Thread: NHS cyber attack Board: Hell / Ship of Fools.
To visit this thread, use this URL:
http://forum.ship-of-fools.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=3;t=005678
Posted by Sipech (# 16870) on
:
To the person or people responsible for a massive hack on the NHS's computers, you are the most sickening of evil cunts. Was it some kind of joke to you? Did you think of the potential ramifications of your actions. Of the thousands of ill people in hospital, needing care and treatment from an already under-funded and strained system, staffed by people of great humanity and compassion, how many of them hurt you?
It would be understandable if someone wished to pour battery acid into your orifices as punishment for what you've done. And you know what? The NHS would be there to try to save you and treat your injuries. Because that's what good people do.
Posted by Paul. (# 37) on
:
How dare hackers hold the NHS to ransom, that's the government's job!
Though actually, it's still unclear exactly what's happened. I'm not sure this was an attack targeted at the NHS specifically. It looks more like an opportunistic bit of malware that happens to have infected a lot of NHS computers.
Of course there's a good chance that they happen to be particularly vulnerable because of the lack of resources for up to date software, for training etc.
Posted by Boogie (# 13538) on
:
It would have been excellent if the hackers became in dire need of hospital treatment on the very day they wouldn't get it.
Hopefully their dicks rotted away before their eyes while the doctors tried in vain to access their notes.
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by Paul.:
How dare hackers hold the NHS to ransom, that's the government's job!
If they hadn't attacked soon, the corpse's purse would have been empty.
quote:
Of course there's a good chance that they happen to be particularly vulnerable because of the lack of resources for up to date software, for training etc.
This is likely the case for the majority of places affected. Agencies/businesses need to constantly prepare. With the NHS budget already under threat, they will have been less prepared.
Posted by Boogie (# 13538) on
:
Don't blame the victim
Posted by Schroedinger's cat (# 64) on
:
I have been in IT for many years. Very occasionally, I have fallen foul of attacks - despite knowing the risks knowing how to keep safe.
Don't blame the NHS staff, they have enough to deal with being held to ransom by the Tories. And it is hard to see it as a targetted attack.
But the people who write these things, which are deliberately written and distributed to extort money. I hope their gonads rot off.
Posted by balaam (# 4543) on
:
It's hard to say if greed or selfishness is the motivation behind this.
Unlike Schroedinger's cat I hope their gonads stay attached. Painfully infected, but attached.
Posted by lilBuddha (# 14333) on
:
Who is blaming the victim? Certainly not me.
But I would be shocked if the NHS system was up to par.
Posted by Karl: Liberal Backslider (# 76) on
:
Guess who's still at work sorting the mess out?
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by Karl: Liberal Backslider:
Guess who's still at work sorting the mess out?
The NHS IT staff. And?
Posted by rolyn (# 16840) on
:
All this talk of dicks and gonads. I suppose one has to assume the perpetrator(s) is/are male
Totally unscrupulous criminals are a problem, total computer dependency is a problem. Here endeth the stating of the bleeding obvious.
Posted by Ricardus (# 8757) on
:
quote:
Originally posted by Paul.:
How dare hackers hold the NHS to ransom, that's the government's job!
Though actually, it's still unclear exactly what's happened. I'm not sure this was an attack targeted at the NHS specifically. It looks more like an opportunistic bit of malware that happens to have infected a lot of NHS computers.
Yes, I think if I was going to hold the NHS to ransom I'd ask for a bit more than $300. Although maybe they worked out that's how much is left in the kitty.
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by rolyn:
All this talk of dicks and gonads. I suppose one has to assume the perpetrator(s) is/are male
Totally unscrupulous criminals are a problem, total computer dependency is a problem. Here endeth the stating of the bleeding obvious.
Not sure how you would pull computers out of the equation, it would be difficult to do the job without them.
Posted by Wesley J (# 6075) on
:
It's all over the world, and not only targetting the NHS in the UK, according to Reuters!
Posted by Jay-Emm (# 11411) on
:
quote:
Originally posted by lilBuddha:
quote:
Originally posted by Karl: Liberal Backslider:
Guess who's still at work sorting the mess out?
The NHS IT staff. And?
The NHS non IT staff? (with running a hospital sans IT and catching up on a backlog)
Posted by Jay-Emm (# 11411) on
:
You do wonder if the back doors they keep wanting left the vulnerabilities exposed to more than they intended.
Posted by Jay-Emm (# 11411) on
:
[sorry for triple post]
In fact it seems that not only was it a vulnerability that was willfully left exposed. But the bandits learned of the vulnerability from them. So they really are doubly culpable.
Posted by lilBuddha (# 14333) on
:
What I've read leans towards a random attack that found weakness at the NHS as well as many other places around the world. And given that the ransom is generated per computer, from each computer. The low amount of ransom, $300 per computer further backs this.
Posted by Karl: Liberal Backslider (# 76) on
:
Just got to bed. They'll not make a penny out of it. Not on my watch.
Posted by Golden Key (# 1468) on
:
lilBuddha--
quote:
Originally posted by lilBuddha:
quote:
Originally posted by Karl: Liberal Backslider:
Guess who's still at work sorting the mess out?
The NHS IT staff. And?
And Karl, I think. Also check his post, just above this one, about working late.
[ 13. May 2017, 01:19: Message edited by: Golden Key ]
Posted by Ian Climacus (# 944) on
:
I read MS pushed out the updates to prevent this attack in March , so those impacted were slightly behind in their updates.
Still, the people who get off on this are fuckwits of the highest order. It is rather frightening how vulnerable we all are in this connected world.
Posted by Karl: Liberal Backslider (# 76) on
:
The vulnerability addressed by the March patch was not the only vector. Malicious email may have also been imvolved from what I've seen.
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by Ian Climacus:
Still, the people who get off on this are fuckwits of the highest order. It is rather frightening how vulnerable we all are in this connected world.
This doesn't a[pear to be 'people who get off on this', but rather money. Doesn't make them better for that, but it is likely a more accurate motive.
Posted by Ian Climacus (# 944) on
:
Thanks for the corrections.
Posted by Ricardus (# 8757) on
:
quote:
Originally posted by Karl: Liberal Backslider:
The vulnerability addressed by the March patch was not the only vector. Malicious email may have also been imvolved from what I've seen.
Pfft - clearly you didn't apply the necessary hashtags.
Posted by rolyn (# 16840) on
:
quote:
Originally posted by lilBuddha:
[QB Not sure how you would pull computers out of the equation, it would be difficult to do the job without them. [/QB]
Returning to the filing cabinets of yesteryear isn't going to happen, but if computers are not failsafe then it would be wise to have some backup mechanism like duplicates on paper.
For some reason the computer age makes me think of the Egyptian Pharaohs sealed in their gigantic solid stone structures with all their riches. Some fucker's gonna get in there, it's just a fact.
Posted by Alan Cresswell (# 31) on
:
The problem with a duplicate on paper is that if it's in a filing cabinet with your GP that doesn't help if you go into hospital - not only doesn't the hospital have the paper records, adding to those records to record tests & treatments is much harder. The benefit of a computerised system is that information is available wherever you are. Though the benefits of all that interconnectivity is that it opens a risk of something like this affecting more than a few stand-alone computers.
And, there was Amber Rudd on the TV this morning saying that the NHS should have invested in upgrading the computer system (presumably from a £350m per week extra cash source), and should have backed-up records so they can simply be restored (I guess she's never restored a PC from a back-up, and doesn't realise how much time it takes to do that even for a stand-alone PC let alone a national network of the necessary complexity of the NHS). She seems to be trying to outdo Jeremy Hunt in the "haven't a clue about the real world" game.
Posted by Doublethink. (# 1984) on
:
The government chose not to pay to extend support for windows xp, cos cuts, so patch updates not happening.
They were warned of the risks, by the Labour Party amongst others, last year.
Posted by Jay-Emm (# 11411) on
:
quote:
Originally posted by Doublethink.:
The government chose not to pay to extend support for windows xp, cost cuts, so patch updates not happening.
Penny wise...
Posted by Ricardus (# 8757) on
:
quote:
Originally posted by Alan Cresswell:
The problem with a duplicate on paper is that if it's in a filing cabinet with your GP that doesn't help if you go into hospital - not only doesn't the hospital have the paper records, adding to those records to record tests & treatments is much harder. The benefit of a computerised system is that information is available wherever you are. Though the benefits of all that interconnectivity is that it opens a risk of something like this affecting more than a few stand-alone computers.
My other half tells me there are paper backups, at least for the particular records she was unable to access last night, but they really are a last resort, for the reasons you say.
quote:
And, there was Amber Rudd on the TV this morning saying that the NHS should have invested in upgrading the computer system (presumably from a £350m per week extra cash source), and should have backed-up records so they can simply be restored (I guess she's never restored a PC from a back-up, and doesn't realise how much time it takes to do that even for a stand-alone PC let alone a national network of the necessary complexity of the NHS). She seems to be trying to outdo Jeremy Hunt in the "haven't a clue about the real world" game.
Amber Spiv really is a despicable human being. I might have mentioned once or twice that I don't like Jeremy Corbyn's mob, but I'll give them credit that they don't have anyone like her on board. AFAICT, she got the job of Home Secretary so that by comparison Theresa May would look successful.
Amber Spiv's career before entering Parliament.
Posted by balaam (# 4543) on
:
quote:
Originally posted by Alan Cresswell:
And, there was Amber Rudd on the TV this morning saying that the NHS should have ... backed-up records so they can simply be restored (I guess she's never restored a PC from a back-up, and doesn't realise how much time it takes to do that even for a stand-alone PC let alone a national network of the necessary complexity of the NHS).
It looks like there were backups which were not immediately available, at least on a health authority basis, whether some GP surgeries have lost data remains to be seen.
Posted by Holy Smoke (# 14866) on
:
quote:
Originally posted by Boogie:
Don't blame the victim
Oh please, cut out the PC crap. It is almost entirely the victims' fault in this case - they have had years and years to make their systems secure (extended support for Windows XP ended two years ago), and to educate themselves about the risks. There just seems to be some endemic problem with senior NHS management, in that they seem to think their jobs are just about ticking the right boxes and collecting their (grossly inflated) salaries, rather than about applying their common sense and judgement to running hospitals and health trusts.
Posted by Doc Tor (# 9748) on
:
I'd be more tempted to blame the government that terminated the maintenance contract with Microsoft so that XP was kept up to date on security issues.
But whatever floats your boat. You clearly have an axe to grind on this, and I'm glad we were here for you in your hour of need.
Posted by Penny S (# 14768) on
:
In the case of the person I have been "caring" for, with three different hospitals and two different surgeries involved, none of them have been able to access information about previous treatment. Two of the hospitals have been part of the same organisation and share nursing staff. I'm not convinced about the computer network making things easier.
[ 13. May 2017, 14:00: Message edited by: Penny S ]
Posted by Sioni Sais (# 5713) on
:
quote:
Originally posted by Penny S:
In the case of the person I have been "caring" for, with three different hospitals and two different surgeries involved, none of them have been able to access information about previous treatment. Two of the hospitals have been part of the same organisation and share nursing staff. I'm not convinced about the computer network making things easier.
A network that had been maintained with the necessary security updates would have been in a far better state.
Posted by Karl: Liberal Backslider (# 76) on
:
quote:
Originally posted by Sioni Sais:
quote:
Originally posted by Penny S:
In the case of the person I have been "caring" for, with three different hospitals and two different surgeries involved, none of them have been able to access information about previous treatment. Two of the hospitals have been part of the same organisation and share nursing staff. I'm not convinced about the computer network making things easier.
A network that had been maintained with the necessary security updates would have been in a far better state.
Yes, wouldn't it. However it's never that simple. IT professionals do not leave stuff unpatched for fun, for shniggles, or, in the main, out of imcompetence (there's always one, of course). There are a number of factors which can put a delay between patch release and implementation, in any large organisation especially. Of the top of my head:
*legacy software that was written for an OS three generations ago and which needs extensive testing on new OSes or patch levels;
*negotiation of downtime;
*experience of dodgy patches in the past leading to a desire to wait just to make sure MS doesn't pull it the next day;
*company change procedures and policies that simply take time.
All in all, I'm not really surprised a March patch wasn't universally in place.
[ 13. May 2017, 14:31: Message edited by: Karl: Liberal Backslider ]
Posted by Schroedinger's cat (# 64) on
:
quote:
Originally posted by Holy Smoke:
quote:
Originally posted by Boogie:
Don't blame the victim
Oh please, cut out the PC crap. It is almost entirely the victims' fault in this case - they have had years and years to make their systems secure (extended support for Windows XP ended two years ago), and to educate themselves about the risks. There just seems to be some endemic problem with senior NHS management, in that they seem to think their jobs are just about ticking the right boxes and collecting their (grossly inflated) salaries, rather than about applying their common sense and judgement to running hospitals and health trusts.
So your holy smoke comes out of your arse does it?
It is a lack of funding. The cost of a proper upgrade is huge - computers that need replacing, software that needs updating, not to mention the whole testing process required. It would have involved huge government investment to do that.
When people say "just keep your equipment up to date" they normally have no clue what that means. It is not the same as upgrading your home PC. It is a far more complex process.
Posted by Ricardus (# 8757) on
:
quote:
Originally posted by Holy Smoke:
Oh please, cut out the PC crap.
Proof, if any were needed, that though PC may once have referred to a real concept, it now mostly means 'I am a moron'.
quote:
There just seems to be some endemic problem with senior NHS management, in that they seem to think their jobs are just about ticking the right boxes and collecting their (grossly inflated) salaries, rather than about applying their common sense and judgement to running hospitals and health trusts.
Well, given that the likes of Nissan, Telefónica, Fedex, and Renault have all been affected, it doesn't look like the NHS management is uniquely bad.
Posted by Boogie (# 13538) on
:
quote:
Originally posted by Holy Smoke:
quote:
Originally posted by Boogie:
Don't blame the victim
Oh please, cut out the PC crap. It is almost entirely the victims' fault in this case - they have had years and years to make their systems secure (extended support for Windows XP ended two years ago), and to educate themselves about the risks. There just seems to be some endemic problem with senior NHS management, in that they seem to think their jobs are just about ticking the right boxes and collecting their (grossly inflated) salaries, rather than about applying their common sense and judgement to running hospitals and health trusts.
You leave your house unlocked and get burgled. The blame remains with the thief, not you. Yes - it's entirely sensible to lock your doors and windows and insurance companies won't pay out if you don't . But the blame lies 100% with the criminal all the same. If they are caught will the law say 'ah, but he was entitled to your stuff, after all, you didn't lock it up.
PC? Means nothing.
Posted by Jay-Emm (# 11411) on
:
quote:
Originally posted by Boogie:
You leave your house unlocked and get burgled. The blame remains with the thief, not you. Yes - it's entirely sensible to lock your doors and windows and insurance companies won't pay out if you don't . But the blame lies 100% with the criminal all the same. If they are caught will the law say 'ah, but he was entitled to your stuff, after all, you didn't lock it up.
PC? Means nothing. [/QB]
You promise to look after your neighbours house for the weekend in exchange for something decent (enough that you had to compete to look after the house). However sorting out the keys is too much bother so you continuously leave it unlocked (after all it's not your fault or your house). It gets burgled.
I think the neighbours entitled to take both you (for criminal negligence) and the burgleriser (for burgling) to court [that's more on the government rather than the NHS]
[ 13. May 2017, 16:05: Message edited by: Jay-Emm ]
Posted by lilBuddha (# 14333) on
:
I am not an IT professional though some of my work has been IT adjacent. So view this post through that filter.
- Those who have neglected to buy stone for the walls, should not complain when the barbarians come through the holes. Which is exactly what Rudd is doing.
- Even the best constructed fortress is vulnerable if someone opens the gates. No matter the level of protection, it is difficult to protect from inside attacks, which is essentially what happens when someone clicks an infected link in an e-mail.
- Win XP and legacy software
Also, in part, a funding issue. Legacy software will always be a problem, but it does take money to upgrade. Money that has been bled out by the Tories. The flip side of this is people. People don't like change and it can be difficult to get them to accept it. Change also may cause its own problems. - Large organisations (public and private) will never¹ have the best in protection because of they are large.²
- Protecting against malware is always playing with a handicap. You can know what attacks have been used, but you cannot know what will be used. There will always be vulnerability.
¹Yeah, I know, superlatives. There will be exceptions, but this is true enough to be a rule.
²This also offers protections I was going to explain the dynamics, but that is definitely its own thread. Suffice to say that small offers its own issues.
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by Boogie:
You leave your house unlocked and get burgled. The blame remains with the thief, not you. Yes - it's entirely sensible to lock your doors and windows and insurance companies won't pay out if you don't . But the blame lies 100% with the criminal all the same.
Well, no. Percentages don't mean anything here, I do wish people would not use zero-sum terminology where it does not apply.
If your home is robbed because you did not lock it, the thief is completely to blame for his actions. And you are to blame for not locking it. His sentence should not be reduced, nor his guilt mitigated in any way. It still remains your fault as well.
In this case, it is more that the government wouldn't buy a decent lock of the door to the NHS. The lock they had wasn't sufficient to the task.
Posted by mr cheesy (# 3330) on
:
It would be incredibly surprising* if patient records were not affected, as is being claimed.
Malware gets into individual computers and is able to spread into the wider network. How can that not have affected central records systems?
* of course, I know nothing. I am not an IT professional
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by mr cheesy:
It would be incredibly surprising* if patient records were not affected, as is being claimed.
Malware gets into individual computers and is able to spread into the wider network. How can that not have affected central records systems?
* of course, I know nothing. I am not an IT professional
By 'affected' they mean compromised confidentiality.
Posted by mr cheesy (# 3330) on
:
Ah OK I suppose that makes sense - the malware is making the data inaccessible, not public.
Sorry, my mistake.
Posted by Alan Cresswell (# 31) on
:
The claim, as I understand it, is that patient records remain confidential and privacy has not been compromised. There will, however, be impact on those records - entries made since the last back-up may be lost, for example. The particular bit of criminality that caused these problems has locked access to data held on a large number of computers (potentially including central records if servers were compromised), it hasn't copied any data to another location.
Posted by Amanda B. Reckondwythe (# 5521) on
:
quote:
Originally posted by Karl: Liberal Backslider:
IT professionals do not leave stuff unpatched for fun . . . . There are a number of factors which can put a delay between patch release and implementation. . . .
*experience of dodgy patches in the past leading to a desire to wait just to make sure MS doesn't pull it the next day;
Having had experience with applying a patch that broke more than it fixed, I can second that.
Add to this the effort it takes to find downtime during which to install the patches. True, large organizations probably have redundant servers that can shoulder the load of servers taken down to be patched, but smaller organizations don't have that luxury. Unless management is convinced that downtime during which to install patches is necessary, the IT staff are powerless.
And no patch is going to prevent users from opening e-mail that launches infected files, regardless of how many times they've been warned not to do so.
As for backups -- the purpose of backups is to enable restoration in the case of catastrophic failure. To complain that it takes a long time to restore a system from backups begs the question. Yes, it takes a long time, but that's the name of the game. Of course, depending on when the backups were made, you're going to lose a day or two of work, but that's better than losing the entire work product.
Posted by mr cheesy (# 3330) on
:
quote:
Originally posted by Amanda B. Reckondwythe:
As for backups -- the purpose of backups is to enable restoration in the case of catastrophic failure. To complain that it takes a long time to restore a system from backups begs the question. Yes, it takes a long time, but that's the name of the game. Of course, depending on when the backups were made, you're going to lose a day or two of work, but that's better than losing the entire work product.
It sounds like one needs a backup which is physically disconnected from the desktops and the internet to avoid spreading the malware. I wonder how many now have backups like that.
Posted by Holy Smoke (# 14866) on
:
quote:
Originally posted by Boogie:
[/qb]
You leave your house unlocked and get burgled. The blame remains with the thief, not you. Yes - it's entirely sensible to lock your doors and windows and insurance companies won't pay out if you don't . But the blame lies 100% with the criminal all the same. If they are caught will the law say 'ah, but he was entitled to your stuff, after all, you didn't lock it up.[/QUOTE]
The criminal is responsible for committing the crime, but it's not his fault that you didn't take sensible precautions, it's your fault.
quote:
PC? Means nothing.
In this case, it means that your are applying the meme "the victim is never at fault", which is a political statement, not a statement of everyday fact. In the case of the ransomware attack, the fault is almost entirely with the victims, because they failed to take basic precautions.
[ 13. May 2017, 16:39: Message edited by: Holy Smoke ]
Posted by Holy Smoke (# 14866) on
:
quote:
Originally posted by Ricardus:
Well, given that the likes of Nissan, Telefónica, Fedex, and Renault have all been affected, it doesn't look like the NHS management is uniquely bad.
I would guess that the commercial organizations have either been slow rolling out the patch, or that the patch has been rolled out, but individual workstations haven't been rebooted. What makes the NHS situation uniquely bad is that a) they have had four years to get their systems upgraded (or longer - Windows 7 was released in 2009), and b) their warped sense of priorities, whereby the units affected apparently considered that such an upgrade was purely option, if they happened to have the funds available. It should also be noted that many trusts and hospitals did get their act together, and consequently weren't affected.
Posted by Boogie (# 13538) on
:
A question - are Apple systems as susceptible to hacking as Microsoft?
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by Holy Smoke:
In the case of the ransomware attack, the fault is almost entirely with the victims, because they failed to take basic precautions.
Are you an idiot or are you at fault for not refreshing your browser and reading the posts between that one and this statement?
You want someone to blame besides the attackers, blame the fucking Tories. If the bastards had properly funded the NHS and this had happened, then you could possibly apportion blame to the NHS.
BTW, the victims are the patients.
Posted by Jay-Emm (# 11411) on
:
quote:
Originally posted by Boogie:
A question - are Apple systems as susceptible to hacking as Microsoft?
No, but...
(part of which is the proportionately smaller market giving a kind of herd immunity, that MS have to keep things consistent to let many more older programs work*, and that old vulnerable systems need to be used for the dedicated software that can't make the jump)
*there's a story about 95 and sim city.
Posted by Sioni Sais (# 5713) on
:
quote:
Originally posted by Karl: Liberal Backslider:
quote:
Originally posted by Sioni Sais:
quote:
Originally posted by Penny S:
In the case of the person I have been "caring" for, with three different hospitals and two different surgeries involved, none of them have been able to access information about previous treatment. Two of the hospitals have been part of the same organisation and share nursing staff. I'm not convinced about the computer network making things easier.
A network that had been maintained with the necessary security updates would have been in a far better state.
Yes, wouldn't it. However it's never that simple. IT professionals do not leave stuff unpatched for fun, for shniggles, or, in the main, out of imcompetence (there's always one, of course). There are a number of factors which can put a delay between patch release and implementation, in any large organisation especially. Of the top of my head:
*legacy software that was written for an OS three generations ago and which needs extensive testing on new OSes or patch levels;
*negotiation of downtime;
*experience of dodgy patches in the past leading to a desire to wait just to make sure MS doesn't pull it the next day;
*company change procedures and policies that simply take time.
All in all, I'm not really surprised a March patch wasn't universally in place.
Back in the dim and distant past I was involved in changing from an earlier version of Windows to Windows XP. That meant testing stuff under both operating systems to ensure the results were the same. It wasn't thrilling and it took months. Even then there were a few applications that wouldn't run under XP, so they had to be isolated until we replaced them. What we did do was put in place a regular maintenance regime with monthly routine update plus emergency updates as required.
If there is a problem it is that if you let things slip, it's difficult to drag yourself back to a safe place.
Posted by Holy Smoke (# 14866) on
:
quote:
Originally posted by lilBuddha:
quote:
Originally posted by Holy Smoke:
In the case of the ransomware attack, the fault is almost entirely with the victims, because they failed to take basic precautions.
Are you an idiot or are you at fault for not refreshing your browser and reading the posts between that one and this statement?
No, I think the problem is that I disagree with you.
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by Boogie:
A question - are Apple systems as susceptible to hacking as Microsoft?
The simple answer is not really.
Apple have fewer attacks primarily because there are fewer Apple computers and therefore they are a a less profitable target.
Backwards compatibility, not having control over hardware and other issues add to the vulnerability of Windows systems.
But anyone thinking that mass switching to Apple will end this sort of problem is delusional.
Besides, the cost of doing so would be massive. New computers, new servers, tons of training, new software purchases. new patient management systems, data migration, data recreation after inevitable losses in the migration, etc.
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by Holy Smoke:
quote:
Originally posted by lilBuddha:
quote:
Originally posted by Holy Smoke:
In the case of the ransomware attack, the fault is almost entirely with the victims, because they failed to take basic precautions.
Are you an idiot or are you at fault for not refreshing your browser and reading the posts between that one and this statement?
No, I think the problem is that I disagree with you.
I've outlined some of why the blame lies elsewhere. Do you have anything besides disagreement to counter that?
Posted by Net Spinster (# 16058) on
:
quote:
Originally posted by Boogie:
A question - are Apple systems as susceptible to hacking as Microsoft?
They are susceptible but in different ways. However many more business operations are run on MS so many hackers concentrate on MS.
I gather that the NHS still had a lot of computers running Windows XP which is highly vulnerable since security patches have not been released for it for several years. Why NHS did not update could be for a combination of reasons.
1. Computer just not updated to a more recent version of the operating system because of
a. time constraints (its been a few years folks)
b. cost of the upgrade
c. user doesn't like the newer versions
d. specialized legacy software that only runs on XP (I work for an organization that has a few systems like that and they are isolated on the network [to get to them remotely you need to go through a more secure gateway] and used only for the legacy software [no web browsing or email reading])
2. Computer is so old it can't be upgraded so a new one has to be bought.
a. time constraints (again few years)
b. cost of buying a new computer
3. Legacy software possibly inhouse only running on XP that can't be isolated. Replacing it would probably cost money, time, and specialized people. This is one reason why where I work replaced a lot of inhouse software with commercial software since then the cost of making the software work on new operating systems is spread among more consumers.
Where I work which is far smaller than the NHS though big locally has been going through a massive several year project to make sure things are more secure and that it will be easier to respond to new threats. Its been painful for some, but, it is working (so far).
Posted by Amanda B. Reckondwythe (# 5521) on
:
quote:
Originally posted by mr cheesy:
It sounds like one needs a backup which is physically disconnected from the desktops and the internet to avoid spreading the malware. I wonder how many now have backups like that.
The standard practice is to backup on removable media and store it offsite -- usually several days' worth of backups.
Posted by no prophet's flag is set so... (# 15560) on
:
The blame for this worldwide attack is directed most appropriately at the American spy agency, NSA, and Microsoft. NSA for developing the virus tools to do this deed. Microsoft for creating abandon-wear operating operating systems. Thankfully most large servers are running Linux.
Apple isn't reasonable solution for most users worldwide. Far too expensive. It also issues updates which deliberately wreck other-OS compatibility including simply connecting to servers and Apple devices to other OSes. For unsophisticated users Google Chrome and Android are much cheaper than Appley things.
Posted by Alan Cresswell (# 31) on
:
quote:
Originally posted by Holy Smoke:
I think the problem is that I disagree with you.
Strange, I thought the problem was that you were being an ignorant prick.
Posted by chris stiles (# 12641) on
:
quote:
Originally posted by no prophet's flag is set so...:
The blame for this worldwide attack is directed most appropriately at the American spy agency, NSA, and Microsoft. NSA for developing the virus tools to do this deed. Microsoft for creating abandon-wear operating operating systems. Thankfully most large servers are running Linux.
The problem is even in a world where all the affected organisations were running Linux on the desktop the same situation could have arisen due to the reasons Karl describes around migrations and upgrading.
Posted by no prophet's flag is set so... (# 15560) on
:
quote:
Originally posted by chris stiles:
quote:
Originally posted by no prophet's flag is set so...:
The blame for this worldwide attack is directed most appropriately at the American spy agency, NSA, and Microsoft. NSA for developing the virus tools to do this deed. Microsoft for creating abandon-wear operating operating systems. Thankfully most large servers are running Linux.
The problem is even in a world where all the affected organisations were running Linux on the desktop the same situation could have arisen due to the reasons Karl describes around migrations and upgrading.
Probably not. To install any package, an end user has to specifically become an admin user. A virus package would require at minimum a password to be given. The user would this deliberately make the package executable. Better still is requiring a full login as admin. Very explicit authorisation required for execution of a prog or installation.
Windows is too loose with this, unless deployed at business levels where end user doen't know the admin passwords. I have less experience with Windows but in gov't office I had to request permission to even get permission to open emailed documents which we unauthorised default. Which seems to indicate Microsoft could deploy decent minimal security by default.
Posted by Adeodatus (# 4992) on
:
Two quick points from me.
First, in 2010, Tory Health Secretary cancelled a contract between the NHS and Microsoft that, among other things, allowed easy bulk ordering of MS products and services. At the time he said it was something about free market yadda yadda Tory gobshite yadda yadda. The immediate effect was that some NHS IT costs almost doubled overnight. The longer term effect was that each Trust within the NHS then had to look after the maintenance and upgrading of its own systems, at hugely inflated cost.
Secondly, in 2015, Jeremy *unt scrapped the NHS's security contract with MS, because austerity yadda yadda within our means Tory gobshite 2 yadda yadda. The result of that was that NHS MS systems have been essentially defenceless - apart from whatever measures individual Trusts have put in place on a piecemeal basis - ever since.
Am I angry this has happened? Yes. Am I surprised? Given the two utter arsewipes who've held the post of Health Secretary since 2010, definitely not.
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by no prophet's flag is set so...:
The blame for this worldwide attack is directed most appropriately at the American spy agency, NSA, and Microsoft.
NSA for developing the virus tools to do this deed.
Allegedly. Given that vulnerabilities have been, and will continue to be, discovered and exploited without their help; meh.
quote:
Microsoft for creating abandon-wear operating operating systems.
Apple are the kings of abandon ware. They are the ones who gave a big 🖕🏼 to their old OS users. Microsoft has plenty of issues, but just how long are they supposed to support the old stuff? No one expects this from anyone else.
quote:
Thankfully most large servers are running Linux.
Given most merely means more than half, this is a possibility, but numbers are harder to track than often claimed. Two things to this, however:
One - Linux might be a bit more secure, but much of that is security through obscurity, just like Apple.
Two - Targets are more often the end-user, rather than the servers they connect to, so this will be Windows regardless.
Three (Three things) is that if Linux were more commonly distributed in desktop systems, it would share the old version issues just the same.
Like what you like, use what you wish. Just do it with less ignorance and many of these problems will be less widespread.
Posted by chris stiles (# 12641) on
:
quote:
Originally posted by no prophet's flag is set so...:
Probably not. To install any package, an end user has to specifically become an admin user. A virus package would require at minimum a password to be given. The user would this deliberately make the package executable. Better still is requiring a full login as admin. Very explicit authorisation required for execution of a prog or installation.
On a single user (desktop) system - all an analogous virus requires is the ability to place the an executable somewhere where a process running by the user could execute it, and access to the users data - as that's all that matters.
Besides - I bet if you go back to Debian 3.0 or RHEL 7.1 (similarly old) there'd be plenty of remote holes that could be exploited, even before you layered a similarly rich desktop system. The problem is with the difficulty and the cost of upgrading, software quality is secondary (in this case)
Posted by Ricardus (# 8757) on
:
[Total tangent]
quote:
Originally posted by lilBuddha:
🖕🏼
I have learnt a new thing about UBB today!
Posted by Ricardus (# 8757) on
:
OK, I've Googled a bit (so now I know everything) and I'm going to risk universal opprobrium by admitting Holy Smoke might have a point.
The fact that Microsoft would end support for XP in 2014 was known seven years in advance, and government departments were supposed to put in place migration plans for when this happened. What expired in 2015 was a one-off extra year's support that the Cabinet Office bought for all government systems, not just the NHS. Source.
If, in those eight years, a particular NHS Trust judged it more cost-effective to buy extended support for XP rather than migrate, there was nothing to stop them from doing so. What seems to have happened is that a number of Trusts have neither migrated nor arranged for extended XP support. Source.
Some posters are saying that the problem is that the Conservatives have underfunded the NHS. This is true* and reprehensible, but it only exculpates those Trusts' managers if the things on which they did spend their inadequate budgets bought better patient value than IT security (i.e., if they'd spent money on IT security, they'd have had to cut something even more vital elsewhere). I find this questionable. It doesn't look like this hack actually did that much damage but it had the potential to be a lot worse.
Having said that, the buck is supposed to stop with the Cabinet minister, and it is disgraceful that Mr Hunt is nowhere to be seen and Ms Rudd and Mr Fallon are busily shovelling the blame elsewhere.
* AIUI the problem isn't so much that they're withholding money from the NHS, but that they're making false economies elsewhere that nullify what they give to the NHS, as well as wasting billions on solutions in search of a problem such as GPs' consortia. But it comes to the same.
Posted by Ricardus (# 8757) on
:
To put the underfunding argument into perspective, the one-year XP support deal, for the entire public sector, cost £5.5m (source in the second link above). The NHS budget for 2015/6 was £116,400m (source).
Posted by Schroedinger's cat (# 64) on
:
I would completely accept that the situation could have been predicted something like this. And this should have been dealt with in some way.
The thing is, with cuts elsewhere, the vast cost of upgrading - not just on one Trust, because in some cases, it would require national changes - was not justified when it would mean taking money from patient care. And the Right wing would have had a field day if it had been revealed that the NHS was spending many millions of IT not on patients.
But the reason is the chronic lack of funding from central government. Users - including the IT departments - have had to manage as they can. That is the same as any business - the problem in this case is that government was not prepared to finance ongoing upgrades of IT equipment.
Holy Smoke should have a point. Inserted somewhere delicate.
Posted by Karl: Liberal Backslider (# 76) on
:
quote:
Originally posted by Ricardus:
To put the underfunding argument into perspective, the one-year XP support deal, for the entire public sector, cost £5.5m (source in the second link above). The NHS budget for 2015/6 was £116,400m (source).
116 billion.
Posted by no prophet's flag is set so... (# 15560) on
:
[tangent]
quote:
Originally posted by chris stiles:
quote:
Originally posted by no prophet's flag is set so...:
Probably not. To install any package, an end user has to specifically become an admin user. A virus package would require at minimum a password to be given. The user would this deliberately make the package executable. Better still is requiring a full login as admin. Very explicit authorisation required for execution of a prog or installation.
On a single user (desktop) system - all an analogous virus requires is the ability to place the an executable somewhere where a process running by the user could execute it, and access to the users data - as that's all that matters.
Besides - I bet if you go back to Debian 3.0 or RHEL 7.1 (similarly old) there'd be plenty of remote holes that could be exploited, even before you layered a similarly rich desktop system. The problem is with the difficulty and the cost of upgrading, software quality is secondary (in this case)
I realize that we're pursuing a bit of a tangent, but since you posted this, consider that they might be able to engineer it if Linux used only one or 2 formats for partitions. Plus, we're talking multiple distros. I suppose someone could write something that went after fairly standard partitions in some Ubuntu version or other (one of the more commonly used today). It's pretty difficult to write malicious code expecting that it will affect all Linux computers without knowing what partitions the user may have chosen. And that's just in standard installs.
[/tangent]
Back to expiry dates with Microsoft versions, such as XP. I don't know, I had a 6 volt system in a 1963 Bug (VW Beetle) which changed to 12 volt in all of them I think in 1966, and they also changed some of the engine, light hooding and other body parts, and later bumpers. But I still could get working parts for it, made by others, not part of VW right up until I sold it 6 years ago (another story, a sad one for me, I had it since 1975).
But Microsoft doesn't allow tinkering with the code, it isn't released and we can't legally patch XP or other versions ourselves. Which is ridiculous. It doesn't matter that they announced that they declared it obsolete if people are still productively using it. They should either support it or let others support it. But they don't.
(I actually have a Windows XP running in a VirtualBox I can use an old Garmin GPS for topographic maps for wilderness travel, but it doesn't have an internet connection._Yes, and it is legal because it is on the box the XP came with.
[ 15. May 2017, 03:34: Message edited by: no prophet's flag is set so... ]
Posted by Ricardus (# 8757) on
:
quote:
Originally posted by Karl: Liberal Backslider:
quote:
Originally posted by Ricardus:
To put the underfunding argument into perspective, the one-year XP support deal, for the entire public sector, cost £5.5m (source in the second link above). The NHS budget for 2015/6 was £116,400m (source).
116 billion.
I was trying to avoid this phenomenon.
Posted by Alan Cresswell (# 31) on
:
We have a variety of computers running obsolete OS. We even have two running MS-DOS on 486 processors. We think about updating them every couple of years (usually when we struggle to find a replacement power supply for a 25 year old computer, or buy a supply of floppy disks). But, that would require a) new computers, b) new interface cards, c) re-write the software that runs the devices (including porting into a new development environment) and d) extensive testing to verify that the system operates in exactly the same way as before and our procedures still satisfy our QC requirements. Basically, that would be a year of work and considerably more expense than just the new hardware. Sometimes it's simply not possible to replace an older system running an "obsolete" OS.
Posted by Baptist Trainfan (# 15128) on
:
NHS Wales managed to upgrade and standardise its systems and so avoided the attack. Today it is blocking emails from the English NHS as a precaution, which should prove "interesting".
Posted by Alan Cresswell (# 31) on
:
Though, as the number of systems affected must be much smaller than the number of vulnerable systems in the world the fact that NHS Wales escaped may be down to luck - if they're blocking emails from affected sources it does suggest that someone thinks there are still parts of their system that are not secure.
Posted by Baptist Trainfan (# 15128) on
:
Indeed - but I suppose there only needs to be one weak point for it to get stuffed.
Probably the cyber-attackers are frightened of Dragons and Leeks (or aren't willing to deduct the Severn Bridge Toll out of their ransom).
Posted by Jane R (# 331) on
:
However robust your system may be, if it has to talk to other systems it is always going to be vulnerable to some attacks. It's like a castle with a gate in the wall; however strong the wall may be, all it takes is for some idiot to open the gate. NHS Wales are taking sensible precautions against idiots opening the gate.
Posted by Karl: Liberal Backslider (# 76) on
:
quote:
Originally posted by Ricardus:
quote:
Originally posted by Karl: Liberal Backslider:
quote:
Originally posted by Ricardus:
To put the underfunding argument into perspective, the one-year XP support deal, for the entire public sector, cost £5.5m (source in the second link above). The NHS budget for 2015/6 was £116,400m (source).
116 billion.
I was trying to avoid this phenomenon.
Yeah, and I didn't read properly. Knackered. Been working 7 days straight.
Posted by chris stiles (# 12641) on
:
quote:
Originally posted by no prophet's flag is set so...:
I realize that we're pursuing a bit of a tangent, but since you posted this, consider that they might be able to engineer it if Linux used only one or 2 formats for partitions. Plus, we're talking multiple distros. I suppose someone could write something that went after fairly standard partitions in some Ubuntu version or other (one of the more commonly used today). It's pretty difficult to write malicious code expecting that it will affect all Linux computers without knowing what partitions the user may have chosen. [/tangent]
I understand this is a tangent so not going to spend much time here, but you don't need knowledge of partitions to get this to work, just have something that iterates recursively down a users home directory encrypting each file it finds block by block - there'll be cases where the filesystem re-allocates the new content to new blocks but in practice you'll make enough of a mess that they'll still need to decrypt to recover.
And most commercial environments would still be monocultures.
[ 15. May 2017, 10:28: Message edited by: chris stiles ]
Posted by chris stiles (# 12641) on
:
quote:
Originally posted by Ricardus:
Some posters are saying that the problem is that the Conservatives have underfunded the NHS. This is true* and reprehensible, but it only exculpates those Trusts' managers if the things on which they did spend their inadequate budgets bought better patient value than IT security (i.e., if they'd spent money on IT security, they'd have had to cut something even more vital elsewhere). I find this questionable. It doesn't look like this hack actually did that much damage but it had the potential to be a lot worse.
Which assumes that they were capable of measuring and accounting for all of their risks perfectly - in which case they could still get unlucky when a lower probability risk blows up.
The other issue is that due to outsourcing a number of the trusts have been hollowed out to the point where they don't retain the expertise to necessarily being able to measure the risks properly.
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by Alan Cresswell:
We have a variety of computers running obsolete OS. We even have two running MS-DOS on 486 processors. We think about updating them every couple of years (usually when we struggle to find a replacement power supply for a 25 year old computer, or buy a supply of floppy disks). But, that would require a) new computers, b) new interface cards, c) re-write the software that runs the devices (including porting into a new development environment) and d) extensive testing to verify that the system operates in exactly the same way as before and our procedures still satisfy our QC requirements. Basically, that would be a year of work and considerably more expense than just the new hardware. Sometimes it's simply not possible to replace an older system running an "obsolete" OS.
There will come a time when you cannot tape, glue and patch together what you have and it will cost even more to change.
[ 15. May 2017, 17:34: Message edited by: lilBuddha ]
Posted by no prophet's flag is set so... (# 15560) on
:
quote:
Originally posted by lilBuddha:
There will come a time when you cannot tape, glue and patch together what you have and it will cost even more to change.
Depends on the task. A RaspberryPi™ or Arduino™ can be had for very cheap (as little as $5) depending on what you need, and they do a fine job of simple repetitive tasks, e.g., making sure incremental backups occur.
Posted by Leorning Cniht (# 17564) on
:
quote:
Originally posted by lilBuddha:
There will come a time when you cannot tape, glue and patch together what you have and it will cost even more to change.
Probably true, but not helpful. Because what is true is that Alan doesn't have enough money to replace all of his obsolete crap. Sure - some of his obsolete crap will fail in the next few years, but you don't know which bits it will be, and he can't afford to replace everything.
So you wait, and fix, and patch, and eat the downtime when the thing finally implodes.
(It just so happens that I've heard the line "we no longer have the ability to build that code, so here's what we're doing instead" more than once in the last few weeks.)
Obsolete products, made by companies who ceased to exist two or three acquisition cycles ago. And so on.
There's a couple of big, budget-breaking, obsolete systems that I rely on that are going to need to be replaced in the next decade. Figuring out how to pay for it is interesting...
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by no prophet's flag is set so...:
quote:
Originally posted by lilBuddha:
There will come a time when you cannot tape, glue and patch together what you have and it will cost even more to change.
Depends on the task. A RaspberryPi™ or Arduino™ can be had for very cheap (as little as $5) depending on what you need, and they do a fine job of simple repetitive tasks, e.g., making sure incremental backups occur.
What many gov't agencies and large companies face is legacy software that cannot be migrated to newer or different systems. The cost and problems of replacing that software far exceeds the hardware issues. This is what Alan was referring to.
Posted by no prophet's flag is set so... (# 15560) on
:
This blog updates fairly regularly of progress with this virus. The entry "wannacry new variants detected" is from 14 May.
Posted by lilBuddha (# 14333) on
:
quote:
Originally posted by Leorning Cniht:
Probably true, but not helpful. Because what is true is that Alan doesn't have enough money to replace all of his obsolete crap. Sure - some of his obsolete crap will fail in the next few years, but you don't know which bits it will be, and he can't afford to replace everything.
I'm not denying this or blaming Alan.
But it is true that the crises of today are generated by policies in the past.* The whys and wherefores could be a Hell thread in themselves.
*Unfortunately, these are still in place in the present in too many places.
Posted by Wesley J (# 6075) on
:
According to the blog linked above and other news sources, such as the WaPo, it woz the North Koreans who dunnit.
© Ship of Fools 2016
UBB.classicTM
6.5.0