Subject: Re: Windows 10. Horrible!
"David Taylor"<firstname.lastname@example.org> wrote
| > The chatter about older versions being unsafe is
| > also, for the most part, only chatter.
| Try telling that to the UK's NHS and others:
?? You don't seem to realize that you're illustrating
my point for me.
You clipped my explanation of why the version
is of little importance. The example you noted,
WannaCry ransomware, uses SMB to infect. SMB
should only be functional on networked machines,
and of course those should not be connected to
the Internet. The port should be blocked and the
related services should be disabled. (That's the same
idea as RPC and DCOM. On most computers those
should not be enabled. When they are enabled,
any Internet connection should be treated as
extremely high risk because the connected machines
have compromised security.)
The infected hospitals suffered because they had risky
networking enabled, didn't have backup, and somehow
allowed an unknown, foreign executable to run. Maybe
an email attachment. Maybe a driveby download enabled
by allowing script in the browser. Were employees allowed
to go online? If so, why? What about not running as Admin?
Somehow that didn't prevent the executable running.
Color me surprised.
My dentist doesn't even network,
or provide an Internet connection to, computers where
he keeps customer data. And he knows nothing about
computers. He's just worried about legal issues. So how
do police depts and hospitals manage to be such seat-
of-the-pants operations? Partly because, like everyone
else, they trade security for convenience at home and
naively believe Microsoft marketing about how safe
their latest product is.
In the particular case you linked to, Win10 with
forced updates would have been protected. But
that's not always the case. A large number of attacks
are 0-day, which is to say Microsoft have not yet
made a patch and may not even know about the
vulnerability. And I don't know about you, but I don't
consider forced, potentially destabilizing updates
to be a good tradeoff for a small improvement in
There's a reason that corporate IT people don't
allow auto-updating. They want to thoroughly test
the updates first, before allowing them onto the "fleet".
And how do we know there's not another bug in SMB,
waiting to be exploited, and not covered by Win10?
Who will suffer from that one? Probably people who
insist on enabling unsafe networking protocols, because
Do you enable file sharing? Not block port 445?
Enable the Server service? COM+? Other remote
network functionality? Maybe you want all that because
you want to be able to network computers in your
house. That makes sense, but you also need to be
aware that it's very high risk and Win10 is not going to
be a panacea. You're at far more risk than I am on
I have an old house with smoke alarms, a fire
extinguisher, and I'm careful about my use of appliances.
You have a new house, with all the latest safety
equipment. But you regularly leave the house with
the dryer running, the toaster on, or a pan heating
on the stove. Who's at greater risk of fire? How do
you know your new appliances won't have safety
recalls down the road? (There were a number of
fires caused by Bosch dishwashers at one point.
And, of course, they were all in houses owned by
wealthy people who insisted on only the newest
and best appliances. Bosch is "top of the line".)
It's interesting that ransomware has especially
targetted hospitals and police depts. I haven't
seen any explanation of why that is. My guess is
that it's because 1) they're public services that have
a lot to lose 2) they may be notoriously inept in
terms of IT and 3) they generally have public-facing
Unlike a corporation that may have valuable
business secrets to guard, police dept and hospital
IT people probably don't have much reason to
expect they might be targets... At least not up
until now. But it's increasingly surprising that these
institutions are caught without any backup. It
would be more understandable if they were hacked
and data stolen. But ransomware? There's just no
excuse for not having their records backed up.
I have a favorite story about this. In January, 2005
Bill Gates was asked in an interview why people were
(I have a link but can't find the article now, even at
"Well, no one invests more in security of their browser than what we do on
IE. The key message we have for people is they should turn on auto update
because if you turn on auto update....you can know that there are hundreds
of very smart people who are constantly improving your browser and making
sure that you're safe. And so with auto update and IE, you're getting the
top security team and the quickest response team that there is anywhere."
At the moment he was saying that, IE was being attacked
by merely visiting a webpage, on computers with the very
latest updates installed.
That's not an anomaly. It's business as usual. As the link
explains, that particular bug had been known for 2 months,
but Bill Gates's "hundreds of very smart people" somehow
hadn't got around to fixing it.