A few important points not featuring in the wall to wall media coverage
– This is US government security service technology, developed by the NSA. Edward Snowden has confirmed this and nobody is denying it. You might think that would be a prominent part of the story, but strangely it isn’t.
The arms race between major powers to develop cyber warfare and cyber surveillance capacity is a massive threat to the security of the internet. It is the very governments who most like to claim they need to intervene to protect us, who are in fact creating the dangers they cite. This is NSA software; WikiLeaks “Vault 7” leak has revealed the similar massive effort at the CIA in developing destructive software.
That is not to say the NSA or US government is behind this worldwide attack. But it is to say that western governments are spending billions of pounds on developing malware, which they cannot themselves keep safe. This should be viewed in the same light as chemical weapons programmes. Urgent international action to outlaw weaponised malware development should be a priority for the international community, as the danger to increasingly IT dependent services is extreme. The United States is the biggest aggressor and the biggest danger.
– Theresa May as Home Secretary was responsible for UK cyber defences for seven years. So the Tory efforts to blame everybody else today are misplaced. The buck stops with May.
Underfunded NHS Trusts have privatised IT management and outsourced the control and security of their computer systems to contractors, as part of the general rip-up of the NHS to provide private profit. These companies are more interested in maximising profits than safeguarding against contingent attacks. Very few NHS Trusts now employ their own NHS team of dedicated computer specialists maintaining and caring for their systems, including their defences.
This process has been accelerated under the Tories, but it must not be forgotten it was started by New Labour under Gordon Brown and Tony Blair. New Labour’s 2002 policy document “Developing 21st Century IT Support for the NHS” concluded that Option 2 was the way forward: “Selectively outsource major components of the NHS IT programme”. That was New Labour. The Tories have accelerated and extended it, and chronically underfunded the NHS. That is why so little money has gone into maintaining NHS IT systems, and what little has gone in has had little effect.
Corporate profits have been great though. Remember that extraordinary numbers of MPs have financial links to private healthcare firms. If the Tories win a landslide, doubtless the numbers of MPs personally profiting from NHS privatisation will increase still further.
The U.S.’s NSA and its Israeli counterpart let the genie out of the bottle with Stuxnet.
The deeply worrying aspect about this is that our health service was left hung out to dry by forcing them to use completely outdated and insecure Windows XP software. What should have happened years ago is the MILLIONS spent in keeping support on this going to 2015 should have instead been used for the NHS to produce their OWN build of Linux that would be absolutely tailored to getting the most out the available hardware both in terms of performance but also as it has now been seen, security.
This is a colossal scandal that for DECADES vested interests have denied our healthcare system the benefits that companies like Google, Twitter, Facebook and not to mention myriad Banks, Stock Exchanges and most of the Internet in fact.
90% of NHS Trust computers are still using XP, according to the numerous sources. I wonder if this has been an economically driven policy? This kind of ransomware isn’t new, it’s been around for years, it’s not even that sophisticated. If the NHS network can be so badly affected by this particular attack, we are in deep trouble. And here was me, thinking that we had paid for a state of the art, world leading computer system for the NHS.
Here’s a twing from @LabourEoin twitter page. https://pbs.twimg.com/media/C_ssU1mWAAECLJ_.jpg:large
I have read in numerous places the funding for XP support did not extend beyond 14th April 2015 including this from Guardian. https://www.theguardian.com/technology/2015/may/26/uk-government-pcs-open-to-hackers-as-paid-windows-xp-support-ends
It appears XP may still be running in other government sectors. Erm, where are May and Hunt to answer urgent questions on these matters? “Strong and stable” my arse!
What could possibly make you think that the NHS had been allowed to pay for a state of the art system? Are you insane? Hunt is determined to destroy the NHS so that private vultures can pick over its bones. That’s what Tory voters are voting for, whether you know it or not.
In a radio interview last night an ex-hacker named a few countries who funnelled enormous resources into developing viruses and malware for offensive purposes. The UK was one of them. When later asked what measures were in place to protect UK systems from such attacks he said there was practically none.
He also said that the operating system used by the target organisation was irrelevant in cases like this.
All mainstream operating systems have vulnerabilities, but that doesn’t make choice of OS irrelevant in a case like this. Parts of the NHS are using Windows XP, which has far more vulnerabilities than other current systems. The reason they’re still using XP is that they’re suffering from “customer lock-in”, a deliberate ploy by the software corporations to make it difficult, expensive or impossible to migrate to other systems.
Lock-in works via restricted file formats. When you save from, say, Microsoft Word, the file can only be opened from Microsoft Word.
– “About 3 million computers get sold every year in China, but people don’t pay for the software. Someday they will, though. As long as they are going to steal it, we want them to steal ours. They’ll get sort of addicted, and then we’ll somehow figure out how to collect sometime in the next decade”
Bill Gates, CNET News (2 July 1998)
Hmm. Most Microsoft file formats are operable by open source software. Biggest barrier in my mind is that the managers are IT illiterate and scared of ‘need things. The Microsoft operating systems and remote management software we use in the NHS are incredible. They can slow the faster computer down to a crawl. Really impressive.
Yes, publicly licensed packages such as OpenOffice can open restricted formats such as Microsoft Office documents, but only because dedicated teams of hackers (programmers) working under anonymity (to avoid legal harassment) reverse-engineer the secret Microsoft formats.
That will be why Microsoft, only hours ago, released an ‘highly unusual’ patch for the XP operating system then.
I had to leave work ten minutes early because of this. Bastards
Ten minutes earlier in the pub.
Life can be grand sometimes.
Haven’t heard much from J. Hunt in all this NHS news yet. Is he on holiday? Or just simply unconcerned with such trifling matters?
Yes-his silence/invisibility is stunning. What is his reason for being A.W.O.L.at such a time?
He’s probably in America again, chatting up the private healthcare companies. Apparently he’s there rather a lot these days.
One scandal here is how Microsoft are allowed to keep replacing operating systems every few years so as to increase their revenues and not supporting old operating systems – rather than being allowed to do this they should be required to produce, update and maintain a single operating system (which can be scaled in its functions according to the power of the computer it operates on) which lasts an awful lot longer than the current operating systems. The underlying computer hardware should be made to last with an operating system and basic software that matches – rather than having to be replaced every 4 to 5 years to suit the pocket of Microsoft and its friends. This built in obsolescence needs to be stopped – it is not good for the environment or our pockets.
Why bother with proprietary software at all? The majority of the Internet runs on software licensed to the public under the GNU GPL and similar licenses that legally protect the freedom to innovate.
Make yourself an Ubuntu boot CD, RD. It’ll take a while to break the chains that bind you, but after you have you’ll never look back. Whole governments have made the break.
Why bother with proprietary software at all?
Because like most people I just want to plug in my computer and use it – I’m not a great fan of DIY around the house either. I see one of the requirements of government as protecting us from the abuse of monopolies.
How many hours a year do you spend on playing around with your computer(s) rather than using them? Compare your answer with mine and you probably have the answer to your question.
I use GPL software because it’s MORE reliable, MORE secure. It takes me a fifth of the time to install a GPL system compared with reinstalling Windows and doing all its interminable updates because it developed a bug or picked up some virus. My current installation of Trisquel has been running for three years with no maintenance whatsoever, and it doesn’t need any anti-virus or the constant updating and scanning that go with it.
But if you can’t do it yourself, just look up your local Linux users’ group; they usually meet monthly in a local pub. Pay one of them to install a system for you, and you’ll always know where to turn if you run into a problem. You’ll also be creating employment locally.
Or just buy a computer with the system pre-installed:
https://www.google.co.uk/search?q=buy+gnu/linux+preinstalled
You realise your router probably runs GNU/Linux? And quite possibly your TV. And Security Enhanced Linux version 4 was being developed as a verified unbreachable system for the next generation of US drones. And Android is built upon the Linux kernel. Etc, etc…
Richard Stallman (writer of the GPL) says, “if the software is free, the users will fix it”. And we do, as Firefox and OpenOffice demonstrate very effectively.
The word ‘free’ refers to freedom, not price. ‘Users’ in this case would include the NHS. Under proprietary licenses such as Microsoft’s, the users are prevented by law from ‘tampering with’ (ie. improving and repairing) the software they use.
I love that term ‘tampering’ when it refers to fixing or improving something that I have bought and paid for myself.
It suggests interfering with, corrupting or having a malign influence on something. It’s outrageous that there are ‘tamper-proof’ screws on my kettle, so that when a thermal fuse worth about £0.50 fails, I have to buy a new kettle because I’m considered naughty if I want to ‘tamper’ with it by fixing it.
This approach is driven by corporations who want us to simply throw something away the moment it stops working, or “upgrade” by buying a new version for no good reason.
I don’t mind paying for software – what I want is something that lasts and which is updated automatically in the background rather than requiring extensive intervention. I also need to be able to supply the outputs (i.e. files) with others without compatibility issues – so they need to have the same or compatible software. I’m afraid “open source” just cannot deliver on this at present – I wish it could as I don’t like Microsoft as much as the next guy and it is very clear that they are exploiting their monopoly.
– “I also need to be able to supply the outputs (i.e. files) with others without compatibility issues – so they need to have the same or compatible software”
That’s because the software companies either patent their formats, or keep them secret under commercial confidentiality. If they’ve kept it secret, hackers (programmers) can reverse-engineer the format. If it’s patented, well, licenses will have to be bought.
You need to boycott the bastard software companies, or they’ll just keep on doing it. In particular, governments need to boycott them. For goodness’ sake, the government can employ programmers, can’t it? Really RD, you don’t understand the New Left. This is an entire battle you need to learn about. The potential – for regaining control from the corporations, for employment – is enormous.
ResDes,
I have been living your wish list on this for the past two and a half years. It’s called Linux Mint. Piece of piss to install on a CD disc which cost around a fiver. It tells you when any software you have on your computer has an update available which generally takes less than a minute on the press of a click and a user generated password.
It comes complete with a link to a shed load of free software including an office suite which I ‘ve recently used to construct several presentation packages which it allowed me to convert to be compatible with my previous MS PowerPoint 2003 version on another computer belonging to someone else in the house to enable upload to Dropbox in a format others who wanted to share but who had only Windows software to access and download.
For the past twenty years or so never a single year went by without the need to reinstall and or repair whatever Windows OS I was using at the time at least several times a year. I have wasted months, if not a whole year or more of my life piss in about with the shite OS which is Windows. Wasting days at a time trying to recover data, rebuild, reformat, repair and so on. Not any more.
Reason being the model and approach Microsoft uses is not to properly test any bit of software once it is written but to ensure that it captures monopoly market share straight away by “ship it on Tuesday and we will fix it in version three.” Time is money and a whole lot of other things to users of the pile of poo that is Windows. The amount of time users, captured by this monopoly approach, have wasted trying to clear up the resultant mess on their computers from this approach represents a massive subsidy transfer of money, time and resources from the end user to Bill Gates and his Corporation which makes his philanthropic contributions miniscule in comparison.
Once you make the jump you will wonder why you waited so long.
RD, there’s no restriction against buying and selling publicly licensed software. The word ‘free’ in ‘Free Software’ refers to freedom, not price. It’s just an ambiguity in the English language. We think of ‘free’ as meaning ‘without payment’, but if you ask a prisoner or someone in chains what ‘free’ means, their first thought isn’t likely to be about payment.
Confusion can be avoided by use of the Spanish word ‘gratis’ for ‘without payment’, and the French ‘libre’ for ‘without restriction’. I use libre software.
— Why bother with proprietary software at all?
Because a large organisation does not have the resources to train an entire workforce to use an alternate OS and accompanying software suites. But that’s not to say BSD/Linux shouldn’t be deployed on server gear, where possible. The problem here is that the off-the-shelf, MCSE goons at “cost-effective” firms cannot do that.
It is heartening to find myself agreeing with a perfectly sensible comment. If you pay for something and it is functional, not dangerous to others (for example cars which are no longer roadworthy) and serves its purpose, purchasers should not be penalised if they choose not to upgrade to the latest release. Later software releases are those most likely to be spying on us all.
Most cars are made with a shelf life of 10yrs plus – difficult to see why computer hardware should not have the same or longer. Could also say the same for a whole load of household appliances which are now being designed to fail. It isn’t good for the environment or our pockets – and it is something that proper regulation can fix.
I agree.
Sort of thing that should be in the Labour manifesto!
– “Sort of thing that should be in the Labour manifesto”
Well if we hadn’t been so busy fighting off attacks from out own ranks of Blairite warmongers, we might have had time.
Clark
Sorry, but who are the “we”? Are you saying that the manifesto is written by Labour Party rank and filers (but who were otherwise engaged this time)?
Labour party members participate in formulation of policy through proposals, debates and voting at constituency meetings.
Clark – we were talking about the Manifesto, not the “formulation of policy” (whatever that means). Good try though.
RD: Hardware can last a lot longer than 10 years, particularly if you take it apart to get all the dust out periodically. Trouble is, the OS it can run will not be supported for 10 years.
OK, so just upgrade the OS, right? Except the h/w you have won’t be supported by the newer OS. Then you find browsers like Firefox, Safari or Explorer won’t be updated on the old OS any longer, and half the content on the “Internets” tells you to update your browser – which you’re unable to do.
So even if your h/w runs for 20 years, it will become an insecure liability long before that, and will be considered obsolete for even the most basic functions that it used to be able to do just fine.
Solution? Throw away your working system and buy a new one. Wonderful. :/
The car I drive is a 1990 model.
Not very responsible from am environmental point of view, surely? What would Ms Jill Stein (for whom you told us you voted) think about that, I wonder?
H: “Not very responsible from am environmental point of view, surely?”
An interesting question. It surely depends on how efficient this 1990 vehicle is, and how many miles it does a year. It could be that it’s approaching the efficiency of a lot of modern vehicles, and is swapping an old but fairly economical car for a brand new SUV which does 12 mpg really a good idea?
Is it better to commission the building of an entirely new vehicle, and the scrapping of an old one, than it would be to run a less-than efficient vehicle for a few more years (particularly if mileage isn’t high)?
As ever, it’s not as simple as New = Better. Despite what the government (and car manufacturers) want us to believe.
My car has no computer. Cannot be hacked.
Also lacks the air bags that can kill.
– “Later software releases are those most likely to be spying on us all”
Seriously, read the Terms and Conditions”. You probably agreed to them spying on you (“sharing your personal data with our business partners”) when you clicked “I Agree”. They sell that information, and there’s a huge “security” budget.
This is something I have been fighting against for the last 20+ years.
What SHOULD happen is that our tax payers money gets spent on developing the best possible software in terms of functionality and security that will run well on the hardware available. It is NOT acceptable to have to replace working computers just because the overhead for running whatever the current Microsoft OS just keeps going up and up.
We already have a well proven basis on which to do this work, Linux and the whole Open Source ecosystem around it has been available for over 20 years now as a collective work of the global Internet. Big business has taken full advantage, Google for example would simply not exist without Linux, but somehow our public bodies are largely blind or incompetent. There is criminal culpability here for permitting such “Vendor Lock In” that means you are either on the hook for ever more for “protection money” or get thrown to the wolves once you stop – like the NHS did 2 years ago.
I notice the slant that the no good mainstream press is putting on it is those “naughty hackers” not the fact that these tools were developed by the NSA or the fact that NHS management shows criminal negligence in still running Windows XP.
So basically Microsoft knew that NSA exploited this bug for worldwide spying,- but refused to fix it – until now.
I don’t think that is true that Microsoft ignored a known issue.. I’ve seen it stated elsewhere, by people saying they worked in IT security, that patches were issued by Microsoft a few months ago – for supported operating systems (I’m unclear from what I’ve read as to whether or not there is still support available for Windows XP – some commentators seem to imply that it is still possible to pay for support while others say otherwise. However, I’ve seen it said that Hunt cancelled an agreement with Microsoft for that continuing support). However, given that this latest version of the ransomware is very new, I don’t think the situation lends itself to easily apportioning blame for the specifics of what’s happened. I think the real problem is a “big picture” one as alluded to in Craig’s post.
Corbyn mentioned the importance of cyber security and dangers of cyber attack to UK in his defence speech and Q & A at Chatham House yesterday, just hours before this attack on NHS! . .
The relevant clip in this article. https://skwawkbox.org/2017/05/13/corbyn-ahead-of-the-game-again-yesterday-a-m-he-talked-cyber-security/
I watched the speech live and assume this clip is full as it says and not edited. https://www.youtube.com/watch?v=eMCVV4xyNJA
I just noticed the Q & A session after Corbyn’s speech is on a separate video. https://www.youtube.com/watch?v=CISCETzUzqM
The US government is the biggest financial supporter of the malware industry. They buy malware from dodgy forums, and stockpile it for use as cyber-weapons. Of course that doesn’t prevent the same malware being sold to other buyers.
US government is now the biggest buyer of malware, Reuters reports:
https://www.theverge.com/2013/5/10/4319278/us-government-hacking-threatens-cybersecurity-former-officials-say
Windows XP hasn’t been supported in several years, and windows 2000 support ended over a decade ago.
It’s rather strange that a customer as large as the NHS could not get extended support from MS, which would prevent these exploits, yet they carried on using the systems. There is no reason to use MS at all for that matter. There appears to be no unified approach to IT systems, which makes a managed approach to threats pretty much impossible.
This ransom malware – along with plenty of others – is hardly new. Making sure your enterprise systems are proof against _known_ threats is a basic part of infrastructure security. You simply cannot have a organisation where everyone at a local level can use pretty much whatever they like, and sort out their own security (or not!) as they see fit, and according to their individual levels of competence.
I shouldn’t be surprised, but such a lax approach to security, along with a hotch-potch approach to systems – is staggering.
Didn’t I read somewhere that Trident subs run on Windows XP too?
I thought you were joking… in fact I checked whether this was a 1st April joke upon reading it:
http://www.theregister.co.uk/2008/12/16/windows_for_submarines_rollout/
Each nuclear-powered submarine has up to eight Trident II missiles and a total of 40 nuclear warheads.
The four submarines have just one critical flaw: They all run Windows XP…The submarines were commissioned in the 1990s. According to The Guardian, Windows XP was installed because it was “cheaper than alternatives.”
http://www.popularmechanics.com/military/weapons/a19061/britains-doomsday-subs-run-windows-xp/
YCMIU
A modified version called, and I’m not kidding, “Windows for Submarines”.
….ssshurely that should be “Portholes for Submarines”?
RN nuclear subs running on Windows XP, you say. I suspect that’s probably a limited hangout. They just don’t want the word to get out they’re actually running on Windows 98. 🙂
No that is truly terrifying.
Yes, you can sit at the keyboard and press buttons and play games with it, but it’s not yours, it belongs to Microsoft and it won’t do anything without Microsoft’s permission. That is the way your British submarines work too. You can sit at the controls and press buttons and play all sorts of exciting games, but the sub won’t do anything without the USA’s permission.
There is an embedded version of Windows XP which is designed for running on ‘headless’ systems, ie systems without a monitor screen. It is a very common control system, I find it very often on Vessel Control Systems. The control system is isolated from any external networks and is very much more capable than the minimum required to run the vessel.
So I am talking here about vessels which may have control systems that can position a vessel, and keep it in position well within a 2m position point.
I have also come across systems running Unix and Linux and older versions of Windows (NT), as well as later Windows systems.
To be honest the operating system is not that much of a concern as long as it is completely isolated from external networks.
So I would not in itself be worried about the presence of XP on the Trident Submarine.
…quite apart from the fact that if it goes wrong it might stop humanity from blowing itself to extinction. There’s certainly far worse to worry about in Trident. The fact is you just can’t maintain morale among people you’ve tasked with being poised to blow up their home planet; for some strange reason, they’re just not enthusiastic:
https://wikileaks.org/trident-safety/
Martin: – “…as long as it is completely isolated from external networks”
From my link above:
– “This contains references to CB8890: The instructions for the safety and security of the Trident II D5 strategic weapon system. I’m sure all the Strategic Weapon System (SWS) personnel are scratching their heads and wondering how I’m writing this on my personnel laptop and referencing a book, which is contained within a safe in the Missile Control Centre (MCC). The MCC is the compartment used to control the launch of the nuclear missiles. It can only be accessed by people on the access list, and no personnel electronics are allowed. I was on the access list but how could I have gotten a copy of every single chapter on to my phone? A hidden camera? No. Smuggled the book out then filmed it? No. What I did was walk into a room were no recording devices are allowed. I sat down; took my Samsung Galaxy SII (white) out of my pocket, and recorded the entire book word for word. I held the phone still, about a foot in front of my face and anyone who looked at the screen or used common sense, would’ve seen I was recording. There were other SWS personnel in the room; in the video you can see a SWS JR about 3 feet in front of me talking to another SWS JR sitting right beside me. You probably think that’s impossible but I’ve got the evidence to prove it. The complete lack of concern for security worries me. The fact is it would’ve been even easier for me to cause a nuclear catastrophe than to gather that information, and gathering that information was actually quite simple, due to the amount of ignorance”
The big problem with deliberately manufactured malware (including Stuxnet) is once it is there it is there, and there is nothing can be done about it. It becomes a potential danger to society in much the same way that nuclear weapons are. They cannot be uninvented. Those responsible for any such inventions have no conscience.
I have recently purchased Kaspersky total protection. It is supposed to be good but who knows. If the Yanks are concerned about it the product cannot be too bad.
http://russia-insider.com/en/politics/us-govt-lives-fear-kaspersky-anti-virus-program/ri19782
– “once it is there it is there, and there is nothing can be done about it”
Not so. All maware needs vulnerabilites – ie. flaws in the software – to exploit. Those security holes can and must be patched. But the US-corporate monster is busy infiltrating vulnerabilities into software to further their mass-surveillance programme:
https://igurublog.wordpress.com/2014/02/17/biography-of-a-cypherpunk-and-how-cryptography-affects-your-life/
https://mirror.as35701.net/video.fosdem.org/2014/Janson/Sunday/NSA_operation_ORCHESTRA_Annual_Status_Report.webm
@ John Goss May 13, 2017 at 14:31
Is Kaspersky easy to use? I bought it once, bur it seemed so complicated I never used it.
I am not technology-literate, and just want an anti-virus program I can install and let it get on with the job. I have Norton at present.
I had no difficulty setting it up Paul after paying for it. I also use RogueKiller which somebody on here recommended. Was it glenn_uk? Not sure any more but it was a sound recommendation. I don’t think any antivirus system protection product will keep you totally safe. But as you know Theresa May has approved our Cheltenham and our secret services spying on us. So the reason I am using Kaspersky is because I am almost certain they cannot instruct Mr Kaspersky to to create loopholes for their intrusions. Like most of the products of that ilk it runs in the background.
Remember Blair and the lost IT £billions?
‘Computer says no’ to Mr Blair’s botched £20bn NHS upgrade
5 Jun 2006
The Prime Minister’s dream of a ‘paperless NHS’, using 21st century, state of the art information technology, is in danger of crashing under a mountain of problems. Beezy Marsh reports
It was born in a “Wouldn’t it be great?” moment, a year after Tony Blair arrived in Downing Street. In a speech about the NHS, the Prime Minister touched on what sounded a simple, laudable vision: using computers to create a more efficient, safer, patient-friendly health service. “If I live in Bradford and fall ill in Birmingham, I want the NHS to be able to treat me,” Mr Blair said in 1998.
/..
http://www.telegraph.co.uk/news/uknews/3340457/Computer-says-no-to-Mr-Blairs-botched-20bn-NHS-upgrade.html
Private Eye kept track of the fiasco too.
Spend 50k on a diversity and equality officer instead of an IT security manager and guess what happens?
Did you ever read ‘Plundering the Public Sector’ by someone who used to work for one of the major IT/management consutants? The bigger the contractor the poorer the service they provide. This was actually mainly Tony Blair’s fault. Half an hours surfing suggests that canny organisations are moving to the open source Linux operating system, dumping Windows with all its vulnerabilities.
The really canny organisations, like Google, have been running on Linux for years. Hundreds of thousands, if not millions of computers. Just seems to be where OUR money is being spent that stupidity (or much worse) comes into play.
According to Wiki XP is still common in the medical sector because many medical devices have it installed and can’t be updated.
Yep; that’s “customer lock-in” in action.
Should that not be considered criminal negligence?
That the designers didn’t think to make their equipment compatible with software that didn’t exist at the time?
Yes what a terrible oversight.
But if the software wasn’t locked-down, or secret, or restricted by legal and other means, it could be brought up to date and made compatible by hackers (programmers) working for the NHS, at a fraction of the cost of replacing the hardware.
So many face-palm moments. From the NHS using Win XP, to Jeremy Hunt cancelling extended support (May-2015) to the NSA hoarding exploits and then letting them leak, to IT Admin staff worldwide delaying or preventing security updates.
Will we learn any lessons from this series of mistakes?
http://www.silicon.co.uk/workspace/nhs-windows-xp-foi-154335
http://www.silicon.co.uk/workspace/uk-government-support-windows-xp-169043
http://www.silicon.co.uk/security/nhs-hospitals-data-risk-outdated-windows-xp-201761
First, much thanks should go to Clark for informing and helping us to get a far more safe Linux kernel based program. The city of Munich decided to stop its expensive marriage with a well known worldwide computer company and it changed its whole municipal business and authority information to be done via open source software of the Linux type.
Then they got sued by the software company for loss of future profits and outstanding contracts etc, but the judges decided that the 10-20 million saved each year were beneficial to the wider public and that the loss of this comparatively small contract would not impinge on the future profits of that said company.
Lets not forget that Trident is essentially a museums piece and that our reluctance to spent monies wisely, i.e. with companies that produce excellence, not those who cajole us into their conveyor belt, technologically inferior handcuffs.
large multinational companies that charge local taxpayers the earth, should be fazed out, one authority after the next, the more the better for our wallets and service provision. These systems are already used by many but they can only get better with more use.
An unnamed individual apparently has found the switch in the ransomware that can fix the system and has done so in many cases yesterday, so this dance on a pinhead, as elegant as a gazelle, or whatever you call the animal with a large trunk, was a perfect political move to take the heat of from under her soles, wherever it came from.
Thank you, and thanks for the excellent news. Munich sets a fine example that other local and national governments can follow.
But the battle is already shifting. Certain major GNU/Linux contributors have deep ties within the Military Industrial Complex, and seem to be contributing bloated, needlessly complex code, presumably so that the surveillance and subversion agencies can exploit it.
Thankfully, the legal protections of licenses such as the GPL preserve users’ freedom to examine, detect and avoid such tainted packages, and stimulates the diversity necessary to provide alternatives. Moving to publicly licensed Free Software is the vital first step, not a panacea. Vigorous involvement in development from the civilian public sector would provide a very healthy counterforce.
I was wondering how long it would take Craig to use these criminal developments as a peg on which to hang some well-used themes.
The construction of the lead-in post is, as often, interesting. It starts with an identification (by implication) of those are to blame (the US, of course); then, a mere nine lines later, we read a rather luke-warm disclaimer (“That is not to say the NSA or US government is behind this worldwide attack” – thanks Craig, that’s big of you); and then, after a paragraph of good intentions (cyber-attack capability should be banned by international agreement – yes, good luck trying to get such an agreement and enforcing it – and then preventing the use of such capabilities by criminals..) we swiftly move on to a condemnation of what governments are (claimed to be) doing with the UK National Health Service, spiced by a quick kick at Mrs May (is there a general election dong up soon?) and rounded off by an attack on a number of unidentified MPs (is there a general election coming up soon?).
Now, there are several comments one could make. Let’s start the ball rolling with one.
Had the headline in the newspapers not been about this criminal cyber-attack but, instead, something like “Government to give the NHS £10 billion to update its computer systems to increase their security”, I am pretty sure that the reaction from the usually disaffected would have run something along the following lines:
“Govt wastes taxpayer’s money on filling the pockets of tax-dodging IT multinationals rather than providing for more nurses/ more hospital doctors/ more GPs / cutting NHS waiting times/ensuring more access to new life-saving drugs/ more general screening../ [ I invite readers to mix-and-match the foregoing and add new demands…].
Denials welcome.
– “the reaction from the usually disaffected would have run something along the following lines”
…and would have been absolutely correct. The answer is to stop playing by the corporations’ rules. The public sector can and should employ hackers (programmers) to hack (modify and develop) software that is licensed to the public.
This Government has cancelled and cut some 20 million of ICT upgrades from a local authority here in the East of England, so lets not pretend that they did anything but cut 22 billion of the NHS during their reign.
Public services should be run with safe OS that can be easily maintained , are less vulnerable than other systems and more robust than propriety systems from large multinational operators who’s only concern is to stay in the picture and put us into a dependent position, just as banks during freshers week like to corner the life’s of students, they try their best to invent new revenue streams for all sorts of IT apps and patches,etc.etc.etc.etc.etc. a never ending chain of etc.s.
Hab: “Had the headline in the newspapers not been about this criminal cyber-attack but, instead, something like “….blah blah blah …. “I am pretty sure that the reaction from the usually disaffected would have run something along the following lines:” blah blah blah…. “Denials welcome.”
But the headlines were not “something like” and the “disaffected” did not run “along the following lines” etc. So why bother trying to deny something that only exists in your mind? More to the point: the fact that you have to come up with this feeble straw man scenario indicates you have nothing to say.
Of course, it was a hypothetical but I’m not so sure it “only exists in my mind”.
Your choleric reply and the lack of denials from the usual moaners make me think that I was spot on.
I already told you that you were spot on, and why Craig would have been entirely correct to make the criticisms you hypothesised.
As an aside, NASA (when it was still going strong) never used any MicroSoft operating system for its missions in inner and outer space. Instead NASA used it’s own custom built operating system (built on Linux, I believe).
And as I said last night, by coincidence this ransomware attack seemed to hit the UK first and came just as Corbyn made a speech about military matters, a speech in which he was very, very critical of the USA. You’d have to go back at least 30 years before you’d hear any major British politician speaking so openly (Corbyn started his speech by invoking Eisenhower’s warning about the military-industrial complex). If interested you can find the speech here…
https://www.youtube.com/watch?v=0Q7MR9gSqV0
Crappy software with built-in backdoors another example of “self licking ice cream cones”?
Top NSA Whistleblower: Ransomware Hack Due to “Swindle of the Taxpayers” by Intelligence Agencies
Washington’s Blog asked the highest level NSA whistleblower ever* – Bill Binney – what he thinks of the (ransomeware) attacks.
Binney told us:
This is what I called short sighted finite thinking on the part of the Intelligence Community managers.
This is also what I called (for some years now) a swindle of the tax payers. First, they find or create weaknesses then they don’t fix these weaknesses so we are all vulnerable to attack.
Then, when attacks occur, they say they need more money for cyber security — a total swindle!!! [Indeed.]
This is only the second swindle of the public. The first was terror efforts by saying we need to collect everything to stop terror — another lie. They said that because to collect everything takes lots and lots of money.
Then, when the terror attack occurs, they say they need more money, people and data to stop terror. Another swindle from the start. [The war on terror is a “self-licking ice cream cone”, because it creates many more terrorists than it stops.]
http://www.washingtonsblog.com/2017/05/ransomware-hack.html#more-67547
Given that it has been over 24 hours and the USA and it’s minions are not screaming from the rooftops that it was those nasty Russians/Chinese/North Koreans/Iranians/Cartoon villain of choice to divert attention it is probably safe to say this did not originate from the US or one of its client States, like the UK.
Regardless of any reports of ransom the fact that over 100 countries were affected suggests that at least one possibility is worthy of consideration – that someone somewhere was sending a message.
A short extract from this lengthy article on computer security in the connected Internet age makes the point:
https://www.edge.org/conversation/ross_anderson-the-threat
“…….Why does this matter? If you get a safety flaw in a traditional car—say, the A-Class Mercedes, which would roll if you braked and swerved too hard to avoid an elk, they fixed that—they shipped a service pack and changed the steering geometry. Nobody died, so that’s okay. But if you’ve got a flaw that can be exploited remotely over the Internet—if you can reach out and put malware in ten million different Jeeps—then that’s serious stuff. This happened for the first time in public a couple of years ago when a couple of guys drove a Jeep Cherokee off the road. Then the industry started to sit up and pay attention.
That can also be used as a diplomatic weapon. You want sanctions on Zimbabwe? Just stop all the black Mercedes motor cars that Mr. Mugabe hands out to his henchmen as payment. We raised that with the German government. What would your reaction be to an American demand to do that? Well, it was absolute outrage! So diplomacy comes in here.
Conflict also comes in. If I’m, let’s say, the Chinese government, and I’m involved in a standoff with the American government over some islands in the South China Sea, it’s nice if I’ve got things I can threaten to do short of a nuclear exchange.
If I can threaten to cause millions of cars in America to turn right and accelerate sharply into the nearest building, causing the biggest gridlock you’ve ever seen in every American city simultaneously, maybe only killing a few hundred or a few thousand people but totally bringing traffic to a standstill in all American cities—isn’t that an interesting weapon worth developing if you’re the Chinese Armed Forces R&D lab? There’s no doubt that such weapons can be developed.
All of a sudden you start having all sorts of implications. If you’ve got a vulnerability that can be exploited remotely, it can be exploited at scale. We’ve seen this being done by criminals. We’ve seen 200,000 CCTV cameras being taken over remotely by the Mirai botnet in order to bring down Twitter for a few hours. And that’s one guy doing it in order to impress his girlfriend or boyfriend or whatever. Can you imagine what you can do if a nation-state puts its back into it?”…….
Which is why all those hanging their hats on blunt military technologies like Nuclear weapons, like kids waving their dicks around in the school playground, are like WW1 Generals still stuck in the past fixating on obsolete military technology systems, strategies and tactics. And that is not just the politicians but those amongst the citizenry who seem to think that just because they are still alive today and tomorrow should by definition be the same as yesterday because history, and therefore progress, has stopped.
I sat through a talk on Korea last night and was told that geographically both North and South Korea are a similar size to the UK with a joint population similar to that of the UK. Which is not the only similarity as both North Korea , at least, and the UK are still operating as though throwing money at nuclear armaments represents both value for money and a credible defensive offensive military defence strategy at a time when it’s now possible to cripple the vital infrastructure of a country with some bespoke computer virus or malware.
It really is way past time time a lot of people woke up and smelled the coffee.
And the mitary infrastructure can presumably be crippled in a similar way. So nuclear weapons, aircraft carriers, etc. may be doubly obsolete.
I just received my latest issue of “Proceedings of the U.S. Naval Institute” in the mail. Its cover story is entitled “Too Big to Sink”, about aircraft carriers.
@ lysias May 13, 2017 at 17:03
Perhaps “Proceedings of the U.S. Naval Institute” editor ought to read this!
‘When French Sub ‘Sank’ a US Carrier the Story Couldn’t Be Suppressed Quickly Enough’:
http://russia-insider.com/en/politics/when-french-sub-sank-us-carrier-story-couldnt-be-suppressed-quickly-enough/ri19760#.WRctf1NcQ5Y.facebook
And in the midst of all this, are Microsoft and the NSA not the jointly culpable? Both knew about the hack, both knew it was available in the public domain yet both deigned to do nothing about it.
I do not know the NHS protocols or systems, but my own employer was caught cold in 2012. Basically they lost EVERYTHING, right across the board. If the PC was powered on, it was wiped. They went back to telephones and faxes to conduct business, All because an IT worker clicked on an infected file, which then spread throughout the network before deploying its payload on the weekend, after everyone had gone home.
Worryingly, the Shamoon virus re-surfaced in January of this year in the Middle East again.
http://money.cnn.com/2015/08/05/technology/aramco-hack/
They have had a COBRA meeting.
Ms Shouty Rudd is saying that 48/248 NHS Trusts were affected and all but 6 are back to normal. So that’s alright then.
Ms shouty Rudd had something of a rude awakening as she trawled Norwich streets with the Norwich North and South candidate. She knocked on the door of a voter marked as Conservative, but was slightly taken aback when the Gentleman opened the door and told her that he would never vote Conservative again and that she should get the hell out of his doorstep, which she duly complied with.
The certain Gentleman, Vaughan Smith, is also the co owner of the Frontiers club and offered refuge to Julian A. in the past.
Sadly the story is only in the printed version and I can’t find a copy of it on their online site.
Ha, just found it, all there with pictures of Chloe, without the baby, and Mrs. Hempsall, registered partially bling cllr. from Broadland DC, without her guide dog.
http://www.edp24.co.uk/news/politics/home-secretary-told-go-away-i-m-not-voting-for-you-on-norwich-doorstep-1-5016104
While the Blairite centalisation and computerisation of health recordswas a massive boondoggle and left exposed
systems critically vulnerable(Thanks for reminder, Mary), I wonder whether the ransomware attacks demanding payment in bitcoin (currently frothing up to 1700dollars) are a convenient pretext for a crackdown on anonymous cybercurrencies and replacement by an ‘apporved’ blockchain’ traceable cybercurrency.
So, no-one mentioning the obvious thing about an attack that affected “NHS computers in England and Scotland.” Is that just typical British reporting of the UK as only those two countries or were NHS computers in Wales and Northern Ireland not affected? If so, isn’t that notable? The fact that the privatisation of NHS services has been most used in England might be relevant but if it is down to computer systems, then perhaps not? For an article looking at obvious things not being said, I thought that that one would have stood out.
And just to rub it in, the last act of Glasgow City Council was to hand a massive IT contract to a Canadian software company, CGI, with a very dubious record of delivery. Is there really no-one in Scotland, working with public institutions like the universities who can deliver a superior, stable system, without massive profits going offshore?
http://www.heraldscotland.com/news/15283993.Kevin_McKenna__Giving_huge_IT_deal_to_foreign_firm_is_a_betrayal_of_Scotland/
So who do we think is behind this ransomware attack? Could it be it is dressed up as a ransomware attack, to make us think it’s not a foreign, or worse still a domestic security service carrying out the attack.
As some have mentioned including Craig, the NHS is a soft target, with its aging IT systems. There have been reassurances from the press that no patients personal data has been compromised, should we believe that to be the case? Mind you I doubt NHS trusts would want the aggro of having to explain to MrsX or MrY that their personal medical history and conditions are now in the hands of god knows who.
So returning to my first point, I’m sure, our own security services, GCHQ or Langley, will point the finger at, yes you’ve guessed it, Russia. Afterall Russia has hacked into everything from the US elections to the French elections, and even into Hillary Clinton’s private server, if the media and certain countries security services are to be “believed” those pesky ruskies, always causing trouble.
One thing is for sure though, some IT company, possibly with a few of our own MP’s, who have lets call them interests in the companies, will make tidy sum, bolstering or renewing the NHS IT systems across Britain.
Nice work if you can create it.
“The U.S.’s NSA and its Israeli counterpart let the genie out of the bottle with Stuxnet.”
_____________________
That appears to imply that
-either no other power had anything like Stuxnet (and wouldn’t have had)
– or other powers did have (or would have had) something like Stuxnet but would never have used it.
Both of ideas are improbable and can be safely rejected. The comment is therefore otiose.
Habb.
Well the commentor does have a point, Israel modified the virus, and like a child playing with fire, the virus ended up causing considerable damage around the globe.
Maybe that was the intention all along? Though I don’t think the US was pleased.
I don’t think you’ve understood my comment, RoS.
Germany entered WWI with a small number of operational submarines. This was in part due to the Royal Navy’s wise policy of building few submarines.
So other navies that imitated the Royal Navy, like the German Kriegsmarine, were slow in building the one weapon that could have brought the British Empire to its knees.
At the time of writing, various media across the Continent are talking of 75000 reported infections spread over no fewer than 99 countries.
Why, then, this hysteria about the UK govt’s “incompetence”? Wjy the focus on the UK from this band of internationalists that make up the CM Kommentariat?
Sounds as if quite a few govts and organisations have been “incompetent”, doesn’t it.
H: “Sounds as if quite a few govts and organisations have been “incompetent”, doesn’t it.”
Yes – indeed it does. I’d have thought a leading British institution, one which is arguably more valuable and highly regarded by the British public than any other, would be a bit better than this. Wouldn’t you? Or do you think it’s OK that we’re just as crap as 99 other countries when it comes to this sort of thing?
Btw – I know you have to make the effort, but we’re in territory here (in terms of ‘puter security) where you personally have zero clue of what you’re talking about. No offence, of course.
Good points Glenn, Habb, has switched to whataboutery mode, to disguise our own security services misgivings.
I wonder if it’s occurred to the likes of Habbabkuk that this crap has hit the NHS in a big way, but not other huge organisations which actually take security seriously, and make damned sure it doesn’t happen to them?
Ransomeware might be news to some techno-slugs, but is certainly not “news” by any means – this is from about a year ago:
http://www.bbc.co.uk/news/technology-36459022
To anyone taking security seriously in a vast enterprise, it’s simply a “never” event to have a known attack of this nature take down a lot of your organisation.
Giving an “awe, shucks!” response, “It could have happened to anyone!” betrays a fundamental lack of clue.
Anyone wonder why, say, Hewlett Packard hasn’t been struck down bythis sort of crap?
I’m glad we agree, Glenn – incompetence in many countries by many govts and organisations. The UK is not unique.
BTW, on a point of methodology, the value and high regard placed on the NHS by the British public is not, objectively speaking, a criterion for determining whether the NHS could have done better or not in the matter of its IT systems. After all, the counter argument could simply be that that value and high regard were misplaced.
That’s your lot for this evening 🙂
Sure it is, Habbabkuk. Any organisation which is serious about security – and the NHS surely should be, when failures may cost lives and betray patient confidentiality – would not allow a debacle like this to take place.
I don’t blame you for not wanting to discuss it further. A man’s got to know his limits. 😉
Oh look at all the other sufferers and their incompetence…..What a feeble excuse when it was our currently PM in her first disguise as Home secretary who failed to upgrade national computer systems, who said yes to 22 billion of cuts in the NHS, without specifying any ring fencing of ICT upgrades.
why don’t you have a day off Habby, your services to other are falling on futile grounds
Well said, I recall reading Theresa May’s failure (as you put it) today or was it yesterday in the online press.
Though you won’t watch your very good point, being broadcast on the BBC news anytime soon.
By all reports, this attack started against the NHS in England (and I repeat, just as Corbyn had made a speech which included blistering criticism of the USA). The fact that this attack spread to many other countries could be ascribed to our ‘wired-up world’.
You will recall that in the aftermath of the 2008 economic crash, people were amazed to discover that their local council pensions in England and Wales were tied-in to corrupt banks in Iceland, etc.
Job done. Corbyn’s amazing anti-America speech has received very little coverage, and everyone’s talking about this hacking nonsense (which, incidentally, has received barely any news coverage in North America).
RobG, this isn’t something that can be set up and triggered in five minutes.