While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February

When the WannaCrypt ransomware exploded across the world over the weekend, infecting Windows systems using a stolen NSA exploit, Microsoft president Brad Smith quickly blamed the spy agency. If the snoops hadn't stockpiled hacking tools and details of vulnerabilities, these instruments wouldn't have leaked into the wild, sparing …

  1. Anonymous Coward

    And they said the Piranha Brothers were ruthless

    Dinsdale!

    1. TheVogon

      Re: And they said the Piranha Brothers were ruthless

      "Friday's WinXP fix was built in February"

      And it was released to customers running still supported versions of XP or with support contracts back in March...

  2. veti Silver badge

    Plenty of blame to go around

    But it seems to me that the number one muppet in this story is the UK government minister who told Microsoft "no, we know what we said last year, but we're not paying for your patches any more".

    Microsoft's "crime" amounts to "not giving away their code for free to people who had made a positive choice not to pay for it". Maybe it's just me, but I find it hard to fault them for that. And even then, according to this story, the patch was distributed in late April.

    The one who really needs to fall on his sword (or if he doesn't have one handy, I'm sure many others would be happy to provide one) is Jeremy Hunt. And, of course, the CEOs/boards of all those ironically-named "trusts" that left their unpatched XP machines online.

    1. Colin Millar

      Re: Plenty of blame to go around

      Exactly right - Hunt is not fit to be left in charge of the department of silly walks never mind the NHS

      Seems like he had 3 choices

      1) Pay for and force through the upgrades to supported systems

      2) Pay for custom support

      3) Take the gamble - with the one government department that really could do without any extra shit

      I wonder if president May will finally sack this muppet whose life mission seems to be to wreck the NHS.

      Big Brother - he's going to fix the deficit by betting everything on a 3-legged dog

      1. lorisarvendu

        Re: Plenty of blame to go around

        This is the downside with Conservative policy of reducing State control. Make Trusts solely responsible for what they do with their own budgets, and then complain when they make the wrong (in hindsight) decision.

      2. DaddyHoggy

        Re: Plenty of blame to go around

        If Hunt quits or is forced out he'll just be given another £70,000+ ministerial position - he should be made to stay as Minister of Health - he should ring round all the Radiotherapy patients who are supposed to get their cancer treatment every day and have now gone without it for nearly a week and apologise and be made to go to the funerals of anybody who dies where such things can be attributed to this IT failure.

        He should be made to work through the night with IT techs trying to hold outdated PCs and IE6-based applications together with string and sealing wax.

        The NHS should become his living nightmare and one he's never allowed to escape from (at least until/if the Tories are replaced as the Gov't).

        1. Anonymous Coward

          Re: Plenty of blame to go around

          If Hunt quits or is forced out he'll just be given another £70,000+ ministerial position

          My company's well connected political relations team tell me that Hunt is kept in Cabinet and as health minister purely and intentionally as a firewall, to isolate the PM from the various NHS screw-ups. He's got no talent, but Hunt is conveniently an unpopular man, and a head ready to be plated up, should the going get so tough in the NHS that somebody has to be fired.

          Imagine you are PM. If (hypothetically) there was a really good, strong, well connected MP, who you wanted to retain, and looking for a ministerial brief - or simply anybody who was great mates with you as PM, the last job you'd give them is minister for health, because it is such a high risk portfolio, yes? Whereas being Home Secretary is unjustifiably isolated from all the crap decisions taken by or under the authority of all post holders. Or if you're minister for the environment, or work and pensions, nobody really cares, no matter how obviously you mess up. So there you have it: Jezza Hunt does have a purpose in life. Sadly nothing that benefits society.

          On a separate topic, am I the only person to have thought that Hunt, Daniel Craig, and Alistair Dabbs appear to have a time-share on the same face? What do they wear the other two thirds of the time...

      3. annodomini2

        Re: Plenty of blame to go around

        @Colin Millar,

        You assume that he is not doing his job, he is (hence why he has not been removed), his job is to run the NHS into the ground to justify privatisation.

      4. Smallbrainfield

        Re: Plenty of blame to go around

        Hunt won't get the sack - he's delivering the exact NHS service the tories want.

        By running the NHS into the ground they can point to it and say, look it's shit, but look how shiny this private hospital is. Death by a thousand cuts, literally.

    2. aks

      Re: Plenty of blame to go around

      The individual trusts are certainly to blame. I assume that Hunt has been nagging them to get their act together.

    3. Anonymous Coward

      Re: Plenty of blame to go around

      Of course you HAVE done the cost benefit analysis to determine that the confusion caused by two or three days' IT outage costs a lot more than the $ saved at, what was it? $400 a desktop?

      1. Anonymous Coward

        Re: Plenty of blame to go around

        I am aware of surgeries that closed their doors to all but emergency appointments because they weren't using their computers until IT had checked them over to guarantee they'd be safe to use.

        Also trusts stripping all attachments on incoming mail as a precaution.

        Easily more costly in terms of disruption, waste of resources, missed patient care than the cost of support (circa £1 a day per computer)

        1. John Smith 19 Gold badge

          "Also trusts stripping all attachments on incoming mail as a precaution."

          Here's a thought.

          Maybe doing that to begin with?

          1. Paul 76

            Re: "Also trusts stripping all attachments on incoming mail as a precaution."

            Yes, or at least something not dissimilar. Only allowing HTML, XML or zipped XML for example, or just raw text.

            Is it perhaps the case the real "villain" is a word processor which can run executables?

            1. Anonymous Coward

              Re: "Also trusts stripping all attachments on incoming mail as a precaution."

              "Is it perhaps the case the real "villain" is a word processor which can run executables?"

              I'd also like a word with whoever thought hiding file types was a good idea.

            2. big_D Silver badge

              Re: "Also trusts stripping all attachments on incoming mail as a precaution."

              @Paul 76, there have been enough buffer overflows in XML, HTML and Zip over the years, so no, the WP isn't to blame; its default is not to execute macros, or to execute only signed macros.

              The user has to open his machine up to attack, by allowing unsigned macros.

          2. cosmogoblin

            Re: "Also trusts stripping all attachments on incoming mail as a precaution."

            Seriously - are people still opening unexpected attachments?

            Or, are they still using Microsoft email programs?

            Buffer overflow bugs aren't going anywhere, and miscreants will continue to find more. But this is tantamount to rolling out the red carpet for them.

          3. Anonymous Coward

            Re: "Also trusts stripping all attachments on incoming mail as a precaution."

            Oh good, all attachments? The image of the pre-cancerous mole that the GP took and mailed to the dermatologist? The copy of the letter to the GP from the dermatologist? The order confirmation for the life saving widget, the invoice for the life saving widget? The CV of the doctor applying to join A&E? The rail fare confirmation so that the locum can get to work?
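The sub-thread above argues both sides of the same control: Paul 76's suggestion of allowing only text, HTML, XML or zipped XML, the follow-up about hidden file types, and the objection that stripping everything also drops the mole photo and the dermatologist's letter. The following is an added example, not code from the thread or from any vendor, of what that allowlist looks like when it is enforced on content rather than on the displayed extension alone. The allowlist, the sample message and every attachment in it are constructed for the demonstration; the "image" is a few bytes of JPEG header, the "executable" is an MZ stub, and the macro document is a zip with a vbaProject.bin entry, which is all the filter needs to see.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Hypothetical site policy, as proposed in the thread: text, HTML, XML,
# zipped XML. Whether "jpg" or "pdf" belong here is exactly the trade-off
# the later reply raises; it is a policy choice, not a parsing problem.
ALLOWED_EXT = {"txt", "xml", "html", "htm", "zip"}
ZIP_MAGIC = b"PK\x03\x04"  # zip local file header (also OOXML/.docm)
MZ_MAGIC = b"MZ"           # DOS/PE executable header


def inspect_zip(data):
    """Allow a zip only if every entry is XML; this rejects OOXML macro parts."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if not info.filename.lower().endswith(".xml"):
                    return False, f"zip entry {info.filename!r} is not XML"
    except zipfile.BadZipFile:
        return False, "corrupt zip"
    return True, "zip of XML only"


def classify_attachment(filename, data):
    """Decide on the bytes, not only on the (possibly hidden) extension."""
    name = (filename or "").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if data.startswith(MZ_MAGIC):
        return False, "PE executable by magic bytes"
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not on allowlist"
    if ext == "zip":
        if not data.startswith(ZIP_MAGIC):
            return False, "zip extension but not a zip container"
        return inspect_zip(data)
    if data.startswith(ZIP_MAGIC):
        return False, f"zip container disguised as {ext}"
    return True, "allowlisted"


def filter_message(raw):
    """Return [(filename, allowed, reason)] for each attachment of a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        allowed, reason = classify_attachment(part.get_filename(), data)
        results.append((part.get_filename(), allowed, reason))
    return results


def make_zip(entries):
    """Build a small zip in memory from {name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message():
    """Constructed test mail; every attachment is synthetic."""
    msg = EmailMessage()
    msg["From"] = "gp@example.invalid"
    msg["To"] = "dermatology@example.invalid"
    msg["Subject"] = "Referral"
    msg.set_content("Referral attached.")
    macro_doc = make_zip({"word/document.xml": "<w/>", "word/vbaProject.bin": "x"})
    attachments = [
        ("referral.xml", "application", "xml", b"<referral/>"),
        ("statement.pdf.exe", "application", "octet-stream", b"MZ\x90\x00stub"),
        ("letter.docm", "application", "vnd.ms-word.document.macroEnabled.12", macro_doc),
        ("macro.zip", "application", "zip", macro_doc),
        ("bundle.zip", "application", "zip", make_zip({"a.xml": "<a/>", "b.xml": "<b/>"})),
        ("mole.jpg", "image", "jpeg", b"\xff\xd8\xff\xe0fake"),
    ]
    for fname, main, sub, data in attachments:
        msg.add_attachment(data, maintype=main, subtype=sub, filename=fname)
    return msg


if __name__ == "__main__":
    for fname, ok, why in filter_message(build_sample_message().as_bytes()):
        print(f"{'KEEP' if ok else 'DROP'} {fname}: {why}")
```

Run stand-alone it prints one KEEP/DROP line per attachment. The two zips with identical bytes show why the check has to look inside the container: "macro.zip" is dropped for its vbaProject.bin entry while "bundle.zip" is kept, and "letter.docm" never gets that far because its extension is not on the list. "mole.jpg" is dropped too, which is the point of the objection above; extending ALLOWED_EXT (and adding a magic-byte check for the new type) is where that decision is made.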

    4. Gordan

      Patches Built in February

      The reason patches for XP were provided publicly at all is because MS had already written them - for XP POS (Point of Sale) edition, used for embedded systems like cash registers and ATMs. XP POS is supported until 2019, and as ElReg covered 3 years ago, XP can be tweaked to change its identity and use POS patches directly.

      So there is no conspiracy or foul play here - the patches were built in February because they were built for the POS edition. Don't expect any good will patches for XP after POS goes EOL in 2019 regardless of the outcry.

      1. Jason Bloomberg Silver badge

        Re: Patches Built in February

        there is no conspiracy or foul play here

        The foul play is in suggesting it was hoarding of exploits which had somehow limited their ability to produce patches. If one chooses a "won't pay, don't get" policy, fair enough, but at least be honest about that.

        They have done the right thing in releasing the patches now. Though I am sure that is to protect themselves as much as their customers.

    5. Anonymous Coward

      Re: Plenty of blame to go around

      I already wish to see *unt's head on a platter for a number of other reasons, the least of which being that he's an utter turdburger. Add this one to the list.

    6. Destroy All Monsters Silver badge

      Re: Plenty of blame to go around

      Microsoft's "crime" amounts to "not giving away their code for free to people who had made a positive choice not to pay for it".

      Now, if XP had been open sourced and Microsoft had told everyone that, given the expiry of yadda yadda, they are out in the rain but can do something if need be, I would agree.

      The actual situation is reckless endangerment of people and property by not fixing a problem in a product that turns out to be rather unfit for purpose after having hit the market. I think courts might want to look into that.

      1. Anonymous Coward

        Re: Plenty of blame to go around

        Let's hope the courts do look into it.

        This article really is dynamite. As you say, it is deliberate, reckless endangerment. A very serious matter.

        Should anybody continue a relationship with a vendor that demonstrates such contempt for its customers, business, and human life?

        1. This post has been deleted by its author

          1. anonymous boring coward Silver badge

            Re: Plenty of blame to go around

            "This is a serious question - would Linux be a better OS in this situation ?"

            Where is the incentive to hold back security fixes from Linux users?

    7. Anonymous Coward

      Re: Plenty of blame to go around

      Except it wasn't the XP machines that caused the problem. So stop trying to turn this into a political issue about not paying for XP support on a diminishing number of isolated specialist applications.

      Windows 7, 8 and 10 in the NHS by far and away took the brunt, as it's the mainstream OS used in the organisation. Almost all of the XP machines weren't on the main network domain.

      If you want to blame someone, blame the person that still thought it was 2000 and that nobody ever got fired for buying Microsoft... Clearly the days of Windows being fit for purpose in business are long gone. In the era where most things can be done in a web app, a locked down dumb client, or Google for business would be far more secure.

      1. Anonymous Coward

        Re: Plenty of blame to go around

        "or Google for business would be far more secure."

        Is that the same Google Docs that got totally owned the other week?

        Yes lets put everything in the cloud, patient records, hospital appointments, drug information...

        Fuck Off

        1. RyokuMas

          Re: Plenty of blame to go around

          "Is that the same Google Docs that got totally owned the other week?"

          ... or the same Google that has been illegally "inappropriately" using patient data?

        2. Doctor Syntax Silver badge

          Re: Plenty of blame to go around

          "Yes lets put everything in the cloud, patient records, hospital appointments, drug information..."

          OTOH Google seem to be getting this wholesale from some hospitals so why not?

          What's more my GP's practice along with many others seems to be outsourcing all their records to some web service.

          1. This post has been deleted by its author

            1. anonymous boring coward Silver badge

              Re: Plenty of blame to go around

              The main issue is extorting the customer by hiking the price to silly levels year-by-year. Stupid.

    8. The Vociferous Time Waster

      Re: Plenty of blame to go around

      Let's not forget Thatcher2.0's role in intelligence hacking whilst Home Secretary.

    9. Doctor Syntax Silver badge

      Re: Plenty of blame to go around

      Microsoft's "crime" amounts to "not giving away their code for free to people who had made a positive choice not to pay for it".

      Car analogy: Vehicles are sold with a serious brake fault. Instead of a recall customers are told "you can only get them fixed if you have a maintenance agreement".

      Only the software industry can get away with this.

      1. Anonymous Coward

        >> Car analogy...

        A brake fault is today discovered on a 1957 Ford Edsel. Reckon Ford will do a recall, or laugh ruefully at the memory of bygone days?

        1. Anonymous Coward

          Re: >> Car analogy...

          Hmmmm an Edsel is to CP/M what a Ford Focus is to windows XP so back to the drawing board with no cigar for you.

        2. anonymous boring coward Silver badge

          Re: >> Car analogy...

          1957?

          Perhaps make your analogies more realistic?

          Perhaps a 2002 Merc bus that is used every day to transport millions of people, or some similar analogy?

        3. Kiwi

          Re: >> Car analogy...

          1957 Ford Edsel

          Do 1957 Edsels make up a significant portion of the current vehicle fleet? Or even of Ford's currently used fleet?

          Honda and Toyota (IIRC) had a fault in their airbags in 2015 or thereabouts. They recalled vehicles for a free replacement all the way back to 2000, maybe earlier, that were affected. This is quite comparable, especially given the amount of re-write that went into XP SP3 making it closer to a new release than a service pack. And replacing code in software is orders of magnitude cheaper than replacing parts in a car; in software you only have to put the code on your update servers (which exist already) and let the update software do its job, whereas with a car you have to pay a suitably qualified mechanic (some recall work can be done by apprentices with a little training, some need a specialist) to replace the parts, which can cost several $hundred per car.

          There's what, maybe a couple of hundred 1957 Edsels left in the world, of which a small handful are used on a regular basis? Whereas XP makes up what, 5% of computers still in use? (actually back of my mind I think it's closer to 15% but ICBW). That breaks your analogy somewhat.

          #reallymustgetontothesethreadssooner

      2. Anonymous Coward

        Fixed your car analogy

        Car analogy: Vehicles are sold with a serious brake fault. Instead of a recall customers are told "you can only get them fixed if you have a maintenance agreement".

        Car analogy: Vehicles were sold 15 years ago and their brakes are knackered. Customers are told "you can only get them fixed if you pay a mechanic".

        1. Doctor Syntax Silver badge

          Re: Fixed your car analogy

          Car analogy: Vehicles were sold 15 years ago and their brakes are knackered. Customers are told "you can only get them fixed if you pay a mechanic"

          Car was sold 15 years ago with an egregious design fault..

          We're repeatedly told here by commentards that the product was supported for 13 years. So why during those 13 years was it not found and fixed? In all conscience 13 years ought to have been long enough. It sounds like the sort of thing that any static code analysis tool should have highlighted.

          1. Archaon

            Re: Fixed your car analogy

            I would argue that something found 15 years later is not egregious. Especially as it's probably the result of numerous supported and unsupported components and work over time. Even for more modern cars that is not only beyond the 'manufacturer lifecycle' but likely also beyond the expected life of the machine.

            And regarding the fixes; if it's that easy then I look forward to seeing SyntaxOS v1 as my daily driver at some point in the near future.

            Crack on.

            1. Wensleydale Cheese

              Re: Fixed your car analogy

              "I would argue that something found 15 years later is not egregious. Especially as it's probably the result of numerous supported and unsupported components and work over time. Even for more modern cars that is not only beyond the 'manufacturer lifecycle' but likely also beyond the expected life of the machine."

              As I recall from a project long, long ago, airbag component data had to be kept for 14 years.

              Edit: I see that Patched Out in this comment has had a recall for a defective airbag on his 14 year old car.

          2. Mark 85

            Re: Fixed your car analogy

            We're repeatedly told here by commentards that the product was supported for 13 years. So why during those 13 years was it not found and fixed? In all conscience 13 years ought to have been long enough. It sounds like the sort of thing that any static code analysis tool should have highlighted.

            Oversight? Or getting some "feedback" from the agencies not to patch as this gave them access? On the MS side, I wonder how many Win10 they will now sell? Too damn many questions, plots, screw-ups, etc. to really know what's going on.

            1. anonymous boring coward Silver badge

              Re: Fixed your car analogy

              "On the MS side, I wonder how many Win10 they will now sell?"

              What? Someone has actually bought it? With real money?

          3. Patched Out

            Real world car analogy

            If you want to apply a car analogy that is closer to this, I would suggest looking at the wide-spread defective air-bag problem. An embedded defect that is not dangerous until the air-bag is needed to protect the occupant.

            And yes, my 14 year old car is part of the recall and is to be fixed for free.

        2. CRP

          Re: Fixed your car analogy

          The car analogy is interesting in the sense that if you have a problem with your car you can usually go to a number of different approved (or unapproved) mechanics or fix it yourself. With Windows (proprietary technology) you can only go to Microsoft to fix it. This seems to be a problem with monopolistic tendencies in the software industry and platform lock in. Perhaps makes a good argument for open source?

          $800 per PC per year for a service contract. For 16 year old software. Is that typical? Was there a cosy deal between MS and the UK government?

          How does the NSA reconcile its responsibility to the US citizenry for its security by withholding security flaws in its (and others) IT infrastructure. It comes across as a vested interest only concerned with maintaining its own position.

          1. Anonymous Coward

            Re: Fixed your car analogy

            "$800 per PC per year for a service contract. For 16 year old software. Is that typical?"

            Yes it is once it goes end of life.

            Microsoft have to keep an XP team / build process / test stack / update services etc. etc. still running just for this. It started I think @ $100 a year and the cost doubles each year due to declining number of customers requiring the above... And to incentivise customers to move to a supported platform. They did after all have several years notice to do something about it!

        3. anonymous boring coward Silver badge

          Re: Fixed your car analogy

          That's because there are real costs involved. If it's wear and tear it's obviously a maintenance issue. If it is a massive design fault that will make all cars dangerous to drive, then it's an all new ball game.

          In the MS case we don't know if NSA has told MS it mustn't release certain patches to the non-supported OSs. This is a strong possibility.

      3. Wensleydale Cheese

        Re: Plenty of blame to go around

        "Car analogy: Vehicles are sold with a serious brake fault. Instead of a recall customers are told "you can only get them fixed if you have a maintenance agreement".

        Only the software industry can get away with this."

        s/serious brake fault/cheating on diesel emissions tests/

        Judge orders Volkswagen to pay a $2.8-billion U.S. criminal penalty for cheating on diesel emissions tests

      4. Anonymous Coward

        Re: Plenty of blame to go around

        "Car analogy: Vehicles are sold with a serious brake fault. Instead of a recall customers are told "you can only get them fixed if you have a maintenance agreement".

        Only the software industry can get away with this."

        Not sure that analogy is strictly correct. If the brake fault could only be activated by malicious intervention then not many car companies would be rushing forward to correct it especially on vehicles that are 17 years old and well out of warranty.

        1. Ben Tasker

          Re: Plenty of blame to go around

          Not sure that analogy is strictly correct. If the brake fault could only be activated by malicious intervention then not many car companies would be rushing forward to correct it especially on vehicles that are 17 years old and well out of warranty.

          Probably depends on what the malicious bugger needs to do. If it's simply thump on your car door as he walks past, then they probably would be, particularly if there were still a high number of them in the market (or if it also affected a more popular model, as is the case with Win 7/8)

        2. anonymous boring coward Silver badge

          Re: Plenty of blame to go around

          "Not sure that analogy is strictly correct. If the brake fault could only be activated by malicious intervention then not many car companies would be rushing forward to correct it especially on vehicles that are 17 years old and well out of warranty."

          If it's an internet connected car (just wait 15 years), and it turns out sending an email to the car can disable the brakes, I'm pretty sure they would quickly hand out patches for free.

          They wouldn't sit on the patches, wait for a few deaths, and hope that customers come flocking to buy the fix. (Well, unless it's an american car company, that is.)

      5. agurney

        Re: Plenty of blame to go around

        I can't agree with that car analogy - a more appropriate one might be that the door locks aren't strong enough to stand up to a crowbar.

      6. Glenturret Single Malt

        Re: Plenty of blame to go around

        False analogy. A car sold with a serious braking fault falls under the same kind of regulation that applies to any item that is not suitable for use when purchased (even if the flaw only becomes apparent after a period of time). A closer analogy would be the development of methods to overcome car locking and security systems which may well have been state of the art / undefeatable at the time of purchase.

      7. veti Silver badge

        Re: Plenty of blame to go around

        @Doctor Syntax: in your car analogy, there was a "recall". But lots of customers flatly refused to bring their old cars in for repair or replacement. XP was retired 3 years ago, there was plenty of publicity about that at the time, and all currently supported versions of Windows had the flaw patched 2 months ago.

        Question: if the brakes fail in my Ford Model T, manufactured 1920, is it fair to blame Ford for that?

        If not, then you've accepted that manufacturers aren't responsible for supporting their products ad infinitum, and all that remains is haggling about how long the period should be.

        1. anonymous boring coward Silver badge

          Re: Plenty of blame to go around

          " in your car analogy, there was a "recall". But lots of customers flatly refused to bring their old cars in for repair or replacement"

          First time ever a critical flaw has been repaired by giving customers completely new cars, that are incompatible with their old ones (i.e. replace flat-bed truck with a Mini), and which they also had to pay for. Nice fixing.

      8. This post has been deleted by its author

        1. big_D Silver badge

          Re: Plenty of blame to go around

          @Oliver Jones, I agree with you, apart from the 30 years (10 years is more than long enough in IT terms) and the open sourcing.

          If Microsoft hadn't offered cheap or free upgrades to newer versions of Windows or had stopped making Windows altogether, then I would agree. But they have brought out newer versions of Windows with improved security and stability, they have bent over backwards in some ways, to get people to upgrade, and for those that don't want to / can't upgrade, there is paid support.

          In the case of the NHS, they decided the money was better spent on refurbishing offices and other frivolities, rather than ensuring their infrastructure was secure.

      9. Anonymous Coward

        Re: Car analogy

        Once upon a time, the car had a warranty. The software didn't. The software industry doesn't exactly get away with it, they just get to sigh with relief while everyone's expectations get all shot up in the all-too-common drive-by, because they claim everything and solemnly promise nothing. So did we learn anything? Some expectations are unreasonable, fix them first. And get rid of the people who are hoarding those. The power of accurate observation mumble mumble mumble got it.

    10. Amos1

      Re: Plenty of blame to go around

      If you're not buying the current version you're not a customer, you're a former customer. Supporting former customers for free is a sure-fire method to increase your expenses and reduce your profits with no gain for you.

      1. Doctor Syntax Silver badge

        Re: Plenty of blame to go around

        "Supporting former customers for free is a sure-fire method to increase your expenses and reduce your profits with no gain for you."

        Letting stuff like this fester until it manifests itself by large scale damage is a sure-fire way to make people ask whether they should become future customers. That's not exactly a gain especially when those "former customers" are also your current and hoped-for future customers.

    11. Roland6 Silver badge

      Re: Plenty of blame to go around

      Microsoft's "crime" amounts to "not giving away their code for free to people who had made a positive choice not to pay for it". Maybe it's just me, but I find it hard to fault them for that.

      Well that may apply to governments and businesses who were eligible to apply for the overpriced extended support; however, your typical Windows user wasn't given a choice: for them, support for XP ended in 2014 (i.e. 10 years plus a 2 year free extension after XP was first released).

      Ignoring Windows Embedded/POS, it would seem that this will also be the case with Win7, 8, 10. So the takeaway is: if you have systems that you expect to outlive the MS support lifecycle, either build in contingencies so that relevant MS-dependent system components can be upgraded, or use a different OS platform whose lifecycle better fits the lifecycle of your product/application.

  3. Anonymous Coward

    Latent product defect??

    http://www.legalmatch.com/law-library/article/what-is-a-latent-defect.html

    I wonder if Microsoft will be liable under this.

    1. a_yank_lurker

      Re: Latent product defect??

      My non-shyster answer is maybe. It probably depends on the precise details as to whether it would stick. Sitting on a patch for a known, severe vulnerability does not help, but what was the damage/number of deaths directly attributable to the hack would also play a role. You would need to break the EULA, which is not impossible, just a royal pain.

    2. Steve Davies 3 Silver badge

      Re: Latent product defect??

      Microsoft Liable??? WTF are you smoking...

      Excuse me while I ROFL and hope I don't split my sides.

      The MS EULA absolves them of any liability for anything.

      If you can't sleep at night why not give it a read? I'm sure you will fall asleep before you get to the bit where it says that it has no responsibility for anything at all.

      Good luck in Court. If anyone wants to test the EULA in the UK/EU then I'm sure there will be an awful lot of interested parties hoping you win.

      1. Richard 12 Silver badge

        Re: Latent product defect??

        The EULA has never been tested in court.

        It is rather likely that MS would settle privately out of court to keep it that way, should an entity indicate that they were really going to go that far.

          I suspect that they already have done so a few times, but obviously the point of such settlements is to keep them off the public record.

        1. PhilipN Silver badge

          The EULA has never been tested in court.

          You can bet your bottom dollar it will be now

      2. MrDamage Silver badge

        Re: Latent product defect??

        > "The MS EULA absolves them of any liability for anything."

        When does the consumer get to see the EULA, before or after the point of sale?

        Seeing as it is no longer printed out on the box like it was with Win3.x and Win9x, it means MS are attempting to add terms and conditions to the sale of a product AFTER the consumer has paid for it.

        In a country that has consumer laws that actually look after the consumer, this makes the EULA invalid, and any attempt to enforce to terms of it would be deemed illegal.

        Take2 Interactive (Australia) learnt that the hard way when they tried EULA shenanigans with me.

        1. Doctor Syntax Silver badge

          Re: Latent product defect??

          "Seeing as it no longer printed out on the box like it was with Win3.x, and Win9x"

          If it was sold in a box big enough for that there'd be complaints about excessive packaging.

          1. Wensleydale Cheese

            Re: Latent product defect??

            "Seeing as it no longer printed out on the box like it was with Win3.x, and Win9x"

            If it was sold in a box big enough for that there'd be complaints about excessive packaging.

            That raises an interesting point. Apple and other EULAs are available to peruse online.

            When I tried to compare the Windows 7 and Windows 8 EULAs, the only place I could find the relevant text was on systems with those products already installed.

            Apple and others also allow you to print EULAs and save them to disk as part of an installation, so that you can see what they contain at your leisure. It's a more transparent process.

        2. big_D Silver badge

          Re: Latent product defect??

          @MrDamage, every user has to accept the EULA before installing the software - even on a new machine, the EULA is shown and the user has to accept.

          If they don't accept the EULA, they can take the software back and get a refund. Claiming that they hadn't read the EULA, when they have explicitly said that they have read and understood it won't stand up in court.

          I agree, in Germany (for example), that would be hard to enforce, as it is what you have read before purchase that counts - that is why using an OS X CD on a non-Apple PC is legal; that restriction is only visible after you have paid for the product and opened the packaging.

It has also been proven in court, that for downloaded software, that the EULA must be read before installation begins, for it to be binding. Microsoft ensure that with, for example, the Windows 10 upgrades that are downloaded, that you read the EULA before it attempts to write anything to disk.

          It will depend very much on jurisdiction, whether the EULA being agreed to before the installation takes place, but after the purchase transaction has been completed, is binding or not.

  4. Anonymous Coward
    Anonymous Coward

    I'm not sure where I sit on this.

    Microsoft is under no obligation to release patches for an OS it no longer supports without being paid.

    Microsoft should have released the patches to ensure we didn't end up in the mess.

    Even if Microsoft did release the patches how many people would have actually applied them or been aware of their existence?

    It's a tough one.

    I'm going to go with Jeremy Hunt being to blame because unless he had cast iron guarantees that the NHS would no longer be using XP he should not have cancelled the contract for upgrades.

    1. CentralCoasty
      Facepalm

Jeremy can safely wriggle out by pointing out that whilst he cut the contract he left it up to each individual trust to decide what they do with the risk - and hence the fact they didn't upgrade the XP machines resides with them and not him.....

The trusts obviously didn't understand the risk (if they even knew about it) and/or it was just another massive red flag amongst the many that they are dealing with. (What's more critical: getting more nurses, doctors and beds, or fixing a computer that may (or may not) get hit by a virus?)

      All around failure - and I expect nothing will happen except a series of finger pointing at each other.

As to Microsoft having the patches - good on them. It is totally within their right to charge for the patches - as to whether it is mercenary or not - this is another question! Guess we should be thankful they still had the technical know-how - what would the situation be if we had been trying to patch OS/2, BeOS or RiscOS......

      1. Doctor Syntax Silver badge

        " It is totally within their right to charge for the patches"

        Let's not lose sight of the fact that this is a patch for a basic design error in their product. If this was your car and not a piece of software would you expect to have to pay a maintenance contract or would you expect a manufacturer product recall?

    2. Anonymous Coward
      Anonymous Coward

      Who to blame?

      Well, for one thing the NHS Trusts were given time to sort it out.

But some of the Execs decided that more pay for them (and many already get more moolah than Jeremy H) was more important so they didn't.

      The Minister could have directed them but didn't.

      IT People warned the Trusts.

      No one listened.

      Perhaps the Trust Execs and Jeremy should face the firing squad together.

      Please do this before the election. I really don't want to see his name on the ballot paper when I go to vote next month. Yes, he's currently my local MP (or temporary rep given that parliament was dissolved) I'm sad to say.

      1. John Smith 19 Gold badge
        Unhappy

        "Yes, he's currently my local MP"

        Other Parliamentary candidates are available.

        Forget what party will come to power.

        Do you want this person as your MP?

        If you don't find out who was the runner up last time and vote for their party instead.

        With the UK's political system as it is that's the best you can do anywhere.

    3. Doctor Syntax Silver badge

      "I'm not sure where I sit on this."

      Let me provide you with a cushion.

      "Microsoft is under no obligation to release patches for an OS it no longer supports without being paid."

      It sold a defective product and wants to be paid to fix it. How many other industries would get away with this being standard practice?

      1. The Mole

        "It sold a defective product and wants to be paid to fix it. How many other industries would get away with this being standard practice?"

I'd actually (controversially) venture a guess the answer is most other industries. The only exception are those where the issue is actually directly safety critical. I'm sure Microsoft would strongly claim that their product isn't intended for safety critical purposes (except perhaps Windows for Warships) and if people use it inappropriately then it isn't their fault. I've got a pair of walking boots where the seams have come apart on both shoes at exactly the same time (obviously a manufacturing or design flaw). If this had happened on a mountainside I could have been seriously injured or stranded over night, however I don't expect that the manufacturer is going to do a recall on them.

Perhaps Microsoft did act wrongly in this case and should have released the patch sooner if they knew it was actively being exploited (I've got some sympathy to this argument), but backing it up with straw men about 'other industries' isn't the argument to pick. After all, if you want to compare to the car industry the more reasonable comparison isn't handbrake problems but instead the door lock being easy to jimmy and the car to hot wire. I haven't noticed the motor industry retrofit more secure locking mechanisms to all those 80s and early 90s cars which suffer from this security issue, they just design their newer releases to be more secure.

      2. Gezza

I disagree: the principal operation of the product was to provide an O/S, which it did (rather well at the time as it happens), much as the principal operation of a car is to enable you to travel around under engine power. The bug in SMB v1 was hardly the principal operation of the software; indeed SMB V1 actually worked as it was meant to. However, it could be tricked into failing if it were deliberately fed the wrong data, much as a petrol car fails if you deliberately (or mistakenly) feed it diesel - does that make it a defective product? If a knife is used to kill a person, is that a defective product? Or a plane flown into a building?

        The deliberate misuse of a product or parts of it, to cause damage, is the issue here. Pretty much everything in the world today can be considered defective if one takes your approach.

        1. Doctor Syntax Silver badge

          "I disagree: the principle operation of the product was to provide an O/S, which it did (rather well at the time as it happens)"

One of the functions of an operating system is to provide a degree of security.* It's not like arguing that a lock is a subsidiary function of a car. And that gains even more force when one of the products was a server rather than the desktop OS.

          *Or are my expectations being warped here, coming from a Unix background?

  5. Dan 55 Silver badge

    As always in IT, back it up

    some trusts preferred to spend the money not on IT upgrades but on executive remuneration, nicer offices, and occasionally patient care

    I presume all trusts have been asked if the money they were given was enough and if they still had XP machines left afterwards then why (technical, funding, or management decision not to upgrade) and the results are available online?

  6. Anonymous Coward
    Windows

    Eh?

    Microsoft provided the patches to those who had contracted for support of XP. No hoarding.

    1. Dan 55 Silver badge

      Re: Eh?

      The same reasoning as big pharma holding monopoly drugs and making everyone pay through the nose and those that can't pay stay sick. Classy.

    2. Displacement Activity

      Re: Eh?

      Microsoft provided the patches to those who had contracted for support of XP. No hoarding.

      Errr... the point is that MS pointed the finger at the NSA for hoarding. MS selectively disclosed, and the NSA selectively disclosed. No hoarding.

      Just in case Microsoft didn't understand: intelligence agencies and hackers all round the world spend their life looking for zero-days, for their own reasons. How MS can then blame them and whine that they're 'hoarding' is beyond me. F***tards.

      1. Dave 126

        Re: Eh?

        Just wondering - would it have been possible for the NSA to have developed a patch at the same time they wrote the exploit? I'm just thinking of old movies where the moustache-twiddling villain has the poison, but also the antidote should he or his incompetent henchman mishandle it.

        I'm thinking of an image of Dick Dastardly and Mutley.

        1. TheVogon

          Re: Eh?

          "Just wondering - would it have been possible for the NSA to have developed a patch at the same time they wrote the exploit"

          They probably just disabled SMB V1.

    3. Doctor Syntax Silver badge

      Re: Eh?

      "Microsoft provided the patches to those who had contracted for support of XP. No hoarding."

      So why have they released it publicly now?

      1. dajames

        Re: Eh?

        So why have they released it publicly now?

        Methinks it may be a public relations exercise to limit the damage done to their reputation.

  7. Chairo

    Wormable holes

One lesson that should be learned from this mess: make fixes available for wormable holes, even if the OS is not officially supported any more. Once the shit has hit the fan it is too late.

    Edit: For systems that are still in widespread use, of course.

    1. Anonymous Coward
      Anonymous Coward

Re: One lesson to be learnt from this (was Wormable holes)

      ..is that if very expensive paid support doesn't net you protection, maybe free software and paying your own IT pros to support it would be cheaper,..

...and if MRI scanners don't run on penguinware, don't buy 'em till they do.

      1. Richard 12 Silver badge

Re: One lesson to be learnt from this (was Wormable holes)

        No.

        The OS of the very expensive MRI machine is completely irrelevant, because only the manufacturer can ever change any of its software.

        Airgap it.

No matter what it runs, airgap it, because it will receive very few patches and they will always be much later than a general purpose PC, because they always come via a 3rd party who is legally required to do very extensive testing.

        1. Mad Mike

Re: One lesson to be learnt from this (was Wormable holes)

          @Richard 12

If you airgap it, how do you get the images off? Today, things like X-rays and MRIs etc. pass the images etc. into your records and can be seen on screens throughout a hospital. Making them only available on a few screens near the MRI etc. is pointless.

          1. Dan 55 Silver badge

Re: One lesson to be learnt from this (was Wormable holes)

            Make sure that the XP machines cannot receive incoming connections and can only connect to one SMBv1 server.

            This machine is really a UNIX machine running Samba, only accepts incoming SMBv1 connections from the list of XP IPs and only exists to send the scans on to the right place preferably via something other than SMB like SSH.

            So hopefully that is as good as air gapped.
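The segmentation Dan 55 sketches above, written out as an added example (not code from this thread) in Python: a small policy check that answers "is this flow allowed?" for the topology described, plus the Samba and nftables fragments that would enforce it. The addresses, port numbers and config lines are constructed assumptions for illustration; the security point is that no XP console can reach another XP console or receive an inbound connection, so a worm on one scanner PC has nowhere to go but the relay.

```python
"""Policy model of the egress-only SMBv1 relay described above.

Added example, not code from the original thread. Addresses are constructed;
the Samba and nftables fragments are illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed inventory: legacy XP scanner consoles and the UNIX/Samba relay.
XP_HOSTS = frozenset(ipaddress.ip_address(h)
                     for h in ("10.20.1.11", "10.20.1.12", "10.20.1.13"))
RELAY = ipaddress.ip_address("10.20.2.5")   # Samba box, the only SMBv1 listener
PACS = ipaddress.ip_address("10.30.0.9")    # where scans end up, reached over SSH
SMB_PORT, SSH_PORT = 445, 22


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def flow(src: str, dst: str, dport: int) -> Flow:
    """Build a Flow from dotted-quad strings."""
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def allowed(f: Flow) -> bool:
    """True only for the two flows the design needs; everything else is dropped."""
    if f.src in XP_HOSTS:
        # XP consoles may open SMB to the relay and nothing else: no XP-to-XP
        # SMB, so a worm on one console cannot reach the next one.
        return f.dst == RELAY and f.dport == SMB_PORT
    if f.src == RELAY:
        # The relay only pushes onward to PACS, and not over SMB.
        return f.dst == PACS and f.dport == SSH_PORT
    # Anything else, including any inbound connection to an XP host and any
    # non-XP machine speaking SMBv1 to the relay, is denied.
    return False


def samba_global_fragment() -> str:
    """smb.conf [global] lines pinning the relay to SMB1 clients on the allow list."""
    hosts = " ".join(str(h) for h in sorted(XP_HOSTS))
    return (
        "[global]\n"
        "    server min protocol = NT1\n"   # XP only speaks SMB1 (NT1 in Samba terms)
        "    server max protocol = NT1\n"
        f"    hosts allow = {hosts}\n"
        "    hosts deny = ALL\n"
    )


def nft_forward_rules() -> list:
    """nftables forward-chain rules equivalent to allowed(); last rule drops the rest."""
    rules = [f"add rule inet filter forward ip saddr {h} ip daddr {RELAY} "
             f"tcp dport {SMB_PORT} accept" for h in sorted(XP_HOSTS)]
    rules.append(f"add rule inet filter forward ip saddr {RELAY} ip daddr {PACS} "
                 f"tcp dport {SSH_PORT} accept")
    rules.append("add rule inet filter forward drop")
    return rules


if __name__ == "__main__":
    print("XP -> relay SMB:", allowed(flow("10.20.1.11", "10.20.2.5", 445)))   # True
    print("XP -> XP SMB   :", allowed(flow("10.20.1.11", "10.20.1.12", 445)))  # False
    print(samba_global_fragment())
    print("\n".join(nft_forward_rules()))
```

The relay still has to speak SMB1, and Samba has had remotely exploitable bugs of its own over the years, so the `hosts allow` list and the firewall rules are doing the real work here, not the choice of OS on the relay. As Dan 55 says further down, a VLAN is not an air gap: an attacker who can reach the switch fabric or the relay's management plane gets round all of this.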

            1. Grunt #1

Re: One lesson to be learnt from this (was Wormable holes)

              Hopefully ?

              1. Dan 55 Silver badge

Re: One lesson to be learnt from this (was Wormable holes)

                Yes, hopefully. An attacker could get round your VLAN.

            2. cosmogoblin

Re: One lesson to be learnt from this (was Wormable holes)

              Use a CD writer, that's how I got my chest scan images. No need for any networking at all.

And don't use Windows. Or, in fact, any operating system most people have heard of. No version of Windows is rated for mission-critical use, in fact many EULAs specify that the software shouldn't be used for anything that can't be allowed to fail (I'm sure I have a DVD player somewhere that explicitly indemnifies the producers if it's installed in nuclear weapons). Windows is a general-purpose operating system, suitable (barely) for a GP's office but not for medical equipment.

          2. Displacement Activity

Re: One lesson to be learnt from this (was Wormable holes)

            @Richard 12

If you airgap it, how do you get the images off? Today, things like X-rays and MRIs etc. pass the images etc. into your records and can be seen on screens throughout a hospital. Making them only available on a few screens near the MRI etc. is pointless.

Don't airgap it; open one port, and write an app that retrieves images. Transfer with standard sockets code; it's trivial, and the comms can be done in a couple of hundred lines of standard C.

            And you wouldn't even think about running this on XP, or Win10, or whatever, and using SMB.
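The one-port image pull described above, as an added example that is not code from this thread, written in Python rather than the C the commenter has in mind. The wire format, the size caps and the sample image store are constructed assumptions. What it shows that the comment does not: the declared frame length is checked against a cap before any buffer is allocated, the server answers exactly one request per connection and drops anything malformed without a reply, and the client verifies a digest before trusting what it received. The point for the firewall discussion is that the open port then carries one message type, not a general-purpose file-sharing stack.

```python
"""Minimal one-port image pull, as sketched in the comment above.

Added example, not code from the original thread, in Python rather than the
C the commenter mentions. Wire format, limits and the sample image store are
constructed for illustration.

Frame, both directions:  4-byte big-endian length | payload
Request payload:         image id, ASCII (e.g. b"study-0042")
Response payload:        32-byte SHA-256 of the image | image bytes
                         (an empty payload means "no such image")
"""
import hashlib
import socket
import struct
import threading
from typing import Optional

MAX_FRAME = 64 * 1024 * 1024   # refuse any frame over 64 MiB, whatever the peer claims
MAX_REQUEST = 256              # image ids are short; a longer request is a bug or an attack

# Constructed store: a real server would map ids to files on disk.
IMAGES = {b"study-0042": b"\x00" * 1024 + b"constructed stand-in for a DICOM file"}


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise ConnectionError on EOF/reset."""
    buf = bytearray()
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf.extend(chunk)
    return bytes(buf)


def send_frame(conn: socket.socket, payload: bytes) -> None:
    if len(payload) > MAX_FRAME:
        raise ValueError("payload exceeds MAX_FRAME")
    conn.sendall(struct.pack(">I", len(payload)) + payload)


def recv_frame(conn: socket.socket, limit: int = MAX_FRAME) -> bytes:
    """Read one frame; the declared length is checked BEFORE anything is allocated."""
    (length,) = struct.unpack(">I", _recv_exact(conn, 4))
    if length > limit:
        raise ValueError(f"declared frame length {length} exceeds limit {limit}")
    return _recv_exact(conn, length)


def serve_one(conn: socket.socket, images=IMAGES) -> None:
    """Server side: answer exactly one request on this connection, then close."""
    try:
        image_id = recv_frame(conn, limit=MAX_REQUEST)
        data = images.get(image_id)
        if data is None:
            send_frame(conn, b"")
        else:
            send_frame(conn, hashlib.sha256(data).digest() + data)
    except (ValueError, ConnectionError):
        pass   # malformed or oversized request: say nothing, just drop it
    finally:
        conn.close()


def fetch(conn: socket.socket, image_id: bytes) -> Optional[bytes]:
    """Client side: request one image and verify the digest before trusting it."""
    send_frame(conn, image_id)
    resp = recv_frame(conn)
    if not resp:
        return None
    digest, data = resp[:32], resp[32:]
    if hashlib.sha256(data).digest() != digest:
        raise ValueError("digest mismatch: corrupted or tampered transfer")
    return data


def pull_over_socketpair(image_id: bytes, images=IMAGES) -> Optional[bytes]:
    """Run server and client in-process over a socketpair, so it works offline."""
    server_end, client_end = socket.socketpair()
    worker = threading.Thread(target=serve_one, args=(server_end, images))
    worker.start()
    try:
        return fetch(client_end, image_id)
    finally:
        client_end.close()
        worker.join()


if __name__ == "__main__":
    got = pull_over_socketpair(b"study-0042")
    print("pulled", len(got), "bytes, digest verified")
    print("missing id ->", pull_over_socketpair(b"study-9999"))
```

A client that sends an oversized request gets its connection closed without a reply, which on the client side surfaces as a ConnectionError rather than an error message; that is deliberate, since an unauthenticated peer on this port is owed nothing. The SHA-256 catches corruption and casual tampering on the wire but is not authentication: if the link itself is untrusted, the transfer belongs inside SSH or TLS, as Dan 55's relay design above has it.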

            1. Anonymous Coward
              Anonymous Coward

Re: One lesson to be learnt from this (was Wormable holes)

              @ Displacement Activity

Don't airgap it; open one port, and write an app that retrieves images. Transfer with standard sockets code; it's trivial, and the comms can be done in a couple of hundred lines of standard C.

From personal experience working in NHS IM&T I can say that the X-Ray machines that I have had exposure to come with a commendably secure and well certified application that does this, even if it runs on XP. We considered that putting a hardware firewall between it and the rest of the network with access to that sole port provided adequate security for the device's remaining lifetime.

              And the trust I worked for was *not* one that was compromised.

Frankly though, people make a mistake of considering the "NHS" as being a single entity. It's not. It's a brand and billing structure comprised of a huge number of operationally independent organisations, some of which are run well and some of which are run awfully.

This event usefully provides a census as to which are which, honestly. There is now a publicly available list of trusts that were infected because they are not taking appropriate security procedures, and are running their own improperly configured mailservers instead of using NHS Mail/nhs.net

              I say this, because I know what's blocked on nhs.net, which is the following:-

              http://www.ipswichandeastsuffolkccg.nhs.uk/LinkClick.aspx?fileticket=IE4CvEtA3OU%3d&tabid=933&portalid=1&mid=3371

              And knowing where to look...

              https://www.digital.nhs.uk/media/1486/NHSmail-confirmation-it-is-safe-to-connect/pdf/NHSmail_150517

Ergo, any trust infected was still running its own improperly configured separate mail system in preference to using the centrally provided NHS Mail system (nhs.net), probably because the trust's IT department didn't meet the criteria for getting basic account management to NHS.net. (like following processes, which is sort of backed up by these trusts getting their systems shut down by virus infections...)

              Blaming politicians for this is frankly quite pointless. I'd suggest that astute individuals might wish to consider asking some awkward and pointed questions of the heads of the trusts involved.

              1. Displacement Activity

Re: One lesson to be learnt from this (was Wormable holes)

                And knowing where to look...

                https://www.digital.nhs.uk/media/1486/NHSmail-confirmation-it-is-safe-to-connect/pdf/NHSmail_150517

                Ergo, any trust infected was still running it's own improperly configured separate mail system in preference to using the centrally provided NHS Mail system (nhs.net)

                I'm not sure that this actually came in by mail. There was an IBM guy on Radio 4 this morning saying that they'd scanned a billion (literally) mails and hadn't found any with the original infection. Is the source for the mail infection angle just one statement from Telefonica?

              2. anonymous boring coward Silver badge

Re: One lesson to be learnt from this (was Wormable holes)

"We considered that putting a hardware firewall between it and the rest of the network with access to that sole port provided adequate security for the device's remaining lifetime."

                What's a "hardware firewall"?

                Presumably they are all full of firmware that could be buggy?

                Perhaps there are some very simple, and therefore verifiable, hardware firewalls? I hope such things exists!

          3. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

Re: One lesson to be learnt from this (was Wormable holes)

I have an application that can run only on Debian 5 (it's being phased out). A good part of it are kernel modules - you would need a developer with extensive knowledge of kernel programming to update it. And the more critical an application is, the more skilled the developer(s) need to be to touch it, and the tests need to be really extensive and complete - it may not be the average PHP application to write silly stuff on the Internet.

        Working on very-device specific applications, like the equipment you can find in hospitals, laboratories, and some production lines, requires very specific skills - and the appropriate toolsets, including test rigs.

        If you have these developers, and they have an extensive knowledge of Windows and the tools they use to build those applications (usually with a complex GUI, and Linux lacks good GUI tools and libraries), the last thing you want is to start a bloodbath trying to convert them into using Linux, different libraries and different tools - and retest everything, including the supply chain - you're not going to use the first library that comes up in a google search without any kind of support.

Nor can hospitals really expect to set up development teams to support the different devices they use. First, the device makers may object to giving away all their devices' IP (which would then be known to competitors as well); second, the costs may be quite high. And if you believe they should publish the specs, ask your mobe maker to give you the full specs of the actual model and the next one....

        1. Displacement Activity

Re: One lesson to be learnt from this (was Wormable holes)

          I have an application that can run only on Debian 5 (it's being phased out). A good part of it are kernel modules... etc

          Sorry, but your post makes absolutely no sense. I really hope that you're not involved in NHS commissioning.

      3. phuzz Silver badge
        Facepalm

Re: One lesson to be learnt from this (was Wormable holes)

        "and if MRI scanners dont run on penguinware, dont buy em till they do"

        Because once something is running on linux then it'll run on any other version/distro with no problems right? It certainly wouldn't get broken by something like a CUPS update surely? And of course, no wormable hole has ever been found in a *nix based operating system.

      4. Anonymous Coward
        Anonymous Coward

Re: One lesson to be learnt from this (was Wormable holes)

        Absolutely correct. You can never trust a binary.

        Any responsible organisation, under good governance, would insist on only Open Source, to reduce the risk.

        As has been mentioned, if Microsoft was a responsible agent, it would have released the code to XP as open source, so everybody would have access to it to be able to look for the trapdoors and trojans hidden in it...

    2. Doctor Syntax Silver badge

      Re: Wormable holes

      Edit: For systems that are still in widespread use, of course.

      EYEFY

  8. redpawn

    We have the antidote available...

    Lets wait to give it to them until after they are all dead, because they haven't paid up.

  9. Lomax
    Thumb Up

    Replace Windows with an open source operating system - and replace the IT support staff with people trained on how to use it. Set all machines to automatically install security updates. Do this ten years ago. Profit.

    http://news.idg.no/cw/art.cfm?id=6785E7D1-E65A-02ED-EC3FF32BA04117C0

"By switching from Windows to LiMux, its own Linux distribution, the German city of Munich has saved over €11 million (US$14.3 million) to date compared to the costs of a similar migration to a more modern Microsoft-based IT infrastructure."

    1. Surur

      Munich city now planning to move ALL their Linux desktops back to Windows

      https://mspoweruser.com/munich-city-now-planning-to-move-back-all-their-linux-desktops-back-to-windows/

      The city’s human resources department (POR) is particularly critical of LiMux, saying that since 2006 when the POR started using LiMux and OpenOffice, later switching to LibreOffice, that “the efficiency and productivity of the POR-supported workplaces has decreased noticeably” – referencing crashes, display and printing errors.

      “Even 10 years after the start of the LiMuX migration, the users and users of the POR are dissatisfied,” says the letter, claiming that, even after updates, LiMux and LibreOffice are “far behind the current technical possibilities of established standard solutions”

      1. Paul 76

        Re: Munich city now planning to move ALL their Linux desktops back to Windows

        LiMux and LibreOffice are “far behind the current technical possibilities of established standard solutions”

        So, someone's bought Microsoft's cr*p then ? Probably cash involved.

        Either that or they play games on them a lot.

      2. Doctor Syntax Silver badge

        Re: Munich city now planning to move ALL their Linux desktops back to Windows

        "https://mspoweruser.com/munich-city-now-planning-to-move-back-all-their-linux-desktops-back-to-windows/"

        And who might mspoweruser.com be I wonder.

        1. Geriant

          Re: Munich city now planning to move ALL their Linux desktops back to Windows

          If you are dealing with a workplace filled with capable people for whom computers are tools they have to use, just TRY getting them to think about how to adapt to Libre/Open Office, Linux (any flavour) or anything even slightly dissimilar to the MS-based environment to which they are accustomed.

          As long as people retain the God-given right to never have to think about computers, elementary operational safety and basic responsibility, there is minimal likelihood that any innovation -- no matter how good -- will achieve a significant level of acceptance.

          1. Doctor Syntax Silver badge

            Re: Munich city now planning to move ALL their Linux desktops back to Windows

            "anything even slightly dissimilar to the MS-based environment to which they are accustomed."

            Which MS-based environment? They keep changing it at whim. <cough> Ribbon. Tiles.

        2. kain preacher

          Re: Munich city now planning to move ALL their Linux desktops back to Windows

          El reg did the same article.

      3. Lomax
        Facepalm

        Re: Munich city now planning to move ALL their Linux desktops back to Windows

        "Munich city now planning to move ALL their Linux desktops back to Windows"

        "the primary issues have been of compatibility; users in the rest of Germany that use other (Microsoft) software have had trouble with the files generated by Munich's open-source applications"

        "Microsoft's German headquarters has been committed to move to Munich as part of this issue"

        "The SPD and CSU proposal is based on recommendations in a report released by Accenture"

        Might have *something* to do with it.

        1. Anonymous Coward
          Anonymous Coward

          Re: Munich city now planning to move ALL their Linux desktops back to Windows

          ""the primary issues have been of compatibility; users in the rest of Germany that use other (Microsoft) software have had trouble with the files generated by Munich's open-source applications"

          Yes, it's quite amusing that by far the best and most standards compliant Open Document format compatible software at the moment is - Microsoft Office!

          ""Microsoft's German headquarters has been committed to move to Munich as part of this issue""

          That's utter bollox. Microsoft already completed moving to Munich before they even looked at moving away from Linux.

      4. Dan 55 Silver badge
        FAIL

        Re: Munich city now planning to move ALL their Linux desktops back to Windows

        Munich IT chief slams city's decision to dump Linux for Windows

        "We solve compatibility and interoperability problems by providing MS Office, mostly virtualised, at workplaces that need to work together with external offices on office documents."

        And not even that's necessary because by 2020 (the new politically-imposed switchover deadline) everything will be in the browser anyway. Office already runs in the browser with Office Online.

So it's an entirely political decision. The mayor that got MS to come to Munich wants to switch to Windows and got Accenture to write a report backing him up. I wonder if he can credibly argue for switching to an OS which routinely falls victim to ransomware attacks.

        1. Anonymous Coward
          Anonymous Coward

          Re: Munich city now planning to move ALL their Linux desktops back to Windows

          ""We solve compatibility and interoperability problems by providing MS Office"

          Translation: We give the Open Source stuff to those that don't need something that actually works.

          "because by 2020 (the new politically-imposed switchover deadline) everything will be in the browser anyway"

No - no it won't. Businesses - and councils - need database connections, macros, add ins, data exchange with other software, etc. etc and those are largely not practical in a remotely hosted web only environment.

          "So it's an entirely political decision. "

          No, it's clearly a user driven decision as per the council records. The Open Source solution didn't work well, was painful to use, and was problematic and often incompatible with other commonly used software.

      5. Anonymous Coward
        Anonymous Coward

        Re: Munich city now planning to move ALL their Linux desktops back to Windows

        "LiMux and LibreOffice are “far behind the current technical possibilities of established standard solutions”"

        Anyone who tried a serious Linux pilot knows this. That's why near zero companies and organisations have gone down the Munich route. Linux is only really an option if all you need to do is use a web browser - and whilst online office apps might work for a few selected roles, real businesses generally need a locally installed copy of Microsoft Office that can interface with other applications and run addins, macros, etc etc...

      6. anonymous boring coward Silver badge

        Re: Munich city now planning to move ALL their Linux desktops back to Windows

        "The city’s human resources department (POR) is particularly critical of LiMux, saying that since 2006 when the POR started using LiMux and OpenOffice, later switching to LibreOffice, that “the efficiency and productivity of the POR-supported workplaces has decreased noticeably” – referencing crashes, display and printing errors."

        Yes. We all know that MS systems always work perfectly. I suppose they compared with something else that exists in real life, rather than some hypothetical perfect world?

        "LiMux and LibreOffice are “far behind the current technical possibilities of established standard solutions”"

Wonder what amazing possibilities they might be thinking about? Must be one heck of an exciting administrative environment over in that MS world!

    2. anonymous boring coward Silver badge

      "More modern"? Huh?

More Kool-Aid for the reporters?

  10. Sirius Lee

    Let me get this right

You are having a pop at Microsoft for not releasing a fix for a product that reached end-of-life over 3 years ago after a decade-long warning period? Really? You are so desperate to sh?t on Microsoft you want to cane them for not fixing a product that users should have stopped using in April 2014 and should have been preparing for that change since 2005.

    Surely its much better focusing your misguided ire on the lunacy of IT managers that disable Windows update or company bosses that are inflating profits by not investing enough on the maintenance of their IT infrastructure.

    1. Mad Mike

      Re: Let me get this right

      @Sirius Lee.

      I have some sympathy, but there are plenty of industries where safety critical recalls or updates have to be done regardless of age. Take the motor industry for instance. Was this a safety critical defect? Some might say so due to the potential for it to affect safety critical systems (such as NHS).

Why should software be treated any different to many other 'products'. Why should a car with many thousands of components be expected to be bug free (at least for safety critical), but software is not?

      1. Anonymous Coward
        Anonymous Coward

        Re: Let me get this right

        No, even the motor industry won't recall cars older than n years, they are not bound to support cars made twenty or thirty years ago, probably not even fifteen.

        And this is not a safety critical defect. It's just your system is more at risk about burglary - does your car alarm system get a free upgrade since it's easier to break into them now?

        1. Paul Woodhouse

          Re: Let me get this right

          can confirm they recall at least 10 years for safety critical, my 2003 3 series went back to BM for a recall last year to get the airbag replaced...

  11. This post has been deleted by its author

  12. Anonymous Coward
    Anonymous Coward

    Those two are not going to hurt each other..

    This is at best a lovers' tiff, MS and the NSA have been working together for quite some time.

  13. Anonymous Coward
    Anonymous Coward

    Blame all round

    - Microsoft for shit coding to allow the exploit

    - Microsoft for allowing Word docs arriving by email to execute code

    - Adobe for allowing PDF files to execute code

    - NSA for finding and hoarding the exploit

    - Microsoft for not patching their mistakes

    - NHS Execs for not replacing unsupported operating systems

    - Anti-virus vendors for relying on seeing the virus first before being able to stop it

    1. lorisarvendu
      Facepalm

      Re: Blame all round

      "Anti-virus vendors for relying on seeing the virus first before being able to stop it"

      Exactly!

      Software vendors for not being able to write drivers for products that don't exist yet...

      MS for relying on seeing an exploit first before being able to patch it...

      1. Doctor Syntax Silver badge

        Re: Blame all round

        "MS for relying on seeing an exploit first before being able to patch it."

        Did they not run any static analysis tool on this code? If so did it not flag this up? And if it did, did nobody stop and think what could go wrong?

  14. alain williams Silver badge

    Blame those who did not replace ancient kit

    *all* systems are capable of being 'owned' - assuming anything else is reckless. If you use such a system then you must accept that something bad could happen; air-gapping will provide a degree of protection but not a guarantee.

    So: who uses ancient kit?

    * old desktops - no excuse; replace them

    * embedded kit (eg ATMs, Point of sale terminals, MRI scanners). How long is this expected to work for ? If the manufacturer of a £150,000 MRI scanner gives the expectation that this will work for 20 years then they *must* provide security updates for all of those 20 years - no excuses. They will provide hardware support but just shrug their shoulders when asked about operating system updates. So the needed updates do not happen and they leave their customers open to the sort of thing that happened last week. Part of the reason is that they cannot update an old operating system - they do not have access to the code to do so.

    Building long lived kit on top of Open Source software (eg Linux or a BSD) does give the maker the ability to back-port fixes to vulnerabilities. This is the only sane way of building kit that is expected to work for more than a few years.

    1. Anonymous Coward
      Anonymous Coward

      Re: Blame those who did not replace ancient kit

      I know systems that used a *certified* version of Linux and these aren't patched either. Why? Because patching would require re-certifying them: change anything, and they need to be re-certified. Backporting a patch from a much newer release would be a true no-no. Do you really believe these companies are going to employ people to backport fixes, and take on the burden of fully testing them? It may be cheaper to buy custom support from the OS vendor.

      Moreover, most free OSes have a shorter life than Windows - except RHEL, which you pay for - so you will find yourself needing to patch the OS yourself far earlier than with Windows.

      Also, it may be that software upgrades exist for some machinery, but users don't want to pay for them because they are outside the plain maintenance fee - sometimes even because new software requires users to retrain, and some don't like it at all, especially when they are physicians, and believe they have already learnt everything they need, of course, unless you offer them a two week "training course" in the Bahamas with a "significant other" (sometimes hired locally).

      1. Paul 76

        Re: Blame those who did not replace ancient kit

        The absence of a patch in Linux is much less important because it isn't coded by cretins.

        Windows 'releases' are just a new paint job and enough bodging to make hardware and software not work, coupled with lock ins

        1. Anonymous Coward
          Anonymous Coward

          "The absence of a patch in Linux is much less important"

          Enjoy the Samba security updates list...

          https://www.samba.org/samba/history/security.html

          And I don't believe they are cretins at all.

          Working in cybersecurity, I can tell you Linux boxes are routinely p0wned. Because only cretins believe they are wholly safe just because....

          1. Anonymous Coward
            Anonymous Coward

            Re: "The absence of a patch in Linux is much less important"

            "Working in cybersecurity, I can tell you Linux boxes are routinely p0wned. Because only cretins believe they are wholly safe just because...."

            Internet facing Linux server boxes are actually much more likely to be hacked than Windows ones if you look at website defacement OS stats versus market share.

        2. FIA Silver badge

          Re: Blame those who did not replace ancient kit

          "The absence of a patch in Linux is much less important because it isn't coded by cretins."

          Erm... no.

          In any pool of people, in this case programmers, half will be below average, and they tend to write shit code. Even the good ones sometimes have to 'get things done'.

          Shit coding is fairly OS agnostic, as is good coding.

          "Windows 'releases' are just a new paint job and enough bodging to make hardware and software not work, coupled with lock ins"

          Oh give it up, Windows is okay, Linux is okay, they're just software. There's some good bits in Windows and some dreck in Linux, just as the reverse is true. The days of Windows being a bug ridden graphical shell atop a bug ridden clone of a crusty old text based OS have long gone.

          As for hardware, as someone who's spent the last week recompiling Linux and various drivers to find the right combination that made 3 pieces of hardware work together I think Linux could learn a lot from a decent stable binary interface for the driver layer.

        3. Anonymous Coward
          Anonymous Coward

          Re: Blame those who did not replace ancient kit

          "The absence of a patch in Linux is much less important because it isn't coded by cretins."

          Oh right - why is it then that say SUSE Server 10 now has over 4,000 known security vulnerabilities? - That's way more than any Microsoft product ever!

    2. Anonymous Coward
      Anonymous Coward

      Re: Blame those who did not replace ancient kit

      And how, exactly, do you enforce 'if the manufacturer of a £150,000 MRI scanner gives the expectation that this will work for 20 years then they *must* provide security updates for all of those 20 years - no excuses.' ?

      In the real world, not in IT la la fantasy, the cast iron 20 year support for a £150K MRI (which btw would be a really really old second hand one at that price) would probably run to £1500K. And if you really push it, MRI Sales Plc sadly went bust last year, maybe you should think of buying a new one from MRJ Sales Plc - conveniently their phone number is the same.

      And if you build it on Open Source, someone still has to pay for the skills of someone who understands the code, with the skills to change it (and the public liability insurance policy to pay up when it goes all time machine on you and creates a vortex to the dark dimensions).

      1. Anonymous Coward
        Anonymous Coward

        Re: Blame those who did not replace ancient kit

        "And how, exactly, do you enforce 'if the manufacturer of a £150,000 MRI scanner gives the expectation that this will work for 20 years then they *must* provide security updates for all of those 20 years - no excuses.' ?"

        You make sure it's in the contract versus a defined support charge and a minimum product supported life.

  15. rvalencia

    Do you remember...

    When they said that Nadella's Microsoft would be different from the one of Ballmer or Gates...

  16. Hugh Barnard

    Time to think about monoculture. For desktop and web, most modern Linux distributions will work just as well. Push back on equipment manufacturers who embed Windows too, actually Linux or better a BSD flavour would be good business for them.

    I'm not suggesting Stallman-esque 'free everywhere', but 'Microsoft everywhere' isn't in anyone's interests except Microsoft itself.

  17. mark l 2 Silver badge

    I am far from a Windows fanboi (my day to day system runs Linux) but I actually don't blame Microsoft for hoarding in this situation. It is understandable that they wrote the patches for XP when they wrote the patches for other Windows OSes because some organisations pay for custom support for XP (like the NHS used to do) so would need it patching, or for the embedded version of XP which is still under support. They will have written loads of XP patches since it fell out of mainstream support in 2014 which have not been released to the public. They didn't have to release the patch to fix the hole being used by Wannacrypt; they could have just put out a press release saying that you need to upgrade to a supported version of Windows to get a fix.

    Even if the NHS were running Linux on their machines, if it was an out-of-date distro released 15 years ago it would likely be as vulnerable as an unpatched XP machine is today.

  18. John Smith 19 Gold badge
    Unhappy

    Microsoft being Microsoft then. Another day, another vuln to fix.

    Or in this case fix the mess left by the infection the vuln allowed.

    But TBF to MS it is a very old OS and no one should still be running it (Except apparently XP Embedded, which as others have pointed out is still being supported till 2019).

    BTW that NHS contract was IIRC part of a HMG wide contract which Hunt declined to be a part of.

    So I guess no one had to answer the question (to MS) "This is how many actual PC's run a copy of XP (either native or in a VM of some kind) in the NHS".

    "Only a couple of % minister," sounds a lot better than "About X 1000," doesn't it?

    Given the 2 apparent use cases people have been talking about that suggests 3 questions to suppliers.

    1) Since your CT/MI/Ultrasound/Drinks machine is basically an embedded system (IE with a life expectancy of decades, not years) and since you're Hell bent on using Windows why not go the whole hog and use the proper embedded Windows version, which is supported to 2019?

    2) Did it even need Windows or could it have just had a GUI that looked and worked enough like Windows that healthcare staff felt comfortable using it (IOW who cared if it couldn't run Office?)

    3) For those suppliers who haven't ported their healthcare systems to a newer OS what is stopping you? Is it the certifying authorities (if so which ones are dragging their feet), or your unwillingness to spend the money?

    In bureaucrat-speak "certification" is a process, not an event.

    It will have to happen again and again every few years.

    It seems people have trouble understanding that software can "wear out" in the sense of becoming obsolete and un-maintainable. But it does.

    This problem will keep recurring, again and again, as the next (and the next) acceptable version goes EoL.

    1. Anonymous Coward
      Anonymous Coward

      "2)Did it even need Windows or could it have just had a GUI "

      The issue is not only the GUI, even if Linux desktop development lacks good tools to develop good GUIs easily. It's all the needed libraries to develop medical applications, for example. Image processing, display, etc. They are not simple "photo viewers" or CRUD applications. And those libraries need to come from reputable suppliers with adequate support, not from the first github repo you find, developed by god knows who. Device-controlling software is not just a simple DICOM viewer, for example. It's far more complex, and controls features that can be risky.

      Hope these situations will make people creating software for such devices re-think their approach. But Linux talibans will also need to accept that there will be a lot of proprietary code in such systems - don't expect those companies to open source a lot - and that could bring everything back to square one - systems that can only be upgraded by the maker, and patches could still be an issue if any incompatibility arises...

      1. Doctor Syntax Silver badge

        Re: "2)Did it even need Windows or could it have just had a GUI "

        "don't expect those companies to open source a lot "

        No, but they do need to place their code in escrow so it can be picked up by others should they decide they don't want to support it, be taken over by someone else who doesn't want to support it or even just disappear without trace. That should be a regulatory requirement.

    2. Doctor Syntax Silver badge

      Re: Microsoft being Microsoft then. Another day, another vuln to fix.

      "2)Did it even need Windows or could it have just had a GUI that looked and worked enough like Windows that healthcare staff felt comfortable using it (IOW who cared if it couldn't run Office?)"

      Originally makers of complex kit that needed to be computer driven had a number of choices. Some would be embedded controllers with their own specialist libraries. Another would be a mini such as a PDP8 or a Nova (I remember our lab having a Nova driving the X-ray fluorescence analyser on an SEM). Back in its glory days of being an instrument maker HP made an amazing variety of these for its own products.

      The arrival of commodity computers and commodity OSs rendered that uneconomic. Any manufacturer taking the traditional route would have been priced out of the market. Even if they had they'd have ended up shipping kit that had even less long time support life - where are DEC and DG these days?

      The trouble is that as the market for complex instrumentation matures the expected life of the product exceeds that of the computing side. Back in the '70s that XRF attachment might have become obsolete before the Nova was EoL, now a piece of equipment which represents a major investment might be expected to last well beyond the period for which the OS supplier is prepared to support their S/W and the computer H/W may outlast the S/W and yet not be supported by newer OS versions. In such instrumentation systems computer H/W is liable to be closely integrated with the rest of the instrumentation. I think the XRF was using the Nova's memory to replace what might have been an array of discrete counters in an earlier generation and the post by a_builder in a previous thread detailed some of the issues in medical imaging.

      Perhaps a solution, at least with medical equipment, lies with the regulatory bodies. They could require a code escrow agreement for the OS code in order to gain approval. That would have required MS to escrow their code if they wanted to sell into that market so that someone else could take over support at EoL. For the most part FOSS already complies with that although vendors supplying drivers as binaries would need to comply or shut themselves out of that market.

      For kit that needs certification upgrades are another problem. Any upgrade to S/W that operates the instrument would need recertification. Routine OS upgrades couldn't be applied without testing against a real instrument. Such S/W needs to be buffered against the wider hospital network.

      This last event and the earlier attacks on US hospitals point to a need to reevaluate the way medical systems are certified. One aspect of this would be to require information systems, including the network facing aspects of imaging systems etc, to be re-certified every few years and part of that would be to require them to be running on S/W which was still within support life for the duration of the next certificate. That, had it been the norm, would have long ago weeded out systems that still require ancient versions of IE; it would have driven suppliers to write standards compliant S/W from the start.

  19. Grunt #1

    Windows v Linux

    Diesel v Petrol sound familiar?

    Facts not opinions are needed.

  20. beanfeast

    Never attribute to malice that which is adequately explained by stupidity

    Obviously the build lab's sysadmin hasn't heard of NTP.

  21. AndrueC Silver badge
    Meh

    "Fixing this programming blunder in the Windows codebase would have been easy to back port from Windows 8 to XP."

    An experienced programmer knows that there's no such thing as 'an easy back port'. Nor indeed even an 'easy fix'. Just like golfers know that there's no such thing as 'an easy tap in'.

    It's possible that the patch was built in February as part of the general build process but not pushed through QA because it was unsupported code. Or perhaps it was only available to those paying for extended cover but MS chose to make it publicly available because the attack was severe. Dealing with legacy 'unsupported' products is a minefield of complicated decisions. Personally on this occasion I'm prepared to give MS the benefit of the doubt and even a little praise for choosing to push the fix.

    1. Doctor Syntax Silver badge

      "It's possible that the patch was built in February as part of the general build process but not pushed through QA because it was unsupported code. Or perhaps it was only available to those paying for extended cover"

      The second comes as has been said already. But if it was only available to paying customers why release it publicly now? The only two explanations I can think of are that they realised it was the responsible thing to do or that it's an attempt to remedy a PR disaster. You can take your pick but in reality it's a case of better late than never but better never late.

  22. Wolfclaw

    No Excuses !!

    Any Government agency running Windows XP should be forced to disconnect said PC from networks or upgrade it. No exclusions, or sad stories of being poor. They have plenty of cash to waste and if they find one on the network, Execs get a big personal fine!

  23. mats

    Switch to Linux and stop moaning

    Few have done it before: https://en.wikipedia.org/wiki/List_of_Linux_adopters

    I am sure many will follow.

    Beyond who's to blame, we can not live in a Windows OS mono culture.

  24. Anonymous Coward
    Anonymous Coward

    Please move along, nothing to see here.

    The KB 4012598 for XP was part of the Security updates for Windows Embedded Standard - April 2017 (X21-42257.img), downloadable on 21 April.

    The Digital signature was stamped on February 12.

  25. Hans 1
    Happy

    WinXP fix February ?

    Sue the shit out of MS!

  26. Simone

    Is there hope... ?

    As you say here, I'm getting the popcorn. I listened to the coverage of this disaster last weekend, with increasing rage over the comments made with apparent lack of proper facts and the self righteous claiming that people taking a risk deserved their punishment. I tried to find some facts, and struggled. It does seem that there is a large pile of reasons why this happened, many of which can be attributed to "it costs too much to do it properly, and we would be driven out of business by our competitors" or to "if I do it properly, my boss will 'tell me off' and I need this job". Link that to the large number of people involved in this environment and it is no wonder there are so many excuses around.

    I am getting the popcorn because I think it is time to wake up and realise what has put us in this position, and how difficult it is going to be to sort it out. Consider these; find facts if you have time:

    * For years, software has been seen as a cheap way to provide functionality that used to be mechanical or electronic. It is hard to write robust software, even harder to predict problems that might appear years later, when the writing and testing tools have improved.

    * We have been taking shortcuts in software education, because we needed so much software that having 10 people who could write bad 'working' code is better than 3 people who write 'safe' code.

    * Salaries are so high, because of the shortage of developers; and support contracts are expensive; the only solution if you cannot get your own team for support.

    * Support contracts explicitly forbid changes to the software, and charge a lot for making the changes under the contract.

    * Support contracts are accepted by 'managers' because they don't know better (or, think they do know better), then cannot change them easily or have to go to court.

    * Third party suppliers write code on top of other systems or using libraries, then those are changed by the owners and the third party software is 'quickly fixed' so it works again.

    * Software companies issue updates that fix bugs, but also extend functionality or add unwanted features, because that makes it more attractive to non-users but more vulnerable to existing users. You cannot choose bug only updates because that would need too many branches in the codebase.

    * Software companies have to add functionality or they can no longer sell it, because similar software does have these features.

    * Some industries require the software they use to be certified to some law; the certification rules mean software cannot be upgraded, and those rules need a change of law before being changed.

    * We are increasingly reaching the point in all technologies where the mechanical elements of a machine still last for 10 years, but the software is out of date in 2 years. It costs extra to code a machine control system so that it can be upgraded; focus on selling a new machine instead, leaving your users with unsupported machines.

    * We are reaching the point where fashionable things have replaced durable things, and fashionable things need to be changed quicker, and be cheaper each time, or they will not be saleable. Nobody seems to have the time or money to understand what they want from their gadget, and does not consider what they need to do to replace it for the next one.

    * Practices and mistakes by software companies are undermining confidence of their users, who then don't trust what those companies say. It is easier to search for a simple and often wrong alternative view, then believe "you know better".

    So, it is expensive to run a software system. It is not always easy to change it, nor is it possible to see the future. Software and support companies have you where they want you, and you are stuck. Still worse, you don't have the power to change things. Fix that!

  27. damon66

    Everyone seems to be commenting as though this is an issue about upgrading Windows and doesn't comprehend the challenge within a health environment.

    I worked for a number of years in a healthcare IT environment and when I left (about 5 years ago) there were still Windows 95 laptops in use.

    Why?

    Because they were connected to specialist monitoring devices to either programme them or record data from them to then print. The software or drivers for these monitoring devices was only supported on Windows 95 (believe me I tried Windows 2000/XP etc and it would not work). Each of these monitors cost between £30-50k to replace. So the cost to upgrade 12 Windows 95 machines was almost £500k because the monitors needed to be replaced.

    The decision was taken whilst the monitors were still serviceable to keep computers running Windows 95 but simply isolate them from the network, when electronic patient records came along this meant printing the results from the Windows 95 machine and then scanning them in on another to upload into patient records.

    A Windows Upgrade in such a bespoke healthcare environment is not simple!

  28. Eduard Coli

    Just as planned

    Citizen 4 showed us that M$, Apple, Facebook and all of the rest of the usual suspects were on the dole to provide spook + dog custom built back doors. M$ and all of the others should be dragged before the beak for selling a hobbled product.

  29. davidp231

    Umm...

    Windows 8 RT (64-bit x86): Feb 13, 2017

    Windows 8 RT (32-bit x86): Feb 13, 2017

    I thought RT was the ARM version....

  30. JJKing
    FAIL

    Silly analogy

    A brake fault is today discovered on a 1957 Ford Edsel. Reckon Ford will do a recall, or laugh ruefully at the memory of bygone days?

    Silly analogy. With hardware that old I am pretty sure I could jerry rig some modern bits and pieces to make the brakes reliable.

    With software, it takes a little bit more and considering MS wrote the code and left the bloody hole then they should have supplied a fix for zero day exploits regardless of the age of the software. Yes, even for DOS.

    1. CrysTalK

      Re: Silly analogy <indeed>

      "With software, it takes a little bit more and considering MS wrote the code and left the bloody hole then they should have supplied a fix for zero day exploits regardless of the age of the software. Yes, even for DOS."

      With software, it would be impossible for a third party to create a fix and sell them. First, creating a fix requires disassembly which is illegal, and selling fixes for a software you don't own is illegal too. Very different in the world of automobiles where any third party can create a fix or a performance kit for profit.
