74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+

The WannaCrypt ransomware worm, aka WanaCrypt or Wcry, today exploded across 74 countries, infecting hospitals, businesses including Fedex, rail stations, universities, at least one national telco, and more organizations. In response, Microsoft has released emergency security patches to defend against the malware for …

  1. bombastic bob

    worthy of mention

    one source suggests that it spreads by accessing port 445, potentially from the internet.

    https://www.hackbusters.com/news/stories/1532486-player-3-has-entered-the-game-say-hello-to-wannacry

    and an e-mail attachment payload would give it access to your LAN. yeah, not good.

    1. Anonymous Coward

      Re: One Source

      Are you sure it wasn't Wikipedia?

      https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

    2. Anonymous Coward

      Re: worthy of mention

      Accessing Windows devices by file sharing ports (tcp/139 and tcp/445) has been a commonly used worm path for years (e.g. Sircam/Nimda in 2001; more recently most cryptoware has targeted file shares) - don't open it to the Internet ever and block it outbound to the Internet to stop potentially infecting others.

      Within networks where default firewall rules allow Windows file sharing, it's a little harder to control (block Windows file sharing between most PCs by default and centralise your file shares, ensure that central file shares have virus protection on write and security is limited to specified users/domain users to reduce the risk from "guest" devices).

      Which leaves the e-mail side - most of these worms/virus infections are initially introduced via e-mail. On stand-alone PCs, ensure you have an adequate AV solution (e.g. one that scans temporary files and compressed files) and don't disable the default protections around executables. If you don't wish to manage AV, most of the big e-mail providers include pretty decent AV offerings as part of their service (e.g. all the big free email providers, EOP (was FOPE) for Office 365 etc).

      Finally, read some of the cases around organisations hit by worms/viruses that include details of entry and how the outbreak evolved. Most of the issues that caused an initial infection to become an outbreak come from relying on a single method of protection that was found to not be working correctly. A little "defense in depth" goes a long way in limiting/controlling the damage.

      Oh...and assume that telling people to not open or click on "X" will result in at least 1% doing exactly that.
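The firewall side of the advice above, as an added PowerShell example that is not part of the original comment: it narrows the built-in inbound "File and Printer Sharing" rules so that only an assumed management subnet can reach this PC's shares (everything else then hits the default inbound block, which is what stops PC-to-PC spread over tcp/139 and tcp/445), adds an explicit outbound block towards the Internet, and reports what is still exposed. The NetSecurity cmdlets used here exist on Windows 8 / Server 2012 and later; the subnet is an assumption to replace with your own range, and the netsh lines in the comments are the Windows 7 equivalents.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Scopes Windows file sharing the
# way the comment above recommends. Needs the NetSecurity module (Windows 8 /
# Server 2012 or later). $ManagementSubnet is an assumed placeholder: the only
# hosts (e.g. admin jump boxes) still allowed to open this PC's shares.

$ManagementSubnet = '10.0.9.0/24'   # assumption: replace with your own range

function Set-SmbExposure {
    param([Parameter(Mandatory)][string]$ManagementSubnet)

    # Inbound: the default inbound action is Block, so it is enough to narrow the
    # built-in allow rules for file sharing (tcp/139 NB-Session-In, tcp/445
    # SMB-In and the udp/137-138 NetBIOS rules in the same group) to the
    # management subnet. Other workstations can then no longer connect to this
    # PC's shares, which is what stops a worm hopping from PC to PC.
    # Windows 7 equivalent:
    #   netsh advfirewall firewall set rule group="File and Printer Sharing" dir=in new remoteip=10.0.9.0/24
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $ManagementSubnet

    # Outbound: the default outbound action is Allow, so add an explicit Block.
    # Block rules win over Allow rules in Windows Firewall, so a broader allow
    # rule cannot override this, while LAN traffic to the central file servers
    # (classified as "Intranet" by Network Location Awareness) is unaffected.
    # Windows 7 has no "Internet" keyword; there, use
    #   netsh advfirewall firewall add rule name="SMB lockdown out" dir=out action=block protocol=TCP remoteport=139,445 remoteip=<ranges to block>
    $name = 'SMB lockdown: no file sharing to Internet'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound -Protocol TCP -RemotePort 139,445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

function Get-SmbExposure {
    # Reports what could still admit a connection: SMB/NetBIOS listeners and the
    # enabled inbound allow rules covering tcp/445 with their remote scope.
    $listening = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object LocalAddress, LocalPort
    $inbound = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule  = $_.DisplayName
                Scope = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
            }
        }
    [pscustomobject]@{ Listening = $listening; InboundAllow445 = $inbound }
}

Set-SmbExposure -ManagementSubnet $ManagementSubnet
Get-SmbExposure | Format-List
```

After running it, every rule listed under InboundAllow445 should show the management subnet (or nothing) as its scope; a rule scoped to "Any" means another allow rule, usually added by an application installer, still opens the share to the whole LAN and needs the same treatment.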

      1. John Smith 19

        "the SMB server bug is the result of a buffer overflow in Microsoft's code. "

        BTW People make a big thing about XP but this SMB stuff is in all versions of Windows.

        Remember when MS claimed they'd spent $Bn training their devs to not write insecure code and totally re-written the code base to eliminate these flaws?

        How do you know when you're dealing with a monopoly?

        Simple. When s**t this serious still does not force CTO level management to think "Maybe I should think about running something else on the desktop?"

        1. h4rm0ny

          Re: "the SMB server bug is the result of a buffer overflow in Microsoft's code. "

          >>BTW People make a big thing about XP but this SMB stuff is in all versions of Windows.

          Yes, and patched automatically in all supported versions before this happened. The reason people make a big deal about XP is because nobody should be using this 2001 OS in 2017. If you're running Windows 7 / 10 then unless you've somehow prevented it updating it's not vulnerable to this. You make it sound as if all versions are.

          1. HereIAmJH

            Re: "the SMB server bug is the result of a buffer overflow in Microsoft's code. "

            "Yes, and patched automatically in all supported versions before this happened. "

            I would be surprised if MS is actually fixing bugs in SMBv1. Windows 7+ and Windows 2008+ support SMBv1, but default to SMBv2. So they don't use the protocol unless the remote forces them to downgrade. The 'fix' that has been around for a while is registry setting to turn off the SMBv1 protocol. Just like we did for SSLv3 (and now the lower TLS versions). Anyone who has done PCI scans has seen this working through the system for a while.
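The registry "fix" the comment above refers to, as an added example that is not part of the original comment: it disables SMBv1 on the server side, applies the client-side service change, and checks that both took effect. The registry path, service names and values are the ones Microsoft documents for Windows 7 / Server 2008 R2; on Windows 8 / 2012 and later the Set-SmbServerConfiguration cmdlet does the same without a reboot. One practical point: an incoming worm connects to the SMB server component, so the server-side switch matters whatever dialect this machine negotiates as a client.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Turns off SMBv1 and verifies it.
# Registry path and values are Microsoft's documented ones for LanmanServer;
# the service-dependency change is the documented client-side method for
# Windows 7 / 2008 R2 (needs a reboot to take effect).

$LanmanServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # No SMB1 value present means the default, i.e. the protocol is enabled.
    $value = (Get-ItemProperty -Path $LanmanServerKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return 'Enabled (default, value not set)' }
    if ($value -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Disable-Smb1Server {
    # Server side: stop this machine from ACCEPTING SMBv1. This is the side a
    # worm talks to, so it is the one that matters most.
    Set-ItemProperty -Path $LanmanServerKey -Name SMB1 -Type DWord -Value 0
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: same effect, immediate.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Windows 8.1 / 10 can remove the component entirely instead:
    #   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
}

function Disable-Smb1Client {
    # Client side: stop this machine from SPEAKING SMBv1, so a hostile server
    # cannot force it to downgrade. sc.exe needs the space after "depend=".
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Test-Smb1Disabled {
    # $true only when both sides are off. START_TYPE 4 is DISABLED in sc.exe's
    # output. Live session dialects can be checked with Get-SmbConnection on
    # Windows 8 and later; anything below 2.0.2 is SMBv1.
    $server = (Get-Smb1ServerState) -eq 'Disabled'
    $client = [bool]((& sc.exe qc mrxsmb10) -match 'START_TYPE\s*:\s*4')
    return ($server -and $client)
}

Disable-Smb1Server
Disable-Smb1Client
"SMB1 server: $(Get-Smb1ServerState)"
"Both sides disabled: $(Test-Smb1Disabled)"
```

Run it, reboot, and run Test-Smb1Disabled again: the client-side change only shows as applied after the restart, and an old scanner or printer that still needs SMBv1 will show up as a failed connection from that host, which is the inventory you want before rolling this out fleet-wide.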

          2. grumpy-old-person

            Re: "the SMB server bug is the result of a buffer overflow in Microsoft's code. "

            The update mechanism in windows has always been odd - I have never understood a lot of what it gets up to. Ubuntu's system is as slick as fur on a frog.

          3. Nano nano

            Re: "the SMB server bug is the result of a buffer overflow in Microsoft's code. "

            To be fair, it could be 2008 SP3 ...

        2. Snorlax

          Re: "the SMB server bug is the result of a buffer overflow in Microsoft's code. "

          When s**t this serious still does not force CTO level management to think "Maybe I should think about running something else on the desktop?"

          Just curious, what's the alternative?

          ...and don't say linux because we all know that's not going to happen.

          Mac OS? Maybe, but that going to be a costly desktop refresh.

          1. jgarbo

            Re: "the SMB server bug is the result of a buffer overflow in Microsoft's code. "

            Still say more secure OS is costly, after the ransom demands? I'm surprised any "mission critical" [expensive to fix] ops aren't running a *nix OS instead of amateur hour MS.

            My kids run Linux just for email & browsing - with only "user" privileges. Oh, and it's free. Where did I go wrong, not buying MS?

          2. Anonymous Coward

            Re: "the SMB server bug is the result of a buffer overflow in Microsoft's code. "

            If they jumped to Mac Minis, which are the cheapest Macs, it might actually be cheaper in the long run, as Apple don't charge for MacOS, unlike Microsoft who do for Windows, which for something the size of the NHS must be an eye-watering bill for MS licences. No doubt they have software that is Windows only though.

            I am sure last time I went to my local NHS they were running Linux on the consultant's PC, as the interface did not look like the usual Windows controls.

            Patching Windows in the NHS must be a right pain; they don't go home at 5pm, they run 24/7 in hospitals, so rebooting clients at any time will be painful.

          3. pogul

            Re: "the SMB server bug is the result of a buffer overflow in Microsoft's code. "

            >Just curious, what's the alternative?

            >...and don't say linux because we all know that's not going to happen.

            Linux.

            Are you one of those people who says shit in meetings like "well it would be nice to do stuff that way, but that's not the way we do it".

            So what you are saying is, tell me the answer but I'm going to disregard the answer if it is the one I don't want you to give, yet think would actually solve the problem.

        3. UncleDavid

          Re: "the SMB server bug is the result of a buffer overflow in Microsoft's code. "

          "Remember when MS claimed they'd spent $Bn training their devs to not write insecure code and totally re-written the code base to eliminate these flaws?"

          Never claimed to have rewritten the codebase. Everyone was made to own, and be responsible for reviewing, part of the old crufty code, some of which was years old. So someone's name is on this. But these 16/32/64 confusions, and (especially) the byte/char confusion when moving from the ASCII to the Unicode days, are incredibly difficult to spot. During the NIMDA (I think) attack, their security bods posted the offending code and even then most people couldn't see it until it was explained.

      2. Doctor Syntax

        Re: worthy of mention

        "On stand-alone PC's, ensure you have an adequate AV solution"

        The problem with this is that the signature for any new malware won't be available until the target has been released, infected systems and been reported. When something spreads as fast as this has done that will be much too late.

        1. bombastic bob

          Re: worthy of mention

          "On stand-alone PC's, ensure you have an adequate AV solution"

          The problem with this is that the signature for any new malware won't be available until the target has been released

          and this:

          http://www.theregister.co.uk/2017/05/09/microsoft_windows_defender_security_hole/

          where having "Defender" running to scan things is likely to create MORE problems than it solves...

    3. just another employee

      Risk Management

      Using windows XP is a KNOWN risk.

      1. Name the chief execs of the trusts who had this risk in their risk register with "accepted" recorded.

      2. Fire the chief execs of the trusts who don't even have it recorded as a risk.

      Simple. Won't happen again.

      1. truetalk

        Re: Risk Management

        Let me correct that for you .. You mean using Windows (whichever version) is a known risk. This vulnerability is present in 7, 8, 10 ..

        1. Def

          Re: Risk Management

          Using a computer connected to the Internet is a known risk. Letting human beings use said computer is a bigger risk. FTFY

          And yes, this vulnerability does exist in all versions of Windows. However, it was automatically patched in 10 a couple of months ago (except for those machines either not connected to the internet or owned by someone who "knows better"), and probably in the other versions too unless they're owned by someone too lazy or too paranoid to install updates in a timely manner.

          Say what you will about newer versions of Windows automatically installing updates, but it's functionality that exists for a reason. The vast majority of computer users out there simply don't understand the security implications of keeping a computer patched and up to date.

          1. This post has been deleted by its author

            1. h4rm0ny

              Re: Risk Management

              >>Or they're simply wary of being "upgraded" to Windows 10 with the next automatic update, that curiously lacks a "No, I don't want to upgrade" button - and interprets the closure of the popup as "Yes, please upgrade me to Windows 10", even in violation of previous documented configuration policies that expressed a customer's desire to stay with their current OS.

              I see you've already been modded up twice for your reply to my post. But we are talking Enterprise Windows licences here. You have control over updates in Enterprise licences and they also don't suddenly randomly upgrade themselves to Windows 10, either. The rest of your many paragraphs all follow from not being aware that Enterprise Windows functions differently from Home and Professional licences. There is no excuse for being two months behind on updates marked Critical or for using Windows XP which is four versions out of date of the current. Neither have anything to do with home users being updated to Windows 10 making Sysadmins reluctant to apply updates. The idea is nonsense.

              1. Snorlax

                Re: Risk Management

                @h4rm0ny: Neither have anything to do with home users being updated to Windows 10 making Sysadmins reluctant to apply updates. The idea is nonsense.

                Exactly. Enterprise users have long had the ability to control updates. It's weird that some people prefer to ignore this fact.

                In any event, it's trivial to add a registry key to prevent an upgrade, or prompt to upgrade, on all versions of Windows 7 or 8/8.1

                For instance:

                [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Gwx]

                "DisableGwx"=dword:00000001

              2. This post has been deleted by its author

            2. Stevie

              Re: Risk Management

              "What isn't being discussed is WHY so many people are not enabling automatic updates"

              Well in my case Automatic Updates were enabled on boot of my Win 7 Home Ed. laptop, but WU did nothing but spin taking up 51% of the cpu for about a year. Any time I needed to do real work I was forced to shut down the service. WU started "working" a few weeks ago when the massive Windows 10 update was rolled out.

              I just built a new Win 7 pro machine, finally managed to get the "Security Rollup" update to install after MUCH fucking about and once again I am looking at a 51% WU cpu usage for no actual gain.

              So, for me (and I suspect a nation or 74 of others) the simple fact is Windows Update has become unresponsive through no fault of the user.

              I will await the shirtstorm of victim blaming coming my way.

          2. HereIAmJH

            Re: Risk Management

            "Say what you will about newer versions of Windows automatically installing updates, but it's functionality that exists for a reason."

            Which would all be well and good, if the damn morons in charge of making corporate policy didn't hijack the security update process with marketing. I don't allow automatic updates because I don't want to deal with upgrade nag-ware or compatibility scanners digging through every file on my system for an 'upgrade' I haven't determined I even want. Automatic updates have to come from a TRUSTED source.

            1. anthonyhegedus

              Re: Risk Management

              Damn right. Microsoft is not a trusted update source. A lot of their updates contain adverts, or simply switch defaults back to unreliable settings.

              Now that they've released a patch for XP, does this mean that people will relax and think "it's ok, microsoft IS keeping XP updated after all"? Will complacency set in?

          3. John Brown (no body)

            Re: Risk Management

            "Say what you will about newer versions of Windows automatically installing updates, but it's functionality that exists for a reason."

            And the list of places infected in this current outbreak can safely assume that every patch issued by MS is safe and won't break anything? Or maybe they test patches before deploying them so as not to break crucial applications.

        2. h4rm0ny

          Re: Risk Management

          That's not a correction. A patch for this was issued in March. If you are two months behind on your patches that would be a problem for GNU/Linux systems as well. Or do you leave your systems unpatched for that long as well? If so, you're not fit for a job as a sysadmin.

          The greater problem here is agencies such as the NSA instructing companies to leave vulnerabilities available such as in the case of the Intel AMT bug which according to Semi-Accurate was almost certainly left in by request. What we're really seeing here is a highly visible example of why we shouldn't be allowing the government to mandate backdoors into systems such as Theresa May and Amber "we must know the necessary hashtags to combat terrorism" Rudd want us to create.

          Seriously - an unpatched OS is a security risk. Using an OS written sixteen years ago and STILL refusing to upgrade it - that's on Jeremy Hunt and his ilk. Don't try to deflect the blame elsewhere.

          1. lorisarvendu

            Re: Risk Management

            Are we sure that the Reg is correct about Jeremy Hunt cancelling Windows XP Extended Support in 2015? According to this article in 2014 it would have only lasted a single year anyway.

            https://www.theguardian.com/technology/2014/apr/07/uk-government-microsoft-windows-xp-public-sector

            Having said that, if they continue to run XP after all patch support has well and truly gone, then yes they are asking for it.

            1. This post has been deleted by its author

          2. grumpy-old-person

            Re: Risk Management

            The point is that despite bad / stupid behaviour on the part of users the root of the problem is companies like M$ (and so many others - watch for the flash!) that despite enormous resources produce flawed software consistently. And in M$ case the update mechanism has been odd for years - how is granny supposed to deal with this?

            Go back a little and try to remember how the world and dog crucified the Heartbleed fellow - be fair and go after M$ in the same fashion now.

          3. anonymous boring coward

            Re: Risk Management

            "Using an OS written sixteen years ago and STILL refusing to upgrade it"

            Presumably it's running on some hardware that can't handle later OSs, and has some software that only runs under XP (typically drivers). Why MS can't support it at a reasonable cost is beyond me. One could easily build a large team around supporting XP for the amount of money available, but MS takes the extortionate XP support money and obviously spends it elsewhere. Greed and stupidity in the long run (MS's fading reputation).

        3. Destroy All Monsters

          Re: Risk Management

          Not only is using Windows a known risk (and not only technical, but also legal as the friendly Microsoft Auditor drops by), it is also often *completely* unnecessary.

          And in scenarios where machinery is embedded, not updated often, mobile, or runs special software it is also reckless.

        4. just another employee

          Re: Risk Management

          Let me correct you.

          Using a computer is a KNOWN risk (do not even think of trying to tell me Linux is 100% secure - would only prove your own incompetence)

          Using an OS where the manufacturer has stated "No more patches" is more of a risk than using an OS where the OS says "Patches available ASAP". Anyone choosing to use an unsupported OS should accept the responsibility of doing so. That was my point. (Why did you have to drop to the daft level of slagging off Windows?)

          FTFY

        5. Anonymous Coward

          Re: Risk Management

          Laughing right now at the "experts" that still continue to spread myths like the one that it was the NHS using XP that caused this. This is totally untrue.

          A) it affects all versions of Windows right up to Windows 10

          B) the myth that the NHS runs XP came from a report that said 90% of NHS computers run XP. Drill into the details and it actually meant that out of the trusts that responded to the Freedom of Information request, 90% of the trusts had 1 or more computers running XP. That could just be 9 XP computers. In my experience less than 1% are running XP and 100% of these are not on the network. Anyone trotting out the 90% figure is a clickbait joker.

        6. Bronek Kozicki

          Re: Risk Management

          "This vulnerability is present in 7, 8, 10 .."

          How can you expect an average CTO to trust your assessment if you are unable to count to 10?

        7. Anonymous Coward

          Re: Risk Management

          Let me correct that for you, the Windows 8.0 patch was released yesterday -

          https://www.microsoft.com/en-us/download/details.aspx?id=55249

      2. Doctor Syntax

        Re: Risk Management

        "Simple."

        The word you're looking for is "simplistic".

        As has already been pointed out all unpatched versions of Windows are vulnerable. Patching itself introduces risks - patches have been known to break things and now that MS are rolling multiple patches together those risks are increased. So patching also involves testing and testing takes time.

        The specific risk for XP is that it doesn't get patches. But, again, the issues with XP aren't simple. In many cases it will have been retained because something mission-critical depends on it and replacing whatever that is may require major expenditure and further risks. If your MRI scanner, for instance, relies on a no-longer maintained piece of XP-only software do you simply put your hand in your pocket for a few million to replace it, commission a rewrite and take the risk that it may fail in some respect to emulate the existing product or do you keep using XP?

        These sorts of issues are not easily solved. Of course they only exist in the real world so please feel free to keep helping with your advice.

        1. Anonymous Coward

          Re: Risk Management

          If your MRI scanner, for instance, relies on a no-longer maintained piece of XP-only software do you simply put your hand in your pocket for a few million to replace it, commission a rewrite and take the risk that it may fail in some respect to emulate the existing product or do you keep using XP?

          And there you have hit the nail solidly on the head.

          In the real world MS did a wonderful PR selling job to get people to use their OS which was inferior to OS/2 at the time and quite a lot of industrial equipment control systems were converted from OS/2 to XP. In my book that makes MS responsible to keep their OS 'safe' as long as said equipment is kept in use or pay the full cost of upgrading the equipment to allow it to use their newer OS.

          1. Snorlax

            Re: Risk Management

            @Ivan 4: "In my book that makes MS responsible to keep their OS 'safe' as long as said equipment is kept in use or pay the full cost of upgrading the equipment to allow it to use their newer OS."

            Sorry, I don't follow your logic. Should my local supermarket restock my fridge every week once I run out of food? Or should a car manufacturer replace your clapped-out 13-year-old car with a new one?

            Can you explain to me, with consideration for any contractual terms one might agree to in the EULA, how that proposal would work?

            The hypothetical MRI scanner spoken of earlier wouldn't be built by Microsoft, but rather GE or Siemens or whoever, and would normally be covered by some type of service contract which MS would not be a party to. But lets not allow that to get in the way of your hysteria.

            1. Doctor Syntax

              Re: Risk Management

              "Can you explain to me, with consideration for any contractual terms one might agree to in the EULA, how that proposal would work?"

              It transpires that MS were very quickly able to knock out a patch for this vulnerability. They must finally have realised that they had responsibilities. So the question arises - was this EoLed because it wasn't feasible to continue maintenance or because they wanted to herd those who could be herded into upgrading?

            2. anthonyhegedus

              Re: Risk Management

              I agree, to a point, but people are going to want to set the blame path, and it lies with the manufacturer of the MRI machine, or CT scanner, or whatever, and then quite clearly to me, with Microsoft. They put together a piece of equipment with potential vulnerabilities. Did the hospitals' risk assessments say "The MRI scanner is running code written by Microsoft which will probably have security holes revealed one day so it should be replaced within 5 years. Maybe 6. Maybe 4. Maybe 10."?

              The problem is that software "goes bad" - because the world around it changes. And to my mind at least, the problem is that a home operating system like XP, or 7 or 8 or even 10 is NOT suitable for life-critical systems like CT scanners etc. It's a question of using the right tool for the job. Windows computers cost peanuts compared to medical equipment, and people want the latest features, so something like Windows XP was ideal. It more or less did the job, it was flexible, and by the time it was unsupported by Microsoft, many of the machines were at end of life anyway. It was a simple matter to replace the computer with a new one running Windows 10 or whatever. In 15 years' time, Windows 10 will be obsolete, and those computers will definitely need to be replaced. But medical equipment costs a LOT more, and should therefore last longer. It's no use building a piece of hardware that'll last 25 years if the software goes out of date and can no longer be updated in 5 or 10 years.

              The point I'm trying to make is that systems like that need a different OS to run under. One that is really locked down, much less flexible and therefore MUCH more secure. In other words an OS that will still be usable in 25 years. Our problem is that Microsoft thinks their OS is suitable for everything, when it quite plainly is not. And people think that progress can be made by sticking to what they use at home and in the office.

              Seriously, the hospitals need to do a proper risk assessment, one involving keeping equipment going for more than a few years. Maybe this will be a wakeup call to persuade the manufacturers of machinery needing embedded systems to rethink their OS choice.

              Would you fly on a plane where the systems were all running Windows?

            3. John Brown (no body)

              Re: Risk Management

              "Can you explain to me, with consideration for any contractual terms one might agree to in the EULA, how that proposal would work?"

              Well, it was clearly a fault in the product at the point of purchase and in most civilised jurisdictions that trumps the EULA, especially when the manufacturer has a long term process in place for issuing fixes.

          2. LDS

            Re: Risk Management

            Sorry, OS/2 could have been a competitor to Win 3.1, 95 and NT in 1994-1995 (when I was using it), but by the time XP/2003 came in the early 2000s, it had already lost. One issue was also the availability of development tools; it was far easier and quicker to develop GUI applications under Windows with one of the RAD tools available than using one of the few C/C++ compilers under OS/2.

            Also, remember that SMB is an IBM-born protocol, not a Microsoft one... <G>.

            1. Anonymous Coward

              Re: developers, developers, developers

              "it was far easier and quicker to develop GUI applications under Windows with one of the RAD tools available, than using one of the few C/C++ compiler under OS/2."

              So what. Development tools are for developers. Why does the deployment environment have to be identical with the development environment, when the deployment environment is (in many cases) subject to radically different constraints? "Cost" is demonstrably no longer a valid answer.

              Look who's paying the price now for the stupidity of the "one size fits all" culture. Not the IT department, not MS and their dependents, but the rest of us, who just want to see systems that are delivered on time, to budget, and work reliably.

          3. Strahd Ivarius

            Re: Risk Management

            Did you read the article?

            It was a decision of the UK government not to pay for XP maintenance 2 years ago!

            And to provide no budget either to move to a newer system...

        2. Anonymous Coward

          Re: Risk Management

          "If your MRI scanner, for instance, relies on a no-longer maintained piece of XP-only software do you simply put your hand in your pocket for a few million to replace it, commission a rewrite and take the risk that it may fail in some respect to emulate the existing product or do you keep using XP?"

          I'm bored with this BS.

          How much do you think an MRI scanner costs vs the cost of a replacement computer and replacement software, when amortised across a countrywide fleet of MRI scanners.

          What if such systems had been based on open standards for device control, document interchange, etc? NB open standards .ne. open source so no religious arguments please. The replacement of any component subsystem could have been a near-transparent upgrade. In fact, do the relevant open standards already exist for healthcare imaging? HL7? DICOM? Etc. It's a long time since I looked.

          Separately, judging by the number of Scanning as a Service HGV trailers I see parked outside hospitals and elsewhere, many organisations have outsourced imaging services of that nature to commercial 3rd party organisations, so the 3rd parties (not the trusts) would be the ones doing the necessary upgrade work. Joe Public would still pay in the end.

          "These sorts of issues are not easily solved. Of course they only exist in the real world so please feel free to keep helping with your advice."

          O'Really? I think a far more common situation is that the issue is *already* solved technically (open standards or whatever) but vested interests don't want to go that way, for whatever reason.

          1. a_builder

            Re: Risk Management

            Well I used to write software for NMR and MRI scanners and it really isn't that easy with legacy kits.

            Bear in mind that superconducting magnets have a lifespan of tens of years and the RF kit is usually built to last forever. So you may well have something that works pretty well and does a very good job and would cost fortunes to replace. Also fold in the fact that one of the major historical manufacturers no longer exists and things really are not that simple.

            The biggest problem with an NMR/MRI setup is timing. The send/receive has to operate with a degree of timing precision in the MHz range - the less precise the timing is, the greater the phase shifts, and if these get too bad they are not correctable.

            Timing is therefore usually handled by a single quasi-autonomous card that is programmed in a unique language to trigger sequences of events. It will trigger the pulse generator, amplifier and receiver gating (if you don't gate the receiver you blast the highly sensitive circuit with 500W or so of RF and saturate the ADC). Again this is highly precise; if the gating/ungating is too slow, precious sensitivity is lost.

            The quasi autonomous card and the various other odds and end including frequency generator are fed their activity lists usually by an old school RISC card that is not doing anything else as you cannot afford to have multi tasking as this messes up the timing.

            The old school RISC card then sends the data by ethernet to the PC (used to be SGI or Sun up till about 2000), which is where the issue actually is.

            It really is not easy to get all these different computers talking to each other in a time critical environment. Many hours are spent in development puzzling over multi channel oscilloscopes as to why apparently correct commands and sequences of events are not replicated properly. It will have taken 10 PhD level scientists to get things to work properly and debug them over a period of a year plus.

            I'm afraid plugging a new PC into the front of the thing and praying won't work. I mean it really won't work, and you could end up with some very expensive bricked hardware.

            1. Stoneshop

              Re: Risk Management

              "I'm afraid plugging a new PC into the front of the thing and praying won't work, I mean really won't work, and you could end up with some very expensive bricked hardware."

              Sorry, I have only one upvote to give.

              I've been around at Philips Medical Systems in Best when they were building the first generation of these beasts, controlled by a VAX11/750 with a custom floating-point unit bolted on. Even though there usually were at least half a dozen units being assembled and tested, this was clearly not serial production. Of course there are dedicated test rigs for the various modules and sub-assemblies that can indicate whether that bit is working right or needs adjustment, but when you see one unit looking like the exploded view that must be in one of several binders on a nearby desk, with several high-speed scopes and pulse generators and logic analysers hooked up, it's clear that you're not dealing with "connect blue wire to terminal D3" type assembly. Subsequent generations would probably have gotten more built-in calibration routines and diagnostics, but that doesn't take away the complexity of the underlying physics, which the electronics have to deal with one way or the other.

            2. This post has been deleted by its author

            3. My Alter Ego

              Re: Risk Management

              I hope that most of us appreciate that many industries are stuck with legacy OSes; that's not unexpected. However, the execution appears to be horrific. Take your example of the MRI: if the machine is required to run in a fixed state then air gap it. Use portable media to copy data from it. If the controller is so time dependent, then you really don't want some SysAdmin running nmap on the network to bog down the controlling PC as it handles a network scan.

              It's nowhere near the same level, but I have a CNC router. The G-code controller is also pretty time dependent (nothing like MHz, but...), so that machine is air gapped so it doesn't choose a bad time to start updating itself and destroy what I'm working on. Quite often setting up the job takes longer than the cutting time?

              It's a pain, but what is better - losing your MRI for days on end (or, if you say bricking is possible, longer) or having to copy data to removable media?

          2. Doctor Syntax Silver badge

            Re: Risk Management

            "What if such systems had been based on open standards for device control, document interchange, etc?"

            You are, of course, correct. But note the past perfect tense in your sentence. We're not where we'd like to be or ought to be. We're where we are.

            1. Anonymous Coward
              Anonymous Coward

              Re: Risk Management

              "note the past perfect tense in your sentence. We're not where we'd like to be or ought to be. We're where we are."

              Fair comment, so...

              Where do you want to go tomorrow?

              Where do others want to go tomorrow? We can't change where we are, where IT is headed is something that can be changed.

              Lessons will be learned, as always.

              Change might happen more quickly if the costs of failure are allocated more appropriately.

              If the Car Fleet Department failed to have its cars serviced appropriately, there'd be a price to pay and heads should roll (either in the fleet department or their leasing company or whatever).

              Does the same not apply to the IT Department? PCs (especially Windows PCs) have a "cost of ownership". They're not "fit and forget", whatever Compaq, Dell, HP, etc might have wanted people to believe. They're especially not "fit and forget" when directly associated with high value long lifetime critical systems (which might be hardware, and/or might just be high value long lifetime critical *data*).

        3. LDS Silver badge

          "Patching itself introduces risks"

          Yes, often to the comfortable work of a sysadmin dedicated to working as little as he can. First, the fact you can't patch *some* machines doesn't mean you don't patch *any* machine. Second, if you can't manage the risk of patching it's time to look for a new job; events like this show you aren't able to keep a system running.

          IMHO, each and every system needs to be assessed against the risk of patching and put in an appropriate group. There will be groups that will be patched early, because even if a patch has issues it won't be a big problem. Also patches will be released in small groups first to assess any issues. Then there will be groups that will need more care and tests, and the "unpatchable" ones - which will of course require far more protection from outside threats. For example, does an MRI PC need to be open to world+dog? There are several ways to protect those systems. If they aren't protected, again, it's the sysadmin's fault, and his managers'.

        4. Anonymous Coward
          Anonymous Coward

          Re: Risk Management

          "The specific risk for XP is that it doesn't get patches. But, again, the issues with XP aren't simple. In many cases it will have been retained because something mission-critical depends on it and replacing whatever that is may require major expenditure and further risks. If your MRI scanner, for instance, relies on a no-longer maintained piece of XP-only software do you simply put your hand in your pocket for a few million to replace it"

          Are you ignorant or just trying to misdirect?

          https://support.microsoft.com/en-us/help/18581/lifecycle-faq-windows-products

          The applicable software for controlling stuff like an MRI scanner isn't desktop Windows XP, it's one of the Windows Embedded family, the XP-derived ones of which can be supported (including patches) till 2019.

          Just go away, right. You're really not helping anyone.

          1. Anonymous Coward
            Anonymous Coward

            Re: Risk Management

            Yes, still getting patches for an air-gapped XP box running legacy software thanks to the well-known registry hack -- no problems with this month's batch.

            The real problem was that NHS (i.e. the ineffable Hunt) decided in 2015 that paying Microsoft for extended XP support was too expensive.

          2. anthonyhegedus Silver badge

            Re: Risk Management

            Yes, the software in MRI scanners isn't desktop XP, but it's still XP derived. Why does Microsoft or anybody else assume it's the right tool for the job? Because it's affordable probably. Not suitable, but affordable.

            1. Anonymous Coward
              Anonymous Coward

              Re: affordable

              "Why does Microsoft or anybody else assume it's the right tool for the job? Because it's affordable probably. Not suitable, but affordable."

              It's only affordable because the visible up front costs have been skewed so that the cost of failure comes out of some other sucker's budget. If organisations were held responsible for what they delivered (and often what they didn't deliver)... well the whole IT business might look rather different.

          3. Doctor Syntax Silver badge

            Re: Risk Management

            "The applicable software for controlling stuff like an MRI scanner isn't desktop Windows XP, it's one of the Windows Embedded family, the XP-derived ones of which can be supported (including patches) till 2019"

            OK, let's deal with the specific: XP Embedded, support ending in 2019. If, in 2019, you were in the position I outlined in my question, what would you do?

            And go back to the more general point of which the scanner was an example: something, H/W, information system, whatever, which is still essential, but depends on XP, either the already EoLed version or not yet EoLed version makes no difference in principle. There's no point in calling out those who find themselves responsible for stuff which had a planned life in excess of what turns out to be that of its components. They are faced with real problems - if they choose to invest in a replacement then something new that was planned has to be foregone.

            The original post to which I was replying was over-simplistic. So was your response. You do not solve problems by telling them, or those who remind you of them, to go away.

        5. azaks

          Re: Risk Management

          so the 2 choices are:

          1) pay millions for the upgrade off XP and be safe

          2) leave the whole company on XP and take a huge risk

          Nothing in between? Sounds overly simple (simplistic?) to me.

          what about:

          3) block all inbound access to your MRI scanner to only what is required, don't allow surfing for pron on it, and upgrade the rest of the company to a supported, patched version?

          1. bombastic bob Silver badge
            Linux

            Re: Risk Management

            "Sounds overly simple (simplistic?) to me."

            I'd add a 4th choice:

            4) switch to a Linux-based solution by taking what WOULD be the extra cost for moving to Win-10-nic and hiring a team of software developers (through the copyright owners even, as needed) to get all of that software to work in Wine or re-write it to be native Linux applications.

            Keep in mind that migrating everything to windows (which would probably end up being Win-10-nic) has its OWN costs and time associated with it. It's just as likely that XP versions of the software *WILL* need updating, at an inflated cost over "just upgrading to Win-10-nic" and/or new computers to run all of that.

            Besides, if NIH were to abandon Micro-shaft's "solutions" they'd save tax money in the long run, and help lead the way in NOT getting locked into Micro-shaft for managing medical things.

          2. jgarbo
            Coat

            Re: Risk Management

            So, are we back to a socially engineered vector? Some fool opened a nasty attachment or porn pic? So, alert, disciplined staff could have stopped this attack? Just asking.

        6. Sgt_Oddball Silver badge

          Re: Risk Management

          If the piece of hardware is XP reliant, then take it off the network. That way you only have to rely on removable media that can be checked by secured machines first, thus reducing attack vectors.

          I've seen ultrasound scanners treated in the same way.

          1. Dave Harvey

            Re: Risk Management

            "If the piece of hardware is XP reliant, then take it off the network. That way you only have to rely on removable media that can be checked by secured machines first, thus reducing attack vectors."

            Actually, scanners need to be able to get demographic and study details from the Radiology Information System over a network using "DICOM modality worklist" - otherwise the exam identifiers won't match up, causing other problems. Of course, firewalling to outgoing port 104 only is a no-brainer...
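            The outbound-only DICOM firewalling described above, as an added example that is not code from the thread or from any scanner vendor: a small Python model of the scanner console's host-firewall policy, checked against constructed connection attempts and rendered as an nftables ruleset. The RIS/PACS address 10.0.5.20 and the other addresses are constructed; the port numbers (104 for DICOM, 139/445 for SMB) are the ones discussed in this thread.

```python
"""Host-firewall policy for an XP-era scanner console.

Added example, not code from the thread or any vendor. It models the policy
the thread describes (the scanner may only open connections to its RIS/PACS
host on the DICOM port, TCP 104; SMB on TCP 139/445 is blocked in both
directions), evaluates constructed connection attempts against it, and
renders the same policy as an nftables ruleset. All addresses are
constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DICOM_PORT = 104          # DICOM modality worklist / image transfer port from the thread
SMB_PORTS = (139, 445)    # Windows file-sharing ports the worm spreads over


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt as seen from the scanner host."""
    direction: str   # "in" (remote -> scanner) or "out" (scanner -> remote)
    peer_ip: str     # address of the remote side
    dport: int       # TCP destination port
    state: str       # "new", or "established" for replies of an already accepted flow


def evaluate(flow: Flow, ris_host: str) -> str:
    """Return "accept" or "drop" for a flow under the scanner policy.

    Mirrors the nftables ruleset built by render_nft(): reply traffic of an
    accepted connection is let through by conntrack, a new outbound DICOM
    connection to the RIS host is accepted, and every other new flow in
    either direction (SMB included) hits the chain's default drop.
    """
    if flow.state == "established":
        return "accept"
    if (flow.direction == "out"
            and ip_address(flow.peer_ip) in ip_network(f"{ris_host}/32")
            and flow.dport == DICOM_PORT):
        return "accept"
    return "drop"


def render_nft(ris_host: str) -> str:
    """Render the policy as an nftables ruleset suitable for `nft -f`."""
    smb = ", ".join(str(p) for p in SMB_PORTS)
    return f"""table inet scanner {{
  chain input {{
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # redundant with the default drop, but keeps a counter of SMB probes
    tcp dport {{ {smb} }} counter drop
  }}
  chain output {{
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    ip daddr {ris_host} tcp dport {DICOM_PORT} accept
    tcp dport {{ {smb} }} counter drop
  }}
}}
"""


def audit(flows, ris_host: str) -> dict:
    """Evaluate a list of flows; keys are short labels, values the verdicts."""
    return {f"{f.direction}:{f.peer_ip}:{f.dport}:{f.state}": evaluate(f, ris_host)
            for f in flows}


# Constructed sample traffic for a scanner whose RIS/PACS host is 10.0.5.20.
RIS_HOST = "10.0.5.20"
SAMPLE_FLOWS = [
    Flow("out", RIS_HOST, DICOM_PORT, "new"),          # worklist query: allowed
    Flow("in", RIS_HOST, DICOM_PORT, "established"),   # reply to it: allowed
    Flow("in", "10.0.5.31", 445, "new"),               # infected LAN peer probing SMB: dropped
    Flow("out", "10.0.5.31", 445, "new"),              # scanner itself reaching out over SMB: dropped
    Flow("out", "10.0.5.99", DICOM_PORT, "new"),       # DICOM to a host that is not the RIS: dropped
    Flow("out", "198.51.100.7", 443, "new"),           # web browsing from the console: dropped
]

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_FLOWS, RIS_HOST).items():
        print(f"{verdict:6} {label}")
    print(render_nft(RIS_HOST))
```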

          2. Anonymous Coward
            Anonymous Coward

            Re: Risk Management

            ... and how is the massive amount of data from the MRI scanner then supposed to get to the doctor - carrier pigeon?

            That's assuming the software on the scanner even has the option to not send it via an assumed network...

      3. sad_loser
        FAIL

        Re: Risk Management

        This whole episode is Microsoft's fault.

        The root cause for all this is IE6's non-standards-compliant browser with ActiveX controls that Microsoft then did not upgrade.

        A lot of NHS software was written by people at that time and now cannot be upgraded, and so we have a lot of XP systems sitting around.

        At the Royal London the CT scanners went down, so it could not take trauma / stroke / cardiac patients, as these are all likely to need CT scanning.

        1. Anonymous Coward
          Anonymous Coward

          Re: Risk Management

          "This whole episode is Microsoft's fault.

          The root cause for all this is IE6's non-standards-compliant browser with ActiveX controls that Microsoft then did not upgrade."

          When you write the software and design it specifically for one single version of a browser from one vendor, any decent project manager would see the potential risk in that and cost in an upgrade path, or tell the supplier that it is an unacceptable risk.

          It was v6, so it was well known that browsers got updated; it was well known that it was using proprietary hooks, and security holes were also well known.

          You can't just sit around with your fingers in your ears saying "it's too difficult to upgrade the software". You need to bite the bullet, do a complete feasibility study into upgrading the software, go for portable code if possible and pay the extra to have it well documented.

          If it was possible to write the software for the CT machine in ActiveX and for IE6 then it should take half the time to do it in a modern IDE and with the user spec laid out in front of you in the form of a working piece of software.

        2. MOV r0,r0

          Re: Risk Management

          Of the >140,000 million NHS yearly budget, only about 40,000 million is available for things like buying drugs, new hospitals, MRI scanners and desktop refreshes. The rest goes on wages. That's a political failure.

          1. LionelB
            Facepalm

            Re: Risk Management

            "Of the >140,000 million NHS yearly budget, only about 40,000 million is available for things like buying drugs, new hospitals, MRI scanners and desktop refreshes. The rest goes on wages. That's a political failure."

            Yeah right, why should we pay people to do this stuff?

          2. Doctor Syntax Silver badge

            Re: Risk Management

            "The rest goes on wages. That's a political failure."

            ?

          3. Loyal Commenter Silver badge

            Re: Risk Management

            "Of the >140,000 million NHS yearly budget, only about 40,000 million is available for things like buying drugs, new hospitals, MRI scanners and desktop refreshes. The rest goes on wages. That's a political failure."

            1.3 million people work for the NHS, that makes the average wage around £75k, for people who are mostly highly qualified professionals with medical or nursing degrees, often working unsociable shift patterns. I don't think that is an unreasonable staffing cost. In fact, I think the numbers should be higher, considering how much politicians get paid (an MP gets £74k plus some juicy benefits and expenses).

        3. ShelLuser
          Stop

          @sad_loser

          "This whole episode is microsofts' fault."

          Bzzzt....

          This whole thing is courtesy of Uncle Sam. Trying to keep us safe by NOT reporting discovered exploits to Microsoft and instead using them for themselves and their "greater good". What could possibly go wrong, right?

          1. bombastic bob Silver badge
            Devil

            Re: @sad_loser

            "This whole thing is courtesy of Uncle Sam. "

            no, just a select few in key places within gummint. "drain the swamp", and plug the leaks and 'unmaskings'.

          2. Truckle The Uncivil

            Re: @sad_loser

            @ShelLuser

            Who is to say that this is not the NSA trying one last use of the software since it is now burned anyway. Looking at the level of activity in Russia and the Ukraine it seems exceptionally high. Maybe it is being directed?

          3. anonymous boring coward Silver badge

            Re: @sad_loser

            More to the point: How did weapons-grade vulns known only by NSA get leaked just like that? That's serious.

        4. Strahd Ivarius

          Re: Risk Management

          So you have IT managers who are SO derelict in their duties that they don't ever think that a computer system needs to be upgraded from time to time, which means that they HAVE TO provide a budget for maintenance and upgrades?

          What will they do when their 20-year-old computers fail and newer ones won't be able to run WinXP?

          How is it MS's fault?

        5. John Smith 19 Gold badge
          Unhappy

          "A lot of NHS software was written by people at that time "

          If Amber Rudd actually gave a s**t this is what should be investigated regarding the NHS attack.

          1) Did the contractors decide to do this or did NHS management (IT or general) force them to?

          2) Why haven't they stripped this BS out of the UI code? Is the supplier extorting the NHS or are they just too incompetent (no docs on the code and all the devs have p***ed off)? My cursory look at this is that iSoft and Cerner seem to be the main culprits but I'm no expert.

          I'd suggest the real scandal is that 17 years after its release (and 2 years after MS dropped support for it) the NHS still seems shackled to an OS that's what, 2 or 3 generations behind the current desktop release.

          And BTW how many of those PC's actually access that core software?

        6. Loyal Commenter Silver badge

          Re: Risk Management

          "The root cause for all this is IE6's non-standards-compliant browser with ActiveX controls that Microsoft then did not upgrade."

          No. No, it isn't. You should make sure you have a clue about what you are spouting before you demonstrate your ignorance to the world. The root cause of this is reportedly a buffer overflow vulnerability in SMB. SMB (Simple Message Block) is a file-sharing protocol that allows drives etc. to be shared on a network; nothing to do with IE, nothing to do with ActiveX.

          Furthermore, if you think buffer overflows are unique to Microsoft then you are sadly mistaken (try googling 'Linux buffer overflow' for example), they are the result of programming mistakes, which can occur in any software.

          Don't get me wrong, I'm no fan of MS, some of their business practices raise ethical questions, but then again most large companies are guilty of the same; it could be considered a software flaw in capitalism. People use the tools they need to get the job done.

      4. Planty Bronze badge
        FAIL

        Re: Risk Management

        Affects all Windows up to and including Windows 10.

        There is no excuse for running XP, but there is also no excuse for pretending it was the cause of all of this; it wasn't...

        The only way to protect yourself is avoid the security nightmare that is Windows. If you only use web, buy a Chromebook. No malware, no key loggers, no constant intrusive updates, no need for antivirus, 2 second boot, it just gets the job done.

        1. dgc03052

          Re: Risk Management

          "The only way to protect yourself is avoid the security nightmare that is Windows. If you only use web, buy a Chromebook. No malware, no key loggers, no constant intrusive updates, no need for antivirus, 2 second boot, it just gets the job done."

          While I mostly agree, Conexant (etc.) drivers with built-in "debug" keyloggers are equally possible in a Chromebook. TLAs have disk drive firmware, and lots of other vectors available, and more will come out. Avoiding Windows is a good step, but should be considered just one layer of many.

      5. Amos1

        Re: Risk Management

        Hahahahaha. They'll get or already were promoted for saving money. :-)

        This is a five minute video on how risk acceptance works in the real world. It is safe for work: https://www.youtube.com/watch?v=9IG3zqvUqJY

      6. HoggertyHog

        Re: Risk Management

        I'm only familiar with ISO13485 (Risk Management for medical devices) but there should be something out there for other critical information systems in health care. We failed as a society to impose the necessary standards required to risk-assess the use of systems for critical operations over a long period of time.

        No wait, they raised it as a risk, realised the only way to mitigate it was a system change, requested the funds, and had it refused by Hunt. The blame must lie with him or whoever refused it.

      7. Anonymous Coward
        Anonymous Coward

        Re: Risk Management

        XP is a lame excuse wheeled out by Microsoft fanboys. All versions of Windows were affected; the NHS screenshot showed a Windows 7 machine.

        Less than 1% of NHS machines are on XP, and almost all of those are not on the domain and have some form of isolation from the wider network.

      8. Loyal Commenter Silver badge

        Re: Risk Management

        3. fire the politician who told them to do this, I believe his name rhymes with Funt...

      9. grumpy-old-person

        Re: Risk Management

        using windows is a known risk . . .

    4. TheVogon Silver badge

      Re: worthy of mention

      Meanwhile, those of us that apply critical patches within a sane time scale (say max 1 month) are unaffected - who would have known?!

      1. Kiwi
        Trollface

        Re: worthy of mention

        "Meanwhile, those of us that apply critical patches within a sane time scale (say max 1 month) are unaffected - who would have known?!"

        Because said updates broke your networking? Took out your video drivers? Trashed your disk for you anyway? Bricked your machine?

        1. Anonymous Coward
          Anonymous Coward

          Re: "took out your video drivers"

          Let's look in a little more detail at that.

          It's not that long (August last year?) since a Windows 10 update knocked out millions of "webcams" around the world, because of some changes it made to acceptable video formats and their behaviour.

          The effects were so widespread that it even reached the mainstream press (in the UK, even the Telegraph covered it):

          http://www.telegraph.co.uk/technology/2016/08/22/windows-10-update-is-breaking-millions-of-webcams---how-to-fix-i/

          "So what, it's only a webcam", you might think to yourself. And in a lot of cases it would be a fair question.

          On the other hand, imagine that the Windows 10 systems in question have multiple video inputs that are used for citywide traffic management and road safety monitoring. Now imagine that the citywide traffic safety system falls over because the control room can't see what's happening (anyone remember the original Italian Job movie?). And the failover system which is supposed to provide resilience against hardware or software failures also fails because it's also had the same erroneous Windows Update installed.

          Actually, don't imagine it, it's happened, more than once, in more than one place. And I have a feeling it may have happened again over the last few days. Nobody bothers to report the specifics, not least because it's a Windows system failing, and that's become standard operating practice, it's only news when other things are visibly affected (as in the last few days).

          It doesn't have to be like this.

          1. Charles 9 Silver badge

            Re: "took out your video drivers"

            "It doesn't have to be like this."

            Actually, it MUST be like this, because that's how most people are. You Can't Fix Stupid.

    5. Anonymous Coward
      Anonymous Coward

      Re: worthy of mention

      I'm replying to the first comment in case anyone needs it. Microsoft has released patches for older versions of Windows and they are located here,

      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

      This includes Windows XP.

  2. redpawn Silver badge

    Needed to keep you safe from terrrists

    You would already have become a militant jihadist if the government didn't spy on you. I mean you would have killed a jihadist. No, I mean Microsoft would have become a jihadist. You'd better hope that there are no "tapes" of your conversations; they'd prove you are a jihadist.

    Glad we are kept safe by US TLAs. Wouldn't want secure computing. That would be too dangerous.

  3. GrapeBunch Bronze badge
    Pint

    XP systems are patched against the SMB1-DoublePulsar vuln if their user followed the (simple) instructions provided here by El Reg reader(s) a couple of weeks ago. XP systems are not patched if their user is waiting for MS to do anything more than follow its own short-term monetary self-interest. Thanks to Iain for pulling together a cogent summary, late into a Friday night and Saturday morning.

    1. Ole Juul Silver badge
      Thumb Up

      kudos

      "Thanks to Iain for pulling together a cogent summary, late into a Friday night and Saturday morning."

      Yeah, Iain does good work here.

    2. tfewster Silver badge
      Pint

      I'd be grateful if you could provide a link to that thread - My Google-fu is weak tonight

      ---> In anticipation

      1. m0rt Silver badge

        "In March, we provided a security update which provides additional protections against this potential attack. "

        This is the phrase that really says it all. Fixing a security hole that should never have been there should not constitute an 'additional protection' so much as 'removal of vulnerability'.

        Indeed, this kind of exploit smacks of a plant. Either Microsoft were coerced into deliberately introducing this for the NSA's pleasure, or the NSA had it inserted somehow. Yeah citation needed, but be honest, would you be surprised?

        1. Doctor Syntax Silver badge

          "Either Microsoft were coerced into deliberately introducing this for the NSA's pleasure, or the NSA had it inserted somehow."

          Or it was a genuine bug which the NSA found and didn't bother to warn anyone until it was too late.

      2. GrapeBunch Bronze badge

        It was three, not two, weeks ago. My bad. Here is the link to the advice I followed. Thank you, Doctor Evil. You get my firstborn. Since I'm a bit old to have children, this could be an empty promise, bwahaha.

        https://forums.theregister.co.uk/forum/containing/3159041

        1. This post has been deleted by its author

        2. Doctor Evil

          "Thank you, Doctor Evil. You get my firstborn. Since I'm a bit old to have children, this could be an empty promise, bwahaha."

          That's OK, Grapes -- I already have Scott. He's quite wily, like his old man.

    3. Andus McCoatover
      Windows

      "XP systems are patched in the SMB1-doublepulsar vuln if their user followed the (simple) instructions provided here by El Reg reader(s) a couple of weeks ago."

      Unfortunately, it seems the NHS' outsourced IT department doesn't read El Reg.

      More concerned with keeping flies off their sacred cow...

      1. Duffaboy

        You get what you pay for

        Plain and simple.

    4. Voland's right hand Silver badge

      You are missing the point

      Organizations which are still on XP have much bigger issues. The expectation that they will patch anything is in the realm of sci-fi, not in reality.

      Worst part - some of them like Telefonica R&D and NHS will just reimage and we will be back to square 1.

      There is at least a funny angle. I would really love to see a fly on the wall recording of the poor sod who will be reporting to Putin that the Russian ministry of the interior (their home office) got whacked as he told them (and the rest of Russian gov) to get rid of it a few years back (when he was a prime minister). Talking of "Mr Chrisophrase is very upset..." moment.

      All in all, the worm author had no idea how successful it would be. They now are not going to get any money.

      Also, this shows what exactly happens when 3 letters decide to sit on an exploit and hoard it. Though in this case, there is a remote possibility that they will get both sued and congressionally whacked. It is unfortunately very remote.

      1. Dan 55 Silver badge

        Re: You are missing the point

        Telefonica R&D... Oxymoron overload.

        Where I work has some corporate updater that seems to be designed to keep updates off the computer and only updates IE once every six months or so. Then people work from home and get a load of updates coming in because IT haven't worked out how to stop them when the computer is off the corporate LAN, so you're safer if you work from home. If this doesn't get us it'll be pure luck more than anything else.

        1. Snorlax Silver badge
          Facepalm

          Re: You are missing the point

          @Dan 55: "Then people work from home and get a load of updates coming in because IT haven't worked out how to stop them when the computer is off the corporate LAN so you're safer if you work from home."

          Remediation servers exist to bring computers connecting to the network up to some minimum standard of patching. Otherwise you have unpatched machines connecting to the network, which is not a good thing.

          It then goes from "Uhh, why do I have to download all these patches?" to "Uhh, why am I being asked for $600 to decrypt my files?" - you see the problem here?

          Can't please some people eh?

          1. Dan 55 Silver badge

            Re: You are missing the point

            The ideal thing would be if our corporate patching happened in a reasonable amount of time (1-2 weeks after release), not so slow as to result in a huge download when you go home.

            1. Snorlax Silver badge
              Facepalm

              Re: You are missing the point

              @Dan 55: Oh please.

              You're either deliberately pretending you don't know how patch management works in an attempt to bash Windows, or

              You genuinely don't have a clue.

              Which is it? Companies have this little thing called change management, which means admins can't just throw patches onto machines as soon as they're released - that's not an MS failure, it's common sense. They need to be tested first, hence the reason Windows Update will not operate in the same fashion as your machine at home.

              1. Dan 55 Silver badge

                Re: You are missing the point

                That's why I said 1-2 weeks after the release date. Leaving it two months is too much as we have seen.

                I hope your patch management is better and more timely than your reading comprehension.

                1. Snorlax Silver badge
                  FAIL

                  Re: You are missing the point

                  @Dan 55: Your original moan was about the size of the downloads required, now you've moved on to the timing of patch release.

                  I think an Etch-A-Sketch would be more to your liking...

                  1. Dan 55 Silver badge

                    Re: You are missing the point

                    You can't see both are related? Not patching on the corporate LAN quick enough means large downloads at home when you do take it home.

                    1. frank ly Silver badge

                      Re: You are missing the point

                      Regarding patches and updates: The Independent has an interesting article:

                      http://www.independent.co.uk/news/uk/home-news/amber-rudd-nhs-cyber-attack-a7733901.html

                      I noticed the following:

                      "Speaking to Sky News, she said: “It is disappointing that they have been running Windows XP - I know that the Secretary of State for Health has instructed them not to and most have moved off it."

                      Also, get this:

                      "A former NHS trust chairman, Roy Lilley, told Sky News: “Over time, Microsoft has held us to ransom, and of course the NHS hasn't got the money to pay for it [...] "

                      Wow, just wow!

                      1. LDS Silver badge

                        "Over time, Microsoft has held us to ransom"

                        Yes, in the healthcare sector they are more used to companies paying handsome bribes to ensure their expensive products are used instead of cheaper yet fully effective ones, so a company actually *asking* money to support a 13-year-old OS should have really looked bad...

            2. Anonymous Coward
              Anonymous Coward

              Re: You are missing the point

              "reasonable amount of time (1-2 weeks after release)"

              One to two weeks? Fuck that shit. 8 hours max.

              Once the update is released, any script kiddie can get that update, do a delta with an unpatched OS and work out where the vulnerability lies. You don't have the luxury of fannying about testing. In any case, the variables for testing are so many and er... variable that it's meaningless doing so.

              Just fucking patch and ask questions later. Microsoft updates are removable because they are effectively MSIs. So once in a blue moon you might break something - so fucking what? You fuck it - you fix it - like any other IT problem you deal with on a daily basis.

              The problem is with the Dilbert managers who have such long, long memories of the day when someone installed NT Service Pack 6 and it all went monkey. Fingers were pointed and someone got the blame. But the world has moved on. Threats are very different and very real. Software is very different. You do not have the luxury of testing. You snooze... you get pwned. Where I work, they patch quarterly. Yeah, quarterly. Fucking glad I'm not on call this weekend...

              1. Snorlax Silver badge

                Re: You are missing the point

                @AC: "Just fucking patch and ask questions later. "

                Hahahahaha. Cool story bro

      2. Anonymous Coward
        Anonymous Coward

        Re: You are missing the point

        #nhscyberattack: https://pbs.twimg.com/media/C_sZjhHXcAINhl9.jpg

        1. Jonathan Richards 1
          FAIL

          Re: You are missing the point [and how!]

          Crap! Here we are going around with nerves on edge, worrying about spearphishing wannacrypt vectors, and an AC posts a text url for an anonymous JPG file, with a hashtag indicating 'cyberattack'. Hands up who thought "Oo, that looks interesting, I'll just paste that into the address bar right here..."

      3. Ken Hagan Gold badge

        Re: You are missing the point

        "They now are not going to get any money."

        Too right. It would be fair to assume that most of the world's major intelligence agencies (particularly the Russian one, which isn't noted for its light touch against Enemies of the State) are now waiting for someone to try to pick up the cash. If there's anyone with balls big enough to march in and claim it, we'd probably be able to feel their gravitational field.

    5. Snorlax Silver badge
      WTF?

      @GrapeBunch: ...if their user is waiting for MS to do anything more than follow its own short-term monetary self-interest.

      Yeah, Microsoft only supported XP for 13 years (2001-2014).

      How dare they be so short-sighted. Not.

      Thanks for playing...

      1. stephanh Silver badge

        Indeed. The only OSes which have similar supported lifespans are RHEL and probably some proprietary IBM mainframe OSes.

      2. Doctor Syntax Silver badge

        "Yeah, Microsoft only supported XP for 13 years (2001-2014)."

        Is it too unreasonable to hope that in 13 years they'd be able to get it right?

        Yes, it is.

      3. anthonyhegedus Silver badge

        The point is that yes, XP was only supported for 13 years. So mission critical systems demand something that'll last a bit longer. If there isn't anything, then, well, now there's demand for it!

        1. Jonathan Richards 1

          Mission critical systems

          When Microsoft published EULA documents that were (a) accessible and (b) halfway comprehensible, I recall that they used to warn against deploying WindowsTM in mission critical applications. I just tried to find out whether that's still the case, and I can find any deity's amount of information on what I might need to pay in any given circumstance, but no information on what my rights and responsibilities are for licensed MS software.

      4. Charles 9 Silver badge

        "Yeah, Microsoft only supported XP for 13 years (2001-2014)."

        And your average large piece of medical equipment stays in use for a minimum of 20 years and often longer than that. Same with other pieces of heavy industrial machinery that could have XP-based computers controlling them.

    6. GrapeBunch Bronze badge

      Replying to my own post. According to csoonline.com, MS on Friday evening (Saturday morning UK time) released patches for XP and for Server 2003, reversing its no support stance, after 120,000 horses had bolted.

      I'm still unclear on the vector of infection. So the original infection requires opening a trojan email? This would presumably happen on a current Windows system, as no admin would ever let the mission-critical XP system running specialized software in 2017 be corrupted by also running a browser or email software (would he?). And then the infection spreads via LAN to XP machines which until Saturday morning all had an SMB vuln. The NHS and Telefonica networks all required SMB1 for proper operation? Or was the attitude more: "it's been working, so don't fix it." ? You don't know that you don't need it, so you keep it until bzzzt, you're dead?

  4. a_yank_lurker Silver badge

    Solution

    The US Army is considering a new rifle caliber and rifle to replace the M16. Since the Army needs some ballistic data on the performance of the ammo I suggest using some of the NSA traitors for target practice. </snark>

    The various TLA are run by babes not children. None seem to have grasped that some of their exploits and methods will escape and be used against innocents. Their incompetence puts everyone at risk.

    1. Anonymous Coward
      Anonymous Coward

      Re: Solution

      The various TLA are run by babes not children. None seem to have grasped that some of their exploits and methods will escape and be used against innocents. Their incompetence puts everyone at risk.

      Not to speak of the company that after 3 decades worth of producing software STILL cannot produce something that shows signs of the most basic principles of security. Yes, Microsoft, I'm looking at you.

      Now, given that the NSA developed the core of this nasty and that that is definitely provable, does this mean we can now collectively sue the Trump administration for (a) developing this and (b) having such pathetic security that it leaked? I think we should.

      1. itzman
        Linux

        Re: after 3 decades worth of producing software

        ..and that is exactly the point.

        Each version of windows is expected to run code intended for the previous version all the way back to a time before the internet even really existed.

        What is needed of course in terms of mission critical desktop software built to industrial strength, is for all large corporates to start again, preferably with linux, unix, or BSD...and insist that their application supplier port their applications to it.

        If Microsoft wants to be part of it they can ensure their applications run on it as well via whatever wine like interfaces they choose to sell.

        The PC revolution has been a wild west ride, but it's time the cowboys were eradicated. And that means Microsoft Windows.

      2. h4rm0ny

        Re: Solution

        >>Not to speak of the company that after 3 decades worth of producing software STILL cannot produce something that shows signs of the most basic principles of security. Yes, Microsoft, I'm looking at you.

        Alright, I'll take that one on - you tell me what the "most basic principles of security" are that Microsoft have missed in current Windows and we'll see if your GNU/Linux distribution of choice has or has not also missed them. My contention is that a similarly neglected GNU/Linux system would be similarly risky. If someone were running SuSE 6.4 I think you would be leaping to say the problem was the neglected state of the OS, not the GNU/Linux itself.

        So come on then - back up your statement: "Most basic security principles" that Microsoft have neglected that don't apply to other OSs.

        1. Doctor Syntax Silver badge

          Re: Solution

          you tell me what the "most basic principles of security" are that Microsoft have missed in current Windows and we'll see if your GNU/Linux distribution of choice has or has not also missed them.

          OK. MS have always been a bit obscure about what any given fix does. Given that, in the real world, fixing one problem sometimes causes another. Recently they've taken to rolling multiple patches into one so it will take longer for sysadmins* to test and roll out.

          My chosen distro is Debian LTS, ie systemd-free. Over to you.

          *A good sysadmin is paranoid about everything.

        2. Anonymous Coward
          Anonymous Coward

          Re: Solution

          So come on then - back up your statement: "Most basic security principles" that Microsoft have neglected that don't apply to other OSs.

          Off the top of my head:

          1 - safe defaults

          2 - not allowing executable content in files that have no business being executable

          3 - not starting services by default unless absolutely needed

          That's just three. I'm sure there are more. I was going to add "creating a false sense of security", but Linux/FOSS advocates as well as Apple have sinned in that respect by giving users too much unqualified confidence which is never a good idea.

        3. Dan 55 Silver badge

          Re: Solution

          @h4rm0ny: Running a thorough fuzz test on a server using the SMB1 protocol should have found this, it is after all a problem caused by a subtraction operation run on a 16-bit value and a 32-bit value. They've had a few years to do it. Same goes for a thorough code review. SMB is a known weak point for viruses.

      3. Doctor Syntax Silver badge

        Re: Solution

        "does this mean we can now collectively sue the Trump administration"

        Downvoted for gratuitous Trump insertion. Clearly this goes back some way beyond the current administration. There may well be good reasons for suing the NSA, assuming they're not legally protected. There are also good reasons for being critical of Trump but conflating the two issues when they don't belong together weakens your argument. Learn to stay focussed.

        1. Anonymous Coward
          Anonymous Coward

          Re: Solution

          Downvoted for gratuitous Trump insertion. Clearly this goes back some way beyond the current administration.

          True, but that implies you can sue a previous administration which is AFAIK not possible..

          1. Doctor Syntax Silver badge

            Re: Solution

            "True, but that implies you can sue a previous administration which is AFAIK not possible."

            No such implication. I said sue the NSA. Even given the political nature of top USA appointments institutions like that are apt to run on unchecked.

      4. a_yank_lurker Silver badge

        Re: Solution

        Technically would not be suing the current administration as this was developed well before Blowhard was sworn in.

        As far as Slurp's responsibility, they need to realize that a new OS should be released that has good security built in. This OS should be required to run any and all DOS or Bloat software; only those that will run properly on the OS.

    2. Rob D. Bronze badge

      Re: Solution

      The various TLA are run by adults in the real world not children. All of them know that their exploits and methods will escape and be used in the future by persons unknown against innocents but are unlikely to ever admit that in open debate. Their competence exceeds most other players but they are concerned with a range of risks other than the everyday risks that affect everyone.

      FTFY.

      You can assume a very high level of technical competence. The problem is the unrestrained adventuring into morally and legally dubious territory to produce the capable offensive/defensive forces necessary versus the restraint required to maintain the society desired (illusory or real).

  5. Anonymous Coward
    Anonymous Coward

    How bad will it get...?

    * The Data Wars are already lost to scammers, cybercrims, hackers... But nothing will change while aging politicians pretend to run the show... And since no one even bothered to buy the Shadow Brokers/NSA tools to keep them off the market, expect nothing but more chaos!

    * Governments in particular need to stop connecting internal systems to the net in the hope of saving pennies but actually becoming net facing 'marks'... Everyone else needs to seriously consider unplugging too, especially organizations / scada industry etc etc...

    1. jgarbo

      Re: How bad will it get...?

      What use would it be "buying the tools to keep them off the market"? They're not crowbars. They're code. They've already been copied a dozen times for further use.

      1. Anonymous Coward
        Anonymous Coward

        'They've already been copied a dozen times for further use.'

        They weren't released before Shadow Brokers failed auction:

        "The Shadow Brokers tried auctioning off the stolen cyber-weapons to the highest bidder, but when that sale flopped with no buyers, the team started releasing the gear online for free anyway."

        https://www.theregister.co.uk/2017/04/14/latest_shadow_brokers_data_dump/

        1. Doctor Syntax Silver badge

          Re: 'They've already been copied a dozen times for further use.'

          "They weren't released before Shadow Brokers failed auction"

          And what's that got to do with anything? Shadow Brokers would have sold you a copy. What guarantee would you have had that there wasn't another?

        2. GrapeBunch Bronze badge

          Re: 'They've already been copied a dozen times for further use.'

          AC: You don't know. Shadow Brokers could have had plenty of buyers, not via the auction route. The auction was plausibly a publicity stunt. Of course, "Corporation X", for any X, would get more value from buying exploit Y if World Z does not know about it. Having sold all they were going to sell (which is also how the original story goes), Shadow Brokers had no incentive to keep hiding the goodies, and credibility to gain by releasing.

    2. Voland's right hand Silver badge

      Re: How bad will it get...?

      I just noticed junior reading the Neuromancer.

      That is how it will get. Time to re-read.

    3. Anonymous Coward
      Anonymous Coward

      Re: How bad will it get...?

      You can start with using software that doesn't need a metric ton of patches to stay at best remotely safe until the next problem leaks. I reckon 75% of companies* do not absolutely need Outlook and don't run spreadsheets so complex that only Excel will do, so they could start with ditching the main attack vector, the horrifically badly locked down macro facility of Word. Next, ask yourself if you really need Adobe code, if not, ditch the Reader (and Flash, while you're at it).

      For much easier to maintain security you best dump Windows as well - it is by now really undeniable (although MS will try) that using MS code is like fitting a man sized dog flap into your secure front door.

      Here is a clue: it's not about patching when you find something, it's about layering security so that a hole does not immediately result in a full blown disaster.

      Yes, yes, I know a load of Redmond/Bracknell people will jump on this and proclaim it to be Fake News, but the problem is that the facts don't lie. This time there could not be a more direct line between Redmond's incompetence and it DIRECTLY hurting people as GPs and possible hospitals cannot access patient records. Not that I think that people dying as a result will make a difference - it's not like we haven't seen this one coming for more than a decade, and promises to do better have turned out to have as much actual intention behind them as Trump election promises.

      Not that it's just 100% Redmond, because I'd like to know why Word macros are still an issue some TWENTY TWO YEARS after the first one was discovered - there are ways to kill it off. You've been using Microsoft for so long, surely you should have worked out by now that it defaults to unsafe unless you configure it right?

      * Authentic statistic, as made up as Microsoft's usually are

      1. Dan 55 Silver badge
        Mushroom

        Re: How bad will it get...?

        Speaking of Redmond's incompetence, I manually started Windows update on the other half's laptop this morning and so far it's taken an hour and it's still searching. I'm not surprised this is spreading like wildfire since MS nobbled Windows 7's Windows Update when they released Windows 10.

        People aren't going to wait for this update to deign to download and install automatically, they're going to turn the computer on, do something, and turn it off again. This is why the March patch has not been installed yet for home users.

        1. coconuthead

          Re: How bad will it get...?

          I tried to update my Vista laptop back when this patch first came out around March (it was in the last batch of fixes before EOL) and shut the thing off after it had been "Checking for Updates" for 26 hours with no network activity. It wasn't the first time I'd attempted to get the thing up to date, either, with similar results.

          The slowness isn't Microsoft's servers, but some kind of exponential algorithm in the updater client. There's said to be a registry patch+hotfix to fix 7, but nothing for Vista.

        2. John Miles

          Re: so far it's taken an hour and it's still searching

          If it hasn't been updated for a while, then there is a bug in the update that means you can take days plus to update if certain patches aren't present - I thought they'd broken something when I put in measures to stop Windows 10 arriving, but when it happened on a clean build I eventually found the issue - but that is why I am typing from a Linux boot now and rarely start Windows at home.

          Fix is to use something like Autopatcher and disable the Windows Update service (if you don't disable it then it interferes when trying to run patches manually or via another tool and you are back to days of waiting).

          1. Dan 55 Silver badge

            Re: so far it's taken an hour and it's still searching

            Well so far the computer's been going 24 hours and it's still searching, and that's with the hotfix that's supposed to speed it up applied. Fucking useless.

      2. mr_souter_Working

        Re: How bad will it get...?

        "the horrifically badly locked down macro facility of Word" - actually this is an issue in all MS Office apps - and it can easily be locked down by Group Policy - assuming that the Technical staff are consulted and ALLOWED to make the required changes.

        Too often they are overruled or ignored because locking things down may result in some person complaining that they are not able to use X, Y or Z that worked yesterday - despite it being a gaping security hole.

        And then a lot of the in-house IT is being outsourced, often to other countries, where they don't know the internal systems well enough to make any proper recommendations, and even if they did (and were willing and skilled enough to make recommendations), they have no idea who to recommend anything to.

    4. Anonymous Coward
      Anonymous Coward

      Re: How bad will it get...?

      "The Data Wars are already lost to scammers, cybercrims, hackers..."

      I'm not so pessimistic. There are organs of state with the power to protect us. If we can get them to stop fighting on the same side as the scammers, cybercrims and hackers, then the Data Wars would look very different.

    5. Anonymous Coward
      Anonymous Coward

      'There are organs of state with the power to protect us'

      Not pessimism, the major AV firms have admitted they've pretty much lost the war! Read past articles on the Reg...

      Plus State heads just don't get IT / Security... Otherwise the HMRC wouldn't be punishing IT workers whilst the rest of the State complains they can't get the 'material'???!

      Besides, what's so wrong with a lock-down of medical / hospital PC's regardless of M$ Swiss cheese holes. In the age of Cloud why can't a medical pc-app poll / send changes from / to the Cloud on port 80?

      Everything else remains dead and off-limits! And why can't this lock-down be proprietary too, so it isn't on some NSA zero-day hit-list that hackers acquire? It's a reasonable question to ask...

  6. sanmigueelbeer Silver badge
    Facepalm

    and Health Secretary Jeremy Hunt cancelled a pricey support package in 2015 as a cost-saving measure.

    Bwaa ha ha ha ... It's like taking away fire-fighting equipment in a building because it's never had a fire before.

    1. Anonymous Coward
      Anonymous Coward

      Bwaa ha ha ha ... It's like taking away fire-fighting equipment in a building because it's never had a fire before.

      Especially since the provider insists on using extra-combustible materials to start with. It's like providing smokers with gasoline-impregnated paper ashtrays..

  7. bombastic bob Silver badge
    Unhappy

    And we'd sure appreciate it if you could stop clicking on attachments

    Don't "just open" attachments, period.

    And oh by the way, Defender has a new (patched correctly yet?) security crater that can insert an exploit just by SCANNING an infected e-mail. Just to make things worse...

    http://www.theregister.co.uk/2017/05/09/microsoft_windows_defender_security_hole/

    (more thanks to El Reg keeping us informed)

    1. BagOfSpanners

      Re: And we'd sure appreciate it if you could stop clicking on attachments

      I've never opened a hostile email attachment, but in the last 15 years, I've seen 2 of my software developer colleagues do it. Prior to the incidents, I would have rated them as average in terms of intelligence and security awareness. Sooner or later I'm going to get tired or careless and do it myself.

      1. Anonymous Coward
        Anonymous Coward

        Re: And we'd sure appreciate it if you could stop clicking on attachments

        Upvoted for sensible humility. I see many posts here from smug "I can't be scammed" types, but they're usually reliant on the poor quality of the emails. I recently received a Paypal scam email that was very high quality - no obvious errors in grammar or content, very, very convincing, it was only that I automatically assume anything supposedly from Paypal is not from them, and the domain of the link was wrong that gave it away.

        And as you say, one day when we're tired or distracted.... Or simply opening a booby trapped pdf catalogue from a company we've done business with before, because we expect to receive that. To an extent, we're all lucky that the fraudsters have not bothered to put any effort into improving the quality of their deceptions. If I temporarily pull on my conceptual black hat, I could do way better in terms of effective deception than most of the clowns currently plying their nefarious trade.

      2. Anonymous Coward
        Anonymous Coward

        Re: And we'd sure appreciate it if you could stop clicking on attachments

        Sooner or later I'm going to get tired or careless and do it myself.

        Thank you, you have just qualified for stage one of Really Good Security: you have left your ego at the door. Frankly, it's the most important step to make, the rest is knowledge and process.

        Been there, done that - exactly because I was tired or distracted.

        1. Ken Hagan Gold badge

          Re: And we'd sure appreciate it if you could stop clicking on attachments

          "stage one of Really Good Security: you have left your ego at the door."

          Stage two is to persuade all of your user base to leave their egos at the door, too. In an organisation as large as the NHS, stuffed (er, staffed) with doctors and surgeons for whom self-confidence may actually be a job requirement (who here feels brave enough to knock a person out to within a gnat's breath of death, then stick a knife into them and cut out some of what you find?), I fear that stage two may actually be impossible.

        2. BongoJoe

          Re: And we'd sure appreciate it if you could stop clicking on attachments

          The other day I ordered something over the internet from a largish company. I was waiting for the delivery notification a day or two later when in popped an email from a domain name that could have been a similar sort of company.

          It said that the link would give me tracking information for said product. I almost clicked it because I was expecting a product and from a company, as co-incidence would have it, similar in tone to the one purporting to send the message.

          I could easily have caused no end of problems here.

          I have witnessed people waiting for a delayed DHL delivery click on a 'DHL' email which took days of clearing up. Sensible people too.

      3. Adrian Midgley 1

        Do we need attachments?

        And if we need attachments, do we need them present in the email?

        PointMail looks a better idea, but if an email has an attachment, stripping it at the border and dropping it into two days' quarantine, turning it to plain text and generally neutering it and allowing it to be collected later seems better.

        1. Anonymous Coward
          Anonymous Coward

          Re: Do we need attachments?

          Yes, we do because there is fundamentally no simpler way, and other routes (such as webdav, Dropbox et al) do nothing to mitigate the problem of a stupid wordprocessor document that thanks to Microsoft can carry a system/company/hospital-data-destroying payload.

          The problem is not the capability to carry attachments, it is the capability of files that should not have executable components to carry those anyway, and to a depth that it can screw over a whole system.

          What is worse is that this is not a new problem, yet the company that enables this sort of idiocy is still the predominant provider of software to business, I assume mostly through abusing the ignorance of people and bribes in various guises.

          1. Anonymous Coward
            Anonymous Coward

            Re: Do we need attachments?

            You can blame Microsoft but at least they changed the file format to differentiate between documents and macro-carrying documents (so trivial to block) at least 10 years ago.

            I hadn't even realised until recently that PDF files can contain and execute javascript and carry secondary, launchable documents within their payload. I had assumed any pdf nasties were just through the backdoor with specially crafted documents exploiting bugs, not through the front door using adobe reader's features.
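            Added example for the "trivial to block" point above (written for this page, not code from any poster or from Microsoft): because the newer Office formats are zip containers, a border filter can check for the VBA part inside the archive rather than trusting the file extension, which catches a macro-enabled file that has been renamed to look like a plain document. The sample archives are constructed in memory and are not real Word files; the part name `word/vbaProject.bin` and the `application/vnd.ms-office.vbaProject` content type are the real markers such files carry.

```python
"""Detect macro-carrying OOXML attachments by inspecting the zip container.

Added example, not a poster's or Microsoft's code. The archives built
here are constructed stand-ins for Word files, with just enough
structure to show the check.
"""
import io
import zipfile

VBA_PART = "vbaproject.bin"  # part name is compared case-insensitively
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
DOC_CONTENT_TYPE = ("application/vnd.openxmlformats-officedocument"
                    ".wordprocessingml.document.main+xml")


def build_sample_ooxml(with_macro):
    """Constructed minimal OOXML-style zip for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = ['<?xml version="1.0"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 f'<Override PartName="/word/document.xml" ContentType="{DOC_CONTENT_TYPE}"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes; a real file would carry the compiled VBA project here.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def contains_vba(data):
    """True if the zip carries a VBA project part, by name or by declared content type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().rsplit("/", 1)[-1] == VBA_PART for n in names):
                return True
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        return False
    return False


def classify_attachment(filename, data):
    """Classify by content, ignoring the extension the sender chose."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-ooxml"
    return "macro-enabled" if contains_vba(data) else "document"


if __name__ == "__main__":
    # A .docx name on a macro-carrying archive still classifies as macro-enabled.
    print(classify_attachment("invoice.docx", build_sample_ooxml(True)))
    print(classify_attachment("invoice.docx", build_sample_ooxml(False)))
```

The filename argument is deliberately unused in the decision: the point is that renaming `.docm` to `.docx` changes nothing about what is inside the archive, so a gateway rule keyed on content survives that trick where an extension-based rule does not.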

          2. anthonyhegedus Silver badge

            Re: Do we need attachments?

            I've seen several emails recently which have a word attachment, with a Macro. The Word program sensibly tells you that the document may contain macros. The user only sees "click something to get rid of this message", because they are fed up with messages they don't understand. Once open, there is a word document that LOOKS like a system message saying "this document was created in an older version of Word. Click Enable to see the content". So the user clicks the enable button, because their computer told them to.

            What can be done?

        2. Roger Greenwood

          Re: Do we need attachments?

          Regarding "two days quarantine", this would hit one of the main uses of email for business. We transfer drawings and specifications by the bucket load every day instead of using the postal service. We also receive orders that way - and they ring up 5 minutes after pressing send to make sure you got it (yes really).

          So probably not realistic for health services either.

          1. Charles 9 Silver badge

            Re: Do we need attachments?

            (Shakes head) Not practical because medical imagery is a routine attachment to medical e-mail, and some malcontents have been able to cause malware infections THROUGH graphics files. That's right. Files that aren't MEANT to have executable content (by their spec) get mangled to have and execute them anyway.

            Now I'm just waiting for the malware that can pwn an e-mail program using nothing but embedded 7-bit ASCII code. Given the world we live in, I'm not holding out hope.

            PS. HTML-based e-mail isn't necessarily a bad thing. A little formatting doesn't hurt, but the problem is that HTML e-mail clients throw in too much of the spec. If clients were to instead pare back their HTML e-mail parsers to a spartan subset of the language (basic formatting tags, table formatting, MAYBE support for attached graphics, and NO accessible or inline external links), then it wouldn't be such a big issue.
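            Added example of the "spartan subset" idea in the PS above (written for this page, not a poster's or any mail client's code): an allowlist HTML filter built on Python's standard `html.parser` that keeps basic formatting and table tags, strips every attribute, drops links, images and scripts, and re-emits well-formed markup. The allowed tag set and the sample message are assumptions for the demo.

```python
"""Allowlist HTML filter for e-mail bodies: keep a spartan subset, drop the rest.

Added example, not code from any poster or mail client. Tags outside the
allowlist vanish but their visible text survives; script/style bodies are
discarded entirely; no attribute of any kind is passed through, so there
is no place for a URL, event handler or inline style to ride along.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong",
                "table", "tr", "td", "th", "ul", "ol", "li"}
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object"}  # tag and body go
VOID_TAGS = {"br"}


class SpartanMailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._suppress = 0   # nesting depth inside a dropped-content tag
        self._open = []      # allowed tags currently open, for well-formed output

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._suppress += 1
            return
        if self._suppress:
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")          # attributes intentionally dropped
            if tag not in VOID_TAGS:
                self._open.append(tag)
        # anything else (a, img, form, ...) is dropped; its text content survives

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self._suppress:
                self._suppress -= 1
            return
        if self._suppress or tag in VOID_TAGS or tag not in self._open:
            return
        while self._open:                        # close back to this tag
            opened = self._open.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self._open:                        # close anything left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_email_html(html):
    s = SpartanMailSanitizer()
    s.feed(html)
    s.close()
    return s.result()


# Constructed sample message with the usual unwanted extras.
SAMPLE = ('<p style="color:red">Hi <b onclick="x()">there</b>, '
          '<a href="http://example.test/track">click</a>'
          '<img src="http://example.test/beacon.gif"><script>alert(1)</script>'
          '<table><tr><td>1 &amp; 2</td></tr></table></p>')

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE))
```

Text is re-escaped on output, so a literal `<` in the message body cannot reopen a tag, and closing tags are only emitted for tags the filter itself opened, which keeps the result well-formed even when the input is not.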

        3. a_yank_lurker Silver badge

          Re: Do we need attachments?

          Unfortunately yes! It is a very efficient way to send documents to people who need to have them. Attachments are not the evil but certain OS defaults (not showing file extensions), allowing embedded executable code (macros) are the true evils.

      4. N2 Silver badge

        Re: And we'd sure appreciate it if you could stop clicking on attachments

        Nor me,

        But why oh why do some ignorant users have to?

      5. a_yank_lurker Silver badge

        Re: And we'd sure appreciate it if you could stop clicking on attachments

        @BagOfSpanners - Your observation that anyone can screw up is spot on. All it takes is having a bad day and you are toast. In one sense malware attacks only need a few to make a mistake and they are in. Compound this with 0-days and Sysadmins should be tossing and turning every night.

  8. Kevin McMurtrie Silver badge

    Amazing you can leave the SMB port open

    I'd like to run SMB/CIFS file sharing but that port is such a bot magnet that everything slows to a crawl servicing or blocking hacking attempts. It's like asking for a DDoS. Didn't anyone notice that their system was running really slowly and had multi-gigabyte log files?
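    Added example for the "didn't anyone notice the log files" point (written for this page, not a poster's tool): a small triage script that reads netfilter-style firewall log lines, keeps only TCP hits on the file-sharing ports, discards sources in RFC 1918 space, and counts the rest per source so an exposed share shows up as a short table instead of a multi-gigabyte log. The log lines are constructed, the log format and the assumption that "internal" means RFC 1918 are both choices made for the demo.

```python
"""Count external hits on Windows file-sharing ports from firewall log lines.

Added example, not a poster's or vendor's code. Input format is the
netfilter LOG style (SRC= DST= PROTO= DPT=); the sample below is
constructed, not a real capture.
"""
import ipaddress
import re
from collections import Counter

# NetBIOS session service and direct-hosted SMB.
FILE_SHARING_PORTS = {139, 445}

# Assumption for the demo: internal address space is RFC 1918 only.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s.*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
May 12 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=445 SYN
May 12 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=445 SYN
May 12 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=445 SYN
May 12 10:01:04 gw kernel: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=49152 DPT=445 SYN
May 12 10:01:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51236 DPT=139 SYN
May 12 10:01:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=1234 DPT=80 SYN
"""


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return the fields we care about, or None for lines in another format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


def external_smb_sources(log_text, threshold=1):
    """Per-source count of TCP hits on file-sharing ports from non-internal addresses."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] not in FILE_SHARING_PORTS:
            continue
        if is_internal(rec["src"]):
            continue
        counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in sorted(external_smb_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n} hits on 139/445")
```

Raising `threshold` turns the same function into a crude noise filter: a single probe from one address is background radiation, the same address hammering the port many times a minute is the "bot magnet" effect described above and the signal that the port should not be reachable from there at all.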

    1. itzman

      Re: Amazing you can leave the SMB port open

      Run it internally if you must, but across the internet use sshfs...

      Also, one questions why file sharing is necessary in these days of web and other fat client based apps.

      I was in the opticians (well known high street brand) getting new spectacles ordered. The computer was a terminal looking into what looked like an ancient Oracle database, all 80x25 and white on black..

      1. Ken Hagan Gold badge

        Re: Amazing you can leave the SMB port open

        "Also, one questions why file sharing is necessary in these days of web and other fat client based apps."

        File sharing is a client-server app. The end-user-facing client is a file browser rather than a web browser. Some programs (particularly older ones) are designed to speak http, others are designed to speak to the "local" file system. Re-writing all those programs to fetch their data over http would merely expose them to a different set of holes.

  9. Havin_it

    What the I don't even

    I'm reading through the Cisco analysis as I speak, but I'm not yet seeing what's the excuse for being vulnerable to this.

    Seems that it

    (1) Spreads through unsecured SMB ports

    Well what the fuck retard has their MSNet ports out there waving in the breeze of the general Internet in this day and age, FFS? I mean even MS don't sell you an OS any more that does such stupid things OOTB.

    (2) Drops a binary, msseseccexxxesexypoo.exe (or something)...

    Well how does it drop it and execute it without a by-your-leave? What browser/email client is allowing that to happen, because it doesn't magically happen without a parent vuln or colossally bad design decision to enable it.

    I've only skimmed this info so far but please, someone, let me know if I can get this without having my SMB ports open to the WAN and/or ignoring some permutation of Windows/browser/emailer that won't shout at me "UR ABOUT TO RUN A PROGGY OFF TEH INTERNET IT MITE BE BAD ACTULY ITS PROLLY BAD Y/N" prior to executing a downloaded binary (which, Christ, Windows itself actually does a pretty good job of doing lately).

    1. jgarbo

      Re: What the I don't even

      How does the thing install itself, change the registry when opened/activated by a (common) user, not admin?

      (I'm a Linuxer, so I don't know if ordinary users can install apps on Windows)

      1. Ledswinger Silver badge

        Re: What the I don't even

        How does the thing install itself, change the registry when opened/activated by a (common) user, not admin?

        I'd guess through a privilege escalation code flaw. There's plenty of those that are known, and I'd guess that the complete idiots of the NSA have been collecting a whole pile of additional zero-days in that area. So again, unpatched systems would be at risk, but if using a zero day there's nothing you can do if the malware can get inside your systems.

        1. John Smith 19 Gold badge
          Unhappy

          "I'd guess through a privilege escalation code flaw. "

          Not even necessary in the NHS as El Reg has reported many of those patient management systems (which IIRC are the prime reason the NHS has not updated, since they don't run on anything but XP) only run with Admin rights.

          Presumably any US hospitals that have been hit by this were in the same state.

    2. Doctor Syntax Silver badge

      Re: What the I don't even

      "MSNet ports out there waving in the breeze of the general Internet"

      Assumes a fact not in evidence. If you have a system with substantial internal SMB linkages then all it takes is one person to open an email booby trapped with a worm. The externally exposed port is your email port and that isn't going to work without being open externally.

    3. Pascal Monett Silver badge

      Re: "how does it drop it and execute it without a by-your-leave"

      I never would have known until one day I was surfing with Firefox as I usually do, save that this was way back in last millennium. I followed some URL to a web page and was greeted with a dialog box that stated something that made me do a double-take. I don't remember the wording exactly, but Firefox was warning me that this web site was trying to force a download to my machine and did I want to accept that.

      Note that I had not yet clicked any link on the page I had reached.

      I refused the file, obviously, and then an idea struck me. I started IE and went to the same page and, sure enough, found the file on my hard disk as soon as I looked. So IE blindly accepted whatever HTML instruction there was to download a file to my disk. Add some Javascript to that page that would try launching said file and you have a perfect malware portal. Obviously I scoured the computer afterwards with a full AV scan (found nothing).

      That was the day I vowed to never, ever use IE again if I did not absolutely have to. Of course, that was IE 6, back in the day, but excuse me if I am not entirely trusting of MS to not pull that kind of trick again today.

  10. Frumious Bandersnatch Silver badge

    A force of nature

    It's humbling to see such a devastating and wide-ranging attack appear as if out of nowhere. Indiscriminate, uncaring and just plain nasty in its effects. If I were a normal person (well, actually, I am, more or less) and not some puffed up politician, this would leave me speechless and basically in awe of the fact that I am basically a zero when it comes to the new normal elemental forces at play on the Internet.

    1. Ledswinger Silver badge

      Re: A force of nature

      Is it out of nowhere? Looks to me like steady but worrying evolution.

      Cryptolocker was probably the first globally successful "business model plus attached malware" some four years ago, but the history of ransomware goes back to at least 1989, and a modest resurgence in 2005. With the increasing knowledge of encryption, the options for encrypting ransomware have improved (for the crooks, that is), although there's other variants that don't use encryption, such as access control or leakware.

      The NSA's incompetent hoarding has made the crooks' lives much easier (although the TLAs and politicians are too dim to understand their complicity in this), but it seems that the quality of the ransomware is improving. Crooks are learning to obfuscate code, delete traces on machines, spread via internal networks, avoid specific domains, not to use crackable encryption, avoid their own coding errors. Our worry should be that they are learning - somebody somewhere will be studying the mitigations for Wannacrypt, and thinking Version 2 will not have that error, or that kill-switch. That somebody is probably reading this very comment thread, and those on other tech sites, as well as the AV reports and press articles, KB articles, and considering how to "upgrade their asset", or how to nail together a further set of different malware plus code flaw exploits to create a completely different tool to achieve the same outcome.

      The other problem is that the state-sponsored actors will be looking at the carnage caused by Wannacrypt, and thinking "That's cool. What can we learn from that?" I'd assume they're already running a collection of latent APT, lodged in corporate and foreign government systems to be called upon when they see the need, and there's thus a binary system of TLAs and black hats, in effect working together to crap on the rest of the world - us.

      1. John Smith 19 Gold badge
        Unhappy

        "(although the TLAs and politicians are too dim to understand their complicity in this)"

        Oh they see it.

        They just don't wish to acknowledge it.

        "No man's ignorance is so great as a man whose livelihood depends on that ignorance" Upton Sinclair.

        They believe that these weapons can be secured the way nuclear, chemical and biological weapons can be secured. If you steal one of those you'll leave traces (and probably kill or injure yourself in the process).

        They are wrong.

      2. John Smith 19 Gold badge
        Unhappy

        "..a binary system of TLAs & black hats, in effect working together to crap on the rest of the world"

        From the PoV of most people who have to support IT systems there is no difference between these groups. I don't give a f**k what their motivations are.

        Developers who work for TLA's. You are not keeping the world safe for Democracy/Socialism/Islam. These are stories you tell yourself or are told to you.

        This is you

        IRL the best assurance of a "safe" world (WTF that is) is safety and privacy for everybody, rather than surveillance of all under the nebulous excuse of "protecting" society from the usual 4 Horsemen.

  11. DoctorNine

    Curses! Foiled again!

    So someone set a really nasty worm on all the old unpatched M$ boxes, huh? The ones running older legacy OS's that don't have modern 'security features' mandated by the government?

    Gee... I wonder who would do that, and why?

    1. sanmigueelbeer Silver badge
      Unhappy

      Re: Curses! Foiled again!

      Gee... I wonder who would do that, and why?

      I know what it's like to work in a Health-related IT environment.

      A lot of establishments can't help themselves. Without consulting people in the "know", they buy products with dodgy codes. Faced with the fact that they've just purchased a product that can only do a few things (or none at all) the edict is simple: JFDI (just f*ckin' do it).

      So IT administrators are faced with doing the right thing or JFDI. There are a lot of products out there that will only work in a flat Layer 2 network. Some products could NOT be patched because no one can afford to take down a system (some products don't really work well with "redundancy"). They take the risk(s) that the chance of a system (or component of a bigger system) going down due to a virus is so small that they're willing to look the other way.

      I pity the administrator of those vulnerable (and un-patched) systems.

      It is bound to happen (and will continue to happen). The question is: How bad will the next one be?

      Worst case scenario: Someone unleashes on Christmas Eve.

      1. Anonymous Coward
        Anonymous Coward

        "Worst case scenario: Someone unleashes on Christmas Eve."

        From: Director of Operations

        To: Team Leader, Offensive Network Operations.

        Subject. Operation approval.

        I have studied the results from the laboratory test runs. I congratulate you and your team. They are excellent and I see no flaws in your deployment plan.

        Operation "Silent Night" is authorized.

      2. John Smith 19 Gold badge
        Unhappy

        "Worst case scenario: Someone unleashes on Christmas Eve."

        Indeed.

        Timing the release of a major malware event at a time when the people being targeted are least able to respond to it would clearly not be the act of a gentleman.

        OTOH since they are malware writers should you be very surprised that they would?

        1. Anonymous Coward
          Anonymous Coward

          Re: "Worst case scenario: Someone unleashes on Christmas Eve."

          Especially if the attackers were of a group that didn't honor Christmas (so to them it's just another day), AND they start attaching HARDWARE exploits in a bid to make the malware nuke-proof.

  12. Anonymous Coward
    Anonymous Coward

    Malwarebytes has a free desktop anti-ransomware available

    It's in beta, easy to find and use. Runs in the background, seems to be intended to stop malware-driven encryption from happening. Just passing it along in case it's useful to anyone.

    1. Charles 9 Silver badge

      Re: Malwarebytes has a free desktop anti-ransomware available

      But doesn't the malware simply target IT first before wreaking havoc? This one is noted to try to disable countermeasures.

  13. Walter Bishop Silver badge
    Linux

    How to survive the WannaCrypt ransomware backdoor

    DistroWatch.com: 'Put the fun back into computing.'

  14. jgarbo

    How bad can it get...?

    What use would it be "buying the tools to keep them off the market"? They're not crowbars. They're code. They've already been copied a dozen times for further use.

    1. Dan 55 Silver badge

      Re: How bad can it get...?

      They have now, because they've been given away for free and everyone's going to be jumping on the bandwagon, this attack is just the first and the next one won't have a kill switch.

  15. jgarbo

    Social engineering?

    So this malware still relies on human error - opening an infected attachment? It cannot "jump" into a system from outside unless "invited"? Seems only careless (or stressed) people get infected.

    1. rik-shaw

      Re: Social engineering?

      Yes but..... a single careless person in a large networked environment then triggers the malware which will spread like fire over any connected device. That is the key "nasty" in this case.... it isn't isolated only to the machine that triggers it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Social engineering?

      Only organisations containing careless or stressed people get infected. If all your employees using your network never make mistakes, your organisation will be safe.

      1. Charles 9 Silver badge

        Re: Social engineering?

        Plus the last bit about not opening attachment from UNKNOWN sources. What if the infection is a spear-phish and the attachment actually comes from a KNOWN source, and in an expected format? Don't forget, infections through image files and PDFs are possible.

    3. a_yank_lurker Silver badge

      Re: Social engineering?

      The problem is too many expect emails with attachments from outsiders, whether it is your crazy aunt sending cat pictures or a customer sending a purchase order. With proper targeting and allowing for someone to have a bad day it is fairly likely that you will eventually open an infected file.

  16. Anonymous Coward
    Anonymous Coward

    "Ban Bitcoin!"

    Cue Amber Rudd demanding that Bitcoin be "shut down" or that we put "a backdoor in the hashblock".

    1. Anonymous Coward
      Anonymous Coward

      Re: "Ban Bitcoin!"

      Speaking of Amber Rudd, I have to go parkrun in a while, so I've not read this 100%. But am I right in understanding that the very root of this are snooping tools used by government to spy on people? That 'escaped' and got out into the wider world? Is she listening? Does she realise what's happened? And that the 'backdoors' she wants built into encrypted systems can *and would* be exploited in exactly the same way as the NSA tools have been? Does she understand these hashtags?

      Edit : +1 to el reg for the best, non-hyped, sensible and informative write up on this story. Seriously : top work chaps.

      1. Truckle The Uncivil

        Ban Who?

        An interesting thought is that in Australia and other places it is a criminal act to write a virus or code that is a software attack mechanism.

        Since the NSA acknowledges they wrote this shit, they did it in direct contravention of the law of countries with which the US does have an extradition treaty.

        Does this not make the NSA a criminal conspiracy?

        Regardless, it clearly demonstrates that the argument for government backdoors is false. It has just been demonstrated that a master key will not be kept secret and publishing it would have catastrophic results.

        1. Alumoi

          Re: Ban Who?

          Criminals: ordinary people/organizations who do not work for government.

          After all, the law incriminates theft because government hates competition.

        2. Anonymous Coward
          Anonymous Coward

          Re: Ban Who?

          "Does this not make the NSA a criminal conspiracy?"

          Nope, because they're agents of the government, granting them sovereign immunity, just like Australians can't arrest foreign diplomats (they can declare them persona non grata and make them leave the country, but they can't just throw them in jail).

          1. Marketing Hack Silver badge

            Re: Ban Who?

            No, if someone tried, for example, to start a class action lawsuit against the NSA, it would get quashed from on high so incredibly fast that it would cause physicists to contemplate something faster than light speed. You're not only going after the NSA, but the entire 5 Eyes, because the 5 Eyes governments rely on the NSA. Remember those Snowden documents that showed payments from the NSA to GCHQ? GCHQ depends on that money, so the British government depends on that money.

            And of course the prospect of losing intelligence alerts from the NSA will cause a freakout in every NATO government.

      2. Am I Paranoid Enough?
        Facepalm

        Re: "Ban Bitcoin!"

        No it will be a further excuse to ban encryption outside of government.

        How long before such an offence becomes criminalised?

        1. Dan 55 Silver badge

          Re: "Ban Bitcoin!"

          It'll certainly be an excuse to tie Bitcoin up in red tape and reduce or remove anonymity. It's been found in 74 countries, I'm sure the English-speaking countries and the EU can think up something.

    2. Alister Silver badge

      Re: "Ban Bitcoin!"

      Cue Amber Rudd demanding that Bitcoin be "shut down" or that we put "a backdoor in the hashblock".

      Oh, it gets better than that...

      UK Home Secretary Amber Rudd tells BBC she expects NHS trusts to learn from cyber-attack and upgrade IT systems

      Maybe she should talk to Jeremy Hunt about why he stopped paying for extended support from Microsoft in 2015, and why he vetoed any upgrade strategy from XP?

      1. Dan 55 Silver badge

        Re: "Ban Bitcoin!"

        Underfunding something (NHS, social care, education, police, local authorities) is never the problem, it's always something else.

      2. smudge Silver badge

        Re: "Ban Bitcoin!"

        Maybe she should talk to Jeremy Hunt about why he stopped paying for extended support from Microsoft in 2015, and why he vetoed any upgrade strategy from XP?

        Here is what she has said to Sky News, according to the Guardian:

        “It is disappointing that they [the NHS] have been running Windows XP - I know that the secretary of state for health has instructed them not to and most have moved off it.”

        1. Anonymous Coward
          Anonymous Coward

          Re: "Ban Bitcoin!"

          She was on the radio yesterday saying that it had affected "Window systems".

  17. Ken Moorhouse Silver badge

    Killswitch

    This intrigues me. The code went walkies earlier this year.

    (1) People involved with writing that original code should have immediately thought "aha, we've put a killswitch into that code, let's register that domain right now to minimise damage, should it be exploited 'as-is'."

    (2) "As-is". Whoever took that code and wrapped it into ransomware couldn't have pulled the code apart to any great degree, otherwise they would have changed and obfuscated in some way the killswitch domain.

    (3) Now that they know what that killswitch domain is, and its purpose in the code, they can now go through and change and obfuscate it in some way or, more likely, remove it completely, then release Mk 2 to the waiting world.

    1. tom dial Silver badge

      Re: Killswitch

      (1) It is not clear that there is reason to think the originators of the code would have been able to install a kill switch after it was public. In fact, there is good reason to think they could not; it's code, after all, as someone else mentioned, and highly malleable. It also is not clear that a kill domain like that apparently found was established by the original coders or would have been left in if it had.

      (2) I saw nothing in the writeup to indicate blind reuse and nothing to indicate otherwise. To assume that is to assume something not in evidence.

      1. Ken Moorhouse Silver badge

        Re: nothing in the writeup to indicate blind reuse

        It was the following sentence that prompted me to say what I did:-

        "Now someone has taken that tool and strapped it to ransomware"

  18. EveningComputing

    Mitigation against ransomware:

    1. A solid versioning backup and recovery solution is #1 for ransomware protection. See iDrive

    2. Educate on the risks as much as you can.

    3. If there is an IT Policy for members of staff, volunteers and contractors; keep it up to date and enforce it.

    4. Use a proxy and/or gateway system to review all incoming and outgoing traffic; this will scan the data for viruses and malware and block this malicious traffic.

    5. Implement an Intrusion Detection System (IDS). See Cisco Firepower options.

    6. Implement an Intrusion Prevention System (IPS).

    7. Block known bad IP ranges such as 146.185.220.0/23 because it is associated with CryptoWall. Also default deny all outbound traffic to these IP ranges.

    8. Implement DNS Security via Cisco Umbrella formerly OpenDNS on all devices including mobile phones.

    9. Stick to the email security filters, avoid whitelisting email addresses on the servers and on the individual mailboxes.

    10. Potentially dangerous emails are still delivered to the Junk folder in the mailboxes. They should be dropped instead, to prevent someone from opening an infected email by mistake.

    11. Update the antivirus version on a regular basis and keep the definitions updated on a daily basis. Symantec Endpoint Protection 14

    12. Keep the computers and servers up to date with Windows updates and security patches.

    13. Enforce two-step authentication with Office 365, Google Drive and Dropbox.

    14. Implement MFA for domain accounts.

    15. Update the Cisco firewall operating system on a regular basis. Use the Firepower additional licenses for threats, malware and URL filtering.

    a. Modern software programs contain several million lines of code, and finding all the bugs during the internal quality testing phase is impossible.

    Software vendors know that bugs exist in all software. So they’re continuously providing bug fixes.

    They do so through a process called patching – a manual or automated process that provides software bug fixes to software users.

    Patches fix some process or method in the software, but it is possible that by fixing one problem, it inadvertently changes another process or method in the software, causing something new to break. The tightly integrated relationship of operating system and business software means that a patch for the operating system, fixing a vulnerability there, may introduce a new problem for the business software. Example: http://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability

    16. Encrypt all portable devices (iPhones too)

    17. Remove the wireless service from the local network, offer the service from a different network from the servers. (Segmentation)

    18. Enable pop-up blockers on all computers; use Google Chrome as the default browser because of its seamless updates. adblockplus

    19. Review the access to the network by contractors, volunteers and temps.

    20. Ban the use of USB devices

    1. Doctor Syntax Silver badge

      Re: Mitigation against ransomware:

      "11. Update the antivirus version on regular basis and keep the definitions updated on a daily basis."

      Today's definitions won't protect against yesterday's infection. And if that infection is also an aggressive worm as this was that's not going to be much use.

      "12. Keep the computers and servers up to date with Windows updates and security patches."

      In 15a you go on to explain why this isn't always possible.

    2. Anonymous Coward
      Anonymous Coward

      Re: Mitigation against ransomware:

      TLDR.

      Easiest solution: unplug the Ethernet cable.

    3. dgc03052

      Re: Mitigation against ransomware:

      May as well add prohibit any internal software development, or workers with even the slightest disability (or just not being a generic cog), since you are going to end up prohibiting them from getting any work done.

      Rules like "20. Ban the use of USB devices" lead to policies requiring a doctor's note (and custom computer that doesn't have the USB ports epoxied) to use a trackball or vaguely ergonomic keyboard for carpal tunnel problems.

      1. Anonymous Coward
        Anonymous Coward

        Re: Mitigation against ransomware:

        "Rules like "20. Ban the use of USB devices" lead to policies requiring a doctor's note (and custom computer that doesn't have the USB ports epoxied) to use a trackball or vaguely ergonomic keyboard for carpal tunnel problems."

        What? Kit like that should be provided by the IT department and installed by them. It shouldn't be up to the user to provide their own IT kit for work.

        Also if they are expected to provide their own kit just get IT to sign if off and whitelist the device - easy.

        1. Charles 9 Silver badge

          Re: Mitigation against ransomware:

          But IT doesn't control the budget, and the board doesn't like IT as they're a cost. So now what?

          1. Anonymous Coward
            Anonymous Coward

            Re: Mitigation against ransomware:

            "IT doesn't control the budget, and the board doesn't like IT as they're a cost. So now what?"

            If the board can't see that IT brings value to the business, whose fault is that?

            If there was a Car Fleet department that couldn't do its job properly, e.g. keep the fleet properly maintained, what would happen to the department? Does it make any difference whether the fleet (and its management) is owned, leased, or outsourced?

            Cars have a cost of ownership, as well as a cost up front. But they do at least have a second hand value most of the time.

            Same goes for computers (apart from 2nd hand value), especially ones running Windows. Anyone who has done their best to hide the hidden costs of ownership in recent years (Compaq, Dell, HP, MS, etc) has helped sow the seeds of this week's mess.

            A change is gonna come again, once the people in charge see what's cost effective and what's not.

          2. Anonymous Coward
            Anonymous Coward

            Re: Mitigation against ransomware:

            You work for a company where the board has to sign off the purchase of a trackball (not only might that be illegal, in the UK at least, under the DDA, but could also open them up to huge damages and fines)?

            WTF? Move out immediately. Any normal company that doesn't allow the IT department to control their own agreed OPEX budget and submit their own CAPEX requests is a bit weird, leave and find a company that lives in the real world.

            1. Anonymous Coward
              Anonymous Coward

              Re: Mitigation against ransomware:

              "WTF? Move out immediately. Any normal company that doesn't allow the IT department to control their own agreed OPEX budget and submit their own CAPEX requests is a bit weird, leave and find a company that lives in the real world."

              Excuse me. This IS the Real World! IT is one of the most despised departments in any business that isn't IT at its core. It's even more hated than the Legal Department, which most consider a necessary evil for dealing with things like suits and trials. MOST companies are like this, so leaving just means jumping out of the frying pan and ending up in the fire.

              1. Anonymous Coward
                Anonymous Coward

                Re: Mitigation against ransomware:

                "IT is one of the most despised departments in any business that isn't IT at its core."

                Do you think there might be a reason for that, when it happens?

                Do you think that Information **Services** (as was common in the past) might actually have been a better name, and a better reflection of the role the team should be playing within the organisation?

                Rather than focusing on the size of the "estate" and the corresponding budget, focus on the service and the value delivered to the organisation outside. If you can't see it, they certainly can't see it.

          3. This post has been deleted by its author

          4. This post has been deleted by its author

  19. Anonymous Coward
    Anonymous Coward

    That domain looks suspiciously like a key to me.

    www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

    I'm guessing I'm not the only one who thought of that because who would put such effort into the entropy for a kill switch domain and a key, lazy people would use it for both.
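The kill-switch domain quoted above is also a useful triage indicator for defenders: any internal host that looked it up ran the worm, and the response code says whether that run got past the check. The script below is an added example (not code from the article or from any commenter); the log format, hosts and timestamps are constructed, and the only page-specific value is the domain itself.

```python
"""Triage of DNS resolver logs for the WannaCrypt kill-switch lookup.

Added example; not code from the article or from any commenter. The worm
queries the kill-switch domain quoted in the comment above and halts if the
name resolves, so a query for it from an internal host means the worm ran
there. The response code tells an incident responder more: NXDOMAIN (before
the domain was registered) means that run carried on past the check, while
a NOERROR answer means that run halted. The log format, client addresses and
timestamps below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed resolver log: "<ISO timestamp> <client IP> <query name> <rcode>"
SAMPLE_LOG = """\
2017-05-12T10:02:11 10.0.5.17 intranet.example.local NOERROR
2017-05-12T10:04:38 10.0.5.23 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:05:02 10.0.5.23 update.example.local NOERROR
2017-05-12T14:31:57 10.0.7.41 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
this line is malformed and must be skipped
2017-05-12T16:12:09 10.0.5.88 WWW.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NOERROR
2017-05-12T16:40:44 10.0.7.41 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
"""


@dataclass
class QueryRecord:
    ts: datetime
    client: str
    qname: str
    rcode: str


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        # Normalise the query name: DNS is case-insensitive and some
        # resolvers log the trailing root dot.
        qname = qname.lower().rstrip(".")
        records.append(QueryRecord(datetime.fromisoformat(ts), client, qname, rcode.upper()))
    return records


def is_kill_switch_query(qname):
    """True for the kill-switch domain itself or any label under it (e.g. www)."""
    return qname == KILL_SWITCH_DOMAIN or qname.endswith("." + KILL_SWITCH_DOMAIN)


def triage(records):
    """Summarise kill-switch lookups per client.

    Returns {client: {"first_seen": datetime, "nxdomain": n, "resolved": n}}
    where "nxdomain" counts lookups that failed (that run of the worm would
    have carried on) and "resolved" counts lookups that got an answer (that
    run would have halted at the kill switch).
    """
    summary = {}
    for rec in sorted(records, key=lambda r: r.ts):
        if not is_kill_switch_query(rec.qname):
            continue
        entry = summary.setdefault(
            rec.client, {"first_seen": rec.ts, "nxdomain": 0, "resolved": 0})
        if rec.rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        elif rec.rcode == "NOERROR":
            entry["resolved"] += 1
    return summary


def hosts_to_isolate(summary):
    """Clients with at least one failed lookup: those runs did not stop."""
    return sorted(c for c, e in summary.items() if e["nxdomain"] > 0)


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for client, entry in result.items():
        print(client, entry["first_seen"].isoformat(),
              "nxdomain:", entry["nxdomain"], "resolved:", entry["resolved"])
    print("isolate first:", hosts_to_isolate(result))
```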

    1. Tom Wood

      That looks like the result of 'randomly' mashing the keyboard, not truly random. Lots of substrings formed of letters that are close together on the keyboard.

      1. Anonymous Coward
        Anonymous Coward

        Good point.

        Why did they put it there in the first place though? It's not like you are going to register a domain to stop your own ransomware from propagating because then you could potentially reveal yourself.

        1. lglethal Silver badge
          Joke

          I've got it!!!

          The malware authors are Welsh! What do you mean that's not Welsh? It's a hundred letters long, unpronounceable, and looks like gibberish, that's the very definition of Welsh!!!

          1. uncommon_sense
            Joke

            Re: I've got it!!!

            Yes, Welsh aka KittyTyping!

          2. Captain Badmouth
            Devil

            Re: I've got it!!!

            Go to hell.

        2. John Smith 19 Gold badge
          Unhappy

          "Why did they put it there in the first place though?"

          Simple. The NSA does not (in theory) work for itself. Such attacks are a policy decision.

          And if the policy changes you have to be able to shut it down.

          Likewise if you target a group of businesses in order to gain access to an installation, once inside, spreading any further infection is unnecessary. Ideally you want the other copies to also self destruct to prevent hardening against them (or perhaps having them used on yourself?)

          The documentary "Zero Days" on Stuxnet mentions this stuff briefly.

      2. alreadytaken

        What can people infer about who wrote the malware?

        As a little challenge to get people started, taking into account the url address that the UK accidental hero found, which of the following completely hypothetical cases do you think is most likely to have written it and why?

        A) Arthur in England who has one arm.

        B) Francois in France who has a degree in Computer Science and Cryptography.

        C) Alice in Ireland, who is an Art teacher and has never programmed computers before.

        D) Walter, who works non-standard hours and travels quite a lot, spending time in the US, UK, Germany and Ukraine.

        E) Colin, who lives in Madrid, and who has never used a computer. Colin was given a laptop once, but the bottom row of letters didn't work.

        1. alreadytaken

          In the little challenge, well done to those spotting that the bottom row of letters on Colin's keyboard doesn't work and that the url address that the UK accidental hero found didn't have any of these letters in it.

          However, it is unlikely that Colin wrote the malware as he has never used a computer.

          (Even if Colin had written the malware using his laptop without the bottom row of letters, he would have had difficulty writing the rest of the code. He wouldn't even have been able to type '.com'.)

          So that narrows it down to one of the others.

        2. alreadytaken

          In the little challenge, well done to those spotting that Francois has a degree in Computer Science and Cryptography, which could have helped give him the skills needed to write the malware.

          This is in contrast to Alice, who has never programmed before and is therefore unlikely to have written the malware.

          Also, the letters in the url change from middle / upper left on the keyboard to upper / middle right and back again to the same or close-by set of letters repeatedly.

          For instance part of the url is ‘fjaposdfj’, which could be typed with four fingers on the left hand on the keys asdf and four fingers on the right hand on the keys jiop. However, (particularly if keyboard mashing / typing quickly) it appears unlikely that this was done by someone with one arm. Therefore it is unlikely that Arthur wrote the malware.

          The url also contains ‘aewrwergwea’. The ‘a’, ‘e’ and ‘w’ keys are easily covered together by the left hand on some keyboards, but not on all keyboards. Francois is in France, and assuming he is using a French keyboard, it seems unlikely that Francois typed the url. Therefore it is unlikely that Francois wrote the malware.

          Therefore as the others appear unlikely to have written the malware, of the completely hypothetical cases, this suggests Walter is the most likely to have written the malware.

    2. Truckle The Uncivil

      Re: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea

      Look at it again. It seems to have some structure, some rhythm that I cannot identify. It may not have very high entropy if you knew the structure.
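The keyboard-row reasoning in the hypothetical challenge above, and the "how much entropy is really in it" question here, can both be checked with a short script. This is an added example, not code from any commenter; it assumes a US QWERTY layout and the usual touch-typing hand split, which is exactly the assumption the French-keyboard remark warns about.

```python
import math
from collections import Counter

# The kill-switch domain label quoted in the thread (taken from the page).
KILLSWITCH_LABEL = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"

# Assumed US QWERTY layout. The hand split is the usual touch-typing one;
# a French AZERTY layout moves 'a', 'q', 'w', 'z' and 'm', so the tables
# below would not hold there.
QWERTY_ROWS = {
    "number": "1234567890",
    "top": "qwertyuiop",
    "home": "asdfghjkl",
    "bottom": "zxcvbnm",
}
LEFT_HAND = set("12345qwertasdfgzxcvb")
RIGHT_HAND = set("67890yuiophjklnm")


def row_of(ch):
    """Return the QWERTY row a character lives on, or None for other characters."""
    for name, keys in QWERTY_ROWS.items():
        if ch in keys:
            return name
    return None


def hand_of(ch):
    """'L' or 'R' for keys on the main block, '?' for anything else."""
    if ch in LEFT_HAND:
        return "L"
    if ch in RIGHT_HAND:
        return "R"
    return "?"


def uses_bottom_row(s):
    """True if any character sits on the z-x-c-v-b-n-m row."""
    return any(row_of(ch) == "bottom" for ch in s)


def hand_pattern(s):
    """Collapse a string into the hand sequence needed to type it, e.g. 'LRLRR...'."""
    return "".join(hand_of(ch) for ch in s)


def hand_switches(s):
    """How many times consecutive characters change hands."""
    p = hand_pattern(s)
    return sum(1 for a, b in zip(p, p[1:]) if a != b)


def row_histogram(s):
    """Count characters per keyboard row."""
    return Counter(row_of(ch) for ch in s)


def shannon_entropy_bits(s):
    """Per-character Shannon entropy of the observed symbol frequencies."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def max_entropy_bits(alphabet_size):
    """Entropy per character of a uniform pick from `alphabet_size` symbols."""
    return math.log2(alphabet_size)


if __name__ == "__main__":
    s = KILLSWITCH_LABEL
    print("label:", s, "length:", len(s))
    print("bottom-row letters used:", uses_bottom_row(s))
    print("rows:", dict(row_histogram(s)))
    print("hand pattern:", hand_pattern(s))
    print("hand switches:", hand_switches(s), "of", len(s) - 1)
    distinct = len(set(s))
    print("entropy: %.2f bits/char (%d distinct symbols, max %.2f)"
          % (shannon_entropy_bits(s), distinct, max_entropy_bits(distinct)))
    for fragment in ("fjaposdfj", "aewrwergwea"):
        print(fragment, "->", hand_pattern(fragment))
```

The observed per-character entropy comes out close to the maximum for the 16 symbols actually used, so the "rhythm" is in the row and hand structure (no bottom-row keys at all, frequent hand alternation), not in the symbol frequencies.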

      1. Ken Moorhouse Silver badge

        Re: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea

        It was second on their list as llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogochuchaf.org.uk was already taken

  20. Anonymous Coward
    Anonymous Coward

    Don't Worry. Strong and Stable High Chancellor May will save us!

    You just need to sacrifice your Liberty for a little Safety & Security, citizens.

    https://pbs.twimg.com/media/C_XQpj0XcAEg7Hu.jpg

    https://pbs.twimg.com/media/C_XP1MqXsAENwH3.jpg

    #Deadbeats - Sgt May's Damnation Army

  21. Blotto

    Hunt to blame for NHS attack

    Is the likely Guardian headline.

    After all, according to the ref link, he did cancel MS support for the NHS's ageing XP fleet.

    Hopefully this will renew pressure on NHS IT to find a solution to upgrade those ancient os's.

    1. Alister Silver badge

      Re: Hunt to blame for NHS attack

      Hopefully this will renew pressure on NHS IT to find a solution to upgrade those ancient os's.

      Yeah, great, now all you've got to do is get the government to pay for it.

      It is not "NHS IT" who are at fault, it is those that hold the purse strings.

    2. Mage Silver badge

      Re: Hunt to blame for NHS attack

      Hopefully this will renew pressure on NHS IT to find a solution to upgrade those ancient os's.

      MS does still support it, if you pay; I believe the NHS was paying. Besides, the problem in most infections is NOT lack of AV (more often it cripples due to false positives) or OS version but training. Win 10 was just as vulnerable anyway.

      Moving to Linux would only be temporary respite if the users are not properly trained and IT infrastructure isn't correct (Per site mail server with good rules and better firewall / proxy rules).

      1. My Coat

        Re: Hunt to blame for NHS attack

        Win 10 is not vulnerable if the patch from March was applied. So staying on XP and not paying MS for supporting XP since 2015 (as per the article) is the reason the NHS was so badly affected. Not blaming the NHS here - it's the fault of the person (rhymes with Jeremy Runt) who decided they shouldn't pay.

        1. SloppyJesse

          Re: Hunt to blame for NHS attack

          Seems to me that the NHS (like many organisations) viewed the XP situation as a binary choice of

          A) shell out to upgrade / replace equipment to get away from XP

          B) Stay with XP and accept risks that not upgrading brings

          What they don't seem to have done in choosing B is spent money and effort on mitigating those risks, the major one being security. Management have just stuck the risk in their register as accepted. If system changes and additional security costs were included in the 'stick with XP' option it might start looking a lot less attractive.

          1. Anonymous Coward
            Anonymous Coward

            Re: Hunt to blame for NHS attack

            "Management have just stuck the risk in their register as accepted."

            Isn't that what many risk registers are used for? Yet another CYA exercise?

            E.g. you're only allowed to record risks that don't really matter.

            Risks that do matter and can't readily be mitigated aren't allowed to be recorded, and to even mention them is potentially a career limiting move.

            One private sector safety critical outfit I'm familiar with relied exclusively on one individual for development and maintenance of critical parts of the company's product development and support process. This reliance on one person wasn't allowed onto the risk register (because it couldn't realistically be mitigated).

            Then one year the individual concerned went home one day, and never came back.

            It was a couple of years before things returned to some kind of order.

            Mitigate that, all ye paperpushers, beancounters, PHBs and MBAs.

            1. Captain Badmouth

              Re: Hunt to blame for NHS attack

              "Mitigate that, all ye paperpushers, beancounters, PHBs and MBAs."

              You missed out PPE's.

          2. sanmigueelbeer Silver badge
            Unhappy

            Re: Hunt to blame for NHS attack

            It isn't as straightforward as upgrading and it will fix the problem. The main problem with the NHS (and a lot of health-related organizations) is that there is a lot of equipment, servers and applications that cannot be patched and/or cannot be upgraded.

      2. Ken Hagan Gold badge

        Re: Hunt to blame for NHS attack

        "MS does still support, if you pay..."

        Not sure about that. The original offer was $200 for the first year and $400 for the second and $800 for the third, per seat. That third year ended a few weeks ago. I've not seen any mention of a fourth year, at any price, to anyone.

        Refs:

        (2017) https://www.theregister.co.uk/2017/03/17/microsoft_to_kill_windows_vista_april_11/

        (2014) https://www.theregister.co.uk/2014/01/14/win_xp_uk_gov_hacker_deadline_miss

    3. D Moss Esq

      Re: Hunt to blame for NHS attack

      Government Digital Service

      Government Technology blog

      Update on the Customer Support Agreement for Windows XP

      22 May 2015

      The Technology Leaders met last month and took a collective decision to not extend the support arrangement for 2015. The current support agreement ended in April 2015.

      1. sanmigueelbeer Silver badge
        Facepalm

        Re: Hunt to blame for NHS attack

        Y'know why I find this amusing? This is probably the second time a British minister tried to save money and it blew up in everyone's face. Hunt is one. The other one is ex-Defense Minister John Nott.

        HMS Sheffield, Coventry, Antelope, Ardent sunk and 255 (some say 260) servicemen lost.

        I don't know which is more insulting: the fact that HMS QE will be ready but won't have a full complement of Fleet Air, or the fact that the British are building a multi-billion dollar warship for US Marines' use.

    4. Anonymous Coward
      Anonymous Coward

      Re: Hunt to blame for NHS attack

      His name does rhyme with...

  22. ColonelDare
    Black Helicopters

    Just fix it.

    Why doesn't M$ open-source the XP code and let good people sort out the mess?

    (Assuming there are more good people than villains in the world that is.)

    1. davidp231

      Re: Just fix it.

      Probably due to the fact a rather large mass of the source code in XP is still active in future versions - and by extension some of said code is just as it was back in NT 3.1, where it originated.

  23. Tessier-Ashpool

    Dear Donald & Theresa

    Please abandon your crazy idea to force companies to backdoor their products. This fiasco should be one big clue to you that you're barking up the wrong tree.

    1. Destroy All Monsters Silver badge

      Re: Dear Donald & Theresa

      They will probably think pressing on with mandated disaster will preclude problems like we are seeing right now.

      That's how politicians' minds work. Once a stupid idea has gelled underneath their bony domes, it must be realized by hook or by crook.

    2. Pascal Monett Silver badge
      WTF?

      Re: Dear Donald & Theresa

      I'm sorry, you're asking The Donald to get a clue ?

      Talk about doomed to fail . . .

    3. Anonymous Coward
      Anonymous Coward

      Re: Dear Donald & Theresa

      Minor detail: it's not Theresa or Amber or whoever that need to be outed as clueless puppets. It's the faceless ones pulling the strings, who have been pulling the strings at least since Theresa was at the Home Office with equally bizarre ideas, and quite possibly before that too, and are still pulling the strings of The War Against Terror even as we speak.

      No names, no pack drill. Someone might be listening.

      1. Norman Nescio Bronze badge

        Re: Dear Donald & Theresa

        ...that would be Charles Farr (1), who just happened to be in a relationship (2), with Theresa May's special adviser, Fiona Hill (3) (previously Cunningham, before divorce (4).).

        (1) https://en.wikipedia.org/wiki/Charles_Farr

        (2) http://www.dailymail.co.uk/news/article-2649035/The-discreet-affair-two-Home-Secretarys-closest-advisers-REAL-reason-bitter-split-Cabinet-colleague-Michael-Gove-Islamic-plot-schools.html

        (3) https://en.wikipedia.org/wiki/Fiona_Hill

        (4) http://www.bbc.com/news/uk-politics-36783185

      2. John Smith 19 Gold badge
        Unhappy

        "faceless ones pulling the strings,.. at least since Theresa was at the Home Office "

        Her and at least the previous 8 Home Secretaries have spouted the mass-surveillance-is-good-for-you-nothing-to-fear-if-you-have-nothing-to-hide BS.

        There is a distinct cabal within senior reaches of the Home Office. It has tentacles into the management ends of other parts of HMG. That is obvious.

        This is also the department that f**ked the UK immigration system (under several Labour and Conservative ministers) so badly that it helped create the situation for the rise of UKIP and the result of the independence referendum, the mopping-up operation of which British citizens will now sit through.

  24. Anonymous Coward
    Anonymous Coward

    When the dust settles...

    Wouldn't it be nice to have the repair bill paid by the Operating System and anti-malware providers?

    1. Tom Wood

      Re: When the dust settles...

      The OS provider who has been warning for years 'this OS is obsolete, it's unsafe, we no longer support it, stop using it'?

  25. Mage Silver badge

    Stupidity

    TWENTY years ago I was training people to avoid these attacks.

    Training is more important than AV.

    Why are big orgs not using internal mail servers that filter stuff to the minions? Why are critical files available to users that don't know how to use email?

    I know Outlook doesn't help. But it's TRAINING.

    1. Doctor Syntax Silver badge

      Re: Stupidity

      "But it's TRAINING."

      And counter-training unfortunately. You train people to use email safely. Outside of your training session marketers everywhere are counter-training them to accept HTML mail as normal. Banks and others are counter-training them to click on URLs in their HTML mail. Social networks are counter-training them to throw complex files around. Gmail and the like are training them to view their mail through a browser, described here the other day as not a single point of failure but a whole three-dimensional space of failure.

  26. ITnoob

    According to Amber Rudd XP is not secure and the NHS needs to sort it out, although they aren't going to get extra money to do it. Meanwhile getting IT advice from Amber is like your Nan asking if you have heard of "the youtube".

    1. Anonymous Coward
      Anonymous Coward

      Amber's advice

      She said it straight this morning. The NHS has back ups. They are restoring the files and normal service will be resumed. No need to change anything!


  28. Nano nano

    Rogue One ...

    I wonder if the killswitch domain name was put in by someone acting with the same motives as the creator of the Death Star put a vuln into that - ie we are not going to stop this thing going out, but let's embed some means of stopping it, covertly.

    1. Anonymous Coward
      Anonymous Coward

      Re: Rogue One ...

      That means someone is having a bad time right now.

    2. Ken Hagan Gold badge

      Re: Rogue One ...

      I doubt it. Since this has become a long comment thread, let me re-iterate a point that someone else made further up. If you are the NSA and intending to use this against a particular target, you want a kill switch that you can register once you've hit that target, to stop your weapon becoming any more public than it needs to.

      Also, to answer another query from further up ("why include a kill-switch when you can't register it without disclosing your identity"), if you are the NSA and you register a garbage domain name, no-one is going to know why or try to arrest you even if they do.

      It is a little odd that someone adapting this software to a very different purpose, requiring as large a target as possible, chose to leave the kill-switch in (and in the clear). Perhaps they didn't understand the code they were using.

      1. cantankerous swineherd Silver badge

        Re: Rogue One ...

        Would be interesting to see a list of garbage domains registered by the spies.

  29. Nano nano

    IE 7

    What about all those "corporate" systems still stuck on IE 7 due to in-house legacy web apps ?

    1. Anonymous Coward
      Anonymous Coward

      Re: IE 7

      IE wasn't a vector in this case (for once).

    2. John Smith 19 Gold badge
      Unhappy

      "What about all those "corporate" systems still stuck on IE 7 "

      Well that's a completely different set of vulns to be exploited.

      As I'm sure we'll discover next week.

  30. Prst. V.Jeltz Silver badge

    It would be nice if the assholes who created this malware would think "you know what, this has got a bit out of hand" and anonymously release keys / source, whatever.

    Or are they just rubbing their hands with glee?

    They ought to be shitting themselves really....

    1. lglethal Silver badge
      Trollface

      "They ought to be shitting themselves really...."

      Since they've massively pissed off the Russians, I'd say you're right... Rendition to Siberia sounds about right, no? (and funnily enough, I don't find myself overly upset at the thought...)

      1. John Smith 19 Gold badge
        Unhappy

        "Rendition to Siberia sounds about right, no? ("

        The Russians don't really do rendition, it's expensive.

        Let's look at it from the Russian PoV

        Pros

        Disrupted the infrastructure of quite a few countries Russia does not like.

        Proven skills in understanding the NSA toolset.

        Made a few $ on the deal which I'm sure they will donate if someone held a gun to their head.

        Cons

        Most of the reported disruption was inside Russia (so now we know who's still a big XP user and why it's good to keep the old exploits handy).

        Several of those countries are quite friendly with Russia.

        The money that can be recovered probably won't cover the costs of the operation to hunt you down.

        All of which suggests those responsible have a meeting with a group of large men in body armor and automatic weapons in their future.

        This is when you find just how good the fake ID you bought really is.

  31. Anonymous Coward
    Anonymous Coward

    Yes.

    The best part of it is

    "Emergency fixes emitted by Microsoft for WinXP+"

    I think they shoot people who put shit on the market in China and put people at risk.

  32. Anonymous Coward
    Anonymous Coward

    I work at one of the affected NHS places, I won't say which, and I can tell you users can freely download and run .exe files, and I'm pretty sure they can be sent them through the mail too.

    Why would you let that happen?

    What possible benefit could there be?

    Also, the firewall/proxy whatever (thing that decides which sites are allowed) can be completely sidestepped by unticking a box in your browser, allowing direct internet access.

    Surely it should be set to "proxy or nothing".

    Just a few huge obvious security problems I noticed on day one, and did in fact mention in passing, but as the new guy didn't push it. It's not my job <cringe>. There are apparently highly skilled people being paid much more than me whose job it is to decide these things, what do I know?

    These are not the things that the news seems to think cost too much to implement, these are things that are free to implement on the existing systems and are common fucking sense.

    1. Mandoscottie

      Re: Not again...

      "I work at one of the affected NHS places, I won't say which, and I can tell you users can freely download and run .exe files, and I'm pretty sure they can be sent them through the mail too.

      Why would you let that happen?

      What possible benefit could there be?

      Also, the firewall/proxy whatever (thing that decides which sites are allowed) can be completely sidestepped by unticking a box in your browser, allowing direct internet access.

      Surely it should be set to "proxy or nothing".

      Just a few huge obvious security problems I noticed on day one, and did in fact mention in passing, but as the new guy didn't push it. It's not my job <cringe>. There are apparently highly skilled people being paid much more than me whose job it is to decide these things, what do I know?

      These are not the things that the news seems to think cost too much to implement, these are things that are free to implement on the existing systems and are common fucking sense."

      Good to see nothing has changed in the NHS since I left in disgust circa 2003. Patient Db systems built using Paradox because it was free on a cover disk......ahh those were the days....NOT!

    2. illiad

      NHS AC...

      And do they *know* about anti virus at all???

      also, though, have you *actually* tried to run a .exe?? - it LOOKS like it is running it, until a message comes up about permissions...

  33. JamieL

    Kill switch

    So, the NSA knew there was a "kill switch". They knew the code had been stolen. But they chose not to activate the "kill switch".

    Conclusion: the code was still actively working for them, and now some current "operations" will be affected....

    1. Doctor Syntax Silver badge

      Re: Kill switch

      They knew the code had been stolen. But they chose not to activate the "kill switch".

      Not activating it immediately it was stolen was reasonable. If they had, the malware operators would have noticed it, because they'd have had to debug it to get it to work. However, they should have been watching for a release and thrown the switch as soon as they discovered it in the wild.

      The NSA have a lot to answer for here and I hope govts. around the world let the US know that.

    2. Ken Hagan Gold badge

      Re: Kill switch

      More likely, it didn't occur to them that any of these "tools" had kill-switches. Presumably now that will occur to them and they'll flick the switches for all the other exploits they've lost. It would be gross negligence not to, since part of their mission is to protect US IT systems.

    3. Paul Hovnanian Silver badge

      Re: Kill switch

      "some current "operations" will be affected"

      Perhaps. A couple of things come to mind related to this kill switch:

      1) Can we put the 'magic' URL in our hosts files?

      2) Many organizations with large intranets operate their own internal DNS. They can resolve URLs to (usually) internal IP addresses that can't be seen from the outside world. Many of these organizations have close ties to the NSA and other three letter gov't organizations. Just wondering out loud: Was this 'kill' URL distributed to such organizations in advance? So as to keep their intranets clean once the virus is released into the public?
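On the detection side of the kill-switch questions above: whether or not an internal resolver sinkholes the name, a machine that looks it up is running the check and is worth a look. The following is an added example, not code from any commenter; the log lines are constructed and only loosely modelled on a resolver query log, and the `.com` suffix is the one the thread assumes.

```python
import re
from collections import defaultdict

# Kill-switch domain discussed in the thread (label from the page, .com as the thread assumes).
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample lines, loosely modelled on a resolver query log. Hypothetical hosts.
SAMPLE_LOG = """\
12-May-2017 11:02:13.101 client 10.20.3.41#51234: query: www.example.org IN A
12-May-2017 11:02:14.220 client 10.20.3.41#51240: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A
12-May-2017 11:02:14.301 client 10.20.7.9#40021: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A
12-May-2017 11:02:15.005 client 10.20.3.41#51241: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A
12-May-2017 11:02:16.800 client 10.20.5.2#33010: query: updates.example.net IN AAAA
"""

# One query line: timestamp, client IP#port, queried name, query type.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise_qname(qname):
    """DNS names are case-insensitive and may carry a trailing dot; compare a canonical form."""
    return qname.rstrip(".").lower()


def parse_query_log(text):
    """Yield one dict per parsable query line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        yield {
            "ts": m["ts"],
            "ip": m["ip"],
            "qname": normalise_qname(m["qname"]),
            "qtype": m["qtype"],
        }


def kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that queried the kill-switch name to the timestamps of its queries."""
    hits = defaultdict(list)
    for rec in parse_query_log(text):
        if rec["qname"] == domain:
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)


def summarise(text, domain=KILL_SWITCH_DOMAIN):
    """Per-host count of kill-switch lookups; any non-zero entry is a host to examine."""
    return {ip: len(ts) for ip, ts in kill_switch_lookups(text, domain).items()}


if __name__ == "__main__":
    for ip, stamps in kill_switch_lookups(SAMPLE_LOG).items():
        print(ip, "queried the kill-switch domain", len(stamps), "time(s); first at", stamps[0])
```

The third sample line shows why the name is canonicalised before comparison: an upper-case query with a trailing dot is the same lookup.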

  34. GazCBG
    Facepalm

    Linux

    Why aren't the NHS running on a Linux Platform, instead of old Windows?

    1. InNY

      Re: Linux

      Ask your local national politician or Jeremy Hunt.

    2. Anonymous Coward
      Anonymous Coward

      Re: Linux

      Why aren't the NHS running on a Linux Platform, instead of old Windows?

      Because Microsoft's marketing machine works rather well in that it spends more on wining & dining decision makers than on actually making sure that any of their crap is "of marketable quality", as Trading Standards would call it.

      Or, shorter, there's less money in Linux. The NHS runs on budget size, not on efficiency, so there is nobody there trying to do more with less (something you also see in how medication is procured - just note how often generics are skipped in favour of branded products).

      1. hmv

        Re: Linux

        a) Because when you buy a ${very expensive medical thingy}, it comes with an XP desktop for free and you don't get a choice.

        b) Because the lusers insist on Windows (because they know nothing else), and because the lusers are always right (that's not to say they're always wrong, but the cost of incidents such as this one are rarely factored into the TCO of desktop choices).

        In general, people are trying to blame something here, but it isn't that simple (except to say that the malware authors are ultimately the ones to blame). What puts us at risk are a number of factors :-

        1) Operating systems that are not "fit for purpose" (I'm not blaming Microsoft here; they are all to blame). Any security patch issued after the operating system is released is an admission that the operating system was not fit for release. Harsh perhaps but also right.

        2) Lack of aggressive enough enterprise patch management. And anyone who claims you can just turn on automatic patching on Windows globally obviously knows very little about enterprise patch management.

        3) I have a special list of those I intend to rack to death, and vendors of "layered products" that refuse to support systems that have been patched go onto that list. And yes, my little list isn't so little.

        4) Lack of "security in depth". It ain't just about patching; it's also about email security, firewall security (hire a hard bastard for that one!), network segmentation (block SMB between network segments unless there is a valuable business case), etc. There's no magic bullet.

        5) Users. If someone clicks on a link and causes an infection, send 'em on a mandatory security awareness course. And keep sending them until they get the message - if nothing else, from a sense of self-preservation from death by powerpoint.

        1. Anonymous Coward
          Anonymous Coward

          Re: Linux

          I am conflicted..

          I want to downvote for recommending the use of powerpoint,

          whilst agreeing it is an appropriate evil punishment.

    3. deathchurch

      Re: Linux

      Because they want to do actual work rather than spending months tweaking settings and recompiling the kernel just to get Linux to even run...

      1. Anonymous Coward
        Anonymous Coward

        Re: Linux

        Because they want to do actual work rather than spending months tweaking settings and recompiling the kernel just to get Linux to even run...

        Have you actually been near Linux in the last decade? I haven't recompiled a kernel for probably some 12 or more years or so. If you want to troll, find something that's less laughably wrong and maybe throw in some capital letters.

        Honestly, I really need to write a HOWTO for trolling on El Reg..

        :)

  35. Anonymous Coward
    Anonymous Coward

    Windows in the NHS

    I used to work in an NHS Board IT department.

    The problem with working for the NHS is that every year you get bombarded with requests for suggestions on how to save money due to the continual cutbacks. I am one of those that bombards them back with suggestions, like start using open source software. The answer is always the same, "the software vendors only write software for windows". And there lies the problem. The NHS is the customer and should be only offering the business to those who will write the software for a less costly platform. There is also a problem with mindset that we have used Word and Excel for years and that is the reason we will continue. Of course it doesn't help that my Board no longer has any IT training department, preferring instead that staff rely on far cheaper online courses, which I can tell you are considerably less effective, or relying on staff who are knowledgeable to help out with problems.

    Our systems have improved. We are no longer on XP!

    My views are mine alone and not necessarily the views of my employer.

    1. Charles 9 Silver badge

      Re: Windows in the NHS

      The problem lies when you prerequisite Linux...and get no offers.

  36. Anonymous Coward
    Anonymous Coward

    Legacy systems

    IE7 - yes, we are still using that!

  37. J J Carter Silver badge
    Trollface

    Every day is a learning day

    I just hope lessons have been learned!

    1. Anonymous Coward
      Anonymous Coward

      Re: Every day is a learning day

      I just hope lessons have been learned!

      Yes. Some people really need to improve their excuses.

    2. jMcPhee

      Re: Every day is a learning day

      Yeah, we learned, yet again, that the internet is a playtoy which should be airgapped from critical systems

      1. Charles 9 Silver badge

        Re: Every day is a learning day

        "Yeah, we learned, yet again, that the internet is a playtoy which should be airgapped from critical systems."

        Which is countered by the lesson that ANY air gap can be bridged or jumped, especially if someone wants it badly enough (in particular someone UP TOP).

    3. Dan 55 Silver badge

      Re: Every day is a learning day

      Many people have already learnt to avoid MS, and I guess many more people are learning at this very moment.

      1. Anonymous Coward
        Anonymous Coward

        Re: Every day is a learning day

        "Many lessons were learnt to bring us this ransomware"

  38. Anonymous Coward
    Anonymous Coward

    Conflict of interest

    I do understand organisations being behind the curve on OSes, software and updates when there are safety-of-life or regulatory compliance requirements in system operations. I've worked in the financial sector and the time taken to certify upgrades against regulatory requirements did lead to a significant lag. The temptation to save money on upgrades can lead to a situation getting out of hand and extremely expensive to bring up to date. In an operation, like the NHS, that is being cash-starved, going to corporate management and asking for millions for upgrade work on systems that, in their eyes, "are working" is generally going to face robust push back until it becomes an emergency that can't be ignored.

    There seems, to me, to be a conflict of interest in the agencies charged with our country's cyber security. On one hand, if state hacking is legal, they are under pressure to maintain the capability to enter systems of those who might do the country harm so there is motivation to hoard vulnerabilities to aid in this work. On the other hand, they are responsible for giving advice on protecting businesses from those who might use such vulnerabilities to commit crime and harm our economic interests. In this case, the criminal threat has gone beyond economic to safety-of-life as hospitals are being targeted.

    In these circumstances, is it responsible for the hoarding of vulnerabilities to continue when waiting for them to be used in the wild before disclosure creates a window of opportunity for criminals to, intentionally or otherwise, create a threat to the public's medical well being?

    1. Emperor Zarg

      Re: Conflict of interest

      In the case of the NSA (i.e. the original source of this exploit), there is no cyber security mission and they are not responsible for providing advice or guidance to businesses or individuals. Their primary remit is to gather information and to use it as a weapon.

      I really don't think they care that the weapon can be turned on friendly assets. They think they can know everything by capturing all the data in the world. It's a seductive theory. Seductive but wrong.

  39. J J Carter Silver badge
    FAIL

    From North of the Border

    NHS Scotland annual budget - £12,200,000,000

    NHS Scotland's employees - 160,000

    Cost of Windows 10 upgrade (Govt. pricing, £78/user) for 160,000 - £12,480,000

    £12,480,000 / £12,200,000,000 = 0.102%

    That's right, a tenth of a percent of NHS Scotland's annual budget would have avoided this fiasco, so let's not hear about the 'cash starved' NHS.

    1. Doctor Syntax Silver badge

      Re: From North of the Border

      Interesting calculation. But you've omitted the cost of testing the ability of the existing applications to run on W10 and remediation or replacement of those that won't. An OS exists to run applications. These are the very arguments used against FOSS in such circumstances.

      There's no silver bullet.

    2. Richard Jones 1
      Stop

      Re: From North of the Border

      Update, software does not run on the ground or in the air, it requires hardware, thus upping the cost considerably. Then it needs installing or profiling. Then it needs testing and deploying. You might even need to train staff to use it correctly. Then there are all of those lovely custom crafted funnies that all the staff know and love like CTI scanners and MRI machines, etc. Etc.

      So as a reasonable estimate the costs of deployment are probably out by a factor of 10 at a minimum.

      None of this is a reason to not act, but knee jerks are for jerks.

      1. Doctor Syntax Silver badge

        Re: From North of the Border

        "knee jerks are for jerks."

        Nice one.

    3. Anonymous Coward
      Anonymous Coward

      Re: From North of the Border

      This argument is over-simplistic, straight off the front of the Daily Mail. It neglects all the other costs involved in such an upgrade. To name a few: Planning costs for the new deployment - There are thousands of machines and users here, Production and testing costs for the new deployment images, staff costs to perform the upgrade work, replacement PCs for older-generation hardware that may not play with Windows 10, hardware disposal costs for retired hardware - expensive since medical data is involved so the disposed hardware must be sanitized, possible storage and RAM upgrades in machines kept, upgrade fees for the software that runs on the machines because the currently in use version doesn't work on Windows 10, upgrades to any central IT management systems in place, replacement of random peripherals or equipment because Windows 10 drivers/software aren't available, staff training costs for the new OS/hardware/software, increased support costs during the 'bedding in' phase for the new systems...

      How is such an upgrade going to be performed? How long an outage can the users of each machine tolerate during the upgrade work? Does a whole-machine swap need to be performed on any machines to minimise downtime?

      You can deny there's a health funding crisis all you like because it doesn't fit your political world view but that doesn't make it true.

    4. mark l 2 Silver badge

      Re: From North of the Border

      Jeremy Chunt saved a few million by ending the support contract for XP but how much has this ransomware cost the NHS in lost man hours because people can't do their jobs?

      Let's say in a week all systems are restored and patched; there will be other vulnerabilities in XP that someone could take advantage of and we could be reading the same story again in a few months' time.

      If there are systems where the software will only work on XP it's time to evaluate either having them air gapped, replaced or paying for new software to be written for an updated OS. Keeping the status quo is just not an option.

      On another point, who knew that all it took to get some free XP patches out of MS was a massive cyber attack on one of the world's largest employers.

      On a side note, now that XP is not supported by Microsoft and therefore I'm assuming the EULA agreement is no longer valid, can I now sell my OEM copies of XP? (assuming anyone would want to buy it)

      1. Snorlax Silver badge

        Re: From North of the Border

        @mark l 2: On a side note, now that XP is not supported by Microsoft and therefore I'm assuming the EULA agreement is no longer valid, can I now sell my OEM copies of XP? (assuming anyone would want to buy it)

        I think they need to be sold with qualifying hardware like a 5.25" floppy drive or a 20Gb IDE hard disk?

    5. King Jack Silver badge
      Unhappy

      Re: From North of the Border

      You forgot about privacy issues. Windows 10 reports back EVERYTHING you do with it. So all patients private details would belong to M$. One reason to go in a different direction. Windows 10 is poison.

      1. h4rm0ny

        Re: From North of the Border

        Enterprise licences don't do this. It's only Home and Professional et al. that spy on you. With Enterprise you can disable every last bit of telemetry if you choose.

        Microsoft will provide you privacy if you pay enough.

        1. Doctor Syntax Silver badge

          Re: From North of the Border

          "Enterprise licences don't do this. It's only Home and Professional et al. that spy on you."

          Neither my dentist nor optician are large enough to qualify. They're professionals but don't get treated as such by Microsoft.

    6. Blodger

      Re: From North of the Border

      The cost stated is highly unrealistic. Many XP PCs are unable to run Windows 7\10 so will need replacing; there is no cost shown for necessary software updates\replacement\substitution, training and other equipment replacement, etc.

      The NHS Trusts I have worked for appoint senior IT staff more on a 'political' level rather than effectiveness and there is rarely an IT director with both knowledge and power.

      Until governments and large institutions understand that IT is a backbone infrastructure like telecoms, not just a 'helpful' service, funding it will never be a priority.

    7. a_yank_lurker Silver badge

      Re: From North of the Border

      Wrong analysis, it is the cost of replacing (if possible) existing hardware and software such as an MRI. The OS costs are not the problem but whether the MRI or CT Scan will be certified to use. Part of the blame goes to the regulators who drag their feet on approvals.

      1. Anonymous Coward
        Anonymous Coward

        Re: From North of the Border

        "The OS costs are not the problem but whether the MRI or CT Scan will be certified to use. Part of the blame goes to the regulators who drag their feet on approvals."

        Again - kit like hospital scanners shouldn't be sold in a state where its operation is dependent on commodity desktop PCs and/or desktop commodity OSes. How hard can that be to see? If for some reason only some flavour of Windows/x86 is acceptable, there are "embedded" versions of the desktop OSes, e.g. Windows Embedded is derived from XP and it's supported/patched till 2019.

        https://support.microsoft.com/en-gb/help/18581/lifecycle-faq-windows-products says:

        "Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008, and Extended Support will end on January 8, 2019."

        Anyone who sold (or bought) a long-lifetime high-value system of this kind with desktop Windows as an essential part of it sold (or bought) something that was defective by design.

        That should be obvious even without the involvement of an alleged "regulator".

        The lifecycle management issue gets a lot less troublesome if major components of systems like scanners (or whatever) talk to each other (and to the outside world) using open standards. Open source may have value too, but for vendor-independence and long term compatibility, open standards can be important too.

        Maybe vendor lock in didn't matter to some people. Maybe it should have done.

      2. Doctor Syntax Silver badge

        Re: From North of the Border

        "Part of the blame goes to the regulators who drag their feet on approvals."

        And if they move faster and let something through without thorough testing how does that work out?

    8. uncommon_sense
      Devil

      Re: From North of the Border

      It's not just about the OS!

      It is about supporting some very expensive legacy Hardware, and its associated drivers and applications.

      Exactly WHICH part of your anatomy would you like to entrust to Windows Compatibility Mode?

      "NeoNatal.exe does not work with this version of Windows. Program ABORTED!"

  40. Anonymous Coward
    Anonymous Coward

    Why isn't the true culprit being blamed?

    It's been interesting watching this trainwreck unfold but even more interesting reading all the comments blaming everyone but the true culprits. Microsoft.

    They wrote the shoddy code that the exploit used. I see that the worm uses the SMB v1 buffer overflow "bug". The buffer overflow code is not actually a bug but a piece of very shoddy coding. It seems that someone wrote some code long long ago that adds a long value offset to a short variable. So that tells me that either the code source file was compiled with warnings turned off (the type mismatch warning has been in C compilers since the mid 80's), or some bright spark typecast one or both variables to make the warning go away. I'm tempted to dig out the source code, it's been in the clear and in the wild since the early 2000's, and find the guilty line of source code. Based on past experience digging through the Win32 source codebases (about 400M total) it usually does not take long to track down these types of glaring errors. Yes, MS software engineering really is that lazy and incompetent.

    So this very simple piece of programmer laziness which has probably been compiled millions of times over the years and considered acceptable by MS is the real reason why all those NHS hospitals were disrupted yesterday.

    For all you real old timers out there if you want a really good laugh look at the Win2k/ XP WinExplorer codebase. It is easily the biggest code/project train wreck I have seen in my 30 plus years in the business. And I spent a lot of that time doing code/project turnaround in the Valley. So I've seen inside some absolutely epic disasters. WinExplorer is very much shades of Autocad R13, but with a staggeringly inept team.

    So if anyone wants to organize a pitchfork mob to attack and deal with the real culprits just let me know. I can tell you which exit on the 520 through Bellevue to take. It's the 148th at Crossroads. Turn north at the traffic lights at the end of the offramp.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why isn't the true culprit being blamed?

      But this is just the sort of thing any half competent static analysis tool will barf at straight away, regardless of explicit typecasting. Are you suggesting Microsoft never linted their production code even once? For it not to have been spotted in 20 years suggests to me it was worked in with some care, thus an 'inside job'.

      1. jmcc

        Re: Why isn't the true culprit being blamed?

        As I said, the most amazingly amateurish junk code has been shipped in Win16/32 for decades. You should see some of the Win16 code. Which is still in there. Despite what senior MS management might say. The only part of the Win32 codebase I've seen over the years that is in any way of professional quality is the NTKernel code. Which mostly came from DEC with Cutler's team. It's actually quite well written. Much better than the tat in Linux.

        Given the way that MS operates internally for as long as I can remember, which would be late 70's, almost all their dev teams by their very nature produce buggy ill-designed code. You get promoted for shipping, something, anything, not for fixing stuff or producing stuff that works. It's a toxic work environment. You don't need any kind of conspiracy theory to explain all the security exploits in MS products, just monumental arrogance and contempt for the users. They ship version after version of a totally insecure product because they don't have to care. Never did, never will.

        If you are looking for deliberate exploits and backdoors written into MS code look at the BSD stack based networking stack code. For some reason that is the one part of the OS stack build that is built on a completely separate build tree. Everything else is in one single build tree. Everything from Minesweeper, through IE to the complete security stack, cert generators and all. All of which source code has been kicking around readily available since at least 2003.

        Even if MS by local law was not required to show the full OS stack source code to all the big state players' TLAs, they would have little problem finding literally hundreds of exploits to use in the current Win32 codebase. Luckily for the rest of us, with one or two exceptions all the virus/malware authors are just script-kiddies, technically illiterate, and based on past performance, as thick as bricks. Because the Win32 codebase is such a stinking compost heap it just needs one guy who is halfway technically competent to create an extinction level event for Win32. Because the old C2 Level security joke is still true. The only real C2 Level secure version of Win32 is when the machine has all network hardware removed and all i/o ports physically disabled.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why isn't the true culprit being blamed?

          Is the above true! (insert pointing Saddam Meme here)

          And will we be looking at new laws to ensure minimal software quality and fitness for purpose (as opposed to laws allowing vague assurances, security through obscurity and patent-ladening to make sure it's "all mine")

          Maybe insurers will feel a sudden money drain and pick up the phone to the Ministry of Economy?

          1. jmcc

            Re: Why isn't the true culprit being blamed?

            By an odd coincidence, while digging through the stacks of multi TB drives tonight looking for ten year old project code, what turns up but the Win2k/XP codebases. So what the hell, let's do a quick search for clues. Well, at least some of the XP code tree is compiled with W3/WX flags on. So any type short / long mismatch would have stopped the compile dead if those flags had been turned on for the relevant SMB v1 source code. A little more digging and I find some SMB data structs in header files and lo, what do we see? Some have length fields defined as unsigned shorts and others have length fields defined as unsigned ints.

            Bingo.

            The difference between a senior C programmer and a junior C programmer is that the senior guy knows that sizeof(short) is not always equal to sizeof(int). The size of a short is standard in the C language, 16 bits. But the size of an int is compiler dependent. (Puts on best Michael Caine voice.. Not a lot of people know that..) Which is why that compiler setting is there. In the early years the default was int=short but for many years now it tends to be int=long. Which is 32 bits.

            Which is why since the early 1990's whenever I took over a C/C++ code base the first thing I did was go through all the structs and remove every last int field. Changing it to short or long as required. It avoids nasty surprises.

            Another wonderful data size gotcha is just how wide is an enum datatype field. Because you see compilers have this option to have packed enums... so better to force them into longs. Always. Because if you are not careful the field width could be char, short or long depending on what the highest enum value is. And the funny thing about enums is that over the lifetime of a codebase they have this tendency to grow, add new entries. And before you know it the max value no longer fits in a char or a short and there are offset mismatches between new and old exe and stuff starts blowing up in unexpected ways.

            And that's how most exploits are begat..

            It's basically all a bit like British Leyland in the 1970's I'm afraid.
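The short/int width hazard discussed in the exchange above, as an added example rather than code from the thread or from any Microsoft source: a 32-bit length arrives on the wire and is stored in a 16-bit struct field. The naive assignment truncates modulo 2^16 and produces a value that can look consistent with the bytes received while the original 32-bit value still says otherwise; the checked version refuses anything that does not fit the field or exceeds what was actually received. The message layout (a 4-byte little-endian length followed by payload), the `struct record` type and all function names are constructed for the demonstration and do not describe the SMB format.

```c
/* Added example, not code from the thread or from any Microsoft source:
 * how a 32-bit wire length can be silently truncated when stored in a
 * 16-bit field, and the checks that prevent it. Message layout and names
 * are constructed for the demonstration, not taken from SMB. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 4   /* constructed header: 4-byte little-endian payload length */

/* Internal record that keeps the length in the narrower field
 * (the "unsigned short" case from the thread). */
struct record {
    uint16_t data_len;
    const unsigned char *data;
};

/* Naive path: implicit narrowing. C performs it modulo 2^16 and, without
 * -Wconversion (gcc/clang) or a warning level that enables C4244 (MSVC),
 * says nothing. 0x10010 is stored as 0x0010. */
uint32_t naive_truncate(uint32_t wire_len)
{
    struct record r;
    r.data_len = wire_len;
    return r.data_len;
}

/* Decode the little-endian length without depending on host byte order. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Checked path: accept the message only if the claimed length fits the
 * field it will be stored in AND those bytes were actually received.
 * Returns the accepted payload length, or -1 if the message is rejected. */
long parse_payload_len(const unsigned char *msg, size_t msg_len, struct record *out)
{
    if (msg_len < HDR_LEN)
        return -1;                          /* header itself is incomplete */
    uint32_t claimed = read_le32(msg);
    if (claimed > UINT16_MAX)
        return -1;                          /* would not fit the 16-bit field */
    if (claimed > msg_len - HDR_LEN)
        return -1;                          /* claims more than was received */
    out->data_len = (uint16_t)claimed;      /* explicit cast, now provably safe */
    out->data = msg + HDR_LEN;
    return (long)out->data_len;
}

/* Build a constructed message whose header claims `claimed_len` bytes and
 * which actually carries `payload_len` filler bytes. Returns bytes written. */
static size_t make_message(uint32_t claimed_len, size_t payload_len,
                           unsigned char *buf, size_t cap)
{
    if (payload_len + HDR_LEN > cap)
        return 0;
    buf[0] = (unsigned char)(claimed_len);
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len >> 16);
    buf[3] = (unsigned char)(claimed_len >> 24);
    memset(buf + HDR_LEN, 'A', payload_len);
    return HDR_LEN + payload_len;
}

/* Honest message: claims 16 bytes and carries 16 bytes. Accepted as 16. */
long demo_honest_message(void)
{
    unsigned char buf[64];
    struct record r;
    size_t n = make_message(16, 16, buf, sizeof buf);
    return parse_payload_len(buf, n, &r);
}

/* Mismatched message: claims 0x10010 bytes but carries 16. The naive store
 * would record 16 and look consistent with the payload, while any code
 * still using the 32-bit value would read 64 KiB past it. Rejected (-1). */
long demo_oversized_message(void)
{
    unsigned char buf[64];
    struct record r;
    size_t n = make_message(0x10010u, 16, buf, sizeof buf);
    return parse_payload_len(buf, n, &r);
}

int main(void)
{
    assert(naive_truncate(0x10010u) == 0x10);
    assert(demo_honest_message() == 16);
    assert(demo_oversized_message() == -1);
    return 0;
}
```

Compile with `-Wall -Wextra -Wconversion` (gcc/clang) to see the diagnostic the naive assignment produces; the checked function compiles clean because the narrowing is explicit and guarded. The same pattern (range-check against the destination type's maximum, then against the bytes available, then cast) applies to any protocol parser that keeps lengths in a narrower type than the wire format uses.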

  41. Mandoscottie

    can someone remind Amber Rudd why wanting back doors is BAD news.

    title says it all!

  42. Anonymous Coward
    Anonymous Coward

    Windows XP

    Why are people still using it again?

    1. jMcPhee

      Re: Windows XP

      Because most people have no interest in fattening M$'s, Dell, and Intel's bottom line

    2. Duffaboy
      FAIL

      Re: Windows XP

      I still build XP devices for big customers, it's their choice and legacy systems, there's your problem

    3. BongoJoe

      Re: Windows XP

      Because I am a one man company with an application written in Visual Studio 6 which extends to over 130,000 lines of code and I don't have the time to rewrite it for .Net.

      And why would I need to rewrite it? Because there seems to be a discrepancy between how I and Microsoft define 'compatibility' when it comes to backward compatibility.

      Under the latest operating systems it simply borks loading into the VS compiler. And there was me at the turn of the century choosing that operating system and Microsoft because then back in those heady days things were steady, stable and supported.

      So, unless I stop work for a good number of months and recode everything I am stuck with XP. But I would simply just retire first and have done with it all. And if I did move to rewrite everything then it wouldn't be using .Net because I don't trust Microsoft any longer not to change things with .Net.

      Which they have done so already.

      So, what would you suggest that I do here? Seriously, what is your real world solution? And, oh, in case you ask why I haven't been slowly recoding this over the last fifteen years it's because I have been adding features to the application and things don't stop.

      1. Ken Moorhouse Silver badge

        Re: So, what would you suggest that I do here?

        I think Microsoft treat their developers very shoddily. The irony is if third party tools had been chosen your app would likely run on much later OSes. I still have programs written pre-millennium which are still in service. I went the Borland route (Turbo Pascal) and have stuck with them and successor Embarcadero ever since. Over the years I have had to make changes to some programs written as far back as Delphi 1 and so long as there's no wacky components used (a perennial problem for many types of developers) migration is painless (notwithstanding refactoring lol). I've spent a lot on tools over the years as it is my livelihood, but casual developers can use tools such as Lazarus with similar results.

      2. John Smith 19 Gold badge
        Unhappy

        " because I have been adding features to the application and things don't stop."

        That explains your software (what does it do BTW?)

        I did not realize that all the core hospital management systems were also written by one man bands.

        1. John Smith 19 Gold badge
          Unhappy

          @Ken Moorhouse.

          "That explains your software "

          Being a 1 man business does indeed perfectly explain why you cannot migrate. You just don't have the developer resources.

          But AFAIK none of the healthcare software companies are one man businesses. They have dev teams. Planned migration should absolutely be an issue for their development managers.

          What I can't understand is why it does not appear to have been the case.

          1. Ken Moorhouse Silver badge

            Re: @Ken Moorhouse.

            AHEM.

            I (a one-man band) have written software for NHS Trusts (and other large organisations) - and NOT as a sub-contractor either.

            And why not? So long as there is a mechanism for dealing with the situation where I get run over by the proverbial bus, everyone benefits. There is supposed to be an obligation for organisations such as the NHS to allow small companies such as myself to win business that would hitherto go to monolithic corporations with (i) no enthusiasm to do the job properly and (ii) on a Cost Plus basis.

            If software does the job that it is set out to do, and all parties involved with it are happy with it - why should it become obsolescent? Is the newer version actually any better? In many cases, I think not.

            Old pc's should not find their way into landfill, but nevertheless there is an ecological cost involved in salvaging the materials in order to reuse them.

            "You just don't have the developer resources." The problem often is that everything is tested on a platform that is supposed to be rock solid. Developing for Windows environment is a bit like trying to build a castle on sand. This doesn't just affect one-man bands such as myself - it affects the big-boys just as much. What kind of "version-control" does Windows offer that interlocks with software written by third-parties?

            1. John Smith 19 Gold badge
              Unhappy

              Re: @Ken Moorhouse.

              "I (a one-man band) have written software for NHS Trusts (and other large organisations) - and NOT as a sub-contractor either."

              So I was wrong. Some of that NHS LOB software was written by a one man band.

              Have you been asked to upgrade off XP and what did you quote them?

              "And why not? So long as there is a mechanism for dealing with the situation where I get run over by the proverbial bus, everyone benefits. "

              Well the obvious one is you don't really have the resources to upgrade your development environment and actually migrate your products to anything more recent.

              That's not to say you're the only brake on the migration problem, but you are one of them, aren't you?

              "If software does the job that it is set out to do, and all parties involved with it are happy with it - why should it become obsolescent?"

              Have you actually been following this story and if so do you understand it?

              We know there are holes and faults in Windows. Can you certify your code is actually bug free? If you're a one person development shop that means the only person who's likely to have reviewed your code is you. No offense but studies indicate you're very unlikely to be objective.

              "There is supposed to be an obligation for organisations such as the NHS to allow small companies such as myself to win business "

              And it looks like in your case they did exactly that. Congratulations.

              However I think most people who supported that sort of thing were thinking of smaller teams (IE 10-40 staff companies) not 1 man bands.

              "Is the newer version actually any better? In many cases, I think not."

              You're entitled to your opinion but the newer versions don't have this fault in the SMB implementation so I'd say you were wrong.

              "Developing for Windows environment is a bit like trying to build a castle on sand. This doesn't just affect one-man bands such as myself - it affects the big-boys just as much. "

              "The big boys" (and in this case that means a partnership or above) can divide the task and assign someone else to it.

              "What kind of "version-control" does Windows offer that interlocks with software written by third-parties?"

              Perhaps you should find out, since you're being paid to do this? You could start by checking the major and minor OS and software image version numbers in the PE modules of the installation, along with their paths and file names. This is the sort of stuff tools exist for. Perhaps not an interlock but it gives you a much clearer idea of the environment you're running on, and when some part of it has changed.

              1. Anonymous Coward
                Anonymous Coward

                Re: @Ken Moorhouse.

                "So I was wrong. Some of that NHS LOB software was written by a one man band."

                More than you think. The thing about highly-specialized, very-expensive stuff like medical equipment is that it takes a very special kind of firm to supply that need. Thus the industry is very niched; there aren't many suppliers and most tend to think alike due to the intricacies of that industry.

                "Have you been asked to upgrade off XP and what did you quote them?"

                The answer would be, "CANNOT QUOTE" because one-man bands tend to be busy sorts. The real answer would be, "Join the queue," since everyone ahead of them also has skin in the game.

                "Have you actually been following this story and if so do you understand it?"

                Yes, and why is it so relevant in the software industry as opposed to any other industry like, say, heavy machinery, which also features things with an average working life in the decades?

                ""The big boys" (and in this case that means a partnership or above) can divide the task and assign someone else to it."

                They're also a lot busier and tend to have more jobs to work with, meaning even if they divide the task, they may not be able to devote enough resources to it due to conflicting jobs and queues.

                1. John Smith 19 Gold badge
                  Unhappy

                  @AC "The thing about highly-specialized, very-expensive stuff like medical equipment "

                  He seemed to be talking about actual staff facing SW, not the embedded stuff driving some specialist machine. The logical ways to handle those AFAIK are

                  a)Implement on embedded XP which is still under support till 2019.

                  b) Dead end that box onto a modern Windows PC (we know the NHS runs Win7 boxes at least) without the SMB vuln. Run a task on that to check when the machine has produced some new results and copy them to its own storage. Everything then access that (more up to date and secure) machine.

                  I'm trying to shorten posts so I'm not going to go point by point.

                  RE: M/C tools. What makes you think they won't have problems? This will affect any big piece of capital equipment that's got a microprocessor based control system with either direct or indirect access to the internet. Today that is just about all of them.

                  Years ago the then head of Novell (remember them?) said MS likes to turn over the user base every 18 months. That may have lengthened a bit but that it's still basically true.

                  Months, not years.

                  Any developer (or their company) who signs up to the MS ecosystem (from OS to DB to Apps even to the language) had better be prepared to retrain on a regular basis (that's true of all environments, but especially MS). If you don't want to do this you have 3 options.

                  1) Run your software on the "Embedded" version, which has longer support cycles. Of course that will need your customers to be OK with this. Shouldn't be an issue with specialist machines supported by 1 PC. Not so easy if all the desktops need Embedded to run (although it may work out cheaper in the long run).

                  2) Run it in a VM (assuming there is a VM or compatibility mode that supports it and they are happy to run it) on your customers machine. We know how well that's working in the NHS.

                  And why exactly should they have to do this because you won't upgrade?

                  Trust me when I say the answer "Because there's many other companies who need to do this as well" to a customer sounds just like an excuse to not do the work.

                  I'm sure it's perfectly true. It still sounds like an excuse to a customer. Forget what other companies need to do. Focus on your own.

                  3) Give up taking on new customers and have the company survive on supporting their existing customers till the business shuts down or they migrate off your applications.

                  Referring to the OP I'm amazed any NHS Trust entrusted an app to a 1 man band. Smaller suppliers yes, 1 man bands no. I'll skip what my instincts say about such a selection.

    4. Doctor Syntax Silver badge

      Re: Windows XP

      "Why are people still using it again?"

      Why is this question being asked again?

      Go and read through comments in many MS-related threads including this one. You'll find it explained time after time.

  43. Charlie Clark Silver badge

    Hunt the Cunt

    A large part of the organization's [NHS] systems are still using Windows XP, which is no longer supported by Microsoft, and Health Secretary Jeremy Hunt cancelled a pricey support package in 2015 as a cost-saving measure.

    And they still expect people to trust them over the NHS and security? They're having a fucking laugh!

    Maybe if Hunt had devoted more resources to IT security and less to taking on junior doctors then this would never had happened.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hunt the Cunt

      Do we have some electioneering going on, surely this was worth up not down votes...unless of course you are a Tory party member?

  44. J J Carter Silver badge
    FAIL

    Inevitably, GDS had a role in the fiasco!

    https://www.theregister.co.uk/2015/05/26/uk_gov_bins_extended_windows_xp_support_contract/

    Laggard agencies understand the risks and can cope, says GDS

  45. J J Carter Silver badge
    Thumb Up

    Yes!

    I see MSFT Marketing have been quick off the mark, offering Windows 10 Upgrade for Health-care Professionals "Pooped your breeks" Edition with Bing

  46. steviebuk Silver badge

    Will this be used as an excuse.....

    ...by a certain UK government to claim "This is why we need to ban encryption or give governments backdoors".

    The answer of which should be "NO! Considering the current malware attack is looking more and more likely because the NSA leaked exploits were used, it would 100% mean that at some point, the criminals would also end up with access to your backdoors".

    1. John Smith 19 Gold badge
      Gimp

      ""This is why we need to ban encryption or give governments backdoors"."

      Absolutely.

      Yes the actual evidence is that in fact the exact opposite is true.

      Won't make a difference.

      You see an IT support train wreck.

      The data fetishist sees an opportunity.

  47. Anonymous Coward
    Anonymous Coward

    on the upside....

    I have lost count of the number of times that I have warned companies of running unpatched OSes and most recently I used ransomware as an example. It still fell on deaf ears.

    Most corporate 9-5 IT people in the media industry seem to be blissfully unaware of almost anything security related.

    Aside from cost, the most cited reason to never update anything is a paranoia that patches are bad and will break everything. And halfway through explaining how to mitigate this, they realise that this will mean additional workload and possibly more staff to cope and decide to do nothing.

    I am glad to be out of the last company that I worked with. I would not be surprised if they have been affected by this and are now sitting on several Petabytes of encrypted media content that cannot now be used to broadcast television channels.

    If you start seeing an unusual amount of repeats on TV, that will be why as they scramble to delete and re-ingest the vast amounts of media files which would take months.

    The good thing about this episode is that it is so high profile that no CTO or even IT manager is going to want to be caught out by it again and cannot refuse to address the problem of running obsolete OSes and maintaining a policy of never patching anything again.

    I am not embellishing this either, there really is a policy of attempting to ring fence (impossible as outside connectivity is always required) and never patching anything from the point of commissioning.

    There is also now a better reason to put pressure on three-letter agencies to actually protect us like they are supposed to instead of spying on us; when they find an exploit they must now ensure that it is patched instead of sitting on it for their own nefarious purposes that might just be putting innocent lives at risk right now.

    1. Doctor Syntax Silver badge

      Re: on the upside....

      "The good thing about this episode is that it is so high profile that no CTO or even IT manager is going to want to be caught out by it again and cannot refuse to address the problem of running obsolete OSes and maintaining a policy of never patching anything again."

      I'd like to think you're right. Cynicism says that there'll be a subset of bean counters* for whom it confirms their belief that IT is a net very good cost centre.

      *Bean counters are, of course, a cost centre but they lack self-awareness.

      1. hmv

        Re: on the upside....

        It's interesting to note that since incidents like this one have started hitting mainstream TV news, the message of "must patch" has gotten easier to push. It's still like pushing a boulder up a hill, but at least it's no longer a mountain.

        (Been pushing that boulder for 27 years)

  48. steviebuk Silver badge

    Waiting on crap from the Home Secretary

    Waiting on bollocks to come from Amber Rudd now. She'll no doubt claim this is why they need backdoors or to ban encryption. Because she hasn't got a clue how IT works.

  49. Steven Jones

    Questions to ask the US government

    If this was a known vulnerability which the US government had forced upon Microsoft, then this is going to cause the most enormous international row at government levels. Or at least it ought to do.

    It will start making countries think twice about leaving national infrastructure vulnerable to the whims of a foreign power.

  50. Swiss Anton

    Political SNAFU

    Ultimately this is a political SNAFU. You can blame the health trusts for not updating their computers, the poor sod(s) who infected the IT systems in the first place, and maybe even Microsoft for everything else, but the government (or a previous government) should have put laws in place to ensure that all nationally important IT systems are fit for purpose, that they are well defended, and that they are maintained by qualified and competent people who are accountable to a professional body (just like the clinicians).

    The attack on the NHS is bad and may cost lives, but it's only affecting a small, but sizeable, percentage of the population. Imagine what will happen if the organisations that we rely on are similarly attacked, organisations like the food retailers, water & power companies, and even the banks.

    1. Boris the Cockroach Silver badge

      Re: Political SNAFU

      If there was such an attack on the banks, the crooks would be had up against a wall and shot before you could say SMB bug.

      Remember, the government only cares about money .. usually belonging to its political bribers... sorry donators.

      1. Charles 9 Silver badge

        Re: Political SNAFU

        "If there was such an attack on the banks, the crooks would be had up against a wall and shot before you could say SMB bug."

        Unless, of course, the crooks were found to be protected by hostile governments. Are you willing to declare World War III over a bank hack?

    2. Sam Haine

      Re: Political SNAFU

      "the government ... should have put laws in place to ensure that all nationally important IT systems are fit for purpose..."

      It's broadly covered by the Civil Contingencies Act 2004.

  51. J J Carter Silver badge
    Holmes

    The most critical govt. IT service?

    Of course it's DWP's system for handing out benefits, there would be rioting across the country if the bennies weren't distributed.

    That's why their mainframes have triple redundancy.

    1. cantankerous swineherd Silver badge

      Re: The most critical govt. IT service?

      don't get ill, don't get old.

    2. Mr Dogshit Silver badge

      Re: The most critical govt. IT service?

      RE: "DWP's system for handing out benefits"

      Erm... that happened back in 2004, remember?

      https://www.theregister.co.uk/2004/11/26/dwp_network_outage/

  52. Anonymous Coward
    Anonymous Coward

    Is Windows 8.1 not affected, 'cause the patch I downloaded for Windows 8 can't install.

    1. davidp231

      Partially because Windows 8 and Windows 8.1 are two separate entities.

  53. Anonymous Coward
    Anonymous Coward

    The first rule of business is protect the business!

    I believe that can be attributed to the mafia.

  54. Anonymous Coward
    FAIL

    Executive summary

    Use Windows? Get owned.

    1. Charles 9 Silver badge

      Re: Executive summary

      So if people have no choice but to use Windows due to contracts or exclusive software, the only option is to bend over?

      1. dbtx Bronze badge
        Unhappy

        Re: Executive summary

        They have to choose to not use that software or sign those contracts. They have to PUSH BACK when they're pushed, which of course nobody does... but "crazy" people will, like RMS has been preaching that for decades. I just wish he had a tad better sense of good presentation.

        1. Charles 9 Silver badge

          Re: Executive summary

          But what if you're up against the proverbial immovable object, when no haggling whatsoever will work, and EVERY supplier's the same way? Remember, medical tech is a very niche industry.

          1. Kiwi

            Re: Executive summary

            But what if you're up against the proverbial immovable object, when no haggling whatsoever will work, and EVERY supplier's the same way? Remember, medical tech is a very niche industry.

            You're wanting to buy a $multi-million piece of kit, or several $100k, or perhaps several hundred in the $10k ranges. You demand "No MS". Vendors will be talking to the writers of the many thousands of programs that are cross-platform. Are you not aware of the many thousands of programs, a large % written by "one man bands", that are cross-platform? Or bigger orgs (Mozilla, Apache, whoever does LO to name a quick few) who would gladly lend a bit of code and expertise to such firms?

            No. No one holds a GUN to their HEAD and forces them to use MS only.

          2. dbtx Bronze badge

            Re: Executive summary

            "medical tech is a very niche industry."

            which I hope also means that customers are in short supply and losing one is that much more painful. But if nobody cares, then no one will. It's sad to say that unwilling potential future victims have to consciously create-- at their own risk-- any incentive to stop doing the stupid trendy things. Don't haggle, just tell them about your requirements, require any kind of sane platform within your own definition of sanity, and be prepared to keep shopping for a while.

  55. Anonymous Coward
    Anonymous Coward

    People deserve this. There has never been a computer that couldn't fail and affect me more than a couple of hours max.

    Back your shit up. This BS shouldn't catch you out

    Reformat restore. Done.

    1. Charles 9 Silver badge

      Unless the BACKUPS got infected, too. That's a known tactic of sleeper malware.

  56. Anonymous Coward
    Anonymous Coward

    Install FreeBSD

  57. UncleDavid

    Why connect to the killswitch server?

    One thing I don't understand about the kill switch. It seems to look up the garbage name, and then connect to the server to see if it's responding. But since the key action seems to be registering the name, then surely having DNS return a valid IP address should be enough to say "stop". There would be no need to go on with a connection; the server itself could be clogged (the more successful the spread of the malware, the more likely that is), or down for a while, so the success of the kill would be flaky.

    Or is the idea that, even after the name is registered, the kill switch can be turned back on by just shutting the service down?

    1. Ken Moorhouse Silver badge

      Re: Why connect to the killswitch server?

      The revised explanation for the purpose of the killswitch was on (I think) bbc.co.uk. The purpose of the domain lookup was to somehow detect whether or not the malware was installed into a virtual machine. If it was then it was to shut up and not do anything, the thought being that in a VM environment then it was being reverse engineered.

      Could someone here explain the difference between making those (presumably) zone edit calls within a VM and making them in a normal environment because I can't see how that would make a difference. There must be easier, non-spoofable ways of guaranteeing whether an app is executing within a VM or not. (EDIT: Unless it is working on a TTL basis, if the hop count is low perhaps then that indicates it's locally registered).

      1. Ken Moorhouse Silver badge

        Re: Why connect to the killswitch server?

        Full analysis here by MalwareTech:-

        https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

  58. Bigdecko

    Is there any point in keeping GCHQ?

    Once again the British government's much-vaunted GCHQ shows itself to be the useless and inept organisation that it is. They couldn't prevent the recent Westminster attack despite the killer being on their radar prior to the atrocity and now we have the failure to prevent this NSA-POWERED menace ( Oh, God bless America! ) from debilitating OUR hospitals???? FFS!!!! The only thing that they seem to be good at doing is shutting the barn doors after the horse has fled! Complete waste of taxpayer money ( so what else is new!? ) And btw, if the NHS is in crisis there's only one group of people to blame ( clue - 10 & 11 Downing Street. ) Rant over.

    1. Charles 9 Silver badge

      Re: Is there any point in keeping GCHQ?

      Yes, because any alternative could be FAR worse. Better the evil you know...

  59. a cynic writes...

    Can I just check...

    ...I'm not the only one who has been logging into work to check, despite knowing I'm up to date with patches, just to make sure.

    My youngest hasn't of course. The little git is a PFY in a linux shop. He's just wandered round looking smug.

  60. ecofeco Silver badge

    comcast in the U.S. may be affected

    Comcast internet is having national issues for the last 8 hours. Intermittent and sporadic depending on region.

    Coincidence?

    1. Marketing Hack Silver badge
      Trollface

      Re: comcast in the U.S. may be affected

      I doubt this is impacting Comcast. Based on my customer service experience with them, their computers are down at least half the time anyway, so they are used to operating (poorly) without them :)

  61. Paul

    I can imagine the following scenario being replayed many times, in many board rooms, in many businesses across the world.

    "So, the sysadmins say they need £75k to upgrade the firewalls, £45k to upgrade all the oldest computers to a new version of windows, and £30k for misc software and training. Oh, and another £100k/year for a security specialist. So we need 250K right now"

    "Meanwhile, our company cars are up for renewal, they're nearly 3 years old and we need £150k for that, plus our bonuses are £40k".

    "We can't afford it all, so since we've not had any significant security incidents, let's put off most of the computer stuff, and we can still get our cars and bonuses? All agreed? Carried unanimously!"

    1. Anonymous Coward
      Anonymous Coward

      I have literally seen companies refuse to update their XP systems, and instead assign the budget to new office chairs for the C level staff at a cost of £700/chair.

      Outside of IT companies, IT updates and IT security are seen as an unnecessary cost because 'we've been OK so far' and there's no cost-benefit argument; arguing with hypotheticals like 'we might get hacked' simply turns into he-said she-said of not how to prevent it, but whose fault it will be if it happens...

      No-one cares.

      It's really that simple.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        "No-one cares.

        It's really that simple."

        They might care, if the costs of disruption were to come directly out of the organisation's/management's budget rather than being treated as a "nothing we could have done about it" issue where the costs are passed on to anyone but those who were responsible (and those who should be held to account).

        At one time there was a role for insurers, public liability, etc in cases like this, even where software was involved. What happened? No one wants to argue with MS because they've got big money and can afford big lawyers ? Or what?

        1. Anonymous Coward
          Anonymous Coward

          "At one time there was a role for insurers, public liability, etc in cases like this, even where software was involved. What happened? No one wants to argue with MS because they've got big money and can afford big lawyers ? Or what?"

          Rainy Day funds, probably, because essentially Crap Happens (if not here then elsewhere or through Acts of Deities), so they just figure the odd disaster as The Cost of Doing Business.

    2. Tom 7 Silver badge

      RE: We can't afford it all

      I worked for one company that sadly told us it didn't have enough money for the touted 1% pay rise as the end of the world was near and a couple of days later the company accountant turned up in a new car where the wheels alone would have paid for the 1% rise. And they wonder why people don't think it's worth working their arses off for them...

    3. Nano nano

      So their first step should be to see what's possible - biggest bang per buck.

  62. eesiginfo

    Head in hands or head in sands?

    Way too much crap talked about people running XP systems.

    People on very high horses telling people that they should somehow find the money to upgrade their hardware to then allow them to upgrade their software...

    ... all to fix a security flaw in the original software.

    Fine if new drivers are not supported... new programs don't work... hey that's fine.

    But when you first issue a security patch for 'paying support' users... and not issue it to everybody????

    Okay... so a few days later (like today or yesterday) they finally list the XP patch as a universal download... but it's already too late for many AND how many people read "the patch is for support paying members only"?

    That statement is still up BTW.

    However, I know many people still running XP, so I persevered until I found the downloadable patch:

    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

    What would it have cost MS to have released this immediately?

    1. Steve 114
      Windows

      Re: Head in hands or head in sands?

      XP is around here on some old kit, because it's all that keeps ancient installed software running on the few days it's needed. Everything else is on Win10, which I reluctantly quite like (once defanged), and which insists on updates for a REASON. Microsoft's error was not to provide a user-friendly upgrade path from popular XP, with some kind of sandboxed way of running DOS-like legacies. Upgrades from 7 worked (mostly) well, upgrade from XP to 7 (despite the best efforts of paid-for 3rd parties) was very hit and miss.

      All my cousins with XP would happily pay £100 for transition to Win10 (provided they don't need new hardware) but I'd have to reassure them that all their old programs and drivers would still work. Meanwhile it's no more difficult to dual-boot them to Mint xfce for emergencies, not that they can be bovvered to use it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Head in hands or head in sands?

        "All my cousins with XP would happily pay £100 for transition to Win10 (provided they don't need new hardware)"

        And therein lies your problem. XP can be run on a P2-class computer with only 512MB of memory (256MB if you go lean with your programs). Last I checked, Win7 starter needs 1GB and at least a P3-class processor. Win7 uses the more modern driver model and desktop compositor.

    2. Destroy All Monsters Silver badge

      Re: Head in hands or head in sands?

      Not a lot and maybe lawyers will smell blood in the water, enormous arse-ripping events will be observed and attitudes in the "industry" will change.

      Could be occasion for a Righteous Presidential Tweet (RPT) to start things moving.

  63. sanmigueelbeer Silver badge

    Linux as an option

    Let me put it out there that in the case of NHS Linux is not an option.

    Has anyone been in a hospital IT environment where everything runs on Linux? An office, yes it's possible. A hospital where there is a dog's-breakfast of OEM and dodgy medical equipment interconnected to one another (and some of this equipment can only operate with "admin" rights)? In a flat, Layer 2-only network?

    Name two of them and I'll fly myself over.

    We always say that when implementing a project one has three options:

    1. It works;

    2. It's cheap; and

    3. Delivered on time

    Now pick TWO (2) options.

    1. Anonymous Coward
      Anonymous Coward

      Re: Linux as an option

      You are talking out of your backside.

      The expertise already exists within the NHS to do the necessary migration, but it requires thinking from C-level execs (about something other than their bonuses), and funding (which is currently being spent on migrating W7 systems to W10 - what a waste).

      The major problem is users, and MS's software (and third parties) encourages very bad habits, HTML emails being one outstanding example. There's no easy answer, but if no-one bothers looking...

      Can't post using my real name, too revealing.

    2. Destroy All Monsters Silver badge

      "We shall redouble our efforts to improve the basic computing infrastructure"

      Sometimes one wishes to see elegant germanic uniforms worn by highly capable people with unquestionable authority to get messes sorted out.

      Or maybe a visit by Darth Vader to make sure procurement and implementation stay on track and politics don't interfere all too much or are at least single-sourced.

    3. truetalk

      Re: Linux as an option

      Linux is used within imaging departments on some medical equipment. Unfortunately so is Windows and it's usually Windows that is high maintenance. GE's SPECT/CT.. Linux acquisition front end, processing stations Windows.. And you know what got infected by WannaCry, not Linux.

      Windows Sir is a ******* pain in the butt and should not be used in mission critical equipment.

  64. This post has been deleted by its author

  65. Anonymous Coward
    Anonymous Coward

    GCHQ and Patches

    Can someone explain to me why it costs a lot of money to install the patches on an NHS network when Microsoft releases them? Is there some reason why they don't want to install the patches?

    How come an amateur but hacker registered the domain and stopped the malware and GCHQ and all the other world's intelligence agencies didn't understand this would work?

    1. robidy
      Holmes

      Re: GCHQ and Patches

      You ask 2 questions -

      1. It's a complex mess no one has the resources to fix as those looking after procurement seem to spend more on over priced hardware and broken systems than basic proactive maintenance. Have you ever tried to patch 10,000 machines in a live environment that can have life and death consequences...you have two competing pressures..."the system works so why fix what ain't broken" versus "these patches could stop a big problem that our firewalls and group policies don't", one costs more money than the other and breaks the golden IT security rule that is "assume everyone else has made a mistake a hacker will find".

      2. They want to know who is behind it, whilst this chap stopped the spread...it's only version 1 he stopped, now GCHQ and the like have a much tougher job of identifying them as they'll cover their tracks more effectively...this is why MS have suddenly issued patches for XP and Windows 8...oh and server 2003.

      The fact Microsoft issued patches opens an important debate: can we force Microsoft to issue patches for critical vulnerabilities for free on the grounds of national security, including previous versions (note I'm referring to critical security vulnerabilities, not old versions of features)?

    2. Charles 9 Silver badge

      Re: GCHQ and Patches

      Three words, repeated over and over:

      Patches BREAK Things. Do you want the computer controlling the 6-to-7-figure MRI machine to be borked by a patch? Hard to believe, but a VERY real possibility.

      1. anthonyhegedus Silver badge

        Re: GCHQ and Patches

        And that's why the choice of OS is so important. Not Windows would have been a good choice.

        1. Charles 9 Silver badge

          Re: GCHQ and Patches

          Unless there WASN'T a choice. If ALL the suppliers (and note that medical equipment is considered a niche industry: few suppliers) shipped their machines with Windows and nothing else, how would you go about with your goal, especially if the machine needs to be obtained in a timely manner because it's replacing a broken unit?

          Besides, Linux isn't immune to this, either. Hardware support CAN get borked by a kernel change (because the hardware driver requires something in the part of the kernel that got changed).

      2. a_builder

        Re: GCHQ and Patches

        Yes, I have done that. 15 years ago borked an NMR (same as MRI) machine with an update. And felt very stupid for trying to be Mr IT security. It was totally secure because nothing worked!

        It took us the best part of a week to repair the power amplifier that had self destructed as a result of the 'patch'.

        I'm afraid this is why most people in the science field leave things like this well enough alone.

        Most of the instrument architecture is in itself utterly not secure and relies on the separation of the LAN ethernet connection to the private ethernet connection to the instrument. On the other hand what goes on inside these things is so obscure that the number of people who really truly understand the workings is absolutely tiny. I still get calls from former colleagues asking how does XYZ control ABC after 15 years away from it.

        And that is the issue: the number of people who understand enough of the physics and electronics and experimental needs to sort these things is measured in a few hundred on the entire planet. There are literally two labs in the UK that would really understand an NMR or MRI from one end to the other. Lots, relatively, understand the physics bit, a few understand enough of the electronics to fix bits of it and virtually nobody understands the instrument firmware.

        The best solution is to remove any browsers or email clients on the instrument control computer (and anything else that is not 100% required) and then connect the XP box via a multi LAN NAS with configurable firewalls such that the SMB1 protocols can exist private side and be actively blocked on the public side and say only SMB3 be used on the public side. Sure there are other ways of doing this but a Synology NAS will do that just fine for not a lot of bucks. That way the disk can be mounted virtually and seen by the network and by the XP box with minimal security risk.

        1. Anonymous Coward
          Anonymous Coward

          Re: GCHQ and Patches

          "The best solution is to remove any browsers or email clients on the instrument control computer (and anything else that is not 100% required) and then connect the XP box via a multi LAN NAS with configurable firewalls such that the SMB1 protocols can exist private side and be actively blocked on the public side and say only SMB3 be used on the public side. Sure there are other ways of doing this but a Synology NAS will do that just fine for not a lot of bucks. That way the disk can be mounted virtually and seen by the network and by the XP box with minimal security risk."

          What if the XP machine IS the Instrument Control Computer? Connecting to the MRI itself through a very obscure (read: impossible to virtualize) controller accessory that is ONLY supported through XP (probably because it uses the ISA bus for timing reasons; Vista dropped ISA support--don't laugh; remember the story of the XP-controlled lathe?)? As you noted, the market for these things is incredibly niche. It's entirely possible ALL of them ONLY use Windows computers for their controllers, resulting in a Captive Market.

          1. Kiwi
            FAIL

            Re: GCHQ and Patches

            What if the XP machine IS the Instrument Control Computer?

            The person you're responding to mentioned that they get support calls about MRI's 15 years after leaving the industry. I think they might have a clue about what they're talking about, don't you Xxxxxxxx, er, I mean AC?

            Pretty sure other OS's could talk to ISA etc.

            Oh, and

            (probably because it uses the ISA bus for timing reasons; Vista dropped ISA support

            There are people talking on various forums of getting Win10 to successfully talk to ISA cards, and reporting success, so it can be done (custom-built drivers/INF files..)

            Even my Win10 compatible I7 HP laptop has an ISA bus, though I've no idea why.

    3. Marketing Hack Silver badge
      Trollface

      Re: GCHQ and Patches

      @AC

      "How come an amateur but hacker registered the domain and stopped the malware and GCHQ and all the other world's intelligence agencies didn't understand this would work?"

      Considering that this hack is based on a vulnerability ID'd by the NSA, perhaps the GCHQ and other sigint agencies didn't stop them out of professional courtesy?

    4. Anonymous Coward
      Anonymous Coward

      Re: GCHQ and Patches

      Because "installing the patches" does not yet work in the world of "desired-state configuration / push a button and it's done" (which is why there is a problem in the first place). It's more planning, financing and dispatching a team of cleaners to clean every single toilet in a rickety building designed by Piranesi. And the toilets may be occupied by beancounters. Or eldritch horrors.

      For the second question, a dedicated excellent specialist having fun is better than the pondering titanics of state largesse. If the titanics would even be interested in looking in the first place (they will probably open the case folder on Monday 09:30, just after the daily donut)

      1. gryphon
        Joke

        Re: GCHQ and Patches

        "And the toilets may be occupied by beancounters. Or eldritch horrors."

        Aren't these the same thing?

  66. cantankerous swineherd Silver badge

    Kill off SMBv1

    huh?

  67. Captain Badmouth
    Holmes

    Welsh nhs

    Anyone working there care to update us on why they weren't affected?

    Enquiring minds etc.

    1. davidp231

      Re: Welsh nhs

      Maybe they paid attention to the simple advice of "Don't open suspicious looking emails, especially those with attachments - just delete them"?

      1. Nano nano

        Re: Welsh nhs

        Or it wasn't in Welsh ...

  69. Destroy All Monsters Silver badge

    Russian angle found in the gutter press

    Who are the Shadow Brokers? Were they behind this attack?

    In keeping with almost everything else in the world of cyberwarfare, attribution is tricky. But it seems unlikely that the Shadow Brokers were directly involved in the ransomware strike: instead, some opportunist developer seems to have spotted the utility of the information in the leaked files, and updated their own software accordingly. As for the Shadow Brokers themselves, no-one really knows, but fingers point towards Russian actors as likely culprits.

  70. Anonymous Coward
    Anonymous Coward

    Fast Forward 15-20 years

    Or imagine Driverless Cars were already here and running XP ...

  71. Long John Baldrick

    This is how the NSA gets NEW backdoors on systems

    Titles says all

  72. Truckle The Uncivil

    I have been watching this (Monday Australia) morning and it seems to me that there is serious concentration in the Ukraine. Is there any possibility there is some control being exercised here? Maybe the general ransomware bit is actually a furphy?

  73. Kreton

    re GCHQ and Patches

    Thanks for the insights, the last update to Windows 10 killed my wife's laptop and I had to restore Win7 from backups.

    1. Icy North

      Re: re GCHQ and Patches

      Thanks El Reg for this excellent piece - exactly what we need to read and share on Monday morning.

      You do a lot of things well, and this is what you do the best.

    2. Bob.

      Re: re GCHQ and Patches

      Many have been so bedazzled by the brilliance of Microsoft's latest all singing and dancing Operating Systems that they enter a Trance-like State where backups are no longer required.

      Seek help. Macrium is your friend.

  74. Brady's left foot

    Grounds to close down Bitcoin

    What purpose does Bitcoin have other than hiding transactions?

    Who wants to hide transactions apart from the corrupt or criminals?

    Stop the easy flow of ill-gotten money and you slow the flow of ill-gotten money and improve your chances of tracking the criminals and the corrupt..

    On the assumption that there are some honest users then we can set a rate and exchange for real currency. Of course those without a legitimate income stream to support the amount exchanged may have some explaining to do.

    1. To Mars in Man Bras!

      Re: Grounds to close down Bitcoin

      >>Who wants to hide transactions apart from the corrupt or criminals?

      Statement released by 10 Downing St. following "Panama Papers" revelations about then PM David Cameron's secret off-shore holdings:

      >> family finances are a private affair

      I rest your case!

      [unless it's only common Bitcoin-owning people wanting to keep their finances secret, that offends you?]

    2. Anonymous Coward
      Anonymous Coward

      Re: hiding transactions

      "What purpose does Bitcoin have other than hiding transactions?"

      What purpose has a numbered Swiss bank account ever had other than hiding transactions?

      What purpose do megabucks cash property transactions in the London area have other than hiding transactions?

      I don't mind if there are rules on the anonymity of transactions, and the taxability of transactions.

      I'd just prefer it if the principles (if not the implementation) were the same for the little people's transactions as they are for those with the big bucks.

      What's your view on that?

      "Stop the easy flow of ill-gotten money and you slow the flow of ill-gotten money and improve your chances of tracking the criminals and the corrupt..

      Of course those without a legitimate income stream to support the amount exchanged may have some explaining to do."

      See above.

  75. Nano nano

    Hmm, Lint, anyone ?

    "It reveals that the SMB server bug is the result of a buffer overflow in Microsoft's code. A 32-bit length is subtracted into a 16-bit length,"

    1. jmcc

      Re: Hmm, Lint, anyone ?

      Actually the compiler warnings when compiling the source file would have warned about the problem. But it looks like they were disabled for that part of the WinXP code tree.

      For all the tinfoil people going on about the TLA's getting up to nefarious deeds - they don't need to. Almost all exploits fall into about a dozen categories. Most due to sloppy coding but sometimes due to sloppy design. And MS's middle name is sloppy.

      MS has been showing the complete source code to not only the US TLA's but the TLA's of Russia and China, to name but two. Why else do you think MS is allowed to do business in those countries? It's a condition of doing business. MS must open the kimono. All the way.

      So all the various TLA's have to do is to build the whole Win32 codebase with all warnings turned on - and with a proper heavy duty compiler like the Green Hills one (not VC) which produces exceptionally deep code analysis warnings. If you've ever seen what a heavy duty compiler does to a shipping, warning-free code base of over 200K lines that used one of the more lightweight compilers you'll know exactly what I mean. Several hundred non-trivial warnings and about a dozen warnings that flagged code that was actually buggy. Real bugs. Serious bugs.

      The log file of tens of thousands of warnings from a build by a heavy duty compiler of the current Win2K codebase should, with a little analysis, produce more than enough exploits to last the lifetime of that particular version of Win2K.

      With companies as lazy and arrogant as MS the TLA's really don't have to extend themselves at all when it comes to finding exploits which might come in useful sometime in the future. So no great conspiracies needed.

      1. John Smith 19 Gold badge
        Unhappy

        "So all the various TLA's have to do is to build the whole Win32 codebase with all warning turned on

        and with a proper heavy duty compiler like the Green Hills one"

        If it really is that easy to do it sounds like they will all have a source to mine for years to come on each MS OS.
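The bug class this sub-thread is arguing about (a 32-bit length narrowed into a 16-bit one before a bounds check, and the compiler warning that would have caught it) is easy to show in miniature. The code below is a constructed illustration added here, not Microsoft's SMB code: the function names, the 4096-byte buffer and the header values are all made up for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of the "32-bit length stored in a 16-bit length"
 * bug class. Nothing here is taken from Microsoft's code; BUF_SIZE and
 * the header values are invented for illustration. */
#define BUF_SIZE 4096u

/* Vulnerable pattern: the 32-bit difference is assigned to a 16-bit
 * variable, so the upper 16 bits are silently discarded before the
 * bounds check runs. GCC/Clang -Wconversion (or MSVC warning C4244)
 * reports this implicit narrowing; with warnings off it is invisible. */
bool bounds_ok_truncating(uint32_t total_len, uint32_t consumed)
{
    uint16_t remaining = total_len - consumed;  /* implicit narrowing */
    return remaining <= BUF_SIZE;               /* 0x10000 -> 0, passes */
}

/* Hardened pattern: keep the arithmetic in 32 bits, reject the underflow
 * case explicitly, and compare the full value before it is ever narrowed. */
bool bounds_ok_checked(uint32_t total_len, uint32_t consumed)
{
    if (consumed > total_len)                   /* subtraction would wrap */
        return false;
    uint32_t remaining = total_len - consumed;
    return remaining <= BUF_SIZE;
}

/* Checked narrowing helper: stores into the 16-bit field only when the
 * value fits; callers must treat a false return as a malformed input. */
bool narrow_to_u16(uint32_t value, uint16_t *out)
{
    if (value > UINT16_MAX)
        return false;
    *out = (uint16_t)value;
    return true;
}

/* Simulated receive path: copies the remaining payload bytes into a
 * BUF_SIZE buffer only when the checked bounds test passes.
 * Returns the number of bytes copied, or -1 if the header is rejected. */
long copy_payload_checked(const uint8_t *payload, uint32_t total_len,
                          uint32_t consumed, uint8_t *dst)
{
    if (!bounds_ok_checked(total_len, consumed))
        return -1;
    uint32_t remaining = total_len - consumed;
    memcpy(dst, payload + consumed, remaining);
    return (long)remaining;
}

/* Well-formed constructed input: 32-byte payload, 8 bytes already consumed,
 * so 24 bytes should be copied. */
long demo_checked_copy(void)
{
    uint8_t payload[32];
    uint8_t dst[BUF_SIZE];
    for (uint32_t i = 0; i < sizeof payload; i++)
        payload[i] = (uint8_t)i;
    return copy_payload_checked(payload, (uint32_t)sizeof payload, 8u, dst);
}

/* Hostile constructed header: total length 0x10010 with 0x10 consumed
 * leaves 65536 bytes, which the truncating check mistakes for 0. The
 * checked path rejects it before any copy happens. */
long demo_hostile_copy(void)
{
    uint8_t payload[32] = {0};
    uint8_t dst[BUF_SIZE];
    return copy_payload_checked(payload, 0x10010u, 0x10u, dst);
}

int main(void)
{
    printf("truncating check accepts hostile header: %d\n",
           bounds_ok_truncating(0x10010u, 0x10u));   /* prints 1 */
    printf("checked check accepts hostile header:    %d\n",
           bounds_ok_checked(0x10010u, 0x10u));      /* prints 0 */
    printf("checked copy of hostile header returns:  %ld\n",
           demo_hostile_copy());                     /* prints -1 */
    return 0;
}
```

Compile with `-Wall -Wextra -Wconversion` to see the narrowing in `bounds_ok_truncating` reported; the hardened functions compile clean.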

  76. J1mtaylor

    So this is a complex position with I think a simplistic solution. Firstly, removing the world from Windows OS' is not the answer; that would just shift the goal posts and more exploits would be found in Linux or MacOS systems. However, diversifying your OS for different systems would help.

    Secondly, proxy all your connections in and out between you and the internet no matter what OS you use, ideally changing the ports on the way through.

    Thirdly, control access to your physical endpoints: don't allow just any USB device to be connected, and manage the WiFi your laptops can connect to. It may seem a PITA to the user base but the whinging will be nothing compared to a breach.

    At least this way you are in with a fighting chance of actually rolling out the patches as they are produced.

    1. Anonymous Coward
      Anonymous Coward

      But multiple setups complicates things, and that means having to deal MORE with the dreaded IT department, not LESS. Remember, most boards consider the IT department worse than the Legal Department (for them, the latter is a necessary evil, given the occasional trial).

      Proxies won't help much against targeted attacks and encrypted connections.

      And endpoint control is a non-starter when medical imagery and patient data has to be transferred on a regular basis. You either open network ports or you open USB ports; you can get pwned either way, and that's to say nothing of targeted attacks where actual hardware is subverted (USB keyboard switcheroo, anyone?).

      Anyway, the BIG reason patches cannot be rolled out in a reasonable time frame is because they can break the bread-and-butter apps of your business: sometimes in an irreversible way in an environment where (a) lives are on the line and (b) there's never a budget for redundant equipment.

  77. mr_souter_Working

    my tuppence worth (as everyone else has their opinion, why not add mine) :D

    for what it's worth, here's my take on this (and all the other instances where some virus has trashed a network).

    Most viruses arrive by email, generally spoofed messages either purporting to come from another user inside the network, or from a trusted external contact. The user then opens the message, then the attachment, (or clicks the link), and then allows the attachment to run macros. This then allows the malware to download the nasty bit of itself, and possibly contact the command and control network.

    The nasty stuff then starts encrypting files on the servers - and on the local PC. It will open every drive that the user has mapped, and will create an encrypted version of every file it can see, before deleting the original. Some variants (like this one) will also seek out all other machines on the network to infect them.

    So, how do we stop this from happening? Or at least slow down the spread when it does hit, or limit its effectiveness when it arrives.

    1. Educate the users so that they stop blindly opening any and all emails they receive.

    2. Stop users from treating their work computers like their home PCs - they are not, they are for business use only, but people are very rarely held responsible for the state of their computer, and the higher up they are, the less likely they are to be held accountable.

    3. Have working email filters that can identify internal email addresses and reject them as spam (spoofed). Also some external email scanning to remove spam and viruses before it even hits the perimeter of the network.

    4. Use file filters to prevent the malware from creating its encrypted version of the file - this stops it from deleting the original. The desktop might be infected, but as long as the file servers are OK, all user data should be safe. It would actually be better to have a file filter that only allows specific file types to be saved to the server, but I am not aware of any way to do that at the moment.

    5. Stop using a single AV product across an organisation. There should be one (or more) AV engines scanning emails coming in, a second in use on client desktops, and a third for the servers.

    6. Currently the UK compliance rules (well known) are that all critical and security patches released by vendors should be installed within 3 months - this is too long (as proven here). But everyone in IT is well aware that if they install a patch and something breaks, they get the blame - so there is reluctance to force the issue, instead they use staged patching and try and limit any blame they might get.

    7. Stop using out-of-date Operating Systems - the excuse about testing software for compatibility only holds up for so long - Windows 7 is reaching end of life, and many organisations have not even started testing that their software works on Windows 8, never mind 8.1 or 10, and to still be using Windows XP is poor.

    8. Stop having non-technical people making decisions about technology. Put some qualified people in place and give them the authority and budget they need to put proper controls in place, back them up in their decisions, and test it properly to make sure that it meets (or exceeds) their designs.

    9. Ensure that your internet connection is not allowing malware to come down - perhaps by limiting file downloads to only a few approved users or computers.

    10. Use firewalls on local machines - they are often turned off, or opened to the point of uselessness simply to make life easier for everyone.

    11. As one person found out, the original variant stopped when it attempted to contact a specific web address and got a response - this could be fairly simple: configure your network so that all unidentified URLs receive a response from a specific internal web server - as the malware gets a response, it exits. And if a user goes to an invalid URL, they will see a web site advising them what they did wrong - it becomes a win/win. (Implementation may be difficult to accomplish in some environments.)

    12. If for some reason you cannot replace an out-of-date computer - and yes, there are valid reasons to retain old OSes - then either air-gap it from the network, or put it on a very secure, locked-down network with very limited access to and from it. If it's important enough, then you want to do everything possible to reduce the chance that it could be affected (maybe also look at installing some sort of DeepFreeze software on it to try and reduce the time required to get it back to the original configuration).

    13. Have the separate teams work together to put in place effective strategies and solutions - rather than each team being responsible for only their small bit of the puzzle - this often means that things don't interact well and less-than-optimal decisions are often forced into place.

    There are other things that could also be done to help limit the effectiveness of malware - nothing will ever truly kill it off.
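
    Points 7, 10 and 12 above describe host-level containment in prose. The script below is an added example, not code from the comment, from The Register or from Microsoft, showing what that looks like on one Windows 8 / Server 2012 or later workstation: confirm the MS17-010 hotfix is present, switch the host firewall on for every profile, block inbound SMB, restrict outbound SMB to the one legitimate file server, and turn off SMBv1 (the protocol MS17-010 patches). The file server address 10.0.5.10, the client subnet 10.0.5.0/24 and the KB number KB4012598 are assumptions; the KB number in particular differs per OS version, so check the catalog entry for yours.

```powershell
# Added example (not from the original comment or from Microsoft).
# Host-level containment against SMB-borne worm spread on a Windows workstation.
# Needs Windows 8 / Server 2012 or later for the NetSecurity and SmbShare cmdlets.
#Requires -RunAsAdministrator

$PatchKb    = 'KB4012598'   # assumption: the MS17-010 package for this OS; varies per OS version
$FileServer = '10.0.5.10'   # assumption: the single central file server clients may still reach
# assumption: clients live in 10.0.5.0/24; these two ranges are that subnet minus the file server
$LanExceptServer = @('10.0.5.1-10.0.5.9', '10.0.5.11-10.0.5.254')

# 1. Is the SMB fix installed? Get-HotFix errors when the KB is absent, so probe quietly.
$hotfix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host "$PatchKb installed on $($hotfix.InstalledOn)"
} else {
    Write-Warning "$PatchKb not present: the rules below only contain spread, install the patch"
}

# 2. Host firewall on for every profile (point 10: it is often found switched off).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# 3. Nothing on the LAN needs to reach a workstation's file-sharing ports, so block
#    TCP 139/445 inbound. Windows evaluates Block rules ahead of Allow rules, so this
#    overrides the built-in "File and Printer Sharing" allow rules without editing them.
#    Do not apply this rule to the file server itself.
New-NetFirewallRule -DisplayName 'Block inbound SMB (worm containment)' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block `
    -Profile Domain,Private,Public | Out-Null

# 4. Outbound SMB only to the file server. Because Block beats Allow, a blanket outbound
#    block would also cut off the server; instead the block is scoped to the rest of the
#    subnet, so an infected client cannot walk the LAN looking for its next victim.
New-NetFirewallRule -DisplayName 'Allow outbound SMB to file server' `
    -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress $FileServer `
    -Action Allow -Profile Domain,Private,Public | Out-Null
New-NetFirewallRule -DisplayName 'Block outbound SMB to rest of LAN' `
    -Direction Outbound -Protocol TCP -RemotePort 139,445 -RemoteAddress $LanExceptServer `
    -Action Block -Profile Domain,Private,Public | Out-Null

# 5. Turn off the SMBv1 server. Legitimate clients talk SMB2/3 to the file server anyway.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 6. Show what is now in force so the change can be checked before it is pushed via GPO.
Get-NetFirewallRule -DisplayName '*SMB*' |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

    On Windows 7 and Server 2008 R2 the NetSecurity module is missing; the same rules can be created with netsh advfirewall, and SMBv1 is disabled there through the LanmanServer\Parameters registry key rather than Set-SmbServerConfiguration. Blocking 445 outbound to the Internet belongs at the perimeter, not on each host.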

  78. JeffyPoooh Silver badge
    Pint

    "...74 countries..."

    Does this count really matter?

    Oh, one of those countries just separated into two nations. So please update your headline to "75...".

    Oh, and several folks were using Proxies, so it's actually 83.

    See?

  79. sm2017

    Stop. Using. Windows.

    1. Charles 9 Silver badge

      Tell. Us. HOW. Without us falling on our swords first.

      The very expensive medical machine you use to save lives ONLY runs Windows. And this is true of EVERY other supplier of the same equipment.

  80. Domquark

    Oops?

    Just looked through the downloads at M$ for legacy systems - they appear to have forgotten Server 2003R2.

    http://www.catalog.update.microsoft.com/search.aspx?q=4012598

    And no, the 2003 version doesn't work!

  81. Nano nano

    The Good Listener on BBC R4 (spoiler alert)

    Anyone recall this drama last year

    ... turns out (spoiler alert) our "friends" were testing their "weapons" ...

    1. Nano nano

      Re: The Good Listener on BBC R4 (spoiler alert)

      In the BBC drama,

      http://www.bbc.co.uk/programmes/b082bl0g

      it was the National Grid that was taken down ...


Biting the hand that feeds IT © 1998–2019