In the wake of yet another ransomware attack—this time named NotPetya—I have a special message specifically for those of you working in organizations that continue to run Microsoft Windows as the operating system on either your servers or your desktops:
You are doing a terrible job and should probably be fired.
I know. That’s harsh.
But it’s true. If you haven’t yet replaced Windows, across the board, you absolutely stink at your job.
For years, we’ve had one trojan, worm and virus after another. And almost every single one is specifically targeting Microsoft Windows. Not MacOS. Not Linux. Not DOS. Not Unix. Windows.
WannaCry managed to infect hundreds of thousands of highly vulnerable Windows installations around the globe. It was a huge problem for many major institutions that fill their organizations with the operating system from Redmond, Washington.
But did you learn your lesson? No.
Then another bit of ransomware comes along, called NotPetya, and manages to take out critical systems at freaking Chernobyl. Also airports and banks. Oh, and hospitals. Can’t forget about the hospitals.
Sure, we could freak out right now about the fact that our nuclear reactors, airports, banks and hospitals have either already had their systems compromised or are in danger of it happening soon. But what we really need to do is look at why. What decisions have been made by these organizations that allowed them to become vulnerable to these attacks?
What all these cyber attacks have in common
There is one commonality. Go ahead. Take a guess at what it is.
Yep. They decided to implement Microsoft Windows either as their server platform or as their system for desktop deployments across their organization.
I’m not going to mince words here: At this point, with all of the damage we’ve seen caused by people running Windows, there is simply no further excuse for not migrating your organization’s vital systems away from MS Windows and onto a demonstrably more secure platform.
Right now, I’m hearing many Windows apologists yelling at their screen—shouting justifications for why this is happening and why it’s not really Windows’ fault. Maybe people weren’t doing a good enough job upgrading their systems quickly. Maybe they put off patching their system because they didn’t want the downtime. Perhaps the popularity of Microsoft Windows makes it a bigger target for hackers.
The justifications are pointless. Maybe the points are true. Maybe they aren’t. But if you, personally, are responsible for deciding what platform is deployed across a company/organization and you knowingly choose the one that is measurably more likely to be hacked/compromised—you made a bad choice.
Anything is more secure than Windows—even DOS
I’m not here to tell you to use one alternative to Windows over another. I have my personal preferences, but the reality is that almost anything (and I mean ANYTHING) will likely be more secure than Microsoft Windows.
Case in point: I run a BBS (a text-based online service people used to dial into with modems before the internet was a thing) as a hobby project. The software I run for that BBS hasn’t been updated since the mid-1990s. That BBS runs on DOS (that’s right—old-school DOS). It’s an operating system that doesn’t really have any security of any kind. People connect to it via Telnet—a protocol that is about as wide open and unprotected as a broken barn door.
Yet it has never once, in many years, been hacked into in any way. People have tried. I’ve seen script kiddies attempt to hack their way into it with their bots and l33t skillz. They always fail—despite being a system that has, quite literally, the worst security imaginable and is running software that hasn’t been updated in over two decades.
All of that means, in very real terms, that our nuclear reactors would be safer on a DOS system with zero security than running Windows.
That may be an outlandish-sounding statement, but prove me wrong. Show me the massive ransomware attacks against DOS, Linux or MacOS systems. Show me it happening month after month, day after day, like it does with Windows.
Can’t do it? Then you need to migrate off of Windows and to something else. (I recommend some variation on Linux or *BSD.)
And you better hurry. Because the next major, successful attack is, if history is any guide, literally no more than a few weeks away.