Linked by Thom Holwerda on Mon 15th May 2017 16:18 UTC
Windows

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those mean you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else still on Windows XP without paying for extended support, or even worse, people who turn automatic updates off who was affected by this attack?

I shed no tears for you. It's your own fault.

Thread beginning with comment 644242
To read all comments associated with this story, please click here.
Responsibility
by Alfman on Mon 15th May 2017 17:41 UTC
Alfman
Member since:
2011-01-28

Thom Holwerda,

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those mean you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.


There's no denying this was very bad for the hospitals and patients affected, but I don't think we have the whole picture here. Many of them may be stuck between a bureaucratic rock and hard place. Their system administrators can't just update systems willy-nilly like another business or home user could. These systems may require certifications and modifications would likely void those certifications.

For it's part, microsoft does not guaranty the suitability of windows or updates for any purpose, things can and sometimes do break. The vendors who certify machines can't realistically certify a windows system with windows updates, it would be prohibitively expensive to re-certify millions of computers every patch Tuesday when they get updates. Clearly some solution is needed, I'm not sure what it would look like. I'd like to hear the perspective of someone who's dealt with these kinds of issues.

However none of this would have likely mattered in this particular case because they were zero day exploits anyways. The NSA is directly to blame for them and the software engineers are to blame for the poor quality of software in the first place. I'm surprised you aren't blaming them (and us) more. Whoever creates these exploits, be it indy hackers or government agencies, these zero-days are a widespread problem. Updates, while important, are inherently a reactive solution. The only way to fix this once and for all is to take a proactive stance and demand safer code from project managers, software engineers, and even computer languages.


There are armies of C coders who will complain that vulnerabilities are the fault of bad programmers and not computer languages, but we can't ignore the fact that unsafe languages semantics have been enabling human mistakes for 40+ years. No language can fully save us from our high level programming mistakes, however they can protect us from many low level mistakes that continue to plague us. If we don't have a plan to replace unsafe languages or at least limit them to areas that can be fully audited and contained, then our software will still continue to be insecure 40+ years from now.

Edited 2017-05-15 17:46 UTC

Reply Score: 5

RE: Responsibility
by flav2000 on Mon 15th May 2017 19:42 in reply to "Responsibility"
flav2000 Member since:
2006-02-08

Thanks for pointing that out.
Hospitals are stuck between a rock and a hard place in particular.

Many diagnostic machines like X-Rays, MRI etc are quiet expensive and cannot be upgraded easily. Upgrading means certifying the device from top to bottom and no manufacturer is going to do that. To make things worse all the push to make data readily shareable and digitally available means that all these insecure devices are now part of the network. If there is a dollar available that money will inevitability end up on new feature rather than securing systems.

The same happens on manufacturing plants. That's why big names like Nissan and Hitachi got hit. Many old style PLCs and robotics don't have support for newer OSes (many even are still stuck on Win2k!). Shutting down a working factory for security upgrades is a non-starter both in terms of cost and potential issues (it is working fine right at this moment but you may break it by updating). A lot of these are exposed to the network b/c of need to automate monitoring and what not. Again features over security.

Consumer-wise I would say yes they're to blame - there are however many places in the world where using the latest patches is just not possible under the current schema. Hopefully there will be push to change things for the better but it's not a situation that is easily fixable.

Reply Parent Score: 4

RE[2]: Responsibility
by dionicio on Tue 16th May 2017 21:03 in reply to "RE: Responsibility"
dionicio Member since:
2006-07-12

Got some photo shots of tremendously successful Rosetta Mission. Some Instruments showing XP welcome screens. Discipline, something you can't ask to anyone.

System Engineers should always consider that one, a rare asset.

Are You sure you can't run Windows10 out the swamp? As far as noted, passing networked activation, up to You.

Edited 2017-05-16 21:07 UTC

Reply Parent Score: 2

RE: Responsibility
by mistersoft on Tue 16th May 2017 10:29 in reply to "Responsibility"
mistersoft Member since:
2011-01-05

Really?

I'm surprised Alfman - sure if computers are being "certified" for running e.g. medical imaging equipment - with Windows Update turned off - then SURELY they should not be networked !?

Have a sandboxed secondary drive that is write only used for exporting the data from the primary drive
Have a strict SOP that the IT guys supply the UUID number for the drive (and a little utility for the untrained to enter this - that mounts it write only at a specific mount point and refuses to mount elsewhere, or with other privileges - system wide)

Then physically move it to a 2nd computer terminal beside it that is networked; do this once or even twice a day with a fresh External USB each time. 1TB 2.5" drives are only $50 each now - which is relatively negligable vs cost of imaging 6 - 12 patients on MRI/PET scanners

would this not be a safe-ish workaround. If you're needing to keep to the certification model.

Reply Parent Score: 2

RE[2]: Responsibility
by Alfman on Tue 16th May 2017 14:01 in reply to "RE: Responsibility"
Alfman Member since:
2011-01-28

mistersoft,

Really?

I'm surprised Alfman - sure if computers are being "certified" for running e.g. medical imaging equipment - with Windows Update turned off - then SURELY they should not be networked !?


I'm confused what you are responding to, however I agree these computers need to be cut off from the outside world. A lot of equipment still needs to be "networked" internally though in order to provide patient care.

Have a sandboxed secondary drive that is write only used for exporting the data from the primary drive
Have a strict SOP that the IT guys supply the UUID number for the drive (and a little utility for the untrained to enter this - that mounts it write only at a specific mount point and refuses to mount elsewhere, or with other privileges - system wide)

Then physically move it to a 2nd computer terminal beside it that is networked; do this once or even twice a day with a fresh External USB each time. 1TB 2.5" drives are only $50 each now - which is relatively negligable vs cost of imaging 6 - 12 patients on MRI/PET scanners

would this not be a safe-ish workaround. If you're needing to keep to the certification model.


There are a lot of possible solutions, but ideally it shouldn't get in the way or real time data. I read somewhere that ebay or amazon (can't remember which, I wish I could find the article again) deliberately processed credit card payments through a very basic serial protocol to mitigate the risk of network and OS attack vectors. Even if the OS had known vulnerabilities it would be extremely difficult to exploit them through a basic serial protocol.

Reply Parent Score: 2