back to article Microsoft to spooks: WannaCrypt was inevitable, quit hoarding

In the midst of the ongoing WannaCrypt attacks, Microsoft has issued an unusually strongly worded warning to governments around the world to quit hoarding vulnerabilities. The bug exploited by the attack was hoarded by the United States National Security Agency (NSA), leaked earlier this year and since patched by Microsoft – …

  1. Anonymous Coward

    If you cannot patch it quarantine it

    If you cannot patch it, quarantine it. The reason why Wannacrypt spread like wildfire was the flat design of large enterprise networks with a large number of old unpatched machines. While some of the victims fell due to plain idiocy and laziness, others (e.g. some of the NHS X-ray machines) were running XP because there was no way to upgrade them without breaking their core functionality.

    The criminal idiocy is why systems like this were widely exposed and not isolated so that their vulnerabilities are no longer exploitable by half of the world.

    Unfortunately, the criminally incompetent people running NHS IT and their brethren in other large enterprises will never be held responsible for this and it will happen again, and again, and again.

    1. Robert Forsyth

      Re: If you cannot patch it quarantine it

      Not incompetent (many are as arrogant as you) but overworked and lacking funds.

      So you should not be able to access the X-rays from anywhere, but print them out and post them in internal mail, really?

      1. Anonymous Coward

        Re: If you cannot patch it quarantine it

        You don't need funds to block port 445 for machines that don't need it and to segregate VLANs - assuming you're not using domestic switch-gear in your enterprise environment.

        1. Anonymous Coward

          Re: If you cannot patch it quarantine it

          > "You don't need funds to block port 445 for machines that don't need it and to segregate VLANs"

          Actually, you do. It's called slack staff time. The NHS IT is run on a very constrained budget, and what you're suggesting needs someone to look at what's on the network, and work out a plan for sorting it out. From my (limited) experience with them, they don't have enough staff time to do that.

          1. Adam 52 Silver badge

            Re: If you cannot patch it quarantine it

            "From my (limited) experience with them, they don't have enough staff time to do that."

            They have enough time and budget to run an entirely pointless £10bn IT project.

            They have enough budget to replace a perfectly good phone system with one that doesn't work.

            They have enough time to bulk export patient data for Google and the Department of Health.

            The sad truth is that protecting patient confidentiality and keeping the NHS actually treating patients takes a back seat to vanity projects.

            The NHS budget is £123bn. That sort of money buys a lot of negotiating power with suppliers. Or it would if wielded properly.

            1. SImon Hobson Silver badge

              Re: If you cannot patch it quarantine it

              They have enough time and budget to ...

              You are assuming that "they" are in a position to choose what they do. In all the cases you've cited, some PHB, or committee, will have decided what projects are going on - the grunts at the coal face just get told what they are doing.

              Besides, some of the projects you have mentioned are not related to the separate projects of running the various local networks. You have to remember that there isn't "the NHS" - there is a collection of hundreds of trusts, commissioning groups, blah, blah.

              I assume by "entirely pointless £10bn IT project" you mean the national IT backbone and slurp everything project. That was a completely different group not connected to any of the trusts affected by the ransomware outbreak.

              1. Adam 52 Silver badge

                Re: If you cannot patch it quarantine it

                If you look back up the thread to the OP, "they" is the "criminally incompetent people running NHS IT and their brethren". Criminality remains, of course, unproven.

                NHS IT covers everything I mentioned, and it's all part of the same government department. If it were one trust we were talking about you may have a point, but it isn't.

              2. Doctor Syntax Silver badge

                Re: If you cannot patch it quarantine it

                You are assuming that "they" are in a position to choose what they do. In all the cases you've cited, some PHB, or committee, will have decided what projects are going on - the grunts at the coal face just get told what they are doing.

                "They" applies to the PHBs and committees.

                I wish more folk round here would remember that IT don't exist in isolation. They have to follow what the business wants. The best one can do is advise; strongly and in writing if necessary.

                One difficulty is that the decision makers find it difficult to understand risk. They're choosing between the certainty* of a new, shiny and probably very useful development on the one hand and a list of things which you can't be certain will go wrong on the other. They'll choose the shiny almost all the time.

                *And ignoring any project risks.

                1. PNGuinn
                  Megaphone

                  "the certainty* of a new, shiny and probably very useful development"

                  ... Which will be delivered by one or more of the usual suspects, very late, probably not before the perceived needs for it have expired, waaay over budget, the project reset at least 7 times, and incredibly tarnished and scratched.

                  Sadly, that's the certainty.

                  How many politicians dead in A & E will it take before the remaining few bite the bullet and REQUIRE that all NHS software moves to FOSS?

                  Triggering that and making it available worldwide would probably be worth several times our foreign aid budget.

                  NHS IT a (not the) clearing house for a vast international effort?

            2. CrazyOldCatMan Silver badge

              Re: If you cannot patch it quarantine it

              They have enough time and budget to run an entirely pointless £10bn IT project.

              Different organisations. The Trusts have their own budgets.

          2. P. Lee Silver badge

            Re: If you cannot patch it quarantine it

            >The NHS IT is run on a very constrained budget, and what you're suggesting needs someone to look at what's on the network, and work out a plan for sorting it out.

            The incompetence doesn't necessarily refer to the techies, but would more properly be assigned to those who made the decision that funds would be better allocated on something other than security.

            Now where is their cost saving?

            1. Anonymous Coward

              Re: better allocated on something other than security.

              Like patient care for instance?

          3. Doctor Syntax Silver badge

            Re: If you cannot patch it quarantine it

            "what you're suggesting needs someone to look at what's on the network, and work out a plan for sorting it out"

            And for a large and complex estate that's not trivial. There'll be a lot of special cases to analyse.

            1. CrazyOldCatMan Silver badge

              Re: If you cannot patch it quarantine it

              And for a large and complex estate that's not trivial. There'll be a lot of special cases to analyse.

              Even in our small (relatively) network, there are bits of specialist kit that the people out in the business *have* to be able to use. In some cases, those bits of kit are 10-15 years old and we don't have the budget to buy New! Shiney! to replace them.

              So you have to get quite creative to maintain access to business-critical stuff while trying to protect them from the network and the network from them.

        2. Paul 195

          Re: If you cannot patch it quarantine it

          You need funds to do anything. Even blocking ports requires someone to do it and then, most crucially, test that whatever piece of mission critical hardware you've just modified still does what it is supposed to. Time really is money, and doubly so in any large and overstretched organization like the NHS.

      2. Anonymous Coward

        Re: If you cannot patch it quarantine it

        At least have an airgap! So what if the technician has to copy a few files to a pendrive and then onto another system (that can easily sit on the same desk and be used for general use). I just hope other vital services haven't been put online like our power plants for example... but I know common sense is a pretty rare thing.

        1. Anonymous Coward

          Re: If you cannot patch it quarantine it

          London's road, traffic control centres, CCTV and road tunnels are entirely running on unpatched Windoze. Their network is almost completely open to the wider Internet - they have "Firewalls", but they're frequently circumvented by the need to make access easier (and to make recalcitrant stuff actually work). There's no real security at all. The situation is similar on the Underground as well. Patching or OS upgrades aren't possible because doing either breaks the functionality of their poorly piecemeal-written crudware. It's only a matter of time before chunks of London grind to a halt because of a malware attack of some kind.

      3. RJG

        Re: If you cannot patch it quarantine it

        Yes, Incompetent.

        In every security audit I have done in the last 15 years I always included a recommendation that Windows administrators should disable the use of SMBv1.0 because it is extremely insecure and hasn't been required by any Windows version after Windows 98.

        Most Windows admins were surprised that there were different versions of SMB in use and refused to disable v1.0 in case something still needed it.

        That one change would have stopped this infestation, even on unpatched XP systems.
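        As an added example (not the commenter's own script, nor anything from the article): an elevated PowerShell snippet that audits whether the SMBv1 server is enabled, disables it, and blocks inbound TCP 445 on a host that does not share files, which is the "block port 445 for machines that don't need it" step from earlier in the thread. The Smb* cmdlets exist on Windows 8 / Server 2012 and later; on Windows 7 / 2008 R2 the LanmanServer registry value is the supported method, and the change there needs a restart.

        ```powershell
        # Added example: audit and disable the SMBv1 server, then block inbound SMB.
        # Run in an elevated PowerShell session. Test on a non-critical host first:
        # anything that still speaks only SMB1 (old print servers, XP/2003 clients)
        # will lose access to shares on this machine once SMB1 is off.

        $param = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

        # 1. Audit: is the SMBv1 server currently enabled?
        if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
        } else {
            # Older builds: an absent SMB1 value means SMB1 is enabled (the default)
            $v = Get-ItemProperty -Path $param -Name SMB1 -ErrorAction SilentlyContinue
            $smb1 = ($null -eq $v) -or ($v.SMB1 -ne 0)
        }
        Write-Output "SMBv1 server enabled before change: $smb1"

        # 2. Disable the SMBv1 server component
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $param -Name SMB1 -Type DWord -Value 0 -Force
            Write-Output "Registry change applied; restart required for it to take effect"
        }

        # 3. Disable the SMBv1 client driver as well (Windows 7 / 2008 R2 method);
        #    harmless on newer builds where mrxsmb10 is already absent.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
        sc.exe config mrxsmb10 start= disabled

        # 4. Only on hosts that do not serve files: refuse inbound SMB entirely
        netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445)" dir=in action=block protocol=TCP localport=445
        ```

        Steps 3 and 4 are deliberately separate from step 2 so a machine that must still serve SMB2 shares can apply only the SMBv1 changes.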

        1. bitmap animal

          Re: If you cannot patch it quarantine it

          -- disable the use of SMBv1.0 because it is extremely insecure and hasn't been required by any Windows version after Windows 98.

          I thought Windows XP only worked with SMB1, as does Server 2003. There are probably quite a few older print servers still solidly working away which may need SMB1.

          1. This post has been deleted by its author

          2. Richard Plinston Silver badge

            Re: If you cannot patch it quarantine it

            > I thought Window XP only worked with SMB1, as does Server 2003.

            Yes. From the Samba docs:

            SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.

            SMB2_02: The earliest SMB2 version.

            SMB2_10: Windows 7 SMB2 version.

            SMB2_22: Early Windows 8 SMB2 version.

            SMB2_24: Windows 8 beta SMB2 version.

        2. Kiwi Silver badge

          Re: If you cannot patch it quarantine it

          In every security audit I have done in the last 15 years I always included a recommendation that Windows administrators should disable the use of SMBv1.0 because it is extremely insecure and hasn't been required by any Windows version after Windows 98.

          Given the rather lacking funding of public health service IT, would any of their staff have time to actually go through all the network-connected hardware and check whether or not certain devices actually need it or not? Yes, I realise Win98 was almost 20 years ago, but there's probably a lot of stuff that was written for that version still in use on expensive hardware today, more that crept into XP after that because people re-use old code and write to old standards and so on.

          Most of the staff will be fulltime+overtime+unpaid overtime engaged in just trying to prevent the creaks and groans in the aged hardware from outpacing the creaks and groans in the patients, knowing that a hardware failure in IT can result in a hardware failure in a patient, with somewhat fatal results.

          How many NHS-funded hospitals have been able to afford one of your audits? Why weren't they spending the money in more important areas? That's the problem many of them seem to face, at least based on reports about NZ hospitals.

    2. Anonymous Coward

      Let's mention Microsoft's Policy of hoarding patches unless you pay up.

      Erm hold on - weren't Microsoft hoarding patches for "end of life" XP unless you paid to be part of an Enterprise service agreement? Sounds very similar to hoarding vulnerabilities by the NSA/GCHQ. i.e. the fact XP Embedded (cash machines etc) still gets/got patches.

      The only people that lose are the poor bastards using Microsoft proprietary software, but equally, it's not as though they weren't told clearly they would be held to ransom by Microsoft, once XP reached "end of life". It was, in effect, corporate "pre-payment" ransomware.

      What's not being said is why we're in this situation. It's all commercial - an artificial situation - to sell the next new big shiny version of Microsoft Windows (the same shit, with baked in basic AV), to the next clueless NHS Manager, who thinks the Microsoft "NHS Half Billion on licences" way, or the highway.

      Also, no mention yet of all the Windows 7 SP1 machines that had Windows Update conveniently 'borked' during the first year of rollout of Windows 10, that means/meant (if you know the fix) it can take 10-12 hours+ (overnight) for Win7 Windows Update to find the relevant patches, leaving the machine exposed for many hours.

      Windows Update is, was (has always been) a very loose bag of clunky Nails.

      1. Dan 55 Silver badge

        Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

        My Windows 7 machine at home with all the Windows 10 patches diligently blocked last year has so far spent 48 hours searching for updates. You might as well not have automatic updates, at least then people wouldn't get some false sense of security.

        1. Headley_Grange Silver badge

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          @Dan 55 - there's a fix for Win7 taking hours to decide which updates are required. I had the same problem but I can't remember the specifics of the fix. Google it; it requires you to download and run a specific update which you've skipped in the past.

          1. dbtx Bronze badge

            Re: orphan zombies moaning 'uhhhp daaytz'

            That's KB3125574, and be sure to get the April 2015 Servicing Stack update first. Hope it helps more than it helped me that one time.

            1. Dan 55 Silver badge

              Re: orphan zombies moaning 'uhhhp daaytz'

              I installed the hotfix and restarted and I'm pretty sure the computer accepted all updates before MS started pushing Windows 10... I have no interest in deleting everything and reinstalling, life is too short for that, so I'll just let it sit there until it's finished, even if it takes a week.

              1. Roland6 Silver badge

                Re: orphan zombies moaning 'uhhhp daaytz'

                @Dan 55 - so I'll just let it sit there until it's finished, even if it takes a week.

                I found with these systems, simply stop the explicit user-initiated update check, change the update setting to autocheck and download but inform me when ready, and leave the system running. For some reason this seems to get the first set of updates; after this the system will typically tell you there are further updates waiting. Also, as your system is so far behind, just get the 'Important' updates - some 'Recommended' updates seem to cause conflicts with 'Important' updates, causing the updater to sit there. Once you're up-to-date on the Important updates then enable 'Recommended' and repeat.

                Aside:

                1. Also whilst MS have stopped the GWX, I've also found it helpful to run GWX Control Panel (run once version) to ensure all the OS update settings are set to disabled, as this will further reduce the number of updates you will get.

                2. Also turn off the customer experience programme and so avoid the telemetry/'spying' updates.

            2. Kennelly

              Re: orphan zombies moaning 'uhhhp daaytz'

              KB3125574 is the "everything since SP1" update.

              For fixing the WU process specifically, there are updates KB3102810 (fix for Installing and searching for updates is slow and high CPU usage occurs), and KB3161608, update rollup which includes KB3161647, Windows Update client refresh June 2016.

              1. dbtx Bronze badge

                Re: orphan zombies moaning 'uhhhp daaytz'

                Hmm, ISTR the blogs or whatever were referring to that one bringing a major improvement to the initial waiting period, maybe as a sort of side effect. Not that I dug it up again-- I copied it out of my old comment about how the system took forever to decide it wasn't even applicable because I missed that bit about Servicing Stack. And tbh I haven't been really doing much in Windows for months, besides a couple games and LG Bridge... sorry if that was just wrong, and anyway thanks for the tip.

            3. Captain Badmouth

              Re: orphan zombies moaning 'uhhhp daaytz'

              Have a read of this article too:

              http://www.infoworld.com/article/3177323/microsoft-windows/microsoft-endorses-convoluted-technique-for-installing-win7-from-scratch.html

          2. Kiwi Silver badge
            Linux

            Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

            it requires you to download and run a specific update which you've skipped in the past.

            The only ones I've skipped in the past have been the spyware/malware/breakware ones.

            These days I don't have 7 on that much, and can't really justify having 2 machines running just coz one has to sit for a couple of days updating 7. Easier fix: networking is turned off in 7 (and DHCP now turned off as well, my machines are static and can have manual addresses, anyone else can learn to set up their machine without DHCP or else it obviously isn't that important they connect to my network).

            Have tried various fixes, some worked some didn't. The issue is a recurring one even on a VM that has previously been allowed all updates etc it wants.

            vs apt-get update && apt-get upgrade, which I can trust to do it all inside of 5 minutes.. Or use the update icon and a couple of mouse clicks & done.

        2. Richy Freeway

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          Turn off automatic updates and reboot the machine.

          Install these two updates manually in this order, no need to reboot in between.

          KB3020369

          KB3172605

          Re-enable automatic updates and reboot the machine again.

          Sorted

          1. IanMoore33

            Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

            Bullshitte. Fails 50% of the time. There is a long manual way one has to fix it on MS turd site.

        3. mickaroo

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          @Dan55

          I had this very problem. I tried every suggestion on fixing broken Windows Update with zero success.

          The solution I found that worked was WSUS Offline Update. YMMV, but it worked for me.

        4. IanMoore33

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          Windows 7 has a long manual procedure released. I had to do it on my wife's machine.. it took an entire day.

          The aholes at MS have no idea how to release patches THAT WORK to cure update problems. It should all be automated.

      2. Doctor Syntax Silver badge

        Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

        Erm hold on - weren't Microsoft hoarding patches for "end of life" XP unless you paid to be part of an Enterprise service agreement? Sounds very similar to hoarding vulnerabilities by the NSA/GCHQ. i.e. the fact XP Embedded (cash machines etc) still gets/got patches.

        Got it in one.

        It's very telling that on Friday Microsoft were suddenly able to release a patch. It's almost as if they suddenly realised they had a degree of responsibility.

        Now they're trying to claim the moral high ground.

        1. Anonymous Coward

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          > Now they're trying to claim the moral high ground.

          Is this in any way dissimilar to e.g. our paid RHEL support? Or any other paid software support? If the $vendor needs to code a patch for a paying client, should the $vendor then release it for free for the non-paying customers as well, and not "hoard" the patches?

          Well, it would be really nice, but a) it doesn't make economical sense and who would pay for others' patches?

          1. Richard Plinston Silver badge

            Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

            > Is this in any way dissimilar to e.g. our paid RHEL support? Or any other paid software support? If the $vendor needs to code a patch for a paying client, should the $vendor then release it for free for the non-paying customers as well,

            I run CentOS* and get RHEL patches, thank you.

            * my clients do run RHEL and pay for support (which pays for CentOS too).

        2. Emperor Zarg

          Re: Let's mention Microsoft's Policy of hoarding patches unless you pay up.

          Or the NSA was preventing Microsoft from releasing a patch for this until the exploit appeared in the wild.

          I'd imagine the NSA would want to keep harvesting as much data as possible from their use of the exploit, for as long as possible. They would only have given Microsoft a green-light to release the fix once the situation had reached a crisis point. As Microsoft will be legally prevented from ever revealing if this is true or not, we will never know.

    3. IanMoore33

      Re: If you cannot patch it quarantine it

      Millions of XP users still exist .. MILLIONS

  2. Anonymous Coward

    This is why winplebs must be on mandatory forced updates, unless the machine is physically disconnected from any network.

    1. bombastic bob Silver badge
      Thumb Down

      "mandatory forced updates"

      I cannot DOWN vote that enough...

    2. Anonymous Coward

      This is why people with no knowledge of the real world should keep their stupid mouths shut.

    3. streaky Silver badge

      This is why winplebs must be on mandatory forced updates

      No, this is why WSUS is a thing. Also linux.

      Re forced updates, it wasn't all that funny when Ubuntu pushed a broken security patch last month and took out many many servers.

      1. Brewster's Angle Grinder Silver badge
        Trollface

        So how many man hours go into testing patches? How many bugs does testing catch? Is our testing regime so sclerotic that it prevented this patch being applied before exploitation began? How easily can we back out of a patch if we find it breaks something after being applied?

        Like everything else, it's a balance. Maybe we do have to pay for extra security guys so we can test patches as soon as they're released. Maybe our solution works as is. Or maybe, for us, it's best to apply patches and back out the occasional bad one. It really does depend.

        Certainly WannaCrypt-scale outbreaks are going to be rare---NSA-leaked wormable exploits of dead protocols aren't going to turn up every day---but the time from patches appearing to malware targeting them are going to keep decreasing. If Linux thinks forced security updates are, on balance, the best route, why not Windows?

        1. streaky Silver badge

          If Linux thinks forced security updates are, on balance, the best route, why not Windows?

          Because Microsoft have form for shovelling out things that aren't security patches - and FWIW people trust Microsoft with the NSA about as far as they can be thrown. The real problem here is arguably closed source critical infrastructure.

          There isn't much reason for 95% of NHS desktops to not be something that's more security focused and that should probably be the real discussion.

    4. CrazyOldCatMan Silver badge

      This is why winplebs must be on mandatory forced updates

      Which is all very well if you have a vendor you trust to just patch appropriately. As has been shown by the whole Win10 debacle, that vendor isn't Microsoft.

  3. mr. deadlift

    XP

    So, you've got an xp machine with core functionality.

    Why isn't it vlan'd off from the rest of the herd, like the leper it clearly is?

    So, you've got a herd of lepers? Take heed of that ditty from Dickinson et al., Run to the hills...

    Still, it's not just xp copping the brunt is it. Bad luck if you're dealing with this one.

    1. The Nazz Silver badge

      Re: XP

      The last sentence of the article states that MS have released security patches that now include XP.

      I'd just literally seen the same thing confirmed via a BBC article and link to the NCSC.

    2. Anonymous Coward

      Re: XP

      So, you've got an xp a Windows machine with core functionality.

      Why isn't it vlan'd off from the rest of the herd, like the leper it clearly is?

      Fixed it for you. It's well past time to stop beating around the bush, but I guess truly admitting to root cause would collapse a whole Universe of profiteers off those weaknesses, originally left in place to incentivise victims to upgrade.

      1. Anonymous Coward

        Re: XP

        Why? Because it takes time for someone to do this and even more time to do this for tens of thousands of machines, and as has been said MANY times the NHS doesn't have the budget or manpower to do clever techy fixes - a shoestring budget would seem luxurious to them! Blame that Jeremy C... Hunt...

        1. AlbertH

          Re: XP

          Blame that Jeremy.....

          Nope - blame T. Blair esq. He took Bill's shilling way back in the early part of the noughties and was bought a nice house in Eaton Square, Belgravia in return. Blair tied the UK into an "agreement" with Microsoft, ensuring that we would be saddled with insecure, unreliable, expensive crapware for ever more.

          Any attempts by smarter parts of government to migrate to more modern, more secure operating systems and software were (and are) stamped on by the mandarins in Whitehall (many of whom are also the recipients of nice presents from MS).

          It must be borne in mind that No UK Government IT projects have EVER worked properly.

          1. fruitoftheloon
            Happy

            @AlbertH: Re: XP

            Albert,

            well matey, the London Congestion Charging Scheme achieved its objectives, plus it started on time, with no significant variance from the contracted budget [when adjusted for additional functionality etc].

            I was part of the senior team that delivered it, ironically one of the reasons it did work, was that no Senior TFL folk had much influence on proceedings after the contract was signed, FYI the area where TFL's "Consultants" were housed was nicknamed 'the creche'...

            I don't recall many others succeeding tho!

            Cheers,

            Jay

            1. Sean 12
              Flame

              Re: @AlbertH: XP

              London Congestion Charging Scheme, wasn't that Richard Granger's project?

              Ask the majority of the NHS's IT people what they think of him????

              I have spent most of my working life in and around the NHS IT Acute for various Tier 1 tin makers.

              Most of the issues I suspect are vendor lock-in issues. Most of the core apps only work with specific versions of certain libraries and service packs. The medical kit vendors (PAS, PACS, RIS et al.) do bear some responsibility for not keeping their products updated more regularly.

              Hopefully this will kick many Acute Trusts to dump Windows at the front end completely. There are a number of enterprise versions of Linux that are secure and can run Windows apps in a wrapper securely and safely.

              Just wish whichever thoughtless muppet that wrote this doesn't require rapid treatment in any of the UK's hospitals - any time soon....

              1. fruitoftheloon
                Happy

                @Sean12: Re: @AlbertH: XP

                Sean,

                I don't ever remember hearing of or meeting a Richard Granger...

                Cheers,

                Jay

              2. CrazyOldCatMan Silver badge

                Re: @AlbertH: XP

                There are a number of enterprise versions of Linux that are secure and can run Windows apps in a wrapper securely and safely.

                My GP (last time I saw him) had an iMac. And any applications that required Windows were run under Parallels, with the VMs being shut down and backed up every night.

          2. This post has been deleted by its author

          3. Emperor Zarg
            Angel

            Re: XP

            Government IT project that works properly... how about Electronic Vehicle Licensing?

  4. a_yank_lurker Silver badge

    Note to Slurp

    The spookhauses are not the only slimes in this episode. It would help if you actually had professional programmers and testers instead of the internal imbeciles releasing alpha grade software to your tester/users.

    1. Dan 55 Silver badge

      Re: Note to Slurp

      Seems One Microsoft Way doesn't include static analysis, code review, or fuzz testing. Why would it, when people buy that shit anyway?

  5. TReko
    FAIL

    Just Patch?

    Our recent Windows Updates have broken almost as much as they have fixed.

    We need to do our own in-house QA on the updates, and then patch, a process which takes time.

    We wish Microsoft would test their updates more thoroughly.

    1. illiad

      Re: Just Patch?

      hey guess what?? I have run win7 **without** patches, upgrades, etc since 2013...

      I do NOT USE IE, or other MS stuff.. office 2003 is fine thanks...

      the latest Firefox (or the open sourced PaleMoon variant is much better..) and a very good AV that does full protection!

      1. Kiwi Silver badge
        Thumb Up

        Re: Just Patch?

        hey guess what?? I have run win7 **without** patches, upgrades, etc since 2013...

        A decent firewall, turning off unnecessary services and closing unnecessary ports, and a good AV and you should be alright. Please don't say your "good av" is anything Symantec though, because that lets more nasties through than the only needle at a druggie convention!

        Me.. I run 7 without patches, AV or firewall even. Have done since they started the "bundle all the updates into one blob" garbage. But then I run it without a net connection as well.

      2. IanMoore33

        Re: Just Patch?

        admit it - viruses and infections come from malware injected in porn and gaming sites, email trolls, and 3rd party tor based blobs .. you have been lucky so far ... but you are not 100% protected. I installed Panda AV (free) and use Google Chrome, which does great black listing already, on my wife's computer. Once these viruses get injected into corporate networks they can seek out other machines to infect. You are likely a stand alone box at home.

    2. Brewster's Angle Grinder Silver badge

      Re: Just Patch?

      What are they breaking and how?

  6. Denarius Silver badge
    Unhappy

    missing the root cause, again

    Perhaps if the PHB classes, including government ministers, were made personally and individually liable for overriding competent (shaddup back there) technical staff where life and safety is at serious risk, budgets would not be cut for bonuses elsewhere.

  7. Anonymous Coward
    Anonymous Coward

    patches for everything back to XP

    What about Server 2003? I've got a SBS 2003 box under my care* and feeding that didn't show any patches due a couple of hours ago. Sure, it can't be directly reached from the Internet, but I'd still like to make sure it stays happy.

    * Care as in hospice. Have a few stubborn items to get migrated, then it can die...

    1. bitmap animal

      Re: Alternatives?

      You can download it from Microsoft; this is a catalogue list of all the variations of the patch.

      https://www.catalog.update.microsoft.com/search.aspx?q=4012598

  8. jdoe.700101

    Whilst I understand where MS is coming from, it doesn't help that they have history in (ab)using their update process to distribute unwanted changes..

    1. bombastic bob Silver badge
      Thumb Up

      "it doesn't help that they have history in (ab)using their update process to distribute unwanted changes.."

      I cannot UP vote that one enough!

    2. Anonymous Coward
      Anonymous Coward

      Nought, nil, nada, nothing, zero, zilch and zip, except the Security Update...

      "Whilst I understand where MS is coming from, it doesn't help that they have history in (ab)using their update process to distribute unwanted changes.."

      jdoe.700101

      EXACTLY - succinct, to the point. Terry Myerson / Satya Nadella - take fucking note.

      Nought, nil, nada, nothing, zero, zilch and zip, except the Security Update as part of "Security Updates".

      NSA/GCHQ, stop forcing/mandating MS (and others) to put your shit in security updates (i.e. telemetry/monitoring).

      All this added stuff is just another attack vector.

  9. frank ly Silver badge

    Numbers

    Here is a small extract from an article on Sunday:

    http://www.independent.co.uk/news/uk/home-news/wannacry-wanna-detector-accident-and-emergency-patient-appointment-operation-a7734831.html

    "NHS Digital, which manages the health service cyber security, said fewer than 5% of devices within the health service still use the old system Windows XP."

    Is that a reasonable figure or is it one of those special statements where they include things like stethoscopes, thermometers and blood pressure meters in the count of 'devices'?

    1. SteveCo

      Re: Numbers

      Precisely what I thought. The use of the term 'devices' almost certainly includes the tens of thousands of tablets that are used nowadays. Including them would just water down the XP percentage.

    2. Anonymous Coward
      Anonymous Coward

      Re: Numbers

      My wife has spent a fair amount of time in hospital over the years, so I get a lot of time to look at various machines consultants and nurses are using, and while many (most) I saw are W7 machines at boot/login, they nearly all then log into XP VMs to actually do anything 'useful' with the machine (like look up blood test results, or look at X-rays, or get my wife's medical history up) - so the 'device' itself may be non-XP, but it seemed to me all the actual work was being done inside VMs.

      Until my wife medically retired from the NHS two years ago, her work issued laptop was an old Dell running XP, because, as a cost saver, the NHS had closed most of her office down and 'hot desked' them, so there she was, with this old XP laptop, having to connect it to the Internet, so she could log in to the NHS network to actually do any work...

      (It was quite locked down - I couldn't install my printer drivers so she could actually print out anything she needed at home, but I could still fire up Command Prompts and poke around it from there)

      1. John Smith 19 Gold badge
        Unhappy

        "My wife.. time in hospital over the years,.. many (most) I saw are W7 machines at boot/login,"

        So just to be clear most of those machines are already capable enough to run a more modern OS?

        Then it really is just the core LoB apps that have not been ported

      2. Dan 55 Silver badge

        Re: Numbers

        So they're stuck on Windows 7 because XP Mode isn't available on newer versions of Windows?

    3. RJG

      Re: Numbers

      It is trying to re-direct blame.

      If SMBv1.0 is enabled on windows systems newer than XP, they will also be infected.

    4. Anonymous Coward
      Anonymous Coward

      Re: Numbers

      Everyone is making up numbers creating news.

      "90% are running XP" has been spread around. This came from a freedom of information request where, out of the trusts that responded, 90% had 1 or more XP machines. #fail

      "Kingsley Manning, a former chairman of NHS Digital - which provides the health service's IT systems - told the BBC on Saturday that several hundred thousand computers were still running on Windows XP." Later on it's stated 5% of machines are XP. Apparently there are 4m PCs in the NHS. According to these "experts"...

      Less than 1% seems to be the most realistic number, but it's essentially meaningless (and a scapegoat), as most if not all of these are not on the main domain, but isolated, and the vulnerability affected ALL versions of Windows.

      Time to ditch Windows; most people don't even need Windows. A Chromebook would be very secure and more than adequate for the vast majority of home consumers, and many business users. Google apps for business are not only secure (2fa, 3fa), centrally managed ACL (no document copies mailed around), it's surprisingly cheap... £3 user/month, and before the Google haters and privacy nutters jump in: "There is no advertising in G Suite Services, period. Google does not collect, scan, or use data from the core services for advertising purposes."

      1. Doctor Syntax Silver badge

        Re: Numbers

        "Time to ditch windows"

        In principle I agree. I don't use it myself. But in the real world, as a previous post made clear, there's a lot of core NHS applications that are not only Windows specific but XP specific. Windows can't be simply ditched. It needs to be phased out and that will take time and money.

      2. Matthew 3

        Re: Numbers

        "Google does not collect, scan, or use data from the core services for advertising purposes."

        Added emphasis to point out the possibility of 'non-core' services.

        1. Anonymous Coward
          Anonymous Coward

          Re: Numbers

          https://support.google.com/a/answer/6356441?hl=en

          G Suite Core Services are Gmail (including Inbox by Gmail), Calendar, Classroom, Contacts, Drive, Docs, Forms, Groups, Sheets, Sites, Slides, Talk/Hangouts and Vault.

          Additional Services (like YouTube, Maps, and Blogger) are designed for consumer users and can optionally be used with Apps for Work and Apps for Education.

    5. Marshalltown

      Re: Numbers

      Yep, and trying to tell some admin type that the problem is not necessarily "how many" systems are not patched due to cost savings measures, but WHERE those vulnerable systems are located, goes right past their pointy little ears without even a glimmer of dawning comprehension. It's that that can get you thinking about super-powered cattle prods, carpet rolls and quicklime.

  10. Brent Beach

    What is criminal is Microsoft deciding that millions of PCs running its software are suddenly obsolete and will no longer be given crucial security updates, as it did with Win XP machines.

    We all know this was done to try to force owners to dump the old PCs and buy new copies of Microsoft's operating system. It was a cash grab that failed. It failed for many reasons. In the NHS case, it failed because the NHS could not afford to upgrade. It failed in my case because I have an old netbook (Dec 08) that still works just fine and I am not throwing it away just because MS has a quarter coming up.

    Yes, NSA and GCHQ should spend more time defending citizens and public IT infrastructure and less time on seeing who can build the biggest useless metadata database.

    But MS, as long as there are millions of XP machines out there, should still be required (if it won't do the right thing voluntarily) to distribute key security upgrades.

    1. A Non e-mouse Silver badge

      I think you're being a bit hard on Microsoft.

      XP was released in 2001 and mainstream support ended in 2009 - that's 8 years of main official support. Then there was extended support (patches only) till 2014. So that's 13 years (give or take a few months) in which Microsoft supported XP. (I'm ignoring the custom support companies could pay large amounts of money for post 2014.)

      XP's successor, Windows 7, has been out since 2009. So companies have had around 8 years to move from XP to 7, with an overlap of five years between XP & Windows 7. (Corporates tend to have a three-five year refresh cycle for desktop hardware.)

      According to Google, it is estimated that around 400 million copies of XP were sold in its first five years. Estimates as to the total number of licenses sold appear to exceed 1 billion. And that's not accounting for all the dodgy versions out there. So even if there are "millions" of XP installations out there, that's possibly just a single percentage of all the XP licenses ever sold.

      In this situation, I think Microsoft have been quite fair.

      1. brianposter

        And I would suggest that Microsoft are little better than pirates. XP machines were still on sale in 2007 so in reality it is 6 years of support for a machine that might last 20 years.

        The amazing thing is that governments continue to buy from these shysters without a guarantee of continuing support.

      2. Doctor Syntax Silver badge

        "So that's 13 years (give or take a few months) in which Microsoft supported XP."

        Another way of looking at it is that Microsoft had 13 years to get it right. Did they?

    2. h4rm0ny

      >>What is criminal is Microsoft deciding that millions of PCs running its software are suddenly obsolete

      "Suddenly".

      Are you by any chance a Galapagos tortoise, a sentient giant redwood or Wowbagger the Infinitely Prolonged? I just ask because most of us are not blindsided by something that has been known about eight years in advance.

      Windows XP had fundamentally poor security. I mean conceptually in its design. These problems were not fixed until Vista (and then not usable until 7). MS have been doing everything they can to get people to move forward - they don't want to support XP systems any more than the sysadmins do. Half of the people who wrote it are probably retired by now - it was released in 2001. Goddess knows how long it was in development for!

      1. tiggity Silver badge

        @ h4rm0ny

        But there are things like Windows XP Embedded (quite a bit of NHS "hardware" running that) to consider; it's not all about PCs. And although Windows Embedded Standard 2009 was (surprise) released around 2009 (so not that old for hardware which is expected to chug away for ages), it's based on XP, so I would assume it may well have the same security issues.

        1. Anonymous Coward
          Anonymous Coward

          Embedded XP is component based, and you have to specifically include the components you want. A small footprint embedded XP will naturally have a much lower exploit vector.

          SMB and networking are entirely optional in embedded XP.

      2. AlbertH

        "Windows XP had fundamentally poor security. I mean conceptually in its design."

        Sadly, the vast majority of the XP vulnerabilities still exist in their latest versions. MS never have understood the need for real security, and it was always an afterthought. Bill took the decision - way back in 1987 - to sacrifice "security" for "ease of use". This situation still pertains, which is why MS products are simply not suitable for serious use. They're "home grade" products and shouldn't be used for anything that requires security.

      3. Marshalltown

        Pointless

        "MS have been doing everything they can to get people to move forward" - meh.

        The problem is as much the fault of users as it is Microsoft, and the entire commercial approach to operating systems. Microsoft's "best effort" was to get people to PAY "to move forward." The users however received "that" OS "free" with their system and ("ooh! shiny, so pretty") expected it to "just work." Or were coerced into buying a new OS they really didn't want because some program critical to their work or simple little minds had been changed to "require" a new version of the OS. So they grudgingly spent as little as possible to get what was required, or they simply bought a new chunk of hardware with the "free" OS installed.

        1. Marshalltown

          Re: Pointless

          One thumb down, hmm. Well you may not like it, but that is the bitter truth. Microsoft capitalized on human laziness at the expense of security pretty much from the founding of the company. Then, when the inevitable problems cropped up, they wanted you to pay for something they had "persuaded" computer makers to "bundle" with the hardware. Then the new user, rather than try different OSs and interfaces, simply learned what "came with the computer." MS effectively gave away Word, Excel and even Access in order to achieve dominance in the entire PC Windows environment. Excel was so horrible that there were companies that banned its use due to flaws in results and bad algorithms in its statistics routines. You can still Google "Friends don't let friends use Excel" and get over a thousand hits. Developers simply went with the current (flow), developing for what the "users" had learned, and generally avoiding the costs of developing for alternate systems and smaller, niche markets.

          This pattern had already thoroughly distorted the PC environment by the very early '90s, before Windows. In addition, the Microsoft "tax" encouraged "piracy" - after all, if you already paid money to MS simply to buy that CPU, why should you pay them twice to buy a "legitimate" copy of MS-DOS on a disk? I went with PC-DOS, OS/2 and later Linux for my own systems. There were never-fixed bugs in MS-DOS. One in particular was replicated in alternative DOSs like IBM's PC-DOS, simply because developers were writing code that actually relied on that bug in order to work properly.

  11. Anonymous Coward
    Anonymous Coward

    Who's to blame?

    Microsoft write the software

    The NSA (etc) exploit it and keep it to themselves

    Eventually the exploit is leaked to the wild by Group X

    [Microsoft patch it]

    Too late, the crims have monetized it

    Users fail to apply patches

    IT budgets don't extend to upgrades

    1. Anonymous Coward
      Anonymous Coward

      Re: Who's to blame?

      Canada

      1. davidp231

        Re: Who's to blame?

        "Canada"

        What did the Spanish priest say to the Iranian gynaecologist?

      2. Anonymous Coward
        Anonymous Coward

        Re: Who's to blame?

        "Canada"

        Sorry guys, eh

    2. davidp231

      Re: Who's to blame?

      The (C)Hunt that decided not to renew the paid support agreement for WinXP machines, and then go into hiding when the excrement merged with the cooling system?

  12. allthecoolshortnamesweretaken Silver badge

    I'm far from sure, but doesn't this call for something akin to the Hague Convention?

    1. jake Silver badge

      Which one?

      There have been many "Hague Conventions" ...

  13. bombastic bob Silver badge
    Big Brother

    Microsoft is actually right this time ('slow clap' again)

    Microsoft is actually right this time - slow clap - Gummints should *NOT* hoard vulnerabilities and NOT disclose them, in order to abuse them later on for whatever reason they see fit.

    I have to wonder how long the U.S. gummint (or in particular the NSA and/or CIA) has known about THIS one. I would guess all the way back to 2003...

    1. Anonymous Coward
      Anonymous Coward

      Re: Microsoft is actually right this time ('slow clap' again)

      You're assuming that Microsoft didn't actually implement these "flaws" at the request of TLAs? Now they are public, they are yelling and screaming to deflect from the possibility that this may have been the case?

      1. Anonymous Coward
        Anonymous Coward

        You're assuming that Microsoft didn't actually implement these "flaws" at the request of TLAs?

        "You're assuming that Microsoft didn't actually implement these "flaws" at the request of TLAs?..."

        More likely the case than not, given what is being forced into Windows 10 regarding its privacy model (or lack of it).

        Some of the snooping measures being applied to Windows 10 just don't make sense "commercially" for Microsoft, even if they were to sell/conduit the data for others; they feel "forced".

        To the point I'd argue that Microsoft have their mouth gagged and their hands tied (and I'm not a fan). It just looks and feels like Microsoft have been given a set of monitoring APIs to implement. Do they want to do this? Probably not. Are they being paid to do this? Very likely.

        Just look at how the NSA publicly advertised the need to penetrate Skype.

        How much they were willing to pay at the time: billions. How much Microsoft paid for Skype: billions. How the peer to peer model was dismantled and replaced, how the backend of Skype was re-engineered to use a snoopable Microsoft data centre model.

        Microsoft have form in this area.

        Much of this work was done for a reason, and it wasn't all to provide better reliability for Skype based communications. I believe Microsoft were part-paid by the NSA to decrypt Skype's peer to peer secure model, and hence the high price Microsoft was willing to pay for Skype.

        1. h4rm0ny

          Re: You're assuming that Microsoft didn't actually implement these "flaws" at the request of TLAs?

          >>Much of this work was done for a reason, and it wasn't all to provide better reliability for Skype based communications. I believe Microsoft were part-paid by the NSA to decrypt Skype's peer to peer secure model, and hence the high price Microsoft was willing to pay for Skype.

          Quite probably. But I'd say there was also a pretty big stick held up visibly as well. I used to work in telecomms and was once interviewed for a job writing an interface to enable real-time eavesdropping on phone conversations. (Hence this will be my second or third ever Anonymous post in all the many years I've been commenting on El Reg.). I didn't know what the job was when I applied for it, only that it was in my area of expertise (Add-Drop Multiplexer controller software) and paid well. I like to think that I would have turned it down for ethical reasons but I was rejected anyway due to a poor interview performance (seems likeliest).

          Anyway, as I understand it, nobody gets away with not implementing backdoors for Intelligence Agencies. Nobody. Anybody recall when Vodafone's eavesdropping system was subverted by an unknown party to listen in on the Greek Prime Minister and cabinet? Much like this case, the hacker or hackers looked at what a State agency had done and then just repurposed it to their own benefit. I'm not sure the hackers were ever caught - somebody simply noticed some dodgy software connected to their "legal" APIs. That was ten years ago. Incidentally, the person in charge of the Vodafone networks in Greece was found hanged and Vodafone were very uncooperative in the investigation to the extent they were fined £76m for it. (Link for those who still have optimism in their hearts and need citations).

          I don't trust the spy agencies, and nor should you.

  14. Youngdog

    It's like the Millennium Bug all over again

    Because of the media coverage on Friday our Group CIO ordered ALL servers (regardless of criticality and our internal change process) to be patched by EO the weekend. In the last 2 days literally 100s of people have worked their b***ocks off to get that done - now (so far, fingers crossed, touch wood) we have seen no issues, so all that effort will be tomorrow's chip wrapping. It's the life we've chosen I'm afraid.

    1. Bronek Kozicki Silver badge
      Coat

      Re: It's like the Millennium Bug all over again

      You have to admit that life would have been easier (in some respects) if these servers were running some different operating system. For example, something from the UNIX family. I heard there are a few available, some are rather popular, and also available for free (or with commercial support contracts, if you so desire).

      (walks away)

    2. Pascal Monett Silver badge

      Re: It's like the Millennium Bug all over again

      I think we should call it the Era of Insecurity.

      Somebody check with Nostradamus to find out if it ever stops . . .

    3. John Brown (no body) Silver badge
      Thumb Up

      Re: It's like the Millennium Bug all over again

      "In the last 2 days literally 100s of people have worked their b***ocks off to get that done"

      So checked for and patched the AMT f/w bugs at the same time then?

      1. Youngdog

        Re: It's like the Millennium Bug all over again

        Joined-up thinking in a huge multinational company? NEVER!!!! ;-)

  15. John Smith 19 Gold badge
    FAIL

    The root cause for the NHS is software that won't run on anything but XP.

    Or to be more specific (AIUI) Internet Explorer 6.0 specific functions.

    WTF is that about?

    8 years since MS declared EoL and 2 since it stopped any form of extended support.

    This is not an IT issue. It's a PHB issue.

    The PHBs at the health IT companies (who can't, or won't, refactor their SW to be browser neutral), the NHS PHBs who can't (or won't) use their bargaining strength (47 trusts is a shedload of licenses) to make them (and probably still don't get why running on a very old OS is a real bad idea) and the PHBs in the MoH who also don't seem to have pushed for versions that are easier to certify on other OSs (or indeed certified them on any other OS), led by their PHB in Chief Mr Hunt.

    As for "Our CT/MI/Ultrasound/Kirlian aura machine uses an XP UI" SFW? How much network access does that thing need and what business does the network have dropping stuff on its local storage?

    As for "Upgrading the PC's to run Windows anything-more-recent is too expensive."

    Back in the day PCW ran a column by a doctor who ran the IT dept for a private hospital around Glasgow. It was most revealing.

    You go to PC World you pay retail.

    You go up the food chain and talk to a distributor and say you want 600-1000 off, but with this SW on and none of the usual "free sample" cruft and price per unit changes a lot. Mostly downward.

    "But there's no money for upgrades."

    I suggest every Trust IT Manager work out how much staff time (and possible emergency hardware replacement money) has been spent cleaning up this mess and then tell their Trust Board this is what it cost this time. Or how much staff time would have to be spent implementing the fix El Reg described in the comments section a few months ago.

    There really is a time when the support costs >> replacement costs, and at that point you're not retaining stuff because it's the best cost/benefit. Every year you retain such systems you bleed (or since this is the NHS you haemorrhage) money.

    1. itzman
      Facepalm

      Re: The root cause for the NHS is software that won't run on anything but XP.

      "As for "Our CT/MI/Ultrasound/Kirlian aura machine uses an XP UI" SFW? How much network access does that thing need and what business does the network have dropping stuff on its local storage?"

      It needs network access so that when the car crash victim has been CT scanned, and wheeled back up to intensive care, the surgeons can see the scans as well as the patient, and their entire record of medical history. Including what drug intolerances they have, what blood thinning and anti-clot medication they are on etc.

      Medical care is enormously improved by proper networked IT.

      They are slowly getting there. This is a wakeup call to ensure that they also pay attention to security.

      At the root cause of this is the use of the file sharing paradigm as a substitute for e.g. a remote database access paradigm.

      1. Anonymous Coward
        Anonymous Coward

        Re: The root cause for the NHS is software that won't run on anything but XP.

        I find that I have to remember my medical history in order to correct deficiencies in hospital/GP records during treatment. Sometimes a particular record is missing. Occasionally the consultant has merely read the last treatment notes - and made an incorrect assumption about the root cause that necessitated that treatment.

        Even those records held on computers are often nothing more than effectively scans of documents - with no correlation. Doctors and consultants don't have time to read much of the relevant history.

        My GP once said that the patient soon becomes a relative expert on their own particular condition.

        1. Kiwi Silver badge

          Re: The root cause for the NHS is software that won't run on anything but XP.

          "My GP once said that the patient soon becomes a relative expert on their own particular condition."

          That's not always the positive thing it sounds when the Doc is saying it to the patient. Sometimes it means the Doc is sick of the patient saying what is wrong, deciding they know better with all their minutes of google/WebmDouche (quoting Dr Ken) etc etc than the specialist.

          Self-diagnosis is the curse of modern medicine according to some Docs, and when they say a patient is an expert on their condition, you can just about see the <sarc> tags in their speech.

  16. Anonymous Coward
    Anonymous Coward

    The lull before the next storm rolls in

    and the next

    and the next

    One can hope that eventually companies, governments and the rest realise that using MS software is more trouble than it is worth.

    I wonder if the IT Managers in Munich went out for a few beers on Friday and raised a glass or two to Linux?

    If you really, really do have to run Windows then the thing needs to be on a hardened network especially if you are in a Hospital, Oil Refinery, Nuclear Power Station.

    Security must not be paid lip service in the future.

    If you build images for say a Hospital then I really hope that you are looking at how you configure them with a microscope. Many of the infections could have been prevented if you had done your job right.

    Then the internal network needs to be sorted out. A lot more isolation of critical kit should be at the top of your 'Must Do' list. It need not be expensive or timely to introduce. Just do it!

    My Linux based firewall has a number of rules. The first and most important one is DENY ALL: no access at all to any port/service.

    Then ports/services etc are opened up as needed. SMB V1 has never been enabled and I'm gobsmacked that people still leave this gaping hole open.

    I review my firewall logs weekly and the SMB V1 port attacks have been going on for a long, long time.

    It ain't rocket science people.

    I do run one windows system. Win 7 and that ain't going to W10. When the security patches stop then it gets airgapped.
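    The default-deny layout and the weekly SMB log review that the post above describes, written out as an added example; this is not the poster's own firewall configuration. It assumes a Linux host using iptables, with dropped SMB/NetBIOS probes logged through the netfilter LOG target, and the sample log lines are constructed for the demonstration (addresses are from the documentation ranges, the hostname "fw" and the log prefix "FW-DROP-SMB" are made up):

```shell
#!/bin/sh
# Added example: default-deny inbound firewall with SMB never opened, plus a
# small log review that counts the SMB/NetBIOS probes the firewall dropped.
# Not the poster's configuration; hostnames, prefix and addresses are constructed.

# Write an iptables-restore ruleset to the file named in $1. The INPUT policy is
# DROP, so anything not explicitly accepted below is denied; SMB/NetBIOS is logged
# and dropped explicitly so the probes stand out in the weekly review.
# Review the file, then load it with: iptables-restore < "$file"
write_default_deny_ruleset() {
  cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 139,445 -j LOG --log-prefix "FW-DROP-SMB: " --log-level 4
-A INPUT -p tcp -m multiport --dports 139,445 -j DROP
-A INPUT -p udp -m multiport --dports 137,138 -j DROP
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
COMMIT
EOF
}

# Constructed netfilter LOG lines as they would appear in syslog. Two hosts probe
# TCP 445/139 and UDP 137; the SSH and DNS lines are there to show they are ignored.
SAMPLE_LOG='May 15 03:12:01 fw kernel: [12345.678] FW-DROP-SMB: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=1234 DF PROTO=TCP SPT=54321 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
May 15 03:12:05 fw kernel: [12349.001] FW-DROP-SMB: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40001 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
May 15 03:12:09 fw kernel: [12353.222] FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=1235 PROTO=UDP SPT=137 DPT=137 LEN=58
May 15 03:13:40 fw kernel: [12444.900] FW-DROP-SMB: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=1236 DF PROTO=TCP SPT=54322 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
May 15 03:14:02 fw kernel: [12466.100] FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 15 03:15:30 fw kernel: [12554.300] FW-DROP-SMB: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=40002 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
May 15 03:16:00 fw kernel: [12584.000] FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=61 TOS=0x00 PREC=0x00 TTL=110 ID=77 PROTO=UDP SPT=5353 DPT=53 LEN=41'

# Pass through only the log lines whose destination port is SMB or NetBIOS:
# TCP 139/445, UDP 137/138. Fields are parsed by their KEY= prefix, so the
# filter does not depend on the log prefix or on the order of the fields.
select_smb_drops() {
  awk '{
    proto = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^PROTO=/) proto = substr($i, 7)
      else if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if ((proto == "TCP" && (dpt == "139" || dpt == "445")) ||
        (proto == "UDP" && (dpt == "137" || dpt == "138"))) print
  }'
}

# Total number of dropped SMB/NetBIOS probes in the log lines on stdin.
count_smb_drops() {
  select_smb_drops | wc -l | tr -d ' '
}

# Source addresses of the probes, most frequent first, one "count address" per line.
smb_sources() {
  select_smb_drops \
    | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run: summarise the constructed sample.
echo "dropped SMB/NetBIOS probes: $(printf '%s\n' "$SAMPLE_LOG" | count_smb_drops)"
printf '%s\n' "$SAMPLE_LOG" | smb_sources
```

    In a real weekly review the input is the firewall's syslog (for example `grep 'FW-DROP' /var/log/kern.log | smb_sources`); the point of logging the SMB drops separately, rather than relying on the default policy alone, is that the weekly counts above become visible without any extra tooling.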

    1. Richard Jones 1
      WTF?

      Re: The lull before the next storm rolls in

      The last thing I read about Munich and Linux was a statement that it was a disaster and that they had to change course back to something with mainstream support. I guess the IT managers and the beer halls have a few missed appointments after all. Or has it all changed again?

      1. Anonymous Coward
        Anonymous Coward

        Re: The lull before the next storm rolls in

        "The last thing I read about Munich and Linux was a statement that it was a disaster "

        Don't believe all you read on the Interwebs !

        (esp. when posted by ACs- grin)

      2. Dan 55 Silver badge

        Re: The lull before the next storm rolls in

        New mayor and known MS fan who got MS to come to Munich says he wants to go back to Windows and commissioned a report from Accenture (which has offices in the same building as MS) to back him up. OTOH the head of Munich's IT says it's working fine.

        1. Planty Bronze badge
          Megaphone

          Re: The lull before the next storm rolls in

          The mayor is on the Microsoft payroll. It's Elop syndrome all over again...

      3. Doctor Syntax Silver badge

        Re: The lull before the next storm rolls in

        "The last thing I read about Munich and Linux was a statement that it was a disaster and that they had to change course bad to something with main stream support."

        That's Munich local government politics.

        How do you say "told you so" in German?

    2. Adam 52 Silver badge

      Re: The lull before the next storm rolls in

      How many vulnerabilities would there be in an unpatched Linux from 2001?

      And (this may be controversial) how easy would it be to upgrade to a 2017 version? I have a sneaky feeling that XP -> 10 breaks much less than Redhat 6 to RHEL 7. That's assuming you'd move from Redhat to RHEL and suck up the cost.

      1. itzman

        Re: The lull before the next storm rolls in

        A very pertinent observation.

        What we are talking about here is the ability for legacy applications to run on modern (more?) secure operating systems that didn't exist when the applications were implemented.

        Anyway you look at it this is a costly business. All solutions are expensive. As is no solution.

        Open standards help: Linux systems support huge amounts of legacy printers for example, that Win 10 drivers do not exist for.

      2. jake Silver badge

        Re: The lull before the next storm rolls in

        I have a small handful of boxen that have been running a subset of slackware-current since 1999 (Slack 4.0) ... There were a few issues along the way, mostly having to get enough old-school RAM to run modern kernels, but it's been surprisingly painless overall.

        Why? Curiosity more than anything else at this stage of their life.

      3. Doctor Syntax Silver badge

        Re: The lull before the next storm rolls in

        "And (this may be controversial) how easy would it be to upgrade to a 2017 version?"

        A lot of pre-compiled applications got broken at 2.4 > 2.6 although I think that was changes to libc at more or less the same time.

        "I have a sneaky feeling that XP -> 10 breaks much less than Redhat 6 to RHEL 7"

        I doubt it. Consider, for instance, the XP in hospitals issue: dependence on specific versions of IE because Microsoft decided to throw in a helping of non-standard stuff. Generally Linux/Unix complies with standards rather better so the temptation for developers to use that wouldn't be there. And a lot of the complaints with Windows updates seem to be broken drivers. Although you'll regularly get the anti-Windows trolls saying that Linux doesn't support this bleeding edge H/W (any more than the last version of Windows does) what they omit to say is that if you have a printer a few years old that the latest version of Windows doesn't support you'll probably find that Linux does.

    3. Kiwi Silver badge
      Trollface

      Re: The lull before the next storm rolls in

      My Linux based firewall has a number of rules. The first and most important one is DENY ALL. no access at all to any port/service.

      As opposed to Windows which is "open wide and allow all" (for the firewall, for the customer it's "bend over and allow all"...)

  17. Charlie Clark Silver badge

    Liability question

    The blame is a lot of fun because, as the law stands at the moment, virtually no one can be held accountable for this train wreck.

    Because software companies have traditionally been exempt from product liability as long as they can produce a patch, Microsoft is in the clear. But this is also why the NSA is in the clear: had it developed a worm for something that wasn't exempt from product liability then Microsoft would have a case for seeking damages from the NSA for discovering but not disclosing the flaw and subsequently developing an exploit. The development of such exploits is, by the way, already a criminal activity in many jurisdictions, so you'd need some kind of crown immunity.

    And then there are the companies that were using an unpatched version of XP, either because they couldn't update to a newer version or afford the ransom for the supported version. If they were running an XP because they have software that won't run on newer versions of Windows then they can blame their suppliers. But these are, of course, exempt from product liability. And the government will just blame the nasty criminals and terrorists and promise that a more repressive state is the only way to solve the problem.

    Removing the exemption from product liability for software is the only credible long term solution.

    Whatever: Hunt is still a cunt.

    1. Adam 52 Silver badge

      Re: Liability question

      The NHS Trusts aren't in the clear. The medical professionals are still on the hook for professional misconduct, and that's a personal responsibility that they shouldn't (in theory, but will be able to in practice) be able to duck.

      Patient data should be secure. Running insecure software on an insecure LAN isn't in any way an "appropriate technical measure".

      1. Charlie Clark Silver badge

        Re: Liability question

        The medical professionals are still on the hook for professional misconduct

        IANAL but I thought that the NHS still had crown immunity, and doctors are accountable to the BMA and not the courts. Trust managers might possibly be liable but I can see them doing a deal with their golfing buddy Hunt. Of course a few BOFHs and PFYs might get pink-slipped to be replaced by ATOS or similar monkeys. But that's par for the course, innit?

        1. Adam 52 Silver badge

          Re: Liability question

          Crown immunity went in the 80s and doctors are answerable to the GMC (and the courts). The BMA is more of a trade union (although, ironically, more pro-patient than the GMC)

          1. Adrian 4 Silver badge
            Black Helicopters

            Re: Liability question

            And what about the procurement of those systems ?

            They bought software or equipment that relied on a specific operating system from a closed-source vendor.

            Those systems should have been guaranteed by the vendor to have a plan to outlive the OS they were shipped with. That plan might have been to scrap the machine, to update its OS and apps, to quarantine it in a way that still kept it useful (e.g. copying files via a secure supported channel, whether FTP or sneakernet.)

            If the vendor had a plan and it failed, sue them.

            If the vendor had a plan and the beancounters crippled it, sack them.

            If there's anyone to blame for this mess other than the policies of the various governments that allowed a state agency to kill its citizens instead of protecting them, it's the accountants.

  18. Anonymous Coward
    Anonymous Coward

    U.S. military having some of its Tomahawk missiles stolen

    yeah, and I bet they will stop hoarding those!

    1. Anonymous Coward
      Anonymous Coward

      Re: U.S. military having some of its Tomahawk missiles stolen

      Why would anybody need to steal a Tomahawk? In the US you just sign up for a short hair cut, and get to play with them like toys. Foreigners get even higher priority treatment, and are often simply given them, with no-charge expedited delivery.

      1. Anonymous Coward
        Anonymous Coward

        Re: U.S. military having some of its Tomahawk missiles stolen

        "Foreigners get even higher priority treatment, and are often simply given them, with no-charge expedited delivery."

        Yep, but crucially, without any chance to examine the (prior - unexploded) contents beforehand, delivered right to your door, so to speak.

        1. Anonymous Coward
          Anonymous Coward

          Re: U.S. military having some of its Tomahawk missiles stolen

          without any chance to examine the contents beforehand

          If the locals are worried about not getting what they haven't paid for, the US military have them covered, they'll send several. Like launching 61 to smash 6 ageing Syrian jets the other week, thus spending about $100m dollars destroying a handful of obsolete aircraft that even if (theoretically) replaced with something comparable in capability but newly built, like a Chengdu F7, would only be worth $15m in total.

  19. DaleWV

    Back Doors?

    I'm surprised no one has picked and used this one as an argument against backdoors to encryption. This whole thing started when a backdoor known to the NSA got in to the public domain. Perhaps a perfect example of why backdoors are inherently unsafe.

    1. Anonymous Coward
      Anonymous Coward

      Re: Back Doors?

      "I'm surprised no one has picked and used this one as an argument against backdoors to encryption. This whole thing started when a backdoor known to the NSA got in to the public domain. Perhaps a perfect example of why backdoors are inherently unsafe."

      Or used as an Argument _in favor_ of backdoors ! You know, your files are encrypted, just send them to gov. agency, so they can decrypt them for you :) Of course, this is a paid Service.

    2. John Smith 19 Gold badge
      Gimp

      "Perhaps a perfect example of why backdoors are inherently unsafe."

      But those who know the idea of a backdoor that only the security services (of whatever country) can access is stupid already know it's stupid.

      Just as those data fetishists who want access to all data all the time forever don't care.

      The "willing fools" (as VI called them) who support the data fetishists (the UK's current Home Secretary, and the previous 8 or 9 sock puppets who've filled the role, May included) will say what they are told to say.

      1. Anonymous Coward
        Anonymous Coward

        Amber Rudd had no clue technically in describing what she was dealing with.

        Even watching a marginally toned down Amber Rudd yesterday (compared to the encryption hyperbole nonsense interview on Andrew Marr (Marr was as bad), regards WhatsApp/Westminster Bridge attack).

        Amber Rudd's whole tone yesterday came across as fundamentally not having a clue (technically) to what the actual threat was, what she was dealing with. The problem is inherently unpatched Windows machines, it's underfunding by the Conservative Government, regards the NHS. It's Senior mismanagement including the likes of Hunt.

        She never once mentioned underfunding as a potential issue, which just shows deceit/manipulation of the fundamental issues here.

        I felt this was inevitable (and said as much) since the Shadowplay NSA leaks and TWiT's Security Now had covered the SMB issue extensively since March.

        If you work at a Senior level in the NHS IT/Security, you seriously dropped the ball, because this car crash was playing out right in front of your eyes, but the same applies to anyone working at Microsoft too.

  20. naive

    MS Marketing is brilliant

    Months ago a ton of NSA exploits was published. MS did nothing with it, until now it resembles a medieval plague outbreak, because hackers started using this leaked NSA stuff.

    Then MS Marketing wants us to believe: NSA is hoarding vulnerabilities, it is not us but the NSA to blame.

    So after doing nothing for months, all MS does is accusing the NSA.

    Well done MS, not only for leaving big holes in their OS with which they make revenues of hundreds of billions, but then accusing others when things go wrong.

    Maybe once upon a time, the day will come when the world ends this MS addiction, since that company is nothing more than a slimy leech, spreading diseases.

    1. Named coward

      Re: MS Marketing is brilliant

      "So after doing nothing for months"...

      MS fixed this in March for supported OSes. Asking for a patch for XP is like asking for a patch for Ubun^H^H^H^H Debian 3

      1. dajames Silver badge

        Re: MS Marketing is brilliant

        MS fixed this in March for supported OSes. Asking for a patch for XP is like asking for a patch for Ubun^H^H^H^H Debian 3

        If you are paying for extended support to XP (as the NHS was until HMG decided that that cost too much) then, for you, XP is a supported OS. Microsoft would have sent you the patch in March.

        So, yes, I suppose it is like asking for a patch for Debian 3 -- if you're paying someone to support Debian 3 for you. The difference is that anyone can support Debian 3, if they have a reason/desire to do so, but only Microsoft can support XP.

      2. Adrian 4 Silver badge

        Re: MS Marketing is brilliant

        I have no love for MS. But they produced a fix when made aware of the problem. This is not their fault beyond a generally shoddy product. Black hats will always make use of a security hole before patches are adequately distributed, because patches are not and should not be applied without thought.

        The blame lies with the NSA and governments (UK has the same policy so is just as much to blame as US). Risk could have been reduced by adequate understanding of security. Which governments and civil servants resoundingly lack.

        1. the Jim bloke Silver badge
          Devil

          Re: MS Marketing is brilliant

          Yes, they produced a fix ..... back in February, according to another Reg article. I can see why they wouldn't release it until they could profit from it, but that doesn't make them in any way decent human beings.

          Expect that the next time this situation arises MS will sanitise their metadata a bit better - but otherwise same same..

  21. Cleartext

    My take on this, stop blaming others, sort out your operating systems & application software [lack of] security. It's eighteen years at least since the first PC related (boot sector/MBR) viruses appeared and it was 1994? when MS Office macro viruses appeared.

    1. Anonymous Coward
      Anonymous Coward

      1994 MS Office macro virus appeared.

      With little to no work, I'm sure those 1994 macro viruses are still compatible with MS (Full Fat) Office 2016 / Windows Registry today.

  22. Graham Cobb

    Ministers need to sort out GCHQ

    I will post here a comment I made over the weekend in a different location:

    I stand by my view that this incident sits squarely at the feet of those who are paid to protect us but played gods by treating life-threatening faults as if they were weapons and had no contingency plans in place to protect us from the fallout.

    Ministers should resign over it.

    GCHQ need to get real and dramatically change their risk assessments and decisions around exploit hoarding. Of course we won't get rid of it entirely but this impact was completely foreseeable and the policy needs to properly take the risks into account. Not disclosing an exploit must be an exception; it must require sign-off from the highest levels in GCHQ; it must be very time limited (e.g. no more than 12 months); and there must be a contingency plan in place to deal with any public emergence of the bug before they disclose it (including emergency patches prepared to fix the problem).

    And ministers need to bang heads together in GCHQ to enforce this culture change.

    1. Doctor Syntax Silver badge

      Re: Ministers need to sort out GCHQ

      Not disclosing an exploit must be an exception; it must require sign-off from the highest levels in GCHQ a cabinet minister; it must be very time limited (e.g. no more than 12 months)

      And after the expiry or if it all goes pear-shaped the sign-off should be made public.

  23. Anonymous Coward
    Anonymous Coward

    El Reg Comments on Hacks

    A 20 point cut out and keep all purpose set of El Reg comments on any hacking issue. Select from 1 to 3 items and post liberally.

    1. I warned about this in 1973

    2. It's all the Tories' fault

    3. FFS what is anyone doing in 2017 running hackme1997?

    4. It's all the PHBs' fault

    5. It's all Labour's fault

    6. It wouldn't bother me because I keep my backups written out in longhand in a vault on Mars

    7. It's all the Lib Dems' fault

    8. Russia

    9. NSA

    10. Well I applied KB. 123456 - Smug prat, last month, didn't everyone?

    11. Linux

    12. I wasn't caught out, but that's because I'm brilliant and realigned the flux compensator by hand

    13. Well I applied KB. 123456 - Smug prat, last month and all my systems crashed and caught fire,

    14. Our place was hit, but that's because I have to work with that previous twit's code

    15. Criminal sys admins not patching

    16. Criminal OS vendors providing bad patches

    17. Criminal software vendors writing code that can't run on patched systems

    18. Why not run all your computers standalone and transfer data via an airgapped printer/scanner setup?

    19. Cloud.

    20. Did I mention I'm really clever?

    1. John Smith 19 Gold badge
      Coat

      Re: El Reg Comments on Hacks

      Yours to cut and paste as and when necessary. *

      *No purchase necessary.

      1. DropBear Silver badge
        Trollface

        Re: El Reg Comments on Hacks

        Cutting and pasting takes too much effort. I need a tear-off version!

    2. Nick Ryan Silver badge

      Re: El Reg Comments on Hacks

      Did I mention that I'm really clever? I noticed that it was all the Tories' fault as they encouraged, nay forced, criminal software vendors to write code that can't run on patched systems.

      Genius sir. I now no longer have to think about any posts. Ever. Let's lobby El Reg to build a real (and genuinely) AI system that can create posts for us. Perhaps with a little help from the community it will produce output more intelligible than their previous attempt, AManFromMars.

      Although perhaps one could add sub-categories to the scheme and group it according to political party, vendor, supplier, cloud blame and all that. I suspect that merging it with the BofH's excuse calendar would help as well. Currently the most obvious omission is the "I build my own processors by hand using tin and copper that I mine in my own garden therefore I know my processors inside and out" type of response...

    3. Gary Heard
      Happy

      Re: El Reg Comments on Hacks

      Sorry, that's a "FLUX Capacitor", if you are using a Flux Compensator you'll never be able to complain

  24. plrndl
    Boffin

    Security Agency?

    The NSA has produced a "tool" that has been used as a weapon against the people it is supposed to be defending.

    The NSA has failed to protect itself from the inevitable hackers, enabling this tool to be released in the wild.

    The agency is clearly unfit for purpose, and counter-productive, and should be dismantled ASAP.

    This goes for GCHQ too.

    (The icon is intended ironically.)

    1. Adrian 4 Silver badge

      Re: Security Agency?

      This is the equivalent of Porton Down (or whatever the modern equivalent is .. probably big pharma) hoarding the smallpox virus while permitting inoculations to cease, so that they could use it as a biological weapon.

      And then carelessly releasing it.

    2. IanMoore33

      Re: Security Agency?

      NSA told MS about it and they never released a patch

      1. jake Silver badge

        @IanMoore33 (was: Re: Security Agency?)

        "NSA told MS about it and they never released a patch"

        Do you have proof of this assertion, or is it purely idle speculation on your part?

  25. Anonymous Coward
    Anonymous Coward

    Lack of fall back systems

    I do wonder how many extra problems are due to people being too dependent on the IT systems and some disruption may be just due to lack of alternative systems in place (always good to have a fall back system)

    e.g. I rang my GP practice today to arrange a repeat prescription, during the 4 hour window the surgery allows for repeats.

    "No we can't do that" said the receptionist, "due to all the NHS IT problems, systems being down"

    "OK", I said, "Please can you write my details down on paper, file it, and then arrange the repeat when things are working OK."

    "No"...

    "But it just means I will keep having to waste your and my time ringing you each day to see if it's possible whereas if you took my details now it would save us both time"

    "No."

    The default pharmacy for prescriptions for that practice is attached to the surgery, so it's not as if there are huge complexities there.

    Though of course, GP receptionists do have a reputation for being the most unhelpful "service industry" workers in the universe, so probably love the system down excuse.

    AC due to misc personal details health stuff

    1. Anonymous Coward
      Anonymous Coward

      Re: Lack of fall back systems

      "Though of course, GP receptionists do have a reputation for being the most unhelpful "service industry" workers in the universe,"

      Always find the receptionists at my GP surgery very helpful.

      YMMV

    2. John G Imrie Silver badge

      Re: Lack of fall back systems

      always good to have a fall back system.

      A fall back system is a waste of resources, The Management.

  26. cyclical

    Speaking to a friend of a friend who works in a relevant department in the NHS, the estimate for patching legacy systems was £15m, and the budget given to them was £750k. There are also a lot of million quid bits of equipment out there with software from bankrupt or disappeared companies that requires XP or similar, and YES they shouldn't be connecting these machines to SMB shares at all, but it's never just been as straightforward as just patching some computers.

    1. Anonymous Coward
      Anonymous Coward

      Yep, that's one of the big problems. While it's popular to portray the IT guys who do the work in the NHS as incompetent they are hit with largely insurmountable problems from all sides, namely:

      * Incompetent software vendors building software that, stupidly, requires Internet Explorer 6 or some ghastly ActiveX control that only works with it to operate. Yes, calling them incompetent isn't nice, but they should never have coughed out code that worked in this way, regardless of what the MS marketing department was saying.

      * Hardware drivers, for specialist devices, that are generally entirely undocumented and only work with specific Operating System versions and, often due to supplier issues, are entirely irreplaceable. This could either be due to the supplier no longer existing or having moved on from that platform 10 years ago and have no real capability to update these drivers (hence will place a ludicrous update price on them).

      * Continuous cost cutting exercises because it's far easier to slash a service department's budget than it is to purge an organisation of largely pointless management layers and external specialists (consultants) who are brought in because it was a short term saving to stop employing them, particularly with external consultants being a different budget category.

      * PFI builds. These are one of the biggest drains on NHS spending there is - lovely new hospitals, often incomplete due to specification problems, that the NHS is contractually obliged to fund for the next 50 years or so. Usually paying out considerably higher sums within just a few years (as in just longer than an election cycle) than if the NHS had built its own hospitals.

    2. Adrian 4 Silver badge

      So they're using medical equipment which is no longer supported or maintained.

      Is that legal ?

      1. Kiwi Silver badge
        WTF?

        So they're using medical equipment which is no longer supported or maintained.

        Is that legal ?

        1) If the device does the required job to an acceptable standard, why should it not be?

        2) Do you wish to stump up with the cash to replace units that cost in excess of $10k just for the special transport arrangements, let alone the purchase cost that is many times this price?

        3) There's a reason these things are used for many many many years. See 2..

        1. cyclical

          Medical hardware often only gets 'end of lifed' about 10 years after it stops production - and they are rarely on cutting-edge software platforms to start with. There is too much disparity between the lifecycle of the very, very expensive MRI machines, and the software/OS side of things - one of the reasons these machines are so expensive is that the hospital expects to have support and updates for the lifetime of the hardware. If a company goes titsup, then you're probably stuffed. Having said that, isolating anything that can't be patched from your main network would be a good idea, but once again - budget restrictions don't allow that kind of undertaking, so the risk will always remain.
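The isolation point made in this sub-thread, together with the default-deny firewall Kiwi describes further up ("the first and most important rule is DENY ALL"), can be turned into a policy that is actually checkable. The block below is an added example, not code from the thread, from El Reg or from any NHS trust: the segments, addresses, hosts and rules are constructed sample data, and the evaluator is a simplified model of a first-match, default-drop inter-VLAN firewall rather than any vendor's syntax.

```python
"""Model "if you cannot patch it, quarantine it" as a checkable policy.

Added example (not from the thread). Segments, addresses, hosts and rules
are constructed; the evaluator is a simplified first-match, default-drop
inter-VLAN firewall, not any vendor's configuration language.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed segments; the inter-VLAN firewall sits between them.
SEGMENTS = {
    "clients": ip_network("10.10.0.0/16"),
    "imaging-quarantine": ip_network("10.20.0.0/24"),  # modalities only
    "servers": ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port


# Explicit allows only; anything unmatched falls through to the default drop.
RULES = [
    # The PACS gateway alone may pull images from the quarantined modality.
    Rule("accept", ip_network("10.30.0.5/32"), SEGMENTS["imaging-quarantine"], 445),
    # Clinical workstations reach the PACS web front end over HTTPS only.
    Rule("accept", SEGMENTS["clients"], SEGMENTS["servers"], 443),
]


def evaluate(rules, src_ip, dst_ip, dport, default="drop"):
    """First-match evaluation; the default policy is the deny-all backstop."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return default


def segment_of(ip):
    """Name of the segment an address belongs to, or None if unknown."""
    a = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if a in net), None)


def reachable(rules, src_ip, dst_ip, dport):
    """Traffic inside one VLAN is switched, not routed, so the inter-VLAN
    firewall never sees it: same-segment peers always reach each other."""
    if segment_of(src_ip) == segment_of(dst_ip):
        return True
    return evaluate(rules, src_ip, dst_ip, dport) == "accept"


# Constructed inventory of hosts that cannot take the SMB fix.
UNPATCHED_SMB_HOSTS = {
    "xray-console": "10.20.0.7",    # XP modality, placed in the quarantine VLAN
    "finance-legacy": "10.10.5.9",  # XP box left sitting on the client VLAN
}

# One representative source per general-purpose segment, used to probe policy.
PROBES = {
    "clients": "10.10.1.1",
    "servers": "10.30.0.20",
}


def audit(rules=RULES, hosts=UNPATCHED_SMB_HOSTS, probes=PROBES):
    """Return (host, source_segment) pairs where an unpatched host's TCP/445
    is reachable from a general-purpose segment rather than the lone gateway."""
    findings = []
    for name, ip in hosts.items():
        for seg, probe_ip in probes.items():
            if reachable(rules, probe_ip, ip, 445):
                findings.append((name, seg))
    return findings


if __name__ == "__main__":
    for host, seg in audit():
        print(f"{host}: TCP/445 reachable from segment {seg}")
```

The result worth noticing is that the X-ray console passes while the finance box fails even though neither has an allow rule pointing at it: the finance machine shares a VLAN with ordinary workstations, so no amount of inter-VLAN filtering protects it. Quarantine means a segment of its own, not just a firewall in the path.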

    3. Kiwi Silver badge
      Joke

      but it's never just been as straightforward as just patching some computers.

      Shhh! Facts and/or reality are NOT welcome here!

  27. GingerOne

    I do like how all the haters keep suggesting everyone ditch Windows and move to Linux. If that were to happen then all the bad guys would do the same and Linux would become the infection riddled beast while Windows was left alone to be clean and care-free.

    Be careful what you wish for little penguins. Windows is only as dirty as it is because of its popularity!

    1. Gary Heard

      How many times have I heard a "Windowsphile" say that? It would have a greater attack vector, that I would agree with, BUT (notice it's a BIG but) the basic design differences would require MUCH more work from miscreants.

      The problems with Windows are multifaceted,

      1) Closed Code

      2) Reused code from years gone by

      3) An architecture that never had any form of Security consideration when it was conceived

      as this states for XP (for win 7 and above just prepend Windows Vista/7/8/10 64 bit extensions are.....)

      Windows XP 32 bit extensions are a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor, written by a 2 bit company, that can't stand 1 bit of competition.

      source: http://www.jokes4us.com/miscellaneousjokes/corporatejokes/microsoftjokes.html

    2. plrndl
      Linux

      @ GingerOne

      You obviously know absolutely nothing about operating systems.

    3. Anonymous Coward
      Anonymous Coward

      Linux would become the infection riddled beast

      Lol. You know over 90% of servers run on BSD or Linux? There's this thing called a security model and free software community. Apple's iOS and Google's Android are Unix-like and have massive install bases without the SNAFU that is Microsoft Windows.

    4. Richard Plinston Silver badge

      > I do like how all the haters keep suggesting everyone ditch Windows and move to Linux. If that were to happen then all the bad guys would do the same and Linux would become the infection riddled beast while Windows was left alone to be clean and care-free.

      No. The real problem is that Windows caters for malware _by_design_, and as 'convenience' features.

      For example when a USB drive was inserted* then Windows would automatically execute code on the drive which could well be malware infecting the machine. When an email was opened, or merely clicked on in order to delete it, then attachments were opened and, potentially, code was executed, such as excel macros. When a file is downloaded then it may be executable without any further action. File types are deliberately hidden which disguises the actions that may be taken if the name is clicked on.

      These, and many others, were all stupid decisions made by Microsoft which were avoided by other systems such as Linux and BSD.

      The other issue is that Windows is a virtual monoculture with only a handful of variations. This allows malware like Wannacry to spread easily to large numbers of machines. Linux distros have a large variety of differences so that malware designed to infect one brand using, say, a buffer overflow, probably won't work in other distros.

      > Windows is only as dirty as it is because of it's popularity!

      No. It is as dirty as it is because Microsoft prefer it to be 'convenient' (including for malware) instead of secure.

      * several of these issues have been fixed or avoided over the years.
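The hidden-extension point in this post can be made concrete. The block below is an added example, not code from the thread: it models Explorer's "Hide extensions for known file types" behaviour with a constructed list of "known" and executable extensions (an assumption, not a readout of the Windows registry) and flags names whose visible form suggests a document while the real extension would run code.

```python
"""Model how hiding known file extensions disguises what a click will run.

Added example, not code from the thread. KNOWN and EXECUTABLE are a
constructed approximation of what Explorer treats as "known" and what a
double-click will execute; they are not read from the registry.
"""

# Extensions Explorer hides when "Hide extensions for known file types" is on
# (constructed subset).
KNOWN = {".txt", ".pdf", ".docx", ".xlsx", ".jpg", ".png",
         ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}

# Extensions that execute code when double-clicked (constructed subset).
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
              ".js", ".jse", ".vbs", ".vbe", ".ps1", ".hta", ".lnk"}


def real_extension(filename):
    """Lower-cased final extension, or '' if there is none."""
    _, dot, ext = filename.rpartition(".")
    return "." + ext.lower() if dot else ""


def displayed_name(filename, hide_known=True):
    """The name Explorer shows: the final extension is dropped only if known."""
    if hide_known and real_extension(filename) in KNOWN:
        return filename.rpartition(".")[0]
    return filename


def apparent_extension(filename):
    """The type a user infers from the displayed name."""
    return real_extension(displayed_name(filename))


def is_disguised(filename):
    """True when the displayed name ends in a non-executable-looking extension
    while the real one executes (invoice.pdf.exe is shown as invoice.pdf)."""
    real, shown = real_extension(filename), apparent_extension(filename)
    return real in EXECUTABLE and shown != "" and shown not in EXECUTABLE


def flag_disguised(filenames):
    """Return the names whose visible type misrepresents what a click runs."""
    return [f for f in filenames if is_disguised(f)]


# Constructed sample directory listing.
SAMPLE = ["report.pdf", "report.pdf.exe", "setup.exe", "holiday.jpg.scr",
          "notes.txt.bak", "invoice.docx.js", "README"]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f:18s} shown as {displayed_name(f):14s} disguised={is_disguised(f)}")
```

Note that "setup.exe" is not flagged: it is shown as "setup", which tells the user nothing, but it does not claim to be a document. The check only fires when the hidden extension lets a second, harmless-looking extension stand in for the real one, which is exactly the disguise the post describes; turning the hide-known setting off (the hide_known=False path) removes the mismatch entirely.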

    5. AlbertH
      Linux

      Be careful what you wish for little penguins. Windows is only as dirty as it is because of its popularity!

      Nope. The fundamental structure of Unix and Unix-alike systems (including Linux) is based on rigorous permissions. I haven't come across any piece of malware that can actually guess my Administrative Password....

      Unfortunately, a Truly Stupid Decision™ was taken by Bill Gates himself in the late 80s - "security doesn't matter - it's all about 'Ease Of Use'". This has haunted them ever since - shipping OSs and software with any tiny vestige of security just tacked on as an afterthought.

      Windows is rather analogous to cassette tape - it's a home use medium, but not suitable for serious, high quality work!

    6. Anonymous Coward
      Anonymous Coward

      Untrue. Windows is now the 2nd most popular platform, the number 1 platform is opensource and despite the scare stories from clickbait articles, it's got a proven good track record. Much better than Windows. Its codebase is also far newer than Windows, and comes from a post internet era..

  28. cantankerous swineherd Silver badge

    Microsoft's chief lawyer seeking to deflect liability here, possibly correctly.

  29. Anonymous Coward
    Anonymous Coward

    lol Windows

  30. Baldie
    Pint

    "by then-Health Secretary Jeremy Hunt"

    Sounds good to me.

  31. Kiwi Silver badge
    Coffee/keyboard

    This just makes me feel so... icky....

    A security statement from MS that I agree with. How will I ever be able to look at myself in the mirror again? (actually I seldom do but that's beside the point).

    But yes. Those who hoard vulnerabilities rather than letting the vendors know are responsible for the result. And while it's easy to blame MS for their lax security (I do it all the time!), there are things that people simply don't think/know to test for because no one else has done so first. That this flaw has been around so long without some white/greyhat finding it earlier shows it wasn't some easy-to-find flaw sitting on the surface.

    And I thought the key responsibility for the NSA was to protect US citizens/businesses etc from "cyber attacks"? How many of their charges have been hit by this? How many said businesses will fold because they lost their data (yes, because of lack of backup or whatever (although many have backups that are good for physical damage but would be lost to many of these types of attacks))? How many millions of $US has been lost because of the activities of the NSA? Given the yankee penchant for lobbing sueballs at everyone over there, can someone target the NSA for lost earnings/lost opportunities/mental suffering and so on?

    And can someone sue the NSA on my behalf for creating a situation where I have to agree with a statement from MS about security? (and you can even keep all the winnings!)

    Icon --> That's not coffee... #offtocleanupvomit

  32. Anonymous Coward
    Anonymous Coward

    I know one should rise above..

    But imagine if the crims hoping to receive funds from the NHS, got instead one of their "impossible to remove" infections instead?

    I'm not saying I'm proud of the idea, in fact I felt a little ashamed once I'd stopped chuckling.

  33. Stoke the atom furnaces

    Not fit for purpose

    Why doesn't Microsoft quit whining about the NSA and get on with the job of fixing their buggy software?

  34. JulieM Silver badge

    Digital Geneva Convention

    That's a bloody good idea. We also need a Ministry of IT with people in charge who actually know about computers. (Hey, a gal can dream, yeah?)

    The real problem is drivers. While it's been standard practice for home users to throw away their printers, scanners, cameras, graphics cards, routers and other devices and buy new when a new update renders them inoperable, that isn't exactly a viable option for something like an MRI scanner. So, obsolete Operating Systems are retained for want of any alternative. (There is even kit still in use in industry that expects DOS, or Windows 3.11.)

    Let's have a law like: If you want to sell a piece of hardware that depends on a general-purpose computer for its operation, then you have to release enough information that would allow a sufficiently-competent programmer to write a driver that would make it usable with a different computer. Source Code with comments and meaningful variable and function names should be considered sufficient for this purpose.

    And no whinging from manufacturers about revealing things to their competitors. Everyone would be in the same situation. This is the NHS we are talking about. Other people's right to live outweighs your right to hoard "intellectual property".

Biting the hand that feeds IT © 1998–2019