Three Take Advantage of Windows Flaws to Attack Hospital

3 accused of inducing ill effects on computers at local hospital

By Maureen O'Hagan
Seattle Times staff reporter

http://seattletimes.nwsource.com/html/localnews/2002798414_botnet11m.html

 

Sounds far more like incompetent I.T. people at the hospital rather
than the fault of the O.S. that they are running.

 

it takes two to tango ...

 

That's silly.
You can't just dismiss the problems of the OS just because there are
some ways around the problem -- the holes are still there and need to
be protected.
In other words, there can be more than one fool for any problem.
Don't feel compelled to blame just one person.

 

In Mitch spewed forth:

Any network left open to that kind of vulnerability has only it's
administrators/operators to blame.

 

Really? No matter what OS they have, it's their fault, and the software
producer can never be blamed in any way?

I disagree strongly.
Microsoft sold a product with significant problems in it. Who is to
blame for that? Doesn't it make them necessarily included in ALL blame
related to those problems?
Worse, many are KNOWN problems, and things that could be fixed if
Microsoft went to the effort. Yet they often don't bother.

I'll give you an example of what I mean:
Let's say a guy leaves his car unlocked, then someone steals it.
He was negligent in not vigilantly protecting his property. But the
CRIMINAL is the person that takes the car.
Now, say the car was provided without any way to lock it. A normal car,
it just doesn't come with locks. You would include the car maker in the
blame, wouldn't you? You could say the owner is responsible for
building in new locks, but that doesn't mean the car maker doesn't get
any blame.

So there are three people who contributed to the problem: the car
maker, who provided no way to secure the car in spite of a known need
to do so, the car thief, who committed the actual crime, and the
negligence of the car owner.
The thief is certainly the one who committed the crime. But if you
extend the blame to the rest of the parties, it is silly to blame the
owner and not the manufacturer.

 

Really? No matter what OS they have, it's their fault, and the software
producer can never be blamed in any way?

I disagree strongly.
Microsoft sold a product with significant problems in it. Who is to
blame for that? Doesn't it make them necessarily included in ALL blame
related to those problems?
Worse, many are KNOWN problems, and things that could be fixed if
Microsoft went to the effort. Yet they often don't bother.

I'll give you an example of what I mean:
Let's say a guy leaves his car unlocked, then someone steals it.
He was negligent in not vigilantly protecting his property. But the
CRIMINAL is the person that takes the car.
Now, say the car was provided without any way to lock it. A normal car,
it just doesn't come with locks. You would include the car maker in the
blame, wouldn't you? You could say the owner is responsible for
building in new locks, but that doesn't mean the car maker doesn't get
any blame.

So there are three people who contributed to the problem: the car
maker, who provided no way to secure the car in spite of a known need
to do so, the car thief, who committed the actual crime, and the
negligence of the car owner.
The thief is certainly the one who committed the crime. But if you
extend the blame to the rest of the parties, it is silly to blame the
owner and not the manufacturer.[/QUOTE]

Unfortunately, the liability for any fallout of the hacking
belongs to the affected hospitals. In other words, the systems
should not have been penetrated in the first place. Regulations
that mandate the implementation of such protection have been in
place for close to 10 months. In your example, the car owner
should have known not to have bought a car without proper locks
and, even with proper locks, would also have to install a backup
anti-theft device, such as a fuel-pump cutoff switch.

 

In Mitch spewed forth:

Not so. If I, as a car owner with no locks knew that security was an issue,
I would be the ONLY one remiss in not taking the initiative to secure my
property. There is NO blame on the manufacturer. Like back in the early days
of autos. They shipped without seat belts. Are they to blame for all the
injuries that occured? Extending blame is not reasonable.

If the system is open, it is the administrators of the network that are
solely to blame - ESPECIALLY since so much is publicly known about the
security issues in MS products. Knowing the problems exist should cause the
administrators to be taking steps to prevent the exploitation. Just like if
I park my car in a bad neighborhood, I'd better lock it and set the alarm.

 

actual case in point
the gm/opel zafira has the spare wheel under the back of the car
it's Very Easy to steal
gm/opel know that but say theft is a "social" problem
you can buy a lock for it for £30
you know that
so what do you do if the unlocked wheel gets nicked
complain like hell to gm/opel and hope they will fit the lock for free ?
or buy a lock so the new wheel doesn't get nicked ?

or buy the lock BEFORE the wheel gets nicked and save yourself a lot of
hassle ?

dB

 

Where did Microsoft come into this? Nowhere does it say that the hospital
was running any particular OS.

 

In Zitty spewed forth:

Well, you're right, of course. But honestly I'd have to say it was implied
by the fact that the malware that infected the systems appear to be the
typical adware type of crap that infects Windows boxes.

 

The methods apparently used to take over the computers without alerting
anyone to what was happening, would only work with Windows.

 

Of course, the title of the thread refers to Xwindows

 

That's kind of my point -- restricting the liability to just the most
immediate person in charge isn't going to solve anything, it's just
making the prosecution easy. Microsoft still needs to be prosecuted as
building in the problem.

That does make the most immediate person in charge sound like he wasn't
working very hard to protect them.

So you would say that it is foolish to buy Microsoft? Certainly the
second part is what people deal with today.. patching the weaknesses
with protective tools.

 

Yes, I should have specified in my analogy that security is not an
obvious and completely well-known problem. I'm suggesting the same kind
of mix as computers; that experts all know it and how to protect from
it, but new users do nothing until something happens.
People that don't know cars come with and without locks wouldn't know
to look for this property, even though the manufacturer knows it is
needed and should be provided by them at manufacture.

I think we differ on the blame issue, though -- you say above that all
blame rests on the person who is responsible for security to know how
to fix the problems, and I am saying that the company making the
product shares the blame because it is their product, they are required
to provide a safe and reasonable product, and they know (even better)
that security is a serious issue.

 

you might want to check the EULA
you don't BUY MS products
you BUY a LICENCE to USE them "as seen",as is, flaws and all

now that would be a slick pymamid selling idea
forget the "put me on your mailing list"
just sell licences for some crap software

dB
(ooops maybe i shouldn't be giving people ideas)