back to article WannaCrypt: Pwnage is a fact of life but cleanup could and should be way easier

WannaCry is Microsoft's fault. Microsoft, of course, blames the victims and system administrators get fired. But every one of us is to blame because we refuse to force our governments to hold software-makers to account. Criminals are here to stay. Anyone who thinks they will somehow be defeated, go away or simply give up is …

  1. Dan 55 Silver badge
    Meh

    Shame on you... above all for not doing what Microsoft told you to do when you were told to do it.

    So how did IE6/ActiveX/COM stuff wedded to XP happen, by people not listening to MS?

    And if people listened to MS, the next greatest thing to replace that was .Net, and the next greatest thing after that was Silverlight, and the next greatest thing UWP which now turns out to be at death's door because Windows 10 Mobile has been forked from Windows 10 desktop and therefore not universal any more as it's a fork and the hardware side is practically dead.

    The problem is listening to MS. Once you've got on the treadmill you can't jump off without falling down and smacking yourself in the face.

    1. Infernoz Bronze badge
      Holmes

      Mostly prefer an OS as only a platform with abstracted access to proprietary resources.

      Most software should rejecting direct use of proprietary OS frameworks, instead via bridging/isolation layers, like OS portable OSS API implementations, to make applications OS portable i.e. not dot-Net (incomplete library portability). You can then upgrade OS, or even migrate to a different OS, with minimal work. Microsoft will hate this, but it's their fault for repeated stupid 'business friendly' hacks to try and lock people in, Active-X being the absolute worst, and their Java abuse could have become far worse if they hadn't been sued by Sun!

      There should also be wariness about using application software which has limited OS portability, or significant migration costs, like Microsoft Office, including any software dependent on these applications e.g. VBA and Excel specific scripting.

      Java and other genuinely OS portable, intermediary-code-compiled/fast-interpreted languages, and OS portable frameworks/libraries (e.g. GUI, Graphics, Filesystems, Networking, Crypto etc.), are what most applications should be using to break this lock-in to transient proprietary APIs. Some people may not like proper portable languages like Java, because they are stuck in a stagnant C and C++ dogmatic 'simplicity' delusion, or are dangerous amateurs reliant on retarded VB or VBA; but they do offer far better portability between OS's and OS versions.

      Java (and other JVM languages like Kotlin) also has some portability to Android, which further extends it's appeal.

      1. Anonymous Coward
        Anonymous Coward

        Re: Mostly prefer an OS as only a platform with abstracted access to proprietary resources.

        Thank god Java is a secure, well trusted piece of software.

    2. Mark 85 Silver badge

      Re: Shame on you...

      What the hell did we expect? MS basically via open handed marketing and underhanded tricks (I'm thinking of CorelDraw here) owns the OS market. They can now do whatever the hell they want such as force feeding Win10, any updates they feel like etc. There's really no options for Joe User or Joe Company as PC's all come packaged with the beast. Linux just hasn't got there yet... MS's marketing methods pretty much ensure that Linux won't be the OS from the maker.

  2. CAPS LOCK Silver badge

    Throw the monkey from your back people. It CAN be done...

    ... and when you have DON'T let it climb back on, I'm looking at you Munich....

    1. Detective Emil
      Unhappy

      Re: Throw the monkey from your back people. It CAN be done...

      Munich? On thin and melting ice. I can't find any English coverage of the outcome of the February vote mentioned in the article, but here's a long piece in German. Or Google Translate.

  3. John Smith 19 Gold badge
    Unhappy

    This will happen again.

    And again

    And again.

    MS are institutionally incapable of writing a secure OS and they have spent a long time convincing lots of PHB's (who actually knowledgeable people have to work for) that MS is The Way, The Truth and The Light.

    But they should have gingered up the suppliers (as in the astringent root, not the hair colour) to upgrade their SW.

    1. LittleTyke

      Re: This will happen again.

      Is this where we are urged to use Linux instead of Windows? Of course, Linux systems ~never~ get hacked, do they? What about an Apple Mac, perhaps? My nephew just forked out 2,000 euros for a new Mac laptop. Way ta go! Much more secure than cheap old Windows! Let's all buy Macs. They're like raincoats... Completely virus-proof.

      1. itzman

        Re: This will happen again.

        At least with linux you can apply what patches you need, and are not forced to take anything you don't need.

        1. handleoclast

          Re: At least with linux

          That's the tip of the iceberg.

          With Linux you can, if you have the requisite skills, create your own patches and add your own functionality. Not many people can do this, but because it can be done by some people, the whole ecosystem is more responsive to consumer needs/desires. Not perfect, just a little better.

          So Gnome eats the Windows 8 dogshit and comes up with Gnome 3 that is worse even than Win 8? Try Cinnamon. Still only marginally better? Try Mate. Still not happy? Roll your own, or persuade somebody to roll it for you.

          With Microsoft it's a case of be happy with what you have forced upon you.

          1. Doctor Syntax Silver badge

            Re: At least with linux

            "Still not happy? Roll your own, or persuade somebody to roll it for you."

            They did. It's called KDE.

      2. Pascal Monett Silver badge

        @LittleTyke

        Would you care to provide a list of Linux servers and PCs that have been hacked; pwned and encrypted from their users/owners ?

        Do you really think that list is, in any way, going to even approach just 0.01% of Windows PCs that have been zombified ?

        Compared to Windows -any version- Linux is fucking Alcatraz. Deal with it.

        1. Anonymous Coward
          Anonymous Coward

          Re: @Pascal Monett

          Well, currently, any Linux box running Samba 3.5 or later (~2010) that hasn't been patched this week is vulnerable to hijacking.

          And there there are around 100,000 of them with Samba ports open on the web.

          This will also affect those nice, Linux NAS devices and home routers running Linux and offering NAS functionality as well.

          How many have been hacked? I don't know, but it has the potential to equal Wannacry.

          No system is perfect and they all need regular patching.

          Busy checking and patching our Linux boxes at the moment. No patches available yet for our NAS devices...

          1. Glenn 6

            Re: @Pascal Monett

            And this is why I HATE using pre-canned appliances that I cannot control the back-ends to - such as your NAS box. My box LOVES boxed kit like NAS boxes, rather than me building a Samba server which I can 100% control the back-end of. In his mind, they're more cost-effective because it saves time and money by not having me do as much. But then his beloved out-of-box kit suddenly decides they are either going to "end of life" support for that model (no more patches), or drag their heals on patches - leaving us vulnerable. Now he has to spend a ton of money buying a newer NAS box, and a ton more of money having me do the painful data migration between old and new. So much for that cost savings huh?

          2. Anonymous Coward
            Anonymous Coward

            Re: @Pascal Monett

            Well, currently, any Linux box running Samba 3.5 or later (~2010) that hasn't been patched this week is vulnerable to hijacking.

            And there there are around 100,000 of them with Samba ports open on the web.

            That's rather weird, actually. For a start, most home users tend to be behind a NAT setup (pretty much a default for domestic Internet connections) and secondly, Samba is not a default service, you have to add it.

            I have no reason to doubt your figures, but if they are correct it suggests the Samba runtime defaults must be improved by, for instance, limiting service to the directly attached LAN rather than offering it WAN wide (which, tbh, I though it was but I haven't had a need for Samba for quite some time so I may have that wrong).

        2. P. Lee Silver badge

          Re: @LittleTyke

          While I love oss, the article is correct about malware being inevitable for all os types. Where nix gains is its diversity. That forces loose coupling between components, which means fewer breakages during updates.

          Now, who thinks AWS APIs are going to be stable for 13 years? With cloud you don't get to run that custom application on a dedicated pic in the corner. Once the vendor isn't interested, your application dies with the next API change.

          Especially if you are a small business, build that application rewrite cost into your plan. Elastic compute and storage may sound cool, but most businesses don't have rapidly changing requirements. Glacier may be cheap, but I'll bet they aren't using commvault so are you sure you need to?

          Keep it simple and put some common sense into whether you consolidate or preprovision.

        3. mistersaxon

          Re: @LittleTyke

          Not to derail your main point any further but all those IoT devices that are pwned into botnets are, by and large, Linux. Sure the /desktop/ OS isn't a huge attack vector (vector, note, rather than surface - crooks aren't interested in the knowledgeable ans skilled users that tend to drift to Linux) but the IoT is MASSIVE and growing.

          Remember, security through obscurity (Linux and to a lesser extent MacOS) is no security at all. You need a proactive and responsive developer community for your apps and OS. OSS helps and governments caching zero-days doesn't. So far Apple have shown themselves to have a high level of integrity (so far as anyone can tell, of course) and responsiveness that's on a par with Linux, plus the additional effort they spend on weeding their walled garden. If you can't stand the garden then you takes your chances with thistles or worse: it's your choice as an individual. With Windows you have a box full of triffids growing in the lounge of course but MS told you it was a swiss-cheese plant so that's OK.

          Neither Linux nor MacOS is really set up to provide the CONTROL that your boss wants over you - only Windows has that obsessive level of micro-management and that's the real reason it's succeeded. Oh Novell, where are you when we need you?

      3. Anonymous Coward
        Anonymous Coward

        Re: This will happen again.

        @LittleTyke

        What about an Apple Mac, perhaps? My nephew just forked out 2,000 euros for a new Mac laptop. Way ta go! Much more secure than cheap old Windows! Let's all buy Macs. They're like raincoats... Completely virus-proof.

        They are LESS prone to infection (especially the drive-by infection risk is all but absent), but like any system it still depends on users not installing things from questionable sources. As for the €2000, start adding software to that. A bare Windows laptop is not a terribly useful piece of kit, a bare Macbook is. On top of that, most of the software for Macs is *substantially* cheaper than that for Windows, and in that I include significant upgrades to the OS itself. Add to that the substantial time savings made by the macos usability and reliability of the platform itself, the little downtime for patching (to the point that it doesn't need a dedicated day in the week to ensure you still get something done and it's suddenly not that expensive anymore (caveat: not for home users who consider their own time of no value, of course).

        In addition, if you set up a boot password and Filevault, theft becomes pretty much pointless as reformatting becomes impossible. Call it a fringe benefit, although some will complain about it not being upgradeable (something I stopped considering more than a decade ago, but needs differ).

      4. Doctor Syntax Silver badge

        Re: This will happen again.

        @LittleTyke

        Nothing's perfect. You're going to have to work on constructing the best system to fit your requirements. But why start with the least secure platform you can find? That's just plain daft.

        And why set up a monoculture? Make different parts run on different platforms. It makes it harder to support? Well it also makes it a damn sight harder to attack and if you get attacked then you might find that your supposed ease of support was illusory.

        Big Tyke.

      5. Anonymous Coward
        Anonymous Coward

        Re: This will happen again.

        [apologies for late arrival; although a regular reader of TP's stuff, I missed this one till an occasional visit to Ross Anderson sent me here from

        https://www.lightbluetouchpaper.org/2017/06/01/when-safety-and-security-become-one/

        ]

        "Is this where we are urged to use Linux instead of Windows?"

        I don't know about that, but it might be a bloody good place for people to start thinking (maybe even thinking again, for some people) about building stuff that is based on open and non-proprietary standards and interfaces (APIs, protocols, whatever) rather than today's default proprietary implementations such as Win32, x86, whatever. The ability to change implementation platform without too much hassle does have some value, though it's hard to put it on a PHB's spreadsheet.

        If telephone networks had to be built on implementations rather than on standards, like computer systems allegedly have to be built on implementations rather than standards, telephones would still be in the age of dialup, and companies like TalkTalk and Freeserve would never have existed (hmmmm). Try the same line of thought with electricity supply. It's not pretty is it.

        Plenty of similar examples, e.g. cars in recent decades have been built around standardised interfaces not standard implementations, though we seem to be going backwards somewhat in the last few years in that respect.

        There have been lots of these various non-proprietary technology standards around for many decades, and until there was a de facto OS monopoly in the IT Manager's heads, it was reasonably possible to write quite complex code (not just "hello world") and build quite complex systems that could relatively simply be moved from one platform to another, so long as the relevant standards, interfaces and protocols were available (and behaved largely the same way).

        The world of popular RFCs is one such example. As might be (for example) a dusty deck of FORTRAN code. FORTRAN is FORTRAN, right?

        POSIX attempted to formalise this concept somewhat, as did Open Systems Interconnection (wow, a networking abstraction that accepts that there is more to the world than USASCII and two potential byte orderings for integers, and that standardised interfaces to multiple authentication mechanisms might one day be useful, what a set of concepts).

        The successful examples above are *engineering* examples. But IT isn't engineering. IT has somehow become a fashion-driven industry, and in particular a fashion industry where not just one size fits all, but one brand fits all too, courtesy of the PHBs in the IT Manglers office, with their spreadsheet-driven MS monoculture.

        Wise people, even those without MBAs, knew there'd be a price to pay sooner or later. And here we are, just as the wise people predicted, lots of innocent people are paying the price of "shiny but defective". Some people are paying a very big price.

    2. Anonymous Coward
      Anonymous Coward

      Re: This will happen again.

      I really need to start putting a counter on my reuse of my own comments, but my fear is that I'd feel compelled to keep it up to date, and I have other, more useful things to do (the re-use already was an effort to cut down on having to repeat myself :) ).

      I've had to suffer the rubbish emanating from Redmond since MSDOS 2.1 or thereabouts and saw in the process both Borland and IBM demonstrate that it all could be so much better - but their main failure was to be too honest (yes, even IBM).

      With Gates at the wheel, Microsoft bought, bullied and bullshitted its way to the top. Not only did it do so with every legal, illegal, immoral and deceptive trick in the book in a manner that made the Church of Scientology look like rank amateurs, it actually rewrote that book. That aggregated playbook was then later studied and implemented at Google HQ too (hence the "Do no evil" BS that a surprising amount of otherwise intelligent people fell for), but as innovation goes, Microsoft's has never been in technology.

      It was in selling bullshit.

    3. Glenn 6

      Re: This will happen again.

      The computer-illiterates (which, in 2017, I'm STUNNED still exist same as they did in the 90's!), only know Windows or Apple. They've been indoctrinated starting as children right from their own schools. When have you ever heard of a Linux-based computer lab at any school? There's no encouragement to write actual good software for Linux when so many people are on Windows, because people were all raised on Windows that's what the market uses.

      Don't ask me how to change that - I think we're stuck. I'm also not entirely convinced that these security and malware problems won't hit Linux just as hard if they held 98% of the market share.

  4. malle-herbert Silver badge
    Trollface

    An entire article blaming Microsoft...

    And not ONE mention of the fact that there are certain three-letter agencies hoarding vulnerabilities for their own nefarious purposes...

    Now I am NOT a Microsoft fanboy... but they DID put a patch out there for a long-obsolete OS...

    1. Anonymous Coward
      Anonymous Coward

      Re: An entire article blaming Microsoft...

      An entire article blaming Microsoft and not ONE mention of the fact that there are certain three-letter agencies hoarding vulnerabilities for their own nefarious purposes...

      .. who wouldn't have that ability if it wasn't for Microsoft..

      Now I am NOT a Microsoft fanboy... but they DID put a patch out there for a long-obsolete OS...

      .. because developers were otherwise certain to avoid said OS for whatever equipment they would create next. That's the problem with OEM use in equipment: the OS ends up a bit like firmware, and if you want to know how often firmware gets updates you just need to ask people how often they update the BIOS on their PC motherboards. I reckon the conclusion of such a survey would be "pretty close to never".

    2. Doctor Syntax Silver badge

      Re: An entire article blaming Microsoft...

      "but they DID put a patch out there for a long-obsolete OS..."

      AFAICS this was a belated recognition that they had no excuse for leaving an error like that unatched for so long.

  5. LDS Silver badge

    Software properly written for Windows 2000 would work on 7 and later without issue.

    It was the developers who stubbornly didn't accept 3.x/9x bad habits were no longer acceptable that created the mess - only drivers are a different issue.

    Often, Windows does too much to allow old, bad-written applications to work. Just read the "Old New Thing" blog to have a glimpse of how far it goes because some large "Fortune 500" customer has bad software that can't be rewritten.

    One issue is that many people don't like to learn - especially to learn continuously. I've seen too many refusing to understand the way they wrote software was outdated, and not secure - and there are probably many inside MS as well.

    Many documented APIs are not used because developers don't known about them and prefer to hardcode paths or the like.

    MS has its faults, but many lazy developers abused and misuses Windows, and the result is what we have now.

    And it's not related to Windows only. I've see just yesterday a blog post, from a known developer tools maker, about how to daemonize a process in Linux. It just forked - the writer had no idea about how to make a process a proper daemon, nor under System V, nor under systemd.

    Ignorant developers write bad code - under any operating system, and there's nothing the OS can do to stop them.

    1. fajensen Silver badge

      Re: Software properly written for Windows 2000 would work on 7 and later without issue.

      Many documented APIs are not used because developers don't known about them and prefer to hardcode paths or the like.

      ... and many old, crufty, should-have-died-years-ago like COM or OLE MUST still be used to perform tasks when using the very latest shiny-shiny MS development tools.

      It is one thing to keep some old crap around for other old crap depending on it to use, it is quite another to force the ongoing and continued use of the old crap because the new shiny-shiny API does not provide the full functionality!

      In my case I did a C# script to collect some production data from a database and produce PowerPoint slides with it, I am probably a bad programmer too, but, I was quite surprised that one had to dig into 1990's API's JUST to fill in some odd bits that somehow was not available from C# but needed (No, I can't remember exactly, it's 4 years ago). It took two or three OLE calls to get the game going.

      Which means that MS has no clean way of retiring the old crap. In a "clean" system, one could remove the legacy stuff (like one at least can do in windows with some of the services and protocols).

    2. PickledAardvark

      Re: Software properly written for Windows 2000 would work on 7 and later without issue.

      Things really were supposed to change when Windows 2000 was launched. There was a badge programme for Windows 2000 Certified Applications, those which ran with standard privileges and wrote their data to the right places (%appdata%, %homepath%, HKCU), but developers didn't follow it.

      Win2K had very little application compatibility bolted on. A Windows 9x application which didn't write files to the system directory etc would run with standard user privileges. If a Windows 9x application assumed that the user had admin privileges, it would probably run for a Win2K admin -- which defeated the point of using Win2K.

      Windows XP introduced application compatibility so that many crappy Win 9x apps would run with standard user privileges. MS couldn't sell XP if it didn't run Win 9x games. AppCompat works below the surface when a user application is launched. If an application is known to be incompatible, AppCompat loads shims for that application. When the application tries to read/write from a privileged area, it is redirected to a virtualised file or registry system (per user).

      If (big IF) MS had produced a compatibility module which worked as well as the current one, the company would have avoided its evil mistake: on a standard installation, all users were Administrators. If you were lucky, the installer made users into Power Users, who may not have realised how easily admin rights are acquired.

      Shame on everyone all-round. To MS for creating a poor security model. To developers for failing to update applications for the "modern" NT5 world. To system administrators for tolerating lousy products.

      I wrote the last paragraph with hesitation. I have worked with many sys admins who put up good fights when IT management or departments asked for software which did not meet any reasonable quality standard or demanded admin rights for idiots. I've been there too. I've met some jolly helpful people at MS who understood what had gone wrong there. I've even conversed with developers who went out of their way to fix things.

      1. Version 1.0 Silver badge

        Re: Software properly written for Windows 2000 would work on 7 and later without issue.

        Early on I insisted that me developers write code that was not system specific with static linked DLLs - our applications run on XP through Windows 10 without any problems - the major issue has been re-writing the installers to handle each flavour of "security" in the OS.

    3. big_D Silver badge
      Facepalm

      Re: Software properly written for Windows 2000 would work on 7 and later without issue.

      At a previous employer, I experienced Linux developers still using SUSE 7, because the software they had written wouldn't compile on anything newer and they didn't want to waste time re-working it and seeking out newer versions of libraries (or paying for newer versions of QT, for example).

      "It's just Linux, it isn't like it is running on Windows."

      1. 27escape

        Re: Software properly written for Windows 2000 would work on 7 and later without issue.

        Its just developers; being pressured to fix the problem rather than providing a solution is a way of life for developers, companies do not want to hear that I can patch in 1 day or fix for the future in 3 months, beancounters etc will always go for the 1 day patch. There is no longer a 5 year plan, or a 3 year one, hardly even a 1 year one, everyone is agile fixing what is in front of them right now!

        1. big_D Silver badge

          Re: Software properly written for Windows 2000 would work on 7 and later without issue.

          @27escape or more often, they are just ignoring any security implications until it bites them.

          Many companies know that their software is out of date, but getting it secure and running on modern operating systems costs a lot of money that they can't recoup, when they can still flog their customers old software running on old platforms.

          Just look at automotive, the "new" for 2017 in car entertainment systems are still running on Froyo or Kitkat in many cases!

    4. Anonymous Coward
      Anonymous Coward

      Re: Software properly written for Windows 2000 would work on 7 and later without issue.

      The Windows could have logged bad behaviour and regularly prompted the user to send it to the developer to nag them, or send it to Microsoft so that they could excerpt pressure for users.

      Ignorance can be a consequence of arrogance/laziness/mismanagement for 'experienced' staff, but aware programmers can also cut corners due to laziness or deadlines. I've seen enough to judge that there is no reasonable excuse for most of the poor coding I've seen, especially in commercial products, because technical debt compounds and (I know) pushed a large commercial product to EOL!

  6. Paul Woodhouse

    <quote>

    Imagine, if you will, that governments stood up clouds to enable cheap (or free) backups for critical industries. It's one possible solution to the realities that made WannaCry the international IT oopsie of the week. There are many more.

    </quote>

    MUHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!!

    government controlled cloud/storage, what could possibly go wrong?

    1. tfewster Silver badge
      Facepalm

      My initial reaction was the same, but it's an idea. In theory, all critical industries should already have backups and disaster recovery plans. In theory, existing data protection legislation and the duty of Directors to protect the business should be sufficient. In theory, software companies should ensure their products are fit for purpose.

      In practice, it's hard to anticipate every attack vector, or to apportion blame when things go wrong. So Trevor's approach, to brainstorm/spitball/blue-sky recovery mechanisms, is an important tool in a sysadmins kit.

      Take it further - NHS owned DR DCs, with a ("secure") warm copy of a hospitals data, copied over fat pipes, fast enough for staff to use the DR systems remotely when their local system is down? When disaster strikes a hospital, just connect the data disks to a suitably powerful system and boot it. I don't know if it's practical, original, or even useful in this scenario, but I'll risk the derision and downvotes because it might just spark a better idea in someone.

      1. DMSlicer

        > Take it further - NHS owned DR DCs, with a ("secure") warm copy of a hospitals data, copied over fat pipes, fast enough for staff to use the DR systems remotely when their local system is down? When disaster strikes a hospital, just connect the data disks to a suitably powerful system and boot it. I don't know if it's practical, original, or even useful in this scenario, but I'll risk the derision and downvotes because it might just spark a better idea in someone.

        In this case it would have been largely pointless, because if the main system got infected then there's nothing to stop your DR system getting infected as soon as you spin it up, unless you spun it up on an isolation network (e.g. on an entirely different VLAN to anything in your live systems) and manually joined cleansed clients to it one by one.

        One possible solution might be a DC on a different operating system entirely (there are several Linux solutions that can act as a secondary Windows DC and at least one that can be a PDC) that wouldn't have been susceptible to WCry - to allow more vital software processes or any uncompromised clients such as firmware-based hospital equipment to still have *something* to talk back to and authenticate against.

        1. Flakk Silver badge

          In this case it would have been largely pointless, because if the main system got infected then there's nothing to stop your DR system getting infected as soon as you spin it up, unless you spun it up on an isolation network (e.g. on an entirely different VLAN to anything in your live systems) and manually joined cleansed clients to it one by one.

          You're absolutely correct about the danger of infecting the DR site. It should indeed be spun up but isolated, ready for use once the CSIRT gives the all-clear.

        2. Doctor Syntax Silver badge

          "One possible solution might be a DC on a different operating system entirely"

          A good start would be having the servers run on a different platform to the clients. Of course that means having the two work together and that means using open standards and not just "our" version of the open standard or even "our" open standard.

      2. Infernoz Bronze badge
        Facepalm

        The problem with your 'secure' remote copy idea (and daily backups) is they maybe compromised if a comprise happened before the last copy/backup...

        My better idea is, put user profile and other data on ZFS/Open-ZFS NAS, excluding the OS, with frequent, NAS-scheduled, rolling dataset snapshots (say at hourly or less intervals), with regular scanning for suspicious file type and file type specific changes (e.g. header changes or dubious contents changes). When corrupted files are detected, the nearest earlier timestamp ZFS snapshot could be used as a source for a clean file, in a small fraction of the time, especially if automated.

        * ZFS dataset (filesystem) snapshots are pinned deltas, so mostly won't take up much space, and you can have loads, but too many can reduce NAS performance.

        I already keep my Thunderbird profile on an SMB accessed FreeNAS OpenZFS dataset, because I was fed up with retarded NTFS stalls and occasional mailbox corruption on an M2 drive with Windows 10 on an fast i7 box; it has significantly better data protection because the dataset is in a ZRAID2 volume.

    2. DougS Silver badge

      So long as your data is encrypted with a key you control, using software they don't control (i.e. no black box driver to sync your filesystem to their cloud) it doesn't matter who controls the cloud your data lives on.

  7. Anonymous Coward
    Anonymous Coward

    Fast data recovery techniques......

    "Shame on you for not going back in time".

    If only people had an ability to roll back their data to a good point in time, rapidly......oh wait!

    We will continue to have issues, and the only way to minimise disruption is to stay current (last months malware detector is out of date, never mind running on an OS a decade or more old!) and have a solid & regularly tested recovery mechanism.....

  8. Anonymous Coward
    Anonymous Coward

    It's worse than that

    Today, Microsoft doesn't give us that choice [of selectively installing updates]. You will patch everything, all in one go, and if for whatever reason you need to skip a patch you can never move forward from that point.

    And patching everything, all in one go, is likely to enable yet more "telemetry" in order that Microsoft can monetize you even better.

  9. Anonymous Coward
    Anonymous Coward

    The everlasting light bulb

    I remember sitting in a very swish glass-sided office in the heart of Microsoft in London. A senior MS employee was lambasting us, the visitors, about our customer's inability to move on from whatever legacy MS OS our customer had foolishly based its enterprise on. We, or rather our customer, represented tens of thousands of licences. MS seemingly held us in the same regard a prostitute shows a punter - a source of money and minor inconveniece, nothing more.

    I understood that times and knowledge had moved on - that MS's new OS was not the brittle, leaky sieve that our customer was using. However, our customer's system was not facing the outside world - it ran inside its own microcosm. It needed to do what it did, 24/7, for the good of the nation. It struck me it was like the maker of a motor oil telling you needed to redesign and rebuild your car to change the oil.

    MS had, and probably still has, a disproportionate view of its own importance set against the time, money, and brain ache invested in large IT projects; it wanted 'in' on them, but failed to acknowlege that meant in for decades untill the next big refresh was decided upon ..and funded.

    Nobody ever got rich inventing the everlasting light bulb, but LEDs can produce huge savings in both energy and maintenance costs over the lifetime of a building. MS, and others, think on.

    1. Anonymous Coward
      Anonymous Coward

      Re: The everlasting light bulb

      " MS seemingly held us in the same regard a prostitute shows a punter - a source of money and minor inconveniece, nothing more."

      Oh come now. I suspect that the ladies who charge the sort of money that Microsoft charges for a server licence must be very good indeed at customer service. Are you suggesting that Microsoft is no better than a streetwalker?

      1. Version 1.0 Silver badge

        Re: The everlasting light bulb

        In my youth I has friends who were streetwalkers and they offered very good and friendly customer service.

        1. Anonymous Coward
          Anonymous Coward

          Re: The everlasting light bulb

          "In my youth I has friends who were streetwalkers and they offered very good and friendly customer service."

          And, just like a software vendor, you might get supplied with an unwanted virus or two.

    2. nijam

      Re: The everlasting light bulb

      ... MS's new OS was not the brittle, leaky sieve that our customer was using

      No indeed, it's a completely new leaky sieve, with specially-designed new leaks.

    3. Anonymous Coward
      Anonymous Coward

      Re: The everlasting light bulb

      " like the maker of a motor oil telling you needed to redesign and rebuild your car to change the oil."

      There are a variety of similar ones, and for good reason too.

      E.g. you have to replace your car/truck every time the white lines are repainted.

      As for how life would be if MS built bridges...

      Further pointers welcome (if anyone is still reading).

  10. LittleTyke

    I made the suggestion in a newsgroup recently to consider a derivative of QuickPAR to restore encrypted files after a ransomware attack. For those who don't know, QuickPAR is an amazing program that corrects download errors. It uses parity files. Why can't software engineers not create a kind of "QuickPAR" that will restore all the files on a drive? Obviously you'd keep the parity files needed for recovery on separate media that is never placed online.

    1. Bronek Kozicki Silver badge

      "restore" - from what? If your data had been encrypted, there are only two kinds of "restore" that make sense 1) break/payout cryptographic key or 2) restore from backup.

      1. inmypjs Silver badge

        ""restore" - from what?"

        PAR is a file based redundant storage system. 10% of PAR files generated across a whole drive could recover up to 10% of any files on that drive. It is a very efficient in storage space and inefficient in processing power method for protecting data against partial loss or corruption.

        I don't see it being very useful for protection against encrypting attacks.

    2. Anonymous Coward
      Anonymous Coward

      Yep in theory that works, however traditionally with a parity bit you are attempting to detect a one bit error in a 7 bit value. To recover from a one bit error you need a few more bits so you have moved into the realms of error correction systems like QuickPar. Unfortunately we are not talking about a single bit error here as the effects of encryption are that all 8 bits in a byte are effectively damaged so you need no less than 8 bits of error correction bits per byte of data. Storing them offline is of course essential so what you have invented is a system where all of the data is replicated offline. Most people refer to this as an offline backup. And then you don't need QuickPAR unless your offline backup is done over a very unreliable channel.

    3. Infernoz Bronze badge
      Meh

      Pointless, use something designed for _full_ end-to-end data integrity, with _multiple_ deltas like git has i.e. ZFS with its multiple cheap snapshots; backups should be considered the absolute last resort, because they will be far more out-of-date!

      FreeNAS and TrueOS provide the OS to build a _separate_ secure OpenZFS NAS and Server to maintain data and mitigate data corruption by a client; if you don't want to use an SMB share, you could still do frequent rsync delta backups to it instead.

      1. Doctor Syntax Silver badge

        "if you don't want to use an SMB share"

        SMB or anything that extends the server's file system into the clients' is part of the problem. It allows an infection in the client to wander over as much of the server's file system as it can see.

  11. sitta_europea Bronze badge

    Isn't there some other operating system we could use?

    One that has, say, a browser, a word processor, a spreadsheet package, a mail client and a cute GUI? And ten or twenty thousand other little gadgets if you want to look at the catalogue?

    Oh, I almost forgot: and is a LOT more open, stable and secure?

    Oh, yes. So there is. Seeral, in fact.

    'Sfunny, though, when I try to get customers to switch, they won't. It's too much trouble.

    So it really is their own fucking fault, and IMO they deserve all the blame and the pain that they get when what I tell them is going to happen actually does happen - it just did - and I don't have the slightest sympathy for them when I send them a big bill.

    1. DJV Silver badge

      Apparently, "Seeral" is not an operating system - it's a typo...

  12. Anonymous Coward
    Anonymous Coward

    "[...] defied society's laws and cultural norms in order to make a quick buck easier than we collectively deem should be allowed."

    It seems that many people with such antisocial behaviour actually invest more effort in them than if they did something legitimate for the same income.

    The material gain is isn't necessarily their primary motivation. Presumably they get a dopamine rush from their illegal activities. Such is human nature.

  13. Anonymous Coward
    Anonymous Coward

    "Everyone is to blame because we refuse to force our governments to hold software-makers to account"

    Corporations are the government, who are we kidding here!... Besides Governments are comprised of mostly old men from a generation that just doesn't get it. After WannaCrypt people were saying someone has to die. I agree, preferably children. Then there will be some debate at least, but still no quick change. If more dead kids arrive, then they'll move too fast and probably pass the wrong legislation which will be ineffective anyway...

    1. Doctor Syntax Silver badge

      Casual ageism is an indication of poor thinking

      "old men from a generation that just doesn't get it."

      That'll be old men from the generation that invented most of what you use. And you think they don't get it?

  14. Prst. V.Jeltz Silver badge

    Microsoft's desperation for a monopoly

    Microsoft did wrong by us all.

    Microsoft's response to this has been the most horrific possible

    Microsoft doesn't give us that choice.

    Microsoft is externalising costs on to their customers

    Microsoft is shifting the burden of support to the end users

    We not only let Microsoft get away with this,

    Microsoft goes to great lengths to avoid publicly acknowledging...

    So you're a Linux guy then? or an iPerson? UNIX? freedos?

    Are there in fact any paradigms of OS virtue that those nasty bullies rolled over?

  15. itzman
    WTF?

    Windows IS ransomware.

    nm

  16. ArchieTheAlbatross

    Hear! Hear!

    And Hear! Hear! Again.

    Most annoyingly, we have only ourselves to blame, but let's look for someone else anyway.

  17. Nick Kew Silver badge

    You're 20 years late to the party

    Why wasn't MS held to account for deliberately breaking the MIME RFCs of 1992 and '93 when that breakage unleashed Melissa and Lovebug (and left us a legacy of a 'net where MIME headers can't be used to identify and quarantine potential hazards as designed).

  18. Anonymous Coward
    Anonymous Coward

    I also blame Microsoft for not protecting WIn10/Server2016 file systems against the mass encryption that occurs during an infection. The type of IO that happens to the disk isn't a normal activity, they should have found a solution to this by now. But that would involve some real thought and change, where as underneath all the GUI, it's the same old Windows/NTFS with the same old issues with every release.

    1. Infernoz Bronze badge

      NTFS is a dinosaur FS; Microsoft should port OpenZFS or license ZFS from Oracle already!

      NTFS is not transactional, so is not thread-safe, stalls (especially for 1000's for files in a folder), can give stale file/folder results, so cause application malfunction, so the sooner it and all other non-transactional, logging FS's get replaced the better.

      All hardware and pseudo hardware RAID should just die too, because only transactional software RAID can provide true end-to-end data integrity.

  19. Michael H.F. Wilkinson Silver badge
    Coat

    "We can see if they weigh more than a duck"

    Thanks for that. I haven't said Ni! in a while. I trust you also know a lot about swallows.

    Th one with the coconut shells in the pocket please

    1. Trevor_Pott Gold badge

      Re: "We can see if they weigh more than a duck"

      African or European?

  20. gnasher729 Silver badge

    Time Machine

    You'd want a Time Machine to go back in time and restore your computer to the state it was in some time earlier. If you buy a Mac and an external hard drive, you got exactly that. It makes incremental backups, hourly, keeping them as long as you have enough storage on your external drive, and you can restore from any of those backups. So if you got infected on Friday 2:15 pm, and this thing started encrypting files like mad, and the encrypted files go to your backup, all you need to do is restore the version from Friday 1:00 pm and you are fine. Any work done since then is obviously lost.

    1. Paul Woodhouse

      Re: Time Machine

      and windows has VSS and previous versions... wannacry turned them off and deleted the previous versions as part of its payload.

      if someone develops an equivalent for the Mac it'll most likely do the same thing.

      personally, I'll advocate having something with plenty of redundant storage running backuppc on each site as a quick and dirty protection. its crap for backing up databases and things like PST files but its great at backing up documents.

      1. DougS Silver badge

        Re: Time Machine

        The problem is that it is something that can be controlled from the OS. File system versioning should be at a lower level that's set at install time, and only be changeable via group policy or a special boot like safe mode that has to be done in person.

        It should be impossible for even Administrator to delete or change old versions of files. Then ransomware is impossible, as you can just roll back to the last version before the infection.

        1. Bronek Kozicki Silver badge

          Re: Time Machine

          Actually, it should be possible for Administrator (or root) to delete old versions of files (bot not to modify them). This is one of the basic storage management tasks, very useful one if you do not have policies (or have to adjust them).

          1. DougS Silver badge

            @Bronek

            I disagree. If you want to use file versioning as a defense against malware related issues, you can't allow Administrator to delete old versions, otherwise malware just encrypts all the files and deletes the old versions.

            I think you should set the various policies controlling how many versions there are / how far back they go / how much storage they can consume at install time, and only change them via group policy or that special in-person boot mode. If Administrator has rights to delete old versions - or force old versions to be deleted by making too many changes - they are only useful for "oops I didn't mean to delete that" backups, not "crap, I got hacked" backups.

            1. Bronek Kozicki Silver badge

              Re: @Bronek

              @DougS that's what off site backups are for - i.e. a location for storing backups which is only available when backups are being made. If your backup strategy is to maintain a time-machine style snapshots only, then it is not enough, since these snapshots are taking up space. You need to be able to size the storage space taken by the snapshots, hence you need to be able to delete old snapshots, too. This might not be as explicit as "delete selected old snapshots", it might be implied in "set maximum size taken by snapshots" but the effect is the same.

      2. Doctor Syntax Silver badge

        Re: Time Machine

        "windows has VSS and previous versions... wannacry turned them off and deleted the previous versions as part of its payload."

        Don't keep them where malware on the client can see them.

  21. Stevie Silver badge

    Bah!

    And shame on the author for carefully aboiding saying that the biggest incentive to stay with XP was that the UI was pleasant and relatively easy to work with.

    I used to work for a guy who downplayed Joy of Interaction in the mainframe apps we turned out. No menus because we had manuals (which no one read). Result: no one ever became proficient with our apps and everyone hated them.

    Fortunately, MS have executed Plan Shred Own Foot with their bug-ugly flat-ass three color GUI so movng away from 10 should be a no-brainer.

    1. Trevor_Pott Gold badge

      Re: Bah!

      If we can't win a simple battle like "let us update our computers patch at a time", how the hell are we supposed to win "stop spying on us" and "gimme back a usable WIMP interface"?

      Start with the border skimishes, sirrah, then plow face first into the war...

  22. Glenn 6

    System is broken

    This is going to sound like some whack-job statement, however if you stop to think about it for a minute, you may see my point. Here we go: Our system of government does not work. It's broken.

    The problem is that we have too many decades of huge corporations being far too closely tied to government officials that it could even be called an infiltration, whereas corporations have so much influence over our elected officials that said officials are putting THEIR interests ahead of the public's.

    Most if not all people in high government positions are business people, with business interests - and investments - of their own. They have friends in business they may be inclined to help out. The bribes, er, donations they received on their campaigns to get them elected can't have possibly influenced any of their decisions could it?

    So that said, at least in my opinion, the government actually enacting laws which will impact these huge corporations by forcing them to act responsibly - even if in the public's common interest - will NEVER happen. Ever. Not as long as our systems of government allow non-elected corporations and school-buddies of elected lawmakers to so greatly influence said lawmakers.

    And given the extremely expensive circus at least US elections are, so-called unaffiliated "average joes" have no chance of running. Therefore the cycle of elite, rich, well-connected and well-bribed (I mean, donated to) business people will continue to get elected.

  23. ilmari

    The problem with formally proving a system is that by the time you've completed it, the specification turns out to be wrong and has changed 27 times over 7 different corporate/government regimes.

    Anyhow, I've often had arguments that have gone a bit like:

    "Hey what are you doing here, that results in undefined behaviour"

    - "It's okay, I tested it and X happened every time"

    "It's still undefined, it could change any time in the future"

    - "What why, surely they wouldn't make backwards incompatible changes to the OS?"

    "Undefined is undefined, they could make the compiler generate code that erases the hard drive and they'd still technically be standards compliant"

    - "You mean I have to actually read specs and learn, not just try random stuff until something works?!"

    "Yes"

    - "Being a developer sucks!"

  24. Conall O

    I hope this makes people think about alternatives.

    Finally installed Linux on my personal machine. I tinkered with it in a VM for development and messing with ElasticSearch Shards and such, but now with windows 10 causing personal headaches It feels like a nobrainer.

    moving my dad's machine back to windows 7 with a dual boot of ubuntu (windows 10 creators update borked his machine), hoping to wean him off the devilish microshaft

    hopefully the friendly penguin becomes a more popular solution for home users, but I doubt it will ever compete due to the lack of the the budget and marketing machine microsoft has to shove windows down everyone's throat's.

  25. Anonymous Coward
    Anonymous Coward

    .ZFS

    ... or another snapshotable FS ... will allow you to simply dig previous (unencrypted) versions of files out of snaphots. This is the real way to "go back in time" ... just keep every version of everything. It really doesn't even take up much space as huge files rarely change, and those with dozens or hundreds of versions are small.

  26. Herby Silver badge

    Malware proliferates because...

    ...it makes money. Same as SPAM emails. While Microsoft could make the locks better, and users could use proper protection, the real task at hand is to make malware exceedingly costly for the perpetrators. The only way to do this is for a government to go after them. The cost of the WannaCry thing was quite high, but from the looks of it, no government is going after the bad guys.

    Of course, if executables were cryptographically signed and we could trust the signing, it might go a long way in helping out.

    Unfortunately in the end, most users (I suspect present company excepted) are ill-prepared for the modern threats a computer faces, and will do stupid things given half a chance. I wish them luck.

    Life goes on.

    1. Anonymous Coward
      Anonymous Coward

      Re: Malware proliferates because...

      "from the looks of it, no government is going after the bad guys."

      Looks can be deceiving.

  27. Ian Joyner Bronze badge

    IT people also to blame

    Sure MS did the wrong thing. But the IT crowd came from the mentality of everything had to be IBM to everything had to be MS. IBM architectures were never really that good anyway. The IBM 360 a horror. It was all marketing. MS inherited that from IBM. The PC and MS-DOS were really inferior products, but IT people just wanted to go along with the lazy mainstream instead of setting up the industry to be good and secure. We are now paying the price for these lazy IT people who set this up in conjunction with MS and IBM.

    Note that while MS were encouraging developers to use undocumented hacks that Apple always discouraged developers from using anything that was not documented. This is the basis of object-oriented and modular programming (as proposed by David Parnas). Interfaces should be small and neat for both security and correctness. But IT people and developers wanted to ignore that.

    And now hackers have been the beneficiaries. But the innocent in this have been the end users that is true. They are caught between greedy monopolistic companies that have ignored quality and security and developers who did not want to be told what to do, and lazy IT people who just wanted to maintain the status quo.

  28. Ian Joyner Bronze badge

    Software AND hardware need improvement

    It is true that higher layers of software introduce system vulnerabilities which should be avoided at those levels. System development software also needs to be more secure. But we need security built in at the lower levels. We must have hardware that detects out-of-bounds accesses - that is fundamental to both security and software correctness.

    While I agree much of the blame is on MS, a lot must also be put on systems developers from the Unix background. C is an inherently flaky language. Languages developed for writing an OS should NOT be used for other applications. Much of what they provide should be forbidden at applications or even higher-level system software. But the cult-of-C has seen it used everywhere, even for some OO languages I believe. This is not a good situation. The mean look of C syntax is even used for many other languages.

    While the C philosophy of "trust the programmer" now seems at best naive, it really was stupidity, and perhaps in the future should be treated as criminal negligence. It really is time to sit up and take notice of the warnings many of us have been making about C for a long time, and the inherently weak processor architectures that are underneath C.

    http://ianjoyner.name/C++.html

  29. JJKing Silver badge
    Flame

    Ah yes Microsoft, thoughtful and generous to a fault!

    Now I am NOT a Microsoft fanboy... but they DID put a patch out there for a long-obsolete OS...

    Which Microsoft had already made for those paying through the nose for XP support and was deployed in March. Oh yes, good on generous Microsoft.

  30. Ian Joyner Bronze badge

    MS-DOS was distressing

    Interesting Quora question when someone asked why Alan Kay said MS-DOS was distressing.

    https://www.quora.com/Why-did-Alan-Kay-say-MS-DOS-was-a-distressing-thing

    We are still suffering in 2017 because MS foisted this junk on us.

    1. PickledAardvark

      Re: MS-DOS was distressing

      I respect Alan Kay a lot, However when discussing MS-DOS, he approaches from a money-no-object angle. PC-DOS/MS-DOS and the alternatives for the original PC were designed to run from a floppy disk (which might contain the user app for a task). Almost nobody had a hard disk on their PC and a proper OS would have needed one. The back pages of PC magazines were still full of adverts for twin floppy XT clones six years after the IBM PC was launched.

      The flat tyre analogy amuses me. CP/M would have been the flat tyre which MS copied to create MS-DOS, so IBM PC users had two flat tyres to choose from initially. The other OS for the PC was UCSD Pascal -- what an interesting IT world that might have created.

  31. Tom Paine Silver badge

    Imagine, if you will, that governments stood up clouds to enable cheap (or free) backups for critical industries.

    Imagine, if you will,millions of security people cried out in terror and were suddenly silenced...

    1. Paul Woodhouse

      dunno why you got a downvote for that... made me chuckle a bit...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019