Sounds about right

This week it was suggested that 90 per cent of NHS trusts in the UK were using Windows XP – a 16-year-old operating system. Security experts said that computers using operating software introduced before 2007 were particularly vulnerable, leaving many NHS systems at risk.

Not, perhaps, that they should be using it, but that they are.

As with the London Hydraulic Power Company which was still powering a factory or two into the 1960s (they transmitted power around using tubes filled with compressed something or other), there’s a hell of a lot of ballast in an economy. The leading edge might change quickly but the whole of it can take up to a century to shift.

Ross Anderson, professor of security engineering at Cambridge University’s computer lab, said the incident is the “sort of thing for which the secretary of state should get roasted in Parliament.

“If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, then whose fault is that?” Mr Anderson told The Guardian.

And ain’t that just the problem with the political control of something? Even patching the P~Cs becomes a political matter.

27 thoughts on “Sounds about right”

  1. So Much For Subtlety

    I have always regretted the decline of the London Hydraulic Power company. The idea of a Steam Punk hydraulic network across town is appealing. A shame better technology came along.

    But it is nice to see the people who consider themselves our Elders and Betters doing so well with technology. These are people who want to put everyone’s medical records – every visit to the psychiatrist, every foreign object removed from an unusual place, every unusual rash, every abortion – on the internet. Is Windows XP even supported any more?

  2. People are still using XP because Vista was crap and 7, although it worked, required a significant improvement in the kit you ran it on. 10 is not really materially different in that effect.

    But, let’s be honest, it’s not as if NHS IT is under-funded. Enormously inept spending of the money perhaps, but they’ve been burning bundles of cash for a decade.

  3. I sort of have some sympathy with the NHS. I have a netbook runs on XP. Because I periodically reinstall the OS from the disc image, it’s not even the latest issue. The only upgrade has been a bit more memory & a solid state drive, so it boots like lightening. Oh & I’ve a stack of spare batteries, so it can operate independent of mains power for days, if necessary.
    And that machine does anything I need to do perfectly well. XP’s a lovely O/S. The final incarnation of NT. Stable. Relatively transparent. If you just install the bare bones, very compact.
    It’s probably exactly what the NHS needs to run its IT.
    But M/S insists on that bloated heap of shite, 10. Which requires twice the memory, half the hard drive & three times the processing speed. To do exactly the same things very badly..

  4. BIS

    All true, but surely the killer fact is that Microsoft don’t provide security updates for XP.
    Or am I wrong on that?

  5. The public sector, education and charities often get very large discounts on their software from the big vendors.

    The price you or your company pays is often multiples of what the folks above have to pay. Multiples!

    Microsoft is particularly generous, running special licensing and subscription programmes. Google “Microsoft government pricing” .

    Something to think about when the NHS claims it can’t afford stuff. It doesn’t need to contend with the prices business pay. Not even close.

  6. @polidorisghost

    Yep, correct, XP’s not been supported for a couple years. Vista’s just dropping off.

    7 has a few more years of “extended support”, so they’ll patch the security holes that don’t require too much work.

  7. @polidorsghost

    AFAIK Microsoft still provide (expensive) support for business users of XP, but the average punter lost support some way back.

    Microsoft have been pushing Windows 10 for all its worth; the thinking seems to be that they want to move users over to renting rather than buying an OS, a bit like Office vs Office 365.

    I’m surprised the NHS hack didn’t happen much sooner. It’s an open goal. Likewise the rest of

  8. To blame the Secretary of State for the stupidity, laziness and carelessness of the people running individual Trusts and NHS organisations is absurd, Labour or Tory.

    But that is another reason why these people like State control of their organisation – when the inevitable fuck up occurs, there’s always a scapegoat there to take the flak. The job’s safe lads, trebles all round!

  9. @cynic
    It’s not necessarily the cost of the O/S that’s the problem. It’s having to replace every machine, install all the software & files on the new ones, get it all to work …

  10. The problem isn’t so much the OS, as the business-critical bespoke software that gets run on the OS — that’s why it takes an age for anything to get updated in an “enterprise” environment : months spent on pilot projects making sure that nothing gets broken because it relied on accidental quirks that got fixed. Steve Bellovin’s take on this here —

    WinX is actually not bloated (yet) — I’m running it on 10+ year old kit that came with Vista originally, and it’s generally all around more performant after the upgrade, even having done regular re-pavings over the intervening years to clear up accumulated crud.

  11. @BiS

    Fair point to raise. I ran a project doing that. The XP machines weren’t replaced, as the only upgrade that was maybe needed sometimes was the RAM.

    For regular office use, it’s been years since we’ve worried about the CPU spec.

    There’s also disk imaging software that makes reinstalling the whole machine a matter of minutes from a clone.

    Said clone software also sold by one of those companies that offered non-corporates yuuuge discounts.

    The Sage also makes a good point: I did have a tiny number of cases where that freebie XP Mode thing was needed, where a local XP VM is run.

    It’s gonna be really interesting finding out how they got in this mess.

  12. When I left an NHS trust in 2013 most machines were XP still, plus some truely ancient stand alone machines hooked to lab equipment (I remember having a clear out and finding a cabinet full of 5 /2″ floppies with old testing results on!)

  13. Cynic, I doubt we’ll ever find out what happened, since the results of the six separate enquiries will all be different, (though most will in some way blame ‘evil tory cuts’.

    As for who is to blame for this; Well personally I would blame the evil scrotes who deliberately infect other peoples PCs with destructive malware, and in this case if I found them I would charge them with murder and publicly hang them by the balls from Westminster bridge.

    The bastards may have cost lives, but they certainly cost us a great deal of money and their psychopathic desire to shit on the rest of us deserves the ultimate punishment.

  14. What’s the problem? Most of the answers are on here! Rebuild the workstations and get on with it. The data is on the servers, not the workstations, so not compromised. Suppose they might want to look at the spam filters on their mail servers. Move on. Nothing to see here. This kind of scam is best aimed at individuals. If a corporate falls for it they deserve to fail.

  15. Disclaimer: this is just more heresay, 2nd hand and anecdotal, but I trust the source and it is worth posting for more context.

    A friend of mine worked in IT for the NHS a few years ago. Still single figures, I think, so recent enough.

    He span me such a tale of woe, waste, nepotism and malingering that I encouraged him to either blog about it or write a diary so he could tell the public about it one day. The latter option being the safer one, like some coppers do when they’ve had enough.

    It was so stereotypically public sector that for many it would be hard to believe.

    Some examples:
    – New kit piled up unused for years in cupboards, as they made sure they spunked the whole budget.
    – Staff had iPhones, Androids and Blackberries at the same time.
    – People off work half the time with “stress”.
    – Manager hired her girlfriend who wasn’t any good at IT.

    I wish he had written and published a warts n’ all account.

  16. He’s a Good Thing, Ross Anderson, but he did spend 1998 and 1999 trying to alarm the world about the Millennium Bug.

    Still, nobody’s perfect.

  17. Expecting a large and varied organisation like the NHS to be up to snuff on IT security is asking a lot. Certainly the IT part of the organisation should be aware of it and should be flagging risk issues upwards. As others have said, retaining XP is not necessarily a bad decision but if you do that, you need to consider and mitigate what additional risk it brings. Stuff like minimising volume shares, or making them read-only. Good backup strategy regularly tested so you have something to recover from. Reading El Reg, it seems that only a dozen or so trusts were hit & that suggests some trusts are better than others at this game.

    Of course Microsoft is always going to be the main target for this kind of activity so IT ought to be seriously considering alternatives from time to time. You may be stuck with it on the desktop for all sorts of reasons but that doesn’t necessarily apply in the server domain.

  18. Another relevant anecdote, while we’re on my home turf.

    I worked briefly for a charity early in my career. They had rooms full of glitchy, slow, crashy NT4 machines.

    The charity had licences for Win2000 and some disk cloning software. The folks already working there couldn’t be arsed to use them and for just did the bare minimum to get by. And took lots of sickies.

    There were weekend shifts when it was quiet, so the new boss gave new me the thumbs up to get cloning. A room or two at a time, they got clean builds of Win2000 and ran far better (whether that’s 2000 vs NT or just the clean build, I was too much of a noob to know. 2000 was just a lot easier to install). Faster and far fewer crashes, anyway.

    Now when a machine went wrong, we just re-cloned it in minutes rather than faffing about trying to understand why. Major de-skilling, but it’s whether the machines work or not that counts.

    As a result of this, I quickly became very unpopular with my colleagues and moved on within a year.

    I wonder if the NHS has some of that going on.

  19. Sorry about all the typos, BTW.

    Though slagging off the NHS while spelling “hearsay” a bit like “heresy” is kinda appropriate!

  20. “While capitalism has a visible cost – profit – that does not exist under socialism, socialism has an invisible cost – inefficiency – that gets weeded out by losses and bankruptcy under capitalism. The fact that most goods are more widely affordable in a capitalist economy implies that profit is less costly than inefficiency. Put differently, profit is a price paid for efficiency.”

    per Thomas Sowell, a black guy, the wrong kind, ie, not socialist

  21. About 10 years ago our local Canadian NHS rented an oxygen generator for my dad from a private supplier. I googled the machine up when I saw a monthly bill for over $200 from the rental company at dad’s house marked paid by the government.

    The machine was available at for just over 1,000.00. 5 month payout, fabulous.

    I was pissed off at the waste and called the rental company to ask why so much. “Service and maintenance” I was told. I expressed doubt, having never seen a serviceman, and the late middle aged female administrator I was speaking to asked why, I told her I thought here was fraud going on, and she pretty much agreed but asked me not to quote her.

    Computers, oxygen machines, any damn thing, I expect the NHS pays 3 times the price for printer paper than I get by heading for Staples when they have a sale. Fraud and stupidity.

    Don’t know about the UK, but over here in Canada much of the country’s small businesses are run with a jovial iron fist by thin, lined, energetic, strong minded, late middle aged women who smoke a lot, have whiskey-gravelly voices, know more about the business than the owner and have an extraordinary work ethic. Over there too?

  22. In April 2014, the government paid Microsoft £5.5m to support XP for another year.

    In April 2015 the government decided not to extend the agreement, on the grounds that although the NHS (and the Met) were still using XP, they shouldn’t be.

    It turns out that if you take decisions on the basis of how things ought to be, rather than how they are, stuff can go wrong.

  23. Keeping XP if it’s the only OS compatible with your medical thingummyjig seems perfectly sensible. It’s connecting anything mission-critical in a hospital to the internet which is stupid, even with the latest patched version of whatever.

Leave a Reply

Your email address will not be published. Required fields are marked *