Hit by WannaCry? No one to blame but yourself
By Thom Holwerda on 2017-05-15 16:18:18

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it; that's an investment you have to make as part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else still on Windows XP without paying for extended support, or even worse, people who turn automatic updates off and were affected by this attack?

I shed no tears for you. It's your own fault.

RE[3]: If your car had a fault, the manufacturer would fix
By fmaxwell on 2017-05-18 11:36:30
Alfman,

> I'd point out that many software developers know more than anybody how broken things are. In many cases if you dig further there's a very good chance developers did bring up the issues before the product reached market.

Knowing about the problem and being willing to swallow the bitter pill to fix it are two different things. I talked to many software engineers in my 30+ years and, almost to a person, they were very opposed to software being held to the same standards as other consumer products.

> However management creates an environment that isn't conducive to building secure code with unrealistic timelines that omit testing and security auditing and just allocating insufficient resources. The incentives from the top of the company down the chain are to do the minimum amount of work possible.

Meanwhile the CEO is telling customers how important the company takes security, blah blah blah, but it's rarely actually true. If consumers feel they are becoming the beta testers, it is in fact because that's exactly what they've become.

That's what happens when a company has no legal obligation to make their product perform as advertised.

If Microsoft faced the same repair/replace/refund model that vendors of normal products (rather than software licenses) face, there would be a lot more time and money put into simplifying the codebase, testing, and security auditing. Feature additions would be based on a risk/reward assessment: Does this proposed feature really justify the increase in code complexity, testing time, and security auditing effort?

Looking at this in a completely heartless, GOP-esque manner, why would Microsoft issue updates to Windows XP when they can just discontinue support and wait for something like WannaCry to result in a barrage of orders for Windows 10, or extended support contracts, from panicked companies, governments, and consumers? Windows is entrenched. Microsoft knows that the UK National Health Service isn't going to convert all of their computers to OpenBSD.

If other companies operated like software companies:

Hello, Toyco Products Customer Service, Nancy speaking.

My baby is in surgery because he swallowed a plastic eye from your Huggles Bear XP stuffed toy.

I'm sorry to hear that. We became aware that the eyes were not properly attached after we had discontinued support for the Huggles Bear XP.

If you knew it was defective, why was I not notified? Why didn't you recall it?

You bought a license to use the Huggles Bear XP. It remains our property, so we are not legally obligated to fix it or notify you of flaws unless you buy a Huggles Bear XP extended service contract. If you don't want to do that, we could sell you a license for our current Huggles Bear 10.

I'm going to sue you!

I must refer you to paragraph 13 of the End-User License Agreement for the Huggles Bear XP, which reads as follows,

13. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL TOYCO OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, PERSONAL INJURY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE PRODUCT OR OTHERWISE ARISING OUT OF THE USE OF THE PRODUCT, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF TOYCO OR ANY SUPPLIER, AND EVEN IF TOYCO OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
_____________

Note: The above contract paragraph was based on the Windows XP Professional license and only lightly edited for fair use in this parody.
Permalink - Score: 3
.
RE[4]: If your car had a fault, the manufacturer would fix
By Alfman on 2017-05-18 12:46:46
fmaxwell,

> Knowing about the problem and being willing to swallow the bitter pill to fix it are two different things. I talked to many software engineers in my 30+ years and, almost to a person, they were very opposed to software being held to the same standards as other consumer products.

> That's what happens when a company has no legal obligation to make their product perform as advertised.

> If other companies operated like software companies:

> If you knew it was defective, why was I not notified? Why didn't you recall it?

I don't think most software developers are against holding the companies accountable, many of us have been calling for that for a long time.

I think there may have been some unintentional confusion here. When you said "software developers", it generally means someone's title, although now your post clarifies you meant the software developing companies. That changes a lot, and when you go blaming "software developers" this distinction is very important. For the most part the employees who develop the software have very little authority to invest company resources into security; more often than not I've found the only time companies seriously invest in security is...you guessed it...right after a breach.
Permalink - Score: 2
.
Comment by computrius
By computrius on 2017-05-18 14:13:32
"Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions"

Because those are all real, non-self-inflicted problems, as opposed to computer problems, which are mostly self-inflicted or imaginary.

Even if one has the most secure version of Windows 10 there ever was or will be, all he/she still has to do (and will do) is ignore the million times they have been told: "No, you didn't win the Nigerian lottery... DON'T OPEN EMAIL ATTACHMENTS", or "It doesn't matter how flashy the popup was and what kind of doctor suit the guy in the ad was wearing, no program is going to defy physics and reality by creating more physical RAM than what you already have."

It's amazing how totally secure Windows XP was at the time. Now everyone says you're an idiot for using it and has amnesia that they ever thought otherwise. Just as Windows 10 is totally secure and safe and awesome now. In 10 years it will be Microsoft's biggest, most insecure disaster that was never ever secure at any time.

And a final point. That old computer runs just as well today as it did 10 years ago (unless you did something stupid). It doesn't cost more to run than it did 10 years ago. For the most part you were careless and loaded it down with crapware by downloading anything and everything you ever encountered, and now falsely claim that it is "broken" because - shocker - it is now slow. Combine that with the fact that you see new and more powerful (albeit more stripped of your control or anything useful, because taking away ownership of your own device is "progress") computers and want those.

The more correct car analogy is that you are driving a 2007 car, and now you want a 2017.

Edited 2017-05-18 14:31 UTC
Permalink - Score: 2
.
RE[5]: If your car had a fault, the manufacturer would fix
By fmaxwell on 2017-05-18 16:17:40
Alfman,

> I think there may have been some unintentional confusion here. When you said "software developers", it generally means someone's title, although now your post clarifies you meant the software developing companies. That changes a lot, and when you go blaming "software developers" this distinction is very important.

I used "software engineers" to avoid confusion. You introduced the term "software developers" and I assumed that you intended it to mean the same thing.

But you understood me correctly the first time. It's true that software engineers, the people who code for a living, almost always want more time and resources during the development process, but they still don't want the fruits of their labors treated as products, with all of the legal ramifications that entails. They don't want to have to revisit old code and make fixes years later.

And that is an area where they agree with management; software should remain in its special not-a-product niche. If a latent defect is found in something that hasn't been sold in years, management doesn't want to be in the position of being legally obligated to repair, replace, or refund. More importantly, management does not want the company to be able to be successfully sued when their security bug leads to, say, hospitals turning away patients.

> For the most part the employees who develop the software have very little authority to invest company resources into security; more often than not I've found the only time companies seriously invest in security is...you guessed it...right after a breach.

Based on the idiotic notion that you can add security on rather than having to design it in. At one point in my career, I headed up a team developing a secure workstation that went through a formal C2 evaluation conducted by a team from NSA (back before Common Criteria). Most software engineers are pretty clueless about security. Most software companies don't want to invest in training or to hire enough senior software engineers with a specialty in security. They don't want to be constrained by engineers asking "do you really need a programming language inside of a word processor that most users run with admin privileges?"
Permalink - Score: 2
.
RE[6]: If your car had a fault, the manufacturer would fix
By Alfman on 2017-05-18 21:29:45
fmaxwell,

> But you understood me correctly the first time. It's true that software engineers, the people who code for a living, almost always want more time and resources during the development process, but they still don't want the fruits of their labors treated as products, with all of the legal ramifications that entails. They don't want to have to revisit old code and make fixes years later.

Software engineers don't get to make any of those choices, so who says we'd be against it? It could benefit more qualified engineers and create incentives to become more qualified. But none of this is decided by us; it's all decided by management, executives and lawyers. To be clear, if you held the software engineers accountable without holding management or CEOs accountable, you'd end up with a large number of scapegoats being blamed without any authority or power to change things at the company.

Like the Wells Fargo fiasco:
http://www.washingtonexaminer.co...

I've been involved in projects where code was released with some known vulnerabilities over my objections. If those had been publicly exploited, you would probably blame the software engineers for it; however, you would not be privy to the facts of what actually happened, and that it was a managerial decision to consider those things out of scope (another way of saying "unfunded"). I'm for accountability, but you've got to make the whole company accountable and not just those working on the software - many of us aren't in any position to demand changes from our employers.

> Most software engineers are pretty clueless about security. Most software companies don't want to invest in training or to hire enough senior software engineers with a specialty in security.

I agree, but I'd go even further and say this low investment and appreciation for security skills is quite discouraging even for those of us who have those skills.

Edited 2017-05-18 21:33 UTC
Permalink - Score: 2
.
RE[7]: If your car had a fault, the manufacturer would fix
By fmaxwell on 2017-05-19 00:20:00
Alfman,

> Software engineers don't get to make any of those choices, so who says we'd be against it?

As I wrote previously, a significant majority of the software engineers I've discussed this with over the last few decades have been opposed to treating software as a product. Obviously not 100% are against it; I am an example of one who advocates for the software-as-product model.

> To be clear, if you held the software engineers accountable without holding management or CEOs accountable, you'd end up with a large number of scapegoats being blamed without any authority or power to change things at the company.

That's a straw man; I never proposed anything like that, which would be apparent had you included this in what you quoted:

> fmaxwell, in the post to which you replied:
> If a latent defect is found in something that hasn't been sold in years, management doesn't want to be in the position of being legally obligated to repair, replace, or refund. More importantly, management does not want the company to be able to be successfully sued when their security bug leads to, say, hospitals turning away patients.

> I've been involved in projects where code was released with some known vulnerabilities over my objections. If those had been publicly exploited, you would probably blame the software engineers for it; however, you would not be privy to the facts of what actually happened, and that it was a managerial decision to consider those things out of scope (another way of saying "unfunded").

Stop presuming to tell me who I would blame -- especially since your presumption runs counter to almost everything I've written here.

> I'm for accountability, but you've got to make the whole company accountable and not just those working on the software - many of us aren't in any position to demand changes from our employers.

That's exactly what I've been advocating since the first post in our exchange.

> I agree, but I'd go even further and say this low investment and appreciation for security skills is quite discouraging even for those of us who have those skills.

You don't have to tell me. It's beyond a lack of appreciation; it is often outright hostility as we resist implementation of ill-considered features that put security at risk.

Unless the courts rule that software is a product, I don't see this bleak picture changing. Software companies have no incentive to change a model that absolves them of liability and provides them an income stream from upgrades and paid support.

Edited 2017-05-19 00:22 UTC
Permalink - Score: 2
.
RE[8]: If your car had a fault, the manufacturer would fix
By Alfman on 2017-05-19 05:34:25
fmaxwell,

> As I wrote previously, a significant majority of the software engineers I've discussed this with over the last few decades have been opposed to treating software as a product. Obviously not 100% are against it; I am an example of one who advocates for the software-as-product model.

I personally don't think software engineers would really have that big a problem if their employers were held to higher standards like in other industries. It would actually make our case a lot easier when we go to management with a problem that needs to be fixed. Also I think it would be good for us to have more of our skills in demand.

> That's a straw man; I never proposed anything like that, which would be apparent had you included this in what you quoted:

I didn't really mean for you to interpret it this way, "you" was meant generically and not personally. I think we're actually in agreement so I'll move on.

> That's exactly what I've been advocating since the first post in our exchange.

> You don't have to tell me. It's beyond a lack of appreciation; it is often outright hostility as we resist implementation of ill-considered features that put security at risk.

It got derailed because I disagreed with the view that most software engineers side with their company's position on software support (like a warranty, or lack thereof). Apart from that I think we agree on everything else.
Permalink - Score: 2
.
RE[9]: If your car had a fault, the manufacturer would fix
By fmaxwell on 2017-05-19 11:07:41
> It got derailed because I disagreed with the view that most software engineers side with their company's position on software support (like a warranty, or lack thereof). Apart from that I think we agree on everything else.

Thank you.

I can only report on my own experiences discussing this topic over the past 30 or so years with other software engineers, including W2 employees, contract employees (1099 wages), and those with their own consulting firms. I've never seen a proper survey on this topic.

The Internet is filled with websites of one-man software companies. If the notion of software-as-warranted-product were popular among software engineers, I would think that many of these companies, not constrained by management, would offer their software that way. I've not found that to be the case. I've found some offers of refunds if one is dissatisfied shortly after the purchase, but that's about it.

-----

Most of my career was in embedded systems, which has some big advantages for people who share our views. Whether the company builds heart monitors, car stereos, or home alarms, they are selling products. The firmware is an integral part of the product, so if it doesn't work properly and reliably, the product is defective and must be fixed. An ECU in a car that just randomly locks up, leaving the car powerless, can't be explained away as a "known issue" and you can't direct owners to "just turn the key to the off position, wait 30 seconds, and then restart the car."

I found that aerospace took software development, testing, and quality assurance deadly seriously. When you're launching a $100 million satellite, it doesn't pay to cut a few hundred hours out of the development budget. One "anomaly" can result in man-weeks of investigation to determine the cause and remedy, because "unverified failures" are something that one never wants on a bird they are trying to launch.

Thanks for the discussion and keep fighting the good fight.
Permalink - Score: 2
.
RE[3]: Responsibility
By mistersoft on 2017-05-20 13:38:33
Good point.
Re the serial connection
Permalink - Score: 2
