61 comments

[ 3.4 ms ] story [ 115 ms ] thread
Cause the users dont know what they are actually buying. They go for superficial signs of quality - like weigth, design, surfacepolishing and nice UI.

Security of a object is a thing you can only evaluate the day it turns around and snaps at you.

Now the default american solution for this, would be to have a "Late-Adopter" plugin, allowing to install "Additional" Gated-Comunity-Security for the rich - and let the mob become one huge botnet, held back by aggressive campaigns of bricking whole device classes remote should they be a threat to the "devices" in the better neighbourhoods.

Unfortunatly the rest of the world is either too poor or unwilling to follow this model, which means we are going to see a regulated, securty TÜV checked model in europe and japan, state regulated devices in china & russia - and a wild west everywhere else.

I would say the reason the world is getting hacked is quite simple: OS vendors are asleep at the wheel. Instead of actually improving their OS platforms, they're instead turning them into web browsers and game engines - while all the vital services that a modern OS should provide are being ignored in the rush for control.

Take for example, the Fappening. This was possible because iCloud. iCloud is only necessary - like Dropbox and other services like it - because OS vendors decided they didn't want people to have control over their content, using their local computers - that it was 'easier' to provide servers dedicated to the purpose, than to actually add dedicated file sharing to the individuals' computers.

(There are no really good reasons why your modern PC can't serve its own content - especially in this era of bandwidth and monster CPU power. We hosted the 90's Internet on far less powerful computers than your average mobile phone, with less bandwidth too.. the point is, the protocols.)

So I honestly think that OS vendors need to be forced back behind the wheel to make our computers better, and the "network is the computer" business model needs to die. This was always a terrible idea, formed on the basis of an accountants wet dream, and should be forgotten as soon as possible. Instead, lets build better computers, simple as that. Computers that are actually safe to use because they've been designed that way, from the get-go. The cloud must die.

How do you force them back to the wheel?
The same way you handle every 'new' world order, of course .. you build another one right on top.

i.e. IPFS, Akasha, Ethereum, etc. These need to become first-class services in a default OS install. Then, maybe, we'll start evolving again ..

Wanting smartphone providers to provide less cloud backups is an interesting suggestion, considering I usually hear the exact opposite. Usually in the context of travelers being forced to give up their phone password at the airport there are suggestions that people wipe their phone before leaving then restore after arriving. Then there are complaints that current smartphones make this too difficult.
To howls of outrage, I have suggested to several companies that we simply disconnect from the public Internet. People programmed before cut-and-paste-from-SO was a thing after all. Obviously the web servers in the DC need to be accessible but the desktops in the office, or the critical bits of infra like DB, file servers and so on, nope.

Anyone who wants to surf can easily do so on their personal smartphone with no risk to corporate systems. No one has ever been able to put together a coherent rebuttal to my proposal, yet still the PCs remain connected and still people click things they shouldn't...

> People programmed before cut-and-paste-from-SO was a thing after all.

I've always considered SO to be more a sign of devolution than anything else. It hasn't produced better programmers - just more programmers. Is that better?

SO, although can be misused via copy & paste to production, is one of the greatest productivity boost I've ever had ( I'm 15+ years of experience ).

Sure I remember having lots of fun with Turbo Pascal and paper books, as well as Perl and `man perlre`, but nevertheless there is always one weird error that will cost you half a day of debugging, which nowadays is replaced with 5 minutes googling.

SO community are doing fine job with preventing bad code left without the warnings, but anyway I think SO delivered more to programming than it actually took.

I think the SO mentality leads to lazy developers who depend too much on the wisdom of others and don't do enough to push their own forward. Too many times I've seen "tech departments" sitting around, incapable of doing anything productive, because "the internet is down". This is a real issue, and I wish it got a bit more attention from the cognescenti .. we are producing generations of robotic developers who can't get anything done without hand-holding...
Someone actually said, we can't all be super-genius programmers who can program without Google. But that was the norm when I started, and I'm only in my 40s. A copy of W Richard Stevens and a copy of K&R is all you needed for 99% of real work.
It's made more people with the job title (or description) of programmer. That's not the same thing at all.
> ...started, as it often does, with a defect in software, a bug.

It all started with poor ethics. Every single version of Microsoft Windows have intentionally left backdoors for NSA and some hackers knew how to use it. This is like you pay some money and buy a house, but the previous owner keeps backup keys to watch you. And some others get the backup keys, kick you out of your own home unless you pay them.

This is such a shame for Microsoft, NSA and American government. People trusted Microsoft products and purchased them, in return, Microsoft wanted more than money; they wanted to spy them for their ideological goals.

>Every single version of Microsoft Windows have intentionally left backdoors for NSA and some hackers knew how to use it.

Is there any proof of this?

Have you followed the news at all ?
(comment deleted)
I have somewhat. I don't recall hearing "every single version of Microsoft Windows have intentionally left backdoors for NSA".
For last 15 years Microsoft keeps same "bug" in their every single operating system, even after rewriting it bunch of times. Noone except NSA knew about this bug until their tools got leaked, for 15 years. Can you believe it ? Somehow, only NSA discovered and used this bug. And you're gonna sit in your chair and ask for proof. People like you easily get manipulated by shit organizations like CIA and Microsoft because they can get proof of the color of your poop, unlike me. I don't have a proof, but just use your critical thinking skills. If you got any.
I don't think there is any proof regarding Windows.

However, NSA is strongly suspected of (known to?) having backdoored the Dual_EC_DRBG pseudorandom generator by inserting into the standard numeric parameters which allow cracking by those who generated them (i.e. the NSA).

https://en.wikipedia.org/wiki/Dual_EC_DRBG

This algorithm ended up in certain Juniper firewalls and a year ago turned out to have been covertly re-backdoored by unknown actors who replaced NSA's parameters with their own.

https://rpw.sh/blog/2015/12/21/the-backdoored-backdoor/

There was also another low-tech backdoor in these routers, again not clear who did it.

Snowden documents show that they have a budget allocated to the backdooring of cryptographic standards and products:

http://www.nytimes.com/interactive/2013/09/05/us/documents-r...

The world gets hacked because programmers make mistakes, and their management cannot evaluate those mistakes -- if only for no other reason that sometimes it isn't even obvious they made a mistake until a couple years later.

Users have been fooled: Turn it off and on, is a reasonable and well-known troubleshooting guide, but nobody blames the software vendor. If I'm on the phone with a company and they tell me to turn it off and on, I can't even point out "so you sent me something defective?" this is normal folks.

Maybe we need to teach programming younger and younger -- and it'll take two or three generations to become common enough that management will actually understand what I'm doing. Or maybe we need awareness campaigns to keep users from putting up with shit experiences!

Or maybe someone has some other idea, but the major barrier exists: We don't know how to program computers, and saying that out loud makes a lot of people with the job-title (or description) of programmer clam right up.

You are dead wrong in everything. To start with, your analogy is bad. You cannot compare psychical items with software. When you buy a car do you expect it to run and last forever? Software does, so you can see immediately that it's not a good analogy.

Large systems are extremely complex but even so we have process, tools and methods to build reliable, verifiable and bug free code. What is stopping us from using them for every piece of software is the cost.

Consumers are happy with the status quo of quality/cost.

> Consumers are happy with the status quo of quality/cost.

Consumers cannot understand the cost because they are not programmers.

I don't understand the rest of your post. I'm not making an analogy to any psychical [sic?] items, physical items, or any other kinds of items.

Maybe not exactly "cannot", but they often don't because the really big costs of shit software are rarely paid and to many users it hasn't happened yet, so it is easy to miss them until you find all of your files encrypted by ransomware and suddenly need to figure out this new bitcoin thing.
I think that's exactly the definition of "cannot".
I think I could point you to a dictionary at this point but let's agree on "it's sufficiently hard and unlikely that in practice they pretty much effectively cannot" :)
> When you buy a car do you expect it to run and last forever? Software does, so you can see immediately that it's not a good analogy.

1. Software currently has a lot shorter life expectancy than physical items, due to how fast ecosystem changes (bitrot). SaaS model shortens that even further.

2. In fact, as a consumer, I'd expect a car to last a lifetime, if properly maintained. That I can't is a testament to throwaway economy we've created.

> if properly maintained

That maintenance is not free, in terms of both money and time. Anecdote time: the most maintainable vehicle I had the displeasure to own required a yearly investment of several dozen hours to grease the multitude of bearings via zerks located all throughout the chassis. The seats wore out, the heating system sprung a leak, consumables were consumed... all were fixable, but only when given an appropriate application of money and time.

Sure, that truck is still running to this day, but very rarely used - because it's simply 2-3x less fuel efficient than a newer (but still 5 years old) vehicle, and the cost-benefit ratio of maintaining it is far too high.

How much money are we willing to put into the maintenance of software? Reading through the comments of this thread - very little. If we were interested in paying, you can be fairly sure there would be a player in the industry willing to make those fixes for an appropriately large amount of money - commensurate with the time and effort required to understand and fix a 45M line codebase.

Hopefully governments will one day take GNU/Linux based OS & Software. I know, I know ... Linux for Desktop is hard, but it seems like making exploits are harder than doing the same for Windows ( maybe hacker focus is on windows, who knows. ).

Anyway money equation I think is quite simple :

Why buy Windows, when you can use Linux and buy backup infrastructure.

Why would anyone spend effort to develop ransomware to target OS that is used mostly on servers, by computer professionals and enthusiasts, and in organizations that are managed by admins that are willing to put extra work to support not-standard solution?
To collect a ransom from the corporations that depend on these servers, and from those well-paid computer professionals?
Not worth the effort, as end-user systems offer more gain (and the same corporations you mention also need those end-user systems for their employees to do their work).
The recent attack on the NHS targeted Windows XP. I dare you to run a Linux distro from 2001 and tell me its secure from modern attacks.
I run a distro from 1998, it's entirely secure as it has zero network access except via serial port to the CNC it controls.
... Windows XP Would be just as secure with zero network access. What's your point here?
The point made is that there are plenty of ways to secure older machines, some of them plainly obvious.
To boot, I have two machines, 2000 and XP, and they can't be touched. Why? Ports I know will not be used are locked down, both systems have their firewalls configured on top of that, and those machines only access certain sites in a non-HOSTS file that Windows cannot bypass like it can in newer versions because it's in the router, an older one which they cannot touch.

And no UEFI Windows Partition driver BS, either! Get with the old times, people, before needing Ring 5+ mitigation, when people would actually FIX THEIR HARDWARE.

Although one can argue it's a configuration feature.

Having proper multiuser envrionment is already a huge security win.

That's about the time I installed my Debian system that I am still using today. I updated it continuously over the years, but have never re-installed. I wouldn't say it is secure from all modern attacks, because no system is. But it was never obsoleted.
You can update Windows installations as well. People run Windows XP either because they like its interface or they don't want to risk upgrading. Linux doesn't help with either case. If I liked Debian 3.0, I don't have an easy option to run it with all modern security updates now.

The only thing that Linux has is free as beer. Many people don't want to spend money on buying new Windows and Windows XP works for them just fine. Linux could certainly help here.

Actually, KDE 3 is still being supported. And it was released at the same time as the Windows XP Media Center Edition (which was EOL in 2014)
Another reason people don't upgrade is because new versions obsolete old hardware. Windows XP can run fine on machines Windows 8 wouldn't even boot on, and even for me, throwing away a perfectly good piece of hardware just to upgrade to a newer OS is kind of shitty idea.
The cost of the OS license is basically a rounding error in the TCO any serious computing environment. It's simply not relevant to this discussion. BTW an enterprise RHEL license cost more than a Windows license last time I checked...
You are comparing upgrading a system with going to the store and buy a new operative system and saying its the same thing. Windows vista was not a Windows XP update, and in theory they could have nothing in common but the name and the publisher.

There need to be a meaningful distinction between a software update for a product and a new product. For a operative system, hardware requirement and driver support is quite critical.

As a small testament to this, I had a server which hardware initial had 3.0 Woody as the version and ran until 6.0 Squeeze, at which point the motherboard gave up.

There is the big difference that I am in control of my UI. My UI hasn't changed in something like 15 years, other than tweaks I made and features added that I can use or not.
Its a flawed comparison.

- The value of Linux is the very thin cost of update (OS and applications).

- 1t the cultural level, *nix users are much more tempted to find solutions rather than keep dangerous attack surface running.

- Linux runs on old hardware easier, kernel supports old arch, user space is less demanding and doesn't tie you with graphical hardware capabilities for the sake of market share. Linux Mint XFCE is my go to graphical distro for anything even from the XP days (it's butter smooth on a LV 1st gen core + 512MB)

There is not enough incentive to do so, carrot or stick.
The article states this:

> The money they made from these customers hasn’t expired; neither has their responsibility to fix defects.

This is wrong. We don't ask for mandatory lifetime guarantees in any other industry I'm aware of, and perhaps more importantly, much of what is done in the field wouldn't be possible if it did (could you imagine having to continue to maintain an IE5 webpage for another twenty years?).

It goes on:

> In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more.

If I buy a toaster it comes with a one year warranty, maybe. A nice car might come with a five year or two hundred thousand mile limited warranty. Microsoft sold a product at a fraction of that cost and supported it, unconditionally, for 8 years. 8. And they supported it for five more after that with appropriate arrangements with enterprises (and after a select few enterprises who somehow concluded that paying some engineering salaries at Microsoft for dedicated support was cheaper than upgrading). That's a 13+ year lifetime of support on what was an $80 a license product. Industry norms can only be "horrible" insofar as there's only been a serious industry for 30 years... And XP was supported for half of it (man, I suddenly feel old). My point is that there is no world in which the "cash-strapped National Health Service" is not the primary entity which was grossly negligent in its maintenance of critical infrastructure.

Stepping back and looking at the article as a whole and less at specific inflammatory parts, it is, well, filled with inflammatory parts. It starts as a thin attack piece on Microsoft for being slow to provide free support for a 16 year old product, offhandedly references IoT for some added scare factor, then starts calling for action (from both corporate and government actors) without any serious discussion on either the merits of the proposed actions or the impacts taking them would have on those organizations or the implications that they would create for future actors.

But hey, if you're a fan of Bruce Schneier's more recent musings, at least you'll enjoy the conclusion: That we must legislate software, and fast.

Yes, if you buy a toaster, you can easily replace it. The problem with XP is, that it is a component of larger systems, sometimes not even user-visible. Just take ATMs or some hospital equipment. We can either patch them, or force them to be decommissioned, but I fear, without some regulations, everyone keeps just hoping for the best.
Even, if we have SambaOrg, WineHQ, ReactOS and LibreOffice.
In many (most?) countries product failures resulting from design defects are covered by consumer protection laws without time limit.
>If I buy a toaster it comes with a one year warranty, maybe. A nice car might come with a five year or two hundred thousand mile limited warranty.

The analogy falls down when you consider it's possible to fix your own toaster or car, or take it to some other engineer to do it. Cars last longer than 13 years due to servicing at garages and things like that.

I agree that the implementation at the NHS is clearly awful, but it's crazy that staying on top of security means you're essentially forced to pay Microsoft more for a newer version of Windows (as well as retraining due to changes, retesting all your software). It's a mess of a situation and I don't know the solution, but continuing your analogy Microsoft should share the Windows source when they no longer support it so that third-parties can. I know that's never going to happen btw, just that's what's reasonable by your analogy.

They wouldn't need to share the source with everyone, just with authorized software repair companies. It would be a win-win, microsoft can cut back on support duration, they can collect a rent from the repair companies, there would be a new business sector, and customers could stay on older windows versions until a time of their choosing. Like with cars the older the version you are on the more expensive the upkeep, so it would be cheaper to move to a new windows version regularly, meaning microsoft wouldn't lose much in the way of windows license revenue.
Good point, I intentionally left the phrase "open-source" out of my comment for that reason but didn't think it all the way through.

There's clearly a need for this sort of support so it makes senses. Either that, or Windows should stop being overhauled every few years, making upgrades too costly to implement, and just focus on security and bug fixes. That's obviously not going to happen though.

Maybe the old notion of business (for material artefact) is obsolete. As an open source friendly computer guy the notion of warranty is moot. Society self organized around delegation and ignorance, thus needs for warranty. Maybe it's time to redistribute knowledge and means so people can help themselves.
Okay, then an alternative suggestion.

If a company wants to stop supporting software, they have to publish the entire source, documentation, and guides for how to work in it.

So that others can then fix it.

I can fix a toaster.

I can’t fix a smart toaster with DRM.

I think you are getting it very wrong.

What guarantee used to mean is that if product has manufacturing defects then these will appear within limited period of time.

Having a 5 year guarantee for a car does not mean that it will fall apart after this period of time. It means that defects that occur after this period of time are due to wear and not manufacturing defects.

The main difference between a software product and say a car is that it appears that manufacturing defects of the software would take much longer to appear than 2 or 5 years. Sometimes it may take even 10-20 years for a defect to appear.

The main issue with Microsoft software is that the problem, when it becomes apparent, can not be fixed by the owner as it could be with any other product. This is caused by the closed nature of the Microsoft software.

Another thing you get wrong is that you call XP a $80 product. It is not. It is a $80 x number of owners product.

> can not be fixed by the owner as it could be with any other product

I think this is nice in theory, but impractical with our current level of technology. If your toaster broke, would you be able to fix it? How many owners have the analog circuit knowledge to fix even a toaster from the pre-IC world? Would you be willing to invest the tens of hours and dollars required to fix it? Or would you just go buy a new one for $20?

Aside from people who train to do so, even your above-average owner can not maintain or repair a modern car drivetrain. Or an IC which has, thorough the laws of physics, formed whiskers that have caused it to short out. Most people couldn't even replace such an IC, even if given all the fairly specialized tools.

Nor could they realistically learn enough about programming to realistically find and repair defects in a 45 million LOC codebase.

Hell, as a (as called by peers in the past) above-average programmer, I couldn't grok 45M lines of code in anything resembling a reasonable timeframe.

Just opening the source is not enough. And just as car maintenance costs money (sometimes more than the car cost originally), if you want software patches past a reasonable span of time, those are going to cost money.

Because most people don't give a crap? Out of the 10 people who saw the news (on TV!) while I was there 9 reacted with "Ha! These hackers..." and 1 with "I'm pretty sure they are not interested in a guy like me, I'm safe haha".

Until people start losing personal money they won't bother educating themselves. They see these "hacking games" as, well, games.

A true disaster always has more than one cause. It took many separate problems and mistakes to sink the titanic and cause such a large loss of human life. Same here. There can be endless and interesting discussions about the role of the NSA, Microsoft, the end users in this very specific incident.

But the root of the problem is, that computer security still does not get the proper awareness and attention. This starts from how we write software, but from a society point of view, mostly how we deal with computer systems. Computer systems are not toasters which you can replace easily. Often they are part of larger installations, difficult to replace as a component. We need to deal with them as with aspects of traffic or workplace safety, or hygiene. There should be a clear concept (I sincerely hope we don't require too strict state regulations) that like any professional tool, a computer system has to be reviewed in regular intervals for being fit for its intended purpose, and maintenance for security should be done as naturally, as mechanical or electrical checks.

So, for any computer-powered (and networked) device, this would mean, that either there is a maintenance contract in place, which in the end would mean, the provider has a contract with Microsoft, if Windows is used, or, like with any other device, the machine is no longer considered fit for professional use.

The article is wrong on timing because they choose to ignore the herd of elephant in the room.

The world has been getting hacked since before 2013 by the NSA and related parties. They wanted to keep it hackable (by them, but an open door is open for everyone), not to fix what was wrong (even they asked/forced companies to include backdoors, unsafe encryption and so on). They developed (directly, or hired third party companies) software to hack it even more, and not just systems but people too. They created an entire market of malware/exploit/zero days, where was pretty profitable to find zero days and sell/hoard them instead of warning the world.

Is not amazing that in this scenario of planned/designed insecurity at every level even they get hacked/intruded/disclosed, and not just not to get information but the software weapons they were already using too.

Is like the department of health has been developing all the latest years new flu strains, are weaponizing them, and somewhat, you get sick, they get sick, everybody else get sick and some of the people you know dies. Would you complain about the last person that transmitted you the disease, the vaccine makers that run behind the (designed) diseases and even are forbidden/delayed to make a cure for them, or the root cause of it all?

Instead of asking why we don't do more to stop it, ask yourself why we did (and keep doing) so much to make it happen.