The Cost Of Arrogance
The Market Ticker - Commentary on The Capital Markets
2017-05-14 08:25 by Karl Denninger
in Editorial, 602 references

I hate having to use this.... [smiley image]

It wasn't that long ago that I wrote a few articles on the hubris of our government thinking they were the smartest people in the room when it came to computer hacking.  I pointed out that while we undoubtedly have very smart people working for the NSA and other three-letter agencies, other nations and their people are equally smart, as are the "unaffiliated" folks who are just plain old-fashioned troublemakers.

Indeed, that was the focus of an article from 10/2014 in relation to one of Comey's brain-farts in which he implored Congress to basically force back doors into US-made equipment and software.

Now we get treated to the outcome without the force first, because the NSA was writing that code anyway and a group of crooks got their hands on it, perverted it to force cryptolocker software on computers and is spamming it all over the globe.

How did they get their hands on it?  That's the subject of much debate. Many are pointing to the "all Russians, all the time" narrative run by many in the so-called "security industry" (including some who have been caught lying in the past) along with half the left-leaning idiocracy parade that makes up most of the mainstream media punditry.

A more-plausible explanation is that it was an inside job, although in reality it doesn't matter, because the entire point is that no matter how good you are, someone is your equal or better, and whether they work for you or for someone else it only takes one such person with their own motives and you're toast.

What we do know is that the "weaponization" of this apparent NSA code took mere hours after the password to the encrypted archive was posted publicly.

There's another key point here though that nobody in the media is talking about and yet it's the key point when it comes to this particular aspect of cybersecurity:

I have also said repeatedly that nobody in their right mind runs "packaged" software, say much less "cloud based" software, for critical system purposes from places like Microsoft or any of the other big vendors.  Why?  Because there are too many damned cooks in the kitchen, too many of them are incompetent and will drop a rat in the stew pot whether by accident or otherwise, and too many shortcuts will be taken.

Witness Android and the repeated security problems found in its mediaserver component.  One, two, over all these years, ok.  But no! It seems that every time a new month rolls around there's another one - or six.  Exactly how many years has Google had to rewrite Android and get that horse**** out of there permanently?  Yet they haven't done it, probably never will and you have no way to compel them to do so.

Windows?  Same deal.  I've been raising hell about problems with "security" under Windows since the time of NT 3.51, which dates back to when I ran MCSNet.  In fact that, plus its resource-piggishness and its baroque and impossible-to-audit internal code, was why Microsoft's attempt to get me to port my back office systems to it resulted in their entourage being summarily dismissed.  That's roughly 20 years ago now!  Yes, I had an NT 3.51 and then 4.0 system in my building at MCSNet.  One.  Its sole purpose in life was to run Pagemaker to do prepress work (color seps and similar) for hard-copy circulars and similar, and it had no access to our internal, mission-critical systems.  Yes, I'm serious.  Why the hell do you need "antivirus" software on a system unless it fundamentally blows big fat ones to start with?

It is absolutely essential that you write your own damn code for serious applications which will screw you if they're compromised, keep it close to the metal so the attack surface is small and can be audited, keep the development group responsible for it small so you can vet all of those people yourself and keep control of it in-house so you can audit and fix it FAST if you find -- or even suspect -- something is going wrong.  And yes, contrary to the howls of protest from all the IT and public company screaming you hear daily on CNBS, at trade shows, in seminars and elsewhere this means you cannot buy any of the "software as service" offers from any vendor ever nor can you use any of the "kit" rapid-development systems pushed by many for any such mission-critical application and be "reasonably safe" because every damn one of those firms and alleged "solutions" has hundreds or even thousands of people, none of whom you can personally vet, who not only wrote the freaking code but in the case of anything in the "cloud" they also have administrative access to the machines!

Violating these rules is why upwards of 50,000 entities have been staring at screens demanding Bitcoin ransoms be paid "or else" including, apparently, systems at both FedEx and England's National Health Service!

This isn't the first lesson on the consequences of American (and in fact world-wide) arrogance when it comes to this subject and I predict it also won't be the last.

Let's hope the next lesson doesn't come in the form of something aimed a bit more-precisely than a shotgun-style blast of cryptolocking extortionware.

And oh by the way, if you're wondering how this thing was contained it was simple dumb luck.  There are a number of organizations, including Microsoft, trying to at least weakly spike the football. Uh uh.  A researcher noted a host address (DNS target) in the malware that was unregistered and he registered it himself in an attempt to track the infection process; he surmised the code would "ping home" there which would give him a nice map of all the systems it got into as it progressed.  What he uncovered by accident was a "stop button" in the code and when he registered the domain and thus the DNS lookup succeeded the malware stopped trying to infect other systems.  The next round of this fun will almost-certainly either have the "stop button" stripped out of it or made far more complex to trigger.
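The "stop button" described above has a defensive use: any host that looked up the kill-switch domain has executed the sample, whether or not the lookup succeeded and stopped it spreading. The following is an added example (not code from the original post or from the researcher involved) that scans DNS resolver query logs for such lookups. The log lines are constructed in the style of a BIND9 query log, and the domain name is a placeholder, not the real domain that was registered.

```python
"""Flag hosts that looked up a ransomware kill-switch (sinkhole) domain.

Added example, not code from the original post. The log lines are
constructed in the style of a BIND9 query log; the domain is a placeholder,
not the actual domain the researcher registered.
"""
import re
from collections import defaultdict

# Placeholder domain: substitute the real sinkhole name from your threat-intel feed.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed sample log (BIND9 query-log style): two lookups from one host,
# one from another, and unrelated traffic that must not be flagged.
SAMPLE_LOG = """\
14-May-2017 08:01:12.010 client 10.0.5.21#51423: query: killswitch-placeholder.example IN A + (10.0.0.53)
14-May-2017 08:01:13.110 client 10.0.5.22#40001: query: www.example.com IN A + (10.0.0.53)
14-May-2017 08:01:14.200 client 10.0.5.21#51424: query: killswitch-placeholder.example IN A + (10.0.0.53)
14-May-2017 08:01:15.300 client 10.0.7.9#33333: query: KILLSWITCH-PLACEHOLDER.EXAMPLE. IN A + (10.0.0.53)
14-May-2017 08:01:16.400 client 10.0.5.22#40002: query: notkillswitch-placeholder.example IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(r"client (?P<ip>[0-9.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def find_kill_switch_lookups(log_text, domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: lookup_count} for clients that queried a kill-switch domain.

    Exact-match only: a sibling name such as 'notkillswitch-...' is not a hit,
    so the result is a list of hosts that executed the sample, not a fuzzy guess.
    """
    hits = defaultdict(int)
    wanted = {normalize(d) for d in domains}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m is None:
            continue  # not a query line; ignore
        if normalize(m.group("name")) in wanted:
            hits[m.group("ip")] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: {n} kill-switch lookup(s); host ran the sample, isolate and rebuild")
```

Two points follow from how the post describes the stop button. First, a successful lookup only stops the worm spreading further from that host; the host still ran the code and has to be treated as compromised. Second, the check only works while the domain resolves, so a resolver or proxy that blocks or sinkholes the name to NXDOMAIN would remove the stop button rather than add protection.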

In the meantime if you're a business or government and you are running mission-critical say much less "highly important" software on Windows or similar systems, you have said systems written using any of the so-called "rapid development" toolkit packages out there (there are too many to count these days) or worse you're running said mission-critical systems "in the cloud" on someone's software as a service offering, you are an idiot and when, not if, you get nailed by something like this you deserve it as you've been fairly warned, including by me, with a clear documentary record going back years.

Comments.......
Nolaguy
Posts: 131
Incept: 2007-11-11

New Orleans
A small city I'm working with has a SCADA network for the entire city's electricity (they generate their own). A few things I learned during discovery:

The servers that connect/control the SCADA devices? Windows
Do those servers connect to the internet? Yes
The desktops that the SCADA admins connect/monitor SCADA Servers? Windows
Do those desktops connect to the internet? Yes
How is the SCADA network isolated from the core? On its own VLAN

Oh boy...
Tickerguy
Posts: 148666
Incept: 2007-06-26
A True American Patriot!
> Oh boy...

Yep.

"Here it comes", jackasses.

----------
Winding it down.
Tsherry
Posts: 807
Incept: 2008-12-09

Spokane WA
Now multiply that across every water system, sewage treatmen...er, "water reclamation facility" of any size, many of which are run by private companies on a 'design/build/operate' contract.

Talk about the **** hitting the fan, literally.

And traffic control systems? Yep.

Private water wells, pumps and rain catchment provisions sound better every day.

Tickerguy
Posts: 148666
Incept: 2007-06-26
A True American Patriot!
Well to be fair an awful lot of the SCADA stuff out there is only monitored via these machines. That is, it's a one-way transmission of data, so loss of the monitoring computer (or compromise of it) might change what someone sees, but not what the equipment does.

For those cases where it's bidirectional, however...... oh boy.

----------
Winding it down.
Analog
Posts: 1395
Incept: 2010-12-29

arkansas ozarks
I retired before the IT guys got into my Nuke plant. I'd been a longtime holdout against replacing the analog controls .

Build a solid analog control system to run the machinery.
Assign a fancy computer to monitor and report on it that'll tell you what needs to be fixed or tweaked.

It's the only sane thing to do.
I hope it's what they did.

a.
----------
Never trust a computer with anything important.
Kwaldman
Posts: 2
Incept: 2010-06-10

Canton MA
Karl

You are spot on - it is only with ever increasing investment in security that we keep up, barely. This is known as the "Red Queen Effect" - of course most people don't understand this. The centralized computing model is probably looking at extinction for all the reasons you mention.

For now, the global IT infrastructure just dodged a major bullet due to dumb luck - that SMB vulnerability is still out there and that "bug" will quickly be fixed. And SMB is just a long list of issues with new issues being added every day.

Karl

Flappingeagle
Posts: 2582
Incept: 2011-04-14

Just as a matter of personal policy I limit online banking and the like to the least that I can. I also do periodic backups and pretty much just refuse to keep critical information on a computer.

My mindset is this, I have to defeat EVERY attack. The hackers only have to get through once.

Flap

----------
Here are my predictions for everyone to see:
S&P 500 at 320, DOW at 2200, Gold $300/oz, and Corn $2/bu.
No sign that housing, equities, or farmland are in a bubble- Yellen 11/14/13
Trying to leave the Rat Race to the rats...
Robc
Posts: 15
Incept: 2009-09-10

Cincinnati
I worked for a local .gov county office for a couple years. They had a contract with MS, if any Linux or BSD machines even appeared on the network it violated their contract and something bad would happen. I really couldn't believe it. The IT culture there was beyond pathetic.

My desktop goes like this:

*base system arch linux, crypto filesystem

*primary data - 3 layer crypto filesystem, aes, twofish, serpent, combination of TRNGs to help generate keys manually, don't let any utils make anything to be sure, with nvme cache drives for my HDDs that only cache encrypted block data

*desktop system - arch and ubuntu and windows 10 with primary GPU passthrough depending on what i'm doing, gets access to selected primary data sources as needed only, never the whole shebang, the base system has no tainted drivers

*browsing - chrome (unfortunately) in a dedicated VM, which isn't perfect, but isn't bad, giving it accelerated graphics pretty much gives it access to low level resources, can read the screen and keyboard technically, but at least I can turn it off and keep a basic file IDS on it to watch for any weirdness without having to worry about trusting the base system so much. With no acceleration needed (no videos basically) you can just about insta spin up a fresh VM and use VNC.

*remote - no real capability or need yet, if i did i'd probably be using openvpn with 6 layers, 2 aes, 2 twofish, 2 serpent

*backups - currently just mirror my encrypted drive and rotate them to a different physical location... am actually considering using s3 with a few EncFs layers and duplicity (uses pgp up to 4096 bits)

*actual data - I'm making a video game among other software projects and design a few circuit boards, nothing to hide so to speak, but I'll be damned if anyone gets it without my permission

At some point I'll split my system into real dedicated systems, but has been pretty awesome for a single box.
Wa9jml
Posts: 1
Incept: 2017-04-29

DeKalb, Illinois
I wonder how many of these systems were running legacy versions of Windows? Microsoft apparently was warned about this bug, and issued Windows Updates to the versions that are still supported, but not to XP, Vista, or 8. I inherited an ancient IBM Thinkpad vintage 1999 from my cousin. It runs fairly well under XP. I plugged in the wireless network card to print some things for the Boy Scouts yesterday, and suddenly the Windows Update icon appeared on the XP taskbar. It took quite a while before it finished downloading the 100+ updates, and I also installed the update for this particular attack off of the Microsoft website. They officially stopped all updates for XP several years ago, but apparently they opened up the portals for these obsolete versions of Windows, at least for a time.

I use this old computer strictly for my word processing, and only plug it in to my wireless LAN to print. No current antivirus software will run on it, so I take the hard drive out of it periodically, and scan it by using an external USB drive setup.
Jymm
Posts: 416
Incept: 2012-01-22

Wisconsin
I guess I am a total cynic, but my first thought was Microsoft did it to force enterprise to Win 10. Probably not the case.

I also have worked most of my life in power plants. Our original DCS (Distributed Control System) was Unix based (Westation). It had an engineering key and only engineers could make changes. We had no fears during Y2K. Then MS started creeping in to control systems, with the inherent security risks. I was not impressed.

Remember no system is immune to being hacked. Some are more secure than others. Linux and BSD make more sense to me.

I once read, "If man can code it, man can hack it." I keep that in mind.
Ckaminski
Posts: 4051
Incept: 2011-04-08

Mass-Hole!
> They officially stopped all updates for XP several years ago, but apparently they opened up the portals for these obsolete versions of Windows, at least for a time.

Windows Update should still work for these old systems, you're just not going to get patches to new exploits or any driver updates.
Emg
Posts: 79
Incept: 2012-11-20

Canada
From what I've read, suspicion is that the 'kill switch' is actually intended to detect that the software is running in a sandbox, to make it harder to analyze. It requests the IP address of a nonsensical domain, and if the sandbox DNS emulator responds, it stops running. We're just lucky that, unlike some other malware, it uses a fixed domain and doesn't pick a random one every time, so registering that single domain made it shut down.

However, there's apparently an updated version out now which has that check removed.

But, yeah, it's no surprise that the customers we develop systems for that have to be up 99.9+% of the time (the kind of systems that can make international news if they're down for long) are being much more proactive about security these days. Firewalls used to be enough, now the assumption is that anyone who really wants access to the system will find a way through them.

Needless to say, none of them run on Windows.

However, that doesn't make it entirely secure. Another problem, as you touch on, is that so much of modern software uses third-party libraries, most of which have horrible bugs. Almost all of our software crashes in the last decade have been due to third-party libraries that don't validate the input properly. This, is probably the root cause of those security holes in Android's media server: someone thinking 'the spec says this field in this codec is 10 bytes, so I don't need to check the length'. That doesn't happen to us with our own code, because we don't allow people to write code that breaks if the input is incorrectly formatted. But when customers force us to use a specific closed-source protocol to talk to their systems, there's not much we can do except try to sandbox it from the rest of the software.
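The length-check failure Emg describes ("the spec says this field is 10 bytes, so I don't need to check the length") is worth seeing side by side with the checked form. The following is an added example, not code from anyone in this thread; it uses a constructed toy record format (1-byte tag, 1-byte declared length, payload) whose invented spec says the payload for tag 0x01 is exactly 10 bytes. Python slicing does not fault the way a C buffer copy would, so the naive parser returns short data silently instead of crashing, but the logic error is the same one.

```python
"""Length-prefixed field parsing: trusting the spec versus checking the bytes.

Added example, not code from the original thread. The record format is a
constructed toy 'codec': a 1-byte tag, a 1-byte declared length, then the
payload; the toy spec says the payload for tag 0x01 is exactly 10 bytes.
"""
import struct


class MalformedInput(ValueError):
    """Raised by the hardened parser when the input contradicts the spec."""


# What the constructed spec promises for each tag.
SPEC_PAYLOAD_LEN = {0x01: 10, 0x02: 4}


def parse_trusting(buf, offset=0):
    """Naive parser in the style the thread describes: believes the declared
    length and never compares it with the bytes actually present.
    Slicing past the end returns short data rather than raising, so a
    truncated record goes unnoticed."""
    tag, length = struct.unpack_from("BB", buf, offset)
    payload = buf[offset + 2:offset + 2 + length]
    return tag, payload, offset + 2 + length


def parse_checked(buf, offset=0):
    """Hardened parser: every assumption about length is verified against
    both the spec and the number of bytes actually available."""
    if len(buf) - offset < 2:
        raise MalformedInput("record header truncated")
    tag, length = struct.unpack_from("BB", buf, offset)
    expected = SPEC_PAYLOAD_LEN.get(tag)
    if expected is None:
        raise MalformedInput(f"unknown tag 0x{tag:02x}")
    if length != expected:
        raise MalformedInput(f"tag 0x{tag:02x} declares {length} bytes, spec requires {expected}")
    available = len(buf) - offset - 2
    if available < length:
        raise MalformedInput(f"declared length {length} exceeds {available} bytes available")
    end = offset + 2 + length
    return tag, buf[offset + 2:end], end


def parse_stream(buf):
    """Parse back-to-back records with the hardened parser; one bad record
    rejects the whole input rather than letting garbage through."""
    records, offset = [], 0
    while offset < len(buf):
        tag, payload, offset = parse_checked(buf, offset)
        records.append((tag, payload))
    return records


# Constructed inputs: one well-formed stream and two malformed records.
GOOD = bytes([0x01, 10]) + b"0123456789" + bytes([0x02, 4]) + b"abcd"
TRUNCATED = bytes([0x01, 10]) + b"0123"      # declares 10 bytes, only 4 present
OVERLONG = bytes([0x01, 200]) + b"x" * 10    # declares 200 bytes, spec says 10


if __name__ == "__main__":
    print("trusting, truncated input:", parse_trusting(TRUNCATED))   # short data, no error
    try:
        parse_checked(TRUNCATED)
    except MalformedInput as exc:
        print("checked, truncated input:", exc)
    print("checked stream:", parse_stream(GOOD))
```

The hardened parser treats the spec as a claim to be verified, not a fact to be relied on: the declared length must match what the spec requires, and the bytes must actually be present before they are used. Rejecting the whole stream on the first bad record is the same sandboxing instinct Emg mentions for untrusted protocol input.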
Ckaminski
Posts: 4051
Incept: 2011-04-08

Mass-Hole!
> and if the sandbox DNS emulator responds,

Except lately ISPs are always returning a result for a bad DNS entry that redirects to THEIR search pages.

Emg
Posts: 79
Incept: 2012-11-20

Canada
"Except lately ISP's are always returning a result for a bad DNS entry that redirects to THEIR search pages."

Good point. But, since this is ransomware, home users probably aren't the target market... a business that's losing millions of dollars a day is more likely to pay a lot of money to fix their computers than a home user who's lost their cat pictures.

Particularly if said business suddenly finds that their backup restoration doesn't work because they never tested it properly.
Highonlife
Posts: 107
Incept: 2009-02-20

In the context of this can I just mention three words which should scare the living daylights out of everyone?

"Internet of Things"....


Wayiwalk
Posts: 3
Incept: 2016-11-09

New Yersey
Amazing to me when I read that the entire UK medical system was using Windows XP.

Three or so years ago when Microsoft announced they would no longer provide new support for XP, even at my (very small business) home healthcare business we upgraded to Windows 7 right away (and we sure as heck wished we didn't have to).

Then again, I suppose their concerns with IT/security are also aligned with the other negatives I've read about their healthcare system.
Thebirddog
Posts: 87
Incept: 2015-08-06

Current IT thinking promotes the use of commodity hardware, open source software, and virtualized everything on leased infrastructure in the "cloud"; the reasons are sound and logical. However, the contrarian in me is curious as to when the pendulum will swing back to the other direction and proprietary on-prem hardware and software will once again be in vogue.
Tickerguy
Posts: 148666
Incept: 2007-06-26
A True American Patriot!
The "reasons" for the latter are neither sound or logical.

----------
Winding it down.
Dennisglover
Posts: 613
Incept: 2012-12-05

Huntsville, AL
Karl, I'm having a bit of trouble parsing your meaning in:

> You wrote: The "reasons" for the latter are neither sound or logical.

If "the latter" refers to

> Thebirddog wrote: commodity hardware, open source software, and virtualized everything on leased infrastructure in the "cloud"

then I get it. But the latter would normally refer to what occurs after a thing that was previous, so I am wondering if you meant that

> Thebirddog wrote: ...when the pendulum will swing back to the other direction and proprietary on-prem hardware and software will once again be in vogue

is

> You wrote: neither sound or logical

Something doesn't scan right in all of that for me, so I still wonder.

In a "just" world, sooner or later organizations, companies, governments, etc. would come to recognize the dangers inherent to SaaS, PaaS, IaaS, and all of the rest of the current and future "magical cloud 'solutions'" and revert to the in-house, proprietary, "don't even think of screwing with my business" model. At the same time, I have to wonder if it is not the case that, far too often, the talent and expertise (and company/brand loyalty) so necessary to making "closed source" paradigms work the way they have in the past, have been "lost" and "sent to the pasture".

Over the last 30 years or so I've talked with way too many old-timer NASA, IBM, Boeing, and other companies' engineers and programmers who readily said that this Nation no longer has the sheer engineering talent and drive to mount the kind of bold and decisive move that we did in the Mercury, Gemini, and Apollo days.

You know... that's truly frightening.

----------
TANSTAAFL
Ribbit
Posts: 2437
Incept: 2007-09-10

Wales, UK
I'm beginning to think learning to knap flint was one of my better ideas. :(

I have been raving on about the "Internet of Things" and other stupid vulnerabilities, for years. I mean seriously, even though I would personally benefit from one (being disabled), who in their right mind would get into a driverless car, or permit even UNLOADED driverless trucks on the road?


I'm beginning to think, the only time any of this gets taken seriously, is when Society gets Switched Off, and the idiots then find, they can't reboot it. /sigh

I hope you are all keeping well.

----------
If the State was a Nanny, it would have been fired for incompetence, unreliability, and having its hands in the till, a very long time ago now.