WannaCry… Who Should Get The Blame?

I’ve heard Friday’s cyber attack called both “WannaCry” and “WannaCrypt”. I”ll stick with WannaCry for now.

As we know, on Friday, tens of thousands of users in about 150 countries were hit with a cyber attack that encrypted their hard drives and locked them out of their computers unless they pay $300 worth of BitCoin. After a few days, it goes up to $600 BitCoin. (I assume, for larger organizations, that’s $300 PER COMPUTER).

Obviously, governments and cybersecurity “experts” are telling those affected not to pay, and to trust those governments and experts.

My professional opinion? Pay the ransom, learn your lesson, and NEVER let it happen again. I guarantee you, $300 worth of BitCoin will be a LOT cheaper (assuming you take corrective measures) than bringing in experts to recover your systems, and of course the lost business and efficiency.

Biggest Factor

Pardon my French, but this attack was apparently VERY FUCKING EASY to prevent. The #1 factor involved was: outdated versions of Microsoft Windows, mostly Windows XP.

Background

Let’s review: Windows XP was released in 2001. I remember being very excited to get it. About that time, cybersecurity started becoming a big issue, and Microsoft had to devote a TON of resources into beefing up XP’s security rather than develop a new version of Windows. Windows XP Service Pack 2 was released in 2004. This incorporated a firewall and some new security features. Now, Microsoft was able to work on a new version of Windows, and shit out Windows Vista in 2006.

By most accounts, Vista was a flaming piece of crap. I liked it over XP, as it had some neat new productivity features, but it was a gigantic resource hog. It apparently needed 4 GB of RAM to run decently, at a time when most consumer computers came with 256-512MB. Also, Vista had some substantial changes to the system and security architecture that are still causing problems for those too stupid and cheap to upgrade from Windows XP.

The head dude in charge of Vista was fired or put aside, and Microsoft came out with Windows 7 in 2009. Windows 7 is what Vista SHOULD have been in the first place. It actually ran very well without needing a top end computer. Windows 8 followed around 2012, then Windows 10 in 2015.

I liked Windows 8, but I think I was the only person on Planet Earth who did. Most people couldn’t stand it. I’m smart enough to spend the 5 seconds I needed to on Google to figure out how to operate it, and I never had a problem. But Microsoft had to build back in the legacy features from Windows 7 because everybody else but me can’t handle change or 5 seconds on a search engine. (This includes Bill Gates, who allegedly came back to Microsoft part-time, was given a Windows 8 computer, and demanded to go back to Windows 7 because this software genius can’t handle a search engine either).

While all of these versions of Windows were going on, people got so dependent on XP that Microsoft was forced to keep supporting it. They originally intended to end support in 2008, but ended up extending a couple of times until 2013. Many companies had custom applications that were practically hard-coded to only work on XP. I knew a dentist who, in 2010, went to buy some new Windows 7 laptops. He tried to run his dental application, and it wouldn’t work. He called support, and sure enough, they didn’t support Windows 7.

I see a doctor who uses Windows Server 2003 for his application. Every freaking time I go in there, I bring this up. Sever 2k3, like XP, is long since out of support. I ask the doctor “Are you trying to get hacked? Are you trying to get my patient data, and that of all the rest of your patients, stolen?” He keeps telling me he’ll bring it up to the people who provide their IT services, but so far, nothing has happened.

I go to another doctor who does everything by paper. As much as the IT Professional in me cringes at the stacks and stacks of paper and records in his office, I realize there’s no F’ing way he’ll get hacked. Of course, an office fire, a break in, or a misplaced record will have the same effect, so you’re screwed either way. You might as well embrace IT and TAKE REASONABLE MEASURES, and yes expenses, to protect it.

Second Biggest Factor

When it comes to any type of security, your biggest threat comes from inside. It’s your users, your employees, even your family. And it’s not even because they want to be. They’re just people (or sheople) stumbling through life without paying much attention.

For a class I took last year, I had to take a cybersecurity simulation. The set up is, you’re running an IT organization for 4 quarters, and you have a budget. You can only spend so much each quarter to protect your network. You can spend it on appliances (firewall, IDS, IPS, etc.), user training, antivirus for computers, and so on. But it’s a limited budget. And I had to get at least a 95% before I could submit my certificate. I was at it for hours.

I remember one time in particular, several rounds in. I’d somewhat gotten a feel for what areas I had to cover with the limited budget. Like, you can’t just give 5 rounds of user training and forget to install a firewall. So I had two good quarters, and defeated all the cyber attacks. Then, at the end of the 3rd quarter, the simulation hit me with 3 social engineering attacks in a row. All were successful, and I had to play again. I finally got a 96% on one round, saved the certificate to pdf, and emailed it to my instructor. I was not going to try to top the score at that point.

A user can be totally subversive, or a double agent, spy, or whatever form of actively working against you. But you probably have far more to fear from casual carelessness or just not understanding security.

We’ve all had a casual friend with an email account that started throwing off spam. Suddenly you get poorly worded English from them telling you to click a link. I always catch them; most people don’t. I tell the person to change their password. They probably change it from password to password1, and keep sending off spam as soon as the spammer cracks the new password. I just mark them as spam, since I don’t normally correspond with those people by email. But most people get an email with something like “You have GOT to see this!” and they click the link, which brings malware onto your network. And if you’re still stupid enough to be running Windows XP, now you’re infected.

Or, consider this scenario, which I used to explain social engineering to my wife:

<phone rings> “Random hospital, Karen speaking.”

Social Engineer: “Hi, Karen, I’m looking for John Smith.”

Karen: “There’s nobody here by that name.”

Social Engineer: “I’m sorry about that. Must be a wrong number, but I talked to John Smith from Random Hospital. Maybe you can help me, Karen.”

Karen: “Sure, what can I do for you?”

(Most people want to be helpful.)

Social Engineer: “I’m working on a proposal to upgrade Random Hospital’s computers. I’m wondering if you can tell me what operating system you’re running. I want to give you better equipment if I can.”

Karen: “I don’t know much about computers.”

Social Engineer: “That’s OK, it’ll just take a second. I can walk you through it. I really appreciate your help, Karen. Click on Start…”

<walk through of finding OS version, maybe browser version and what antivirus>

Social Engineer: “OK, so Random Hospital runs Windows XP, Internet Explorer 7, and McAfee. Thank you, Karen, I appreciate your help”.

Now, Social Engineer knows Random Hospital is stupid enough to be running an out of date, unsupported operating system with well-documented vulnerabilities. Dis gon be gud!

That’s all it takes. Or digging through a dumpster. Social engineers can get a TON of good information from all the crap users throw away.

And that’s just from an employee who was trying to be helpful, not subversive.

For the record, I don’t tell people shit over the phone. I don’t look up numbers or give names to them unless I know who they are. And it’s not that I don’t want to be helpful or friendly, but because I know how social engineering works. And I’m not going to be the idiot who compromises my organization.

I can do this all night, but I think you get my point. WannaCry could have all been prevented IF the affected organizations were running currently supported operating systems with recent patches and updates applied, which can help mitigate user carelessness.

There’s one final factor we need to look at:

The Deep State, Unaccountable Spying Agencies

Here in America, we have the National Spying Agency and Cocaine Importing Agency. From what I’ve read, the very exploit that caused all of this was built by one of them (I don’t remember which, and it probably doesn’t matter). The recent Vault 7 leaks included some malware developed by one of them and left on an insecure directory that was apparently easy to access from outside.

Heads should roll for this. Both agencies most likely need to be gutted, involving people being fired and/or prosecuted. Proper lines of control need to be drawn and enforced.

Conclusion

I saw some claim today that this is all Microsoft’s fault. They should have left Windows XP in support forever.

Right. Should your car manufacturer be forced to support whatever car you drive indefinitely? Sooner or later, things break down and you need to buy a new one. Even if we all agreed to just freeze technology where it’s at forever, to never again develop newer hardware or software, maintenance still needs to be done. As people develop new exploits, those have to be patched. Sooner or later, the best way to defend against those vulnerabilities is going to be radical changes to the architecture of the operating system and software that runs on it. So no, this is a bad idea. Plus, how are the tech companies supposed to make money if they can’t convince you that you HAVE to buy a new phone every year?

I got into IT because I’m excited by new technology, new features, and new capabilities. I’ve spent most of my career frustrated by the baby boomers and people afraid of change forcing us to keep doing things the old way. I’m convinced that email is pretty much obsolete, but the biggest tool I still use at work is Microsoft Outlook. And I finally got Office 2013 on my work computer. I’ve been running 16 at home since last year.

(I wish I could get into independent consulting, but I don’t appear to be entrepreneurial).

A lot of people in IT need to get out of it. Go find something else to do, and stop holding the rest of us back. Or actually, start learning about it so you can do it effectively. Read some books or magazines, or watch some YouTube videos that don’t cost you anything. Learn and grow.

IT is the ultimate cargo cult. Everybody thinks it should be easy and fun. How often do you hear somebody who can barely charge their phone say “I’d like to get into IT!” My wife was saying that when I met her. I was able to make her head spin enough with my own knowledge of IT to convince her it’s not a good idea. No, of course, I’m willing to help her, but once she realized what was involved in learning it, and how getting in with no experience is a pay cut and a shitty help desk job, she changed her mind.

I guarantee a lot of IT departments need to start firing people over this WannaCry episode. If you run a business and don’t know much about IT, make sure you bring in someone who does. If you contract with a 3rd party to provide your IT support, make sure they have a plan for obsolescence. What are they going to do when Microsoft releases a new version of Windows and discontinues support for the current one? If their answer is “Oh, it’ll be fine…”, DO NOT HIRE THEM!

Arcologies

This is a technical term I didn’t know before today, although I’m familiar with the concept. An arcology refers to a self-contained building. Basically, in dystopian science fiction, it’s where the entire population is crammed into skyscrapers where they also grow their own food.

This guy takes an engineering and mathematical look at it. Very interesting. I’ll be watching more from his channel.

Android Central: The 5 Worst Things About The Galaxy S8

I have a love/hate relationship with Android. I like to skip around between the various phone platforms so I can maintain knowledge of them. But, Windows Phone is effectively dead, since nobody makes or maintains apps for it and Microsoft just can’t commit to a consumer strategy, and Apple isn’t impressing me lately. All they seem to care about anymore are iMessages and cameras. And jacking up the price point.

My last phone was the Note 5. At one point, I swore it would be my last Android phone. I found it to be buggy and unreliable, but it never blew up, so it had that going for it. The battery life was terrible. My first phone had to be replaced by warranty because the battery would be dead in 3 hours even if I shut everything down and didn’t touch the phone. My replacement didn’t do much better.

Two factors have me locked into Android, and specifically Samsung. Those are:

  1. Lastpass integration
  2. Samsung Pay

We all have so many damned logins and passwords it is impossible to keep track of them all. Everything requires an account. Everything. I have Lastpass pro, which costs $12 a year. On every other device, every time I have to log into an application or website, I have to bring up Lastpass, check my username, copy my password, switch back to the app or website, and paste the password in. On Android (when it works), I just authenticate to Lastpass with my fingerprint and it fills the details in for me. This simplifies life.

I didn’t care much about the mobile payment apps before. Most features the tech companies roll out seem to only matter to people who live in San Francisco or New York. Not so much northern Virginia. I used ApplePay once at Wegman’s when they were running a beta test. Then I found out Samsung pay used a technology called MST, which induces a magnetic field into the credit card reader and works with almost all of them (except gas pumps). So I started using my phone to pay for everything, which is a hell of a lot easier than pulling my wallet out, getting my check card out of its sleeve, swiping, and trying to fit it back into the sleeve. And for now, paying with my phone still blows people’s minds, which is kind of cool.

When it came time to decide what to do about the frustrating and unreliable Note 5, I had a few things to consider. Get an iPhone 6s+ or 7? Wait for the S8? Or get the S7 Edge?

About a month prior to the S8’s release, Samsung started selling the S7 Edge for $200 off to eliminate inventory. I decided to just buy it from them, and did. The S7 Edge had been out for a year and had a proven track record. People I know love them. So I got one.

And when I read things like this, I’m glad I did. I haven’t really heard anything good about the S8. Sure, it’s all pretty and stuff, but like most technology, it’s going backwards. They make a nice design and add a few new features (most of which are pointless), but other than a slightly newer processor, there’s nothing earth-shattering.

The video describes Bixby as a 2012 era Google Now. I’ve never had much use for Google Now. I guess it’s good if you live in San Francisco, take public transportation, care about sports, and can afford to eat at expensive, reservation requiring restaurants.

It supposedly has some feature (powered by Pinterest!) where you can use the camera to get it to show you images similar to what you’re looking at. But it doesn’t look that useful. This is another case of technology going backwards. Back in 2014, I had a Nokia 920. It came with an augmented reality app that was very useful. I don’t remember what it was called, but you could take the phone out, power it up, and scan around. Through the camera, it would give you information about your surroundings, and what was behind them with clickable links that opened in the appropriate app. I haven’t come across anything like it since. I’ve had Google Goggles on my last two phones, and it’s nowhere near as useful as that app on the Nokia 920 was three years ago.

The fingerprint scanner on the back of the phone looks like a serious pain in the ass. I’m fine with scanning my thumb on the front of the phone. It’s convenient, and I don’t have to turn the phone over to do it.

Another backwards feature: say you invite me over. You text me your address. 3 years ago, on the Nokia 920, I could click the address, it would ask me which app to open it in, and I could select Waze. Now, it automatically opens in Google Maps. So I have to manually copy the address, open Waze, and paste it in there so I can navigate over (Google Maps sucks for navigation, and it doesn’t show you where the cops are.)

I’d love to see technology start moving forward again. I’d love to see some truly revolutionary stuff. New ways of rendering the Human/Computer Interface. Augmented reality. But it seems like all we’re getting right now are dual cameras and messaging platforms. And mindless games.

Speaking of which, does anybody remember ICQ from the late 90’s? We had all these IM platforms like AIM, Yahoo, etc., and ICQ tied them all together into a single application. We don’t have that now. iMessages is about the closest thing I’m aware of, but it only works on a complete Apple platform. I’d love to be able to text from my computer and pick the conversation up on my phone, whether I’m using SMS, Signal, Telegram, or whatever.

Has Microsoft Learned Nothing From Windows RT?

Remember the launch of the Microsoft Surface in 2012? They can in two versions: the Surface RT and the Surface Pro. The Surface Pro ran a full version of Windows 8.

The Surface RT ran a version of Windows 8 that was designed for an ARM processor, and could only run apps from the Windows Store.

The Surface 2 was the last RT version. The Surface 3 ran a full version of Windows. Why? The RT wasn’t selling well, because of its tie-in to the Windows Store.

There has never been a point in time when the Windows Store didn’t suck. There are a few good apps on there like Wunderlist and Evernote, but for the most part, nobody supports Windows apps. Facebook recently pulled their app (I didn’t know it had lasted that long, but recently saw somebody complaining about it on Facebook).

Now, Microsoft is back with Windows S. It sounds great on the surface. It’s stripped down and agile. Sounds cool, right? What could go wrong?

From Microsoft’s own site:

Microsoft-verified security

Your applications are delivered via the Windows Store ensuring Microsoft-verified security and integrity. Microsoft Edge is your default browser since it’s more secure than Chrome or Firefox.1Windows Defender and all ongoing security features of Windows 10 are included.

Yep, it will once again, only run apps from the Windows Store. The same Windows Store that Microsoft just can’t encourage ANYBODY to develop for, or maintain apps they dip their feet in the water with.

Not that you need a lot of apps. Early in the days of app stores, most of us were constantly downloading and trying out new ones. For the most part, we’ve figured out what works for us, and since all they’re doing anymore are messaging apps, there’s no point in looking for new ones, unless you like mindless games.

I don’t mind Edge. I have a cheap, Windows 10 tablet that I got to play with. I only use Edge on it. Since they came out with extensions for Edge, I have the functionality I need (Lastpass, Pocket, etc). Internet Explorer 11 sucked balls. It still sucks balls. I have to use it at work, although I finally got Firefox installed on my work computer, so I only use IE for work related sites. Edge isn’t bad. I still use Chrome on my Mac because Safari sucks and Brave isn’t close to prime time yet.

I’ve seen a few headlines that if you buy one of those new Surface laptops, you can get a free upgrade to Windows 10 Pro. You probably should. The Windows Store is about useless.

Are You So Stupid That You Need An App To Keep You From Screwing With Your Phone While Driving?

Samsung is going to release a new app for idiots who can’t just pull the damn car over to check a text. Or wait until they’re stopped.

Samsung Netherlands has created a new app called In-Traffic Reply which is going to help drivers keep their attention on the road and not on their phones. Using your phone while you’re behind the wheel can be very dangerous. You might think that it’ll only take a few seconds to check that message or read what your friend just tweeted, but those few seconds can quickly prove to be fatal if you take your eyes off the road.

PanelWizard conducted a survey which found that one-third of the road users in the Netherlands have used their smartphone behind the wheel. In most situations, they felt social pressure to answer calls and reply to messages immediately. Samsung wants to bring down this statistic.

And it’s fine that this exists, and people want to download it and use it. I’m sure that’ll make us all safer. I don’t know what to make of people who lack both the common sense and discipline not to use their phones when driving. And I don’t want to live in a world where an app like this is mandatory.

I’m not saying I never use mine, but I have a few rules. First, since my truck doesn’t have a fancy BlueTooth system, I got a Go Groove BlueGate CTR. This thing is great. It’s a BlueTooth receiver with a microphone. It plugs into my aux port. I have the receiver mounted on my dashboard near my steering wheel. If I get a call, I just press the button and I can talk to the caller. I ignore most calls though unless it’s my wife or somebody from work. Otherwise, that’s why God gave me Google Voice. My Go Groove also has buttons for forward and back, so I can skip commercials on a podcast or skip to the next song. I never listen to the radio. Only content on my phone.

Second, I keep my phone on a windshield mount. It’s right there in my field of vision. I use Waze most of the time when I’m driving. I can see what’s ahead of me, and send reports for cops and hazards.

Third, other than minor interaction with Waze, I do not touch my freaking phone at highway speeds. I have never gotten a text or Facebook comment that was worth my life. Even if I got a notification that @realdonaldtrump followed me on Twitter, I’d wait until I’m stopped to make sure it’s not a joke.

OK, if traffic is below about 20 MPH, maybe I’ll clear notifications, but I don’t read anything unless I’m at a complete stop. And with my phone in the windshield mount, I know when the light turns green or when traffic is moving. Here in Northern Virginia, traffic gets so bad, I’ve read books in my Kindle app while sitting on the highway, not moving.

If you get a notification that you ABSOLUTELY HAVE TO READ RIGHT THE HELL NOW!, you won’t hit a SINGLE traffic light. It’s the best condition to be in. As soon as you check it, they’re all going to turn red, and you’ll hit every last one.

This goes back to something I said all the time several years ago when I read blog posts about families going to extremes, like burying their phones in the yard during dinner so nobody used them. Do you own your phone, or does your phone own you? Who is the boss? In my case, if I don’t want my phone bothering me, I’ll shut it off or put it in Do Not Disturb.

I’ve never understood why other people have so much trouble with that.

Is YouTube Trying To Kill Itself?

I’m hearing from several YouTube channels I follow that some strange things are going on. Consider this case that I came across:

I don’t normally watch that channel. I’d never heard of it until this video was linked. But it’s interesting.

YouTube is screwing over quite a few large channels. Many of them are forms of the alt-right, like Christopher Cantwell, Mark Dice, Paul Joseph Watson, and Bernard Chapin. They’ve demonetizing content, blocking viewers, preventing notifications, and suspending the channel entirely.

Twitter and Facebook are doing similar things.

I get it. The leftists who run (or are employed) by those sites don’t like those voices, and are happy to find any excuse to silence them. And most of them can’t do anything about it, except maybe Mark Dice, who said last year that he has a lawyer locked and loaded and is just waiting for YouTube to shut his channel down ONE MORE TIME…

The time is ripe for an alt-tech replacement for YouTube. It doesn’t deserve those voices. It doesn’t deserve the traffic those voices attract. Then the liberals can live in their happy little bubble that consists of children playing video games, MTV with their racist “White People Should…” crap, and music videos.

Unfortunately, unlike Twitter, Facebook, and Wikipedia (Replacements include gab.ai, vk.com, and infogalactic.com ), replacing YouTube will require some SERIOUS money. And most of the alt-right doesn’t have it. We have jobs, no doubt. Some have businesses. But we don’t have the serious backing of George Soros. Think about it; how many SJW voices would ever be heard? Like Eric Cartman said “They’re hippies! They don’t have any money!”

As frustration rises, I’m sure a viable alternative to YouTube will rise as well. If anything, we’re the productive class. We get things done.

I Wish “Virtual Assistants” Let You Add Custom Sources

I’ve occasionally played with the various Virtual Assistants. Siri I consider to be about useless. Cortana is probably one of the best, but still not close to “there” yet. Google isn’t bad, but is missing quite a lot.

One hallmark of VAs is to give you alerts about news items or sports or whatever. I turn off the sports stuff as best as I can, because I don’t give a crap about sports. But news alerts only come from “mainstream” sources. These are not sources I need, or trust.

Google Assistant finally showed up on my Note 5. I played around with it some, and went into the settings. As for news sources, it only gives you the typical ones: BBC, PBS, MSLGBTV, and the rest. I turned off all but Fox News. Then I tried a test. I said “Show me headlines from Breitbart.com”.

It showed me a Media Matters article ABOUT Breitbart. Total bullshit.

I’m glad for some of the alt-tech we have already. I was an early backer of Infogalactic. I got on gab.ai as soon as I heard about it. Somehow, at a time when the waiting list was two weeks, I had my account in under two hours on a Sunday. Right place, right time? There’s a new on called vk.com. So far, Matt Forney is the only person I know on there.

Gab is a replacement for Twitter. A lot of alt-right and conservatives that got kicked off Twitter have migrated over there. VK is supposedly a Facebook replacement. Both have a long way to go, but the fact that they exist is a good sign.

I doubt I’ll get kicked off Twitter, but I don’t use it much. I mostly just favorite some of President Trump’s tweets, and now Malik Obama. And a few others I see when I’m on there.

I hope we start getting some alt-right friendly software soon. I’d love a virtual assistant that can give me news alerts about President Trump that aren’t from the Huffington post. Let me select my own sources of news.

I have some Gab invites if you’re interested. Email me or leave a comment.

iPad Only?

I’ve been using Michael Sliwinski’s application Nozbe for a couple of years. It’s not perfect, but what is? Wired had an article a while back about how it’s 2016 and why can’t we have a decent productivity app? There are tons and tons of productivity apps. Those that are powerful on the desktop either aren’t present or are pathetic on mobile. (MyLifeOrganized is an example). Those that are good on mobile don’t work well on a desktop type system (I consider laptops on that category- a full fledged Windows or Mac system). Nozbe seems to hit the high points and has a consistent user experience across all platforms.

Michael and a co-author wrote a book called iPad Only. I haven’t bought the book yet. Based on user reviews, I do not perceive it to be worth $10.

I have tried over the years to figure out a true mobile experience. That’s not easy for me though. I took a class a while back where I didn’t have much desk space. I brought my MacBook Pro the first day, but after that I used my iPad Mini with a BlueTooth keyboard the rest of the week due to desk space. It got the job done all right. Thanks to the integration of cloud storage, this helps, assuming you have a consistent Internet connection.

The iPad has definitely come a long way since the beginning. At first, it was pretty much a media consumption device and still very limited at that. Along the way, better apps and technology were integrated into the platform. Now it has Microsoft Office and other productivity apps.

I think the biggest limitation on the iPad at present is the fact that it is STILL run by a mobile operating system. While Microsoft has Windows 10, which even on their phones is a full fledged OS, Apple is still running mobile.

I’m convinced that the biggest revolution in mobility is a phone sized device that is a full-fledged computer. It has a full operating system, plenty of storage (at least 1TB), and is capable of docking to a laptop sized device or a keyboard and monitor for heavier duty tasks. And it appears such as device is here, or almost here: the HP Elite X3. The Lumina 950 and 950 XL have a similar capability, but not as much on board storage. No way you could keep your music library on it.