
It's pretty clear that this completely 100% predictable and predicted attack - open source and free software people have only been talking about the incredibly obvious dangers of a proprietary IT monoculture for 20 years now - is such a damaging "welp, Stallman was right again" moment that Microsoft didn't really have much choice.


Despite being a big fan of open source software, this does not make a difference. Microsoft released patches for newer Windows systems relatively quickly (in March if I recall correctly).

I bet there are still tons of systems that suffer from Shellshock or Heartbleed because they are either not updated at all or they are running old Linux versions which are no longer supported (I bet there are still tons of RHEL/CentOS 2, 3, 4, and 5 systems, which no longer get security updates, or the companies do not have extended support contracts).

The real issue is that people are afraid of updates because they tend to break things. They do not want to invest into "slow rollout strategies" and the like.

If updates were applied immediately to 10% (or maybe even less if the company is big enough) of all machines, and if there was a way to quickly roll back the update, there would be fewer problems and the consequences of failed updates would be less severe. This way you can have your systems up-to-date within 48h (maybe: 1% of 'key users' who do not freak out if things break, then after maybe 4h 10% of normal users who can call "IT support" to roll back the update, and after 24-48h all PCs. This would be even easier for stateless servers because you could redirect all requests to other servers if the 10% fail, with zero downtime).
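An added example (not code from the thread) that turns the staged rollout described above into a small controller: each ring must soak clean for a minimum time before the next ring is promoted, and a failure rate above a threshold triggers a rollback while only that ring's hosts have the update. The fleet size, the 5% threshold and the health reports are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Ring:
    name: str
    fraction: float   # share of the fleet that has the update once this ring is applied
    soak_hours: int   # minimum clean soak time before the next ring may be promoted

# Constructed plan mirroring the comment: 1% key users, 10% after 4h, all PCs after 24-48h.
PLAN = [Ring("key users", 0.01, 4), Ring("normal users", 0.10, 24), Ring("all PCs", 1.0, 0)]

@dataclass
class Rollout:
    fleet_size: int
    rings: list
    max_failure_rate: float = 0.05   # rollback threshold; assumed value, not from the thread
    current: int = 0                 # index of the ring currently soaking
    rolled_back: bool = False
    log: list = field(default_factory=list)

    def hosts_in(self, idx):
        """Number of hosts that have the update once ring idx is applied."""
        return max(1, round(self.fleet_size * self.rings[idx].fraction))

    def report(self, hours_elapsed, failed_hosts):
        """Health report for the soaking ring (hours since it was applied, hosts that broke).
        Returns 'rollback', 'hold' or 'promote'."""
        if self.rolled_back:
            return "rollback"
        ring = self.rings[self.current]
        rate = failed_hosts / self.hosts_in(self.current)
        if rate > self.max_failure_rate:
            self.rolled_back = True   # only this ring's hosts need the rollback
            self.log.append(f"rollback at '{ring.name}': {rate:.1%} failed")
            return "rollback"
        if hours_elapsed < ring.soak_hours or self.current == len(self.rings) - 1:
            return "hold"
        self.current += 1
        self.log.append(f"promote to '{self.rings[self.current].name}'")
        return "promote"

def simulate(fleet_size, reports, plan=PLAN):
    """Drive a rollout with (hours_elapsed, failed_hosts) reports.
    Returns (decisions, hosts that received the update, rolled_back)."""
    r = Rollout(fleet_size, plan)
    decisions = [r.report(h, f) for h, f in reports]
    return decisions, r.hosts_in(r.current), r.rolled_back

if __name__ == "__main__":
    # Constructed scenarios for a 5000-host fleet.
    print(simulate(5000, [(4, 1), (24, 10), (48, 0)]))   # clean: promote, promote, hold
    print(simulate(5000, [(2, 5)]))                      # 10% of key users broke: rollback
```

In the broken-patch scenario the rollback touches 50 hosts instead of 5000, which is the whole point of the first 1% ring.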


I know people that still run OpenSuSE 11.2 on their internal systems. No amount of "open source" will have customers modify what they see as a working system, especially not when any upgrade comes with a week of integration followed by tests and bugfixes to ensure flawless operation in production. The difference between open source and proprietary is in this case that Windows XP exists and works well enough while GNU/Hurd doesn't and therefore will never have an outdated version in use.


I'm a FOSS supporter, but do you think FOSS systems are always updated on time? Or that distributions released in 2001 are still updated? Or that companies running critical systems on old FOSS systems always go through the pain of updating?

Just because the update is free doesn't mean there's no risk associated with it.


I completely disagree with your reasoning, and frankly find it downright infuriating. It feels straight up partisan and political.

Isn't it entirely plausible an attack of precisely this sort could occur in a world where Linux (or macOS, or TempleOS, or whateverOS) is the go-to desktop OS? Isn't Windows the preferred target for attackers because of its ubiquity? How in the world would this be mitigated by "open source"?


It seems that a root problem is not the proprietary OS, but the proprietary and abandoned drivers, hardware management tools, and patient record systems the obsolete OS is required to support.

Open source might be part of the answer to this, or some kind of legal 'right to migrate'.

If all of your patient records are in some ancient software, the new vendor would probably be happy to get them out again if there were documents or a codebase saying how.

If you need XP to run ExpensiveScannerManager95, and you had a legal right to get the code somehow, I'm sure you could find an SME that would port the driver to Windows 10.

Maybe we / our companies and governments need these legal rights now. But what exactly should they be?


> Open source might be part of the answer to this, or some kind of legal 'right to migrate'.

It isn't. Everyone who has tried to decide which version of a distribution to run should know this. It's fine as long as you run the newest or don't need new things. But once you need something specific, and especially once you start installing things outside the package manager, things go downhill quickly.

I wish people wouldn't use this argument in favor of open source, because if you make institutions choose between open source and proprietary solutions based on "updates", it's app stores, cloud software and subscriptions that will win.


> Everyone who has tried to decide which version of a distribution to run should know this

I have used Linux as my primary operating system for more than 15 years, I have been using Arch as my primary distribution for more than 5 years. I do not know this.

> It's fine as long as you run the newest or don't need new things.

So which is it, I am fine if I want to run the newest, or if I do not need the newest? Your statement is a contradiction.

> But once you need something specific, and especially once you start installing things outside the package manager, things go downhill quickly.

No, not really... I install things all the time outside the package manager; of course I know what I am doing, so...

> because if you make institutions choose between open source and proprietary solutions based on "updates", it's app stores, cloud software and subscriptions that will win.

How so? App stores do not solve the lock-in problem the OP is talking about; if anything, they make it worse.


It's not very appealing to respond when you don't give any reasons. I work on making and maintaining Linux distributions for enterprise, and previously embedded, systems (including desktop). We commission open source work, buy 'support' from major vendors and upstream our own changes. I don't share your views, and judging by the development in things like e.g. configuration management I don't think I'm alone.

> So which is it, I am fine if I want to run the newest, or if I do not need the newest? Your statement is a contradiction.

I don't see the contradiction, maybe I didn't express myself very well. The problem is when you mix old and new software and distributions. As long as you run a single release (old or new) and all software is for that release you're fine. When you have to deal with many different versions of third party software, libraries, interpreters, shells, build systems etc. is when you run into problems. Just like in the case with "ExpensiveScannerManager95".


> I don't share your views, and judging by the development in things like e.g. configuration management I don't think I'm alone.

How does the development of configuration management tools for Linux support any of your statements? I fail to see the connection. Linux has needed enterprise configuration management tools for a while; it is one area where Windows is better, as there are many many many many configuration management tools for Windows.

> maybe I didn't express myself very well.

I think this is true, because I still do not understand:

1. What you are really system
2. Why you believe Windows is better at any of these things than Linux
3. How it is relevant to what we are talking about.

Yes, when you mix old and new things you may have problems, depending on the system. I however maintain you have LESS problems with Linux than you do with Windows. Having managed both systems in large enterprise environments, Windows is a finicky, broken system that does not play well with anything.

I spend the majority of my time fixing broken shit on Windows. The idea that Linux is worse is laughable.


While I agree open source is the answer, Linux as it stands isn't -- which we can see from the mess which is abandoned and un-upgradable Android phones. I'm not saying it's Linux's fault, but it certainly hasn't proved to be a magic solution either.


In the case of Android, things like drivers or builtin software are often closed source, and that prevents the community from fixing them or migrating them to newer Android versions.


While these attacks are not impossible on Linux/BSD, there are inherent weaknesses in the design of Windows, especially Windows XP/2003, that make these attacks more probable.

Also, due to the nature of Linux being a monolithic kernel and open source, there tend to be fewer backward compatibility issues with Linux, making it easier to update systems that today companies refuse to update Windows on because it is not compatible with older hardware/software.

In fact Linux often has the reverse problem, in that hardware support for new technology often lags behind because hardware vendors focus on Windows first.


One argument for Linux here is that people in the know could have patched it themselves and recompiled the kernel or userland utility causing the problem. Or people after the fact, without having to wait for Microsoft. With Windows, you get what you're given, when they want to provide it (essentially).


This has almost nothing to do with proprietary vs. open source. A patch for the vulnerability exploited here had been available for months.

The real problem is that organisations had devices sufficiently connected to be vulnerable that had not had the patch applied. That leads to questions about software update policies within those organisations, and that in turn leads to some quite difficult questions about regulated medical devices and how they are supplied and maintained.


> A patch for the vulnerability exploited here had been available for months.

Not for XP/2003. That patch was not generally available months ago.


I don't think Linux distributions from 2001 are receiving security updates today. The only thing going for a free (as in beer) OS is that upgrades are free, but the main reason that so many corporate systems are still on XP is compatibility, not the cost of the upgrade license, which is peanuts for the large orgs affected by this. And Linux distros from 2001 would still have the exact same problem.

Consider the fact that Windows has the best backward compatibility in the business, while even drivers break across relatively minor Linux kernel versions and compatibility is likely to be a bigger problem with Linux.


Due to the nature of Linux being a monolithic kernel and open source, there tend to be fewer backward compatibility issues with Linux, making it easier to update systems that today companies refuse to update Windows on because it is not compatible with older hardware/software.

In fact Linux often has the reverse problem, in that hardware support for new technology often lags behind because hardware vendors focus on Windows first.

>Consider the fact that Windows has the best backward compatibility in the business,

That is a complete and utter myth. Windows has terrible backwards compatibility, and changes to the Windows Driver Model and other changes require drivers and software to be completely rewritten between generations of Windows.

>while even drivers break across relatively minor Linux kernel versions and compatibility is likely to be a bigger problem with Linux.

Where do you get this? Drivers are included in the Linux kernel; it is impossible for a driver to "break" across minor versions of Linux. If a driver breaks, the kernel fails and is not released.


> Where do you get this? Drivers are included in the Linux kernel; it is impossible for a driver to "break" across minor versions of Linux. If a driver breaks, the kernel fails and is not released.

Linux comes with a limited set of device drivers in the main source tree, just like Windows' bundled drivers. Most of this thread is about rare medical equipment or proprietary drivers/programs from companies that have gone out of business.

Also, the Linux kernel ABI routinely breaks drivers, unlike Windows, where that happens much more rarely.

https://www.phoronix.com/scan.php?page=news_item&px=Linux-Ke...


I think that is assuming you believe Windows driver problems are rare. Every time I get a new model of computer or hardware I have to spend many many hours testing, finding, and packaging the drivers to make sure the new hardware plays nice with our system and deployment systems and does not break other shit.


And how many of those issues are caused by OEM incompetence vs. actual bugs in the Windows Driver API?


I'd like to see the set of sysadmins that belong to both the group that is running a distro from 2001 and are willing to manually update the kernel on those systems to a later one.

Yes, the Linux kernel being what it is makes for good/great backwards compatibility.

But that's so far from the point it's not even funny. This is about update policies and internet security at the organisations involved.


> That patch was not generally available months ago

It was reportedly available to those who were still officially supported, though, possibly as far back as February.

As others have suggested, Microsoft has historically offered support (in the sense of at least security patches) for each generation of Windows for much longer than any of the major FOSS operating systems. Obviously you don't get free, unlimited, eternal support with any version of any OS, but even then Microsoft has apparently made arrangements with those who really didn't want to update to a more recent one than XP to continue offering support in return for additional funding.

As I said before, the real problem here is how to deal with the conflict between wanting to keep connected systems up-to-date with security patches, while at the same time not breaking their essential functionality. Medical systems used in regulated environments where failures may literally be a matter of life or death are pretty much the ultimate example of this difficulty.

