* Posts by Doctor Syntax

40413 publicly visible posts • joined 16 Jun 2014


While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February

Doctor Syntax Silver badge

"I'm not sure where I sit on this."

Let me provide you with a cushion.

"Microsoft is under no obligation to release patches for an OS it no longer supports without being paid."

It sold a defective product and wants to be paid to fix it. How many other industries would get away with this being standard practice?

Doctor Syntax Silver badge

Re: Latent product defect??

"Seeing as it no longer printed out on the box like it was with Win3.x, and Win9x"

If it was sold in a box big enough for that there'd be complaints about excessive packaging.

Doctor Syntax Silver badge

Re: Plenty of blame to go around

"Yes lets put everything in the cloud, patient records, hospital appointments, drug information..."

OTOH Google seem to be getting this wholesale from some hospitals so why not?

What's more my GP's practice along with many others seems to be outsourcing all their records to some web service.

Doctor Syntax Silver badge

Re: Plenty of blame to go around

Microsoft's "crime" amounts to "not giving away their code for free to people who had made a positive choice not to pay for it".

Car analogy: Vehicles are sold with a serious brake fault. Instead of a recall, customers are told "you can only get them fixed if you have a maintenance agreement".

Only the software industry can get away with this.

Uber red-faced from Waymo legal row judge's repeated slapping

Doctor Syntax Silver badge

"It's nice to hear from a clueful judge for a change, especially in such technical matters."

Don't underestimate judges. Their careers have usually been built on an ability to master complex cases.

Volvo is letting Android 'take over underlying car software' – report

Doctor Syntax Silver badge

"its level of access to anything internal should be properly firewalled off"

Air-gapped would be even better.

WannaCrypt outbreak contained as hunt for masterminds kicks in

Doctor Syntax Silver badge

Re: 5% of 1000 000 is 50 000 desktops.

"So just exactly why is getting a health app to run on a current OS so f**king difficult?"

Try reading this and maybe you'll understand at least one of the issues. https://m.forums.theregister.co.uk/user/84511/

Doctor Syntax Silver badge

"UK Health Secretary Jeremy Hunt and Home Secretary Amber Rudd are attending a meeting of COBRA, the Cabinet's rarely convened crisis response committee."

The blind leading the blind.

Lib Dems pledge to end 'Orwellian' snooping powers in manifesto

Doctor Syntax Silver badge

Re: No one cares...

"It'll keep all the muslim terrorist nutters and peados under control that the Sun and Daily Mail keep telling us are living in every street!"

If a terrorist is one who terrorises, what does that make those pillars of the 3rd estate?

Doctor Syntax Silver badge

Re: It's what the people want

"I'm in my 30s. I feel the same way.

It feels like the UK has skipped over my age group. People older than me seem to get loads of handouts and people younger than me seem to get easy investment cash. Meanwhile us in the middle are paying for it."

I'm in my 70s & my experience in my 30s was the same as yours now. Things don't change.

Doctor Syntax Silver badge

Re: shame

"The EU dictated it."

No, it was the Brexit vote that dictated it. OTOH you're right about why we're in an economic mess so an upvote from me.

Doctor Syntax Silver badge

Re: given their record

"I distrust all of them equally and believe that there will be no change until the whole system is scrapped, it doesn't work."

Yes, democracy is the worst possible system of government apart from all the others.

Doctor Syntax Silver badge

Re: given their record

"After taking so much election punishment for not stopping all the Tories' changes - the Lib-Dems are now saying there wouldn't be another coalition."

Joining the coalition was the responsible thing to do. The consequence says much about the sense of responsibility of so many of their voters.

Unfortunately the typical Lib-Dem voter has been a protest voter. It didn't sit well with them that their party became a junior party of government. It's easy to make this and that unrealistic demand as a protest not expecting to have to deliver. It came as a nasty shock to discover that when faced with reality things weren't that easy.

Microsoft to spooks: WannaCrypt was inevitable, quit hoarding

Doctor Syntax Silver badge

Re: Ministers need to sort out GCHQ

Not disclosing an exploit must be an exception; it must require sign-off from the highest levels in GCHQ a cabinet minister; it must be very time limited (e.g. no more than 12 months)

And after the expiry or if it all goes pear-shaped the sign-off should be made public.

Doctor Syntax Silver badge

Re: The lull before the next storm rolls in

"And (this may be controversial) how easy would it be to upgrade to a 2017 version?"

A lot of pre-compiled applications got broken at 2.4 > 2.6 although I think that was changes to libc at more or less the same time.

"I have a sneaky feeling that XP -> 10 breaks much less than Redhat 6 to RHEL 7"

I doubt it. Consider, for instance, the XP in hospitals issue: dependence on specific versions of IE because Microsoft decided to throw in a helping of non-standard stuff. Generally Linux/Unix complies with standards rather better so the temptation for developers to use that wouldn't be there. And a lot of the complaints with Windows updates seem to be broken drivers. Although you'll regularly get the anti-Windows trolls saying that Linux doesn't support this bleeding edge H/W (any more than the last version of Windows does) what they omit to say is that if you have a printer a few years old that the latest version of Windows doesn't support you'll probably find that Linux does.

Doctor Syntax Silver badge

Re: The lull before the next storm rolls in

"The last thing I read about Munich and Linux was a statement that it was a disaster and that they had to change course back to something with main stream support."

That's Munich local government politics.

How do you say "told you so" in German?

Doctor Syntax Silver badge

"So that's 13 years (give or take a few months) in which Microsoft supported XP."

Another way of looking at it is that Microsoft had 13 years to get it right. Did they?

Doctor Syntax Silver badge

Re: Numbers

"Time to ditch windows"

In principle I agree. I don't use it myself. But in the real world, as a previous post made clear, there's a lot of core NHS applications that are not only Windows specific but XP specific. Windows can't be simply ditched. It needs to be phased out and that will take time and money.

Doctor Syntax Silver badge

Re: If you cannot patch it quarantine it

"what you're suggesting needs someone to look at what's on the network, and work out a plan for sorting it out"

And for a large and complex estate that's not trivial. There'll be a lot of special cases to analyse.

Doctor Syntax Silver badge

Re: If you cannot patch it quarantine it

You are assuming that "they" are in a position to choose what they do. In all the cases you've cited, some PHB, or committee, will have decided what projects are going on - the grunts at the coal face just get told what they are doing.

"They" applies to the PHBs and committees.

I wish more folk round here would remember that IT don't exist in isolation. They have to follow what the business wants. The best one can do is advise; strongly and in writing if necessary.

One difficulty is that the decision makers find it difficult to understand risk. They're choosing between the certainty* of a new, shiny and probably very useful development on the one hand and a list of things which you can't be certain will go wrong on the other. They'll choose the shiny almost all the time.

*And ignoring any project risks.

Doctor Syntax Silver badge

Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

Erm hold on - weren't Microsoft hoarding patches for "end of life" XP unless you paid to be part of an Enterprise service agreement? Sounds very similar to hoarding vulnerabilities by the NSA/GCHQ. i.e. the fact XP Embedded (cash machines etc) still gets/got patches.

Got it in one.

It's very telling that on Friday Microsoft were suddenly able to release a patch. It's almost as if they suddenly realised they had a degree of responsibility.

Now they're trying to claim the moral high ground.

Ransomware scum have already unleashed kill-switch-free WannaCrypt variant

Doctor Syntax Silver badge

I can't help thinking that announcing the discovery of the kill switch might not have been a good idea.

Doctor Syntax Silver badge

Re: A dish best served cold

"collateral damage amongst their allies, but that's the new normal."

When the Germans open fire the British duck

When the British open fire the Germans duck

When the Americans open fire everybody ducks.

Doctor Syntax Silver badge

If they're within reach of Russian special forces it's not their S/W being killed they should worry about.

Japanese researchers spin up toilet paper gyroscopes for science

Doctor Syntax Silver badge

Obligatory youtube

https://www.youtube.com/watch?v=MkrKkBhsMiA

Doctor Syntax Silver badge

"The paper was put together for a Pervasive Smart Living Spaces workshop"

That's an odd way to spell "invasive".

74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+

Doctor Syntax Silver badge

Re: Risk Management

"The applicable software for controlling stuff like an MRI scanner isn't desktop Windows XP, it's one of the Windows Embedded family, the XP-derived ones of which can be supported (including patches) till 2019"

OK, let's deal with the specific: XP-embedded, support ending in 2019. If, in 2019, you were in a position I outlined in my question what would you do?

And go back to the more general point of which the scanner was an example: something, H/W, information system, whatever, which is still essential, but depends on XP, either the already EoLed version or not yet EoLed version makes no difference in principle. There's no point in calling out those who find themselves responsible for stuff which had a planned life in excess of what turns out to be that of its components. They are faced with real problems - if they choose to invest in a replacement then something new that was planned has to be foregone.

The original post to which I was replying was over-simplistic. So was your response. You do not solve problems by telling them, or those who remind you of them, to go away.

Doctor Syntax Silver badge

Re: Risk Management

"The rest goes on wages. That's a political failure."

?

Doctor Syntax Silver badge

Re: Risk Management

"What if such systems had been based on open standards for device control, document interchange, etc?"

You are, of course, correct. But note the past perfect tense in your sentence. We're not where we'd like to be or ought to be. We're where we are.

Doctor Syntax Silver badge

Re: Risk Management

"Can you explain to me, with consideration for any contractual terms one might agree to in the EULA, how that proposal would work?"

It transpires that MS were very quickly able to knock out a patch for this vulnerability. They must finally have realised that they had responsibilities. So the question arises - was this EoLed because it wasn't feasible to continue maintenance or because they wanted to herd those who could be herded into upgrading?

Doctor Syntax Silver badge

Re: Solution

"True, but that implies you can sue a previous administration which is AFAIK not possible."

No such implication. I said sue the NSA. Even given the political nature of top USA appointments institutions like that are apt to run on unchecked.

Doctor Syntax Silver badge

"Yeah, Microsoft only supported XP for 13 years (2001-2014)."

Is it too unreasonable to hope that in 13 years they'd be able to get it right?

Yes, it is.

Doctor Syntax Silver badge

Re: on the upside....

"The good thing about this episode is that it is so high profile that no CTO or even IT manager is going to want to be caught out by it again and can not refuse to address the problem of running obsolete OSs and maintaining a policy of never patching anything again."

I'd like to think you're right. Cynicism says that there'll be a subset of bean counters* for whom it confirms their belief that IT is a net very good cost centre.

*Bean counters are, of course, a cost centre but they lack self-awareness.

Doctor Syntax Silver badge

Re: Windows XP

"Why are people still using it again?"

Why is this question being asked again?

Go and read through comments in many MS-related threads including this one. You'll find it explained time after time.

Doctor Syntax Silver badge

Re: From North of the Border

"Part of the blame goes to the regulators who drag their feet on approvals."

And if they move faster and let something through without thorough testing how does that work out?

Doctor Syntax Silver badge

Re: From North of the Border

"Enterprise licences don't do this. It's only Home and Professional et al. that spy on you."

Neither my dentist nor optician are large enough to qualify. They're professionals but don't get treated as such by Microsoft.

Doctor Syntax Silver badge

Re: From North of the Border

"knee jerks are for jerks."

Nice one.

Doctor Syntax Silver badge

Re: From North of the Border

Interesting calculation. But you've omitted the cost of testing the ability of the existing applications to run on W10 and remediation or replacement of those that won't. An OS exists to run applications. These are the very arguments used against FOSS in such circumstances.

There's no silver bullet.

Doctor Syntax Silver badge

Re: Kill switch

They knew the code had been stolen. But they chose not to activate the "kill switch".

Not activating it immediately it was stolen was reasonable. If they had, the malware operators would have noticed it because they'd have had to debug it to get it to work. However they should have been watching for a release and thrown the switch as soon as they discovered it in the wild.

The NSA have a lot to answer for here and I hope govts. around the world let the US know that.

Doctor Syntax Silver badge

Re: Stupidity

"But it's TRAINING."

And counter-training unfortunately. You train people to use email safely. Outside of your training session marketers everywhere are counter-training them to accept HTML mail as normal. Banks and others are counter-training them to click on URLs in their HTML mail. Social networks are counter-training them to throw complex files around. Gmail and the like are training them to view their mail through a browser, described here the other day as not a single point of failure but a whole three-dimensional space of failure.

Doctor Syntax Silver badge

Re: Mitigation against ransomware:

"11. Update the antivirus version on regular basis and keep the definitions updated on a daily basis."

Today's definitions won't protect against yesterday's infection. And if that infection is also an aggressive worm as this was that's not going to be much use.

"12. Keep the computers and servers up to date with Windows updates and security patches."

In 15a you go on to explain why this isn't always possible.

Doctor Syntax Silver badge

Re: What the I don't even

"MSNet ports out there waving in the breeze of the general Internet"

Assumes a fact not in evidence. If you have a system with substantial internal SMB linkages then all it takes is one person to open an email booby trapped with a worm. The externally exposed port is your email port and that isn't going to work without being open externally.

Doctor Syntax Silver badge

Re: 'They've already been copied a dozen times for further use.'

"They weren't released before Shadow Brokers failed auction"

And what's that got to do with anything? Shadow Brokers would have sold you a copy. What guarantee would you have had that there wasn't another?

Doctor Syntax Silver badge

Re: Solution

"you tell me what the "most basic principles of security" are that Microsoft have missed in current Windows and we'll see if your GNU/Linux distribution of choice has or has not also missed them."

OK. MS have always been a bit obscure about what any given fix does. Given that, in the real world, fixing one problem sometimes causes another. Recently they've taken to rolling multiple patches into one so it will take longer for sysadmins* to test and roll out.

My chosen distro is Debian LTS, ie systemd-free. Over to you.

*A good sysadmin is paranoid about everything.

Doctor Syntax Silver badge

Re: Solution

"does this mean we can now collectively sue the Trump administration"

Downvoted for gratuitous Trump insertion. Clearly this goes back some way beyond the current administration. There may well be good reasons for suing the NSA, assuming they're not legally protected. There are also good reasons for being critical of Trump but conflating the two issues when they don't belong together weakens your argument. Learn to stay focussed.

Amazon's Alexa is worst receptionist ever: Crazy exes, stalkers' calls put through automatically

Doctor Syntax Silver badge

"Surely the device should be designed to make using it easy for the user."

It is. You just need to remember who's the user. They've made it easier to remember because the name of the service, Alexa, starts with the same letter...

PC repair chap lets tech support scammer log on to his PC. His Linux PC

Doctor Syntax Silver badge

Re: For the phone scammers ...

"Never had a call back."

I had once. The salesdroid's supervisor rang back to say the call must have been cut off.

WannaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain

Doctor Syntax Silver badge

Re: Antivirus?

"Do these things do anything useful?"

The updates you get today should protect you against stuff that's been known for x* days. That means that some people will be infected in the period between release and the discovery and distribution of the AV update. In the normal state of affairs this will be a small proportion of vulnerable systems. When the virus spreads as rapidly as this today's updates are already too late.

*where x is however long it takes for the vendor to confirm reports and put together their update.

UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

Doctor Syntax Silver badge

Re: >You might not now but in medieval times it was the best way of becoming rich.

"yeah, I know it's not necessarily the sysadmins' fault, but somewhere, some people, either incompetent IT or managers, decided it was acceptable to connect an OS that is now 2 yrs out of even extended security support to wider networks."

You may have to look a little further back than that. Maybe at some business that was writing current applications but has now been bought and re-bought by some bigger business and somewhere along the chain the application development has been discontinued, maybe the source lost and runs on nothing newer than XP.

There's no silver bullet.

Doctor Syntax Silver badge

Re: Backup

"then my friend, you deserve all you get."

But your users and those they serve don't.
