It is a terrible business and business arrangement (eg, the original contracts to purchase said software or equipment that uses software) that doesn't insist that the purchased software/machine run on manufacturer (in this case Microsoft) approved OSs. If the manufacturer says upgrade, then upgrade. When you purchase software and equipment, this should be part of any standard contract.
People in the know have been complaining about this for many years, and it's corporate bean counters that collude with a sclerotic corporate IT mentality to be conservative in all things including software.
And the reality is, the overwhelming majority of IT people have no training or background in risk assessment; they are not computer security people. But the bean counters, always optimizing, without good information let alone perfect information, have assessed risk incorrectly. And now there's a wildfire in progress, and, being basically incompetent at the task they were handed, they are all surprised.
Many other people who have considered this eventuality are not surprised.
> "And the reality is, the overwhelming majority of IT people have no training or background in risk assessment,..."
But in this case, as in the case of the credit card hacks of Target and Home Depot, it was simply a matter of following the manufacturers' maintenance instructions and upgrading the OS from an unsupported version to a supported version.
As many have pointed out, in the case of Windows 10, the upgrades had been free at no charge from Microsoft.
As many others have pointed out, the software the company needs to run on that OS may not run on Windows 10, may not be supported on Windows 10, or may require a whole new licensing scheme and fees to move to a version of the software that will run on Windows 10. And IT and bean counters have very typically taken the position of "if it's not broken, don't fix it" and do not consider constant migration to be in their best interest.
Also, that it was free for consumers doesn't mean it was free for enterprises. That licensing is different. And even if the licensing is free, the cost of the know-how for your IT staff is not free. Either you're getting new staff who can support it, or you're sending the staff to currency training. Doctors, lawyers, and pilots have done such recurrency training for decades, but in IT it's not a given; it's very much driven by the CTO. And some of them do not care to have a staff more capable than minions. They're cheap. That's all they care about. And then this happens, and they quickly will have to look for someone to blame.
The bean counters ultimately work for the shareholders if a public corporation or the public if it is government. The shareholders empower management and the public elects their leadership.
The CEO of Target got fired for not upgrading their point-of-sale software from an unsupported version of Microsoft Windows Embedded (XP) to a later version, which caused their system to be hacked.
Ultimately, this is going to be a problem as long as firms don't treat computers as any other form of capital equipment (such as repair vehicles) that need ongoing maintenance. Boards need to be asking their management about keeping their capital equipment under maintenance.
As for software that doesn't run on Windows 10, perhaps it is best to avoid firms that produce software where they don't upgrade it to the most secure version of the OS. I think this is mostly a hypothetical for most and it is probably important that firms change vendors if the vendor isn't willing to upgrade to the latest version of the OS.
There is a class of bean counters that specialize in assessing risk quantitatively. They would be found in the insurance industry. Though I would caveat that with the guess that the vast majority of that assessment is with models of risk attached to lines of insurance that have been long established and change fairly slowly.
> It is a terrible business and business arrangement (eg, the original contracts to purchase said software or equipment that uses software) that doesn't insist that the purchased software/machine run on manufacturer (in this case Microsoft) approved OSs.
So your answer to the difficulty in making an OS secure is that anyone writing an application to run on that OS should instead be contractually required to support that application on arbitrary future OSes that don't even exist yet?
Good luck getting anyone to supply anything on that basis. You'll need it.
> So your answer to the difficulty in making an OS secure is that anyone writing an application to run on that OS should instead be contractually required to support that application on arbitrary future OSes that don't even exist yet?
A piece of software that is operating on a non-supported OS is not a functioning piece of software. Usually, when software in the corporate environment is purchased, it is with a maintenance agreement, or it should be. Part of the maintenance agreement should be for future versions of the OS from the same software vendor (eg, Microsoft in this case).
Perhaps in the future with more and more apps going from Desktop to SAAS or mobile this might be less of a problem. Don't know.
> A piece of software that is operating on a non-supported OS is not a functioning piece of software.
Why not, exactly? What is mysteriously going to stop working just because someone's legal arrangement expired?
Or to be blunt, how many people do you think we should kill by not using medical technology bought at great cost just because some lawyers would like a bit more money please?
> Usually, when software in the corporate environment is purchased, it is with a maintenance agreement or it should be. Part of the maintenance agreement should be for future versions of the OS from the same software vendor (eg, Microsoft in this case).
That's a lovely theory, but in the real world organisations buy very useful, very expensive equipment all the time with the expectation that its useful lifetime will be longer than any currently available OS is officially supported for. Moreover, in many cases it might not be economic to purchase at all without that. This is why standards and compatibility are so important.
> Perhaps in the future with more and more apps going from Desktop to SAAS or mobile this might be less of a problem.
Heaven help us if anything important ever moves to SAAS, because no-one else will. SAAS is sometimes useful for convenience or short term flexibility. Self-hosted is for professionals who need guarantees.
> "Why not, exactly? What is mysteriously going to stop working just because someone's legal arrangement expired?"
No, it is about engineering and resiliency as opposed to just getting something to work. Would you fly on a plane with unsupported software?
Firms can choose to use unsupported software at their own risk (at least in most situations -- there may be situations where it is illegal to do so such as mission critical safety systems).
> "That's a lovely theory, but in the real world organisations buy very useful, very expensive equipment all the time with the expectation that its useful lifetime will be longer than any currently available OS is officially supported for."
First, I don't know if that's true about the expectation that a very expensive piece of equipment is expected to run on unsupported software. If it is truly an expensive piece of equipment, it usually comes with maintenance agreements (eg, MRI scanner, CT scanner), and in that case the vendor can't be using unsupported software. It should be part of the FDA approval process that that be the case, but I don't know for certain.
Regarding SAAS, it might be a private firm's server (farm), but one that is a server nonetheless, which is easier on upgrades than entire sets of desktop systems.
I believe that firms that use unsupported, outdated software open themselves up to various liabilities.