Hey cyber techbros, smugly yelling 'patch and back-up' won't fix ransomware

Stop blaming the customers who drown in the endless torrent of repairs needed to plug the holes in your shoddy products. This week it's Microsoft, but you're all guilty.
Written by Stilgherrian, Contributor

Microsoft's official response to the current wave of ransomware calls for "urgent collective action to keep people safe online". What a glorious piece of misdirection.

"The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States," wrote Brad Smith, Microsoft's president and chief legal officer.

"A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected," he wrote.

"This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect."

Smith threw further blame at the NSA. "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," he wrote. Of course the NSA isn't in a position to respond to this essentially political argument.

So got the message there? The NSA made the bad thing that the criminals used. Microsoft had already fixed this problem. We did our bit, but the naughty customers hadn't done their bit.

Smith also repeated Microsoft's call for a Digital Geneva Convention, which echoes Australia's call for international cyber norms, and Eugene Kaspersky's call for cyber arms control.

Cybersecurity professionals squirted out a tsunami of victim-blaming over the weekend.

Some of the hardest-hit organisations were hospitals, including many of those run by the UK's National Health Service (NHS). Why hadn't they patched all their machines? Why wasn't everything backed up?

The owner of Pinboard had the answers: "I'm a hospital, not a tech company, and your updates break my software."

"Blaming people for using ancient software is really weird," Pinboard added. "There's no other context where we demand constant replacement of things that work."

When you're running a hospital full of machines that go ping, you can't afford an update to kill those pings, because that in turn can kill people. Context matters.

Another infosec professional mzbat wrote: "In my NASA [experience], patches can (and do) render specialised optics, cryo, & laser systems inoperable. The same is likely true for hospitals."

And as Rendition Infosec founder Jake Williams pointed out, "I really don't get people who are posting 'ransomware attack wouldn't happen if NHS used Mac or Linux' -- they couldn't [do their] work either," because Windows is what runs their specialist medical devices and their management software.

Real-world organisations operate in the real world. Overworked systems administrators work within limited budgets. In many organisations, sad but true, the need for constant availability trumps security.

No, the real problem here is that for decades the IT industry as a whole has been selling rubbish products. It's become fabulously wealthy by making products that are broken to begin with, and often, directly or indirectly, charging customers to fix them.

Technology is shipped so full of holes that a huge part of the industry is a massive crew of highly-trained professionals working flat out to plug all the leaks. Then, when customers inevitably slip and sink into this torrent of faults, the vendors and cybersecurity professionals blame them for being unable to swim.

Does this seem ethical?

Operating systems aren't the only problem, of course. One does have to ask why, say, medical software is also so shoddy.

Smith's statement ended with a familiar message.

"The WannaCrypt attack is a wake-up call for all of us. We recognise our responsibility to help answer this call, and Microsoft is committed to doing its part," he wrote.

Well, we've had cyber wake-up calls since at least 2007. You could even argue that the wake-up calls started with the Morris worm some 29 years ago, though we didn't call it cyber back then.

I think it's fair to say that Microsoft really hasn't done its part. Indeed, almost no-one has been committed to doing their part, for three decades.

"At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, 'pay extra money to us or we will withhold critical security updates' can be seen as its own form of ransomware," wrote Zeynep Tufekci in the New York Times.

Tufekci reckons that with more than $100 billion in cash reserves, Microsoft could afford to help institutions and users upgrade to newer software, especially those who run essential services.

"Industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more," she wrote.

Given all this, in the context of this latest wave of ransomware, the smug patch-and-back-up told-ya-so from the cyber techbros isn't particularly helpful. It does nothing to address the deep structural and attitudinal problems in the IT industry.

Will this happen? Probably not.

Techbros believe that for every problem there's a purely technical solution that just happens to match their own skillset. And despite your own knowledge of your specific needs, your "failure" to follow their plan is because you don't understand the technology.

Imagine if techbros built cars, and word came through that minor accidents could cause cars to explode. The techbro solution would be to cover the cars in polystyrene crash tiles -- which of course are still flammable -- upgrade the engine to four times as powerful, and add 4G connectivity so if the car explodes it can call the fire brigade. With a choice of ringtones.

Oh wait. Techbros are already building cars. Even better, they're putting their software in charge of those cars. Excellent.

Finally, consider the recent words of Jensen Huang, chief executive officer of Nvidia.

"Software is eating the world, but AI is going to eat software," Huang told the MIT Technology Review. Health care and the automotive industry are going to be "transformed" by artificial intelligence.

May God have mercy on us all.

Disclosure: Stilgherrian has previously travelled as a guest of both Microsoft and Kaspersky Lab.