
Thanking WannaCry

Yes, the title of this post may sound odd coming from an IT professional, but that is just it: I’m a professional, not just someone who gets paid to write code. I run into sooo many people who want everyone to believe “professional” means getting paid for it, and nothing could be further from the truth. Professional is defined by the level of architecture one provides in their solution design and the level of security they build into it. Hacking something out to complete an Agile story within a sprint isn’t professional.

Why am I thanking WannaCry? That’s easy. Before WannaCry was unleashed on the completely obsolete Windows platform, I used to get 150-250 spam messages per day. The first day WannaCry was making news headlines, I only got 10. Even now it feels like I’m getting fewer than 50 per day and most of those are from legitimate spammers. (By legitimate spammers I mean travel and retail sites I’ve used in the past who insist on polluting my inbox, not the “Russian Bride” and “cheap Viagra” sites.) It seems that most spammers around the world were running a pirated version of a completely dead operating system and were too cheap to pay the ransom. So, that is one of the reasons I’m thanking the WannaCry ransomware.

Of course, on my desktops I run various flavors of Linux and I actually back up. For those who don’t know, I started out in computer operations, mounting tapes and pulling reports. I have no fear when it comes to backing up to tape or an external drive. I even cart versions of my backups “off-site” to a building which does not contain my office.

But what about the hospitals, you ask? What about them? For decades they’ve been using the cheapest platform they can find and staffing it with low wage labor. You forget, I’ve worked on embedded systems for medical devices. The FDA had rigorous testing to ensure even our Wi-Fi-enabled devices did not allow any inbound communication. They all had to reach out to a manually configured back end system with a proprietary data protocol. You could not log in via any means other than a physical connection to the service port, which was inside the device. There was no way to deliver a virus to it because it was all raw data which got chunked off into various fields and stuffed into a database. There was no inbound SQL allowed, and no column could overrun because only the maximum number of characters for each field were ever pulled from the inbound data stream. You want to send 6000+ characters for a 15 character field? Fine, but everything after 15 was simply skipped.
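The bounded-field parsing described above, as an added example in C that is not the device's or the author's own code: the '|'-delimited record layout, the three field widths and the 6000-character input are constructed assumptions, and the truncation count is an added hook a device could log.

```c
#include <stdio.h>
#include <string.h>
/* Constructed layout (an assumption, not the device's real protocol):
 * '|'-delimited fields, each with a fixed maximum width on the receiver. */
#define NAME_MAX 15
#define SERIAL_MAX 10
#define READING_MAX 8
typedef struct {
    char name[NAME_MAX + 1];
    char serial[SERIAL_MAX + 1];
    char reading[READING_MAX + 1];
} record_t;
/* Copy at most `max` bytes of one field into `dst`, then discard the rest of
 * the field. Sets *truncated if the input was wider than the field and
 * returns a pointer just past the delimiter (or `end`). */
static const char *take_field(const char *p, const char *end, char *dst,
                              size_t max, int *truncated)
{
    size_t n = 0;
    while (p < end && *p != '|' && n < max)
        dst[n++] = *p++;
    dst[n] = '\0';
    *truncated = (p < end && *p != '|');  /* more data than the field holds */
    while (p < end && *p != '|')          /* excess is skipped, never stored */
        p++;
    return p < end ? p + 1 : p;
}
/* Parse one record. Returns how many fields had to be truncated, a count the
 * device could log as an anomaly instead of overrunning a column. */
int parse_record(const char *buf, size_t len, record_t *rec)
{
    const char *p = buf, *end = buf + len;
    int t, truncated = 0;
    memset(rec, 0, sizeof *rec);
    p = take_field(p, end, rec->name, NAME_MAX, &t);      truncated += t;
    p = take_field(p, end, rec->serial, SERIAL_MAX, &t);  truncated += t;
    take_field(p, end, rec->reading, READING_MAX, &t);    truncated += t;
    return truncated;
}

int main(void)
{
    static char raw[6000 + 32];  /* constructed: a 6000-char name aimed at a 15-char field */
    record_t rec;
    memset(raw, 'A', 6000);
    strcpy(raw + 6000, "|SN-12345|36.6|");
    int trunc = parse_record(raw, strlen(raw), &rec);
    printf("truncated=%d name=\"%s\" serial=%s reading=%s\n", trunc, rec.name, rec.serial, rec.reading);
    return 0;
}
```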

It’s well past time the FDA and other medical regulatory agencies around the world cracked down on the operating systems hospitals are allowed to use and demanded that all systems hosting medical records be air gapped from the outside world. Air gapped means the system has no connection to the Internet or any other outside network. This is a simple technique used in every high security environment. It isn’t free, and you can’t simply grab the first low wage worker that walks through the door to set it up, but it is secure.

We have been misdirected by the media so that we don’t look to place the blame where it really belongs. We have been provided terms like malware, identity theft and ransomware to divert our attention from the real source of the problem: upper management looking to use the cheapest puddle of poo they can find and understaff it with the lowest wage (usually visa) workers on the market. As long as they can keep us looking away, they will never be held accountable for placing us at risk.

Let’s be real. Blaming cyberwarfare for your slipshod operations is sooooo 1990s. Hard regulations should have been passed after the T. J. Maxx breach, but they weren’t. Instead it feels like weekly, if not monthly, we hear of yet another business using cheap systems and low wage labor, caring little about security, having yet another breach. Unless I’ve missed a few hundred reports, the Yahoo lax security incident is currently the largest.

We need to start calling these things what they are:

  • Total management failure due to incompetence.
  • The ordinary outcome of low cost systems operated by low wage labor.
  • Management choosing the wrong tool for the job because it was cheaper.

That’s what they are. If you remember the Leslie Stahl piece on 60 Minutes about the T. J. Maxx breach (or one of the other retailer breaches), management had a store clerk with little to no IT training set up a wireless router for the credit card readers, and nobody bothered to set a password on it. Most likely management didn’t even know about it. Rather than pay professionals, management grabbed the lowest wage worker they could find and gave the task to them, little people be damned.

Until we hold management criminally accountable for their low wage mentality, the Cyberwar can never be won.

At least WannaCry took out a whole bunch of spammers.

Roland Hughes started his IT career in the early 1980s. He quickly became a consultant and president of Logikal Solutions, a software consulting firm specializing in OpenVMS application and C++/Qt touchscreen/embedded Linux development. Early in his career he became involved in what is now called cross platform development. Given the dearth of useful books on the subject, he ventured into the world of professional authorship in 1995, writing the first of the "Zinc It!" book series for John Gordon Burke Publisher, Inc.

A decade later he released a massive (nearly 800 pages) tome "The Minimum You Need to Know to Be an OpenVMS Application Developer" which tried to encapsulate the essential skills gained over what was nearly a 20 year career at that point. From there "The Minimum You Need to Know" book series was born.

Three years later he wrote his first novel "Infinite Exposure" which got much notice from people involved in the banking and financial security worlds. Some of the attacks predicted in that book have since come to pass. While it was not originally intended to be a trilogy, it became the first book of "The Earth That Was" trilogy:

  • Infinite Exposure
  • Lesedi - The Greatest Lie Ever Told
  • John Smith - Last Known Survivor of the Microsoft Wars

When he is not consulting, Roland Hughes posts about technology and sometimes politics on his blog. He also has regularly scheduled Sunday posts appearing on the Interesting Authors blog.