When sec stops being secsy

Today you will have seen a lot of words you don’t understand. You will have seen the future, now. You will have understood, finally, how vulnerable we are, and you will be scared.


Now you’re paying attention. That’s good. So here’s what we’re going to do. We, the people who stand between the people who really have a clue, and you who have no clue at all but now want one, we are going to explain how it is to you in the new world order.

And you are going to listen to us this time.

We are too far down the path of IT systems to turn back. We can’t switch the routers, the networks or the servers off. The box is open and Pandora is out there, dancing like a Las Vegas pole dancer, hips enticing you in, while taking your money with her grabby hands.

Today, a virus brought multiple hospitals, GP surgeries and Clinical Commissioning Groups to their knees before rampaging off across Europe via Telefonica then jumping over to Russia and other parts of the big wide world.

You’re confused aren’t you. I can tell. It’s okay. So are all the clueful people. Because you see this didn’t have to happen.

Declaration. I am not in infosec (information security – stopping the bad guys getting your data) nor am a pentester (penetration tester, someone, usually an ex-hacker who decided to make legitimate above board money being paid to test the security of organisations by trying to hack into them). I’m a nerd, a dork, a geek. I am an interested party who’s never hacked anything but knows a whole hell of a lot of people who do, to varying levels of past intimacy.

So basically here’s what happened.

  • The NSA built some scary ass stuff that got released into the wild accidentally. Sort of think of it like…silencers on a gun. They didn’t build the gun and the gun was lethal enough as it was but they basically created silencers and laser sights and made that gun even more deadly and badass. And they didn’t secure those gun modifications well enough and now every damn bad guy in the world can use those modifications and kill more people. Or in this case, hack more stuff and create more chaos.
  • Microsoft missed their weekly patch day. I think it’s weekly. I think it’s a Tuesday. It doesn’t matter. The above broke Maundy Thursday. MS didn’t issue patches 2 days before like they should have done if they were sticking to their schedule. It’s Microsoft, they don’t ever skip out on schedules.
  • By Good Friday everyone who knew anything was looking nervously at everyone else who knew anything and a very bad feeling was starting to spread.

They were also accusing the NSA of warning Microsoft that their toys had got out into the wild so that MS could patch to respond.

A patch, by the way, is sort of what it sounds like. So Windows has evolved and evolved and it’s built by humans. Every version built by humans. And then humans understanding evolves and pesky little curious other humans come and poke holes and find security holes in Windows and the humans who built Windows then issue patches to fix those holes that either they never noticed or have only become apparent over time. They’re sticking plasters. They’re released on a schedule so that server admins know what they’re supposed to be patching and when and can then warn their organisations if the process of patching impacts on business.


  • By the Saturday everyone was all like, oh it’s okay, MS will patch it.

This was where some of us just gave up and went home. Because some of us know that small parts of the government estate which yes, includes the NHS, are using versions of Windows which are supported by Microsoft any more. Why? Because Microsoft are a business and lest you forgot that in the bullet points above, hello yes there are some serious issues with a Government Department having to tell a commercial organisation they screwed up and need their help to fix it. So Microsoft are a business and they want to make money and supporting 15 year old versions of their Operating System isn’t how they do that.

So they stopped. And government went…

Can you guess?

‘It’s okay it’s only a small percentage, what are you making a fuss about?’ I paraphrase but that’s exactly what was said to me when I tweeted about this years ago.

Yeah. Whoever sent that, and I can’t remember who you are? Sucks to be in your head today, doesn’t it.

Because, you see, when Microsoft stop supporting an operating system version, they stop releasing patches for it. Yes, those very same patches which are needed as defences against the dark arts of the lovely malicious hackers who are intent on wreaking havoc for profit and LOL’s.

LOL’s I hear you cry? Against hospitals and doctors? That’s not funny. What a scumbag. Yep even I said that exact same thing before I knew what the attack was.

The fundamental problem here is that the stupid little idiot who set this thing off around the world to cause destruction and mayhem will have had absolutely no idea, NO IDEA AT ALL what the ultimate outcome of his attack would be.

Chances are he’s not in this country. He has no idea we’re still running crucial government systems on outdated servers and operating systems no longer supported by Microsoft.

Because who the hell would do something so stupid, right?

Oh wait.

So what’s the solution?

The clueful. The clueful, who have come out of the woodwork in droves today, need to be listened to. Don’t listen to me. I’m just explaining. Listen to them. Ask them to a round table. Invite them into your worlds. Ask them how to secure yourself against future attacks. Start to unpick and unravel the horrors that lie hidden in the government IT estate. And trust me there are some horrors. Spend some money where it’s needed. Dump legacy systems. Work quickly, cheaply and smartly to spin up solutions that are modern, work, meet user needs…

You know all this. The people I’m talking to, you know all this don’t you. You just didn’t think it could ever be this bad. We told you. Over and over again we told you and you dismissed us as hysterical little children.

Well you know what, when you’re ready to walk through the crèche door, give me or any of the other clueful folk a call. We’ll be there like a shot, helping, directing you to people who know, suggesting ways to prevent and secure.

Until then, watch everything you’ve built, everything you are paid to protect, be shut down by, more than likely, some teenager in a bedroom somewhere.

Sleep well.