfaces used prior to application deployment. The fact that the vendor was leading them up s**t creek is largely an MS issue.

    2. Upgrades not performed.

    Vendor upgrades are always carrot and stick to entice the customer to upgrade. MS has been unable to create an enticing enough carrot in all these years - so meet the stick. Customers have been warned for years about this potential - but never felt threatened enough to sign the cheque. We can only hope that equation is now somewhat rebalanced - at least for the short term.

    1. Charles 9

      The problem behind the problem for (2) is that upgrades can be DOWNgrades, too. And if your software depends on something that WILL disappear with the upgrade (like support for the ISA bus which was dropped with Vista), then you're up against the person who's sworn to stand his ground to the death, meaning no carrot is more valuable than where he stands right now and amount of stick will make him budge. The thing is that one size can't necessarily fit all and for some, there are higher priorities than anything you can provide.

  34. GX5000
    WTF?

    You can't patch away stupid

    You can't patch away stupid, stop trying.

    I'm still supporting hundred of Win7's that are only moderately patched, have malware and AV soft that will never get infected by a CLICK ME PLEASE "bug".

  35. Roland6 Silver badge

    And yet Microsoft's patience had run out...

    And yet Microsoft's patience had run out and it marked April 8 2014 as the date when it would stop writing security updates for the desktop operating system.

    An interesting choice of words. Because with whom did MS lose patience with?

    It wasn't the fault of anyone outside of Microsoft that Microsoft failed to deliver a suitable successor to XP. MS only had themselves to blame for the failed delivery of Longhorn, the poor reception of Vista, the lukewarm reception 7 got.

  36. ChaosFreak

    What we likely won't see is a change in policy from Microsoft.

    The author ends with "What we likely won't see is a change in policy from Microsoft." I'd be interested in hearing from the author as to what policy changes he would recommend to Microsoft.

    This is not meant as a criticism of the author or a defense of Microsoft, I am genuinely interested in how Microsoft could change its policies to make it less likely that un-pached XP machines will be attacked in the future.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like