
The World Is Getting Hacked. Why Don’t We Do More to Stop It? - thesagan
https://www.nytimes.com/2017/05/13/opinion/the-world-is-getting-hacked-why-dont-we-do-more-to-stop-it.html
======
geocar
The world gets hacked _because_ programmers make mistakes, and their
management cannot evaluate those mistakes -- if only for no other reason that
sometimes it isn't even obvious they made a mistake until a couple years
later.

Users have been fooled: Turn it off and on, is a reasonable and well-known
troubleshooting guide, but _nobody_ blames the software vendor. If I'm on the
phone with a company and they tell me to turn it off and on, I can't even
point out "so you sent me something defective?" _this is normal folks_.

Maybe we need to teach programming younger and younger -- and it'll take two
or three generations to become common enough that management will actually
understand what I'm doing. Or maybe we need awareness campaigns to keep users
from putting up with shit experiences!

Or maybe someone has some other idea, but the major barrier exists: We don't
know how to program computers, and _saying that out loud_ makes a lot of
people with the job-title (or description) of programmer clam right up.

~~~
sfilargi
You are dead wrong in everything. To start with, your analogy is bad. You
cannot compare psychical items with software. When you buy a car do you expect
it to run and last forever? Software does, so you can see immediately that
it's not a good analogy.

Large systems are extremely complex but even so we have process, tools and
methods to build reliable, verifiable and bug free code. What is stopping us
from using them for every piece of software is the cost.

Consumers are happy with the status quo of quality/cost.

~~~
geocar
> Consumers are happy with the status quo of quality/cost.

Consumers cannot understand the cost because they are not programmers.

I don't understand the rest of your post. I'm not making an analogy to any
psychical [sic?] items, physical items, or any other kinds of items.

~~~
qb45
Maybe not exactly "cannot", but they often don't because the really big costs
of shit software are rarely paid and to many users it hasn't happened yet, so
it is easy to miss them until you find all of your files encrypted by
ransomware and suddenly need to figure out this new bitcoin thing.

~~~
geocar
I think that's exactly the definition of "cannot".

~~~
qb45
I think I could point you to a dictionary at this point but let's agree on
"it's sufficiently hard and unlikely that in practice they pretty much
effectively cannot" :)

------
_ph_
A true disaster always has more than one cause. It took many separate problems
and mistakes to sink the titanic and cause such a large loss of human life.
Same here. There can be endless and interesting discussions about the role of
the NSA, Microsoft, the end users in this very specific incident.

But the root of the problem is, that computer security still does not get the
proper awareness and attention. This starts from how we write software, but
from a society point of view, mostly how we deal with computer systems.
Computer systems are not toasters which you can replace easily. Often they are
part of larger installations, difficult to replace as a component. We need to
deal with them as with aspects of traffic or workplace safety, or hygiene.
There should be a clear concept (I sincerely hope we don't require too strict
state regulations) that like any professional tool, a computer system has to
be reviewed in regular intervals for being fit for its intended purpose, and
maintenance for security should be done as naturally, as mechanical or
electrical checks.

So, for any computer-powered (and networked) device, this would mean, that
either there is a maintenance contract in place, which in the end would mean,
the provider has a contract with Microsoft, if Windows is used, or, like with
any other device, the machine is no longer considered fit for professional
use.

------
wwwigham
The article states this:

> The money they made from these customers hasn’t expired; neither has their
> responsibility to fix defects.

This is wrong. We don't ask for mandatory lifetime guarantees in any other
industry I'm aware of, and perhaps more importantly, much of what is done in
the field wouldn't be possible if it did (could you imagine having to continue
to maintain an IE5 webpage for another twenty years?).

It goes on:

> In its defense, Microsoft probably could point out that its operating
> systems have come a long way in security since Windows XP, and it has spent
> a lot of money updating old software, even above industry norms. However,
> industry norms are lousy to horrible, and it is reasonable to expect a
> company with a dominant market position, that made so much money selling
> software that runs critical infrastructure, to do more.

If I buy a toaster it comes with a one year warranty, maybe. A nice car might
come with a five year or two hundred thousand mile limited warranty. Microsoft
sold a product at a fraction of that cost and supported it, unconditionally,
for 8 years. 8. And they supported it for five more after that with
appropriate arrangements with enterprises (and after a select few enterprises
who somehow concluded that paying some engineering salaries at Microsoft for
dedicated support was cheaper than upgrading). That's a 13+ year lifetime of
support on what was an $80 a license product. Industry norms can only be
"horrible" insofar as there's only been a serious industry for 30 years... And
XP was supported for half of it (man, I suddenly feel old). My point is that
there is no world in which the "cash-strapped National Health Service" is not
the primary entity which was grossly negligent in its maintenance of critical
infrastructure.

Stepping back and looking at the article as a whole and less at specific
inflammatory parts, it is, well, filled with inflammatory parts. It starts as
a thin attack piece on Microsoft for being slow to provide free support for a
16 year old product, offhandedly references IoT for some added scare factor,
then starts calling for action (from both corporate and government actors)
without any serious discussion on either the merits of the proposed actions or
the impacts taking them would have on those organizations or the implications
that they would create for future actors.

But hey, if you're a fan of Bruce Schneier's more recent musings, at least
you'll enjoy the conclusion: That we must legislate software, and fast.

~~~
eveningcoffee
I think you are getting it very wrong.

What guarantee used to mean is that if product has _manufacturing defects_
then these will appear within limited period of time.

Having a 5 year guarantee for a car does not mean that it will fall apart
after this period of time. It means that defects that occur after this period
of time are due to wear and not _manufacturing defects_.

The main difference between a software product and say a car is that it
appears that _manufacturing defects_ of the software would take much longer to
appear than 2 or 5 years. Sometimes it may take even 10-20 years for a defect
to appear.

The main issue with Microsoft software is that the problem, when it becomes
apparent, can not be fixed by the owner as it could be with any other product.
This is caused by the closed nature of the Microsoft software.

Another thing you get wrong is that you call XP a $80 product. It is not. It
is a $80 x number of owners product.

~~~
falcolas
> can not be fixed by the owner as it could be with any other product

I think this is nice in theory, but impractical with our current level of
technology. If your toaster broke, would you be able to fix it? How many
owners have the analog circuit knowledge to fix even a toaster from the pre-IC
world? Would you be willing to invest the tens of hours and dollars required
to fix it? Or would you just go buy a new one for $20?

Aside from people who train to do so, even your above-average owner can not
maintain or repair a modern car drivetrain. Or an IC which has, thorough the
laws of physics, formed whiskers that have caused it to short out. Most people
couldn't even replace such an IC, even if given all the fairly specialized
tools.

Nor could they realistically learn enough about programming to realistically
find and repair defects in a 45 million LOC codebase.

Hell, as a (as called by peers in the past) above-average programmer, I
couldn't grok 45M lines of code in anything resembling a reasonable timeframe.

Just opening the source is not enough. And just as car maintenance costs money
(sometimes more than the car cost originally), if you want software patches
past a reasonable span of time, those are going to cost money.

------
louithethrid
Cause the users dont know what they are actually buying. They go for
superficial signs of quality - like weigth, design, surfacepolishing and nice
UI.

Security of a object is a thing you can only evaluate the day it turns around
and snaps at you.

Now the default american solution for this, would be to have a "Late-Adopter"
plugin, allowing to install "Additional" Gated-Comunity-Security for the rich
- and let the mob become one huge botnet, held back by aggressive campaigns of
bricking whole device classes remote should they be a threat to the "devices"
in the better neighbourhoods.

Unfortunatly the rest of the world is either too poor or unwilling to follow
this model, which means we are going to see a regulated, securty TÜV checked
model in europe and japan, state regulated devices in china & russia - and a
wild west everywhere else.

------
gmuslera
The article is wrong on timing because they choose to ignore the herd of
elephant in the room.

The world has been getting hacked since before 2013 by the NSA and related
parties. They wanted to keep it hackable (by them, but an open door is open
for everyone), not to fix what was wrong (even they asked/forced companies to
include backdoors, unsafe encryption and so on). They developed (directly, or
hired third party companies) software to hack it even more, and not just
systems but people too. They created an entire market of malware/exploit/zero
days, where was pretty profitable to find zero days and sell/hoard them
instead of warning the world.

Is not amazing that in this scenario of planned/designed insecurity at every
level even they get hacked/intruded/disclosed, and not just not to get
information but the software weapons they were already using too.

Is like the department of health has been developing all the latest years new
flu strains, are weaponizing them, and somewhat, you get sick, they get sick,
everybody else get sick and some of the people you know dies. Would you
complain about the last person that transmitted you the disease, the vaccine
makers that run behind the (designed) diseases and even are forbidden/delayed
to make a cure for them, or the root cause of it all?

Instead of asking why we don't do more to stop it, ask yourself why we did
(and keep doing) so much to make it happen.

------
chpmrc
Because most people don't give a crap? Out of the 10 people who saw the news
(on TV!) while I was there 9 reacted with "Ha! These hackers..." and 1 with
"I'm pretty sure they are not interested in a guy like me, I'm safe haha".

Until people start losing personal money they won't bother educating
themselves. They see these "hacking games" as, well, games.

------
fit2rule
I would say the reason the world is getting hacked is quite simple: OS vendors
are asleep at the wheel. Instead of actually improving their OS platforms,
they're instead turning them into web browsers and game engines - while all
the vital services that a modern OS should provide are being ignored in the
rush for control.

Take for example, the Fappening. This was possible because iCloud. iCloud is
only necessary - like Dropbox and other services like it - because OS vendors
decided they didn't want people to have control over their content, using
their local computers - that it was 'easier' to provide servers dedicated to
the purpose, than to actually add dedicated file sharing to the individuals'
computers.

(There are no really good reasons why your modern PC can't serve its own
content - especially in this era of bandwidth and monster CPU power. We hosted
the 90's Internet on far less powerful computers than your average mobile
phone, with less bandwidth too.. the point is, the protocols.)

So I honestly think that OS vendors need to be forced back behind the wheel to
make our computers better, and the "network is the computer" business model
needs to die. This was always a terrible idea, formed on the basis of an
accountants wet dream, and should be forgotten as soon as possible. Instead,
lets build better computers, simple as that. Computers that are actually safe
to use because they've been designed that way, from the get-go. The cloud must
die.

~~~
geocar
How do you force them back to the wheel?

~~~
fit2rule
The same way you handle every 'new' world order, of course .. you build
another one right on top.

i.e. IPFS, Akasha, Ethereum, etc. These need to become first-class services in
a default OS install. Then, maybe, we'll start evolving again ..

------
drinchev
Hopefully governments will one day take GNU/Linux based OS & Software. I know,
I know ... Linux for Desktop is hard, but it seems like making exploits are
harder than doing the same for Windows ( maybe hacker focus is on windows, who
knows. ).

Anyway money equation I think is quite simple :

Why buy Windows, when you can use Linux and buy backup infrastructure.

~~~
gaius
The recent attack on the NHS targeted Windows XP. I dare you to run a Linux
distro from 2001 and tell me its secure from modern attacks.

~~~
eikenberry
That's about the time I installed my Debian system that I am still using
today. I updated it continuously over the years, but have never re-installed.
I wouldn't say it is secure from all modern attacks, because no system is. But
it was never obsoleted.

~~~
vbezhenar
You can update Windows installations as well. People run Windows XP either
because they like its interface or they don't want to risk upgrading. Linux
doesn't help with either case. If I liked Debian 3.0, I don't have an easy
option to run it with all modern security updates now.

The only thing that Linux has is free as beer. Many people don't want to spend
money on buying new Windows and Windows XP works for them just fine. Linux
could certainly help here.

~~~
belorn
You are comparing upgrading a system with going to the store and buy a new
operative system and saying its the same thing. Windows vista was not a
Windows XP update, and in theory they could have nothing in common but the
name and the publisher.

There need to be a meaningful distinction between a software update for a
product and a new product. For a operative system, hardware requirement and
driver support is quite critical.

As a small testament to this, I had a server which hardware initial had 3.0
Woody as the version and ran until 6.0 Squeeze, at which point the motherboard
gave up.

------
roadbeats
> ...started, as it often does, with a defect in software, a bug.

It all started with poor ethics. Every single version of Microsoft Windows
have intentionally left backdoors for NSA and some hackers knew how to use it.
This is like you pay some money and buy a house, but the previous owner keeps
backup keys to watch you. And some others get the backup keys, kick you out of
your own home unless you pay them.

This is such a shame for Microsoft, NSA and American government. People
trusted Microsoft products and purchased them, in return, Microsoft wanted
more than money; they wanted to spy them for their ideological goals.

~~~
Buge
>Every single version of Microsoft Windows have intentionally left backdoors
for NSA and some hackers knew how to use it.

Is there any proof of this?

~~~
roadbeats
Have you followed the news at all ?

~~~
Buge
I have somewhat. I don't recall hearing "every single version of Microsoft
Windows have intentionally left backdoors for NSA".

~~~
roadbeats
For last 15 years Microsoft keeps same "bug" in their every single operating
system, even after rewriting it bunch of times. Noone except NSA knew about
this bug until their tools got leaked, for 15 years. Can you believe it ?
Somehow, only NSA discovered and used this bug. And you're gonna sit in your
chair and ask for proof. People like you easily get manipulated by shit
organizations like CIA and Microsoft because they can get proof of the color
of your poop, unlike me. I don't have a proof, but just use your critical
thinking skills. If you got any.

------
gaius
To howls of outrage, I have suggested to several companies that we simply
disconnect from the public Internet. People programmed before cut-and-paste-
from-SO was a thing after all. Obviously the web servers in the DC need to be
accessible but the desktops in the office, or the critical bits of infra like
DB, file servers and so on, nope.

Anyone who wants to surf can easily do so on their personal smartphone with no
risk to corporate systems. No one has ever been able to put together a
coherent rebuttal to my proposal, yet still the PCs remain connected and still
people click things they shouldn't...

~~~
fit2rule
> People programmed before cut-and-paste-from-SO was a thing after all.

I've always considered SO to be more a sign of devolution than anything else.
It hasn't produced better programmers - just more programmers. Is that better?

~~~
drinchev
SO, although can be misused via copy & paste to production, is one of the
greatest productivity boost I've ever had ( I'm 15+ years of experience ).

Sure I remember having lots of fun with Turbo Pascal and paper books, as well
as Perl and `man perlre`, but nevertheless there is always one weird error
that will cost you half a day of debugging, which nowadays is replaced with 5
minutes googling.

SO community are doing fine job with preventing bad code left without the
warnings, but anyway I think SO delivered more to programming than it actually
took.

~~~
fit2rule
I think the SO mentality leads to lazy developers who depend too much on the
wisdom of others and don't do enough to push their own forward. Too many times
I've seen "tech departments" sitting around, incapable of doing anything
productive, because "the internet is down". This is a real issue, and I wish
it got a bit more attention from the cognescenti .. we are producing
generations of robotic developers who can't get anything done without hand-
holding...

------
a_imho
There is not enough incentive to do so, carrot or stick.

