* NSA writes exploits for said bugs and a worm based on them
* ShadowBrokers leak the NSA exploits and worm
* Random hackers take the NSA worm and combine it with a ransomware payload
So the NSA wrote the exploits, and by not reporting the vulnerabilities they found, they exposed the public to others finding the vulns, or to their findings and/or exploits leaking.
Yeah, and when the US power grid is offline for three days due to the latest NSA cyber toy to get out of fucking Fort Meade, I'm sure the priority of those people stuck in an elevator or families watching their loved ones die due to a life support system failure will be to fucking update Windows XP.
If that were to happen it would be more the fault of power companies that do not have critical systems well protected. Fort Meade is hardly the only entity developing these sorts of exploits, so you have to expect them. The patch for this has been out for a while now.
Although it is often the case that free software (or libre software, or whatever you want to call it) is available at no cost, the term "free software" generally does not refer to the price but to the given freedoms.
Let's be clear on this. No matter how secure the operating system is initially, if it stays unpatched then over time it will become more and more vulnerable as uncovered exploits go unfixed.
The reason a machine might go unpatched is because it might support some critical hardware (e.g. medical) for which there is only one or two vendors and only a particular combination of HW and SW is supported (e.g. due to a specific custom hardware driver).
To lay the blame for this at a single vendor's feet is naive.
There are very few free/open-source operating systems that get security patches for as long as Windows does.
Major versions of OpenBSD are only supported for 5-6 years. Most Linux distributions only get 3-5 years. Red Hat promises 10 years of support, the same as Windows 7/8/10. None comes close to the 13 years that Windows XP was supported for.
So you're gonna have to update anyway, at roughly the same interval if not more often, as if you had used an enterprise edition of Windows.
> Major versions of OpenBSD are only supported for 5-6 years.
I thought that security updates are only made for -current, the current stable release, and the previous stable release. So, 1 year of support, not 5-6.
A cursory look at the errata seems to confirm this.
Most of the time, upgrading from one minor version to the next is painless. If you installed OpenBSD 5.0, you are expected to keep updating all the way to 5.9. (For some reason, OpenBSD always makes exactly 9 minor versions for each major version.)
Most Linux distros don't even make any fuss about minor versions, using them only as an opportunity to build fresh installation images. New minor versions are security patches for the major version and all previous minor versions.
> It'd be a good start if they just didn't use Windows.
I hear tell that server-wise NHS IT will also support OpenSUSE, and their record of keeping that patched is almost as good as their record for doing so with Windows.
Disabled the SMB services yet? Win + R -> services.msc
I routinely disable services (until things stop working and I have to figure where I went too far) and luckily I'd disabled this one on my Win7 gaming box, even though the updates came through as well (I just manually vet updates, and have a bunch of them blacklisted for adding telemetry).
Disabling services is good, but beware that they may be re-enabled during a software update. Once a service is disabled, you have to monitor that it remains so.
To the author: it would be nice if your site had a small screens layout.
I can't read the article on my phone because too much code is cut off (and the right margin is unpleasantly close to the main text, unlike the left margin).
I tend to take the view that if the law doesn't prevent it, it's ok to do. I don't need legal permission to do something, I just need to avoid things that the law specifically bans.
If someone with a lot of money has a problem with what you're doing, they'll hire lawyers to discover some way that the law prevents you from doing it. If the ensuing lawsuit, which will bankrupt you regardless of its outcome, doesn't serve as a sufficient warning for anyone else who wants to do whatever it was you did, they'll proceed to buy a law that prevents you from doing it.
Then it turns out parent is the ransomware vendor and the linked file turns out to contain the ransomware, with a few letters in the URL substituted for Unicode lookalikes so it appears to be a legitimate Windows update.
I'm not saying that's truly what's happening, but it's easy to imagine. I'd verify I'm connecting to the right domain and double-check with e.g. VirusTotal if I were you.
That's very true. Such attacks are predicated on an ignorant and/or lazy target demographic, I guess.
Incidentally, when I copied the link out of Chrome (57) it pasted the punycode link even though it showed "apple.com" in the omnibox. So then I carefully copy-pasted just the domain and TLD to work around Chrome's link-copying magic, submitted, and... discovered that Arc punycode-ifies Unicode domains.
So that was interesting, but it kind of killed the impact of the point I was making.
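The lookalike-domain trick described in the two comments above (a Latin letter swapped for a Unicode twin, and Chrome pasting the punycode form while the omnibox shows the Unicode one) is easy to check for mechanically. The script below is an added example and not code from anyone in the thread; the sample links, the Cyrillic "а" (U+0430) substitution and the function names are constructed for illustration. It decodes any xn-- label back to Unicode, re-encodes to punycode, and flags labels that mix scripts, which is the cheap check a reader can run on a pasted link:

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample links (not from the thread). The second one has a
# Cyrillic "а" (U+0430) where the Latin "a" of apple.com would be; the third
# is the same host as Chrome pastes it, already in punycode.
SAMPLE_LINKS = [
    "https://apple.com/update.exe",
    "https://\u0430pple.com/update.exe",
    "https://xn--pple-43d.com/update.exe",
]


def script_of(ch):
    """Coarse script of a letter taken from its Unicode name, e.g.
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'. Non-letters (digits, '-')
    return None so they never count as a script of their own."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def check_link(url):
    """Inspect the host of a URL the way a careful reader should before
    trusting it: show both the Unicode and the punycode (xn--) form, list the
    scripts each label uses, and flag labels that mix scripts."""
    host = urlsplit(url).hostname or ""
    # Normalise to the Unicode form first so 'xn--pple-43d.com' and
    # '\u0430pple.com' are judged identically, then derive the ASCII form.
    unicode_host = host.encode("ascii").decode("idna") if host.isascii() else host
    punycode = unicode_host.encode("idna").decode("ascii")

    labels = {}
    mixed = False
    for label in unicode_host.split("."):
        scripts = {script_of(c) for c in label} - {None}
        labels[label] = sorted(scripts)
        if len(scripts) > 1:
            mixed = True

    return {
        "host": host,
        "unicode_host": unicode_host,
        "punycode": punycode,
        "is_idn": punycode != unicode_host,  # any xn-- label at all
        "scripts": labels,
        "mixed_script": mixed,
        # Cheap heuristic only: a label made entirely of Cyrillic lookalikes
        # (no mixing) passes this and needs Unicode's confusables table.
        "suspicious": mixed,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = check_link(link)
        print(f"{link}\n  unicode:  {r['unicode_host']}\n  punycode: {r['punycode']}"
              f"\n  scripts:  {r['scripts']}\n  mixed script: {r['mixed_script']}")
```

Whichever form the browser handed you, the punycode form is the one to compare against the domain you expected; a label that is all Cyrillic would not trip the mixed-script check, so treat any xn-- label as worth a second look rather than relying on that flag alone.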