Apparently the government is urging businesses to take measures to stop ransomware attacks. My assumption, based on decades of observation, is that the probability of success of this campaign is pretty much zero.
The issue isn't that most companies don't want secure infrastructure. The issue is also not a lack of regulation. The issue is most of them don't have the capacity to implement it.
It's not that it's impossible to do, mind you. Running up-to-date software, patching regularly, taking backups, using 2FA etc., are not particularly complicated. But solving an arbitrary quadratic equation is also straightforward and I bet most people can't manage that, either.
A great deal of the world's infrastructure, whether IT or physical, seems to be maintained on the "faith-based" rather than the "reality-based" way of doing things, and I don't see that ending any time soon.
So my message to everyone is this: expect a lot more power plants, pipelines, banks, and all the rest to be shut down. It's not likely to get better any time soon.
Here is my best advice for keeping your organization safe from online attacks. I've given similar advice in the past, and I suspect this advice is nearly the same that almost every security professional will give you. None of it is very deep or complicated. 1/
First, patch all vulnerabilities on all your machines as soon as possible, and never run an operating system or software version that is out of support. 2/
(Some people will tell you that your company can reasonably evaluate how important particular patches are, or that they are better able to determine if a patch is safe than Microsoft or Apple. I recommend ignoring such advice.) 3/
There is a distinction between what is something you ought to do and what is legal. It is legal to drink yourself to death. It is probably not a good idea. The distinction is not a small one. Let's apply it to the social norms many people suggest we adopt on silencing others.
I hear quite frequently arguments to the effect that private platforms are legally _allowed_ to silence people. And yes, they are, and yes, they should be. Is this a good idea, though? Let's have a quick look for a moment.
It's possible to imagine a society where every restaurant refuses service to people of the wrong political background, every supermarket checks to see if people arriving match a particular political affiliation before selling them groceries.
Hypothesis: Outlook and GMail are so terrible at handling complicated conversations (they encourage top posting and make it impossible to reply point by point) that they have caused meetings to multiply when many topics could instead have been disposed of in email threads.
One symptom of this that many people have noticed is "send many questions, get an answer to one of them" syndrome. You can't see the list of the counterparty's questions, so you have to remember what they were, and many people forget while replying.
The people who created the Outlook and Gmail style of email had no experience with the tools that came before; they did not understand the power of quoted replies, and ideas like automatic sorting of email were things they reinvented thinking they were new.
To some people, who were arguing with me about these ideas thirty years ago, or heard about them in the interim, this will be very old news. To others, this will be surprising, or perhaps unbelievable, and perhaps even more reason to question my sanity.
In our 200,000 years on earth, humanity has created more and more capable tools with time to augment our natural abilities. Tools have the interesting feature that they may be turned towards the creation of yet more sophisticated tools.
So where are we now in the #COVID19 crisis at the end of its fourth month? First, treatment. So far, pretty much everything is either still really equivocal or has failed. Remdesivir, kaletra, (probably) hydroxychloroquine, etc. either failed RCTs or are marginal. 1/
It’s possible that some of these aren’t actually terrible in some niche applications, or if given very early, but we can’t yet detect an effect from any of the proposed drugs in vivo reliably. This is of course problematic. 2/
There are a bunch of vaccines in development, and some of them are even in early phase trials. None is going to be ready in a few months, and it doesn’t look like anyone is planning human challenge trials so I don’t think any of them is showing up for mass use very quickly. 3/
When your employer cuts your pay 30% and informs you that half your peers are being furloughed, when the restaurant on the corner shutters forever, when your neighbor's body is found after a week, when you're told you have permanent pulmonary fibrosis, remember... 1/2
...all this was avoidable. The whole thing was unnecessary. Even the states that shut everything "early" were three weeks late. Even the places "ramping up testing fast" pissed eight golden weeks down the drain. Nature provided the virus, your "leaders" provided the idiocy. 2/2
Oh, what the hell. A few more points. Your manager who wouldn't approve WFH until the last moment? They endangered people's lives. That politician saying "please keep going to the bars"? Pretty close to manslaughter, that. Depraved indifference to human life and all that. 3/