Guess what happened to this US agency using outdated software?

Remember earlier this year, when we found out that a bunch of baddies including at least one nation-state group broke into a US federal government agency's Microsoft Internet Information Services (IIS) web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution? It turns out that this same …

  1. Zippy´s Sausage Factory

    The problem with Telerik stuff is it takes minutes to upgrade, and days to fix all the stuff that broke with the upgrade thanks to all the breaking changes.

    1. IGotOut Silver badge

      If only they had just a few more years to test, upgrade, deploy and fix.

  2. Yet Another Anonymous coward Silver badge

    Thinking smart

    The only way they can get into the IRS and VA is if they can find people who know COBOL and MUMPS - good luck hackers

    1. Clausewitz4.0 Bronze badge
      Black Helicopters

      Re: Thinking smart

      "The only way they can get into the IRS and VA is if they can find people who know COBOL and MUMPS"

      Don't forget also:

      - EBCDIC charset

      - Mainframe

      (un)Fortunately, some old-school hackers, still alive, do know these

      1. Anonymous Coward

        Re: Thinking smart

        Are you suggesting that there should be a "Logan's Run" type of rule for programmers, that we kill them when they turn 30? Or do you just resent the fact the old codgers can cut code much better than the current crop?

      2. An_Old_Dog Silver badge
        Windows

        Re: Thinking smart

        COBOL knowledge: Check.

        MUMPS knowledge: Check -- but trying to forget. MUMPS lives on via InterSystems' "Caché" product for x86.

        EBCDIC knowledge: Check.

        Mainframe knowledge: Check.

        Desire to penetrate US federal computer systems: None.

        So, that leaves ... what, 13,000+(?) more people besides myself with the relevant knowledge, some of them WITH the desire to penetrate said systems.

        1. Anonymous Coward

          Re: Thinking smart

          There might be many more people with the desire to penetrate those systems than you think. It's not out of malice or thrill-seeking, but because they were "dino-babies" fired from IBM and other companies before they could collect their pensions, and they now need another source of income.

      3. Roland6 Silver badge

        Re: Thinking smart

        Probably also still using SNA and 3270 terminal protocols…

        1. An_Old_Dog Silver badge
          Joke

          Re: Thinking smart

          ... and cathode ray tube displays, because light-pens won't work with flat-panel displays.

        2. Someone Else Silver badge

          Re: Thinking smart

          Probably also still using SNA and 3270 terminal protocols…

          Ooooh...Pain!

        3. Alistair Silver badge
          Windows

          Re: Thinking smart

          Nah, nowadays us old codgers use SNA over TCP/IP, and this wacko stuff called terminal emulation in KSH.

          {gah, I just made myself shudder at the memories of cutting tickets in that terminal emulator}

    2. Bear

      Re: Thinking smart

      Hey! We ain't senile yet. Besides, there is a real shortage of COBOL programmers, so the hackers have to compete with large financial corporations, and they have better pay.

  3. Anonymous Coward

    In Europe, however, improvement appears to be on its way

    The EU has cooked up some interesting things like NIS2 and DORA for organisations deemed even halfway important to nations, and from what I just heard from a friend it has the banking executives in Germany and Austria in a real panic because those two countries decided to augment the consequences for non-compliance with a fun aspect called jail time. The panic is mostly because the implementation deadline isn't that far when you count in banking years (they're like dog years, but with double interest charges).

    Yes, believe it or not, but the "good enough to have an excuse" budgeting of security in banks and blaming basic breaches on hackers being "sophisticated" (because they basically knew how to switch on a computer?) may finally come to an end.

    It's going to cost Microsoft an absolute fortune in lobbying to stay around despite being the one common factor in 99% of all breaches and ransomware attacks. Expect a sharp uptick in revenue in restaurants near any golf course.

  4. J.G.Harston Silver badge

    I don't know. You've phrased it as a command, but you've stuck a question mark at the end. What is it? A question or a command?

  5. druck Silver badge

    Did copilot slurp fake zero days?

    The fake zero-day repos may have been removed fairly quickly from GitHub, but was that before or after Copilot slurped them, and how long before it starts spitting out malware verbatim?

  6. Anonymous Coward

    D-word

    Don't want to play the Docker fanboy here, but isn't this a prime case of where a containerised environment would be better, in that it "should" be easier to keep patched/updated? Or is there an aspect where their stack couldn't be done this way? Interested to know, as I always thought web anything was the primary use case.
