Do we need Windows patch legislation?

Microsoft has got off remarkably lightly from WannaCry, as the finger pointing between Whitehall and NHS trusts began. But that might be beginning to change. The NHS had 70,000 Windows XP PCs, but only after the ransomware hit did Microsoft issue a patch. Officially, support had ended in 2014, spurring an upgrade cycle. In a …

  1. Anonymous Coward
    Anonymous Coward

    "or else all the vendor will placed on a blacklist"

    Journalism as a second language? 8)

    1. Oh Homer
      Linux

      Forced to support forever

      I'll go with "NO", even though I'm not a fan of either Microsoft or proprietary software in general.

      Why? Because if you choose to "buy proprietary software" (i.e. purchase a limited license to use somebody else's software) then you do so in the full knowledge that what you're actually buying is a limited term contract for a service, you're not purchasing real property that you should rightfully get to use forever (or whatever arbitrary period you deem acceptable).

      The real wake-up call here should be to stop buying proprietary software, and instead invest in something that can be maintained independently of the vendor (i.e. open source).

      1. johnfbw

        Re: Forced to support forever

        Funny, I would use the same argument to say there is an expectancy for updates. You buy a perpetual licence (like most XP ones were) so they agreed to fix it for the length of a licence.

        I outright bought my car, I don't expect GM to come and fix it every time it develops a fault.

        Of course 16 years is too long to expect a company to support a product

        1. Oh Homer
          Headmaster

          Re: Forced to support forever

          @johnfbw: Well, your license is only "perpetual" in the sense that Microsoft will not sue you for attempting to continue using it long past the point where it ceases to be useful.

          Like it or not, proprietary software is a service, not a product. Once the vendor drops support for that service (and subsequently the entire ecosystem surrounding it), the utility of the thing you paid for rapidly drops to zero.

          "Perpetual licensing" is like a bus pass for service that stopped running years ago. Yes, you have the contractual right to take that bus, in theory, if it ever runs again. Which it won't.

          @ac: "maintained independently" doesn't have to mean you, it can be a contractor you outsource work to, or (more likely in the case of open source) a community of volunteers. The idea that open source is only useful if you personally are a programmer is ill-considered. At the very least you have more flexibility than you do with some vendor's proprietary solution, which he can and will eventually terminate. Surely some option is better than none.

          The point is that those at the NHS (and anyone else with such expectations) are incredibly naive if they think they can pay once and play forever. One way or another they will be forced to face the responsibility of maintaining a currently working solution, whether it's paying Microsoft once every few years for a platform upgrade, or paying a service company to maintain a constantly updated open source solution, or even paying in-house engineers to develop and maintain their own system.

          That's just Admin 101, and yet strangely it seems to be a concept totally beyond the grasp of the NHS (and other organisations still using archaic software).

        2. Doctor Syntax Silver badge

          Re: Forced to support forever

          "Of course 16 years is too long to expect a company to support a product"

          There's a difference between supporting a product in terms of adding new functions or drivers and fixing a defect which was present when the product shipped.

          But let's not lose sight of the fact that when the shit finally hit the fan MS made a fix publicly available within hours.

          If they were under no obligation, it was too long to expect them to do it etc then why did they do it?

          I can think of three explanations:

          1. It was to mitigate a PR disaster.

          2. Events brought it home to them that they had a moral rather than a commercial responsibility.

          3. They anticipate legal action and are attempting to mitigate any penalties.

          I don't think the last one flies - it simply points out the fact that they'd held back something that could have been made generally available.

          But let's not lose sight of the fact that for whatever reason they have done what lots of commentards have said they didn't have to do.

          1. YARR

            Windows XP is still functional as an offline Operating System, but anyone continuing to use it beyond EOL support cannot expect to remain safe online. The reality is that hackers are constantly scanning for vulnerable computers, so no device without the latest updates is safe online. Even with the latest updates your device is still vulnerable to zero-day exploits.

            Rather the onus should be that anyone responsible for a critical online computer system should ensure it remains updated and fully patched, just as the driver of a vehicle that is driven on public roads is responsible for getting it serviced. Frankly anyone administering a network with Win XP machines should have configured the network to block all internet packets to/from those machines, so they can only access local network resources.

      2. Anonymous Coward
        Anonymous Coward

        Re: Forced to support forever

        Well if I was to go Open Source I would want it to be supported forever too, but let's be charitable and say 20 years. Is it reasonable that I should delve into the source and fix issues? Do I have the skills and the time? Probably not. Very few people do. So perhaps it should be incumbent on the people who submitted the code in the first place to maintain it? Which is absurd. Who would ever submit Open Source code if it came with a commitment to support it for 20 years?

        What happens in reality is if you need Open Source and you need it supported "forever" (i.e. you are a business where it is critical for you) you take out a contract with a third party vendor to support the software for you. And if you decide not to pay said vendor or they decide that it's no longer economic to support the software, that's it. Game over. You have old unsupported software exactly the same as if it were proprietary unless you are prepared to throw lots and lots of money at it ..... i.e. just about the same.

        1. Johndoe132

          Re: Forced to support forever

          I agree completely. Your last point is interesting though - if this were OSS or M$ had decided to open source the code at end of life, then governments & corporations around the world would have had the *option* to build their own in-house support for the product.

          In the case of UK Gov that may well have been the cheaper way to go, but having worked in that sector I don't believe for a second it would have actually happened.

          It really, really pains me but I have to side with Redmond on this one; they gave fair warning that XP was going end of life and the general poor security of that OS was well known to all of us. I'm sure every techie worth their salt has been beating the migration drum for years, but at the end of the day politics always wins......

          1. Doctor Syntax Silver badge

            Re: Forced to support forever

            "I agree completely. Your last point is interesting though - if this were OSS or M$ had decided to open source the code at end of life, then governments & corporations around the world would have had the *option* to build their own in-house support for the product."

            It wouldn't be necessary to open it in the FOSS sense but to place it in escrow. The terms for release from escrow could place an NDA on whoever then took up maintenance. This would be a sensible provision where it's been incorporated in a product whose reasonable life expectancy exceeds the support life of the product. It's maybe something that regulatory authorities could require for medical equipment in the future. If an OS vendor was unwilling to do this then the equipment supplier would be obliged to go elsewhere.

            Microsoft could agree or not as it pleased. If it judged the market too small to bother about that would be their commercial choice. If they chose not to remain in that market the equipment makers would be free to look elsewhere. Give or take proprietary drivers FOSS fits this bill automatically. There would be scope for someone to offer support well beyond the normal life of an LTS distro as a commercial proposition. An existing proprietary embedded Unix derivative such as QNX or VxWorks might also be a good fit.

      3. steve hayes
        FAIL

        Re: Forced to support forever

        One could argue that poor programming which allows these worms access should always be fixed. Before they bring out their next money spinning version they should fix the last!

        1. Captain DaFt

          Re: Forced to support forever

          "Before they bring out their next money spinning version they should fix the last!"

          By that logic, MS would still be stuck with selling DOS 3.2! ☺

      4. Anonymous Coward
        Anonymous Coward

        Re: Forced to support forever

        Most people purchased XP with a new PC, if the machine is still running then so should the OS.

        This should include any patches required to fix fault/security flaws present at time of purchase and the lifetime of the OS should be dated from the last fix.

        If MS had got rid of all the problems with XP then they could reasonably step away and say "that is as good as it gets" but they never fixed the problems instead they just released a new OS with the same problems which they will only fix once they are abused.

        In the UK at least car manufacturers are required by law to maintain parts for the expected lifetime of their products, why should MS be different?

        If the code for XP was public domain once MS abandoned support then the customer could source their own repairs however since MS just prettied the old OS up and resold it as a new product then the code remains proprietary and unobtainable therefore only MS can fix it.

        Ultimately this means that MS operating systems are unsuitable for any application where the customer would expect the product they purchased to last as long as the hardware.

        Thus MS should automatically be excluded from any state funded endeavour, MS are fine for gaming but if you want a professional product then look to a professional operating system that will continue to support hardware through each revision such as your flavour of unix.

        That MS are notorious for dropping hardware support between OS versions is well known in the industry and these tax payer funded projects should never have allowed MS in let alone continued paying them to support a broken OS.

        1. Nattrash
          Holmes

          Re: Forced to support forever

          [I work in the med tech industry]

          I've been following this discussion for a couple of days now, seen the arguments, and am left with a couple of questions for the distinguished commentards here:

          --- The discussion (or finger pointing if you will) has focussed on the Government, NHS, Microsoft... I did notice that the party shining through absence is med tech producers. I mean, sure, if the NHS buys an MRI, CT, or another software driven system from for example GE, Philips, Siemens, Toshiba, then they also have a service contract. And think about it, this doesn't include software..?

          --- "OK, but this med tech is so sophisticated, you can't just change the OS on an MRI, now can you?" Humm... You think, if you buy a new machine now (which could very well be the same model as 10+ years ago, since tech turn over isn't that big as you might think), that it's supplied with XP?

          --- "You can't expect a supplier to support a product for 16 years". Well, maybe this is true for cars (don't think so, think product recalls), but for med tech this might surprise you. After all, you don't buy a CT or MRI of a couple of million pounds to use it for just 2 years. And even if a CT has been in use for 15 years, you still don't want it to make pictures with Chernobyl levels of radiation, now do you? I invite you to lie down comfortably and let me make pics of you with such a machine, and afterwards hear me make an excuse like that...

          --- And just because I'm an "old" person: I can remember times, let's say 25 years ago, when such med tech was developed (e.g. CT, MRI, automated light microscopy pathology sample scanning/ image analysis), and many were Acorn Risc based. Or had their own, unique program running on top of DOS. And please understand that I'm not saying current systems are bad. What I'm saying however is that here too the "dirt cheap" and "bottom line vs. quality" movement also made its entry. So might our (society) drive to prefer cheap over quality not come with these kind of consequences?

          --- And if your argument is there that operators are (only) familiar with certain OSes, then apologise to technicians, who are educated operators, and can work anything we can develop, because of their long, in-depth, and dedicated training, passion, and commitment. Physicians? You really think (all of them) can operate med tech?

          --- Big, bulky, or heavy on tech equipment has been used in the aftermath of Wannacry to excuse (some trusts of) the NHS. But is this really the software we're talking about? Isn't it just a lot of accountancy software, admin systems, data storage, and these kind of systems? Aren't in-your-face-everybody-can-relate-to-that examples (like MRIs, even here on elReg) used to cover for just secretary boxen?

          1. This post has been deleted by its author

          2. Ben Liddicott

            Re: Forced to support forever

            Big, bulky, or heavy on tech equipment has been used in the aftermath of Wannacry to excuse (some trusts of) the NHS. But is this really the software we're talking about? Isn't it just a lot of accountancy software, admin systems, data storage, and these kind of systems? Aren't in-your-face-everybody-can-relate-to-that examples (like MRIs, even here on elReg) used to cover for just secretary boxen?

            This.

          3. Anonymous Coward
            Anonymous Coward

            @Nattrash: Re: Forced to support forever

            Nattrash - I know of one NHS trust that has apparently had to cease cancer treatment whilst they try and dig themselves out the hole they have brought upon themselves...

            1. Nattrash

              Re: @Nattrash: Forced to support forever

              A crying shame indeed, a fact that I'm not trying to water down or dispute.

              But (if I get the essence of your remark correct) I ask myself whether this is because the patient can't be treated, or whether the "patient" can't be billed (please excuse the bluntness by intent).

              And don't get me wrong, I've been around (within this therapeutic area) long enough to get that "treatment for cancer" can be anything from pumping people full of chemotherapy, to using a high tech Accuray kind of "radiation knife". Or could mean surgery or Ab based adjuvant therapy. Or the point focussed radiation therapy somebody else here spoke about. And yes, a lot of nifty software is used in some of these cases. But then again, in a lot of these cases there isn't...

          4. JamesPond

            Re: Forced to support forever

            "the NHS buys an MRI, CT, or another software driven system from for example GE, Philips, Siemens, Toshiba, then they also have a service contract. And think about it, this doesn't include software..?"

            It does include the software that is proprietary written by the supplier to meet standards e.g. In imaging that is DICOM. BUT the underlying O/S isn't usually written by the supplier, it is usually a flavour of Linux or Windows and hence reliant upon the o/s vendor for patches.

            An MRI shipped today will probably be on Windows7, that has the same vulnerability as XP if not patched. But the supplier has to undertake a significant amount of testing to pass CE validation. Most large suppliers are not geared up to respond quickly to zero day patches. In the majority of cases medical devices need hands on patching and then possibly several hours of testing before releasing the device back to the hospital. This could take a device out of operation for a day, cancelling appointments, so typically patches are rolled up into a single update and site visits planned up to 6 months in advance to limit both patient impact and costly engineer site visits.

            1. Nattrash

              Re: Forced to support forever

              As you know James, working with DICOM isn't necessarily proprietary; even free downloadable, old, simple JImage can work with DICOM. It is the software surrounding it, created by the manufacturer, the GUI of the machine if you will, that is proprietary. And done so for understandable reasons. And yes, you're right, that is created on top of Windows.

              You got a very valid point about the update cycle, maintenance, and taking the machine off line. After all, a machine that doesn't do a patient, is losing money. And this wasn't what I was trying to bring up. However, you write "An MRI shipped today will probably be on Windows7, that has the same vulnerability as XP if not patched." But that was also not what I meant. What about the (service) obligation of the manufacturer to upgrade the systems to W7, if the 10 year old system still runs on XP (as was suggested in the media - not my remark). Furthermore: "Most large suppliers are not geared up to respond quickly to zero day patches." Indeed. And still they build their proprietary GUI on top of a system that is sensitive to this. So, or they should think of a way to service it accordingly, or they made the wrong design choice. I'm not saying what's wrong or right, I'm just saying... Especially since I've seen different approaches "back in the days"...

              1. JamesPond

                Re: Forced to support forever

                "What about the (service) obligation of the manufacturer to upgrade the systems to W7"

                Most long term contracts I've seen usually include a system refresh half way through, so replacement software and o/s and depending upon the equipment, hardware, at year 5 of a 10 year contract. So if medical devices are still running on XP, perhaps they are on the backend of the cycle and waiting for either a contract extension or full replacement. Given the NHS is strapped for cash and the red tape involved, chief execs won't support a business case to update a medical device if it's still in contract. Or should I say, wouldn't have approved a business case.

          5. Anonymous Coward
            Anonymous Coward

            Re: Forced to support forever

            I also work in the medtec industry

            Product life is required to be considered in the development and risk management for medical devices.

            Large equipment manufacturers GE, Philips, Siemens etc normally have a policy of supporting products for ten years after they were last sold but in practice continue beyond this.

            It is a requirement that risks arising from medical devices are constantly reviewed and the risk of a security issue causing damage to health must be considered by manufacturers for equipment in the field even if not currently manufactured (PMS). This would include the possibility of security related issues. If there was an issue identified it may or may not result in updates to the SW or other measures such as recommended configuration changes, firewalling, procedures etc but the risk would need to be assessed and managed.

            Most medical devices have a requirement for regular maintenance but this does not necessarily need to be performed by the manufacturer.

            Realistically no manufacturer of anything can give an indefinite commitment to support it. They should communicate what their policy is and when support is coming to an end. The support period should be reasonable given the nature of the product. In the case of a less massive company they could cease trading and that would end all support.

            I am generally no fan of MS but they seem to have acted quite reasonably in this case.

            1. Nattrash

              Re: Forced to support forever

              @AC

              You're right, especially after the regulatory MDD changes in April this year. And with those changes the discussion about who should "service" might also be answered. After all, the MDD obliges the manufacturer to "monitor continuously" the performance of the device in every day use, and this is not necessarily connected to PMS studies (although could be of course, and seen as favourable). And indeed, with these changes there is now a much bigger emphasis on risk management/ avoidance. With that in mind, and the realisation that according to classification, software that drives a device is seen as an active medical device, and falls in the same device class as the device it drives, I see discussions about the "who, how, what, and when" of the obligation to service on the horizon...

          6. Anonymous Coward
            Anonymous Coward

            Re: Forced to support forever

            @Nattrash: Thinking about your 1st & 2nd questions. That the piece of med-tec that costs millions is dependent to such a high degree on an OS that cost around 100 quid is probably a design flaw. It can be easily argued that both purchaser and supplier should be aware of this dependency, because the lifetime of the potential usefulness of this expensive equipment is limited by a commodity product beyond the control of both parties. Would it be so hard to remove OS dependency in the med-tec software if it was better built?

            You could also argue the fact that the supplier is unable to support the med-tec equipment for an adequate length of time due to dependencies beyond their control shows a particular lack of foresight and due diligence in software design. You could also make the same due diligence case against the purchaser for not looking into such proprietary dependencies, especially in a public purchasing organisation.

            Your fourth point about price vs quality I suspect may provide the answers.

            And yes, your final point, is probably correct. It seems (only from reading the news) much of the affected systems were administrative in nature anyway. I mean, I hope network managers, operators, etc think twice about connecting a CT to the department LAN and then onward to the internet. Ahem.

      5. fruitoftheloon
        Stop

        @Oh homer: Re: Forced to support forever

        Oh homer,

        in principle I agree with you, there are many health care capabilities that have VERY specialised kit, wifey's team has a cluster of whizzy Dell kit that does incredible number crunching and real-time modelling for radiotherapy treatment, what chance is there of a team of well-intentioned souls developing something to replace it???

        We live in hope...

        Cheers,

        Jay

  2. Anonymous Coward
    Anonymous Coward

    Lawyers

    As MS had the patch for XP in February and withheld it, it would be prudent for XP owners to mount a class action against MS for failing to inform the market and take responsibility for the losses.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lawyers

      The lawyers have more chance of getting Comey his job back than getting MS to admit to anything.

      1. Doctor Syntax Silver badge

        Re: Lawyers

        "The lawyers have more chance of getting Comey his job back that getting MS to admit to anything."

        It's not the lawyers' job to get their clients' opponents to admit anything. Their job is to get a court decision in their clients' favour. An admission might be useful but not essential.

    2. davidp231

      Re: Lawyers

      Or... the XP patch was sent out to those who are still paying for support (of which, the NHS isn't) and they just flipped the switch that lets everyone else have it.

      1. big_D Silver badge

        Re: Lawyers

        @davidp231 that is how I read it. The patch was issued to those that paid for it, as per the guidelines issued before XP support stopped.

        This whole issue is insane. MS provide longer support than any other software company for its products, Heck, Google have announced that they will stop issuing updates to their own Android devices after 18 months and security patches after 2-3 years.

        Apple dropped support for older Macs after only a few years - my 2007 iMac hasn't had a security update since 2014, but it still runs Windows 7, so it actually gets support from Microsoft for nearly twice as long as Apple provides for its own products!

        If Microsoft had just stopped supporting XP all of a sudden, I could understand the outrage, but we are talking about users and businesses having over 15 years of warning that they would need to upgrade to a more modern version... And, for those that were short sighted enough not to be able to get their systems updated in time, they offered paid support.

        If you are dumb enough to use out of date software and still dumber not to pay for extended support, then you are your own worst enemy.

        Also, if they do change the law to make manufacturers provide support in perpetuity, then it will have huge impacts on prices and how often new versions are released. Not an entirely bad thing, but we will see software prices climb again, as the long-term support needs to be calculated into the purchase price.

        1. teknopaul

          Re: Lawyers

          yeah but the question was about essential public services, there are enough lazy banks out there to pay for the fix to be given free to the NHS.

        2. davidp231

          Re: Lawyers

          "Heck, Google have announced that they will stop issuing updates to their own Android devices after 18 months and security patches after 2-3 years."

          And most OEM vendors don't even see said updates.

          1. Anonymous Coward
            Anonymous Coward

            Re: Lawyers

            Sorry, that is horseshite.

            "And most OEM vendors don't even see said updates."

            The updates are posted every month on Android AOSP git repository, and patches are posted for (currently) 4.4, 5.0, 5.1, 6, 7 and 7.1

            The OEM's definitely see them, and the reputable ones update devices for 2-3 years, sure they might not pick up every patch every month, but they do release patches.

            NOTE: Don't believe the media, they are too stupid to understand that full-version adoption rates and security patch adoption (which isn't measured) are totally unrelated. They will pretend that just because only x% of devices run the latest Android, it means everything else is old and unpatched, which is total nonsense. Any media outlet or self proclaimed "security expert" pushing this lie really needs ignoring.

        3. Anonymous Coward
          Anonymous Coward

          Re: Lawyers

          As far as I can see it also went to those who used a well known registry hack to continue support for XP!

          1. Doctor Syntax Silver badge

            Re: Lawyers

            "As far as I can see it also went to those who used a well known registry hack to continue support for XP!"

            That wouldn't be a viable option for anyone who needed to maintain some sort of certification.

        4. Anonymous Coward
          Anonymous Coward

          Re: Lawyers

          18 months?

          Bliss! If only Sony were nearly as diligent.

        5. JamesPond

          Re: Lawyers

          MS gave fair warning XP was going end of life. They offered an expensive option of extending support, possibly to make money, possibly to force everyone's hand to upgrade.

          Particular issues for the NHS have been a 'perfect storm' of a significant squeeze on finances; XP being embedded in suppliers systems that may take significant time to revalidate to get CE kite mark accreditation; significant number of bespoke systems supplied by one-man-bands, whether in-house or third party, who don't have the resources, time or inclination to redevelop and revalidate the software on a newer o/s.

          So you might say we'll just stop using these systems but that is easier said than done when the government keeps increasing pressure on the NHS to improve efficiency and reduce costs. Amber Rudd was on TV saying the government has increased NHS spending and was surprised that Trust's hadn't patched. What she didn't mention is that they've also removed a lot of the centrally funded IT systems and pushed the costs onto individual Trusts, reducing their net spending power.

          It's no surprise that GPs were worst affected. Under the Tories 'rationalisation' GPs are self employed. They keep any profit they make so what is their incentive to employ IT specialists to keep their systems updated or purchase new PCs every 3-4 years?

  3. Anonymous Coward
    Meh

    I can't see a poll!

    See title.. .edited Poll appeared

    But I think just because it is running XP doesn't mean you can't treat the equipment (say an MRI scanner) and, say, the XP interface like an industrial device. That means not sticking outlook on it and plugging it into the wider Internet. It should be off by itself with little or no access to the rest of the network.

    1. Anonymous Coward
      Anonymous Coward

      Re: I can't see a poll!

      Poll doesn't have the other pertinent options, for example:

      * Should Microsoft have used a remote kill-switch to stop XP entirely at end of support date (cf. Samsung bricking the Galaxy Note 7 remotely)

    2. JamesPond

      Re: I can't see a poll!

      Maxsendq - Clearly you have no idea how MRIs and other diagnostic systems integrate within a health environment.

      If the MRI is in its own bit of network with no access to other systems, how does the MRI get work lists (list of patients to scan) from the RIS? Then the MRI scanner needs to send its images somewhere i.e. PACS! The PACS system needs an interface to the RIS to match patients appointments with the images, the RIS and PACS need access to the PAS to get patient information updates, clinicians need access to PACS from everywhere in the hospital(s) so they can see the images and treat the patient. NHS reporting Radiologists and companies around the world that provide 24x7 radiology reporting services need remote access to PACS and RIS. Radiologists need access to the internet (as per Royal College of Radiologists guidelines) from their reporting workstations; PACS reporting monitors need to send their self diagnostic information to the supplier and/or Nuclear Medicine regulators (usually via either the internet or NHSnet) to meet legal requirements for monitoring pixels / resolution.

      So closing off diagnostic equipment from all other systems isn't realistic.

      1. Twanky

        Re: I can't see a poll!

        If an essential device has unsupported software it needs to have a wrapper around it which is supported.

        A firewall/content filter which can be updated dedicated to protecting a multi-million pound device that can't be updated should be a small price to pay.
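The two positions above (isolate the XP box entirely, or keep it talking to RIS, PACS and the supplier because the workflow needs it) meet in the middle as an explicit allow-list: the legacy host may reach named peers on named ports and nothing else, and the "supported wrapper" enforces and logs that. The script below is an added illustration written for this page, not code from any commenter, supplier or the NHS. It parses a few constructed flow records, classifies every flow that touches a legacy host against such an allow-list, and reports the violations (lateral SMB inside the LAN, egress to the internet, inbound from an unlisted host). The host names, addresses, subnet and peer roles are invented for the example; ports 104 and 11112 are the ports DICOM services conventionally listen on.

```python
"""Allow-list audit for flows involving an unpatchable legacy device.

Added example (not from the forum thread). Addresses, the legacy host,
its peers and the flow records are constructed for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed addressing: one legacy imaging workstation and its local network.
LEGACY_HOSTS = {"10.20.0.15": "XP-MRI-01"}
LOCAL_NET = ip_network("10.20.0.0/16")

# What the legacy host is permitted to reach: (legacy host, peer, peer port).
# 104 and 11112 are the conventional DICOM listening ports; the RIS and PACS
# addresses are made up for the example.
ALLOWED_PEERS = {
    ("10.20.0.15", "10.20.1.10", 104): "RIS worklist query",
    ("10.20.0.15", "10.20.1.20", 11112): "PACS image store",
}

# Constructed flow records: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_LOG = """\
2017-05-15T09:01:02 10.20.0.15:49152 -> 10.20.1.10:104 tcp
2017-05-15T09:01:09 10.20.0.15:49153 -> 10.20.1.20:11112 tcp
2017-05-15T09:02:44 10.20.0.15:49154 -> 10.20.7.8:445 tcp
2017-05-15T09:03:10 10.20.0.15:49155 -> 93.184.216.34:80 tcp
2017-05-15T09:04:00 10.20.5.5:51000 -> 10.20.0.15:445 tcp
2017-05-15T09:04:30 10.20.1.20:40000 -> 10.20.1.10:5432 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_flow(line):
    """Parse one flow record into a dict; ports become ints."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable flow record: {line!r}")
    flow = match.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def classify(flow):
    """Return (verdict, reason) for one flow.

    allow  - legacy host talking to a listed peer on the listed port, or a
             listed peer connecting back to it
    block  - any other traffic touching a legacy host, whether it stays on
             the local network (lateral movement) or leaves it (internet)
    ignore - flows that involve no legacy host
    """
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if src in LEGACY_HOSTS:
        service = ALLOWED_PEERS.get((src, dst, dport))
        if service:
            return "allow", service
        name = LEGACY_HOSTS[src]
        if ip_address(dst) not in LOCAL_NET:
            return "block", f"{name} egress to non-local {dst}:{dport}"
        return "block", f"{name} to unlisted local peer {dst}:{dport}"
    if dst in LEGACY_HOSTS:
        # Inbound: only the peers the device is allowed to talk to may
        # initiate connections towards it (management access is out of scope).
        known_peers = {peer for (host, peer, _) in ALLOWED_PEERS if host == dst}
        if src in known_peers:
            return "allow", f"inbound from listed peer {src}"
        return "block", f"inbound to {LEGACY_HOSTS[dst]} from unlisted {src}"
    return "ignore", "no legacy host involved"


def audit(log_text):
    """Classify every non-empty record; returns [(verdict, reason, line), ...]."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            verdict, reason = classify(parse_flow(line))
            results.append((verdict, reason, line))
    return results


def violations(log_text):
    """Only the blocked flows, i.e. what the wrapper should alert on."""
    return [r for r in audit(log_text) if r[0] == "block"]


if __name__ == "__main__":
    for verdict, reason, _line in audit(FLOW_LOG):
        print(f"{verdict:6} {reason}")
```

Run as a script it prints a verdict per record; the same `classify` table could drive the rule set of a firewall placed in front of the device, with `violations` fed from the firewall's own log. The point the code makes is that "isolate it" and "it must talk to RIS and PACS" are not contradictory once the permitted peers are written down.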

  4. CJatCTi

    All products have a support life

    All products have a support life, after that it's tough.

    But we have to keep using "x" as "y" will only work on that.

    Possibly you should have made a better choice than "y" or ensured it would run in a broader environment.

    How much only works in IE or IE6?

    1. Anonymous Coward
      Anonymous Coward

      Re: All products have a support life

      All products have a support life, after that it's tough.

      Let's differentiate between new functionality, and fixing flaws in what was originally built and sold. In my view MS should not have to make XP work with new peripherals, interface using new protocols or the like, but I do think they should be obligated to fix faulty code that they've already been paid for.

      1. jpo234

        Re: All products have a support life

        MS did fix the bug. Recent versions of Windows are safe.

        When people bought the affected WinXP machines they were, or should have been, aware that support would eventually end. If they chose WinXP in this knowledge, it's not MS's fault when these customers gambled and ran outdated software that became a target of malicious code.

        And: One could argue that MS is not even at fault. The code works fine when it is used as intended. A malware attack clearly is outside the intended scope. You wouldn't claim that a car maker is at fault if a car explodes when somebody maliciously shoots it with a gun.

        1. John Robson Silver badge

          Re: All products have a support life

          "You wouldn't claim that a car maker is at fault if a car explodes when somebody maliciously shoots it with a gun."

          Ford Pinto.

          I think we would. Systems should be built with some level of resilience.

          I don't know how many Win98 systems are still around, but MS probably have a reasonable idea of how many there are...

          WinXP is still widely deployed - and security fixes (NOT increased functionality, new drivers etc) should be maintained for a *very* long time.

          OTOH should we also be looking at the suppliers of MRI scanners etc which are often blamed for being the cause of 'staying on a known OS'. They ought to be obliged to release software for newer versions of their chosen OS (whether that's MS/OSx/*nix/*BSD/....) for the expected lifetime of the machine (probably more than the expected life actually)

          1. big_D Silver badge

            Re: All products have a support life

            Windows XP does still get security patches, if you pay for them.

            If you decide to continue using Windows XP, there is the option to pay Microsoft an annual fee to ensure that it get security updates. That is reasonable.

            Either the price of the software needs to increase to cover the extended support costs - so Windows would cost a couple of grand instead of 100 UKP, because they will need to support it "forever" - or the price needs to remain "affordable", with the knowledge that after a defined period of time (a period of time which is defined in black and white before you ever buy the product, I might add) you will either need to upgrade to a supported version or pay for the extended support.

            Patching older versions of software is an expensive business and it needs to be paid for. If you don't like it, move to open source and patch it yourself, when the maintainers decide that your version is too old (18 months for most distributions, 5 years for some enterprise releases, I think only RedHat/CentOS and SLES offer anything approaching 10 years, and they cost real money).

          2. Anonymous Coward
            Anonymous Coward

            Re: All products have a support life

            OTOH should we also be looking at the suppliers of MRI scanners etc which are often blamed for being the cause of 'staying on a known OS'. They ought to be obliged to release software for newer versions of their chosen OS (whether that's MS/OSx/*nix/*BSD/....) for the expected lifetime of the machine (probably more than the expected life actually)

            You could argue it's the MRI supplier's fault:

            1. The MRI supplier should choose a base OS with a suitably long support lifespan - via contract negotiations with the OS supplier.

            There are plenty of other OS vendors out there for embedded systems to choose from.

            OR:

            2. The MRI supplier should support their own customers, by providing a process for upgrading the base OS *and* associated applications on existing hardware, when the base OS is obsolete.

            And in turn you could argue it's the customer's fault:

            3. The customer should get the vendor to undertake to support the product for the expected lifetime of the product, by means of contractual negotiations at purchase time.

            Of course, everybody is moving to a SaaS model now, including for hardware. I suspect in future you'll be able to rent your MRI scanner by the year. Of course, you end up paying more in the long run, but as long as you continue to pay, the vendor has both the incentive and the resources to continue to support it.

            1. Anonymous Coward
              Anonymous Coward

              Re: All products have a support life

              We see this quite a bit with scientific equipment (I work in a lab). What generally happens is boffins buy, say, a new HPLC costing £250k from a grant. Said HPLC comes with a PC, software to run the kit and 3 years' maintenance. Boffins run the bit of kit for the length of the grant, say 3 years. Grant funding ends; boffins obviously still use the HPLC for other projects. PC dies in year 5 so they need a new one; no maintenance has been purchased so they can't upgrade the software unless they pay, and the software won't now run on a new OS.

          3. Named coward

            Re: All products have a support life

            @John Robson - The Pinto was liable to catch fire in a rear-end collision. While collisions are not normal use, it's something that can be expected to happen during normal use (similar to a power outage in PC terms). A better analogy than shooting the car (see Mythbusters results on that) would be someone cutting the brake lines. Also, the Pinto was recalled during its production run, not long after it stopped being "supported".

            1. fishman

              Re: All products have a support life

              Ford Pinto -

              A friend of mine had a Pinto and a Corolla wagon back then. He was an engineer, and said that the Corolla had the same problem as the Pinto. So he made a modification to his Corolla that was similar to the one Ford provided to the Pinto.

          4. Infernoz Bronze badge

            Re: All products have a support life

            I'd say a maximum of 12 years' support for OSes, with subscription-only, security-only support after 10 years, because 10 years is the longest even a slower-upgrading business should try to maintain machines: computer technology design does age, and the physical hardware can age too and become increasingly more costly to maintain, if you can still get compatible parts!

            Maybe require an audit of the age of computer hardware and software in a business, with warnings issued for too old equipment which is not planned and scheduled for replacement.
