Monday, May 26, 2014

Release your old code please

Recently, Microsoft stopped supporting Windows XP (support ended on April 8, 2014). This is not a surprise. They said they were going to, and it's old. I believe in their right to stop releasing security patches, but a problem remains: XP is still out there. It is out there for a lot of reasons: to support old hardware, to support old software, or because the cost of changing is simply too high right now for some individuals and organizations. And now XP has vulnerabilities that are never going to be patched, which makes it an easy target for cyber criminals.

I am a firm believer that the security of the entire Internet affects the security of every network. There are many reasons for this. Think about being a neighbor in your community: if you see someone robbing your neighbor's house, you don't, or shouldn't, think, "Serves him right, he didn't buy the most up-to-date security system and locks." No, a good neighbor realizes that the robber is in the wrong, or at least a smart neighbor realizes that with this criminal targeting his neighborhood on the loose, his house may be next.

Another reason to think about how security affects us all is to consider how much organizations spend on the security of their information systems, when all it takes is one employee taking that information home to work on and having it compromised on his old XP machine.

I do not intend to pick on just XP or Microsoft. There are numerous products on networks, whether connected to the Internet or isolated, that are no longer supported and no longer receiving security updates. The number of such outdated products is only going to grow as we connect more and more systems to the network. One example would be a network-enabled electrical control system for your home. Do you pay for a completely new system once the manufacturer stops making firmware updates?

So we are all affected, and the easier it is to make a living as a cyber criminal, just as with the non-cyber equivalent, the more likely everyone is to fall victim to more crimes, and the more sophisticated the criminal organizations that will emerge.

I recently read an article, which I unfortunately lost, that suggested organizations release their source code when they stop making security patches. I agree 100%. The clear advantage is that the open source community would be able to patch vulnerabilities, or another company could make money selling patches. It may also give companies room to upgrade hardware while they save the money to replace software that depends on an older OS or other unsupported dependency.

The companies selling those products, however, will not like this. Many release only small upgrades between versions and reuse the majority of their code, so releasing the old version would expose most of the current one; this may mean it takes longer for new versions of products to come out. Those companies should really extend support for the older version if there are only nominal differences in the source code. Others may have functions or routines that they consider critical to the products they sell, such as voice recognition software. I would suggest they either obtain a patent for those methods or continue to support updates for those key portions of the application.

I do not believe that it would stifle innovation. Even in the open source world, products are not supported forever. It would actually encourage companies to make more innovative releases to get their customers to make the jump.

It really comes down to national security, the security of citizens, and the national interest that the source code of these products become public domain.