Lessons from last week’s cyberattack(blogs.microsoft.com) |
Victim blaming at its finest.
Did the Microsoft President just confirm that the NSA developed the vulnerability which led to the attacks on hospitals this weekend?!
Where did he do that? He said they found it and kept it for themselves, but not that they injected it into Windows.
And about the whole thing, I would rephrase it to "many users learned the hard way why security updates are important".
But it is nice that Microsoft advocates a "digital Geneva convention", even though I doubt anything will really change.
This is a bad analogy. The solution to people stealing your Tomahawks is to guard your goddamn bombs. A better analogy would be the U.S. military seeing Al Qaeda has a bunch of Tomahawks and doing nothing because they might be aimed at ISIS.
>A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally.
They stopped supporting Windows XP years ago, including with security updates.
There are still around 100 million computers around the world running XP.
It seems irresponsible to just leave them to hang out to dry when there are that many machines out there running it. A virus seems inevitable if they do. And shifting the blame onto the customers is not reasonable when there are still 100 million customers who are "doing it wrong" by not upgrading to a later version of Windows.
This entire article pertains to directly shifting the blame onto their customers, and the governments of the affected countries (!)
>The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect
Again, XP systems are the most affected, and there was no patch released for XP. This is extremely irresponsible of Microsoft and this article shifting the blame onto everyone but themselves is reprehensible.
Their product design doesn't emphasize security. For example, remember the extremely convenient AUTORUN.INF feature? That has probably resulted in billions of dollars lost and that number continues to grow every day.
Rendering fonts on the kernel... fantastic idea! What's the next great Microsoft idea? Continue to buy their products and figure it out.
Customers like this are why we now have Windows 10, where you're force-fed updates and the OS will change under you instead of the change being an upgrade to a new major version that you can delay for years. (Which I'm not happy about, but I can see its benefits on that scale.)
The best argument for Microsoft doing wrong here might be that they limit their (expensive) super-extended support to large organizations. Since they do the work, keeping a few boxes with special hardware patched should be an option for smaller shops as well (and is IMHO easier to defend than keeping a large network full of XP desktops running because ?)
The XP support schedule was available from day one. These companies knew exactly what they were getting into. Microsoft even extended the support period for XP on several occasions. It's galling that we as software professionals see this as malfeasance by the entities still running XP. They've had close to a decade to upgrade. Software is not a durable asset; it comes with an expiration date on the box.
This isn't just about security patches; there are pieces of XP that are fundamentally insecure, which is partially Microsoft's fault, but on the other hand the driver model, which is one of the weakest parts of XP, is the thing that kept many of these companies from upgrading.
Consider a discontinued product from another industry, like a car or an appliance. When the product is discontinued, the manufacturer only creates replacement parts for existing machines for a limited time period. After some years, it's difficult for a consumer to maintain their copy of the discontinued product because it is difficult to find replacement parts.
The point is, mass-produced engineering products have lifecycles. Microsoft clearly defined (and extended) Windows XP's lifecycle and provided patches for the entirety of that lifecycle. It's hard for me to understand how that doesn't fully meet their obligations to be fair to their customers.
Maybe when cars become more computerized(?) and connected, they will become unusable faster.
This has similarities in type, if not in horror, to the development and subsequent spread of nuclear weapons. When we lost control of those secrets, it was a BFD [0].
But the NSA are - by definition - supposed to be security experts, so what are they doing letting themselves get hacked? They have effectively given away the nuclear football.
I'm shocked we're not seeing more blame in their direction on this one.
Microsoft has done NOTHING to show that things have changed since they colluded with the NSA on PRISM (https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-...), and so anyone who believes that things have changed is a moron.
Remember, head executives at Microsoft are essentially part of the "shadow government" as they were privy to 1984-style surveillance that even much of congress was unaware of until the Snowden leaks. People at MS knew and said nothing. Executives at MS are closer to the NSA than most of congress. Let that sink in.
The problem lies in our defensive infrastructure and our ability to roll out patches responding to incidents.
It also lies in our security infrastructure: that cryptoworms are a danger speaks to a fundamental lapse in permission and process management systems.
The problem is corporate IT (or management) think they can create some sort of stable environment, driven by fear of having things break. Organizationally they need to accept that they are operating in a dynamic and hostile ecosystem and that the risk of worms is higher than the risk of some random app breaking on a Windows patch.
Microsoft is responsible for their shit software getting exploited first and foremost. Seriously fine Microsoft and by the day after tomorrow that 3500 security engineer number will jump to something realistic.
Instead what will happen is more tightening of the walled garden, overcharging of support/security contracts and propping up of another billionaire or two. I can hear the whisky glasses clinking.
Corporations do not get to set the agenda and the narrative. When they are allowed to, the results are very predictable - in this case Microsoft will make more than they lose. Who here disagrees that this is going to happen? And who here believes that is right?
The answer is simple: whether it's Microsoft today or Facebook and Google tomorrow, win-win should not be an option when such things happen.
There's plenty of blame to go around to be sure, but giving the NSA a pass for developing zero days is batshit insane. These guys are playing god instead of helping make infrastructure more secure overall, and it will not end well, even if they outcompete the Chinese or whatever other bogeyman they cook up to justify their power grab.
You know what? I'm starting to get excited for the walled garden to get more walls.
Native desktop applications get far too many permissions by default - it's crazy that any desktop application, once running, can register itself at startup, see all my files (created by any application), register system-wide keyloggers, take screenshots of other applications and download my contacts list, all without my permission. We don't let web apps do that, because web app developers aren't trusted by default. We don't let mobile apps do that, because mobile app developers aren't trusted by default. Why on earth do we implicitly trust any executable file run on the desktop so much?
Telling users not to double click on executables is obviously not working. Even for experienced users I have no idea whether some random app on the internet is trustworthy. It's a reverse lottery. I also suspect ransomware like this one would have been slowed down if it needed explicit user permission to read & modify files on disk.
We even know what the sandbox should look like, because we have two working examples in the form of the web and mobile. And we have sandboxing support & APIs in most operating systems. We're just missing the UI part.
I'm imagining something like:
- All apps get signed by the developer (Lean on SSL? Not sure the chain here.)
- The app needs to request capabilities from the user, like on iOS. "App X by Y developer wants permission to read the files in your home directory". (/ Read your contacts / Register at startup / Take screenshots / Modify these files).
- Capabilities can be viewed and revoked at a system-wide level in the control panel / system preferences.
Do we fine the person who committed the faulty logic, the reviewers, the entire community who "peer reviewed" it?
The point is: the NSA caused this particular problem. Steps should be taken by everyone to ensure something like this doesn't happen ever again.
This is an absurdly naive viewpoint. How are they responsible? What is their responsibility? How is it their responsibility when a state-funded group/actor targets their software and finds an exploit?
At some point you have to realize that 0days will always exist. It is an impossible task to expect software developers to ship perfect software.
They ostensibly maintain their capability to protect us, but this is a clear example of them failing to protect us. The focus on offensive posture is all macho and typical military industrial bluster. My point is that the offensive cyber capability is more about dick length than keeping the country safer.
Never mind that the internet is a global shared resource that works best when we work together.
Also, MS haters are doing some pretty fantastic replays of the hits in this thread. I get that you don't like them, but "kill Microsoft" isn't the answer. Maybe there needs to be a model for assigning cost to vulnerabilities like this...to Microsoft and the NSA. Make them account for this in monetary terms and you will see change.
Are you saying that the choice was made by the NSA, who failed to report it, or suggesting that Microsoft colluded in keeping a known exploit open?
The problem is Microsoft, who wrote the exploitable software in the first place.
Most services in Windows are run under two privileged user accounts (LocalService or NetworkService). Many of them are enabled by default and are listening on ports on the external interface, so the potential attack surface is large.
Microsoft uses programming languages like C++ that are very complicated, and a little mistake can lead to vulnerabilities like stack overflow, use-after-free, etc.
Microsoft (and most companies) prefers to patch vulnerabilities with updates rather than take measures that would reduce the attack surface.
Oh, and by the way, Linux has similar problems. In a typical Linux distribution a program run with user privileges is able to encrypt all of the user's files, access the user's cookies and saved passwords on all websites, listen to the microphone and intercept keystrokes.
It's definitely not end-users either. There's a grocery store that just went up nearby that I saw a Windows XP splash screen on when one of the cashiers rebooted. No joke, new store, Windows XP computers that handle money. Microsoft may have cultivated this nightmare, but it seems everyone wants to live in it.
Windows 7 is in extended support to 2020. So as far as I know, security-wise it's still up to date.
> There's a grocery store that just went up nearby that I saw Windows XP splash screen on when one of the cashiers rebooted.
The cash register may even be running with a user interface written in VB6. Don't attach it to an external network and it will work just fine. No need to invest in new hardware/software when you can get it old, working and cheap.
> Windows XP computers that handle money.
In what way do they handle money? A computer virus isn't going to steal paper money and the device operating the card reader should have been sufficiently separated to begin with.
I would rather see it used to leverage an opinion against back doors and surveillance culture, but alas this is merely administrative incompetence and failure to either upgrade or airgap systems which have had a clock ticking on them and plenty of notice from the vendor to sort. The buck should stop at the trust's IT directors, as this was entirely avoidable with a properly managed estate.
There are at least 50 different releases of Windows 10 alone, and it's hard enough to find which is actually used.
The "System" dialog shows "Windows 10 2015 LTSB". "Winver" on the command line shows "Windows 10 2015 LTSB build 10240" - but there are several releases of that and only the latest ones, e.g. from 10240.17236 and up, have the patch - but I can't seem to find which one I have.
I don't doubt I have a patched version, but out of curiosity I'd just like to double check.
https://support.microsoft.com/en-us/help/4013429/windows-10-...
EDIT: Or KB4012606 / KB4013198 for older Windows builds.
Further, all of the major infections are based on Windows XP. Windows XP mainstream support ended a full year before the first gen iPhone was out! It's seriously ancient and there are very few excuses for people to have this crap on a network in 2017. For the folks who don't run XP, but got infected because they didn't patch? No excuses.
If I booted a RedHat (5.2 came out in 2009ish) or FreeBSD machine from 2009 without patches, and put it on the internet, I'm pretty sure it'd be hosed just as bad (shellshock, heartbleed, ?). The difference is, everyone would tell me I'm an idiot for putting a machine online from 2009.
As a tongue in cheek (but totally true) correction, FreeBSD from 2009 would NOT be vulnerable to the shellshock vulnerability unless you explicitly install `bash` and make it the shell used by apache-cgi.
By default, FreeBSD lacks bash.
FWIW, I do hold FreeBSD in high regard. It's just that expecting perfection security-wise from complex systems is a fool's errand.
Servers are much less vulnerable for a number of reasons:
1) People managing and configuring them are more security conscious than the vast majority of people. Come on, nobody downloads an email attachment or connects a USB they found in the parking lot to a server.
2) It's much cheaper to keep a server updated than a thousand Windows clients.
3) Like whitefish pointed out, even in the worst case scenario you can restore a backup and keep on truckin'.
But yeah, definitely. It's pretty damned unlikely that an OpenBSD backup server would get wormed, unless an ME exploit is involved.
This whole incident is really raising the profile of the creation of "cyber weapons".
They aren't like physical weapons with physical controls -- they are digital; controls and costs to copy/distribute are more like digital music than anything a Government organization is used to.
In that thought experiment, what could be the possible reason for attacking themselves so hard? Well, to give themselves more plausible deniability (and the whole attack would be done as an attempt to discredit the NSA)... but also to justify an agenda of technological sovereignty. Russia is in a tug of war with American corporations over where data is stored and they've even blocked the Microsoft-owned LinkedIn. It's impossible to find an alternative to Windows (considering Russia is such a big PC gaming country), but who knows in 10-15 years.
The real question is why a hospital is still running Windows XP even though it's not supported by its own vendor.
The answer is vendor lock-ins. The upgrade is not a matter of a simple command. Upgrade cost involves more licenses and hardware upgrades (which are not needed, as old hardware is fine, but this is how things work between Microsoft and HW vendors). It's like you need to buy a new watch to apply DST summer time.
Also Microsoft and old school desktop software vendors used to make sure the switch or upgrade cost is really high, e.g. by using non-standard formats, to lock users from switching to Mac or Linux.
If you remember active x and internet explorer specific vbscript...
If you use free software from an expensive but decent vendor like Red Hat, you can upgrade software on the same hardware.
And if the software was expensive you can switch to CentOS, Scientific Linux or pay anyone to handle that for you at a fair rate. There is no vendor lock-in. Everything is standard and there is no vendor lock-in.
> I see three areas where this event provides an opportunity for Microsoft and the industry to improve.
Fixed version: I see three areas where this event provides an opportunity for Microsoft, the industry, and government to improve.
To be fair, he does go on to point out how this is partly the fault of poorly conceived government policies, namely the NSA's foolish practice of stockpiling exploits. But Microsoft and the industry should keep the heat on the government about this at every opportunity, because the horrifically bad and analogous idea of having government master keys is still being pushed forward.
Perhaps EOL should be literal. The software kills itself and does not function.
The lesson I'm getting is our software can become malicious, and that malice can spread like wildfire. Is a company obligated to patch any wildfire type of bug forever? Is that a cost of proprietary software? Or is setting a date for its death the cost?
I think aging proprietary software has a much greater chance of becoming a weapon than it does becoming inconveniently obsolete. So forcing a company to release the code as free and open source software upon EOL date, I think just enhances the chances that it gets weaponized. There's a greater incentive to find exploits than to fix them, in old software.
Another lesson is most people really shouldn't be using Windows. If you can't afford to pay Microsoft to keep your software up to date, then use something that's FOSS and is up to date. (Same rule applies to Apple, if you can't afford new hardware in order to run current iOS/macOS versions that are being maintained, then don't buy stuff from Apple anymore.)
Would organisations with very conservative attitudes to upgrade paths or a requirement to run an older OS version have suddenly been patching nightly?
Would the exploits used have been identified and patched prior to their malicious deployment?
Would organisations with a vested interest in stockpiling exploits have elected to immediately notify projects' maintainers?
The answer to these swings wildly between 'maybe' and 'probably not', so the eventual endpoint is likely largely the same. It's a compound issue brought about by a chain of decisions made by disparate organisations, and using it as a stick to beat Microsoft or proprietary vendors in general with is missing a very important point -
Security is the responsibility of everybody involved, from vendors and the government, all the way down through to the people innocently opening infected attachments.
Most probably it's due to the high variety in kernels, versions and the subtle differences in Linux distributions.
We know they have written such things as part of research. But still they continue to release software that is unfinished.
They have trained their users that failure to update is fatal. No doubt, if they are using Windows.
They also like to conflate "update" with "upgrade". They use these security problems in Windows to scare people into upgrading.
Windows 10, whether they like it or not. As others have noted, by design the new versions are not safer than the old ones.
Retroactively fixing reported issues does not make a new version more secure by design. They could just as easily fix the issues in the older version.
Can this company get anything right the first time? Will they ever design a system that is secure?
Do they have any interest in doing so?
Are they incapable?
There is nothing wrong with releasing something simple, secure and finished.
Does MS believe Windows users are not worthy of a secure OS?
I think Microsoft Research have contributed to development of L4 systems that run on baseband.
Do these systems have the same vulnerabilities as Windows?
Fixing problems after they occur (past problems) is admirable, but other free, open source OSes written by volunteers accomplish the same thing. The question is whether the design of the system is such that future problems are avoided.
Does Microsoft believe Windows users deserve more security? Can Microsoft deliver it?
All indications suggest the answer to both questions is no.
With no viable alternatives, no one can blame Windows users for sticking with it despite red flag after red flag, but it makes no sense to defend the Microsoft approach to security for Windows users. The company has no respect for Windows users.
Being responsive to a constant stream of reported vulnerabilities is an improvement from 1995 but as we can see it is not enough. Their software is still full of mistakes. They need to prove they can make something that is secure by design and that they are willing to do so for users.
(Truthfully, they probably do not need to do anything.
Quotes of 80% of Windows installations being tied to purchases of hardware are probably not far off the mark.
There is no selection of OS by most computer users.
A majority of users still get Windows pre-installed on the computers they purchase.
Microsoft could completely ignore users and it would not hurt their business, as long as they continue to maintain relationships with hardware manufacturers.)
Yes, but as free software, it inherently has better solutions.
Using a proprietary operating system is like driving a car only the manufacturer is allowed to fix. You don't get to fix the flat tire, and when the manufacturer drops support, you have to buy a new car. If you don't, these situations leave you stranded.
Are you saying all of the major operating systems have poor security because they use "vulnerable" languages?
Absolutely.
You know, not too long ago, Linux used to run NFS on ring 0 too.
There was a good reason for those things, you can find them on the performance comparatives between CPU and network at the time.
https://thenextweb.com/microsoft/2015/09/11/microsoft-is-aut...
This one consumes several gigabytes on my C drive without my permission.
https://www.tenforums.com/windows-updates-activation/55185-w...
This one acts like malware.
And this one: http://www.pcworld.com/article/3039827/windows/7-ways-window...
I don't know why I'd choose an operating system that does that.
It pushed some telemetry updates, which arouses some privacy concerns (only after Microsoft's aggressive attitudes about Windows 10 promotion, before that I was OK with its telemetry updates. I'm aware sometimes telemetry tracking means good.)
And much more.
All of these behaviors make me think that I'd rather lose my data than suffer from these "features".
Me either. Stop using Windows.
And how sure are we that they didn't install security updates out of sheer laziness or hubris?
People who run systems that store sensitive information should take computer security more seriously than the people on Hacker News. I would never allow my smartphone, let alone computers and servers, to run unpatched software. Why is this acceptable for people who have critical systems and data?
Especially if the company that develops the OS in question shows a track record like this one: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=microsoft+w.... (Security)
I also wonder how long it will take before the shiny new anti-piracy instruments will be abused by a member of the intelligence community, a low-level politician or perhaps embedded into desktop OSes. http://pimg-fpiw.uspto.gov/fdd/50/148/096/0.pdf (You are not the owner of your files)
It's always easy to accuse the user rather than who exploited the vulnerability in the first place or who does not backport security patches when users obviously do not like the new versions of a software. - https://www.netmarketshare.com/operating-system-market-share... - https://www.extremetech.com/computing/227693-windows-drops-b...
Frankly speaking, Microsoft has gone too far into abuse, lock-ins and presumptions.
As a personal comment, I have an old Windows 7 laptop I use with some win32 software; I do not have the slightest intention of upgrading to Windows 10 (not for laziness or hubris, but because IMO the product is not worth the price). And if it was a critical system, then Microsoft Windows would not really be considered among the options.
* http://www.telegraph.co.uk/technology/microsoft/7898033/Micr...
* https://www.gov.uk/government/uploads/system/uploads/attachm...
* http://www.bbc.co.uk/news/uk-politics-24130684
* https://www.theguardian.com/society/2013/sep/18/nhs-records-...
* https://blog.venngroup.com/august-1st-marked-the-launch-of-m...
* https://www.gov.uk/government/publications/nhs-foundation-tr...
* https://www.theguardian.com/technology/2010/jan/22/internet-...
* http://www.cio.co.uk/it-applications/uks-largest-nhs-trust-d...
Yes, this is a large and complex subject.
Refusing to patch your system because of this is ridiculous (and yes, some blame does lie with MS for pushing people to this).
I routinely disable services (until things stop working and I have to figure where I went too far) and luckily I'd disabled this one on my Win7 gaming box, even though the updates came through as well (I just manually vet updates, and have a bunch of them blacklisted for adding telemetry).
* Predicate the commercial viability of your software on the basis of technological illiteracy
* Blame the technologically illiterate 'luser user' when things go wrong
* Try and profit from it even as you blame said 'luser user'
The best lesson for Microsoft would be if it incurs a tremendous loss to its reputation, and more importantly its bottom line, because of some issue like this.
It is strange to see people talking about how they took an exception and released a patch for Windows XP this time. Generally, such an exception is the very definition of CYA. If not, why don't they do it for all patches? Read: if the security hole can be used as a way to convince the 'luser user' to pony up more money, don't release a patch. But if the issue is so high profile (for example linking MSFT to a three letter organization), then better issue a patch and CYA.
The reason a machine might go unpatched is because it might support some critical hardware (eg medical) for which there is only one or two vendors and only a particular combination of HW and SW are supported (eg due to a specific custom hardware driver).
To lay the blame for this at a single vendor's feet is naive.
I hear tell that server wise NHS IT will also support OpenSUSE, and their record of keeping that patched is almost as good as their record for doing so with windows.
Policy controls, poor patching and user education are the root cause of the NHS problems.
All it takes is one infected machine to get behind the perimeter defenses and it is game over.
That has been the case for over a decade, and it has been getting worse over time.
The reason I recommend a free operating system is not because you are allowed to read the source (although that is a bonus), it is because you have the freedom to control your operating system.
The problem with Windows is that "updates" are done in the most inconvenient way possible, and with no control by the user. They often include changes that the user does not want bundled in with security patches. To contrast, a free operating system gives you options (liberty). If I just want an old stable version of Debian with security patches, I can get it.
The issue here stems from using proprietary software in the first place. Proprietary software is controlled by the company, not the user.
MS had a research project to rewrite the NT kernel in a C# derived language at one point. It worked, but they decided not to go ahead with it.
Also, decent AV and anti-spam, and don't open email attachments without some prior analysis. Backups - good backups, and check them at least weekly.
Actually just do all the boring stuff that IT Security have been recommending for years.
If so, more blame lies at the feet of those that make it the only solution.
> Just click no on the windows 20 upgrade dialogue
Would that it were so simple. But Microsoft chose to mean "yes" by the "close this [annoying] window" button, with Windows 10; who knows what they'll come up with for Windows 20.
> (or just upgrade, it's pretty good)
For you, sure. Some people like to make their own choices.
> Refusing to patch
For most people that disabled updates, it wasn't a "refusal to patch", so much as a (read: the only) relief from annoyance.
1. Search for "windows smb server vuln" in Google.
2. "Microsoft Security Bulletin MS17-010 - Critical"[0] is the link I'm looking for.
3. Search for your version in the list. Mine is "Windows 10 Version 1607", listed in the table with 4013429 (right next to the Windows version, not in "Updates replaced"). That's my update number.
[0] https://technet.microsoft.com/en-us/library/security/ms17-01...
E.g.: I didn't install the so-called Creators Update so I'm not in the latest Windows 10 version.
I'm no Windows sysadmin though so I'm not really sure.
(I've disabled SMB V1 as has been suggested in this subthread. I've also run MS Defender with latest virus sigs and so far it hasn't reported anything)
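The two verification problems raised in this thread (which exact build of 10240 a "Windows 10 2015 LTSB" box is on, and whether the MS17-010 update for the installed version plus the SMBv1 state are what you expect) can be checked from PowerShell. The script below is an added example, not code from the thread or from Microsoft; it assumes Windows 10 with PowerShell 5.x run from an elevated prompt, and the KB list it looks for is only the three numbers cited in this thread (KB4013429, KB4012606, KB4013198), so other OS versions that received MS17-010 under different KB numbers are not covered.

```powershell
# Added example (not from the thread): report the exact build including its
# update build revision (UBR), look for the MS17-010 KBs the thread names, and
# report/disable SMBv1. Assumptions: Windows 10, PowerShell 5.x, elevated shell.
$Ms17010Kbs = @('KB4013429', 'KB4012606', 'KB4013198')   # KB numbers cited in the thread

function Get-ExactBuild {
    # "winver" shows only 10240; the UBR registry value gives the .17236 part
    # that the LTSB poster could not find.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
}

function Get-Ms17010Hotfix {
    # Returns any installed hotfix whose ID is in the list above, or nothing.
    return Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
}

function Get-Smb1State {
    # Both the optional feature (client + server binaries) and the server-side
    # protocol switch matter; report them separately.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    return [pscustomobject]@{
        Smb1Feature        = $feature.State
        EnableSMB1Protocol = $server.EnableSMB1Protocol
    }
}

Write-Host "Exact build: $(Get-ExactBuild)"

$installed = Get-Ms17010Hotfix
if ($installed) {
    $installed | ForEach-Object { Write-Host "Installed: $($_.HotFixID) on $($_.InstalledOn)" }
} else {
    Write-Warning "None of $($Ms17010Kbs -join ', ') listed; compare the build number against the MS17-010 bulletin for your version."
}

$smb1 = Get-Smb1State
Write-Host "SMB1Protocol feature: $($smb1.Smb1Feature); server EnableSMB1Protocol: $($smb1.EnableSMB1Protocol)"

# Turn the server-side SMBv1 switch off if it is still on, as the thread recommends.
# Removing the optional feature itself additionally needs a reboot.
if ($smb1.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 server protocol disabled.'
}
```

One caveat for Windows 10: cumulative updates supersede each other, so a machine that later installed a newer cumulative update may no longer list KB4013429 in `Get-HotFix` even though it is fully patched. The build-plus-UBR value from `Get-ExactBuild` is the reliable comparison against the build numbers given in the bulletin; the hotfix lookup is only a quick positive confirmation.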
I don't know about the U.S., but as far as I know where I live these card readers have to be almost completely separate systems. The connection between these two should only exist to a) set the price to pay and b) confirm that a payment was made.
> Provide a daily management report? Report inventory?
No longer managing money directly, so the possible abuse for financial gain is quite restricted. You could argue that someone manipulates the reports in order to skim some money for himself, however that would be a rather targeted attack with someone on the inside profiting and could be detected when the physical goods no longer line up with the reported values.
> Provide a Facebook interface between customers via the big blue E icon?
Are we even talking about the same thing?
The NSA likely gave MS months of lead once they determined what SB stole. A patch was pushed out before the release of the vulns.
There's no reason to suspect that people wouldn't have reverse engineered the vuln from the patch and had similar timelines of unpatched systems being exposed.
In fact, we see exactly that play out over and over with security patches.
I think that may have been the OP's point. Bash is more complex than sh has to be; hence, because FreeBSD chose the simpler option, they avoid the inherent security implications of complex systems.
(I use bash myself and don't use FreeBSD.)
My definition of "poor" is that it must have a babysitter to maintain and patch it. Whether or not this is the case depends on the attack surface, which of course depends on the complexity of what it does. A system that has no attack surface can be very buggy without having poor security. But an internet connected machine with modern windows/posix OS that does some useful work will likely need a security patch already within the first couple of years - and that I consider pretty poor.
Except it's not. The account used by the hackers has supposedly earned about 4 Bitcoins so far. Meanwhile, many people from home users to professional IT personnel can recall incidents where Windows Update has broken something that worked fine before. Up to and including installing a completely new version of Windows, force-fed to unwilling customers with intentionally-deceptive practices.
That said, CentOS is _rock solid_. The packages are old, but maintained by Redhat upstream and do not break on updates. The only thing I recall seeing break on a CentOS update, including point releases, are Firefox and Thunderbird extensions, as Mozilla apps are updated eight version numbers from one ESR release to the next.
A doctor who needs to look at an X-ray and comes up against WC is not going to pay up on her credit card. She will call the IT department to 'fix the broken computer'. But she still won't be able to look at the damn X-ray.
I do agree MS needs to shoulder a lot of the blame here, but would they have acted differently if IT departments didn't block updates?
b) I'm worried my fairly nicely working Win7 environment will not work so well after updating to 10, as much as I want to get current with some genuinely useful features.
I'm generally a Microsoft "fan", but this is one of the many reasons I hate on them as much as Linux fans.
Unfortunately I've been so busy with project deadlines that I haven't had a weekend I could dedicate to the new install and set up.
I guess I'm forced to now.
How many systems were actually compromised in an unrecoverable manner costing thousands or millions, maybe even billions of damage due to any of those vulnerabilities?
All of them combined do not even come close to the damage that occurred over the weekend.
Shellshock and Heartbleed were an inconvenience for some sysadmins and click bait for the tech press.
If I give away "free lemonade", but people get sick because I've made it in dirty conditions, I will not get away just because it's free.
What's your alternative? Are you suggesting we _do_ fine all the OpenSSL contributors? Or that we do not hold anyone except end users responsible for software/hardware security?
I'm not sure metaphors or comparisons between software and lemonade are entirely helpful - although they do push the discussion along, which is at least interesting... (So if I didn't _make_ the lemonade, but published my "4 lemons pulped, 1/2 a cup of sugar, and 2 teaspoons of rat poison" lemonade recipe on github - then you made it and got sick... Who's in the firing line then? What if the README says "this recipe is satire"?)
source: https://arstechnica.co.uk/security/2017/05/wcry-microsoft-is...
So I don't really know what you mean by 'hoarding the fix'. The patch was not initially released to some OS versions because they are NO LONGER supported.
Major versions of OpenBSD are only supported for 5-6 years. Most Linux distributions only get 3-5 years. Red Hat promises 10 years of support, the same as Windows 7/8/10. None comes close to the 13 years that Windows XP was supported for.
So you're gonna have to update anyway, at roughly the same interval if not more often, as if you had used an enterprise edition of Windows.
I thought that security updates are only made for -current, the current stable release, and the previous stable release. So, 1 year of support, not 5-6.
A cursory look at the errata seems to confirm this.
If Russian government intelligence agency security researchers found that bug first would you say that they have a responsibility to disclose it to Microsoft (notably a United States company)? Would you be surprised if they felt and acted differently?
Yeah, a shitty one. Free? No they're funded by tax payer dollars. I do think we need to argue about priority of responsibilities. Was this exploit used to spy on allies?
Don't know, and unlikely to ever find out. If so, it was likely very targeted to avoid detection on modern systems. Was it ever used to spy on Iran's nuclear enrichment program?
> I do think we need to argue about priority of responsibilities.
Ok. What responsibilities does a US government agency have to disclose vulnerabilities? Should they be required to disclose all vulnerabilities found in software and equipment from US companies? Since a lot of that technology is used around the world, are you on with the corollary of it being harder for the US to spy on anyone using modern equipment?
How about disclosing problems found in tech products used by US companies? Should the NSA do that as well to keep those companies safe?
The US provides a fair amount of funding to organizations focused on finding and responsibly disclosing security problems, notably CERT[1] and US-CERT [2]. The NSA is a completely separate thing.
1: http://cert.org/about/
2: https://www.us-cert.gov/
Edit: removed snark
I assume you know nothing about software with flippant comments like this.
Completely securing software is an incredibly difficult thing to do and merely throwing resources isn't going to change that. It is just as likely to affect well designed software as it is poorly designed. Especially given that all of us rely heavily on third party libraries and underlying infrastructure.
But should Microsoft be expected to back port patches to old OSes in perpetuity?
Again, pretending and forcing upgrades is not the solution. The practice perpetrated by Microsoft has been described again and again as an "aggressive effort to push upgrades". https://www.theguardian.com/technology/2016/mar/15/windows-1...
The issue is not the upgrade per se, but the "imperfection" of the upgrade process (wanted euphemism) and the fact that many consider W10 a worse OS if compared to W7.
Otherwise nobody would complain.
I was in the same camp of you as Windows 10 vs 7 until I saw how much Windows 10 sped up an old machine of mine.
> https://www.microsoft.com/en-us/licensing/licensing-programs...
> https://en.wikipedia.org/wiki/Software_assurance
Users don't want to upgrade, many I know would rather use linux or macs. Microsoft should acknowledge the thing and fix what's wrong. IT departments these days are trying to convince the people they work with.
OS editions
- 10: Home [wipb + cb], Pro [wipb + cb + cbb], Education [wipb + cb + cbb], Enterprise [wipb + cb + cbb], Enterprise LTSB [ltsb], S
- 8: Core, Pro, Enterprise, RT
- 7: Starter, Home Basic, Home Premium, Professional, Ultimate, Enterprise
vs
- Debian: unstable, testing, stable, old-stable
- macOS: developers beta, public beta, released
- BSDs: current, stable, release, old-release
I am unsure if the Windows mess can be considered a "naming scheme", the single thing I have very clear is that there's something terribly broken (maybe the whole marketing fuss thing).
Thing is, the more of that data they have, the more likely they are to prioritise testing those use cases.
So it's a trade-off - do you want telemetry, or do you want a higher risk of bugs - you have to pick one.
Outsmarting sysadmins, developers and users is not the first need.
If one is not gathering enough data because many are not able to find the tools and/or the website for the reports, that's a usability issue and that is what should be solved.
I seriously think telemetry is the wrong solution for the matter.
Most Linux distros don't even make any fuss about minor versions, using them only as an opportunity to build fresh installation images. New minor versions are security patches for the major version and all previous minor versions.
I simply remember that Ubuntu should only be updated when I've got a spare day to fix any potential issues, whereas so far CentOS can be updated before each shutdown.
All this is from the perspective of a desktop user. I use both on various web servers and I've found both to be reliable. I'll use CentOS where I need absolute stability but on my cloud instances I'll happily use Ubuntu and get the latest PHP, etc.
But when people talk of "walled gardens", they mostly refer to the guardian at the entrance. Only Apple decides what runs on iOS, only Microsoft decides what's in the App Shop. That's NOT good for anyone (except Apple and Microsoft).
Sure, make users jump through hoops to install alternate stores, and warn them up the wazoo when they do that. But do let them, or general purpose computing as we know it is gone.
What the grandparent is suggesting is akin to UAC, which received much hate when it first debuted in Vista but has now become a mostly accepted part of the Windows user experience. It has been done before, and it can be done again, with every Windows app, not just apps from the Microsoft Store.
grandparent was suggesting UAC, but started with:
> You know what? I'm starting to get excited for the walled garden to get more walls.
It is good to have the ability to raise the walls. It is not good for apple and MS to decide what to use their OS for...
But I strongly believe that right now apps get too much access by default (read, write all my files is crazy). And if they need anything beyond that they just ask for root. There needs to be much more granular permissions, with more restrictive defaults and nice informative dialogs.
It's unsexy, and inconvenient for developers. But it's the right thing for our users. It's how I want random programs downloaded from the internet to behave.
Yep. What developer types don't like to admit is that for the average user, who doesn't use the features excluded by the walled garden anyway, the tradeoff is well worth the security gains.
But they are much hated.
Most people wouldn't even know that they are sandboxed.
But we will see for sure with Windows 10S and its optional upgrade to Pro policy.
Proprietary software makes you rely on a company to fix everything. It's like driving a car without being able to replace a flat tire.
No one expects perfect software; but this clearly happened because Microsoft's software was broken, the NSA found where, and hoarded and then lost control of that knowledge.
edited: I understand what you mean about people not patching and leaving themselves vulnerable. A lot of pain could have been prevented at that level.
Or just stick to CentOS and its 11-year support period.
Sorry, open source never equals free software (most of the time). Though what you said may be true for both.
And some day, we will surely know why free software is better than open source. It's only a matter of time. But by the time, it will be late, and out of control.
What we have is a cultural issue, not a legal issue.
Any company that locks themselves into a specific operating system, and then declines investing to upgrade with each new release is entirely at fault. I can imagine the executives at these companies complaining about how their one-time outsourced application made overseas cannot possibly be migrated. Even if built locally, clearly no money was budgeted to maintain the software or infrastructure. These companies get what is coming to them when their only priority is the current quarter's bottom line, with no planning for how the company will manage to keep operations up and running in the next quarter, let alone the years ahead.
You specifically mention lock-in due to "computer controlled hardware". The idea that companies build the core of their business on hardware that can be controlled with Windows XP but not Windows 7 or Windows 10 is laughable. How is that even possible? The backwards compatibility Microsoft provides means it's nearly impossible for any application to become unusable within a decade - or even longer. The application will need to be maintained with minor changes to make use of modified APIs, or to transition from 32 to 64 bit architecture, etc. - but the amount of work needed is nowhere near infeasible. It only becomes difficult if you spend many years ignoring required upgrades, and then try to perform a single massive upgrade covering half a dozen missed release cycles all at once. Even hardware ports going out of fashion (example: serial ports) is not the end of the world. Compatibility between the latest operating system and old port standards will always be possible, as those that need such things make it happen.
No sympathy for any company still running Windows XP. None whatsoever. It sucks when it's government that is affected, whereby taxpayers' dollars take the hit for the fallout. Still not a shocking, unexpected result. In fact, this is precisely the expected result.
At some point companies need to cough up the money and upgrade their technology.
If Windows XP is proven to be untenably insecure, anyone who bought it should receive a refund.
Organisations with high value software that relies on XP still receive ongoing support from Microsoft (such as the US Navy and anyone else who wants to pay big bucks for it). The difference is none of these patches usually make it to the public.
For Microsoft to patch this current issue, there would have already been a pre-existing team working on XP patches; the only difference is this one was released publicly due to its impact.
http://bgr.com/2015/06/24/windows-xp-support-us-navy-million...
Microsoft wants more money and pushes newer revisions of the same crap instead of actually improving the existing one.
Until win10 that is, win10 is now the only windows version and offers more spying, a worse UI and UX while also including ads.
I agree with the point on the NSA. There were surgeries cancelled in the UK. This materially impacted the lives of our allies. How is that supposed to work?
Luckily we've got a set of level heads running every branch of government these days...
Long term support ended in May 2013 for desktop. But Ubuntu patched the bug in March 2017 for all current supported versions of Ubuntu.
Then the NHS got hit with the bug.
How does free / non-microsoft software protect against a shitty decision to not update / upgrade?
By not bundling upgrades with what is essentially malware, and making them as inconvenient as possible.
If I am running Ubuntu 10.04.4, and I hear about serious malware that relies on a security hole that is patched upstream, I have the opportunity to patch it myself, and keep running Ubuntu 10.04.4 as long as I want.
That being said, it's disingenuous to compare unpatched Windows 10 with unpatched Ubuntu 10.04. It is totally unreasonable to think you are secure using an unsupported OS, but it is a lot more reasonable to think you are secure running Windows 10 just a couple months out of date.
For cost, CentOS, on its own, is free. Support costs you of course, but the updates are coming down from RedHat, for which there is enough money flowing in already, so support in this case means a sysadmin who understands CentOS, and those are not that rare, not even that expensive.
Backwards compatibility is another topic, especially with the rise of systemd.
If the corresponding software is not included in any official or semi-official repositories (EPEL, for example), but is distributed with source, you may need someone to recompile it every 11 years, when you change major versions. I think this is reasonable to expect, though there might be issues for certain, especially if it involves Gnome3.
For those that are distributed without source code - well, that is the same problem as with XP, but usually it's possible to strace why it fails and fix/replace/dosomemagic with the underlying libraries it's depending on.
When this is not possible you can still create a container image with the old code to run it with.
With all the power out there even in the office workstations we could:
- install a base, damn stupid linux as hypervisor
- run windows in virtualbox with shared folders
- use btrfs for the shared folders and keep daily snapshots for a few weeks
If you get a virus, drop the image, get a new one, restore the snapshot, done.
If anyone is already using something like this, please tell, I'm curious.
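A concrete version of the workflow sketched above (host-side btrfs snapshots of the folder shared into the Windows guest, a retention window of a few weeks, and a roll-back step), as an added example and not code from the thread. The paths, the retention period and the function names are assumptions; `btrfs subvolume snapshot`, `btrfs subvolume delete` and GNU `date -d` are the real commands it relies on. Snapshots are taken read-only from the host, so a guest that encrypts the shared folder cannot touch them.

```sh
#!/bin/sh
# Added example (not from the thread): daily read-only btrfs snapshots of a
# VirtualBox shared folder, pruned after KEEP_DAYS, plus a roll-back helper.
# SHARED, SNAPDIR and KEEP_DAYS are assumed values; adjust to the real layout.
SHARED=${SHARED:-/srv/vmshare}                # btrfs subvolume shared into the guest
SNAPDIR=${SNAPDIR:-/srv/vmshare-snapshots}    # where dated snapshots live
KEEP_DAYS=${KEEP_DAYS:-21}                    # "a few weeks" of daily snapshots

# Take today's snapshot. Naming by ISO date (YYYY-MM-DD) means that plain
# string/number comparison orders snapshots chronologically.
take_snapshot() {
    today=$(date +%F)
    btrfs subvolume snapshot -r "$SHARED" "$SNAPDIR/$today"
}

# Read snapshot names from stdin and print the ones strictly older than the
# cutoff date given as $1 (YYYY-MM-DD). Anything that is not a dated name is
# ignored, so a stray file in SNAPDIR is never selected for deletion. This is
# pure string logic and can be exercised without btrfs being present.
expired_snapshots() {
    cutoff_num=$(printf '%s' "$1" | tr -d -)
    while read -r name; do
        case $name in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) continue ;;
        esac
        name_num=$(printf '%s' "$name" | tr -d -)
        if [ "$name_num" -lt "$cutoff_num" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Delete every snapshot older than KEEP_DAYS (GNU date syntax for the cutoff).
prune_snapshots() {
    cutoff=$(date -d "-$KEEP_DAYS days" +%F)
    ls "$SNAPDIR" | expired_snapshots "$cutoff" | while read -r old; do
        btrfs subvolume delete "$SNAPDIR/$old"
    done
}

# Roll the shared folder back to a named snapshot: the infected subvolume is
# moved aside (kept for forensics) and a writable copy of the snapshot takes
# its place. Stop the VM before calling this.
restore_snapshot() {
    snap=$SNAPDIR/$1
    [ -d "$snap" ] || { echo "no such snapshot: $1" >&2; return 1; }
    mv "$SHARED" "$SHARED.quarantine.$(date +%s)"
    btrfs subvolume snapshot "$snap" "$SHARED"
}

# Usage: ./vmshare-snap.sh snapshot | prune | restore YYYY-MM-DD
case ${1:-} in
    snapshot) take_snapshot ;;
    prune)    prune_snapshots ;;
    restore)  restore_snapshot "$2" ;;
esac
```

Run `snapshot` and `prune` from a daily cron entry on the host; `restore` is the "drop the image, restore the snapshot" step. The quarantine rename rather than a delete keeps the encrypted copy available for incident review.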
User level ABI has had no important incompatibility since the glibc released with the kernel 2.6 (don't remember the version). That was some 15 years ago. Most applications didn't even break at that time, and core libraries promise more stability now.
That's nothing similar to the compatibility break between Windows XP and Vista. That transition broke most of the older applications, at the kernel level.
1. why would anybody want to keep 10.04 alive?
2. do you think the type of people who stubbornly continue to use 10.04 would know/care enough about security to seek an alternative source for security patches?
edit: should maybe add why this pisses me off: just logged into a production server running 12.04, default install apache and updates _turned off_. the owner looked confused (and slightly bored) when I explained the problem to him.
I do think that's important to recognize that there is a model under which an organization can. I'd even argue that it's a more "free market" than that of single-source proprietary software, too. If there's a market in maintaining non-proprietary software someone will pop up to fill it (even if it's just a lone-wolf consultant). With proprietary software that can't happen.
Whether or not an organization or individual chooses to maintain software is an orthogonal concern to the model under which they maintain it. Even when there is a free market for maintenance some will opt to eschew maintenance. Personally, I'd like those organizations to pay the cost by way of data loss, downtime, going out of business, etc.
I'm not overly worried about it. I think traditional regulatory and risk management will eventually catch up. Someday (hopefully sooner, rather than later) businesses won't be able to get basic insurance policies unless they can prove they're doing IT maintenance, for example.
Even if you pay money for the windows 10, it is unlikely to even start on the hardware that XP ran on. Not only will the people have to go through the budget to pay for the software, but now you need a full upgrade plan.
To put this in a concrete example. If a hospital had a check-in system running 12.04 they could just take someone internal from IT and go and fix it. If it was Windows XP then they need to go through finance, then get offers from competing companies, fit the upgrade into the budget, and last have people installing it in each of the hospital's entrances. The first case has a project length of days and the other of months and in the worst case years.
> Assuming these hospitals keep updating and do not get stuck at Ubuntu 10.04.
It's that simple.
If someone wants to continue using outdated software, they will want to keep supporting it. Free software lets them do that. Proprietary software specifically forbids it.
So, 1. because there is a community outside of a major corp who are active, so it isn't a burden on Canonical. 2. yes? see 1.
Should any IT professional not have upgraded from 10.04? No. It's free to upgrade, unlike Win which, remember, isn't a single upgrade, licensing is per user.
I am so happy that win10 patches are mandatory despite all the whining. In fact, I want them to take it one step further and adopt the ChromeOS update model.
First I hear of this, so MS did a damn good job of papering over it.
The only Windows breakage on the software level I have noticed is the jump from 32-bit to 64-bit, and that has more to do with CPU modes than Windows internals.
But I keep battling crazy dependencies and odd breakages related to desktop software on Linux. Never mind that devs keep reinventing the wheel (how many VFS implementations has Gnome gone through now? 3? 4?).
Eh, never. Not even for open source. Once the source is closed, it is no longer open source (nor free software).
For software to be open source, the user should have a way to obtain the source code legally (that is, stolen source code won't make software open source).
For software to be free software, the user should have the freedom to (modify and) replace the software with the user's version of the software (of course, source code availability is a prerequisite for this).
Say for example, your router, Android phone, TV, car, or your espresso machine could be running Linux which is open source. You get the source code of those over the Internet or from the vendor on request. But you may not be allowed to change it. So you are always at the mercy of the vendor if something happens (like the one happening now). They are open source, but they are not free software. (GNU [A]GPLv3 enforces this freedom. Some like it, some don't.)
A software can be free or non-free based on where the code is run, not just whether you get the source or not.
This is freedom 1 by free software definition:
The freedom to study how the program works, and change it so it does your computing as you wish.
See https://www.gnu.org/philosophy/free-sw.html for more details.
Open source would be the term for that. Free requires end users to receive source, open just allows you to use the source if you have a copy.
It reminds me of the story about a thirty year old Commodore Amiga running the AC system for a school district. The district finally decided to modernize the AC for $2 million, but until then it was just cheaper and easier to continue paying a person to run it every year. Replacing hardware systems is expensive and politically complicated, while continuing to pay an employee is just status quo.
Would you say compiled MIT programs are still "free software" when they don't come with the source code?
When I buy Windows, I agree to a warranty of sorts. They agree to supply updates to the software for a set period of time. Afterward, it is on me.
Nobody can write perfect software, it will age and break down. Nobody can engineer a perfect car, it will age and break down. Demanding infinite warranties is ridiculous.
Never. But it would be wrong for Ford to stop others from fixing your car by providing no information about the car, which I believe is what Microsoft is doing with their obsolete software pieces (including the OS).
As that is the case here, they (Microsoft/Ford) are just lending you something, you won't ever own it. Would you agree with that?
(I am making no comment on the issue being discussed-- simply that this is a very poor analogy.)
And yes, I do think software can "wear out", not in the same sense as belts get worn and spark plugs physically wear away, but in the sense of threat landscapes changing over time and our understanding of how these systems are used in the world. This is why we do maintenance on our software and systems, much like we perform maintenance on things in our physical world. When you fail to perform this maintenance, bad things happen. Computers get hacked, cars have brakes fail.
Software can indeed age. Go run Windows 95 on the public internet or an early version of Android.
A decade in software engineering is a significant amount of time!
Software does wear out. New languages/frameworks are developed which makes it difficult to patch older stuff. New threats are developed, and it may be impossible to patch older stuff.
When you buy a house you have a whole battery of inspections performed to make sure that you're buying somewhere safe, but over time the small things that got overlooked (like a small crack in a roof joint) or were considered safe at the point of sale become worn, or are discovered to be unsafe (locks susceptible to bumplocking for instance).
It's a tenuous analogy to be sure, but I don't think it's reasonable to think that Microsoft should refund people who bought XP. Are there any Linux distributions that back port all fixes to version 0.1?
Given that MS even made a patch (which is generally equivalent to a recall), I'm not sure that your suggestion will be given that much credence. I mean, if we say that XP is an unsafe product, the government could stop them from selling it and remove it from the shelves, but MS stopped selling the product in 2008 (nearly 10 years ago) and has repeatedly urged its customers to stop using it because it is insecure. This is all that the government generally requires in this situation as far as I can tell.
Edit: grammar
In the short term we need everyone to be better net citizens. That includes the businesses using this software to create the trillions of dollars of wealth on the global economy.
I'm going to be annoyed if my car becomes useless after 10 years because they don't have to patch it after that period. On the other hand though, can we realistically enforce lifetime guarantees? What if a car company goes out of business?