Ransomware is crippling hospitals. People's lives are on the line. And the tech community is in a frenzy of excuses, whining, and hypothetical bullshit about shipping labels. Sagely pointing out to each other that hospitals aren't tech companies, like only tech companies know how to use computers.
Sometimes this industry disgusts me. "X is hard" -- what the fuck is your profession? Easy shit? Fine, step aside.
We have let our civilization down. Whining that X is hard is not going to fix anything. Take the week off and put in some pro bono consulting time with any nearby organization that got hit. Make things better. Fuck your blog posts.
Sorry, I didn't catch where your volunteer shifts are happening?
In the very first sentence you shame commentators for presuming to be more competent than hospital staff, then you go on to suggest riding in on a silver steed to bless them with your powerful expertise.
Frankly, a bunch of startup hackers showing up and trying to play hero is not going to be any more effective than this blog post. This doesn't get solved with arrogant cowboy antics, and it doesn't get solved in a week even by seasoned experts. You have no knowledge of the ecosystem of devices operating on their network, and the constellation of concerns they must balance, and thus you can't offer anything but the most general of advice with which their IT staff is certainly already familiar.
If you really want to make a difference, go apply for a job there and put in a few years of work—that is likely to have impact. Short of that, there's worse things you can do than write a blog post; at least a few of them are probably providing useful perspectives to those actually tasked with solving this problem long-term.
My shifts are happening in two elementary schools, three urgent care clinics, and a local nonprofit's office. Why did you think I was speaking hypothetically? I've already taken the next two weeks off. When I'm done with this batch I've got more to do.
Your entire second paragraph is bullshit. The affected are being affected because their existing technology deployments are broken. This isn't just some nightmare that happens to everyone, and it isn't some abstract structural issue that only affects large organizations. There are a lot of groups getting screwed here. They need help. If they didn't need help, they wouldn't have got hit. I am helping.
You can sit by and armchair-quarterback the incident response, that's fine. We don't need you anyway. Useful perspectives can go pound sand. There is work to be done.
The OP is talking about big orgs, so it's kind of a dick move to hijack the conversation and proclaim your agenda to be morally superior. You don't have to put other people down to make your point. It's childish, counter-productive, and you leave yourself open to criticism that your work is also The Wrong Thing because you're not volunteering for some greater cause like helping sick and dying people in developing nations. But I guess if a desire to be better than everyone else motivates you to do some good then I guess it's not a total loss?
Patching is not a technical problem, 90% of the time. It's a political one (in medium to big operations). We have let our civilization down? No, our civilization is still asleep believing that when we say that patching is important, that rebooting your PC to install upgrades is important, we are spewing shit.
You need to patch, but big management wants X features implemented before the fix that will actually allow you to patch stuff without creating problems. And the only thing you can do is fix stuff after it breaks and look at your manager(s) when they leave in the day shit hits the fan at 6PM, as usual. And then stay in the night restoring data and praying it's not corrupted or infected too.
And in that moment you are sure of one thing: it will happen again, next time. Our civilization does not care.
Respecting that much of what you say here is true, and acknowledging that I've got a foul mouth and attitude problem myself at times, as well as an increasing abiding contempt, bred from far too much familiarity, with information technology and the infotech commercial world, the reality is that much of this stuff is, in aggregate and in practice, hard.
For ... various reasons, including a great deal of failure-to-anticipate (or more often: Choosing To Deny) Reality and Consequences. Which Bellovin details, and has been detailing for damned near five decades now.
But that still leaves us Where We Are Now:
* With hundreds of millions of Broken Systems.
* More being shipped daily.
* Strapped organisations and staffs.
After fighting the present fire, some sensible approaches to reducing future threats, including cranking up consequential liability on the firms, and backers, and financers, and stockholders, which produced the present mess, such that future risks are properly costed in to decisionmaking, might be a useful activity.