So, who is responsible for software patching?

robi
Technically Haunting
3 min read, May 15, 2017
Prompted by ZDNet's rant about WannaCry and Windows patching. Originally a post on Google+.

Something like WannaCry, which targets security flaws on "ancient" machines, is a problem. How long do you support software, especially at the OS level, when you want to move on and just do your new thing? What is your responsibility as a company to provide those fixes, and more importantly, how do you ensure you can deliver them and get them installed so that the fixes are actually in place?

With something as complex as an OS, it can get pretty hairy to "just" fix that one vulnerability without affecting other areas. And with technical staff often too thin to verify that an update doesn't create more problems than it fixes, it's no wonder that the easiest course of action, when things look like they're working, is to skip the hassle of updating and of re-checking that whatever you depend on still works properly.

Which of course leads to problems. As with anything, maintenance is still a key thing to do, whether for a car or for software. If you want things to keep working, you have to put maintenance into them, or suffer the consequences when something dire happens. On that point, I don't quite agree with the ZDNet article.

But there is a point buried in there about why something gets abandoned so quickly when it, in this case Windows XP, is still very much alive and well in quite a lot of places where it is critical that it works well. And I do think there needs to be better thought given to treating software as a vital part of an infrastructure, not the "it's invisible so it mustn't matter" treatment that it often gets from people outside the industry.

Patching support needs to be longer term, it needs to work better, and it needs to be usable and non-detrimental to the systems that rely on it. And the people using it need to treat it as something real: something to maintain and take care of as much as everything else they have to take care of. Without both sides working toward the same goal, nothing is going to change.

Software creation and patching isn't necessarily easy. And neither is the concept of having to use someone else's software and pray and hope it won't break your stuff. I think only recently in software development has the concept of breaking changes become much more important, but how that will reflect in software support 10, 20, 30 years down the road... I'm not sure.

There may be something to be said for hosting everything in the cloud and thereby removing more of the mundane physical labor of updating things, but the problem of compatibility and breakage will remain, and no matter what it will still be an issue for the foreseeable future.

Addendum

A great video showing how WannaCry spread via the SMB exploit:

And another great thread on why these machines can't really be upgraded (cheaply), and why it's not really a "Windows" issue per se; it just happened to be a Windows machine that had an exploit available for it. It could happen to anything that develops a vulnerability over time, since these machines just won't get patched that often: https://twitter.com/blowdart/status/863364192316735488
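When a machine genuinely can't be upgraded or patched on schedule, the practical question becomes whether the compensating controls are in place: is the SMBv1 server protocol that WannaCry abused switched off, is TCP/445 actually reachable, and are the relevant hotfixes missing. The script below is an added example, not from the original post or the linked thread. It assumes a Windows 8.1 / Server 2012 R2 or later host where the SmbShare, NetTCPIP and NetSecurity modules are available, and it takes the list of required hotfix IDs as a parameter because the MS17-010 KB number differs by OS build (supplying it is left to the reader).

```powershell
<#
  Added example (not part of the original post): audit one Windows host for
  the compensating controls that matter when it can't be patched promptly.
  Assumptions: Windows 8.1 / Server 2012 R2 or later, run elevated.
  $RequiredHotfixes is an assumption supplied by the reader, e.g. the
  MS17-010 KB that applies to this host's build.
#>
param(
    [string[]] $RequiredHotfixes = @()
)

$result = [ordered]@{}

# 1. Is the SMBv1 server protocol still enabled on this host?
$smb = Get-SmbServerConfiguration
$result.Smb1ServerEnabled = [bool]$smb.EnableSMB1Protocol

# 2. Is the SMB1 optional feature installed at all? (client SKUs expose it
#    as a Windows optional feature; on other SKUs this may return nothing)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$result.Smb1FeatureState = if ($feature) { [string]$feature.State } else { 'Unknown' }

# 3. Is anything listening on TCP/445, and which enabled inbound firewall
#    rules allow it? An empty list here means the host firewall blocks it.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$result.Port445Listening = [bool]$listening
$result.InboundRulesAllowing445 = @(
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object -ExpandProperty DisplayName
)

# 4. Which of the hotfixes the reader says are required are not installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$result.MissingHotfixes = @($RequiredHotfixes | Where-Object { $installed -notcontains $_ })

# Overall verdict: exposed if SMB1 is on AND 445 is listening AND allowed in,
# or if any required hotfix is missing.
$result.Exposed = ($result.Smb1ServerEnabled -and $result.Port445Listening -and
                   $result.InboundRulesAllowing445.Count -gt 0) -or
                  ($result.MissingHotfixes.Count -gt 0)

[pscustomobject]$result
```

Run it elevated with the hotfix IDs for the host's build, for example `.\Check-Smb1Exposure.ps1 -RequiredHotfixes 'KB<id>'` (script name and KB placeholder are both assumptions). For the XP-era machines the thread is about, which can't run this at all, the same reasoning applies one hop out: if the box can't be patched and can't turn SMBv1 off, TCP/445 has to be blocked from any network segment you don't control, and that block is what you audit instead.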
