WannaCrypt: Pwnage is a fact of life but cleanup could and should be way easier
Shame on you for not going back in time
Comment WannaCry is Microsoft's fault. Microsoft, of course, blames the victims and system administrators get fired. But every one of us is to blame because we refuse to force our governments to hold software-makers to account.
Criminals are here to stay. Anyone who thinks they will somehow be defeated, go away or simply give up is delusional. The best we, as a society, can hope to do is fight the good fights. These are fought individually, by individuals, against individuals, locally and globally. With millions working to oppose yet more millions who would break our rules, we can, for the most part, contain the disruption and get on with our lives.
This view is cold comfort to people affected by ne'er-do-wells. People are robbed, brainwashed, hoodwinked or even killed. The effects ripple outward, affecting not just the immediate victims, but all those whose lives they influence.
We hate crims. We love the spectacle of catching, trying and sentencing them. We're fuzzier, however, when the malefactor loses themselves in a crowd. Some organisations can – quite literally – get away with murder, and it seems only a small group will care.
The larger the group that engages in malign activities, the more willing we are to give them the benefit of the doubt. Governments, corporations and other large organisations can do us wrong at scale and not only do we allow it, but we turn on the victims and tell them it must be their fault somehow.
Humans are weird.
Ultimately, any given strain of malware can be blamed on the authors of that malware. They did exactly what grifters, charlatans and thieves have always done: defied society's laws and cultural norms to make a quick buck more easily than we collectively deem acceptable.
Shame on them, as individuals. Shame on us for somehow thinking this wouldn't happen. Again, and again, and again, and again. We have the sum total of human knowledge in a flat glass slab in our pockets. You'd think we could spare the time to learn a little something from history.
Profit before people
Let's turn the clock back to the 1980s and 1990s. Microsoft isn't quite the behemoth that it is today. It faces actual competition on the desktop. The World Wide Web is being born, and with it, the internet is going mainstream.
Microsoft puts actual effort into attracting developers. The browser wars are a thing. Microsoft is in full embrace, extend, extinguish mode. Microsoft commits unforgivable sins such as ActiveX, and sets the stage for a proprietary intranet software development "revolution" that will damage the digital fabric of our society for a generation.
In the 1990s, Windows is a moving target, and an application designed to spec one year is suddenly putting files in the wrong place the next year, and two years later is considered to be poorly designed software that's harming the ecosystem. Developers are quietly encouraged to use undocumented APIs if it helps them get software to market faster, even as they are publicly told not to.
Microsoft's desperation for a monopoly means they not only allowed developers to create long-term unsupportable nightmares, they encouraged it. The harder applications were to port to another platform, the more lock-in they could create.
This made Windows XP difficult – and in many cases spectacularly expensive – to move away from. This was not happenstance. This was design.
Microsoft did wrong by us all. Did we collectively slap their wrist? Hardly. We handed them an empire and told them that, by and large, they could get away with anything.
Making it hard to move away from Windows XP not only made it hard for alternative desktop environments to get established; the same choices made it hard for many organisations to move on to Windows 7.
Microsoft didn't dare blame developers for taking shortcuts, so it blamed its customers, and we let them. By this point Microsoft had a desktop monopoly, and most of us had Stockholm syndrome. It was easier to blame the victims than to try to hold a large organisation to account.
Shame on you for buying the software required to make your business run. Shame on you for not knowing 10 or 15 or 30 years ago that a piece of software, or its developer, wouldn't evolve with the times. Shame on you for not having enough profit to rewrite complex industry-specific software, or to customise more popular software packages to your requirements.
Shame on you all, from small businesses to healthcare trusts, for not predicting the future, not spending more in the right places, and above all for not doing what Microsoft told you to do when you were told to do it. That's easy. We, who are of course without sin, like pointing fingers.
Individuals can be persecuted, measured, sanctioned. We can see if they weigh more than a duck. It is harder to put a large organisation on a scale, much less tie it to a stake and start stacking up wood.
If the victims are to blame then clearly we're ready to pay more taxes to ensure that healthcare IT could port all their apps. I hear you sharpening your pitchforks at the very thought.
If government and taxes are bad then are we at least ready to pay significantly higher prices on various retail goods so that businesses that can barely make ends meet can afford to leap the digital chasm? I see you getting those torches out.
Microsoft's response to this has been the most horrific possible. Instead of using carrots to help organisations that now have insurmountable technological debts, Microsoft decided to beat us all senseless with the stick.
Microsoft's answer to the sorts of vulnerabilities that made WannaCry and other malware possible is to force all of its users to patch and remove their ability to avoid doing so. Microsoft goes to great lengths to avoid publicly acknowledging that its patches regularly break critical features in its own operating system, let alone admit that these patches even more frequently break applications that organisations around the world depend on.
Once, sysadmins could avoid one bad patch by deploying the others. This let us keep systems as up to date as possible without breaking critical bits.
Today, Microsoft doesn't give us that choice. Updates are cumulative: you will patch everything, all in one go, and if for whatever reason you need to skip one fix you can never move forward from that point, because every later package contains the fix you skipped.
You are trapped at the monthly patch level just before Microsoft broke your tools and told you it was your fault for owning them in the first place. And now, with Windows 10, you can only stay at that fixed patch level for a modest number of months before Microsoft forces you to update, no matter what those updates break.
Microsoft is externalising costs on to their customers. They are externalising the financial costs of quality assurance and testing. They are externalising the political costs of setting standards, sticking to them and enforcing them amongst developers.
Microsoft is shifting the burden of support to the end users by demanding an unrealistic level of compliance with constantly evolving standards and specifications that still move faster than developers can cope.
We not only let Microsoft get away with this, millions of people regularly savage digital laggards using social media on Microsoft's behalf. There's an army of True Believers out there piling up the wood, matchbooks at the ready.
WannaCry about it?
None of this is going to change. Horrible people will keep making malware. Microsoft will keep externalising costs. The victims will be blamed and we will collectively refuse to pay the true costs of the software treadmill.
It's time to stop thinking that we can avoid getting pwned. It's time to stop thinking that organisations of any size can be, should be or are immune to digital scoundrels.
Hospitals, schools, bakeries and more will be pwned by ransomware and other digital nasties. It will happen today. It will happen tomorrow. It will happen forever. This is simply a fact of life.
We need to put our efforts towards making recovery from such events easier. Getting pwned is a violation, to be sure, but in many ways there is little difference from someone breaking into our cars.
The cops will do their best to find the hoodlums. Sometimes they'll collar someone. Most times they won't. Individually, we are highly unlikely to extract any recompense from the offender. We file our insurance claims and move on.
So too must we approach malware, individually and collectively. Let's cease the witch hunts and the victim blaming and start talking about collectivising remedies. The digital version of filing our insurance claims and moving on is reloading from backups, so maybe – just maybe – what we need to do is look at making those cheaper and easier.
Imagine, if you will, that governments stood up clouds to enable cheap (or free) backups for critical industries. It's one possible solution to the realities that made WannaCry the international IT oopsie of the week. There are many more.
What's important is that we come to terms with the fact that events like WannaCry pwning a bunch of healthcare trusts aren't acceptable, but they are the new normal. Unless and until we can change a great many things about human nature, they will continue.
What are we prepared to do about it? ®