WannaCry [OT]

classic Classic list List threaded Threaded
29 messages Options
12
Reply | Threaded
Open this post in threaded view
|

WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
" The WannaCry virus only infects machines running Windows"

http://www.bbc.com/news/technology-39896393

Err . . . Linux

Richmond.
_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
Richmond Mathewson wrote:
 > " The WannaCry virus only infects machines running Windows"
 >
 > http://www.bbc.com/news/technology-39896393
 >
 > Err . . . Linux

While it's true that this particular exploit is dependent on a
Windows-specific vulnerability, this is no time for smugness.  There's a
larger issue here relevant for all of us:

IF YOUR SYSTEM US NO LONGER RECEIVING UPDATES, IT'S NO LONGER RECEIVING
CRITICAL SECURITY PATCHES FOR KNOWN VULNERABILITIES.

Any such system, if connected to any network that connects to the
Internet, should be considered too dangerous to use.

Doesn't matter whether it's Windows, macOS, or Linux.  Once the OS has
reached EOL, either upgrade to a supported OS version or turn off all
network connectivity.


This exploit has become a global tragedy, but worse is that it appears
to have been preventable:

Microsoft issued a patch protecting against this months ago, and for the
(shockingly large number of) machines still running XP, Microsoft spent
literally millions over a many years reminding everyone of XP's EOL date
and encouraging them to upgrade to a supported OS version.

Apple (for reasons only they can discern but AFAIK have not disclosed)
are less kind to their users, often stopping updates without explicit
notice and little if any forewarning.  They do advertise when new
versions are available, but generally haven't provided clear notice when
EOL is reached for a given version.  For example, when Snow Leopard
reached EOL, even though some 19% of all Macs were still running it, no
notification was provided that it would not be receiving patches; it
simply stopped getting them.

With Ubuntu, EOL date is well advertised even before a version is
released.  That project follows a fixed release cycle in which all
long-term support versions get exactly five years of updates, and all
interim releases get 18 months of updates.  You know even before you
download exactly when it will reach EOL.

With all three, once you know it's reached EOL you must either upgrade,
or put yourself and your organization at risk.

If the post-EOL exploits that occurred with Best Buy and Target a couple
summers ago didn't drive the point home clearly enough, yesterday's
global attack should:  "What, me worry?" is not a sound IT policy.

--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  [hidden email]                http://www.FourthWorld.com

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
I cannot afford to be smug as my Linux rig (Xubuntu 16.04 64-bit) was
hosed completely about 4 months ago and I only
managed to reciver about 5% of my files.

What I do not understand is how organisations like the British State
Health System (NHS) cane be so bl**dy stupid to
rely on Windows, without (obviously) all sorts of safeguards.

My "underpants" may have a few holes in them, but everyone knows that
Windows is more holes than underpants,
and it has been quite adequately demonstrated that Windows executables
running under WINE on Linux tend to be faster and
less vulnerable to viruses.

In about 1985, when I was an undergraduate, the news about AIDS was
suddenly announced, and the TV and radio was
banging on about "preventative measures": obviously the British medical
authorities know their stuff re medical matters, but when it
comes to computer systems they neither know anything much about them,
nor do they employ people who do.

----------

  Many years ago I read a science fiction book about people living in a
ploice state on Venus, which was, for the purposes
of the story, a steamy, soggy jungle planet with lots of muddy, hummocky
islands in one big bog. The rebels started communicating
via AM radio (Amplitude Modulated) because the authorities of the
dictatorship had forgotten about that "old-Tech" and were
using FM (Frequency Modulated) equipment for all their communication needs.

Three days ago I got an e-mail from a chap in Ireland using a Commodore 64!

So, the answer, for us folks who don't have "endless boodle" to
constantly upgrade/update our machines, may lie in
retreating into using ancient machines . . . . so, I suppose my Summer
will be spent on getting a Winchester disc into
my BBC Master Compact and sorting out how to get the 5-pin DIMM
connection at the back to let me send and recieve e-mail
messages: after all, in 1989 I was using it, via Etisalat, to
communicate with various services even before the internet started.

You cannot send a virus to a BBC because the whole system resides on a
ROM chip!

Anyway, just at the moment I'm dusting off my G3 iMac running Mac OS
9.2.2 with Classilla.

Richmond.

On 5/13/17 6:36 pm, Richard Gaskin via use-livecode wrote:

> Richmond Mathewson wrote:
> > " The WannaCry virus only infects machines running Windows"
> >
> > http://www.bbc.com/news/technology-39896393
> >
> > Err . . . Linux
>
> While it's true that this particular exploit is dependent on a
> Windows-specific vulnerability, this is no time for smugness. There's
> a larger issue here relevant for all of us:
>
> IF YOUR SYSTEM US NO LONGER RECEIVING UPDATES, IT'S NO LONGER
> RECEIVING CRITICAL SECURITY PATCHES FOR KNOWN VULNERABILITIES.
>
> Any such system, if connected to any network that connects to the
> Internet, should be considered too dangerous to use.
>
> Doesn't matter whether it's Windows, macOS, or Linux.  Once the OS has
> reached EOL, either upgrade to a supported OS version or turn off all
> network connectivity.
>
>
> This exploit has become a global tragedy, but worse is that it appears
> to have been preventable:
>
> Microsoft issued a patch protecting against this months ago, and for
> the (shockingly large number of) machines still running XP, Microsoft
> spent literally millions over a many years reminding everyone of XP's
> EOL date and encouraging them to upgrade to a supported OS version.
>
> Apple (for reasons only they can discern but AFAIK have not disclosed)
> are less kind to their users, often stopping updates without explicit
> notice and little if any forewarning.  They do advertise when new
> versions are available, but generally haven't provided clear notice
> when EOL is reached for a given version. For example, when Snow
> Leopard reached EOL, even though some 19% of all Macs were still
> running it, no notification was provided that it would not be
> receiving patches; it simply stopped getting them.
>
> With Ubuntu, EOL date is well advertised even before a version is
> released.  That project follows a fixed release cycle in which all
> long-term support versions get exactly five years of updates, and all
> interim releases get 18 months of updates.  You know even before you
> download exactly when it will reach EOL.
>
> With all three, once you know it's reached EOL you must either
> upgrade, or put yourself and your organization at risk.
>
> If the post-EOL exploits that occurred with Best Buy and Target a
> couple summers ago didn't drive the point home clearly enough,
> yesterday's global attack should:  "What, me worry?" is not a sound IT
> policy.
>

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
Richmond Mathewson wrote:
 > What I do not understand is how organisations like the British State
 > Health System (NHS) cane be so bl**dy stupid to
 > rely on Windows, without (obviously) all sorts of safeguards.

While this specific exploit happened to be Windows-specific, this isn't
really a Windows issue.

It's a "USE A SUPPORTED OS VERSION!" issue.

 From the information available thus far, it looks like Microsoft did
their job.  They provided protection against this vulnerability months
ago, and have been warning people not to use older unsupported OS
versions for years.

If someone switches from Windows to macOS or Linux, as long as they keep
using OS versions beyond EOL they'll still be putting themselves (ansd
potentially any system they connect to) at risk.


 > Anyway, just at the moment I'm dusting off my G3 iMac running Mac OS
 > 9.2.2 with Classilla.

...hopefully without an Internet connection, since Apple stopped
patching that one a long time ago and criminals have learned a lot since
then.

--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  [hidden email]                http://www.FourthWorld.com

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

RE: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
In reply to this post by Sannyasin Brahmanathaswami via use-livecode
I still run batch processing on a pair of VAXs running Open VMS. No viruses
on these babies. They've been booted for ...

"OpenVMS V7.1  on node ALBVM1  13-MAY-2017 18:44:45.72  Uptime  921
21:52:27"
"OpenVMS V7.3-2  on node EISVM1  13-MAY-2017 19:31:56.06  Uptime  72
11:09:55"

The lame 72 days on the second VAX is only because I did not get the
generator on-line fast enough 72 days ago when I lost street power.

Ralph DiMola
IT Director
Evergreen Information Services
[hidden email]

-----Original Message-----
From: use-livecode [mailto:[hidden email]] On Behalf
Of Richmond Mathewson via use-livecode
Sent: Saturday, May 13, 2017 1:05 PM
To: How to use LiveCode
Cc: Richmond Mathewson
Subject: Re: WannaCry [OT]

I cannot afford to be smug as my Linux rig (Xubuntu 16.04 64-bit) was hosed
completely about 4 months ago and I only managed to reciver about 5% of my
files.

What I do not understand is how organisations like the British State Health
System (NHS) cane be so bl**dy stupid to rely on Windows, without
(obviously) all sorts of safeguards.

My "underpants" may have a few holes in them, but everyone knows that
Windows is more holes than underpants, and it has been quite adequately
demonstrated that Windows executables running under WINE on Linux tend to be
faster and less vulnerable to viruses.

In about 1985, when I was an undergraduate, the news about AIDS was suddenly
announced, and the TV and radio was banging on about "preventative
measures": obviously the British medical authorities know their stuff re
medical matters, but when it comes to computer systems they neither know
anything much about them, nor do they employ people who do.

----------

  Many years ago I read a science fiction book about people living in a
ploice state on Venus, which was, for the purposes of the story, a steamy,
soggy jungle planet with lots of muddy, hummocky islands in one big bog. The
rebels started communicating via AM radio (Amplitude Modulated) because the
authorities of the dictatorship had forgotten about that "old-Tech" and were
using FM (Frequency Modulated) equipment for all their communication needs.

Three days ago I got an e-mail from a chap in Ireland using a Commodore 64!

So, the answer, for us folks who don't have "endless boodle" to constantly
upgrade/update our machines, may lie in retreating into using ancient
machines . . . . so, I suppose my Summer will be spent on getting a
Winchester disc into my BBC Master Compact and sorting out how to get the
5-pin DIMM connection at the back to let me send and recieve e-mail
messages: after all, in 1989 I was using it, via Etisalat, to communicate
with various services even before the internet started.

You cannot send a virus to a BBC because the whole system resides on a ROM
chip!

Anyway, just at the moment I'm dusting off my G3 iMac running Mac OS
9.2.2 with Classilla.

Richmond.

On 5/13/17 6:36 pm, Richard Gaskin via use-livecode wrote:

> Richmond Mathewson wrote:
> > " The WannaCry virus only infects machines running Windows"
> >
> > http://www.bbc.com/news/technology-39896393
> >
> > Err . . . Linux
>
> While it's true that this particular exploit is dependent on a
> Windows-specific vulnerability, this is no time for smugness. There's
> a larger issue here relevant for all of us:
>
> IF YOUR SYSTEM US NO LONGER RECEIVING UPDATES, IT'S NO LONGER
> RECEIVING CRITICAL SECURITY PATCHES FOR KNOWN VULNERABILITIES.
>
> Any such system, if connected to any network that connects to the
> Internet, should be considered too dangerous to use.
>
> Doesn't matter whether it's Windows, macOS, or Linux.  Once the OS has
> reached EOL, either upgrade to a supported OS version or turn off all
> network connectivity.
>
>
> This exploit has become a global tragedy, but worse is that it appears
> to have been preventable:
>
> Microsoft issued a patch protecting against this months ago, and for
> the (shockingly large number of) machines still running XP, Microsoft
> spent literally millions over a many years reminding everyone of XP's
> EOL date and encouraging them to upgrade to a supported OS version.
>
> Apple (for reasons only they can discern but AFAIK have not disclosed)
> are less kind to their users, often stopping updates without explicit
> notice and little if any forewarning.  They do advertise when new
> versions are available, but generally haven't provided clear notice
> when EOL is reached for a given version. For example, when Snow
> Leopard reached EOL, even though some 19% of all Macs were still
> running it, no notification was provided that it would not be
> receiving patches; it simply stopped getting them.
>
> With Ubuntu, EOL date is well advertised even before a version is
> released.  That project follows a fixed release cycle in which all
> long-term support versions get exactly five years of updates, and all
> interim releases get 18 months of updates.  You know even before you
> download exactly when it will reach EOL.
>
> With all three, once you know it's reached EOL you must either
> upgrade, or put yourself and your organization at risk.
>
> If the post-EOL exploits that occurred with Best Buy and Target a
> couple summers ago didn't drive the point home clearly enough,
> yesterday's global attack should:  "What, me worry?" is not a sound IT
> policy.
>

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode


_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
In reply to this post by Sannyasin Brahmanathaswami via use-livecode

> On 13 May 2017, at 6:05 pm, Richmond Mathewson via use-livecode <[hidden email]> wrote:
>
> What I do not understand is how organisations like the British State Health System (NHS) cane be so bl**dy stupid to
> rely on Windows, without (obviously) all sorts of safeguards.


I recently finished a fixed term contract working for a pretty IT savvy NHS Trust.  The NHS has been forced by central government to reallocate IT (and other infrastructure) monies to front line services.  They are also trapped by legacy software with dependencies on old (and proprietary) Windows systems and software. Now obviously stupid, but actually historic stupidity which was in the 1990s disguised  as good business and standard practice.  

Not to mention the Clinical Information Systems which look and behave as if it is still the 1990’s.

Apart from that, everything is fine.

Best wishes,

David Glasgow
_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
In reply to this post by Sannyasin Brahmanathaswami via use-livecode
On 2017-05-13 19:05, Richmond Mathewson via use-livecode wrote:
> You cannot send a virus to a BBC because the whole system resides on a
> ROM chip!

Not true - if you have any persistent storage attached to a system (e.g.
your winchester disk),
and that system interacts with data which comes from outside (via the
DIMM port) then 'all' an
attacker needs to do is find a vulnerability in the code which executes
when receiving data
on that port allowing arbitrary code to be executed (which would be
hidden in the message), and
find a place it can inject itself onto your persistent storage which is
loaded into memory
and executed and the rest is history...

Of course, the amount of return you'd get on trying to hack such ancient
setups is probably
zero so you are probably fine.

However, lots of legacy systems still run mission critical
infrastructure around the globe
so age of systems has nothing to do with vulnerability - as soon as it
connects to any external
information source whether it be humans, or the internet there is
potential risk.

For example there was a whole raft of virii on Acorn Archimedes machines
- usually distributed
via tweaking the boot record of floppy discs to inject malicious code;
and around the same time
MS had to do something about AutoRun - which was the source of a great
deal of viral infections
when people handed around USB sticks without thinking.

Warmest Regards,

Mark.

--
Mark Waddingham ~ [hidden email] ~ http://www.livecode.com/
LiveCode: Everyone can create apps

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
In reply to this post by Sannyasin Brahmanathaswami via use-livecode
On 2017-05-13 16:53, Richmond Mathewson via use-livecode wrote:
> " The WannaCry virus only infects machines running Windows"
>
> http://www.bbc.com/news/technology-39896393
>
> Err . . . Linux

*cough* Heartbleed *cough* ;)

Mark.

--
Mark Waddingham ~ [hidden email] ~ http://www.livecode.com/
LiveCode: Everyone can create apps

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
In reply to this post by Sannyasin Brahmanathaswami via use-livecode
David V Glasgow wrote:

 > I recently finished a fixed term contract working for a pretty IT
 > savvy NHS Trust.  The NHS has been forced by central government to
 > reallocate IT (and other infrastructure) monies to front line
 > services.  They are also trapped by legacy software with dependencies
 > on old (and proprietary) Windows systems and software. Now obviously
 > stupid, but actually historic stupidity which was in the 1990s
 > disguised  as good business and standard practice.
 >
 > Not to mention the Clinical Information Systems which look and behave
 > as if it is still the 1990’s.
 >
 > Apart from that, everything is fine.

That's the sad reality of so many security budgets: they don't become
adequate until after it's too late.

The dependency on older unsafe software versions is one that's always
mystified me.  I once worked for a vendor whose clients included several
large hospital networks, and one of them required us to deliver our app
in a way that would maintain compatibility with IE 6, years after
Microsoft warned customers to stop using it.

Subsequent versions of a software are generally supersets of features
found in earlier versions, with the only things missing as we go forward
being bugs.

When written to spec, it should move forward gracefully.  Microsoft has
done a better job of maintaining backward compatibility than most.

So if someone writes an app that doesn't work going forward, dependent
on things specific to an outdated system, in effect their app is
dependent on bugs.

For any org to consider bug-dependent software "mission critical" should
raise eyebrows.  For a hospital it seems even more serious.

But I understand how budgets tend to gloss over things like this.  And
this week, even the most reluctant orgs do too.

--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  [hidden email]                http://www.FourthWorld.com

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
Unfortunately, there are very expensive pieces of gear that have controls
on them that for one reason or another cannot be controlled by OS's newer
than XP.  I happen to have one, here.  It cost $750,000.  There is no
dealing with the OS issue without replacing the control, and that is also
extremely expensive, on the order of $400,000, so you would not replace the
control without replacing the whole unit.  M$, when they decided to dump
the XP paradigm, just like when they got rid of DOS, broke upgradability
for ATM's, machine tools and CMM's, X-Ray and MRI machines, PBX's, etc.

On Mon, May 15, 2017 at 10:56 AM, Richard Gaskin via use-livecode <
[hidden email]> wrote:

> David V Glasgow wrote:
>
> > I recently finished a fixed term contract working for a pretty IT
> > savvy NHS Trust.  The NHS has been forced by central government to
> > reallocate IT (and other infrastructure) monies to front line
> > services.  They are also trapped by legacy software with dependencies
> > on old (and proprietary) Windows systems and software. Now obviously
> > stupid, but actually historic stupidity which was in the 1990s
> > disguised  as good business and standard practice.
> >
> > Not to mention the Clinical Information Systems which look and behave
> > as if it is still the 1990’s.
> >
> > Apart from that, everything is fine.
>
> That's the sad reality of so many security budgets: they don't become
> adequate until after it's too late.
>
> The dependency on older unsafe software versions is one that's always
> mystified me.  I once worked for a vendor whose clients included several
> large hospital networks, and one of them required us to deliver our app in
> a way that would maintain compatibility with IE 6, years after Microsoft
> warned customers to stop using it.
>
> Subsequent versions of a software are generally supersets of features
> found in earlier versions, with the only things missing as we go forward
> being bugs.
>
> When written to spec, it should move forward gracefully.  Microsoft has
> done a better job of maintaining backward compatibility than most.
>
> So if someone writes an app that doesn't work going forward, dependent on
> things specific to an outdated system, in effect their app is dependent on
> bugs.
>
> For any org to consider bug-dependent software "mission critical" should
> raise eyebrows.  For a hospital it seems even more serious.
>
> But I understand how budgets tend to gloss over things like this.  And
> this week, even the most reluctant orgs do too.
>
> --
>  Richard Gaskin
>  Fourth World Systems
>  Software Design and Development for the Desktop, Mobile, and the Web
>  ____________________________________________________________________
>  [hidden email]                http://www.FourthWorld.com
>
> _______________________________________________
> use-livecode mailing list
> [hidden email]
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



--
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
Mike Kerner wrote:

 > Unfortunately, there are very expensive pieces of gear that have
 > controls on them that for one reason or another cannot be controlled
 > by OS's newer than XP.  I happen to have one, here.  It cost
 > $750,000.  There is no dealing with the OS issue without replacing
 > the control, and that is also extremely expensive, on the order of
 > $400,000, so you would not replace the control without replacing the
 > whole unit.  M$, when they decided to dump the XP paradigm, just like
 > when they got rid of DOS, broke upgradability for ATM's, machine
 > tools and CMM's, X-Ray and MRI machines, PBX's, etc.

All systems eventually reach end-of-life.  If a vendor has enough
technical expertise to deliver hardware worth $750k, it seems reasonable
to expect that expertise would include sufficient familiarity with
system life cycles to anticipate a need for modular upgrades.

--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  [hidden email]                http://www.FourthWorld.com

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
Agreed Richard. And yet, here we are. My Dad for years had to run an old Windows 98 box because he had purchased devices and DOS applications for integrating with his radio system which would only talk directly to the device, and would not access a Windows driver to do it. We pay our money and we take our chance.

Bob S


> On May 15, 2017, at 09:28 , Richard Gaskin via use-livecode <[hidden email]> wrote:
>
> All systems eventually reach end-of-life.  If a vendor has enough technical expertise to deliver hardware worth $750k, it seems reasonable to expect that expertise would include sufficient familiarity with system life cycles to anticipate a need for modular upgrades.
>
> --
> Richard Gaskin


_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
In reply to this post by Sannyasin Brahmanathaswami via use-livecode
First and foremost, you might expect M$ to be able to deliver an OS that is
backward compatible, since they are the 800 lb. gorilla in this
conversation.  They put out the specs that all the hardware vendors built
to, before they decided to change the rules and go in a direction that
broke everything.  When all the hardware vendors were screaming, was M$
trying to build a compatibility layer?  No?  It's similar to what Apple
does every time they change the connector for their phones, just on a much
more severe level.

On Mon, May 15, 2017 at 12:28 PM, Richard Gaskin via use-livecode <
[hidden email]> wrote:

> Mike Kerner wrote:
>
> > Unfortunately, there are very expensive pieces of gear that have
> > controls on them that for one reason or another cannot be controlled
> > by OS's newer than XP.  I happen to have one, here.  It cost
> > $750,000.  There is no dealing with the OS issue without replacing
> > the control, and that is also extremely expensive, on the order of
> > $400,000, so you would not replace the control without replacing the
> > whole unit.  M$, when they decided to dump the XP paradigm, just like
> > when they got rid of DOS, broke upgradability for ATM's, machine
> > tools and CMM's, X-Ray and MRI machines, PBX's, etc.
>
> All systems eventually reach end-of-life.  If a vendor has enough
> technical expertise to deliver hardware worth $750k, it seems reasonable to
> expect that expertise would include sufficient familiarity with system life
> cycles to anticipate a need for modular upgrades.
>
>
> --
>  Richard Gaskin
>  Fourth World Systems
>  Software Design and Development for the Desktop, Mobile, and the Web
>  ____________________________________________________________________
>  [hidden email]                http://www.FourthWorld.com
>
> _______________________________________________
> use-livecode mailing list
> [hidden email]
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



--
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
In reply to this post by Sannyasin Brahmanathaswami via use-livecode
That happens all the time.

Try getting support for a golfball typewriter . . .

I couldn't get a new monitor for my BBC Master Compact and had to fool
around
with SCART sockets, RGB gubbins and a soldering iron.

But, as King Camp Gillette didn't say, but certainly implied,
planned obsolescence is what drives both commerce and development.

Richmond.

On 5/15/17 7:11 pm, Mike Kerner via use-livecode wrote:

> Unfortunately, there are very expensive pieces of gear that have controls
> on them that for one reason or another cannot be controlled by OS's newer
> than XP.  I happen to have one, here.  It cost $750,000.  There is no
> dealing with the OS issue without replacing the control, and that is also
> extremely expensive, on the order of $400,000, so you would not replace the
> control without replacing the whole unit.  M$, when they decided to dump
> the XP paradigm, just like when they got rid of DOS, broke upgradability
> for ATM's, machine tools and CMM's, X-Ray and MRI machines, PBX's, etc.
>
> On Mon, May 15, 2017 at 10:56 AM, Richard Gaskin via use-livecode <
> [hidden email]> wrote:
>
>> David V Glasgow wrote:
>>
>>> I recently finished a fixed term contract working for a pretty IT
>>> savvy NHS Trust.  The NHS has been forced by central government to
>>> reallocate IT (and other infrastructure) monies to front line
>>> services.  They are also trapped by legacy software with dependencies
>>> on old (and proprietary) Windows systems and software. Now obviously
>>> stupid, but actually historic stupidity which was in the 1990s
>>> disguised  as good business and standard practice.
>>>
>>> Not to mention the Clinical Information Systems which look and behave
>>> as if it is still the 1990’s.
>>>
>>> Apart from that, everything is fine.
>> That's the sad reality of so many security budgets: they don't become
>> adequate until after it's too late.
>>
>> The dependency on older unsafe software versions is one that's always
>> mystified me.  I once worked for a vendor whose clients included several
>> large hospital networks, and one of them required us to deliver our app in
>> a way that would maintain compatibility with IE 6, years after Microsoft
>> warned customers to stop using it.
>>
>> Subsequent versions of a software are generally supersets of features
>> found in earlier versions, with the only things missing as we go forward
>> being bugs.
>>
>> When written to spec, it should move forward gracefully.  Microsoft has
>> done a better job of maintaining backward compatibility than most.
>>
>> So if someone writes an app that doesn't work going forward, dependent on
>> things specific to an outdated system, in effect their app is dependent on
>> bugs.
>>
>> For any org to consider bug-dependent software "mission critical" should
>> raise eyebrows.  For a hospital it seems even more serious.
>>
>> But I understand how budgets tend to gloss over things like this.  And
>> this week, even the most reluctant orgs do too.
>>
>> --
>>   Richard Gaskin
>>   Fourth World Systems
>>   Software Design and Development for the Desktop, Mobile, and the Web
>>   ____________________________________________________________________
>>   [hidden email]                http://www.FourthWorld.com
>>
>> _______________________________________________
>> use-livecode mailing list
>> [hidden email]
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>
>
>

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
In reply to this post by Sannyasin Brahmanathaswami via use-livecode
The 800 lb gorilla would died of a broken thigh-bone because while
a gorilla's height may increase in one dimension, its volume and weight
will increase in
3 dimensions, and its bone cross-section in 2 dimensions, so its
thigh-bones will not
be strong enough to carry its weight: hence King Kong being a celluloid-only
gorilla.

This may well be M$'s problem . . . .

Although the way Apple behave I cannot somehow see them in the role
of Fay Wray!

Richmond.

On 5/15/17 7:48 pm, Mike Kerner via use-livecode wrote:

> First and foremost, you might expect M$ to be able to deliver an OS that is
> backward compatible, since they are the 800 lb. gorilla in this
> conversation.  They put out the specs that all the hardware vendors built
> to, before they decided to change the rules and go in a direction that
> broke everything.  When all the hardware vendors were screaming, was M$
> trying to build a compatibility layer?  No?  It's similar to what Apple
> does every time they change the connector for their phones, just on a much
> more severe level.
>
> On Mon, May 15, 2017 at 12:28 PM, Richard Gaskin via use-livecode <
> [hidden email]> wrote:
>
>> Mike Kerner wrote:
>>
>>> Unfortunately, there are very expensive pieces of gear that have
>>> controls on them that for one reason or another cannot be controlled
>>> by OS's newer than XP.  I happen to have one, here.  It cost
>>> $750,000.  There is no dealing with the OS issue without replacing
>>> the control, and that is also extremely expensive, on the order of
>>> $400,000, so you would not replace the control without replacing the
>>> whole unit.  M$, when they decided to dump the XP paradigm, just like
>>> when they got rid of DOS, broke upgradability for ATM's, machine
>>> tools and CMM's, X-Ray and MRI machines, PBX's, etc.
>> All systems eventually reach end-of-life.  If a vendor has enough
>> technical expertise to deliver hardware worth $750k, it seems reasonable to
>> expect that expertise would include sufficient familiarity with system life
>> cycles to anticipate a need for modular upgrades.
>>
>>
>> --
>>   Richard Gaskin
>>   Fourth World Systems
>>   Software Design and Development for the Desktop, Mobile, and the Web
>>   ____________________________________________________________________
>>   [hidden email]                http://www.FourthWorld.com
>>
>> _______________________________________________
>> use-livecode mailing list
>> [hidden email]
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>
>
>

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
In reply to this post by Sannyasin Brahmanathaswami via use-livecode
Mike Kerner wrote:

 > First and foremost, you might expect M$ to be able to deliver an OS
 > that is backward compatible, since they are the 800 lb. gorilla in
 > this conversation.  They put out the specs that all the hardware
 > vendors built to, before they decided to change the rules and go in
 > a direction that broke everything.  When all the hardware vendors
 > were screaming, was M$ trying to build a compatibility layer?  No?

Of course I don't know the details behind lost backward compatibility as
it may relate to a specific unnamed hardware device, but I do know that
Microsoft has earned a reputation for maintaining backward compatibility
far better than most.  Indeed, saddling themselves with that
responsibility has been a frequent complaint against the company, said
to restrict their options for innovation.

And with XP specifically, IIRC Microsoft gave everyone at least 7 years'
advance notice of XP's EOL, having announced in 2007 that it would reach
EOL in 2014.  Key vendors may have had that disclosure even earlier than
the public notice.

Is it possible that the APIs these vendors depended on were later found
to present security vulnerabilities?

It is truly impossible for these devices to deliver their functionality
using modern supported APIs?

Might it be (again, we can't know for sure until we talk with each
vendor) that they simply soldered too little RAM onto the motherboard
and provided no means of updating the OS because they weren't thinking
long-term?

Lots of questions, likely unanswerable until we learn the specific
constraints in play with each device.

If hardware vendors are looking for control over their platforms,
perhaps they should be looking at open source OSes so they have access
to the source code, ensuring that it will do always be able to do what
they need.

--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  [hidden email]                http://www.FourthWorld.com

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
In reply to this post by Sannyasin Brahmanathaswami via use-livecode
So back to what happened on Friday, in the western world, firms that have
large investments in large and very expensive pieces of gear (which, I
forgot to mention also carry lead times of 12-18 months in many cases), and
large and very expensive software systems weren't paranoid enough.  I can't
speak to what happened in the former Eastern Bloc, since they were hit much
harder than everyone else, but I suspect that glasnost has not been as good
for them as they may have hoped.  No one has mentioned it, but I have to
wonder what happened behind PRC's Great Firewall, and in DPRK.  I would
also be curious to see, over the coming weeks, how severe the effect was in
Africa.

On Mon, May 15, 2017 at 1:05 PM, Richmond Mathewson via use-livecode <
[hidden email]> wrote:

> The 800 lb gorilla would died of a broken thigh-bone because while
> a gorilla's height may increase in one dimension, its volume and weight
> will increase in
> 3 dimensions, and its bone cross-section in 2 dimensions, so its
> thigh-bones will not
> be strong enough to carry its weight: hence King Kong being a
> celluloid-only
> gorilla.
>
> This may well be M$'s problem . . . .
>
> Although the way Apple behave I cannot somehow see them in the role
> of Fay Wray!
>
> Richmond.
>
>
> On 5/15/17 7:48 pm, Mike Kerner via use-livecode wrote:
>
>> First and foremost, you might expect M$ to be able to deliver an OS that
>> is
>> backward compatible, since they are the 800 lb. gorilla in this
>> conversation.  They put out the specs that all the hardware vendors built
>> to, before they decided to change the rules and go in a direction that
>> broke everything.  When all the hardware vendors were screaming, was M$
>> trying to build a compatibility layer?  No?  It's similar to what Apple
>> does every time they change the connector for their phones, just on a much
>> more severe level.
>>
>> On Mon, May 15, 2017 at 12:28 PM, Richard Gaskin via use-livecode <
>> [hidden email]> wrote:
>>
>> Mike Kerner wrote:
>>>
>>> Unfortunately, there are very expensive pieces of gear that have
>>>> controls on them that for one reason or another cannot be controlled
>>>> by OS's newer than XP.  I happen to have one, here.  It cost
>>>> $750,000.  There is no dealing with the OS issue without replacing
>>>> the control, and that is also extremely expensive, on the order of
>>>> $400,000, so you would not replace the control without replacing the
>>>> whole unit.  M$, when they decided to dump the XP paradigm, just like
>>>> when they got rid of DOS, broke upgradability for ATM's, machine
>>>> tools and CMM's, X-Ray and MRI machines, PBX's, etc.
>>>>
>>> All systems eventually reach end-of-life.  If a vendor has enough
>>> technical expertise to deliver hardware worth $750k, it seems reasonable
>>> to
>>> expect that expertise would include sufficient familiarity with system
>>> life
>>> cycles to anticipate a need for modular upgrades.
>>>
>>>
>>> --
>>>   Richard Gaskin
>>>   Fourth World Systems
>>>   Software Design and Development for the Desktop, Mobile, and the Web
>>>   ____________________________________________________________________
>>>   [hidden email]                http://www.FourthWorld.com
>>>
>>> _______________________________________________
>>> use-livecode mailing list
>>> [hidden email]
>>> Please visit this url to subscribe, unsubscribe and manage your
>>> subscription preferences:
>>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>>
>>>
>>
>>
> _______________________________________________
> use-livecode mailing list
> [hidden email]
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



--
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
Mike Kerner wrote:
> So back to what happened on Friday, in the western world, firms that have
> large investments in large and very expensive pieces of gear (which, I
> forgot to mention also carry lead times of 12-18 months in many cases), and
> large and very expensive software systems weren't paranoid enough.  I can't
> speak to what happened in the former Eastern Bloc, since they were hit much
> harder than everyone else, but I suspect that glasnost has not been as good
> for them as they may have hoped.  No one has mentioned it, but I have to
> wonder what happened behind PRC's Great Firewall, and in DPRK.

Good luck getting any verifiable information about what goes on inside
DPRK.

As for PRC, it seems the Great Firewall only protects them from
ideological dangers, like the risks of reading the Federalist Papers,
while leaving infrastructure vulnerable:

Tens of thousands of Chinese firms, institutes affected in WannaCry
global cyberattack
<http://www.scmp.com/news/china/policies-politics/article/2094377/tens-thousands-chinese-firms-institutes-affected>


> I would also be curious to see, over the coming weeks, how severe the effect was in
> Africa.

Less so than elsewhere:

Africa least hit by WannaCry ransomware cyber-attack
<http://www.africanews.com/2017/05/15/africa-least-hit-by-wannacry-ransomware-cyber-attack/>

I'd guess this is likely because they have less traditional Internet
infrastructure and fewer PCs per capita.  Like parts of S. America, many
parts of Africa have skipped the whole POTS phase to go directly to
mobile networks, with far more phones than PCs:


Looking ahead, one way to mitigate such risks would be to share
information on known vulnerabilities as they're discovered.

Remember, WannaCry is a variant of a tool made by the US NSA, who
discovered the vulnerability but chose not to disclose it to Microsoft,
who was able to patch it shortly after it was discovered through the NSA
hack by the "Shadow Brokers" group and the NSA toolkit posted online.

Microsoft had some words over the weekend about the need for better
vulnerability reporting:

    Microsoft president and chief legal officer Brad Smith said by
    keeping software weaknesses secret, vendors are left in the dark,
    can't issue updates, and their customers are left vulnerable to
    attacks such as the one that exploded this weekend. He compared
    the leak of NSA exploits to the theft of missiles from the American
    military, pointing also to the Wikileaks dump of CIA hacking tools.

    "An equivalent scenario with conventional weapons would be the U.S.
    military having some of its Tomahawk missiles stolen. And this most
    recent attack represents a completely unintended but disconcerting
    link between the two most serious forms of cybersecurity threats in
    the world today – nation-state action and organized criminal
    action," Smith wrote in a blog post published Sunday.

    "The governments of the world should treat this attack as a wake-up
    call. They need to take a different approach and adhere in
    cyberspace to the same rules applied to weapons in the physical
    world. We need governments to consider the damage to civilians that
    comes from hoarding these vulnerabilities and the use of these
    exploits."

Microsoft Just Took A Swipe At NSA Over The WannaCry Ransomware Nightmare
<https://www.forbes.com/sites/thomasbrewster/2017/05/14/microsoft-just-took-a-swipe-at-nsa-over-wannacry-ransomware-nightmare/>

--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  [hidden email]                http://www.FourthWorld.com

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
<snip snip o' sniperama>

Governments of the world are simply never going to cooperate in this regard. If they find an advantage they will lock it down then exploit it. The public can cry out all they want. Governments will simply agree that more needs to be done to cooperate about this sort of thing, then quietly go about business as usual.

If I had this in the NSA, I would have kept it a secret and had a plan ready to deploy it if needed. Sorry, a weapon is a weapon. What we really need to do is make people who release this sort of thing into the wild disappear. The method we use is open to debate.

Bob S



_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: WannaCry [OT]

Sannyasin Brahmanathaswami via use-livecode
In reply to this post by Sannyasin Brahmanathaswami via use-livecode
On Tue, May 16, 2017 at 3:13 AM, Richard Gaskin via use-livecode
<[hidden email]> wrote:
>
> Might it be (again, we can't know for sure until we talk with each vendor)
> that they simply soldered too little RAM onto the motherboard and provided
> no means of updating the OS because they weren't thinking long-term?
>
Hmmm sounds so simply, but I think when you are talking about any
machine worth more than $1000, especially from any reputable provider
(i.e. one that would win a government contract) then a huge amount of
thought and design has gone into all the compromises necessary to
achieve the 'current objective' whilst achieving an acceptable ROI. In
every case, I'm sure there'd be a desire to make it more modular, add
more RAM, add more software features, or make it smaller or lighter,
but just like the other Post about Tom Pitman and his need to reduce
257bytes of code down to 256 because that was all that was physically
available; there will always be some constraint where today's
technology and hindsight make it easy to say  'if only they did
this/that/the other'.
>
> If hardware vendors are looking for control over their platforms, perhaps
> they should be looking at open source OSes so they have access to the source
> code, ensuring that it will do always be able to do what they need.
>
Again it sounds good but my own prediction is that open source OSes
for 'the internet of everything' will be opening the floodgates for
exploitations that will effect a wider portion of the community, more
and more often. I'm particularly thinking of cheap Chinese smart
phones and TVs. My parents have gone through several cheap Chinese
smart phones (Huwei to name one brand) that have all ended up getting
to an OS version and then can no longer be upgraded. The phone still
makes phone calls; no software makes a phone conversation any better.
That's all my parents, and the vast majority of the population needs.
They are not going to buy another phone just because the OS has EOLed.
The phone gets upgraded only when it's no longer fit for purpose -
battery doesn't last long enough. Same with Smart TVs but on a much
worse scale. Few companies, and certainly no cheap Chinese brand
company has any interest, once they've sold you a TV and made a slim
margin of profit on it, in keeping the OSes up to date. How often does
Linux get a security update, yet how often does your Smart TV tell you
you need to update it's Linux based OS? You really think the
population is regularly going to check the Smart TV Firmware date and
as soon as it gets to the point it no longer can be updated, or is
6/8/12 months behind Linux, they'll trash it and buy a new one? In
most cases it's not even the device that tells you it's OS has EOLed,
it's some other vendor's software (Google Maps/Neflix) that tells you
you can't download the latest version because you aren't running the
latest OS.

Cars, cameras, fridges and a whole heap more are starting to run
Linux/Android and be network connected; unfortunately the bottom line,
not security, is the driving factor for this choice. As I said, I
predict this will increase the number of EOLed OSes available to
unscrupulous entities to exploit.

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
12