DEV Community

Discussion on: Microsoft is absolutely at fault for WannaCry

PessByNature

Hang on though. I don't actually know if there are any systems like this, but indulge me in a hypothetical (that I think likely is not hypothetical somewhere, because bad software is everywhere). What if there was software for a defunct brand of MRI machines that, as written, actually requires some sort of sanctioned remote code execution?

It would be easy to say "the MRI manufacturer should pay for new software to be written that isn't terrible" but what if they don't exist anymore? Perhaps a very clever programmer could be hired to reverse engineer the machines and rewrite their code, but who would hire them? In the case of a greedy, or worse, actively malicious rights holder controlling the old company, how would you grant them legal protection?

Should Microsoft go for broke and remove the entire capability for remote code execution via your second line of defense, forcing hospitals to buy new MRI machines, which range in cost from the low hundred thousand to multiple million dollar range?

Or perhaps when Windows 11 comes out and is fully immune from code injection via SMB, the hospital will simply stay on Windows 10 to avoid that cost, and in 2040 will suffer a GonnaCry ransomware attack via an RCE only discovered after Windows 10 is EoL?

In an ideal world, everyone would update their software and everything would be fine. What should we do in our non-ideal world, where breaking backwards compatibility in the name of future proofed security might cripple businesses working towards bringing about a more ideal world?

Antoinette Maria

I love this because it is, in essence, why having a good cyber security program in place is so important. Not allowing outbound/inbound connections through a firewall over certain ports, having good endpoint protection software, having good IDS & IPS systems, having a good incident response plan and team in place, etc.: all of these things, along with patching and updating software, are important to minimize the impact of an infection or breach. You're so right, there isn't a perfect world, and when it comes to security it's not an "if" but a "when". So having the proper staff and processes in place is crucial.

tag hatle

I hesitate to ever defend Microsoft, but how would Microsoft be "forcing hospitals to buy new MRI machines"? How are they responsible for increased security on their operating systems resulting in the breakage of insecure software? Even if the MRI software can't be rewritten or upgraded, how is Microsoft responsible for that?

PessByNature

Sorry, I may not have made my position clear there. If Microsoft decided to patch out remote execution entirely, both legitimate and illegitimate, that would be a hard decision with both pros and cons, and in some cases where I think the former outweighs the latter, I would applaud them for it.

But if they did, that still puts the hospitals between a rock and several hard places if their MRI machines depend on legitimate remote code execution. Do they not ever install the patch, leaving them open to RCE exploits that would likely never be patched?

Do they buy new MRI machines, which might be millions of dollars of one-time investment, over something that only doesn't work because of a patch?

Do they risk who-knows-what legal trouble trying to get an unofficial patch for their machines, if the maker will not provide?

Do they spend the money on a top-notch InfoSec team that can mitigate the risks, investing less up front but needing them around forever to keep the ship floating?

I don't blame Microsoft, but that doesn't erase the challenge for the hospital.