Sylheti
Posts: 28
Joined: Sat Jan 23, 2016 10:54 pm

NHS attack on WinXP; would an RP be safer?

Sat May 13, 2017 11:51 am

Dear All,

Does anyone work in or for the NHS to help comment?

NHS has been attacked by WannaCry due to unpatched/clunky/susceptible Windows OS.

Asking a frontline NHS doctor, her main functions are:
- Access to patient details, bookings, history
- Blood investigation requests and results (she says is the hardest)

BBC reporter, Chris Foxx, explains:
Many jobs can be done using software everyone can buy, but some businesses need programs that perform very specific jobs - so they build their own.
For example, a broadcaster might need specialist software to track satellite feeds coming into a newsroom or a hospital might need custom-built tools to analyse X-ray images.
Developing niche software can be very expensive: programming, testing, maintenance and continued development all adds up.
Then along comes a new version of Windows, and the software isn't compatible. Companies face the cost of upgrading computers and operating system licenses, as well as rebuilding their software from scratch.
So, some choose to keep running the old version of Windows instead. In some businesses, that's not a huge risk, but in a hospital the stakes are higher.
A few thoughts here:
- It's my understanding for general database driven applications e.g. patient records, bookings; could be migrated to web-based apps and accessed via a browser.
- Same can be applied to communication applications: email, chat, general file access.
- For specialist, critical software such as for X-Rays; perhaps these still require their older OS's. These could in theory be segregated off the network with their files securely uploaded to an internal shared server e.g. via SCP

So, here's an idea:
- Migrate all non-critical database driven apps, and communication apps, to web-based apps; then one can simply use a compatible browser: phone, tablet or even a Raspberry Pi
- Isolate specialist critical software off the network whilst providing a safe conduit to transfer necessary files
- If a Raspberry Pi was then used instead of WinXP for current Desktops (with a monitor and keyboard); surely this would be a lot more secure?

Many Thanks,
Ehsan

bensimmo
Posts: 4182
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: NHS attack on WinXP; would an RP be safer?

Sat May 13, 2017 12:38 pm

That's comparing a modern Debian Jessie OS with an old WinXP OS.
It's the risk you take using old unsupported Operating Systems.

Though I don't know the ins and outs of the attack.

But I do know the task of redoing the NHS systems is huge (as I know somebody that was offered the task for an authority and after looking into it declined, it's one of those systems where nothing works with anything else and each place has chosen a different setup. Basically it would never work in the way they wanted.)


While solutions are possible, money to set these things up and every place wanting to use it tends not to be.

fruitoftheloom
Posts: 20907
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: NHS attack on WinXP; would an RP be safer?

Sat May 13, 2017 1:59 pm

viewtopic.php?f=62&t=183555

Yes running a Linux or Unix System would be more secure.
Retired disgracefully.....

DougieLawson
Posts: 36312
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: NHS attack on WinXP; would an RP be safer?

Sat May 13, 2017 2:04 pm

fruitoftheloom wrote:viewtopic.php?f=62&t=183555

Yes running a Linux or Unix System would be more secure.
But not when the organisation running the service stops spending our money on IT. They were told by Microsoft about the vulnerability but chose to leave their "corporate" platform running an unsupported and unpatched configuration. When you're that lax with things then even Linux won't have as much benefit as you're postulating. An unsupported and unpatched Linux is almost as much at risk as unsupported and unpatched Windows.

We should sack both the home secretary and health minister and replace them with some folks who aren't 100% clueless and incompetent.

Raspberries are not immune in the hands of morons https://scotthelme.co.uk/nomx-the-world ... -protocol/
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

jdb
Raspberry Pi Engineer & Forum Moderator
Posts: 2120
Joined: Thu Jul 11, 2013 2:37 pm

Re: NHS attack on WinXP; would an RP be safer?

Sat May 13, 2017 4:04 pm

Moved to OT
Rockets are loud.
https://astro-pi.org

mikerr
Posts: 2781
Joined: Thu Jan 12, 2012 12:46 pm
Location: UK

Re: NHS attack on WinXP; would an RP be safer?

Sun May 14, 2017 4:29 pm

Interesting there is a distro for this:

NHSbuntu which as its name suggests is ubuntu based:
https://www.nhsbuntu.org
Android app - Raspi Card Imager - download and image SD cards - No PC required !

r3d4
Posts: 967
Joined: Sat Jul 30, 2011 8:21 am
Location: ./

Re: NHS attack on WinXP; would an RP be safer?

Sun May 14, 2017 5:27 pm

DougieLawson wrote:
fruitoftheloom wrote:viewtopic.php?f=62&t=183555

Yes running a Linux or Unix System would be more secure.
But not when the organisation running the service stops spending our money on IT. /
While that is true, I can't help wonder who in their right mind lets XP on the internet?

It's almost as if it is designed to break!

hippy
Posts: 6079
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: NHS attack on WinXP; would an RP be safer?

Sun May 14, 2017 5:28 pm

It is not so much whether it can be done, but having the will, plan and money to do it.

I doubt many will believe the Home Secretary or anyone else when they say everything had been done to prevent or mitigate such an attack. Such claims should be put under scrutiny and this should be a wake-up call for what happens when that isn't done.

The problem I see - no matter what the solution - is that huge undertakings often fail, take longer than planned, cost far more than expected, often fail completely, or fail to deliver as promised. One of the reasons for that is it is rarely 'just fix it', but seen as an opportunity for cost savings and doing more than just that.

One thing to remember is that this was not unexpected; it was entirely predictable, just waiting to happen. It did not have to happen; it was allowed to.

If the best thing to do is to move towards a thin client solution then it would probably be best to choose one which is most secure, something very tightly locked-down with OS and software in hard to remove and update memory.

An off-the-shelf Pi may be a front-runner on grounds of cost but it's not necessarily the best solution beyond that. A new format Pi, embedded storage, in-built mains supply, boxed with connectors on the back, might be a good option.

DougieLawson
Posts: 36312
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: NHS attack on WinXP; would an RP be safer?

Mon May 15, 2017 8:33 pm

Do you really want to a) rewrite every application to run on Linux? b) trust mission critical systems to the life and loves of an SDCard? For a service that doesn't have enough money to pay for more nurses needed to care for patients.

The Raspberry is a tempting prospect but it brings just as much with it in terms of risk of failure as the failing WinXP junk they're running.

Whatever system the NHS runs needs to be reliable, stable and frequently patched. It doesn't work when it's seen as a buy it and forget it capital cost. It needs a budget for periodic updates of both hardware and software and a policy that removes systems from the network that are running the right level of software maintenance. They also need to work harder at running intrusion detection, virus scanning, closing ports that don't need to be opened and all the related stuff that should be business as usual.

We all get annoyed when you get the virus scanner churn, the Windows auto update churn and such-like on our work laptops (I've had that in the past that left the system unusable for an hour), but as long as I get paid to twiddle thumbs while that stuff happens I won't be unhappy.

Heater
Posts: 13611
Joined: Tue Jul 17, 2012 3:02 pm

Re: NHS attack on WinXP; would an RP be safer?

Tue May 16, 2017 6:42 am

Whoever thought it was a good idea to build critical infrastructure based on the products of a toy company in a foreign country?

It's not like people have not been warning against this for decades:
https://opensource.com/resources/what-open-source
http://www.fsf.org/
Memory in C++ is a leaky abstraction .

RaTTuS
Posts: 10487
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: NHS attack on WinXP; would an RP be safer?

Tue May 16, 2017 6:57 am

AIUI most of the machines that were affected were not XP - the NHS has some XP but most of the front facing ones are not, the XP ones are running software that does not have later versions like for scanning equipment etc..
some NHS trusts were not affected at all - this sounds more like an IT problem - patches not installed as and when ...

the NHS could not move to Linux without massive costs
something has to be done but it is not a simple move.

see also other large companies in 150 other countries
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

hippy
Posts: 6079
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: NHS attack on WinXP; would an RP be safer?

Tue May 16, 2017 9:29 am

Heater wrote:Whoever thought it was a good idea to build critical infrastructure based on the products of a toy company in a foreign country?
I am not sure who you are calling a "toy company" or how products originating in foreign countries is an implicit problem. Unless one has home-grown products which are as good or better; going home-grown would appear to carry equal or greater risk.

sarahgad
Posts: 30
Joined: Fri Jan 20, 2017 12:07 pm

Re: NHS attack on WinXP; would an RP be safer?

Wed May 17, 2017 10:26 am

My colleague uses Linux while I was using Windows 7. He is sitting with ease right now, and I am figuring out how to recover my files.
Linux is a way more secure option to use.

thagrol
Posts: 1889
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: NHS attack on WinXP; would an RP be safer?

Wed May 17, 2017 10:55 am

sarahgad wrote:My colleague uses a Linux while i was using a windows 7. He is sitting with ease right now, and i am figuring out how to recover my files.
Linux a way more secure option to use.
This is a fallacy. Just because something hasn't been attacked doesn't mean it can't be. Operating systems of whatever flavour are hugely complicated beasts that are impossible to fully test prior to release. The reality of the situation is that many bugs are only found once the software is in the wild and if nobody tells the producer (I'm looking at you NSA) they can't fix them.

Windows gets attacked not because it's inherently more insecure, but because the potential reward is so big when compared to the risk and effort of doing so. For the same amount of effort expended the return from attacking other platforms is much smaller simply because there are a lot fewer of them.

There is only one way to make a computer 100% secure: never switch it on.
Attempts to contact me outside of these forums will be ignored unless signed in triplicate, sent in, sent back, queried, lost, found, subjected to public enquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters

r3d4
Posts: 967
Joined: Sat Jul 30, 2011 8:21 am
Location: ./

Re: NHS attack on WinXP; would an RP be safer?

Wed May 17, 2017 12:00 pm

sarahgad wrote: Windows gets attacked not because it's inherently more insecure, but...
:shock: :? :o
Legion2000 | rot wrote:vDRINjHDA9Am5w57ldtbfxIENDSe/ts8QTz1uNkJOzk/0oy4z0zrgZ+VZ39W
lV5zho0vr1UEYRkC7yIWrmOGlEelI3gQi6H3BVC

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 23876
Joined: Sat Jul 30, 2011 7:41 pm

Re: NHS attack on WinXP; would an RP be safer?

Wed May 17, 2017 12:06 pm

thagrol wrote:
sarahgad wrote:My colleague uses a Linux while i was using a windows 7. He is sitting with ease right now, and i am figuring out how to recover my files.
Linux a way more secure option to use.
This is a fallacy. Just because something hasn't been attacked doesn't mean it can't be. Operating systems of whatever flavour are hugely complicated beasts that are impossible to fully test prior to release. The reality of the situation is that many bugs are only found once the software is in the wild and if nobody tells the producer (I'm looking at you NSA) they can't fix them.

Windows gets attacked not because it's inherently more insecure, but because the potential reward is so big when compared to the risk and effort of doing so. For the same amount of effort expended the return from attacking other platforms is much smaller simply because there are a lot fewer of them.

There is only one way to make a computer 100% secure: never switch it on.
I believe Windows IS inherently more insecure due to its design and maintenance regime, but happy to be proven incorrect.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I think it’s wrong that only one company makes the game Monopoly.” – Steven Wright

hippy
Posts: 6079
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: NHS attack on WinXP; would an RP be safer?

Wed May 17, 2017 12:16 pm

sarahgad wrote:Linux a way more secure option to use.
I would tend to agree, but I do wonder if there is someone sat in NSA HQ or elsewhere smiling to themselves; "if only they knew what we know".

fruitoftheloom
Posts: 20907
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: NHS attack on WinXP; would an RP be safer?

Wed May 17, 2017 12:30 pm

hippy wrote:
sarahgad wrote:Linux a way more secure option to use.
I would tend to agree, but I do wonder if there is someone sat in NSA HQ or elsewhere smiling to themselves; "if only they knew what we know".
The Windows NT Kernel which is used in Windows XP and later dates back to IBM OS/2 and could have been a good OS but MS wanted too much convergence with DOS / Windows so yes I would agree that even 25 years it is an insecure OS....

thagrol
Posts: 1889
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: NHS attack on WinXP; would an RP be safer?

Wed May 17, 2017 12:50 pm

hippy wrote: I would tend to agree, but I do wonder if there is someone sat in NSA HQ or elsewhere smiling to themselves; "if only they knew what we know".
Almost certainly. And if not the NSA, then GCHQ, Mossad, some dingy back room full of criminals, etc

bensimmo
Posts: 4182
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: NHS attack on WinXP; would an RP be safer?

Wed May 17, 2017 1:03 pm

To be fair they stopped supporting (normal) Win7 over two years ago though it is still on long-term security support.
Upgrade was to Win8/8.1 or 10.
If they didn't do that then it's not all Microsoft's fault.
While there are security updates and there was one for this with Windows7, it should not have been a problem, but it does assume you install them!
As with all Operating Systems if you don't let security updates install you are at greater risk.


My Android (Linux based) devices from Win7 end of life era are potentially vulnerable because there is no support available to them and no OS upgrade path.

At least Microsoft doesn't leave you high and dry until long after you should have updated.

I get lost in Linux land with all the distributions that come and go, but is the Debian WinXP era still supported?
What about Vista era?

It's a popular target as they have a large consumer money base.

thagrol
Posts: 1889
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: NHS attack on WinXP; would an RP be safer?

Wed May 17, 2017 1:14 pm

jamesh wrote: I believe Windows IS inherently more insecure due to its design and maintenance regime, but happy to be proven incorrect.
Maybe you're right, maybe I am. I don't think there is definitive hard evidence either way. And like you I'm willing to be corrected.

I guess my real point is that the belief I've seen expressed all over the internet the last few days that Windows=bad, Linux/MacOS/Unix=perfect is, at best, mistaken and at worst downright dangerous.

Regardless of platform if the software producer doesn't know about the vulnerability they can't patch it. If the end user/admin doesn't apply the patch they remain vulnerable.

In this specific case, though the issue is in Microsoft's code, I feel the responsibility ultimately lies with the NSA: firstly for not disclosing it until it escaped into the wild, and secondly for allowing it to escape.

peterlite
Posts: 720
Joined: Sun Apr 17, 2016 4:00 am

Re: NHS attack on WinXP; would an RP be safer?

Thu May 18, 2017 6:29 am

Windows, OSX, Android, Chrome, all have proprietary code with no independent code checks.

Somebody mentioned NT. NT was supplied with an optional IE that nobody installed and NT ran forever without problems. Then Microsoft made IE compulsory by locking IE code into the NT core. NT with IE crashed every two hours just like the other versions of Windows.

Ronaldlees
Posts: 294
Joined: Sat Apr 16, 2016 4:28 pm
Location: North Carolina, US

Re: NHS attack on WinXP; would an RP be safer?

Mon May 22, 2017 7:42 pm

Yes, I read too that it was not so much XP, but Win7 that was the major break point.

I think that commercial software is held in higher esteem than open source (often hobbyist) built software. There is the thinking that big corporations spending big money on code makes it better. But, companies always look at the bottom line. The hobbyist doesn't. Commercial software companies are under pressure to build workable code in as short a time period as possible, in order to maximize the bottom line. The hobbyist can take twenty years to build an OS, out of a labor of love (see visopsys.org).

Likely, more time is spent analyzing, recoding, and testing open source projects than commercial projects. Then there is the question of the talent employed. There is the thinking that the big corporation employs the best, brightest, etc. Nope. They hire what they think it takes to get the job done. And you know what? Oftentimes those commercial coders go home and work on their "hobbyist" open source software projects, spending more time than at work, and doing it on weekends and holidays.

Hobbyists indeed!
I am the Umbrella man

bensimmo
Posts: 4182
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: NHS attack on WinXP; would an RP be safer?

Mon May 22, 2017 7:55 pm

Isn't that just because there are (far) more Win7 setups than WinXP (but it also shows how many people do not patch regularly, as Win7 has had the security fix on the security updates for two months)?
XP was just the NHS headline iirc in the UK.
Many more around the world.

The other part is this was an old obsolete SMB protocol for part of it, where the newer SMBv3 should have been in use for many years.

Microsoft Security has a lot of details iirc and an interesting read.

Have they worked out (or announced) where it started yet?

Ronaldlees
Posts: 294
Joined: Sat Apr 16, 2016 4:28 pm
Location: North Carolina, US

Re: NHS attack on WinXP; would an RP be safer?

Mon May 22, 2017 8:23 pm

bensimmo wrote:Isn't that just because there are (far) more Win7 than setups than WinXP (but it also shows how many people do not patch regularly as Win7 has had the security fix on the security updates for two months? ).
XP was just the NHS headline iirc in the UK.
Many more around the world.

The other part is this was an old obsolete smb protocol for part of it, where the newer smbv3 should have been in use for many years.

Microsoft Security has a lot of details iirc and an interesting read.

Have they worked out (or announced) where it started yet.
Yes, I'm sure it's a matter of the number of machines running each of the different OS versions. XP would be pretty sketchy, unpatched, and connected to the internet these days! There it is, sitting back in a corner somewhere, scanning this or that thing, but largely forgotten about, and in spite of no available patches, still doing its job. Maybe patched in 2001? Just kidding. But, food for thought.

Then again, I had Windows 95 connected to the internet a couple years ago, just for grins.
