Secrecy, privacy, security, intrusion

I understand there is a real concern, even if it is the USA that shows the way.

I can only relate to my first hand experience of design and engineering in Australia. My experience of working for a large American Engineering Company is too distant, although they were far from cowboys in how they performed.

2 Likes

I’m seeing

built-in object token for ISRG Root X1
signed for Let's Encrypt
signed for exposing.ai

So, assuming that your date/time is set correctly LOL, I would check that you are running the latest version of relevant software e.g. I have Firefox 85.0.1

I wouldn’t import the certificate. It is still an option to visit ignoring the warning.

1 Like

FF 85.0.2 (64-bit)

1 Like

A little more detail of how the hack was enabled.
https://edition.cnn.com/2021/02/13/us/florida-hack-remote-access/index.html

And some broader, informed general comment. :thinking:

2 Likes

Absolutely right. Working From Home has been a huge problem from a security perspective, for every business, not just critical infrastructure. Attack surface x 100. I’m surprised we haven’t heard of more of these cases.

2FA probably would have stopped this particular hack dead in its tracks. That’s never going to happen though when we are talking about “apparently disused software” on “an aging version of Microsoft Windows”. LOL. But it’s not really a laughing matter.

2 Likes

It amazes me how many businesses I see who are still operating Windows XP which has been unsupported by Microsoft for years.


1 Like

People from a certain era consider software upgrades and routine hardware tests as ‘punitive maintenance’ because it was more likely to cause problems than dealing with what may otherwise come.

With software the idea was a problem you know and can work around is better than 1000 things fixed, and another 100 things broken you need to discover.

3 Likes

This does not seem like very smart Defence Department strategy.

What next? Huawei servers to store the data?

2 Likes

Once upon a time software updates and firmware updates did indeed tend to break things. We have moved towards encouraging immediate updates because of the security holes that can be uncovered by anyone reverse-engineering what just got changed - but it is possible that this may change again.

There have been several examples in the last couple of years of supply chain attacks in which malware is introduced in the channel that normally provides you with the good updates. The attack first identified by SolarWinds (yes, other entities have been attacked in the same way) is just one example - and the most terrifying so far - of these.

So at the moment we are stuck in this place where we have to update because security, but if we update how do we know we’re getting the good update. It will be interesting to observe how the industry responds over the next few years.

2 Likes

There is also some specialised business software which hasn’t been tested or proven to work bug-free on newer versions of Windows. Some businesses opt to run with Windows XP, which they know, rather than spending money testing and fixing bugs for newer operating system versions.

In my last job, some of the specialised design software wouldn’t run on anything higher than XP. The software vendor was reluctant to do a test for further versions of Windows and was canvassing licensees to contribute to the testing (and in return get a working version when released). When I left they were still using a machine with Windows XP on it, specially for that piece of software.

1 Like

As an IT person working in the technical support space, I encountered many instances of excuses for staying on older versions of hardware, or systems software, or application software.
If we upgrade, it will cost money. If we upgrade, we have to pay for testing. If we upgrade, the application vendor wants to charge us an obscene amount to ‘port’ their product to our new system.
Well, my response was that if the hardware / OS / application vendor couldn’t support me as a technical support specialist due to out of date versions if problems arose, then I couldn’t necessarily fix the problems.
So, you are on your own. Your choice. Acknowledge in writing. I will CC well up the management chain.

2 Likes

Whilst I did not include that in my post, I believe a lot of the instances I have seen were offices such as medical practices, Government departments and such like using specialised programs running under XP.

Russian roulette?


1 Like

Windows XP was the last Windows version in 32-bit, although there was a special 64-bit version that I had never heard of until I looked it up.
After that, it was full on 64-bit with Win7, Win8, and now Win10.
But, I run a number of very old Windows apps that run problem free in Win10.
Microsoft went to enormous efforts to provide compatibility, and in most cases nothing needs to be done.
The issue is not that apps can’t run on today’s supported hardware and software, it is that very stupid people are in charge of decision making in many organisations.

3 Likes

Observing as outsiders?
How the industry responds inside it might keep mostly to itself. It’s only when it goes very obviously wrong on the outside that we are informed?

Note:
Some of the public commentary on the SolarWinds attack tried to offer reassurance that data systems had remained secure. However, the hacks supposedly exposed email accounts/systems. How valuable is an email identity or content? Especially if, as an external agent, you are seeking out vulnerabilities and the ability to control those inside the business, the system or government.

Stupid or conservative? Back when I was privy to certain applications software that was a bugger to certify, and the time and cost of recertification was astronomic. It could be considered business software as it reflected the business of a certain US governmental entity. It was about little bitty things that could go boom, on purpose or by accident. I’ll say no more.

It depended on a few OS features to run properly and in those days ‘we’ had (drum roll) real systems programmers at each site with all the source code who could make it work.

One site continued to run an emulator running a decade old OS rather than try to get the application recertified after the OS could no longer be rationally adapted. They only made the break and moved on when the application was eventually replaced to take advantage of a newer genre of HPC systems.

I learnt to never call a manager or senior technologist stupid unless I had all the information, technical and economic and political, that they had and used to make their decision. If I did, I might have considered it stupid, but more often, even in disagreement, I understood the why.

1 Like

I am pretty sure I heard about British nuclear subs running Windows XP.

There are also apparently some Intranets that have had to roll back their version of Adobe Flash in order to keep everything running after Adobe issued a ‘kill’ command in the last update.

As long as systems that rely upon outdated and insecure software are not exposed to the Internet I can see an argument for not spending the money to upgrade. Of course, trying to keep something totally firewalled from the Internet is a big task.

Fifty years ago, the latter crowd was ‘buy the IT equipment, but it has to be IBM’. (Just to be clear, this was before my time - but I like to read history.)

2 Likes

Yes, the specialised design software ran as a standalone desktop and files had to be manually exported to a CAD machine for final design work.

1 Like


Many years ago, I had a book of funny fax headers.

The caption on one was “Figowitz, about your choice of computer systems, there are a couple of items I would like to bounce off you”.

The drawing showed the head honcho standing behind the computer geek whilst holding a house brick in each hand behind his back.


One company, “Hey”, that provides an email service has been checking on email security at the request of the BBC to see what’s happening. What they found was that about two thirds of the emails their clients received had “tracking pixels”, or as some call them “spy pixels” (link to help explain what the pixels are).

While their use has been widespread on web sites, sometimes under other names such as “web beacons” or “web bugs”, it seems that undisclosed use could be a breach of the GDPR in the EU; no such protection here though. Some of the Companies caught out included “British Airways, TalkTalk, Vodafone, Sainsbury’s, Tesco, HSBC, Marks & Spencer, Asos, Unilever, and others were highlighted”.

While some of these Companies are not the norm for Australian email users, it doesn’t mean that we aren’t being targeted here by our Businesses. For most the question could be “Who would know?”.

To read the articles see:

And a paper about the problem

Brands here that might take advantage of the pixels could be places like Woolworths, Coles, CBA and other Bankers, Govt Departments and businesses. As it isn’t disclosed, back to the “Who would know?” question.

I hope not, but does CHOICE employ them?

3 Likes
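A defender-side way to answer “Who would know?” is to scan a message body for beacon-style images before any remote content loads. This is an added example, not code from the thread or from Hey; the tiny/hidden/opaque-token heuristics and the sample email are assumptions for illustration.

```python
# Added example: flag likely tracking pixels in an HTML email body.
# Heuristics (assumptions): a remote <img> is suspect when it is 1x1 or smaller,
# hidden by inline style, or carries a long opaque token in its URL.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{24,}")  # per-recipient id; length is an assumption

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs = []  # one attribute dict per <img> tag
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})

def _dim(value):
    m = re.match(r"\s*(\d+)", value or "")  # accepts "1", "1px", " 0 "
    return int(m.group(1)) if m else None
def _is_tiny(a):
    w, h = _dim(a.get("width")), _dim(a.get("height"))
    return (w is not None and w <= 1) or (h is not None and h <= 1)
def _is_hidden(a):
    style = a.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style
def _has_token(u):
    qvals = [v for vs in parse_qs(u.query).values() for v in vs]
    return bool(TOKEN_RE.search(u.path) or any(TOKEN_RE.search(v) for v in qvals))

def find_tracking_pixels(html):
    """Return [(src, reasons)] for remote images that look like beacons."""
    p = _ImgCollector()
    p.feed(html)
    hits = []
    for a in p.imgs:
        u = urlparse(a.get("src", ""))
        if u.scheme not in ("http", "https"):
            continue  # cid:/data: images never contact a remote server
        checks = (("1x1", _is_tiny(a)), ("hidden", _is_hidden(a)), ("opaque-token", _has_token(u)))
        reasons = [name for name, flagged in checks if flagged]
        if reasons:
            hits.append((a["src"], reasons))
    return hits

# Constructed sample: a normal logo plus two beacon-style images.
SAMPLE_EMAIL = (
    '<img src="https://example.com/logo.png" width="200" height="60">'
    '<img src="https://t.example.com/o/AbCdEfGhIjKlMnOpQrStUvWxYz0123" width="1" height="1">'
    '<img src="https://x.example.com/p.gif?u=5" style="display: none;">'
)
```

The practical mitigation in a mail client is to block remote image loading by default, so none of these requests are made regardless of what the scan finds.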