Re: WannaCry [OT]

[Bob Sneidar via use-livecode]

Agreed. I didn't mean to imply that because exploitable code is difficult to 
sus out, we shouldn't do due diligence in designing things with that in mind in 
the first place. I don't think Novell has ever been hacked into from the 
outside. It was written ground up with security, especially network security in 
mind. My point was that because spotting vulnerabilities in existing code is 
really REALLY REALLY etc... difficult, both for the hacker and the developer, 
we can never take the stance that, "Now we have found all the problems". 

Bob S


> On May 25, 2017, at 02:38 , Mark Waddingham via use-livecode 
>  wrote:
> 
> The reality is that whilst exploiting a vulnerability in general is REALLY 
> HARD (seriously, when I say REALLY HARD, I mean REALLY REALLY REALLY HARD and 
> this is why you only tend to see exploits in things which have a very large 
> reward for making that exploit - hackers have to consider ROI too!) - all 
> they need is a vulnerability in the first place.


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Mark Waddingham via use-livecode]

On 2017-05-19 18:02, Bob Sneidar via use-livecode wrote:

I don't think it's a matter of programming standards. The methods used
to exploit systems are almost always something you could never have
guessed. Flaws in code can be extremeny difficult to see, as was the
case in the SSL Heartbleed bug. None of the devs saw the bug when it
was approved for merging. Seeing what it was and what it ought to have
been would be like seeing a needle in a haystack. I have thought for
some time that it is the nature of digital information and our human
minds incapacity to comprehend it in its real form that makes it
nearly impossible to produce "unhackable" code.


I'm not sure this is correct - and it is important that we don't 'lull 
ourselves into a false sense of security' by assuming that 'oh we could 
never have guessed that'.


The reality is that whilst exploiting a vulnerability in general is 
REALLY HARD (seriously, when I say REALLY HARD, I mean REALLY REALLY 
REALLY HARD and this is why you only tend to see exploits in things 
which have a very large reward for making that exploit - hackers have to 
consider ROI too!) - all they need is a vulnerability in the first 
place.


Eliminate the chance for vulnerabilities and you eliminate the 
possibility of exploits. Of course complete elimination is the ideal, 
but generally if you minimise the chance of introducing a vulnerability 
to the absolute minimum and you hugely reduce the chance of an exploit 
appearing (because finding vulnerabilities to exploit becomes much much 
harder).


Simplifying matters a bit, you can pretty much divide vulnerabilities 
into two classes:


  1) vulnerabilities introduced because of how something is written

  2) vulnerabilities introduced because of how something is done

The latter class (2), I will concede are much harder to spot. So called 
'information leakage' is a good example of (2) - this is where the 
method you use to do something causes 'secrets' to leak into an 
accessible channel. The thing is that such leakage can be caused by 
stuff the processor does (unreset registers in a call to a critical 
function, sideline data accessible due to the way HyperThreads are 
implemented in processor cores etc.). This is of critical concern in 
security stacks (such as SSL and strong encryption implementations) and 
is why the universal advice given is: never implement such things 
yourself - use a library which has the involvement of cryptography and 
security experts or employ such a person to do it for you.


The former class (1) essentially all boil down to mistakes in coding 
which mean that a suitably motivated hacker can use the mistake to 
execute arbitrary code which they have written - one of the biggest 
classes of these is 'buffer overruns':


  int main(int argc, char *argv[])
  {
 if (argc != 2)
   return 0;

 char t_buffer[32];
 sprintf(t_buffer, "Argument 1: %s", argv[1]);

 fprintf(stderr, "%s\n", t_buffer)
  }

Here I have a chance of being able to construct a string passed as a 
command line argument to my program which could execute arbitrary code 
encoded in the string I passed in - because I am potentially able to 
overwrite the stack at critical points to execute something that was not 
intended.


Another class of (1) is failure to sanitize inputs:

  int main(int argc, char *argv[])
  {
 if (argc != 2)
   return 0;

 char t_buffer[1024];
 snprintf(t_buffer, sizeof(t_buffer), "DELETE %s FROM 
MyImportantDatabase", argv[1]);


 RunSQL(t_buffer); // Mythical call for illustration only
  }

Here I've constructed an SQL query by inserting an unescaped string 
directly into an SQL statement that I execute. With this I can do 
anything to the database I like - just by using ';'.


I'd put my neck out and say that all vulnerabilities in case (1) can be 
prevented by strict programming standards and review (or better) using a 
language which doesn't let you make those kinds of mistakes in the first 
place.


So, in short, I'd perhaps suggest that all exploits we see are caused by 
one of two things:


  (1) Using tools which are too low-level for the job at hand, or people 
using tools which they are not experienced enough to use fully and 
absolutely correctly.


  (2) Writing code to do a task when you do not have enough 
domain-specific knowledge to do it correctly.


Just my two pence :)

Warmest Regards,

Mark.

--
Mark Waddingham ~ m...@livecode.com ~ http://www.livecode.com/
LiveCode: Everyone can create apps

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Bob Sneidar via use-livecode]

I don't think it's a matter of programming standards. The methods used to 
exploit systems are almost always something you could never have guessed. Flaws 
in code can be extremeny difficult to see, as was the case in the SSL 
Heartbleed bug. None of the devs saw the bug when it was approved for merging. 
Seeing what it was and what it ought to have been would be like seeing a needle 
in a haystack. I have thought for some time that it is the nature of digital 
information and our human minds incapacity to comprehend it in its real form 
that makes it nearly impossible to produce "unhackable" code. 

Bob S


> On May 18, 2017, at 19:48 , Kay C Lan via use-livecode 
>  wrote:
> 
> On Tue, May 16, 2017 at 6:46 PM, Mark Waddingham via use-livecode
>  wrote:
>> 
>> I'd at least hope that 'smart cars' software is engineered to a much
>> higher standard than other places:
>> 
> Well it may not even be 'smart' cars, even just modern cars may have
> problems depending on circumstances. This article also raises an
> interesting issue with regard to Uber and/or similar:


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Kay C Lan via use-livecode]

On Tue, May 16, 2017 at 6:46 PM, Mark Waddingham via use-livecode
 wrote:
>
> I'd at least hope that 'smart cars' software is engineered to a much
> higher standard than other places:
>
Well it may not even be 'smart' cars, even just modern cars may have
problems depending on circumstances. This article also raises an
interesting issue with regard to Uber and/or similar:

https://www.theguardian.com/technology/2015/aug/12/hack-car-brakes-sms-text

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Stephen Barncard via use-livecode]

It is not trivial that the main character in *The Matrix *is a coder.

On Tue, May 16, 2017 at 9:20 AM, Bob Sneidar via use-livecode <
use-livecode@lists.runrev.com> wrote:

> We won't all be absorbed. Some will need to work as slaves in the real
> world.
>



--
Stephen Barncard - Sebastopol Ca. USA -
mixstream.org
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Dr. Hawkins via use-livecode]

On Mon, May 15, 2017 at 10:46 PM, J. Landman Gay via use-livecode <
use-livecode@lists.runrev.com> wrote:

> Ditto. But I do want a smart home and I've had one for years. We still use
> the older X10/Insteon protocol,


wasn't that the one that had the add with the girl in the flesh-colored
tshirt bouncing around?

I remember one of my small chiodren asking why she didn't have a shirt . .
.

Home automation is another boat that apple missed begore finally getting
their act together.

The Mac IIfx (1990) had a pare of custom co-processors, essentially 10mhz
6502s with 32k each (iirc) RAM & ROM.

One of these controlled the serial ports, including AppleTalk, along with
other small tasks.

Add that appletalk worked well over existing in-house phone wiring, those
processors could have been mass produced, and used the second pair in
existing wiring.

Apple would have *owned* home automation at the time.

Then again, given their thinking at the time, they probably would have
expected to sell you your television, toaster, and front door as part of
this, so maybe not.  In that err, if they could have produced a Rolls Royce
for $1000, they would have gone broke by only selling it as  part of an
apple house to have the garage . . .

90
-- 
Dr. Richard E. Hawkins, Esq.
(702) 508-8462
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Bob Sneidar via use-livecode]

We won't all be absorbed. Some will need to work as slaves in the real world. 

Bob S


> On May 16, 2017, at 07:54 , Jonathan Lynch via use-livecode 
>  wrote:
> 
> Right before it absorbs us into the machine overlord.
> 
> Sent from my iPhone


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Bob Sneidar via use-livecode]

Agreed. 

Bob S


> On May 15, 2017, at 17:23 , Richard Gaskin via use-livecode 
>  wrote:
> 
> Good thoughts, Kay.
> 
> The DDoS last October only reinforced my inherent distrust of IoT devices.
> 
> Until we see some enforced security standards, I have no interest in "smart 
> cars", "smart TVs" or "smart homes".  When I look at those products I just 
> see one big botnet.
> 
> --
> Richard Gaskin
> Fourth World Systems


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Roger Eller via use-livecode]

http://hackaday.com/2017/05/04/google-aiy-artificial-intelligence-yourself/


On Tue, May 16, 2017 at 10:54 AM, Jonathan Lynch via use-livecode <
use-livecode@lists.runrev.com> wrote:

> Right before it absorbs us into the machine overlord.
>
> Sent from my iPhone
>
> > On May 16, 2017, at 10:45 AM, Alejandro Tejada via use-livecode <
> use-livecode@lists.runrev.com> wrote:
> >
> > Mark Waddingan wrote:
> >> the fact that there are probably not just billions
> >> but trillions of lines of C/C++ code in the world
> >> means that things are probably not going to change
> >> much soon - the cost to rewrite all of that in a language
> >> such as Rust would probably be larger than the entire
> >> economic output of the entire world.
> >
> > That is exactly the kind of work that
> > Artificial Intelligence could do without
> > breaking the bank! :-)
> >
> > Al
> > ___
> > use-livecode mailing list
> > use-livecode@lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Jonathan Lynch via use-livecode]

Right before it absorbs us into the machine overlord.

Sent from my iPhone

> On May 16, 2017, at 10:45 AM, Alejandro Tejada via use-livecode 
>  wrote:
> 
> Mark Waddingan wrote:
>> the fact that there are probably not just billions
>> but trillions of lines of C/C++ code in the world
>> means that things are probably not going to change
>> much soon - the cost to rewrite all of that in a language
>> such as Rust would probably be larger than the entire
>> economic output of the entire world.
> 
> That is exactly the kind of work that
> Artificial Intelligence could do without
> breaking the bank! :-)
> 
> Al
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription 
> preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Mark Waddingham via use-livecode]

On 2017-05-16 02:23, Richard Gaskin via use-livecode wrote:

Until we see some enforced security standards, I have no interest in
"smart cars", "smart TVs" or "smart homes".  When I look at those
products I just see one big botnet.


I'd at least hope that 'smart cars' software is engineered to a much
higher standard than other places:

   https://en.wikipedia.org/wiki/MISRA_C

[ Of course, it is slightly worrying that Chrome thinks that 
www.misra-c.com

is 'Not Secure' ;) ]

Such standards, processes and tooling helps to ensure that code that is
written minimizes the chance of vulnerabilities *in the code* (e.g. 
buffer

overruns). Of course it doesn't necessarily cover vulnerabilities in
design - e.g. in protocols.

There are other methods to ensure this is the case (at least in terms of
the code):

  - adequate automated testing (100% coverage being the goal - i.e. the
tests should exercise every line of code).

  - fuzz testing (giving random inputs to every module in a system
to make sure it handles any potential case gracefully).

  - extensive code review (i.e. ensuring that code does not make it into
a system unless it has been thoroughly checked by as many people as
possible).

  - use static analysis tools (e.g. Coverity).

Of course, the principal issue really is that most code which is used in
critical systems (and systems generally) tends to be C/C++ - or 
something

like Java where the VM and parts of the supporting libraries are written
in C/C++ (e.g. Smart TVs, Blu-Ray players, Android phones).

C/C++ are inherently unsafe (let you do things which are wrong) 
languages
(although it is becoming increasingly easy to write safe code in C++ - 
as
long as you use it in a specific way - you cannot yet turn off unsafe 
aspects

of the language which means they can be used).

The reason they are unsafe is because the design of them means that 
static
checking is really hard to do well (the depth of what Coverity does, for 
example
is quite astounding but it is not perfect by any means) and impossible 
to do

completely.

The solution then is to use *safe* languages - ones which don't let you 
write
code which contains the kind of exploitable vulnerability which result 
in

virii being able to be written in the first place.

However, the reality is that the number of safe-systems-languages (ones 
where
it is possible to write device drivers, kernels etc.) in existence is 
well,
negligible (Rust is probably the only one which has floated to the 
surface of
the dev community in recent years that I can think of); this combined 
with
the fact that there are probably not just billions but trillions of 
lines of
C/C++ code in the world means that things are probably not going to 
change
much soon - the cost to rewrite all of that in a language such as Rust 
would

probably be larger than the entire economic output of the entire world.

Warmest Regards,

Mark.

--
Mark Waddingham ~ m...@livecode.com ~ http://www.livecode.com/
LiveCode: Everyone can create apps

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[J. Landman Gay via use-livecode]

On 5/15/17 7:23 PM, Richard Gaskin via use-livecode wrote:


Until we see some enforced security standards, I have no interest in
"smart cars", "smart TVs" or "smart homes".  When I look at those
products I just see one big botnet.


Ditto. But I do want a smart home and I've had one for years. We still 
use the older X10/Insteon protocol, which I suspect is more convenient 
than a smartphone because I don't have to speak commands or find my 
phone to launch an app. Sensors and timers manage everything, there's no 
network connection at all, and I hardly ever need to flip a light switch.


Not to mention, I don't want my refrigerator to know what I'm eating and 
I have zero interest in turning on my crockpot remotely. They're 
*supposed* to cook all day.


--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Richard Gaskin via use-livecode]

Good thoughts, Kay.

The DDoS last October only reinforced my inherent distrust of IoT devices.

Until we see some enforced security standards, I have no interest in 
"smart cars", "smart TVs" or "smart homes".  When I look at those 
products I just see one big botnet.


--
 Richard Gaskin
 Fourth World Systems


Kay C Lan wrote:

On Tue, May 16, 2017 at 3:13 AM, Richard Gaskin via use-livecode
 wrote:


Might it be (again, we can't know for sure until we talk with each vendor)
that they simply soldered too little RAM onto the motherboard and provided
no means of updating the OS because they weren't thinking long-term?


Hmmm sounds so simply, but I think when you are talking about any
machine worth more than $1000, especially from any reputable provider
(i.e. one that would win a government contract) then a huge amount of
thought and design has gone into all the compromises necessary to
achieve the 'current objective' whilst achieving an acceptable ROI. In
every case, I'm sure there'd be a desire to make it more modular, add
more RAM, add more software features, or make it smaller or lighter,
but just like the other Post about Tom Pitman and his need to reduce
257bytes of code down to 256 because that was all that was physically
available; there will always be some constraint where today's
technology and hindsight make it easy to say  'if only they did
this/that/the other'.


If hardware vendors are looking for control over their platforms, perhaps
they should be looking at open source OSes so they have access to the source
code, ensuring that it will do always be able to do what they need.


Again it sounds good but my own prediction is that open source OSes
for 'the internet of everything' will be opening the floodgates for
exploitations that will effect a wider portion of the community, more
and more often. I'm particularly thinking of cheap Chinese smart
phones and TVs. My parents have gone through several cheap Chinese
smart phones (Huwei to name one brand) that have all ended up getting
to an OS version and then can no longer be upgraded. The phone still
makes phone calls; no software makes a phone conversation any better.
That's all my parents, and the vast majority of the population needs.
They are not going to buy another phone just because the OS has EOLed.
The phone gets upgraded only when it's no longer fit for purpose -
battery doesn't last long enough. Same with Smart TVs but on a much
worse scale. Few companies, and certainly no cheap Chinese brand
company has any interest, once they've sold you a TV and made a slim
margin of profit on it, in keeping the OSes up to date. How often does
Linux get a security update, yet how often does your Smart TV tell you
you need to update it's Linux based OS? You really think the
population is regularly going to check the Smart TV Firmware date and
as soon as it gets to the point it no longer can be updated, or is
6/8/12 months behind Linux, they'll trash it and buy a new one? In
most cases it's not even the device that tells you it's OS has EOLed,
it's some other vendor's software (Google Maps/Neflix) that tells you
you can't download the latest version because you aren't running the
latest OS.

Cars, cameras, fridges and a whole heap more are starting to run
Linux/Android and be network connected; unfortunately the bottom line,
not security, is the driving factor for this choice. As I said, I
predict this will increase the number of EOLed OSes available to
unscrupulous entities to exploit.



___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Kay C Lan via use-livecode]

On Tue, May 16, 2017 at 3:13 AM, Richard Gaskin via use-livecode
 wrote:
>
> Might it be (again, we can't know for sure until we talk with each vendor)
> that they simply soldered too little RAM onto the motherboard and provided
> no means of updating the OS because they weren't thinking long-term?
>
Hmmm sounds so simply, but I think when you are talking about any
machine worth more than $1000, especially from any reputable provider
(i.e. one that would win a government contract) then a huge amount of
thought and design has gone into all the compromises necessary to
achieve the 'current objective' whilst achieving an acceptable ROI. In
every case, I'm sure there'd be a desire to make it more modular, add
more RAM, add more software features, or make it smaller or lighter,
but just like the other Post about Tom Pitman and his need to reduce
257bytes of code down to 256 because that was all that was physically
available; there will always be some constraint where today's
technology and hindsight make it easy to say  'if only they did
this/that/the other'.
>
> If hardware vendors are looking for control over their platforms, perhaps
> they should be looking at open source OSes so they have access to the source
> code, ensuring that it will do always be able to do what they need.
>
Again it sounds good but my own prediction is that open source OSes
for 'the internet of everything' will be opening the floodgates for
exploitations that will effect a wider portion of the community, more
and more often. I'm particularly thinking of cheap Chinese smart
phones and TVs. My parents have gone through several cheap Chinese
smart phones (Huwei to name one brand) that have all ended up getting
to an OS version and then can no longer be upgraded. The phone still
makes phone calls; no software makes a phone conversation any better.
That's all my parents, and the vast majority of the population needs.
They are not going to buy another phone just because the OS has EOLed.
The phone gets upgraded only when it's no longer fit for purpose -
battery doesn't last long enough. Same with Smart TVs but on a much
worse scale. Few companies, and certainly no cheap Chinese brand
company has any interest, once they've sold you a TV and made a slim
margin of profit on it, in keeping the OSes up to date. How often does
Linux get a security update, yet how often does your Smart TV tell you
you need to update it's Linux based OS? You really think the
population is regularly going to check the Smart TV Firmware date and
as soon as it gets to the point it no longer can be updated, or is
6/8/12 months behind Linux, they'll trash it and buy a new one? In
most cases it's not even the device that tells you it's OS has EOLed,
it's some other vendor's software (Google Maps/Neflix) that tells you
you can't download the latest version because you aren't running the
latest OS.

Cars, cameras, fridges and a whole heap more are starting to run
Linux/Android and be network connected; unfortunately the bottom line,
not security, is the driving factor for this choice. As I said, I
predict this will increase the number of EOLed OSes available to
unscrupulous entities to exploit.

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Bob Sneidar via use-livecode]

Governments of the world are simply never going to cooperate in this regard. If 
they find an advantage they will lock it down then exploit it. The public can 
cry out all they want. Governments will simply agree that more needs to be done 
to cooperate about this sort of thing, then quietly go about business as usual. 

If I had this in the NSA, I would have kept it a secret and had a plan ready to 
deploy it if needed. Sorry, a weapon is a weapon. What we really need to do is 
make people who release this sort of thing into the wild disappear. The method 
we use is open to debate. 

Bob S



___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Richard Gaskin via use-livecode]

Mike Kerner wrote:

So back to what happened on Friday, in the western world, firms that have
large investments in large and very expensive pieces of gear (which, I
forgot to mention also carry lead times of 12-18 months in many cases), and
large and very expensive software systems weren't paranoid enough.  I can't
speak to what happened in the former Eastern Bloc, since they were hit much
harder than everyone else, but I suspect that glasnost has not been as good
for them as they may have hoped.  No one has mentioned it, but I have to
wonder what happened behind PRC's Great Firewall, and in DPRK.


Good luck getting any verifiable information about what goes on inside 
DPRK.


As for PRC, it seems the Great Firewall only protects them from 
ideological dangers, like the risks of reading the Federalist Papers, 
while leaving infrastructure vulnerable:


Tens of thousands of Chinese firms, institutes affected in WannaCry 
global cyberattack





I would also be curious to see, over the coming weeks, how severe the effect 
was in
Africa.


Less so than elsewhere:

Africa least hit by WannaCry ransomware cyber-attack


I'd guess this is likely because they have less traditional Internet 
infrastructure and fewer PCs per capita.  Like parts of S. America, many 
parts of Africa have skipped the whole POTS phase to go directly to 
mobile networks, with far more phones than PCs:



Looking ahead, one way to mitigate such risks would be to share 
information on known vulnerabilities as they're discovered.


Remember, WannaCry is a variant of a tool made by the US NSA, who 
discovered the vulnerability but chose not to disclose it to Microsoft, 
who was able to patch it shortly after it was discovered through the NSA 
hack by the "Shadow Brokers" group and the NSA toolkit posted online.


Microsoft had some words over the weekend about the need for better 
vulnerability reporting:


   Microsoft president and chief legal officer Brad Smith said by
   keeping software weaknesses secret, vendors are left in the dark,
   can't issue updates, and their customers are left vulnerable to
   attacks such as the one that exploded this weekend. He compared
   the leak of NSA exploits to the theft of missiles from the American
   military, pointing also to the Wikileaks dump of CIA hacking tools.

   "An equivalent scenario with conventional weapons would be the U.S.
   military having some of its Tomahawk missiles stolen. And this most
   recent attack represents a completely unintended but disconcerting
   link between the two most serious forms of cybersecurity threats in
   the world today – nation-state action and organized criminal
   action," Smith wrote in a blog post published Sunday.

   "The governments of the world should treat this attack as a wake-up
   call. They need to take a different approach and adhere in
   cyberspace to the same rules applied to weapons in the physical
   world. We need governments to consider the damage to civilians that
   comes from hoarding these vulnerabilities and the use of these
   exploits."

Microsoft Just Took A Swipe At NSA Over The WannaCry Ransomware Nightmare


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Mike Kerner via use-livecode]

So back to what happened on Friday, in the western world, firms that have
large investments in large and very expensive pieces of gear (which, I
forgot to mention also carry lead times of 12-18 months in many cases), and
large and very expensive software systems weren't paranoid enough.  I can't
speak to what happened in the former Eastern Bloc, since they were hit much
harder than everyone else, but I suspect that glasnost has not been as good
for them as they may have hoped.  No one has mentioned it, but I have to
wonder what happened behind PRC's Great Firewall, and in DPRK.  I would
also be curious to see, over the coming weeks, how severe the effect was in
Africa.

On Mon, May 15, 2017 at 1:05 PM, Richmond Mathewson via use-livecode <
use-livecode@lists.runrev.com> wrote:

> The 800 lb gorilla would died of a broken thigh-bone because while
> a gorilla's height may increase in one dimension, its volume and weight
> will increase in
> 3 dimensions, and its bone cross-section in 2 dimensions, so its
> thigh-bones will not
> be strong enough to carry its weight: hence King Kong being a
> celluloid-only
> gorilla.
>
> This may well be M$'s problem . . . .
>
> Although the way Apple behave I cannot somehow see them in the role
> of Fay Wray!
>
> Richmond.
>
>
> On 5/15/17 7:48 pm, Mike Kerner via use-livecode wrote:
>
>> First and foremost, you might expect M$ to be able to deliver an OS that
>> is
>> backward compatible, since they are the 800 lb. gorilla in this
>> conversation.  They put out the specs that all the hardware vendors built
>> to, before they decided to change the rules and go in a direction that
>> broke everything.  When all the hardware vendors were screaming, was M$
>> trying to build a compatibility layer?  No?  It's similar to what Apple
>> does every time they change the connector for their phones, just on a much
>> more severe level.
>>
>> On Mon, May 15, 2017 at 12:28 PM, Richard Gaskin via use-livecode <
>> use-livecode@lists.runrev.com> wrote:
>>
>> Mike Kerner wrote:
>>>
>>> Unfortunately, there are very expensive pieces of gear that have
 controls on them that for one reason or another cannot be controlled
 by OS's newer than XP.  I happen to have one, here.  It cost
 $750,000.  There is no dealing with the OS issue without replacing
 the control, and that is also extremely expensive, on the order of
 $400,000, so you would not replace the control without replacing the
 whole unit.  M$, when they decided to dump the XP paradigm, just like
 when they got rid of DOS, broke upgradability for ATM's, machine
 tools and CMM's, X-Ray and MRI machines, PBX's, etc.

>>> All systems eventually reach end-of-life.  If a vendor has enough
>>> technical expertise to deliver hardware worth $750k, it seems reasonable
>>> to
>>> expect that expertise would include sufficient familiarity with system
>>> life
>>> cycles to anticipate a need for modular upgrades.
>>>
>>>
>>> --
>>>   Richard Gaskin
>>>   Fourth World Systems
>>>   Software Design and Development for the Desktop, Mobile, and the Web
>>>   
>>>   ambassa...@fourthworld.comhttp://www.FourthWorld.com
>>>
>>> ___
>>> use-livecode mailing list
>>> use-livecode@lists.runrev.com
>>> Please visit this url to subscribe, unsubscribe and manage your
>>> subscription preferences:
>>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>>
>>>
>>
>>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Richard Gaskin via use-livecode]

Mike Kerner wrote:

> First and foremost, you might expect M$ to be able to deliver an OS
> that is backward compatible, since they are the 800 lb. gorilla in
> this conversation.  They put out the specs that all the hardware
> vendors built to, before they decided to change the rules and go in
> a direction that broke everything.  When all the hardware vendors
> were screaming, was M$ trying to build a compatibility layer?  No?

Of course I don't know the details behind lost backward compatibility as 
it may relate to a specific unnamed hardware device, but I do know that 
Microsoft has earned a reputation for maintaining backward compatibility 
far better than most.  Indeed, saddling themselves with that 
responsibility has been a frequent complaint against the company, said 
to restrict their options for innovation.


And with XP specifically, IIRC Microsoft gave everyone at least 7 years' 
advance notice of XP's EOL, having announced in 2007 that it would reach 
EOL in 2014.  Key vendors may have had that disclosure even earlier than 
the public notice.


Is it possible that the APIs these vendors depended on were later found 
to present security vulnerabilities?


It is truly impossible for these devices to deliver their functionality 
using modern supported APIs?


Might it be (again, we can't know for sure until we talk with each 
vendor) that they simply soldered too little RAM onto the motherboard 
and provided no means of updating the OS because they weren't thinking 
long-term?


Lots of questions, likely unanswerable until we learn the specific 
constraints in play with each device.


If hardware vendors are looking for control over their platforms, 
perhaps they should be looking at open source OSes so they have access 
to the source code, ensuring that it will do always be able to do what 
they need.


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Richmond Mathewson via use-livecode]

The 800 lb gorilla would died of a broken thigh-bone because while
a gorilla's height may increase in one dimension, its volume and weight 
will increase in
3 dimensions, and its bone cross-section in 2 dimensions, so its 
thigh-bones will not

be strong enough to carry its weight: hence King Kong being a celluloid-only
gorilla.

This may well be M$'s problem . . . .

Although the way Apple behave I cannot somehow see them in the role
of Fay Wray!

Richmond.

On 5/15/17 7:48 pm, Mike Kerner via use-livecode wrote:

First and foremost, you might expect M$ to be able to deliver an OS that is
backward compatible, since they are the 800 lb. gorilla in this
conversation.  They put out the specs that all the hardware vendors built
to, before they decided to change the rules and go in a direction that
broke everything.  When all the hardware vendors were screaming, was M$
trying to build a compatibility layer?  No?  It's similar to what Apple
does every time they change the connector for their phones, just on a much
more severe level.

On Mon, May 15, 2017 at 12:28 PM, Richard Gaskin via use-livecode <
use-livecode@lists.runrev.com> wrote:


Mike Kerner wrote:


Unfortunately, there are very expensive pieces of gear that have
controls on them that for one reason or another cannot be controlled
by OS's newer than XP.  I happen to have one, here.  It cost
$750,000.  There is no dealing with the OS issue without replacing
the control, and that is also extremely expensive, on the order of
$400,000, so you would not replace the control without replacing the
whole unit.  M$, when they decided to dump the XP paradigm, just like
when they got rid of DOS, broke upgradability for ATM's, machine
tools and CMM's, X-Ray and MRI machines, PBX's, etc.

All systems eventually reach end-of-life.  If a vendor has enough
technical expertise to deliver hardware worth $750k, it seems reasonable to
expect that expertise would include sufficient familiarity with system life
cycles to anticipate a need for modular upgrades.


--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  
  ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your
subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode






___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Richmond Mathewson via use-livecode]

That happens all the time.

Try getting support for a golfball typewriter . . .

I couldn't get a new monitor for my BBC Master Compact and had to fool 
around

with SCART sockets, RGB gubbins and a soldering iron.

But, as King Camp Gillette didn't say, but certainly implied,
planned obsolescence is what drives both commerce and development.

Richmond.

On 5/15/17 7:11 pm, Mike Kerner via use-livecode wrote:

Unfortunately, there are very expensive pieces of gear that have controls
on them that for one reason or another cannot be controlled by OS's newer
than XP.  I happen to have one, here.  It cost $750,000.  There is no
dealing with the OS issue without replacing the control, and that is also
extremely expensive, on the order of $400,000, so you would not replace the
control without replacing the whole unit.  M$, when they decided to dump
the XP paradigm, just like when they got rid of DOS, broke upgradability
for ATM's, machine tools and CMM's, X-Ray and MRI machines, PBX's, etc.

On Mon, May 15, 2017 at 10:56 AM, Richard Gaskin via use-livecode <
use-livecode@lists.runrev.com> wrote:


David V Glasgow wrote:


I recently finished a fixed term contract working for a pretty IT
savvy NHS Trust.  The NHS has been forced by central government to
reallocate IT (and other infrastructure) monies to front line
services.  They are also trapped by legacy software with dependencies
on old (and proprietary) Windows systems and software. Now obviously
stupid, but actually historic stupidity which was in the 1990s
disguised  as good business and standard practice.

Not to mention the Clinical Information Systems which look and behave
as if it is still the 1990’s.

Apart from that, everything is fine.

That's the sad reality of so many security budgets: they don't become
adequate until after it's too late.

The dependency on older unsafe software versions is one that's always
mystified me.  I once worked for a vendor whose clients included several
large hospital networks, and one of them required us to deliver our app in
a way that would maintain compatibility with IE 6, years after Microsoft
warned customers to stop using it.

Subsequent versions of a software are generally supersets of features
found in earlier versions, with the only things missing as we go forward
being bugs.

When written to spec, it should move forward gracefully.  Microsoft has
done a better job of maintaining backward compatibility than most.

So if someone writes an app that doesn't work going forward, dependent on
things specific to an outdated system, in effect their app is dependent on
bugs.

For any org to consider bug-dependent software "mission critical" should
raise eyebrows.  For a hospital it seems even more serious.

But I understand how budgets tend to gloss over things like this.  And
this week, even the most reluctant orgs do too.

--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  
  ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your
subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode






___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Mike Kerner via use-livecode]

First and foremost, you might expect M$ to be able to deliver an OS that is
backward compatible, since they are the 800 lb. gorilla in this
conversation.  They put out the specs that all the hardware vendors built
to, before they decided to change the rules and go in a direction that
broke everything.  When all the hardware vendors were screaming, was M$
trying to build a compatibility layer?  No?  It's similar to what Apple
does every time they change the connector for their phones, just on a much
more severe level.

On Mon, May 15, 2017 at 12:28 PM, Richard Gaskin via use-livecode <
use-livecode@lists.runrev.com> wrote:

> Mike Kerner wrote:
>
> > Unfortunately, there are very expensive pieces of gear that have
> > controls on them that for one reason or another cannot be controlled
> > by OS's newer than XP.  I happen to have one, here.  It cost
> > $750,000.  There is no dealing with the OS issue without replacing
> > the control, and that is also extremely expensive, on the order of
> > $400,000, so you would not replace the control without replacing the
> > whole unit.  M$, when they decided to dump the XP paradigm, just like
> > when they got rid of DOS, broke upgradability for ATM's, machine
> > tools and CMM's, X-Ray and MRI machines, PBX's, etc.
>
> All systems eventually reach end-of-life.  If a vendor has enough
> technical expertise to deliver hardware worth $750k, it seems reasonable to
> expect that expertise would include sufficient familiarity with system life
> cycles to anticipate a need for modular upgrades.
>
>
> --
>  Richard Gaskin
>  Fourth World Systems
>  Software Design and Development for the Desktop, Mobile, and the Web
>  
>  ambassa...@fourthworld.comhttp://www.FourthWorld.com
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Bob Sneidar via use-livecode]

Agreed Richard. And yet, here we are. My Dad for years had to run an old 
Windows 98 box because he had purchased devices and DOS applications for 
integrating with his radio system which would only talk directly to the device, 
and would not access a Windows driver to do it. We pay our money and we take 
our chance. 

Bob S


> On May 15, 2017, at 09:28 , Richard Gaskin via use-livecode 
>  wrote:
> 
> All systems eventually reach end-of-life.  If a vendor has enough technical 
> expertise to deliver hardware worth $750k, it seems reasonable to expect that 
> expertise would include sufficient familiarity with system life cycles to 
> anticipate a need for modular upgrades.
> 
> -- 
> Richard Gaskin


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Richard Gaskin via use-livecode]

Mike Kerner wrote:

> Unfortunately, there are very expensive pieces of gear that have
> controls on them that for one reason or another cannot be controlled
> by OS's newer than XP.  I happen to have one, here.  It cost
> $750,000.  There is no dealing with the OS issue without replacing
> the control, and that is also extremely expensive, on the order of
> $400,000, so you would not replace the control without replacing the
> whole unit.  M$, when they decided to dump the XP paradigm, just like
> when they got rid of DOS, broke upgradability for ATM's, machine
> tools and CMM's, X-Ray and MRI machines, PBX's, etc.

All systems eventually reach end-of-life.  If a vendor has enough 
technical expertise to deliver hardware worth $750k, it seems reasonable 
to expect that expertise would include sufficient familiarity with 
system life cycles to anticipate a need for modular upgrades.


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Mike Kerner via use-livecode]

Unfortunately, there are very expensive pieces of gear that have controls
on them that for one reason or another cannot be controlled by OS's newer
than XP.  I happen to have one, here.  It cost $750,000.  There is no
dealing with the OS issue without replacing the control, and that is also
extremely expensive, on the order of $400,000, so you would not replace the
control without replacing the whole unit.  M$, when they decided to dump
the XP paradigm, just like when they got rid of DOS, broke upgradability
for ATM's, machine tools and CMM's, X-Ray and MRI machines, PBX's, etc.

On Mon, May 15, 2017 at 10:56 AM, Richard Gaskin via use-livecode <
use-livecode@lists.runrev.com> wrote:

> David V Glasgow wrote:
>
> > I recently finished a fixed term contract working for a pretty IT
> > savvy NHS Trust.  The NHS has been forced by central government to
> > reallocate IT (and other infrastructure) monies to front line
> > services.  They are also trapped by legacy software with dependencies
> > on old (and proprietary) Windows systems and software. Now obviously
> > stupid, but actually historic stupidity which was in the 1990s
> > disguised  as good business and standard practice.
> >
> > Not to mention the Clinical Information Systems which look and behave
> > as if it is still the 1990’s.
> >
> > Apart from that, everything is fine.
>
> That's the sad reality of so many security budgets: they don't become
> adequate until after it's too late.
>
> The dependency on older unsafe software versions is one that's always
> mystified me.  I once worked for a vendor whose clients included several
> large hospital networks, and one of them required us to deliver our app in
> a way that would maintain compatibility with IE 6, years after Microsoft
> warned customers to stop using it.
>
> Subsequent versions of a software are generally supersets of features
> found in earlier versions, with the only things missing as we go forward
> being bugs.
>
> When written to spec, it should move forward gracefully.  Microsoft has
> done a better job of maintaining backward compatibility than most.
>
> So if someone writes an app that doesn't work going forward, dependent on
> things specific to an outdated system, in effect their app is dependent on
> bugs.
>
> For any org to consider bug-dependent software "mission critical" should
> raise eyebrows.  For a hospital it seems even more serious.
>
> But I understand how budgets tend to gloss over things like this.  And
> this week, even the most reluctant orgs do too.
>
> --
>  Richard Gaskin
>  Fourth World Systems
>  Software Design and Development for the Desktop, Mobile, and the Web
>  
>  ambassa...@fourthworld.comhttp://www.FourthWorld.com
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
On the first day, God created the heavens and the Earth
On the second day, God created the oceans.
On the third day, God put the animals on hold for a few hours,
   and did a little diving.
And God said, "This is good."
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Richard Gaskin via use-livecode]

David V Glasgow wrote:

> I recently finished a fixed term contract working for a pretty IT
> savvy NHS Trust.  The NHS has been forced by central government to
> reallocate IT (and other infrastructure) monies to front line
> services.  They are also trapped by legacy software with dependencies
> on old (and proprietary) Windows systems and software. Now obviously
> stupid, but actually historic stupidity which was in the 1990s
> disguised  as good business and standard practice.
>
> Not to mention the Clinical Information Systems which look and behave
> as if it is still the 1990’s.
>
> Apart from that, everything is fine.

That's the sad reality of so many security budgets: they don't become 
adequate until after it's too late.


The dependency on older unsafe software versions is one that's always 
mystified me.  I once worked for a vendor whose clients included several 
large hospital networks, and one of them required us to deliver our app 
in a way that would maintain compatibility with IE 6, years after 
Microsoft warned customers to stop using it.


Subsequent versions of a software are generally supersets of features 
found in earlier versions, with the only things missing as we go forward 
being bugs.


When written to spec, it should move forward gracefully.  Microsoft has 
done a better job of maintaining backward compatibility than most.


So if someone writes an app that doesn't work going forward, dependent 
on things specific to an outdated system, in effect their app is 
dependent on bugs.


For any org to consider bug-dependent software "mission critical" should 
raise eyebrows.  For a hospital it seems even more serious.


But I understand how budgets tend to gloss over things like this.  And 
this week, even the most reluctant orgs do too.


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Mark Waddingham via use-livecode]

On 2017-05-13 16:53, Richmond Mathewson via use-livecode wrote:

" The WannaCry virus only infects machines running Windows"

http://www.bbc.com/news/technology-39896393

Err . . . Linux


*cough* Heartbleed *cough* ;)

Mark.

--
Mark Waddingham ~ m...@livecode.com ~ http://www.livecode.com/
LiveCode: Everyone can create apps

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Mark Waddingham via use-livecode]

On 2017-05-13 19:05, Richmond Mathewson via use-livecode wrote:
You cannot send a virus to a BBC because the whole system resides on a 
ROM chip!


Not true - if you have any persistent storage attached to a system (e.g. 
your winchester disk),
and that system interacts with data which comes from outside (via the 
DIMM port) then 'all' an
attacker needs to do is find a vulnerability in the code which executes 
when receiving data
on that port allowing arbitrary code to be executed (which would be 
hidden in the message), and
find a place it can inject itself onto your persistent storage which is 
loaded into memory

and executed and the rest is history...

Of course, the amount of return you'd get on trying to hack such ancient 
setups is probably

zero so you are probably fine.

However, lots of legacy systems still run mission critical 
infrastructure around the globe
so age of systems has nothing to do with vulnerability - as soon as it 
connects to any external
information source whether it be humans, or the internet there is 
potential risk.


For example there was a whole raft of virii on Acorn Archimedes machines 
- usually distributed
via tweaking the boot record of floppy discs to inject malicious code; 
and around the same time
MS had to do something about AutoRun - which was the source of a great 
deal of viral infections

when people handed around USB sticks without thinking.

Warmest Regards,

Mark.

--
Mark Waddingham ~ m...@livecode.com ~ http://www.livecode.com/
LiveCode: Everyone can create apps

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[David V Glasgow via use-livecode]

> On 13 May 2017, at 6:05 pm, Richmond Mathewson via use-livecode 
>  wrote:
> 
> What I do not understand is how organisations like the British State Health 
> System (NHS) cane be so bl**dy stupid to
> rely on Windows, without (obviously) all sorts of safeguards.


I recently finished a fixed term contract working for a pretty IT savvy NHS 
Trust.  The NHS has been forced by central government to reallocate IT (and 
other infrastructure) monies to front line services.  They are also trapped by 
legacy software with dependencies on old (and proprietary) Windows systems and 
software. Now obviously stupid, but actually historic stupidity which was in 
the 1990s disguised  as good business and standard practice.  

Not to mention the Clinical Information Systems which look and behave as if it 
is still the 1990’s.

Apart from that, everything is fine.

Best wishes,

David Glasgow
___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

RE: WannaCry [OT]

[Ralph DiMola via use-livecode]

I still run batch processing on a pair of VAXs running Open VMS. No viruses
on these babies. They've been booted for ...

"OpenVMS V7.1  on node ALBVM1  13-MAY-2017 18:44:45.72  Uptime  921
21:52:27"
"OpenVMS V7.3-2  on node EISVM1  13-MAY-2017 19:31:56.06  Uptime  72
11:09:55"

The lame 72 days on the second VAX is only because I did not get the
generator on-line fast enough 72 days ago when I lost street power.

Ralph DiMola
IT Director
Evergreen Information Services
rdim...@evergreeninfo.net

-Original Message-
From: use-livecode [mailto:use-livecode-boun...@lists.runrev.com] On Behalf
Of Richmond Mathewson via use-livecode
Sent: Saturday, May 13, 2017 1:05 PM
To: How to use LiveCode
Cc: Richmond Mathewson
Subject: Re: WannaCry [OT]

I cannot afford to be smug as my Linux rig (Xubuntu 16.04 64-bit) was hosed
completely about 4 months ago and I only managed to reciver about 5% of my
files.

What I do not understand is how organisations like the British State Health
System (NHS) cane be so bl**dy stupid to rely on Windows, without
(obviously) all sorts of safeguards.

My "underpants" may have a few holes in them, but everyone knows that
Windows is more holes than underpants, and it has been quite adequately
demonstrated that Windows executables running under WINE on Linux tend to be
faster and less vulnerable to viruses.

In about 1985, when I was an undergraduate, the news about AIDS was suddenly
announced, and the TV and radio was banging on about "preventative
measures": obviously the British medical authorities know their stuff re
medical matters, but when it comes to computer systems they neither know
anything much about them, nor do they employ people who do.

--

  Many years ago I read a science fiction book about people living in a
ploice state on Venus, which was, for the purposes of the story, a steamy,
soggy jungle planet with lots of muddy, hummocky islands in one big bog. The
rebels started communicating via AM radio (Amplitude Modulated) because the
authorities of the dictatorship had forgotten about that "old-Tech" and were
using FM (Frequency Modulated) equipment for all their communication needs.

Three days ago I got an e-mail from a chap in Ireland using a Commodore 64!

So, the answer, for us folks who don't have "endless boodle" to constantly
upgrade/update our machines, may lie in retreating into using ancient
machines . . . . so, I suppose my Summer will be spent on getting a
Winchester disc into my BBC Master Compact and sorting out how to get the
5-pin DIMM connection at the back to let me send and recieve e-mail
messages: after all, in 1989 I was using it, via Etisalat, to communicate
with various services even before the internet started.

You cannot send a virus to a BBC because the whole system resides on a ROM
chip!

Anyway, just at the moment I'm dusting off my G3 iMac running Mac OS
9.2.2 with Classilla.

Richmond.

On 5/13/17 6:36 pm, Richard Gaskin via use-livecode wrote:
> Richmond Mathewson wrote:
> > " The WannaCry virus only infects machines running Windows"
> >
> > http://www.bbc.com/news/technology-39896393
> >
> > Err . . . Linux
>
> While it's true that this particular exploit is dependent on a 
> Windows-specific vulnerability, this is no time for smugness. There's 
> a larger issue here relevant for all of us:
>
> IF YOUR SYSTEM US NO LONGER RECEIVING UPDATES, IT'S NO LONGER 
> RECEIVING CRITICAL SECURITY PATCHES FOR KNOWN VULNERABILITIES.
>
> Any such system, if connected to any network that connects to the 
> Internet, should be considered too dangerous to use.
>
> Doesn't matter whether it's Windows, macOS, or Linux.  Once the OS has 
> reached EOL, either upgrade to a supported OS version or turn off all 
> network connectivity.
>
>
> This exploit has become a global tragedy, but worse is that it appears 
> to have been preventable:
>
> Microsoft issued a patch protecting against this months ago, and for 
> the (shockingly large number of) machines still running XP, Microsoft 
> spent literally millions over a many years reminding everyone of XP's 
> EOL date and encouraging them to upgrade to a supported OS version.
>
> Apple (for reasons only they can discern but AFAIK have not disclosed) 
> are less kind to their users, often stopping updates without explicit 
> notice and little if any forewarning.  They do advertise when new 
> versions are available, but generally haven't provided clear notice 
> when EOL is reached for a given version. For example, when Snow 
> Leopard reached EOL, even though some 19% of all Macs were still 
> running it, no notification was provided that it would not be 
> receiving patches; it simply stopped getting them.
>
> With Ubuntu, EOL date is well advertised even before a version is 
> released.  That

Re: WannaCry [OT]

[Richard Gaskin via use-livecode]

Richmond Mathewson wrote:
> What I do not understand is how organisations like the British State
> Health System (NHS) cane be so bl**dy stupid to
> rely on Windows, without (obviously) all sorts of safeguards.

While this specific exploit happened to be Windows-specific, this isn't 
really a Windows issue.


It's a "USE A SUPPORTED OS VERSION!" issue.

From the information available thus far, it looks like Microsoft did 
their job.  They provided protection against this vulnerability months 
ago, and have been warning people not to use older unsupported OS 
versions for years.


If someone switches from Windows to macOS or Linux, as long as they keep 
using OS versions beyond EOL they'll still be putting themselves (ansd 
potentially any system they connect to) at risk.



> Anyway, just at the moment I'm dusting off my G3 iMac running Mac OS
> 9.2.2 with Classilla.

...hopefully without an Internet connection, since Apple stopped 
patching that one a long time ago and criminals have learned a lot since 
then.


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Richmond Mathewson via use-livecode]

I cannot afford to be smug as my Linux rig (Xubuntu 16.04 64-bit) was 
hosed completely about 4 months ago and I only

managed to reciver about 5% of my files.

What I do not understand is how organisations like the British State 
Health System (NHS) cane be so bl**dy stupid to

rely on Windows, without (obviously) all sorts of safeguards.

My "underpants" may have a few holes in them, but everyone knows that 
Windows is more holes than underpants,
and it has been quite adequately demonstrated that Windows executables 
running under WINE on Linux tend to be faster and

less vulnerable to viruses.

In about 1985, when I was an undergraduate, the news about AIDS was 
suddenly announced, and the TV and radio was
banging on about "preventative measures": obviously the British medical 
authorities know their stuff re medical matters, but when it
comes to computer systems they neither know anything much about them, 
nor do they employ people who do.


--

 Many years ago I read a science fiction book about people living in a 
ploice state on Venus, which was, for the purposes
of the story, a steamy, soggy jungle planet with lots of muddy, hummocky 
islands in one big bog. The rebels started communicating
via AM radio (Amplitude Modulated) because the authorities of the 
dictatorship had forgotten about that "old-Tech" and were

using FM (Frequency Modulated) equipment for all their communication needs.

Three days ago I got an e-mail from a chap in Ireland using a Commodore 64!

So, the answer, for us folks who don't have "endless boodle" to 
constantly upgrade/update our machines, may lie in
retreating into using ancient machines . . . . so, I suppose my Summer 
will be spent on getting a Winchester disc into
my BBC Master Compact and sorting out how to get the 5-pin DIMM 
connection at the back to let me send and recieve e-mail
messages: after all, in 1989 I was using it, via Etisalat, to 
communicate with various services even before the internet started.


You cannot send a virus to a BBC because the whole system resides on a 
ROM chip!


Anyway, just at the moment I'm dusting off my G3 iMac running Mac OS 
9.2.2 with Classilla.


Richmond.

On 5/13/17 6:36 pm, Richard Gaskin via use-livecode wrote:

Richmond Mathewson wrote:
> " The WannaCry virus only infects machines running Windows"
>
> http://www.bbc.com/news/technology-39896393
>
> Err . . . Linux

While it's true that this particular exploit is dependent on a 
Windows-specific vulnerability, this is no time for smugness. There's 
a larger issue here relevant for all of us:


IF YOUR SYSTEM US NO LONGER RECEIVING UPDATES, IT'S NO LONGER 
RECEIVING CRITICAL SECURITY PATCHES FOR KNOWN VULNERABILITIES.


Any such system, if connected to any network that connects to the 
Internet, should be considered too dangerous to use.


Doesn't matter whether it's Windows, macOS, or Linux.  Once the OS has 
reached EOL, either upgrade to a supported OS version or turn off all 
network connectivity.



This exploit has become a global tragedy, but worse is that it appears 
to have been preventable:


Microsoft issued a patch protecting against this months ago, and for 
the (shockingly large number of) machines still running XP, Microsoft 
spent literally millions over a many years reminding everyone of XP's 
EOL date and encouraging them to upgrade to a supported OS version.


Apple (for reasons only they can discern but AFAIK have not disclosed) 
are less kind to their users, often stopping updates without explicit 
notice and little if any forewarning.  They do advertise when new 
versions are available, but generally haven't provided clear notice 
when EOL is reached for a given version. For example, when Snow 
Leopard reached EOL, even though some 19% of all Macs were still 
running it, no notification was provided that it would not be 
receiving patches; it simply stopped getting them.


With Ubuntu, EOL date is well advertised even before a version is 
released.  That project follows a fixed release cycle in which all 
long-term support versions get exactly five years of updates, and all 
interim releases get 18 months of updates.  You know even before you 
download exactly when it will reach EOL.


With all three, once you know it's reached EOL you must either 
upgrade, or put yourself and your organization at risk.


If the post-EOL exploits that occurred with Best Buy and Target a 
couple summers ago didn't drive the point home clearly enough, 
yesterday's global attack should:  "What, me worry?" is not a sound IT 
policy.




___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: WannaCry [OT]

[Richard Gaskin via use-livecode]

Richmond Mathewson wrote:
> " The WannaCry virus only infects machines running Windows"
>
> http://www.bbc.com/news/technology-39896393
>
> Err . . . Linux

While it's true that this particular exploit is dependent on a 
Windows-specific vulnerability, this is no time for smugness.  There's a 
larger issue here relevant for all of us:


IF YOUR SYSTEM US NO LONGER RECEIVING UPDATES, IT'S NO LONGER RECEIVING 
CRITICAL SECURITY PATCHES FOR KNOWN VULNERABILITIES.


Any such system, if connected to any network that connects to the 
Internet, should be considered too dangerous to use.


Doesn't matter whether it's Windows, macOS, or Linux.  Once the OS has 
reached EOL, either upgrade to a supported OS version or turn off all 
network connectivity.



This exploit has become a global tragedy, but worse is that it appears 
to have been preventable:


Microsoft issued a patch protecting against this months ago, and for the 
(shockingly large number of) machines still running XP, Microsoft spent 
literally millions over a many years reminding everyone of XP's EOL date 
and encouraging them to upgrade to a supported OS version.


Apple (for reasons only they can discern but AFAIK have not disclosed) 
are less kind to their users, often stopping updates without explicit 
notice and little if any forewarning.  They do advertise when new 
versions are available, but generally haven't provided clear notice when 
EOL is reached for a given version.  For example, when Snow Leopard 
reached EOL, even though some 19% of all Macs were still running it, no 
notification was provided that it would not be receiving patches; it 
simply stopped getting them.


With Ubuntu, EOL date is well advertised even before a version is 
released.  That project follows a fixed release cycle in which all 
long-term support versions get exactly five years of updates, and all 
interim releases get 18 months of updates.  You know even before you 
download exactly when it will reach EOL.


With all three, once you know it's reached EOL you must either upgrade, 
or put yourself and your organization at risk.


If the post-EOL exploits that occurred with Best Buy and Target a couple 
summers ago didn't drive the point home clearly enough, yesterday's 
global attack should:  "What, me worry?" is not a sound IT policy.


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.comhttp://www.FourthWorld.com

___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode