Before I get on my soapbox and discuss the problem of old technology versus security in today’s world, I’d like to share a bit of the history of my experiences with the internet, security and internet security.
Like a lot of technology enthusiasts around my age, I started my life on the internet with dial-up and Windows 98SE. (Others would have used Windows 95–ME.) I’ve seen the transitions from dial-up to DSL to speeds that we used to only dream of.
I was around when Microsoft ‘enforced’ (I’ll use the term loosely here) the use of the built-in firewall for Windows XP with Service Pack 2. I saw the attacks coming through for WannaCry, ILOVEYOU and Mydoom.
With that being said, I’ve always had an interest in ICT security and the associated knowledge domains. I can no longer remember how or why I looked into protocol binding on Windows 98 for my dial-up connections; however, I can remember going to each internet gateway computer and unbinding any and all protocols except TCP/IP from the network interface.
Back then I didn’t follow a lot of best practices, such as not reusing passwords across multiple sites, running with the least privileged access possible, and all those good things we should be doing both in the workplace and at home.
I remember when Gibson Research Corporation made the news with its Shields Up service for testing your external security via port scanning; I subsequently tested my Windows 98 SE internet gateway and found it got pretty good marks as a secure product.
This was at a time when Windows 98 SE was considered too insecure to be on the internet. All the free testing sites back then would show that it was secure, even when marking it against a standard Microsoft Windows machine connected to the internet. Yes, I knew that I could be smurfed and suffer the ping of death, but luckily as far as I knew I never experienced it.
What does this have to do with today’s security practices? A lot, actually. As I’ve shown, even the simplest and easiest security changes can make insecure OSes a lot more secure. (I won’t say that Windows 98 SE was ever secure, but I was able to protect it from the average attacker.)
As someone who has worked in most types of industries under varying levels of governmental oversight (think medical, prisons, mining, general businesses, etc.), it still astounds me that the more oversight there is, the higher the chance of finding systems that are so utterly unsupported that even the company that created the product hasn’t existed for at least a decade. And these systems are connected to networks (with all the configuration for access) that are connected to the internet.
Management considers this to be ‘safe’ because it either doesn’t want to spend the time working with its staff to do a proper risk assessment, or it just considers it to be beneath them (i.e., “That’s what I pay you for” or “It’s IT, it’s too hard for me” or “No one would want to hack/attack us”).
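The risk assessment that gets skipped here does not have to be elaborate. As an added illustration (this is example code written for this post, not the author’s tooling), the script below walks a constructed asset inventory and flags anything past vendor support, ranking it by how close it sits to the internet. The asset records, field names and support-end dates are assumptions made for the example.

```python
"""Added example: a minimal end-of-support exposure check over an asset
inventory. The Asset fields and the sample records are constructed for this
illustration; they are not taken from any real environment."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Asset:
    name: str
    platform: str
    support_ends: Optional[date]   # None = end date unknown
    vendor_active: bool            # False = the vendor no longer exists
    internet_reachable: bool       # the host itself can be reached from the internet
    shares_network_with_internet_hosts: bool  # same LAN as internet-connected hosts


@dataclass
class Finding:
    asset: str
    severity: str
    reason: str


def assess(inventory: List[Asset], today: date) -> List[Finding]:
    """Return one finding per unsupported asset, most exposed first.

    'Unsupported' means the vendor is gone, the end date is unknown, or the
    end date has passed. Exposure decides severity: internet-reachable is
    critical, sharing a network with internet-connected hosts is high,
    fully isolated is medium (still unpatchable, but harder to reach)."""
    findings = []
    for a in inventory:
        no_vendor = a.support_ends is None or not a.vendor_active
        expired = a.support_ends is not None and a.support_ends < today
        if not (no_vendor or expired):
            continue  # still supported: nothing to report
        if no_vendor:
            reason = "no vendor support available (vendor defunct or end date unknown)"
        else:
            reason = f"vendor support ended {a.support_ends.isoformat()}"
        if a.internet_reachable:
            severity = "critical"
        elif a.shares_network_with_internet_hosts:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(a.name, severity, reason))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f.severity], f.asset))
    return findings


# Constructed sample inventory (names, platforms and dates are made up for
# the example; the support-end dates are sample values, not vendor data).
SAMPLE_INVENTORY = [
    Asset("dos-ledger", "pre-1995 DOS application on Windows XP",
          support_ends=None, vendor_active=False,
          internet_reachable=False, shares_network_with_internet_hosts=True),
    Asset("xp-fileshare", "Windows XP workgroup share",
          support_ends=date(2014, 4, 8), vendor_active=True,
          internet_reachable=True, shares_network_with_internet_hosts=True),
    Asset("hmi-controller", "vendor HMI appliance",
          support_ends=date(2019, 1, 1), vendor_active=True,
          internet_reachable=False, shares_network_with_internet_hosts=False),
    Asset("win10-desktop", "Windows 10 desktop",
          support_ends=date(2025, 10, 14), vendor_active=True,
          internet_reachable=True, shares_network_with_internet_hosts=True),
]


def sample_report(today: date = date(2024, 1, 1)) -> List[Finding]:
    """Run the check over the constructed inventory for a fixed date."""
    return assess(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for f in sample_report():
        print(f"[{f.severity.upper():8}] {f.asset}: {f.reason}")
```

Note that an asset whose vendor is gone is treated as unsupported regardless of any recorded end date; that is the situation the DOS application in the story was in, where the only “support” was a reseller who had already closed his business.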
For example, a company I used to work for supported local businesses, one of which used a program written pre-1995. It was a pure DOS application that barely understood what a shared network drive was, or even what Windows was (the software was able to run in Windows 3.11 but was not designed for Windows 95).
The company still used the original software reseller in Australia for support, without a contract; this reseller had closed his business years beforehand and was no longer working in that space as a day job. When I began supporting the company, the reseller told me that he was happy I understood the old technology (dot matrix printers, continuous feed paper, DOS, etc.). But the company was struggling to get the software to work on Windows XP in a workgroup with a single shared drive from someone’s desktop.
Management didn’t want to upgrade because it was “too hard” and “too expensive”, and anyway this one still “works” (even though they were spending a lot more on staff time, training, accountants and engaging me). They also used one of my most hated sayings: “If it ain’t broke, don’t fix it”.
So my question is, should we as an industry be more vocal about the dangers of using old software and equipment in an increasingly interconnected world with bad actors now targeting the low end (consumers, small businesses)?
Do we just say, “Hey, I’m here to earn money — it’s not my circus” and then hopefully be gone before the bucket hits the fan, leaving the new person to deal with everything (especially the blame)? Is that a morally correct action?
Or should we be pushing for workplaces, clients, friends and family to start treating their technology items as replaceable, and have them upgraded within reasonable timeframes?
After all, we wouldn’t use and abuse our cars to the point where we wouldn’t even do the minimum maintenance or update the registration, licensing and so on.
The majority of people will have their car serviced at least once a year and replace the tyres before they become unsafe.
Yet many people consider information technology to be a static item — once you buy it, you don’t have to service it or maintain any licensing for it.
It’s high time this attitude went the way of Windows XP and became obsolete.