Linked by Thom Holwerda on Mon 15th May 2017 16:18 UTC
Windows

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it; that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else who was affected by this attack while still on Windows XP without paying for extended support, or, even worse, with automatic updates turned off?

I shed no tears for you. It's your own fault.

Thread beginning with comment 644326
RE[3]: Comment by FlyingJester
by Alfman on Tue 16th May 2017 16:50 UTC in reply to "RE[2]: Comment by FlyingJester"

Lennie,

Actually, Microsoft is making it harder and harder to run their operating system(s) without an Internet connection (even just Windows connecting to the Internet).

Yeah, they're especially pushing it on home/pro users, and it's probably going to get worse. But I would strongly hope that the specifications for hospital computers would ban "the cloud", because the internet going down is a predictable failure mode. Can you imagine a disaster like 9/11, when telecoms were disrupted, and then a hospital having to deal with an IT issue at the same time? That's not really acceptable.


RE[4]: Comment by FlyingJester
by Lennie on Tue 16th May 2017 17:11 in reply to "RE[3]: Comment by FlyingJester"

Cloud services are a good example.

The experiences I had were with Windows servers.

Some of the Microsoft software is built in .NET and uses code signing, and Windows checks the certificates. To check the certificates on that code it needs an up-to-date Certificate Authorities list or Internet connectivity (it does automatic downloading). Sometimes... CA-list updates are actually not included in the Windows updates (without an Internet connection, you need an update server as well, of course).

So what do you get? If a server reboots, for example, the server software won't start because the CA list is too old and it can't automatically download an update.

In theory it should never happen, but it has already happened several times.


RE[5]: Comment by FlyingJester
by Alfman on Tue 16th May 2017 17:44 in reply to "RE[4]: Comment by FlyingJester"

Lennie,

Some of the Microsoft software is built in .NET and uses code signing, and Windows checks the certificates. To check the certificates on that code it needs an up-to-date Certificate Authorities list or Internet connectivity (it does automatic downloading). Sometimes... CA-list updates are actually not included in the Windows updates (without an Internet connection, you need an update server as well, of course).

So what do you get? If a server reboots, for example, the server software won't start because the CA list is too old and it can't automatically download an update.

In theory it should never happen, but it has already happened several times.

That's an interesting point; there are unexpected failure modes everywhere, and it's easy to overlook those things when everything is working.

Sometimes we sign SSL certificates with arbitrary expiration dates in the future that we'll very likely forget about (it will probably be someone else's problem).

Several weeks ago an offsite computer wasn't responding; apparently it didn't power on automatically as it always had before. It's a few hundred miles away and I haven't gotten a chance to diagnose it yet, but I am thinking it may be the CMOS battery, which not many of us give much thought to.

Like many administrators, I rely on 3rd party DNS blacklisting for spam classification, but those could fail or get compromised, causing widespread denial of service.

All these what-ifs are why certification is so important and so expensive in critical systems.

Edit:
I just remembered about OpenVPN's use of SSL certificates... off to check whether it ignores the dates or if that's a potential failure mode in the future!

Oh crap, it is a failure mode, and OpenVPN's official stance is that they won't give users an option to ignore time, even on servers where there may not be a reliable time source.
https://community.openvpn.net/openvpn/ticket/199

Time validation is correct by default, but it introduces a new failure mode in routers that don't have a clock source... the VPN will work fine until there's an NTP failure.

Edited 2017-05-16 17:56 UTC

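An added illustration of the failure mode Alfman describes above, and of the forgotten-expiry problem mentioned earlier in the comment (example code, not OpenVPN's and not from anyone in this thread): a constructed self-signed CA is checked with Go's standard X.509 verifier at three clock values, showing that a box whose clock has reset to 1970 fails in exactly the same way as one whose certificate has run past its expiry date. The names buildSelfSigned, timeCheck and example-vpn-ca are the example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildSelfSigned makes a constructed self-signed CA valid over [notBefore, notAfter] (a stand-in for a VPN CA).
func buildSelfSigned(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-vpn-ca"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// timeCheck validates cert as its own trust anchor at clock value now; timeErr is true when the only
// failure is the validity window, which is exactly what a box whose clock reset to 1970 runs into.
func timeCheck(cert *x509.Certificate, now time.Time) (ok, timeErr bool) {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	if err == nil {
		return true, false
	}
	var inv x509.CertificateInvalidError
	return false, errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	nb := time.Date(2017, 5, 16, 0, 0, 0, 0, time.UTC) // constructed validity start
	cert, _ := buildSelfSigned(nb, nb.AddDate(10, 0, 0))
	for _, clock := range []time.Time{nb.AddDate(1, 0, 0), time.Unix(0, 0).UTC(), nb.AddDate(11, 0, 0)} {
		ok, timeErr := timeCheck(cert, clock)
		fmt.Println(clock.Format(time.RFC3339), "ok:", ok, "validity-window error:", timeErr)
	}
}
```

A router without a battery-backed clock that boots before NTP has synced sits at the second of the three cases, so a sanity check on the clock before starting the tunnel is the mitigation this points to.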