Jonathan Bennett

Beyond the Code

or, how to win friends, influence people and make a living by writing open source software. It's not just about the code.

Follow me on Twitter as @jonobennett.

Friday 8 May 2009, 4:31 PM

Infections, Conficker and preventative medicine

Posted by Jonathan Bennett

We hear from the US that inertia in government has prevented medical devices infected with the Conficker virus from being cured of their malady. That's missing the point entirely — which should be obvious to everyone involved. They should never have been infected in the first place.

Conficker exploited a hole in Windows' Server service, which is included and enabled by default on all standard installations. The service is used for file sharing, which isn't a necessary function on a medical device. It may need to access files on other machines, but there's no obvious reason for a medical device to share its files. If the function isn't needed, the code for that function shouldn't even be present on the device, but this isn't easy using Windows. This isn't a problem with the quality of the code in Windows as such — you can get vulnerabilities in Linux, believe it or not — it's more about the packaging and distribution model. If you're forced to include code you don't need by the distribution model — rather than a genuine software dependency — then problems like this are going to keep happening.

The virus also updated itself across the internet by retrieving the code from web sites set up for the purpose. Again, this shouldn't have been allowed to happen. While it's tedious for a desktop PC user to continually authorise applications that want to access the internet, on a device that's not a general purpose computer, that authorisation should be mandatory.

Neither should the network infrastructure these devices were plugged into have allowed unrestricted internet access. It may be easier for the network administrators to have a policy of allowing all traffic barring exceptions, but in situations where a significant number of the devices attached to the network have no business having unrestricted 'net access, keeping such a gaping security hole open is nothing short of idiocy.
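The difference between the two network policies described above, as an added example that is not part of the original post: a first-match rule evaluator run over constructed flows. The device VLAN, the records server and every address are hypothetical, chosen only for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # None matches any destination port

def evaluate(rules, default, flow):
    """First matching rule wins; unmatched traffic gets the policy default."""
    src, dst, port = flow
    for r in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return default

ANY = "0.0.0.0/0"
# Constructed addressing: device VLAN 10.20.0.0/24, records server 10.10.5.20.
# Policy 1: allow all traffic barring exceptions (a blocklist of known-bad hosts).
ALLOW_BY_DEFAULT = ([Rule("deny", ANY, "203.0.113.0/24", None)], "allow")
# Policy 2: deny everything except the one flow the devices actually need.
DENY_BY_DEFAULT = ([Rule("allow", "10.20.0.0/24", "10.10.5.20/32", 443)], "deny")

# Constructed sample flows: (source, destination, destination port).
FLOWS = {
    "device -> records server":    ("10.20.0.8", "10.10.5.20", 443),
    "device -> blocklisted site":  ("10.20.0.8", "203.0.113.9", 80),
    "device -> unlisted web site": ("10.20.0.8", "198.51.100.7", 80),
    "workstation -> device SMB":   ("10.30.0.15", "10.20.0.8", 445),
}

def compare():
    """Return {flow name: (verdict under policy 1, verdict under policy 2)}."""
    return {name: (evaluate(*ALLOW_BY_DEFAULT, flow),
                   evaluate(*DENY_BY_DEFAULT, flow))
            for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:30} allow-by-default={loose:5} deny-by-default={strict}")
```

Both policies stop the destination that is already on a blocklist; only the deny-by-default policy stops the web site nobody has listed yet and the inbound file-sharing connection to the device.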

Hindsight is always a wonderful thing to have, and strict security measures aren't appropriate to the risk faced by every networked device. Equally, we don't know how much damage to patient care was done by these medical instruments getting infected, but if little has been done that could just be down to luck. Nevertheless, these lessons should have been learned before now. The sad thing is they still probably won't.
