DEV Community

Discussion on: Microsoft is absolutely at fault for WannaCry

W. Brian Gourlie

I understand changing the structure of an OS is a phenomenal amount of work, but I have to assume Microsoft has the resources.

One of the most frustrating aspects of software engineering is this idea that we can solve problems by throwing more "resources" at it. It definitely helps, but you are trivializing the undertaking of fundamentally changing a 30-year-old operating system while not breaking backwards compatibility for millions of users.

Maybe they are doing this and it just isn't working.

They most certainly are taking steps, but the internet collectively throws a fit whenever they do:

  • Aggressively push users to update to the latest supported version of Windows, even making it a free upgrade? Check.

  • Aggressively push users to patch their systems? Check.

  • Vend a version of their Windows that will only run applications in a sandbox? Check.

edA‑qa mort‑ora‑y

I understand Microsoft is in a very tricky position here. Part of the problem is that Windows is trying to be everything to everyone, which realistically cannot be achieved.

There's no reason a medical facility should suffer under design decisions made to enable gaming. Nor should a server suffer for design allowances made for desktop computing.

There are definitely hurdles for Microsoft to surmount, but it in no way lessens their share of the blame. I do appreciate in their release that they indicate they have a responsibility, but at the same time they are trying to shift the blame.

W. Brian Gourlie

There's no reason a medical facility should suffer under design decisions made to enable gaming.

So let me get this straight: Windows, originally released as a consumer operating system, should cease to exist as a consumer operating system because the healthcare industry chose to adopt it for their use?

To reiterate: It's Microsoft's fault that the healthcare industry built software on a platform that might not have been the most appropriate? That's of course playing along with the premise that it's a reasonable argument to make, which it isn't.

Nor should a server suffer for design allowances made for desktop computing.

These weren't servers. These were desktop machines running Windows XP, originally released 16 years ago, which Microsoft stopped supporting 3 years ago, exploited via a vulnerability that Microsoft patched two months ago.

But yes, this is totally Microsoft's fault.

edA‑qa mort‑ora‑y

Microsoft actively pushes their OS into every market segment. It's not like they advertise it solely as a desktop consumer OS.

I've already excluded WinXP numerous times from my criticism, stating clearly that the techniques to mitigate this attack did not exist when it was designed. WannaCry however didn't just attack old systems. Indeed it appears an unpatched Windows 10 would have been affected as well.

I'm not blaming only Microsoft for WannaCry, I'm just establishing they are not blameless, and unless they change something fundamental these attacks will never cease.

Antoinette Maria

I'm not blaming only Microsoft for WannaCry, I'm just establishing they are not blameless,

The irony here is that the title of your article places blame on Microsoft.

edA‑qa mort‑ora‑y

Yes, it's a counter to arguments being made pinning blame primarily on the NSA or users who failed to upgrade their system. Both of those are clearly part of the problem, but I'm trying to specifically highlight that Microsoft itself shares a portion of the blame.

W. Brian Gourlie

Indeed it appears an unpatched Windows 10 would have been affected as well.

You continue to gloss over the fact that Microsoft patched the vulnerability far in advance of it being used (or at least, used widely).

With all these points being made, your argument boils down to "Microsoft is at fault because their software has vulnerabilities." Which, sure. Point me to a large C/C++ codebase that doesn't have any vulnerabilities. It's not reasonable to say that software just shouldn't have vulnerabilities.

What is reasonable to say is that vulnerabilities should be patched in an expedient manner. Which it was.

edA‑qa mort‑ora‑y

We have to assume there are vulnerabilities, precisely as you say. The goal is to design a system around this assumption. For this there are known techniques, which Windows does not appear to be using.

That is, I'm not holding anybody accountable for the particular error in SMB. This is unavoidable. What I take issue with is how this error allowed code injection and escalation.