32 comments

[ 0.29 ms ] story [ 62.2 ms ] thread
This is a bizarre perspective.

Microsoft isn't a victim here. They made decisions that made it difficult or impossible for customers to upgrade their software. They also print money.

Is it a pain in the ass to support a bunch of old software? Yes. Should anyone, anywhere have any sympathy for them? No.

How "old" is sufficient? Forever?

Is fixing 0-days sufficient "support", or do you think Microsoft should be forced to actively invest in security updates for end-of-life software?

What do you mean by forced? Logically Microsoft should decide ahead of time how long they are going to support a given version and publish this information so that potential buyers can decide whether its sufficient before buying. They do this, and you can read online how long they intend to support the software you are buying today.
They never seem to get an outburst of positive emotion when they do extend support for a product well beyond its original end-of-life either. Damned if you do, damned if you don't.
If they don't also fix "end-of-life" that's also in the wild, they'll get a ton of black eyes every time something like this happens.
My question would be how could you bake into the original cost the cost of long term support when you have no idea how long one might use it? Windows XP was only end of life after 14 years. Some people STILL use it. I doubt the $139 price 14 years ago was expected to cover more than 5 years of use. Would $5/month forever make more sense?
You treat SW as a service and sell licenses instead of "boxed" copies.
I bet a lot of the companies buying thousands of copies of windows were treating them like assets and depreciating them over 3 years. Can't do that when its a subscription. Also no one was doing SaaS at wide scale until 9/10 years ago.
Anyone with an EA has been paying for SA For Windows for many many years.

The subscription is just a way to get rid of the perpetual right to use and effectively raise the rent. My marginal O365 user costs like 2x more because you cannot buy Office anymore in the EA that I have.

Forced? No. But to avoid PR this bad? Probably.

At some point, the support stops being pulled from the product budget and starts being pulled from the advertising budget.

Dollars to doughnuts its worth it in the end.

Enterprise apps live for a long time. IBM stuff in production is still around from the 1970s.

Microsoft actively pursued (and screwed) this market.

IBM stuff that survives from the 70s does so because those organizations planned their future hardware and software migrations. z/OS releases are supported for 3 years after release. You then have to update to the N+1 or N+2 version. Windows releases are supported for 11 years. You then have to pay for extended support or update. This has always been the case. This is well known. If you're running an internet connected XP machine and not paying for extended support you have nobody to blame but yourself. It is not Microsoft's responsibility to support all versions of their software indefinitely and for free.
That's the PR.

Lots of that software is old junk. IBM supports at the OS level applications written in whatever technology was around in 1978 today.

If you wrote your core business application in VB6 or an early .Net Framework, Microsoft cut you off at the knees.

>How "old" is sufficient? Forever?

When the car I still drive was as old as WinXP is now, it was part of a 3.6 million vehicle recall for the cruise-control shutoff switch. The fix involved splicing in some kind of bypass in the wiring harness; so that was potentially 3.6 million parts, installed one at a time. If Ford can do that, why can't Microsoft write a patch for XP?

It doesn't seem to me that the is trying to paint microsoft as a victim. IT even says they are partially) to blame because of their poor security design.

The article suggested that most software should be delivered as a service, so that it would more directly connect the economic incentives with the bug fixing. Then they pointed out how this would have helped everyone involved in this one specific case.

Exactly. The article isn't excusing Microsoft. But it's also arguing for a subscription model that aligns incentives.
Align incentives...

That is a powerfully simple way to think about, I am going to mull that thought of. But yes, at least superficially, it puts customer and vendor on the same track.

I wonder if there are ways it could be abused? Of course there are, we just haven't found them all yet.

>To put it another way, the alternative is not that the NSA would have Microsoft about EternalBlue years ago, but that the underlying bug would have remained un-patched for even longer than it was (perhaps to be discovered by other entities like China or Russia; the NSA is not the only organization searching for bugs).

False dichotomy. The choices are not only:

a) NSA pays lots of money to identify exploits and then hoards and uses them, vs

b) NSA does not identify exploits, leaving it up to China or Russia to do so and leaving us vulnerable.

There is a third choice:

c) NSA recognizes that only State actors have the money or time for this kind of thing, and should invest the money to detect and report exploits because China and Russia are probably doing so.

In fact (a) doesn't actually provide defense against China and Russia having the exploit: we were undefended until the exploit leaked, and without the leak, China or Russia could have executed an attack at any time. They didn't.

>c) NSA recognizes that only State actors have the money or time for this kind of thing, and should invest the money to detect and report exploits because China and Russia are probably doing so.

China and Russia are reporting vulnerabilities? Got a source for that?

(comment deleted)
I'm pretty sure they meant "because China and Russia are probably identifying exploits", not "because China and Russia are reporting exploits". I.e. it's a defensive measure.
> They didn't.

How do we know? Presumably the NSA has used this exploit before, and we didn't know. Presumably Russia and China use their exploits in similar ways.

It's not about locking someone out of their computer and displaying a giant skull and crossbones to say "I was here". Isn't it more about getting information off computers without people knowing you were there?

That's why this event is so interesting. It's an obvious hazard we can point to from hording vulnerabilities. In contrast, isn't it pretty much impossible to point to some target having their system opened up so enemies can read information? It seems like there's no way for us to know how many NSA horded (or planted) vulnerabilities have been exploited by people they don't want to exploit them.

But to the NSA, reporting exploits helps opposing State actors. They want to hoard the exploits so that no one else has them.

Perhaps it's possible to only communicate exploits to US companies, but that's really unlikely to go well.

It is easy to say put everything in the cloud and charge a monthly fee. The reality is there are all sorts of regulatory requirements that prevent this. How are you going to make a SaaS model work with SCADA systems? Many of these systems are networked and running ancient windows versions. SaaS for these systems doesn't work.
The important part isn't moving your data to the cloud, the important part is updating your software and paying a subscription.
Elephant in the room is that the vast majority of real-world privilege escalation and RCE is through buffer over-reads. Type errors are costing billions in damage.

Hacks like WannaCry don't exist because of the NSA, or consumers failing to update, they exist because programmers use languages that freely compile buffer over-reads in the first place.

The ugly truth is WannaCry and 90% of RCE is the fault of the programming industry for taking zero responsibility for their processes. Programmers choose to use extremely unsafe languages and it's costing the world billions in damage.

The only way we've gotten away with this is the public is largely ignorant to how culpable programmers actually are. They think hackers are demi-gods when it's really just the same damn buffer exploit over and over again.

You make some good points but it is lost in the rant.
SMB predates the internet. It is designed for the LAN.

There was a time when Windows was not internet-compatible unlike another OS I recall using at the time: BSD UNIX.

Then Gates finally gave up trying to understand why anyone would want an internet connection and decided he would dominate the www so he took the TCP/IP stack from a UNIX OS and inserted it into the Windows kernel. Then came "Internet Explorer".

From that day forward, Windows has always been vulnerable. It has been continuously vulnerable.

Unlike Windows, UNIX has never needed NetBIOS, SMB, CIFS, or whatever Microsoft calls the additonal layers of complexity today. UNIX can directly handle TCP and UDP. UNIX lacks the attack surface that Windows SMB provides, by default.

Microsoft refuses to ackowledge this flaw and fix it. Windows has an an enormous user base. No need to win user over with sensible design. They are already locked in.

In any other industry a product with a track record like Windows would have never been used for internet purposes. But this is no ordinary product. 80% or more of Windows users do not select and purchase Windows. They get it by default with the purchase of a computer. There is no choice. There is no refund for a defective Windows. Because there was no purchase. Sorry users.

As an end user, I got better "customer service" from the volunteers behind a free open source UNIX-like OS that I ever did from Microsoft.

The best way to make Windows "safe" is to disconnect it from the internet. "Updates" are not going to solve the problem that Microsoft itself has created and perpetuated for over 20 years. Windows was never meant to be connected in the first place. That was not Gates' vision.

And we are still seeing that legacy today.

Rumors of the retirement of Windows, e.g., a Midori replacement, were apparently no more legitimate than a 1990's Microsoft vaporware announcement. Microsoft need not do anything. Monopoly is sweet.

There are other OS besides Windows, open source and available for free, which are better suited to be internet-facing computers. Microsoft alas will never admit this and will continue to encourage, perhaps even require, people to connect Windows computers to the internet.

Microsoft's latest move is to replicate the userland of one of those other OS into Windows. That way the user will get the "benefit" of SMB. (or whatever it is called now)

If the user were using a UNIX-like OS that has no SMB layer on their internet connected computer, then how would they experience the fun of EternalBlue?

Meanwhile a quick read about this latest worm is that it relies on common file extensions to select files for encryption. Does this mean that if the user renames the file extension on her important files from .docx, .xlsx, etc. to .wannalaugh then they will not bet encrypted? Maybe she could xcopy them to .wannalaugh in bulk.

I don't think SAAS aligns the incentives the way the author claims it does. The biggest effect is to incentivize lock-in to an even greater extent than today. After all, if you can't switch then the money is guaranteed to keep pouring in.

Under the old model, if you didn't like Vista then you could stick with XP or wait for 7. Microsoft had definite incentives to make sure they were making improvements that were valuable to people. Under SAAS, you don't like Vista? Sucks to be you, because it's already installed - and thanks for the cash!

Finally this model doesn't account for those that can't do updates for one reason or another. Many of the first systems hit were medical systems that can't even do critical upgrades without going through a full requalification. It's possible that Windows should never have been considered for those systems in the first place, but the pressures of the marketplace almost guarantee that it happens.