Hit by WannaCry? No one to blame but yourself
By Thom Holwerda on 2017-05-15 16:18:18
Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.
There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?
If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.
You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.
Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.
Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.
Computers are no different.
So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else still on Windows XP without paying for extended support, or even worse, people who turn automatic updates off who were affected by this attack?
I shed no tears for you. It's your own fault.
By Kancept on 2017-05-15 16:40:06
I have to disagree with the car analogy. When I buy a car, sure I do consider tires and such as things I have to get. But there are two key things here.
#1 Microsoft didn't make the tires or oil.
#2 I can get those parts from others. I don't have to go to Microsoft to get them.
Automotive manufacturers have to make sure their vehicle is safe after they make it, even years after they stopped support. If a mechanism fails, it is the manufacturer's responsibility to issue a recall on it. And no, they don't charge for it either.
So, while your car analogy is close, it doesn't fit this model. Or maybe it does, but you are addressing the wrong part of it. Microsoft should be making the patch available as a security and safety mechanism for all of its customers, just as car manufacturers do.
As an aside, I'm not a Windows user. MacOS, Fedora, and Haiku at home, thanks.
Edited 2017-05-15 16:41 UTC
Score: 1
By raboof on 2017-05-15 16:43:26
I agree. I do feel sorry for all those UK citizens who may not have received the appropriate healthcare in time because their hospital messed up their IT.
Also, while this time it was an exploit for an ancient OS, it's a good opportunity to take a step back and consider: next time it could be a 0-day. Next time it could be you. Next time your data - and your employers' data? - could be stolen/exposed as well as encrypted.
Are you prepared?
Score: 4
By CruelAngel on 2017-05-15 16:48:05
While I personally don't use Windows (I'm a Linux guy), can I get a confirmation that only Windows 7 and older versions of Windows were affected by this vulnerability? (So Windows 8 and 10 are not.)
I'm asking because I'm the supposed "techguy" in the eyes of my family members, so they are pestering me if they are safe.
Score: 1
RE: Car analogy
By tidux on 2017-05-15 16:54:35
You can do all that yourself with an out-of-support Linux distro, assuming you can find someone to audit the code and backport patches, but if you've got the source code to your Linux applications around (and really, you should), you can just rebuild for a newer release if it stops working.
Yes, this is a hugely different model of OS and application lifecycle and deployment than the IBM and Microsoft one, but it also works. It also has the advantage of not forcing super strict binary compatibility on the OS. If the ABI changes, rebuild and redeploy.
Score: 3
RE: Which version?
By tidux on 2017-05-15 17:13:31
Windows 10 isn't safe ever, thanks to Microsoft's inane spying bullshit, but if fully patched it's not vulnerable to WannaCrypt.
Score: 1
Comment by FlyingJester
By FlyingJester on 2017-05-15 17:17:29
I do understand that some embedded systems are basically not viable for upgrade.
The irresponsible part, to me, is putting such a system on a network, or allowing data to pass into such a system from a possibly insecure source. Better yet if data can only move out from such a system, since that eliminates the biggest attack vector.
Score: 6
By dark2 on 2017-05-15 17:19:59
DOS is still used in production in lots of places; the third option no one is talking about is disconnecting these machines from the internet and plugging the networking and USB ports with glue (or setting them up on their own network where they can't talk to the internet or the main network).
You can also mention maintenance costs as much as you want, but how many of these software companies do you think are still around? Probably 0, and that's why they can't get updated software for newer versions of Windows. They would need an entirely different solution and possibly to replace entire infrastructure. I've certainly seen old software where no replacement exists and the company behind it is long gone.
Edited 2017-05-15 17:30 UTC
Score: 2
RE: Car analogy
By FlyingJester on 2017-05-15 17:34:02
This can work, but just as often you will be left with some applications that randomly crash because you did not realize that some dependency existed, or because some newer version of a library is API compatible, but has different behaviour than before.
Just using a rolling release system is far better.
Gentoo is also an alternative that fits what you describe. And despite what people may think, it's easier to keep Gentoo working than to be updating and rebuilding all your software manually. Doing it manually, you will need to know everything it takes to make Gentoo work (and more), and you will find yourself in many weird situations that absolutely no one else has ever seen.
Score: 2
By Alfman on 2017-05-15 17:41:48
Thom Holwerda,
> You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those mean you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.
There's no denying this was very bad for the hospitals and patients affected, but I don't think we have the whole picture here. Many of them may be stuck between a bureaucratic rock and hard place. Their system administrators can't just update systems willy-nilly like another business or home user could. These systems may require certifications and modifications would likely void those certifications.
For its part, Microsoft does not guarantee the suitability of Windows or updates for any purpose; things can and sometimes do break. The vendors who certify machines can't realistically certify a Windows system with Windows updates; it would be prohibitively expensive to re-certify millions of computers every Patch Tuesday when they get updates. Clearly some solution is needed, I'm not sure what it would look like. I'd like to hear the perspective of someone who's dealt with these kinds of issues.
However, none of this would have likely mattered in this particular case because they were zero-day exploits anyway. The NSA is directly to blame for them and the software engineers are to blame for the poor quality of software in the first place. I'm surprised you aren't blaming them (and us) more. Whoever creates these exploits, be it indie hackers or government agencies, these zero-days are a widespread problem. Updates, while important, are inherently a reactive solution. The only way to fix this once and for all is to take a proactive stance and demand safer code from project managers, software engineers, and even computer languages.
There are armies of C coders who will complain that vulnerabilities are the fault of bad programmers and not computer languages, but we can't ignore the fact that unsafe language semantics have been enabling human mistakes for 40+ years. No language can fully save us from our high-level programming mistakes; however, they can protect us from many low-level mistakes that continue to plague us. If we don't have a plan to replace unsafe languages or at least limit them to areas that can be fully audited and contained, then our software will still continue to be insecure 40+ years from now.
Edited 2017-05-15 17:46 UTC
Score: 5
RE: Which version?
By codejockey on 2017-05-15 17:45:24
This article identifies which unsupported OS versions did not have a patch available:
Windows Vista was still receiving updates in March (when the patch was issued), but is now unsupported.
Windows 8 is unsupported, but Windows 7, Windows 8.1, and Windows 10 are still receiving updates.
Edited 2017-05-15 17:52 UTC
Score: 1