On 13 May 2017, at 03:23, Brian Kantor <Brian(a)UCSD.Edu> wrote:
> Note that they recommend blocking ports 139 and 445 to help prevent the
> spread of the worm infection. Amprgw has been blocking those ports for
> quite some time, but that doesn't prevent the infection from spreading
> within a group of computers or an organization. It is strongly suggested
> that people running Windows should be sure that all issued patches have
> been applied.
Blocking 139 and 445 would prevent direct propagation between nodes with a direct
connection, not using NAT.
Almost all of the affected networks are behind NAT. It takes just one user to open an
attachment, visit a web page included in a spam message or, say, plug in a hostile memory stick
to have one compromised computer attacking the internal network.
Local area networks are usually flat. Most network hardware doesn't have the
capability to apply usable port filters, and even that is hard to manage.
And even if preventing p2p local traffic would have helped, guess what the affected
organizations are using in their servers? Yes, the same OS.
This is actually pretty similar to the worm incidents in the early 2000s. At some point it
took like 5 minutes for a freshly connected computer to get infected. But this time the
crazy spread has happened within local networks.
There are several already known lessons. Unfortunately the measures are really complicated
to deploy.
And the elephant in the room is: is it still reasonable for a software maker whose
products are ubiquitous thanks to illegal monopoly actions to avert responsibility?
Patches are often applied late because it's not rare to experience serious disruption.
Anyway, the software being patched is poorly made in the first place. The problems caused
by patches are actually another sign of very poor software design.
To make it worse, monoculture has always been a really bad idea. Diversity helps.
And of course I don't know what the idiots of the US government agencies have in mind.
One of the three letter agencies has reportedly been hoarding serious security bugs with
the hope of exploiting them. Maybe this has been useful to them, but they are severely
hurting users in their own country and allied countries. Moreover, how do I know that
Microsoft or Apple haven't been helping the US government in some way?
I am very wary of Chinese software (if only because it's really atrocious!) but the
doomsday scenarios I imagined coming from products controlled by the Chinese government
are actually coming from US companies.
Borja - EA2EKH
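The point made above is that blocking 139 and 445 at the gateway does nothing for spread inside a flat LAN, and most local network hardware cannot filter those ports. What a site can still do is watch its own flow or firewall logs for one internal host opening SMB to many other internal hosts, which is the signature of worm-style fan-out. The script below is an added example for this list, not code from the thread or from Amprgw: it assumes a constructed flow-log format of "src_ip dst_ip dst_port" per line, treats the RFC 1918 ranges as "internal", and uses an arbitrary threshold of five distinct SMB targets to flag a source.

```python
"""Flag worm-like SMB fan-out between internal hosts from flow-log lines.

Added example; the log format, address ranges and threshold are assumptions,
not something the original thread describes.
"""
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
# Assumed "internal" address space: the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (not real traffic): "src_ip dst_ip dst_port".
# 192.168.1.20 fans out to seven neighbours on SMB; .40 and .41 just talk to a
# file server; .50 goes to the Internet; one inbound SMB attempt from outside.
SAMPLE_FLOWS = """
192.168.1.20 192.168.1.30 445
192.168.1.20 192.168.1.31 445
192.168.1.20 192.168.1.32 445
192.168.1.20 192.168.1.33 139
192.168.1.20 192.168.1.34 445
192.168.1.20 192.168.1.35 445
192.168.1.20 192.168.1.36 445
192.168.1.20 192.168.1.30 445
192.168.1.40 192.168.1.5 445
192.168.1.41 192.168.1.5 445
192.168.1.50 8.8.8.8 443
203.0.113.5 192.168.1.20 445
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield (src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, port = parts
        yield src, dst, int(port)


def smb_fanout(text: str, threshold: int = 5) -> dict:
    """Return {src: [distinct internal SMB targets]} for sources at or above threshold.

    Only internal-to-internal flows on 139/445 count; gateway-blocked inbound
    traffic and normal outbound web traffic are ignored.
    """
    targets = defaultdict(set)
    for src, dst, port in parse_flows(text):
        if port in SMB_PORTS and is_internal(src) and is_internal(dst) and src != dst:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in smb_fanout(SAMPLE_FLOWS).items():
        print(f"{src} opened SMB to {len(dsts)} internal hosts: {', '.join(dsts)}")
```

A single client talking to one file server never trips the threshold, while a host sweeping its subnet on 445 does after a handful of distinct targets; on a real network the threshold should be tuned against what domain controllers, backup hosts and management tools legitimately do, and those should be allow-listed rather than lowering the bar for everyone.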