The homemade structural IT crisis

[German] We currently afford ourselves an IT infrastructure that is extremely vulnerable to cyber attacks. And we afford ourselves monopolies that allow manufacturers to lead users around the arena by a 'nose ring'. Here are a few thoughts.



Security: The structural IT crisis

A few days ago I came across a very interesting article, Alarm im Datenland, at the German news site Brandeins. In it, Konstanze Kurz and Frank Rieger from the Chaos Computer Club (CCC) address the question of why our IT systems are so vulnerable. Every day we receive reports of security incidents in the IT sector in which data is exfiltrated or IT systems are rendered unusable. Their message: there is an IT crisis, and it is structural. But nobody is talking or writing about it.

Their observation is that we have become accustomed to IT attacks, or no longer even notice them, as long as we are not victims ourselves or at least indirectly affected. Then follow some interesting postulates as to why software quality and security are declining. The authors write that the culture of the digital industries is based on the following dogma:

  • Speed counts. Being first to market and beating competitors through faster development and more radical technological progress is the principle of the start-up culture from which our digital world was born.
  • Impatience, restlessness and an obsession with speed are, along with ambition, the characteristics of the founders of the tech empires.
  • Go to market with an unfinished product if necessary; the main thing is to get there before the competitors.

For a long time, Facebook's motto was "Move fast and break things", i.e. be fast and break things if necessary. The authors name another problem of the industry; here is the quote:

Reliable and binding assurances of product characteristics, clear warranty promises in case of defects and reliable liability for damages are traditionally a no-go. Software is not bought, but usually licensed or rented as a cloud service.

And we all know what happens when there is a problem: 'Let's fix it in one of the next updates'. When the patch comes, whether it really helps or even introduces new problems is often unknown. The article is well worth reading, as it highlights the IT industry's lack of a security culture and its structural problems with software development and quality.

Additional thoughts

But the whole thing needs to be taken one step further. This is what I was thinking about the week I wrote the article Does Windows 10 V1803 Home/Pro still get updates? The point is that this version of Windows 10 was supposed to have been out of support since November 2019, but Home and Pro editions could still receive updates (until February 2020). In March 2020, this possibility was closed. This small incident shows how broken the whole IT industry and the Windows ecosystem actually are.



Microsoft's message to its users has been for years: we are reliable and give you information you can rely on, and we provide updates for our products to keep them secure. But it's all bullshit. Using Windows 10, the Windows as a service approach and Microsoft's statements as examples, I once again became aware of the 'nose ring' by which we users are dragged around.

Android, the broken ecosystem

First a small change of perspective: there is Android from Google, which can only be described as absolutely broken in terms of security and of its ecosystem. Google has promised a minimum of 18 months of support for new Android devices. But even this often does not hold: vendors often ship Android updates on a three-month cycle, and only with a lot of luck for more than 18 months. And 18 months of support after a model's introduction is nothing; the industry is producing expensive electronic waste. Put in an exaggerated way: in terms of security updates, Android devices are already obsolete by the time they hit the stores.

A few days ago I had the post BSI recommendation for smartphones: 5 years of updates here in the blog. It should be a wake-up call that devices must get at least 5 years of security updates (which is currently a pious wish from the user's point of view). If you are technically fit, you can install Lineage OS on your devices and get updates and new Android versions for a while longer. Last week I brought a Samsung Galaxy S4 to Lineage OS 16 (Android 9) using this guide. Samsung stopped updating this model many years ago. Yet the community proves that even Android 9 still runs on this device. If you want to be halfway secure, buy a simple mobile phone without Android that can only make phone calls.

Redmond is (unfortunately) on the same track

Redmond claims to have 1 billion Windows 10 systems. Windows is (on the desktop) the backbone of the industry, and Microsoft has a monopoly with almost 90% of the market. In small companies, in machine control systems, in medical devices and so on, millions of Windows Pro systems are at work.

Until Windows 8.1, a Windows version received 5 years of mainstream support and 5 years of extended support. Something industry could just about live with. Since Windows 10, Microsoft marketing has been systematically destroying this successful basis of Windows. Since September 2018, Microsoft has been preaching that the spring updates get 18 months of support but the fall updates 30 months (see Windows 10 Support extended to 30 months (sometimes)). The latter only applies to the Enterprise (and Education) editions. Do you notice something?

Just to note: the 18 and 30 months of support are solely the result of marketing decisions by Microsoft. Microsoft has set up a huge capital destruction program called Windows 10. Every 6 months, millions of Windows systems run the risk of mutating into electronic trash through feature updates.
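To see what that 18/30-month rule means for a fleet, here is a small triage script that applies it to an inventory of Windows 10 installs. This is an added example written for this page, not code from the original post or from Microsoft: the release dates in it are the general-availability dates of versions 1803, 1809, 1903 and 1909; the hostnames and inventory are constructed sample data; and the function names (`servicing_months`, `end_of_service`, `classify`, `triage`) are my own. It computes the nominal end of service as release date plus 18 or 30 months. Microsoft aligns the real date to a Patch Tuesday and has granted one-off extensions to some versions, so treat the result as approximate (within a few weeks) and use the official lifecycle list for the last word.

```python
"""Windows 10 servicing-window triage (added example, not from the post).

Encodes the rule described above: H1 ("spring") releases get 18 months of
servicing for every edition; H2 ("fall") releases from 1809 on get 30 months
for Enterprise/Education but still only 18 months for Home/Pro.

The nominal end-of-service date is release date + N months. Microsoft aligns
the real date to a Patch Tuesday and has granted one-off extensions to some
versions, so the result is approximate. The inventory at the bottom is
constructed sample data.
"""
import calendar
from datetime import date

# General-availability dates of the versions discussed in the post.
RELEASE_DATES = {
    "1803": date(2018, 4, 30),
    "1809": date(2018, 11, 13),
    "1903": date(2019, 5, 21),
    "1909": date(2019, 11, 12),
}

# Editions that get the 30-month window on H2 releases.
LONG_SERVICED_EDITIONS = {"Enterprise", "Education"}


def add_months(d: date, months: int) -> date:
    """Shift d by a number of months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def servicing_months(version: str, edition: str) -> int:
    """18 months for everything, except H2 releases (1809 and later) on Enterprise/Education: 30."""
    if version not in RELEASE_DATES:
        raise ValueError(f"unknown Windows 10 version {version!r}")
    # Fall releases carry a "09" suffix (1809, 1909, ...); the rule starts with 1809.
    is_fall_release = version.endswith("09") and int(version) >= 1809
    if is_fall_release and edition in LONG_SERVICED_EDITIONS:
        return 30
    return 18


def end_of_service(version: str, edition: str) -> date:
    """Nominal end of service: release date plus the servicing window."""
    months = servicing_months(version, edition)
    return add_months(RELEASE_DATES[version], months)


def classify(version: str, edition: str, today, warn_days: int = 180) -> str:
    """'unsupported' once past end of service, 'expiring' within warn_days, else 'supported'.

    `today` may be a date or an ISO-8601 string such as "2020-03-01".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    remaining = (end_of_service(version, edition) - today).days
    if remaining < 0:
        return "unsupported"
    if remaining <= warn_days:
        return "expiring"
    return "supported"


def triage(inventory, today):
    """Annotate each (host, version, edition) with its nominal end of service and status."""
    return [
        {
            "host": host,
            "version": version,
            "edition": edition,
            "end_of_service": end_of_service(version, edition),
            "status": classify(version, edition, today),
        }
        for host, version, edition in inventory
    ]


# Constructed sample inventory: hostnames and version assignments are made up.
SAMPLE_INVENTORY = [
    ("lab-pc-01", "1803", "Pro"),
    ("scada-hmi-02", "1809", "Pro"),
    ("scada-hmi-03", "1809", "Enterprise"),
    ("office-07", "1909", "Pro"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, "2020-03-01"):
        print(f"{row['host']:<14} {row['version']} {row['edition']:<11} "
              f"EOS ~{row['end_of_service']}  {row['status']}")
```

Run it with a real inventory export (hostname, `ReleaseId`, edition) and the point of the post becomes visible in one screen: the two 1809 machines sit side by side, and the Pro one drops out of support a full year before the Enterprise one, purely because of the edition printed on the license.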

It is true that, in theory, you can upgrade to the next Windows 10 version via a feature update in order to stay in support. But all machines that cannot take a feature update because of hardware or software issues have to be sorted out and replaced.

And if you look at the buggy Windows 10 versions from 1809 to 190x, upgrading to a new version is more of a threat than a temptation. What has Microsoft really delivered in terms of innovation in the 4.5 years of Windows 10? I can't think of anything! Wait, new innovative icons are supposedly now available 'as a new killer feature', if I believe some blogs and websites. And occasionally we see a refreshed app (but Store apps are dead).

What the customer needs is no longer delivered

If you, like me, come from an industrial background, you may see the problem: if you design a machine, medical or laboratory equipment with Windows supervisory software, or a SCADA system for industrial control, you will face serious issues with the 'Windows as a service' approach. It's not practical to run such systems on Windows 10 Pro with its semi-annual feature upgrades. Even 10 years of support is pretty short for industrial plants that are designed for a lifetime of 20 or more years.

A good approach from the past is being systematically downgraded with Windows 10, and that won't get better in the future. We had decades of an ecosystem where we could be sure that a Windows operating system would get at least 5 years of mainstream support, followed by another 5 years of extended support. With Windows 7, there is an additional 3-year support period (ESU) because industrial customers demand it.

Frankly spoken: these support periods are already too short for industrial systems. Until a new Windows version arrives in new SCADA products or devices, 3 to 4 years may pass, leaving 6 to 7 years in which the products still get support. If project planning and construction of a plant take another 1 to 2 years, the Windows systems are supported for just 4 to 5 more years at the point they are installed.

We deserve no better

And now the Redmond marketing department is dragging this Windows ecosystem down to the rubbish level of Android, with 18-month support cycles. But the brainwashing from Redmond works. We have been pulled around the arena by Microsoft by the nose ring for years (myself included). And the crowd is thrilled by the newly colored icons.

Here in the blog I had written about the possibilities of ESU to keep Windows 7 secure in order to be able to keep using the operating system. A comment on Facebook: 'Guys, switch to Windows 10, you have to look at the new exciting developments'. That's what I often hear. I spontaneously asked myself: how naive do you have to be to still not have noticed what is going on?




This entry was posted in issue, Security, Software.
