www. O S N E W S .com
Hit by WannaCry? No one to blame but yourself
By Thom Holwerda on 2017-05-15 16:18:18

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else still on Windows XP without paying for extended support, or even worse, people who turn automatic updates off who were affected by this attack?

I shed no tears for you. It's your own fault.

.
RE[11]: Comment by FlyingJester
By Alfman on 2017-05-17 00:17:27
Lennie,

> Hardcoded root ? Euh, no the crypto/standards people will never allow that, keys have to be able to be rolled.

I'm not sure what you are thinking, but it is how web browsers and operating systems do it today. You can obviously add and disable entries manually or via updates or CRL, but they distribute tons of SSL root certificates inside the client (in FF the hardcoded root certificates are explicitly labeled "builtin object token" under advanced->certificates).

Anyways, my point was that these built in trusted certificates could be used for secure time validation in addition to other functions.


> I know, there are other things that already have this.

They are a voluntary run 'anycast' and the routing regularly breaks. So I don't expect a new standard to adopt something like that.


I admit, it's not an ideal solution, but it does get around the catch-22. I'm sure they had the same dilemma with DNS.


> I wonder if with the popularity of GPS (every smartphone has one) GPS is now cheaper to produce.

That's true, but GPS is notoriously weak indoors, I don't get a signal unless I stand at the window. The low frequency time signals would reach indoor embedded devices better than GPS. CDMA/GSM phones have time synchronization too, that might be an option too.

I don't think any of these has a significant advantage over IP solutions, other than keeping time synced during internet outages/air gaps. If the internet's out, maybe nothing else matters, but it might be useful for merchant terminals and whatnot.
Permalink - Score: 2
.
Thom did not know anything about software
By allanregistos on 2017-05-17 00:59:04
> If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it,

Yes and no. Yes for some small applications, but not possible with large software projects, porting maybe, given if the language is portable, but good only in theory.

THOM, you did not KNOW what you are talking about, I stop reading your post once I reached this nonsense. If you are not a software developer, stop pretending to be one.
Permalink - Score: 2
.
RE[3]: In other security news...
By winter skies on 2017-05-17 07:51:34
> [...]

Yea, I understand. Although personally I don't like that manufacturers present us with such a contrived choice in the first place. Owners should never be put in a position to depend on vulnerabilities to get the most out of their devices. :(


Indeed. I am sick of people pushing this false dichotomy and preaching that you can be safe only if you give up your freedom. It is not like that.
Permalink - Score: 2
.
RE[12]: Comment by FlyingJester
By Lennie on 2017-05-17 07:57:38
> Lennie,

> Hardcoded root ? Euh, no the crypto/standards people will never allow that, keys have to be able to be rolled.

I'm not sure what you are thinking, but it is how web browsers and operating systems do it today. You can obviously add and disable entries manually or via updates or CRL, but they distribute tons of SSL root certificates inside the client (in FF the hardcoded root certificates are explicitly labeled "builtin object token" under advanced->certificates).


Ahh, like that... well browsers get more regular updates than embedded devices (and browsers are frequently connected to the Internet to get the list of invalid CAs).

Hardcoded sounded like: static, can never change.

But DNSSEC does updates too and has a process for it:

https://www.icann.org/news/blog/k...

Install simple tool which handles it, done (which depends on time as well):

https://www.unbound.net/documenta...

A device made 3 (?) years ago which isn't going to get turned on (or not Internet connected) in another 2 years will not work though. By that time the new key is the only key the root will be using and the old 'hardcoded' key is the only one the device will have.

> Anyways, my point was that these built in trusted certificates could be used for secure time validation in addition to other functions.


> I know, there are other things that already have this.

They are a voluntary run 'anycast' and the routing regularly breaks. So I don't expect a new standard to adopt something like that.


I admit, it's not an ideal solution, but it does get around the catch-22. I'm sure they had the same dilemma with DNS.


> I wonder if with the popularity of GPS (every smartphone has one) GPS is now cheaper to produce.

That's true, but GPS is notoriously weak indoors, I don't get a signal unless I stand at the window. The low frequency time signals would reach indoor embedded devices better than GPS. CDMA/GSM phones have time synchronization too, that might be an option too.

I don't think any of these has a significant advantage over IP solutions, other than keeping time synced during internet outages/air gaps. If the internet's out, maybe nothing else matters, but it might be useful for merchant terminals and whatnot.


Anyway, the pool.ntp.org guys are saying something along the lines of:

how would you authenticate a public ntp-server pool anyone can join on a voluntary basis ?

Well, I guess you could use a CA-like set up like certificates do. It would bloat the NTP-packets a lot, would take a bit more CPU-time (thus making time less accurate ? At least for those servers under higher load). The bloated NTP-packets would also be great for DDOS reflection attacks. :-(
Permalink - Score: 2
.
If your car had a fault, the manufacturer would fix
By Pete.H.Dee on 2017-05-17 09:14:08
Yes - it's your fault in that it was entirely predictable. On the other hand the flaw was Microsoft's.

Today, if the car I own turns out to have a manufacturing/design flaw that's dangerous, the car company will recall and fix it - not tell me I should have bought a support contract or simply tell me to get a new model.

Bottom line software companies, for too long, have been getting away with the idea that any flaws (no matter how serious) in the product it sells you - is something the consumer has to simply accept with no redress. Perhaps it needs to be brought more in line with other industries.

Especially as software is becoming more critical.

Bottom line MS had the patch for XP but didn't release it - result people may have died due to delayed treatment in hospitals affected. If a car manufacturer had done that there would have been an outcry.

Yes, from a user perspective it was entirely predictable, but the flaw was Microsoft's responsibility and they had a fix and chose not to release it initially - that's not responsible.
Permalink - Score: 1
.
RE[4]: In other security news...
By Bill Shooter of Bul on 2017-05-17 13:29:01
Well, it's certainly true that you don't have to give up freedom to have a secure device. However, the options for that in a mobile phone are very limited at this point.

Heck, it's difficult just to get a secure device without freedom. Right now the options are...
iphone
Nexus/Pixel
Maybe Top of the line Samsung*?


I think Nexus/Pixel will also allow most freedoms (obviously there are some binary blobs there and closed source pieces that can't be replaced).

*Samsung phones are getting Android security updates, but they also have Samsung written software in them.
Permalink - Score: 2
.
RE: There is few Elephants everyone is forgetting about.
By dionicio on 2017-05-17 14:18:30
"Here is Microsoft again choosing that with Windows 7 and 8.1 not to provide updates if person is using newer cpus."

Remember when Microsoft charged you every X years with a new Windows? Now it's a rolling release.

Also when You had your ancient Windows and danced with it along successive generations of junk? Demanding Microsoft to keep the damn thing alive and well? Well, now you can't.

[As soon as Continuum effort started, they could not keep the old scheme of asking more and more hardware stamina].

This scheme achieves an ETHICAL balance, by allowing old equipment to slip down the food chain, and taking care of the planet, by not forcing planned trash dumping. Or worse, Linux trans-personalization ;-)

Edited 2017-05-17 14:22 UTC
Permalink - Score: 2
.
RE[13]: Comment by FlyingJester
By Alfman on 2017-05-17 14:28:33
> But DNSSEC does updates too and has a process for it:

https://www.icann.org/news/blog/k...

Install simple tool which handles it, done (which depends on time as well):

https://www.unbound.net/documenta...


A device made 3 (?) years ago which isn't going to get turned on (or not Internet connected) in another 2 years will not work though. By that time the new key is the only key the root will be using and the old 'hardcoded' key is the only one the device will have.


It's not that bad, take a look at the validity window of the root certificate used by the certificate authorities themselves: Amazon's goes from 2015 to 2038. Comodo's goes from 2010 to 2038.

So it will take a while before these hard coded certificates become invalid.

( year 2038 isn't arbitrary but is the date that UTC time wraps around, a sort of Y2K problem:
https://en.wikipedia.org/wiki/Yea... )


Anyways, for the purposes of booting DNSSEC, you could just use the same certificates to validate time regardless of where you store them or when they're updated.
Permalink - Score: 2
.
RE[5]: This won't change
By dionicio on 2017-05-17 15:00:30
Obviously the NHS nightmare happened at the "Office" side of IT. Extremely Lousy Certification [Or no Certification at all] happened there.

Judiciary assessment pending at that -would like to think- lack of professionalism.

As you said: No Hardening occurred there...

Edited 2017-05-17 15:04 UTC
Permalink - Score: 2
.
RE: Wait ...
By fmaxwell on 2017-05-17 15:40:18
> So Thom is blaming the victims here?

They aren't the victims. The victims include the thousands of patients whose surgeries and medical appointments had to be canceled as a result of hospital computers being taken down by WannaCry. Unlike the morons that failed to secure their computers, those patients did nothing wrong.
Permalink - Score: 2

© OSNews LLC 1997-2007. All Rights Reserved.
The readers' comments are owned and a responsibility of whoever posted them.