Windows XP, Anyone?

Donald Pittendrigh

Hi All

It is simple enough to re-install windows on the machine and activate the licence correctly so this makes little difference.

>Wow, I thought they would at least leave enough system to
>log on to Microsoft and activate it.

There are 2 ways I can think of that this software can still be running: 1) it was pre-activated for you, in which case I am sure the vendor would let you know, as he is providing an additional service which, as a Microsoft partner, he is not obliged to do, or 2) the installed copy is "cracked", in other words the copy protection has been bypassed (illegally).

>It must be legal, Gateway would not take a chance on
>annoying microsoft.

The software does/did/will function correctly until the Windows Activation scheme shuts it down (that is, once again, assuming it still requires activation). As the shutting down is the way it is expected to work, there would not be any form of comeback on the machine supplier's side.

<clip>

Regards
Donald Pittendrigh
 
Vladimir E. Zyubin

It is just an opinion... that somebody tries to represent as a part of the EULA. "I am not a lawyer", but an irresponsible third-party opinion makes no sense in the suits against MS.

And again: please don't try to reduce the question of safety and productive efficiency to a question of ill-founded suspicions.

--
Best regards.
Vladimir E. Zyubin mailto:[email protected]
 
Mark Hill:
> For those of you who don't trust MS's explanation of WPA, I suggest
> you visit a German company called "Fully Licensed" and see what they
> say.

We don't have a problem with MS's explanation of WPA. What we do have a problem with are the following two:

- 1 - The continued availability of WPA keys at all times, at the point
of installation, for the foreseeable future. Particularly the last
was a concern given Microsoft's four-year product support cycles.

As of 15th of October 2002, MS has changed this to seven to eight
years, which is a significant improvement, but still relatively
short as far as automation is concerned.

(Note that some of this support must be purchased within a 3-month
window at the end of five years.)

- 2 - The licence term that "upgrades or fixes ... will be automatically
downloaded to your Workstation Computer". Stated as it is with no
further qualification, it is not acceptable in situations where
consistency of performance is an issue.

Jiri
--
Jiri Baum <[email protected]> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools
 
Mark Hill:
> Thanks for the link Curt.... but why on earth would any financial
> institution have a server connected to the internet with Automatic
> Update turned on?

In the case of a financial institution, it's at least as much about the paperwork as it is about what actually happens. If the fine print says
MS is allowed to do this, it's a problem in and of itself, regardless of whether or not it actually does.

I suspect it'll be a similar problem for anything the FDA has to OK.

(Once again, this isn't about Automatic Update but about the EULA.)

> The man is an idiot.

Or else he knows something about covert channels: if there's an MS box on one end, and MS on the other, it's non-trivial to actually stop them
from communicating. Military-grade covert channel analysis used to be allowed to leave holes up to 100 bit/s - a very slow modem - and few if any firewalls are up to that standard.

Jiri
--
Jiri Baum <[email protected]> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools
 
Well, they do provide internet services these days. And that brings us back to the matter of whether it matters if you turn it on or not. And I consider MS sending data from your computer to be even worse. No matter what it relates to, their assertion that they have this right makes it an insecure system, period. But, I wouldn't be using Windows for anything important anyway. Resolving the conflict wouldn't be a problem.
Actually, my interest in this is how anyone in a position of data stewardship can possibly justify or even tolerate this. It's like leaving the vault unlocked.

Regards

cww
 
Hi All,

For those who wish to or are "forced" to use Windows XP for critical industrial applications the practical solutions (consider them draft guidelines on using XP in industrial applications) would seem to be:

1. WPA keys: Use an OEM version of XP rather than a retail version. OEM versions are available which are activated by the presence of the correct manufacturer ID in the motherboard BIOS and hence do not need to communicate with Microsoft to be activated, and which do not depend on any other hardware components. Site licenses may also be an option depending on the end user. You may have to buy a name brand PC to get this, but if the application's critical, so be it. The extra cost for the hardware may well be compensated by the low cost of the bundled copy of XP relative to the cost of the retail version.

2. Updates: either:

a) don't connect to the Internet and install upgrades if and when you need them from a CD which you can purchase from Microsoft. Test the upgrades on an off line PC with your other applications before installing on the live PC or swapping the live PC for the upgraded PC.

b) if you must connect to the Internet, disable LiveUpdate and connect via a gateway/firewall. Configure the gateway to block access to any Microsoft sites as well as blocking all sorts of other potential nasties like ActiveX controls etc. Unless you really know what you are doing, or if your application is particularly critical, get a security expert to configure the gateway. Update the PC using a CD as per a) above.

3. Don't use XP for critical real time control applications unless you really know what you are doing. It's not designed for this.

4. If you're worried about possible breaches of the XP EULA in doing any of the above seek legal advice. If you don't know why I say this then go back and read the previous posts on this topic.

Any other suggestions which could be added to this list?

Regards

Peter Whalley
Magenta Communications Pty Ltd
Melbourne, VIC, Australia
e-mail: peter*no-spam*@magentacomm.com.au
delete *no-spam* before sending
 
Ranjan Acharya

Good start, I would add:

5) Replace the EXPLORER.EXE desktop with a third-party one that locks it down (make it look as little like the system they are using at home as possible).

6) Consider anti-virus software if your machine has to have an active CD / Floppy / other drive - alternatively, disable CD, floppy et cetera as soon as the machine is plugged in.

7) Keep all industrial systems in an intranet dedicated to your particular area e.g., product A intranet (receiving, batching, processing, packaging, shipping - all linked by SCADA and then via some sort of secure link at one point to ERP, MES, OEE and so on). At all costs, keep it off the corporate network - get ready to slug it out with the IT folks.

8) Implement things like SANS Windows NT / 2000 / XP Security Guidelines and pay attention to things like "Common Criteria Security Configuration" (XP does not have this "window dressing" yet, 2000 just got it as long as you follow the rules).

9) Consider not using Windows at all :). Sounds silly but I rarely find an end user who is not aching for a viable alternative driven by a major OEM.

10) Don't use IIS. Tough one not to use if your control system OEM is tied up with M$.

RA
 
Ranjan Acharya:
> 5) Replace the EXPLORER.EXE desktop with a third-party one that locks
> it down (make it look as little like the system they are using at
> home as possible).
...
> 7) Keep all industrial systems in an intranet dedicated to your
> particular area e.g., product A intranet (receiving, batching,
> processing, packaging, shipping - all linked by SCADA and then via
> some sort of secure link at one point to ERP, MES, OEE and so on). At
> all costs, keep it off the corporate network - get ready to slug it
> out with the IT folks.

> 8) Implement things like SANS Windows NT / 2000 / XP Security
> Guidelines and pay attention to things like "Common Criteria Security
> Configuration" (XP does not have this "window dressing" yet, 2000 just
> got it as long as you follow the rules).

Cool, this should make things like (7), (2) etc easier - CAPP assumes that the entire network is operating under the one set of security
constraints under the one management. Assuming you can push it through, of course, but being an official document from Microsoft should help.

Of course, getting a competent sysadmin assigned won't be trivial, because of the cost, even if it does say so...

> 9) Consider not using Windows at all :). Sounds silly but I rarely
> find an end user who is not aching for a viable alternative driven by
> a major OEM.

And if you're going to do (5), then it doesn't make much difference after that, does it...

> 10) Don't use IIS. Tough one not to use if your control system OEM is
> tied up with M$.

> On October 31, 2002, Peter Whalley wrote:
...
> > 2. Updates: either:

> > a) don't connect to the Internet and install upgrades if and when
> > you need them from a CD which you can purchase from Microsoft. Test
> > the upgrades on an off line PC with your other applications before
> > installing on the live PC or swapping the live PC for the upgraded
> > PC.

> > b) if you must connect to the Internet, disable LiveUpdate and
> > connect via a gateway/firewall. Configure the gateway to block
> > access to any Microsoft sites as well as blocking all sorts of other
> > potential nasties like ActiveX controls etc. Unless you really know
> > what you are doing or if your application is particularly critical,
> > get a security expert to configure the gateway. Update the PC using
> > a CD as per a) above.

Jiri
--
Jiri Baum <[email protected]> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools
 
Vladimir E. Zyubin

No need to be a lawyer in our case.

....I am afraid I must disappoint you - in our case the word "may" means "will" and nothing more.

And I believe you when you are saying "I'm not a lawyer", so I expect you will believe me that I am not a conspiracy theorist...

(...though I agree with you there is food for thought for the men that are interested in national security questions around the world ;-) not only in Australia and Europe, but in the USA as well)

--
Best regards.
Vladimir E. Zyubin mailto:[email protected]
 
> From: Vladimir E. Zyubin
> ....I am afraid I must disappoint you - in our case the word "may" means
> "will" and nothing more.

Cool ! We are now free to make a word mean whatever we feel like it should mean. I'll be stoked the next time one of those Publisher's
Clearinghouse letters comes in the mail announcing that I "may" have won a million bucks.

From http://www.control.com/1026152593/index_html :

"It is just a violation of the identity principle.
(the requirement that any correct term shall not allow double meanings).
The identity principle is one of the base methodology principles of
science and logic."

The author of this forgot to mention "MiSREP": the Microsoft Reason Exclusion Principle. The theory behind this principle is way over my head, but its effect is easy to see: any general discussion about Windows runs on forever, without a sustained connection to reality.

JK
 
Vladimir E. Zyubin

Hello Jay,

The Collins English Dictionary I open states that the word "may" (only as a verb) has ten meanings... but I cannot catch the problem with the understanding in our case...

When an End-User signs the EULA it means the End-User is in agreement that MS _will_ change his soft. I am sorry, but it is very strange I have to chew this triviality for somebody...

--
Best regards.
Vladimir E. Zyubin mailto:[email protected]
 
> Any other suggestions which could be added to this list?<

Yes, Please help me convince the automation vendors to port to Linux and we can avoid all this hassle and solve many other problems as well.

Regards

cww
 
Joe Jansen/ENGR/HQ/KEMET/US

I've been doing my part. I have convinced one of the Omron app engineers at corp HQ in Schaumburg, Illinois that he needs to start running Linux on his machine. I haven't convinced him to port CX-Programmer yet, but I can probably get him to help sniff out all the unpublished parts of the FINS protocol, if anyone wants to help write an Omron programming package!

<grin>

--Joe Jansen
 
Peter Whalley

Thanks Ranjan,

Any suggestions on item 5? I haven't looked at these types of products.

Re item 9, Windows XP would not be my first choice either. I think Win2000 has fewer issues to contend with and is better understood, more mature and probably more secure. This list was for those that have to use XP (or really want to).

Regards

Peter Whalley
Magenta Communications Pty Ltd
Melbourne, VIC, Australia
e-mail: peter*no-spam*@magentacomm.com.au
delete *no-spam* before sending
 
If everyone reading this simply _asked_ their vendor when they will be able to buy Linux based tools and took serious interest in the answer, we would have alternatives eventually. If they also indicated the Windows infelicities were unacceptable, it would happen sooner. This whole fiasco could be avoided if people would simply use the power they have as consumers rather than bending over. Once there are viable alternatives, my guess would be that there would be an "industrial" Windows version with the problems removed. They are becoming rather sensitive to OSS competition. It would be a win/win situation. Notice what happened to WinCE once there was competition from the embedded Linux folks :^)

Regards

cww
 
Peter/Ranjan;

I'm not exactly sure what you mean by replacing Explorer with a third party product that locks it down and appears like the system they're using at home.

You can place the Windows XP Explorer interface into a "classic mode" and it'll look EXACTLY like Win2K. And, with policies, you can lock down anything you'd like.
You can prevent any user from seeing, accessing or damaging anything you'd like.

Mark
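As an added illustration (not code from any participant in this thread) of the two policy-based controls discussed above, Peter's item 2b (no automatic updates) and Mark's point that Explorer can be locked down with policies, here is a PowerShell script that writes the corresponding registry policy values and then verifies each one. It assumes an elevated PowerShell session on the target workstation; the value names are the standard Group Policy registry values for Windows Update and the Explorer shell.

```powershell
# Added example: apply the lockdown policies discussed in the thread via the
# registry, then verify every value. Assumes an elevated PowerShell session
# on the workstation; value names are the documented Group Policy settings.

$Policies = @(
    # Item 2b: no automatic download/installation of updates (machine-wide)
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name = 'NoAutoUpdate';      Value = 1 },
    # Operator shell lockdown (per-user Explorer policies)
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'LockTaskbar';       Value = 1 },   # taskbar cannot be moved or resized
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoSetTaskbar';      Value = 1 },   # no Taskbar/Start Menu settings
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoTrayContextMenu'; Value = 1 },   # no right-click menu on taskbar
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoRun';             Value = 1 },   # remove Start > Run
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoClose';           Value = 1 },   # operators cannot shut down
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr';    Value = 1 }    # no Task Manager from Ctrl-Alt-Del
)

function Set-LockdownPolicy {
    param([hashtable]$Policy)
    if (-not (Test-Path $Policy.Key)) {
        New-Item -Path $Policy.Key -Force | Out-Null
    }
    Set-ItemProperty -Path $Policy.Key -Name $Policy.Name `
                     -Value $Policy.Value -Type DWord
}

function Test-LockdownPolicy {
    # Returns $true only if the value exists and equals the expected setting
    param([hashtable]$Policy)
    $item = Get-ItemProperty -Path $Policy.Key -Name $Policy.Name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.($Policy.Name) -eq $Policy.Value)
}

foreach ($p in $Policies) { Set-LockdownPolicy $p }

# Re-read everything we wrote; a missing or mismatched value is reported
$failed = $Policies | Where-Object { -not (Test-LockdownPolicy $_) }
if ($failed) {
    $failed | ForEach-Object { Write-Warning "Not applied: $($_.Key)\$($_.Name)" }
} else {
    Write-Output 'All lockdown policies applied; log off and on for the HKCU policies to take effect.'
}
```

The HKCU values apply only to the account they are written under, so run the shell part as the operator account (or load that account's hive) and keep the administrator profile unrestricted.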
 
Curt Wuollet wrote:
> If everyone reading this simply _asked_ their vendor when they
> will be able to buy Linux based tools and took serious interest
> in the answer, we would have alternatives eventually.

Have you considered the fact that while Windows is a suboptimal control platform, it's a decent desktop OS well suited for programming packages and the like? My new project is using Linux. However, I have no plans at this point to spend the large effort needed to port the programming environment to Linux because, well:

1) I have never run into any of my customers that use Linux on their desktops
2) Selling software to the Linux market is a problem because, well, they aren't used to paying for it.

Curt, here's your problem. You sit there, tell everyone that Microsoft and all the stuff they use right now sucks, and tell everyone how you can solve all your automation problems with a 386 running Linux, a tie-wrapped ISA board, and plenty of elbow grease. Good for you and your customers, but... err... if you can do that, err.... you aren't going to be buying any software or hardware.

The current user base of Linux is highly technically inclined, not afraid of programming, and willing to build rather than buy. Automation vendors like myself aren't going to jump until we have solid indications that people will actually BUY our software if sold for Linux.

> Notice
> what happened to WinCE once there was competition from the
> embedded Linux folks :^)

Bull. Windows CE (or whatever they're calling it) was given priority because they wanted to take the lucrative handheld market away from Palm. Linux has only shipped on, what, one PDA (Sharp Zaurus). People flashing their iPAQs with a mostly-working Linux distribution does not make competition.

Alex Pavloff - [email protected]
Eason Technology -- www.eason.com
 
The trouble is most of us are suppliers not consumers.

Our customers are more interested in what the sales man and marketing people have to say (and partnership with Microsoft is often touted as a BIG plus point on the marketing front).

Our pull is negligible (though I would still advocate, and do, using whatever pull we do have).

The Linux community still has a WAY to go before they can convince the end-user of any advantages.

I have been a supporter of Linux since SuSE 6.2 and I would have a hard time convincing myself to propose a Linux solution, and certainly not without a commercial product such as Aprol or AutomationX.

I still have SuSE (8.0 now) installed on one of my PCs, but the only apps I have any success in installing and getting to run are Kylix, JBuilder and StarOffice.

I spent half a day (time that I don't have) trying to set up Apache, before giving up and installing and configuring Apache 2 on Windows 2000 in fifteen minutes. I say this not in support of Windows (I really wish I could use an alternative) but because Linux applications need further development in ease of use, particularly (but not limited to) the area of installation, before they will be usable by the vast majority of computer users.
 
Mark Hill:
> I'm not exactly sure what you mean by replacing Explorer with a third
> party product that locks it down and appears like the system they're
> using at home.

That'd be getting rid of Explorer altogether and replacing it with something that looks vaguely like Explorer, but only lets the operators do what they're supposed to (like, run the machine).

> And, with policies, you can lock down anything you'd like. You can
> prevent any user from seeing, accessing or damaging anything you'd
> like.

Can you lock it down so that (for instance) the user can't drag the start bar to the side of the screen? Once they do that, and it's possible to do it accidentally, (a) it will look different from the training, and (b) it may obscure some controls.

For that matter, can you set it to ignore clicking on the clock? Tooltips on the clock? Ctrl-Alt-Del? (Yes I know it's the trusted path.)

Access policies for files and the like are one thing; lock-down is quite another.

Jiri
--
Jiri Baum <jiri(AT)baum.com.au> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools