July 10, 2021
The following article was first composed in July 2017. For some reason, I never published it. But upon reading it I realized it applies as much today as it did in 2017. Ransomware has bombarded computer systems throughout the US resulting in billions of dollars of damage to the economy. Ransomware dates back a decade, but it really came into focus in 2017 when several major systems were hit with a program called WannaCry.
I just finished remodeling our kitchen. During that journey I collected several mechanical pencils that had been scattered in sundry cups, drawers and boxes. I put them all together, recombined lead and erasers where I could, throwing out broken pencils. In the end I had about six different models of pencils, using two different sizes of lead, and sporting about six different kinds of erasers. My next step was to drop by the local office supply store. What I needed were specific erasers and .7 mm lead. As I beheld this menage of scriptura technology I could not help but compare it with the state of the computer operating system.
When will we realize that the operating system is not a matter of consumption, but of dependability? As it stands today, the desktop operating system is at about the same stature as the mechanical pencil – its useful until the eraser can no longer be replaced. Yet people depend upon it like it is the power grid.
The answer is clearly demonstrated in the outbreak of the WannaCry ransomware. It flourished on Windows XP, an operating system that had presumably suffered “end of life.” What that meant was that Microsoft would no longer be assigning its resources to patch defective software or security vulnerabilities. Like some of my mechanical pencils, no eraser was to be found.
What has surprised some people is that many big-name enterprises were still using Windows XP. From one source I heard that even the US Navy was dependent on Windows XP. How is it that such large operations as the British National Health Service, phone companies, car manufacturers and rail services cannot afford to keep up with the times? The answer is simple – “It is still needed.”
Microsoft was ingenious in designing an operating system that everyday folks could work with. People who did not live through the 70’s cannot comprehend the scale of this achievement, taking technology that was once the domain of geeks in lab coats and pocket-liners and placing it in the hands of people with none or little computer experience. But in creating such an operating system they created a monster, and Microsoft has made substantial revenues because of it yet is bedeviled by a curse. The curse is that it is highly insecure and they have endeavored since the days of Windows NT (1993) to create a secure operating system. In this journey they re-invented the operating system several times. Like the mechanical pencils, each version of Windows rendered everything from games to advanced radar systems obsolete.
Take this example. My first encounter with the obsolete mechanical-pencil-O/S was while working in a medical school. Once in a while I would be asked to go outside my normal activities and help some poor soul with a very unique problem. They directed me to a lab that was packed with sophisticated equipment for chemical analysis. Mind you, this was in the days of Windows 98 and the Pentium processor. They pointed me to an IBM computer with a 286 processor. It ran on DOS 6.1. Behind it was a 25-wire RS-232 cable that connected to one of the analyzers. I raised my eyebrows and asked the doctor, “Ever considered upgrading to Windows 98?” His answer said a lot – “It only works with DOS. Want me to replace a $25,000 analyzer because a $50 serial card on a computer is not working?” They had tried Windows 98 and something was not compatible. I even tried to solve the mystery and discovered the incompatibility was embedded in one of those mysterious COM files. So back to DOS 6.1 to solve the problem.
Today I work on an enterprise network consisting of 45,000 workstations and about 3800 Linux servers. A million dollar investment in monitoring software was rendered obsolete. In this case it wasn’t totally the fault of Microsoft, but Java. For the sake of “security,” older versions of Java were no longer supported. The monitoring software was written in Java. In another case the remote console capabilities no longer worked after IE 11 was introduced. The remote console software had reached “end-of-life.” Yet the equipment they were designed to monitor was still in operation in an amazing 20 year run! One thing you can say about IBM hardware, they made it to last! Unfortunately, software is not designed so well.
This explains why some enterprises opted to remain with Windows XP. “End-of-life” for the operating system was not an option because it would entail end-of-life to mission-critical applications. Microsoft’s invocation of Windows 7 and Windows 10 have been enormously expensive for enterprises. I recall the seismic changes we encountered moving from Windows 98 to Windows 2000. It was an entirely different paradigm. Granted, Windows 2000 was a step in the right direction and Windows XP was a decent platform, it still required a massive investment in training. Windows 2000 required us to re-invent deployment procedures, required new versions of security software, and broke the configuration controls we had built into Novell’s ZEN tools. Needless to say, it happened again when Windows XP rolled out. And I haven’t the space and time to describe what it did to all the underlying applications. Every enterprise has unique challenges. The return rate of investment in some technologies is in decades. EKG monitors, for example, are quite expensive. Does it make sense to throw out a quarter million dollars in medical technology because the operating system needs to change from Windows XP to Windows 7?
Yet we are still being cursed by ransomware and other viral events because we still have an operating system that runs on the same marketing strategy of the mechanical pencil. Like this pencil? You buy it, you love it, and you keep buying the lead and replacing the erasers until one day the replacements are gone. Throw it out and get another. Except in the world of computers, it isn’t that simple because not every operating system is supporting word processors and games, but medical monitors, chemical analyzers, railroad control systems, and environmental controls. Combine this perspective with the lack of perspective of the NSA, you get a disaster. There is a theory out there that WannaCry was born from the bowels of NSA. The discovered the vulnerability in Windows XP and failed to disclose it. Instead, the kept the vulnerability a secret. The code leaked out to the wild and criminals ran with it.
The solution is for operating systems to grow up, along with programs such as Java and browsers. They need to discard, or at least considerably lengthen, their idea of “end-of-life.” Enterprises need to realize that if they are going to invest and use technology over a ten to twenty year period, they better stay away from Microsoft. Windows is a mechanical pencil: practical, easy to use, but will soon have an end-of-life termination. The alternative is an O/S that is scalable and respectful of the older technologies that still depend on it. That O/S is Linux. It makes me wonder if the day will come when the Linux philosophy extends to on-board computers in cars, medical monitors, transportation and industrial controls?
The year 2021 may go down in history as a turning point in IT security. Ransomware struck at one of the vital energy supply conduits when it paralyzed the fuel pipelines run by Colonial Pipeline Corporation. Several other operations were hit subsequently. People wonder how this could happen. Unfortunately, mainstream media is not very good at providing specifics. There are usually vague references to “phishing”, the need to “update your software” and “maintain data backups.” How is it that large operations like Colonial Pipeline seem so vulnerable?
As the article explains, “updating your software” is not always as straightforward as you would think. For most of us on our home computers, a Windows upgrade may only affect us when we see our old computer games no longer work. The same, when applied to a business enterprise, can be just as devastating as a ransomware attack.
The solution is not all that simple. On the one hand, moving critical desktops over to Linux may be one step to consider. The Linux operating system is substantially more backward-compatible and provides a stable platform over decades of operation. Another solution is to isolate at-risk technologies by simply removing them from Internet access. This was done in the hospital where I worked and the same can be applied to other applications. This could have been a consideration in the management of the Colonial Pipeline attack.
Beyond question, the most at-risk systems in regards to ransomware are the average, everyday computer workstations. All ransomware attacks come over the Internet and most are delivered through “phishing” ploys, often highly sophisticated and socially engineered to fit into the workflow of the victim. There is no excuse for these systems to NOT be using the latest operating systems. They should be all current in regards to updates and anti-virus indexes. The software needs to be current. Almost all malware attacks have one common denominator – a vulnerability in the operating system or in application software. As far as criminals are concerned, these exploits require that systems be weeks, if not months, behind in upgrades.
Applications that can only run on old operating systems or programming platforms must be isolated from the Internet. For that to work, we may have to go back to the 1990’s and explore an interesting possibility. That I will save for another article.
As we move from Windows 10 to Windows 11, it is interesting to see the early reviews and once again hearing of issues that beset previous versions of Windows. Some hardware is rendered incompatible and some programs fail to run. That leaves computer users unable to upgrade and eventually exposes them to malware. Looks like it is just one more click of the mechanical pencil.
By Eric Niewoehner
© Copyright 2021 to Eric Niewoehner. Use of this document is provided at no cost as long as the recipient does not replicate this document for profit.
Want to leave comments? Please link to my Substack page, subscribe (currently at no cost) and leave your comment. You can also connect through Locals. Become a member of the Locals community (subscription required) and comment.
Learn more about Substack and Locals, as well as my other links. There is a method to the madness. :)