OVER THE PAST FEW YEARS, every month, I have pored over Net Applications' Netmarketshare figures and tried to turn them into something meaningful. Those numbers sometimes only shift by tiny amounts and, sometimes, I find myself wondering why I spend so long analysing them.
Well, the recent WannaCry cyber attack has sort of vindicated all that for me. It's a reminder that when push comes to shove, market forces are to blame for… well, most things. Because if there's one thing we've learned it's that once operating systems are declared end-of-life, those who haven't upgraded at that point take a long time to change.
When we are just weeks out from a general election, it's not really appropriate to shove my personal political doctrine down the throats of people who have just come to INQ for a dose of tech news. I think that over the past four years, people have the cut of my 'Citizen Chris' jib, but I'm getting increasingly frustrated with the blame game that is getting thrown around towards the NHS for not updating their systems from Windows XP.
A step back for a moment. A few people, responding to my Twitter-bile (I'm nice really) have said that they work in departments where they have upgraded from XP or indeed never used it at all.
I'm using XP here as shorthand for all the affected operating systems, including the many servers still running on obsolete versions of Windows Server. A local company I noticed the other day was still running Windows 2000. There are investment banks that still use web apps that require IE6 compatibility. So don't think this is all about XP.
Fundamentally, saying you've upgraded (as far as you can see day-to-day) is fine and dandy, but the vulnerability comes from having any - and I mean any - out of date operating systems in your network - once it's in, it's in, so if any old computers remain, there's an issue.
In a lot of cases, the NHS and Met Police, the two biggest UK users of out-of-date systems have "mostly upgraded". Which is a bit like being "mostly married" but still having it away once a week behind the bins with a skanky ho after cribbage league.
But, let's be clear. It's not the fault of the NHS. After self-redacting a leftie Corbynista paragraph about years of underfunding of the NHS system, which, let's face it, needs to put all its money into, you know, healing the sick rather than fixing that which at least seems "unbroke", let's focus on the things that could have been done. And surprise, surprise, I am looking in your direction, Microsoft.
I get it. Windows XP is old. XP can't stand up to the rigours of the online lifestyle we now lead. And yes, we got plenty of warning that XP was going to go bye-bye, but I can't help feeling that The Men In The High Castle, controlling over 90 per cent of the world's computers have a bit more responsibility than to say "OK - you're on your own after this date, and it's not our problem… bye!"
Brad Smith lashed out at the world's governments and intelligence agencies in a powerful and, for the most part, righteous blog post, in which he said: "The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.
"We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new "Digital Geneva Convention" to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them."
This reads to me as an attempt to absolve Microsoft from any responsibility. And the fact is, according to research from Spiceworks as of 40 days ago, there are 52 per cent of businesses worldwide running at least one instance of XP. It only takes one bad apple in each bushel.
It strikes me that there's a massive amount of hypocrisy at play here. Big pat on the back for Microsoft for releasing a patch to protect people from WannaCry, but isn't Microsoft the same company that only last month set a kill-switch on Windows 7 and 8 (with three and five years to end-of-life, respectively) for machines with Kaby Lake chips (less than two years old) because of a perceived security risk?
I said at the time, it was a ruse to force upgrades and to make more money. Meanwhile, users of XP and Vista were left vulnerable and Microsoft did nothing. And now this has happened. It was a ticking time bomb of "we told you so" (and you only have to do a search of this site to see that we've all been on this bandwagon for years, and angry as hell).
Surely, if Microsoft is really concerned, they would have either given XP and Vista users a free upgrade, as well as those of 7 and 8, or, knowing how cash-strapped public services are and how a lag could easily cause an outbreak such as this to spread, actively helped organisations like the NHS to upgrade their systems, especially where specialist systems run on top of XP.
Or, and just hear me out here, perhaps they could consider making Windows 10, which clearly is doing badly against projections at 500 million machines, compared to an aim of 2 billion, into a free upgrade again, and using the open source model of offering a free OS, charging businesses for servicing it, but with a cost-price offer to essential services like the NHS?
In other words, perhaps Microsoft needs to come down off its high-horse. Governments and middle-managers don't understand what a big deal cybersecurity is, until it happens to them. Microsoft does. And it has a responsibility. It gets it. It could have kill-switched. It didn't.
"But wait Chris, aren't you the coiner of the term 'Updategate' and have you not spent the last few years railing against exactly this sort of behaviour from Microsoft? And therefore, Chris, aren't you a bit of a frickin' hypocrite?"
Yes. And no. I can't deny that I have not been comfortable with the way Windows 10 has enforced itself on people. But - and I can't emphasise this enough - the difference is motive and method.
It's one thing to shove your latest operating system down people's throats, without their knowledge, and before they are ready. However, if Microsoft invested in supporting the changeover, supporting those that can't afford commercial help, and holding people's hands through the process of upgrading, that would have been a different thing.
But by cutting off the users that needed the assistance the most, Microsoft failed in a duty of care, but moreover, it could have saved billions for the rest of us and probably come out of this looking like angels. And don't tell me it's not financially possible - it's exactly how the multi-billion pound open source community works. And it does so brilliantly.
Microsoft has finally got the right idea. Windows-as-a-Service will mean that either this will never happen again, or that we'll all go down together, hopefully, the former. But… and it's a big, J-Lo sized but, in order to do that, Microsoft needs to scrub the slate clean.
So here's what I propose. Pick a date, Microsoft. Say, three years' time. On that date kill off everything before Windows-as-a-Service. BUT in the meantime - everyone and I mean EVERYONE, the individuals, the blue chips, the nerds, the geeks, the shops, the pirates, the fire stations, Kevin, everyone, gets a free upgrade to Windows 10, the latest version of Windows Server or whatever they need. Stop trying to make money out of Windows, at least for now. It'll be worth the hit in the long run. Can't be worse than Windows Mobile, after all.
Everyone can apply for whatever help they need in rolling it out. And yes, big multi-nationals pay. But small businesses and not-for-profits don't.
If you're serious about a wake-up-call, Microsoft - YOU need to reset the clock. You're the only ones who can. You can blame the NSA or the terrorists or the hackers or the Commodore f*cking 64 users, I don't care - but you have the power to fix it for good, for society, for the future and you are going to come out of it loaded, and having actually done something good for your fellow man, and won't that feel nice for a change?
Now. Go. µ