WannaCry [OT]

[Kay C Lan]

On Tue, May 16, 2017 at 3:13 AM, Richard Gaskin via use-livecode
<use-livecode at lists.runrev.com> wrote:
>
> Might it be (again, we can't know for sure until we talk with each vendor)
> that they simply soldered too little RAM onto the motherboard and provided
> no means of updating the OS because they weren't thinking long-term?
>
Hmmm sounds so simply, but I think when you are talking about any
machine worth more than $1000, especially from any reputable provider
(i.e. one that would win a government contract) then a huge amount of
thought and design has gone into all the compromises necessary to
achieve the 'current objective' whilst achieving an acceptable ROI. In
every case, I'm sure there'd be a desire to make it more modular, add
more RAM, add more software features, or make it smaller or lighter,
but just like the other Post about Tom Pitman and his need to reduce
257bytes of code down to 256 because that was all that was physically
available; there will always be some constraint where today's
technology and hindsight make it easy to say  'if only they did
this/that/the other'.
>
> If hardware vendors are looking for control over their platforms, perhaps
> they should be looking at open source OSes so they have access to the source
> code, ensuring that it will do always be able to do what they need.
>
Again it sounds good but my own prediction is that open source OSes
for 'the internet of everything' will be opening the floodgates for
exploitations that will effect a wider portion of the community, more
and more often. I'm particularly thinking of cheap Chinese smart
phones and TVs. My parents have gone through several cheap Chinese
smart phones (Huwei to name one brand) that have all ended up getting
to an OS version and then can no longer be upgraded. The phone still
makes phone calls; no software makes a phone conversation any better.
That's all my parents, and the vast majority of the population needs.
They are not going to buy another phone just because the OS has EOLed.
The phone gets upgraded only when it's no longer fit for purpose -
battery doesn't last long enough. Same with Smart TVs but on a much
worse scale. Few companies, and certainly no cheap Chinese brand
company has any interest, once they've sold you a TV and made a slim
margin of profit on it, in keeping the OSes up to date. How often does
Linux get a security update, yet how often does your Smart TV tell you
you need to update it's Linux based OS? You really think the
population is regularly going to check the Smart TV Firmware date and
as soon as it gets to the point it no longer can be updated, or is
6/8/12 months behind Linux, they'll trash it and buy a new one? In
most cases it's not even the device that tells you it's OS has EOLed,
it's some other vendor's software (Google Maps/Neflix) that tells you
you can't download the latest version because you aren't running the
latest OS.

Cars, cameras, fridges and a whole heap more are starting to run
Linux/Android and be network connected; unfortunately the bottom line,
not security, is the driving factor for this choice. As I said, I
predict this will increase the number of EOLed OSes available to
unscrupulous entities to exploit.