Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack

WannaCry: How Ransomware Works

There's a missing link.

Robert McMillan posted a good piece at the WSJ on what's going on with WannaCry. The piece includes a number of recommendations so computer users can protect themselves. Unfortunately, the piece doesn't address the overriding issues in the bigger picture. Robert is a well known and respected tech writer. The missing link may very well be due to a 'camaraderie' between the Rupert rag and a certain company found somewhere near Redmond, Washington, that's been kicked into Spin Mode™ because of the crisis.

But a graphic provided by the WSJ can still serve to explain all.



The graphic above purports to explain how ransomware works. (There's a missing link there - can you find it?)

Point by point:

  1. Unsolicited email. A possibility. But see below anyway.
  2. Leveraging flaws. Crucial. Separates the men from the boys.
  3. The encryption. There'll be a reason to return here as well.
  4. Further propagation. Note the use of 'a Windows flaw'.

What's not explained in this otherwise successful graphic is how #4 gets back to #1. Spreading around a network doesn't explain how, if email really is the vector, more email gets generated.

Apple did their best to stop propagation by email by deprecating and then removing their messaging framework. The 'Mail Core' at the root of Mail.app is today in a proprietary framework instead. As if thwarting messaging would further safeguard users.

Let's review the four above points.

1. The implication here is that a mere 'click' ('tap') could lead to havoc. This has been heard before with mention of 'drive by' attacks and the like. Microsoft warned of this back in the day of ILOVEYOU, telling users to be careful when clicking attachments.

Now ask yourself: how good is an operating system when users have to be careful where they click? And how secure is computer use in general in such case?

To get anything substantial done on a single click, the system and user data have to be vulnerable to attack. Certainly user data owned by the user can be affected by processes running on that user's account - but anything else?

The path layout of a typical Unix system, seen within CLIX, which uses only paths found in read-only kernel memory:



So:

echo $PATH
/usr/bin:/bin:/usr/sbin:/sbin


Now check where those paths reside in the system.

/bin - found under root. What protections are found on root?

The root directory is owned by root:wheel, in other words uid 0 and gid 0, and has mode 0755, meaning only root can modify its contents. Files cannot be added to or removed from this directory by anyone else, because adding and removing entries requires write permission on the directory itself.

The same holds for /bin, and the files in /bin all have the same ownership and are readable and executable by everyone but writable only by root. So they can't be tampered with by a user process either.

Files in /bin - as the /bin directory itself - cannot be modified, replaced, or removed by anything running under an ordinary user account. The guarantee holds only as long as the process stays unprivileged: a user who runs as root, or a local privilege escalation hole, bypasses all of it.

/sbin - the same holds here.

/usr/bin, /usr/sbin - the same holds here again, but in spades, as /usr itself is another root-owned 0755 directory, and so there's yet another level of protection on the way down.

Apple's system frameworks - and much of the innards of the system in general - are found in /System/Library. So once again, there are several levels of protection. Nothing there is going to be tampered with by a process running on a user account.
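As an added example (not the page's own code, and not CLIX), here's a POSIX shell script that does the check the text walks through by hand, over every directory in a PATH-style list rather than only the four above: for each directory and each file in it, it reads the mode string and flags anything that group or world can write to, since that is exactly what a process on an ordinary user account could tamper with. To show what a hit looks like offline, it first builds a small constructed sandbox under /tmp with one writable directory and one writable binary; the sandbox tree and its file names are assumptions, not anything from the page.

```sh
#!/bin/sh
# Added example, not code from the page: audit the directories on a PATH-style
# list the way the text walks /bin, /sbin, /usr/bin and /usr/sbin by hand.
# Any directory, or any file inside one, whose group or world write bit is
# set can be modified or replaced by an unprivileged process, which is exactly
# the tampering the text says the stock layout rules out.

# Mode string of a path as ls prints it, e.g. "drwxr-xr-x".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds (exit 0) when group (column 6) or others (column 9) hold the
# write bit on the path.
is_writable_by_nonowner() {
    m=$(mode_of "$1")
    [ "$(printf '%s' "$m" | cut -c6)" = "w" ] ||
    [ "$(printf '%s' "$m" | cut -c9)" = "w" ]
}

# audit_path "dir1:dir2:..." prints one line per offending entry and nothing
# when the whole list is clean; count the lines to get the verdict.
audit_path() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -d "$d" ] || continue
        if is_writable_by_nonowner "$d"; then
            printf 'WRITABLE DIR  %s %s\n' "$(mode_of "$d")" "$d"
        fi
        for f in "$d"/*; do
            [ -e "$f" ] || continue
            if is_writable_by_nonowner "$f"; then
                printf 'WRITABLE FILE %s %s\n' "$(mode_of "$f")" "$f"
            fi
        done
    done
}

# Constructed sandbox (assumption: a scratch tree under TMPDIR or /tmp)
# standing in for a system where one PATH directory and one binary have been
# left writable. Prints the sandbox root.
make_sandbox() {
    sb=$(mktemp -d "${TMPDIR:-/tmp}/pathaudit.XXXXXX")
    mkdir -p "$sb/good" "$sb/bad"
    chmod 0755 "$sb/good"                # the way /bin itself is set
    printf '#!/bin/sh\necho ok\n' > "$sb/good/tool"
    chmod 0755 "$sb/good/tool"           # the way entries in /bin are set
    printf '#!/bin/sh\necho ok\n' > "$sb/good/leaky"
    chmod 0777 "$sb/good/leaky"          # a binary anyone could overwrite
    chmod 0777 "$sb/bad"                 # a directory anyone could add to
    printf '%s' "$sb"
}

# Stand-alone run: audit the constructed sandbox, then this machine's PATH.
sb=$(make_sandbox)
echo "--- constructed sandbox ---"
audit_path "$sb/good:$sb/bad"
rm -rf "$sb"
echo "--- this machine's PATH ---"
audit_path "$PATH"
```

On a stock install the real-PATH run prints nothing: every directory and every binary reports as writable only by root, which is the property the text relies on. The one thing the mode bits cannot tell you is whether the calling process is itself root; they protect against unprivileged processes only.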

This segues into #2 - leveraging 'flaws' in the 'operating system'. The WSJ graphic implies that malware has to be able to get at the operating system itself. This is something expressly forbidden on secure systems, as seen above.

Note as well the use of the word 'force': it's rather hard to 'force' a Unix system to do anything.

#2 is key. This is where you find out if your system is worth running or if it's total shit. As seen from #1 above, there is no way short of a targeted attack that you can make #2 work on a secure system.

But Windows is not a secure system, never has been, never will be.

Windows is an unfortunate hybrid of an otherwise reasonably secure file server and the legacy 16-bit Windows that sat on MS-DOS.

Showstopper: Backstory

G Pascal Zachary's excellent 'Showstopper!' tells the purportedly 'inside story' of the creation of Windows NT, the basis of all subsequent versions of Windows. Head honcho was of course the legendary Dave Cutler, who left the project in 1996.

Cutler took his DEC code crosstown, and DEC later sued Microsoft, who were forced to rewrite NT from scratch. The original 16,000,000 lines of code turned into 64,000,000 at the hands of the Microsofties.

But there's worse. Far worse. Because Cutler, who had every reason to believe he had the upper hand with Gates, was actually tricked by him. Cutler had been developing a file server, not Microsoft's next-generation operating system.

Cutler's OS interacted with requests only through the network. Ordinary users had no access to the file server. Users acquired access tokens as they logged in, and these tokens followed them around wherever they went, for all they tried to do.

There was no way to get at the file server or its file system.

Cutler loved the C programming language. He'd once suggested to DEC management that the entire VMS be rewritten in C, but they didn't see the point, as VMS would only run on their proprietary hardware, right?

Cutler hated Unix, said it had been written by a 'committee of PhDs'. One more thing Cutler hated: graphical user interfaces.

[Never mention 'Unix' or 'GUI' in his presence, they say, or suffer the consequences. Yes, the mere mention. Ed.]

Cutler's file server didn't have a graphical user interface. Why should it? It was going to sit in a secure vault and only rarely be touched by human hand. And those hands would belong to people who knew what they were doing - like Cutler himself.

Cutler and his team - the 'Tribe' - joined Microsoft in 1988. Cutler even got to bring over his DEC hardware engineers, even though Microsoft had no use for them.

Somewhere around 1990 - when Cutler had had two years to get acclimated - Microsoft called for a meeting. Bill Gates would not attend. This was a very clever move.

As the tale is told inside Microsoft, Cutler and a few others entered a room with some Microsoft execs at one end and a couple of freaky looking people at the other. The meeting began by the execs asking Cutler how things were going. Cutler told them things were going well.

With that minimal warmup, the execs launched into their pitch. They told Cutler they'd need more than a file server - they'd also need a 'workstation' version. They also told him that both versions would have to have a graphical user interface.

Cutler couldn't understand why a file server would need a graphical user interface. The execs explained that Microsoft had planned a new initiative called zero administration.

Zero administration meant that anyone - not just seasoned admins - would be able to run a file server or a network. This would be done through setup guides using the graphical user interface.

The execs introduced Cutler to the others in the room, programmers from the ordinary 16-bit Windows project.

'You've heard the stories', associates say. 'The holes in the walls and so forth. Those who were there won't say a lot more - only that things got pretty ugly.'

Cutler accommodated Gates. To an extent. He never made a separate 'workstation' version of NT as Gates may have believed - he only added background threads that watched the Registry so that the keys telling NT 'Server' apart from NT 'Workstation' couldn't be tampered with.

As for the graphical user interface: holes in the walls...

[Cutler's 'Tribe' were very loyal. At one point, they went into Seattle to buy a picture frame and hung it over one of the holes. Ed.]

But here's the key point: Cutler's security model worked fine, but only as a model for his original file server project.

Cutler understood security, but Gates and his ilk couldn't give a shit about security. All they wanted was a 32-bit system.

Cutler had access control lists to govern file access. Windows, like MS-DOS before it, had only file attributes - no security at all.

So Gates and Microsoft took a good design - a remake of VMS, a timesharing architecture from the same era as early Unix - and put it atop what Bill Joy accurately described as a 'standalone system'.

And then they put it 'on the net without thinking about evildoers'.


[Of course the above is not much more than conjecture and hearsay. Redmond's version is much more accurate. Ed.]

You Can't Cure Stupid

The writing's been on the wall for a long time. At least seventeen years. The paint's gone dry. Windows 95 ushered in the web revolution, and Windows 95 was not secure. Cutler's NT, originally a file server, wasn't secure either, and everyone at Microsoft knew it.

Unfortunately, it would take years for Unix to make headway, and in that time Microsoft introduced Windows 98SE and consolidated their position. Jobs' NeXTSTEP and OPENSTEP had a chance, but Jobs had already given up the battle for the desktop, and OS X 10.2 ('Jaguar') wouldn't see the light of day until 2002. The dominance of Windows was by then a fait accompli.

You can't cure stupid. Or more accurately in this context: you can't take an insecure standalone system, that doesn't even understand the word 'security', and try to make it secure after the fact - it doesn't work.

So now you have Microsofties scrambling and scurrying around, trying to plug holes as fast as others find them, a world awash in 'zero day' vulnerabilities, rushing out 'ad hoc' solutions that are often pretty shabby. Nothing's properly tested. There isn't any time.

They Were Warned

This is an hour-long clip with Fred Dalton Thompson and Joe Lieberman of the Senate Governmental Affairs Committee on the one side, and seven members of L0pht Heavy Industries on the other. The discussion touches on a lot of things (and one hour is certainly not enough, not by a long shot) but listen to how they compare open source systems (that can be vetted) with closed source systems (that cannot).



For that's the issue. No one really objects to Apple holding onto their Cocoa code, but 'developer.apple.com' leads to, amongst other things, the kernel source. And 'Acknowledgements.rtf' shows you where you can locate the open source projects that have contributed.

It's open source. It can be vetted. It is vetted. No one remembers the Halloween Documents? The internal Microsoft study that admitted open source was infinitely superior?

Steve Jobs was wrong. The war for the desktop is not over - it's going on right now.

They took systems designed for isolated desktop systems and put them on the net without thinking about evildoers.
 - Bill Joy
There wouldn't be a Microsoft today without Dave.
 - Steve Ballmer

See Also
Radsoft: The Vulture and the Penguin
Learning Curve: Now in the wake of #WannaCry
New York Times: Microsoft Concern Over Free Software

Copyright © Rixstep. All rights reserved.