Conficker seizes city's hospital network

Staff at hospitals across Sheffield are battling a major computer worm outbreak after managers turned off Windows security updates for all 8,000 PCs on the vital network, The Register has learned. It's been confirmed that more than 800 computers have been infected with self-replicating Conficker code. Insiders at Sheffield …


This topic is closed for new posts.


  1. Anonymous Coward

    Luther Blissett

    Did amanfromars beget Luther Blissett, or is it a case of software self-replicating?

  2. Anonymous Coward

    The probable picture...

    From having worked in NHS tech, the probable picture is more like:

    A PC reboots in an operating theatre. PCs in operating theatres tend not to have much on there apart from access to the databases of what's next, and what's going on. It's an inconvenience, but not a showstopper. The really important stuff is non-Windows, and that's the stuff that keeps you alive.

    Now, one of the consultants is likely to have been most peeved by this, and demanded an instant assurance from the trust board that this doesn't happen again. The trust board let IT know that it needs to be fixed NOW. Don't think about it, just stop it happening.

    Trust IT are usually completely overworked (try 5000 users, with one sysadmin, one DBA, one Network Admin and 6 people to fix PCs, all that to support all the external vendor supported systems, plus stuff the local devs do, the security, the patching, the planning, the documentation, the management of systems etc.).

    The likely event is that the decision was made to hold back updates until all the policy could be implemented to split the main load of computers apart from the Theatre ones, and the admin(s), if they had an admin team (some hospitals share people amongst several sites, and rely on vendors for support of all the machines they have; a LOT of NHS vendors keep trying to say "You don't need local admins, buy from us, and we'll look after the application on the machine for you". Without saying they won't keep machines updated or anything else like that, and some trusts, not knowing better, go with it, especially the small hospitals), being told, "Just turn it off until it can be fixed. Directive from the Directorate".

    The reason Windows is in the NHS is because all the developers code for it (the amount of medical software that is Windows/SQL Server/IIS only is the huge majority). Which means it needs to be implemented. And there are also huge Microsoft deals making it cheap to install Windows.

    So, because of budgetary constraints (no NHS hospital has enough funds to run well at the moment; the 'Targets Culture' has meant huge amounts of money having to be spent on ticking the boxes, or being fined by the Government when you don't manage to, which creates a vicious circle of "Can't afford the resource to meet the arbitrary target set by the Government, so they fine you, taking what little you had away from you, making you miss more targets"), you end up with too few staff to do the real work, but because everything usually keeps pushing out the number, the Directorate consider that all is ok. And if everything just works, they cut back more on IT, making it a prime target for cuts at every stage.

    NHS IT is a bind. You're overworked, understaffed, under resourced at every stage, with a group of competing Medical departments all pushing for arbitrary systems to be installed (sometimes with a day's notice if you're lucky), all wanting things to be done. Yesterday.

    Yeah, this kind of thing is likely to happen in a large amount of the hospitals around. There is an easy solution (and it's not "fire the teams there"). It's called "hire the right size of team to do the job, with extra qualifications and experience to complement the existing skills".

    However, that costs money. And it comes back to the NHS not having any, so requests to expand the team will be met with a resounding "No".

    Oh, and for all the people out there saying NHS should use Linux... It does. It has a standing deal with Novell, and uses several other flavours in various trusts.

    As well as using Solaris, AIX, Netware and a whole host of other operating systems too.

    It's nice to have a big team of people looking after a homogeneous network (been there, done that; it's quite comfy).

    Seriously, spend a bit of time in NHS IT, with a tiny team (if there is a team) supporting several different OSs, databases and applications with little to no time for research, testing or even basic infrastructure maintenance (that costs money for resource that isn't there). Again, been there, done that, and it's NOT very comfy at all.

    The choices for IT are basically: Keep the systems secure and well maintained, but the doctors and medical staff up in arms about the maintenance outages. Or keep the place running and operational, but just barely.

    Oh, and if you choose the secure and maintained, Directorate overrule you because of complaints by Medical that nothing gets done.

  3. Anonymous Coward

    Fickle moderation


    Give the buggers an inch, and they'll take the full John Holmes.

  4. Warhelmet

    Zero Investment in Public Sector IT Support

    For a start off, if the re-booting of a PC in an operating theatre is considered dangerous, arguably, the situation that occurred should be considered a "near miss". The accident reporting process that should exist as part of Health & Policies should kick in, which should lead to an investigation and detailed analysis of the problem. What should not occur is a knee-jerk reaction. Switching off updates doesn't deal with the root cause of the problem. Also, switching off updates should go through a change control process and the associated risks should be picked up at this point.

    Management ignorance of IT is not the issue. The issues are about riding roughshod over proper policies and processes - if they exist at all.

    This situation generally occurs because the resource to implement proper processes does not exist. There is a tendency to view IT as an obstacle rather than an enabler. "Projects" tend to suck resources away from business-as-usual IT support. Public sector pay can't compete with private sector pay (well - different equation now). Etc, etc...

    Most of youse otha commenters kno nuffink. Youse are just as guilty as those managers who funked up because youse can't see the real problem and look towards a TECHNICAL solution to a problem that you THINK exists. Bah.

  5. Anonymous Coward


    You'd need to take a flamethrower to a cornfield to generate enough popcorn for this spectacle.

    Keep it up, kiddies...

  6. raving angry loony

    Yet again...

    Yet again, a deficiency in Microsoft's products results in a workaround that creates even more problems. It should be possible to set things up so that the operating system cannot reboot without user intervention. By all means install the patches - but wait for confirmation before booting. Not so for Microsoft, who knows better and will happily reboot a system in the middle of a critical task, sometimes even when you tell it not to.

    Fucking idiots.

    For that matter, in a real operating system most patches shouldn't cause a reboot at all.

    As for the other arguments about why corporations choose certain OSs, the rule I've developed in my 25 years of working in the field is "if a decision makes no sense, follow the money". Probably someone who made the decision was rewarded, one way or another, for making that particular decision. Either the fact that they drained the accounts of other divisions into their own triggered a bonus (because their division is obviously "making a profit", even if it's at the expense of the rest of the enterprise), or they got a kickback from the vendor, or any number of other scenarios that I've seen played out. The OS selection rarely if ever has anything to do with the technical merit, and everything to do with who is married to whom, or who is shagging whom, or who is a boot-licking arse bandit with no more ethics than a hungry weasel.

  7. Fraggle
    Gates Horns

    Re: Patches? We don't need no stinking patches.

    "HOWEVER - Conficker is a tricky beast. If someone logs onto an infected machine with Domain Admin rights then it's pretty much game over, even if you have the patches installed. You cannot rely on patching alone."

    Erm... if that's the case, then in what way has this vuln actually been patched?.....

  8. ThinkingOutLoud
    Paris Hilton

    IT Change Advisory Board?

    All that needs to be said already has.

    One, only one individual on that board will have first put forward that idea and he/she will remain untouched while hiding behind the collective. One day I'll start a campaign to eek out these people!

    Paris because she'd be fun to play with on that boardroom table. (High Tenuous Factor, sorry.)

    PS. in sales negotiations, saying you have to consult the Board or Committee is a popular way to tell a salesperson you COULD make a decision, but you have no intention of being pushed into it.

    PPS. Paris is now wriggling on that highly polished table... Sh*t, she fell off...

  9. Fred

    Why does the NHS pay for insecure OS?

    It just goes to show how corrupt some of the NHS deals are. Someone there made the decision to put Windows on those computers, paid for with our taxes!

    I'm glad I don't live in that area and need urgent medical help. Of course they claim it's under control - P.R. department damage control option #1 is obvious.

    Also, if they used an OS other than Windows, where the staff didn't know to muck about with it, then the mystery entry point for such a problem is removed.

  10. Bob Bramwell

    Windows in operating rooms?!

    The next time I'm under the knife I want to know what's running my life support system. WHY oh WHY do these people insist on using Windows in critical situations like warships and operating rooms? In particular, why are they connected to the internet? This is just asking for trouble.

  11. Anonymous Coward

    @ Duncan Hothersall 14:58

    "Your gratuitous insults make your argument even less convincing, by the way. You silly little twat."

    !!! ..... o_0

  12. Anonymous Coward
    Thumb Down


    "The existence of a perfect, productivity-enhancing, life-enhancing application which does not run on the already chosen OS will be of no consequence."

    Then will you guys stop harping on about Linux/Open Office/Firefox at *every opportunity*, please? That's the bleating, not comments that aren't rabidly pro-Linux. And as for others taking offence at wording, tough - Linux zealots have always been quick to call Windows users 'lusers', 'stupid' and whatever else. And say they deserve to get viruses, etc. Spiteful little gits, all. You're using Linux? Fine. Think that makes you seem more intelligent? OK - kid yourself. Please just sit with the other zealots and leave normal people alone. All the ranting and rite MS jokes are old as hell now. And before someone uses the stunningly original 'MS shill' argument, don't bother. I'm not. People don't need to be paid to disagree with you, no matter how unassailable you think your arguments are.

  13. Anonymous Coward

    Seems a little foolhardy...

    NHS/Public Sector bods, correct me if I'm wrong, but aren't these IT Change Advisory Boards normally headed up by "senior management", which in the NHS is likely to be made up of doctors who do not have a fucking clue? Having said that, I know of several private sector organisations that have yet to install Service Pack 2 onto XP. I honestly cannot think of a business reason why this is the case. Is there anybody out there that can shed light on it?

    To me it just seems wholly irresponsible to turn off updating wholesale. I hear the arguments for, but think they are at best misguided. If, over 8000 computers, a patch knackers 100 of them, that's only 1.25% that are down. If they are all unpatched on a LAN then 100% could potentially go down. Neither scenario is particularly acceptable, but surely the first is preferable?

    Mungo. Chill the fuck out mate. It's only an OS. Get a grip. Ignore the trolls. Besides, I'm sure I've read you pointing a guffawing finger at Mac/Linux. If I'm wrong, sorry; if not, sucks being made to look stoopid doesn't it?

  14. Mungo

    @ Duncan Hothersall

    You are still talking from your arse Duncan.

    These 'most places that have a policy that only Windows is allowed on the desktops' organisations you talk of aren't public sector. I'll stand corrected but I haven't found one yet with the balls to state that they only allow Windows on their production desktops, because in terms of public sector procurement you aren't allowing fair competition, and I will include STHT in that. Anything over 50K comes under a European Competitive Tender process which is very picky about how you dismiss tenders you don't want.

    These are probably private companies that you talk of and I suspect that your company isn't even one of them, 'cause I'll bet you use a Linux desktop at work just like me. I'll bet your outfit has a smattering of Macs also, just like mine and, guess what, just like STHT, so I doubt that this is the case at all. So where's your Windows-only desktop policy now? Does your outfit have a Windows-only desktop policy, Duncan? Of course it doesn't. So shut up you fanny.

    I will concede that there are going to be companies that do have this policy but not yours, not mine and not STHT. The real reason why Linux isn't on that desktop in the theatre in STHT is that it still lacks the application development needed for it to be seen to be competing directly with Windows. From an application stakeholder's point of view the nice-looking but crap Windows app will always beat the crap-looking but good Linux app.

    As for the monopoly element you speak of, it has no legs. Even if Windows disappeared overnight and we were all left with completely blank servers and desktops, do you really think there is enough diversity in Linux applications to fill the void left in each market sector? You know there is not. If there were more development for Linux apps it would be considered more seriously as an alternative, which brings me back to my point.

    You have illustrated my point perfectly. The amount of effort and lines you have written today would have gone some way towards writing an app for that PC in the theatre at STHT, but instead you chose to use it to moan about why Linux isn't where you believe it should be.

    I don't want to fight anymore. You either get it or you don't, so I will agree to disagree. No hard feelings Duncan, sorry for any offence etc.

  15. Charles Smith

    Absolute plonkers - fire them!

    "just time and effort by the IT teams"

    So the Spokesperson and the negligent Board would not object to the following costs being collectively deducted from their salaries:

    Man-hours x cost of internal IT staff tied up in fixing the problem

    Fees arising from external consultants

    Man-hour cost of hospital staff disrupted by the outage.


  16. Anonymous Coward

    Back on track?

    The first post seems to say it all.

    I'd guess that IT directors don't really want to have shift workers update kit when it is in non-operational mode?

    It seems (yet?) another instance of some people operating outwith their level of competence.

  17. Goat Jam


    Why does Winblows need to reboot after almost every single update, no matter how seemingly innocuous it appears to be?

    It's absolutely nuts and a sign of an utterly terrible architecture.

    Windows users, just say no.

  18. Anonymous Coward

    @UBfusion & @mungo

    Hell UBfus, if someone called me a 'useless fucker' things would be looking up! I'd even have to consider it a mark of respect!

    Keep it running smoothly - no one notices. The moment there's a problem you fucked up and it's your fault.

    My problems are the same as for everyone else working in IT :-

    1) management who do not understand the issues involved, are not really qualified to make technical decisions, but do so anyway - what I suspect has happened in the Sheffield hospital in the article.

    2) wider organisational policy : thou shalt do this, and thou shalt not do that. Immediately if you try to be proactive you run the risk of a disciplinary. This even goes so far as choice of systems/platforms as others have said.

    3) the difficulties of locking down systems, whilst still leaving the same systems in a state where useful work can be done by normal users. Yes, this applies to any OS! No system is totally secure. Not even one that is switched off. I still have a hammer available at all times :-).

    4) the difficulties of maintaining systems, particularly core servers in a 24/7 operation that can rarely be taken offline without causing disruption of some kind. Suddenly it's bye-bye bank holidays, etc.

    5) the technical side is great - continual evolution ensures no stalemate. However you are just an employee number, and a resource. One that rarely gets noticed at that. Hence the BOFH in us all.

    I don't have a tank top, am clean shaven, and can't stand wearing sandals. However, I have worked alongside some of the guys who do attire themselves with these items. Every single one of them was first class, experienced, intelligent and hugely capable. I am fortunate to have worked with them. I have also worked with other good people who do not fit the above clothing description, but again feel fortunate to have done so as they were very capable too. Who cares what people look like/wear if they're good at what they do, and are decent people to boot?

  19. Anonymous Coward

    @Mungo, actually no ...

    although I'd agree there is much writing to be done, the same applies to the alleged/anticipated/evaporated applications of NPfIT written for Windows.

    The way Windows was sold to the NHS was far more like Bill sitting on a sofa with Tony, for a rather short time and agreeing to do it. None of the software was written by then, and well, how much of it is written now?

    The NHS has a record of doing things wrong first, then scrapping it and redoing it. The X.400 email system was a case in point, though it has been running a parallel service of Exim on a commercial Unix for many years. It is only the rollout and enforcement of Exchange Server as a replacement for whatever the replacement for the Exchange X.400 stuff was that is likely to kill it off.

    My coat? The one with an iPhone in one pocket and a penguin in the other.

  20. Roger Heathcote

    How likely is it...

    ...that they've managed to completely clean their network.

    My experience working for the NHS IT doesn't give me much confidence in their cleanup.

  21. Anonymous Coward

    NHS computers aren't connected to the internet... Directly...

    As someone who used to work for a large IT Contractor to the NHS, I can confirm that NHS Networks are not directly connected to the Internet as assumed here...

    The computers of the IT firm I worked for were connected to the internet. And they connected to a network, that connected to a network, that connected to the hospital's network... Theoretically all 'firewalled' of course...

    And the IT Contractor I worked for had an internal policy of indefinitely postponing security updates on all OSs because they didn't have the staff to do testing, and most of what we sold as an "IT Solution" was cobbled together and had a tendency to fall over if something changed. Like the cluster of NT boxes at one hospital which were in such a poor state that they were set to automatically reboot every fifteen minutes because otherwise they'd lock up.

    Combined with the unofficial policy that 'permanently fixing a problem would cost us billable support hours we get from a temporary repair', and I can see exactly why things like the above story happen.

  22. Moss Icely Spaceport

    Cadaver volunteers?

    Send 'em all to the mortuary!

    Useless munters!

  23. Tom Cooke

    Windows in operating theatre?

    When I worked in the NHS, the only 'general-purpose' computing equipment (as opposed to monitors etc with embedded chippery) permitted in the operating theatres was special 'hardened and certified' kit (think it was running some kind of Citrix) approved by US and UK medical device agencies, and we were told CATEGORICALLY (I worked in IT) that no way would we ever get any of our standard Windows or *nix kit in there that was deployed elsewhere in the Trust. What donkey changed that policy?

  24. Duncan Hothersall

    @ Mungo

    I realise I'm flogging a dead horse, but the explicit policy of the entire NHS Connecting for Health or whatever that gargantuan, ineffective body is called now, is to limit support for the vast majority of its desktop functionality to Windows-based PCs. You are simply wrong about there being a level playing field in the desktop space - wrong about the NHS, and wrong about the vast majority of corporates.

  25. Alexander

    Slap yourself very hard

    The Scottish fire brigade was down as of yesterday, 1,100 PCs and servers on their ass.

    Firewall and closed networks don't count for shit if your staff can plug in those infected USB pen drives ...

    When will companies learn, and users too: at work your equipment's designation is work, not a holiday snap viewer or the latest tune player or funny YouTube video.

    Turning this into an operating system argument is like chewing house bricks, not very bright and rather unpalatable.

    Don't blame the OS if your company's change control and update policy is non-existent.

    This is less of a Microsoft problem and more of a WTF is ITIL problem.

  26. Nathan

    Same situation here

    I have problems at LANs, because I have only limited internet access, I'm always behind on windows update. Then it reboots in the middle of my game :'(

  27. Tone

    Group Policy - USB

    You would think that the NHS would have a group policy to disable the USB storage driver.

    @Nathan - is that a joke?

  28. John
    IT Angle

    USB etc.

    All computers could be installed with Windows 95a or b (the version I had) as the USB ports didn't work at all. Even with the USB support package they only worked with limited success. I had to stick 98 on to get 'em working, and there were only 2 to play with, so a hub costing £30 had to be bought for the emerging technology. This had the side effect of slowing the computer down to a crawl. As other posters have said, a group policy would sort this problem out, or (this may have been suggested earlier, but I haven't gone through all the replies) stick a (hi-tech) sticky label over the USB ports and get the team leaders to check they haven't been used by more savvy admin civvies.

  29. This post has been deleted by a moderator

  30. Anonymous Coward
    IT Angle

    If IT weren't so despicable, maybe people would listen to them

    Mat wrote:

    "The following comment seems to show what NHS managers *really* think of IT:

    "The trust argued that the consequences of its decision making had not cost public money, "just time and effort by the IT teams"."

    Mat, I agree with you, *but* the thing is - if a significant percentage of people in IT weren't woman-hating socially-inept losers (evidence the pejorative word "cunt" in this thread and certain Reg readers' perpetual Paris-bashing elsewhere at this website) who probably can't get laid unless they pay for it, maybe management *would* always take IT more seriously and always listen to their suggestions.

    As it is though, 'normal' people (management, other employees, etc) often view IT as a bunch of cavemen, not deserving of respect. Little wonder IT suggestions often are ignored.

    Needless to say, this doesn't include everyone.

    AC wrote:

    "Heh. Working in the tech industry requires a much thicker skin than that. If you want practice, I can come up with better."

    Like I was saying.

  31. David

    Internet in Operating rooms

    It must be to view that, "How to perform open heart surgery" video on Youtube.

  32. Paulcutts
    IT Angle


    I can't believe they don't use WSUS on a WAN that big! Who is running that network?
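A defender-side audit of the host settings this comment and comment 27 raise (updates switched off, no WSUS, forced reboots, the USB storage driver, Autorun), written as an added PowerShell example that is not code from the thread or from any NHS project; the registry keys are the standard Windows Update, USBSTOR and Explorer policy locations, and the 'Ok' baseline it checks against is this example's own assumption:

```powershell
# Added example, not from the thread: a read-only audit of the per-host settings
# the commenters argue about (Automatic Updates switched off, no WSUS, automatic
# reboots, USB storage driver enabled, Autorun enabled). Run as an administrator.
# The registry locations are the standard Windows policy keys; the 'Ok' rules
# are this example's assumed baseline, not a mandated configuration.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null    # key or value absent: treated as "not configured"
    }
}

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

$checks = @(
    @{ Id = 'AutoUpdate'; Path = "$wu\AU"; Name = 'NoAutoUpdate'
       Ok = { param($v) $v -ne 1 }
       Finding = 'Automatic Updates are disabled by policy (NoAutoUpdate = 1)' }
    @{ Id = 'WSUS'; Path = $wu; Name = 'WUServer'
       Ok = { param($v) -not [string]::IsNullOrEmpty($v) }
       Finding = 'No WSUS server set; patches are not staged and approved centrally' }
    @{ Id = 'AutoReboot'; Path = "$wu\AU"; Name = 'NoAutoRebootWithLoggedOnUsers'
       Ok = { param($v) $v -eq 1 }
       Finding = 'Scheduled installs may restart the machine while someone is logged on' }
    @{ Id = 'USBSTOR'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Name = 'Start'
       Ok = { param($v) $v -eq 4 }
       Finding = 'USB mass-storage driver is loadable (Start is not 4 = disabled)' }
    @{ Id = 'Autorun'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'
       Ok = { param($v) $v -eq 0xFF }
       Finding = 'Autorun is not disabled for all drive types (NoDriveTypeAutoRun != 0xFF)' }
)

# Evaluate every check and record the raw value next to the verdict so the
# report is usable as evidence in a change-control discussion.
$results = foreach ($c in $checks) {
    $value = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Check  = $c.Id
        Value  = if ($null -eq $value) { '<not set>' } else { $value }
        Status = if (& $c.Ok $value) { 'OK' } else { 'FINDING' }
        Detail = $c.Finding
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so a fleet-wide run (for example from a scheduled task) can
# flag hosts whose configuration drifted from the baseline.
if ($results.Status -contains 'FINDING') { exit 1 }
```

The script only reads the registry; changing any of these settings should go through the change control process the earlier comments describe, normally via Group Policy rather than per-host edits.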



Biting the hand that feeds IT © 1998–2021