Hit by WannaCry? No one to blame but yourself
By Thom Holwerda on 2017-05-15 16:18:18

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it; that's an investment you have to make as part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else who was hit by this attack while still on Windows XP without paying for extended support, or, even worse, with automatic updates turned off?

I shed no tears for you. It's your own fault.

I completely disagree!
By gazwil1982 on 2017-05-16 11:41:11
So people who can't afford a new PC or hundreds on updated software are to blame? People who just use their computer for browsing the web and not much else are to blame? Charities who can't afford to update computers and software are to blame?

I'm sorry but the ivory tower you are sitting in is far too high for me. Most people don't think about their computers they just want things done. Most people don't understand how to update or turn automatic updates on or off.

Most people just want to live a happy life without being worried about having all their precious memories encrypted and extorted for money they don't have.

I won't be reading your site any more. I used to think you were down to earth but you are actually just mean.

I'll stick to getting my news from websites that don't judge their users.

For the record I'm a Linux lover who knows a thing or two about computers. But most of my family aren't. They are the "idiots" you have no sympathy for.

Shame on you!
Permalink - Score: 3
.
RE[2]: Responsibility
By Alfman on 2017-05-16 14:01:40
mistersoft,

> Really?

> I'm surprised Alfman - sure if computers are being "certified" for running e.g. medical imaging equipment - with Windows Update turned off - then SURELY they should not be networked !?


I'm confused what you are responding to, however I agree these computers need to be cut off from the outside world. A lot of equipment still needs to be "networked" internally though in order to provide patient care.

> Have a sandboxed secondary drive that is write only used for exporting the data from the primary drive
> Have a strict SOP that the IT guys supply the UUID number for the drive (and a little utility for the untrained to enter this - that mounts it write only at a specific mount point and refuses to mount elsewhere, or with other privileges - system wide)
>
> Then physically move it to a 2nd computer terminal beside it that is networked; do this once or even twice a day with a fresh external USB each time. 1TB 2.5" drives are only $50 each now - which is relatively negligible vs. the cost of imaging 6 - 12 patients on MRI/PET scanners.
>
> Would this not be a safe-ish workaround, if you're needing to keep to the certification model?


There are a lot of possible solutions, but ideally it shouldn't get in the way of real-time data. I read somewhere that eBay or Amazon (can't remember which, I wish I could find the article again) deliberately processed credit card payments through a very basic serial protocol to mitigate the risk of network and OS attack vectors. Even if the OS had known vulnerabilities it would be extremely difficult to exploit them through a basic serial protocol.
Permalink - Score: 2
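A sketch of the "little utility" from the quoted proposal, written as an added example for this thread rather than code from any commenter. It assumes Linux, a fixed mount point `/mnt/export`, and a UUID typed in by the operator; since Linux has no write-only mount flag, the restriction it enforces is a fixed mount point plus a fixed, restrictive option set.

```python
"""Constructed example: a UUID-pinned export-drive mounter.

IT supplies the UUID of an approved export drive; the operator runs this
tool, which mounts only that drive, only at EXPORT_MOUNT, only with
ALLOWED_OPTS, and refuses anything else. Assumption: there is no
"write-only" mount on Linux, so the control is a pinned path and options.
"""
import os
import re
import subprocess
import sys

EXPORT_MOUNT = "/mnt/export"              # the single permitted mount point
ALLOWED_OPTS = "rw,noexec,nosuid,nodev"   # fixed; never taken from the operator
# Accept ext4-style 36-char UUIDs and FAT-style XXXX-XXXX volume IDs.
UUID_RE = re.compile(
    r"^(?:[0-9a-f]{4}-[0-9a-f]{4}|[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})$",
    re.IGNORECASE,
)


def validate_uuid(text: str) -> str:
    """Strip whitespace and reject anything that is not a filesystem UUID."""
    uuid = text.strip()
    if not UUID_RE.match(uuid):
        raise ValueError(f"not a filesystem UUID: {text!r}")
    return uuid


def mount_argv(uuid: str, mount_point: str = EXPORT_MOUNT) -> list[str]:
    """Build the mount command; any mount point other than EXPORT_MOUNT is refused."""
    if mount_point != EXPORT_MOUNT:
        raise PermissionError(f"export drives may only be mounted at {EXPORT_MOUNT}")
    device = f"/dev/disk/by-uuid/{validate_uuid(uuid)}"
    return ["mount", "-o", ALLOWED_OPTS, device, mount_point]


def mount_export_drive(uuid: str, dry_run: bool = False) -> int:
    """Mount the approved drive. Returns 0 on success, 2 if it is not plugged in."""
    argv = mount_argv(uuid)
    if not os.path.exists(argv[3]):
        print(f"drive {uuid} is not plugged in", file=sys.stderr)
        return 2
    if dry_run:
        print(" ".join(argv))
        return 0
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    sys.exit(mount_export_drive(sys.argv[1], dry_run="--dry-run" in sys.argv))
```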
.
RE[3]: This won't change
By Alfman on 2017-05-16 14:38:23
yerverluvinunclebert,

> Precisely. In the aero industry, a change in the development machine that provides the code that flies the plane means that plane has to be recertified. Not just that plane but every plane that might potentially use the new code. If you can retain the same machine then you have the same output and the cost is reduced by millions and possibly tens of millions.

That's a great example; the risk of botched upgrades is not acceptable for critical control systems where lots of money and lives are at stake. These systems should be hardened. Perhaps the operating systems should be on read-only media such that rebooting them brings them back into their certified state and only certified updates could be deployed with physical access.
Permalink - Score: 2
.
RE[2]: You don't understand the problem
By Chrispynutt on 2017-05-16 15:19:50
As much as I dislike the current government, there was a deal in place for extended XP support. However, the trusts didn't take it up: http://www.theregister.co.uk/201...

Now that's if you believe El Reg.

Also I agree with the analysis of our current gov's approach to destroying the NHS.
Permalink - Score: 2
.
A fresh start is needed
By sbenitezb on 2017-05-16 15:37:48
Writing bug free, compatible and performant software is both expensive and a slow process. The consumer market certainly doesn't appear to want software made with Ada and the most stringent engineering processes. Operating Systems, libraries and services are still coded in C, so go figure.

The fact is there are millions upon millions of LOC hiding all sorts of bugs and 0-days waiting to be exploited, in all major OSes. That can't possibly be solved anytime soon, and won't be in the future as long as our infrastructure is still developed the way it is. The only thing to be done is patch and pray. But every new LOC rushed and written in C comes with the possibility of new bugs. There's still hope Ada/Rust will catch on and newer systems will be developed with better languages, slowly replacing rotten bits.

BTW, it's been years and I keep having to double login to post a comment on OSNews. Time to fix the bug, you guys!
Permalink - Score: 3
.
RE[2]: Comment by FlyingJester
By Lennie on 2017-05-16 15:59:33
Actually, Microsoft is making it harder and harder to run their operating system(s) without an Internet connection (even just Windows connecting to the Internet).
Permalink - Score: 2
.
RE: Comment by ssokolow
By Bill Shooter of Bul on 2017-05-16 16:00:10
That's a horrible counter-argument. An old out-of-support version was too old to get the update because it hadn't been updated. Great. How is that MS's fault?

I think the argument there is "Don't use unsupported operating systems unless you really really have to and are supa careful on how they are used" (i.e. air-gap them, please!).
Permalink - Score: 2
.
RE[5]: You don't understand the problem
By Bill Shooter of Bul on 2017-05-16 16:20:59
I kind of doubt you didn't have any competitors that had more up to date software.
Permalink - Score: 2
.
RE: A fresh start is needed
By Alfman on 2017-05-16 16:39:01
sbenitezb,

> Writing bug free, compatible and performant software is both expensive and a slow process. The consumer market certainly doesn't appear to want software made with Ada and the most stringent engineering processes. Operating Systems, libraries and services are still coded in C, so go figure.

> The fact is there are millions upon millions of LOC hiding all sorts of bugs and 0-days waiting to be exploited, in all major OSes. That can't possibly be solved anytime soon, and won't be in the future as long as our infrastructure is still developed the way it is. The only thing to be done is patch and pray. But every new LOC rushed and written in C comes with the possibility of new bugs. There's still hope Ada/Rust will catch on and newer systems will be developed with better languages, slowly replacing rotten bits.


We know this, but most politicians, executives and the public at large don't know it and/or don't care. Unfortunately a large upfront investment to replace legacy platforms and code isn't politically workable even for the greater good in the long term. It's not just tech either, politics have generally been shifting towards shorter term agendas. An executive or politician is more likely to score points if they can bring costs down even if it prolongs our security problems indefinitely.


From an engineering perspective, our approaches to security are indefensible. I can't get over how inexcusably inept and stupid Visa and Mastercard's security for payments is. But from a business perspective the incentives are quite different, like how shifting the liability to merchants via PCI compliance programs can actually bring in more profits than fixing the flaws using robust crypto.


> BTW, it's been years and I keep having to double login to post a comment on OSNews. Time to fix the bug, you guys!

I reported that years ago. The login on the top right doesn't have this bug if you use it instead.
Permalink - Score: 2
.
RE[3]: Comment by FlyingJester
By Alfman on 2017-05-16 16:50:46
Lennie,

> Actually, Microsoft is making it harder and harder to run their operating system(s) without an Internet connection (even just Windows connecting to the Internet).


Yeah, they're especially pushing it on home/pro users, and it's probably going to get worse. But I would strongly hope that the specifications for hospital computers would ban "the cloud", because the internet going down is a predictable failure mode. Can you imagine a disaster like 9/11, when telecoms were disrupted, and then a hospital having to deal with an IT issue at the same time? That's not really acceptable.
Permalink - Score: 2