The ransomware cyber attack on the NHS is horrifying — and as a computer scientist I feel ashamed that the world my field helped create is now at the mercy of such destructive scammers. It didn’t have to be this way!

This note looks at the context of the attack — why did the NSA help the attackers?![1] — and explains the “kill switch” and how it slowed the spread of the WannaCry worm. It concludes with ways we can avoid this type of nightmare in the future.

Please leave your keys under the mat

First, the spooks: the NSA (and GCHQ) believe that they need (and have the right) to see every piece of digital communication made by any citizen at any time under any circumstances. More than that — they also believe that they’re entitled to turn on your computer or phone or TV and listen on its microphone or watch on its camera. (That’s why Facebook’s Mark Zuckerberg tapes over his laptop’s webcam!)

There’s a problem: just as we don’t leave home without locking our doors, we don’t leave our computer systems unguarded. How are the spies to cope? They do two things:

  1. “Persuade” software companies to leave deliberate holes in their security. (This is a little like convincing all lock installers to post a copy of every key to the local constabulary, only worse: digital keys are much easier to copy or steal. When Amber Rudd says WhatsApp needs a handy backdoor for law enforcement purposes[2], this is what she means!)
  2. Break into computer systems, subvert their security mechanisms and suck up the data from your email, chats, documents, etc. etc.

This second activity is what has helped bring the NHS’s computer systems to their knees. One of the NSA’s programs for breaking into Microsoft software (codenamed Eternalblue) was stolen and publicly released in April. The black hat hackers behind WannaCry adapted it to their own nefarious purposes, and we’re now suffering the results.

Government not only supports the spies in these efforts, they allow them to do their worst in total secrecy, even in the courts. In the UK we’re now banned by the Investigatory Powers Act from hearing in court about what evidence was collected in this way and how — giving a whole range of government agencies and employees carte blanche to compromise our online security with impunity.

Microsoft’s role: the lock we sold you is faulty, but we’re not going to fix it

Incidentally, Microsoft also bears a lot of the blame for the spread of the problem. The company knew the solution to stopping WannaCry and related exploits, and published a patch for it in March — but only for recent versions of Windows. They only released a patch for Windows XP — still in use at many NHS sites — today, quite some time after the horse has bolted.

In other words, one of the richest corporations in the world no longer fixes security holes in some of their most popular products. Why? Because they want users to migrate to more recent versions of their software, spending money in the process. Incidentally, this makes Microsoft vulnerable to the spies’ tricks — and they’re showing more and more signs of serious annoyance as a result![3]

The “kill switch”: a day in the life of a white hat hacker

At the sharp end of these attacks is another breed of hacker, less prominent in the media coverage, but essential to the security of our systems. One of these[4], working on an analysis of WannaCry, noticed on Friday[5] that the worm was trying to connect to an internet address that didn’t currently exist. He decided to create that address, and in doing so triggered the worm to stop spreading. Evidently the original authors (quite possibly the NSA) had put a safety mechanism in their code to allow them to turn it off if it started spreading uncontrollably[6]. This mechanism first checked to see if a very unusual machine address was accessible on the internet (e.g. 123.thismachinedoesnotexist.com or the like). If it manages to connect, it stops trying to spread to other machines — effectively turning off new infections.

This was a good thing, and helped slow the spread of the virus — but it hasn’t made us safe. Today a new “Uiwix” strain of the worm has been reported[7] that doesn’t include the kill switch (although accounts vary[8]). This story isn’t over yet :-(

Fixes for the future: the right to whisper, and open source software

What can we do? Two things:

First, government has to accept that we can’t leave all the doors in the virtual world hanging open without inviting the bad guys in. We have a right to security, and a right to privacy, and no matter what bad stuff goes on behind closed doors we can’t monitor everyone all of the time. (Remember Orwell’s 1984 anyone?!)

Second, anything that isn't open source must now be assumed to be compromised, by definition[9]. Everything else (Microsoft Windows, Apple iOS, Google's Android services) is subject to this scenario:

Man (almost always) in dark suit knocks on door of software corp. Sincere and nice person answers: "Yes?"

"Sign here: I promise to open all my data to The Secret Policeman whenever he so desires or spend the rest of my natural life behind bars. And I promise not to tell anyone."

And off they go, hand in hand (willing or otherwise) to code backdoors into the products of said software corp and enable the spies to subvert their security protocols.

This scenario has happened and is documented (straight from the horse's mouth!) in the NSA and GCHQ documents which Edward Snowden released to the world last year. So: any software you use that is closed source is in principle insecure.

For nerds like me, though, this wasn't really news — we already knew that closed source was A Bad Thing and have smugly enjoyed our schadenfreude in larger than usual quantities in recent times (though with the current state of the NHS IT systems any enjoyment stage has definitely passed!) We use open source software, and we therefore know that even when security holes are present they get discovered pretty quickly and, more to the point, fixed. Mr. Nasty Spook and his friends have a much harder time of it with open source, and this is what we should be installing on our public service systems. (Check out the Free Software Foundation for more details.)

In the meantime? Install all the security patches for your software, don’t click on links in email, and try not to need a doctor!


[6] Alternatively, the mechanism was a failed attempt to make analysis of the worm more difficult. Several indicators suggest that the worm’s distributors are relatively inexperienced developers.