Yet Another Cycling Forum

Topic started by: Pickled Onion on 13 May, 2017, 08:13:44 am

Title: That ransomware attack
Post by: Pickled Onion on 13 May, 2017, 08:13:44 am
According to The Register (https://www.theregister.co.uk/2016/12/08/windows_xp_nhs_still/) NHS trusts decided not to bother paying for extended support for Windows XP. What did they expect to happen?  :facepalm:
Title: Re: That ransomware attack
Post by: Jaded on 13 May, 2017, 08:38:47 am
Hmmm. Amber Rudd says this will make the NHS spend money updating its systems. You'd better give it some more money then, Amber!

As for the rolling news yesterday...
I learnt from experts that no protection would have stopped this attack and that ALL operating systems were at risk from this malware. Also that the best approaches might be to restore from back-up or pay the attackers. Except they weren't clear how the NHS could get so many bitcoins together.

At least today's BBC report states it only affects Windows systems, so they seem to have grasped the nature of the threat better than the industry experts they used yesterday.
Title: Re: That ransomware attack
Post by: psyclist on 13 May, 2017, 08:42:08 am
According to The Register (https://www.theregister.co.uk/2016/12/08/windows_xp_nhs_still/) NHS trusts decided not to bother paying for extended support for Windows XP. What did they expect to happen?  :facepalm:

Whilst I agree with your sentiment, your statement is not supported by the article, which states in the final sentence "Individual government departments and agencies were free to sign their own extended support agreements with Microsoft". The missing bit of information is how many do not have a support arrangement, which is where negligence starts to creep in, rather than just poor decision making.

Title: Re: That ransomware attack
Post by: Morat on 13 May, 2017, 09:39:16 am
From early reports, https://www.theregister.co.uk/2017/05/12/nhs_hospital_shut_down_due_to_cyber_attack/
The attack is called WannaCrypt and rides a SMB vulnerability MS17-010.
There was a patch for Windows last month but not for XP which is out of support.
MS have now released a free patch for XP (gee, thanks!)
Title: Re: That ransomware attack
Post by: Pickled Onion on 13 May, 2017, 09:55:48 am
The missing bit of information is how many do not have a support arrangement, which is where negligence starts to creep in, rather than just poor decision making.

OK, The Register is maybe not the best source of impartial news, but it's clear the infected PCs either did not have extended support, or, if they did they didn't bother installing the security patch they paid for. Either way it's negligence.

Imagine an NHS Trust board meeting:

- Quite a lot of our security guards are retiring next year, what should we do?
- Security guards are really expensive to employ, and they don't appear to do a lot.
- Ok, let's not bother hiring new ones, we could spend the money on other things!

I learnt from experts that no protection would have stopped this attack and that ALL operating systems were at risk from this malware. Also that the best approaches might be to restore from back-up or pay the attackers. Except they weren't clear how the NHS could get so many bitcoins together.

There was a patch (http://gizmodo.com/today-s-massive-ransomware-attack-was-mostly-preventabl-1795179984) released two months ago. It was free to anyone with a supported OS, and available for anyone with an extended support agreement.

It's possible that a decision was taken that extended support was more expensive than 0.15 BTC per PC. It probably is. What's not clear is why *any* document would be stored on a local PC if it couldn't be replaced quickly and easily. Anything could happen; rebuilding a PC to a clean state should be quick and easy.
Title: Re: That ransomware attack
Post by: Greenbank on 13 May, 2017, 10:03:44 am
I learnt from experts that no protection would have stopped this attack and that ALL operating systems were at risk from this malware.

Sort of. All Windows operating systems were vulnerable, but only the older systems (XP, Windows Server 2003, etc) were vulnerable to infection without user interaction.

The malware can get onto your computer in one or more ways:-
1) You actively download it and run it (surprising how many people download random programs off the Internet and just run them)
2) You actively double click an attachment to an email (which may be a word doc, PDF or powerpoint presentation, etc)
3) You visit a malware ridden website using a web browser that is not fully patched
4) You visit any website that has advertising where the advertising (malvertising) has an infection vector if your browser isn't up to date
5) Your computer is remotely vulnerable and is infected by another computer nearby

The latter (#5) is how 'worms' spread, and how a large number of infections of this ransomware spread. Someone double clicks on a dodgy attachment to get their local machine infected and then it tries all of the nearby machines to see if it can remotely infect them (using mostly the Samba vulnerability that was part of the NSA's arsenal [EternalBlue] ).

If you had a patched OS and followed sensible guidelines of not opening attachments from unknown people, or unexpected attachments from known people, then you'd generally be ok.

The NHS's (and general corporate IT) problem is that it has thousands of XP and Windows Server 2003 machines that are required to run legacy software. Or they don't have the funds to upgrade everything all the time.

Luckily a security researcher found that it stopped infecting any further machines if a specific domain name had been registered, so he registered it, but that doesn't help the people already infected.

It won't be long before it's picked apart and used as the basis for version after version and the variants may be even nastier. And it won't be long before malware like this starts to include Mac and Linux infection vectors and codebases so it can spread regardless of the underlying operating system (this is what I would do if I was given the job of making an uber-malware).
Title: Re: That ransomware attack
Post by: Pickled Onion on 13 May, 2017, 10:05:03 am
MS have now released a free patch for XP (gee, thanks!)

I'm not sure I understand your sentiment—are you saying MS should provide patches for free for anyone running MS-DOS 1.0 onwards?

While not wishing to defend the bunch of MGBs* they provided a patch to anyone who paid for it in advance, either through buying a supported OS or paying for support.



*Money Grabbing Bastards
Title: Re: That ransomware attack
Post by: Greenbank on 13 May, 2017, 10:07:23 am
It's possible that a decision was taken that extended support was more expensive than 0.15 BTC per PC. It probably is. What's not clear is why *any* document would be stored on a local PC if it couldn't be replaced quickly and easily. Anything could happen; rebuilding a PC to a clean state should be quick and easy.

Exactly, at one point we used to run a semi-scorched earth policy on our desktops.

Every 2 weeks we had to reinstall the OS on our desktop. This taught us to:-
a) Store our data safely in one place (where it was easier for a centralised backup to do its job)
b) Automate the process of OS reinstallation and, more importantly, application installation and configuration
c) Not be so reliant on a specific machine, too many times we had "that's the only machine that can build X or run Y"
d) Be sure that we backed up everything we needed, otherwise you had to redo the last 2 weeks' work that you may have lost if not. It also ensured that our backup policy worked because we regularly had to use the backups.

It kind of tailed off but the principles have stuck with me.
Title: Re: That ransomware attack
Post by: TheLurker on 13 May, 2017, 10:19:08 am
According to The Register (https://www.theregister.co.uk/2016/12/08/windows_xp_nhs_still/) NHS trusts decided not to bother paying for extended support for Windows XP. What did they expect to happen?  :facepalm:
IIRC the Trusts didn't decide.  Jeremy Hunt decided for them. Fact check required, but I can't be arsed. :)
Title: Re: That ransomware attack
Post by: Morat on 13 May, 2017, 10:30:42 am
It's possible that a decision was taken that extended support was more expensive than 0.15 BTC per PC. It probably is. What's not clear is why *any* document would be stored on a local PC if it couldn't be replaced quickly and easily. Anything could happen; rebuilding a PC to a clean state should be quick and easy.

Exactly, at one point we used to run a semi-scorched earth policy on our desktops.

Every 2 weeks we had to reinstall the OS on our desktop. This taught us to:-
a) Store our data safely in one place (where it was easier for a centralised backup to do its job)
b) Automate the process of OS reinstallation and, more importantly, application installation and configuration
c) Not be so reliant on a specific machine, too many times we had "that's the only machine that can build X or run Y"
d) Be sure that we backed up everything we needed, otherwise you had to redo the last 2 weeks' work that you may have lost if not. It also ensured that our backup policy worked because we regularly had to use the backups.

It kind of tailed off but the principles have stuck with me.
MS have now released a free patch for XP (gee, thanks!)

I'm not sure I understand your sentiment—are you saying MS should provide patches for free for anyone running MS-DOS 1.0 onwards?

While not wishing to defend the bunch of MGBs* they provided a patch to anyone who paid for it in advance, either through buying a supported OS or paying for support.



*Money Grabbing Bastards

Well, honestly I'm not sure either. But given that this vuln was known, and known to be in the wild, it was pretty clear that it was going to be exploited sometime. It's all a bit "stable door" but of course the people who suffer this time round include NHS patients. Between MS, NHS and the actual malware writers there's plenty of blame to go round :(
Title: Re: That ransomware attack
Post by: Pickled Onion on 13 May, 2017, 10:34:10 am
According to The Register (https://www.theregister.co.uk/2016/12/08/windows_xp_nhs_still/) NHS trusts decided not to bother paying for extended support for Windows XP. What did they expect to happen?  :facepalm:
IIRC the Trusts didn't decide.  Jeremy Hunt decided for them. Fact check required, but I can't be arsed. :)

LOL! You are right! (http://www.theinquirer.net/inquirer/news/2409975/uk-government-has-ended-windows-xp-support-payments)

Not necessarily a decision by Hunt himself, but surely heads should roll for this. The sub-headline on the article (written two years ago): "Migration continues, but they're risking it for a biscuit". Would they risk any other infrastructure they were warned was unsafe?

Win Server 2008 has been available for NINE years and end of support for XP was signalled ten years ago.
Title: Re: That ransomware attack
Post by: Ham on 13 May, 2017, 11:49:01 am
.... And it won't be long before malware like this start to include Mac and Linux infection vectors and codebases so it can spread regardless of the underlying operating system (this is what I would do if I was given the job of making an uber-malware).

With much greater impact, as the current approach is "Mac / Linux don't get virus" so (1) nobody even has the infrastructure to deal with an outbreak (2) xLinux runs the world (as opposed to MAC which is only a user platform - but significant if loads of them stop being able to be used).

Creating malware for the Linux world is obviously more challenging, but it would be a fool who would say it was impossible.

Being fairly close to the economics of the deals that set up IT support, my conclusion is there really just isn't the money in the system to provide the protection. The health services are especially vulnerable because of the nature of their organically grown systems and the lack of funds; there are moves afoot to put a better security foundation at the heart of everything Government aligned, but the size of that task is more than huge. Another group who are particularly vulnerable are retail - notably parsimonious with their spend and investment. Financial institutions tend to be better protected and have a (statutory duty to) have secure systems. Industrials are less vulnerable so long as they are built on best principles (and most energy etc are) because of the isolation of the Process Control Network; that doesn't mean their admin systems will be safe.

It really doesn't need much imagination to realise that the major powers will be putting substantial effort not only into defeating these attacks, but creating one of their own (as appears to be the case here). With the globalisation of IT, the same problems exist trying to use this malware as an attack vector as there are in using poison gas. Doesn't stop it being made, though.
Title: Re: That ransomware attack
Post by: Jaded on 13 May, 2017, 12:42:26 pm
This attack isn't about Linux and OSX, it is about the vulnerability of the OSs that run 90% plus of the world's desktops. Still, nothing like a smokescreen.

M$ want users to upgrade. Once a large organisation goes computerised it slams a massive capital peak into the business plan every x years. The patch should have been automatic and free. The organisations will upgrade eventually.
Title: Re: That ransomware attack
Post by: Ham on 13 May, 2017, 01:03:18 pm
Did I say industrials were OK? Nissan appears to have succumbed, allegedly (although it could always just be desktops)

This one may not be about Linux/OSX, but imagine if it was. Yes, it is more difficult, but not impossible (eg, Apache)
Title: Re: That ransomware attack
Post by: Pickled Onion on 13 May, 2017, 01:05:59 pm
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?
Title: Re: That ransomware attack
Post by: Jaded on 13 May, 2017, 01:12:19 pm
It is an interesting question. You'd have to go ask the Boards.

Do beds get malware?
Title: Re: That ransomware attack
Post by: TimO on 13 May, 2017, 01:26:15 pm
Over the years, we've had more and more security issues, due to a mixture of poorly written and implemented software, and people's tendency to not bother implementing any security themselves, and click on anything that's offered to them.

Slowly, people are noticing this, and gradually implementing solutions, but the black hats move faster. :(

Some security solutions have been implemented; things like Windows Defender and fairly freely available anti-Virus software from many of the commercial anti-Virus companies, but on the flip side, email clients which let you freely click on anything, poorly secured things like Shockwave via web-browsers, and Windows networking, have all made it far too easy for the average user to become infected.

Ultimately, I'm not sure what the solution is, but organisations like the NHS, ought to be quite capable of ensuring reasonable security, if they (i) back up PCs, (ii) ensure out of date vulnerable OSes and applications are replaced, (iii) update current OS and applications with patches, (iv) block most attachments to emails at their Intranet borders, and (v) have fairly stringent firewalls.  I do most of that at home, so your average organisation should be capable of achieving it.
Title: Re: That ransomware attack
Post by: David Martin on 13 May, 2017, 01:28:26 pm
I would expect beds to be vulnerable, after all  lightbulbs (http://fortune.com/2016/11/03/light-bulb-hacking/) are.
Title: Re: That ransomware attack
Post by: Pickled Onion on 13 May, 2017, 01:34:14 pm
It is an interesting question. You'd have to go ask the Boards.

Do beds get malware?

They break. They get replaced. It's an expected cost, you build it in to the normal running costs.

If the manufacturer said the expected life is ten years but you decided to risk using it for longer to save money, and then the legs fell off, should the manufacturer say "we told you not to use it for more than ten years, but here's some free replacement legs"?
Title: Re: That ransomware attack
Post by: Ham on 13 May, 2017, 01:47:37 pm
Most hospitals have failback paper for critical systems, only it ain't that simple, as this demonstrates. Those backup systems are focussed on avoiding death by IT. Only, that's not the whole story.

There are multiple and complicated reasons why the systems are downversion, normally because of the cost associated with remediation. Most organisations get around that sort of thing by setting artificial dates by which the old systems will be decommissioned, separate from the budget needed to do so. The patching frequency is only one element of the picture. I'd hazard a guess that it's only a minority of user systems on XP, anyhow.
Title: Re: That ransomware attack
Post by: Morat on 13 May, 2017, 01:51:31 pm
Between the NHS and MS, the computer systems that run our health service were left vulnerable to an attack that was always going to come. MS know the NHS run XP, the NHS knew they were vulnerable*. The management of each organisation should be ashamed of themselves.

*if they didn't know, they're equally culpable.
Title: Re: That ransomware attack
Post by: Kim on 13 May, 2017, 02:55:30 pm
I would expect beds to be vulnerable, after all  lightbulbs (http://fortune.com/2016/11/03/light-bulb-hacking/) are.

Let's not even think about the actual medical equipment.  Security through obscurity is the standard.
Title: Re: That ransomware attack
Post by: Kim on 13 May, 2017, 03:03:45 pm
It's possible that a decision was taken that extended support was more expensive than 0.15 BTC per PC. It probably is. What's not clear is why *any* document would be stored on a local PC if it couldn't be replaced quickly and easily. Anything could happen; rebuilding a PC to a clean state should be quick and easy.

Exactly, at one point we used to run a semi-scorched earth policy on our desktops.

[...]

It kind of tailed off but the principles have stuck with me.

This is by far the best approach, IMHO.  Not so much because it prevents disasters, but because it greatly increases your immunity to them.  It's much easier to robustly back up data in one place where it's looked after by competent tech people, and as soon as you've got more than a handful of desktops, everything that isn't automated becomes a massive time sink.

Plus it's a mug's game trying to recover data, be it from malware infection or hardware failure.  Blow it away or replace the faulty part and restore the data from backup: One procedure that you test often enough to be sure that it works, rather than hours of fucking about and still not being sure that the malware is gone.


Anyway, the NHS IT bods already know what they're doing.  They just don't have the resources to do things properly on the massive scale involved.  I'm sure as much of that is structural, as well as budgetary.



It was only a matter of time before something like this happened.  And the NHS is just the canary, on account of the newsworthiness of a large failure.
Title: Re: That ransomware attack
Post by: Asterix, the former Gaul. on 13 May, 2017, 04:21:34 pm
It's a lot bigger than just our NHS.

MS bear some of the blame IMO. 

Quote
Many jobs can be done using software everyone can buy, but some businesses need programs that perform very specific jobs - so they build their own.
For example, a broadcaster might need specialist software to track all the satellite feeds coming into the newsroom, and a hospital might need custom-built tools to analyse X-ray images.
Developing niche but useful software like this can be very expensive - the programming, testing, maintenance and continued development all adds up.
Then along comes a new version of Windows, and the software isn't compatible.

Years ago we built an information system based on DOS.  Fine until MS dropped DOS.  Then our expensive application was toast.  So was the company providing the intermediate programs.  That would have cost millions.  MS simply couldn't care less.
Title: Re: That ransomware attack
Post by: Bledlow on 13 May, 2017, 04:30:38 pm
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?
Are you saying that software wears out? Interesting. Could you explain the process, please?

I'd be happy to be able to pay a reasonable amount & have up to date security patches, instead of having to get all-new software with built-in downgrades & bugs, but I can't. I'd also like the option to buy minor upgrades at a reasonable price, but again, that's not offered.
Title: Re: That ransomware attack
Post by: Pickled Onion on 13 May, 2017, 04:35:12 pm
[ETA: reply to Kim]

Well, yes, and if you're going to rely on computers as a core part of your operation, you have to treat them the same way as you would any other infrastructure you rely on. As you say, it's not just evil hackers, you can have a hardware failure at any point for any number of reasons.

Where I currently work, if my PC went tits-up I'd have a replacement within a maximum of 20 minutes, probably 10, and be back up and working. Granted if a few thousand PCs failed it might be a bit longer (on previous experience somewhere else, about 2 hours).

We had a big DDOS attack yesterday. Was it on the news? Well, no, because
"It was only a matter of time before something like this happened."
so there were procedures in place and barely anyone outside tech operations even noticed.

ETA: Amber Rudd has just said the attack was "unprecedented". Maybe so, but it shouldn't have been "unexpected".
Title: Re: That ransomware attack
Post by: mrcharly-YHT on 13 May, 2017, 04:40:57 pm
It's a lot bigger than just our NHS.

MS bear some of the blame IMO. 

Quote
Many jobs can be done using software everyone can buy, but some businesses need programs that perform very specific jobs - so they build their own.
For example, a broadcaster might need specialist software to track all the satellite feeds coming into the newsroom, and a hospital might need custom-built tools to analyse X-ray images.
Developing niche but useful software like this can be very expensive - the programming, testing, maintenance and continued development all adds up.
Then along comes a new version of Windows, and the software isn't compatible.

Years ago we built an information system based on DOS.  Fine until MS dropped DOS.  Then our expensive application was toast.  So was the company providing the intermediate programs.  That would have cost millions.  MS simply couldn't care less.
Actually, that isn't really true.

Windows in general, version to version, is very good at providing backwards compatibility. You want terrible support for backwards compatibility? Try any Apple OS. Or, try Linux.

Linux is *awful* at backwards compatibility. So, your application used a particular version of libusb to address that medical device? Tough shit, we've moved on to a new version in the latest Ubuntu, CentOS is still using the old version and who knows what that other version of Linux is going to load. Better get someone to write 5 sets of instructions on how to wrangle multiple versions of libusb onto *your* flavour of Linux.
 Or just google it. Stackoverflow is full of questions and answers on this subject because every sysadmin around spends their nights crying or having screaming nightmares about fixing just this problem.
Title: Re: That ransomware attack
Post by: TimO on 13 May, 2017, 04:53:35 pm
...

ETA: Amber Rudd has just said the attack was "unprecedented". Maybe so, but it shouldn't have been "unexpected".

This.

There's nothing terribly wrong with keeping old systems operational, to ensure compatibility with essential software.  I have systems which are based on DOS 3, and which I need to keep available, just in case we need to test a patch for an instrument that was launched in 2000, and built and tested some time prior to that.

There's a lot wrong with keeping those sort of systems attached to the Internet, with no isolation.  If you must connect an unpatched legacy system to the Internet, there are ways to do it, which admittedly are going to be complicated and expensive.  That cost has to be equated against the cost of updating.

Rarely are these requirements for updating entirely unexpected, and we know that all software has a cost in maintenance, but all too often people don't want to pay these costs.
Title: Re: That ransomware attack
Post by: Bledlow on 13 May, 2017, 04:54:21 pm
I once spent 6 months modifying systems for a Dutch health insurer so they'd work on a new mainframe OS. But that was in the days when systems were largely bespoke, & most of the world didn't run on software.
Title: Re: That ransomware attack
Post by: Asterix, the former Gaul. on 13 May, 2017, 05:01:48 pm
It's a lot bigger than just our NHS.

MS bear some of the blame IMO. 

Quote
Many jobs can be done using software everyone can buy, but some businesses need programs that perform very specific jobs - so they build their own.
For example, a broadcaster might need specialist software to track all the satellite feeds coming into the newsroom, and a hospital might need custom-built tools to analyse X-ray images.
Developing niche but useful software like this can be very expensive - the programming, testing, maintenance and continued development all adds up.
Then along comes a new version of Windows, and the software isn't compatible.

Years ago we built an information system based on DOS.  Fine until MS dropped DOS.  Then our expensive application was toast.  So was the company providing the intermediate programs.  That would have cost millions.  MS simply couldn't care less.
Actually, that isn't really true.

Windows in general, version to version, is very good at providing backwards compatibility. You want terrible support for backwards compatibility? Try any Apple OS. Or, try Linux.

Linux is *awful* at backwards compatibility. So, your application used a particular version of libusb to address that medical device? Tough shit, we've moved on to a new version in the latest Ubuntu, CentOS is still using the old version and who knows what that other version of Linux is going to load. Better get someone to write 5 sets of instructions on how to wrangle multiple versions of libusb onto *your* flavour of Linux.
 Or just google it. Stackoverflow is full of questions and answers on this subject because every sysadmin around spends their nights crying or having screaming nightmares about fixing just this problem.

Just because other systems are worse..

Anyway, I read now that the vulnerability is in SMB1 (Server Message Block v1).  It is a Windows Feature. Nobody should use it or run it.

Quote
The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle.

My W10 is updated asap.  The last was installed 10 May.  I've just checked and SMB1 was still extant.  It isn't now.
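
An added example, not part of the post above or of any Microsoft script: one way to make the check the poster describes on a Windows 8.1 or Windows 10 machine from an elevated PowerShell prompt, look at who still connects over SMB1, and then turn it off. The function names `Get-Smb1Status`, `Get-Smb1AuditEvents` and `Disable-Smb1` are invented for this example; SMB1 access auditing is assumed to be available (Windows 10 / Server 2016 or later).

```powershell
#Requires -RunAsAdministrator
# Added example: audit and disable SMBv1 on one Windows host.
# Function names are hypothetical; the cmdlets called are the built-in
# SmbShare and DISM module cmdlets.

function Get-Smb1Status {
    # Server side: does this machine still accept SMB1 connections?
    $server = Get-SmbServerConfiguration

    # The optional feature that carries the SMB1 client and server binaries.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                   -ErrorAction SilentlyContinue
    $featureState = 'NotPresent'
    if ($feature) { $featureState = [string]$feature.State }

    # Client side: the SMB1 redirector driver. Start = 4 means disabled.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
               -ErrorAction SilentlyContinue
    $drvStart = $null
    if ($drv) { $drvStart = $drv.Start }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = [bool]$server.EnableSMB1Protocol
        ServerSmb2Enabled = [bool]$server.EnableSMB2Protocol
        FeatureState      = $featureState
        ClientDriverStart = $drvStart
    }
}

function Get-Smb1AuditEvents {
    # Lists recent SMB1 connections logged by the server (event ID 3000),
    # so legacy clients can be found before SMB1 is switched off.
    # Auditing must first be enabled with:
    #   Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    param([int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'
        Id      = 3000
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Disable-Smb1 {
    # Turns off the SMB1 server and removes the optional feature.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
            -NoRestart | Out-Null
        # Removing the feature only completes after the next reboot.
    }
}

# Report the current state, show any logged SMB1 clients, preview the change.
$status = Get-Smb1Status
$status | Format-List
Get-Smb1AuditEvents | Format-Table -AutoSize -Wrap

if ($status.ServerSmb1Enabled -or $status.FeatureState -eq 'Enabled') {
    Disable-Smb1 -WhatIf    # remove -WhatIf to apply
}
```

Run `Get-Smb1Status` again after the reboot; `ServerSmb1Enabled` should be `False` and `FeatureState` should read `Disabled`.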
Title: Re: That ransomware attack
Post by: mrcharly-YHT on 13 May, 2017, 05:18:19 pm
Maybe SMB1, a should-be-defunct, old, vulnerable service is still there because MS were requested to still include it to support old, should-be-updated-or-replaced software?

I'm not claiming MS are good, just that they actually make more effort to include backwards support and compatibility than many other OS's. That leaves the Windows OS open to exploits.
Title: Re: That ransomware attack
Post by: Pickled Onion on 13 May, 2017, 05:21:36 pm
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?
Are you saying that software wears out? Interesting. Could you explain the process, please?
What I said is that software requires maintenance.

It's not a secret. If you're lucky the vendor will maintain it for several years, included in the original purchase price. Or they may require an annual fee. I'm struggling to think of an example of *anything* created by a human that would last forever without maintenance.


Quote
I'd be happy to be able to pay a reasonable amount & have up to date security patches, instead of having to get all-new software with built-in downgrades & bugs, but I can't. I'd also like the option to buy minor upgrades at a reasonable price, but again, that's not offered.

Quantify "reasonable amount". If you're one of the last dozen users of Chucky Egg on FlexOS 1.31 how much would it cost to offer you up to date patches? Perhaps it would make more financial sense to use software a lot of other people are using and spread the cost? Perhaps you think my children should go barefoot because, well, software is software, it's not real stuff like food or bikes.
Title: Re: That ransomware attack
Post by: Morat on 13 May, 2017, 06:14:51 pm
The part of all this that sticks in my throat is that MS have already offered a patch to XP now that the exploit is being abused. This suggests to me that either they had the patch ready to roll out or it was a relatively simple fix. In each case they should have released the damn thing BEFORE thousands of systems were infected with potentially life threatening effect.
MS are a company that exists to make money. I get that. They still have responsibilities and should be held to account in some way for allowing their software to be compromised on such a massive scale apparently through choice.
Title: Re: That ransomware attack
Post by: Jaded on 13 May, 2017, 06:20:56 pm
Of course they should have offered it before, and most likely most of the NHS would have installed it.

M$ want money for new installs, so they make it difficult for older users. The problem with this approach is the huge capital lumps required every so often to provide new installs. Plus the monstrous time and effort involved in a large roll-out.

I'll bet that M$ aren't so quick to hold back serious patches for legacy systems like this in the future.
Title: Re: That ransomware attack
Post by: Kim on 13 May, 2017, 06:26:03 pm
If they're not going to support it, maybe they should be compelled to open source it?[1]  Disney would never stand for that sort of abuse of copyright law, thobut.


[1] I appreciate this would cause half the world to switch to FreeXP immediately, making a huge dent in their bottom line.  I wouldn't be surprised if they were sitting on a fully functional Linux version of MS Office for the same reason.
Title: Re: That ransomware attack
Post by: Morat on 13 May, 2017, 06:43:46 pm
Well if they are serious about W10 being the final release with features being introduced as patches (that's how I read https://www.theverge.com/2015/5/7/8568473/windows-10-last-version-of-windows) then hopefully the whole rigmarole of reinstalling your applications to new server builds will be a grim memory. Not that it'll help much if you don't keep your applications tested against the latest Windows Updates.
Title: Re: That ransomware attack
Post by: Ham on 13 May, 2017, 06:59:51 pm
The issue is much simpler, and driven by each and every one of us. We all want to make happy use of Moore's law, we are all far less tolerant of issues caused by IT, we all want more for less. Functionally, DOS 2.1 with Supercalc and Wordstar would be perfect, eh?

That continual drive for faster, better, easier has a price to pay. Microsoft are dominant and therefore have to shoulder responsibility for the systems they sell, but actually they don't make too bad a fist out of it, much as I loathe, hate and despise them, up against Larry Ellison or Apple they are of a piece - possibly on slightly higher ground. But then, they make a change like removing the option to update or not making updates compulsory, and everyone is up in arms.

So anyway, systems will continue to improve and it is not unreasonable for any supplier to charge for new versions (MS is moving to a subscription model), but that's only the OS side of the story. Over that, there's the middleware and the application, each of which will have their own vulnerabilities and upgrade path.

Right at the sharp end is the application vendor, who effectively integrates and supports the whole thing. Those applications are what you, the end user experiences. Doesn't matter how complex the system is, you just want it to work. And importantly, carry on working. That's where software maintenance comes in. Except that maintenance only covers that version, never the upgrade. And organisations like NHS would be penalised if they tried to salt away money for the next version (even if they could afford it). Simply, in public finance you use it or lose it. Plus, the overwhelming majority of businesses I see, whatever sector, never invest ahead in the "next version", if you are lucky they will cover hardware refresh.

So, why does anyone expect any different outcome?
Title: Re: That ransomware attack
Post by: Afasoas on 13 May, 2017, 07:15:50 pm
Hmmm. Amber Rudd says this will make the NHS spend money updating its systems. You'd better give it some more money then, Amber!

As for the rolling news yesterday...
I learnt from experts that no protection would have stopped this attack and that ALL operating systems were at risk from this malware. Also that the best approaches might be to restore from back-up or pay the attackers. Except they weren't clear how the NHS could get so many bitcoins together.

At least today's BBC report states it only affects Windows systems, so they seem to have grasped the nature of the threat better than the industry experts they used yesterday.

So much misinformation circulating around the mainstream media. Very little mention of this attack's origins (NSA exploits called Eternalblue and Doublepulsar).
This was patched in March. The Conservatives shouldn't have ended their extended support agreement with Microsoft. Any machines running XP to support, for example, MRI scanners (legacy) should have been segmented into their own networks, with much stricter security and checks and balances on data shared with mainstream systems.

And honestly, I don't blame Microsoft for this. XP is very old and they shouldn't support it, no matter how hard organisations beg them to. A codebase has a lifespan, over time it gets harder and more expensive to maintain/patch properly/regression test. We should accept that and move on. It wasn't a surprise when DOS disappeared. As it wasn't a surprise that XP is no longer supported. I wouldn't expect the manufacturer of my similarly aged car to make a recall to address a defect, what with so few of them left on the road, so why should I expect it from Microsoft?
Title: Re: That ransomware attack
Post by: Jaded on 13 May, 2017, 07:39:02 pm
So, why does anyone expect any different outcome?

It's quite simple, as you say.

If M$ would like the future HUGE business of the NHS, look after them until they are ready to change. If they don't care about that future business, then cast them adrift. Understand your customers and their needs. Don't treat them as a stupid cash cow (that's you Adobe, that is).
Title: Re: That ransomware attack
Post by: mrcharly-YHT on 13 May, 2017, 08:09:34 pm
NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.
Title: Re: That ransomware attack
Post by: Greenbank on 13 May, 2017, 09:06:25 pm
I'd be happy to be able to pay a reasonable amount & have up to date security patches, instead of having to get all-new software with built-in downgrades & bugs, but I can't. I'd also like the option to buy minor upgrades at a reasonable price, but again, that's not offered.

You can do exactly this, it's called updating your operating system. Generally it's not as expensive as buying a full blown copy of the latest Windows release each time it comes out, MS offer such upgrades at a much reduced cost, but I guess it's still probably more than you are prepared to pay (although MS recently updated many people to Windows 10 for free).

Sure, they break backwards compatibility often, it won't affect 99% of the applications/users, but sometimes it is just impossible to maintain it; it often relies upon third party software that is beyond their control.

Just remember that each new Windows release is just the same software as the previous release but with a few more features, bumped up revision numbers, tweaks to the visual components, a load of bugs fixed, a load of new bugs added and some old crap that they don't want to deal with any more deprecated. It's not a complete rewrite each time; probably >98% of the code of a new release is the same as in the previous release. The reason they had to patch every Windows version when this vulnerability was found is because they all share the same implementation that is susceptible.

The majority of people don't keep their machines up to date because the update installation mechanism represents poor user experience (long slow downloads, reboot requests at inappropriate times, long downtime during reboots, etc) and so people often disable it or put it off as much as they can. People don't upgrade the OS because they don't want to pay that cost, they're happy with what they already run and don't want to have to go through a period of getting to know the new GUI trickery.

My W10 is updated asap.  The last was installed 10 May.  I've just checked and SMB1 was still extant.  It isn't now.

The underlying protocol isn't a problem, it was their implementation of it. They've patched their dodgy implementation so it is, in theory, safe to run. Of course, there could be yet another vulnerability out there in their implementation that no-one has discovered yet and could be used for exactly the same purpose; just as there could be plenty of undiscovered vulnerabilities in any of the parts of Windows you can't disable because they are really bits of it that you do use regularly. Minimising the attack surface is a good idea, but it doesn't render you impervious.

Some security solutions have been implemented; things like Windows Defender and fairly freely available anti-Virus software from many of the commercial anti-Virus companies, but on the flip side, email clients which let you freely click on anything, poorly secured things like Shockwave via web-browsers, and Windows networking, have all made it far too easy for the average user to become infected.

The irony is that Windows Defender and pretty much all of the anti-virus solutions are riddled with vulnerabilities. They're just as insecure as any other type of software.

Here's one from just 4 days ago that affected Windows Defender: https://arstechnica.co.uk/information-technology/2017/05/windows-defender-nscript-remote-vulnerability/

It required no user interaction at all and could compromise the machine it was running on.

Writing secure software is very very hard.
Title: Re: That ransomware attack
Post by: Kim on 13 May, 2017, 09:26:09 pm
The majority of people don't keep their machines up to date because the update installation mechanism represents poor user experience (long slow downloads, reboot requests at inappropriate times, long downtime during reboots, etc) and so people often disable it or put it off as much as they can. People don't upgrade the OS because they don't want to pay that cost, they're happy with what they already run and don't want to have to go through a period of getting to know the new GUI trickery.

There's a lot of truth here, at least outside large organisations where the end users don't get a choice in the matter.

Windows Update was historically annoying enough that users disabled it and never applied updates.  So in their infinite wisdom, instead of actually fixing the problem, Microsoft went to the other extreme and made it much harder to avoid, leading to nagging and compulsory reboot horrors.

It's not that hard.  Most modern Linux distributions manage to apply updates almost completely transparently (there's obviously some resource overhead involved in downloading and installing the update, but there's generally less bloat involved, which helps).  Reboots are only required for kernel updates, and those can be postponed indefinitely.  Of course, Linux package managers have the distinct usability advantage of being able to manage the third-party software too.  Same goes for Android and iOS, and presumably OSX.

Major updates carry a risk of breaking something on any platform.  It's understandable that end users with mission critical computers and no easy way of testing avoid them...
Title: Re: That ransomware attack
Post by: Mr Larrington on 14 May, 2017, 12:46:29 pm
I'm still trying to figure out Windows 10 updates.  The PC in the Estate Office had a big update the other day, but it hasn't yet shown up on the one in the Great Hall ???
Title: Re: That ransomware attack
Post by: barakta on 14 May, 2017, 01:02:21 pm
I have a Win 10 install with a buggered Windows Update (don't know how long for cos I only use it once every few weeks for the Scanner and ProperCraprobatTM) which I couldn't work out how to fix mid-preparing for a job interview 2 weeks ago.

I am still using a WinXP notebook cos it has the last remaining decent (accessible to me) keyboard of a portable device. I occasionally manually mount an SMB share to shove documents onto my /home on our server.

I'm waiting for Kim to be properly awake so she can disable the Samba server on our network and anything else security precaution wise so I can apply the Patch to the XP device and go and hit the Win 10 install (other half of the hard disk running my preferred Debian OS) with sticks till I can fix it without risking other stuff on the network...
Title: Re: That ransomware attack
Post by: Polar Bear on 14 May, 2017, 01:19:27 pm
A timely reminder for me to do some housekeeping.   

All critical stuff is backed up in three places.  A machine can be bombed as there are other machines available to me now should I need them.
Title: Re: That ransomware attack
Post by: Ben T on 14 May, 2017, 09:06:00 pm
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?

To me, it's on a par with, and similarly reprehensible as, serving patients out of date food.
Title: Re: That ransomware attack
Post by: Cudzoziemiec on 14 May, 2017, 09:15:18 pm
The odd thing to my mind is that the hackers demanded £300 (in bitcoin) to release all the data. Perhaps that meant £300 per machine or possibly it was a totally made up figure but it was reported (Friday) as £300 from the whole NHS. Ridiculously cheap surely?
Title: Re: That ransomware attack
Post by: Kim on 14 May, 2017, 09:19:43 pm
The demand was per-machine.  They wouldn't have known what they were infecting.

As of yesterday, they'd received all of $26000 total.  Small change for the chaos caused.

https://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/
Title: Re: That ransomware attack
Post by: Jaded on 14 May, 2017, 09:52:31 pm
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?

To me, it's on a par with, and similarly reprehensible as, serving patients out of date food.

Stick to whatever it is you do. The comparison is risible.
Title: Re: That ransomware attack
Post by: Kim on 14 May, 2017, 09:57:25 pm
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?

To me, it's on a par with, and similarly reprehensible as, serving patients out of date food.

Stick to whatever it is you do. The comparison is risible.

It's not a bad metaphor for failing to keep systems up to date, thobut.
Title: Re: That ransomware attack
Post by: Feanor on 14 May, 2017, 10:08:13 pm
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected  network?

The military have some pretty robust protocols for this stuff.



Title: Re: That ransomware attack
Post by: Jaded on 14 May, 2017, 11:12:09 pm
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?

To me, it's on a par with, and similarly reprehensible as, serving patients out of date food.

Stick to whatever it is you do. The comparison is risible.

It's not a bad metaphor for failing to keep systems up to date, thobut.

It is risible.
Title: Re: That ransomware attack
Post by: Ben T on 14 May, 2017, 11:32:10 pm
What's risible is if I go into a hospital, give them data about my health in good faith, and they proceed to blithely elect to input it into an operating system that's 15 years old and out of support.
Title: Re: That ransomware attack
Post by: Jaded on 14 May, 2017, 11:39:20 pm
The 15 year old operating system is not holding the data. If it was there'd be a real problem.

It is 15 years old because of the way we treat the NHS. It's a political football and people love it that way. Kick the Reds. Kick the Blues. Get votes!!

Comparing a bed with a computer is risible. Utterly risible.
Title: Re: That ransomware attack
Post by: Asterix, the former Gaul. on 15 May, 2017, 07:49:36 am
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected  network?

The military have some pretty robust protocols for this stuff.

Agreed.  Software can have a lifespan way beyond the rather transient versions of Microsoft's operating system. It might need to last for decades and be far too complex to undergo any form of revision. 

The big idea at the moment is the 'internet of things' whereby all sorts of devices are to be controllable over the internet.  It's a development with huge potential but now it's apparent it also carries huge risks unless a concerted effort is made to design systems with a coherent resistance to cyber attacks.

Microsoft, having successfully made Windows so universal, has a major obligation to fulfil in that regard.  It's time for them to grow up.
Title: Re: That ransomware attack
Post by: mrcharly-YHT on 15 May, 2017, 08:09:43 am
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected  network?

The military have some pretty robust protocols for this stuff.
The MRI machine will be networked so that the image taken by the machine can be sent to the consultant for viewing. Should be some pretty gnarly firewalls in place between anything winXP and general network, and I'd hope that the connection is via, say, a Linux server. But setting that up requires really good planning by good IT staff. That all costs.
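
The layout discussed in this thread (legacy XP devices on their own network, with traffic allowed only to a relay server behind a firewall) can be checked against observed traffic. The following is an added example, not code from any poster: a Python audit of flow records in which the subnet, relay address, relay port and log format are all assumptions and the sample records are constructed.

```python
# Added example: audit flow records against a segmentation policy for a
# legacy device network. Every address, port and log line is constructed.
import ipaddress
from typing import List, NamedTuple, Tuple

LEGACY_NET = ipaddress.ip_network("10.20.30.0/24")  # assumed XP/scanner VLAN
RELAY_HOST = ipaddress.ip_address("10.20.40.5")     # assumed relay server
RELAY_PORT = 22                                     # assumed: images pushed over SFTP
SMB_PORTS = {139, 445}                              # NetBIOS session service, SMB over TCP

ALLOWED = "allowed"
OUT_OF_SCOPE = "out-of-scope"
INTRA = "intra-segment"
SMB_CROSSING = "VIOLATION: SMB crosses the segment boundary"
NOT_LISTED = "VIOLATION: flow is not on the allow-list"
UNPARSEABLE = "VIOLATION: unparseable record"


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a 'src dst dport' record; raises ValueError on anything else."""
    src, dst, dport = line.split()
    port = int(dport)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), port)


def classify(flow: Flow) -> str:
    """Judge one flow against the boundary policy of the legacy segment."""
    src_legacy = flow.src in LEGACY_NET
    dst_legacy = flow.dst in LEGACY_NET
    if not (src_legacy or dst_legacy):
        return OUT_OF_SCOPE
    if src_legacy and dst_legacy:
        # Traffic that never leaves the segment is outside a boundary policy.
        return INTRA
    if flow.dport in SMB_PORTS:
        # SMB must never cross the boundary, in either direction.
        return SMB_CROSSING
    if src_legacy and flow.dst == RELAY_HOST and flow.dport == RELAY_PORT:
        return ALLOWED
    # Everything else, including connections initiated into the segment.
    return NOT_LISTED


def audit(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, verdict) for every record that breaks the policy."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            verdict = classify(parse_flow(line))
        except ValueError:
            # A record the auditor cannot read is reported, not skipped.
            verdict = UNPARSEABLE
        if verdict.startswith("VIOLATION"):
            findings.append((lineno, verdict))
    return findings


# Constructed sample records: src dst dport
SAMPLE_LOG = """\
10.20.30.11 10.20.40.5 22
10.20.30.11 10.20.30.12 445
10.50.1.77 10.20.30.11 445
10.20.30.12 203.0.113.9 53
10.50.1.77 10.20.40.5 443
10.20.30.11 10.20.40.5 445
not-a-flow-record
"""

if __name__ == "__main__":
    for lineno, verdict in audit(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}")
```

A boundary policy like this says nothing about spread between unpatched machines inside the segment, which is why the intra-segment record is reported separately from the violations.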
Title: Re: That ransomware attack
Post by: Ham on 15 May, 2017, 08:15:12 am
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected  network?


The MRI scanner doesn't need to be connected to the Internet, but the data needs to be accessed by people who do, there's your weakness. Citrix/VDI has a place here but who will pay for it? Plus, it's another layer that needs to be kept up to date. Oh, and as I touched on earlier IME most "critical" systems do have reasonable security and backup procedures. For example, they may have resilient data, backup/archive + third copy of data, "just in case". If you had to speculate that would be in the private sector, it doesn't come free.
Title: Re: That ransomware attack
Post by: Asterix, the former Gaul. on 15 May, 2017, 08:56:53 am
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected  network?

The military have some pretty robust protocols for this stuff.
The MRI machine will be networked so that the image taken by the machine can be sent to the consultant for viewing. Should be some pretty gnarly firewalls in place between anything winXP and general network, and I'd hope that the connection is via, say, a Linux server. But setting that up requires really good planning by good IT staff. That all costs.

Yup, internet of things.  Machine to machine interfaces (M2M):

 
Quote
Demand for wireless connected electronic devices is being driven by the desire for a future where every day physical objects are connected to the internet and are able to identify themselves to other devices.

Areas include

Automotive
Industrial processes
Healthcare
City management
Home management
Security
Asset management (physical assets like MRI scanners, presumably).

We seem to have a big blind spot WRT the way the internet is developing away from our own monitors.  It's not just there to provide human interactions any more.  Initially its development was hampered by limited IP addresses but since IPv6 massively extended the number of addresses available M2M became realistic.  Within the last few years.  Any sophisticated machine will be designed with that in mind.
Title: Re: That ransomware attack
Post by: ian on 15 May, 2017, 09:23:35 am
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected  network?


The MRI scanner doesn't need to be connected to the Internet, but the data needs to be accessed by people who do, there's your weakness. Citrix/VDI has a place here but who will pay for it? Plus, it's another layer that needs to be kept up to date. Oh, and as I touched on earlier IME most "critical" systems do have reasonable security and backup procedures. For example, they may have resilient data, backup/archive + third copy of data, "just in case". If you had to speculate that would be in the private sector, it doesn't come free.

MRI scanners were a lot more secure when you could only get the data off them in some proprietary format that seems vaguely related to Philips videodisc. Even the consultants couldn't access them. (Actually, that might be a CAT scan, but the principle remains.)

Modern life innit. Several weeks back I discovered I could only approve a purchase using IE8 on Windows. Some SAP nonsense but having seen the cost for such implementations (HOW MUCH!), I can kind of understand why.

As for system updates, they're still too painful. I don't use Windows any more, but I can imagine it's not changed. I fired up a Xubuntu box the other week for the first time in a couple of months. A bazillion updates greeted me. Of course, the updates failed, presumably because they needed to be done in a particular order. Mac is a bit better for small stuff (they just happen) but it still likes to occasionally demand I download 2 GB and restart. You can see people might put that off (though it'll do in powernap, if it's in the mood and doesn't have a headache). In the 30-odd years since we dipped our toes in with Windows 3.1 they've still not figured out a seamless update process and we're still telling users not to do things they'll obviously do (what, don't click this attachment?).
Title: Re: That ransomware attack
Post by: Riggers on 15 May, 2017, 09:31:01 am
^
Your avatar seems appropriately apposite, given the subject matter.
Title: Re: That ransomware attack
Post by: Asterix, the former Gaul. on 15 May, 2017, 10:43:21 am
^
Your avatar seems appropriately apposite, given the subject matter.



Quote
Health secretary Jeremy Hunt was warned last summer that NHS organisations were at risk of cyber attacks.

The national data guardian Dame Fiona Caldicott and the Care Quality Commission assessed the cybersecurity of 60 hospitals, GP surgeries and dental practices at the request of Mr Hunt.

They said the external cyber threat was becoming a “bigger consideration” as the NHS switched from paper to digital medical records and systems.

They warned of increasing numbers of unsolicited emails containing "malware" or hidden software, designed to cause harm, in global circulation.

Their report last July made a number of recommendations, including the advice that “computer hardware and software that can no longer be supported should be replaced as a matter of urgency”.

We have to treat IT a bit more seriously.  One thing MS is right about, it is a 'wake up call' but in a sense they are purveyors of legalised ransomware.  i.e. if you don't buy our latest software the hackers are gonna come for you.
Title: Re: That ransomware attack
Post by: DuncanM on 15 May, 2017, 11:13:05 am
I think that attacking Microsoft for "ransomware" is absurd.
They built a product, released it in 2002, and supported it (for free) until 2009.  At that point, they put it in "Extended Support", meaning that it would get security patches but little else, and announced that it would go out of support completely in 2014. They built special migration tools, they had popups that say when support ended, and did everything they could to push people to migrate. For those large organisations that were unable to upgrade, they offered an extended life support package which has security updates in the same manner as supported software.
This all seems very reasonable to me?
The government decided that the NHS didn't need to pay for extended support. The government decided that the MoD did need to pay for extended support.
Those decisions caused this issue to occur in the NHS, not Microsoft.
It is entirely consistent with the spending decisions that this government has made - cutting NHS funding as a percentage of GDP while increasing defense spending as a percentage of GDP  - any comment on that belongs in the Politics board (which I banned myself from many years ago in order to keep my job!).
Title: Re: That ransomware attack
Post by: Polar Bear on 15 May, 2017, 11:56:35 am
Except of course circumstances dictate that not everybody can afford to migrate.   The costs of replacing not just an OS but computers, peripherals and other software can make the exercise totally unaffordable.   

Security trumps everything else.   Microsoft cannot blame others for the holes in their colander.
Title: Re: That ransomware attack
Post by: ian on 15 May, 2017, 12:17:22 pm
Well, of course it's not totally unaffordable. Things cost what they cost, you gauge the risks of not making the investment. Blaming Microsoft is a bit silly, of course they want people to pay to upgrade, that's their business model. Not providing free support for the now ancient XP.
Title: Re: That ransomware attack
Post by: DuncanM on 15 May, 2017, 01:25:27 pm
Except of course circumstances dictate that not everybody can afford to migrate.   The costs of replacing not just an OS but computers, peripherals and other software can make the exercise totally unaffordable.   

Security trumps everything else.   Microsoft cannot blame others for the holes in their colander.

If the cost of upgrading all your peripherals is unaffordable, and the cost of extended support is also unaffordable, then you cannot afford to keep your systems on the internet. If security trumps everything else, then air-gap the relevant machines - the only reason an MRI scanner needs to be online is because it's a convenient way to move the results about. So in that case, convenience and responsiveness has been regarded as a higher priority than security.
The NHS is massive, and upgrading the IT infrastructure is a mammoth project.  If you're going to take the view that you update IT systems as they reach the natural end of life (maybe when the MRI machine is replaced) then that means migration is going to happen over a long period and you should pay the support bill as a cost of taking that upgrade approach.
Title: Re: That ransomware attack
Post by: Polar Bear on 15 May, 2017, 01:44:49 pm
Except of course circumstances dictate that not everybody can afford to migrate.   The costs of replacing not just an OS but computers, peripherals and other software can make the exercise totally unaffordable.   

Security trumps everything else.   Microsoft cannot blame others for the holes in their colander.

... convenience and responsiveness has been regarded as a higher priority than security.
..

I disagree.

I ask you to consider what an MRI scanner is for.   You might change your opinion somewhat if you or somebody you love is in urgent need of such a scanner.   It's not a choice of convenience at all, it's making do with the equipment available to best treat as many people in need as possible.   

Of course, there will be people here who can afford or who have provision to go private.   Does this mean that their lives are of greater value to humankind than those who cannot go private?   Who is going to make the decision to pull the treatment and potentially sentence the patient to death?   It certainly will not be one of the politicians or administrators as they will be busy distancing themselves and trying to remain out of the line of fire. 

As Jaded rightly pointed out upthread, the NHS is a perfect example of how being a political football forces them to make risk decisions that are exactly that, risks.   Would we prefer a selection process based purely on ability to pay? 

Well, of course it's not totally unaffordable. Things cost what they cost, you gauge the risks of not making the investment. Blaming Microsoft is a bit silly, of course they want people to pay to upgrade, that's their business model. Not providing free support for the now ancient XP.

ian tells us that in fact it's not unaffordable so perhaps we should be making choices over the next few weeks to ensure that the people in power are making the choices that we'd prefer even if it does mean ditching "a safe pair of hands".

By the way, I didn't actually blame Micro$haft: 

Except of course circumstances dictate that not everybody can afford to migrate.   The costs of replacing not just an OS but computers, peripherals and other software can make the exercise totally unaffordable.   

Security trumps everything else.   Microsoft cannot blame others for the holes in their colander.
Title: Re: That ransomware attack
Post by: andyoxon on 15 May, 2017, 01:48:04 pm
So have the govt been guilty of spending mammoth amounts on IT consultants in failed patient data projects, and neglected basic new computing infrastructure?
Title: Re: That ransomware attack
Post by: Polar Bear on 15 May, 2017, 02:06:51 pm
Quite possibly.

More importantly, effective risk management seems to be missing.  One doesn't simply do the risk assessment at the outset but it needs to be visited on an ongoing basis.  I suspect that the real problem is lack of money though and the risk, if it was ever graded such became an issue.

I would be interested to know exactly what Jeremy Hunt knew about the risks faced by the NHS IT systems before this happened.
Title: Re: That ransomware attack
Post by: MikeFromLFE on 15 May, 2017, 02:46:24 pm
Quite possibly.

More importantly, effective risk management seems to be missing.  One doesn't simply do the risk assessment at the outset but it needs to be visited on an ongoing basis.  I suspect that the real problem is lack of money though and the risk, if it was ever graded such became an issue.

I would be interested to know exactly what Jeremy Hunt knew about the risks faced by the NHS IT systems before this happened.
It's quite a few (~6) years since I left my NHS post which had Risk Management at its heart, but IT was - frankly - a mess in the Trust that I worked in.
The risk assessment processes associated with IT were crude, and at a basic level - possibly not helped by a very senior management approach to risk assessments in non-clinical (i.e. non-patient facing) areas that 'encouraged' the assessments to be played down, possibly with an eye on the financial bottom line. Equally the IT management were somewhat insular when it came to engaging with the more holistic risk assessment systems used in the Trust - the attitude being along the lines of 'this is far too complicated for you to worry your little heads about it'.
The IT support was latterly staffed almost entirely with contract staff who always seemed to be working for our Trust 'in between jobs', leading to a lack of continuity. I got the impression that the few permanent senior staff were well-meaning, but powerless in the face of twin attacks from rapidly developing technology, and from an unsympathetic purely clinically focused board.
The staff - in this Trust, and probably most others - that managed risk, focused on learning from critical incidents, and took recommendations to the Top Table have (apparently) been cut back to almost nothing - so is it surprising that this event has had the effects it has, and that the boards of the Trusts were so taken aback?


Title: Re: That ransomware attack
Post by: Bledlow on 15 May, 2017, 02:59:47 pm
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?
Are you saying that software wears out? Interesting. Could you explain the process, please?
What I said is that software requires maintenance.

It's not a secret. If you're lucky the vendor will maintain it for several years, included in the original purchase price. Or they may require an annual fee. I'm struggling to think of an example of *anything* created by a human that would last forever without maintenance.


Quote
I'd be happy to be able to pay a reasonable amount & have up to date security patches, instead of having to get all-new software with built-in downgrades & bugs, but I can't. I'd also like the option to buy minor upgrades at a reasonable price, but again, that's not offered.

Quantify "reasonable amount". If you're one of the last dozen users of Chucky Egg on FlexOS 1.31 how much would it cost to offer you up to date patches? Perhaps it would make more financial sense to use software a lot of other people are using and spread the cost? Perhaps you think my children should go barefoot because, well, software is software, it's not real stuff like food or bikes.
Software needs maintenance? Really? Please explain this process. Do you mean that previously unknown faults in it need repair? I cannot believe that you mean that it suffers wear & tear.

I think that you are making what our USian friends call a category error. Software is not like a bicycle. If it does not have faults, it will continue to work as long as the hardware on which it is installed works. 'Maintenance' of software is needed because it has faults, or someone tries to use it wrongly, or it is used in an inappropriate environment.

When a software producer sends out a patch for a security weakness, it is not repairing damage. It is making good a fault, either one which was always present but was previously unknown, or one accidentally introduced by the producer in an earlier patch.

BTW, this is a view formed from the inside, from decades spent working in software development & support.
Title: Re: That ransomware attack
Post by: DuncanM on 15 May, 2017, 03:10:33 pm
Except of course circumstances dictate that not everybody can afford to migrate.   The costs of replacing not just an OS but computers, peripherals and other software can make the exercise totally unaffordable.   

Security trumps everything else.   Microsoft cannot blame others for the holes in their colander.

... convenience and responsiveness has been regarded as a higher priority than security.
..

I disagree.

I ask you to consider what an MRI scanner is for.   You might change your opinion somewhat if you or somebody you love is in urgent need of such a scanner.   It's not a choice of convenience at all, it's making do with the equipment available to best treat as many people in need as possible.   
Responsiveness being the key item as far as the patient is concerned? You can keep the responsiveness and the scanners on XP, by for example, exposing a particular hole in their firewall and ftp all the documents the MRI scans produce to a dedicated document server while keeping the MRI network and the hospital network separate. But then you can't have every machine on the same Active Directory, and that means that password and user management becomes a big headache for IT. Fast, secure, cheap - pick 2. Some trusts picked fast and cheap (worth pointing out that this has affected 60 trusts out of >200 across England and Scotland (couldn't find the Wales numbers)). 

Of course, there will be people here who can afford or who have provision to go private.   Does this mean that their lives are of greater value to humankind than those who cannot go private?   Who is going to make the decision to pull the treatment and potentially sentence the patient to death?   It certainly will not be one of the politicians or administrators as they will be busy distancing themselves and trying to remain out of the line of fire. 

As Jaded rightly pointed out upthread, the NHS is a perfect example of how being a political football forces them to make risk decisions that are exactly that, risks.   Would we prefer a selection process based purely on ability to pay?
Eh? What has that got to do with poor IT provisioning/security?
I believe in the NHS, and I'm sad that these issues have come up because it means that NHS patients have suffered at the worst possible time - it is already a service that is underfunded and suffering. Government IT projects have historically been pretty bad though, and this seems like another example of bad IT practices.
NB it's worth noting that this has caused problems for Nissan and Renault factories, Telefónica, FedEx, Hitachi, and some Spanish bank I can't pronounce, let alone spell, among many others:
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Title: Re: That ransomware attack
Post by: pcolbeck on 15 May, 2017, 03:13:38 pm
In practical terms it's impossible for operating systems and applications to have zero bugs or exploitable weaknesses. MS or whoever writes the code does their best to find and fix problems but it can never be perfect. They are also commercial organisations and can't provide free support and patching forever. I don't particularly like MS but to be fair they gave everyone many years of warning that they would be dropping support for XP, it's not like they gave organisations a week to switch to a newer OS. No company guarantees support for software indefinitely, it would be an unsustainable business model.
Title: Re: That ransomware attack
Post by: Polar Bear on 15 May, 2017, 03:14:53 pm
Ah Bledlow: software is at the whim of its users who try to use it far beyond its design spec.  There are 'faults' but there are also upgrades to stretch previously unanticipated or unbudgeted functionality.  Thus maintenance is an ongoing requirement of software.

MikeFromLFE,

In late 2006 I did a four month contract on the then NHS N3 National Patient Database project.   I was paid handsomely to provide BT in Watford a clean audit on their software Configuration Management in their little chunk of the huge project.   I achieved my target in just three months and in that time I learned so much about the mess of IT in the NHS, specifically how almost every Trust does things differently, how there is no one integrated system, no easy way to pass information between trusts or often even between GPs and hospitals in the same trust, etc., etc., etc.   

The reason N3 was a huge failure imo was that there were too many individual vested interests and no central leadership from the various Health Secretaries who came and went.  Given all that shit ten years back I am only surprised that there have not been more major IT incidents in the NHS.   

DuncanM, it's about spending choices.   Not enough money means that inevitably keeping a machine going with limited budgets and insufficient expertise on matters like IT security will mean that risks are taken.   Spend the money on IT and you cannot treat so many patients.
Title: Re: That ransomware attack
Post by: pcolbeck on 15 May, 2017, 03:16:05 pm
Sophos's advertising took a hit. Compare their website from before and after this weekend:

(https://regmedia.co.uk/2017/05/15/sophos_nhs.jpg)
Title: Re: That ransomware attack
Post by: Feanor on 15 May, 2017, 03:17:29 pm
Software needs maintenance for the reason you have pointed out yourself...

The environment in which it is running changes.
For example, a security protocol that was regarded as good years ago may no longer be regarded as secure, and so updates are required.

This was not a flaw in the original program, it is just a consequence of the environment changing.

In other examples, the OS vendor may make changes to the OS for a variety of reasons, including security.
For example, certain directories that used to be writable by a non-admin user no longer are.
This may mean that programs that previously worked no longer do, and they will require updating.

None of these things are flaws: the programs were written correctly to a perfectly reasonable spec at the time.
But times change, and the software needs to change with it.
Title: Re: That ransomware attack
Post by: DuncanM on 15 May, 2017, 03:23:35 pm
DuncanM, it's about spending choices.   Not enough money means that inevitably keeping a machine going with limited budgets and insufficient expertise on matters like IT security will mean that risks are taken.   Spend the money on IT and you cannot treat so many patients.
Absolutely. More money should be spent on both NHS IT and treating patients (and paying nurses and...). But money is spent on things with minimal clinical benefit, and parts of the system that everyone relies on are left to break.
http://www.lshtm.ac.uk/newsevents/news/2017/englands_cancer_drugs_fund_failing_to_deliver_value.html
A small proportion of £1.27bn over 6 years could have sorted out the IT systems, or at least paid for the ongoing support from MS to stop XP being an issue. That's not going to win any votes though...
Title: Re: That ransomware attack
Post by: Polar Bear on 15 May, 2017, 03:29:56 pm
It might just win some votes now though.
Title: Re: That ransomware attack
Post by: Ham on 15 May, 2017, 03:30:45 pm

Software needs maintenance? Really? Please explain this process. Do you mean that previously unknown faults in it need repair? I cannot believe that you mean that it suffers wear & tear.

I think that you are making what our USian friends call a category error. Software is not like a bicycle. If it does not have faults, it will continue to work as long as the hardware on which it is installed works. 'Maintenance' of software is needed because it has faults, or someone tries to use it wrongly, or it is used in an inappropriate environment.

When a software producer sends out a patch for a security weakness, it is not repairing damage. It is making good a fault, either one which was always present but was previously unknown, or one accidentally introduced by the producer in an earlier patch.

BTW, this is a view formed from the inside, from decades spent working in software development & support.

That's a very telling POV, from someone who has "decades spent working in software development & support"

If it does not have faults. Can you, off the top of your head or with any amount of research think of any executable piece of software created for Windows OS that has not had any faults from its first release? Makes it a bit like saying if it wasn't for the dying thing I could live forever. Correct, but entirely pointless.

Then, the environment in which that software operates requires that it will need continual maintenance. The regulatory environment changes, the OS changes, it needs to be maintained. Things that were never right from the start need fixing when you find out what they are. That's maintenance. Maintaining the product in operation.
Title: Re: That ransomware attack
Post by: clarion on 15 May, 2017, 04:08:43 pm
Changing OS for such a large and disparate organisation as the NHS is a huge operation.

I have experienced a situation recently where we were required to keep IE6 active in order to access certain required websites, so there are drivers from various directions encouraging and deterring change.

The key issues as I see it are:

Underfunding of NHS Trusts has delayed upgrades of IT systems - not only because of the cost of the systems, but also by stripping down IT support to beyond reasonable limits, and leaving inadequate resources.

The decision not to purchase ongoing XP support was made in 2015, not just by the DH, but by the Cabinet Office, who are in charge of cyber-security.

The Health Secretary in 2015 was Jeremy Hunt.

The Cabinet Office Secretary in 2015 was Francis Maude

Title: Re: That ransomware attack
Post by: pcolbeck on 15 May, 2017, 04:19:14 pm
Interestingly the very latest network switches coming out are starting to have security built into the ASICs. This will enable them to detect viruses and ransomware on attached PCs by fingerprinting the traffic flows from them (even if the traffic is encrypted) and then flag the problem or cut off the PC from the network to contain the problem and stop it spreading. This will be a big thing in the next few years what with IoT and the like. Mind you given how long organisations like the NHS sweat their assets for you can probably expect it to be 10 years before they have this kind of infrastructure.
Title: Re: That ransomware attack
Post by: David Martin on 15 May, 2017, 04:25:41 pm
We are a large organisation going through a significant IT upgrade. Changing the network is a two year effort for implementation, let alone planning if you want to keep the business ticking along as it goes.

Planning how to effectively manage patient confidentiality, the security of machines that are vulnerable to cyber attack (where fixing the OS is not feasible), and maintaining staff access and authentication is a huge challenge. It doesn't help that the infrastructure tends to be monolithic and the key know-how is in private hands.
Title: Re: That ransomware attack
Post by: Ham on 15 May, 2017, 04:28:40 pm
Interestingly the very latest network switches coming out are starting to have security built into the ASICs. This will enable them to detect viruses and ransomware on attached PCs by fingerprinting the traffic flows from them (even if the traffic is encrypted) and then flag the problem or cut off the PC from the network to contain the problem and stop it spreading. This will be a big thing in the next few years what with IoT and the like. Mind you given how long organisations like the NHS sweat their assets for you can probably expect it to be 10 years before they have this kind of infrastructure.
What's more, a virtualised environment can identify malware, isolate, clean and bring back online an infected image almost seamlessly.

Whether either server or network based identification/isolation/remediation would work for ransomware, where the infected host is outside the network, is doubtful.
Title: Re: That ransomware attack
Post by: Afasoas on 15 May, 2017, 04:39:38 pm
We are a large organisation going through a significant IT upgrade. Changing the network is a two year effort for implementation, let alone planning if you want to keep the business ticking along as it goes.

Planning how to effectively manage patient confidentiality, the security of machines that are vulnerable to cyber attack (where fixing the OS is not feasible), and maintaining staff access and authentication is a huge challenge. It doesn't help that the infrastructure tends to be monolithic and the key know-how is in private hands.

That's part of the problem isn't it? Batching things up. Organisations that wrap their upgrades into large big projects with many moving parts and massive timescales. In my view it should be more like painting the Forth Bridge, a continual process that's costed up as a necessary overhead of running the business. I'm currently moving us away from big-bang hardware refreshes in our data centres to replacing a tier of infrastructure at a time so that a few boxes get replaced each month rather than replacing the whole lot every 3-5 years.
Title: Re: That ransomware attack
Post by: Ham on 15 May, 2017, 04:45:45 pm
We are a large organisation going through a significant IT upgrade. Changing the network is a two year effort for implementation, let alone planning if you want to keep the business ticking along as it goes.

Planning how to effectively manage patient confidentiality, the security of machines that are vulnerable to cyber attack (where fixing the OS is not feasible), and maintaining staff access and authentication is a huge challenge. It doesn't help that the infrastructure tends to be monolithic and the key know-how is in private hands.

or, more often, just lost in the mists of time. It isn't the infrastructure that causes most of the issues but the applications.

Title: Re: That ransomware attack
Post by: Morat on 15 May, 2017, 07:58:59 pm
I wonder if there's a fault with the way we account for IT assets. In my company, at least, they're written off over 3 or 5 years and after that "Yippee, free" when actually they should start ticking up a liability as they become harder and harder to replace.

I realise it's not a linear increase per annum but I'm sure the beancounters could come up with a generalised formula to show that a depreciated but still functional system should have the potential cost of replacement put against it in the balance sheet. I'd hope there's a DR plan in place, and it should start showing up new risks when a system is running on ancient hardware and/or an unsupported OS.

This might make it easier to justify replacing old kit when it's time to bid for budget. Perhaps?
Title: Re: That ransomware attack
Post by: Asterix, the former Gaul. on 15 May, 2017, 08:18:30 pm
Well, of course it's not totally unaffordable. Things cost what they cost, you gauge the risks of not making the investment. Blaming Microsoft is a bit silly, of course they want people to pay to upgrade, that's their business model. Not providing free support for the now ancient XP.

I have no objection to MS pursuing their business model through fair means but when they start preaching about 'wake up' calls it's a bit rich.

And it is a problem when one provider has us by the proverbials in such a big way and purveys an operating system that is a de facto standard on an increasingly vital resource without accountability and changeable at the whim of MS.

It would be preferable if the standard was set by a non-profit organisation and for there to be numerous offerings that met the standard for better or worse.  It could be a variant of the virtual machine.  MS would then have to toe the line instead of dictating what something as fundamentally important as an OS did or did not do.  How on earth have they got away with it for so long?
Title: Re: That ransomware attack
Post by: dim on 15 May, 2017, 08:39:17 pm
false flag, orchestrated by governments, so as to get more funds to squash the alternative media (who tell the real news about how corrupt the governments are)
(http://static6.businessinsider.com/image/51b8e89ceab8eaa87d000009-1190-625/the-true-origin-of-the-tin-foil-hat-and-why-its-the-stupidest-thing-to-wear-if-youre-paranoid-about-the-government.jpg)
Title: Re: That ransomware attack
Post by: ian on 15 May, 2017, 08:40:05 pm
Well, of course it's not totally unaffordable. Things cost what they cost, you gauge the risks of not making the investment. Blaming Microsoft is a bit silly, of course they want people to pay to upgrade, that's their business model. Not providing free support for the now ancient XP.

I have no objection to MS pursuing their business model through fair means but when they start preaching about 'wake up' calls it's a bit rich.

And it is a problem when one provider has us by the proverbials in such a big way and purveys an operating system that is a de facto standard on an increasingly vital resource without accountability and changeable at the whim of MS.

It would be preferable if the standard was set by a non-profit organisation and for there to be numerous offerings that met the standard for better or worse.  It could be a variant of the virtual machine.  MS would then have to toe the line instead of dictating what something as fundamentally important as an OS did or did not do.  How on earth have they got away with it for so long?

Really, are you suggesting that Microsoft should just keep supporting XP for no viable return? You buy Microsoft, you know when support ends. They tell you up front. Build that into your businesses and budgets, frankly. Security and threat are now co-evolving (and have been for a while). It's impossible to build a totally secure and invulnerable system.
Title: Re: That ransomware attack
Post by: Ruthie on 15 May, 2017, 08:41:33 pm
I don't know what all the fuss is about.  After an afternoon trying to use the NHS computer system, ransomware would surely be an improvement in performance.

How I don't just drop-kick all the PCs out the bloody window is a tribute to my patience, frankly.
Title: Re: That ransomware attack
Post by: Phil W on 15 May, 2017, 10:23:57 pm
I don't know what all the fuss is about.  After an afternoon trying to use the NHS computer system, ransomware would surely be an improvement in performance.

How I don't just drop-kick all the PCs out the bloody window is a tribute to my patience, frankly.

Or did you mean tribute to my patients  ;D
Title: Re: That ransomware attack
Post by: Kim on 15 May, 2017, 10:32:41 pm
How I don't just drop-kick all the PCs out the bloody window is a tribute to my patience, frankly.

Some of that hardware can be surprisingly heavy.  Wouldn't want to burden A&E with the fractures.
Title: Re: That ransomware attack
Post by: Pickled Onion on 16 May, 2017, 08:05:48 am
Spend the money on IT and you cannot treat so many patients.

The problem last week was by NOT spending money on IT they could not treat so many patients.
Title: Re: That ransomware attack
Post by: MikeFromLFE on 16 May, 2017, 08:18:26 am
Spend the money on IT and you cannot treat so many patients.

The problem last week was by NOT spending money on IT they could not treat so many patients.
This is what I was picking up from the vox pops on TV: Today "The NHS should have been spending more on keeping their Computers up to date" Two weeks ago "The NHS is spending too much on computers and not enough on patient care"
Title: Re: That ransomware attack
Post by: Jaded on 16 May, 2017, 08:40:13 am
The NHS is spending too much money on reorganisations.

There'll be another one along soon. The trouble is, reorganisations don't help with inconvenient things like planning for the future,
Title: Re: That ransomware attack
Post by: Afasoas on 16 May, 2017, 09:55:39 am
We approved the magic updates (KB4012213/4012216) that resolve this issue weeks ago. I was surprised to learn over the weekend it had not been applied to any of our workstations. A bit of further poking around and we found it was one of ~15 updates on the update server not getting applied to clients. Turns out the update server itself needed a hotfix to kick it into shape.

I was also surprised to learn that virus signature updates for our antivirus product stopped working on/after May 5th. The only thing that seemed to kick that into shape was a removal/reinstall.

So the bulk of yesterday was spent manually reinstalling anti-virus on all the Workstations/laptops (automated attempts failed) and applying Windows patches.
Today I'm rebuilding 16 webservers and 6 domain controllers. Tomorrow I suspect I'll be patching DB servers.
Title: Re: That ransomware attack
Post by: Polar Bear on 16 May, 2017, 10:20:21 am
Spend the money on IT and you cannot treat so many patients.

The problem last week was by NOT spending money on IT they could not treat so many patients.
This is what I was picking up from the vox pops on TV: Today "The NHS should have been spending more on keeping their Computers up to date" Two weeks ago "The NHS is spending too much on computers and not enough on patient care"

And why isn't Jeremy Hunt taking a pasting on this?  Why aren't the right wing press slaughtering him?   Is there a general election in the offing?   Will this be another excuse / reason for wider privatisation of the NHS?   Will Theresa May go private?

For the answer to these and many more questions tune in next time ...
Title: Re: That ransomware attack
Post by: Mr Larrington on 16 May, 2017, 11:46:07 am
Jeremy Rhyming-Slang doesn't work weekends, unlike the junior doctors he so despises, which is why the likes of perennially thirsty expenses fiddler Michael Fallon and IT ignoramus Amber Rudd have had to be roped in to lie about it.
Title: Re: That ransomware attack
Post by: Bledlow on 16 May, 2017, 12:28:58 pm
Software needs maintenance for the reason you have pointed out yourself...

The environment in which it is running changes.
For example, a security protocol that was regarded as good years ago may no longer be regarded as secure, and so updates are required.

This was not a flaw in the original program, it is just a consequence of the environment changing.

In other examples, the OS vendor may make changes to the OS for a variety of reasons, including security.
For example, certain directories that used to be writable by a non-admin user no longer are.
This may mean that programs that previously worked no longer do, and they will require updating.

None of these things are flaws: the programs were written correctly to a perfectly reasonable spec at the time.
But times change, and the software needs to change with it.
True.

But there are also very, very many vendor-driven changes which users do not ask for or want, both to applications & operating systems - & sheer bloody incompetence at the top. I could give you a very long list of development decisions taken for short-term reasons that led to long-term problems: years of patching, recovering data, etc. because someone took a short-cut, the millennium bug (I was once laughed at & publicly ridiculed by a manager for pointing out that we were building a system which would fail, & that we could prevent that cheaply by acting immediately - & of course, that firm had to take expensive measures years later), etc.

I've seen too much crap like that to assume that the reasonable grounds for maintenance you describe are all, or even most, of the need for fixes.

I've done charitable work, fixing computer problems for vulnerable & disabled people. Most of it has been implementing vendor-driven changes. I saw small organisations writing software for that sector, struggling to keep up to date because vendor-driven changes stretched their limited resources.

There's a lot of churn generated by producers, in order to force updates which they charge for. The "they're commercial businesses & have to make a profit" might be reasonable, but for their enormous operating margins. They make the much-criticised banks look like the nice side of capitalism.
Title: Re: That ransomware attack
Post by: simonp on 16 May, 2017, 10:51:11 pm
We were missing the update too. We had to manually run Windows Update ourselves.
Title: Re: That ransomware attack
Post by: TimO on 17 May, 2017, 10:02:33 pm
We were missing the update too. We had to manually run Windows Update ourselves.

I just found out that Windows Update is borked on my PC, and hasn't installed any updates for some time, including the one necessary to block this !  :o

After spending several hours, trying to get it to work again, I'm backing the machine up tonight.  I'll probably have to let our IT bods loose on it, and their go-to approach to anything vaguely involved, is to reinstall Windows, and then we have to spend the next few days fiddling with the configuration and installing software, to get it back to a useful state.  ::-)
Title: Re: That ransomware attack
Post by: Feline on 17 May, 2017, 10:22:13 pm
NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.

Anyone in IT that told me that kind of stuff would be soooooo sacked.
Oh wait, my computer is a Mac so on this occasion I don't have to worry.
Title: Re: That ransomware attack
Post by: Greenbank on 17 May, 2017, 11:20:55 pm
The malware writers are starting to increase their focus on Macs. The "I'm safe, I have a Mac" attitude of many Mac users (I know you said "...on this occasion I don't have to worry." so I guess you're not part of that group) is exactly the attitude Malware authors want as it makes it easier to get a foothold on that platform.

The recent Handbrake (DVD ripper and re-encoding software) incident (https://www.cybereason.com/labs-proton-b-what-this-mac-malware-actually-does/) shows that you really have to be vigilant. Most people would have blindly trusted the Handbrake site for its downloads and hardly anyone would have checked the checksums (mainly because if you can change the download file on the site then changing the checksum to match it, also on the same site, should be trivial.)

If anything, something that sits silently on your machine allowing remote access, exfiltrating important files (browser password caches, keychain files, etc) and keylogging is a whole lot worse than something very visual like ransomware which announces its presence loudly.

Again, malware writers are missing a trick here. A period of logging and file exfiltration followed by a ransomware attack would give them multiple bites at the cherry, it's only time before they get more sophisticated. (This isn't Mac specific.)
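
Added example, not part of the post above or of any project's code: the checksum point sketched in Python. The file name, site contents and pinned digest are all constructed for illustration. It shows that a checksum served from the same site as the download still matches once both have been replaced, while a digest recorded earlier from an independent channel does not.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksum_file(text: str, filename: str) -> str:
    """Return the digest listed for `filename` in sha256sum-style text."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        # sha256sum writes "<digest>  <name>" or "<digest> *<name>" (binary mode)
        if len(parts) == 2 and parts[1].lstrip("*").strip() == filename:
            return parts[0].lower()
    raise KeyError(f"no checksum listed for {filename}")


def verify_same_origin(site: dict, filename: str) -> bool:
    """Check the download against the checksum file served by the same site."""
    listed = parse_checksum_file(site["SHA256SUMS"].decode(), filename)
    return hmac.compare_digest(listed, sha256_hex(site[filename]))


def verify_pinned(site: dict, filename: str, pinned_digest: str) -> bool:
    """Check the download against a digest obtained through another channel."""
    return hmac.compare_digest(pinned_digest.lower(), sha256_hex(site[filename]))


def publish(payload: bytes, filename: str) -> dict:
    """Model a download site as a dict: the file plus its SHA256SUMS listing."""
    listing = f"{sha256_hex(payload)}  {filename}\n".encode()
    return {filename: payload, "SHA256SUMS": listing}


# --- constructed sample data (hypothetical file name and contents) ---
NAME = "app-1.0.dmg"
clean_site = publish(b"genuine installer bytes (constructed)", NAME)

# Digest recorded while the site was known good, kept somewhere the web
# server cannot rewrite (assumption: e.g. a signed release announcement).
PINNED = sha256_hex(clean_site[NAME])

# Whoever controls the site replaces the file AND regenerates the listing.
compromised_site = publish(b"tampered installer bytes (constructed)", NAME)

# Only the file changes (corruption or a partial tamper); listing untouched.
partial_site = dict(clean_site)
partial_site[NAME] = b"damaged installer bytes (constructed)"


def audit(site: dict) -> dict:
    return {
        "same_origin": verify_same_origin(site, NAME),
        "pinned": verify_pinned(site, NAME, PINNED),
    }


if __name__ == "__main__":
    for label, site in [("clean", clean_site),
                        ("file and checksum replaced", compromised_site),
                        ("file only replaced", partial_site)]:
        print(f"{label:28} {audit(site)}")
```

The same-origin check is still useful for catching corrupted or truncated downloads; it just says nothing about who produced the file.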
Title: Re: That ransomware attack
Post by: Feline on 17 May, 2017, 11:22:42 pm
The malware writers are starting to increase their focus on Macs. The "I'm safe, I have a Mac" attitude of many Mac users (I know you said "...on this occasion I don't have to worry." so I guess you're not part of that group) is exactly the attitude Malware authors want as it makes it easier to get a foothold on that platform.

The recent Handbrake (DVD ripper and re-encoding software) incident (https://www.cybereason.com/labs-proton-b-what-this-mac-malware-actually-does/) shows that you really have to be vigilant. Most people would have blindly trusted the Handbrake site for its downloads and hardly anyone would have checked the checksums (mainly because if you can change the download file on the site then changing the checksum to match it, also on the same site, should be trivial.)

If anything, something that sits silently on your machine allowing remote access, exfiltrating important files (browser password caches, keychain files, etc) and keylogging is a whole lot worse than something very visual like ransomware which announces its presence loudly.

Again, malware writers are missing a trick here. A period of logging and file exfiltration followed by a ransomware attack would give them multiple bites at the cherry, it's only time before they get more sophisticated. (This isn't Mac specific.)

If you come after my Mac then you need to be aware that I have the latest malware and antivirus protection, and an incremental backup system going back 7 years :)
Title: Re: That ransomware attack
Post by: Greenbank on 17 May, 2017, 11:45:51 pm
If you come after my Mac then you need to be aware that I have the latest malware and antivirus protection, and an incremental backup system going back 7 years :)

Rock and a hard place.

The antivirus programs are often the easiest targets for the malware writers. They're full of security holes themselves and often run with elevated privileges solving a major hurdle after infection.

Bit old (June 2016) but highlights the point: http://www.computerworld.com/article/3089872/security/security-vulnerabilities-in-symantec-and-norton-as-bad-as-it-gets-warns-researcher.html

ESET was a more recent one with a major flaw discovered (March 2017).
Title: Re: That ransomware attack
Post by: Feline on 18 May, 2017, 12:00:46 am
If you come after my Mac then you need to be aware that I have the latest malware and antivirus protection, and an incremental backup system going back 7 years :)

Rock and a hard place.

The antivirus programs are often the easiest targets for the malware writers. They're full of security holes themselves and often run with elevated privileges solving a major hurdle after infection.

Bit old (June 2016) but highlights the point: http://www.computerworld.com/article/3089872/security/security-vulnerabilities-in-symantec-and-norton-as-bad-as-it-gets-warns-researcher.html

ESET was a more recent one with a major flaw discovered (March 2017).

All well and good, but no one has managed to actually attack my Mac as of yet. Nice not to need to pay for the latest OS also  ;D
Title: Re: That ransomware attack
Post by: Jaded on 18 May, 2017, 12:02:30 am
Oh look! A squirrel!
Title: Re: That ransomware attack
Post by: Martin on 18 May, 2017, 12:38:50 am
whilst some of you take the piss out of and generally spout about the NHS management of this I've today had to deal with the loss of a large section of an entire laboratory in a major London teaching hospital which we hope to resolve in the next few hours; we've been well aware of the vulnerability of XP and have been taking steps to ensure compliance / isolation of the XP systems in use for a couple of years; they are due to be replaced very soon so rather than waste thousands on very short term replacements we've come up with a satisfactory solution which unfortunately may have been affected by this malicious and stupid attack

NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.

Anyone in IT that told me that kind of stuff would be soooooo sacked.
Oh wait, my computer is a Mac so on this occasion I don't have to worry.

please do come to my Trust and show me and the rest of my team how easy it is to move the many stand-alone pc's within it to Thin client (with associated secure remote hosting / data centres) as you obviously have far more experience

Title: Re: That ransomware attack
Post by: Feline on 18 May, 2017, 04:40:31 am
whilst some of you take the piss out of and generally spout about the NHS management of this I've today had to deal with the loss of a large section of an entire laboratory in a major London teaching hospital which we hope to resolve in the next few hours; we've been well aware of the vulnerability of XP and have been taking steps to ensure compliance / isolation of the XP systems in use for a couple of years; they are due to be replaced very soon so rather than waste thousands on very short term replacements we've come up with a satisfactory solution which unfortunately may have been affected by this malicious and stupid attack

NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.

Anyone in IT that told me that kind of stuff would be soooooo sacked.
Oh wait, my computer is a Mac so on this occasion I don't have to worry.

please do come to my Trust and show me and the rest of my team how easy it is to move the many stand-alone pc's within it to Thin client (with associated secure remote hosting / data centres) as you obviously have far more experience

Wow, patronising. You assume I would not know how to do that but actually you're wrong. However you couldn't afford me  ;)
Title: Re: That ransomware attack
Post by: David Martin on 18 May, 2017, 08:39:03 am
If Martin's lab is like many others then it runs bespoke software on PCs tied to instruments that require to be networked for data transfer. Thin clients would be challenging in that respect. What typically needs doing is proper network segmentation to move vulnerable machines behind firewalls, allowing data through. Unfortunately this usually requires reworking vast quantities of legacy software, whilst ensuring the system stays functional.
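The segmentation described in the post above can be checked mechanically. This is an added example, not part of the thread: a Python audit of a first-match firewall ruleset that reports every flow to or from the legacy instrument PCs other than the one intended data transfer. All addresses, the data port (5000), the host roles and both rulesets are constructed assumptions.

```python
"""Audit a first-match firewall ruleset guarding a legacy lab segment.

Every address, port and rule below is constructed for illustration.
The model covers connection initiation only (a stateful firewall
handles return traffic) and only traffic that crosses the firewall;
hosts inside the same segment can still reach each other directly.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # destination TCP port, None = any port


LEGACY_HOSTS = ["10.50.0.11", "10.50.0.12"]  # XP instrument PCs (constructed)
LIMS_SERVER = "10.20.0.5"                    # hypothetical results collector
DATA_PORT = 5000                             # hypothetical instrument data port

# Representative peers in other zones, used as probe endpoints.
PROBE_PEERS = {"ward-pc": "10.10.3.40", "lims": LIMS_SERVER, "it-admin": "10.30.0.9"}
# NetBIOS session, SMB, RDP, plus the one port that should be open.
PROBE_PORTS = [139, 445, 3389, DATA_PORT]

# The only flow the design intends: instrument PC pushes results to the LIMS.
INTENDED = {(host, LIMS_SERVER, DATA_PORT) for host in LEGACY_HOSTS}


def decide(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Return the action of the first matching rule; default is deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"


def audit(rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """List (src, dst, port) flows that are allowed but not intended."""
    findings = []
    for host in LEGACY_HOSTS:
        for peer in PROBE_PEERS.values():
            for port in PROBE_PORTS:
                # Check both directions: reach-in and reach-out.
                for src, dst in ((peer, host), (host, peer)):
                    allowed = decide(rules, src, dst, port) == "allow"
                    if allowed and (src, dst, port) not in INTENDED:
                        findings.append((src, dst, port))
    return sorted(findings)


# "Behind a firewall" in name only: data is let through on any port,
# and the admin network can reach in on any port.
WEAK = [
    Rule("allow", "10.50.0.0/24", "10.20.0.5/32", None),
    Rule("allow", "10.30.0.0/24", "10.50.0.0/24", None),
    Rule("deny", "0.0.0.0/0", "10.50.0.0/24", None),
]

# Only the data flow is allowed; everything else to or from the segment is denied.
SEGMENTED = [
    Rule("allow", "10.50.0.0/24", "10.20.0.5/32", DATA_PORT),
    Rule("deny", "10.50.0.0/24", "0.0.0.0/0", None),
    Rule("deny", "0.0.0.0/0", "10.50.0.0/24", None),
]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("SEGMENTED", SEGMENTED)):
        findings = audit(rules)
        print(f"{name}: {len(findings)} unintended flow(s)")
        for src, dst, port in findings:
            print(f"  {src} -> {dst} tcp/{port}")
```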
Title: Re: That ransomware attack
Post by: Jaded on 18 May, 2017, 08:44:25 am
whilst some of you take the piss out of and generally spout about the NHS management of this I've today had to deal with the loss of a large section of an entire laboratory in a major London teaching hospital which we hope to resolve in the next few hours; we've been well aware of the vulnerability of XP and have been taking steps to ensure compliance / isolation of the XP systems in use for a couple of years; they are due to be replaced very soon so rather than waste thousands on very short term replacements we've come up with a satisfactory solution which unfortunately may have been affected by this malicious and stupid attack

NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.

Anyone in IT that told me that kind of stuff would be soooooo sacked.
Oh wait, my computer is a Mac so on this occasion I don't have to worry.

please do come to my Trust and show me and the rest of my team how easy it is to move the many stand-alone pc's within it to Thin client (with associated secure remote hosting / data centres) as you obviously have far more experience

Wow, patronising. You assume I would not know how to do that but actually you're wrong. However you couldn't afford me  ;)

It is unclear whether Martin is having a go at you or mrcharly, I think.
Title: Re: That ransomware attack
Post by: mrcharly-YHT on 18 May, 2017, 08:49:24 am
whilst some of you take the piss out of and generally spout about the NHS management of this I've today had to deal with the loss of a large section of an entire laboratory in a major London teaching hospital which we hope to resolve in the next few hours; we've been well aware of the vulnerability of XP and have been taking steps to ensure compliance / isolation of the XP systems in use for a couple of years; they are due to be replaced very soon so rather than waste thousands on very short term replacements we've come up with a satisfactory solution which unfortunately may have been affected by this malicious and stupid attack

NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.

Anyone in IT that told me that kind of stuff would be soooooo sacked.
Oh wait, my computer is a Mac so on this occasion I don't have to worry.

please do come to my Trust and show me and the rest of my team how easy it is to move the many stand-alone pc's within it to Thin client (with associated secure remote hosting / data centres) as you obviously have far more experience
Not having a pop, I know it would take substantial work, time and money, hence my saying it would have required investment and money that you aren't getting. I'm not naive or inexperienced about large projects.

I wish you luck in sorting out your problems.
Title: Re: That ransomware attack
Post by: MikeFromLFE on 18 May, 2017, 08:50:19 am
If Martin's lab is like many others then it runs bespoke software on PCs tied to instruments that require to be networked for data transfer. Thin clients would be challenging in that respect.
What typically needs doing is proper network segmentation to move vulnerable machines behind firewalls, allowing data through. Unfortunately this usually requires reworking vast quantities of legacy software, whilst ensuring the system stays functional.
Having spent 35+ years in hospital pathology laboratories, before fatefully moving into 'management', I saw a couple of attempts to move at least some of the processing onto Thin Clients - these well meant endeavours always neglected exactly what you describe - the issues of bespoke software running complex bespoke hardware. Typically - in desperation - the hardware and the bespoke software could run standalone without being networked (eg if the network was lost), but the manual inputting and data extraction was laborious and 'not fit for purpose' given the demands on modern hospital laboratory science.
Martin - I don't think anyone's taking the piss out of your situation (And, I'm surprised that NHS trusts don't keep a register of people like me (no longer HPC registered) who could volunteer in extremis.
Title: Re: That ransomware attack
Post by: DuncanM on 18 May, 2017, 03:36:32 pm
If you come after my Mac then you need to be aware that I have the latest malware and antivirus protection, and an incremental backup system going back 7 years :)

Rock and a hard place.

The antivirus programs are often the easiest targets for the malware writers. They're full of security holes themselves and often run with elevated privileges solving a major hurdle after infection.

Bit old (June 2016) but highlights the point: http://www.computerworld.com/article/3089872/security/security-vulnerabilities-in-symantec-and-norton-as-bad-as-it-gets-warns-researcher.html

ESET was a more recent one with a major flaw discovered (March 2017).

All well and good, but no one has managed to actually attack my Mac as of yet. Nice not to need to pay for the latest OS also  ;D
This demonstrates that Macs aren't invulnerable, even when used by clueful people:
https://panic.com/blog/stolen-source-code/
Backups and such aren't going to stop someone stealing your data...
Title: Re: That ransomware attack
Post by: Jaded on 18 May, 2017, 03:48:19 pm
Yes, but there's a question of scale and balance.

No computer is invulnerable. However the most widely used desktop OS is not the most secure, by any means.

look! A squirrel!!
Title: Re: That ransomware attack
Post by: simonp on 18 May, 2017, 03:59:25 pm
If ransomware can compromise your system then it can compromise a locally connected backup.
Title: Re: That ransomware attack
Post by: Polar Bear on 18 May, 2017, 04:08:13 pm
Which is why I've taken to using USB sticks and a network drive which I only connect to do the backups.   I physically disconnect the computer from the network but of course nothing will protect me if the malware has already somehow snuck under the radar.
Title: Re: That ransomware attack
Post by: Afasoas on 19 May, 2017, 11:55:46 am
It looks like decryption might be possible for some wannacrypt infestations:

https://github.com/aguinet/wannakey
Title: Re: That ransomware attack
Post by: Feline on 19 May, 2017, 04:43:33 pm
Which is why I've taken to using USB sticks and a network drive which I only connect to do the backups.   I physically disconnect the computer from the network but of course nothing will protect me if the malware has already somehow snuck under the radar.

I agree with you there, and these days USB drives have become so cheap it's perfectly feasible to do monthly backups of photos and all important data at home and file it away permanently never to be over-written. It's certainly what I do these days so all my eggs are not in the 'cloud' basket or even the network backup drive basket which can get pinched along with your laptop by actual burglars in person (or fire)! I've always stored backups off site both at home and work in case of fire. Of course NHS staff can't be marching home with important backups in their pockets, so not going to help them much.
Title: Re: That ransomware attack
Post by: Martin on 19 May, 2017, 11:51:20 pm
If Martin's lab is like many others then it runs bespoke software on PCs tied to instruments that require to be networked for data transfer. Thin clients would be challenging in that respect.
What typically needs doing is proper network segmentation to move vulnerable machines behind firewalls, allowing data through. Unfortunately this usually requires reworking vast quantities of legacy software, whilst ensuring the system stays functional.
Having spent 35+ years in hospital pathology laboratories, before fatefully moving into 'management', I saw a couple of attempts to move at least some of the processing onto Thin Clients - these well meant endeavours always neglected exactly what you describe - the issues of bespoke software running complex bespoke hardware. Typically - in desperation - the hardware and the bespoke software could run standalone without being networked (eg if the network was lost), but the manual inputting and data extraction was laborious and 'not fit for purpose' given the demands on modern hospital laboratory science.
Martin - I don't think anyone's taking the piss out of your situation (And, I'm surprised that NHS trusts don't keep a register of people like me (no longer HPC registered) who could volunteer in extremis.

Thanks; it was some comments that suggested incompetence and penny pinching in the NHS that got my goat;

FYI my Trust knew about the XP problem for a couple of years before MS withdrew support, the DOH did indeed purchase extended support after official support ended and during that time we planned a strategic removal of all XP pc's from the network whilst replacing the networked ones with W7 in a phased approach. Remember that many of the XP pc's were all very long in the tooth anyway and would need replacement whatever. But there was the problem with the bespoke software much of which was not W7 compatible and would eventually be sunsetted. We are nearly there but due to ongoing procurement within the labs we still have to keep a few XP machines running (effectively isolated from all but the instruments they serve). It's simply not possible to move these onto Citrix etc as they are usually one off installs a few metres away from the kit with a clone box next to them as redundancy, often requiring an engineer onsite to apply fixes / patches etc. where Thin Clients would not work.
Title: Re: That ransomware attack
Post by: Wombat on 20 May, 2017, 09:44:28 am
A view from outside...

Is it not the case that most of the problem relates to PCs running out of date OSs because the bits of specialist equipment they are connected to, or specialist systems they run, won't run under a decent modern OS? 

WTF is wrong with the suppliers of those systems that they don't keep updates coming so their systems can be kept safe and running on a modern OS?  Things like my photo editing software, and video software regularly publish updates to keep them abreast of newer OSs, and recent issues and vulnerabilities.  Surely the suppliers of very expensive specialist software and equipment, really, really ought to be supporting them properly? 

In my recently ceased employment, I was well aware that Crapita, suppliers of broken software to manage many millions of pounds worth of assets, totally failed to keep up with such issues (or even care about usability), so I suppose I am being naive.

It relates to my hate of the fact that many useful bits of domestic computing equipment (such as scanners and printers), have to be replaced because the manufacturer is too bloody minded to update drivers for a current OS (yes, YOU, Canon!).  I know they do it for commercial stuff just to sell more new widgets,  but for serious stuff like NHS and defence things, surely it's not beyond the wit of man to update drivers and maintain compatibility?  Is there not a niche for a specialist firm whose business is updating drivers etc.?
Title: Re: That ransomware attack
Post by: Ham on 20 May, 2017, 09:51:10 am
  Is there not a niche for a specialist firm whose business is updating drivers etc.?

They've been doing this and doing it well for years

https://www.hamrick.com/
Title: Re: That ransomware attack
Post by: Wombat on 20 May, 2017, 10:07:33 am
I'm aware of Vuescan, but even they only seem to do domestic types, and don't include things like the Canon microfilm scanners at the museum I do work with, so a £3500 scanner is now effectively useless, and they've had to buy a new £4000 one instead.  I was actually thinking more of obscure medical stuff that I can only guess at the function and cost of.  Bearing in mind how much that sort of thing must cost (I don't know, but having seen some of it "bloody expensive" seems an inadequate term) surely either the suppliers or another firm should be on the case.
Title: Re: That ransomware attack
Post by: David Martin on 20 May, 2017, 11:43:08 am
The original purchase costs of the equipment can range from a few tens of thousands to millions. Just thinking of our research facility, we have mass spectrometers [1], sample processing robots [2] and so on. The market for these is small and the requirement for reliability high. The cost of developing a driver and software update could be extremely high, especially if communication is via custom interface boards that are no longer supported by modern PC architecture. You either need a large enough market to ensure any development cost will be recovered, or it is cheaper to just upgrade to the new machine with all the hassle that involves.

A better option for process labs may be to lease the machines from the manufacturers - the advantages are that the manufacturers can then guarantee a market for updates, and the lab does not have periodic large budget items. However this is then seen as politically unacceptable, and carries the risk of suppliers' viability impacting beyond the company itself. (ie if the company is bought up by a bigger company and they then decide that the lease/maintenance on that equipment is not sustainable and force an upgrade.) Or just go bankrupt and the machines are repossessed as assets.

It is an issue where the lifespan of the machines is much longer than the lifespan of the controlling tech, and there are no mechanisms in place to deal with that kind of obsolescence. I would expect that some hospital labs have key equipment connected via SCSI and upgradeable only by floppy disk.

tl;dr The problems are not trivial and need careful management, often in creative and politically difficult ways that can expose to a new set of risks.

[1] not the best example as mass spec tech moves very fast and the life cycle is compatible with PC life cycle.
[2] a better example. DNA sequencers are still working fine 20 years on, some of which originally were driven by OS/2
Title: Re: That ransomware attack
Post by: mzjo on 20 May, 2017, 03:31:32 pm
I can't help thinking that a large part of the problem lies with the historical development of a basically monopoly supply of computer OSs on PCs. I am sure that if there had been ten or so viable OSs on the market 25 years ago the industry would have developed in a different and far more robust manner, making it all far less vulnerable to large scale attacks. Too late - PCs are going to be the next dinosaurs!
(Just an observation, I am not a geek!)
Title: Re: That ransomware attack
Post by: TheLurker on 20 May, 2017, 04:54:52 pm
I can't help thinking that a large part of the problem lies with the historical development of a basically monopoly supply of computer OSs on PCs. {snip}
It's not all bad. Having so few commercially successful OSs means we get economies of scale.  A company can create a product for one OS knowing that it has a big enough market share for their dependent product to stand a chance of doing well.  It also makes it possible to support that product over multiple OSs.  Multi-OS support is a horribly difficult thing to do well, it's a hard enough problem coping with changes from one version of one OS to another,  and almost impossible to do cheaply. Only having to attempt it for two, or possibly three, OSs drastically reduces the commercial and technical issues involved.

Imagine how much more expensive software would be and the gaps in application availability from one OS to another if we had Windows, MAC, Android, BeOS, FreeBSD, OS/2, CP/M, {My Favourite} Linux, AmigaOS, Acorn RiscOS and ProDOS/Apple DOS all with roughly equal market share?
Title: Re: That ransomware attack
Post by: Polar Bear on 20 May, 2017, 05:20:15 pm
Fundamentally competition drives cost down and increases innovation.  Imagine if we could only buy a Giant or a Raleigh.

I don't think that we would be so platform limited if there were more competitors, and, it would be a much bigger job for the malicious hackers to perpetrate attacks of the sort that they have managed.   As it stands organisations have to make a choice on one platform and invest spectacularly in that choice.  Also, a whole industry sector of platform integration would grow from wider choice imo.   A bit like getting your shimano bits to work with campag bits and vice versa.   :D

I am convinced that on the whole monopolies are not in the best interests of the majority.
Title: Re: That ransomware attack
Post by: TheLurker on 20 May, 2017, 05:40:38 pm
Quote from: Polar Bear
Fundamentally competition drives cost down and increases innovation.  Imagine if we could only buy a Giant or a Raleigh.
Bike bits are by and large interchangeable so finding yourself tied to one particular manufacturer is less likely although even with bikes you can find incompatible systems which get you locked in to one mfr (Campagnolo or Shimano?).  Software is, unfortunately, not so flexible for all sorts of reasons.

Quote from: Polar Bear
I am convinced that on the whole monopolies are not in the best interests of the majority.
I quite agree and thankfully at the moment we don't have a pure monopoly for OSs.  We have 3 dominant companies (Apple, M$ and Google) so people do have some choice and there is a degree of competition which benefits consumers.  The market is never truly fair but the current state of play is bearable and it gives commercial SW companies the reassurance they need that their target platform has a large enough market share to repay the amount of time and money it takes to get a good product to market and that there'll still be a market there in 3 or 4 years or however long it takes the development to go from drawing board to shrink-wrap or, these days, web download.

And for the independently minded there are a raft of Linux distros out there. :)
Title: Re: That ransomware attack
Post by: Afasoas on 20 May, 2017, 11:34:20 pm
There are a number of ways of using hardware and software abstractions to write software which shouldn't care what OS it's running on.
I appreciate it's probably not that straight forward, but I think:

When spending a large sum on a piece of hardware which depends on software to be useful, software should be maintained for the expected lifetime of the hardware and that maintenance should ensure it runs on current operating systems. This is the responsibility of both the hardware supplier and purchaser.
Title: Re: That ransomware attack
Post by: David Martin on 21 May, 2017, 07:55:55 am
That would make longer term maintenance contracts as part of the purchase exceedingly expensive, and still doesn't negate the 'we are bust, tough' possibility. The issue is market size. Designing boxes to be as portable as possible is also a good plan.
Title: Re: That ransomware attack
Post by: rr on 21 May, 2017, 08:19:41 am




It is an issue where the lifespan of the machines is much longer than the lifespan of the controlling tech, and there are no mechanisms in place to deal with that kind of obsolescence. I would expect that some hospital labs have key equipment connected via SCSI and upgradeable only by floppy disk.


If you look at CNC machine tools, there are perfectly useable tools out there that need an rs232 interface, Windows 3.1 and 5inch floppies. There are people out there who will pay good money for such machines.


Title: Re: That ransomware attack
Post by: mrcharly-YHT on 21 May, 2017, 09:15:35 am
There are a number of ways of using hardware and software abstractions to write software which shouldn't care what OS it's running on.
I appreciate it's probably not that straight forward, but I think:

When spending a large sum on a piece of hardware which depends on software to be useful, software should be maintained for the expected lifetime of the hardware and that maintenance should ensure it runs on current operating systems. This is the responsibility of both the hardware supplier and purchaser.
That's really, really difficult to do when the software has to interact with peripheral hardware.
Title: Re: That ransomware attack
Post by: TheLurker on 21 May, 2017, 09:20:10 am
There are a number of ways of using hardware and software abstractions to write software which shouldn't care what OS it's running on.
Ah yes. Write once run anywhere.  The industry has been pursuing that particular grail for a long, long time.  I don't expect to see it found in my lifetime.

All you've done is shift the problem to another layer.  If your abstraction layer is found to be buggy and the people who wrote the code for the abstraction layer (and what's an O.S. but an abstraction layer?) on your particular bit of kit have decided that it is no longer supported and they won't be patching it?  Sound familiar?

Quote from: Afasoas
...maintenance should ensure it runs on current operating systems.
Yeah, it'd be nice but it's never going to work.  Simple, nay simplistic, example.  Pretend I have an IBM PC built around an 80286 with 16MB of RAM and 200MB HDD running Win 3.1x. A fairly common configuration 20 or so years ago.  It might have coped with Windows 95, I doubt it would have coped with XP and there is no way on God's green earth that machine could be made to run Windows 7 64 bit Pro or any variant of Windows 10.  The hardware just isn't up to it.  You have a similar problem with expensive lab kit.  Such kit can have a service life of 10 years and upwards and in that time the hardware requirements for software can change so much that there is no earthly chance that "maintenance" would be feasible short of rebuilding the machine. And at that point it's probably cheaper to get a new machine.

Put it another way.  If what you suggest was technically possible and economically practical it would already be happening.
Title: Re: That ransomware attack
Post by: Afasoas on 21 May, 2017, 09:20:41 am
That would make longer term maintenance contracts as part of the purchase exceedingly expensive, and still doesn't negate the 'we are bust, tough' possibility. The issue is market size. Designing boxes to be as portable as possible is also a good plan.

The code base should be maintained in ESCROW so that in the event the manufacturer goes bust, major clients can obtain a copy of it ...
Title: Re: That ransomware attack
Post by: Afasoas on 21 May, 2017, 09:30:59 am
There are a number of ways of using hardware and software abstractions to write software which shouldn't care what OS it's running on.
Ah yes. Write once run anywhere.  The industry has been pursuing that particular grail for a long, long time.  I don't expect to see it found in my lifetime.

All you've done is shift the problem to another layer.  If your abstraction layer is found to be buggy and the people who wrote the code for the abstraction layer (and what's an O.S. but an abstraction layer?) on your particular bit of kit have decided that it is no longer supported and they won't be patching it?  Sound familiar?

Quote from: Afasoas
...maintenance should ensure it runs on current operating systems.
Yeah, it'd be nice but it's never going to work.  Simple, nay simplistic, example.  Pretend I have an IBM PC built around an 80286 with 16MB of RAM and 200MB HDD running Win 3.1x. A fairly common configuration 20 or so years ago.  It might have coped with Windows 95, I doubt it would have coped with XP and there is no way on God's green earth that machine could be made to run Windows 7 64 bit Pro or any variant of Windows 10.  The hardware just isn't up to it.  You have a similar problem with expensive lab kit.  Such kit can have a service life of 10 years and upwards and in that time the hardware requirements for software can change so much that there is no earthly chance that "maintenance" would be feasible short of rebuilding the machine. And at that point it's probably cheaper to get a new machine.

Put it another way.  If what you suggest was technically possible and economically practical it would already be happening.

There are countless examples in the industry where this already *is* the case. With the tooling available today it should be possible to compile and regression test code targeted at multiple platforms as part of an automated pipeline. Yes it takes some investment up front, but it's what software vendors should be doing.

Another way to solve the problem is to network enable these devices so they are running their own kernel/OS and software on client workstations uses web protocols to interact with them. Of course that doesn't eliminate all the complexity, but it would make the system more maintainable.

Win 3.1x was barely usable on a 286.
Title: Re: That ransomware attack
Post by: TheLurker on 21 May, 2017, 09:34:13 am
That would make longer term maintenance contracts as part of the purchase exceedingly expensive, and still doesn't negate the 'we are bust, tough' possibility. The issue is market size. Designing boxes to be as portable as possible is also a good plan.

The code base should be maintained in ESCROW so that in the event the manufacturer goes bust, major clients can obtain a copy of it ...
And they then have to spend lots of money finding the expertise to understand, debug and re-implement out of date code written for a niche embedded systems compiler (yes I am painting a worst case scenario) in an obscure assembler dialect for a processor/chipset that is no longer manufactured?  Were I a bean-counter my reaction would be, "Here, take the lab cheque book and go buy a new one."*

*The idea of a bean-counter handing over a cheque book to anyone may contain elements of fantasy.
Title: Re: That ransomware attack
Post by: TheLurker on 21 May, 2017, 09:43:11 am
... it should be possible to compile and regression test code targeted at multiple platforms as part of an automated pipeline. Yes it takes some investment up front,  but it's what software vendors should be doing.

Quote from: TheLurker
Put it another way.  If what you suggest was technically possible and economically practical it would already be happening.
See highlighted text.

All you've done is shift the problem to another layer.  If your abstraction layer is found to be buggy and the people who wrote the code for the abstraction layer (and what's an O.S. but an abstraction layer?) on your particular bit of kit have decided that it is no longer supported and they won't be patching it?  Sound familiar?
All the automated toolsets in the world will not address this problem.

Quote from: Afasoas
Another way to solve the problem is to network enable these devices so they are running their own kernel/OS and software on client workstations uses web protocols to interact with them
You may have found the only real justification for the internet of things.  It'd be the security headache from hell, but still...
And if the kernel/OS chosen was XP?  *evil grin*

Quote from: Afasoas
Win 3.1x was barely usable on a 286.
I dunno, mine used to get by OK running Turbo C++ for Windows or was it a 386?  Can't remember now.  :)
Title: Re: That ransomware attack
Post by: Feanor on 21 May, 2017, 10:02:39 am
Another way to solve the problem is to network enable these devices so they are running their own kernel/OS and software on client workstations uses web protocols to interact with them. Of course that doesn't eliminate all the complexity, but it would make the system more maintainable.

But that's already what they do.

But they will network-enable them using a commercial embedded system, that will be based on a commercial OS of-the-day, like XP!

There's no good reason to re-invent your own OS when that's not your actual business.
That's likely to be far worse security-wise than a commercial embedded package, and more expensive and time consuming to develop.

And so we are back to embedded systems using out-of-date OSes.
Title: Re: That ransomware attack
Post by: Afasoas on 21 May, 2017, 10:29:39 am
... it should be possible to compile and regression test code targeted at multiple platforms as part of an automated pipeline. Yes it takes some investment up front,  but it's what software vendors should be doing.

Quote from: TheLurker
Put it another way.  If what you suggest was technically possible and economically practical it would already be happening.
See highlighted text.

The upfront investment is more than recouped by shorter feedback cycles and does not necessarily add up to being economically impractical.

All you've done is shift the problem to another layer.  If your abstraction layer is found to be buggy and the people who wrote the code for the abstraction layer (and what's an O.S. but an abstraction layer?) on your particular bit of kit have decided that it is no longer supported and they won't be patching it?  Sound familiar?
All the automated toolsets in the world will not address this problem.


Java has been solving this problem for 23 years, and is not likely to go away any time soon. I'll grant you that it's not perfect but I interact with it on a regular basis supporting software that in two instances does very low level interaction with the hardware.


Quote from: Afasoas
Another way to solve the problem is to network enable these devices so they are running their own kernel/OS and software on client workstations uses web protocols to interact with them
You may have found the only real justification for the internet of things.  It'd be the security headache from hell, but still...
And if the kernel/OS chosen was XP?  *evil grin*

Quote from: Afasoas
Win 3.1x was barely usable on a 286.
I dunno, mine used to get by OK running Turbo C++ for Windows or was it a 386?  Can't remember now.  :)

I'd wager it was a 386, which although first produced in 1985, remained in production for embedded systems until 2007. And although it was 32-bit, was still able to run 16-bit code from the 8086-80286 era.
It's still allegedly possible to run 16-bit code written for the 8086 on Intel's Kaby Lake platform.
And as for supporting legacy, Microsoft does that pretty well. Hence SMBv1 is still with us.
Title: Re: That ransomware attack
Post by: pcolbeck on 21 May, 2017, 10:40:33 am
But that's already what they do.

But they will network-enable them using a commercial embedded system, that will be based on a commercial OS of-the-day, like XP!

There's no good reason to re-invent your own OS when that's not your actual business.
That's likely to be far worse security-wise than a commercial embedded package, and more expensive and time consuming to develop.

And so we are back to embedded systems using out-of-date OSes.

Nearly all embedded OSs with a webby front end are Linux based these days. Why would a manufacturer pay a licence fee to MS for an embedded OS? Even Cisco data centre switches run Linux as their management/control plane and all their appliances do these days, the same for nearly everyone else.
Title: Re: That ransomware attack
Post by: Afasoas on 21 May, 2017, 10:52:27 am
Another way to solve the problem is to network enable these devices so they are running their own kernel/OS and software on client workstations uses web protocols to interact with them. Of course that doesn't eliminate all the complexity, but it would make the system more maintainable.

But that's already what they do.

But they will network-enable them using a commercial embedded system, that will be based on a commercial OS of-the-day, like XP!

There's no good reason to re-invent your own OS when that's not your actual business.
That's likely to be far worse security-wise than a commercial embedded package, and more expensive and time consuming to develop.

And so we are back to embedded systems using out-of-date OSes.

Which would probably be okay (not ideal) if the only services exposed to the network were the API for running the hardware. Possibly better if the embedded OS was a Linux kernel with the bare minimum of software/utilities.
I realise there's no panacea but I suspect in many instances that large monolithic applications, hard-wired to the OS couple and to traditional waterfall development serve to hamper the situation.
Title: Re: That ransomware attack
Post by: TheLurker on 21 May, 2017, 11:27:11 am
Quote from: Afasoas
All you've done is shift the problem to another layer.  If your abstraction layer is found to be buggy and the people who wrote the code for the abstraction layer (and what's an O.S. but an abstraction layer?) on your particular bit of kit have decided that it is no longer supported and they won't be patching it?  Sound familiar?
All the automated toolsets in the world will not address this problem.


Java has been solving this problem for 23 years, and is not likely to go away any time soon. I'll grant you that it's not perfect but I interact with it on a regular basis supporting software that in two instances does very low level interaction with the hardware.
I think you missed the point about the abstraction layer not being patched and no longer being maintained. Which is where we came in with XP. If any layer in the software stack has a show stopper bug and that layer is not under your control and that layer is no longer being supported and patched then you're stuffed. 

Last time I looked (some while ago I grant you) Java required JVMs written for the target platform. 

Given that I'm out of touch with Java and assuming JVMs are still required how, using your proposal, do you get around the problem of a no longer maintained and unpatched custom JVM for a specialist bit of kit that you don't have the rights to modify/fix?

You're right about better automation and up front investment recouping initial investment costs and generally being a good thing, but I've been having that argument for 30 years with various levels of project manager and bean-counter and short-termism has won every single time.  The bean-counters simply do not recognise or accept that argument.  As far as they are concerned such things are economically impractical and unfortunately they have more clout than us.  The summary is, "Has the customer asked for this? Has the customer paid for this? No? Well then, take a hike programmer."  So the de-facto state of things is, "economically impractical" and us saying "should" until we're blue in the face isn't going to change a thing.
Title: Re: That ransomware attack
Post by: TimO on 21 May, 2017, 12:40:52 pm
We seem to have drifted a bit from the original Ransomware discussion, but ultimately all software is going to ultimately become impractically unmaintainable, at a realistic cost.  If nothing else, the hardware it runs on, will also probably suffer from that too.

I maintain systems that run DOS 3, and I'd never expect to have to place any of that in a position where it was exposed to any sort of hacking vector.

At some point, software is no longer maintained, and Microsoft was not subtle about no longer supporting XP, they gave plenty of warning.

If you want to run software, beyond its lifetime, you have to choose to pay for it, or replace it.  I don't expect an old car to be easy and cheap to support.  If I wanted to run a Model T Ford, or VW split-screen Camper, I have to be prepared to deal with the complexities and costs.  Much the same is true of PC hardware and software, except that the relatively immature technology means that the rate of change is much faster, so we find that we need to move on, more often.

Eventually we'll probably get to a position where the engineering makes it easier to not move on as often, easier to produce layers of abstraction, hardware emulation of other hardware, and more generic methods of blocking vulnerabilities.  At the moment we don't have a lot of that, so we have to simply move onto the next step, which can often seem like a big and unnecessary change.
Title: Re: That ransomware attack
Post by: Afasoas on 21 May, 2017, 02:15:14 pm
Quote from: Afasoas
All you've done is shift the problem to another layer.  If your abstraction layer is found to be buggy and the people who wrote the code for the abstraction layer (and what's an O.S. but an abstraction layer?) on your particular bit of kit have decided that it is no longer supported and they won't be patching it?  Sound familiar?
All the automated toolsets in the world will not address this problem.


Java has been solving this problem for 23 years, and is not likely to go away any time soon. I'll grant you that it's not perfect but I interact with it on a regular basis supporting software that in two instances does very low level interaction with the hardware.
I think you missed the point about the abstraction layer not being patched and no longer being maintained. Which is where we came in with XP. If any layer in the software stack has a show stopper bug and that layer is not under your control and that layer is no longer being supported and patched then you're stuffed. 

But that's kind of the point. This is how we are able to access the out-of-band management on some really old hardware - it still works with current versions of JVM even though the hardware was new well over 10 years ago.
Yes, one day we will be stuffed (we've decommissioned almost all of this old hardware now) as we keep pace with the times.

Last time I looked (some while ago I grant you) Java required JVMs written for the target platform. 

Given that I'm out of touch with Java and assuming JVMs are still required how, using your proposal, do you get around the problem of a no longer maintained and unpatched custom JVM for a specialist bit of kit that you don't have the rights to modify/fix?

You're right about better automation and up front investment recouping initial investment costs and generally being a good thing, but I've been having that argument for 30 years with various levels of project manager and bean-counter and short-termism has won every single time.  The bean-counters simply do not recognise or accept that argument.  As far as they are concerned such things are economically impractical and unfortunately they have more clout than us.  The summary is, "Has the customer asked for this? Has the customer paid for this? No? Well then, take a hike programmer."  So the de-facto state of things is, "economically impractical" and us saying "should" until we're blue in the face isn't going to change a thing.

Times and attitudes are changing. I've not lived under a rock for the last 18 years of my IT career and I know exactly what you are talking about - I've spent half my life working with legacy hardware and legacy systems. We work with some of the biggest lenders (banks) who are the slowest to move and the reason they want to work with us is because of our approach to software development - we can do things reliably within time/cost/budget that their internal IT departments can't and they want to understand why.
Title: Re: That ransomware attack
Post by: Feanor on 21 May, 2017, 07:00:14 pm
But that's already what they do.

But they will network-enable them using a commercial embedded system, that will be based on a commercial OS of-the-day, like XP!

There's no good reason to re-invent your own OS when that's not your actual business.
That's likely to be far worse security-wise than a commercial embedded package, and more expensive and time consuming to develop.

And so we are back to embedded systems using out-of-date OSes.

Nearly all embedded OSs with a webby front end are Linux based these days. Why would a manufacturer pay a licence fee to MS for an embedded OS? Even Cisco data centre switches run Linux as their management/control plane and all their appliances do these days, the same for nearly everyone else.

Every embedded device I've seen in a crashed state has been Windows!
( Perhaps that's a self-selecting sample! )

Off the top of my head, I've seen Windows BSODs or Windows desktops with error dialogs on:
ATM machines, Self-service checkout machines, Airport arrivals/departures display screens, huge billboard display screens.
So Windows Embedded is certainly well represented in the wild.
Title: Re: That ransomware attack
Post by: Kim on 21 May, 2017, 08:20:05 pm
I've certainly come across a few of that sort of thing (mostly advertising / video playing devices) with Linux error messages.  Usually pertaining to a storage device or network problem, rather than a kernel panic.  That may simply represent Linux OSes' higher level of robustness in the face of certain hardware problems.  If a system disk vanishes Linux tends to politely complain while everything wanting disk IO grinds to a halt[1], while Windows is more inclined to simply BSOD.

Windows suffers from more comedy unrelated popups, which is what you get for using a desktop operating system for an embedded media display.  It's much more straightforward to give your media application exclusive use of the display in Linux.


[1] DAHIKT
Title: Re: That ransomware attack
Post by: Jaded on 22 May, 2017, 10:35:23 am
Hmmm, not sure if this has been posted before but it looks like XP wasn't the big villain here, it was Win 7

https://www.theverge.com/2017/5/19/15665488/wannacry-windows-7-version-xp-patched-victim-statistics
Title: Re: That ransomware attack
Post by: Greenbank on 22 May, 2017, 11:25:14 am
The W7 patch was released in March. It just goes to show how many people don't bother updating their Windows systems or, if they haven't disabled auto updating, how many don't bother rebooting them for the updates to complete and take effect.
Title: Re: That ransomware attack
Post by: T42 on 22 May, 2017, 01:38:47 pm
Yes.  I run W7 with auto updates but Mrs T had the "not genuine windows" bug and her W7 wasn't updating.  Of course, being the goto geek in the family I should have been onto that, but I did my stint in systems support in the 80s, and mucking about in the grubby guts of Windows has always been something I equated with cleaning dog vomit out of the car, so I didn't.

Anyway, Wannacry does not seem to have struck us, but summat phunny has happened since it appeared. We both run the best email client on the planet, Eudora 7, quite simply because it doesn't do stuff like ActiveX components and other quasi-intelligent shit: it's so dumb it doesn't even do UTF8->ISO unless you select the text and dispatch it via a menu.  Anyway, for the last couple of weeks, almost every time it checks mail it's been throwing up an SSL negotiation failure: destination host name does not match that in certificate.  Nonetheless waiting mail gets downloaded and anything queued gets sent.

Using the same settings as for Eudora, Thunderbird under Ubuntu works quickly and cleanly.  I'm moving Mrs. T permanently to Ubuntu now, but for various reasons I need to stay with W7.  Don't like it much, though.
Title: Re: That ransomware attack
Post by: T42 on 24 May, 2017, 03:34:29 pm
^^^Sussed, fixed. Orange added a new certificate. Thunderbox picked it up automatically, Eudora ran into the idiot wall.

Or maybe Thunderbox doesn't bother with certificates...

Back to Wannacry, if anyone still does.
Title: Re: That ransomware attack
Post by: Greenbank on 27 June, 2017, 06:30:34 pm
And here comes the next ransomware attack based on the same vulnerability for all those people that didn't apply the appropriate fixes.

No simple kill switch this time either.

http://www.bbc.co.uk/news/technology-40416611
Title: Re: That ransomware attack
Post by: Cudzoziemiec on 27 June, 2017, 06:50:03 pm
Ukrainian government and key industries, also Westminster: you have to wonder if the purpose is purely financial?
Title: Re: That ransomware attack
Post by: spesh on 27 June, 2017, 07:15:28 pm
Ukrainian government and key industries, also Westminster: you have to wonder if the purpose is purely financial?

The attack at the weekend on the parliamentary email system was a completely different beast to today's global ransomware attack - you can't lump the two together beyond them both being "cyber".

https://www.theguardian.com/politics/2017/jun/25/cyber-attack-on-uk-parliament-russia-is-suspected-culprit

Title: Re: That ransomware attack
Post by: Mr Larrington on 27 June, 2017, 07:17:36 pm
Surely these things don't specifically target anyone except those who leave their systems vulnerable to attack?
Title: Re: That ransomware attack
Post by: Chris S on 27 June, 2017, 07:21:11 pm
Surely these things don't specifically target anyone except those who leave their systems vulnerable to attack?

They don't "target" anyone at all. This one's pernicious because once on a network, it can spread by itself, without... ahem... "help".
Title: Re: That ransomware attack
Post by: Asterix, the former Gaul. on 28 June, 2017, 08:54:13 am
Is nothing sacred?

Queen Elizabeth vulnerable to cyber-attack (https://www.theguardian.com/technology/2017/jun/27/hms-queen-elizabeth-royal-navy-vulnerable-cyber-attack)

Mark Deller, commander air, said

Quote
“We are a very sanitised procurement train. I would say compared to the NHS buying computers off the shelf, I would think we are probably better than that. If you think more Nasa and less NHS you are probably in the right place. If the Chinese want to flood the market with a particular widget and they put £30m into it, one will eventually get through to the defence procurement chain. We have got people looking at stuff like this all the time.
Title: Re: That ransomware attack
Post by: Ham on 28 June, 2017, 09:25:59 am
Apparently this was targeted, and not for cash.

I heard reported that the malicious code was very complex, professionally written with multiple target vectors. By contrast the ransom code is slipshod, indicating lack of interest.

I wonder who would have expertise in malicious code and a grudge against Ukrainians? Can't think of anyone that fits that description.
Title: Re: That ransomware attack
Post by: andrewc on 28 June, 2017, 09:33:00 am
Apparently this was targeted, and not for cash.

I heard reported that the malicious code was very complex, professionally written with multiple target vectors. By contrast the ransom code is slipshod, indicating lack of interest.

I wonder who would have expertise in malicious code and a grudge against Ukrainians? Can't think of anyone that fits that description.

https://www.wired.com/story/russian-hackers-attack-ukraine/

Quite long, but interesting & scary.
Title: Re: That ransomware attack
Post by: Asterix, the former Gaul. on 28 June, 2017, 11:29:06 am
More so when you appreciate that two prime targets, the USA and the UK are both in political turmoil.  In both cases that turmoil may well have been augmented by the efforts of the Kremlin. Governments in turmoil are not going to act in a concerted fashion about anything that is not immediately necessary to stay in government.  Happy days for the Kremlin.
Title: Re: That ransomware attack
Post by: spesh on 28 June, 2017, 12:15:24 pm
https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/
Title: Re: That ransomware attack
Post by: Aunt Maud on 28 June, 2017, 01:11:59 pm
I wonder if The Maybot has been infected yet ?
Title: Re: That ransomware attack
Post by: Afasoas on 28 June, 2017, 02:22:24 pm
Ukrainian government and key industries, also Westminster: you have to wonder if the purpose is purely financial?

The attack at the weekend on the parliamentary email system was a completely different beast to today's global ransomware attack - you can't lump the two together beyond them both being "cyber".

https://www.theguardian.com/politics/2017/jun/25/cyber-attack-on-uk-parliament-russia-is-suspected-culprit

Our Defence Secretary seems to think 'cyber' is a noun
Quote
So here was yet more evidence that cyber is a truly global phenomenon
https://www.gov.uk/government/speeches/defence-secretarys-speech-at-cyber-2017-chatham-house-conference

Why on earth the G'ment email users were not locked out of their accounts after 3 incorrect password attempts, I do not know*

*Actually I can guess, imagining scenes from Yes Minister.
Title: Re: That ransomware attack
Post by: Asterix, the former Gaul. on 28 June, 2017, 04:20:51 pm
I wonder if The Maybot has been infected yet ?

A strong and stable attack of the brexitmeansbrexit worm complicated by a DUP contagion.  Symptoms are a weak and wobbliness.
Title: Re: That ransomware attack
Post by: Mr Larrington on 28 June, 2017, 06:09:09 pm
Our highly-esteemed and perennially thirsty defence secretary is so in need of a prolonged consultation with the Cluebat that he wants to use the RAF to go after "hackers".  Even if they had any spare aircraft, this does not strike me as a good use of resources.
Title: Re: That ransomware attack
Post by: spesh on 28 June, 2017, 06:51:48 pm
He never said that use of military force in response to a cyber attack on the UK was the sole option.

Though using special forces to sneak into a perp's house and leave a couple of fish fillets wrapped around the CPU heatsink in their computer has a certain appeal.

IGMC...
Title: Re: That ransomware attack
Post by: thing1 on 01 July, 2017, 01:09:49 am
This is rather good

Hitler Reacts to Not-Petya

http://www.captiongenerator.com/587032/Hitler-Reacts-to-Not-Petya
Title: Re: That ransomware attack
Post by: Morat on 03 July, 2017, 11:23:50 pm
Strangely enough, even my Chairman (the least technical person I think I have ever met) sent me an email saying I should do some employee testing on reaction to dodgy emails.
So after a little Googling I came up with this https://getgophish.com/ and ooh boy did poop hit the propeller.
It's a pretty funky little tool if you want to have a play with it :)
Just beware that people would rather be told they're bad at driving or sex than be told they really shouldn't have clicked that link. Or so it seemed last week :O
Title: Re: That ransomware attack
Post by: mrcharly-YHT on 04 July, 2017, 11:54:00 am
I'm not clicking that link at work.  ;)

But I might pass it on to MrsC for use where she works. Could be useful.