The honest reality is that in a very interconnected world there is not much a government can do, ....

continue funding xp support for one wld've helped, if they are going to let some still use older systems without funding the support security updates

otherwise ensure a standard o/s to be used across the board which if no longer is to be freely supported, then pay for such support, or upgrade

there are zero day vulns that pretty much noone can do much about.

as toby notes, but alot still kicking around are not zero, but still used effectively.

So NHS are using Windows XP, apparently... but what about the other companies in the 150 countries round the world that were affected - surely they too weren't using such a vulnerable system and not investing in upgrades either ?

So NHS are using Windows XP, apparently... but what about the other companies in the 150 countries round the world that were affected - surely they too weren't using such a vulnerable system and not investing in upgrades either ?

'To recap, WannaCrypt is installed on vulnerable Windows computers by a worm that spreads across networks by exploiting a vulnerability in Microsoft's SMB file-sharing services. It specifically abuses a bug designated MS17-010 that Redmond patched in March for modern versions of Windows, and today for legacy versions – all remaining unpatched systems are therefore vulnerable and can be attacked.......So, yes, Microsoft issued security fixes to address the vulnerabilities attacked by those cyber-weapons, but as is the way with users and IT departments big and small, not everyone has patched, or can patch, and are now paying the price....'

from the link posted in #13.

links posted are worth a read

ie the nhs xp systems wld've been protected (security patched) if the legacy support being paid for had continued.

Here is an idea. Make computer manufacturers and system operating software companies legally responsible for providing software updates for lifetime of computer limited to say 6 years. So in the case of Microsoft windows they would have to provide at least 6 years worth of updates to any computer registered with a version of Windows. The end user then knows what the date is when software updates may be withdrawn.

If a car manufacturer had sophisticated software that was a safety issue at some point, then you can bet Governments would make them sort it out at their cost. Why should it be different with Microsoft, given how much the world is reliant on their operating systems.

Here is an idea. Make computer manufacturers and system operating software companies legally responsible for providing software updates for lifetime of computer limited to say 6 years. So in the case of Microsoft windows they would have to provide at least 6 years worth of updates to any computer registered with a version of Windows. The end user then knows what the date is when software updates may be withdrawn.

 

If a car manufacturer had sophisticated software that was a safety issue at some point, then you can bet Governments would make them sort it out at their cost. Why should it be different with Microsoft, given how much the world is reliant on their operating systems.

I dont actually agree with that at all unc.

cyber security although clearly in the hands of the end user is also at least at this sort of level should clearly be in the hands of national security and international law enforcement.

Consider that an operating system is just that.

Security regarding what you do with it - especially what people can and do click on, can only realistically be a personal/corporation end user issue.

The criminal should be chased and their plans thwarted by national level organisations, but that does not and should not absolve the end users of responsibility.

I dont actually agree with that at all unc.

 

cyber security although clearly in the hands of the end user is also at least at this sort of level should clearly be in the hands of national security and international law enforcement.

 

Consider that an operating system is just that.

Security regarding what you do with it - especially what people can and do click on, can only realistically be a personal/corporation end user issue.

 

The criminal should be chased and their plans thwarted by national level organisations, but that does not and should not absolve the end users of responsibility.

Providing critical security or operating updates for a minimum of 6 years would be reasonable. It would be up to end user to download these. Microsoft would just have to make them available.

Providing critical security or operating updates for a minimum of 6 years would be reasonable. It would be up to end user to download these. Microsoft would just have to make them available.

Windows xp released 2001

Windows XP support end date 2014

thats 13 years unc.

I still run an xp server and it wasn't affected - as was the case with many others.

https://www.theguardian.com/commentisfree/2017/may/14/the-guardian-view-on-securing-the-internet-collective-action-needed

Up-to-date computer systems were safe, but many others were not. The NHS, which has tens of thousands of computers running the obsolete Windows XP system, had not renewed its support contract with Microsoft. Despite the demand of the national data guardian, Dame Fiona Caldicott, they had not been upgraded. It’s clear from Dame Fiona’s letter that some of the system’s insecurities are the results of its users working their way around measures they find obstructive; but some must also be the result of financial pressure, which does not just affect the cost of software licences but the enormous expense of retraining and supporting users. The blame for software failures is thus widely distributed.

 

However, the costs fall entirely on the victims. In no other industry could the manufacturers take so little legal responsibility for the safety and reliability of the goods they sell. If the NHS had bought a fleet of ambulances whose only flaw was that the left front wheel fell off every time it hit a pothole, the makers would be sued. But if the manufacturer were a software company, it would simply charge extra for upgrading the wheels.

 

 

https://www.theguardian.com/commentisfree/2017/may/14/the-guardian-view-on-securing-the-internet-collective-action-needed

Could you reasonably sue a tyre manufacturer if someone threw a tyre stinger across the road in front of your car and the tyres went down?

... particularly if the tyres were 13 years old or more ...

Surely you would be complaining to the police (as long as it wasn't them) that they had allowed scroat yobs to do this time and again

Windows xp released 2001

Windows XP support end date 2014

 

thats 13 years unc.

 

I still run an xp server and it wasn't affected - as was the case with many others.

After how many years was a new licence and payment required ? Microsoft do offer continuing updates, if you pay for them.

My argument is about how Governments might achieve a more secure internet and that needs to be thought about

Lets not forget the alleged source of these latest exploits used by the hackers in their latest versions ...

The very people (NSA and by association GCHQ) who should be protecting their nations against these issues ...

Now if they were 'sourcing' and 'storing' these exploits to protect their nations from these issues then this wouldn't have happened would it?

According to the Guardian, the other parties are blaming the government.

https://www.theguardian.com/technology/2017/may/13/cyber-attack-on-nhs-sparks-bitter-election-battle

HB

According to the Guardian, the other parties are blaming the government.

 

https://www.theguardian.com/technology/2017/may/13/cyber-attack-on-nhs-sparks-bitter-election-battle

 

HB

That does seem to quite clearly lay the loss of cyber security in the NHS at the governments door, NOT the trusts.

So it would seem its western government spook services who are the sources of the exploits,

and Mays government policies that opened the doors ....

Have you more on that, TJ?

Have you more on that, TJ?

They are apparently looking for an English bee living in a hive in France

On the XP issue according to many IT experts, the NHS has been putting off decisions to upgrade Windows version since 2009. Apparently it would be a very expensive and time consuming task, which would have caused many problems.

A case of a game of pass the hot potato !

Have you more on that, TJ?

I'm away at the moment HB, so dont have my faster connection and 'home' resources.

... But simply based on the last few posts before, including yours,

The security links and malware/spookwatch sites are saying the latest versions of the exploits came from the hack of the NSA site (and more to come including accessing your homes internet connected smart TV webcams) which hit the news and was and is still widely reported.

and your post indicates that it was a government decision not to continue with the windows security and support contract, which I have not yet separately confirmed but unless someone wants to challenge that report with some evidence supporting the challenge - I and comfortable with accepting as an accurate report from a reputable source.

SO

I am comfortable that the source of the exploits is accurately given as the NSA hacked files leak, which folk can access themselves.

I am comfortable with the report you posted that the government controls the NHS's overall security and chose not to continue with that despite large amounts of machines running XP.

I am also comfortable (from personal experience) that major companies DO NOT and SHOULD NOT spend £millions on upgrading systems just because MS wants to sell new versions of an OS,

particularly when they have invested in large and complex systems which do the job they should on the systems they are on and the people who need to use them know how to use them.

Does anyone REALLY want the NHS to spend many millions of its ever shirking (in real terms) funding and resources re-writing systems which work, just because MS has released windows Vista/7/8/10/11/12/15/35?

How many people have had problems with new MS releases even when they only do a bit of email, browseing and very very 'normal' and 'basic' stuff on their stand alone PC?

Ramp that up to metropolitan, regional and nation networks sizes.

I am also comfortable with the reports that this was an organised attack across the world - so this is a MAJOR crime issue, not some kids in a bedroom - although even if it were, this should be at the VERY least a national cyber security issue.

As the NHS do not have profits to invest in new profit making systems - this IS clearly a government issue.

Interesting, thank you TJ. I hope you're somewhere nice?

HB

Interesting, thank you TJ. I hope you're somewhere nice?

 

HB

Absolutely fabulous place

Lodge with its own private full size hot tub near Downham Market which is a great base for Cambridge area, Hunstanton, and the Nation Trust areas of Natural beauty on the coast.

Fabulous people run it and the Hot tub means that even on cold wet nights or miserable days in Britains entirely unfathomable weather - its great.

No kids allowed either

Might not be everyone's cup of tea, but we find it Peaceful and lovely - balm for the soul.

That sounds very relaxing, TJ, enjoy it.

Scottish parliament says 'brute-force' cyber-attack ongoing, has not breached defences

http://uk.reuters.com/article/uk-britain-security-scotland-idUKKCN1AW239