www. O S N E W S .com
News Features Interviews
BlogContact Editorials
.
Hit by WannaCry? No one to blame but yourself
By Thom Holwerda on 2017-05-15 16:18:18

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those mean you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else still on Windows XP without paying for extended support, or even worse, people who turn automatic updates off who was affected by this attack?

I shed no tears for you. It's your own fault.

 Email a friend - Printer friendly - Related stories
.
Read Comments: 1-10 -- 11-20 -- 21-30 -- 31-40 -- 41-50 -- 51-60 -- 61-70 -- 71-80 -- 81-90 -- 91-100 -- 101-109
.
RE: Comment by ssokolow
By loic on 2017-05-15 18:49:42
I would not ever boot a Windows XP system on any network-enabled machine. About any reasonably recent laptop (< 8 yo) can launch it on a virtual box virtual machine, with no networking adapter enabled. It does not even need much RAM, XP is known to run well on 512 MB.
For non-techies, of course it could make sense, but I cannot see how any user with a dual boot would not know this.
Permalink - Score: 2
.
RE[2]: You don't understand the problem
By grandmasterphp on 2017-05-15 19:23:20
> You are kneejerking without reading the actual article.

No I am not.

> I didn't blame the NHS (or its hospitals and workers), but the government that funds it.

I know you aren't. The situation was created by the previous Government by the access to health program that was poorly implemented. Lots of IT investment, no real plan.

I used to work in this environment, as a 2nd/3rd tier support tech back in 2007-2009, supporting one of these applications.

What I think you are doing is massively over simplifying the situation. The NHS is split into Trusts, these all work differently and get funded differently based on size and lots of other factors. Then referrals can be transferred to private clinics / hospitals etc.

These all have bespoke systems you can't just upgrade stuff. It has to go through a proper change management process and this can take years.

Even things like printers having the margins a bit wrong on the windows settings can be problem when printing patient notes to hang on the end of the bed (I forget the proper term now).

> Is it really Microsoft's fault if the British government underfunds its healthcare service?

No. I never said it was. I think the problem exists because the previous labour government didn't have any proper plan for IT and just stuck money into it.

> Again - I don't think you actually read the aricle, but just immediately got defensive.

I wasn't being defensive. That wasn't my intention. I just don't think you understand that it is really nobody's fault. I've worked in one of these IT suppliers and everyone was stressed out trying between support / development and deployment.

> I did not say anyone was lazy - just that yes, if you choose not to fund your IT department adequately, then yes, YOU are to blame for an inadequately funded IT department, and the resulting consequences. In the case of companies, that's the manager allocating funds - and in the case of the NHS, it's the government.

It not a problem that can just be solved by chucking money at it.

I don't think you really understood what I was getting at. You are massively over simplifying the situation. The reason why these systems aren't updated as often is due to a multitude of reasons. Some of these I highlighted in my original post. Sometimes there is noway to update them.
Permalink - Score: 2
.
RE: Car analogy
By Kochise on 2017-05-15 19:36:47
When a car producer leaves security holes in their models, or use tricks to pass pollution tests, it's not because the car isn't produced anymore that the car producer should be held off its obligations and put all responsibilities on the user.

Sure the user can be a bad driver and can cause problems by itself. But if the security holes are the car producer's fault, it's its liability to provide fixes. And fixing software is not the same cost as fixing cars.

You get richer with softwares (Microsoft, Apple, Oracle) than cars (General Motors) for a reason. So claiming the users should upgrade at their expense because the software producer decided the architecture ain't worth anymore, wadda wadda, this is lies.

With the so many coders out there, with good coding practices available for years and for free, there's no excuse some softwares are still coded with the foot. Remember the 2K problem that costed users billions on software producers' incapability to provide secure and well crafted softwares in the first place ?

I'm not going to fall into this fallacy and feel at fault. Those companies gets enough money for little evolution (IE6 anyone ?) so stop believing into this mythology. You think software are top value products ? Look how flawed they are, like they are released in a rush with only little testing beforehand.

Aren't there enough white hats out there to work with/at Microsoft to test bench the softwares with a complete regression testing suites nicely handcrafted for years and decades ? Obviously the NSA doesn't have a problem to hire black hats to find exploits. Amurica Freedumb!!1! So better than the rest of the world.

Thanks for the legacy exploits, thanks for ransoming users to upgrade their softwares to correct them.

Edited 2017-05-15 19:38 UTC
Permalink - Score: 4
.
RE: Responsibility
By flav2000 on 2017-05-15 19:42:14
Thanks for pointing that out.
Hospitals are stuck between a rock and a hard place in particular.

Many diagnostic machines like X-Rays, MRI etc are quiet expensive and cannot be upgraded easily. Upgrading means certifying the device from top to bottom and no manufacturer is going to do that. To make things worse all the push to make data readily shareable and digitally available means that all these insecure devices are now part of the network. If there is a dollar available that money will inevitability end up on new feature rather than securing systems.

The same happens on manufacturing plants. That's why big names like Nissan and Hitachi got hit. Many old style PLCs and robotics don't have support for newer OSes (many even are still stuck on Win2k!). Shutting down a working factory for security upgrades is a non-starter both in terms of cost and potential issues (it is working fine right at this moment but you may break it by updating). A lot of these are exposed to the network b/c of need to automate monitoring and what not. Again features over security.

Consumer-wise I would say yes they're to blame - there are however many places in the world where using the latest patches is just not possible under the current schema. Hopefully there will be push to change things for the better but it's not a situation that is easily fixable.
Permalink - Score: 4
.
RE: Internet Disconnection
By Bill Shooter of Bul on 2017-05-15 19:57:39
Yup. Had a inventory system written in a proprietary scripting language by a company that went belly up 20 years ago. We got estimates in the low 2 million range for a replacement, which wasn't affordable for a company losing 5 million a month. So we kept the obsolete one. Which luckily enough didn't have networking as an option air gapped by history.
Permalink - Score: 2
.
In other security news...
By Alfman on 2017-05-15 20:54:01
I just thought I'd post this here, it's dated today:

http://www.zdnet.com/article/app...

> Apple fixes dozens of security bugs for iPhones, Macs

Apple has squashed dozens of security bugs in its latest releases of its iPhone, iPad, and Mac operating systems.

The Cupertino, Calif.-based company rolled out 23 security fixes in iOS 10.3.2 and another 30 fixes in macOS 10.12.5, both of which were released on Monday.

Among the bugs, two bugs in iBooks for iOS could allow an attacker to arbitrarily open websites and execute malicious code at the kernel level. Over a dozen flaws were found in WebKit, which renders websites and pages on iPhones and iPads, that could allow several kinds of cross-site scripting (XSS) attacks.

A separate flaw in iBooks for macOS desktops and notebooks could allow an application to escape its secure sandbox, a technology used to prevent data loss or theft in the case of an app compromise.



A remainder that all platforms have vulnerabilities! Ironically it's because of these vulnerabilities that owners are "allowed" to jailbreak their own IOS devices. :-/
Permalink - Score: 2
.
RE[2]: Comment by FlyingJester
By grandmasterphp on 2017-05-15 20:54:15
80% of the systems were okay. Which means 80% are probably doing it right.
Permalink - Score: 1
.
RE: Windows back door proven
By grandmasterphp on 2017-05-15 20:56:25
I think it is more likely that Microsoft could patch the vulnerability on all platforms quite easily.
Permalink - Score: 2
.
There is few Elephants everyone is forgetting about.
By oiaohm on 2017-05-15 21:17:52
http://www.intel.com.au/content/...
https://www.microsoft.com/en-us/w...

Please note the miss match between these sites. People have install windows 10 on older CPU than what Intel support and have been forced to disable update so their system runs. Of course it would have been helpful is Microsoft on their site had reported correct information and if Microsoft tools had blocked installing windows 10 in the first place on too old of hardware. So those users not updating have been trapped by Microsoft incompetence and possible Intel incompetence for not sharing correct information with Microsoft in time.


https://support.microsoft.com/en-...

Here is Microsoft again choosing that with Windows 7 and 8.1 not to provide updates if person is using newer cpus.

There are other elephants in the room where people are failing to get updates.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe.

This is also wrong.

http://www.pcworld.com/article/2...
If you internet connection is set as metered in windows 10 even that Windows Update is enabled your computer might have downloaded no updates for a while because automatic updates only kicks in when you connect to a non metered. Yes if you are on metered manually performing updates is required.

After allowing for the Elephants a percent of effected users have be effected by miss information that auto updates on and they are done when with metered connections not they are not. Also a percent have been effected by Microsoft and Intel information miss match. A percent has been effected by Microsoft refuse to allow old OS on new hardware.

Also there is another percentage where automatic updates with windows 7 and 8 have resulted in breaking vendor provided parts.

So there are issues here. There are a percent I will give who are guilty of turning off automatic updates out of fear caused by seeing people they know suffer from the above issues. So yes a percentage of this problem lands cleanly at Microsoft feet.
Permalink - Score: 3
.
RE[2]: Comment by ssokolow
By ssokolow on 2017-05-15 21:36:10
Hey, I'm not saying I agree with that reckless behaviour... just that it's not necessarily that simple for people who are determined to be that reckless.

My Windows 3.11/98 and XP retro-gaming machines sit alone on their own leg of my router where the only traffic allowed to cross the boundary is connections initiated by the retro PCs which are either local DNS and DHCP (to daemons running on the router itself) or NTP and SSH (to my main workstation, with the SSH being limited to a chrooted SFTP-only account which I use for quickly moving files back and forth).

I find it a nice way to balance security with the convience of having networked file transfer, NTP time sync, and automatic network setup. (I even dug up DOS NTP and SFTP clients.)

Heck, the DNS allow rule is just a convenience that I should probably drop, since I've pinned the IP address of the workstation that provides the NTP and SFTP servers.

Edited 2017-05-15 21:37 UTC
Permalink - Score: 2

Read Comments 1-10 -- 11-20 -- 21-30 -- 31-40 -- 41-50 -- 51-60 -- 61-70 -- 71-80 -- 81-90 -- 91-100 -- 101-109

No new comments are allowed for stories older than 10 days.
This story is now archived.

.
News Features Interviews
BlogContact Editorials
.
WAP site - RSS feed
© OSNews LLC 1997-2007. All Rights Reserved.
The readers' comments are owned and a responsibility of whoever posted them.
Prefer the desktop version of OSNews?