
So, Crowdstrike!


In reference to events this week relating to the international IT outages across the world. Not entirely sure if this belongs in security, however I’m not sure we have a category that truly reflects the nature of this incident. I feel a little sorry for the company in question, this sounds like just a software bug and “these things do happen”.

“The Net”

Just a little historical recap to set the scene, back in 1995 (nearly 30 years ago now) Sony Pictures released a film called “the Net” starring Angela Bullock and Jeremy Northam. It painted a picture of the perils of allowing a third party direct access to your systems with a view to keeping them safe. The fictional software in question was called “gatekeeper” and “the moral of this story” was, don’t trust other people with complete and immediate access to all your systems - because next time Sandra might not be available to save the day.

Now I know this was a work of fiction, however like many works of fiction it’s used to convey what should be a relatively obvious message. 30 years on, it seems that message didn’t sink in, despite many (many) people (ahem!) spending 30 years trying to reinforce that message.

So, based on a widespread aversion to both what might be referred to as “common sense” and history, much like Thanos, the ensuing chaos seen this week would seem to have been “inevitable”.

Why?

So if you install some software on your computer, then give that software full access to your computer (which is needed for some functionality like virus protection) and then allow that software to update itself, despite your best intentions, at this point you have lost control of your machine.

If you don’t think this is blindingly obvious, please comment below.
If you think this problem isn’t self-inflicted, again, please comment below.

If you’re still running anti-virus software on your computer … well, ignoring this specific incident for the moment, were you aware that Joe Biden just banned (before this incident) one of the leading anti-virus software suppliers in the US, quoting it as a “national security threat”?

If you’ve read this and STILL have anti-virus software on your computer, this is your choice (!)

Joking aside, lots of software is self-updating?

Yes it is. Some of my Wordpress instances for example will automatically install security patches and major updates automatically. How is this different? Well my Wordpress instances auto-snapshot themselves hourly, so if there’s a problem of any kind, with a few clicks I can revert to a previous snapshot and disable the auto-update facility.

This is very different to having 300 checkout terminals in an airport which refuse to boot and/or connect to the network after an anti-virus update and require an engineer to visit each machine with a floppy disk or USB key to do a manual revert, restore or patch on each machine while tens of thousands of people wait.

Yes? Again, please comment if you disagree …

But we NEED anti-virus software, don’t we?

Well, my most recent experience with a Windows PC and anti-virus software is from maybe 15 years ago. At that point, if you were to call me and say “I seem to have a problem with my Windows machine, can you take a look”, and I were to ask “what sort of anti-virus software are you running?” and you were to say “none”, then I might expect to find maybe a hundred or so bits of malware of one kind or another installed on your machine. (mentioning no names but this was a specific example!)

So if you’re running Windows, I guess there’s an argument for saying yes.

Now you might ask “why” this is the case? In order to save a little time, let me point you at one of many available articles that might help.

What is the solution?

Well, anyone reading this probably already knows the answer, at least in part. Maybe a better question is, why are we still in this position given the solution is not only known but has been known for a long time.

What do you mean we already knew about this?

Well, a long time ago in a workplace far, far away, I used to get invited to a national Cyber Security conference aimed at educating businesses about the risks of Cyber crime and how to stay safe on the Internet. I was a little surprised to find that Windows was pretty much the only topic of conversation and there was literally Zero mention of Linux as a secure alternative.

So (!) I put in an FOI request (Freedom Of Information) to the relevant government department essentially requesting details about how much per month the government was spending on sponsorship of the event (and by implication, how much was being spent promoting various Operating Systems).

Strangely this did not go down well and I received a call requesting I withdraw the FOI request. Now based on my understanding of FOI requests I was a little spooked by this call, however it was promised that if I were to withdraw the request, Linux would receive a fair showing at the next event (10 months hence). Not wanting to push my luck, this sounded like a reasonable outcome, so I dropped it.

Needless to say the following year I didn’t get an invite and none of the online materials published after the event contained the word “Linux”. Shocker eh? At this point I noticed there were also a bunch of corporate sponsors for the event, mentioning no names but the top sponsor had a “$” in their name.

So, if government sponsored education is pointing in the other direction, what do you do?

What about Linux anti-virus software?

Yes it does exist, no, most people tend not to use it. Additionally, the anti-virus software you tend to see (“ClamAV” was the top Google result for me) isn’t really anti-virus software in the way a Windows user might understand it. Typically it’s just used to scan incoming emails for viruses, it’s not designed to be intrusive or to potentially go wrong and take your system out (or render it inoperable). Indeed typically you would see it running on a server, not on a workstation.

I think my point is that *NIX in general (including Linux) was designed (from day 1) with security in mind. I guess this is partially a product of *NIX being designed as a multi-user mainframe Operating System, rather than as a stand-alone single user desktop Operating System.

General thoughts

My perception is that there are two things driving this particular issue.

  • Commercial marketing, sponsorship, influence, call it what you will
  • A general perception that commercial choices are risk-averse, “nobody ever loses their job by choosing M$”

I don’t see that you can do much with the first point. Companies with money are always going to try to use that money to proliferate their products, regardless of the comparative quality of their offerings.

On the second point, a time may come when large companies get hit sufficiently hard by outages like the ones we’ve seen this week, where choices perceived as historically “safe” might be called into question.

I just worry the country might be “finished” before this happens. Just to give you a “what if” … “what if” it wasn’t just 8.5M machines but 85M, and “what if” it wasn’t just a bug, what if those 85M machines were wiped, or wiped and then used as trojans against other machines. So “what if” we lost pretty much all of our IT for government, local government, the NHS, the police, the army, airlines, supermarkets (etc), for an extended period of time? (and indeed, what if this happened all over Europe?)

Just tin-foil-hat stuff tho’, right?
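The “auto-update is fine as long as you can revert” argument made above (hourly snapshots on the WordPress instances versus terminals that need an engineer with a USB key) comes down to one pattern: snapshot, apply, verify, roll back on failure. The script below is an added illustration of that guard, not code from the original post or from any of the products mentioned; it uses a plain directory copy as the “snapshot” so it runs anywhere, and the paths, the updater functions and the health check are constructed for the demo (a real host would use LVM, btrfs, ZFS or VM snapshots and a real boot/service health check).

```shell
#!/bin/sh
# Added example: gate a self-update behind a snapshot-and-rollback guard.
# Everything here (paths, updaters, health check) is constructed for the demo.

WORK="${WORK:-$(mktemp -d)}"
APP_DIR="$WORK/app"     # the "installed software" that updates itself
SNAP_DIR="$WORK/snap"   # snapshot taken immediately before each update

# Constructed known-good starting state: a config with a version and a mode.
setup_app() {
    rm -rf "$APP_DIR" "$SNAP_DIR"
    mkdir -p "$APP_DIR"
    printf 'version=1\nmode=safe\n' > "$APP_DIR/config"
}

# Health check the update must pass before it is kept. Assumed invariant:
# the config still exists and still carries a mode= line.
health_check() {
    grep -q '^mode=' "$APP_DIR/config" 2>/dev/null
}

take_snapshot() {
    rm -rf "$SNAP_DIR"
    cp -R "$APP_DIR" "$SNAP_DIR"
}

rollback() {
    rm -rf "$APP_DIR"
    cp -R "$SNAP_DIR" "$APP_DIR"
}

# guarded_update <updater>: snapshot, apply, verify; revert if verify fails.
# Exit status 0 = update kept, 1 = update rolled back to the snapshot.
guarded_update() {
    take_snapshot
    "$1"
    if health_check; then
        return 0
    fi
    rollback
    return 1
}

# Two constructed updaters: a good one, and one that wipes the config
# (standing in for a content update that leaves the host unable to boot).
good_update() { printf 'version=2\nmode=safe\n' > "$APP_DIR/config"; }
bad_update()  { : > "$APP_DIR/config"; }

current_version() { sed -n 's/^version=//p' "$APP_DIR/config"; }
```

Run `setup_app` and then `guarded_update good_update` followed by `guarded_update bad_update`; the second call returns 1 and leaves the host at version 2 instead of with an empty config.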
