Viewing 40 posts - 121 through 160 (of 288 total)
  • NHS in large scale IT shutdown
  • kelvin
    Full Member

    A known vulnerability that Microsoft already had a patch for (in this case).

    jambalaya
    Free Member

    Predictable BS from those trying to make political capital.

    Firstly “the Government” doesn’t run the NHS. The NHS decides how to spend the budget it agrees with the Government.

    Secondly major corporations like FedEx, Telefonica, Renault etc have all been equally affected.

    Drac
    Full Member

    Look everyone Jamba is here.

    BigEaredBiker
    Free Member

    Can’t help but think cases like these are good examples of why organisations that expect to run software for potentially decades should now only use Open Source software.

    The advantage being they have control over the source code and will be able to keep it patched etc. Obviously might not be cheap but would avoid the risk of not being able to do much when company X goes under or stops providing support for product Y.

    I know of utility companies that are going the other way and replacing some FOSS systems with MS because hiring skilled staff was easier and cheaper for the latter – IMO it seems shortsighted given these systems have a Lifetime beyond the standard MS support dates.

    bodgy
    Free Member

    Predictable BS from those trying to make political capital.

    So you’re denying that government policy and funding has any effect upon the resources to maintain the NHS?

    Deluded.

    sillysilly
    Free Member

    Useful analysis for anyone interested to understand scale / how it works:

    https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

    Backup / fallback / disaster recovery gets interesting at this scale.

    aracer
    Free Member

    Microsoft now rolling out a security fix for all old OS to all.

    Which is all very well for this bug, but they’ve known about it and had a patch for months – what about the next exploit they find? Will they wait until that causes major damage before doing the same?

    If Cougar’s source is right about the exploit not running on XP (even though the bug is there) it’s all irrelevant though.

    aracer
    Free Member

    IMO it seems shortsighted given these systems have a Lifetime beyond the standard MS support dates.

    As I suggested above, the problem is actually with having systems reliant on a particular OS version. Most stuff written for XP (heck even stuff written for NT) will still run on 10. This should in any case become less of an issue now 10 is supposedly the last version of Windows – I’m not quite sure how future updates will work but presumably something similar to Linux updates which aren’t so fundamental (and you can update in place).

    kelvin
    Full Member

    Which is all very well for this bug, but they’ve known about it and had a patch for months – what about the next exploit they find? Will they wait until that causes major damage before doing the same?

    aracer, I made it clear that my comments about Microsoft holding back a patch only applied to this vulnerability. That they had a patch, had supplied it to those who have paid but not to others, and that the exploit was developed by a USA government department and then posted for all due to a leak, means that there are questions to answer by the three groups I mentioned (UK Gov, NSA & Microsoft in that order). “Should have upgraded”, while true, is shutting down the debate about why action wasn’t taken by Microsoft and others to reduce the impact of this event, and others using the same exploit.

    What should they do about other exploits? Don’t know, point me to a non-hypothetical one and I can have an opinion.

    jonnyboi
    Full Member

    Even patches can cause issues, the latest office 2016 and Skype one created issues with discharge letters in our PAS system. This needs to be tested across all critical clinical systems before release.

    Of course, we could spend tens of millions upgrading our PAS system but the business case won’t get through……

    bails
    Full Member

    Of course, we could spend tens of millions upgrading our PAS system but the business case won’t get through

    Quite.

    And then you’ve got the STP benchmarking stuff where they’ve compared the cost of IT per employee in each trust and the cheap ones (because in some cases they’re muddling along on old, outdated systems) are being held up as examples of “efficiency” and everyone else is told to be like them.

    elzorillo
    Free Member

    Did someone mention open source??

    NHS LINUX

    Drac
    Full Member

    A website launched weeks before the attack. 😕

    jeffl
    Full Member

    I’m going to stick up for Microsoft here. The vulnerability was shared with them, they released a fix for it on supported OS’s in April. Now people on unsupported OS’s got hit and it’s somehow MS’s fault. Sorry running an unsupported OS is like playing Russian Roulette, eventually you’re going to lose.

    Fair play to MS and the security industry at large, patches have been released for unsupported legacy OS’s and details about the malware shared.

    As others have said hopefully it will be a wake-up call to everyone in general. We supply software systems to the NHS. Our customers quite often have varying reasons for running old OS’s. We only support supported OS’s on our software but it will work on Windows 2000 plus. It’s certainly going to be good ammunition when a customer says “But why won’t you support your software on Windows XP?”.

    kelvin
    Full Member

    I’m going to stick up for Microsoft here. The vulnerability was shared with them, they released a fix for it on supported OS’s in April. Now people on unsupported OS’s got hit and it’s somehow MS’s fault.

    A reminder that Microsoft had a fix for “unsupported” OS back in April as well, but only released it to customers paying for custom support.

    1) should UK government have kept paying for custom support given known reliance on old OS in key departments?
    2) as NSA created the exploit, do they have a responsibility to help protect others from its use?
    3) if Microsoft had a fix, but withheld it from so many customers at risk, is their approach damaging?

    MSP
    Full Member

    XP was superseded 11 years ago, there comes a point when they have to stop general support and encourage users onto more recent editions.

    jonnyboi
    Full Member

    We only support supported OS’s on our software but it will work on Windows 2000 plus. It’s certainly going to be good ammunition when a customer says “But why won’t you support your software on Windows XP?”.

    That’s fine, but conversely we’ve had suppliers tell us they are not making their systems compatible with the newer OS yet (8/10) because older OS are still on support or extended support. Same for Office integration. We have one that isn’t planning on introducing O2016 compatibility until Qtr4 2018!

    Plus, Vista was a nightmare… many suppliers bypassed any development on it completely and held out for Windows 7

    Simple fact is we want to upgrade our OS as soon as possible, the Microsoft EA is the same whether we do or not but we are prevented from doing so by external factors

    kelvin
    Full Member

    XP was superseded 11 years ago, there comes a point when they have to stop general support and encourage users onto more recent editions.

    Encourage users by making the upgrade path as clean as possible, and making your new offering enticing.

    The OS iterations that followed XP were best avoided by anyone creating/using critical software in a life saving/threatening environment. For ages XP was the safest bet, and now big investment is needed to catch up, in companies and organisations left behind.

    While we wait for that to happen, withholding a security patch that protects users from a state sponsored exploit raises questions.

    Yes, “keep your OS up to date”, is good advice… but don’t use that to stop questions about how key parties have acted on this particular exploit.

    When users are “at fault” by not upgrading, it doesn’t mean no one else should look hard at the big decisions made by governments and suppliers.

    Cougar
    Full Member

    That’s fine, but conversely we’ve had suppliers tell us they are not making their systems compatible with the newer OS yet (8/10) because older OS are still on support or extended support.

    If a supplier isn’t making their systems compatible “yet” for a five year old OS which has been superseded twice then you need different systems. That’s an absolutely outrageous claim for a software developer to be making.

    If your “older OSes” are actually Vista / W7 then it should be the work of minutes to fix any compatibility issues, assuming there even are any.

    XP came out in 2002 (and as Jonny says was replaced in 2006), the notion that you should still be reliant on a 15-year old OS which is years out of mainstream support by the company who made it is utterly ludicrous.

    Also, PCI compliance anyone?

    kelvin
    Full Member

    XP came out in 2002 (and as Jonny says was replaced in 2006), the notion that you should still be reliant on a 15-year old OS which is years out of mainstream support by the company who made it is utterly ludicrous.

    Yes. Upgrading should happen. Should be a priority. It is not finished though. Not even close.

    Until that is mostly finished, what should UK government, NSA & Microsoft have done about protecting NHS systems generally, and more specifically about this exploit?

    A reminder that Microsoft had a fix for “unsupported” OS back in April as well, but only released it to customers paying for custom support.

    1) should UK government have kept paying for custom support given known reliance on old OS in key departments?
    2) as NSA created the exploit, do they have a responsibility to help protect others from its use?
    3) if Microsoft had a fix, but withheld it from so many customers at risk, is their approach damaging?

    And, again, a reminder that XP has hung around for so long because of Microsoft missteps that followed it.
    They bear some of the responsibility for it still being in use.

    Encourage users by making the upgrade path as clean as possible, and making your new offering enticing.

    The OS iterations that followed XP were best avoided by anyone creating/using critical software in a life saving/threatening environment. For ages XP was the safest bet, and now big investment is needed to catch up, in companies and organisations left behind.

    While we wait for that to happen, withholding a security patch that protects users from a state sponsored exploit raises questions.

    Yes, “keep your OS up to date”, is good advice… but don’t use that to stop questions about how key parties have acted on this particular exploit.

    When users are “at fault” by not upgrading, it doesn’t mean no one else should look hard at the big decisions made by governments and suppliers.

    jonnyboi
    Full Member

    If a supplier isn’t making their systems compatible “yet” for a five year old OS which has been superseded twice then you need different systems. That’s an absolutely outrageous claim for a software developer to be making.

    Indeed, and the way the NHS can be seen as a cash cow by the private sector is sickening at times. You also have a legacy of mismanagement to contend with too, some of the PFI contracts in place have completely unrealistic refresh agreements for hardware and software.

    What all these various points add up to is that upgrading the OS is not a simple answer to these problems, but it will probably be seen as such by the media, government etc

    kelvin
    Full Member

    “Upgrade your OS” … wave your magic wand… don’t ask any questions of suppliers and government…

    Cougar
    Full Member

    And, again, a reminder that XP has hung around for so long because of Microsoft missteps that followed it.

    I disagree, that’s just a smoke screen for lazy devs, techs and managers. What missteps have they made to prevent companies from upgrading?

    I still contend that there’s nothing (much) wrong with the much-maligned Vista, but even if that weren’t the case Windows 7 came out in 2009 and there’s been three further major OS releases since. There’s absolutely no excuse for developers not to support NT6 platforms in 2017, and little excuse for IT infrastructure teams not to have had XP taken out and shot by now.

    jonnyboi
    Full Member

    There’s also a financial disconnect at play here, which I’m massively oversimplifying but…. IT may support the infra and hardware, however a specialist clinical app may be funded by the service that uses it. Whilst IT highlight the risks they don’t own the funding to replace it or can force it upon the service. And it’s a brave IT director that lets a system fail to prove a point

    kelvin
    Full Member

    Cougar, I contend that your points are valid for a small organisation with no reliance on third party critical proprietary software, but perhaps limited when looking at a larger organisation with specific needs, funding restrictions, and complex contract and change management issues.

    Cougar
    Full Member

    “Critical proprietary software” is the issue here, I’d concur. That’s what needs reviewing; if you’re beholden to something like that and it’s not being properly maintained, you’re humped. There’s surely an opening in the market for better solutions here.

    Cougar
    Full Member

    In other news, Renault have just been hit. They’ve shut down manufacturing production.

    kelvin
    Full Member

    Many were due to be replaced by systems that never saw the light of day… if we’re still talking NHS.

    Cougar
    Full Member

    While we wait for that to happen, withholding a security patch that protects users from a state sponsored exploit raises questions.

    I’ve just spotted, patches for XP and 2003 are now on general release from Microsoft.

    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

    jonnyboi
    Full Member

    There’s surely an opening in the market for better solutions here.

    Barriers to entry are huge, the first question most ask is ‘which trusts are using your software and how do we speak to them’

    Bespoke development costs can exacerbate the problem, imagine the risk in moving towards a solution that no one has used before and where the long term stability of the organisation supplying it is unclear…. and they go against the drive to have interconnected data sharing and move towards a true EHCR.

    Edit: I genuinely don’t know what the answer to all of this is.

    kelvin
    Full Member

    I’ve just spotted, patches for XP and 2003 are now on general release from Microsoft

    Er… if you’ve just spotted these, then you’re not reading the posts that you’re replying to!

    richardkennerley
    Full Member

    A lot of the hardware we use is reliant on XP, upgrade the OS and the machines don’t work. Not allowed to replace the machines because they’re not broken. Our stock control software was only compatible with Windows 98 or 2000 (I forget which) up until last year sometime, so we had one old pc just for that.

    Cougar
    Full Member

    A lot of the hardware we use is reliant on XP, upgrade the OS and the machines don’t work.

    Presumably though they’re airgapped so it’s a non-issue?

    Er… if you’ve just spotted these, then you’re not reading the posts that you’re replying to!

    I am but may have missed a detail. I’m reading a lot of things right now!

    Anyway. I’ve just had a phone call, so now I’m going to have to drive to work. Not an infection but helping to keep it that way. Wish me luck.

    kelvin
    Full Member

    Good luck.

    jonnyboi
    Full Member

    Hope it’s a quick fix!

    Cougar
    Full Member

    It’s far more complicated than you can possibly imagine. More to follow when I get back.

    bails
    Full Member

    It’s far more complicated than you can possibly imagine

    An evergreen quote for any IT or NHS thread I reckon! 😉

    Drac
    Full Member

    He did try to strike it down.

The topic ‘NHS in large scale IT shutdown’ is closed to new replies.