As usual with the MSM, the one aspect that *should* be put under the spotlight and dissected is the one aspect that is studiously ignored.
My previous gig as the Cisco Kid working on business comms and IT for every high street name you can think of and a bunch of other shit you can’t (traffic lights, military bases, hospitals etc) qualifies me rather well to comment on this shit.
The one aspect is Microsoft Windows XP, which came out after 98se and ME, and before Vista, remember that?
Don’t get me wrong, back in late 2001 when I was installing this for the first time it was a great OS, better than anything that MS had done that had come before.
Back then I was pretty cutting edge, with my 512/128 xDSL connection and alcatel frog/stingray, the vast majority of the country was still on dial up modem 44kbit thank you very much (ok a 56k modem that never got more than 44k) and of course Duke Nukem 3d had only been out 5 years.
It was a departure from 95/98/98se that at the time I could tweak with tools like 98lite and get an installed functioning windows in a footprint as small as 17 megabytes, which was great for the embedded / single board computer stuff that I was “playing” with back then.
XP far far more monolithic and “corporate” and you couldn’t rip the shit out of it nearly so much, and it’s hard to say if the chicken or the egg came first, but it was the first MS OS that got pushed in volume to corporate desktops, and boy did it ever get pushed.
In 2016 I was still going to places like the Cardiac Unit at local hospitals and doing hardware repairs to beyond obsolete hardware that was still running XP that was still used daily as an integral part of the process for every heart patient there.
I do not mean the operations were done by robots running XP, I do mean XP machines were used to collate all the data from the CAT scanners and everything else and used to produce the DVD’s that the surgeons and consultants then used to study your case and decide if when how etc to operate.
Why XP?
Well, it’s the same answer across the board, some specialist creaky crappy but we can’t function without it software that was written for the XP platform, that is still in use to this day.
Back in 2013/2014 I had a gig for IBM, who had been hired in by Friends Life, a fucking massive UK insurance etc etc etc company, basically they’d bought in 2,500 Lenovo desktops and 250 Lenovo laptops, all of which were shipped running Windows 7
The problem was, Friends were running software that was written for XP, so quite apart from the normal security issues of adding bought computers to a corporate network and choosing to solve this by deploying a new install and AD etc, we had to shunt XP to hardware designed and shipped with Win7, and it was particularly difficult with the laptops, hardware driver issues of course.
So you ended up with kit that worked after a fashion, but was maybe 50% as powerful and useful and it was with Win7, because of some legacy software written for XP.
Nobody who has not worked with corporates truly understands how big and deep and wide an issue this whole “legacy software” thing is.
Much of it is XP platform legacy software simply because XP was the first widely popular MS OS that got deployed everywhere, and if at this point you are thinking “Y2K bug all over again” you haven’t even begun to grasp the sheer scale of this.
Back when I was building machines for people I’d take the opposite approach to many, I start with what application software they had to use, then what OS that required, then what hardware was best suited to that OS.
So what we have in reality are large corporates (and by any global standards the UK NHS with 1 million plus employees is large) that have core processes that are *utterly* dependent upon legacy software that was written for the XP platform 15 or more years ago.
At this point with Win10 in the wild, the *only* practical solution is to go back to the drawing board and re-write all this legacy software from scratch, but within the corporate boardrooms this is a low priority can that has been successfully kicked down the road for 15 years already, which is longer than 99.9% of the board and manglement have had the jobs they have today…
Make no mistake, the issue here is basically re-inventing the company from the ground up, because the reality is 95% of everything the company does and does not do and how it does it in 2017 is *also* dictated by the constraints of the legacy software written for XP a decade and a half ago.
So in just the same way re-writing from scratch is in *every* single way better than trying to upgrade and update the old legacy code, re-creating these companies from scratch is in every single way better than trying to upgrade them.
Almost nobody truly understands how extensively software parameters and practices and human I/O routines defines a modern business, and the *detail* of how that business does business in day to day operations.
Tesco for example can deploy a new supermarket into a field in 48 hours, all they need are some huge tents, access roads, and electrical power and internet connectivity on site, they don’t need the aisles or gondolas or flooring or lighting or anything else, just line up the palettes from the trucks, HHT barcode scan everything, and the on site computers and network takes care of everything else, point of sale, re-order, staff clock and wages, customer tracking, inventory rotation, offers, even routine maintenance of on site equipment like when freezer cabinet #76255 requires defrosting for 6 hours and restocking.
Banking is a prime example, and if you think it is any healthier or more resilient or more modern than your local specialist teaching cardiac unit you’re in for a shock…
So let’s look at WannaWank, it targets XP, so it’s really targeting everyone who used legacy software, which means everyone who isn’t a private individual or very small business… and what is the “ransom”?
A few hundred bucks.
====================================
Now, one of the things about crime is you have to profit on it or it is pointless, with ransoms this means you have to collect and stay free, back in the mists of history one way of doing this was to have money paid into an account that anyone could draw on anywhere, like a building society savings account, and this worked back in the days of paper transactions and central mainframe computers and no cctv, ironically long long long before the days of XP..
Even assuming, for the sake of argument, that bitcoin wallets were secure and anonymous, the instant you convert any of it into regular fiat currency there is a record and you become detectable, banks monitor *every* account and notify the state by law about every single transaction over a certain threshold that more or less equates to the average weekly wage.
So these bitcoin ransoms are staying put as bitcoins for the next 20 years or so, which means they aren’t ransoms, gimme 250k or I kill your daughter is a nice distraction if she is already dead and I never had any intention of collecting any ransom, even better if the fact that I’m in no way prepared to get the ransom can be used as exculpatory evidence that I’m not the kidnapper.
So if they aren’t ransoms they are griefing.
So lets look at what happened, the 2016 IT version of the anarchists cookbook authored by various state security agencies just got released into the wild, it’s a book that someone with my level of knowledge and experience will probably keep busy studying and learning for the next ten years, and my knowledge will be *vastly* improved by then…
… in the meantime there is chapter one page 6 and we are on to “hello world” script examples.
Remember this, back in 2001 and before I knew about ways to fuck with hardware by putting obscene voltage into I/O ports that simply were not designed for it, it was something bored techs did in labs to shit that was already destined for landfill or metal shredding, now 17 years later world and dog can go on alibaba and buy USB killers that still brick 99% of everything they are plugged in to for a few bucks.
We have gone from a world where insiders thought that there may be a need for as many as six computers, worldwide, so any computers based exploit was solely within the realm of huge states or corporations, to a world where I have (counts) 2 x x86 based pc’s, 1 x x86 based laptop, one arm core tablet, 4 x arm cored modern smartphones, 2 arm cored routers, and a couple of arduino megas, IN ONE FUCKING ROOM OF MY HOUSE… so computer based exploits are effectively free.
For years people who haven’t *really* understood IT have talked about the dangers of a windows monoculture, they haven’t really understood it because all they saw was a world with white hats and black hats, and nowhere in that world model was room for a place where the blackest of all black hats were our very own security services and states.
In a world where most things such as driving cars and motorcycles requires testing and licensing, the fact this that our very states and corporates themselves should all be in the IT equivalent of the rampant internet sex offender, banned from even being in proximity to any working computer or internet connected device for life, plus 20 years…
Kevin Mitnick would have understood, because he hacked people, not computer systems, so he like me would have seen the PC the same as a gun or a knife on the table, it’s just an inert tool, *until* someone touches it.
The “NSA IT Anarchists Cookbook, 2017 edition” is just the manual to weaponise every aspect of everything with silicon or bytes in it, and it wasn’t created by “weird freaks” like Stallman, it was created by the state, and having created it they couldn’t even contain it, or distribute the knowledge wisely so that patches could be created, because the sold purpose was to weaponise it.
The USA, a country that for many years (prolly still does) considered encryption to be a military weapon not suitable for export, so you could buy two version of encryption software, depending on where on the planet you lived, if you lived in mainland USA you could buy the strong shit.
I should also stress that the NSA maybe getting the publicity but they were just a repository, most states are working on this shit, nobody’s hands are clean.
I should also stress that this “NSA IT Anarchists Cookbook, 2017 edition” isn’t even anything close to the sum total of all the shit out there, even if every single exploit were patched tomorrow it wouldn’t reduce their abilities by more than 5%, mainly it would be ah well, we can’t do it that way any more, now we do it this way.
Anecdote time.
I did have a face to face convo with one of these guys a couple of years back, I know the guy and his history and what he does and I try to take exceedingly small grains of salt with what he says, because 99.999% of the time that shit is right on the money, and because I have seen some proofs with mine own eyes, on brand new outta the box patched and updated and secured $75k boxes going into a rack that I have just generated all the crypto keys for, before plugging them into anything except the mains power supply.
I asked how long it took, and he looked at me and said you’re talking about that shit about an unpatched Win7 PC being put on the internet.. he said we don’t do that, we don’t scan randomly, we target devices.. so how long I ask… he looks at me and does the usual I’ll have to kill you if I tell you etc.. then says “don’t think in minutes or seconds, think in clock cycles… effectively instant.. the trick isn’t pwning the box, the trick is doing it under the noses of sniffers and loggers so even if they are looking they don’t see anything”
Of course, if you control the network, even microsoft.com is subject to man in the middle DNS spoofing vulns when your machine phones home which it does every few minutes.
So I’ve done the first part of my work, he pulls out a little chocolate block and a thing that looks like a small terrarium, plugs the chocolate block into the console port on the new box, tiny red led illuminates then flashes 3 time, chocolate block goes into connector in terrarium, lid is closed and sealed, button pressed, magic smoke emits from chocolate block but is contained in terrarium, and “My work here is done” and I finish up with the remote admin on the new box and we go for coffee and have our convo.
(I’m lying slightly about the above, my liberty isn’t worth the truth, but the gist of the story is good to go, as is the basis, unless it is 100% air gapped in a faraday and optical (IR comms) cage, it can be trivially pwned in mere clock cycles, the trick is pwning it so nobody knows)
So WannaShit isn’t a ransom, not to my mind, those of us who worked in the trade were all paranoid motherfuckers from day one and with reason, NOBODY who worked in the same field as me in IT would ever have anything more dodgy than an mp3 or a game trainer on any of their PC’s, no matter how desperately we craved a dose of midget donkey porn, even our regular porn was pretty tame and mainstream, if you want your kicks, get them offline, in a house with the power cut at the breaker, and after scanning for any electronics running on battery power and killing them all.
So if it isn’t a ransom, what is it?
To my mind it is someone behind the curtains saying “see you, and raise you ten” and that someone could just as easily be NSA / GCHQ as Putin / anyone else who is an “enemy” of the west…. and it could also just as easily be an Enron… a company that instigated blackouts to make a profit.
There is *always* a profit to be made, if you have insider knowledge, like re-insuring the WTC buildings before 9/11….
Which also makes it interesting chasing that particular rabbit, nobody wants to be the one that tracks something down to some other powerful agency.
My “informant” worked under those rules, he checked out with a widget and a box, he checked back in with a fried widget in a box, a widget that only worked in specific hardware, and his movements are known, and that is the entire scope of his knowledge and task, he knows nothing else, and bears no responsibility beyond doing what he has done… compartmentalized up the wazoo.
Who is to say some other guy didn’t turn up at a server farm and plug a USB stick into a mail server with a factory firmware update or software licence update, all normal shit not a million miles from what I used to do on a daily basis, and a few hours later that machine sends out a bunch of emails and then wipes that record?
In addition to the whole “legacy” shit there is a metric shit tonne of “undocumented” shit that goes on all day every day as just normal operating procedures just people doing their jobs.
Yeah man, none of this shit is working, while you are there can you update the firmware ((config-controller)#firmware filename flash:xxxxxxxxx)with the file I’ll send you and generate a new crypto key, ok that’s good, ok man now I can do the thing that I need to do so we can sign off on this job…
the thing in blue text above being the only thing that was ever documented anywhere officially.
unofficially I’ve always been a paranoid mofo so I piped all my telnet / putty files and everything else to file and kept copies of *everything* on this day in 2013 I can look at my files and see 3 site visits with full telnet logs, pics of the hardware and ports and cables in use and even copies of the files I was sent to blow to the various boxen…
Why do you think I rolled my own Win10 / stablebit NAS box instead of buying anything from Qnap / synology / etc etc etc?
No fucker is going to lock me out of my own shit so he has they key and I don’t, a low level complete disk wipe will happen first… then I’ll restore from offline media… and keep the NAS airgapped, as it is I forgo a shit load of “functionality” on the LAN as regards the internet is concerned because frankly the risks outweigh the benefits, and too bad if that means 85% of your website will never load, or if your app breaks because it can’t connect to the cloud.
To take a completely opposite view to all of this, I know someone with an industrial SBC (you can still buy legacy hardware that way) running win95a chicago and MSDOS is his business “application”, he images the system weekly, so he doesn’t mind playing some times, and it’s hilarious how much malware simply fails to run at all on that box, even when he tries to make it run… nobody codes for PIO disk controllers etc.
“IT isn’t old enough for system extinction events” is something I hear all the time, from people who got into IT with x86 computing and Windows 98 or XP, there have been plenty of extinction events before. 8 bit anyone?
Maybe we are due another one, maybe all that legacy 16 bit XP API shit needs to die, and take everyone dependent on it with them.
Evolve or die.
Turns out it doesn’t even run on XP, from infoworld:
“Why didn’t WannaCry infect Windows XP or 10 computers?
Because the responsible for Friday’s attacks used code from several sources, and researchers have determined that the code used didn’t include functions for Windows XP or Windows 10. (Britain’s National Health Service has said its WinXP PCs were not infected by WannaCry, despite initial reports that they were.)
However, that doesn’t mean WinXP and Win10 are safe. If unpatched, both have the same vulnerability as other versions of Windows that different exploit code could take advantage of, which is why Microsoft issued an emergency patch for it.”
One reason people stay with legacy Windows is because it’s closer to the metal, so to speak, you can drive machinery down to a millisecond or less over the good ol printer port, which is obviously very important for machining. Remember that modern Windows are not a real time OS, not certified for real time operations, you need expensive third party software (such as IntervalZero’s RTX) to turn Windows 10 into a real-time operating system just to match what we already had.
Comment by guest — May 18, 2017 @ 7:24 am
1/ I’ve got quite the history with CNC etc, no windows OS has ever been an RTOS or anything even close to it, and nothing you can install onto a windows platform will ever make in an RTOS, that being said you could get fairly accurate by human terms timings out of serial ports, and millisecond shit is “good enough” for people like me running Mach CNC control software at home on our DIY hobby grade CNC machinery.
2/ milliseconds are an eternity for modern hardware, take a modern galvo laser with a 0.025 mm spot size scanning at 1000 mm/sec. you have an entire off, latch on, stay on, latch off, off again event duration of 1000 / 0.025 = 40 th of a millisecond, or 25 microoseconds the latch on and off durations have to be of the order of 1 microsecond or better, in reality you’re working at nanosecond timings and this is all feedback looped to it knows precisely where galvo mirrors are at all times, as opposed to the basic DIY stepper CNC Mach kit that kind of *assumes* that all 17,725 pulses sent to the X stepper were correctly implemented… none of this shit runs windows or anything even remotely related, custom linux builds are surprisingly common as a matter of interest, big brands roll their own proprietary code.
3/ I guess you can argue that SMB isn’t “windows code” but we are way past the days where “a single bit of malware” only had a single method of implementation, oh dear, no SMB so I’ll stop playing…. back in the day I could sucessfully defeat 99.99% of malware simply by installing windows to C:/killmenow back when you routinely had that ability at install time, funnily enough about 50% of commercial software would also develop bugs ranging from annoying to total failure to run if I did that, so it wasn’t just malware writers that relied on standard parameters.
4/ the point of the article wasn’t *just* a rant at XP, when you have a fucking cardiac ward in a fucking teaching hospital that has XP machines (and I mean the OS and hardware alike) running on 10/12/14 year old legacy PC hardware that my company LITERALLY had to go on ebay to get spares for, you got fucking problems, and all those articles ^H^H^H press released from various NHS trusts all saying they don’t have any XP in house, all total fucking lies, oh yeah, technically that shit is subcontracted out to McKesson corp so it’s not our shit, even though it is the only shit in the actual cardiac unit that does that job, and without that job the surgeons have a *real* fucking hard time studying your case and planning your op…
Oh look, here is a photo I took myself in an actual cardiac unit of a pc running a windows xp desktop… https://wimminz.wordpress.com/proof/
want another pic showing the fact that it is plugged into the network ? how about ones showing the guts and dustbunnies and actual 15 year old hardware and serial numbers and everything, how about my case notes where I gut two of the machines to make one that works out of all the components, cos, you know, it’s a fucking cardiac unit and waiting 7 days for a fix may make my company money but it doesn’t really help patients or staff…
Comment by wimminz — May 18, 2017 @ 10:59 am
and for this cornucopia of technological wonderfulness McKessons billed the NHS every year enough for this 12 year old hardware to have been replaced annually with an alienware gaming PC and still shown a handsome profit…
oh the joys of IDE CD burners burning cardiac data at 4x….
Comment by wimminz — May 18, 2017 @ 11:09 am
>Oh look, here is a photo I took myself in an actual cardiac unit of a pc running a windows xp desktop…
You can get a literal blue screen of death there!
Check this, from slashdot: Almost All WannaCry Victims Were Running Windows 7
“According to data released today by Kaspersky Lab, roughly 98 percent of the computers affected by the ransomware were running some version of Windows 7”
And almost all were corporate users, those tend to have large intranets.
Or in other words, hold outs that need to upgrade
My hook, crook or wanna cry, i wouldn’t put it past MS.
Heck, most stories on WannaCry even read like PR pieces to update!
Comment by guest — May 20, 2017 @ 12:32 am
with things like intel’s me (management engine) and amt in firmware, software up the stack, like os and apps are insecure by design. as they say: good luck!
perhaps an open stack (hardware and software), like risc-v running linux has a chance to pry open the security blanket?
Comment by let it burn — May 20, 2017 @ 10:43 pm