WannaCry and the Mechanical Pencil
I just finished remodeling our kitchen. During that journey I collected several mechanical pencils that had been scattered in sundry cups, drawers and boxes. I put them all together, recombined lead and erasers where I could, throwing out broken pencils. In the end I had about six different models of pencils, using two different sizes of lead, and sporting about six different kinds of erasers. My next step was to drop by the local office supply store. What I needed were specific erasers and .7 mm lead. As I beheld this menage of scriptic technology I could not help but compare it with the state of the computer operating system.
When will we realize that the operating system is not a matter of consumption, but of dependability? As it stands today, the desktop operating system is at about the same stature as the mechanical pencil – it's useful until the eraser can no longer be replaced. Yet people depend upon it like it is the power grid.
The answer is clearly demonstrated in the outbreak of the WannaCry ransomware. It flourished on Windows XP, an operating system that had presumably suffered “end of life.” What that meant was that Microsoft would no longer be assigning its resources to patch defective software or security vulnerabilities. Like some of my mechanical pencils, no eraser was to be found.
What has surprised some people is that many big-name enterprises were still using Windows XP. From one source I heard that even the US Navy was dependent on Windows XP. How is it that such large operations as the British National Health Service, phone companies, car manufacturers and rail services cannot afford to keep up with the times? The answer is simple – “It is still needed.”
Microsoft was ingenious in designing an operating system that everyday folks could work with. People who did not live through the 70’s cannot comprehend the scale of this achievement, taking technology that was once the domain of geeks in lab coats and pocket-liners and placing it in the hands of people with little or no computer experience. But in creating such an operating system they created a monster, and Microsoft has made substantial revenues because of it yet is bedeviled by a curse. The curse is that it is highly insecure, and they have endeavored since the days of Windows NT to create a secure operating system. In this journey they re-invented the operating system several times. Like the mechanical pencils, each version of Windows rendered everything from games to advanced radar systems obsolete.
Take this example. My first encounter with the obsolete mechanical-pencil-O/S was while working in a medical school. Once in a while I would be asked to go outside my normal activities and help some poor soul with a very unique problem. They directed me to a lab that was packed with sophisticated equipment for chemical analysis. Mind you, this was in the days of Windows 98 and the Pentium processor. They pointed me to an IBM computer with a 286 processor. It ran on DOS 6.1. Behind it was a 25-wire RS-232 cable that connected to one of the analyzers. I raised my eyebrows and asked the doctor, “Ever considered upgrading to Windows 98?” His answer said a lot – “It only works with DOS. Want me to replace a $25,000 analyzer because a $50 serial card on a computer is not working?” They had tried Windows 98 and something was not compatible. I even tried to solve the mystery and discovered the incompatibility was embedded in one of those mysterious COM files. So back to DOS 6.1 to solve the problem.
Today I work on an enterprise network consisting of 45,000 workstations and about 3800 Linux servers. A million-dollar investment in monitoring software was rendered obsolete. In this case it wasn’t totally the fault of Microsoft, but Java. For the sake of “security,” older versions of Java were no longer supported. The monitoring software was written in Java. In another case the remote console capabilities no longer worked after IE 11 was introduced. The remote console software had reached “end-of-life.” Yet the equipment it was designed to monitor was still in operation in an amazing 20-year run! One thing you can say about IBM hardware, they made it to last! Unfortunately, software is not designed so well.
This explains why some enterprises opted to remain with Windows XP. “End-of-life” for the operating system was not an option because it would entail end-of-life to mission-critical applications. Microsoft’s invocation of Windows 7 and Windows 10 has been enormously expensive for enterprises. I recall the seismic changes we encountered moving from Windows 98 to Windows 2000. It was an entirely different paradigm. Granted, Windows 2000 was a step in the right direction and Windows XP was a decent platform, but it required a massive investment in training. Windows 2000 required us to re-invent deployment procedures, required new versions of security software, and broke the configuration controls we had built into Novell’s ZEN tools. Needless to say, it happened again when Windows XP rolled out. And I haven’t the space and time to describe what it did to all the underlying applications. Every enterprise has unique challenges. The return rate of investment in some technologies is in decades. EKG monitors, for example, are quite expensive. Does it make sense to throw out a quarter million dollars in medical technology because the operating system needs to change from Windows XP to Windows 7?
Yet we are still being cursed by ransomware and other viral events because we still have an operating system that runs on the same marketing strategy as the mechanical pencil. Like this pencil? You buy it, you love it, and you keep buying the lead and replacing the erasers until one day the replacements are gone. Throw it out and get another. Except in the world of computers, it isn’t that simple, because not every operating system is supporting word processors and games; some support medical monitors, chemical analyzers, railroad control systems, and environmental controls. Combine this perspective with the lack of perspective of the NSA, and you get a disaster. The NSA needs to understand that the best defense is disclosing vulnerabilities to the O/S designers.
The solution is for operating systems to grow up, along with programs such as Java and browsers. They need to discard, or at least considerably lengthen, their idea of “end-of-life.” Enterprises need to realize that if they are going to invest in and use technology over a ten to twenty year period, they had better stay away from Microsoft. Windows is a mechanical pencil: practical, easy to use, but it will soon have an end-of-life termination. The alternative is an O/S that is scalable and respectful of the older technologies that still depend on it. It makes me wonder if the day will come when the Linux philosophy extends to on-board computers in cars, medical monitors, transportation and industrial controls.