by Kholo 3322 days ago
Complete BS. This is what happens when you have top class PR at your disposal to define the narrative.

Microsoft is responsible for their shit software getting exploited first and foremost. Seriously, fine Microsoft and by the day after tomorrow that 3500 security engineer number will jump to something realistic.

Instead what will happen is more tightening of the walled garden, overcharging of support/security contracts and propping up of another billionaire or two. I can hear the whisky glasses clinking.

Corporations do not get to set the agenda and the narrative. When they are allowed to, the results are very predictable - in this case Microsoft will make more than they lose. Who here disagrees that that is going to happen? And who here believes that is right?

The answer is simple: whether it's Microsoft today or Facebook and Google tomorrow, win-win should not be an option when such things happen.

8 comments

Uh, except Microsoft had already patched the vulnerability, just not for XP that was still being run. Of course you can punish them and force them to support all legacy OSes forever, until that strangles the life out of them at which point large institutions still have to run the old OS because they have too much investment in computer controlled hardware with no forward migration. Now they are locked into an insecure technology stack with no vendor to take responsibility and no source code to even take on the problem themselves.

There's plenty of blame to go around to be sure, but giving the NSA a pass for developing zero days is batshit insane. These guys are playing god instead of helping make infrastructure more secure overall, and it will not end well, even if they outcompete the Chinese or whatever other bogeyman they cook up to justify their power grab.

This is why free software is necessary.

Proprietary software makes you rely on a company to fix everything. It's like driving a car without being able to replace a flat tire.

It wasn't about fixing, it was about upgrading/updating. It takes people and money to upgrade large infrastructures - closed source or open source, doesn't matter. Thinking that irresponsible (or budget-constrained) organizations will somehow have a completely different mindset and/or set of priorities when they switch from Windows to open source software is naive.

No it is about fixing, a design flaw allowed this to happen. SMB1 (hopefully) wasn't built thinking EternalBlue would be a fun feature.

No one expects perfect software; but this clearly happened because Microsoft's software was broken, the NSA found where, and hoarded and then lost control of that knowledge.

edited: I understand what you mean about people not patching and leaving themselves vulnerable. A lot of pain could have been prevented at that level.

So let's assume this was in Ubuntu, let's say version Ubuntu 10.04.4 LTS (5 years of support), and the NHS decided that it didn't want to upgrade beyond 10.04.4 because some of their stuff broke...

Long term support ended in May 2013 for desktop. But Ubuntu patched the bug in March 2017 for all current supported versions of Ubuntu.

Then the NHS got hit with the bug.

How does free / non-microsoft software protect against a shitty decision to not update / upgrade?

> How does free / non-microsoft software protect against a shitty decision to not update / upgrade?

By not bundling upgrades with what is essentially malware, and making them as inconvenient as possible.

If I am running Ubuntu 10.04.4, and I hear about serious malware that relies on a security hole that is patched upstream, I have the opportunity to patch it myself, and keep running Ubuntu 10.04.4 as long as I want.

That being said, it's disingenuous to compare unpatched Windows 10 with unpatched Ubuntu 10.04. It is totally unreasonable to think you are secure using an unsupported OS, but it is a lot more reasonable to think you are secure running Windows 10 just a couple months out of date.

Assuming these hospitals keep updating and do not get stuck at Ubuntu 10.04.

Anyone can seek help on the open market to support Ubuntu 10.04 forever if they like. You can't go to another company if you don't like the price Microsoft sets for support for Windows XP.

This comment makes my blood boil. Please ask yourself:

1. why would anybody want to keep 10.04 alive?

2. do you think the type of people who stubbornly continue to use 10.04 would know/care enough about security to seek an alternative source for security patches?

edit: should maybe add why this pisses me off: just logged into a production server running 12.04, default install apache and updates _turned off_. the owner looked confused (and slightly bored) when I explained the problem to him.

I don't particularly care why an organization would want to maintain a piece of software indefinitely. That's not my problem.

I do think it's important to recognize that there is a model under which an organization can. I'd even argue that it's a more "free market" than that of single-source proprietary software, too. If there's a market in maintaining non-proprietary software someone will pop up to fill it (even if it's just a lone-wolf consultant). With proprietary software that can't happen.

Whether or not an organization or individual chooses to maintain software is an orthogonal concern to the model under which they maintain it. Even when there is a free market for maintenance some will opt to eschew maintenance. Personally, I'd like those organizations to pay the cost by way of data loss, downtime, going out of business, etc.

I'm not overly worried about it. I think traditional regulatory and risk management will eventually catch up. Someday (hopefully sooner rather than later) businesses won't be able to get basic insurance policies unless they can prove they're doing IT maintenance, for example.

Whatever hardware that is running that 12.04 system can be upgraded, free of charge, for likely the next 20 years if the past 20 years of Linux is anything to go by.

Even if you pay money for Windows 10, it is unlikely to even start on the hardware that XP ran on. Not only will the people have to go through the budget to pay for the software, but now you need a full upgrade plan.

To put this in a concrete example: if a hospital had a check-in system running 12.04 they could just take someone internal from IT and go and fix it. If it was Windows XP then they need to go through finance, then get offers from competing companies, fit the upgrade into the budget, and last have people installing it in each of the hospital's entrances. The first case has a project length of days and the other of months and in the worst case years.

> why would anybody want to keep 10.04 alive?

> Assuming these hospitals keep updating and do not get stuck at Ubuntu 10.04.

It's that simple.

If someone wants to continue using outdated software, they will want to keep supporting it. Free software lets them do that. Proprietary software specifically forbids it.

Why would anyone use Ubuntu for critical operations in the first place? AFAIK it's Red Hat or Debian.

I think you missed the point being made by the person you replied to. The only 10.04 install you should encounter exists due to ignorance and not due to upgrade cost as with a non-open OS. XP/Vista/7/8/10 don't get upgraded due to them being proprietary and having a single point of support (concerning OS level exploits).

So, 1. because there is a community outside of a major corp who are active, so it isn't a burden on Canonical. 2. yes? see 1.

Should any IT professional not have upgraded from 10.04? No. It's free to upgrade, unlike Win which, remember, isn't a single upgrade, licensing is per user.

Hospitals run life-critical equipment; Ubuntu is not suited for this. AFAIK hospitals running Linux choose Debian for stability, or Red Hat for support.

Install Debian with testing repositories and unattended upgrades and you're done for good.

Or just stick to CentOS and with their 11 years support period.

XP was supported for 12 years. It's now over 15 years since it was released.

XP is still in use for 2 reasons: cost and backwards compatibility.

For cost, CentOS, on its own, is free. Support costs you of course, but the updates are coming down from Red Hat, for which there is enough money flowing in already, so support in this case means a sysadmin who understands CentOS, and those are not that rare, not even that expensive.

Backwards compatibility is another topic, especially with the rise of systemd.

If the corresponding software is not included in any official or semi-official repositories (EPEL, for example), but is distributed with source, you may need someone to recompile it every 11 years, when you change major versions. I think this is reasonable to expect, though there might be issues for certain, especially if it involves Gnome3.

For those that are distributed without source code - well, that is the same problem as with XP, but usually it's possible to strace why it fails and fix/replace/dosomemagic with the underlying libraries it's depending on.

When this is not possible you can still create a container image with the old code to run it with.

With all the power out there even in the office workstations we could:

- install a base, damn stupid linux as hypervisor

- run windows in virtualbox with shared folders

- use btrfs for the shared folders and keep daily snapshots for a few weeks

If you get a virus, drop the image, get a new one, restore the snapshot, done.

If anyone is already using something like this, please tell, I'm curious.
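The hypervisor-plus-snapshot setup sketched above, as an added example that is not from the original thread: a POSIX shell script (assumed paths, assumed 14-day window) that takes a daily read-only btrfs snapshot of the host-side folder shared into the Windows guest, prunes snapshots older than the window, and rolls the folder back to a chosen snapshot once the infected guest image has been discarded. The snapshot directory deliberately sits outside the exported share, so ransomware running in the guest cannot reach the copies it would need to encrypt.

```shell
#!/bin/sh
# Daily read-only btrfs snapshots of a VirtualBox shared folder, with
# retention and rollback. Paths and the 14-day window are assumptions.
set -eu

SHARED="${SHARED:-/srv/vbox/shared}"        # btrfs subvolume exported to the guest
SNAPDIR="${SNAPDIR:-/srv/vbox/.snapshots}"  # read-only copies; NOT under $SHARED
KEEP_DAYS="${KEEP_DAYS:-14}"                # "a few weeks" of daily history

# Snapshot names embed an ISO date, so plain string order is date order.
snap_name() { printf 'shared@%s\n' "$(date -u +%F)"; }

# Read snapshot names on stdin, print those dated strictly before $1.
# Pure string logic, so it can be exercised without a btrfs filesystem.
select_expired() {
    awk -F@ -v c="$1" '($2 "") < (c "")'
}

# Create today's read-only snapshot (idempotent: skip if it already exists).
take_snapshot() {
    name="$(snap_name)"
    if [ -e "$SNAPDIR/$name" ]; then
        echo "already have $name"
        return 0
    fi
    mkdir -p "$SNAPDIR"
    btrfs subvolume snapshot -r "$SHARED" "$SNAPDIR/$name"
}

# Delete snapshots older than KEEP_DAYS (uses GNU date for the cutoff).
prune_snapshots() {
    cutoff="$(date -u -d "-$KEEP_DAYS days" +%F)"
    ls -1 "$SNAPDIR" | select_expired "$cutoff" | while IFS= read -r name; do
        btrfs subvolume delete "$SNAPDIR/$name"
    done
}

# Roll the shared folder back to a named snapshot. The live (possibly
# encrypted) subvolume is renamed aside rather than deleted, so it can be
# examined later, and a writable snapshot of the chosen read-only copy
# takes its place under the original path.
restore_snapshot() {
    name="$1"
    if [ ! -e "$SNAPDIR/$name" ]; then
        echo "no such snapshot: $name" >&2
        return 1
    fi
    mv "$SHARED" "$SHARED.infected.$(date -u +%Y%m%dT%H%M%SZ)"
    btrfs subvolume snapshot "$SNAPDIR/$name" "$SHARED"
}

case "${1:-}" in
    snapshot) take_snapshot && prune_snapshots ;;   # run daily from cron
    restore)  restore_snapshot "${2:?snapshot name required}" ;;
    list)     ls -1 "$SNAPDIR" ;;
    *)        echo "usage: $0 snapshot | restore <name> | list" >&2 ;;
esac
```

Run `snapshot` once a day from cron on the host; after discarding a compromised guest image, `list` the snapshots and `restore shared@YYYY-MM-DD` with the last date known to be clean. The guest never sees `$SNAPDIR`, and the read-only flag on each snapshot means even a host-side mistake needs an explicit `btrfs property set` before the copy can be altered.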

The CVE database or Open SSL, are good examples how much safer open source actually is.

> ... are good examples how much safer open source actually is.

Sorry, open source never equals free software (most of the time). Though what you said may be true for both.

And some day, we will surely know why free software is better than open source. It's only a matter of time. But by that time, it will be late, and out of control.

Free software can be closed source, which is why companies love MIT style licenses.

> Free software can be closed source...

Eh, never. Not even for open source. Once the source is closed, it is no longer open source (and neither free software).

For software to be open source, the user should have a way to obtain the source code legally (that is, stolen source code won't make software open source).

For the software to be free software, the user should have the freedom to (modify and) replace the software with the user's version of the software (of course, source code availability is a prerequisite for this).

Say for example, your router, Android phone, TV, car, or your espresso machine could be running Linux which is open source. You get the source code of those over the Internet or from the vendor on request. But you may not be allowed to change it. So you are always at the mercy of the vendor if something happens (like the one happening now). They are open source, but they are not free software. (GNU [A]GPLv3 enforces this freedom. Some like it, some don't).

Software can be free or non-free based on where the code is run, not just whether you get the source or not.

This is freedom 1 by free software definition:

The freedom to study how the program works, and change it so it does your computing as you wish.

See https://www.gnu.org/philosophy/free-sw.html for more details.

I thought MIT wasn't free software as defined by the FSF?

Open source would be the term for that. Free requires end users to receive source, open just allows you to use the source if you have a copy.

Maybe the law should say 'security patches or open source'?

The law should simply put liability on the software, if it is not open source.

Why do you want the law involved?

What we have is a cultural issue, not a legal issue.

>> large institutions still have to run the old OS because they have too much investment in computer controlled hardware with no forward migration. Now they are locked into an insecure technology stack with no vendor to take responsibility

Any company that locks themselves into a specific operating system, and then declines investing to upgrade with each new release is entirely at fault. I can imagine the executives at these companies complaining about how their one-time outsourced application made overseas cannot possibly be migrated. Even if built locally, clearly no money was budgeted to maintain the software or infrastructure. These companies get what is coming to them when their only priority is the current quarter's bottom line, with no planning for how the company will manage to keep operations up and running in the next quarter, let alone the years ahead.

You specifically mention lock-in due to "computer controlled hardware". The idea that companies build the core of their business on hardware that can be controlled with Windows XP but not Windows 7 or Windows 10 is laughable. How is that even possible? The backwards compatibility Microsoft provides means it's nearly impossible for any application to become unusable within a decade - or even longer. The application will need to be maintained with minor changes to make use of modified APIs, or to transition from 32 to 64 bit architecture, etc. - but the amount of work needed is nowhere near infeasible. It only becomes difficult if you spend many years ignoring required upgrades, and then try to perform a single massive upgrade covering half a dozen missed release cycles all at once. Even hardware ports going out of fashion (example: serial ports) is not the end of the world. Compatibility between the latest operating system and old port standards will always be possible, as those that need such things make it happen.

No sympathy for any company still running Windows XP. None whatsoever. It sucks when it's government that is affected, whereby taxpayers' dollars take the hit for the fallout. Still not a shocking, unexpected result. In fact, this is precisely the expected result.

How much do you think it would cost Microsoft to support XP forever?

There's a big argument for only releasing evergreen style software, and giving the middle finger to IT orgs that want more control.

This. There are lots of groups to blame, but corporate IT departments are high on the list.

What does "evergreen style software" mean? A quick search didn't return an obvious answer.

Software that continually updates itself automatically. It's what Chrome popularized.

I think MS wanted this in Win10 (hence the big push on the consumer side by giving it away for free). The problem is that plenty of people, even people who should know better, don't want to upgrade something they think is "working well" for an advantage they can't see.

Allowing XP to exist forever is not a good thing for security either. There are security architectures in place within Windows 10 for example that do significantly improve security.

At some point companies need to cough up the money and upgrade their technology.

Is there some philosophical principle under which you believe that companies must "cough up money" for services that they have already ostensibly paid for? That sounds remarkably like extortion.

If Windows XP is proven to be untenably insecure, anyone who bought it should receive a refund.

My car will break down at some point due to imperfect engineering and the realities of physics. Is Ford required to repair my car indefinitely or allow a refund on a car with 250k miles? No, when I bought the car, it came with a warranty stating if they messed up they would fix it within a certain period of time or miles.

When I buy Windows, I agree to a warranty of sorts. They agree to supply updates to the software for a set period of time. Afterward, it is on me.

Nobody can write perfect software, it will age and break down. Nobody can engineer a perfect car, it will age and break down. Demanding infinite warranties is ridiculous.

> Is Ford required to repair my car indefinitely..?

Never. But it would be wrong for Ford to stop others from fixing your car by providing no information about the car, which I believe is what Microsoft is doing with their obsolete software pieces (including the OS).

As that is the case here, they (Microsoft/Ford) are just lending you something, you won't ever own it. Would you agree with that?

software is not subject to entropy...

The car analogy is a very poor one. Software doesn't wear out-- physical stuff does. Defects in software are present when it's created. It doesn't "age" or "break down".

(I am making no comment on the issue being discussed-- simply that this is a very poor analogy.)

I think the discovery of new types of exploits could be considered akin to wear-and-tear of physical things you buy. At the point of sale the software was safe, but over time problems were discovered.

When you buy a house you have a whole battery of inspections performed to make sure that you're buying somewhere safe, but over time the small things that got overlooked (like a small crack in a roof joint) or were considered safe at the point of sale become worn, or are discovered to be unsafe (locks susceptible to bumplocking for instance).

It's a tenuous analogy to be sure, but I don't think it's reasonable to think that Microsoft should refund people who bought XP. Are there any Linux distributions that back port all fixes to version 0.1?

Could asbestos be a good analogy? As far as I know we don't generally hold the original construction company responsible for its removal.

Microsoft's support policy says they will only provide security updates for 10 years. Any company who wants more than that can pay them extra for the privilege. That's not extortion anymore than extended warranties are extortion.

Microsoft was a monopoly when they sold that contract, which makes it subject to much stricter guidelines on what is allowable in the product they sell.

Assuming we class XP as a defective product, at what point do we stop requiring recalls? If there is a safety defect in a 2001 model car, will it be required to have a recall?

Given that MS even made a patch (which is generally equivalent to a recall), I'm not sure that your suggestion will be given that much credence. I mean, if we say that XP is an unsafe product, the government could stop them from selling it and remove it from the shelves, but MS stopped selling the product in 2008 (nearly 10 years ago) and has repeatedly urged its customers to stop using it because it is insecure. This is all that the government generally requires in this situation as far as I can tell.

Edit: grammar

Not all markets or products are the same. You're talking about software as if it were a rotten potato. It's not. It's an incredibly complex market for incredibly complex products. I agree that there needs to be a way to value the liability that software makers should face.

In the short term we need everyone to be better net citizens. That includes the businesses using this software to create the trillions of dollars of wealth on the global economy.

Yeah, I'm hoping that, if nothing else, WannaCry will prove to be the incentive required for a lot of places to stop putting the upgrade off.

Microsoft still are supporting XP. Just not for the general public.

Organisations with high value software that relies on XP still receive ongoing support from Microsoft (such as the US Navy and anyone else who wants to pay big bucks for it). The difference is none of these patches usually make it to the public.

For Microsoft to patch this current issue, there would have already been a pre-existing team working on XP patches; the only difference is this one was released publicly due to its impact.

http://bgr.com/2015/06/24/windows-xp-support-us-navy-million...

Why would you pay to change something that works fine? And pay more to have your software redone, and pay more to have the employees retrained.

Microsoft wants more money and pushes newer revisions of the same crap instead of actually improving the existing one.

Until win10 that is, win10 is now the only windows version and offers more spying, a worse UI and UX while also including ads.

See, but you're making practical sense about the real world. That's not going to fly with people using this as an opportunity to push their favorite narrative.

I agree with the point on the NSA. There were surgeries cancelled in the UK. This materially impacted the lives of our allies. How is that supposed to work?

Luckily we've got a set of level heads running every branch of government these days...

> Instead what will happen is more tightening of the walled garden

You know what? I'm starting to get excited for the walled garden to get more walls.

Native desktop applications get far too many permissions by default - it's crazy that any desktop application, once running, can register itself at startup, see all my files (created by any application), register system-wide keyloggers, take screenshots of other applications and download my contacts list, all without my permission. We don't let web apps do that, because web app developers aren't trusted by default. We don't let mobile apps do that, because mobile app developers aren't trusted by default. Why on earth do we implicitly trust any executable file run on the desktop so much?

Telling users not to double click on executables is obviously not working. Even for experienced users I have no idea whether some random app on the internet is trustworthy. It's a reverse lottery. I also suspect ransomware like this one would have been slowed down if it needed explicit user permission to read & modify files on disk.

We even know what the sandbox should look like, because we have two working examples in the form of the web and mobile. And we have sandboxing support & APIs in most operating systems. We're just missing the UI part.

I'm imagining something like:

- All apps get signed by the developer (Lean on SSL? Not sure the chain here.)

- The app needs to request capabilities from the user, like on iOS. "App X by Y developer wants permission to read the files in your home directory". (/ Read your contacts / Register at startup / Take screenshots / Modify these files).

- Capabilities can be viewed and revoked at a system-wide level in the control panel / system preferences.

That's fine and dandy - I'm all for it, in fact, I configure my systems thus with 3rd party tools as much as I can. Android is mostly like this (with a less than perfect implementation).

But when people talk of "walled gardens", they mostly refer to the guardian at the entrance. Only Apple decides what runs on iOS, only Microsoft decides what's in the App Shop. That's NOT good for anyone (except Apple and Microsoft).

Sure, make users jump through hoops to install alternate stores, and warn them up the wazoo when they do that. But do let them, or general purpose computing as we know it is gone.

Security professionals are almost completely unanimous about how effective Apple has been with its "walled garden". I'm not even an Apple fan, but what they have done is pretty amazing from a security perspective. Like it or not it has worked to keep people safe from many, many types of attacks.

Sandboxing and tighter security are orthogonal to app stores. The same security policy should apply to every app, regardless of whether it was installed through the official store or from another source.

What the grandparent is suggesting is akin to UAC, which received much hate when it first debuted in Vista but has now become a mostly accepted part of the Windows user experience. It has been done before, and it can be done again, with every Windows app, not just apps from the Microsoft Store.

They are orthogonal in theory, but so far not in practice - all three appstores in common use (iOS, macOS, Android) have mandated sandboxing and security.

Grandparent was suggesting UAC, but started with:

> You know what? I'm starting to get excited for the walled garden to get more walls.

Walled garden is fine only if you build the walls. Please let iOS stay the only such corporate-built travesty.

It is good to have the ability to raise the walls. It is not good for Apple and MS to decide what to use their OS for...

Yeah I don't want the only distribution model to be an App Store. And I don't want to lose the ability to run things with root access.

But I strongly believe that right now apps get too much access by default (read, write all my files is crazy). And if they need anything beyond that they just ask for root. There needs to be much more granular permissions, with more restrictive defaults and nice informative dialogs.

It's unsexy, and inconvenient for developers. But it's the right thing for our users. It's how I want random programs downloaded from the internet to behave.

>You know what? I'm starting to get excited for the walled garden to get more walls.

Yep. What developer types don't like to admit is that for the average user, who doesn't use the features excluded by the walled garden anyway, the tradeoff is well worth the security gains.

Why do you think people would treat them any differently from the UAC screen of Windows 7? That is, just click OK to grant whatever permission it wants, or disable it entirely to avoid the annoyance.

That's probably true but you could enforce it at a corporate level with a whitelist of apps that should have access to certain permissions.

I'm not sure if you know, but Windows already has that - Metro apps (or whatever the name is now) are sandboxed and with a permission system.

But they are much hated.

> But they are much hated.

Most people wouldn't even know that they are sandboxed.

But we will see for sure with Windows 10S and its optional upgrade to Pro policy.

And who do we fine for all the bugs in Open Source software then? The most serious vulnerabilities of late have all been in Open Source packages: ShellShock, Heartbleed, etc.

Do we fine the person who committed the faulty logic, the reviewers, the entire community who "peer reviewed" it?

>ShellShock - Heartbleed - etc

How many systems were actually compromised in an unrecoverable manner costing thousands or millions, maybe even billions of damage due to any of those vulnerabilities?

All of them combined do not even come close to the damage that occurred over the weekend.

Shellshock, heartbleed were an inconvenience for some sysadmins and click bait for the tech press.

Heartbleed and ShellShock were serious but nowhere near the seriousness of WannaCrypt. Don't let the top headlines of HN and a fancy logo be how you rate vulnerabilities.

Thanks to the transparency of open source, you have learnt those buzzwords. Wish you the best of luck with your black boxes.

I'd be happy enough to go with "you fine whoever wrote the invoice or cashed the cheque". You wanna sell it? Take responsibility for it. You scratch your own itch and give it away for free? Good on you.

It doesn't quite work like that.

If I give away "free lemonade", but people get sick because I've made it in dirty conditions, I will not get away just because it's free.

Maybe...

What's your alternative? Are you suggesting we _do_ fine all the OpenSSL contributors? Or that we do not hold anyone except end users responsible for software/hardware security?

I'm not sure metaphors or comparisons between software and lemonade are entirely helpful - although they do push the discussion along, which is at least interesting... (So if I didn't _make_ the lemonade, but published my "4 lemons pulped, 1/2 a cup of sugar, and 2 teaspoons of rat poison" lemonade recipe on github - then you made it and got sick... Who's in the firing line then? What if the README says "this recipe is satire"?)

Red Hat and Canonical will be in a world of hurt.

No system is perfect. Remember Heartbleed? Microsoft released a patch to correct this particular issue in March, however the IT infrastructure in companies is slow, the whole process is convoluted, yada yada.

The point is: the NSA caused this particular problem. Steps should be taken by everyone to ensure something like this doesn't happen ever again.

The NSA did not cause this particular problem. The NSA may have identified the vulnerability, however there is certainly an argument that their other responsibilities outweigh any responsibility that they might have to act as a free security investigation team and report a security vulnerability to an outside corporation.

If Russian government intelligence agency security researchers found that bug first would you say that they have a responsibility to disclose it to Microsoft (notably a United States company)? Would you be surprised if they felt and acted differently?

> however there is certainly an argument that their other responsibilities outweigh any responsibility that they might have to act as a free security investigation team and report a security vulnerability to an outside corporation.

Yeah, a shitty one. Free? No, they're funded by taxpayer dollars. I do think we need to argue about priority of responsibilities. Was this exploit used to spy on allies?

> Was this exploit used to spy on allies?

Don't know, and unlikely to ever find out. If so, it was likely very targeted to avoid detection on modern systems. Was it ever used to spy on Iran's nuclear enrichment program?

> I do think we need to argue about priority of responsibilities.

Ok. What responsibilities does a US government agency have to disclose vulnerabilities? Should they be required to disclose all vulnerabilities found in software and equipment from US companies? Since a lot of that technology is used around the world, are you on board with the corollary of it being harder for the US to spy on anyone using modern equipment?

How about disclosing problems found in tech products used by US companies? Should the NSA do that as well to keep those companies safe?

The US provides a fair amount of funding to organizations focused on finding and responsibly disclosing security problems, notably CERT[1] and US-CERT [2]. The NSA is a completely separate thing.

1: http://cert.org/about/ 2: https://www.us-cert.gov/

Edit: removed snark

Just because the media (including Microsoft) tagged those projects (that were maintained by small groups of core developers and are free (unpaid) software) with fancy names - those problems weren't anything like the massive, global impact of just one of Microsoft's ticking timebombs due to poor software design and lack of emphasis on security in their products. OpenSSL doesn't and didn't have the PR powerhouse of Microsoft and people didn't pay for their software let alone fund its development.

> Microsoft's ticking timebombs due to poor software design and lack of emphasis on security in their products

I assume you know nothing about software with flippant comments like this.

Completely securing software is an incredibly difficult thing to do and merely throwing resources at it isn't going to change that. It is just as likely to affect well designed software as it is poorly designed. Especially given that all of us rely heavily on third party libraries and underlying infrastructure.

All software has flaws. It's how we respond to them that matters.

https://twitter.com/ben_a_adams/status/863563517898747904

>Microsoft is responsible for their shit software getting exploited

This is an absurdly naive viewpoint. How are they responsible? What is their responsibility? How is it their responsibility when a state-funded group/actor targets their software and finds an exploit?

At some point you have to realize that 0days will always exist. It is an impossible task to expect software developers to ship perfect software.

Fair enough but, like others have said, who do I fine when my Wordpress site gets pawned or for Shellshock, etc? I wish this problem was as simple as blaming/fining MS or Google.

I think without: 1) Open Source software AND especially 2) significant financial incentives for finding and reporting bugs, it will be business as usual for the foreseeable future.