Security or obscurity
Steve Pampling (1551) 8172 posts
I prefer that version. Probably because we are going to be continuing the sweep through (out) of old tat. A company who won’t be nameless (GE Medical) installed Win 2K based systems when XP was the standard OS. They haven’t replaced it under the PFI agreement, yet. It’s not patchable, it uses SMB. Typical problem facing medical establishments, irresponsible manufacturers.
James Wheeler (3283) 344 posts
I think it’s a problem with the embedded market as a whole. There weren’t always networks, and even less likely a WAN accessible network, so they’re unprepared. Go back to the 90s and computer security was practically non-existent. I remember you could sweep the net for IPs and scan for SMB shares to people’s C drives or telnet to an NT box on port 80 and IIS would give you a shell! Mainstream OSes weren’t prepared for the internet as security was more of a physical problem. It wasn’t till WinXP that MS thought a firewall in the OS might be a good idea. The embedded market and IoT are facing similar problems now.
Frederick Bambrough (1372) 837 posts
Species-ism. Leave the donkeys alone!
Clive Semmens (2335) 3276 posts
Donkeys are often very sociable, with humans as much as with each other. Don’t leave them alone, they’ll get lonely.
GavinWraith (26) 1563 posts
I am sure Rick was using the American (mis)spelling of arse; nowt to do with donkeys at all. A word of great antiquity, the Hittite (first half of second millennium BC) being aris.
Clive Semmens (2335) 3276 posts
I’m sure you’re right. Nowt wrong with a bit of wilful misinterpretation though! 8~)
Rick Murray (539) 13851 posts
It’s partly the fault of the medical establishments for not demanding better. As long as companies can cobble together something with outdated versions of Windows, and it keeps getting purchased, there’s no impetus to do better.
It’s nothing to do with “used to be no internet, now there is”. It’s a LOT more insidious than that. Embedded devices are “black boxes”. You aren’t supposed to know, you aren’t supposed to question. You are supposed to plug it in and let it do its thing. With that mindset, there is absolutely no reason to provide anything more than a very basic “security”. Again, look at my IP camera. It is intended for non-technical people, a sort of “plug it in and use our app” scenario. It has a service-provided DDNS, it punches a hole in the router with UPnP. Plug it in and it “just works”. And that is probably about as far as 99% of their customers will ever see. For what it is worth, I sent a message to MCLSamar (the vendor) about a month and a half ago asking for a copy of the GPL licenced parts of the firmware. As you can expect, there wasn’t even the slightest hint of a reply. I saw loads of security cameras in a DIY shop the other day. Prices in the three-digit range for something that looks scarily similar to my cameras. Well, I wonder how many of them are Wanscams with bug-ridden insecure firmware?
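As an added illustration of the hole-punching described in the post above (this is not code from the thread or from any vendor): a UPnP-capable router will list every mapping it holds via the WANIPConnection GetGenericPortMappingEntry action, and parsing those answers shows exactly what a “plug it in” device has opened. The SOAP responses here are constructed samples with made-up addresses, ports and descriptions.

```python
# Added example, not code from the thread: offline audit of the port mappings a
# UPnP-capable router reports. The SOAP bodies are constructed samples shaped like
# the WANIPConnection:1 GetGenericPortMappingEntry response; addresses are made up.
import xml.etree.ElementTree as ET
from collections import namedtuple

def _sample(ext, proto, client, iport, enabled, desc, lease, remote=""):
    """Build one constructed GetGenericPortMappingEntry response."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>{int(enabled)}</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )

SAMPLE_RESPONSES = [  # constructed: the sort of thing a camera might have punched
    _sample(8899, "TCP", "192.168.1.50", 80, True, "IPCam web", 0),
    _sample(10554, "TCP", "192.168.1.50", 554, True, "IPCam rtsp", 0),
    _sample(3389, "TCP", "192.168.1.20", 3389, False, "old rdp", 0),
    _sample(22, "TCP", "192.168.1.10", 22, True, "admin", 3600, remote="203.0.113.7"),
]

Mapping = namedtuple("Mapping", "remote_host external_port protocol internal_client "
                     "internal_port enabled description lease_seconds")

def parse_mapping(soap_xml):
    """Parse one response; match on local tag names because router namespaces vary."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]
        if name.startswith("New"):
            fields[name] = (el.text or "").strip()
    return Mapping(fields.get("NewRemoteHost", ""), int(fields["NewExternalPort"]),
                   fields["NewProtocol"].upper(), fields["NewInternalClient"],
                   int(fields["NewInternalPort"]), fields.get("NewEnabled", "1") == "1",
                   fields.get("NewPortMappingDescription", ""),
                   int(fields.get("NewLeaseDuration", "0")))

def exposed_mappings(responses):
    """Enabled mappings with no remote-host restriction, i.e. open to the whole internet."""
    found = [m for m in map(parse_mapping, responses) if m.enabled and not m.remote_host]
    return sorted(found, key=lambda m: (m.internal_client, m.external_port))
```

A lease of 0 seconds means the mapping never expires, so a camera mapping with lease 0 stays open until the router is reset or UPnP is switched off.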
Frederick Bambrough (1372) 837 posts
I was milking a French cow.
James Wheeler (3283) 344 posts
With the exception of open source, everything is a black box.
And that is what people want. People only get angry later when they find out strangers are spying on them because they didn’t change their default password. Consumers don’t see the importance until they’re violated, so companies won’t throw money away adding features people don’t want or even check for.
Rick Murray (539) 13851 posts
Ah, but for desktop machines and some (!) mobile devices, people are getting accustomed to (sort of) periodic updates. IoT things often have update mechanisms, but where are the actual updates? Back to my IP camera, there seems to be a (weak?) update mechanism that can update the application code or the web interface, but there seems no way of dealing with the underlying system. Parts of the filesystem are mounted as a writable flash, the rest is read only…
James Wheeler (3283) 344 posts
Most Linux based embedded devices I’ve seen run U-Boot and are in single-user mode, so everything would be root. If you disassemble it, often you can find UART gold pads and can flash full U-Boot and begin porting your own OS.
Steve Pampling (1551) 8172 posts
Probably, but you have to understand that most manufacturers come out with “the FDA won’t allow that” and myself and a few colleagues are a small voice drowned out by the crowd when we don’t accept that excuse. This incident does seem to have been a wake up call, not as MS/and manufacturers would like in accepting their bull, to kick and demand better.
Kick back (first wave) coming.
Doesn’t work at home – UPnP turned off so the router isn’t listening :) And the PCs don’t have the service installed (oh dear, did someone delete it?)
Steve Pampling (1551) 8172 posts
The fluid concerned is used for tanning rather than drinking. :)
Rick Murray (539) 13851 posts
…and the FDA [1] has what relevance to British medicine? After all, I bet the FDA doesn’t want power supplies rated at 230V, so are all hospitals wired to 110V (including those insanely crap US plugs)? No? Didn’t think so…
Really? Sure, the world is in a tizzy right now. But in a couple of weeks the beancounters will look at how much something else costs (and even Linux will cost – training, VMs for older software, etc) and people will be “I know Windows, I don’t know or want this rubbish” and the tizzy will be forgotten and things will just resume “as normal”.
Doesn’t work here either. The first two things I kill are UPnP and WPS. And if the device is working in anything other than WPA2/AES, it is changed. And if it can’t work in WPA2/AES, it gets binned. Like a couple of cheap WiFi dongles I picked up a while back. Oh yes, and if the router has a hardware twiddle required for associating WiFi devices, that is enabled as well (the Livebox has an option where it will ignore a new device, even with the correct passcode, until the button on the front has been pushed). Recall, by the way, that I live rural. It’s a half kilometre to my nearest neighbours, and you’d be lucky to get decent WiFi from the other side of the house, and barely at all outside. I would probably physically deactivate WiFi when I’m not around if I had actual neighbours.
[1] I presume you’re talking of the US Food and Drug Administration, not the union for pointy-hairs.
Steve Pampling (1551) 8172 posts
Yeah, apparently there are more states than everyone thinks. The bull has it that the equipment could be moved to the US. The fact that a voltage change of 50% would result in zero functionality is of no importance in their minds.
Already started :)
Indeed, but making us pull stuff back out of the bin is a bit difficult, hence the use of the phrase “strike while the iron is hot” by our director. Some of our actions started during the weekend and we’ve had two full working days to really get some movement. Some manufacturers are going with the flow at present.
Doug Webb (190) 1180 posts
Well, I think you have less than 4 weeks and counting before you see that focus disappear for another period of, say, 5 years. I hope it isn’t the case, but just a hunch. Also, on your other points, the general public aren’t that concerned about security until something happens, as they are more concerned about how easy it is to do things, and so are the companies, hence why mobile banking and virtual payment systems are being pushed, all for our ease until it goes pear shaped and then you are on your own nursing your losses.
Dave Higton (1515) 3534 posts
Software writers write something to run on XP (maybe even older, and it works on XP too). It’s good enough and thousands of people are using it on thousands of computers. Then MS releases W8 and W10. No need for the NHS to upgrade, as the old systems are still working well enough. Then MS drops support for XP. W10, which is the only currently available version of Windows, is incompatible with the old software. This puts the NHS in a difficult position. In order to remain exactly where it is, the NHS must pay for thousands of new machines, must pay the software company arms and legs to port the software to W10, and must pay thousands of members of staff to use the new OS. Remember, even if the NHS spends all this money, the systems work no better than they did originally (except maybe they give the same results a bit faster). Part of all this is the myth of PC compatibility. Part of it is that MS are allowed to withdraw support for their old OSs. It’s entirely legal, and it’s what almost any company would do.
Rick Murray (539) 13851 posts
That’s why I still use XP. Plus, I don’t think Windows itself is going in a good direction. When Windows 8 was new I played with it in a shop and really didn’t like the UI. Now, Windows 10’s data collection is infamous. I wonder if, in order to “maximise profit”, an upcoming version of Windows will be released as a subscription model? It is quite likely that when I move from the comfort zone of XP, I will move from Windows entirely. If the things I use “break” on later versions of Windows, there’s really not a lot to keep me in the ecosystem…
James Wheeler (3283) 344 posts
It’s unreasonable to expect MS to support software indefinitely. Modern OSes are incredibly complicated, and MS has a lot of them, old and new (Minix, NT, 9x, DOS, CE). Nobody should be running XP, and I can’t believe MS supported it as long as they did. MS even gave a little pop-up message warning users it wouldn’t get updates anymore. Plus, there are a few occasions MS have decided to patch more insidious flaws, despite EoL, and the SMB flaw was one of these, I believe. MS normally give a few years’ notice of EoL too, I think they’ve done alright by XP.
Rick Murray (539) 13851 posts
Certainly. We can’t expect updates forever. But… Have they done alright after XP?
Steve Drain (222) 1620 posts
This ought to be fairly well known, but a single change to the registry in XP means that updates and patches continue to arrive. MS must be writing them for customers who pay, you just need to pretend to be one of those. ;-) I had non-weekly patches just recently, presumably for the WannaCrypt exploit. Although I also run W10, with nearly all the switches off, I prefer the XP interface.
James Wheeler (3283) 344 posts
Vista had a short EoL, but no love lost there. 7 and 8 consumers had a free window to Win10 for a year, so maybe. Not a huge fan of Win10 telemetrics, though, which you can’t turn off. So spyware is fine as long as MS or Google are doing it, it seems.
That’s a conspiracy theory if I’ve ever heard one. MS don’t support XP even for its subscription-based customers. There are no updates. Plus Windows 10 is the last Windows. MS are moving to free upgrades/updates like iOS or Android Nexus devices. This is why they tried to get as many people onto W10 in the first place.
That turns like 110 points of spying to like 98. Switches seem pointless.
Steve Pampling (1551) 8172 posts
Actually, as Steve’s statement shows, there are updates – if you pretend to be an embedded version (PoS machines etc). I believe the registry hack is easy to find.
Non-enterprise edition users, the end result has been regular swearing from the other side of the living room, or the reception desk when she’s in her business premises. Oh, and OEM editions on various family laptops didn’t offer the “update”. No idea why, I try and avoid work when I’m visiting family. Claiming it isn’t a network switch I understand mostly works.
James Wheeler (3283) 344 posts
I missed that detail. XPe isn’t the same as XP, so you might get some updates, but other components will still be a risk, hence EoL.
First I’ve heard of this, very weird.
I never see some family unless there’s a technical problem, then they come and visit. I used to say I don’t use or fix Win boxes, but in recent years I’ve adopted Windows as a gaming platform, so it’s hard to use that excuse.
Clive Semmens (2335) 3276 posts
It’s great having unadopted Windoze. Unfortunately people think because I use a Mac I can fix iPads and iPhones. I can’t. Can’t communicate with them at all.