www.osnews.com
Hit by WannaCry? No one to blame but yourself
By Thom Holwerda on 2017-05-15 16:18:18

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it; that's an investment you have to make as part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else still on Windows XP without paying for extended support, or even worse, people who turned automatic updates off and were affected by this attack?

I shed no tears for you. It's your own fault.

Blame List
By Brendan on 2017-05-15 21:56:02
Hi,

The list of people that should be blamed are:

a) Every software developer that assumes "Internet connected" means that they can release buggy crap followed by a never ending plague of updates and fixes (and associated unwanted end-user hassle) as they continually try to bring their buggy crap up to "release quality" (instead of realising that "Internet connected" means that it has to be extremely secure before release).

b) People like Thom that make excuses for software developers that fail to release secure products.

- Brendan
Permalink - Score: 4
.
RE[3]: You don't understand the problem
By Bill Shooter of Bul on 2017-05-15 22:09:24
Throwing money at the problem definitely would help. I'm certain there are several IT solution providers in the US that would love to work on solving the issues. Not cheaply, though.

The custom medical equipment does have a new version that is supported by Windows. They always do. It's just a question of whether or not the upgrade is in the budget.

I do kind of wish it had hit the US a little just so we could see which hospitals are keeping up and which are not. In reality there should be stress tests of hospital IT outages, aside from the ones that the hospital IT already causes on a semi-regular basis.
Permalink - Score: 2
.
Not a UK gov problem
By Adurbe on 2017-05-15 22:53:47
I would challenge you to provide any health service in the world not vulnerable to the same issues. The reality is every country buys the same equipment from the same small set of suppliers. Dutch hospitals are just as full of MRI scanners running XP as British or American ones.
Permalink - Score: 2
.
RE: Blame List
By Thom_Holwerda on 2017-05-15 22:58:19
> b) People like Thom that make excuses for software developers that fail to release secure products.

But... But they fixed it two months ago?
Permalink - Score: 1
.
Wait ...
By WorknMan on 2017-05-15 23:53:44
So Thom is blaming the victims here?

#scandalous
Permalink - Score: 3
.
RE[2]: Blame List
By Brendan on 2017-05-16 00:35:14
Hi,

> > b) People like Thom that make excuses for software developers that fail to release secure products.
>
> But... But they fixed it two months ago?

There was a critical vulnerability in every version of Windows for a decade because Microsoft released insecure products that should never have needed to be updated in the first place.

An unknown number of people who should never have needed to update got affected by insecure products before the update existed without ever knowing they've been affected.

A huge number of people who should never have needed to update know they were affected after the update existed.

A huge number of people who should never have needed to update can't update and are still at risk.

Microsoft will not be compensating anyone that has been affected for damages that their faulty software has allowed.

Microsoft will not be reimbursing anyone that has paid for faulty software.

Microsoft will not be apologizing to anyone that has been affected or will be affected.

Microsoft won't be changing any of their practices (doing a full security audit, hiring a new security team, etc).

The developers that created the security vulnerabilities, and the quality assurance testers that failed to notice the vulnerabilities before each version of Windows was released, probably won't even get a "stern warning" and will probably be allowed to continue creating more security vulnerabilities in future Microsoft products.

Nothing that actually matters will change; it'll just be yet another slightly different vulnerability next week, and the week after that, and ...

The reason nothing that actually matters will change is that stupid people think all of this is acceptable. There's no incentive whatsoever for Microsoft to do anything to prevent vulnerabilities.

This is not just Microsoft, it's "most" software developers. It's an entire industry where incompetence and negligence is standard practice.

Note that people who install updates are victims too - if 1 billion people spend an average of 6 minutes of their time each month installing updates and their time is worth an average of $10/hour; then that adds up to a total cost of $72,000,000,000 per year just to install updates for dodgy crap that should never have needed to be updated (and that's not including costs of anti-virus subscriptions, bandwidth consumed, etc).

- Brendan
Permalink - Score: 3
.
RE[2]: Blame List
By Alfman on 2017-05-16 01:41:57
Thom Holwerda,

> But... But they fixed it two months ago?

Sorry Thom, but this isn't nearly as simple as you are making it out to be. I absolutely hate to make an argument from authority, but if you had more experience in IT you would see it's not this simple. If an OS upgrade or update breaks a piece of software or equipment, then what?

This isn't remotely hypothetical, I've experienced several windows incompatibilities. At one company the customer ticket management system we were using for several years broke on windows 8. And so we were stuck with using windows 7 internally until the ticket management software could be replaced. The company's software licensing agreement actually entitled every employee to install windows 8, so it was never a matter of cost, but of feasibility and compatibility.

Ironically even our own software we were developing was broken by an update. Granted upgrade/update complications are usually more of an annoyance, like having to throw away a card/printer or borked wifi/usb until the manufacturer releases a new compatible driver (all of these have happened to me and my family btw), but we move on. However with specialized and certified medical equipment and software that MS doesn't even own, allowing untested/uncertified software auto updates can have life threatening repercussions. This is irresponsible! Certification is not something that should be rushed under time pressure either.

And I'm not saying you don't have valid points, but you've oversimplified the challenges that IT administrators are facing in order to push this narrative; you are wrong to think it's just a matter of updating. Don't think for a moment a lawyer wouldn't sue a hospital for gross negligence for allowing untested/rushed software to run on its systems. The updates cut both ways.

Administrators have no authority to re-certify updated medical equipment at the hospitals; automatic updates pose too great a risk and are ineffective against zero-day exploits anyway. Arguably the best course of action is to focus instead on keeping them isolated. That these systems were compromised over the internet is totally unacceptable. These systems shouldn't touch the internet, not even for updates.

There may be times they need to be updated, but only through certified channels and NOT automatically while they are in commission.

Edited 2017-05-16 02:00 UTC
Permalink - Score: 3
.
RE[2]: Blame List
By Ibrahim on 2017-05-16 03:14:00
They fixed it via an ultimatum though. Didn't the group that grabbed the NSA tools give the companies affected a time frame to fix the security holes before they released the NSA tools and announced the vulnerabilities?

If there was no ultimatum, the holes would still be there with no update(s) in sight. Of course this is speculation on my part, but in line with the way MS and company work. So not hard at all to imagine there would be no fixes, were it not for the ultimatum.
Permalink - Score: 1
.
RE: Car analogy
By nicubunu on 2017-05-16 06:03:58
There would be also the part when after a tire change your car would suddenly start spying on you.
Permalink - Score: 6
.
no big issue
By nicubunu on 2017-05-16 06:21:03
WannaCry should be no big issue for individual home users: they are usually behind a router provided by their ISP, and not being directly exposed to the internet means no attack surface for WannaCry. Also, it is less likely they have many Windows computers at home, so they will be attacked over the LAN.

This leaves big corporate networks as the most likely victims. There may be solid reasons there are still older Windows versions on big corporate networks, but if this is the case their IT departments should have prepared accordingly.

Still, I don't accept the blame to be put solely on the victims. NSA is to be blamed, they discovered a vulnerability and they developed it into a weapon instead of pushing for a fix.

And there is blame for Microsoft: they used the [lack of] updates as a tool to force people to update to an unwanted version of Windows, thus making people distrust updates altogether.
Permalink - Score: 3

© OSNews LLC 1997-2007. All Rights Reserved.