Re: should debian comment about the recent 'ransomware' malware.



shirish शिरीष <shirishag75@gmail.com> writes:

> while it was primarily targeted towards Windows machines, maybe we
> could tailor a response which shows how Debian is more secure and
> possibilities of such infections are low/non-existent.

I don't believe such a statement would be factually correct, so no, we
shouldn't make it.

This ransomware used a government-developed exploit that was patched by
Microsoft a month before the malware was released (only because someone
did the right thing and gave them a private heads-up), and gets a toehold
via phishing.  There is absolutely nothing about Debian that would prevent
exactly the same thing from happening to us; the reason why it doesn't is
quite simply because Debian is much less widely used than Windows, and in
particular has less penetration into markets that run obsolete operating
systems on "cannot patch" systems using older and very insecure protocols.
Which is extremely common in the health care industry.

This is not a case where Microsoft did something clearly wrong, or even
differently than we would have done, or where free software would have
helped significantly.  (Maybe if the whole SMB stack were free software
this bug would have been discovered sooner, but quite possibly not; the
free software world certainly has many security bugs that have gone
undiscovered for ten years or more.)

I'm extremely proud of Debian's security team, and we're often quickest to
patch among major Linux distributions.  Our security team does amazing
work.  But nothing a distribution or OS vendor can do can help with
unpatched systems, or against government-funded adversaries that hoard
unreleased zero-day vulnerabilities and exploit tools.  Those are very
hard problems, and we should not mistake our lack of *incidents* from
having a smaller and differently-focused user base for a lack of
*vulnerability*.

The entire computer industry is vulnerable to attacks like this, and
Debian is absolutely not an exception.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>