Naked Science Forum

Non Life Sciences => Technology => Topic started by: chris on 26/05/2017 14:32:12

Title: Why don't companies make their drivers open source?
Post by: chris on 26/05/2017 14:32:12
Joe wrote to me in response to an episode of the Naked Scientists Podcast (https://www.thenakedscientists.com/podcasts/naked-scientists/why-bother-going-moon) in which reticence to upgrade dated operating systems (OS), like Windows XP, owing to hardware dependency on said OS, causes security breaches like the WannaCry ransomware attack (https://www.thenakedscientists.com/podcasts/short/what-is-wannacry).

Joe says:

Hi Chris,

Love the show, been listening for a while, but you inadvertently put itching powder on me and I must scratch.

In the recent "Why Bother going to the Moon (https://www.thenakedscientists.com/podcasts/naked-scientists/why-bother-going-moon)" podcast you mentioned having to run XP to talk with old equipment (https://www.thenakedscientists.com/articles/interviews/cyber-attacks-nhs), and how that left things vulnerable.

A solution I'd have loved to hear you mention is that the source code for talking to the equipment should all be open. Drivers and applications. You are buying hardware anyway and the software isn't much use without the hardware.

If it was, it could be updated to run on more recent, or even different, operating systems, long after the vendor doesn't care about the product any more, or the vendor has gone bankrupt, or whatever. I'm not saying customers should be expected to be able to do this, but they should have the freedom to do it and the freedom to choose other vendors to pay others to do it for them. Port the drivers and software of old but expensive equipment from an old 486 running Windows 3.11 to a Raspberry Pi for instance.

Updating underlying infrastructure is a great way of bringing out the bugs in the code above. So MS updating XP may make it more secure, but break software too. Even if you do backwards compatibility "bug for bug" to prevent this, it still can cause issues. Things should always be isolated but at the same time they must interact with other things and implementation particulars do bleed across even when the interface itself is static.

You can isolate old machines, but that can make it hard to work with. An example is file sharing, you want to be able to share files to/from the old machine, but the sharing mechanism itself can be the vulnerability. The best solution is to be able to update everything.

This I see as a real growing issue with the internet of things, or as I like to call it, the internet of infected things...... But that is a rant in itself.

The only solution I see is to have all the source in a database, with dependencies, build dependencies and conflicts, like in Linux/BSD/Unix repositories. You can then fix up everything to build against one up to date version of each lib. Plus only the libs you really need and only for the processor architecture you are running. After years on RISC OS and then Windows, coming to Debian and finding this was like stumbling on some crazy computer nerd utopia. Years later, it still floors me we have this. But again, rant in itself.

Anyway, I hope I've got my point across. Just updating XP is barely a plaster on the real issue of being able to update. In a hundred years, they will be wondering what we were thinking having this un-updatable mess we have now. I think they will see the beginning of computers as largely a "digital dark age" because so much will be lost due to no source or publicly documented standards.

Sorry for the length, but now the itch is scratched. :-)

Joe

What does everyone think?

Title: Re: Why don't companies make their drivers open source?
Post by: chris on 26/05/2017 14:34:42
How wonderfully refreshing to hear your perspective, Joe, and that it should be one with which I agree totally. I had a similar Linux epiphany about 4 years ago. The line that captures it perfectly is what (I think, if I recall correctly) Debian prints on the screen as it installs "Prepare to take back control of your computer!"

You're absolutely right regarding how we future-proof hardware and software. Regrettably a lot of the stuff is locked up so tight in patents and money-making that the source code never sees the light of day. However, I think that with the next generation of computer geeks in the making, which enterprises like the Raspberry Pi are helping to nurture, we will see a step change and a regime shift towards more of this "open source" activity. Manufacturers just need to see it as beneficial to their business to do this. I think the thing that will drive it hard is the IoT and security. People will (hopefully) begin to demand more software transparency so that they can see the code that is running on whatever they have just ordered from China and they want the reassurance that it is not leaving the factory shot full of backdoors and trojans. In fact, if governments legislated towards this then it might provide the solution to the security apocalypse I see looming on the horizon.