
Thanking WannaCry

Yes, the title of this post may sound odd for an IT professional, but that is just it, I’m a professional, not just someone who gets paid to write code. I run into sooo many people who want everyone to believe “professional” means getting paid for it and nothing could be further from the truth. Professional is defined by the level of architecture one provides in their solution design and the level of security they build into it. Hacking something out to complete an AGILE story within a sprint isn’t professional.

Why am I thanking WannaCry? That’s easy. Before WannaCry was unleashed on the completely obsolete Windows platform, I used to get 150-250 spam messages per day. The first day WannaCry was making news headlines, I only got 10. Even now it feels like I’m getting fewer than 50 per day and most of those are from legitimate spammers. (By legitimate spammers I mean travel and retail sites I’ve used in the past who insist on polluting my inbox, not the “Russian Bride” and “cheap Viagra” sites.) It seems that most spammers around the world were running a pirated version of a completely dead operating system and were too cheap to pay the ransom. So, that is one of the reasons I’m thanking the WannaCry ransomware.

Of course, on my desktops I run various flavors of Linux and I actually back up. For those who don’t know, I started out in computer operations, mounting tapes and pulling reports. I have no fear when it comes to backing up to tape or external drive. I even cart versions of my backups “off-site” to a building which does not contain my office.

But what about the hospitals, you ask? What about them? For decades they’ve been using the cheapest platform they can find and staffed it with low wage labor. You forget, I’ve worked on embedded systems for medical devices. The FDA had rigorous testing to ensure even our Wi-Fi enabled devices did not allow any inbound communication. They all had to reach out to a manually configured back end system with a proprietary data protocol. You could not log in via any means other than a physical connection to the service port which was inside the device. There was no manner of delivering a virus to it because it was all raw data which got chunked off into various fields and stuffed into a database. There was no inbound SQL allowed and no column could overrun because only the maximum number of characters were ever pulled from the inbound data stream. You want to send 6000+ characters for a 15 character field, fine, but everything after 15 was simply skipped.
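The bounded field extraction described above, sketched in C as an added example (not code from the devices mentioned in this post). The '|' delimiter, the three field widths and the names `parse_record` and `run_demo` are assumptions, since the post does not describe the proprietary protocol.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical layout, constructed for this example: three '|'-delimited
   text fields with fixed maximum widths (15, 8 and 4 characters). */
#define NFIELDS 3
static const size_t FIELD_MAX[NFIELDS] = { 15, 8, 4 };
struct record {
    char   field[NFIELDS][16];  /* widest field (15) plus terminating NUL */
    size_t dropped;             /* input bytes skipped rather than stored */
};

/* Copy at most FIELD_MAX[f] printable bytes into each field and skip the
   surplus up to the next delimiter. Dropping non-printable bytes is an extra
   assumption of this sketch. Returns the field count, or -1 when the input
   carries more fields than the layout defines. */
int parse_record(const unsigned char *in, size_t len, struct record *out)
{
    size_t f = 0, n = 0;
    memset(out, 0, sizeof *out);          /* every field starts NUL-filled */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c == '|') {                   /* next field, or too many fields */
            if (++f >= NFIELDS) return -1;
            n = 0;
        } else if (n < FIELD_MAX[f] && c >= 0x20 && c < 0x7f) {
            out->field[f][n++] = (char)c; /* still inside the field width */
        } else {
            out->dropped++;               /* past the width: skipped */
        }
    }
    return (int)f + 1;
}

static struct record demo;
/* Constructed input: 6000 bytes aimed at the 15-character field. */
int run_demo(void)
{
    static unsigned char raw[6000 + 10];
    memset(raw, 'A', 6000);
    memcpy(raw + 6000, "|PUMP01|OK", 10);
    return parse_record(raw, sizeof raw, &demo);
}

int main(void)
{
    int n = run_demo();
    printf("%d fields, '%s', %zu dropped\n", n, demo.field[0], demo.dropped);
    return 0;
}
```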

It’s well past time the FDA and other medical regulatory agencies around the world crack down on the operating systems hospitals are allowed to use and demand all systems hosting medical records be air gapped from the outside world. Air gapped means it has no connection to the Internet or any other outside network. This is a simple technique used in every high security environment. It isn’t free and you can’t simply grab the first low wage worker that walks through the door to set it up, but it is secure.

We have been misdirected by the media so that we don’t look to place the blame where it really belongs. We have been provided terms like malware, identity theft and ransomware to divert our attention from the real source of the problem, upper management looking to use the cheapest puddle of poo they can find and understaff it with the lowest wage (usually visa) workers on the market. As long as they can keep us looking away, they will never be held accountable for placing us at risk.

Let’s be real. Blaming Cyberwarfare for your slipshod operations is sooooo 1990s. Hard regulations should have been passed after the T. J. Maxx breach, but they weren’t. Instead, it feels like weekly, if not monthly, we hear of yet another business using cheap systems and low wage labor, caring little about security, having yet another breach. Unless I’ve missed a few hundred reports, the Yahoo lax security incident is currently the largest.

We need to start calling these things what they are:

  • Total management failure due to incompetence
  • The ordinary outcome of low cost systems operated by low wage labor
  • Management choosing the wrong tool for the job because it was cheaper.

That’s what they are. If you remember the Lesley Stahl piece on 60 Minutes about the T. J. Maxx or one of the other retailer breaches, management had a store clerk with little to no IT training set up a wireless router for the credit card readers and they didn’t bother to generate a password for it. Most likely didn’t even know about it. Rather than pay professionals, management grabbed the lowest wage worker they could find and gave the task to them, little people be damned.

Until we hold management criminally accountable for their low wage mentality, the Cyberwar can never be won.

At least WannaCry took out a whole bunch of spammers.