NHS cyberattack


KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: NHS cyberattack

Postby KnightExemplar » Sat May 13, 2017 6:14 pm UTC

elasto wrote:For critical patches, MS should release changes in such a way that they are not reverse-engineerable.




Uhhh... Microsoft releases code that fixes the problem. That's what a patch is. How do you fix the problem without changing any code? ALL code is reverse engineerable, because it runs on a computer. That is: a computer will always be able to run the code and therefore all code does the same thing on all computers.

EDIT: Security researchers (and virus writers) can go down to in-circuit emulation to understand any code that is released if they have to. Any public patch announcement is itself the information needed to create a virus for unpatched computers.

That's why we have IT teams whose entire job is to watch for critical releases and apply patches across an organization's computers. That's their fucking job.

for example by bundling them in with patches that makes changes to vast numbers of files.


That makes no sense. Are you saying that Microsoft should change the code across its entire OS each time a critical bug occurs? Or at least, change a thousand unrelated files just to throw off hackers?

We're talking code here. Every change you make to the OS might accidentally break something else. If you do something that obviously won't break anything (ie: NOP commands across a billion files), I can write a program in 5 minutes that looks for the part that isn't an obvious "nop" command to distract me.

Hackers are programmers too. Anything that's "regular" and "automated" can be automatically reversed. There's a lot of packer vs unpacker theory, but for the most part... the "packers" have always failed. Granted, I'm talking about video game anti-piracy protections right now... but you're basically arguing for the same thing here. The pirates have always overcome anti-piracy protections because code is code... and you can always understand code if you put enough effort into it.
Last edited by KnightExemplar on Sat May 13, 2017 6:37 pm UTC, edited 4 times in total.
First Strike +1/+1 and Indestructible.

HES
Posts: 4796
Joined: Fri May 10, 2013 7:13 pm UTC
Location: England

Re: NHS cyberattack

Postby HES » Sat May 13, 2017 6:25 pm UTC

elasto wrote:There's plenty of blame to spread around here guys, including the Tory government for starving the NHS of funds.

Mostly this.
He/Him/His

morriswalters
Posts: 6949
Joined: Thu Jun 03, 2010 12:21 am UTC

Re: NHS cyberattack

Postby morriswalters » Sun May 14, 2017 12:24 am UTC

@ KnightExemplar

What I'm reading you saying is that there is no fix. Patching is fixing the barn door after the horse went on vacation. If you can't fix that then they should rethink how things are done. This is a human problem. There will never be enough money to keep everything updated. And IT people don't control budgets.

I would point out that in the world we are great about the next new thing, but we never put enough resources into what already exists. Which is why the NHS still has computers running XP.

Dauric
Posts: 3758
Joined: Wed Aug 05, 2009 6:58 pm UTC
Location: In midair, traversing laterally over a container of sharks. No water, just sharks, with lasers.

Re: NHS cyberattack

Postby Dauric » Sun May 14, 2017 12:38 am UTC

HES wrote:
elasto wrote:There's plenty of blame to spread around here guys, including the Tory government for starving the NHS of funds.

Mostly this.

This, but I think the rabbit hole goes deeper than any one political party or company leadership.

IT tends to get lumped in to a category of "Non-core" business expenses. You work at a bank, the bank's core business products are money handling and investment. You work at a hospital, the hospital's core business competencies are healthcare, drugs, surgery, etc. IT, Facilities, Janitorial services, all are "non-core expenses", which is to say that lots of spending there doesn't directly drive the business bottom line, but it needs to be spent in order to "keep the lights on".

The problem is that the company higher-ups who advanced through the companies' core competency track don't really understand their non-core expenses, and often discount them as being .. not completely unimportant, but certainly "less important" than the core expenses. This weighting tends to mean that budget cuts hit non-core expenses first. To wit: I don't think I've ever been in an office that didn't have chairs of questionable stability or comfort (or even safety...) tucked around the office. Buying and disposing of chairs for their employees is something the company does because it has to, not because it's something with a significant impact on the bottom line (compared to core expenses).

Grand upshot is that any attempts by IT to update or modernize software run in to hurdles from the people who have to approve the expenses. "Your current chair works just fine, why do we need to get you a brand new chair with a hundred different levers." The people with the purse strings don't have the education about ergonomics, or HVAC, or IT to understand the importance of these expenses, and a half-hour meeting with that as one of many competing topics isn't really enough to impart the knowledge for them to understand the importance, at least to the degree to overcome their existing biases about the importance of core expenses.

Where I work it was discovered that a keylogger was inserted in to an audio driver on the computers that are used in our company. When my supervisor was informing -his- supervisor, she did not have an understanding of what a keylogger was, and even when what they do was briefly described she didn't seem to understand the implications of a keylogger running while you enter a username and a password.

It's not until someone gets significantly hurt in one of those chairs, or half the building gets ill because of bacteria breeding in the air ducts... or the entire company's computer systems are compromised in a highly dramatic way, that they understand the severity of not investing in their business infrastructure, but by that time the lack of investment means the fix is vastly more expensive than had they just kept up with the maintenance in the first place. However you can't convince them of the importance of maintenance without the corresponding disaster to show -why- you keep up with maintenance, and "Yes this disaster can happen here too".
We're in the traffic-chopper over the XKCD boards where there's been a thread-derailment. A Liquified Godwin spill has evacuated threads in a forty-post radius of the accident, Lolcats and TVTropes have broken free of their containers. It is believed that the Point has perished.

KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: NHS cyberattack

Postby KnightExemplar » Sun May 14, 2017 1:35 am UTC

morriswalters wrote:@ KnightExemplar

What I'm reading you saying is that there is no fix. Patching is fixing the barn door after the horse went on vacation. If you can't fix that then they should rethink how things are done. This is a human problem. There will never be enough money to keep everything updated. And IT people don't control budgets.


On the contrary. The fix is simple and easy. Put the old machines behind a firewall.

Why they kept a 15 Million pound machine with no security updates for ~10 years running Windows XP hooked up to the internet without any protection is just holy WTF levels of gross incompetence. A Cisco ASA costs $5000, while $200 routers offer firewall capabilities that could have thwarted this attack.

---------

Alternatively: they could have run Windows XP VMs inside of a NAT, which costs $0. I mean, I don't know what kind of network they have, so maybe there are technical reasons they couldn't have done this particular solution. But there are lots of ways to secure systems that are unpatched.

If things were grossly complicated for some reason, they'd maybe have to do something fancy like a private VLAN running the network of Windows XP machines separated from the main network in some fashion. There's a lot of ways to run a network and prevent attacks from propagating, even if the individual machines were unpatched.

----------------------

Or you know, have a decent upgrade process and patch the systems. It takes effort to circumvent Microsoft's mandatory "Patch Tuesdays". Someone had to go in and program all of the Windows Servers to turn off updates for this disaster to happen.

Patching is fixing the barn door after the horse went on vacation.


Wrong. I guarantee you that a new virus will come out within the next 6-months that will continue to attack MS17-010. The cat is out of the bag: hackers will continue to attack every unpatched machine for the next years. There will be more attacks, and there will be more people who still fail to patch their systems (or otherwise secure it through Firewalls or whatever)

WannaCry is dead, but the WannaCry copycats will begin to flow immediately. The MS17-010 patch permanently fixes your computer to prevent all attacks of this type. It's the easiest and most obvious way to defend yourself.

It'd be one thing if this attack were really a Zero-day attack. But it isn't. This level of attack is relatively typical. Again: attackers have known about this vulnerability for at least two months (the day when Microsoft first published the patch).

Dauric wrote:
HES wrote:
elasto wrote:There's plenty of blame to spread around here guys, including the Tory government for starving the NHS of funds.

Mostly this.

This, but I think the rabbit hole goes deeper than any one political party or company leadership.

IT tends to get lumped in to a category of "Non-core" business expenses. You work at a bank, the bank's core business products are money handling and investment. You work at a hospital, the hospital's core business competencies are healthcare, drugs, surgery, etc. IT, Facilities, Janitorial services, all are "non-core expenses", which is to say that lots of spending there doesn't directly drive the business bottom line, but it needs to be spent in order to "keep the lights on".

The problem is that the company higher-ups who advanced through the companies' core competency track don't really understand their non-core expenses, and often discount them as being .. not completely unimportant, but certainly "less important" than the core expenses. This weighting tends to mean that budget cuts hit non-core expenses first. To wit: I don't think I've ever been in an office that didn't have chairs of questionable stability or comfort (or even safety...) tucked around the office. Buying and disposing of chairs for their employees is something the company does because it has to, not because it's something with a significant impact on the bottom line (compared to core expenses).

Grand upshot is that any attempts by IT to update or modernize software run in to hurdles from the people who have to approve the expenses. "Your current chair works just fine, why do we need to get you a brand new chair with a hundred different levers." The people with the purse strings don't have the education about ergonomics, or HVAC, or IT to understand the importance of these expenses, and a half-hour meeting with that as one of many competing topics isn't really enough to impart the knowledge for them to understand the importance, at least to the degree to overcome their existing biases about the importance of core expenses.

Where I work it was discovered that a keylogger was inserted in to an audio driver on the computers that are used in our company. When my supervisor was informing -his- supervisor, she did not have an understanding of what a keylogger was, and even when what they do was briefly described she didn't seem to understand the implications of a keylogger running while you enter a username and a password.

It's not until someone gets significantly hurt in one of those chairs, or half the building gets ill because of bacteria breeding in the air ducts... or the entire company's computer systems are compromised in a highly dramatic way, that they understand the severity of not investing in their business infrastructure, but by that time the lack of investment means the fix is vastly more expensive than had they just kept up with the maintenance in the first place. However you can't convince them of the importance of maintenance without the corresponding disaster to show -why- you keep up with maintenance, and "Yes this disaster can happen here too".


This.

IT Systems need to sit in more boardrooms. At the moment, IT Teams are often hamstrung by the organizations they serve. People think that IT Teams can just "solve that computer problem", but that's not how it works. IT Teams need to have a say in the organizational structure of a business / agency.

NHS probably has the people who know how to solve this problem. But they lost the internal organizational politics game and were probably delegated to the side. It was more important for doctors to be running Windows XP and ancient software than IT Teams to have access to patches. So that organization has to live with those consequences...
First Strike +1/+1 and Indestructible.
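
As an added illustration of the "put the old machines behind a firewall" point in the post above (not code from the thread or from any poster): a Python check that works out exactly which source networks a first-match rule list lets reach unpatched hosts on the SMB ports that MS17-010 concerns. The addresses, both rule sets, the allowlist and the implicit final deny are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# MS17-010 patches the Windows SMBv1 server. SMB is reached on TCP 445
# (and 139 over NetBIOS), so these are the ports to keep away from legacy hosts.
SMB_PORTS = (139, 445)


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR
    lo: int      # lowest TCP destination port matched
    hi: int      # highest TCP destination port matched


def permitted_sources(rules, host, port):
    """Exact list of source networks a first-match ACL lets reach host:port."""
    host = ipaddress.ip_address(host)
    undecided = [ipaddress.ip_network("0.0.0.0/0")]  # sources no rule has matched yet
    permitted = []
    for rule in rules:
        if host not in ipaddress.ip_network(rule.dst) or not rule.lo <= port <= rule.hi:
            continue
        src = ipaddress.ip_network(rule.src)
        remaining = []
        for net in undecided:
            if net.subnet_of(src):        # the whole block is decided by this rule
                matched = [net]
            elif src.subnet_of(net):      # the rule carves a piece out of the block
                matched = [src]
                remaining.extend(net.address_exclude(src))
            else:                         # CIDR blocks either nest or are disjoint
                matched = []
                remaining.append(net)
            if rule.action == "permit":
                permitted.extend(matched)
        undecided = remaining
    # Assumption: anything still undecided falls through to an implicit deny.
    return permitted


def can_reach(rules, src, host, port):
    """True if the single address src is allowed to connect to host:port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in permitted_sources(rules, host, port))


def audit(rules, legacy_hosts, allowed):
    """(host, port, source network) triples that expose SMB beyond the allowlist."""
    allowed = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for host in legacy_hosts:
        for port in SMB_PORTS:
            for net in permitted_sources(rules, host, port):
                if not any(net.subnet_of(a) for a in allowed):
                    findings.append((host, port, str(net)))
    return findings


# Constructed sample data: two unpatched XP workstations and the single
# management host that is supposed to open SMB sessions to them.
LEGACY_HOSTS = ["10.20.30.11", "10.20.30.12"]
ALLOWED = ["10.20.40.5/32"]

# Constructed "flat network" rule set: guest Wi-Fi is blocked, but every other
# internal address can reach the legacy segment on every port.
FLAT_NETWORK = [
    Rule("deny", "10.50.0.0/16", "10.20.30.0/24", 1, 65535),
    Rule("permit", "10.0.0.0/8", "10.20.30.0/24", 1, 65535),
]

# Constructed segmented rule set: one permitted SMB source, everything else denied.
SEGMENTED = [
    Rule("permit", "10.20.40.5/32", "10.20.30.0/24", 445, 445),
    Rule("deny", "0.0.0.0/0", "10.20.30.0/24", 1, 65535),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        findings = audit(rules, LEGACY_HOSTS, ALLOWED)
        print(f"{name}: {len(findings)} SMB exposure finding(s)")
        for host, port, net in findings[:4]:
            print(f"  {net} -> {host}:{port}")
```

Because the source space is split rule by rule, a broad permit placed after a narrow deny is reported as the exact remaining ranges instead of being missed by spot checks of a few addresses.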

Thesh
Made to Fuck Dinosaurs
Posts: 5530
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: Colorado

Re: NHS cyberattack

Postby Thesh » Sun May 14, 2017 2:11 am UTC

elasto wrote:
Thesh wrote:I'm scared shitless about the direction of technology as everything becomes more and more connected to the internet, and we seem to be on a race to the bottom in terms of quality as everyone rushes to get their own app on the market.

What is just as bad is that apps can't get to the market fast enough, with the NHS forced to use a 16yo O/S because they have apps that can only run on it.


In this case, the problem was the Windows XP itself. It should have been written in a programming language that protects you from common errors like memory leaks and uninitialized variables and built with a formally verified library and compiler. There should have been strong development, testing and vulnerability and auditing standards, with formally verified static analysis tools to detect and warn/fail on common vulnerabilities or deviation from coding standards.

Every single operating system Microsoft made should have been designed with strongly defined User roles, limiting access to only what is necessary for your usage (preferably with a sudo-like command). Applications should be strictly sandboxed, with privileges restricted to only what is absolutely necessary. There are so many things that can be done to reduce the severity and frequency of vulnerabilities in code.

Instead of retiring XP, they simply should have kept developing it as long as people were willing to pay what it costs to maintain it.
Honesty replaced by greed, they gave us the reason to fight and bleed
They try to torch our faith and hope, spit at our presence and detest our goals

Dauric
Posts: 3758
Joined: Wed Aug 05, 2009 6:58 pm UTC
Location: In midair, traversing laterally over a container of sharks. No water, just sharks, with lasers.

Re: NHS cyberattack

Postby Dauric » Sun May 14, 2017 2:20 am UTC

KnightExemplar wrote:IT Systems need to sit in more boardrooms. At the moment, IT Teams are often hamstrung by the organizations they serve. People think that IT Teams can just "solve that computer problem", but that's not how it works. IT Teams need to have a say in the organizational structure of a business / agency.

NHS probably has the people who know how to solve this problem. But they lost the internal organizational politics game and were probably delegated to the side. It was more important for doctors to be running Windows XP and ancient software than IT Teams to have access to patches. So that organization has to live with those consequences...


I wouldn't expect much positive movement in this direction. Organizations hiring outside contracting firms to provide their IT services seems to be the increasing normal. The contractee gets to tell the contractor what they want and "do what I want or we'll find a different contractor", which undercuts any authority the contracting company has to do the jobs they're asked to do. And even then you have those IT service contract companies increasingly hiring "independent contractors" as workers without converting them from contracting to direct-hire, and not paying terribly high wages or not giving raises and/or cost of living increases. For those who stay in any one contract it's demoralizing and leads to a lack of care for their work, those who burn-out and leave are constantly rebooting their careers trying to find a suitable employer, or find work in a different field.

Grand upshot is a top-level company that has no internal IT expertise, a mid-tier company driven to please the top level company rather than address actual issues, and a workforce that doesn't have a reason to give a damn about the quality of their work.
We're in the traffic-chopper over the XKCD boards where there's been a thread-derailment. A Liquified Godwin spill has evacuated threads in a forty-post radius of the accident, Lolcats and TVTropes have broken free of their containers. It is believed that the Point has perished.

morriswalters
Posts: 6949
Joined: Thu Jun 03, 2010 12:21 am UTC

Re: NHS cyberattack

Postby morriswalters » Sun May 14, 2017 3:00 am UTC

KnightExemplar wrote:Wrong. I guarantee you that a new virus will come out within the next 6-months that will continue to attack MS17-010. The cat is out of the bag: hackers will continue to attack every unpatched machine for the next years. There will be more attacks, and there will be more people who still fail to patch their systems (or otherwise secure it through Firewalls or whatever)
Which is my point. You assume competence. I don't. I assume the opposite. Microsoft does as well or they wouldn't have made Win 10 almost impossible not to update. Here is the question I asked myself.

How many people, professionals in the field, have a comprehensive knowledge of every vulnerability? One future use of IBM's various intelligent systems deals with the human inability to put all the pieces together for cancer treatments. There aren't enough hours in the day for a doctor to know every treatment against every human biological variation. They can't hold all the accumulated knowledge in the forefront at all times. The IBM systems in theory can. As an example if you had complete profiles of all treatments ever done, in theory these knowledge systems should be able to see patterns that a doctor can't. My original comment was that why can't these knowledge systems be used in this war. Maybe it really isn't applicable, I'm just thinking in print.

ucim
Posts: 5640
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: NHS cyberattack

Postby ucim » Sun May 14, 2017 4:05 am UTC

morriswalters wrote: My original comment was that why can't these knowledge systems be used in this war.
Because they are, at their heart, computer programs. They will be targeted for viruses, and will get them.

Who you gonna call?

Jose
Order of the Sillies, Honoris Causam - bestowed by charlie_grumbles on NP 859 * OTTscar winner: Wordsmith - bestowed by yappobiscuts and the OTT on NP 1832 * Ecclesiastical Calendar of the Order of the Holy Contradiction * Please help addams if you can. She needs all of us.

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 2544
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: NHS cyberattack

Postby Soupspoon » Sun May 14, 2017 8:23 am UTC

NB: Started this last night, got rather involved, stopped editing it, decided to sleep on it (hence the impression of an ear, half-way down) and this morning... Well, it's either pretend I didn't write anything or post as much as I wrote, with all due apologies for the rambling nature. Guess which I did..?

KnightExemplar wrote:NHS was running Windows XP, a system that hasn't received any updates since 2014. This is an utter failure of their organization to smoothly transition to a safer OS (like Windows Vista, Windows 7, Windows 8, Windows 8.1, or Windows 10... all of which received this patch 2 months ago). This is the risk you take when you work with obsolete OSes that no longer receive updates.

Dependencies: both real (in various senses of the term) and regulatory. At the most annoying end, if you operate with clinical data, there are all kinds of hoops that you are forced to go through that means that you cannot (indeed should not) just "update Java/LotusNotes/Windows/etc because a patch has come out", because if that patch is faulty (far from unknown) and suddenly breaks (or, worse, bends) something vital then suddenly half of the people are sending documents of the slightly updated version which don't play well with the other half, or the web applet you heretofore used to administer patient details now crashes because it suddenly doesn't have authority to change a remote document, or various other degrees of pain that arise when Big Software decides that suddenly nobody needs a feature, or add another one, or revise it just a little bit, but that's a little bit too much for some other program to handle.

That can be resolved by going through a Change Control trial, usually, looking for any problems a test system (or a whole group of trial users, running live or simulated data) brings up, identifying the cause, mitigating, retesting, loop until signoffable (then pray, as you roll out everywhere, that you aren't going to find too many of the inevitable untested-for problems). In my experience in a large company (but not so as in-depth sprawling as the NHS, even if it was global in presence), two months is not sufficient to properly analyse major changes and poke them out to everyone. Even though, via tools like ZENWorks we could, once committed to a change, rack up that change one evening and by the next morning (give or take a timezone) have in front of us a report on how we sorted 90% of the machines worldwide and (as a bonus) a list of recalcitrant hardware that needs local IT support to follow through (and/or roll-back and work out where we still went wrong). Apparently simple patches tended to get a more rapid nod, but there was still often collateral fallout in unforeseen exceptions to the prior "shucks, it'll be ok" assessment.


And that's with relatively up-to-date systems. In practice, we ran our (sensitive) systems one full version of the OS behind the latest. Win 95 only started to phase in, to replace Win 3.11, when '98 was imminent (but it was also a lot looser and unhomogeneous, so the entire 9x family phased in both as early adoption and barely in time for the post-9x times). 2K became de facto standard not long before XP came to the public (and absorbed 9x and NT legacy workstations, obviously). XP got authorised for critical workstations as Vista arrived. Vista never got authorised, but Win7 took over from XP as Win8 was released. I assume (though I had left by then) that Win8 was a repeat of Vista, but they're now working on 10.

("Working on" as in generally the IT dept and (for rather dubious reasons, but hey, it helps test it!) executives and Exec PAs got first of the new upgrades, on a smattering of new machines that weren't doing the sensitive data-handling, directly at least, and this gives hands-on experience and also highlights problems with the (say) Timesheet application no longer working as it should due to having had a bug patched that had actually been (inadvertently) exploited to do something intentional and benign. This all contributes to the eventual roll-out task, fixes (and/or 'de-fixes') in place and the tech-support staff being well versed in all the strange new paradigms that are going to be encountered.)

This leads to the XP stumbling block. Not so much XP, but IE8. There's a tool which was designed to be used through IE, but that gateway software was written so long ago that it now 'breaks' under the later, actually more compliant versions of the browser. Practically, IE8 (or earlier!) must be used, and that forces XP to be used, but that's OK, because you don't want Vista and see no need for 7 (just yet). You could junk the tool (an expensive one, not yet fully amortised) and get a more modern solution - but that would worry the Finance department. Or it's possible you can mess with the system, perhaps get it working on Firefox or Chrome compatibility modes, implement a kludge in hardware, software or (with training) wetware to get around the problem - it'll mean a lot of paperwork, though, not counting possibly falling foul of Licensing issues. Best, then, to let the department concerned stick with XP, IE8 and AwkwardlyRetroWebInterface for the time-being. Global support for XP coming to an end?
There's still no sign of a replacement system (or revised and updated - assume the vendor is tardy, but has one by the dangly bits enough not to just find a better vendor's better system) and while even Payroll is languishing in the 'luxury' of whatever the latest OS is, the peons and grunts in various local incarnations of a vital core-business department are held back in the realms of XP (not an inherently bad place, it is a practical and work-friendly OS, without many of the unnecessary and obstructive bells and whistles of the later Windowses, and while it's no Win2K in raw honesty, the Teletubby aesthetics can be ignored (or the profile reverted) and one has to admit that some of the XP bells take the 'edge' off of 2K's unforgiving NT-like brutality) and right now the most agreeable and cheapest solution is to actually get premium XP legacy support on a pay-per-call basis and suck it up until the plate tectonics of computing have solved the entire problem by opening up a third way to avoid the problem (and the path suitably tested, authorised, financed and implemented).


And the above is for a company (let's say 20k employees) that can set its own global agenda for the most part. NHS England has 1.4 million employees in roles and locations and get-ups far more diverse, decentralised even from decentralised and sub-contracted divisions and client organisations/trusts/etc. The outfitting of a surgery or a hospital may well vary according to which branch of the organisation is holding the purse strings, the attraction of uniformity will be balanced by (often political, and by extension financial) restrictions that forces the make-do-and-mend of whatever hotch-potch of legacy equipment and software a particular locale happens to use. I know I'm where there are green screen monitors used by the 'arrivals' receptionist ('80s tech, if it's a day) because it is sufficient for the system they're connecting to, and I very much doubt they have the budget to move everyone on XP to whatever the latest authenticated environment is (with no free upgrade path, being behind the cut-off), never mind having to mess with printer drivers that don't exist and all the aforementioned...

...a point made, I think, even though I never even got to where I originally intended to go to.

KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: NHS cyberattack

Postby KnightExemplar » Sun May 14, 2017 7:16 pm UTC

Soupspoon wrote:
KnightExemplar wrote:NHS was running Windows XP, a system that hasn't received any updates since 2014. This is an utter failure of their organization to smoothly transition to a safer OS (like Windows Vista, Windows 7, Windows 8, Windows 8.1, or Windows 10... all of which received this patch 2 months ago). This is the risk you take when you work with obsolete OSes that no longer receive updates.

Dependencies: both real (in various senses of the term) and regulatory. At the most annoying end, if you operate with clinical data, there are all kinds of hoops that you are forced to go through that means that you cannot (indeed should not) just "update Java/LotusNotes/Windows/etc because a patch has come out", because if that patch is faulty (far from unknown) and suddenly breaks (or, worse, bends) something vital then suddenly half of the people are sending documents of the slightly updated version which don't play well with the other half, or the web applet you heretofore used to administer patient details now crashes because it suddenly doesn't have authority to change a remote document, or various other degrees of pain that arise when Big Software decides that suddenly nobody needs a feature, or add another one, or revise it just a little bit, but that's a little bit too much for some other program to handle.

That can be resolved by going through a Change Control trial, usually, looking for any problems a test system (or a whole group of trial users, running live or simulated data) brings up, identifying the cause, mitigating, retesting, loop until signoffable (then pray, as you roll out everywhere, that you aren't going to find too many of the inevitable untested-for problems). In my experience in a large company (but not so as in-depth sprawling as the NHS, even if it was global in presence), two months is not sufficient to properly analyse major changes and poke them out to everyone. Even though, via tools like ZENWorks we could, once committed to a change, rack up that change one evening and by the next morning (give or take a timezone) have in front of us a report on how we sorted 90% of the machines worldwide and (as a bonus) a list of recalcitrant hardware that needs local IT support to follow through (and/or roll-back and work out where we still went wrong). Apparently simple patches tended to get a more rapid nod, but there was still often collateral fallout in unforeseen exceptions to the prior "shucks, it'll be ok" assessment.


Yes, all your points are valid. Which is why WSUS exists.

When a "critical" update comes in, you know you should probably apply the patch immediately. If it causes issues, hit the "Remove Patch" button on your WSUS server to remove all the patches on the computers hooked up to your domain server.

See WSUS Documentation for details: https://technet.microsoft.com/en-us/lib ... 0434(WS.10).aspx

Yes, sometimes patches break things. So I can understand sitting on a patch for a few days or a week to test things out. But if you get a SECURITY CRITICAL update with REMOTE CODE EXECUTION and then decide to not update all your systems... well... what can I say really? Microsoft warned us all two months ago, provided us with the tools to select this update specifically (and ignore other updates that are arguably less necessary).

------------

Thesh wrote:
elasto wrote:
Thesh wrote:I'm scared shitless about the direction of technology as everything becomes more and more connected to the internet, and we seem to be on a race to the bottom in terms of quality as everyone rushes to get their own app on the market.

What is just as bad is that apps can't get to the market fast enough, with the NHS forced to use a 16yo O/S because they have apps that can only run on it.


In this case, the problem was the Windows XP itself. It should have been written in a programming language that protects you from common errors like memory leaks and uninitialized variables and built with a formally verified library and compiler. There should have been strong development, testing and vulnerability and auditing standards, with formally verified static analysis tools to detect and warn/fail on common vulnerabilities or deviation from coding standards.

Every single operating system Microsoft made should have been designed with strongly defined User roles, limiting access to only what is necessary for your usage (preferably with a sudo-like command). Applications should be strictly sandboxed, with privileges restricted to only what is absolutely necessary. There are so many things that can be done to reduce the severity and frequency of vulnerabilities in code.

Instead of retiring XP, they simply should have kept developing it as long as people were willing to pay what it costs to maintain it.


Windows XP was the last version of Windows that allows any program to have direct access to the hardware. Microsoft decided the security risks of such a design were horrible, so they cut the feature. Programs are no longer allowed to just... blast anything they want to the motherboard anymore.

Windows XP was innately flawed security wise. You can't fix the fact that programs are talking directly to the hardware. So... Microsoft created a new version of Windows (called Vista) which forces all programs to talk to Windows before it obtains permission to do things. However, this new security feature broke a lot of old code (ie: older software that interacts with hardware directly for legitimate purposes. IE: UARTs / Serial Ports / Parallel Port drivers).

To interact with the hardware, you have to rewrite your code to be a "device driver", and otherwise completely change the design of your programs. So instead, a lot of people stayed on the insecure Windows XP where things were simpler. If you want to talk to some hardware... just do so. No need to check for all those permissions / device driver things that Windows Vista (and above) force you to do.

Windows XP is a real stumbling block for a lot of people. Because the original code was so fundamentally broken, there's no hope of ever providing real security over that system.
First Strike +1/+1 and Indestructible.

Bane Harper
Posts: 30
Joined: Wed Feb 15, 2017 11:27 am UTC

Re: NHS cyberattack

Postby Bane Harper » Mon May 15, 2017 8:00 am UTC

Are the reports of multiple deaths true due to non accessibility of data?

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 2544
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: NHS cyberattack

Postby Soupspoon » Mon May 15, 2017 8:27 am UTC

I haven't heard of any attributable deaths (Jeremy Hunt is missing, presumed unmissed), and I had a look on several news sites, but it'll be too early to tell anyway what deaths are fall-out of this and which are just what you'd get normally among potentially seriously ill and injured people.

Paramedics will still paramedic whoever they attend (I assume the emergency and dispatch systems, at least, are hardened against such disruption) and A&E will deal with walk-ins and roll-ins of various kinds. Repeat prescriptions might be awkwardly hit (there's usually a buffer in supplies, but if already eaten into by other factors...) and pen-based contingencies in arranging new non-emergency treatments may suppress quality of care enough to create a statistical number of terminal deteriorations of condition in the short term, but I can't see a borderline case being clearly attributable to this problem above most of the other little problems that might be normally thought worth mentioning by a coroner.

Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7312
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: NHS cyberattack

Postby Zamfir » Mon May 15, 2017 9:21 am UTC

Windows XP is a real stumbling block for a lot of people. Because the original code was so fundamentally broken, there's no hope of ever providing real security over that system.

The other half of the story is that XP (and PC hardware) reached a "good enough" plateau. In the 90s, people assumed that there would be something much better around in a few years time. If there was some deep flaw in the current system, it would be fixed at the migration to the next, shinier system.

Then nothing much shinier came along. IT became like the HVAC systems Dauric mentions above. If it works it works, and you just want to keep it that way for the next 30 years. And apparently, XP is not quite designed for that attitude.

I don't know if newer windowses are better in that respect. Microsoft has clearly become more of a corporate infrastructure provider, that might help.

morriswalters
Posts: 6949
Joined: Thu Jun 03, 2010 12:21 am UTC

Re: NHS cyberattack

Postby morriswalters » Mon May 15, 2017 11:39 am UTC

ucim wrote:
morriswalters wrote: My original comment was that why can't these knowledge systems be used in this war.
Because they are, at their heart, computer programs. They will be targeted for viruses, and will get them.

Who you gonna call?

Jose
Perhaps I wasn't clear. NSA kept this exploit secret. Yet they found it in the first place. Why can't some form of intelligent system find these exploits for Microsoft before the NSA does? Or is this just the cost of doing business?

Mutex
Posts: 1068
Joined: Wed Jan 09, 2008 10:32 pm UTC

Re: NHS cyberattack

Postby Mutex » Mon May 15, 2017 11:45 am UTC

Are you talking about using AI to find exploits? I believe there's work being done on that.

Dauric
Posts: 3758
Joined: Wed Aug 05, 2009 6:58 pm UTC
Location: In midair, traversing laterally over a container of sharks. No water, just sharks, with lasers.

Re: NHS cyberattack

Postby Dauric » Mon May 15, 2017 12:09 pm UTC

Zamfir wrote:IT became like the HVAC systems Dauric mentions above. If it works it works, and you just want to keep it that way for the next 30 years. And apparently, XP is not quite designed for that attitude.


It's early on a Monday and I'm amused by the juxtaposition of real-world duct-work is actually too small for someone to crawl around inside to get in to a building, while networked information systems will probably always be involved in intrusion/counter-intrusion attempts.
We're in the traffic-chopper over the XKCD boards where there's been a thread-derailment. A Liquified Godwin spill has evacuated threads in a fourty-post radius of the accident, Lolcats and TVTropes have broken free of their containers. It is believed that the Point has perished.

Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7312
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: NHS cyberattack

Postby Zamfir » Mon May 15, 2017 1:15 pm UTC

I work in industrial gas cleaning, which is a bit like HVAC except the ducts are big enough to march armies through. They do have the typical intrusion protection mechanisms from the movies. The big moving fan, the burners, the long vertical stretch, the crusher, the submerged section that ends in a slowly closing valve, acid bath, poison clouds, liquid metal pools, etc. It's typically easier to walk in through the door.

Back on topic, part of the problem seems to be that PCs are very general-purpose systems. That makes them vulnerable to exploits, and it also means that there are many similar systems out there, to spread the cost of developing exploits.

HES
Posts: 4796
Joined: Fri May 10, 2013 7:13 pm UTC
Location: England

Re: NHS cyberattack

Postby HES » Mon May 15, 2017 1:21 pm UTC

No laser grids though?
He/Him/His

Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7312
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: NHS cyberattack

Postby Zamfir » Mon May 15, 2017 1:35 pm UTC

Yeah, those are rather common actually. Only at detection strength though, not the flesh-burning kind.

ucim
Posts: 5640
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: NHS cyberattack

Postby ucim » Mon May 15, 2017 2:14 pm UTC

morriswalters wrote:Perhaps I wasn't clear. NSA kept this exploit secret. Yet they found it in the first place. Why can't some form of intelligent system find these exploits for Microsoft before the NSA does?
Because if there's some system like that, the NSA will have it before we do. But that's not the point; the point is that AI is a computer program, and has bugs, vulnerabilities, and exploits too.

If you want to win this, you have to do so with something that is not (dependent on) a computer program.

Jose
Order of the Sillies, Honoris Causam - bestowed by charlie_grumbles on NP 859 * OTTscar winner: Wordsmith - bestowed by yappobiscuts and the OTT on NP 1832 * Ecclesiastical Calendar of the Order of the Holy Contradiction * Please help addams if you can. She needs all of us.

KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: NHS cyberattack

Postby KnightExemplar » Mon May 15, 2017 3:04 pm UTC

morriswalters wrote:
ucim wrote:
morriswalters wrote: My original comment was that why can't these knowledge systems be used in this war.
Because they are, at their heart, computer programs. They will be targeted for viruses, and will get them.

Who you gonna call?

Jose
Perhaps I wasn't clear. NSA kept this exploit secret. Yet they found it in the first place. Why can't some form of intelligent system find these exploits for Microsoft before the NSA does? Or is this just the cost of doing business?


You mean fuzzing? Because I'm pretty sure everybody (well... at least Google, Amazon, and Microsoft) does that, and I'm pretty sure there's a shit-ton of money in that business. There's lots of automated exploit-discovery tools out there.

I'm sure there are exploits that Microsoft finds that the NSA never finds. And I'm also sure that the NSA finds exploits that Microsoft never finds. But that's the thing: "offense" only needs to find one exploit that "defense" doesn't know to mess them up! The game is skewed in favor of offense right now. If an AI (or other technique: such as Fuzzing, Static Analysis, Dynamic Analysis, etc.etc.) comes out that erases one class of exploits, then offense will simply stop looking for that class of exploits and spend resources looking for other kinds of problems.

EDIT: I rambled with irrelevant ranting. So I erased the irrelevant paragraphs.

I'll add one example to prove my point. A Directory Traversal is simply a program that accesses a file that it shouldn't have been able to access in the first place. I'm grossly simplifying here, but that's basically the problem in a nutshell. There are numerous ways to prevent this problem. But how is an AI supposed to know which files are allowed to be touched, and which ones aren't allowed to be touched?

Remember: modern OSes have permission lists, role-based security, and other ways for the administrator to say "Hey, this program is only allowed to touch these files". But guess what? Administrators make mistakes. And then... combined with a simple coding mistake... the programmers accidentally allow the users to access files they weren't supposed to.

But programs will touch files. That's... kind of a very common operation. The security problem of specifying which files are safe for which programs to touch is a multi-pronged problem split across multiple disciplines. The original programmer, the system administrator, the businessmen organizing the company (ie: the people who are using the system). The corporate structure: how the humans themselves are organized and the requirements of the humans.

I have my doubts that an AI would figure all that out. Instead, it's the job of the system administrator to build this list of specifications... and in some cases... create groups of humans in the meatspace who are authorized to access files.
First Strike +1/+1 and Indestructible.
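
Added example, not part of the thread: the directory-traversal case from the post above, showing a common half-fix (string prefix check) next to a containment check that resolves the path first. The function names, the `public` / `public-private` directories and the requested paths are constructed for illustration; which directory counts as allowed is still a decision a human has to supply.

```python
import os
import tempfile
from pathlib import Path


def prefix_check(root, user_path):
    """Half-fix: normalise the joined path, then compare string prefixes.

    Fails in two ways: a sibling directory whose name merely starts with
    the root's name passes, and symlinks are never resolved.
    """
    full = os.path.normpath(os.path.join(root, user_path))
    return full.startswith(root)


def resolve_inside(root, user_path):
    """Return the real path for user_path, or raise PermissionError.

    root is the policy: the one directory an administrator has decided
    this program may serve from. The code only enforces that decision.
    """
    if "\x00" in user_path:
        raise PermissionError("NUL byte in requested path")
    root_real = Path(root).resolve(strict=True)
    # An absolute user_path replaces root_real in the join; resolve()
    # then collapses ".." and follows symlinks to the real location.
    candidate = (root_real / user_path).resolve()
    try:
        # Component-wise comparison, so "public-private" is not "public".
        candidate.relative_to(root_real)
    except ValueError:
        raise PermissionError(f"{user_path!r} escapes {root_real}") from None
    return candidate


def demo():
    """Run both checks over constructed requests; return {request: (weak, strict)}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "public"              # what the admin allowed
        sibling = base / "public-private"   # what the admin did not allow
        root.mkdir()
        sibling.mkdir()
        (root / "report.txt").write_text("quarterly numbers")
        (sibling / "secret.txt").write_text("not for this program")

        requests = [
            "report.txt",
            "sub/../report.txt",
            "../public-private/secret.txt",
            "/etc/hostname",
        ]
        try:
            # A link inside the allowed tree that points outside it.
            (root / "link").symlink_to(sibling, target_is_directory=True)
            requests.append("link/secret.txt")
        except OSError:
            pass  # platform without symlink support: skip that case

        results = {}
        for req in requests:
            weak = prefix_check(str(root), req)
            try:
                resolve_inside(root, req)
                strict = True
            except PermissionError:
                strict = False
            results[req] = (weak, strict)
        return results


if __name__ == "__main__":
    for req, (weak, strict) in demo().items():
        print(f"{req:32} prefix_check={weak!s:5} resolve_inside={strict}")
```
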

morriswalters
Posts: 6949
Joined: Thu Jun 03, 2010 12:21 am UTC

Re: NHS cyberattack

Postby morriswalters » Mon May 15, 2017 4:13 pm UTC

Mutex wrote:Are you talking about using AI to find exploits? I believe there's work being done on that.
The short answer is yes.
KnightExemplar wrote:But no programming language can be immune to all exploits.
Right. So what do they do? Why of course, they make tens of them in hundreds of flavors. As much as I'd like this conversation to be about technical issues it is really a human issue. Nobody has responsibility. People are more interested in making money in the short term without thinking about the longer term. Do you see the ironic humor of an infowar conducted by baby monitors?

Thesh
Made to Fuck Dinosaurs
Posts: 5530
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: Colorado

Re: NHS cyberattack

Postby Thesh » Mon May 15, 2017 4:36 pm UTC

morriswalters wrote:Right. So what do they do? Why of course, they make tens of them in hundreds of flavors.


And then continue to write anything critical in C.
Honesty replaced by greed, they gave us the reason to fight and bleed
They try to torch our faith and hope, spit at our presence and detest our goals

KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: NHS cyberattack

Postby KnightExemplar » Mon May 15, 2017 4:51 pm UTC

morriswalters wrote:
KnightExemplar wrote:But no programming language can be immune to all exploits.
Right. So what do they do? Why of course, they make tens of them in hundreds of flavors. As much as I'd like this conversation to be about technical issues it is really a human issue. Nobody has responsibility. People are more interested in making money in the short term without thinking about the longer term. Do you see the ironic humor of an infowar conducted by baby monitors?


I'm fairly certain that IT Administrators are getting grilled right now by their superiors if their computers were hosed due to this virus.

The question is whether or not they're being "fairly" grilled. But you're right, this is primarily a human issue, not a technical one.
First Strike +1/+1 and Indestructible.

Angua
Don't call her Delphine.
Posts: 5658
Joined: Tue Sep 16, 2008 12:42 pm UTC
Location: UK/[St. Kitts and] Nevis Occasionally, I migrate to the US for a bit

Re: NHS cyberattack

Postby Angua » Mon May 15, 2017 5:15 pm UTC

Soupspoon wrote:I haven't heard of any attributable deaths (Jeremy Hunt is missing, presumed unmissed), and I had a look on several news sites, but it'll be too early to tell anyway what deaths are fall-out of this and which are just what you'd get normally among potentially seriously ill and injured people.

Paramedics will still paramedic whoever they attend (I assume the emergency and dispatch systems, at least, are hardened against such disruption) and A&E will deal with walk-ins and roll-ins of various kinds. Repeat prescriptions might be awkwardly hit (there's usually a buffer in supplies, but if already eaten into by other factors...) and pen-based contingencies in arranging new non-emergency treatments may suppress quality of care enough to create a statistical number of terminal deteriorations of condition in the short term, but I can't see a borderline case being clearly attributable to this problem above most of the other little problems that might be normally thought worth mentioning by a coroner.

If it were to happen, I would imagine it would be related to not being able to get the results of a crucial blood test back fast enough - eg potassium level. I haven't heard of any in particular, but if there were it would probably be something like that.
'Look, sir, I know Angua. She's not the useless type. She doesn't stand there and scream helplessly. She makes other people do that.'
GNU Terry Pratchett

cphite
Posts: 1166
Joined: Wed Mar 30, 2011 5:27 pm UTC

Re: NHS cyberattack

Postby cphite » Mon May 15, 2017 6:00 pm UTC

KnightExemplar wrote:Yes, sometimes patches break things. So I can understand sitting on a patch for a few days or a week to test things out. But if you get a SECURITY CRITICAL update with REMOTE CODE EXECUTION and then decide to not update all your systems... well... what can I say really? Microsoft warned us all two months ago, provided us with the tools to select this update specifically (and ignore other updates that are arguably less necessary).


The problem with that is, sometimes when patches break things, they break things that are critical to your business. For example, we had a handful of people just over the past few weeks unable to work in our sales system because of a security patch, and it took several days to identify and resolve the issue. Had we allowed the entire company to be patched, we'd have been down for a week; which would mean lost sales, pissed off customers... you know, kinda the same thing as if we'd been hit by the exploit they're supposedly protecting us from.

Administrators need to balance the risk of a critical patch with the risk of that patch screwing things up on its own.

And sorry, but "Microsoft warned us..." just doesn't change that... Microsoft is notorious for releasing patches that muck things up, and they've actually gotten worse at it in the past few iterations of Windows.

KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: NHS cyberattack

Postby KnightExemplar » Mon May 15, 2017 6:15 pm UTC

cphite wrote:Administrators need to balance the risk of a critical patch with the risk of that patch screwing things up on its own.


I agree it's a concern and your situation is realistic from my understanding. That's there's work to be done in Information Systems.

With that said, Microsoft rates patches on how critical they are. You don't have to apply every patch from Microsoft. But you probably should apply the patches that say "CRITICAL" and "REMOTE CODE EXECUTION", even if they disrupt services to some extent.

Not every security patch is "Critical", and very few patches fix a "Remote code execution" problem. You read through the patch notes and make a determination. It requires a human sitting there looking through the patch notes... but yeah... that's their job.

Fixing security problems often causes old legitimate code (that relied on the insecure behavior) to break. That's relatively common in the great scheme of things. So you need a human there to make the determination... is the vulnerability worth the loss in services? Can you change how everyone else at the company does things to mitigate the loss in services?

--------

After all, if you keep your systems insecure (because of your situation), but then just apply a Firewall to prevent the virus from entering through those means, then your systems would remain secure. They'd be stopped by the firewall even if the computers behind the firewall were insecure. But the IT-team needs to be aware of the vulnerability, and they need to continuously take active steps to mitigate those vulnerabilities as they come up.

----

Which is why it's also important for Microsoft to have detailed and thorough patch-notes. So that defensive teams can actually understand the scope of the problem and start taking the appropriate steps (be it applying the patch... or if the patch is no good for some reason... then applying external tools to mitigate the threat). Any attempts to "negate" the virus writers who take advantage of patch notes simply backfires on the defensive community.
First Strike +1/+1 and Indestructible.

cphite
Posts: 1166
Joined: Wed Mar 30, 2011 5:27 pm UTC

Re: NHS cyberattack

Postby cphite » Mon May 15, 2017 7:08 pm UTC

KnightExemplar wrote:
cphite wrote:Administrators need to balance the risk of a critical patch with the risk of that patch screwing things up on its own.


I agree it's a concern and your situation is realistic from my understanding. That's there's work to be done in Information Systems.

With that said, Microsoft rates patches on how critical they are. You don't have to apply every patch from Microsoft. But you probably should apply the patches that say "CRITICAL" and "REMOTE CODE EXECUTION", even if they disrupt services to some extent.

Not every security patch is "Critical", and very few patches fix a "Remote code execution" problem. You read through the patch notes and make a determination. It requires a human sitting there looking through the patch notes... but yeah... that's their job.


Certainly anything that's rated critical and involves remote code execution is of the highest priority... but the reality is, if we can't process sales for a week, that's huge. And frankly, the folks at the top could give a rat's ass whether it's due to malware or to the patch that was meant to stop the malware. They see only that we're losing millions in revenue from the sales we're not processing, not to mention any lost future sales because the customers decided to go elsewhere.

And as for the patch notes... yeah, it'd be awesome if the folks who write the patches could foresee every possible negative consequence of their work on every environment; or if the folks writing the notes could include them... but that isn't realistic, and it's not what happens. They include the obvious stuff (one hopes) based on the testing (one hopes) that they did.

The point is, no matter how critical a patch may be, it's still prudent to test. And unfortunately that takes time, especially in complex environments.

Mallich
Posts: 33
Joined: Sat Dec 19, 2009 1:07 pm UTC

Re: NHS cyberattack

Postby Mallich » Mon May 15, 2017 7:39 pm UTC

It would also be important for companies to provide those patches in an honest manner. E.g. don't quietly release "security" patches that are actually aimed at the user.

Tl:dr the link: HP released a patch that made it even harder to use third-party printer inks. The functionality was added in March 2016, but wasn't activated until September... which meant that by the time people heard of the dodgy patch, they had long-since applied it.

I expect that quite a few companies use patches to "improve" their DRM, and there's a fair bit of bloatware that companies try to bundle with their updates. These actions discourage some users from getting into the habit of updating their stuff, and so even when Microsoft releases a patch that's rather transparent and convenient, people don't use it.

sardia
Posts: 5857
Joined: Sat Apr 03, 2010 3:39 am UTC

Re: NHS cyberattack

Postby sardia » Wed May 17, 2017 2:41 am UTC

https://www.nytimes.com/2017/05/16/us/n ... okers.html
The people analyzing and using the hacked NSA weapons are all giving compliments to their engineering/coding.
“These tools were beautifully made,” he said. “Hard to detect and easy to use. They were pretty much point and shoot. Even under the circumstances, you have to appreciate good engineering.”
Who says the government is terrible at making things? These weapons are a work of art, and they aren't even the best stuff the NSA has. I wonder why the NSA is so good at making these weapons but the Pentagon is so terrible at their weapons programs. Maybe it's the scale?

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 2544
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: NHS cyberattack

Postby Soupspoon » Wed May 17, 2017 7:08 am UTC

(As an aside, I was reminded that I went for an interview for an IT role in an NHS hospital, about ten years ago. Didn't get it (best guess, fluffed the interview¹) but, based upon my typical employment history, I could have still been there right now and in the middle of that mess. Rather than elsewhere, as I ended up, and experiencing other messes along the way. - Just had to get that off my chest to somebody, before I consign it back to the depths of my memory archives, again.)


¹ I'm not at my best in interviews. But this was probably when they asked me a question to which they were looking for one particular (IMO stupid²!) answer, that I didn't want to give. Even after being led into it. Only worked this out later, of course. No loss. And maybe they had an internal candidate in mind, anyway.

² And, thinking about it, portentously relevant.

Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7312
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: NHS cyberattack

Postby Zamfir » Wed May 17, 2017 8:59 am UTC

I wonder why the NSA is so good at making these weapons but the Pentagon is so terrible at their weapons programs. Maybe it's the scale?

The Pentagon isn't bad at weapons programs - in any category, they have the best weapons or something close to it. In some categories, they have the only weapons. What people complain about is cost. And the NSA is not cheap either - they might well be spending more on these tools than the rest of the world together.

elasto
Posts: 3129
Joined: Mon May 10, 2010 1:53 am UTC

Re: NHS cyberattack

Postby elasto » Wed May 17, 2017 12:41 pm UTC

The hacking group that says they facilitated the WannaCry ransomware attack has threatened to leak a new wave of hacking tools they claim to have stolen from the US National Security Agency.

The so-called Shadow Brokers, who claimed responsibility for releasing NSA tools that spread the WannaCry ransomware through the NHS and across the world, said they have a new suite of tools and vulnerabilities in newer software. The possible targets include Microsoft’s Windows 10, which was unaffected by the initial attack and is on at least 500m devices around the world.

In a blog post written in their trademark broken English, the group said they had more so-called Ops Disks, which they said were also stolen from the NSA. They also claimed to have exploits for web browsers, routers, smartphones, data from the international money transfer network Swift and “compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs”.

In the post, which will worry security agencies and companies worldwide, the Shadow Brokers said: “In June, TheShadowBrokers is announcing ‘TheShadowBrokers Data Dump of the Month’ service. TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.”

The hacking group said they would release tools to subscribers each month or would “go dark permanently” if the “responsible party” bought all the tools for a lump sum, suggesting the Shadow Brokers could be willing to hand over stolen hacking tools to the NSA for a price.

I maintain my assertion that the only responsible thing for the NSA (and other intel organisations) to do is to immediately and discreetly inform Microsoft, Apple and other providers of critical infrastructures of all known flaws in their software. That will give them the time and space to fix these bugs in the most obfuscated way possible rather than having to rush out transparent patches when a crisis hits.

Yes, you can argue (with considerable merit) that the blame for this problem lies on the organisations that created software with bugs - though that's inevitable in a marketplace which prioritises low cost and high convenience over high security, say.

When the market produces negative externalities, that's when government has to step in either to mandate minimum standards or to subsidise costs. In a sense I am asking them to do the latter, by doing QC testing that the software providers should have done themselves, but to the extent that the former is practical that should be done too.

link

Chen
Posts: 5277
Joined: Fri Jul 25, 2008 6:53 pm UTC
Location: Montreal

Re: NHS cyberattack

Postby Chen » Wed May 17, 2017 1:27 pm UTC

If there ever became a mandate for the IC to provide the software manufacturer with vulnerabilities they find, I presume they'd just stop doing it or they'd ignore the mandate. Why spend effort in finding vulnerabilities to spy with if you just have to reveal them and get them fixed.

The logical government mandate would be to make the software design follow more strict guidelines. They already do it for aircraft. Of course it would also probably mean the operating system cost would skyrocket which would just piss everyone off anyways.

elasto
Posts: 3129
Joined: Mon May 10, 2010 1:53 am UTC

Re: NHS cyberattack

Postby elasto » Wed May 17, 2017 2:24 pm UTC

Chen wrote:If there ever became a mandate for the IC to provide the software manufacturer with vulnerabilities they find, I presume they'd just stop doing it or they'd ignore the mandate. Why spend effort in finding vulnerabilities to spy with if you just have to reveal them and get them fixed.

Because governments have more than one role in society? They need to protect the good guys from harm as well as investigate the bad guys. When those roles come into conflict the more important one is protecting the good guys from harm. Better a hundred guilty men go free than one innocent man suffer yadda yadda.

The logical government mandate would be to make the software design follow more strict guidelines. They already do it for aircraft. Of course it would also probably mean the operating system cost would skyrocket which would just piss everyone off anyways.

Yes, which is why in this case I advocate cure rather than prevention. The equivalent would be the government providing healthcare rather than mandate no one ever do anything unhealthy or risky.

Chen
Posts: 5277
Joined: Fri Jul 25, 2008 6:53 pm UTC
Location: Montreal

Re: NHS cyberattack

Postby Chen » Wed May 17, 2017 2:49 pm UTC

Realistically getting the government to basically do QC testing just makes the cost to the consumer less transparent. Everyone is now paying for the software quality. Mandating more firm guidelines will likely increase cost but at least it will be visible and it can at least cause competition or even separate companies that will do the special quality testing to meet said new firm guidelines. The onus should fall on the software manufacturers to produce safe code, not on the government to be constantly checking said code.

elasto
Posts: 3129
Joined: Mon May 10, 2010 1:53 am UTC

Re: NHS cyberattack

Postby elasto » Wed May 17, 2017 3:34 pm UTC

Chen wrote:Realistically getting the government to basically do QC testing just makes the cost to the consumer less transparent. Everyone is now paying for the software quality.

For infrastructure of critical national importance, everyone should be paying for the quality - whether it's the electrical grid, the road system or whatever.

Joe Bloggs might not care that his unpatched computer is part of some DDoS or spam-email botnet, it doesn't affect him. Market forces are not the answer when negative externalities are in play. It's like the argument for public vaccination: It's not just you who is at extra risk when you don't get vaccinated, it increases the risk for everyone.

Mandating more firm guidelines will likely increase cost but at least it will be visible and it can at least cause competition or even separate companies that will do the special quality testing to meet said new firm guidelines. The onus should fall on the software manufacturers to produce safe code, not on the government to be constantly checking said code.

If guidelines can be written and enforced then fine, I'm just not sure they can, because there's such a wide variety of needs and use-cases. Plus how do you enforce rules on software written in other countries? What happens when countries have conflicting standards? Are you really going to try to make foreign software that doesn't pass government guidelines illegal to download..? What about when people write their own software..? Seems like a logistical and bureaucratic nightmare.

No, I think we have to be flexible and reactive here. If software has reached a critical level of market penetration, then it is either directly or indirectly subsidised.

The government could simply hand over buckets of cash but there's no guarantee that the company will actually spend that on improving security, they might simply trouser it, so I say let white-hat hackers on the government's dime try to break the software through any and every attack vector possible, and then report the results back to the firm confidentially. Then if they don't fix the flaws at least there's a much more obvious route for enforcement and punitive measures to unroll.

(Btw, this should be a world-wide fund paying for this, not simply the US taxpayer. Software flaws hit everyone everywhere with no respect for national borders, as this attack has thoroughly made clear.)

Chen
Posts: 5277
Joined: Fri Jul 25, 2008 6:53 pm UTC
Location: Montreal

Re: NHS cyberattack

Postby Chen » Wed May 17, 2017 4:40 pm UTC

If you had mandated guidelines that would need to be followed, presumably you would need to narrow the scope considerably. Not all software but at least operating systems. If you've deemed the systems so critical that there is substantial government interest in making sure the software isn't risky, then you'd have the government intervene by not letting software that isn't qualified to X level be sold in the country. Realistically I'm not sure how you FORCE companies and the like not to use that software. Let insurance companies not cover companies and the like if they're using non X qualified software. I'll grant this gets messy. It works in existing industries (aviation, automotive) since these are already regulated by various government agencies.

Getting spy agencies to do it is not the right way, if you're going to go with a government agency to do it. It should almost certainly be a separate agency that would be dedicated to this software quality. Some cybersecurity division of homeland security I guess. I very much don't like this option since you're just providing a free service to the software manufacturers. Now, perhaps you mandate some ridiculously expensive penalties if you end up finding large vulnerabilities. You'd still need to have the agency in place, but it might force the software companies to do more internal testing before it got to your government check. Could also serve to fund the department if they put sufficiently high penalties on releasing software with said exploits. I could get on board with something like that. But definitely not on board with asking the spy agencies to reveal the exploits they find. It's just asking for huge conflicts to come up.


