www. O S N E W S .com
Hit by WannaCry? No one to blame but yourself
By Thom Holwerda on 2017-05-15 16:18:18

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else who was affected by this attack - those still on Windows XP without paying for extended support, or even worse, people who turn automatic updates off?

I shed no tears for you. It's your own fault.

.
RE[8]: Comment by FlyingJester
By Lennie on 2017-05-16 20:49:29
Both IPSEC and OpenVPN have a periodic re-keying of the temporary session keys. So time is clearly used (but that is relative time, not absolute time. It's a timer).

You can do both OpenVPN and IPSEC with pre-shared keys or with certificates.

If time is a big issue, maybe a large pre-shared key can be done safely. Depending on the crypto used, pre-shared keys can be less safe than certificates if I'm not mistaken.

I once thought really long and hard about the embedded device problem. One thing that could help is to periodically save a timestamp. So you can't replay very old data. And obviously, don't use DNS for NTP. ;-)
Permalink - Score: 2
.
RE[2]: Responsibility
By dionicio on 2017-05-16 21:03:08
Got some photo shots of tremendously successful Rosetta Mission. Some Instruments showing XP welcome screens. Discipline, something you can't ask to anyone.

System Engineers should always consider that one, a rare asset.

Are You sure you can't run Windows10 out the swamp? As far as noted, passing networked activation, up to You.

Edited 2017-05-16 21:07 UTC
Permalink - Score: 2
.
RE[3]: Responsibility
By dionicio on 2017-05-16 21:14:47
Security On Legacy. Ha ha, good idea. Not Worth the trouble and expenses, to most.
Permalink - Score: 2
.
RE[3]: You don't understand the problem
By dionicio on 2017-05-16 21:37:14
Hospitals, Schools, should be built with caducity integrated, up to manpower. New ones always cheaper on maintenance.

Those wanting to extend age of retirement -well, they'll need to 'update' :-) Maybe some will prefer a career change. [recommending organic gardening]. Or go through PAID nursery school again. So easy for the true lovers of that discipline.

Just Trying to take the light side. Code wise, wasn't so grave, if well extended.

[Rosetta Mission Teams were 'reassigned' afterwards, just as example].

My point here is that the ETERNALLY TRANSMUTING INSTITUTION ends being the ETERNALLY LOW PERFORMANCE ONE.
Permalink - Score: 2
.
RE[4]: You don't understand the problem
By dionicio on 2017-05-16 21:44:42
[Even Microsoft Get This -LOW PERFORMANCE- issue. On Going back to the Home Button]. On a now general policy of STABILIZING. Who could have bet on a Linux console?
Permalink - Score: 2
.
RE[4]: You don't understand the problem
By dionicio on 2017-05-16 21:54:06
Hey! Teacher's Board: Needing a Generation XII. Still one available? Or, Are We the last? ;-)
Permalink - Score: 2
.
RE[4]: You don't understand the problem
By dionicio on 2017-05-16 21:59:32
The Eternally Transmuting is a Valid Pattern of Life, but an extremely expensive one. And That is Main Issue, right now and decades into the future.
Permalink - Score: 2
.
RE[3]: Comment by ssokolow
By dionicio on 2017-05-16 22:06:38
Jesus Christ! ssokolow :-)
Permalink - Score: 2
.
RE[9]: Comment by FlyingJester
By Alfman on 2017-05-16 22:26:52
Lennie,

> Both IPSEC and OpenVPN have a periodic re-keying of the temporary session keys. So time is clearly used (but that is relative time, not absolute time. It's a timer).

Relative time isn't a problem. It's that a network that's been running for years suddenly stops working because some battery died or NTP service became inaccessible or arbitrary date expiration on a certificate.


> I once thought really long and hard about the embedded device problem. One thing that could help is to periodically save a timestamp. So you can't replay very old data. And obviously, don't use DNS for NTP. ;-)

There is a way to avoid that, the client could use the hard coded root certificates to securely obtain the time from the root name servers. This would work and be secure. The main problem is scalability: a root server can't delegate the time function to other servers as with other normal DNS requests because the validity of delegation depends on having the correct time.

Using the root name servers to bootstrap time is not ideal, but it ought to be secure and technically feasible. They might even reduce the accuracy to +/- an hour to discourage their use for anything other than bootstrapping.


Another idea would be for IANA to designate some permanent IP addresses for dozens of time servers. This sounds like a hack on the surface, but when you think about it, this is how the DNS root nameservers themselves get bootstrapped. So it could be a pragmatic solution.

Another idea would be for computers to have built in time receivers
http://www.cl.cam.ac.uk/~mgk25/t...


We should always plan for the internet to break. For scenarios that can't fail, get a local battery backup time source :)
Permalink - Score: 2
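
An added illustration (not code from any commenter or from OSNews) of the saved-timestamp idea Lennie raises and the dead-battery failure Alfman describes: a persisted "time floor" lets a device reject credentials that expired before its last checkpoint even when its clock has reset. The class name `TimeFloor`, the file name, the status strings and all dates are hypothetical and constructed for the example.

```python
import json, os, tempfile
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

class TimeFloor:
    """Persisted 'latest time ever trusted' for a device with no reliable RTC."""
    def __init__(self, path, build_time):
        self.path = path
        self.floor = build_time            # time can never be before the firmware build
        try:
            with open(path) as f:
                self.floor = max(build_time, datetime.fromisoformat(json.load(f)["floor"]))
        except (OSError, ValueError, KeyError, TypeError):
            pass                           # missing or corrupt file: keep build time

    def checkpoint(self, now):
        """Call periodically with a trusted reading; the floor only moves forward."""
        if now <= self.floor:
            return False
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"floor": now.isoformat()}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)         # atomic rename survives power loss mid-write
        self.floor = now
        return True

    def check(self, clock_now, not_before, not_after):
        """Judge a credential's validity window against the clock and the floor."""
        if not_after < self.floor:
            return "reject-stale"          # expired before our saved time: old replay
        if clock_now < self.floor:
            return "clock-behind"          # RTC reset (dead battery): resync first
        if not not_before <= clock_now <= not_after:
            return "reject-window"
        return "accept"

def demo():
    """Constructed scenario: checkpoint, reboot with a reset clock, then judge peers."""
    path = os.path.join(tempfile.mkdtemp(), "time_floor.json")
    TimeFloor(path, utc(2017, 1, 1)).checkpoint(utc(2017, 5, 16))
    tf = TimeFloor(path, utc(2017, 1, 1))  # simulated reboot reloads the saved floor
    reset = utc(1970, 1, 1)                # example of a clock that restarted at epoch
    return [tf.check(reset, utc(2015, 1, 1), utc(2016, 1, 1)),
            tf.check(reset, utc(2017, 1, 1), utc(2018, 1, 1)),
            tf.check(utc(2017, 6, 1), utc(2017, 1, 1), utc(2018, 1, 1)),
            tf.checkpoint(utc(2017, 5, 1))]
```

The floor bounds replay to data newer than the last checkpoint; it does not tell the device the current time, so the "clock-behind" case still needs a trusted resync.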
.
RE[10]: Comment by FlyingJester
By Lennie on 2017-05-16 23:09:07
> Lennie,

> Both IPSEC and OpenVPN have a periodic re-keying of the temporary session keys. So time is clearly used (but that is relative time, not absolute time. It's a timer).

> Relative time isn't a problem.


That was also what I was implying.

> It's that a network that's been running for years suddenly stops working because some battery died or NTP service became inaccessible or arbitrary date expiration on a certificate.


> I once thought really long and hard about the embedded device problem. One thing that could help is to periodically save a timestamp. So you can't replay very old data. And obviously, don't use DNS for NTP. ;-)

> There is a way to avoid that, the client could use the hard coded root certificates to securely obtain the time from the root name servers. This would work and be secure. The main problem is scalability: a root server can't delegate the time function to other servers as with other normal DNS requests because the validity of delegation depends on having the correct time.

> Using the root name servers to bootstrap time is not ideal, but it ought to be secure and technically feasible. They might even reduce the accuracy to +/- an hour to discourage their use for anything other than bootstrapping.


Hardcoded root ? Euh, no the crypto/standards people will never allow that, keys have to be able to be rolled.

> Another idea would be for IANA to designate some permanent IP addresses for dozens of time servers. This sounds like a hack on the surface, but when you think about it, this is how the DNS root nameservers themselves gets bootstrapped. So it could be a pragmatic solution.

I know, there are other things that already have this.

They are a voluntary run 'anycast' and the routing regularly breaks. So I don't expect a new standard to adopt something like that.

> Another idea would be for computers to have built in time receivers
http://www.cl.cam.ac.uk/~mgk25/t...

I wonder if with the popularity of GPS (every smartphone has one) GPS is now cheaper to produce.

> We should always plan for the internet to break. For scenarios that can't fail, get a local battery backup time source :)

When you think about it, probably more than 95% of Internet runs on 2 time sources:

- pool.ntp.org (& depends on DNS)

- Windows default time source (& depends on DNS, I forgot the hostname)
Permalink - Score: 2
