PC Pro

Readers’ comments

Your views and feedback from email and the web


Attacks from within

At the time of writing, Kaseya, the patch management and monitoring company, hasn’t managed to get its cloud or on-premises servers back online after an attack last week.

The supply chain attack, where you attack the provider of the software but then use the software running in computer networks of others to do the actual attacking, is similar to the SolarWinds attack earlier in the year. But I think that the Kaseya attack is something different and will require a different mindset to solve. Sophos tells us the Kaseya attack took six minutes from launch to infecting and encrypting the end computers – that’s fast and most people wouldn’t be able to log in and shut down a server in that time.

To protect a computer system, we typically have antivirus installed on the computers, which is centrally managed, and then a second system that manages the patching and logging and monitoring. You could then add in a SIEM and another set of acronyms, but what all these systems require is that they are in the heart of the network looking out – like a general in a castle surveying the computer systems and dictating how things will work – and this means that they can talk to everything and control them. However, with the Kaseya attack, suddenly it’s the general in the castle that is doing the damage, the “outside” parameter has been bypassed and the attack is in the centre of things.

When looking at the way that most would respond to a computer attack, the primary go-to tools are the very tools that are suddenly causing the problem, leaving two choices: turn them off and with that the ability to see and control, or leave them on and spend the time fighting the system. The Kaseya attack was a surprise: it came from an unexpected direction and then it was done, almost before you were aware it had started.

It makes me think that the “castle” nature of computer security is going to need a rethink and that the Kaseya attack will be a milestone. There’s too much trust accepted and passed on, from software vendors, via resellers, cloud providers and on to the end users, and this transitive trust is something that can be subverted. Will the answer be to have two systems watching each other? Do you accept that in under six minutes it can happen to you and hope that exfiltration and encryption can be stopped by your antivirus? Perhaps ignoring it is a valid strategy as there’s little that can be done about it?

I suspect that dealing with the “ransomware head” will actually cure the problem – a global and political issue, which isn’t normally a quick recourse. In the meantime, I expect vendors to tell me that they have a tool that can stop the last attack, but I’m left with a feeling that I don’t have an answer to a problem that may be unsolvable.

Michael Dear

Let there be Linux

Ever since first booting an Ubuntu live CD (taken from the cover of your magazine way back in 2012), I’ve been a Linux convert. At first, it was a novelty, then a curiosity, and the ability to successfully drive a Linux operating system rapidly became an essential engineering skill as my profession evolved to encompass embedded technologies that required Linux be built and deployed on host/target systems.

Sadly, the corporate world I inhabit is Windows, and I’m typing this email on an HP ZBook that (being locked to Windows 10) is nothing more than an expensive email/SAP interface. All of my real work is done on repurposed ex-sales laptops that have fallen out of the gaze of our IT department. As you can imagine, driving to the race track in a Porsche only to be forced to race in a Model T is incredibly frustrating.

But wait, virtual machines to the rescue! Sadly not, for not only do VMs hold back vital CPU and memory resources from the nested OS, but they also present hardware interface debugging issues. Furthermore, with development tools being an 80GB installation (per release) plus individual projects running from 20GB to 70GB each, VMs always run out of space just when you are about to complete your latest hardware/firmware/software compilation. Here’s what that means:

On an HP ZBook running an Ubuntu VM, the software project build time is five hours.

On my son’s Ryzen 5 gaming rig (running Ubuntu off an external USB 3 drive), the software project build time is 24 minutes.

The most elegant solution is, of course, a dual-boot Windows 10/Linux system, but this is met with the following challenges…

a) IT says no.

b) IT says no, and don’t ask again.

c) The BIOS in HP laptops is so secure that making it boot anything other than Windows is a dark and poorly documented art.

d) IT says no.

e) The mystery that is Secure Boot, and driver sign-off.

As a loyal subscriber to your wonderful publication, I’ve seen the regular reviews of various Linux distributions, so here’s my plea. The next time you cast your gaze towards Linux, could one of your insightful colleagues write a side piece on how to install this vital OS in a manner that will satisfy a slightly petulant development professional, whilst mollifying the concerns of IT departments and overly zealous secure boot systems.

David Evans

Editor-in-chief Tim Danton replies: We hear you, David! Although I fear that such a simple-sounding article would actually be fraught with difficulty…

Message in a box

I’m glad Barry highlighted error messages as a cause for concern in his recent column (see issue 323, p22).

As a software developer, I have held the view for some years that users want remedy messages (“what do I do now?”) rather than error messages – and it’s our job to provide each of the separate constituencies with the appropriate data.

Crispin Horsfield

ABOVE The Kaseya attack should prompt a security rethink, argues Michael Dear
