I don’t doubt for a minute that on a certain level you’re sick to death of people talking about the Wanna Cry ransomware. However, bear with me, we need to go through it just a little more because it actually has some bearing on us as data professionals. OK, more than some bearing, it’s a fundamental aspect of what ought to be our jobs.
One of the more frustrating aspects of Wanna Cry is that a lot of it could have been avoided if people were just patching their OS on a regular basis. No, it wouldn’t have fixed all the issues for everyone, but it sure would have radically mitigated this from a literal global event to yet another entry into one of those lists of viruses and ransonwares discovered daily. Why aren’t people patching their systems?
The first, obvious, easy, answer to that question is because Microsoft is so intrusive and mean and rude and horrible about automatic updates that everyone turns them off. Right. That’s the answer. It’s Microsoft. They’re monsters. If we all just go to Linux (not Apple, they’re evil too), everything will be fine… Except the core problem is still right there. See, it’s not Microsoft or Apple, it’s you. You’re not ensuring that your systems get updated. I hear you “No! It’s Microsoft! See they make me have to reboot my machine when I don’t want to and….” Yes, yes. Microsoft forced you to turn off automatic updates. Then, somehow, Microsoft also forced you to not do manual updates. Wait. They didn’t do that did they. See. It’s on you.
The real issue here though goes beyond your laptop. The real issue is all your servers. A very dear friend and I were talking about Wanna Cry when he mentioned the effect it had on his company. The CEO immediately, and rightly, asked for an assessment of the patch levels on all systems. Guess what? They found that they had a lot of SQL Server instances as well as OSes all running on the RTM version. In short, maybe the company dodged the Wanna Cry bullet, but they still had their head sticking way up out of the trench waiting for the next shot. They immediately changed policy and my poor friend had to spend a really tough two days doing nothing but patching machines.
It gets worse. Another thing we can all get mad at Microsoft about is that they’re not supporting Windows XP any more with patches and fixes (although they did issue an unprecedented patch for this one). Same thing goes for all those SQL Server 2000 instances. Once again, I’m saying that the problem here is on you. If you’re using twenty year old technology, but expecting Microsoft to maintain it for you, you’re probably getting set up for pain because they’re not going to do it and (my opinion) nor should they. If they publish a reasonable support cycle that covers at least 10 years, I feel like they’ve done a good job (which is what they do). Since you know that this is the life-cycle, it’s on you to make your choices and live with the consequences. I get it. You don’t want to update the SQL Server 2000 instance because it’s working and buying a 2016 license is cost you don’t want to pay. Fine. However, you’re assuming the risk that nothing will ever go wrong with that old software. If it does, if an exploit is found, you’re the one that made that choice.
Yeah, we can argue what Microsoft, or any other software company, should be doing around this type of thing. But, until they are doing what we want, we are making the choice to turn off our updates and not upgrade our servers and our operating systems. We are making that choice with the full knowledge of the consequences. So, sure, lobby Microsoft to make changes or switch to a different OS & database system, fine. However, you’ll still be dealing with the fact that it’s you that is choosing to not update your systems regularly. As Wanna Cry just demonstrated, that’s a choice that may have rather severe consequences.