[talk] Suggest meeting topic: role of BSD in response to ransomware
bcully at gmail.com
Tue Jul 11 13:23:13 EDT 2017
> On 11-Jul-2017, at 13:01, Steven Kreuzer <skreuzer at exit2shell.com> wrote:
>> On Jul 11, 2017, at 9:31 AM, James E Keenan <jkeenan at pobox.com> wrote:
>> Suppose that you are a sysadmin or other, non-executive-level techie in such an organization. You've heard about FreeBSD and OpenBSD and you wonder, "Would using these OSes have helped us either resist a ransomware attack? Could they help us recover better from such an attack?"
> So, just like everything else I think that the answer is both yes and no. For this very particular incident the exploit vector was taking advantage of a Windows specific issue. This attack would have been mitigated if you ran a patched version of Windows as Microsoft had already provided a fix for this. If your file services for windows clients were provided by Samba running on either a BSD or Linux box, a NetApp, Isilon or some other enterprise storage solution you also would not have been vulnerable to WannaCry.
MS didn’t provide a fix for XP, which was a huge vector, until after WannaCry hit. At least if you weren’t paying for support. It’s almost its own kind of ransomware: pay us to provide you security patches we’ve already developed because it’d be a real shame if something happened to your lovely MRI machine.
> Its always really easy to point a finger at Microsoft and blame them for writing buggy, insecure software but more often than not the real underlying issue is that the company doesn't put an emphasis on security, values uptime more than upgrades or has components that are so critical to business continuity that people are afraid to touch them. In my experience its usually been a combination of all three. Unfortunately, no amount of technology can fix a broken culture.
This, very much. But there’s one other angle that Zeynep Tufecki keeps hammering home: upgrading software often breaks things or introduces unwanted “features”, such as Windows 10 deciding it’s time to spy on you for better advertising. You can’t /just/ get security updates in many cases. This is much less an issue in the *nix world, but it still happens. Throw in the thousand other constraints around a lot of software infrastructure in the wild and this becomes a really difficult to intractable issue for end-users. In the end, I gotta agree with her conclusions: it’s not the fault of the users that this stuff happens, it’s the fault of existing tech culture and processes, and it’s on us to change. After all, it’s our software that’s eating the world, so what are we doing to make sure that happens safely? The stuff we get away with would never fly in a proper engineering context.
More information about the talk