Author Topic: That ransomware attack  (Read 24791 times)

Re: That ransomware attack
« Reply #25 on: 13 May, 2017, 04:35:12 pm »
[ETA: reply to Kim]

Well, yes, and if you're going to rely on computers as a core part of your operation, you have to treat them the same way as you would any other infrastructure you rely on. As you say, it's not just evil hackers, you can have a hardware failure at any point for any number of reasons.

Where I currently work, if my PC went tits-up I'd have a replacement within a maximum of 20 minutes, probably 10, and be back up and working. Granted if a few thousand PCs failed it might be a bit longer (on previous experience somewhere else, about 2 hours).

We had a big DDOS attack yesterday. Was it on the news? Well, no, because
It was only a matter of time before something like this happened.
so there were procedures in place and barely anyone outside tech operations even noticed.

ETA: Amber Rudd has just said the attack was "unprecedented". Maybe so, but it shouldn't have been "unexpected".
Quote from: tiermat
that's not science, it's semantics.

Re: That ransomware attack
« Reply #26 on: 13 May, 2017, 04:40:57 pm »
It's a lot bigger than just our NHS.

MS bear some of the blame IMO. 

Quote
Many jobs can be done using software everyone can buy, but some businesses need programs that perform very specific jobs - so they build their own.
For example, a broadcaster might need specialist software to track all the satellite feeds coming into the newsroom, and a hospital might need custom-built tools to analyse X-ray images.
Developing niche but useful software like this can be very expensive - the programming, testing, maintenance and continued development all adds up.
Then along comes a new version of Windows, and the software isn't compatible.

Years ago we built an information system based on DOS.  Fine until MS dropped DOS.  Then our expensive application was toast.  So was the company providing the intermediate programs.  That would have cost millions.  MS simply couldn't care less.
Actually, that isn't really true.

Windows in general, version to version, is very good at providing backwards compatibility. You want terrible support for backwards compatibility? Try any Apple OS. Or, try Linux.

Linux is *awful* at backwards compatibility. So, your application used a particular version of libusb to address that medical device? Tough shit, we've moved on to a new version in the latest Ubuntu, CentOS is still using the old version and who knows what that other version of Linux is going to load. Better get someone to write 5 sets of instructions on how to wrangle multiple versions of libusb onto *your* flavour of Linux.
Or just google it. Stack Overflow is full of questions and answers on this subject because every sysadmin around spends their nights crying or having screaming nightmares about fixing just this problem.
Marmite slave

Re: That ransomware attack
« Reply #27 on: 13 May, 2017, 04:53:35 pm »
...

ETA: Amber Rudd has just said the attack was "unprecedented". Maybe so, but it shouldn't have been "unexpected".

This.

There's nothing terribly wrong with keeping old systems operational, to ensure compatibility with essential software.  I have systems which are based on DOS 3, and which I need to keep available, just in case we need to test a patch for an instrument that was launched in 2000, and built and tested some time prior to that.

There's a lot wrong with keeping those sort of systems attached to the Internet, with no isolation.  If you must connect an unpatched legacy system to the Internet, there are ways to do it, which admittedly are going to be complicated and expensive.  That cost has to be equated against the cost of updating.

Rarely are these requirements for updating entirely unexpected, and we know that all software has a cost in maintenance, but all too often people don't want to pay these costs.
Actually, it is rocket science.
 

Re: That ransomware attack
« Reply #28 on: 13 May, 2017, 04:54:21 pm »
I once spent 6 months modifying systems for a Dutch health insurer so they'd work on a new mainframe OS. But that was in the days when systems were largely bespoke, & most of the world didn't run on software.
"A woman on a bicycle has all the world before her where to choose; she can go where she will, no man hindering." The Type-Writer Girl, 1897

Re: That ransomware attack
« Reply #29 on: 13 May, 2017, 05:01:48 pm »
It's a lot bigger than just our NHS.

MS bear some of the blame IMO. 

Quote
Many jobs can be done using software everyone can buy, but some businesses need programs that perform very specific jobs - so they build their own.
For example, a broadcaster might need specialist software to track all the satellite feeds coming into the newsroom, and a hospital might need custom-built tools to analyse X-ray images.
Developing niche but useful software like this can be very expensive - the programming, testing, maintenance and continued development all adds up.
Then along comes a new version of Windows, and the software isn't compatible.

Years ago we built an information system based on DOS.  Fine until MS dropped DOS.  Then our expensive application was toast.  So was the company providing the intermediate programs.  That would have cost millions.  MS simply couldn't care less.
Actually, that isn't really true.

Windows in general, version to version, is very good at providing backwards compatibility. You want terrible support for backwards compatibility? Try any Apple OS. Or, try Linux.

Linux is *awful* at backwards compatibility. So, your application used a particular version of libusb to address that medical device? Tough shit, we've moved on to a new version in the latest Ubuntu, CentOS is still using the old version and who knows what that other version of Linux is going to load. Better get someone to write 5 sets of instructions on how to wrangle multiple versions of libusb onto *your* flavour of Linux.
Or just google it. Stack Overflow is full of questions and answers on this subject because every sysadmin around spends their nights crying or having screaming nightmares about fixing just this problem.

Just because other systems are worse..

Anyway, I read now that the vulnerability is in SMB1 (Server Message Block v1).  It is a Windows Feature. Nobody should use it or run it.

Quote
The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle.

My W10 is updated asap.  The last was installed 10 May.  I've just checked and SMB1 was still extant.  It isn't now.
Move Faster and Bake Things

Re: That ransomware attack
« Reply #30 on: 13 May, 2017, 05:18:19 pm »
Maybe SMB1, a should-be-defunct, old, vulnerable service is still there because MS were requested to still include it to support old, should-be-updated-or-replaced software?

I'm not claiming MS are good, just that they actually make more effort to include backwards support and compatibility than many other OS's. That leaves the Windows OS open to exploits.
Marmite slave

Re: That ransomware attack
« Reply #31 on: 13 May, 2017, 05:21:36 pm »
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?
Are you saying that software wears out? Interesting. Could you explain the process, please?
What I said is that software requires maintenance.

It's not a secret. If you're lucky the vendor will maintain it for several years, included in the original purchase price. Or they may require an annual fee. I'm struggling to think of an example of *anything* created by a human that would last forever without maintenance.


Quote
I'd be happy to be able to pay a reasonable amount & have up to date security patches, instead of having to get all-new software with built-in downgrades & bugs, but I can't. I'd also like the option to buy minor upgrades at a reasonable price, but again, that's not offered.

Quantify "reasonable amount". If you're one of the last dozen users of Chucky Egg on FlexOS 1.31 how much would it cost to offer you up to date patches? Perhaps it would make more financial sense to use software a lot of other people are using and spread the cost? Perhaps you think my children should go barefoot because, well, software is software, it's not real stuff like food or bikes.
Quote from: tiermat
that's not science, it's semantics.

Morat

  • I tried to HTFU but something went ping :(
Re: That ransomware attack
« Reply #32 on: 13 May, 2017, 06:14:51 pm »
The part of all this that sticks in my throat is that MS have already offered a patch to XP now that the exploit is being abused. This suggests to me that either they had the patch ready to roll out or it was a relatively simple fix. In each case they should have released the damn thing BEFORE thousands of systems were infected with potentially life threatening effect.
MS are a company that exists to make money. I get that. They still have responsibilities and should be held to account in some way for allowing their software to be compromised on such a massive scale apparently through choice.
Everyone's favourite windbreak

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: That ransomware attack
« Reply #33 on: 13 May, 2017, 06:20:56 pm »
Of course they should have offered it before, and most likely most of the NHS would have installed it.

M$ want money for new installs, so they make it difficult for older users. The problem with this approach is the huge capital lumps required every so often to provide new installs. Plus the monstrous time and effort involved in a large roll-out.

I'll bet that M$ aren't so quick to hold back serious patches for legacy systems like this in the future.
It is simpler than it looks.

Kim

  • Timelord
    • Fediverse
Re: That ransomware attack
« Reply #34 on: 13 May, 2017, 06:26:03 pm »
If they're not going to support it, maybe they should be compelled to open source it?[1]  Disney would never stand for that sort of abuse of copyright law, thobut.


[1] I appreciate this would cause half the world to switch to FreeXP immediately, making a huge dent in their bottom line.  I wouldn't be surprised if they were sitting on a fully functional Linux version of MS Office for the same reason.

Morat

  • I tried to HTFU but something went ping :(
Re: That ransomware attack
« Reply #35 on: 13 May, 2017, 06:43:46 pm »
Well if they are serious about W10 being the final release with features being introduced as patches (that's how I read https://www.theverge.com/2015/5/7/8568473/windows-10-last-version-of-windows) then hopefully the whole rigmarole of reinstalling your applications to new server builds will be a grim memory. Not that it'll help much if you don't keep your applications tested against the latest Windows Updates.
Everyone's favourite windbreak

Re: That ransomware attack
« Reply #36 on: 13 May, 2017, 06:59:51 pm »
The issue is much simpler, and driven by each and every one of us. We all want to make happy use of Moore's law, we are all far less tolerant of issues caused by IT, we all want more for less. Functionally, DOS 2.1 with Supercalc and Wordstar would be perfect, eh?

That continual drive for faster, better, easier has a price to pay. Microsoft are dominant and therefore have to shoulder responsibility for the systems they sell, but actually they don't make too bad a fist out of it, much as I loathe, hate and despise them, up against Larry Ellison or Apple they are of a piece - possibly on slightly higher ground. But then, they make a change like removing the option to update or not making updates compulsory, and everyone is up in arms.

So anyway, systems will continue to improve and it is not unreasonable for any supplier to charge for new versions (MS is moving to a subscription model), but that's only the OS side of the story. Over that, there's the middleware and the application, each of which will have their own vulnerabilities and upgrade path.

Right at the sharp end is the application vendor, who effectively integrates and supports the whole thing. Those applications are what you, the end user experiences. Doesn't matter how complex the system is, you just want it to work. And importantly, carry on working. That's where software maintenance comes in. Except that maintenance only covers that version, never the upgrade. And organisations like NHS would be penalised if they tried to salt away money for the next version (even if they could afford it). Simply, in public finance you use it or lose it. Plus, the overwhelming majority of businesses I see, whatever sector, never invest ahead in the "next version", if you are lucky they will cover hardware refresh.

So, why does anyone expect any different outcome?

Afasoas

Re: That ransomware attack
« Reply #37 on: 13 May, 2017, 07:15:50 pm »
Hmmm. Amber Rudd says this will make the NHS spend money updating its systems. You'd better give it some more money then, Amber!

As for the rolling news yesterday...
I learnt from experts that no protection would have stopped this attack and that ALL operating systems were at risk from this malware. Also that the best approaches might be to restore from back-up or pay the attackers. Except they weren't clear how the NHS could get so many bitcoins together.

At least today's BBC report states it only affects Windows systems, so they seem to have grasped the nature of the threat better than the industry experts they used yesterday.

So much misinformation circulating around the mainstream media. Very little mention of this attack's origins (NSA exploits called Eternalblue and Doublepulsar).
This was patched in March. The Conservatives shouldn't have ended their extended support agreement with Microsoft. Any machines running XP to support, for example, MRI scanners (legacy) should have been segmented into their own networks, with much stricter security and checks and balances on data shared with mainstream systems.

And honestly, I don't blame Microsoft for this. XP is very old and they shouldn't support it, no matter how hard organisations beg them to. A codebase has a lifespan, over time it gets harder and more expensive to maintain/patch properly/regression test. We should accept that and move on. It wasn't a surprise when DOS disappeared. As it wasn't a surprise that XP is no longer supported. I wouldn't expect the manufacturer of my similarly aged car to make a recall to address a defect, what with so few of them left on the road, so why should I expect it from Microsoft?

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: That ransomware attack
« Reply #38 on: 13 May, 2017, 07:39:02 pm »
So, why does anyone expect any different outcome?

It's quite simple, as you say.

If M$ would like the future HUGE business of the NHS, look after them until they are ready to change. If they don't care about that future business, then cast them adrift. Understand your customers and their needs. Don't treat them as a stupid cash cow (that's you Adobe, that is).
It is simpler than it looks.

Re: That ransomware attack
« Reply #39 on: 13 May, 2017, 08:09:34 pm »
NHS should have been moving anything needing winXP onto citrix thin clients or equivalent. Then when ransomware hit, just kill the client.

But that would have required investment. Requiring money.
Marmite slave

Re: That ransomware attack
« Reply #40 on: 13 May, 2017, 09:06:25 pm »
I'd be happy to be able to pay a reasonable amount & have up to date security patches, instead of having to get all-new software with built-in downgrades & bugs, but I can't. I'd also like the option to buy minor upgrades at a reasonable price, but again, that's not offered.

You can do exactly this, it's called updating your operating system. Generally it's not as expensive as buying a full blown copy of the latest Windows release each time it comes out, MS offer such upgrades at a much reduced cost, but I guess it's still probably more than you are prepared to pay (although MS recently updated many people to Windows 10 for free).

Sure, they break backwards compatibility often, it won't affect 99% of the applications/users, but sometimes it is just impossible to maintain it; it often relies upon third party software that is beyond their control.

Just remember that each new Windows release is just the same software as the previous release but with a few more features, bumped up revision numbers, tweaks to the visual components, a load of bugs fixed, a load of new bugs added and some old crap that they don't want to deal with any more deprecated. It's not a complete rewrite each time; probably >98% of the code of a new release is the same as in the previous release. The reason they had to patch every Windows version when this vulnerability was found is because they all share the same implementation that is susceptible.

The majority of people don't keep their machines up to date because the update installation mechanism represents poor user experience (long slow downloads, reboot requests at inappropriate times, long downtime during reboots, etc) and so people often disable it or put it off as much as they can. People don't upgrade the OS because they don't want to pay that cost, they're happy with what they already run and don't want to have to go through a period of getting to know the new GUI trickery.

My W10 is updated asap.  The last was installed 10 May.  I've just checked and SMB1 was still extant.  It isn't now.

The underlying protocol isn't a problem, it was their implementation of it. They've patched their dodgy implementation so it is, in theory, safe to run. Of course, there could be yet another vulnerability out there in their implementation that no-one has discovered yet and could be used for exactly the same purpose; just as there could be plenty of undiscovered vulnerabilities in any of the parts of Windows you can't disable because they are really bits of it that you do use regularly. Minimising the attack surface is a good idea, but it doesn't render you impervious.

Some security solutions have been implemented; things like Windows Defender and fairly freely available anti-Virus software from many of the commercial anti-Virus companies, but on the flip side, email clients which let you freely click on anything, poorly secured things like Shockwave via web-browsers, and Windows networking, have all made it far too easy for the average user to become infected.

The irony is that Windows Defender and pretty much all of the anti-virus solutions are riddled with vulnerabilities. They're just as insecure as any other type of software.

Here's one from just 4 days ago that affected Windows Defender: https://arstechnica.co.uk/information-technology/2017/05/windows-defender-nscript-remote-vulnerability/

It required no user interaction at all and could compromise the machine it was running on.

Writing secure software is very very hard.
"Yes please" said Squirrel "biscuits are our favourite things."

Kim

  • Timelord
    • Fediverse
Re: That ransomware attack
« Reply #41 on: 13 May, 2017, 09:26:09 pm »
The majority of people don't keep their machines up to date because the update installation mechanism represents poor user experience (long slow downloads, reboot requests at inappropriate times, long downtime during reboots, etc) and so people often disable it or put it off as much as they can. People don't upgrade the OS because they don't want to pay that cost, they're happy with what they already run and don't want to have to go through a period of getting to know the new GUI trickery.

There's a lot of truth here, at least outside large organisations where the end users don't get a choice in the matter.

Windows Update was historically annoying enough that users disabled it and never applied updates.  So in their infinite wisdom, instead of actually fixing the problem, Microsoft went to the other extreme and made it much harder to avoid, leading to nagging and compulsory reboot horrors.

It's not that hard.  Most modern Linux distributions manage to apply updates almost completely transparently (there's obviously some resource overhead involved in downloading and installing the update, but there's generally less bloat involved, which helps).  Reboots are only required for kernel updates, and those can be postponed indefinitely.  Of course, Linux package managers have the distinct usability advantage of being able to manage the third-party software too.  Same goes for Android and iOS, and presumably OSX.

Major updates carry a risk of breaking something on any platform.  It's understandable that end users with mission critical computers and no easy way of testing avoid them...

Mr Larrington

  • A bit ov a lyv wyr by slof standirds
  • Custard Wallah
    • Mr Larrington's Automatic Diary
Re: That ransomware attack
« Reply #42 on: 14 May, 2017, 12:46:29 pm »
I'm still trying to figure out Windows 10 updates.  The PC in the Estate Office had a big update the other day, but it hasn't yet shown up on the one in the Great Hall ???
External Transparent Wall Inspection Operative & Mayor of Mortagne-au-Perche
Satisfying the Bloodlust of the Masses in Peacetime

barakta

  • Bastard lovechild of Yomiko Readman and Johnny 5
Re: That ransomware attack
« Reply #43 on: 14 May, 2017, 01:02:21 pm »
I have a Win 10 install with a buggered Windows Update (don't know how long for cos I only use it once every few weeks for the Scanner and ProperCraprobatTM) which I couldn't work out how to fix mid-preparing for a job interview 2 weeks ago.

I am still using a WinXP notebook cos it has the last remaining decent (accessible to me) keyboard of a portable device. I occasionally manually mount an SMB share to shove documents onto my /home on our server.

I'm waiting for Kim to be properly awake so she can disable the Samba server on our network and anything else security precaution wise so I can apply the Patch to the XP device and go and hit the Win 10 install (other half of the hard disk running my preferred Debian OS) with sticks till I can fix it without risking other stuff on the network...

Re: That ransomware attack
« Reply #44 on: 14 May, 2017, 01:19:27 pm »
A timely reminder for me to do some housekeeping.   

All critical stuff is backed up in three places.  A machine can be bombed as there are other machines available to me now should I need them.

Ben T

Re: That ransomware attack
« Reply #45 on: 14 May, 2017, 09:06:00 pm »
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?

To me, it's on a par with, and similarly reprehensible as, serving patients out of date food.

Cudzoziemiec

  • Ride adventurously and stop for a brew.
Re: That ransomware attack
« Reply #46 on: 14 May, 2017, 09:15:18 pm »
The odd thing to my mind is that the hackers demanded £300 (in bitcoin) to release all the data. Perhaps that meant £300 per machine or possibly it was a totally made up figure but it was reported (Friday) as £300 from the whole NHS. Ridiculously cheap surely?
Riding a concrete path through the nebulous and chaotic future.

Kim

  • Timelord
    • Fediverse
Re: That ransomware attack
« Reply #47 on: 14 May, 2017, 09:19:43 pm »
The demand was per-machine.  They wouldn't have known what they were infecting.

As of yesterday, they'd received all of $26000 total.  Small change for the chaos caused.

https://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: That ransomware attack
« Reply #48 on: 14 May, 2017, 09:52:31 pm »
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?

To me, it's on a par with, and similarly reprehensible as, serving patients out of date food.

Stick to whatever it is you do. The comparison is risible.
It is simpler than it looks.

Kim

  • Timelord
    • Fediverse
Re: That ransomware attack
« Reply #49 on: 14 May, 2017, 09:57:25 pm »
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?

To me, it's on a par with, and similarly reprehensible as, serving patients out of date food.

Stick to whatever it is you do. The comparison is risible.

It's not a bad metaphor for failing to keep systems up to date, thobut.