
Wannacry About Business Models - misiti3780
https://stratechery.com/2017/wannacry-and-the-power-of-business-models/
======
lowbloodsugar
>To put it another way, the alternative is not that the NSA would have told
Microsoft about EternalBlue years ago, but that the underlying bug would have
remained un-patched for even longer than it was (perhaps to be discovered by
other entities like China or Russia; the NSA is not the only organization
searching for bugs).

False dichotomy. The choices are not only:

a) NSA pays lots of money to identify exploits and then hoards and uses them,
vs

b) NSA does not identify exploits, leaving it up to China or Russia to do so
and leaving us vulnerable.

There is a third choice:

c) NSA recognizes that only State actors have the money or time for this kind
of thing, and should invest the money to detect and report exploits _because
China and Russia are probably doing so_.

In fact (a) doesn't actually provide defense against China and Russia having
the exploit: we _were_ undefended _until the exploit leaked_, and without the
leak, China or Russia could have executed an attack at any time. They didn't.

~~~
sigmar
>c) NSA recognizes that only State actors have the money or time for this kind
of thing, and should invest the money to detect and report exploits because
China and Russia are probably doing so.

China and Russia are reporting vulnerabilities? Got a source for that?

~~~
Sniffnoy
I'm pretty sure they meant "because China and Russia are probably identifying
exploits", not "because China and Russia are reporting exploits". I.e. it's a
defensive measure.

------
dreamdu5t
Elephant in the room is that the vast majority of real-world privilege
escalation and RCE is through buffer over-reads. Type errors are costing
billions in damage.

Hacks like WannaCry don't exist because of the NSA, or consumers failing to
update, they exist because programmers use languages that freely compile
buffer over-reads in the first place.

The ugly truth is WannaCry and 90% of RCE is the fault of the programming
industry for taking zero responsibility for their processes. Programmers
choose to use extremely unsafe languages and it's costing the world billions
in damage.

The only way we've gotten away with this is the public is largely ignorant of
how culpable programmers actually are. They think hackers are demi-gods when
it's really just the same damn buffer exploit over and over again.

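As an added example of the bug class the comment above is talking about (this is illustrative code written for this page, not code from the comment, the linked article, or any real protocol stack): a length-prefixed record parser in C that trusts the attacker-supplied length field, beside a hardened version that validates it. The wire format, the function names and the sample messages are constructed for illustration and are not SMB or EternalBlue.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example: one length byte, followed by
 * that many payload bytes.  Nothing here is SMB or any real protocol. */
#define MAX_PAYLOAD 255

/* VULNERABLE: trusts msg[0] and copies that many bytes out of msg, even if
 * the caller only received msg_len bytes.  A peer that sends len=200 with
 * 3 bytes of payload makes this read 197 bytes past the end of the receive
 * buffer (a buffer over-read) and hand whatever was there to the caller.
 * The compiler accepts this without a warning. */
size_t parse_record_unchecked(const uint8_t *msg, size_t msg_len,
                              uint8_t out[MAX_PAYLOAD])
{
    (void)msg_len;                      /* never consulted: that is the bug */
    size_t claimed = msg[0];
    memcpy(out, msg + 1, claimed);      /* over-reads when claimed > msg_len - 1 */
    return claimed;
}

/* HARDENED: the claimed length is checked against what was actually
 * received before any copy happens.  Returns (size_t)-1 on a malformed
 * record so the caller can drop it. */
size_t parse_record_checked(const uint8_t *msg, size_t msg_len,
                            uint8_t out[MAX_PAYLOAD])
{
    if (msg == NULL || msg_len < 1)
        return (size_t)-1;              /* no length byte present */
    size_t claimed = msg[0];
    if (claimed > msg_len - 1)
        return (size_t)-1;              /* length field lies about the payload */
    memcpy(out, msg + 1, claimed);
    return claimed;
}

int main(void)
{
    uint8_t out[MAX_PAYLOAD];

    /* Constructed well-formed record: len=3, payload "abc". */
    const uint8_t good[] = {3, 'a', 'b', 'c'};
    size_t n = parse_record_checked(good, sizeof good, out);
    printf("well-formed record: copied %zu bytes\n", n);

    /* Constructed hostile record: claims 200 bytes, carries 3. */
    const uint8_t evil[] = {200, 'a', 'b', 'c'};
    n = parse_record_checked(evil, sizeof evil, out);
    printf("hostile record: %s\n", n == (size_t)-1 ? "rejected" : "accepted");

    /* parse_record_unchecked(evil, sizeof evil, out) compiles and runs, and
     * would read 197 bytes beyond `evil`; it is deliberately not called. */
    return 0;
}
```

The checked version is the whole fix: the only difference is one comparison between the length the peer claims and the length the receiver knows it has. In a memory-safe language that comparison is performed by the runtime on every indexed access; in C it exists only if the programmer writes it.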
~~~
dkarapetyan
You make some good points but they are lost in the rant.

------
Spooky23
This is a bizarre perspective.

Microsoft isn't a victim here. They made decisions that made it difficult or
impossible for customers to upgrade their software. They also print money.

Is it a pain in the ass to support a bunch of old software? Yes. Should
anyone, anywhere have any sympathy for them? No.

~~~
votepaunchy
How "old" is sufficient? Forever?

Is fixing 0-days sufficient "support", or do you think Microsoft should be
forced to actively invest in security updates for end-of-life software?

~~~
brianbreslin
My question would be how could you bake into the original cost the cost of
long term support when you have no idea how long one might use it? Windows XP
was only end of life after 14 years. Some people STILL use it. I doubt the
$139 price 14 years ago was expected to cover more than 5 years of use. Would
$5/month forever make more sense?

~~~
JustSomeNobody
You treat SW as a service and sell licenses instead of "boxed" copies.

~~~
brianbreslin
I bet a lot of the companies buying thousands of copies of windows were
treating them like assets and depreciating them over 3 years. Can't do that
when it's a subscription. Also no one was doing SaaS at wide scale until 9/10
years ago.

------
mark-r
I don't think SAAS aligns the incentives the way the author claims it does.
The biggest effect is to incentivize lock-in to an even greater extent than
today. After all, if you can't switch then the money is guaranteed to keep
pouring in.

Under the old model, if you didn't like Vista then you could stick with XP or
wait for 7. Microsoft had definite incentives to make sure they were making
improvements that were valuable to people. Under SAAS, you don't like Vista?
Sucks to be you, because it's already installed - and thanks for the cash!

Finally this model doesn't account for those that can't do updates for one
reason or another. Many of the first systems hit were medical systems that
can't even do critical upgrades without going through a full requalification.
It's possible that Windows should never have been considered for those systems
in the first place, but the pressures of the marketplace almost guarantee that
it happens.

------
dkarapetyan
It is easy to say put everything in the cloud and charge a monthly fee. The
reality is there are all sorts of regulatory requirements that prevent this.
How are you going to make a SaaS model work with SCADA systems? Many of these
systems are networked and running ancient windows versions. SaaS for these
systems doesn't work.

~~~
Sophistifunk
The important part isn't moving your data to the cloud, the important part is
updating your software and paying a subscription.

------
a_b_c_d
SMB predates the internet. It is designed for the LAN.

There was a time when Windows was not internet-compatible unlike another OS I
recall using at the time: BSD UNIX.

Then Gates finally gave up trying to understand why anyone would want an
internet connection and decided he would dominate the www so he took the
TCP/IP stack from a UNIX OS and inserted it into the Windows kernel. Then came
"Internet Explorer".

From that day forward, Windows has _always_ been vulnerable. It has been
continuously vulnerable.

Unlike Windows, UNIX has never needed NetBIOS, SMB, CIFS, or whatever
Microsoft calls the additional layers of complexity today. UNIX can directly
handle TCP and UDP. UNIX lacks the attack surface that Windows SMB provides,
by default.

Microsoft refuses to acknowledge this flaw and fix it. Windows has an
enormous user base. No need to win users over with sensible design. They are
already locked in.

In any other industry a product with a track record like Windows would have
never been used for internet purposes. But this is no ordinary product. 80% or
more of Windows users do not _select_ and purchase Windows. They get it by
default with the purchase of a computer. There is no choice. There is no
refund for a defective Windows. Because there was no purchase. Sorry users.

As an end user, I got better "customer service" from the volunteers behind a
free open source UNIX-like OS than I ever did from Microsoft.

The best way to make Windows "safe" is to disconnect it from the internet.
"Updates" are not going to solve the problem that Microsoft itself has created
and perpetuated for over 20 years. Windows was never meant to be connected in
the first place. That was not Gates' vision.

And we are still seeing that legacy today.

Rumors of the retirement of Windows, e.g., a Midori replacement, were
apparently no more legitimate than a 1990's Microsoft vaporware announcement.
Microsoft need not do anything. Monopoly is sweet.

There are other OS besides Windows, open source and available for free, which
are better suited to be internet-facing computers. Microsoft alas will never
admit this and will continue to encourage, perhaps even _require_, people to
connect Windows computers to the internet.

Microsoft's latest move is to replicate the userland of one of those other OS
into Windows. That way the user will get the "benefit" of SMB. (or whatever it
is called now)

If the user were using a UNIX-like OS that has no SMB layer on their internet
connected computer, then how would they experience the fun of EternalBlue?

Meanwhile a quick read about this latest worm is that it relies on common file
extensions to select files for encryption. Does this mean that if the user
renames the file extension on her important files from .docx, .xlsx, etc. to
.wannalaugh then they will not be encrypted? Maybe she could xcopy them to
.wannalaugh in bulk.
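An added example for the rename question above (illustrative C written for this page; it is not the commenter's code and not WannaCry's): the two ways an encryptor can pick its victims, so the trick can be checked concretely. The extension list is a constructed sample rather than the worm's real list, `.wannalaugh` is the commenter's hypothetical extension, and the magic-byte signatures are the well-known ZIP, OLE2 and PDF headers. The example goes one step past the comment by also showing the caveat a practitioner would raise: renaming defeats selection by extension, but not selection by file content.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of extensions an extension-driven encryptor might
 * target.  Not WannaCry's actual list. */
static const char *const TARGET_EXTS[] = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".jpg", NULL
};

/* ASCII case-insensitive string equality (kept local so the example does
 * not depend on the POSIX-only strcasecmp). */
static int equal_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Strategy 1: select by file-name extension.  Returns 1 if the name would
 * be selected, 0 otherwise.  A dot inside a directory component does not
 * count as an extension. */
int targeted_by_extension(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL || strchr(dot, '/') != NULL)
        return 0;
    for (size_t i = 0; TARGET_EXTS[i] != NULL; i++)
        if (equal_nocase(dot, TARGET_EXTS[i]))
            return 1;
    return 0;
}

/* Strategy 2: select by content, ignoring the name entirely.
 * OOXML documents (.docx/.xlsx/.pptx) are ZIP archives and start with
 * "PK\3\4"; legacy Office files (.doc/.xls/.ppt) carry the OLE2 compound
 * file signature; PDFs start with "%PDF".  Returns 1 on a match. */
int targeted_by_magic(const uint8_t *data, size_t len)
{
    static const uint8_t zip[]  = {0x50, 0x4B, 0x03, 0x04};
    static const uint8_t ole2[] = {0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1};
    static const uint8_t pdf[]  = {'%', 'P', 'D', 'F'};
    if (len >= sizeof zip  && memcmp(data, zip,  sizeof zip)  == 0) return 1;
    if (len >= sizeof ole2 && memcmp(data, ole2, sizeof ole2) == 0) return 1;
    if (len >= sizeof pdf  && memcmp(data, pdf,  sizeof pdf)  == 0) return 1;
    return 0;
}

int main(void)
{
    /* Constructed first bytes of an OOXML file (a ZIP local-file header). */
    const uint8_t ooxml_head[] = {0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x06, 0x00};
    const char *names[] = {"budget.xlsx", "budget.wannalaugh"};

    /* Same content under both names: the rename changes only strategy 1. */
    for (size_t i = 0; i < 2; i++)
        printf("%-18s by-extension=%d by-content=%d\n", names[i],
               targeted_by_extension(names[i]),
               targeted_by_magic(ooxml_head, sizeof ooxml_head));
    return 0;
}
```

If the worm selects by extension as the comment describes, the renamed file is skipped by that check and only that check; a sampler that reads the first bytes of each file still finds it. The defense that does not depend on guessing the attacker's selection logic is a tested, offline backup.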

