The World Is Getting Hacked. Why Don’t We Do More to Stop It?

May 13, 2017 · 224 comments
Mulefish (U.K.)
The only answer is for us to turn honest and become Christian again.
Looks like we have been warned by the universe.
We are the terror, we are the snoopers.
Looks like we have been led down the garden path by the disciples of the Devil, our mal, or malware, if you choose, governments, here in the "West."
Alice B. (NJ)
For years prior to the year 2000, a massive amount of programming and other technical resources were devoted to dealing with the year 2000 'bug'. And guess what, it worked! Now a grand-scale effort is required again to secure all the systems we are even more dependent on in 2017. What it will take is wide-spread agreement among businesses and governments that this is critical. Hopefully organizations are becoming worried enough about their bottom-line and even their ability to function at all to start taking steps. If not, we really are sunk. The disasters that were predicted to result from the Year 2000 bug will occur and then some. And this does need to start from the top and the bottom. We need some kind of Federal cyber-security leader to help start the planning and see that it filters down. But organizations and individuals need to put the pressure on for the work to start. Microsoft and other software vendors should definitely own up to their responsibilities and be very very involved.
David Hunter (Vancouver)
For public institutions, the failure to invest in maintaining and upgrading technology is just a sub-case of the overall failure to invest in our public infrastructure. Roads, bridges, schools, power grids, hospitals, airports ... etc., our public infrastructure, so much of it 50 years old now, is falling apart. And who is to blame? In large measure, it is us, the voters. Our elected officials know that campaigning on the need to maintain existing infrastructure is a losing cause vs. telling voters that they can have some shiny new public expenditure. However, there is a real cost to the decline in public infrastructure that you won't see accounted for in the public accounts. It's a series of accidents, failures and gross inefficiencies waiting to happen, but a lack of understanding on the part of the public and a willingness of our political "leaders" to kick the can down the road to serve their personal short-term interests is just making the problem worse.
AV (Tallahassee)
There's a reason we haven't done anything about it. We can't. We're not as smart as we used to be. Notwithstanding all of our science and mechanical creations, the intelligence level of the average human being has been declining since the days of the ancient Greeks and Romans, and it will continue because of what we're doing to ourselves and our planet. It's OK though. 200 million years from now the planet will be just fine and the human race will have long become extinct, and hopefully a new species, at least as smart as a dog, who knows enough to not do its number two bowel movements where it eats, will have replaced it.
sideman (Colorado)
As many here have already said: "buy a Mac". We did many years ago and have never looked back. But wait, that's not buy 1 Mac, it's buy 10,000 Macs, or 100,000 Macs in the case of large companies. At, say, $2000 a pop, that's $200,000,000! Now consider the fallout caused by the hacking of that company's old XP systems. Take Berkshire Hathaway, whose market capitalization is about $400B. If they were to lose all their computer systems, they might have to pay a ransom on the order of 10% of their market cap, about $40B. And they would then have to spend large amounts recovering their data. Meanwhile their stock would fall, say by 50%, to a market cap of $200B. And their future reputation would depress their stock for much longer than it would take to return to normal operation. So it makes sense for them to spend $200M now to save at least $240B soon. They've probably already done much to protect their systems since they likely have the resources to do so. Britain's hospitals, however, are underfunded, as are many other systems, including our own US police forces, power grids, transportation systems, air-traffic control systems, even New York and other cities' traffic lights. When those all go down we'll stand in our dark homes and businesses and look back with regret at the time when we could have spent what now is a minor amount to save our future.
Daedalus (Rochester, NY)
I call it the bozocalypse.

Working in the software business for decades, the one thing I noticed most was the level of incompetence, or at least sub-competence, among a large fraction of those who were, in some sense, actually qualified to be in the business. That, more than anything else, was responsible for delayed and over-budget projects, and for products that contained bugs. Progress, if made at all, was due in large part to the efforts of a relative few who knew what they were doing.

So now we have ubiquitous software. Your car, your network appliances, the utilities that supply you with power, water, and waste removal, your bank, even your breakfast outlet all run on it. Add to that the impending "internet of things" where every baby monitor, web camera, thermostat, personal digital companion, fitness gadget and household appliance could be connected to the great worldwide network.

Just one thing missing: enough people who understand what has to be done to make all that work reliably and securely.

What we do have are lots of people who will prevaricate, procrastinate and obfuscate for personal reasons in the face of impending disaster. People who talk the talk but can't walk the walk, who prefer looking good to being good. As long as somebody else will be there to clean up, they're fine.

This latest episode will end badly for the perpetrators. They've made a big splash and upset powerful people. But the bozocalypse will continue until we come to our senses.
cherrylog754 (Atlanta, GA)
Yesterday evening we were sitting outside at a little restaurant and happened to glance over at the next table. Six people chatting, quite a few on their phones texting. One wasn't.

A woman (senior) was showing another younger woman something on her "steno pad," with pen in hand. And what kept running through my mind was, this lady doesn't have to worry about someone hacking into her steno pad!

Guess there is something to be said about the "good ole days".
OSS Architect (Palo Alto, CA)
IT departments are considered a "cost center" in corporate budgets. That's the business code phrase for an activity that doesn't produce any revenue, and just adds to the bloated corporate overhead.

To get funding, IT has to go to the divisions of the company that do generate revenue, and "sell" them IT services. To the extent that IT can get money above the maintenance costs on existing systems, they have to build new features that a business unit will want. Those features get added to the "old" system.

In American business there is no budget for upgrading systems. No concept of a road map for updating IT infrastructure. No division wants to be the "sugar daddy" that pays for upgrades that will benefit other divisions if they won't contribute, and every division seems to have "different priorities".

The argument that sells new systems is that it "saves money", not that it's "better". To be fair, large IT projects in the past didn't live up to their cost/benefit analysis. In response, corporations put their finance guys in charge of IT. Yeah, the guys with the oldest computer systems in the company, and that aren't connected to data networks.

So, we're stuck, until, metaphorically, enough bridges collapse, and enough misery is generated to motivate a change in corporate behavior and priorities.
JeffM (Medellin)
Unhackable Chromebooks using web apps, Android apps and SaaS will put an end to this nonsense. No need for antivirus or huge IT departments, let's do this.
AK (Minneapolis)
Bring all of the cryptocurrency accounts and transactions into the light of day (and the light of the law). That will remove the incentive.
Bill M (California)
Why not declare bitcoins illegal and banned so that there is no payment highway to the ransomware criminals? That should be possible if our digital wizards get busy on stopping these criminals. It seems like an obvious remedy. No bitcoins; no ransom.
Patrick (New York)
We could defund the NSA and other rogue agencies and nations that produce this kind of malware.
Seen it all (CA)
Go for it. Don't forget to defund the FSB and the People's Liberation Army, and the hundreds (at least) of criminal organizations that collaborate informally with governments worldwide.
Jenifer Wolf (New York)
Sometime in the 90s, I heard a joke on TV. Don't remember how it began, but the punchline was, "even Joe six-pack (presumably someone not too bright) knows the internet isn't a secure form of communication". Everyone nodded & laughed. But the really funny thing is that everyone seems to have forgotten what we all knew & accepted back then.
Joseph John Amato (New York N. Y.)
May 14, 2017

We either get a reality check on the electronic industry or take out the Book of John and the Apocalypse - with hacking trumps blowing fire, and rage until the new computer era rises from the ashes of destruction and all the evil players that are for greed and for omniscience including the deity of A.I. and Quantum Q salvation becoming for.......

jja Manhattan, N.Y.
Steve Bolger (New York City)
I don't understand people who want to both immortalize and obsolete themselves.
Eric Hoffman
The hull of the ship is rotten. Decades ago internet researchers heavily underscored the importance of authentication, policy, and identity management.
They had just been given some amazing tools to accomplish this: fast symmetric cryptographic protocols and an amazingly versatile public/private key system.
But they were ignored. The US government at the time openly shut down the widespread use of encryption by the public. The only standard for public key was expensive and under patent protection.

So a widespread transition of banking, utility, and defense systems occurred at a rapid pace, without any systematic attempt to address issues like 'who are you?', 'what is this program I'm running?', 'what is my identity being used for?'.

This treadmill of patches, anti-virus software, and firewalls is consuming everyone's attention. But it's like trying to paper over the Grand Canyon. You really can't blame Microsoft for not supporting old machines. The reality is that if you cared about things like ransomware, you would never run an operating system anything like Microsoft's, or even the more popular Unix-based systems.
Could we collectively transition to the infrastructure necessary to ensure that some random person can't steal our data? Yes. But there is no way, given the model of incremental market-driven evolution, for us to get from here to there. And just like before, I'm not sure that certain important business and government institutions don't prefer it this way.
Steve Bolger (New York City)
Computer manufacturers have more incentive, but less expertise, to develop recompilers to adapt old software to run on new computers.
Haim (NYC)
First, Mac users should spare us their smugness. Macs are eminently hackable, but there is little incentive for it. If more companies ran on Macs, and more people did their banking with Macs, Macs would be getting hacked all the time.

Most of Zeynep Tufekci's recommendations don't hold water, but I very much do like her suggestion, "Security updates should only update security, and everything else should be optional and unbundled."

These pointless, worthless, aggravating, and constant changes to user interface have got to stop. And there is a real downside to them, as Tufekci states. These changes are so hateful that people refrain from updating their operating systems, just to avoid them, even though they put their computer security at risk.
Steve Bolger (New York City)
I don't understand what the big deal is to outfits like Microsoft to recompile source code to operate identically under updated operating systems.
Peter Kriens (France)
Sorry, but you have no idea what you're talking about. Yes, Macs can be hacked too, but the underlying OS at least considered security from day 1. Macs do not get hacked less because there are fewer of them but because it is so incredibly much easier to hit Windows users:
Tony (La Jolla, CA)
Follow the money! Surely the NSA is working on this.
Go after the Bitcoin ransomware payments and find out who is the account owner. Claw the money back.
Steve Bolger (New York City)
It sure looks like time to abolish Bitcoin to me.

If you can follow the money trail back to the hackers, they will be deterred.
Candice Uhlir (California)
Run Linux!
Esteban (Los Angeles)
We have watched computing develop as a private enterprise. If there's a bug, the computer software companies will view it as an opportunity to sell us a new fix. Or if they can't fix it, they'll go broke.

However, personal computers are now a major part of our financial and social infrastructure. The federal government needs to take a fresh look at cyber-security policy.
David Laird (Toronto)
Buy a Mac
Joachim Kübler (Pforzheim, Germany)
I respectfully concur!
Wizarat (Moorestown, NJ)
Professor Tufekci: Back in 1942, when we and the USSR kidnapped the scientists from Hitler who were working on a secret project for the mother of all bombs and used them to develop our own, and used it on Japan even after the Japanese had agreed to surrender and killed millions, we did it in the name of achieving peace and ending the 2nd World War. Our military-industrial complex hasn't changed a bit. It still is seeking the one little extra advantage over every other possible foe, and that is the reason we would never be able to stop these kinds of cyber hacking by others, as we (the whole world) keep doing it to them (the whole world). As long as we do not realize that war is not the answer, we will continue on this path.

Anytime an invention is made and is useful for the military it is only a matter of time that others would have it and may experiment with it.

If we as the human race want to stop these actions by others, we need to get our priorities corrected. We cannot on one hand cut healthcare and education funding by billions and give the Department of War another $54 billion on top of a trillion-dollar budget - nothing. We have no money to give to the UN fund for the man-made famine in Yemen and then sell another $100 billion of military hardware to the country responsible for this atrocity, Saudi Arabia. For us it is big business and lots of money; the rest do not count.

Our priorities have changed, and even most American churches are toeing the same line as big business.

PEACE is the answer.
Dixie Swanson (USA)
Trump was too busy threatening Comey and baiting Rosie!
lee van laer (Sparkill, NY)
Get a mac.
atozdbf (Bronx)
If you would notice, Google, Amazon, Android, as well as a number of very large active users, aren't affected. That is because they don't run on vulnerable Microsoft systems that require numerous expensive patches right after the hackers discover MS's flaws.

This is because they are using FREE, bulletproof, open code [look it up], system software that supplies patches and upgrades free on an almost daily basis. Named LINUX, a derivative of UNIX, an operating system developed by the old Bell Labs genius division [TY & RIP]. It comes in many flavors, which are all available for download. My favorite is Ubuntu, which comes with LibreOffice, a powerful office suite similar to but maybe better than MS Office, Firefox and/or Google's Chrome browser, and an excellent email program. If you are moderately technically competent you can partition your system drive and download alongside your Windows system and share existing data files.

Once Linux is up and running you can download free add-ons like Ghostery, which blocks tracker websites attached to just about all of the popular websites, AdBlock+, with which you never see an ad on a website, along with Linux's inherent virus and malware detection and removal features. BTW, with all of Apple's OSes, if you are supertech or hacker enough to raise the hood you'll find Linux underneath.
Steve Bolger (New York City)
Hackers don't bother hacking homebrew systems because there are too few of them.
Alexander Bain (Los Angeles)
If we let lawyers loose on software developers, which is essentially what Tufekci is proposing, we can kiss our software upgrades goodbye. You're gonna sue XYZ Medical for publishing software? OK, XYZ Medical will stop publishing software. At least, that's what will happen for all but the very largest publishers, who will employ a large army of lawyers to evade whatever rules the feckless regulators come up with.
badger2013 (Madison, WI)
To suggest this is Microsoft's fault in any way, even partially, is laughable. You can't expect a for-profit software company to freely support outdated software forever. Major software releases often involve much more than cosmetic changes -- new/improved security features, new functionality, greater hardware support, and the framework necessary for current software are all important aspects.

Not only that, Microsoft DID support XP for a long time, including extending its support past the original expiration date because so many people were still using it.

Regardless of what software you use and what computer hardware it runs on, an organization needs to take responsibility for its maintenance just as it would any other important aspect of its infrastructure. If a roof is past its serviceable life and it leaks, you don't blame the roofer, you blame the owner for not replacing the roof soon enough.
Mike M. (Lewiston, ME.)
At first thought I was amazed the NHS was still using Windows XP, but then I thought back to my experience three years ago.

I had a 2002 vintage PC that performed well, but when I looked into upgrading the OS to Windows 7 I found out, to my amazement, that my PC's hardware would not support an upgrade.

Before I decided to buy a brand new PC with Windows 7, I looked into upgrading my "ancient" PC to various Linux distributions. What I consistently found was bloated software that made my PC run like a Model T car. Add to that there were so many bugs, from ones that prevented various pieces of hardware from working to the inability to run many of my favorite software programs. But the big turnoff for me was the generally user-unfriendly environment of Linux, which assumed that in order to fix the various bugs one needs a university degree in computer science.

So, I can perfectly understand the plight of organizations that dread upgrades, because it is not just simply upgrading the OS that is the rub. It also requires a major investment in hardware, related software applications and, most importantly, user training.

Because, whether it be Microsoft, Apple or Linux OS, no developer gives a whit about the problems they create for users when functionality is changed on a whim from OS to OS (think Windows 8 and you get an idea of what I am talking about).
Tony (Melbourne)
Do you also demand that old cars be repaired for free? That the supermarket replace food that has gone past its use-by in your cupboard?

Things break down over time, and it is a judgment call whether the retailer's limits are reasonable. Microsoft offered free support for *years* after they stopped selling XP. That sounds pretty reasonable to me.

Tufekci's proposals would radically increase the cost of software, which would slow innovation and make it very hard for small firms to compete. Exceptionally unrealistic, and destructive. Just silly.
Chris (Germany)
The people who currently hook up their fridges, baby monitors, kids' toys, heating/AC, cars etc. etc. because it is ever so cool and trendy remind me of the ones who put to sea in flimsy galleons after Columbus discovered the New World. For a few it ended in riches, but many drowned in storms or foundered on uncharted reefs. For myself I see a distinct fifth- or sixth-mover advantage there.
DA (Los Angeles)
I disagree that Mac OS is more secure! I've used both Macs and PCs since the 80s and I've never had a Windows OS issue that was not repairable and usually with very simple fixes, but 2 years ago I was a victim of the Mac "keychain" virus (delivered on a brand new iMac) which wiped out files across all my company's Macs (including the back up system) and on the iCloud (which itself does not have any security or backup on Apple's end). Nothing was recoverable and Apple's position was that they "only support and warranty Apple hardware, not software, and the Mac operating system is considered software". They offered me $300 compensation but would not even return the iMac because over 30 days had passed just dealing with Apple customer support to try to fix the issue! So that was it, thousands of files simply gone forever. I sold all my Macs and Apple also lost me as a client forever. I would never, ever recommend Apple OS to a business!
Mt (Vienna)
Obviously software would have to become much more expensive again. You can't expect to buy that thing 14 years ago for $100 and then get patches for a lifetime. Also, they are called patches for a reason - at some point you'll have to make larger, breaking changes to stay current. Linux LTS versions don't offer 15 years of support either.

If you have to use legacy software, keep it as far away from the Internet as possible. Everything at the "front" should be as maintained as possible.

While I don't think that a stock Ubuntu is necessarily more secure than Win 10, I do think that a desktop OS is not really adequate for critical infrastructure.
davidvoice (portland oregon)
"Shortly after, Microsoft finally released for free the patch that they had been withholding from users that had not signed up for expensive custom support agreements"
Not good business practice, and not the best software on the market, which is why privately, I avoid that software like the plague. Agencies, business, wake up, there are alternatives!
Tony Mendoza (Tucson Arizona)
Among software engineers, the joke about Microsoft is that it is the triumph of marketing over technology. The market-dominant Windows operating system is very poorly written and very vulnerable. There are alternatives that are much harder targets, including Linux and various versions of UNIX. However, those harder targets are not pushed by a large marketing machine, so people keep buying the garbage being pushed by Microsoft. Sad.
Dfkinjer (Jerusalem)
So, if I understand it, to get safe software, I need to either pay for an upgrade, or pay for special support to Microsoft (given that I have certain applications that cannot run on another OS). It sounds like ransomware to me. Pay Microsoft the ransom, and they will protect you. And yet, I do see the other side of the situation. Upgrading to Windows 10 was free (at least when I did it). It is really a lot to expect of a company to support all of its old software forever (in spite of the fact that they can afford it).
AB (Boston)
The underlying problem is that our legal system does not take these attacks seriously enough. If someone bombed a bridge, causing millions in damage, thousands to be seriously inconvenienced, and a handful to lose their lives, finding them would be the top story in the news. (Think about Boston after the marathon attack.) Why is it that when the same damage is done via malicious software we treat the situation as if it were a natural disaster? We don't need to guard all our bridges because societal norms and the certainty of prosecution generally keep them safe. We need to create the same norms in the cyber world.
KT (MA)
Why don't we do more to stop this? Money. It costs lots and people don't want to spend money to fix it for this hurts the bottom line, profits.
Most everything that is wrong in the world today is based entirely on greed.
Butch (Atlanta)
I realize this is not a popular or simple solution to the problem, but it seems like something should be done to prevent the anonymous use of bitcoin. Bitcoin makes it too easy to pay the perpetrators of these crimes in a way that they will not be caught.
SF_Reader (San Francisco, CA)
While I'm sure Microsoft felt the heat of holding back the update requiring payment from customers with older OS versions, it's going to take a universal change of attitude and commitment from all OS vendors to educate and encourage updates and to provide these patches for free.
Ami (Portland Oregon)
Computers are great until they're not. Electronic medical records should be backed up by paper medical records just in case computers crash. Doing so could be life-saving.

We're at a point where companies like Microsoft need more regulations. They have a monopoly and they exploit this lack of competition. Customers should not have to pay for necessary updates. Perhaps if the UK sued that might have an impact.

We need to do a major update to our infrastructure including our technical infrastructure. Not only would this ensure security it would create jobs.
Bill Lance (Ridgefield, CT)
It seems to me that the whole security thing is an ever-escalating arms race. I don't see an alternative operating system like Linux as a fix... remember the BASH bug which made almost all Linux systems vulnerable?

It seems like the answer might be to back the data up and get the backup off the public network - an 'air gap'. I can't imagine that there will ever be perfectly secure software. Not for long anyway.

Why is all this critical, life-saving stuff on the public internet in the first place?
Doug Mc (Chesapeake, VA)
I have always subscribed to the 5% rule: whenever you make a new purchase, be it a home, a car or a computer, you need to be prepared to spend 5% of the purchase price annually for maintenance and updating. We would do well to consider this rule even at a national level. Think how our bridges, roads and water and sewer systems would be had we generalized this principle.

There is no free lunch, even a virtual one on your electronic device.
on-line reader (Canada)
I upgraded to Windows 10. Suddenly my HP printer didn't work because the company had stopped updating the driver (interface) software. So it was 'new printer time'. Some of my software didn't work either and I had to either upgrade, pay for an upgrade or buy the package all over again (Bye, Bye, Photoshop).

Then there was getting used to the new operating system. Sometimes the system seemed to 'hang' when I started it. With Windows 8.1, I would just reboot. I found out the hard way that with Windows 10, you NEVER DO THAT as you've interrupted one of the automatic updates.

And, of course, the updates happen regularly, though I have one that has been failing for the past several months. Although there seems to be all sorts of communication going on in the background, Microsoft seems totally oblivious to the fact its update is consistently failing.

Then there is how the software is configured.

I upgraded on-line from 8.1. If you got the system already installed, they may have shut off all the stupid things for you. But with me, Windows 10, for instance, was giving priority to background tasks, using my computer to upload updates to other computers and allowing all sorts of apps that I never used to communicate with the internet.

Eventually I bought some software that cleaned up the system (including editing the registry).

Windows 10 now 'seems' to be working okay. But I can see how people are still on Windows 8.1 or XP. (And note that I have an IT background)
ABC (NYC)
Excellent article and a very important topic. I wish this were the main political debate of the present day, along with how we will deal with most drivers and retail people losing their jobs in 5-10 years.
I'm-for-tolerance (us)
Yeah, just got MS 10 and feel like I bought a box of adware instead of a computer... Last time I buy MicroSoft.

Ransomware is far too dangerous to allow the current state of affairs to continue. However: we have a president and congress who (1) neither understand technology nor (2) care about anything beyond the number of dollars lining their pockets, and (3) spy agencies who are more concerned about our emails than the security of our computer systems - so I fear nothing will change.
Plennie Wingo (Weinfelden, Switzerland)
With 22 years in IT I have not developed a fondness for Microsoft. They offload support onto their user community in the name of hoarding profits. This they have always done, and it seems to be in the company DNA. However, there is some responsibility on the part of organizations to keep somewhat current on their operating systems. Microsoft was highly vocal about their end-of-life date for XP, and it never should have been live after the support expiration date.

In the case of ransomware it is necessary to take further measures to isolate backups so they don't become encrypted as well. Even home users can buy a simple high-capacity USB key to store at least the system drive backup, which is then unplugged and kept offline just in case. No organization as large as the British NHS should ever allow their systems to fall so far behind.
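Bill Lance's air-gap suggestion above and Plennie Wingo's unplugged USB key both skip the step that practitioners most often get wrong: proving that the backup actually restores before the medium goes offline, and being able to tell afterwards how much of the live data has diverged from it. The script below is an added example from the editor, not code from any commenter or from the article. It assumes POSIX sh with GNU tar and GNU coreutils (sha256sum, mktemp); the source and destination paths are hypothetical and are whatever the caller passes.

```shell
#!/bin/sh
# Added example (editor's, not from any commenter): take a backup of a
# directory tree, store a per-file SHA-256 manifest inside the archive,
# prove the archive restores intact, and later count how many live files
# have diverged from the last good backup. Assumes POSIX sh plus GNU tar and
# GNU coreutils (sha256sum, mktemp); SRC and DEST are hypothetical paths.
set -eu

# make_backup SRC DEST
# Writes DEST/backup-<UTC stamp>.tar containing SRC plus MANIFEST.sha256 and
# prints the archive path. DEST is meant to be the mount point of removable
# media that is unmounted and unplugged as soon as verify_backup passes.
make_backup() {
    src=$1
    dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/backup-$stamp.tar"
    work=$(mktemp -d)
    # Hash every regular file with paths relative to SRC, sorted so the
    # manifest is deterministic.
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k 2 ) \
        > "$work/MANIFEST.sha256"
    tar -cf "$archive" -C "$src" . -C "$work" MANIFEST.sha256
    rm -rf "$work"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
# Restores into a scratch directory and checks every file against the
# manifest. Returns 0 only if the restore is byte-for-byte what was backed
# up; a truncated, corrupted or encrypted archive fails here rather than on
# the day you need it.
verify_backup() {
    archive=$1
    scratch=$(mktemp -d)
    if tar -xf "$archive" -C "$scratch" 2>/dev/null \
        && ( cd "$scratch" && sha256sum -c --quiet MANIFEST.sha256 >/dev/null 2>&1 ); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# changed_since_backup SRC ARCHIVE
# Prints how many live files in SRC no longer match the manifest stored in
# ARCHIVE (or are missing). A jump from a handful to nearly all of them is
# the ransomware tell: mass rewrite of user data within minutes.
changed_since_backup() {
    src=$1
    archive=$2
    work=$(mktemp -d)
    tar -xf "$archive" -C "$work"
    n=$( cd "$src" && sha256sum -c "$work/MANIFEST.sha256" 2>/dev/null | grep -c FAILED ) || true
    rm -rf "$work"
    printf '%s\n' "$n"
}

# demo: constructed sample files (not real records). Back them up, verify,
# then overwrite the live copies the way ransomware would and show that the
# manifest flags every file while the archive still restores clean.
demo() {
    src=$(mktemp -d)
    dest=$(mktemp -d)
    mkdir -p "$src/records"
    printf 'ward 3 roster\n' > "$src/records/roster.txt"
    printf 'imaging schedule\n' > "$src/records/schedule.txt"
    archive=$(make_backup "$src" "$dest")
    verify_backup "$archive" && echo "verified: $archive (unplug the medium now)"
    for f in "$src"/records/*; do head -c 64 /dev/urandom > "$f"; done
    echo "live files changed since backup: $(changed_since_backup "$src" "$archive")"
    verify_backup "$archive" && echo "offline archive still restores intact"
    rm -rf "$src" "$dest"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh backup.sh demo` to walk through the constructed case. Two design choices matter: the manifest travels inside the archive, so the archive is self-verifying wherever it ends up, and verification is a real restore into scratch space rather than a `tar -t` listing, because a listing will happily succeed on an archive whose file contents have been overwritten. What the script cannot do is protect the medium while it is mounted; ransomware encrypts an attached USB drive exactly as it encrypts the system drive, which is why the unplug step in the comment above is the part that counts. Keep at least two media in rotation so one is always offline.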
Paul (Ohio)
This kind of crime can't exist without the support of a bitcoin infrastructure. It is impossible for me to believe that our government doesn't see that and ban its use in the US.
billd (Colorado Springs)
Although it might be easy to trash institutions like the NHS for not upgrading software, it's not all that easy.

For example, they likely have equipment such as MRI machines on their network that run on XP. That machine is supplied by a company that may no longer exist. As such, it is not upgradable. An upgrade to the NHS computer network to Windows 10 makes that MRI machine unusable.
Sequel (Boston)
The failure of Microsoft -- or any company -- to offer a reasonable period of security support for its older products creates a critical infrastructure hazard that should be addressed by Congress.
Steve L (San Diego, Ca)
It's not necessarily true that Windows 10 is "more secure." Many security critics believe that Windows 10 is full of government back doors. The truth is that modern software is even worse because the hacking is already built in.
Jamie (California)
The author of this opinion is poorly informed about technology and security, and in these days of "fake news" it's a shame to see misinformation veiled as authority in the Times.

Updating software infrastructure is a lot like maintaining disaster preparedness: it is expensive, necessary and yet woefully de-prioritized until disaster strikes (see: Katrina). Support for Windows XP was discontinued (rightly) by Microsoft over 3 years ago, at which point the operating system was 13 years old. To put it in perspective, XP initially shipped 7 years before the iPhone or Facebook even existed. Its security apparatus could not possibly have been built with modern connectivity in mind.

Whether you're maintaining a massive infrastructure like the NHS or keeping your local business website up to date, all computer users need to find a balance between managing "technical debt" and staying up with the latest and newest. We should point the finger at the U.K. Government or the powers-that-be at the NHS, who clearly didn't see the need to budget for security improvements.

This isn't a problem the technology sector doesn't understand. In the recent past we've seen several negative headlines about data loss at Yahoo - something you rarely hear about at Google despite a similar "fail fast" culture to the one described about Facebook.

Perfect security is no more possible than controlling the weather, but blaming something you don't understand sounds a lot like the alt-right.
Dave from Auckland (Auckland)
Bill Gates should take some of that foundation money he uses to fight bugs that cause malaria and use it to fight bugs that cause software to crash and hospital patients to suffer needlessly.
Phil Hocker (Alexandria, VA)
Hurray! An excellent analysis and prescription.
-- As you write, Microsoft creates "Ransomware" of its own when it knows the Wannacryptor patch but WOULD NOT DISCLOSE the patch for Win XP until very late Friday night (because I was searching for it).
-- When I purchase computer software, I expect it to work. If a new feature is invented, I understand I may need to buy new software to use it. But I expect the software I have paid for to continue to do what it was advertised as doing when I bought it. If I buy a car and the airbags become a hazard, I do not expect to get a "Notice" that I have to buy a new car!
-- Microsoft's tardy and grudging release 13May17 (EDT) of the patch for XP proves the author's point. The basic system, of marketing sloppy code and of mandating "Upgrades" that do not fix problems as much as they irritate users and impose vendors' data-thieving on us, has got to be changed. There ought to be a law.
Steve (USA)
hacking should be treated as a crime comparable to rape or large scale drug trafficking, with mandatory sentences in the 25 or 50 year range. this is a sector of the crime world where deterrence should have some impact.

this is an area where trump can actually do some immediate good, with bipartisan support.

frankly, ransomware is a form of terrorism and I wouldn't mind seeing life sentences meted out to perpetrators.
Ridley Bojangles (Portland, ME)
If a hospital uses Windows XP, that is simply gross negligence. The price of doing digital business is to stay abreast of the software security. It has been known for many years that XP is no longer considered a secure system. You're never too "cash strapped" for good security if you've got someone else's data in your care.
Max (San Francisco, CA)
Part of the problem is that many (most) people have switched to on-line subscription based versions of software that used to be installed via disks and CDs directly onto the computer. Thus work could be done without being connected and dependent on the internet. The more dependent you or your business is on being online, the more vulnerable you are. I still use Office 2003, Quark Xpress from 2000, Photoshop from 1998. All pre-internet based subscription. They do the job fine. Kept on a stand alone computer that is never connected to the net. All you need is a second PC/laptop to transfer any file you need to upload or email to someone and keep that one off-line until you need to send something or be on the web. Our lives and business are so on-line dependent in proportion to our vulnerability.
John (USA)
Microsoft very publicly removed Windows XP from support years ago and made a big deal out of warning everyone that staying with XP would compromise their security. It really isn't reasonable that big organizations like UK National Health are still running XP literally years after that software's end of life notice.
Beatrice (The World)
As someone born and living in the UK, I wholeheartedly agree.
Bob (San Jose)
How about taxware? If within 30? days of a patch being available, you fail to apply an update that fixes a known exploit, your system will stop functioning until you pay a government tax that goes towards cyber security infrastructure. You are guaranteed not to lose files, but your computer won't start. Microsoft would have to bear the onus of creating and managing this tax system, but would receive no revenues from it. Taxware payments for individuals are minor, $25 or such. Taxware payments for major corporations can be proportional to the gross income or such. An easily avoided tax that, when paid, diverts ransom money from the bad guys to fund gov agencies to beat the bad guys.
Robert Thomas (San Diego)
Keep in mind that it doesn't help to have a president who is reversing progressive thinking, bringing back coal and denying global warming. Other countries are moving forward, while the US president does nothing to move the country forward.

This was the opinion of a cybersecurity expert I had lunch with two weeks ago.
Paulo (Europe)
"...somebody in Seattle had decided was the new look. There was no option to keep things as is." Spot on, Microsoft has been driving even its core users away needlessly. With the Windows Vista debacle, I begrudgingly gave up and moved to the mac, and recently from Office to Google's office apps.
Ron Vaughn (Albuquerque, NM)
How about attacking the system of anonymous ransom payments by exerting some control over bitcoins? Have the NSA attack the payment systems hackers use for ransomware. If the NSA could just flood the bitcoin market with counterfeits, rendering them worthless, ransomware would disappear overnight. Bitcoin users who would be harmed by this NSA action should be working to exclude the bad apples from their community (or is the bitcoin community mostly bad actors?). Follow the money, attack the money, kill the economic incentive for ransomware.
Inveterate (Washington, DC)
Throughout history people have paid ransom for various reasons. $300 is very reasonable. Just learn to see this as the cost of doing business.
PS (Berkeley CA)
I do research in computer security. While we're slowly getting better at writing secure software, Tufekci's right that we're a long long way from guaranteeing that such attacks won't be repeated. You might think this is because the likes of Microsoft aren't trying hard enough to weed out bugs. But the reality is that it is we, the users, who are largely responsible for the mess we find ourselves in.

The fact is users don't value security. When buying computers or software, almost nobody chooses product A over product B because A is more secure. Users mostly want the cheapest, flashiest and easiest to use gadget. In fact, adding security to a product can be a money-losing proposition because security conflicts with ease of use.

The root of the problem is that humans aren't ideal and rational decision makers. We don't process uncertainty well nor do we accurately account for unlikely events. And so we regularly make unsafe decisions. If you're interested in learning more about this, I recommend this paper on the psychology of security: http://delta.cs.cinvestav.mx/~francisco/ssi/p34-west.pdf.

I want to conclude by saying this is one of those situations with no good solutions. I could write a whole essay about why Tufekci's suggestions are entirely unworkable. But I need to stop procrastinating as I have a research paper to write and so I'll stop now.
Anne Lazarski (New Jersey)
Thank you for expressing at least some path out of this Byzantine puzzle we're in at the moment
JPE (Maine)
But I thought having a national health system was going to solve all problems? What do you mean they can't afford to maintain their computers? What happened to single payer quality we've been hearing about for years?
Alex (Charlotte, NC)
Most users don't care about security and are unwilling to pay for it until the day they are hacked. Also in a world of over-regulated banking, paying criminals should make it easy to trace and prosecute them. The governments should go after hackers, the same way they go after terrorists (cyber-terrorists ?).
Jonathan Katz (St. Louis)
Yes, there is a solution. Don't use any microsoft product. Ever.

Nothing like this ever happens in the linux world. It is the difference between competent and incompetent programming. Why pay for incompetent when competent is free?
Albert Hew (Malaysia)
While I agree with the title of this article, I think it is more than just computers (laptops or desktops) being hacked. In the near future, as we become more and more dependent on cell phones and other little internet devices (IoT), a catastrophe of the same if not bigger scale will likely recur. Yes, we have to look hard at the eSecurity issue. Think about it: would you sit in a driverless car and let the car computer decide on your destination or destiny?
Cathy (PA)
Stuff like this is why I don't want a smart house. Is it inconvenient to have to walk to the fridge to adjust its temperature? Maybe, I never noticed. Would it be terrible if someone hacked your internet/smartphone enabled fridge and turned its cooling function off? Most definitely.
[email protected] (Old Lyme CT)
Come now - there is no excuse for a national health service or an international corporation to be using a computer OS that is 15 years out of date.
lloydmi (florida)
Windows XP was first deployed during the Neolithic Age.

British computer magazines have warned the NHS was vulnerable to all sorts of problems for over a year.

The NHS problem was not technological, but political.
manfred marcus (Bolivia)
An in depth explanation of computer hacking, a never-ending problem. What is the chance of a sure way to catch these criminals at the beginning of their 'invasion', rather than at the end, with possible dead-serious consequences, as described?
The Wanderer (Los Gatos, CA)
Let's all remember that the NSA wanted to force Apple to make it so your iPhone could be hacked. They want it so that ALL computers can be hacked and that they can have access to all of your information. The NSA is one of the problems, not the solution.
MikeG (Seattle)
Remember it was the NSA that developed these exploits but proved to be incompetent in keeping them secure.
Users who can't afford to run anything newer than 15 yo software should either maintain a backup or keep a stash of bitcoins handy.
JB (NYC)
How about not connecting mission-critical systems to the internet if you can't keep them properly secured? Running Windows XP on an internet-connected computer in 2017 is just asking for trouble.
kathryn (boston)
Zeynep leaves out an important part of the story. Windows XP was released in 2001. I'm not saying Microsoft doesn't overprice its software, but they have a reasonable end of life policy. No software business can anticipate all the problems that might be unearthed, that is why there are regular releases. If you want to address the problem, focus on the price per computer, not on the concept of needing to pay for support.
vulcanalex
How about we eliminate Bitcoin and any other way to pay people that can't be tracked. Also let's find those responsible and if they are not in the US, well eliminate them.
Robert (Colorado)
How about making it illegal to use a "virtual" currency? What if you risked going to jail if you used Bitcoin or any other virtual currency that cannot be traced? Wouldn't it be a lot harder to embezzle if you had to use either physical currency or a credit card to do your crimes?
Bill (Charlottesvill)
And then people wonder why more and more governments switch their computer systems to Linux.
Enrique (Maryland)
Windows problems. Linux is free, the updates are free, it has thousands of people in many countries openly looking through its code, finding flaws and fixing them for free. Nobody involved wants to invade your privacy; they care about privacy more than the users do. It runs Chrome and Firefox, which covers 95% of what you do online nowadays. Linux runs half the internet, and a billion smartphones (it's in Android), Tesla's cars, some nuclear subs and a bunch of NSA stuff because it was made for security from version 1. So few people use it on PCs that there's no money in making ransomware for it right now. You can run it from a USB stick and yank it out and boot back into Windows if you like. Try Ubuntu or Mint.
Adam (Tallahassee)
So Microsoft profited from the plundered NSA documents? That sounds like conspiracy to me. I've always thought that company was despicable.
troublemaker (new york, ny usa)
Thank the stupid copyright laws. If more software was open-sourced there would be tons of people collectively invested in keeping it safe and open for all.
MT (NY)
It's so great that we have bitcoin to enable all of this ransomware to succeed.
David H. (Rockville, MD)
I'm not sure that this solution is right. While it seems like Microsoft or Apple could afford the perpetual security updates that the article seems to call for, I think that the author is misstating what that means. Is the author really calling for Microsoft to update XP so that it's as secure as Windows 10, for Apple to update OS 10.3 so that it's as secure as OS 10.12? That type of re-writing isn't affordable, desirable, or even possible. For this week’s flavor of ransomware there may be a readily available patch, but that’s not always true. A law that demands those resources in perpetuity will guarantee that only Microsoft, Google, and Apple can afford to sell operating systems in the future. (The notion that “I paid for it in 2002; therefore, you have to make it work well in 2017” is ridiculous.) Further, forcing OS writers to make every update behave the way Zeynep Tufekci wants and the way David H. wants will block interface advances, as all the resources (both of the computers and of the programmers) will be devoted to supporting countless interface iterations from the past.
Carl H (Saint Paul)
I'm surprised this writer (or most of the other commenters) didn't realize how outrageous it is that NHS hospitals in Britain are using a 15-year-old operating system and not even bothering to pay for the extra security required. I fail to see how this is Microsoft's fault.

Government agencies (and the taxpayers supporting them) need to realize that keeping IT infrastructure current is not optional; not a target for austerity.
SnowFire (New York, NY)
The way to fix the problem would be to upgrade the darn machines, not for Microsoft to hand out patches for free. If anything, it could be argued that MS handing out the Windows XP patches at all lures people into a false sense of thinking XP is secure. It's not, even with the patches.

Concerned about security? Organizations should get Chromebooks and store everything in the Cloud. You still might lose your data, but then it'll be Google/Apple/Amazon/MS's fault, and they have far more expertise in cybersecurity than you do, so it's a lot less likely.
Mark Stevens (Brisbane)
Give Microsoft a break. When they introduced Windows 10 they gave FREE upgrades to everyone running Windows 7 and 8. They provide us users with FREE upgrades and patches for a decade or so after they sell their product. Institutions using clearly obsolete technology need to assume responsibility for their own bad decisions: a raise for the NHS bureaucrats or pay to upgrade an OS more than a decade old? What kind of a warranty do you get with your car? With your house? Would you be given a new phone, no strings attached, when systems moved from G2 to G3? Of course not.

Maybe if our dear government had quietly informed Microsoft years ago of the defect, it would have been repaired long ago and this disaster never would have happened. Maybe Washington should pony up compensation to all those impacted - maybe even the Russians.
Aaron (Orange County, CA)
NSA and DARPA already have the software technology to "hack-proof" IT systems. Our taxpayer dollars paid for this R&D, so we [U.S. citizens] should be allowed the same protections. Ultimately, they will license to private companies for next to nothing, who will then charge us an arm and a leg to purchase something we've already paid for.
Ron (Vermont)
Breaking old software with upgrades is a business model.
CK (Christchurch NZ)
It's important for online businesses to have very good security for subscribers who have a subscription deducted from their bank accounts because if the business gets hacked then people won't subscribe to your newspaper or business. If you say your website is SECURE then make sure it is as there is 'trust' involved on the part of the user.
It's very important that the media push for big businesses like Microsoft, Apple and Facebook etc to invest more money into prevention of cyber crime. It's in the media's survival and financial interest to do so. Fewer people buying online subscriptions means fewer jobs for people at the newspaper.
I have ESET security and trust it. I pay a small annual fee for having ESET Security. I don't have Microsoft/Windows security because I don't want to put all my eggs in one basket.
RBSF (San Francisco)
In Microsoft's defense, it offered free upgrade to Windows 10 for a while. Windows XP was released more than 15 years ago; people who are using such old operating systems are not only not doing themselves a favor, they're also enabling spread of viruses.
Thomas (Nyon)
Good article but a few things missing.

Had these machines been backed up adequately, and the users given simple tools to revert back to a pre-infected state this crisis would have been a non-event. Ideally every system should automatically make hourly backups for the past 24 hours, daily backups for the past month, and weekly backups for all previous months. Does the PC have these tools by default? No.

Why are all of these computers connected to the internet? There are ways to 'sandbox' networks to keep the black hats out, while still retaining the ability to send emails and surf the net. A newfangled lightbulb has no reason to connect to the WWW; it needs to connect to my home network. The internet of things is like opening all the doors of the house and inviting the world in. Sexy, but Stupid.
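The backup rotation the commenter above describes (hourly for a day, daily for a month, weekly beyond that) is a standard retention scheme, and the part that usually goes wrong in practice is deciding which old snapshots to prune. The following is an added example, not code from the commenter or from the article: a small planner that assigns each snapshot timestamp to a retention bucket and keeps only the newest snapshot per bucket. The 24-hour and 30-day windows, the helper names and the sample timestamps are all assumptions constructed for the demo.

```python
"""Snapshot retention planner (grandfather-father-son style).

Added example: keeps one snapshot per hour for the last 24 hours, one per day
for the last 30 days, and one per ISO week for everything older, then reports
which snapshots to keep and which to prune. The windows and the sample
timestamps below are constructed assumptions, not values from the thread.
"""
from datetime import datetime, timedelta


def retention_bucket(ts, now, hourly_window, daily_window):
    """Map a snapshot timestamp to the retention bucket it competes in."""
    age = now - ts
    if age <= hourly_window:
        return ("hour", ts.date(), ts.hour)
    if age <= daily_window:
        return ("day", ts.date())
    iso_year, iso_week, _ = ts.isocalendar()
    return ("week", iso_year, iso_week)


def select_snapshots_to_keep(snapshots, now,
                             hourly_window=timedelta(hours=24),
                             daily_window=timedelta(days=30)):
    """Return the set of timestamps to retain: the newest snapshot in each bucket."""
    keep = {}
    # Newest first, so the first snapshot seen in a bucket is the one retained.
    for ts in sorted(snapshots, reverse=True):
        if ts > now:
            continue  # future-dated snapshot (clock skew): neither kept nor pruned
        bucket = retention_bucket(ts, now, hourly_window, daily_window)
        keep.setdefault(bucket, ts)
    return set(keep.values())


def plan_pruning(snapshots, now):
    """Split snapshots into (keep, prune) lists, each sorted oldest first."""
    keep = select_snapshots_to_keep(snapshots, now)
    prune = [ts for ts in snapshots if ts not in keep and ts <= now]
    return sorted(keep), sorted(prune)


def demo_now():
    """Fixed reference time so the demo is reproducible (constructed)."""
    return datetime(2017, 5, 13, 12, 0)


def demo_snapshots(now):
    """Constructed sample: hourly snapshots for two days plus daily ones for ~5 weeks."""
    hourly = [now - timedelta(hours=h) for h in range(48)]
    daily = [now - timedelta(days=d) for d in range(3, 41)]
    return hourly + daily


if __name__ == "__main__":
    now = demo_now()
    keep, prune = plan_pruning(demo_snapshots(now), now)
    print(f"keeping {len(keep)} snapshots, pruning {len(prune)}")
    print("oldest kept:", keep[0], "| oldest pruned:", prune[0])
```

Snapshots older than 24 hours collapse to one per calendar day, and older than 30 days to one per ISO week; a ransomware infection discovered a week later can therefore still be rolled back to a daily point, which is the property the commenter is after.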
Richard Gaylord (Chicago)
How naive and/or ignorant. As the theoretical physics professor who teaches computer programming, with hacker acquaintances, I can say that there is virtually no computer that can't be hacked (not even air-gapped computers are safe from intrusion). The only solution is to post a warning on every computer screen that reads "abandon any hope of privacy, all ye who enter the internet" or perhaps "if you're not paranoid about your internet privacy, then you are too naive to use the internet".
Mark (MA)
A truly meaningless article. Unless the author's intent is to espouse more big brother (read big government).

To begin with the software companies do not sell software. The software always remains the property of the OEM. They sell licenses which allow the purchaser to use the software. And the purchasers of these licenses are responsible for their actions. And given the hardware developments it's impossible to just link it to software. Hardware changes can create risk as well.

We already have laws and practices in place which address these security/patching issues. These organizations are responsible for their practices. Saying the OEM should be responsible is complete nonsense. That would be like making an auto leasing company responsible for a drunk driver's actions who has leased a car from them.
john boeger (st. louis)
I assume that the current administration did not cause this problem; however the problem is here so it will be interesting what will be done to correct the situation. Obviously the problem can not be solved from the golf course or by a tweet.
TDPSS (Oregon)
Unix and its spawn Linux have been designed with the proper methods that make it extremely difficult to hack. Windows on the other hand is a hodgepodge of ill designed code called Dynamic Link Libraries, and is so bloated it's virtually impossible to manage. No wonder plugging security holes is a never ending issue.
Bartolo (Central Virginia)
Windows XP came out in 2001, and Microsoft ended support for it some years ago. Several improved versions of the MS operating systems have been released since then.
sylvia (tanaka)
Think the author should have learned more about cyber security before writing this article. It pays a lot to find new vulnerabilities in every software that comes out. Cyber criminals will not stop and there is no attack-proof software. Of course one has to pay to put mitigation solutions into effect; how else should companies be paid for developing them?
Steve Gallagher (santa clara CA)
If you hadn't noticed by now, humanity has been infested with crime for thousands of years.

Try as we might, we've never gotten rid of it, never will.
Robert (hawaii)
Create statutes that make hacking and other cyber crimes terrorist acts and acts of treason.
Find the culprits, extradite if foreign and put in jail forever.
They can take the place of non violent drug offenders one for one.
Word will get out that you had better think twice before you engage in cyber crimes. Life without parole is the call.
Tom M (Maine)
This author obviously hasn't spent a minute in corporate IT, where certain departments cling to obsolete systems with the ferocity of a toddler, and upgrades are often deferred for cost-saving (i.e.: dividend-increasing) reasons. What IT professionals have long known is the hidden cost of such flagrant risk: major outages such as this. Sometimes the only way a toddler can learn not to touch a hot stove is by scorching their finger.
Bob Muens (Paciano)
So we pay Microsoft for an update to fix a security problem in their software. They were clued into this problem by the NSA which means our tax dollars were used to help Microsoft fix its own mistake. What a deal!
Gerithegreek (Kentucky)
I feel as though I'm living out an up-dated version of On the Beach.
Paul R. Damiano, Ph.D. (Greensboro)
Not to be overly paranoid, but I find it ironic at best that one of the world's leading cyber-security companies always mentioned in the news media is the Russian company Kaspersky...anyone else here a little wary?
Jay (Nice)
So this is Obama's record of 8 years "It is past time that the N.S.A. shifted to a defensive posture and the United States government focused on protecting its citizens and companies from malware, hacking and ransomware — rather than focusing so much on spying".
ted m (los angeles)
A secure, identity based networking framework is essential to the survival of civilization.
John (Tucson)
There is a simple solution: stop using Windows. It's totally absurd for governments, hospitals and other organizations with critical information to continue using the world's most insecure operating system just because their IT people don't want to learn macOS or Unix.
Mark (The Sonoran Desert)
For heaven’s sake, this article is awful. This author is indicting Microsoft for Britain’s healthcare problems. Talk about being on the loony left. Why isn’t more being done, she asks? Ask the British government! I worked as a computer programmer and IT consultant for many years. More than enough is being done about cyber-security, because the free-market demands it. The problem in Britain is with socialized medicine. Windows XP was released in 2001. The last service pack was released in 2008. The company ended extended support for the product in 2014. The only way to get support is to pay for custom services. Why should Microsoft give this to Britain for free??? The British people weren’t left out in the cold by Microsoft, they were left out in the cold by their government.
Jean-Louis Lonne (Belves France)
Get a Mac or use Linux. Microsoft was never good, worse now.
Roman Berry (Heflin, Al)
Huh. How long is MS supposed to perform free upkeep on the long since obsolete Win XP? MS themselves tell users that XP is not safe and secure on any Internet or Intranet PC.
WEH (YONKERS ny)
outlaw bitcoins. Leaving cash in stump is a great way to catch people. An untraceable currency is unacceptable in the modern age.

Nothing was said about being able to trace to the origin from where the emails came.

https should be opened in the computer, scanned by anti-malware and virus before the data is released into the operational area.
srwdm (Boston)
Regarding the security of Microsoft (Windows) operating systems:

Maybe we can get that entity called Bill Gates (the richest individual in the world) to give us some insight on Microsoft's philosophy over the years and the legacy he left in place at the company—

He was so helpful at the anti-trust/monopoly hearings.
Jerry (PA)
Aside from developing better software, has anything else been done to stop these international crimes?
Alexander K. (Minnesota)
A weapon of mass destruction developed by the US government was stolen and used on millions of people worldwide. A US company that had a solution (for their own defective product) joined the cyber-terrorists and held up millions of people for ransom. Why does the world hate us?
Amy (Ellington)
Geez - Your argument is all of a piece. I may buy something and do stupid things with it.
a) Why doesn't the government pass regulations so I can't do such stupid things.
b) It must be the fault of the company that sold this thing to me.
Faizan Ahmad (Pakistan)
I think the best thing to do is teach hacking to people so that they can know about how things get breached. That will drastically reduce the number of breaches and hacks.
I wrote a small guide for people who wanted to learn hacking. It was later appreciated by Matt Cutts (Google). Here's a link if you want to get into hacking:
http://fsecurify.com/how-to-learn-hacking/
Susannah (France)
I've grown quite a bit since my first introduction to a personal computer just 17 years ago. At that time I saw it as a glorified IBM Selectric Typewriter. I know better now. I am a geek.

1. Have several emails. 1->junk, 1->long term business, 1->internet purchases, 1->friends, 1->for family, 1->paid subscriptions, 1->personal finances. Move important data to a memory stick for important docs/delete the email immediately.
2. Have several pass codes and change them monthly. Never allow your computer or a site to remember your pass codes or any of your personal/financial info.
3. Never Left-Click on any link if you don't know where it came from or where it goes. Don't believe what the link reads. Right click on it instead. A small window will open with a drop-down list of choices; choose Copy Link Location and then paste it to a note pad. The link 'not legally liable' in this article reads: https://newrepublic.com/article/115402/sad-state-software-liability-law-... I see it's from //newrepublic.com/file name/ID#/title given to that article. I'll visit the site's homepage sans the link. My first line of defense will be to check verification by hovering my mouse over the lock icon on the address. If the site uses cookies and I'm not a subscriber I simply don't enter.
4. Always update everything. Always.
5. Do NOT ever ALLOW anyone else to use your intelligent devices. Turn them off and pass code lock them when not in use. And change the pass code often.
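The "don't believe what the link reads" advice in the list above is the manual version of a check that can be automated: compare the domain a link visibly claims against the domain its href actually points to. The block below is an added example written for this page, not code from the commenter or the article; it parses anchors out of a constructed HTML fragment with the standard library, flags links whose visible text looks like an address for a different domain than the real target, and also notes links that are not served over https. All domains in the sample are placeholders, and the two-label "registrable domain" helper is a deliberate simplification (a public-suffix list would be used in production).

```python
"""Link-text vs. link-target audit.

Added example: parses <a> elements out of an HTML fragment and flags links
whose visible text looks like a URL or domain that does not match where the
href really points, plus links that are not https. The sample HTML below is
constructed; every domain in it is a placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text a reader would take to be an address: optional scheme, a dotted
# hostname, optional path. Free-form words such as "click here" do not match.
URL_LIKE = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def target_host(href):
    """(hostname, scheme) of an http(s) href; hostname is None for anything else."""
    parsed = urlparse(href.strip())
    scheme = parsed.scheme.lower()
    if scheme not in ("http", "https"):
        return None, scheme  # mailto:, javascript:, relative paths, ...
    return parsed.hostname, scheme


def text_host(text):
    """Hostname the visible text claims, or None if the text is not address-like."""
    if not URL_LIKE.fullmatch(text):
        return None
    value = text if "://" in text else "http://" + text
    return urlparse(value).hostname


def registrable(host):
    """Crude registrable domain: the last two labels (assumption: no ccTLD handling)."""
    return ".".join(host.split(".")[-2:])


def audit_links(html):
    """Return one finding per link with a verdict: ok, mismatch, plain-http, unparseable."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host, scheme = target_host(href)
        claimed = text_host(text)
        if href_host is None:
            verdict = "unparseable"
        elif claimed is not None and registrable(claimed) != registrable(href_host):
            verdict = "mismatch"  # visible address disagrees with the real target
        elif scheme != "https":
            verdict = "plain-http"
        else:
            verdict = "ok"
        findings.append({"href": href, "text": text,
                         "href_host": href_host, "verdict": verdict})
    return findings


# Constructed sample; all domains are placeholders.
SAMPLE_HTML = """
<p>See why vendors are <a href="https://news.example/article/1234/liability">not legally liable</a>.</p>
<p>Verify at <a href="http://evil.example/login">https://www.mybank.example/login</a> now.</p>
<p>Docs: <a href="https://www.example.org/docs">example.org</a></p>
<p><a href="http://example.net/page">Read more</a></p>
<p><a href="mailto:help@example.org">Contact us</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(f"{finding['verdict']:12} {finding['text']!r} -> {finding['href']}")
```

The second sample link is the case the commenter warns about: the text reads as a bank address while the href goes to a different domain, and the audit reports it as a mismatch. Plain descriptive text such as "Read more" cannot disagree with anything, so only its scheme is checked.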
Reimundo Heluani (Rio de Janeiro)
Darien Huss is credited in this note as the man who activated the Kill switch. This is not correct as the person who stopped the spreading of this attack by registering an online domain is the anonymous tech that goes by the twitter alias @malwaretechblog. The timeline of Darien Huss' role can be read clearly on both of their twitter feeds.
Jonathan Swenekaf (San Diego, CA)
When the companies selling the software to huge government systems stop supporting same systems in an effort to sell the next generation, and the government won't upgrade for whatever reason, this is what you get. Bootleg copies probably are the backbone of some organizations in some countries that perhaps can't afford the real deal, too, which means no support at all ever. Companies should support at least these purchased systems for years longer than they do simply to avoid the problem like we see now. It undermines the whole network and is really extortion through the threat of potential vulnerability.
The NSA connection here is a huge boondoggle as they obviously thought they were more secretive than was actually possible, an egotistical gamble that failed. Trying to get it right might be too little too late for the foreseeable future.
Anotherdeveloper123 (Tysons Va)
Backups should be an integrated, mandatory part of the operating system.

How many families have libraries of photos, videos and financial documents that are not correctly backed up?

Microsoft has been a leader of replacing US workers with foreign guest workers. In 2007, Microsoft came up with a scam to use student visas to get around the H-1B quotas. Microsoft's plan was to increase the duration of OPT to 29 months so that OPT could serve as a substitute for H-1B visas. Microsoft presented its plan to DHS Secretary Chertoff at a dinner. From there, DHS worked in secrecy with industry lobbyists to craft regulations. The public received no notice that such regulations were being considered until DHS put them in place without notice and comment.

Microsoft needs to be held legally responsible for the damage caused by a defective product.
Realist (NJ)
There are millions of lines of codes. It is virtually impossible to secure all current and past software into perpetuity. The most cost effective solution is to pursue the hackers diligently and put them out of business.
Joey (Yohka)
For eight years the Obama administration did nothing while foreign entities hacked our defense contractors, defense agencies and records, industrial companies and electric utilities. No deterrence and no consequences.

Speaking softly and carrying no stick at all had unintended consequences of emboldening our enemies.
Peak Oiler (Richmond, VA)
Thank you for this remark:

"It is past time that the N.S.A. shifted to a defensive posture and the United States government focused on protecting its citizens and companies from malware, hacking and ransomware"

Richard Clarke has been saying this for over a decade. And losing one's files to a hacker cannot compare to the vulnerability of our power grid, defense systems, and other critical infrastructure. When that gets hacked, and it will, lots of people are going to die.

And while I shy away from the Windows OS, that is only one piece in a much larger system of vulnerabilities.
Lou Quillio (Castro Valley, CA USA)
It's worth wondering, though, if closed-source operating systems (or popular applications) can ever meet the threats of a crowd-sourced network. Microsoft has come a long way with its newer products, true, but its legacy software still dominates the installed base, and amounts to massive technical debt that we're all paying, and will be for a long while to come.
gs (Vienna)
The real scandal is that the NSA cannot secure their own networks. If they are not up to this task, neither can any other organization, and the NSA should not be developing the hacking tools that then fall into the hands of criminals.

The observations about the present deficiencies in the security upgrade process are certainly valid. But one still has to ask why the NHS is using a 16 year old operating system (XP) to manage patient records when Microsoft has offered a free upgrade to Windows 10.
CK (Rye)
We learned back in 95 in a basic computer course, "Windows is not a secure operating system." Since then Microsoft has cost consumers $billions while these consumers are misled to grovel at the feet of Bill Gates's clunky software, because, well, it's Microsoft. Collusion with other vendors created the world's most onerous monopoly and completely stifled competition. If Gates had to give back $1 per hour that people have spent struggling with bugs in Windows, or fighting the OS to behave, or install, or recover from crashes and lost data, he'd be broke many times over instead of the World's Richest Human. Conversely his company has made so much money it could easily have afforded to spend to create a secure advanced version of Windows by now. It's the greatest ripoff since the American auto industry's "planned obsolescence" of 60s fame.

The OS that most Americans rely on for so many day to day tasks should be regulated like a utility, and it should be required to be far better at what it does, and be secure. Instead Gates's Mafia charges most Americans a couple $hundred every so often to make changes to unimportant aspects of the OS that were just fine, causing users endless headaches. How many things are you forced to repurchase every couple years where the consensus is that the "upgrade" is worse than what it replaced? This is sop at MS.
George S (New York, NY)
"In the current regulatory environment, the people who write the insecure software [on consumer goods] and the companies who sold the “things” bear no liability."

Honestly, do we even need internet connected baby monitors, refrigerators and thermostats (or medical machinery)! Not at all. In this case, caveat emptor should apply!

Secondly it seems that institutions like hospitals should create and practice manual backups - there should be no reason not to admit an ill patient just because your computer is down and you can't generate a name bracelet or admission form (as happened at the NHS). Paper back ups for critical functions must be available, and, perhaps as important, occasionally practiced.
andyreid1 (Portland, OR)
The article was well thought out and written, looking at most if not all possible scenarios except for one, and that is the biggest problem, Microsoft, that Microsoft refuses to address.

Microsoft is trying to serve two distinctly different markets with a single product. What do corporations and the general public have in common? Not much, really. While both markets are headed in different directions, Microsoft seems determined to keep them in a unified "Windows" environment that neither group likes. Actually I think the only thing everyone agrees on is how awful the "updates" are.
Mytwocents (New York)
The problem is that Microsoft no longer wants to sell software but rent both the software and the updates. The new Microsoft 365, where people have to pay a yearly fee for the old software with "upgrades" (all unwanted and disruptive), is the most recent and unpleasant example.

When I changed my last computer, and wanted to re-install an extra language pack for Word 2010, the language pack was no longer available. I was forced to rent it under the 365 rental scheme or repurchase a newer Word I didn't need. Just then, it occurred to me that I had purchased the same extra language pack since 1995, every few years, each time I updated to a new Windows and MS version; the language pack itself is the same as it was in 1995. Shouldn't the government allow certain basic pieces of software to go "generic" like drugs after a while, so that customers won't be forced to re-purchase the same product/feature every few years?

Most people need Word for writing, and they don't need all the bells and whistles forced upon them by Microsoft.

I am not impressed if Gates's foundation gives millions to Africa if he robs working people across the globe.

This ransom attack makes the unfair system just more obvious.
George (Houston)
I don't see where "we" are doing any more to stop malware listed in this article. Besides pay more taxes.

I do see a large push to have government control more in our lives, requiring more effort than necessary mostly wasted rechecking software code only understood by a few people in the world and on studies designed to prevent people from opening attachments from unknown sources.

The thinking that NSTA prevents accidents and a similar software agency can prevent ransomware attacks is just silly on its face. Smart planning and thinking about data storage can be done by the average person, but you cannot prevent the sleepy driver from crashing, no matter the government interference.
Nick Oliva (New York)
Is it necessarily true that software companies should be held to a higher standard than others here? Food safety has come a long way too, but it's my own fault if I don't consume food before it expires, or not refrigerate it properly.

The consumer has a responsibility when he buys a product, and organizations have a higher duty to their customers. It is just not reasonable for a hospital to use an operating system that was kept on life support for long after its life expectancy was over to keep people on life support for long after their life expectancies are over. But, let me not change the subject....
Dr Russell Potter (Providence)
In my view, Microsoft has essentially been selling a broken or defective OS for many years, so that customers have to purchase or rent an endless stream of fixes from them or third-party vendors such as McAfee. Would we accept this in a car ("sorry about that fatal crash -- you should have paid for updates!") or an aircraft ("Due to some passengers' not purchasing upgraded stability plans, we will now be encountering severe turbulence")? I think that legal measures might work -- make it illegal to sell defective merchandise, and oblige the maker to correct defects at no charge -- after all, these are the same principles applied with other goods. True, the security landscape is always changing, and no system is perfect -- but Microsoft's OS's have been a disaster from day one.
Bill IV (Oakland, CA)
Who is this "we" you speak of? Microsoft's key business strategy is to keep churning their products so that users have to buy upgrades. It's baked in. That's how they got a $100 billion pile of cash. Over 80% of the market handed it over. And with a lock on the market and a tidal wave of money, Microsoft produced... Vista. And 11 versions of Internet Explorer. And Windows 8, the one without a "Start" button. How many times did Microsoft have to disappoint and confound its users? Why would anyone pay cash money for what is self-evidently junk? Microsoft stopped supporting XP because their model required a new OS, not because users needed new OS features. VMware supported XP for years after Microsoft abandoned it. As the hackers have demonstrated, people are still using it.

When it's my money, or my data, I avoid Microsoft's second-rate products, third-place security and doomed-to-fail proprietary coding model. I read Cliff Stoll's marvelous book, "The Cuckoo's Egg", out loud, to our child, before they were 10. Our family delights in a good, long password, one that can't be broken by a dictionary attack. We think our data and working environments are valuable, and act accordingly. Given a choice, I use Open Source freeware for office automation, in Windows, Linux and MacOS workplaces. Because I take security, and quality, and the business models of those I give my money to, seriously. It's Capitalism here, folks. Who you pay your money to is a choice and has consequences.
Auntie Hosebag (Juneau, AK)
Another assault on both common sense and common welfare by profit motive.

If the NSA can develop proprietary software to attack other computer systems, why can't they also develop proprietary operating system software owned only by the US Government and thus nearly impervious to hostile penetration--to distribute to all Americans for free? Where does it say the government has to use Microsoft products, or is this a question best asked by a Congressional investigative committee?

Why are countries' and corporations' most important systems online at all?! Are we about to discover how many of our infrastructure systems--things like ports, railways, airports, planes, buses, ships, police, and military are compromised?

Looking more and more like Hillary should have claimed that server as an added layer of security.
David (Oregon)
I've been in the field for 25 years, and I maintain that it is time to start jailing those millionaire bug-writing punks.

Seriously... If you build an airplane that causes billions of dollars of damage to the world economy, you can lose your license to practice engineering, you can go to jail, face civil penalties, criminal charges, etc.

If you build a faulty building, you can get punished.

If your bridge falls down, you can get punished.

There are flaws in all aspects of our infrastructure (pipelines, grid, vehicles, buildings, roads, bridges, software, etc). Unless and until coders are held as accountable as the rest of the disciplines that create our civilization's infrastructure, this will never be fixed.

We can wait until some defect kills a sufficient number of people that we are embarrassed into action, or we can take action before people die. This is our only choice.

In what other field of human endeavor do we mutter "defects are inevitable" and simply walk away while those responsible for the costly defects become obscenely wealthy while bearing no responsibility?

If we treated code like we treat airplanes, Bill Gates would be worth probably 1/1000 of his current accumulation of ill-gotten gains.
B. Scott Andersen (Pelham, NH)
We had our chance in the 90s, before things got out of hand. What is needed is good, pervasive encryption along with digital identities (public/private key cryptography). The technology was there, but the US government made it a felony to distribute it. The very thing that could save us now was treated like munitions. It was, and is, insane.

Now, the FBI spends enormous resources fighting identity theft. That problem would have been helped by this, too. The irrational response of law enforcement and government that "criminals might use it!" has to stop. Yes, this is a big technical problem to solve, but it is also a political problem with technophobes outlawing what they don't understand.
DJ Molny (Colorado)
This is a great article that lays out the challenges and structural disincentives associated with software upgrades. But I have to take exception with the proposition that software companies should provide security fixes for obsolete software indefinitely. That's like asking Ford to retrofit vintage Mustangs to make them as safe as a brand-new vehicle. Yes, you could add airbags and a backup camera, but features like ABS, stability control and crumple zones can't just be bolted onto a car that was built with 1960s technology. Software is much the same: some vulnerabilities can be patched, while others are innate and thus require upgrading to a newer version (or replacing with a different product altogether).
jeg (Austin TX)
What occurs to me in this situation is how quickly and thoroughly we have come to trust electronic communication. We trust it will store and convey the most personal of information - financial, medical, etc - in a secure way. What ever gave us that idea?

Most of us have so little understanding of the inner workings of software, computers, and the internet, yet in a very short time, we have built our worlds around these relatively new inventions, invented by mere mortals who probably never imagined the extent to which they would be used or abused.
Joanna (Atlanta, GA)
I had three virus protection programs on my Windows PC and I'm careful. I got a virus nonetheless. It made my data irrecoverable.

Microsoft's behavior seems criminal. It creates software that is designed to be vulnerable and, to force upgrades, it won't support its older products, which it has the technical and financial capability to do. It has also created a lucrative and unnecessary antivirus market (Apple manages without that).

If Bill Gates is the magnanimous character he wants us to believe he is, his company needs to support its vital (expensive) products. Otherwise it's just another heartless company and he's just another greedy billionaire.
Robert (Houston)
Trying to hold Microsoft accountable for institutions and individuals who are holding onto an operating system that is over a decade old is like trying to hold a car manufacturer accountable for defects in vehicles made in the 50's/60's. Technology in both hardware and software has come a long way since the early 2000's and I don't think companies should be liable or obligated to continue trying to ensure a dozen different OSs are working in tip-top shape.

Also the implication that Chrome OS and iOS are more secure because they have a smarter design team is a bunch of baloney.

The reason why Windows PCs are targeted more often is incredibly simple and it comes down to sheer numbers and potential value from what they get. Windows is always going to be a prime target for the foreseeable future because the vast majority of PCs use Windows. Any vulnerability found will open up potentially billions of computers whereas a crack in iOS will open up a fraction of that -- tens of millions. PCs are still the main piece of hardware used to keep operations and businesses going. If you take away someone's phone or e-book you're annoying -- take away the keyboard and monitor and that's something else.
Robert Kramer (Budapest)
Thank you Zeynep. This is the clearest explanation I have ever read of a humongous problem that is more serious to the survival of the planet than North Korea's nuclear tests.

I know little about software, and want to know even less. I find almost all software designed deliberately for the purpose of baffling "users." The word "user-friendly" is an oxymoron. Software is no friend of mine.

I suspect that updates and new versions of software are deliberately designed to become out-of-date the day after they are released in order to force "users" (what an ugly word) to buy the next "new, improved" version as soon as they are ready.

Planned obsolescence is the fundamental, money-making strategy of companies like Microsoft, Apple, Facebook, Google, Yahoo. They make billions and pay little in taxes.

The US Government doesn't have a chance to get these companies under control since they lobby so fiercely for their "constitutional rights" on Capitol Hill and give huge campaign contributions to both Democrats and Republicans.

I am afraid that the US Government is now under "nuclear attack" by Microsoft and their rivals.
David Gottfried (New York City)
This is an excellent article.

The writer noted that hospitals in London were severely affected by the cyber attack.

I might add that medical practice is often enfeebled by computer problems even when their computers are not besieged by ransomware or other viruses or worms.

An article in the Times, a couple of years ago, noted that some people had gotten excessive radiation (to kill cancer cells) from advanced hospital machinery, because there were so many modifications constantly being made to the software, so many new gadgets and programs that were constantly being purchased in the name of technological "progress," and such a constant avalanche of data and information that needed to be processed that RADIOLOGISTS, who one would think are a bright bunch of people, were simply overwhelmed and unknowingly gave their patients too much radiation.
Many of these advances are just part of planned obsolescence, a ploy to make customers constantly buy and familiarize themselves with new devices because the older ones no longer work because of various unnecessary innovations. And on top of the constant, superfluous, frenetic modernizing, we have to contend with cyber crime.

We must give the anti-regulatory Republicans the old heave-ho and enact more regulations of the cyber industry. Among other things, the writer's proposal that vendors, such as Microsoft, make their patches available to all purchasers of their products, should be enacted into law without further delay.
Brian (NYC)
It's quite instructive that this piece glosses over the source of the malicious tools, namely the US government. As reported in the New York Times ("Hacking Group Claims N.S.A. Infiltrated Mideast Banking System," April 15, 2017), the NSA had developed hacking tools that allowed it to infiltrate and spy on financial transactions within the Middle East's banking infrastructure.

Just to recap: we have outdated American software (Windows XP) being hacked by the American government (NSA) in order to spy on the banking sector (in this case the Middle East) using that American software. The American government proves incapable of safeguarding its malicious tools and those tools are then stolen and turned against global computers running American software. It seems to me that all roads lead back to the United States on this one.

Of course, this is not what is meant by the headline of this opinion piece: "The World is Getting Hacked. Why Don't We Do More to Stop It?". The real answer to that question would involve examining American governmental agencies such as the NSA et al. and their part in committing cybercrime as well as their apparent inability to prevent it.
Dave (NYC)
Let's hope something happens now, although twenty years after I began working in the computer industry, I'm skeptical. What is not well-known is that Microsoft was widely recognized as the weak link in security decades ago, but their marketing dominance was such that they had no economic reason to change. No moral conviction had much influence. Regulators need to force Microsoft to become more responsible, but that will never happen here. If Europe takes a stand, it will ripple internationally. So, we have at least one option for change.
nathan (windblown)
One thing to understand is that, whether the culprit is a group of black hats or state sponsored, the nature of how the operating systems, WiFi, the cloud.... work is that there is a lot of money in play that can be used for these attacks. The fact is we will never achieve the nirvana of complete protection. This means that the operating systems must move quickly to issue patches (Microsoft had a patch out within 48 hours of being notified) and that both individuals and companies have a responsibility to make sure every day that their computer system, whether a single computer or ones connected by proxy, is updated.
An attack like this shows that computer administrators are not doing their job and making sure their systems are patched with the latest update. This attack would not have been successful if people took more responsibility for their own security and if administrators took more responsibility for their network's security.
Back in March, Microsoft was praised for how quickly they responded. Too bad we can't say the same about individuals and administrators that failed to install the patch.
Finally, anyone telling you their operating system, WiFi, smart phone usage is immune to being compromised is selling you a bottle of snake oil.
Louis Halvorsen (Portland, OR)
It often seems to be academics with tenure (I'm assuming that here) that seem to have the most interesting ideas of how a business has to work. Microsoft stopped investing in Win XP many years ago and put a lot of effort into explaining just what was going to happen over time to users that decided not to update. They provided support and free patches for years after they had moved on and then, with plenty of notice, finally stopped. You can't keep every version of all the software you have written up-to-date and certainly not for free - at least not in the real world of commercial software. All the organizations that are still using older software like XP have made conscious decisions knowing the risks and all have had many chances to re-evaluate those decisions. Microsoft even offered a plan to better protect those systems, with few takers. It is disingenuous for the writer to then expect a guarantee of instant free fixes for security issues that could never have been anticipated 10-15 years ago when the software was written. As for those aging diagnostic and treatment systems, if you don't connect them to the internet, they aren't going to get hacked and you can keep using them. Many of the people affected by this exploit were warned and made choices. Maybe in the future they will make better ones.
ed (NJ)
It's OK for companies to have to pay more if they insist on using obsolete software. The comparison with the car industry is educational. A typical car might cost $25,000, which includes the anticipated cost of future product recalls. (You might think recalls are free, but they're not.) What would the cost of Windows be if Microsoft were required to offer the equivalent of a free product recall for a Windows version that was released 15 years ago and became obsolete 8 years ago? The cost of such a requirement would put software out of reach for most consumers.
Tom Van Houten (West Newfield, ME)
Why is Microsoft not liable for these constant failures of its systems? If they were selling food that made everyone sick they would be. I understand that under ordinary circumstances one is not required to foresee criminal conduct by third parties, but one is so obligated when such conduct is foreseeable. They make a fortune selling a concept, i.e. that we all can be interconnected. When the working parts of that concept are so flawed that any joker can hack them, they have sold us damaged goods. Nothing would motivate them to be more careful than would a little liability.
PagCal (NH)
First, can we dispose of the idea that we can trust the government? If we had allowed a security backdoor, hackers would now have taken down everything - every cell phone, every computer, everything. Our electrical grid would now be switched off. Commerce would grind to a halt, including giant swaths of our economy such as medical.

Second, we must preserve net neutrality. Private companies must not 'own' the internet. The internet must be regulated much like any other vital utility.

Our own government has worked in other clever ways to weaken our security. They submit computer code to open source software packages to weaken them, and they've been caught a number of times. How can we forget the NSAKEY in Microsoft, or that they paid RSA Security Inc. to weaken their codes? The Linux community caught them red-handed weakening certain algorithms in the kernel. (There still is one in their random number generator, and certainly a number of others.)

There are bright spots. The Signal app allows end-to-end encryption of text and phone. But I'd like to see more. For example, chip-and-pin should spread to internet commerce (and gas station pumps). I should be able to purchase an off-the-rack PC with hardware data encryption. Microsoft should release a fully encrypted operating system to use same. Cloud storage should allow checkpointing, so that a PC can recover from ransomware.
Mimi (Baltimore, MD)
No company should have to support outdated software. It's not just Microsoft - the same held true for major hardware/software vendors fifty years ago. If a software vendor announces it is no longer supporting a version, then it is the user's responsibility to decide what to do about it. Organizations are notorious for failing to spend the money to maintain and update their software because doing so is preventative in nature and a return on investment is not visible, much less measurable. The same applies to government and individuals. The responsibility and liability is on the shoulders of the user. Changing this would be tantamount to ending the software development industry. This professor does not live in the real world of IT and software development.
KCF (Bangkok)
I disagree that the latest series of cyberattacks started with a software defect. Although there are a few that do start with this sort of issue, the vast majority of incidents are due to users not updating their software and/or opening an unknown email or hyperlink.

This sort of reasoning would hold a construction company responsible for home burglaries when the homeowner refused to lock their doors and windows.

Microsoft is a business, not a charity. Those businesses that refused to update their software were playing Russian roulette. Computers and data systems are a key component of almost every business and the only reason these critical systems weren't updated was so the business could spend the money elsewhere. They made a bad decision, their 'cyber-opponents' knew it and exploited their poor fiscal priorities.
paul (CA)
It has become clear that people have become so dependent on their computer systems and networks, that a real failure will lead to damage equal to that of a "real war" (e.g., destruction of the electric grid, rail systems, air traffic system, financial system, water system, etc). People will end up dying in large numbers.

Why do I have a sinking feeling that we will just wait for the worst to happen before anyone cares enough to do something? Could it be that profits matter more than nations or lives? The corporations want to get every dollar they can from these vulnerable systems. A terrible cyber war is probably factored into their financial model. Indeed, it would likely end up being a financial windfall since they will surely get a big infusion after the disaster loosens government wallets.
Menno Aartsen (Seattle, WA)
Enterprises and organizations do not back up and secure their systems and networks any more than motorists keep their tires pressurized. Finding the senior managers responsible for these activities, and in the case of a governmental organization like the NHS, the politicians and senior civil servants, is easy. Firing them will get the message across - contrary to belief, funds and knowledgeable staff are available in abundance, and updating systems and then testing them is not rocket science. Every space vehicle launched, every jet fighter, every airliner, goes through these processes continuously. It is taking jobs and pensions and stock options away from responsible managers that would see this issue go away overnight. Been there, done that, I can tell you from experience that nothing else works - especially with Microsoft involved, which is fully capable of making its code safe and secure. This isn't to be blamed on the NSA or on those not paying Microsoft for support, or on those not patching their boxes; if Microsoft's code can be hacked, Microsoft alone, Satya Nadella, is responsible. Want to run with that, Mr. Trump?
RK (Long Island, NY)
When I used to take computer courses back in the 1970s, one of my professors said, "There is no such thing as bug-free programming; only bugs that haven't been discovered." I think it is as true now as it was then.

Yes, companies should try to make bug-free software, provide updates, etc., but let's not give the culprits who take advantage of the defective software a free pass. Even when the updates are made available, there are many who don't update their system.

Each country going at it alone will not make much of a dent in preventing the sort of cyber crimes that are taking place today. There should be global agreement on making cyber-crimes of the kind that wreak havoc severely punishable, perhaps with life in prison, and strict enforcement of the laws.

Barring that, the Internet will remain lawless, with unsavory characters taking advantage of software vulnerabilities, regardless of how much effort is put into providing "fixes" and updates to buggy software.
Robert (Boston)
As per usual, just follow the money. The penalties for an *undisclosed* breach vary by state but once it is disclosed they are absolutely minimal. And, companies can hide behind the Secret Service, claiming that breaches they just disclosed, even though they actually occurred many months before a public notification, were under investigation and they were just deferring to law enforcement by not saying anything about them.

Additionally, most corporate CEO's refuse to spend the money sought by their IT Security staffs to upgrade, patch and secure critical infrastructure. While the perception is that hackers are geniuses the reality is that they are merely exploiting well-known (but unsecured) vulnerabilities. Nor will senior management invest in training their staffs about social engineering.

Bottom line: the monetary penalties are small and reputations have become a non-issue as Congress and state legislatures merely slap breached companies on the wrist with a wink and a nod. So, CEO's figure, why bother? If non-techie Americans understood the archaic state-of-the-art in corporate IT Security they'd be shocked.

Congress talks a great game and then does, literally, nothing to help protect American citizens from billions in losses every year and untold personal heartaches that go along with them. The big banks and other large corporations who contribute to their campaigns make sure that's exactly the case.
Surreptitious Bass (The Lower Depths)
The illusion of confidence...

Another set of problems is that computers, software, the Web, the infrastructure they are dependent on, the electrical grid, etc., were not designed from the ground up to function as an integrated whole. The parts have come together from many disparate sources over time. Even the phone lines and hardware at the hubs that this message is traveling over and being routed through may be 1960's technology in some place along the line.

Building in filtering and capture technology, air gap systems, bare metal restoration, "redundancy, redundancy, redundancy" (the three rules of data preservation)--none of these are secrets. It's the actual implementation on a grand scale and the logistics of doing so are where the problems lie.

Why is XP still used? Because the cost in time, money and labor of upgrading everything required, including rewriting custom and/or dedicated software to run on newer operating systems, is prohibitive to some individuals, businesses, govt. entities, institutions, etc.

I'm waiting for a major CME to render the whole business and everything that is dependent upon it, well you know... Then what will we do?
EF (Sydney, AU)
There are a lot of points raised above and one overarching theme is that software companies should be more responsible.
I respectfully disagree though because ultimately the concept of 'caveat emptor' holds true whether you like it or not. Let the buyer beware - consumers have to take responsibility for themselves.
Users of the vulnerable XP version have been warned many times and there are other open source alternatives available. If users cannot be bothered to protect themselves stepping in to force vendors to help will not solve the problem.
I suspect consumers will take this as a lesson and do what needs to be done or else suffer the consequences. Such is life!
John (Washington)
Windows XP? Sorry, I have no sympathy, nor do I for people using pirated operating systems. Windows 10 was offered as a free upgrade for people using current, legal systems and I told my entire family to take advantage of it when it was offered. Yes there were issues, some have been addressed in patches, but it has been worth it for the additional security. We also use a third party security suite. I haven’t had to deal with a breach since we were using XP. Bringing additional legal liability into the picture won’t solve the problem, it will just make everything more expensive, not unlike our medical delivery system.

One approach would be to use an FMEA, ideally built upon FMEAs developed for every previous operating system and the breaches that they had to deal with. It serves as a kind of knowledge base for current and future systems regarding failure modes. But it doesn't address the problem of people using outdated operating systems and pirated ones which don’t get upgrades. For those systems some sort of containment might be warranted, such as not providing access to the internet due to the risk to everyone else. This would provide the incentives to keep systems current, otherwise the internet is just a castle built upon sand.

As far as hackers go they should be treated as terrorists.
PAN (NC)
If an automaker issues a recall for their car - say for an air-bag defect - and the driver ignores the recall and is hurt by the flaw, whose fault is it?

Microsoft issues patches all the time and has made it easier to apply them. No excuse for the irresponsible operation of a PC these days.

If one is going to blame Microsoft for being the dominant player, then the Internet Protocol that is essentially the universal OS of the Internet should be criticized too for enabling the global spread of wealth and insecurity too. At this point features and usability are extremely good, so investment should now go towards more security.

Too bad our government does not advocate or support higher security - encryption, etc. - for the masses and industry. Instead it discovers vulnerabilities without notifying anyone - wouldn't it be in the national security interest to disclose these vulnerabilities so they could be fixed?
Phil (Maryland)
Expecting Microsoft to provide free patches for a 15 year old operating system is as unreasonable as expecting Chevrolet to provide free parts for a 15 year old car. Certainly, there is a reasonable period for this for legitimate defects (warranties) but 15 years is not it. That the author has decided arbitrarily that Microsoft has too much money and can thus, afford it, is not a sensible argument.

I have little sympathy for the NHS, who, when warned by the government years ago to either upgrade their systems or purchase a support contract from Microsoft, did neither. Until companies see IT infrastructure not just as one time purchases, but as a constantly evolving process, we will continue to witness the fallout of these types of attacks.
Joe (Raleigh, NC)
"For example, the more secure Windows 10 comes with so many privacy concerns.....[and] ... upgrades almost always bring unwanted features..."

From what I've read about upcoming versions of Windows, it will get worse.

Many of us would pay happily for OS's that were secure, simple, lasting, and compatible with those of others in business dealings. But no, we are dragged into using OS's with ever more frills that eat memory and processor resources, compromise our privacy, and represent nothing more than planned obsolescence.

My needs are for business, though I spend much time on the Net for personal interests. For a useful interface, Win XP was fine. I understand that security upgrades are necessary, and I am content with Win 7 as well. Win 8 and 10 represent nothing but "planned obsolescence" IMO. I got rid of Win 8 as soon as I could, out of necessity: Learning a totally inconvenient new interface in order to accomplish the same tasks made no sense at all. So I upgraded, but still everything is more complicated under Win 10 than under Win 7. And now, I read that Windows is moving toward something infinitely more complicated and resource-eating, for no apparent reason except change for the sake of change.

Meantime, the world gets crushed by a hacker who maybe couldn't have beaten a system that was committed to producing usefulness and security, rather than constantly inventing new bells and whistles and then creating a market for them.
Jerry (Tucson)
I recommend replacing Windows XP with a version of Linux, which is freely available and much more secure (because experts can examine it) and IPV6 (a way of using the Internet that is much more secure than the current IPV4). This will be extremely difficult and expensive, but it is a security solution that Internet experts have suggested for more than 20 years. I studied it in the mid-1990s as I worked on my MSc degree at Birkbeck College, University of London. Replacing the horribly insecure Windows XP (which was built upon MS-DOS, if you remember that) and IPV4 (which was designed while Internet users were still "trusted" to "do the right thing") isn't "rocket science," I believe. It's an example of organisations choosing to spend money at the spendthrift lack of security.
Paul (Austin, TX)
The issue that software running technical instrumentation can often not be updated is serious: Vendors don't see themselves obligated to provide new system software to equipment that is no longer sold. But such instruments may be used for 5-10 years, a long time in the software world. A solution: Require manufacturers that bid on purchases funded through government grants to provide current system software for the lifetime of the instrument.
Steve Fankuchen (Oakland, CA)
There really is no security or privacy on the internet. It is as simple as that. No "alternative fact." Any technology developed always has been and always will be used for both good and bad purposes, whether for war, blackmail, or other. The fundamental mistake is assuming the bad guys are not as smart as the good guys. And more motivated.

To prevent effects even more catastrophic than the current ransomware attacks, it is necessary to disconnect infrastructure and security functions from the internet. One need not imagine attacks on our air control network, our electric grid, or military communications. Just imagine consumer attacks: self-driving cars become common and are suddenly disabled; drones are hacked to crash into targets; you can't access any of your non-physical "money."

Attacks can only succeed to the extent there are available targets for a particular technology. Made clear in guerrilla wars, bombing will not subdue a dispersed enemy: good strategy "defeats" technology. As in 9/11. The technology hyped by corporations is, as with banks and weapons makers, merely an effort to make greater profit. Security on the internet is as real as the tooth fairy. As with Trump, lying is merely a part of doing business.

There is no free lunch. Whether you want to resist being hacked and sold by the Soothsayers of Silicon Valleys or want to resist America being destroyed from the top down, you will have to give up something, make sacrifices, do more than complain online.
KenG (Santa Barbara, CA)
First of all, a vulnerability is not a bug. Obviously, nobody wants to develop software that is vulnerable to exploits like this one, but that is not a bug, it is an imperfection. And imperfections are present in every product. There is no perfection.

While software can be modified indefinitely, it is still a product and one with a lifetime, the end of which it becomes obsolete and should not be used any more. But people and companies that buy software often want to use it as long as the hardware it runs on is still running. This is often a mistake, as sometimes old software should be abandoned, and replaced. Windows XP and even Windows 7 fall into this category.

Blaming Microsoft for not releasing updates is unfair (I am no fan of Microsoft, I don't like their products, and avoid buying them). GM does not continue to support old cars by manufacturing replacement parts, so even if you continue to drive a 50 year old Chevy, there's no guarantee you will still be able to get parts from GM. Just because they have money doesn't mean they should be obligated to update it until you decide to replace it.

The responsibility for preventing these attacks lies with the users, who should not rely on obsolete software for critical life-or-death systems.

There are errors in this opinion, but the blame and anger is misplaced. Computers and their software are not designed to last forever, and need to be removed from service before they become a danger to people.
Writer (Large metropolitan area abroad)
Excellent article. Having been hacked myself in the past, I've had a lot of conversations about the matter with various players in the field and one group of people consistently were not interested in security issues or the dangers of hacking: software designers. All they cared about was the instant gratification of their customers, the quicker the better. They were in general so clueless about the dangers of hacking it was mind-boggling. Not only that: they honestly didn't give a hoot about the issue, shrugged their shoulders.

This raises a question not directly addressed in this article: professional education. How come none of their instructors taught them the importance of secure software and secure internet practices?

There's a pervasive culture of negligence out there: it marks companies like Microsoft, when they make security dependent on fees, careless software designers, vendors, and, apparently, certain technical educational programs. Even the sales reps in large computer chain stores, the first person many non tech customers come into contact with, are often uninformed. Not to mention government actors, who should be more proactive in helping secure traffic on the global internet.
Just an Observation (Houston, Texas)
What about users and organizations, particularly in Eastern Europe and Asia who are using unlicensed, hacked versions of Microsoft software? Although the hospitals are the worst-case scenario, most of the users affected by this attack were using unlicensed -- and therefore unpatched -- software.

Our trade deficit would immediately evaporate if these dishonest actors were paying US companies for the products they've stolen. The brazen and ongoing theft of US intellectual property is part of the problem here -- and that isn't Microsoft's fault.

Don't blame US companies who are getting robbed six ways from Sunday for these vulnerabilities. If their intellectual property rights were respected, they would be much more likely to patch old software. As it is, they have to try and force people to pay to upgrade to new versions in order to protect their revenue.
Gooneybird (Mid-Atlantic)
I am an IT Forensic and Incident Response specialist. There are a couple of key reasons why this problem is very difficult to solve.
First. Nation States are a form of technology - invented constructs. If you don't believe me, look up "Westphalian State" in Wikipedia.
The problem is that the Internet is a non-compatible technology. It pretty much ignores borders. Big Internet companies routinely juggle the data stored on their servers, moving data across borders automatically without human intervention, or even awareness.
This makes legislation and law enforcement very difficult. These are tied to jurisdiction - i.e. The Nation State. Jurisdiction is just too inflexible a concept to keep up with cyber crimes. Treaties and legal cooperation agreements operate in time-frames of weeks and months. Hackers work in milliseconds.
Second, we do not teach people how to use computers. We teach them how they work and let them work out the rest themselves. The average user knows practically nothing about IT Security, and has little chance to find out. 25 years after the invention of the Web people still use weak passwords, don't change passwords, share passwords between sites, don't have anti-virus. Still don't patch their computers. They're still sitting ducks for the same attacks that worked 5, 10, 15 years ago.
So if you want to be safe online, learn a little IT security, and don't expect the Cops to come to your aid.
Servus (Europe)
Strange that the article did not mention Bitcoins.
It's simply not reasonable that there is a secure and anonymous financial channel between the criminal underground and the honest world.
Belgian and French terrorists used prepaid anonymous credit cards, the ransomware attack used virtual currency.
There is an EU effort to enhance traceability of these instruments but apparently nothing really happened apart from a suggestion to change the "anti corruption directive..."
The discussions about fixing software bugs, vulnerability disclosures, and building and testing secure software are as old as the software industry and not much can improve in even the medium term.

But closing the criminal financing channel can be done in a very short term.
red sox 9 (Manhattan, New York)
Regarding the recent ransom attacks around the world, Enough Is Enough!
Improving "security" is a nice idea (just like the idea of calling for "better policing" to prevent terror attacks by crazed religious zealots.) Instead, we need to first pass the appropriate legislation, then we need to apprehend, try (in special courts set up for hacking crimes) and convict some of the most egregious perpetrators (for instance, those who attacked the British hospitals).

Then we need to execute them... rapidly, and in public.

Oh please, Snowflakes of the world, don't tell me that this would not be nice! What they do is not nice.

These public executions would be noticed by perpetrators (both actual and potential) around the world, and would be effective in resetting their future evaluations of risk versus reward. Our current processes may be sweet and gentle, but they are totally ineffective in preventing these obnoxious crimes.
TMK (New York, NY)
Computer after computer did not freeze, most were ordered shut as a precautionary measure. Delays were due to controlled restarts and backups by IT departments. Everything is back to normal now, no lives were lost, the news has completely scrolled off the pages. In other words, the virus itself did little damage other than spread panic. Which, thanks to cyber reporters eager for attention (with the exception of Mr. Scott), and the U.K. election with the NHS as a key talking point, it did beautifully. This hot-air opinion by Ms. Tufekci is proof.

What hasn't been reported: the phishing email in question (haven't checked the cartoon pages, might be there), the actual number of genuine ransoms invoked, and separately, ransoms actually paid (trust me, very few).

The other problem is the bored office worker, working on outdated systems. Yes, the self-important, always mail-checking, busy double-clicker. Send a mail, any mail, and he'll happily click on every hyperlink, download every attachment, cheerfully type logon credentials on any page, then look importantly at their watch, declare morning hugely productive, and break for well-deserved lunch. Will everyone please stop looking at Podesta? I'm speaking.

That's it in a nutshell: organizations with outdated computers, clueless office workers, headline-searching reporters, talking to security companies with global maps and flashing red dots, and the icing on the cake: headless chickens running around shutting everything in sight. Bah.
W.A. Spitzer (Faywood)
There is much I do not understand about computers and the internet, but it seems to me that offering a patch to fix things has it backwards. Why is it not possible to have a program that automatically "captures" the source of any program deliberately or covertly inserted into your computer? The idea being that nothing could be added without also providing a permanent record of where it came from.
badger2013 (Madison, WI)
@W.A. Spitzer: What you're describing loosely fits the motivation behind the "User Access Control" feature that has been present in Microsoft operating systems since Windows Vista. It provides an extra layer of security by prompting users before software is installed, which helps prevent unwanted software from getting onto your computer. Of course, this doesn't catch everything, and some programs can certainly get around it.
Callum Tyler (Melbourne, Australia)
Already happens. Server logs are a big part of forensics.

But all internet connections are routed through several middlemen - hackers will set up their own middleman (or compromise someone else) and said middleman will purge all the records of the origin of the connection

It's like having the phone number for a criminal's disposable "burner" phone. It's useless.
tuttavia (connecticut)
fixing the lack of standards, such as the one you suggest, such as the one that has the threads on all light bulbs compatible, etc. required by regulation of all manufacturers, and the testing of same prior to approval (FDA style) would go a long way toward thwarting hackers, who are, now, solo, capable of launching world wide attacks, or, if you will, making war.
Pierce Randall (Atlanta, GA)
I'm happy with Linux, but people who are concerned with security might try a hypervisor like Qubes or Xen. You can run a Windows install inside them with relatively little overhead.
rochsann (Denver)
Thank you for your reasonable ideas for a solution. They make sense. I guess it will take customers to demand these types of solutions before they happen. I'm rethinking how much of my information I need online and adding two-step verification to the few sites where I don't yet have it. And update, update, update will be my mantra when it comes to security systems.
san
Color me old and cranky, but the UNIX operating system has been around since the beginning of time share systems (that is pre-internet speak) and still seems to be the gold standard for security. Windows was built to be a stand-alone desktop system and never really did anything to understand security. That said, Unix in its many flavors, never understood ease of use and user friendliness. No, Apple iOS is so far away from a true Unix OS that it doesn't really count any more. And here we are today.
Louis Halvorsen (Portland, OR)
Unix the gold standard for security? In what parallel universe? There isn't a secure version of Unix anywhere in this one. Back when I worked with Unix, the only question was how long it would take to crack into virtually any Unix system, not whether we could. Some of the crack jobs I saw were pitifully quick and easy, and that included the versions from Sun, HP and IBM. One driver for the creation of Linux was the virtually useless Unix security model that created such a verdant field to play in.
Fletcher Lokey (New Hampshire)
And here we are indeed
John (Miami, FL)
I am not clear what the lesson is from this article, make software companies liable for security issues that may pop up due to the inevitability of bugs in the product? Which by extension will make it exponentially more expensive to develop software, in addition to hampering innovation and release of new products, due to the fear of a lawsuit if someone "breaks in"... not to mention the added expense to major institutions such as the NHS. I have a feeling there's a reason they were still using Windows XP, i.e., the cost of an upgrade, and now you want to make this even more expensive? Holding a software company liable for these break-ins would be similar to holding a manufacturer of doors liable if a criminal decides to knock one of them down... NO, the answer is not more regulation of software companies, but rather a much more intense pursuit of the hackers responsible. This is a threat to National Security and needs to be treated as such by aggressively deploying cross-national resources to track down the criminal enterprises responsible...
on-line reader (Canada)
I keep expecting the U.S. government and military to break off and establish its own updated version of the internet which would include much more security that allows 'transactions' to be traced back to a specific source and include some sort of verifiable ID code for each user.

The internet today is doing far more than what the original designers envisioned in the late 80's or early 90's. So at least part of the solution probably is in redesigning the internet itself to include better security features.

Meanwhile countries--Russia--that seem to be generating a lot of nefarious activity ought to be sealed off from the rest of the internet until such time that they can assure the rest of the world that they have adequate law enforcement to catch and prosecute the offenders.
David (Auckland, NZ)
There is another option outlined in the article. That Windows should continue to support the security of older systems like Windows XP. A fee of $20-30 a year would cover the cost. The inability of Microsoft to provide an e-mail set-up that works for people, that they are used to working with rather than be forcibly transitioned to an inferior product is a symptom of the mafia-like practices of Microsoft in earlier times.

The answer may be some regulation of these software industry practises.
Jeff Hovis (Boston)
Actually yes, software needs to both be more expensive and more secure.

Networked computers are now such critical infrastructure (look at the NHS in Britain) that we cannot afford to pretend it is OK to deploy junk, buggy software everywhere in our society.

Sure, we should pursue hackers, but they will always be ahead, because this is a classical asymmetrical warfare issue. A few terrorists can do immense damage, and easily operate out of sight until the damage is done.

The software that is deployed throughout our society, throughout our economy, must be mandated to be more secure. And that will mean it costs more, and it takes a little longer for the next cool app to be deployed (we can wait). To not require the enhanced level of security is criminally insane, every bit as criminal as the hackers. It puts our entire society, economy and people's lives at risk.
Jack Farrow (Plymouth, MI)
Has nobody heard of Linux, the open-source operating system? There are only a few dozen people in the whole wide world who understand the entire inner workings of Windows from a source code perspective. In contrast, there are many thousands of people who understand the inner workings of Linux from a source code perspective. With Windows, when something like this ransomware happens, we have to wait until one of those few dozen people can figure it out. With Linux and thousands of people able to view and understand the source code, security vulnerabilities are found and fixed much quicker. Thousands of smart people will beat dozens of smart people every time! Also, Linux, using repositories, updates all installed software at the same time, not just the operating system. So if the security vulnerability is caused by something in an application, together with something in another application, essentially two bugs working together, they can both be fixed at once. Until Microsoft makes its source code public, problems like this will only get worse...
Morten Bo Johansen (Denmark)
Yes, Micro$oft Windows is a toy operating system. No sysadmin who is seriously concerned with security would ever even consider using it. My own country, Denmark, alas is a "Microsoft country" - Windows is used everywhere within companies and in the public sector (it is like a virus in itself) and so IT-specialists with Microsoft skills are hired as sysadmins and they will implement even more Microsoft solutions. It is a problem that should probably be addressed on a political level. Especially within the public sector there is a certain tendency to do things the way they have always been done, so the decision makers there need to taken by the scruff of the neck and forced to change.
me again (calif)
If they made it public, we would probably be surprised at what garbage it really is. GIGO.
Bill P. (Albany, CA)
The best contribution to the Times so far by this brilliant author. When, indeed, will legislation and regulatory agencies, NSA and whoever else, force oligopoly software companies also to protect individual citizens' security and privacy both in their design and marketing practices?
Robert (Seattle)
An excellent article on an "insufficiently managed risk." In just 20 years, the entire world has been computerized to a remarkable degree. With it, human capabilities have been expanded immeasurably, but some human characteristics haven't changed: the impulse to do damage just for the sake of damaging something, the impulse to steal from others, and the lack of a sense of social responsibility on the part of some people.

Hacking of this sort, even though it's said to be somewhat easier with use of the NSA tools, requires a very high degree of skill and intent to harm. We who use and depend on computers, and systems and infrastructure that are built on computerized platforms, deserve more protection. All hardware and software producers should back their products and seek to make them as secure as possible, and act quickly to correct identified weaknesses.

And since the crimes that hackers commit are so "highly leveraged," there should be very heavy penalties for those convicted of them.
Save the Farms (Illinois)
The car industry is a good example of a regulated business that is still free to innovate and compete.

Federal Motor Vehicle Safety standards sets design, safety, and durability requirements for vehicles. We don't have to replace mufflers as often because of these rules and parts are mandated to be made available for any new car sold for a period of 10 years. And of course recalls are fairly frequent.

The National Institute of Standards and Technology (NIST) comes the closest to laying out guidelines for how computers and networks should be managed. Given the importance of computers, networks, and the data they manage, it would not be a stretch to suggest that mimicking how the auto industry is regulated would be a reasonable approach - NIST could be a good starting point.

Very well-written article.
lloydmi (florida)
"The car industry is a good example of a regulated business that is still free to innovate and compete."

Smart people would be wise to disable any of the new whizbang software being marketed with new vehicles.

There were demos at Defcon where cars were hacked into so control was stolen from outside.
LS (Brooklyn)
Thanks for an informative, well written essay. It's about time that the right people start taking this seriously. Your essay is full of valuable and very reasonable/do-able ideas.
Perhaps we should also be thinking of down-playing NATO, which is focused on antique tank warfare, with an international organization to deal with these more realistic threats.
Bob Fankhauser (Portland, Or)
Among other issues, this is an argument for individuals having possession and control of their own medical information. It's certainly not a panacea and has its own risks, but decentralized information is generally less vulnerable. One potential problem is that medical institutions tend to be very possessive of what they often regard as "their" information - a bit like asking Google to share your profile with you.
Brad (Sunnyvale, CA)
I agree with Bob Fankhauser. Medical institutions should provide complete records to patients who supply appropriately sized USB drives. These records could be used when necessary. Easy upgrade of the information should also be made available.
Matt's Revenge (Los Angeles)
NSA withheld knowledge of the bug so they could use it. In a sense they should be totally responsible for all the damages caused by the hack. I don't see many news outlets covering this aspect of the hacking scandal. I also believe it is MSFT's responsibility to upgrade security on XP even though it is an old operating system. They don't have to enhance the experience of XP, just upgrade it with security patches.
Bill (Charlottesvill)
You are so right! I just played a PSA about gun safety on my radio show tonight, which ended with the admonition that the gun owner is responsible for anything that's done with their gun. This is just what the NSA did - let a digital gun of theirs slip out of their control and fall into the hands of criminals who then used it to commit crimes and could have possibly killed people with it. They should absolutely be held liable, and I hope they drown in lawsuits over this.
Duane Coyle (Wichita, Kansas)
Why in the world would anyone be running on Microsoft XP, or even Microsoft 7, versus Microsoft 10? Microsoft XP is no longer serviced by Microsoft. And why would you not have the PC set to add updates as they are available?

I agree with Snowden's statement that we can either have internet security for all or for none. When the NSA finds a weakness it is only a matter of time before someone else discovers the same weakness. And when the NSA leaves the how-to manual sitting out in the open, well, that is really getting our money's worth as taxpayers, right? Mayhem, brought to you by the U.S. Government.
Chubrich (San Francisco)
We've gotten very used to regulating the design of airplanes and cars for safety. Why don't we do this for computing? It would seem to be long overdue.

Here's an article from this newspaper on efforts to re-design computing with security in mind. It would be interesting to hear how these efforts are doing five years later.

http://www.nytimes.com/2012/10/30/science/rethinking-the-computer-at-80....
Peter (Culver City, CA)
There is an interesting NSF funded program called "Deep Specification" https://deepspec.org/main

The purpose as stated on their main page is "We focus on the specification and verification of full functional correctness of software and hardware."

After spending some time glancing at some of their published papers, I get the sense this is the beginning of a long journey to a world of robust hardware and software.
grandinetti.1 (Columbus, OH)
The Apple business model where users buy hardware and all future OS updates are free is the tried and proven path forward.
AJ (Wisconsin)
Try to find a security update for a circa 2000 iMac. Supporting software into perpetuity is not feasible even for massive, cash-rich companies like Apple.
Brich (Phil)
No reason to be using a circa 2000 iMac these days.
Jxnatti (NY, NY)
Sorry, no. Not everyone is a clone.
TheUglyTruth (Virginia Beach)
This will never be fixed because one party doesn't want it to be. They relish the chaos it creates, will use it to their advantage, and will play it to their constituents as "the other" that is against them, even while allowing it to happen, perhaps even participating in it.

If you want proof of that, just look at the way Mitch McConnell and his Republican comrades are trying to play down Russian hacking to try to influence the US election. Any truly patriotic American would want this investigated enough to prevent it from ever happening again. But to them, despite all the evidence and conclusions from more than 20 security agencies, it's not a big deal.

It's as simple as that. One party wants to protect the country from this issue, and the other party doesn't care about their country as long as they maintain power.
Ray (Texas)
Given the fact that the malware was released during the Obama regime, your premise doesn't hold water.
Dimitri (Sydney)
True, except that people themselves make the mess. And some smart ones gave up on idiots and prefer to make money rather than help.
jd (San Francisco)
Networks can be made more secure but it is expensive and inconvenient. Some way needs to be found to balance the financial disincentives to strong security or the interconnected world we currently live in will end and we will go back to isolated private networks.
Simon Sez (Maryland)
Most of the hacking is done on Windows systems.

Mac is much less vulnerable.

Computers that are either not connected to the internet or whose users are careful about falling victim to phishing and other malware practices are even safer.

Of course, the safest is good, old paper which I love but to many is old fashioned.

Caveat emptor.
Bhaskar (Dallas, TX)
Why don't we do more to stop it?
The answer is within us and starts right here with the NSA.
I am not asking them to stop developing these technologies. But if they respected citizens' privacy and rights, these would not have been leaked to the world in the first place.
jp (MI)
"But if they respected citizens' privacy and rights, these would not have been leaked to the world in the first place."

If they developed these tools, did not apply them then the hackers would have said "Geeee, these are nice blokes, let's leave them alone".
I doubt it.
Wolff (Arizona)
In the best of all possible worlds, all worlds are possible. The world is going to get hacked, no doubt about that. The question is, is there an idea of enforceability of an "unhackable digital world" that can be enforced by government or corporate authorities?
Cybersecurity CISSP Certification: 377440.
Bob Berman (West Hills, Los Angeles, CA)
Hasn't software for our military been explored using unique programming languages & operating systems that maximize security and minimize bugs?

Alternatively, why can't it be mandatory for software to be checked for security vulnerabilities by certified software security companies? Or there could be the equivalent to Underwriters Lab certification for operating systems and apps.

Apple checks every app intended for its App Store before allowing it to be available there -- I don't know what Apple checks for, but such an approach could allow for security checking also.
Dave (Massachusetts)
"While it is inevitable that software will have bugs" is a self-fulfilling prophecy. Software defects are the result of sloppy development practices, the business philosophy that time-to-market is more important than reliability, and customers misled into believing that such defects are unavoidable.

Want defect-free software? Stop purchasing software with known-but-uncorrected defects. Software providers will then get the message.
Allen Nikora (Los Angeles)
Dave,

You make good points. One of the issues you don't mention, though, is that humans are inherently inclined to make errors that show up as software defects. I've been doing research into software reliability for nearly 30 years, and the best we're able to do as far as figuring out how many defects of what type are going to remain in an operational software system is to provide estimates with statistical models. In other words, there will always be a non-zero probability that a residual defect triggers this kind of failure. We're working as hard as we can to solve this problem, but we don't see a general solution at this time.
Gravesender (Brooklyn)
I've been in the computer business as a developer and lately as a network administrator for nearly 40 years. Over that time I've noticed a decline in quality and general engineering professionalism in the industry, particularly over the last ten years or so. Being an administrator is no longer any fun at all. I find I spend so much time dealing with broken software that I have little time to make things better for my users.
Tony (Melbourne)
Hi Dave, what software do you recommend that is bug-free? Without meaning to be cynical, tell the developers of said software, and I think they will give you a pitying smile.