Wanna Cry? Me too

  • Eric M Russell - Monday, June 5, 2017 12:28 PM

    There are a lot of folks with non-genuine (unlicensed and/or unregistered) installs of Windows. Even today, weeks after Microsoft supplied a fix and legitimate upgrade path, they'll decline the offer and choose instead to tighten up their firewall and continue living on the murky fringes of IT society.

    Yeah, I wasn't even going to get into the illegal side of all this. I've been quite lucky in my employers and never even hit issues at the dot coms (although one of them did later become a criminal enterprise, it just wasn't one while I was there). They've always been compliant legally so I haven't seen that particular horror show up close.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • ken.romero - Monday, June 5, 2017 7:10 AM

    Windows Update is such a pain to go through that no one does it? Yes, clearly the customers are wrong!

    Seriously, I had Windows 10 set to update at 3 AM. So why did it restart my PC at 7 PM when I was actively playing an online game to do its 20-minute update process? Automatic updates got turned off; now I let it download and whenever I restart I let it install them. It *IS* Microsoft's fault, 100%. My browser is always at the latest version because the update is silent and painless. Don't blame your customers if you make a bad product and they make the best use of it they can.

    Our job as tech professionals is to make technology easy for lay people. You're never going to nag normal folks into using a bad process, and it's much harder than making a better process anyway.

    This happened to me too a couple of times. I finally figured out the cause. It's not set to update at 3 AM, it's set to complete the updates at 3 AM, including a reboot if needed. If you are online prior and the system is low on resource usage, it will download the updates and install them behind the scenes, leaving only the reboot to be done. When it does this, it pops up a message that includes an option to "reboot now". I was clicking on "reboot now" without bothering to read the message fully.

    User error.


    My blog: SQL Soldier
    SQL Server Best Practices
    Twitter: @SQLSoldier
    My book: Pro SQL Server 2008 Mirroring
    Microsoft Certified Master: SQL Server, Data Platform MVP
    Database Engineer at BlueMountain Capital Management

  • As a former consultant, I am still in contact with a few of my ex-clients. I know of at least two very high profile companies who were not hit by WannaCry but, because of it, have started a process of regular OS updating. They got lucky and they know it, and they have the good fortune of realizing they were lucky. On the positive side, a lot of people are finally doing the patching they should have been doing all along.


    My blog: SQL Soldier
    SQL Server Best Practices
    Twitter: @SQLSoldier
    My book: Pro SQL Server 2008 Mirroring
    Microsoft Certified Master: SQL Server, Data Platform MVP
    Database Engineer at BlueMountain Capital Management

  • Another question would be: how long am I supposed to remain on an unsupported OS or SQL Engine version if I don't have the option to apply pressure on this point, and the choice is made only by the business, which is only thinking "it's working, why do I have to change or update?"
    This kind of thinking is hard to beat.
    Best Regards

  • I'm torn here. On one hand, I think we need updates, and need some forcing of updates. Far, far too many people don't update and let systems languish for years. However, a couple points.

    1. Microsoft can, and should improve the process. My iOS device nags me for updates, but allows me to defer them or set a time. Windows should do this, with a cut off date. I'd prefer a few months, since work does need to be scheduled, but nag me with a final date, and give me an option to schedule.
    2. The schedule needs to be the start time. Always. We don't think any other way.
    3. Microsoft should be liable for patches that cause issues if they're going to push them every xx time periods.
    4. There should be some sort of warranty for software sold that includes the need to update the software as the underlying platform changes. I don't know how to do this, and maybe this is just disclosure that we will support software through xx date, which includes updates. With Windows changing every year, maybe this will force vendors to provide some sort of lifecycle patching for their software. Or maybe get customers to demand this before buying xx software.

    I am tempted to require that software cannot be sold on unsupported platforms. That feels like government intrusion, but selling software today for Windows XP is a problem as the insecurity has community effects. It's not necessarily just an issue for the customer.

  • Steve Jones - SSC Editor - Monday, June 5, 2017 1:43 PM

    I'm torn here. On one hand, I think we need updates, and need some forcing of updates. Far, far too many people don't update and let systems languish for years. However, a couple points.

    1. Microsoft can, and should improve the process. My iOS device nags me for updates, but allows me to defer them or set a time. Windows should do this, with a cut off date. I'd prefer a few months, since work does need to be scheduled, but nag me with a final date, and give me an option to schedule.
    2. The schedule needs to be the start time. Always. We don't think any other way.
    3. Microsoft should be liable for patches that cause issues if they're going to push them every xx time periods.
    4. There should be some sort of warranty for software sold that includes the need to update the software as the underlying platform changes. I don't know how to do this, and maybe this is just disclosure that we will support software through xx date, which includes updates. With Windows changing every year, maybe this will force vendors to provide some sort of lifecycle patching for their software. Or maybe get customers to demand this before buying xx software.

    I am tempted to require that software cannot be sold on unsupported platforms. That feels like government intrusion, but selling software today for Windows XP is a problem as the insecurity has community effects. It's not necessarily just an issue for the customer.

    True. It's like herd immunity through immunization. At some point, if there are too many anti-vaxxers, we could all get sick.

    As to the rest, no argument. It really does need to be a better process to get updates installed. However, a painful process just doesn't absolve people of guilt when they just stop doing updates, as lots and lots of people are doing.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • peter.row - Monday, June 5, 2017 1:17 AM

    Ed Wagner - Saturday, June 3, 2017 1:36 PM

    Grant, first off let me compliment you on your editorial - nice job.  Let me next tell you that my Windows 10 Pro updates itself and restarts whenever it wants to, and that pisses me off.  It seems like more often than not, I had something I was working on that I forgot to save and the most recent block of changes gets lost.  I've gotten past blaming Microsoft for it and become more aware of my saving before I hop up to do whatever it is that needs to be done.  After all, I'm the one who didn't save before stepping away from the machine.  I save frequently as a matter of habit while working on something, but not when I set it down.  I don't know how I developed that habit, but it's gone now.

    Nonetheless, I don't like the way Windows 10 forces updates on people.  I have Windows 10 Pro, so I've configured updates to wait.  The normal version (my wife's laptop) doesn't have that luxury.  I know Microsoft tests out the updates by distributing them to the public, but I strongly disagree with their approach.  I think testing should be done before releasing them to the masses and not forcing paying customers to do field testing for them before pushing them to the pro (or business) users.  What would happen if we took that approach with the software we write?  We'd be fired.  SQL 2014 SP1, anyone?  The original release was a disaster.

    That said, I'm forced to agree that we need to keep our systems up-to-date.  There's more and more hacks, ransomware, downright nasty viruses and malware being released than I can remember at any point in history.  If they keep ahead of it, or at least on top of it, then they're doing their job.

    I could make a case for designing a secure system in the first place so there wouldn't be all these security holes that need patching, but then everyone would have to configure their own systems from the ground up, everyone would suffer and eventually move away from Windows and iOS.

    The same could be said for designing secure systems for any company, but all you have to do is read or listen to the recent news to know that isn't being done either.  Either we, as an industry, get in front of the security problems plaguing our industry, or it will have to change radically.  As Jeff says "Change is inevitable.  Change for the better is not."

    WRONG! Your wife can set active hours and Windows 10 won't update during those hours. I know it's a (small) cost, but if it's really that much of an issue why not do an anytime in place upgrade to Pro on her machine?
    MS do test this stuff out, both internally and externally. The external stuff is called Windows Insider; there are 3 rings: fast (bleeding edge, expect bugs), slow (more stable, still probably bugs), release preview (stable, probably no bugs; you get it roughly 2 weeks before it goes live to everyone else, so there is still time to send bug reports via the Feedback Hub app - this is what I run both at home and at work).

    For any piece of remotely complex software, saying "design it securely" as if MS decided "hey, you know what, let's put some holes in this" is the kind of uneducated nonsense that drives me mental. MS obviously try to, but it isn't that simple; if it was, there wouldn't be security flaws found in Windows, macOS, Linux, Android or iOS, but there are, because it's not that simple!

    In Windows 10, working hours are a joke.  There are ways to hack around the forced updates, but I won't do it and that's not even my point.  The point is that they push them when they want to, but allow Pro users (so-called business users) to push them off until they've been out a while.  I've sat down to work from home and had to wait for a lengthy installation.  Don't misunderstand - I'm not against system updates.  I'm against them being forced when work needs to be done.

    There are other examples of better ways to do it.
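    The two behaviours argued over above, the "3 AM" schedule that is really a reboot deadline with the install already done, and the Windows 10 active-hours window peter.row mentions, are both visible from PowerShell. The following is an added example, not code posted in this thread; it assumes the Windows 10 registry locations named in the comments and an elevated prompt.

```powershell
# Added example (not from the thread). Report the Windows 10 Update active-hours
# window and whether an update has already been installed and is only waiting
# for the reboot that the "reboot now" prompt offers.
function Get-UpdateRebootState {
    # Active-hours values written by the Windows 10 Update settings page (assumed location).
    $ux = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
    # This key exists only while Windows Update is still owed a restart.
    $pending = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    $settings = Get-ItemProperty -Path $ux -ErrorAction SilentlyContinue
    $latest   = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        ActiveHoursStart = $settings.ActiveHoursStart   # hour of day, 0-23
        ActiveHoursEnd   = $settings.ActiveHoursEnd     # hour of day, 0-23
        RebootPending    = Test-Path -Path $pending
        LastHotFix       = $latest.HotFixID
        LastHotFixDate   = $latest.InstalledOn
    }
}

# Set the window in which Windows will not restart for updates. Windows enforces a
# maximum span (18 hours on recent Windows 10 builds), so a wider window is clamped.
function Set-ActiveHours {
    param(
        [ValidateRange(0, 23)][int]$Start,
        [ValidateRange(0, 23)][int]$End
    )
    $ux = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
    Set-ItemProperty -Path $ux -Name ActiveHoursStart -Value $Start -Type DWord
    Set-ItemProperty -Path $ux -Name ActiveHoursEnd   -Value $End   -Type DWord
}

# Example: keep 08:00-22:00 restart-free, then show the resulting state.
Set-ActiveHours -Start 8 -End 22
Get-UpdateRebootState
```

    Note that `RebootPending` is the state Robert Davis describes: the install has already happened in the background and the only thing the 3 AM slot will do is restart the machine. Active hours only delays that restart; it does not defer the download or the install.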

  • First of all, I agree with Grant. Internet-facing machines need to be treated with a level of paranoia. They must be patched as soon as possible and only kept online for whenever necessary. Being on the Internet has gone from living in a good neighbourhood to living in a rough one. Windows (no pun intended) need to be closed and doors need to be locked now.

    There are two things that I don't really understand - given how poorly protected many home (and business) machines are, why is sensitive material left on Internet-facing computers? We need to start moving towards functional separation. Designated machines have Internet access. They are separated from the other machines and their OS can be easily re-installed in the event of it being compromised. Other computers in the house/company have their specific uses but are not Internet-facing (or are temporarily Internet-facing for the purposes of activating software, for example).

     The second thing which boggles me is why most SQL Servers are Internet-facing. Aside from updates, what benefits does it bring? The SQL Server should be behind firewalls with extremely limited access and certainly not Internet access.

     I, personally, am dreading the day when computers become little more than dumb clients and are required to have a permanent Internet connection in order to connect to Azure, Whatever-as-a-Service and so on. It will be the worst of both worlds.
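    The "behind firewalls with extremely limited access" posture for SQL Server in the post above can be enforced on the host itself with the Windows Firewall cmdlets. This is an added example, not code from the thread; the application-tier subnets are placeholders, it assumes the default instance on TCP 1433, and it runs in an elevated prompt on the SQL Server machine.

```powershell
# Added example (not from the thread). Allow TCP 1433 only from the application
# tier, make the profile default deny everything else inbound, and confirm what
# is actually listening. Subnets below are assumed placeholders.
$AppSubnets = @('10.10.20.0/24', '10.10.21.0/24')   # assumed application-tier ranges
$SqlPort    = 1433                                   # default instance port

# Installers often create an "any remote address" rule for SQL Server; disable
# (rather than delete) anything already opening the port so it can be reviewed.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$SqlPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule

# One narrow allow rule: only the application tier, only on Domain/Private networks.
New-NetFirewallRule -DisplayName "SQL Server $SqlPort from app tier" `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $AppSubnets -Profile Domain, Private -Action Allow | Out-Null

# Everything not explicitly allowed is dropped, on every profile including Public.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

# Verify: the listener, the effective profile defaults, and that the SQL Browser
# service (UDP 1434, which advertises named instances) is not also exposed.
Get-NetTCPConnection -LocalPort $SqlPort -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue
```

    The host rule is a second layer, not a substitute for the network firewall in front of the server: a compromised application host in an allowed subnet still reaches 1433, which is why the allow-list should be the application tier only and never a jump box with Internet access.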

  • jasona.work - Monday, June 5, 2017 8:31 AM

    (...)
    To everyone bashing on MS and the update process, what would you have them do?  If they don't force installation of updates, then you get something like WannaCry, people
    (...)
    break systems (now be honest, when's the last time you had an MS update break a *SERVER* beyond any recovery?)

    Could the process be better?  Absolutely!  I hate having to reboot my servers once a month after updating (and we're required to have all current updates within a couple weeks of release,) but MS is stuck dealing with design decisions made back in the Windows 1.0 days (well, OK, maybe Win95 / NT3.5)  Could MS make changes to the OS and how it handles files to enable Linux-style no-reboot updates?  Probably, but then they'd likely have to change other parts of how the OS handles things, causing problems (breaking if you prefer) existing applications people use until those get updated, causing yet again people to bash the update process (what do you mean my mission-critical application won't work on Windows Don'tNeedToRebootAfterUpdates unless I buy the newest version from the vendor that supports the changes?  That's it we're going to [insert OS of choice] instead!)  Linux was able to say from the start "legacy applications?  What legacy applications, we're a brand-new OS that no one has ever seen before!"  MS is stuck with "Company XYZ who spends the GDP of Bulgaria every couple of years on MS licensing still has to be able to run this application from 1991, so we need to keep in the bits that it requires."
    (...)

    You probably didn't fully read the thread. It is absolutely clear what MS should do: they should better their system update process. No excuse here.

    And regarding your "now be honest" question: about two years ago. It was a complicated interaction between a bug in an MS library and another bug in a driver provided by a company (a BIG one) selling enterprise storage systems. Note that I'm NOT saying that MS should have caught this problem: some problems are such corner cases that they would be impossible to catch even if MS (or any other company for that matter) had years to test patches. The problem is that, when you're working in an enterprise with hundreds of servers, you can't rely on MS to test everything and you have to have an internal QA. That takes additional time and you're always behind official updates. Not only that, but you're also forced to cherry-pick the updates that you deem absolutely necessary from those that you think may be postponed. You're taking a gamble there, and there's no other choice. Two years ago we almost risked losing all our data due to the bug above, which would have meant CLOSING. That's as frightening as a crypto-virus attack, or even more, don't you think? This has nothing to do with the system update process of MS or any other company/OS, but it has more to do with the fact that you can never really be completely up-to-date if your business is big enough. You HAVE to take your chances and you do it knowingly. I added this just because you asked; it adds nothing to the discussion.

    Desktop users are a completely different matter. But again: you can put all the blame on the users, but if the system update process is a b*tch they won't do it even if you go here and there yelling and screaming. And WE ALL LOSE, as Steve Jones wisely said. OR you can make a better update process and solve the pain of your own users.
    Yes, you can also choose the easy path and force the update down the throat of your users (see Win 10), but that won't take you far. If the process is not substantially bettered in the next releases, how long do you think it will take before someone figures out how to disable the forced update and begins distributing a software tool to do so?
    An article like Grant's (and your reply too) does nothing to relieve what is a BIG PROBLEM with MS OSes; instead it puts blame on the users and pretends the problem does not exist!

    Cris

    p.s. Oh, and come on! Since when is MS concerned with backwards compatibility? They have been breaking everything they could break when they had a clear *financial* reason to do so! And do you really think you need to break compatibility to change the update process?

  • Cris70 - Tuesday, June 6, 2017 2:43 AM

    You probably didn't fully read the thread. It is absolutely clear what MS should do: they should better their system update process. No excuse here.

    And regarding your "now be honest" question: about two years ago. It was a complicated interaction between a bug in an MS library and another bug in a driver provided by a company (a BIG one) selling enterprise storage systems. Note that I'm NOT saying that MS should have caught this problem: some problems are such corner cases that they would be impossible to catch even if MS (or any other company for that matter) had years to test patches. The problem is that, when you're working in an enterprise with hundreds of servers, you can't rely on MS to test everything and you have to have an internal QA. That takes additional time and you're always behind official updates. Not only that, but you're also forced to cherry-pick the updates that you deem absolutely necessary from those that you think may be postponed. You're taking a gamble there, and there's no other choice. Two years ago we almost risked losing all our data due to the bug above, which would have meant CLOSING. That's as frightening as a crypto-virus attack, or even more, don't you think? This has nothing to do with the system update process of MS or any other company/OS, but it has more to do with the fact that you can never really be completely up-to-date if your business is big enough. You HAVE to take your chances and you do it knowingly. I added this just because you asked; it adds nothing to the discussion.

    Desktop users are a completely different matter. But again: you can put all the blame on the users, but if the system update process is a b*tch they won't do it even if you go here and there yelling and screaming. And WE ALL LOSE, as Steve Jones wisely said. OR you can make a better update process and solve the pain of your own users.
    Yes, you can also choose the easy path and force the update down the throat of your users (see Win 10), but that won't take you far. If the process is not substantially bettered in the next releases, how long do you think it will take before someone figures out how to disable the forced update and begins distributing a software tool to do so?
    An article like Grant's (and your reply too) does nothing to relieve what is a BIG PROBLEM with MS OSes; instead it puts blame on the users and pretends the problem does not exist!

    Cris

    p.s. Oh, and come on! Since when is MS concerned with backwards compatibility? They have been breaking everything they could break when they had a clear *financial* reason to do so! And do you really think you need to break compatibility to change the update process?

    I can tell we're going to have *fun*!
    🙂

    I don't disagree that the update process for Windows could stand to be improved; I'd absolutely LOVE only having to reboot for an update every once in a great while. As for your rather interesting interaction between an MS update and a storage vendor's product, you can't blame that on MS or the vendor (which you didn't, granted.)

    Really, while there's enough blame to go around, I do agree with Grant. I think the lion's share of the blame falls on the end-user / business because they are the ones who chose to forgo the relatively brief bit of pain involved in patching systems (or the larger bit of pain of replacing non-supported OSes where possible,) which instead led to them having to deal with the much larger pain of dealing with a malware infestation.

    As for the backwards compatibility, I'd say MS has been dealing with it for some time.  Yes, they try to remove old bits of legacy code which then breaks applications that rely on it, but it's, I feel, at a fairly slow pace.  As for needing to break some compatibility to improve / change the update process?  Absolutely they will have to.  It would largely come back to how the OS handles system files and how do you update them without requiring a restart etc.  I would expect making that change would require other changes, applications which currently expect the system to behave in a certain way would break (until updated,) etc.  Sort of like if an "update" were done to your car so that turning the wheel to the left now turned the tires right and the brake and gas pedals were switched (truly horrific analogy, I know, can't think of a better one at the moment.)

  • On the tinfoil side, has anyone ever considered what happens if Microsoft's update process gets quietly hacked? Perhaps by a nation state?
    Every windows machine in the world can be made vulnerable at will.....

    ...

    -- FORTRAN manual for Xerox Computers --
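    The scenario in the post above is a software-supply-chain attack on the update channel. One check a practitioner can add on their own side, for packages staged for WSUS or manual deployment, is to verify the Authenticode signature of each package before it is approved. This is an added example, not code from the thread; the staging path is a placeholder.

```powershell
# Added example (not from the thread). Verify that every staged update package
# carries a valid Authenticode signature issued to Microsoft before it is
# approved for deployment. The staging directory is an assumed placeholder.
function Test-UpdatePackageSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    [pscustomobject]@{
        File     = Split-Path -Path $Path -Leaf
        Status   = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Subject  = if ($signer) { $signer.Subject } else { $null }
        NotAfter = if ($signer) { $signer.NotAfter } else { $null }
        # Valid means the hash matches and the chain builds to a trusted root;
        # the subject check guards against a validly signed package from someone else.
        Trusted  = ($sig.Status -eq 'Valid') -and
                   ($signer -ne $null) -and
                   ($signer.Subject -like 'CN=Microsoft Corporation,*')
    }
}

# Report every .msu/.cab in the staging share and fail loudly on any that is not trusted.
$results = Get-ChildItem -Path 'C:\Staging\Updates' -Include *.msu, *.cab -Recurse |
    ForEach-Object { Test-UpdatePackageSignature -Path $_.FullName }

$results | Format-Table File, Status, Trusted, NotAfter -AutoSize

$bad = $results | Where-Object { -not $_.Trusted }
if ($bad) {
    Write-Error ("Untrusted update packages: " + ($bad.File -join ', '))
}
```

    The caveat is the one jay-h is really asking about: this check defeats a package tampered with on the staging share or in transit, but it cannot detect a compromise of the signing process itself, since a package signed with a legitimately issued Microsoft certificate passes exactly as a genuine one does.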

  • Sean Redmond - Monday, June 5, 2017 11:26 PM

     The second thing which boggles me is why most SQL Servers are Internet-facing. Aside from updates, what benefits does it bring? The SQL Server should be behind firewalls with extremely limited access and certainly not Internet access.

    Do you have data here? I'd think most aren't.

  • jay-h - Tuesday, June 6, 2017 7:21 AM

    On the tinfoil side, has anyone ever considered what happens if Microsoft's update process gets quietly hacked? Perhaps by a nation state?
    Every windows machine in the world can be made vulnerable at will.....

    Yep

  • Steve Jones - SSC Editor - Tuesday, June 6, 2017 8:40 AM

    jay-h - Tuesday, June 6, 2017 7:21 AM

    On the tinfoil side, has anyone ever considered what happens if Microsoft's update process gets quietly hacked? Perhaps by a nation state?
    Every windows machine in the world can be made vulnerable at will.....

    Yep

    Certainly not out of the realm of possibilities.  And here I thought I was being paranoid thinking of such things. If I am, I guess I have company. 😉

  • Sean Redmond - Monday, June 5, 2017 11:26 PM

    First of all, I agree with Grant. Internet-facing machines need to be treated with a level of paranoia. They must be patched as soon as possible and only kept online for whenever necessary. Being on the Internet has on gone from living in a good neighbourhood to living in a rough one. Windows (no pun intended) need to be closed and doors need to be locked now.

     There are two things that I don't really understand - given how poorly protected many home (and business machines) are, why is sensitive material left on Internet-facing computers? We need to start moving towards functional separation. Designated machines have Internet access. They are separated from the other machines and their OS can be easily re-installed in the event of it being compromised. Other computers in the house/company have their specific uses but are not Internet-facing (or are temporarily Internet-facing for the purposes of activating software, for example).

     The second thing which boggles me is why most SQL Servers are Internet-facing. Aside from updates, what benefits does it bring? The SQL Server should be behind firewalls with extremely limited access and certainly not Internet access.

     I, personally, am dreading the day when computers become little more than dumb clients and are required to have a permanent Internet connection in order to connect to Azure, Whatever-as-a-Service and so on. It will be the worst of both worlds.

    Internet is pretty fundamental to most people's jobs these days.

Viewing 15 posts - 16 through 30 (of 34 total)
