
Topic: NHS hit by ransomware!  (Read 21367 times)

sevenlayermuddle

Re: NHS hit by ransomware!
« Reply #45 on: May 15, 2017, 04:59:14 PM »

It's interesting how the blame game is being played.  Govt blame NHS incompetence, NHS blame govt cuts.  The perpetrators of the attack are being blamed of course, but so are the NSA for knowing about the bug and not reporting it.

Yet no blame at all seems to be attributed to Microsoft, who published the buggy SMB software.   I recognise that all software has bugs and vulnerabilities.  I spent my working life writing commercial software, and was responsible for my share of bugs.   But when one of my bugs surfaced I was generally expected to accept responsibility for it, I'd never have got away with blaming the customers who were affected by it, or blaming the testers who found it.

Ronski

Re: NHS hit by ransomware!
« Reply #46 on: May 15, 2017, 07:21:45 PM »

Hasn't it already been noted in this thread that MS released a patch in March for supported operating systems? Hardly MS's fault if people haven't updated their systems or are using systems no longer supported.
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

sevenlayermuddle

Re: NHS hit by ransomware!
« Reply #47 on: May 15, 2017, 08:35:49 PM »

Ronski, I disagree, bugs don't just magically appear as a result of an OS being old, the bugs are there because they were there all along.

I'm not suggesting there should be a witch hunt to find the individual who wrote the bug or a public flogging. I'm merely pointing out that there should be better public awareness... The bug was not a result of failure to update, or failure to install AV, or by a rogue employee at NSA, it was solely a result of a mistake made by a Microsoft employee some time in the past. 

Where I do think Microsoft might benefit from a flogging is the vicious circle of OS releases that need new hardware.  That is the reason many of us still run XP. We have perfectly good hardware that runs XP, but Microsoft don't offer any supported OS that will run on that hardware.  My machine is less than nine years old, yet Microsoft seem to think I'd have been happy to throw it in the bin after 3 or 4 years.   The closest comparison, Apple, are much much better... mac hardware that is 6,7 years old or more is often fully supported with new versions of OS X, hence a lot fewer people hanging on to old versions.


Ronski

Re: NHS hit by ransomware!
« Reply #48 on: May 15, 2017, 08:51:57 PM »

Yes they were there all along, but my point is thus:

Quote from: sevenlayermuddle
But when one of my bugs surfaced I was generally expected to accept responsibility for it, I'd never have got away with blaming the customers who were affected by it, or blaming the testers who found it.

MS released a patch in March, that to me sounds like they accepted responsibility for it. If you released a patch for one of your bugs and two months later a customer phoned up complaining it hadn't been fixed because they hadn't installed the update what would you tell them????

Yes MS are responsible for the bug in the first place, but they can hardly be responsible for people not installing the update, or running out of date Operating systems such as XP. Windows 7 will run fine on 10 year old hardware and that's still in support, but hey we're getting off topic there.
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

sevenlayermuddle

Re: NHS hit by ransomware!
« Reply #49 on: May 15, 2017, 09:13:11 PM »

Quote from: Ronski
If you released a patch for one of your bugs and two months later a customer phoned up complaining it hadn't been fixed because they hadn't installed the update what would you tell them????


In my day, we'd have apologised in the first place, when the need arose to issue a patch.  We'd have apologised for the bug, and for the inconvenience involved in fixing it.  Nowadays, vendors seem to think their bugs, fixed in 'updates', are something to boast about.

If the product was out of warranty and we were unable to patch, we'd have explained that and apologised even more profusely.   The customer would have to accept that, having no legal remedy, embarrassing as it were for all concerned.   We'd hope he'd understand, and remain a customer, and usually he would.  But we'd never have suggested the bug was his own fault.

c6em

Re: NHS hit by ransomware!
« Reply #50 on: May 15, 2017, 09:16:36 PM »

It's all very well sitting there saying this to "just upgrade"
But it ain't that easy in real life.

Someone has an £k film scanner with only XP driver available for it.
Do you tell them contemptuously to shut up, get win 7/10 and pay another £xK for a new film scanner?

How about an NHS WinXP machine running proprietary bespoke written software interfacing via IE6 with an £xx million MRI scanner?
How many nurses shall we sack and how many drugs shall we not buy - just to upgrade a sodding computer and having to buy another MRI scanner on top.

Not so easy now?

sevenlayermuddle

Re: NHS hit by ransomware!
« Reply #51 on: May 15, 2017, 09:37:54 PM »

Another issue, similar to c6em's comments, arose towards the end of my career.

We'd ship hardware & drivers to customers, who built products that needed expensive and exhaustive conformance testing  in 3rd party labs, before they could deploy it and start earning money.   Even the most minor change required scrutiny and cost from the conformance labs.   Moving to a new version of Windows would not be a minor change, so would likely need complete testing all over again, at huge cost...

Ronski

Re: NHS hit by ransomware!
« Reply #52 on: May 15, 2017, 10:09:36 PM »

I'm completely aware of those issues c6em, my reply about installing W7 was directed to 7LM's comment about his XP system.

Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

petef

Re: NHS hit by ransomware!
« Reply #53 on: May 15, 2017, 10:15:46 PM »

I quoted Telefónica earlier who said that the original vector was phishing. Since then I have read articles by Kaspersky and F-Secure which are of the opinion that the exploit spread by SMB alone.

sevenlayermuddle

Re: NHS hit by ransomware!
« Reply #54 on: May 15, 2017, 10:23:53 PM »

Quote from: Ronski
I'm completely aware of those issues c6em, my reply about installing W7 was directed to 7LM's comment about his XP system.

Ok, addressing that suggestion...

Would the W7 upgrade/downgrade be free, as it would with Apple, and as it would with most consumer versions of Linux?

And if it caused problems, or I just didn't like it, would the licence for previous OS remain valid, as it would with the comparisons above?

Genuinely interested in the answers, if 'Yes' I may well give it a go. :)

Ronski

Re: NHS hit by ransomware!
« Reply #55 on: May 15, 2017, 10:38:45 PM »

You can buy Windows 7, no it's not free, but can be found quite cheap. If you'd bought an upgrade from XP to 7, no you couldn't go back to XP, but you could if you'd bought a retail version of 7, you would also have been able to move that retail version to new hardware free of charge. I don't think you can activate XP now, but I suppose if you imaged your XP installation you would not have to worry about that. If you have a spare hard drive you could install 7 FOC for 30 days before having to activate it, and see how it goes.

With Apple you pay a vast premium in the first place, so don't get me going on Apple, they beat manufacturers down to the bare minimum price and charge end users the absolute maximum, which unfortunately has led to the likes of MS doing the same with hardware, as is Samsung. The only thing I ever wished I'd bought of Apple's was their shares a long time ago.

Linux is well Linux, and like you say free, can't beat that so why did those hardware manufacturers not use Linux for their scanners???

Anyway I'm off to bed.
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

sevenlayermuddle

Re: NHS hit by ransomware!
« Reply #56 on: May 15, 2017, 11:07:32 PM »

Quote from: petef
I quoted Telefónica earlier who said that the original vector was phishing. Since then I have read articles by Kaspersky and F-Secure which are of the opinion that the exploit spread by SMB alone.

It seems to me, the 'spread by SMB' factor is the scariest thing about this whole issue.   If I understand right, just by connecting to a LAN to which an infected machine also connects, a vulnerable device can get infected?    :o

Example scenario:  Most of us will connect to a Hotel's guest WiFi without much thought, but I wonder how many hotel networks enforce isolation between clients..?  And how could we tell?


petef

Re: NHS hit by ransomware!
« Reply #57 on: May 16, 2017, 12:54:03 AM »

Quote from: Ronski
With Apple you pay a vast premium in the first place, so don't get me going on Apple, they beat manufacturers down to the bare minimum price and charge end users the absolute maximum, which unfortunately has led to the likes of MS doing the same with hardware, as is Samsung.

IMHO Apple do charge a premium for iPhone but not so much for MacBooks. The latter compare favourably with a Windows PC if you look at like with like on such matters as case, display and SSD. Which? often picks Macs as best buys in laptops.

I am typing this on a 2008 MacBook Pro. In 2013 I paid £14 to upgrade to Snow Leopard but since then OS upgrades have been free. In fairness I believe that Windows 10 is now eligible for perpetual updates.

petef

Re: NHS hit by ransomware!
« Reply #58 on: May 16, 2017, 01:09:17 AM »

Sophos have egg on their face. Shortly before the NHS meltdown they proclaimed that the "NHS is totally protected with Sophos". After the attack took hold that became "Sophos understands the security needs of the NHS".

In mitigation Sophos do provide products that proactively protected. NHS budgets do not stretch to those.

https://www.theregister.co.uk/2017/05/15/sophos_nhs/

Chrysalis

Re: NHS hit by ransomware!
« Reply #59 on: May 16, 2017, 05:45:02 AM »

SMB should have been retired a decade ago, it's insecure in its design.  But Microsoft prefer to just apply bandaids.

« Last Edit: May 16, 2017, 11:28:49 AM by Chrysalis »