Linked by Thom Holwerda on Mon 15th May 2017 16:18 UTC

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else still on Windows XP without paying for extended support, or even worse, people who turn automatic updates off, who was affected by this attack?

I shed no tears for you. It's your own fault.

Thread beginning with comment 644233
Car analogy
by Kancept on Mon 15th May 2017 16:40 UTC

I have to disagree with the car analogy. When I buy a car, sure I do consider tires and such as things I have to get. But there are two key things here.

#1 Microsoft didn't make the tires or oil.

#2 I can get those parts from others. I don't have to go to Microsoft to get them.

Automotive manufacturers have to make sure their vehicle is safe after they make it, even years after they stopped support. If this mechanism fails, it is the manufacturer's responsibility to issue a recall on it. And no, they don't charge for it either.

So, while your car analogy is close, it doesn't fit this model. Or maybe it does, but you are addressing the wrong part of it. Microsoft should be making the patch available as a security and safety mechanism for all of its customers, just as car manufacturers do.

As an aside, I'm not a Windows user. MacOS, Fedora, and Haiku at home, thanks.

Edited 2017-05-15 16:41 UTC

Reply Score: 1

RE: Car analogy
by tidux on Mon 15th May 2017 16:54 in reply to "Car analogy"

You can do all that yourself with an out of support Linux distro, assuming you can find someone to audit the code and backport patches, but if you've got the source code to your Linux applications around (and really, you should), you can just rebuild for a newer release if it stops working.

Yes, this is a hugely different model of OS and application lifecycle and deployment than the IBM and Microsoft one, but it also works. It also has the advantage of not forcing super strict binary compatibility on the OS. If the ABI changes, rebuild and redeploy.

Reply Parent Score: 3

RE[2]: Car analogy
by FlyingJester on Mon 15th May 2017 17:34 in reply to "RE: Car analogy"

This can work, but just as often you will be left with some applications that randomly crash because you did not realize that some dependency existed, or because some newer version of a library is API compatible, but has different behaviour than before.

Just using a rolling release system is far better.

Gentoo is also an alternative that fits what you describe. And despite what people may think, it's easier to keep Gentoo working than to be updating and rebuilding all your software manually. Doing it manually, you will need to know everything it takes to make Gentoo work (and more), and you will find yourself in many weird situations that absolutely no one else has ever seen.

Reply Parent Score: 2

RE: Car analogy
by Kochise on Mon 15th May 2017 19:36 in reply to "Car analogy"

When a car producer leaves security holes in their models, or uses tricks to pass pollution tests, it's not because the car isn't produced anymore that the car producer should be held off its obligations and put all responsibilities on the user.

Sure the user can be a bad driver and can cause problems by itself. But if the security holes are the car producer's fault, it's its liability to provide fixes. And fixing software is not the same cost as fixing cars.

You get richer with software (Microsoft, Apple, Oracle) than cars (General Motors) for a reason. So claiming the users should upgrade at their expense because the software producer decided the architecture ain't worth anymore, wadda wadda, this is lies.

With so many coders out there, with good coding practices available for years and for free, there's no excuse some software is still coded with the foot. Remember the 2K problem that cost users billions on software producers' incapability to provide secure and well crafted software in the first place?

I'm not going to fall into this fallacy and feel at fault. Those companies get enough money for little evolution (IE6 anyone?) so stop believing in this mythology. You think software is a top value product? Look how flawed it is, like it is released in a rush with only little testing beforehand.

Aren't there enough white hats out there to work with/at Microsoft to test bench the software with complete regression testing suites nicely handcrafted for years and decades? Obviously the NSA doesn't have a problem hiring black hats to find exploits. Amurica Freedumb!!1! So better than the rest of the world.

Thanks for the legacy exploits, thanks for ransoming users to upgrade their software to correct them.

Edited 2017-05-15 19:38 UTC

Reply Parent Score: 4

RE: Car analogy
by nicubunu on Tue 16th May 2017 06:03 in reply to "Car analogy"

There would also be the part when after a tire change your car would suddenly start spying on you.

Reply Parent Score: 6