by SomeStupidPoint 3323 days ago
MS issued a patch ahead of the usage of the lost exploit by a wide enough margin that I'm loath to blame the government for the mere existence.

The problem lies in our defensive infrastructure and our ability to roll out patches responding to incidents.

It also lies in our security infrastructure: that cryptoworms are a danger speaks to a fundamental lapse in permission and process management systems.


> The problem lies in our defensive infrastructure and our ability to roll out patches responding to incidents.

The problem is corporate IT (or management) think they can create some sort of stable environment, driven by fear of having things break. Organizationally they need to accept that they are operating in a dynamic and hostile ecosystem and that the risk of worms is higher than the risk of some random app breaking on a windows patch.

> Organizationally they need to accept that they are operating in a dynamic and hostile ecosystem and that the risk of worms is higher than the risk of some random app breaking on a windows patch.

Except it's not. The account used by the hackers has supposedly earned about 4 Bitcoins so far. Meanwhile, many people from home users to professional IT personnel can recall incidents where Windows Update has broken something that worked fine before. Up to and including installing a completely new version of Windows, force-fed to unwilling customers with intentionally-deceptive practices.

I know more times when updating Ubuntu made the machine unbootable than for Windows.

I'm a CentOS desktop user at work and Ubuntu at home. I love my Linux. Objectively, the parent poster is correct. For all MS's faults, I've had no fewer problems updating Ubuntu systems than I've had or seen with MS systems.

That said, CentOS is _rock solid_. The packages are old, but maintained by Red Hat upstream and do not break on updates. The only thing I recall seeing break on a CentOS update, including point releases, are Firefox and Thunderbird extensions, as Mozilla apps are updated eight version numbers from one ESR release to the next.

What type of update? Dist upgrades can be broken, but I've never had issues with general updates.

Mostly problems with the graphical stuff. More than once I've had to log in via a text console and mv ~/.kde somewhere else to start X, or move some ~/.Xfoobar file. Once some ~/.Xfoobar file filled up the entire /home/ partition due to some X error. I've also had problems with some network card driver on a new install; I can go through my posts on unix.SE if you want more detail.

I simply remember that Ubuntu should only be updated when I've got a spare day to fix any potential issues, whereas so far CentOS can be updated before each shutdown.

All this is from the perspective of a desktop user. I use both on various web servers and I've found both to be reliable. I'll use CentOS where I need absolute stability but on my cloud instances I'll happily use Ubuntu and get the latest PHP, etc.

This is a little misleading. The cost of the attack to businesses, governments, etc. is vastly greater than the laughable amount of money actually raised by the criminals.

A doctor who needs to look at an X-ray and comes up against WC is not going to pay up on her credit card. She will call the IT department to 'fix the broken computer'. But she still won't be able to look at the damn X-ray.

This is only a single particularly large attack; the same sort of thing happens to machines every day on a smaller scale. The future potential for attacks like this also goes way beyond the current attack.

I do agree MS needs to shoulder a lot of the blame here, but would they have acted differently if IT departments didn't block updates?

The margin would've been much wider still with responsible disclosure from the NSA, however. This means that fewer people would have been affected.

Unless the NSA reported it to MS back when XP was still supported, not much would change. People can (and do) reverse-engineer exploits from Windows updates, and they could still take advantage of the large number of unpatched XP machines.

In an unusual move, after the worm started spreading MS released a patch to XP for this exploit.

Based on what?

The NSA likely gave MS months of lead once they determined what SB stole. A patch was pushed out before the release of the vulns.

There's no reason to suspect that people wouldn't have reverse engineered the vuln from the patch and had similar timelines of unpatched systems being exposed.

In fact, we see exactly that play out over and over with security patches.

Well, a US government agency in charge of US security decided to keep the US and its allies vulnerable. They definitely need to answer whether the benefit was really worth it.

How many times do people need to be told that XP machines should not be connected to the internet, especially if they're not keeping up with patches?

MS also has to share some blame here for updates that break things, and updates that restart at random times (such as when you're doing some really urgent work). This has trained a whole lot of users to believe that Windows updates are a risk to their use of the computer, and now they just click away any update prompts.

Honestly, though, updates breaking things are quite rare. Sure, I know of "a friend of a friend of a friend" who had something break, but honestly, aside from patch installations sometimes being started at inopportune times, I haven't personally encountered things breaking on any of my systems or those of friends or family. More things get broken because people hear that there are problems and try to stop the updates.