This post was originally published here: post


After a week when people learned that ransomware can take over their lives, the question must needs be asked: why is it that this kind of malware seems to attack only Windows?

There are many Microsoft apologists, astro-turfers, and so-called journalists on the make who, at times like this, keep a low profile and furiously try to spread the message in Web forums that “computer users” are at risk.

Alas, the harsh truth must at last be faced: if you do not use Windows, then the chances of a ransomware attack are close to zero.

Ransomware for the Mac is such a rarity that when one was discovered, security researchers went into literal meltdown. As for Linux, despite the efforts of all and sundry to pin ransomware on the free operating system, nothing has been found.

Windows flies in the face of the basic tenets of security. One can have convenience when using a computer system. Or one can have security. User-space and kernel-space must not be allowed to mingle, else one gets a security nightmare.

Over the years, Microsoft has sought to sell its wares by trying to be all things to all people. At a certain point along this kind of journey, one always comes to a sticky spot in the road.

Last Friday, organisations in more than 150 countries found that they were stuck in that sticky spot. It wasn’t an edifying spectacle.

James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, had this to say about Microsoft’s culpability in the whole mess.

“Microsoft was quick to blame the success of the WannaCry campaign on the NSA, alleging that the agency should never have developed EternalBlue and that the vulnerability should have been disclosed sooner,” Scott wrote on the security think-tank’s blog.

“Even if the Shadow Brokers’ claims were true, the liability and responsibility for the risk remain with Microsoft for developing inherently flawed operating systems that failed to minimise exploitable vulnerabilities by incorporating security-by-design throughout the developmental lifecycle of the software according to NIST 800-160.

“Instead, Microsoft, like the vast majority of software and technology manufacturers, rushed their product to market with the intent to actively use consumers as “crash test dummies” for vulnerability discoveries.

“This systemic cultural fault in software development endangers users daily and enables the efforts of cyber-adversaries. The result of these practices is the necessity for the constant release of patches and upgrades that repair old vulnerabilities while introducing new ones.”

Exactly what Microsoft plans to do, apart from blame the NSA for creating exploits that have been leaked into the public sphere, isn’t clear.

The company is lying low as it always does after such disasters. Public memory is woefully short these days, even more so than it was previously.

But with every situation, there is a breaking point. Is WannaCry going to be that point for Microsoft?