www. O S N E W S .com
Hit by WannaCry? No one to blame but yourself
By Thom Holwerda on 2017-05-15 16:18:18

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else - still on Windows XP without paying for extended support, or even worse, people who turn automatic updates off - who was affected by this attack?

I shed no tears for you. It's your own fault.

.
RE: Internet Disconnection
By weckart on 2017-05-15 17:46:48
Obsolescence also hits equipment hospitals rely on. Companies go bust because they cannot sell enough of a niche product to keep afloat. No driver updates means that updating the OS effectively trashes perfectly serviceable equipment.
Permalink - Score: 2
.
You don't understand the problem
By grandmasterphp on 2017-05-15 17:51:30
While those that have been running these older OSes at home should have upgraded, hospitals simply can't just upgrade.

I used to work for a software supplier to the NHS.

The NHS has no money to update these systems to newer versions of Windows. In some other cases it simply can't, for a multitude of reasons that I will discuss below.

Also, before you blame it on the current government in the UK, this problem has been over a decade in the making.

You cannot simply upgrade the OS either on Workstation or Server. Even intranet applications may only work correctly in IE or IE in compatibility mode.

There are thousands of bespoke applications that simply either do not have any vendor support, or cannot be upgraded easily. The businesses may have closed shop, but the software is normally tied to how the hospital works, or how it deals with referrals (if it is private) from the NHS.

Sometimes this isn't just a matter of the OS, it is a matter of the hardware interfaces. There is hardware that needs to work over legacy ports that don't exist on newer equipment needed to run Windows 7 and above. They aren't going to throw away a piece of equipment that costs hundreds of thousands of pounds.

Re-training medical staff to use said systems is costly. Changing the OS will require retraining. I don't just mean retraining in how to use the newer version of Windows or an updated application. There may be new procedures put in place that are offline.

The machines shouldn't have been exposed to the internet, true. However, in some cases they have to because of the access to health / NHS direct that the former Labour government forced through without much thought.

Most of the vendors of these applications may have since ceased trading because the investment from the previous Labour government simply doesn't exist anymore since the current Conservative Government cut spending drastically.

But your unrealistic expectation that IT departments are too lazy to upgrade shows how little you know the challenges of even getting a minor update into a production environment such as a hospital.

Unfortunately it takes an event like this until management and government will invest in IT. It is rarely the fault of the IT staff on the ground.

Edited 2017-05-15 17:58 UTC
Permalink - Score: 12
.
RE[3]: Car analogy
By tidux on 2017-05-15 18:04:02
For something like embedded devices, using Gentoo as a metadistribution is a better fit. Compile once, ship an image many times. ChromeOS does this.
Permalink - Score: 2
.
RE: Comment by FlyingJester
By Alfman on 2017-05-15 18:09:01
FlyingJester,

> I do understand that some embedded systems are basically not viable for upgrade.
>
> The irresponsible part, to me, is putting such a system on a network, or allowing data to pass into such a system from a possibly insecure source. Better yet if data can only move out from such a system, since that eliminates the biggest attack vector.


Yes, it also strikes me as odd that the networks themselves were not better isolated. I guess some employees inadvertently installed the malware inside the network perimeter of critical systems, however for that to be possible it seems there wasn't enough isolation. Critical systems should not have any connectivity to the internet at all incoming or outgoing such that internet based malware could infest the inner network. They should also be physically secured.

Internet facing servers should be kept outside the perimeter in a DMZ. Employee computers should probably have their own networks as well. They could install honeypot/trip wires to detect any unauthorized activity.

Edited 2017-05-15 18:23 UTC
Permalink - Score: 4
.
Windows back door proven
By cmost on 2017-05-15 18:15:04
The fact that Microsoft had a patch so quickly, and even for Windows XP just proves what I have alleged for years that a back door exists in Windows to allow the NSA to peruse user data at its will.

Glad I switched all of my systems to Linux back in 2002.
Permalink - Score: 4
.
RE: You don't understand the problem
By Alfman on 2017-05-15 18:22:11
grandmasterphp,

> But your unrealistic expectation that IT departments are too lazy to upgrade shows how little you know the challenges of even getting a minor update into a production environment such as a hospital.
>
> Unfortunately it takes an event like this until management and government will invest in IT. It is rarely the fault of the IT staff on the ground.


I know what you mean, it's not uncommon in corporate scenarios to have to wait on all the suppliers before upgrading, and the fact of the matter is Microsoft is just one of many suppliers (not necessarily even the most important one at that). All these pieces have to work together... sometimes this requires contracts, a new scope of work, training, testing, scheduled downtime, etc. It's not always as simple as an outsider makes it out to be, like updates on their home computer.


Also, welcome to osnews!
Permalink - Score: 2
.
Comment by ssokolow
By ssokolow on 2017-05-15 18:25:17
I see this article and raise you "This is why Windows users don't install updates"

http://goodbyemicrosoft.net/news...

(Seriously, though, as the other commenters have pointed out in detail, this is a gross oversimplification.)
Permalink - Score: 4
.
RE: You don't understand the problem
By Thom_Holwerda on 2017-05-15 18:26:02
> The NHS has no money to update these systems to newer versions of Windows.

You are kneejerking without reading the actual article. I didn't blame the NHS (or its hospitals and workers), but the government that funds it.

Is it really Microsoft's fault if the British government underfunds its healthcare service?

> But your unrealistic expectation that IT departments are too lazy to upgrade shows how little you know the challenges of even getting a minor update into a production environment such as a hospital.

Again - I don't think you actually read the article, but just immediately got defensive. I did not say anyone was lazy - just that yes, if you choose not to fund your IT department adequately, then yes, YOU are to blame for an inadequately funded IT department, and the resulting consequences. In the case of companies, that's the manager allocating funds - and in the case of the NHS, it's the government.
Permalink - Score: 2
.
Comment by Ikshaar
By Ikshaar on 2017-05-15 18:35:11
While I agree with OP, mostly, the fact that MS was able to release a patch for XP within hours makes me wonder why they stopped the automatic updates of XP, if not to force people to buy a newer system?? And in that light, MS is considerably at fault. They made billions selling XP!! And still you should pay extra to get those patches now.

And to use your analogy, they not only stop offering oil change, they now say you should buy a new car instead of having an oil change :(
Permalink - Score: 7
.
RE: Windows back door proven
By Thom_Holwerda on 2017-05-15 18:38:18
> The fact that Microsoft had a patch so quickly, and even for Windows XP just proves what I have alleged for years that a back door exists in Windows to allow the NSA to peruse user data at its will.
>
> Glad I switched all of my systems to Linux back in 2002.


This is uninformed BS - fake news, if you will.

The patch was so readily available because customers who pay for a support contract are still getting XP patches. You just don't get these patches for free.

Please, this isn't rocket science.
Permalink - Score: 2

© OSNews LLC 1997-2007. All Rights Reserved.
The readers' comments are owned and a responsibility of whoever posted them.