Wanna Cry? Me too

  • Comments posted to this topic are about the item Wanna Cry? Me too

    ----------------------------------------------------
    The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood...
    Theodore Roosevelt

    The Scary DBA
    Author of: SQL Server 2017 Query Performance Tuning, 5th Edition and SQL Server Execution Plans, 3rd Edition
    Product Evangelist for Red Gate Software

  • Grant, first off let me compliment you on your editorial - nice job.  Let me next tell you that my Windows 10 Pro updates itself and restarts whenever it wants to, and that pisses me off.  It seems like more often than not, I had something I was working on that I forgot to save and the most recent block of changes gets lost.  I've gotten past blaming Microsoft for it and become more aware of my saving before I hop up to do whatever it is that needs to be done.  After all, I'm the one who didn't save before stepping away from the machine.  I save frequently as a matter of habit while working on something, but not when I set it down.  I don't know how I developed that habit, but it's gone now.

    Nonetheless, I don't like the way Windows 10 forces updates on people.  I have Windows 10 Pro, so I've configured updates to wait.  The normal version (my wife's laptop) doesn't have that luxury.  I know Microsoft tests out the updates by distributing them to the public, but I strongly disagree with their approach.  I think testing should be done before releasing them to the masses and not forcing paying customers to do field testing for them before pushing them to the pro (or business) users.  What would happen if we took that approach with the software we write?  We'd be fired.  SQL 2014 SP1, anyone?  The original release was a disaster.

    That said, I'm forced to agree that we need to keep our systems up-to-date.  There's more and more hacks, ransomware, downright nasty viruses and malware being released than I can remember at any point in history.  If they keep ahead of it, or at least on top of it, then they're doing their job.

    I could make a case for designing a secure system in the first place so there wouldn't be all these security holes that need patching, but then everyone would have to configure their own systems from the ground up, everyone would suffer and eventually move away from Windows and iOS.

    The same could be said for designing secure systems for any company, but all you have to do is read or listen to the recent news to know that isn't being done either.  Either we, as an industry, get in front of the security problems plaguing our industry, or it will have to change radically.  As Jeff says "Change is inevitable.  Change for the better is not."

  • Hi,
    There are always going to be bad guys who like to take advantage of others or of companies; that's the point. Microsoft and other software companies have to improve their update management. For example, Linux has a very interesting scheme via its repositories, but the main effort should be made in prevention and education. With the power that comes with every new OS or new software version also comes a big responsibility; sometimes you learn that as a fact of life.
    Best regards

  • Why is nobody talking about going after these ransom people?
    Globally. 
    Just get them and punish them severely. 
    Instead of that, what happens ?
    AV market rises. 
    I wonder.

  • Ed Wagner - Saturday, June 3, 2017 1:36 PM

    Grant, first off let me compliment you on your editorial - nice job.  Let me next tell you that my Windows 10 Pro updates itself and restarts whenever it wants to, and that pisses me off.  It seems like more often than not, I had something I was working on that I forgot to save and the most recent block of changes gets lost.  I've gotten past blaming Microsoft for it and become more aware of my saving before I hop up to do whatever it is that needs to be done.  After all, I'm the one who didn't save before stepping away from the machine.  I save frequently as a matter of habit while working on something, but not when I set it down.  I don't know how I developed that habit, but it's gone now.

    Nonetheless, I don't like the way Windows 10 forces updates on people.  I have Windows 10 Pro, so I've configured updates to wait.  The normal version (my wife's laptop) doesn't have that luxury.  I know Microsoft tests out the updates by distributing them to the public, but I strongly disagree with their approach.  I think testing should be done before releasing them to the masses and not forcing paying customers to do field testing for them before pushing them to the pro (or business) users.  What would happen if we took that approach with the software we write?  We'd be fired.  SQL 2014 SP1, anyone?  The original release was a disaster.

    That said, I'm forced to agree that we need to keep our systems up-to-date.  There's more and more hacks, ransomware, downright nasty viruses and malware being released than I can remember at any point in history.  If they keep ahead of it, or at least on top of it, then they're doing their job.

    I could make a case for designing a secure system in the first place so there wouldn't be all these security holes that need patching, but then everyone would have to configure their own systems from the ground up, everyone would suffer and eventually move away from Windows and iOS.

    The same could be said for designing secure systems for any company, but all you have to do is read or listen to the recent news to know that isn't being done either.  Either we, as an industry, get in front of the security problems plaguing our industry, or it will have to change radically.  As Jeff says "Change is inevitable.  Change for the better is not."

    WRONG! Your wife can set active hours and Windows 10 won't update during those hours. I know it's a (small) cost, but if it's really that much of an issue why not do an anytime in place upgrade to Pro on her machine?
    MS do test this stuff out both internally and externally. The external stuff is called Windows Insider; there are 3 rings: fast (bleeding edge, expect bugs), slow (more stable, still probably bugs), release preview (stable, probably no bugs; you get it roughly 2 weeks before it goes live to everyone else, so there is still time to send bug reports via the Feedback Hub app - this is what I run both at home and at work).

    For any piece of remotely complex software, saying "design it securely" as if MS decided "hey, you know what, let's put some holes in this" is the kind of uneducated nonsense that drives me mental. MS obviously try to, but it isn't that simple; if it were, there wouldn't be security flaws found in Windows, macOS, Linux, Android or iOS - but there are, because it's not that simple!

  • Mostly agree with you Grant.  Poor decision making and then the work effort to correct it getting ever larger over time.  A stitch in time saves 9, 81, 729 etc....

    However... some of the systems hit by WannaCry were extremely expensive bits of kit for which the control system was Windows XP.  The market for MRI scanners isn't that big so the software that runs them is unusually expensive.  In such cases does the vendor actually provide an update and if so do they provide it at a reasonable cost?
    I can well see someone balking at a £20K fee to update an MRI scanner.

    Perhaps the explosion in the IoT market will cause all hardware system vendors to make upgradeability and patchability a fundamental capability of their products.

  • Hi Grant, yes I do want to cry. When? When I see the dreaded pop-up telling me there are updates for Windows. Why? Because Microsoft is still, after literally decades, unable to design a decent update system that won't take hours and f***ing disclose what the hell it is doing!!
    Sorry for the language but I am really in distress over this one, no wonder everybody out there is disabling updates. And forcing updates on you (see Windows 10) is not the solution unless you also work on streamlining and updating the horrible mess that is Windows Update! To be fair I have to say that on Windows 10 the situation is slightly better, but it is still light years behind Linux.
    Note that I am one of those who DO apply updates, especially because I know how fragile MS systems are, so I do not want to be caught off-guard when I'm forced (ouch) to use those OSes.
    Another reason is that I'm frequently the one who has to do the dirty work when friends/relatives manage to **** up their systems, and 90% of the time the first thing they do on their new computer is disable automatic updates.

    Another thing you're not considering is that, at least here in Italy, not everybody has affordable broadband access to the internet. Microsoft forces you to download huge updates and there are still a lot of people who cannot afford that.

    Last but not least: data centers. I am working in a big data center and obviously we have to be very careful about keeping our systems updated. That's not my chore, fortunately, but I hear frequently from my colleagues who are tasked with that chore. The fact is that you CANNOT use automatic updates when you're working with servers in a data center. Nobody does it, of course. We all have other ways to deploy fixes to dozens of servers and desktops, but that's not the point. The point is that you have to be extra careful about what you deploy, because Microsoft (and other providers too) occasionally deploys fixes which will wreak havoc on your servers/desktops. So you really can't be all that up-to-date, because you have to review the updates and that takes time.

    As a Linux user, I can tell you that professional Linux systems (talking RedHat and SUSE) do multi-gigabyte updates in a fraction of the time it takes for MS systems, and most of the time they don't even force you to restart the updated system! Well, actually ANY Linux system does this, but with the aforementioned systems you can also be quite sure about what is being deployed, that it won't destroy your server. And if there is a chance it will, you get warned before. And while it is updating, you actually SEE what it is doing, instead of staring for hours at a window that tells you nothing, with the progress meter STALLED on an otherwise COMPLETELY IDLE system and wondering WHY OH WHY!!!

    OK, I guess you got the message 🙂
    Regards
    Cris

  • Windows Update is such a pain to go through that no one does it? Yes, clearly the customers are wrong! 

    Seriously, I had Windows 10 set to update at 3 AM. So why did it restart my PC at 7 PM, when I was actively playing an online game, to do its 20 minute update process? Automatic updates got turned off; now I let it download and whenever I restart I let it install them. It *IS* Microsoft's fault, 100%. My browser is always at the latest version because the update is silent and painless. Don't blame your customers if you make a bad product and they make the best use of it they can.

    Our job as tech professionals is to make technology easy for lay people. You're never going to nag normal folks into using a bad process, and it's much harder than making a better process anyway.

  • Everyone,

    Thanks for all the wonderful feedback. I appreciate the discussion.

    I will add one point to the editorial. I'm not a fan of how Microsoft handles their updates. It kinda sucks and really ought to be changed and improved. No argument.

    That said, it's the process we have. Yes, we should lobby for change (or decide to go elsewhere if Linux really does solve each and every possible problem ever presented by Microsoft), but until the change gets here, it's still on us to ensure we get the updates done, however difficult or problematic they may be. 

    However, everyone has been jumping up & down on the update process. I haven't seen but one instance of anyone addressing the fact that people are still running fifteen year old (or worse) software. Upgrades are a necessary cost of doing business in this modern age. I know companies are choosing to skip that cost, but they're just going to pay an even higher cost if they get hit with one of these viruses (or even a long resolved bug).

    ----------------------------------------------------
    The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood...
    Theodore Roosevelt

    The Scary DBA
    Author of: SQL Server 2017 Query Performance Tuning, 5th Edition and SQL Server Execution Plans, 3rd Edition
    Product Evangelist for Red Gate Software

  • ...Another thing we can all get mad at Microsoft about is that they’re not supporting Windows XP any more with patches and fixes (although they did issue an unprecedented patch for this one). Same thing goes for all those SQL Server 2000 instances. Once again, I’m saying that the problem here is on you. If you’re using twenty year old technology, but expecting Microsoft to maintain it for you, you’re probably getting set up for pain because they’re not going to do it and (my opinion) nor should they...

    Yes, a lot of folks keep kicking the upgrade can down the road, and there are a surprisingly large number of 2000 era servers and workstations still out there in production today. Back in 1998, we (or at least I) didn't see 1978 era technology in the workplace, because the digital wing of most IT departments was only a decade old, and there had been a move from command line interface based operating systems to Windows in the interim that offered an obviously superior improvement in terms of end user experience. However, there (arguably) haven't been any radical improvements in PC or server operating systems over the past 15 - 20 years or so, or at least nothing comparable to the move from MS-DOS to Windows 95. In the 21st century, Windows / iOS / Linux / Android is just a background shell, and most folks don't expect much from it other than that it host their apps and perform well. You really have to be a technology geek if you're holding your breath waiting for the next release of any vendor's OS, while most regular folks just aren't motivated to upgrade their OS.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Tossing in my 2c worth...

    To everyone bashing on MS and the update process, what would you have them do?  If they don't force installation of updates, then you get something like WannaCry, people bash them for having an insecure OS and ask why they don't make it so people are forced to keep it up-to-date.  If they force the installation of updates (Win10), then when the update install process gets the time to restart wrong, people bash them for forcing updates on them.
    When people don't install updates on servers because a reboot is required and that gives malware a foothold, people bash them for a piss-poor update process and updates that break systems (now be honest, when's the last time you had an MS update break a *SERVER* beyond any recovery?)

    Could the process be better?  Absolutely!  I hate having to reboot my servers once a month after updating (and we're required to have all current updates within a couple weeks of release,) but MS is stuck dealing with design decisions made back in the Windows 1.0 days (well, OK, maybe Win95 / NT3.5)  Could MS make changes to the OS and how it handles files to enable Linux-style no-reboot updates?  Probably, but then they'd likely have to change other parts of how the OS handles things, causing problems (breaking if you prefer) existing applications people use until those get updated, causing yet again people to bash the update process (what do you mean my mission-critical application won't work on Windows Don'tNeedToRebootAfterUpdates unless I buy the newest version from the vendor that supports the changes?  That's it we're going to [insert OS of choice] instead!)  Linux was able to say from the start "legacy applications?  What legacy applications, we're a brand-new OS that no one has ever seen before!"  MS is stuck with "Company XYZ who spends the GDP of Bulgaria every couple of years on MS licensing still has to be able to run this application from 1991, so we need to keep in the bits that it requires."

    Finally, to anyone saying that the MS update process makes them not apply updates because it sucks / is broken / they don't want to reboot / whatever.  So the update process is standing over you with a gun to your head telling you to not update?  YOU are making a conscious choice to not find the time to test and apply those updates.

    Frankly, I think Grant had the right of it: it wasn't MS's fault WannaCry spread and did as much damage as it did, it was the businesses / end users / sysadmins for not keeping up-to-date on patches and for not keeping on an OS that is supported.  Yes, I realize medical equipment tends to be a special case (you spent $1.5M on an MRI, you're going to keep that thing running until it falls apart, and any change requires re-certification with the appropriate certification body,) but even those can be kept more secure (separate, non-internet connected network maybe,) but again, it falls to the user to ensure their own security.

  • Grant is absolutely correct.

    Microsoft could do lots to improve the update process. I've had Win10 updates that took hours when I thought it would be a few minutes; no reliable notification to know if it's still installing; annoying popups on servers.  BUT...

    This is really about PROCESS. Go ahead, turn off automatic updates. Why don't you have a PROCESS/PROCEDURE to run updates during an approved maintenance window monthly? Or bi-monthly... or even quarterly?

    WannaCry was patched in MARCH; the exploit appeared in MAY. THERE IS NO EXCUSE.
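    The post above boils down to one question a sysadmin should be able to answer for every Windows host: when was it last patched, and is it still exposed? The following PowerShell script is an added example, not code from the thread or from its author. It reports the newest installed update on each host, flags hosts whose last update is older than a threshold, and reports whether the SMB1 server protocol is still enabled (WannaCry spread over SMB, which the thread does not itself spell out). The 30-day threshold, the WinRM reachability of the remote hosts, and the host list are my assumptions; the cmdlets used (Get-HotFix, Get-SmbServerConfiguration, Invoke-Command) are standard. Note that Get-SmbServerConfiguration only exists on Windows 8 / Server 2012 and later, so the Windows XP boxes discussed elsewhere in this thread cannot be audited this way at all, which is rather the point about unsupported systems.

```powershell
# Added example, not from the thread: audit patch currency and SMB1 exposure.
# Assumptions (mine): remote hosts accept WinRM (Invoke-Command); a 30-day window
# roughly matches the "current within a couple of weeks" policy quoted in the thread.
param(
    [string[]] $ComputerName = @($env:COMPUTERNAME),
    [int]      $MaxAgeDays   = 30
)

# Runs on each target host. Returns one object per host.
$audit = {
    param([datetime] $Threshold)

    # Get-HotFix lists installed updates; InstalledOn is blank for some entries, so drop those.
    $newest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # SMB1 server state; the cmdlet is missing on pre-2012 systems, so report 'unknown' there.
    $smb1 = try {
        (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        'unknown'
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        OSVersion    = [System.Environment]::OSVersion.Version.ToString()
        NewestHotFix = if ($newest) { $newest.HotFixID } else { 'none' }
        InstalledOn  = if ($newest) { $newest.InstalledOn } else { $null }
        # Stale if nothing dated is installed, or the newest update predates the threshold.
        Stale        = (-not $newest) -or ($newest.InstalledOn -lt $Threshold)
        SMB1Enabled  = $smb1
    }
}

$threshold = (Get-Date).AddDays(-$MaxAgeDays)

$results = foreach ($computer in $ComputerName) {
    try {
        if ($computer -ieq $env:COMPUTERNAME) {
            & $audit $threshold                     # local host: no remoting needed
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $audit `
                           -ArgumentList $threshold -ErrorAction Stop
        }
    } catch {
        # An unreachable host is treated as stale: you cannot prove it was patched.
        [pscustomobject]@{
            Computer = $computer; OSVersion = $null; NewestHotFix = $null
            InstalledOn = $null; Stale = $true; SMB1Enabled = 'unreachable'
        }
    }
}

# Stale and SMB1-enabled hosts float to the top of the report.
$results | Sort-Object Stale, SMB1Enabled -Descending | Format-Table -AutoSize
```

    Run it as `.\Patch-Audit.ps1 -ComputerName srv01,srv02 -MaxAgeDays 14` (script name and host names are placeholders) from a host with WinRM access. Treating "unreachable" as stale is deliberate: in an incident, a host you cannot audit has to be assumed unpatched until proven otherwise.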

  • David.Poole - Monday, June 5, 2017 1:23 AM

    Mostly agree with you Grant.  Poor decision making and then the work effort to correct it getting ever larger over time.  A stitch in time saves 9, 81, 729 etc....

    However... some of the systems hit by WannaCry were extremely expensive bits of kit for which the control system was Windows XP.  The market for MRI scanners isn't that big so the software that runs them is unusually expensive.  In such cases does the vendor actually provide an update and if so do they provide it at a reasonable cost?
    I can well see someone balking at a £20K fee to update an MRI scanner.

    Perhaps the explosion in the IoT market will cause all hardware system vendors to make upgradeability and patchability a fundamental capability of their products.

    Frankly, how is that Microsoft's problem? They didn't sell the customer anything. They sold the MRI vendor software with a known life cycle. They supported the software through the lifecycle. The MRI vendor (in the UK's case) went out of business.  Microsoft didn't buy the support contract from the now out of business vendor.

  • peter.row - Monday, June 5, 2017 1:17 AM

    Ed Wagner - Saturday, June 3, 2017 1:36 PM

    Grant, first off let me compliment you on your editorial - nice job.  Let me next tell you that my Windows 10 Pro updates itself and restarts whenever it wants to, and that pisses me off.  It seems like more often than not, I had something I was working on that I forgot to save and the most recent block of changes gets lost.  I've gotten past blaming Microsoft for it and become more aware of my saving before I hop up to do whatever it is that needs to be done.  After all, I'm the one who didn't save before stepping away from the machine.  I save frequently as a matter of habit while working on something, but not when I set it down.  I don't know how I developed that habit, but it's gone now.

    Nonetheless, I don't like the way Windows 10 forces updates on people.  I have Windows 10 Pro, so I've configured updates to wait.  The normal version (my wife's laptop) doesn't have that luxury.  I know Microsoft tests out the updates by distributing them to the public, but I strongly disagree with their approach.  I think testing should be done before releasing them to the masses and not forcing paying customers to do field testing for them before pushing them to the pro (or business) users.  What would happen if we took that approach with the software we write?  We'd be fired.  SQL 2014 SP1, anyone?  The original release was a disaster.

    That said, I'm forced to agree that we need to keep our systems up-to-date.  There's more and more hacks, ransomware, downright nasty viruses and malware being released than I can remember at any point in history.  If they keep ahead of it, or at least on top of it, then they're doing their job.

    I could make a case for designing a secure system in the first place so there wouldn't be all these security holes that need patching, but then everyone would have to configure their own systems from the ground up, everyone would suffer and eventually move away from Windows and iOS.

    The same could be said for designing secure systems for any company, but all you have to do is read or listen to the recent news to know that isn't being done either.  Either we, as an industry, get in front of the security problems plaguing our industry, or it will have to change radically.  As Jeff says "Change is inevitable.  Change for the better is not."

    WRONG! Your wife can set active hours and Windows 10 won't update during those hours. I know it's a (small) cost, but if it's really that much of an issue why not do an anytime in place upgrade to Pro on her machine?
    MS do test this stuff out both internally and externally. The external stuff is called Windows Insider; there are 3 rings: fast (bleeding edge, expect bugs), slow (more stable, still probably bugs), release preview (stable, probably no bugs; you get it roughly 2 weeks before it goes live to everyone else, so there is still time to send bug reports via the Feedback Hub app - this is what I run both at home and at work).

    For any piece of remotely complex software, saying "design it securely" as if MS decided "hey, you know what, let's put some holes in this" is the kind of uneducated nonsense that drives me mental. MS obviously try to, but it isn't that simple; if it were, there wouldn't be security flaws found in Windows, macOS, Linux, Android or iOS - but there are, because it's not that simple!

    Yep, patches are very well tested before they go out. There's a massive QA test that they have to pass, then they go through the insider releases.  It's not like the developers can just commit code and push it to the world without code review, testing, etc.

  • There are a lot of folks with non-genuine (unlicensed and/or unregistered) installs of Windows. Even today, weeks after Microsoft supplied a fix for the wannacry exploit and a legitimate upgrade path to Windows 10, they'll decline the offer and choose instead to tighten up their firewall and continue living on the murky fringes of IT society. For some, free pirated software is just as addictive as heroin and no amount of education or pain will stop them.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

Viewing 15 posts - 1 through 15 (of 35 total)