Posts by Doctor Syntax 33029 publicly visible posts • joined 16 Jun 2014
"It's possible that the patch was built in February as part of the general build process but not pushed through QA because it was unsupported code. Or perhaps it was only available to those paying for extended cover"
The second comes as has been said already. But if it was only available to paying customers why release it publicly now? The only two explanations I can think of are that they realised it was the responsible thing to do or that it's an attempt to remedy a PR disaster. You can take your pick butin reality it's a case of better late than never but better never late.
"I disagree: the principle operation of the product was to provide an O/S, which it did (rather well at the time as it happens)"
One of the functions of an operating system is to provide a degree of security.* It's not like arguing that a lock is a subsidiary function of a car. And that gains even more force when one of the products was a server rather then the desktop OS.
*Or are my expectations being warped here, coming from a Unix background?
"Supporting former customers for free is a sure-fire method to increase your expenses and reduce your profits with no gain for you."
Letting stuff like this fester until it manifests itself by large scale damage is a sure-fire way to make people ask whether they should become future customers. That's not exactly a gain especially when those "former customers" are also your current and hoped-for future customers.
Car analogy: Vehicles were sold 15 years ago and their brakes are knackered. Customers are told "you can only get them fixed if you pay a mechanic"
Car was sold 15 years ago with an egregious design fault..
We're repeatedly told here by commentards that the product was supported for 13 years. So why during those 13 years was it not found and fixed? In all conscience 13 years ought to have been long enough. It sounds like the sort of thing that any static code analysis tool should have highlighted.
"don't expect those companies to open source a lot "
No, but they do need to place their code in escrow so it can be picked up by others should they decide they don't want to support it, be taken over by someone else who doesn't want to support it or even just disappear without trace. That should be a regulatory requirement.
"2)Did it even need Windows or could it have just had a GUI that looked and worked enough like Windows that healthcare staff felt comfortable using it (IOW who cared if it couldn't run Office?)"
Originally makers of complex kit that needed to be computer driven had a number of choices. Some would be embedded controllers with their own specialist libraries. Another would be a mini such as a PDP8 or a Nova (I remember our lab having a Nova driving the X-ray fluorescence analyser on an SEM). Back in its glory days of being an instrument maker HP made an amazing variety of these for its own products.
The arrival of commodity computers and commodity OSs rendered that uneconomic. Any manufacturer taking the traditional route would have been priced out of the market. Even if they had they'd have ended up shipping kit that had even less long time support life - where are DEC and DG these days?
The trouble is that as the market for complex instrumentation matures the expected life of the product exceeds that of the computing side. Back in the '70s that XRF attachment might have become obsolete before the Nova was EoL, now a piece of equipment which represents a major investment might be expected to last well beyond the period for which the OS supplier is prepared to support their S/W and the computer H/W may outlast the S/W and yet not be supported by newer OS versions. In such instrumentation systems computer H/W is liable to be closely integrated with the rest of the instrumentation. I think the XRF was using the Nova's memory to replace what might have been an array of discrete counters in an earlier generation and the post by a_builder in a previous thread detailed some of the issues in medical imaging.
Perhaps a solution, at least with medical equipment, lies with the regulatory bodies. They could require a code escrow agreement for the OS code in order to gain approval. That would have required MS to escrow their code if they wanted to sell into that market so that someone else could take over support at EoL. For the most part FOSS already complies with that although vendors supplying drivers as binaries would need to comply or shut themselves out of that market.
For kit that needs certification upgrades are another problem. Any upgrade to S/W that operates the instrument would need recertification. Routine OS upgrades couldn't be applied without testing against a real instrument. Such S/W needs to be buffered against the wider hospital network.
This last event and the earlier attacks on US hospitals point to a need to reevaluate the way medical systems are certified. One aspect of this would be to require information systems, including the network facing aspects of imaging systems etc, to be re-certified every few years and part of that would be to require them to be running of S/W which was still within support life for the duration of the next certificate. That, had it been the norm, would have long ago weeded out system that still require ancient versions of IE; it would have driven suppliers to write standards compliant S/W from the start.
" It is totally within their right to charge for the patches"
Let's not lose sight of the fact that this is a patch for a basic design error in their product. If this was your car and not a piece of software would you expect to have to pay a maintenance contract or would you expect a manufacturer product recall?
"I'm not sure where I sit on this."
Let me provide you with a cushion.
"Microsoft is under no obligation to release patches for an OS it no longer supports without being paid."
It sold a defective product and wants to be paid to fix it. How many other industries would get away with this being standard practice?
"Yes lets put everything in the cloud, patient records, hospital appointments, drug information..."
OTOH Google seem to be getting this wholesale from some hospitals so why not?
What's more my GP's practice along with many others seems to be outsourcing all their records to some web service.
Microsoft's "crime" amounts to "not giving away their code for free to people who had made a positive choice not to pay for it".
Car analogy: Vehicles are sold with a serious brake fault. Instead of a recall customers are told "you can only get them fixed if you have a maintenance agreement".
Only the software industry can get away with this.
"Im in my 30s. I feel the same way.
It feels like the UK has skipped over my age group. People older than me seem to get loads of handouts and people younger than me seem to get easy investment cash. Meanwhile us in the middle are paying for it."
I'm in my 70s & my experience in my 30s was the same as yours now. Things don't change.
"After taking so much election punishment for not stopping all the Tories' changes - the Lib-Dems are now saying there wouldn't be another coalition."
Joining the coalition was the responsible thing to do. The consequence says much about the sense of responsibility of so many of their voters.
Unfortunately the typical Lib-Dem voter has been a protest voter. It didn't sit well with them that their party became a junior party of government. It's easy to make this and that unrealistic demand as a protest not expecting to have to deliver. It came as a nasty shock to discover that when faced with reality things weren't that easy.
Not disclosing an exploit must be an exception; it must require sign-off from the highest levels in GCHQ a cabinet minister; it must be very time limited (e.g. no more than 12 months)
And after the expiry or if it all goes pear-shaped the sign-off should be made public.
"And (this may be controversial) how easy would it be to upgrade to a 2017 version?"
A lot of pre-compiled applications got broken at 2.4 > 2.6 although I think that was changes to libc at more or less the same time.
"I have a sneaky feeling that XP -> 10 breaks much less than Redhat 6 to RHEL 7"
I doubt it. Consider, for instance, the XP in hospitals issue: dependence on specific versions of IE because Microsoft decided to throw in a helping of non-standard stuff. Generally Linux/Unix complies with standards rather better so the temptation for developers to use that wouldn't be there. And a lot of the complaints with Windows updates seem to be broken drivers. Although you'll regularly get the anti-Windows trolls saying that Linux doesn't support this bleeding edge H/W (any more than the last version of Windows does) what they omit to say is that if you have a printer a few years old that the latest version of Windows doesn't support you'll probably find that Linux does.
"Time to ditch windows"
In principle I agree. I don't use it myself. But in the real world, as a previous post made clear, there's a lot of core NHS applications that are not only Windows specific but XP specific. Windows can't be simply ditched. It needs to be phased out and that will take time and money.
You are assuming that "they" are in a position to choose what they do. In all the cases you've cited, some PHB, or committee, will have decided what projects are going on - the grunts at the coal face just get told what they are doing.
"They" applies to the PHBs and committees.
I wish more folk round here would remember that IT don't exist in isolation. They have to follow what the business wants. The best one can do is advise; strongly and in writing if necessary.
One difficulty is that the decision makers find it difficult to understand risk. They're choosing between the certainty* of a new, shiny and probably very useful development on the one hand and a list of things which you can't be certain will go wrong on the other. They'll choose the shiny almost all the time
*And ignoring any project risks.
Erm hold on - weren't Microsoft hoarding patches for "end of life" XP unless you paid to be part of a Enterprise service agreement? Sounds very similar to hoarding vunerabilities by the NSA/GCHQ. i.e. the fact XP Embedded (cash machines etc) still gets/got patches.
Got it in one.
It's very telling that on Friday Microsoft were suddenly able to release a patch. It's almost as if they suddenly realised they had a degree of responsibility.
Now they're trying to claim the moral high ground.
"The applicable software for controlling stuff like an MRI scanner isn't desktop Windows XP, it's one of the Windows Embedded family, the XP-derived ones of which can be supported (including patches) till 2019"
OK, let's deal with the specific: XP-embedded, support ending in 2019. If, in 2019 you were in a position I outlined in my question what would you do?
And go back to the more general point of which the scanner was an example: something, H/W, information system, whatever, which is still essential, but depends on XP, either the already EoLed version or not yet EoLed version makes no difference in principle. There's no point in calling out those who find themselves responsible for stuff which had a planned life in excess of what turns out to be that of its components. They are faced with real problems - if they choose to invest in a replacement then something new that was planned has to be foregone.
The original post to which I was replying was over-simplistic. So was your response. You do not solve problems by telling them, or those who remind you of the, to go away.
"Can you explain to me, with consideration for any contractual terms one might agree to in the EULA, how that proposal would work?"
It transpires that MS were very quickly able to knock out a patch for this vulnerability. They must finally have realised that they had responsibilities. So they question arises - was this EoLed because it wasn't feasible to continue maintenance or because they wanted to herd those who could be herded into upgrading?
"Do these things do anything useful?"
The updates you get today should protect you against stuff that's been known for x* days. That means that some people will be infected in the period between release and the discovery and distribution of the AV update. In the normal state of affairs this will be a small proportion of vulnerable systems. When the virus spreads as rapidly as this today's updates are already too late.
*where x is however long it takes for the vendor to confirm reports and put together their update.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
