Query Windows 7 in Shodan. You can do so with https://www.shodan.io/search?query=windows+7 if you want.
Wow. In early 2023 China is glowing red hot with a massive concentration of Windows 7, which went General Availability in 2009 and End of Support in 2015 (Extended Support expired in 2020). China must be doing a crap job, right? I mean, the US is a tepid salmon in the image. We’re clearly winning. Here in the USA we understand the importance of staying up to date and in support better than the IT pros in China do. At face value the number of instances enumerated by Shodan and the image alone scream to the lack of cyber hygiene in China.
Now consider the populations of both nations. China has a population of 1.4 billion while the United States is around 336 million at time of writing, so the US has about a quarter of China’s population. Well, what’s 27,591/118,372?
Roughly one quarter. While most interesting for understanding scale rather than security, China and the USA have approximately the same per-capita ratio of Windows 7 instances enumerated by Shodan to national population. Well, so much for my high horse. Now, time to self-inflict a gut punch.
Take a second to guess what that one is. Time’s up. That’s Shodan-enumerated Windows Server 2003. The US has about half as many win2003 servers exposed to the internet as China, a nation four times the population of the USA.
And who do those US win2003 servers belong to? After scanning through the results for misfires, a gamut of US companies, with way too many good hits in the tech sector. The glaring one is Amazon, but a cursory look reveals these as EC2 instances, so let’s pray it’s customers or even better, security labs. One can hope.
But the ISPs don’t have the luxury of shrugging it off. There’s a disconcerting number of ISPs in the US running win2003. Why? Probably the same excuse I’ve heard time and time again, “It runs a business critical application and we have it mitigated.”
In my experience those words are said in little more than half-truths, but that’s not the point.
Instead I’m calling out the perception that Chinese IT is inferior to Western/American IT. I’ve heard with my own ears that the Chinese aren’t as capable a malicious actor because they don’t understand cybersecurity at the same level as American IT pros. That was said in response to me sharing the first image (win7) with a CS student friend of mine. I’m oversimplifying a little to highlight my own shock, but I ran that line by my friend and he confirmed I’m on message to his (at the time) understanding. This person is inexperienced; a professional from another field who is transitioning to the tech space, and a genuinely intelligent and capable person, but inexperienced by lack of exposure. So why is he underestimating a nation generally understood as a US tech adversary?
Because our perception of our “adversaries” (quotes because there are both genuine threats, but also awesome businesses and orgs in China) is painted by rhetoric. I googled “china information technology worker” and “america information technology worker.” These are the first two rows of images returned.
The American result looks like clean-cut independent professionals accomplishing tasks.
On the other hand, the Chinese results lean harder into groups of casually clad workers in cluttered photos. Even the datacenter and electronics lab look more chaotic.
These images are both heavy in rhetoric since they are media organizations posing an image to support each story. My personal opinion is the American result looks to highlight professional independence more than anything while the Chinese results portray a more hacky punching-up image, though this is highly subjective. And to be clear, I can alter the image output by changing the search terms or filters. This is just what Google thought was most relevant in an incognito tab.
Like I said earlier, China is considered a tech adversary, intentionally towards malicious actors but also in the greater scope of business competition. There are shady actors and awesome organizations both behind the Great Firewall. Still, the numbers don’t lie. China is 1:1 in ratio of win7:population and doing better in ratio of WindowsServer2003:population. Yes, those metrics are thin. Operating system:population is not actionable. It’s just a demonstration of the scale of peers. But, you can easily take two real messages away.
- Pride is a weakness in your cyber environment. Don’t overestimate yourself, your environment, or your capabilities.
- Humility is a strength almost everywhere. Assume your adversary is stronger than the rhetoric.
Then enrich that mentality with real, actionable intelligence.
And get rid of server 2003.