[Breaking News] Cyber Attack cripples UK NHS.

[dr_andus]

Well, I disagree... You can't just apply generic business logic to every business situation. There is something in economics called positive or negative externalities, e.g. side-effects that are caused by a product that might be harmful to someone or something.

A toothbrush is a product, and electricity produced by a nuclear power plant is a product, but the latter produces nuclear waste as a side-effect that will be causing a headache for our progeny for tens of thousands of years. So you can't just leave it up to the companies or the markets.

The recent economic and financial crisis is another case in point. Businesses (such as the banks) were happy to privatise the gains from being an essential service in society, but then expect to socialise the losses, relying on the taxpayer to bail them out, when things go pearshaped. They are the biggest socialists around when it comes to saving their arses.

Microsoft and its shareholders became fabulously rich by fundamentally changing the way the world operates. They literally changed reality. They have effectively changed the plumbing of the world. So when things start to go very badly wrong due to their past actions, and it is in their power to prevent things from going bad (by not abandonding support or not withholding solutions that are available and would really cost them very little, other than the opportunity cost of pretty much extorting money from those who can't upgrade for one reason or another), then they are responsible for the negative externalities they have apparently intentionally created.

Proof:

Microsoft held back free patch that could have slowed WannaCry - FT.com (sorry, paywall)

Microsoft held back from distributing a free repair for old versions of its software that could have slowed last week’s devastating ransomware attack, instead charging some customers $1,000 a year per device for protection against such threats.

....

The company issued a free patch in March that would have protected computers running recent versions of Windows from the malware. But users of older software, such as Windows XP, have to pay hefty fees for so-called “custom” support.

The cost went from $200 per device in 2014, when regular support for XP ended, to $400 the following year. It jumped to $1,000 after that, according to one person who had seen a pricing schedule that Microsoft sent to one customer, with a minimum payment of $750,000 and a ceiling of $25m.

P.S. And it's not just Windows XP:

In another controversial pricing move, meanwhile, Microsoft recently began charging customers more for extra security in the top-of-the-line version of Windows 10. The split pricing marks the first time the company has treated the highest level of security as an add-on feature of its software, drawing criticism that it has left other versions of Windows more open to attack.

[wraith808]

Well, I disagree... You can't just apply generic business logic to every business situation. There is something in economics called positive or negative externalities, e.g. side-effects that are caused by a product that might be harmful to someone or something.

A toothbrush is a product, and electricity produced by a nuclear power plant is a product, but the latter produces nuclear waste as a side-effect that will be causing a headache for our progeny for tens of thousands of years. So you can't just leave it up to the companies or the markets.

The recent economic and financial crisis is another case in point. Businesses (such as the banks) were happy to privatise the gains from being an essential service in society, but then expect to socialise the losses, relying on the taxpayer to bail them out, when things go pearshaped. They are the biggest socialists around when it comes to saving their arses.

Microsoft and its shareholders became fabulously rich by fundamentally changing the way the world operates. They literally changed reality. They have effectively changed the plumbing of the world. So when things start to go very badly wrong due to their past actions, and it is in their power to prevent things from going bad (by not abandonding support or not withholding solutions that are available and would really cost them very little, other than the opportunity cost of pretty much extorting money from those who can't upgrade for one reason or another), then they are responsible for the negative externalities they have apparently intentionally created.

-dr_andus (May 17, 2017, 06:25 PM)

If one says that such arguments apply to this situation (which I don't believe it does- this is a product previously created that they had already set forth EOL), there is a stifling effect to attempting to make one corporation responsible for the benefits of its past.  And what you posted doesn't dilute that statement - it reinforces it.  Because by that, there was already a way out if the NHS was determined to use XP.  Pay for their support.  I don't believe in socialist leaning solutions to problems; you can't force them to support an ages old OS.  Nor force someone to support anything.  What you can do is (a) give incentives, or (b) pay for the support.  Or if they are not willing to support it at all, have some sort of coalition support them.

And why the focus on Microsoft, and not the driver software companies that force them to stay on older hardware?  Because MS is the known part of this equation?  It would seem that those are the more culpable parties, i.e. if they sell such hardware/software combinations, that the source to support them should be in escrow against time/support necessary.

[Shades]

[Advocate of the devil mode]
Support for older software doesn't have to be free. And as long as there is monetary gains to be made, why would MS be so harsh?

If I may make the car analogy...You see a lot of Toyota's and Mercedes here in Paraguay. Old 15+ year models for standard cars. Buses and trucks last longer. Because they are solid and relatively easy to repair. It is also rather easy to get the parts. And if not available anymore, there are lots of machine-shops that adjust (slightly) different parts for retrofitting. Also, there is a lively 3rd party after-market for replacement parts.

This situation is common for most devices you can think of. And there is money to be made, else those markets wouldn't exist in the first place.

MS doesn't want to maintain any aftermarket "parts" by itself of allow 3rd parties to pick up their slack. As I said, support like that doesn't have to be free and why waste an aftermarket like that?

Granted, it is the right of MS to do any business how they please. Yet they deserve all the flak they get for that bull-headed stance. It is something they can afford, because of their "war-chest". But it doesn't make it right.

Not like their new stuff is so much greater than their previous products, or that much safer (as the 'WannaCry" outbreak proves).

[/Advocate of the devil mode]

[Stoic Joker]

And why the focus on Microsoft, and not the driver software companies that force them to stay on older hardware?  Because MS is the known part of this equation?  It would seem that those are the more culpable parties, i.e. if they sell such hardware/software combinations, that the source to support them should be in escrow against time/support necessary.

-wraith808 (May 17, 2017, 06:39 PM)

Bingo! They're being asked to retrofit anti-lock brakes onto a Conestoga wagon because someone won't give up on using their horse.

If the support agreement is $1,000, and the new OS is only $300...the obvious question begged is - or at least should be - WTF is the holdup here?!?

Answer: antique proprietary hardware.

e.g. The problem lies with the hardware...not the OS.

I wasn't kidding about the $30,000 XP driven X-Ray machine earlier ... One of our clients really does have one. The manufacturer could easily update their (16-bit...) software for it ... But... Cha-Ching!!!!!! ...They don't want to.

And that ain't Microsoft's fault.

[f0dder]

A toothbrush is a product, and electricity produced by a nuclear power plant is a product, but the latter produces nuclear waste as a side-effect that will be causing a headache for our progeny for tens of thousands of years. So you can't just leave it up to the companies or the markets.

-dr_andus (May 17, 2017, 06:25 PM)

The comparison of the current situation to nuclear powerplants is... bordering crazy.

Let's reiterate:

• XP has had longer general support than most Long-Time-Support OS versions.
• Product roadmap has been available for ages, EOL is no surprise to anyone.
• "Special Snowflake" support has been available at a very reasonable pricetag.
• For "can't upgrade" scenarios, third-party (irresponsible!) vendors are responsible.
• Mitigations are available for "can't upgrade" scenarios, and there's been plenty of time to implement them.

And it's not unreasonable that security patch wasn't initially released to the general public - XP is EOL, after all. And there's an insane amount of testing needed before releasing a GA patch - can you imagine the outcry if Microsoft released a patch that broke people's systems?

[Carol Haynes]

Windows XP support isn't the issue - it is available and this could have been avoided by governments and corporations making responsible decisions to get support for their ageing systems.

The big problem with the NHS is that when our current PM was Home Secretary she blocked the funding necessary to maintain secure systems by upgrading or paying MS for beyond EOL support (as the US military do!!!). The potential security risks were well known and the government repeatedly warned but they closed their ears.

There has been a lot of comment in the UK about the NHS being irresponsible in their attitude to IT security and data safety but really the fault lies squarely at government's door. There is centralised, national procuement contracts to commission bespoke software (which presumably won't run properly on Windows 10) and as always whenever government get involved in national databases scandals and incompetence follow.

What I really don't understand is why are government databases being run on consumer level Windows based software - surely a more secure system would be available by contracting out to Linux or other less targeted systems - the open source nature means it can be customised and hardened to make it work effectively and securely and at a fraction of the cost?

[anandcoral]

What I really don't understand is why are government databases being run on consumer level Windows based software - surely a more secure system would be available by contracting out to Linux or other less targeted systems - the open source nature means it can be customised and hardened to make it work effectively and securely and at a fraction of the cost?

-Carol Haynes (May 18, 2017, 06:19 AM)

+1

Many a times it seems people managing the Govt. computer database, information etc. are like common users instead of high level IT pros.

Regards,

Anand

[Stoic Joker]

And back to hardware for this one:

Since one of the MS "Patches" in response to this outbreak is actually to uninstall the (installed by default) SMB v1 protocol, it has become quite the theme around here for the week. The 'Punch Line' however is that several of the quite current systems we're running into are still make-or-break dependent on this decades old version of the protocol. SMB v2 came out with Vista in 2005, and they're now up to SMB v3 ... Yet devices made by major manufacturers, that are on the market today as brand new products, are still dependent on this antique protocol.

[wraith808]

What I really don't understand is why are government databases being run on consumer level Windows based software - surely a more secure system would be available by contracting out to Linux or other less targeted systems - the open source nature means it can be customised and hardened to make it work effectively and securely and at a fraction of the cost?

-Carol Haynes (May 18, 2017, 06:19 AM)

Implementation is less expensive, and 'certified' developers more easily available.  "No one ever got fired for going Microsoft"

[6DecadesOld]

I thought there were certain entities in possibly the commercial arena that were still able to receive updates for XP, if they had some sort of special code in the registry.  I am not sure about medical facilities, but I thought that some financial institutions had XP still in some ATM systems and that Microsoft was still giving them a kind of minimum support.
. . . truncated . . .

-6DecadesOld (May 13, 2017, 05:39 AM)

I suppose this was so low on the totem pole here that it was unseen in the mud, but I had some time today and remembered that I had asked here about this and was sure I had heard or read that something was still in a sort of support mode for XP and went looking and to my surprise I found something that was posted just a few days ago.

http://www.expertrev...with-a-registry-hack

So I guess that it is true that somebody can get certain updates for XP.  So couldn't that special anti-NSAbug update have been sent to those with XP that still were getting updates?

EDIT:  Okay, I seem to have screwed up.  Sorry about that.  I see some folks above are writing that you can pay Macrohard to provide support for your XP.  I guess this business about just stick in a registry something-something is baloney, right?

[Carol Haynes]

Seems to work reading the comments - I think MS is still supplying updates to XP running on POS terminals until 2019 - and the hack makes MS think you have a POS terminal - I suspect you need to be selective in the updates you install. Once guy said MS gave him 128 updates after the registry addition.

[Tuxman]

Fun fact: Unix and Linux systems share the same Samba security hole as Windows did.
https://www.samba.or...y/CVE-2017-7494.html

 

[f0dder]

"The same" or "a similarly bad and wormable" security hole?