Hacker News
by whitefish 3319 days ago
Should hospitals such as UK's NHS and other such organizations use dumb terminals (or chromebooks) instead of Windows? That way data is centralized on servers where it is easy to backup and harder for hackers to hold to ransom.
5 comments

If instead of desktop win32 applications they had used web applications none of this would have happened.

Servers are much less vulnerable for a number of reasons:

1) People managing and configuring them are more security conscious than the vast majority of people. Come on, nobody downloads an email attachment or connects a USB they found in the parking lot to a server.

2) It's much cheaper to keep a server updated than a thousand Windows clients.

3) Like whitefish pointed out, even in the worst case scenario you can restore a backup and keep on truckin'.

It'd be a good start if they just didn't use Windows.

But yeah, definitely. It's pretty damned unlikely that an OpenBSD backup server would get wormed, unless an ME exploit is involved.

Let's be clear on this. No matter how secure the operating system is initially, if it stays unpatched then over time it will become more and more vulnerable as uncovered exploits go unfixed.

The reason a machine might go unpatched is because it might support some critical hardware (e.g. medical) for which there are only one or two vendors and only a particular combination of HW and SW is supported (e.g. due to a specific custom hardware driver).

To lay the blame for this at a single vendor's feet is naive.

True, but I'm sure there are a lot of cases where the OS wasn't updated because of the necessary investment to jump to a new Windows version.
There are very few free/open-source operating systems that get security patches for as long as Windows does.

Major versions of OpenBSD are only supported for 5-6 years. Most Linux distributions only get 3-5 years. Red Hat promises 10 years of support, the same as Windows 7/8/10. None comes close to the 13 years that Windows XP was supported for.

So you're gonna have to update anyway, at roughly the same interval if not more often, as if you had used an enterprise edition of Windows.

> Major versions of OpenBSD are only supported for 5-6 years.

I thought that security updates are only made for -current, the current stable release, and the previous stable release. So, 1 year of support, not 5-6.

A cursory look at the errata seems to confirm this.

Most of the time, upgrading from one minor version to the next is painless. If you installed OpenBSD 5.0, you are expected to keep updating all the way to 5.9. (For some reason, OpenBSD always makes exactly 9 minor versions for each major version.)

Most Linux distros don't even make any fuss about minor versions, using them only as an opportunity to build fresh installation images. New minor versions are security patches for the major version and all previous minor versions.

> It'd be a good start if they just didn't use Windows.

I hear tell that, server-wise, NHS IT will also support OpenSUSE, and their record of keeping that patched is almost as good as their record for doing so with Windows.

Yes, they really should. Some important facilities should not use Windows anymore because it is too open to the public to hold an attack. Or the hospital's computers should not be connected to the internet. Most of the time the computers within a hospital are just doing local tasks.

Maybe they should not have connected all of the computers across the country into a single network.

Maybe they should have kept their systems up to date instead of running XP.

This affected all versions of Windows, not just XP. You're right about the updates though.

It's not actually like that. They have a heavily restricted backbone and lots of little isolated networks hanging off it. This is lots of independent cases of idiocy causing infection.

Policy controls, poor patching and user education are the root cause of the NHS problems.

IMHO, best approach is to use a (hypothetical) system where all apps are sandboxed by default.