Question? As
Linux is open source, is there not the chance that hackers can find
vulnerabilities more easily?
Answer: No.
Since it is open source, defects are easily found by competent engineers and
patched quickly, as you'd know had you any competence yourself.
We are
frequently told that proper architecture and solutions are too expensive and
that they need to be more "pragmatic" (i.e. cheaper) in their
approach and everything will be fine. The reality is that it doesn't work. The
direction comes from the top; project and program managers are under pressure
to reduce costs as their number one priority. Ministers take the line from
those who tell them about cost reduction, not from experts who are "just
being perfectionist" and "scaremongering".
There's a few
other things in here. Security Architecture and Data Protection strategies need
good threat and risk modelling and the application of year by year
transformation. Overwhelmingly the 80/20 rule applies and that 20% (essential,
difficult, error prone) gets descoped. We are only just getting to the point
our expertise can handle the challenges at scale. This is because the last 20
years have seen the birth of the Internet and all its attendant tech... but
even if we have reached the end of the beginning (and I would argue we haven't
quite hit that, the IoT is just birthing all around us) things will not stand
still, and our new-found powers won't keep up. Add to that the impotency of
people relying on one and only one operating system without the ability to
embrace other much safer and locked down systems and you know why IT literacy
is thriving. And this start in schools where the “OS with windows” is basically
creating a generation of young people
not knowing that knowing how Excel works is not IT knowledge.
Nevertheless, I rather resent the implication that this is a generational
problem. The fact is the tech-savvy and the tech-incompetent are
well-represented in every group. Being able to use instagram or attach a photo
to an email doesn't mean that the person doing it necessarily has the first
clue about how any of this stuff works, or indeed how to avoid security
problems. It is certainly true that few politicians seem to understand how any
of this works. Unfortunately, neither do their interlocutors in the media who
seem quite capable of pinning down a slippery spokesman like the Portuguese one
I saw on the TV this last week whose surname rhymes with “turbulent”, blaming
the previous governments and companies for this latest security breach. Things
are not so clear-cut.
If I’d built a
car which was so badly designed it not only crashed all the time but anyone
could steal it, you could call it a ShittyOS. Human nature being what it is,
what can be easily stolen will be. And rather than redesign it you just added
reinforcements, patches, bits and pieces and lock after lock after lock
(equally flawed) onto the bits and pieces you might expect that no one would
buy it and that victims of its failures would run to the courts. But
inexplicably this glutinous tangle of threads, patches and flat tires still has
a market and the idea that the maker is responsible doesn’t seem to occur to
the owners of ShittyOS products. Rather
than focusing on the very simple point that the current administrations are
culpable for both ending a support contract with some software houses I won’t
name here, and failing to provide the resources to enable all older machines to
be upgraded from older OS.
I think this
problem is endemic in the public and private sectors. How many businesses were
affected by the Dyn outage last year, the AWS S3 outage some time ago? The list
goes on.
To protect and
ensure services run smoothly, costs money, and also requires a proactive stance
rather than a reactive one. Board members often see little value (wrongly) in
upping their IT spend, and some IT professionals have apathy towards the
confrontation it takes to push forward with initiatives. Commoditisation of the
IT sector has also contributed in some way, with many providers on the 'race to
zero' and therefore devaluing such services and conversations.
We rely on our
IT, and services can crumble if there's a problem. Budgets need to reflect this
fact better. I don't see this as a generational issue, an education one maybe,
a reactive Vs proactive mentality. definitely.
By the way, do
you know who the real beneficiary of the global ransomware attack will be? No,
not the hackers. It will be none other than the software houses. I can almost
hear the champagne bottles pop, because the attack will force companies and
governments that still use WinXP, Windows Vista, Win7, Win8 (or Windows Server
2003) to switch to Win10 (or Windows Server 2012+). Incidentally, it appears it
was Win7 and not WinXp which was the bad guy in this picture.
People think IT
is a onetime spend, and it will work for its lifetime independent of
investment. This is just not the case. IT is an ongoing expense, and should be
one of the first things allocated in the budget. As much as you espouse the
free OS's, users just aren't ready to learn them, and a lot of applications do
not support them. It surprises the hell out of me they let the contract with
some software houses to end though, without renewing or updating the machines.
That is just stupid, and simply suggesting that "switch to Linux" is
a flawless solution is pure hubris, both because of compatibility (have the
diagnostic tools been written for non-Windows operating systems? It's not like
you can just copy the .exe over and expect it to work) and for the fact that
it's not 100% secure like so many people seem to fallaciously claim (remember
Heartbleed?). Regardless of this, I'd always recommend Unix or Unix base
systems because they were engineered for security from the start - for heavy
duty use - but glossy marketing hype ensures we still use effectively the same
old ropey ShittyOS that have been around for generations. Unix BSD kernel
systems were indeed built for much more resilient counter virus infection,
scalable robust operation.
Unix is used to
manage the NY stock exchange, the ATM Banking systems and so on. All.
Mission. Critical. Systems.
Any computer at
work or home based on a UNIX kernel is hard to crack. And even harder to
spread.
If you can’t go
the Unix/Linux way, Win 10 made some major advances in the field of security.
So much so that it would make my system more vulnerable if I were to install a
third party anti-virus product than if I were to only use the included Windows
Defender. Even Google engineers now recommend only using Windows Defender.
What’s the
bottom-line? It's not 'tech experts' that are necessarily needed. What is
required are senior IT managers that understand the issues and listen to the
technical experts.
I vividly recall
a period in my career when part of my brief was to oversee the implementation
of management information systems. The constant battle was against a short-term
accountancy mentality (and I knew even then that we had too many of them and
too few practical technicians) which laboured under the delusion that
computerised systems offered immediate savings for a modest one-off
expenditure. Which they don't - any decent system will take time to implement,
and will probably require a short-term rise in costs (apart from the capital
expenditure) in order to glean any long-term savings.
And then there
is the phenomenon of data growth that systems often generate, whereby what was
an impossibility becomes possible, and expands the role of a particular
activity. The syndrome illustrates poor IT management understanding - at a wider
level - of the role of investment.
What about this
specific wnacry issue? No, Microsoft doesn't have a duty of care here. If they
had suddenly stopped providing security patches with no warning, then they
would be at fault. But that's not the case. Windows XP has been unsupported
(so-called 'End of Life', or EOL) since 2014, a date that had been widely known
about since 2007. Win 7 since 2009. The reason for this is that security
patches don't write themselves, and there logically must be a cutoff point
where the software needs to be written off and upgraded (kind of like how, the
fourth or fifth time your car fails its MOT, the repair costs eventually become
higher than the value of the car and it's far more worthwhile to get a new one
instead of patching up the old one).
Windows XP has
been around for almost sixteen years now. Windows 7 for almost 8 years. This is
ancient when it comes to software. It's long been time to upgrade, and the
risks of not doing so were well known by those who decided not to. The emails
that were opened should never have got that far. It's that simple. Of course,
end-users cannot be trusted to act sensibly. Not open suspect emails. Not click
on links in them. Ignore screen messages asking, "Are you sure?".
Heck, one of mine even clicked the button when the whole page was in a foreign
language and she didn't have a clue, literally, to what she was agreeing to.
They trust the system providers to protect the system.
This isn't only a
matter of "government and company cuts"; it's IT management failure.
There should be a sudden blossoming of job adverts for IT staff and managers.
Time for the dead wood to be identified and thinned out.
Once the email
containing the worm got inside a network, it would not need any email
attachment to spread further. The worm had been quietly spreading from machine
to machine for weeks. The worm's encryption package triggered world-wide on May
12th, but it has been spreading silently for much longer. It seeks out machines
that were not patched with the Microsoft solution in the last two months. Any
Windows machine (10, 8, 7, or XP) not patched since March was vulnerable EVEN
if its user never opened any attachments. Once an un-patched machine capable of
being addressed by an infected machine on the same network or wide area network
was switched on, if there was even one infected machine elsewhere in that
network, t would become infected and would begin searching out vulnerable
machines itself.
Imagine people
take lots of LSD and keep jumping off balconies, breaking their legs, backs and
/or killing themselves. You could say: “we need lower balconies” or you could
get rid of LSD. Anyone with a degree in Computer Science will tell you that
whatever IT system you have put in place, it will be hacked - many reasons for
this, one of the simplest is that the dudes who develop the security systems
are the same ones who hack it, since they know how to. Any senior people in
industrial IT will tell you this. Modernity and its defenders will happily say
that we need to lower the balconies, whilst our LSD-stoned friends now wander
into the road and are killed by oncoming traffic. IT is the problem so we need
more IT to counter it?
No, not really.
