
[Breaking News] Cyber Attack cripples UK NHS.


xtabber:
If I was a non-US large organisation such as the NHS, I would think twice about continuing to invest into MS products and would start very quickly to consider alternatives (such as the French police that went with Linux). There are also national security issues for a non-US country to have such a total reliance on the product of a single US corporation:
Europe's reliance on Microsoft has governments under a worrying digital 'killswitch'
-dr_andus (May 14, 2017, 06:37 AM)
--- End quote ---
This is not a US vs. the world issue.  It is just as much of an issue for US institutions.  In particular, it affects poorer individuals and organizations like non-profits more than anyone else, since those are the ones who must stretch their technology funds to the greatest extent.

More important, it jeopardizes even those who are up-to-date on their security patches because they rely on the same network as those who aren't, and any network is only as secure as its weakest links.  These hackers were looking for a quick buck, but someone else could exploit this kind of vulnerability to obtain information that would allow them to penetrate other, nominally more secure, systems.  This is a major method used by state organizations, who are not in it for monetary gain, for hacking their opponents.

Carol Haynes:
NSA does what National Security Agencies do - I'm appalled at how they're doing mass surveillance of honest citizens, but NSA doing offensive malware research is not a problem - the bugs were there, it's only a matter of time before somebody found and exploited them.
-f0dder (May 14, 2017, 11:12 AM)
--- End quote ---

It isn't malware research - they actually produced the malware that was used by the hackers. As far as I am aware they weren't reporting the security issue to MS but rather keeping it quiet so that they could illegally exploit it themselves.

The UK government is arguing that GCHQ should have the tools to access anyone's computer, browsing history, email (basically ANYTHING you do online) as a matter of law and expecting companies including MS and Apple to hand over sufficient info to allow them to do that. They even want methods to break online encryption used for shopping.

So far American companies have resisted but UK ISPs are already forced to hold data on every customer for 2 years - including all the above data.

In the US the NSA & Co seem to have a carte blanche to do anything they want without any sort of scrutiny or oversight. If they can't get legal access to things they just build tools to hack them.

As for the funding issue, that's both yes and no. Up until very recently - and in some cases still - bank ATMs and commercial POS ran XP... at multi-million and sometimes billion-dollar companies. Not restricted to government entities.
-rgdot (May 14, 2017, 10:17 AM)
--- End quote ---

For commercial companies that is bordering on criminal negligence.

For government funded bodies like the NHS it is a political decision. The current (and last) UK government actively wants to destroy the NHS. The secretary of state for health even wrote a book arguing it should be scrapped and based on private insurance, and we know how well that works in the US!!! The non-funding of IT maintenance and upgrades was a political decision which not only verges on the criminal but, given that the public have been put at risk and confidential data that should be protected potentially leaked (nobody actually knows if data has been stolen), it is actually criminal because they have not taken steps to comply with their own data protection legislation/laws.

f0dder:
It isn't malware research - they actually produced the malware that was used by the hackers. As far as I am aware they weren't reporting the security issue to MS but rather keeping it quiet so that they could illegally exploit it themselves.
-Carol Haynes (May 14, 2017, 08:18 PM)
--- End quote ---
Oh, but it *is* malware research - and weaponization of the bugs found. And that's fine, really, it's part of what a national security agency should be doing. We're a lot better off with this model than having intentional backdoors inserted by government agencies.

Of course it's bloody bad that agencies have had their malware treasure troves robbed and leaked by bad actors, but there's no guarantee that the exploits wouldn't have been found by somebody else. You can be sure that the cybercriminals have people hunting for 0days.

Your "govt must have access to everybody's data" worries are something I share, but it's a different issue from TLAs hunting for bugs and weaponizing them.

IainB:
...If I was a non-US large organisation such as the NHS, I would think twice about continuing to invest into MS products and would start very quickly to consider alternatives (such as the French police that went with Linux). There are also national security issues for a non-US country to have such a total reliance on the product of a single US corporation:
Europe's reliance on Microsoft has governments under a worrying digital 'killswitch'
-dr_andus (May 14, 2017, 06:37 AM)
--- End quote ---
That's evidently a valid point - or at least, the French police would have presumably thought so, anyway. How did that Linux thing work out for the French police, by the way? Was that project completed on time and budget, having delivered to its objectives, or was it sabotaged from within and turned into an expensive trainwreck? (I have no idea, but it might be interesting to find out.)

Whenever I read of some strategic IT project that breaks "new" territory - a potential trainwreck - it reminds me of a New Zealand project that did notoriously become an expensive trainwreck. It was the NZ police INCIS project in New Zealand, in the early '90s. I saw it happen, and it was like watching a trainwreck in slow-motion, and one knew that it was wrecking and that the taxpayers were going to have to foot the bill (cost overruns).

What happened was that the NZ Police put out a tender for project INCIS (Integrated National Crime Information System) as their IT platform to deliver IT services for the '90s and beyond.
A lot of their existing technology at the time was delivering services to online terminals from IBM and/or Univac mainframes hosted in a high-security data centre in Wanganui (New Zealand) by GCS Ltd. (Government Computing Services), which was the first of the SOEs (State-Owned Enterprises) to be privatised by the NZ Government and put up for sale (EDS Corp. eventually bought GCS Ltd.).

There were 2 major competitors for the INCIS tender - IBM and Microsoft. GCS also could have easily done the business, but, as the incumbent supplier, their bid was largely unwanted/rejected. The tender was won by IBM, whose response to the tender (as I vaguely recall) had proposed the general approach of a fairly conventional distributed 3-tier client-server architecture based on IBM OS/2 (Surprise!), with maybe some IBM mainframes/minis acting as central or distributed local servers for some services. I thought it was a pretty solid and feasible proposal, though it required detailed planning. At the time, OS/2 was recognised as being a stable OS that was technically way ahead of and out-performed the then current Windows OS in almost all benchmarks.

Then the fun began.
For some inexplicable reason, an INCIS project manager was appointed who apparently favoured Microsoft and was apparently openly critical of the IBM contract and the OS/2 technological direction and approach, or something. An antithetical schism rapidly formed within the project team(s), between the OS/2 camp and the Windows camp, and it was all downhill from thereon, and the project eventually (inevitably) failed.

A LOT of obvious conventional risks and lessons were re-learned from that project failure (see the links below). One of the main ones - straight out of Project Management 101 Risk Management - is the risk of staffing-up with inexperienced resources. The PSC (Project Steering Committee) needs to monitor and avoid the risk of staffing the project with human resources (people) who are not experienced in/with, or capable with, or who may be hostile to, the IT technology they will be required to use to implement the project according to the project technology implementation plan.

I have personally been put in a similar position, where I was assigned to recover a failed strategic $multi-million project which had run foul of exactly that risk - the risk of staffing-up with inexperienced resources - some of whom were openly hostile to the technology they were required to implement. The technology was not what was "conventionally acceptable" to the bulk of the IT project personnel assigned to the project.
I knew nothing about the technology, but I agreed to undertake the role, but only on condition that I was allowed to cast a new budget and plan, and that I was fully authorised to replace those personnel in the project team of 10 people whom I felt it was necessary to replace. I replaced 8 of them within about two weeks, and the project ran smoothly and was recovered on-time and on-budget, exceeding its delivery objectives - all enabled because I had a superb project team that knew what it was doing and pulled together collaboratively all the way.

The rule is: If you are going to undertake an important and potentially costly strategic IT project, using a new or potentially controversial technology, then prepare for war. Provide the project with all the resources necessary to support it and to enable it to deliver and survive and protect itself for the duration of the project, in what will probably inevitably be an almost palpably hostile political environment - an environment that may ensue, where landmines, grenades, torpedoes, homing missiles, flak and nay-saying could well be the order of the day for months on end. And stick to a regularly-reviewed plan.

For all the above reasons, and though I could be wrong, of course, I would suggest that the UK NHS IT opportunities could very much belong to the Microsoft monopoly already and that it could thus cost potentially too much in terms of $money and political aggro to pull away and be put on a war footing by going down the Linux (or other) technology path, no matter how good that technology path may be.

Refer:

* Insights into Incis debacle
* INCIS - Wikipedia
* INCIS: NZ Police

dr_andus:
If you have a product (e.g. Win XP) that has fundamentally changed the world and the world in its current form still relies on it to function, then you (MS) can't just decide for commercial reasons to entirely abandon it (and the world). I mean you can, but it is not right and it will have consequences, including commercial ones.
-dr_andus (May 14, 2017, 06:37 AM)
--- End quote ---
I quite disagree.
Windows XP is 15+ years old, has had a way longer support lifetime than you get for LTS versions of other software, and there's been a very clearly planned and communicated timeline for support EOL.
-f0dder (May 14, 2017, 11:12 AM)
--- End quote ---

I'm not sure if we're talking about the same thing. My point is that here we are no longer dealing with just any software of any private company. If Win XP has become a mission-critical part of vital infrastructures around the world, MS can no longer wash its hands by saying "I told you so, you should have upgraded." If people die because their operations were cancelled or other critical infrastructures fail as a result, it's beside the point whose fault it was and whether usual rules of business markets apply. It becomes a public and social issue. Even if MS doesn't think so, if they mishandle it, it could backfire on them very badly.

On another note, I think a lot of people and organisations have been sticking with XP and Win7 because they are actually pretty good products. The other day I turned back on an old PC of mine with Win95, and I was amazed how snappy the system was on some very old hardware (that was not turned on for years). So maybe that's why MS changed strategy and started producing crappier products, so customers have more motivation to keep upgrading to newer versions.  :D
