WannaCry [OT]

Richard Gaskin ambassador at fourthworld.com
Sat May 13 17:36:35 CEST 2017


Richmond Mathewson wrote:
 > " The WannaCry virus only infects machines running Windows"
 >
 > http://www.bbc.com/news/technology-39896393
 >
 > Err . . . Linux

While it's true that this particular exploit is dependent on a 
Windows-specific vulnerability, this is no time for smugness.  There's a 
larger issue here relevant for all of us:

IF YOUR SYSTEM IS NO LONGER RECEIVING UPDATES, IT'S NO LONGER RECEIVING 
CRITICAL SECURITY PATCHES FOR KNOWN VULNERABILITIES.

Any such system, if connected to any network that connects to the 
Internet, should be considered too dangerous to use.

Doesn't matter whether it's Windows, macOS, or Linux.  Once the OS has 
reached EOL, either upgrade to a supported OS version or turn off all 
network connectivity.


This exploit has become a global tragedy, but worse is that it appears 
to have been preventable:

Microsoft issued a patch protecting against this months ago, and for the 
(shockingly large number of) machines still running XP, Microsoft spent 
literally millions over many years reminding everyone of XP's EOL date 
and encouraging them to upgrade to a supported OS version.

Apple (for reasons only they can discern but AFAIK have not disclosed) 
are less kind to their users, often stopping updates without explicit 
notice and little if any forewarning.  They do advertise when new 
versions are available, but generally haven't provided clear notice when 
EOL is reached for a given version.  For example, when Snow Leopard 
reached EOL, even though some 19% of all Macs were still running it, no 
notification was provided that it would not be receiving patches; it 
simply stopped getting them.

With Ubuntu, EOL date is well advertised even before a version is 
released.  That project follows a fixed release cycle in which all 
long-term support versions get exactly five years of updates, and all 
interim releases get 18 months of updates.  You know even before you 
download exactly when it will reach EOL.

With all three, once you know it's reached EOL you must either upgrade, 
or put yourself and your organization at risk.

If the post-EOL exploits that occurred with Best Buy and Target a couple 
summers ago didn't drive the point home clearly enough, yesterday's 
global attack should:  "What, me worry?" is not a sound IT policy.

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  Ambassador at FourthWorld.com                http://www.FourthWorld.com


