www. O S N E W S .com
Hit by WannaCry? No one to blame but yourself
By Thom Holwerda on 2017-05-15 16:18:18

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We're only beginning to calculate the damage inflicted by the WannaCry program - in both dollars and lives lost from hospital downtime - but at the same time, we're also calculating blame.

There's a long list of parties responsible, including the criminals, the NSA, and the victims themselves - but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

If you're still running Windows XP today and you do not pay for Microsoft's extended support, the blame for this whole thing rests solely on your shoulders - whether that be an individual still running a Windows XP production machine at home, the IT manager of a company cutting costs, or the Conservative British government purposefully underfunding the NHS with the end goal of having it collapse in on itself because they think the American healthcare model is something to aspire to.

You can pay Microsoft for support, upgrade to a secure version of Windows, or switch to a supported Linux distribution. If any one of those means you have to fix, upgrade, or rewrite your internal software - well, deal with it, that's an investment you have to make that is part of running your business in a responsible, long-term manner. Let this attack be a lesson.

Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions - they're all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different - they're not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low - an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.

So no, Microsoft is not to blame for this attack. They patched this security issue two months ago, and had you been running Windows 7 (later versions were not affected) with automatic updates (as you damn well should) you would've been completely safe. Everyone else who was affected by this attack - those still on Windows XP without paying for extended support, or even worse, people who turn automatic updates off?

I shed no tears for you. It's your own fault.

This won't change
By Darkmage on 2017-05-16 07:15:19
On medical equipment this won't change until governments step in and demand change. Notice that every government in the western hemisphere has access to the Windows Source Code because of "national security"? Yet for some reason there are $20 million MRI machines in hospitals with proprietary imaging software, some of which only interface with NEXT, some UNIX, or some old Apple crap? These devices never get patched, updated, or migrated to new equipment because the suppliers have got the government by the balls. Until governments refuse to do business with suppliers that don't provide source, and refuse to buy these dodgy products it will never change. A $20 million device which never gets updated is a flawed device.

Edited 2017-05-16 07:16 UTC
Permalink - Score: 2
RE[4]: You don't understand the problem
By daedalus on 2017-05-16 08:09:04
Not necessarily. The companies that supply custom equipment like this also have long development cycles due to certification by the relevant bodies that means they plan for, say, a ten year cycle, and the machine doesn't change in that time. I worked for a company making such equipment, and our brand spanking new system was shipping with Vista in 2012, purely because development started in 2006 and Vista was seen as the future. Switching to Windows 7 would have delayed the product to market by a year or two - something the company simply wouldn't accept. So even shelling out €200,000 to replace the three machines you might find in a typical hospital lab wouldn't have gotten you an up-to-date OS.

I believe those machines have since been updated to 7 - right about the time 10 came out.
Permalink - Score: 2
RE: This won't change
By daedalus on 2017-05-16 08:12:23
A $20 million device which receives updates will be a $30 million device purely because of the vast amounts of extra manpower required to recertify the device every time a patch is rolled out.
Permalink - Score: 2
Buying a piece of kit
By yerverluvinunclebert on 2017-05-16 08:20:05
There is still the non-technical mentality in many companies like the NHS, when they are buying a new machine they forget that it is no longer a one-time purchase like it used to be. The associated processing unit is considered part of that fixed cost and when time and money is hard pressed the on-going costs are simply forgotten because the device just works... Fifteen years of largely uninterrupted operation is the justification for not upgrading. The alternative might be a new MRI scanner that costs millions and tens of thousands in retraining, not to mention possible deaths if new kit is used incorrectly. The NHS is so massive and widely distributed that it is very, very hard to ensure that all vulnerable machines are not web-facing.

The whole world literally runs on these types of legacy machines - from trackside equipment to automated cranes in nuclear power storage facilities - and if the author is still unaware of this fact then frankly he should not be writing irresponsible articles like this.

The one thing this infection scenario does point out is that none of us should be using closed source operating systems from companies that regularly abandon their recent os releases just in order to bring out something new that will sell more.
Permalink - Score: 1
RE[2]: Wait ...
By Kochise on 2017-05-16 09:16:21
You are free to provide your 2 cents on the question. Any advisable inputs instead of a random rant?
Permalink - Score: 2
RE[2]: This won't change
By yerverluvinunclebert on 2017-05-16 10:08:47
Precisely. In the aero industry, a change in the development machine that provides the code that flies the plane means that plane has to be recertified. Not just that plane but every plane that might potentially use the new code. If you can retain the same machine then you have the same output and the cost is reduced by millions and possibly tens of millions.
Permalink - Score: 1
Not surprised about the NHS
By Dave_K on 2017-05-16 10:22:35
I'm not exactly surprised that the NHS are running out of date software like Windows XP in 2017. When I visited an NHS hospital lab in the mid 90s I was a bit shocked at the out of date and kludged together state of equipment that could literally be a matter of life and death.

There was gear in the haematology lab that still relied on CP/M software dating back to the 70s. The original hardware had been replaced with a BBC Micro + Z80 second CPU at some point to keep it functioning - I think the lab equipment connected to the BBC's analogue port, and of course used 5.25" disks to store its data.

The guy who'd re-written the code (burned to an EPROM inside the BBC) and cobbled together the hardware interface for it was long gone by that point. At least they wouldn't have to worry about malware I suppose...

As other people have pointed out, it's not as simple as them forgetting to install updates, or even lacking the budget to upgrade. The bespoke hardware and software in use makes things very different from a typical home or office, and there's also a definite reluctance to try fixing things before they're (completely) broken.

Just throwing money at it wouldn't necessarily solve all problems - under the last government the NHS blew around £12 billion failing to implement a new IT system after all.
Permalink - Score: 4
RE: Responsibility
By mistersoft on 2017-05-16 10:29:45

I'm surprised Alfman - sure if computers are being "certified" for running e.g. medical imaging equipment - with Windows Update turned off - then SURELY they should not be networked !?

Have a sandboxed secondary drive that is write only used for exporting the data from the primary drive
Have a strict SOP that the IT guys supply the UUID number for the drive (and a little utility for the untrained to enter this - that mounts it write only at a specific mount point and refuses to mount elsewhere, or with other privileges - system wide)

Then physically move it to a 2nd computer terminal beside it that is networked; do this once or even twice a day with a fresh External USB each time. 1TB 2.5" drives are only $50 each now - which is relatively negligible vs cost of imaging 6 - 12 patients on MRI/PET scanners

Would this not be a safe-ish workaround? If you're needing to keep to the certification model.
Permalink - Score: 2
Everything is broken
By M.Onty on 2017-05-16 11:10:17
"The number of people whose job it is to make software secure can practically fit in a large bar, and I’ve watched them drink. It’s not comforting."
--- Quinn Norton ( https://medium.com/message/everyt... )
Permalink - Score: 4
RE: Windows back door proven
By Parry on 2017-05-16 11:31:04

There's a lot of conspiracy theories going around, but IMO they're all BS. The reality is so much simpler.
Permalink - Score: 1
