• M0oP0o@mander.xyz · 12 up / 1 down · 4 days ago

    This is the issue I have with people talking about how “you MUST always run the most up to date software”. They don’t understand that in large enterprise it is common for function and security to not update unless there is a damn good reason. The very idea that the newest version is the best is just marketing brainwashing and does not hold up to the reality of use.

    • the_crotch@sh.itjust.works · 5 up · 4 days ago

      25H2 is a feature update. 24H2, for now, gets all the same security fixes. When people say “always run the latest” they mean stay on a supported OS and always have as many security updates as possible within reason.

        • M0oP0o@mander.xyz · 5 up / 6 down · 4 days ago

        And they are laughably wrong. It's always the wannabe system admins with 4 end users spouting that nonsense. You get into any big organization and legacy becomes a larger and larger part of the way things are kept running. Hell, just for shits and giggles look at the back end of blood banks, government, airports and non-blood-bank back-end infrastructure. I would be shocked if anything was running on less than a decade old software. Hell, people think that software hardened over years should just be tossed out the window because the company (who has now made it clear they don't even know what they are doing) released a version with a bigger number.

        Just what are they teaching these days? No OS is secure; exploits and vulnerabilities are in them all. This should not be a hot take, but all I see is lazy IT departments offloading responsibility left and right. The correct way to handle this has always been from a risk management approach. You need to assume you're not ever secure, make backups, develop a plan to recover after an event, and if you have sensitive data, handle it like it was sensitive. Nowadays we have usernames and passwords stored in the same databases, plain-text critical data, lack of redundancy at all levels, and a slick sales package to justify it all.

        • Valmond@lemmy.dbzer0.com · 3 up · 4 days ago

          I worked in hospital payments, they used gcc 4.4 in 2023 (but renamed 4.8 for some reason), no TLS, code is 30+ years old. Only impacts a bunch of millions of people.

          But having access to the server? No no IT cannot let you have that :-D

          Fascinating and a bit scary.

          • M0oP0o@mander.xyz · 2 up · 3 days ago

            Eh, it's only scary if you don't see how bad a new rollout normally goes. Software is a tool, and people should remember that.

            But yes, hospitals are the worst for legacy systems (even outside of the US). I still remember having to relearn how to fix dot matrix printers because the hospital was still using them and had them under contract in 2015.

        • the_crotch@sh.itjust.works · 2 up · 3 days ago

          You get into any big organization and legacy becomes a larger and larger part of the way things are kept running. Hell just for shits and giggles look at the back end of blood banks, government, airports and non blood banks back end infrastructure. I would be shocked if anything was running on less then a decade old software.

          Maybe on the backend or specialized single-purpose appliances. Running decade-old OSes on workstations is negligence bordering on malpractice.

            • the_crotch@sh.itjust.works · 1 up · 3 days ago

              I literally work for a government agency lol, what you're saying is nonsense. If they worked the way you're describing, the compliance guys' heads would explode and federal agencies would be brought in to oversee upgrades for the next decade.