Botnet Attack Shuts Down Hospital Network

Zonk posted more than 8 years ago | from the that's-not-cool-man dept.

The Courts 360

aricusmaximus writes "A California student is now facing felony conspiracy charges after unleashing a botnet attack that shut down the network of a Seattle hospital intensive care unit. This indictment comes a few weeks after another California man pled guilty to similar charges. Both attacks were attempts to make money off of adware affiliate programs. So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"

Student's Fault (4, Insightful)

eldavojohn (898314) | more than 8 years ago | (#14699488)

So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?
The students, clearly.

Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.

I don't want to hear any psychology bullshit claiming it's not their fault--that it's society's fault for making them desire more money. I don't want to hear any bullshit that they didn't know what they were doing or the hospital should have had better security. This is an aggressive act against a public service--the internet. Computer savvy students implement code that shuts down many computers for the purpose of advertising profit. They didn't realize what they were doing? Oh, come on. Even if they didn't, it's a valuable lesson and a few less spammers to ruin the world when they graduate. Tough. You like computers? How about five to ten in federal-pound-me-in-the-ass prison?

I'll bet they wished they had enrolled in Computer Ethics 101 before going on this capital venture. As an additional punishment, they should be forced to code software to stop stuff like this from happening and tailor it for medical equipment/computers.

And what kind of intensive care unit is "shut down" when they can't use computers? It's not like their work would have to grind to a standstill. I don't want to sound like a luddite but are we really that dependent on computers? They're medical professionals, I hope they did just shut down and stop working when the computers crashed.

This student is in deep trouble. He chose actions that had grave consequences and now he'll face the charges resulting from those actions.

Inignot: Your stereo is now his stereo by way of my actions.
Shake: Yes meatwad, with actions.

Re:Student's Fault (0, Offtopic)

tehwebguy (860335) | more than 8 years ago | (#14699491)

exactly, why should it be meatwad's fault his own stereo was stolen?

actually, it was a jambox. but still..

Re:Student's Fault (4, Informative)

OffTheLip (636691) | more than 8 years ago | (#14699505)

I agree with much of what you say with the exception of "And what kind of intensive care unit is "shut down" when they can't use computers?". The acute shortage of bedside nurses elevates computers and networks to a big player in short-staffed ICUs. Patient to nurse ratios are improved because of computers. Sure the ICU can continue to function but things would be hectic and possibly deadly for some patients.

Re:Student's Fault (2, Interesting)

eldavojohn (898314) | more than 8 years ago | (#14699529)

I agree with you completely.

In fact, today we are treating many more patients and types of problems through the help of computers.

To me, the phrase "shut down" means to close up shop. I know they didn't do this but it makes me wonder how much have hospitals suffered in capabilities by accepting automation?

Advanced life support system may need to be on the network to send signals. But what about the EKG machine? The intravenous drip? These things should not be dependent on computers yet I know from a friend who works in a hospital that IVs have small computers on them to regulate the flow. I hope to god they are safely restricted from internet access.

Re:Student's Fault (0)

Anonymous Coward | more than 8 years ago | (#14699614)

"Advanced life support system may need to be on the network to send signals. But what about the EKG machine? The intravenous drip? These things should not be dependent on computers yet I know from a friend who works in a hospital that IVs have small computers on them to regulate the flow. I hope to god they are safely restricted from internet access."

Most of these sorts of things work on their own.

But beyond that, diagnostic instruments and otherwise are so complicated they need to be on some sort of computer system. For instance, a good friend of mine works in a hospital as a medical technologist and more than half the instruments she runs are based on Windows in some part -- the others still have an over the shelf OS. These instruments are used to analyse things like CO2 in the blood and presence of drugs in the system and a thousand other things that are demonstrated that while a professional could probably sit down with a microscope and chemicals could reasonably identify, but not with the accuracy or speed needed to serve their patients. Without these, it almost gets down to guess work and would be a cause to close down the hospital.

It's like in my field, it has been said that the most reliable way of identifying mental traits in patients is to use computerized testing...reliability is over 80% with computerized testing whereas interrater reliability with two qualified psychologists show only about 50% -- yet most of these guys refuse to use automated systems because it seems 'impersonal'.

So some things like EKGs and other life support should not be dependent on a faulty OS or connected to a network, but others that may be potentially more lifesaving in the long run almost need to, to be useful.

Re:Student's Fault (4, Insightful)

sqlrob (173498) | more than 8 years ago | (#14699826)

But beyond that, diagnostic instruments and otherwise are so complicated they need to be on some sort of computer system.

On a computer system, yes.

WTF do they need to be on the Internet for?

Re:Student's Fault (3, Insightful)

loraksus (171574) | more than 8 years ago | (#14699907)

Precisely. It sounds like (ok, this is going to be geeky as hell, but I'm going to do it anyways) someone could learn by watching a couple episodes of Battlestar Galactica.

And I suppose they might need the internet for paging their doctors - since it is probably a third party company that has a laughably bad ("Oh look, we ported our paging app to java and can run it over the web! Goodie Golly!") interface - but I'm pretty sure it can be done a bit more elegantly and can be made a bit more resilient.

What the fuck their keycard access system was doing on the same network as some of the infected computers is a complete mystery to me though.

Re:Student's Fault (0)

Anonymous Coward | more than 8 years ago | (#14699712)

I have an IPS to sell them tho. *rubs chin thoughtfully* Money..

Re:Student's Fault (1)

JulesLt (909417) | more than 8 years ago | (#14699747)

Agreed. I used to work as a clerk in a hospital back in the days of paper records. In emergency cases, getting hold of their files was one of the first steps, even while the frontline staff are trying to deal with the immediate problem.

Re:Student's Fault (3, Insightful)

tpgp (48001) | more than 8 years ago | (#14699552)

Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.

Hmmmmn, nice attempt to start a flamewar. I mean there's nothing like a gun analogy to get people to discuss things rationally is there?

Anyway, back on topic. I think you need to understand shades of grey - the students are clearly most at fault for being the ones who actually caused the damage.

However, the spy/adware companies are most certainly complicit - they operate in a manner where they encourage and facilitate botnets. To go back to your trollish example, it would be like if Colt were advertising guns as 'man killers' or 'the perfect sniper tool', selling armour piercing bullets, etc etc.

Thirdly, whilst the hospital mightn't take any of the blame for this incident, it certainly raises questions about negligence in allowing a critical network to be so open. Returning to your analogy, it would be like a gun shop not properly securing its merchandise and then shrugging its shoulders when there was a massacre using firearms stolen from said shop.

Re:Student's Fault (1)

ellem (147712) | more than 8 years ago | (#14699758)

shades of grey? oh please.

Re:Student's Fault (0)

Anonymous Coward | more than 8 years ago | (#14699780)

There are no shades of grey, only shades of gray.

Re:Student's Fault (4, Insightful)

aelbric (145391) | more than 8 years ago | (#14699811)

How can anyone even debate this? Two words. Personal responsibility. It should be a required class in all primary, secondary and higher education school systems.

Returning to your analogy, it would be like a gun shop not properly securing its merchandise and then shrugging its shoulders when there was a massacre using firearms stolen from said shop.

So the merchant is responsible for someone stealing his merchandise (an illegal act) and then psychoing out somewhere (another illegal act)? If someone steals a car during a test drive, goes out and gets hammered and plows through a line of school children, are you suggesting the dealer is at fault for not "properly securing their merchandise"? I'm having trouble seeing the logic here.

Re:Student's Fault (4, Insightful)

MysteriousPreacher (702266) | more than 8 years ago | (#14699879)

Returning to the gun shop analogy (since it seems to be popular). If the gun shop doesn't take the precautions required by law and someone steals guns to use in a crime then the gun shop is liable. The point though is that the gun shop is not to blame for the shootings but should be legally liable for the fact that it allowed its guns to be stolen because they didn't observe their legal obligations.

If a car shop allows a visibly drunk man with no driver's licence to test drive a car then while not responsible for the deaths caused, they should bear some responsibility for fulfilling their legal obligations (assuming they have any).

Re:Student's Fault (1)

shawn(at)fsu (447153) | more than 8 years ago | (#14699837)

Shades of gray my ass. The students committed the act; they deserve all the punishment.

Little bastards.

Re:Student's Fault (1)

superflyguy (910550) | more than 8 years ago | (#14699868)

Still a bad analogy... The malware companies are the financers. The student is the attacker. The hospital is a sensitive area. The patients are the victims. It's actually more like a bombing than a gun massacre, but anyway... The companies are responsible for backing these things. The student is responsible for enacting them. The hospital is responsible for at least trying to defend itself. The patients are the ones who get hurt by them. It's mainly the malware companies and students. If the hospital was vulnerable because of their negligence, they are also partially at fault, but if they made a reasonable effort to secure their network, then it's all the companies and perpetrators.

Re:Student's Fault (5, Funny)

strider44 (650833) | more than 8 years ago | (#14699554)

Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.

Haven't you been reading the summary? It's the victim's fault for not wearing a bullet proof vest!

Your analogy isn't apt. (-1, Troll)

CyricZ (887944) | more than 8 years ago | (#14699555)

Your analogy isn't an apt one. The hospital is clearly the ones at fault here as well, mainly for not taking the very basic precautions that would have protected them.

It would be more akin to a white person walking naked into 1970s Harlem, shouting racial epithets, and then getting shot. Sure, the person may not be responsible directly for doing the shooting itself, but they did put themselves into a dangerous situation that was easily avoidable. Thus they are at the very least partially responsible for what happened.

No system, be it at a hospital or a business, should ever be shut down in such a fashion. Basic security precautions will go a very long way towards preventing such incidents.

Re:Student's Fault (4, Informative)

malkavian (9512) | more than 8 years ago | (#14699575)

And what kind of intensive care unit is "shut down" when they can't use computers?

I work in a hospital as one of the business continuity team; we keep the place running in the event of something just like this, and have to evaluate the problems that'll occur in an outage if it happens.
ITU is dependent on having patient records, history, full charts and responses available in a very rapid fashion. When the computers go down, they don't stop working, just all the communications that happen near instantly suddenly have to be ordered from medical records, and use sneakernet, which is a massive time overhead. In time critical requirements, this may mean the difference between life and death.

Fair enough, the hospital should have been more secure, but there again, it all comes down to how many admins they have on the job. I know my time is allocated (still) in a very small part on security. I'm pressing to have more allocated. And my budget for security tools is small. Hell, with the NHS budget cuts next year, we'll be lucky to have much budget at all. Still, it's improving slowly. I'm still not happy with it, which gives me more incentive to work harder on it.
But anyone who would attack a hospital system has to be aware that lives are at stake here, not just a few pounds/dollars. In commercial places, I'd frequently warn people if I could work out who they were, or the admin of the systems they came in from if I couldn't. Eventually, I'd call the police if I believed they were being too persistent, as a last resort.
In the hospital, I spot an attack, police will be warned promptly. No messing around. The place I work at saved my brother's life years back in ITU (when, by rights, his injuries should have killed him). I'm a little protective of the work they do, and the systems that let them do their job more efficiently. After all, they may just make that difference between life and death in the borderline cases, and every little win by the skin of the teeth means a lifetime to somebody.

That was just a clarification, not a dispute. I'm behind you all the way in the sentiment you express. They're in trouble, and justly so.

Re:Student's Fault (0)

CyricZ (887944) | more than 8 years ago | (#14699624)

While it may be difficult to deal with the inherent instability often present in Windows-based systems, I don't see why you should have any problems keeping your network secure without spending a bundle of cash.

You should be able to set up an OpenBSD-based firewall, at the very least, to protect the network. Depending on how much traffic you're dealing with, you may instead want a few such systems. The cost of such a system is minor, especially when you consider the massive protection and benefits it brings.

Re:Student's Fault (1)

jcr (53032) | more than 8 years ago | (#14699606)

The students, clearly.

Well, the analogy I like to use is that the perps are the arsonists, but Microsoft is the contractor who keeps building houses out of balsa wood and flash paper.

-jcr

Re:Student's Fault (4, Insightful)

TFGeditor (737839) | more than 8 years ago | (#14699871)

Bullshit.

I used to be on the "Microsoft sucks" bandwagon, but then realized that "security vulnerabilities" would not exist if there were no dirtbags exploiting them.

No, vulnerabilities or not, it is not Microsoft's/Bill Gates' or Steve Jobs' or Linus Torvalds' fault when some criminal with a computer wreaks havoc on the internet or a private network. It is ALWAYS the criminal's fault.

An unsecured system is no more an "invitation" to exploit than a short skirt is an invitation to rape.

Re:Student's Fault (0)

Anonymous Coward | more than 8 years ago | (#14699610)

The students, clearly.

Why are you assuming that all the blame must go to one party? The attackers are at fault, clearly, but whoever implemented the hospital systems had a duty to anticipate such attacks and build the systems with them in mind. It's *trivial* to avoid crap like this, as long as you don't include things like "staff must be able to check their Hotmail on lunch breaks" as part of the requirements.

The attackers should be punished to the extent that the law provides, but the people who implemented the hospital systems should be punished for negligence, because if they had done their jobs properly, this wouldn't have been possible. Unless such punishments take place, they will go on and implement similar systems that are just as vulnerable to any kiddy with a script.

Re:Student's Fault (1)

tompaulco (629533) | more than 8 years ago | (#14699875)

If the people who implemented the hospital system were capable of doing the job correctly, they most likely would have done it somewhere else. Hospital IT staff are one of the most underpaid IT staffs that you will find. Since they offer such low wages, they often have to resort to hiring IT people who don't really know IT and so are willing to use them as a stepping stone to a REAL IT job.
Regional and national hospitals tend to pay better though.

rape? (0)

Anonymous Coward | more than 8 years ago | (#14699660)

wow, you certainly are a logical, sensible person. im so admiring of your brave, brave stance against 'stupidity'.

obviously computer criminals should be raped. thats a brilliant solution to the problems of society.

thank you sir for your braveness. if only our soldiers were as brave as you, we wouldnt have lost vietnam.

Step Away From the Keyboard (1)

eldavojohn (898314) | more than 8 years ago | (#14699763)

I see you're one of the few individuals on this planet that has yet to see Office Space [imdb.com] . You should watch it, perhaps it'd make you laugh (though I can't be certain considering your statements).

I was quoting a main character from the movie. It's funny, laugh.
wow, you certainly are a logical, sensible person.
Wait a minute, I may be logical and I may be sensible but I am definitely not ... what was the third thing you called me?
if only our soldiers were as brave as you, we wouldnt have lost vietnam.
Thank you, sir, for confusing the hell out of me. Where did that last sentence come from? Remember, I'm a logical person here ... if A then B, folks--it's not that hard.

Re:Student's Fault (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14699684)

I agree with you entirely, until you include the financial incentive.

If Colt were to offer $1 for each person shot, then Colt certainly is responsible in addition to the student. To make the tool available is one thing, to provide incentive to use it in an unethical/illegal manner is taking responsibility.

The nice thing is, responsibility isn't finite: both the student AND the adware provider can be equally responsible!

Re:Student's Fault (1)

m50d (797211) | more than 8 years ago | (#14699698)

If I offer ten thousand for the death of <name>, sure, the person who kills them is at fault - they're just as guilty as if they'd randomly killed them - but I am at least partly to blame too.
If I leave my door unlocked, and get burgled, sure, the burglar is at fault - they're just as guilty as if they broke through ten metres of steel plating - but I am at least partly to blame too.
What the others have done doesn't detract in any way from the guilt of the students - but it doesn't mean they're blameless either.

Re:Student's Fault (1)

tompaulco (629533) | more than 8 years ago | (#14699915)

If I leave my door unlocked, and get burgled, sure, the burglar is at fault - they're just as guilty as if they broke through ten metres of steel plating - but I am at least partly to blame too.
I disagree. The only reason we have to lock our doors is because there is some problem with our society in that some people don't seem to realize that if something belongs to someone else, that you are not supposed to mess with it. There should be no reason to lock our doors, no need to run antivirus, no need to block ports. The reason we have to do these things is that there are people who don't choose to obey our laws.
I will say that part of the blame may go on the adware/spyware companies. They are sort of like the dozens of pawn shops around my neighborhood, which essentially promise to give people a small amount of money if they steal stuff and bring it in. The amount they offer is pretty pathetic, but if you didn't pay for it, what do you care?

Re:Student's Fault (-1, Troll)

Epeeist (2682) | more than 8 years ago | (#14699749)

> Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.

But if Colt or gun shops connive in selling guns to someone who is obviously intent on committing a crime then they share some of the culpability.

Re:Student's Fault (0, Flamebait)

DrkSn (945879) | more than 8 years ago | (#14699768)

I'd really like to know why their computers are even online. I could see in the doctor offices and maybe a computer lab to check e-mails etc. But really they should just buy hosting from a company and wire their hospital up on a fiber optics WAN, or even just a LAN if they don't need to multiple hospitals up. Hell I'm pretty sure even wal mart just uses a fiber optic WAN to connect all the stores up (at least in canada).

Canada Vs USA (1)

eldavojohn (898314) | more than 8 years ago | (#14699796)

I'd really like to know why their computers are even online. I could see in the doctor offices and maybe a computer lab to check e-mails etc. But really they should just buy hosting from a company and wire their hospital up on a fiber optics WAN, or even just a LAN if they don't need to multiple hospitals up. Hell I'm pretty sure even wal mart just uses a fiber optic WAN to connect all the stores up (at least in canada).
I see you're confused. This happened in the United States of America. Your hospitals and health care have the money to do this. In the US, we get fined if we say "hospital" or "health care." Hell, I'm sure this hospital was just tickled pink to be able to put cat5e cables in two rocks and monitor patients while playing songs from iTunes to drown out the moans in the background.

Re:Student's Fault (2, Insightful)

basscomm (122302) | more than 8 years ago | (#14699858)

At the hospital I work at, there are any number of reasons why a computer might be connected to the Internet. Perhaps someone might wish to visit the site of the CDC [cdc.gov] to get up to date information on some disease or other. Maybe the hospital offers training services via a third-party web site. Of course, they don't have full-blown access to the Internet, but they are connected for various legitimate reasons.

Re:Student's Fault (4, Insightful)

Mistshadow2k4 (748958) | more than 8 years ago | (#14699784)

Making guns isn't really comparable to an adware company offering incentives to execute botnet attacks, imho. It would only be comparable if the gun manufacturer offered rewards for shooting people, which I've never heard of any doing. If someone takes out a contract on another person's life, we don't let them walk away and just punish the hitman.

Re:Student's Fault (4, Insightful)

v1 (525388) | more than 8 years ago | (#14699787)

So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"

YES

Though not all to the same degree as I'm sure you would agree. The student is of course the one that chose to break the law, and is most directly responsible for his actions. He was influenced by the adware company that offered incentive to break the law, "conspiracy to commit felony" or some such law. It's not as severe of a punishment as the felony (usually) but it's still illegal and clearly wrong.

"blame the victim" is a more controversial issue. I believe that "gross negligence to protect one's own best interests" should in itself place a small amount of the blame on the victim. The world is not perfect, everyone is not honest, and you cannot possibly convince me that anyone in the world believes everyone around them is a saint. By not taking basic precautions when exposed to the general public, you dramatically increase your risk of becoming a victim, and that is your fault.

If I leave my car parked for a week downtown with the doors unlocked and the keys in the ignition, I'd be quite surprised to find it there a week later when I returned for it. Am I the one that stole the car? Of course not. But did my actions (or lack of actions) knowingly contribute to the theft? Of course. Were they easily preventable? Of course. That's why many insurance companies will not insure against theft if you leave your car unlocked and keys in the ignition, they recognize that you invited unnecessary and excessive risk.

I believe that the ones who so strongly resist blaming the victim are those that either have been victims in the past or that are afraid of becoming a victim, and believe that they have no responsibility to take care of themselves, and that the world should protect them. They are living in a fantasy world.

Looked at another way, criminals prefer easy targets, and this is a known factor. By taking less precaution for your safety and security than the average person, you attract the criminals to you and increase your odds of becoming a victim. Choosing to do that has got to be considered an error in judgement.

Make Him An Example (1)

lseltzer (311306) | more than 8 years ago | (#14699803)

The government should be taking every opportunity to show that attacks like this will be handled sternly. Stick him in a dungeon and give him the Abu Ghraib treatment

Re:Student's Fault (1)

Tsu Dho Nimh (663417) | more than 8 years ago | (#14699845)

"And what kind of intensive care unit is "shut down" when they can't use computers?"

RTFA, dude. They went back to sneaker-net, visual ID and phone calls.

Every department of any hospital I have worked in has a backup plan for when the 'puters are down. It usually involves a pen and a bunch of paper.

Well... (1)

hrieke (126185) | more than 8 years ago | (#14699494)

If the hospital didn't have their network locked down (and it's in Seattle so they don't have the usual excuses) then they are in for a world of hurt from the state.
The HIPAA failures alone for allowing this to happen are mind-bogglingly bad.

Who's at fault? (5, Funny)

Anonymous Coward | more than 8 years ago | (#14699495)

So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"

This is slashdot. The answer to that question is either Bill Gates or George Bush.

Re:Who's at fault? (0)

Anonymous Coward | more than 8 years ago | (#14699534)

BG or GB? That's interesting. I guess it's a good thing that God is dead. (http://www.imdb.com/title/tt0076489/ [imdb.com] ) Otherwise, we would have another person we could blame.

Most likely both? N/T (1)

someone1234 (830754) | more than 8 years ago | (#14699595)

Most likely both.

Re:Who's at fault? (0)

Anonymous Coward | more than 8 years ago | (#14699631)

This is slashdot. The answer to that question is either Bill Gates or George Bush.

This is the world, so expect red herrings and leg humping in lieu of rational discourse from the incompetent establishment's boot licking toadies.

Re:Who's at fault? (0, Redundant)

gwar11d2 (702724) | more than 8 years ago | (#14699908)

Hmm, And I thought Al Gore invented the internet.

Obviously student's fault (1, Flamebait)

insomnio (902123) | more than 8 years ago | (#14699498)

If someone gets mugged on the street, you don't blame the victim for carrying money. Or blame society for having to use money.

Re:Obviously student's fault (0)

Anonymous Coward | more than 8 years ago | (#14699521)

Many blame the woman when she gets raped for walking alone in a dark street with revealing clothes. Also if you carry a lot of money on a dark alley, yes I would blame the victim for being stupid.

In this case I think that both the student and hospital should be punished.

Re:Obviously student's fault (1)

petermgreen (876956) | more than 8 years ago | (#14699537)

no on the other hand if a teacher took a group of kids through a rough area and they got attacked the teacher would probably be in trouble too.

in situations where it's well known the law isn't enough to stop you getting attacked not protecting stuff you are responsible for is negligence.

Re:Obviously student's fault (0)

Anonymous Coward | more than 8 years ago | (#14699613)

Democrats blame society for having to use money.
That's why they want to take and give it to everybody that doesn't work or deserve it.
It's called wealth redistribution.
You see, Democrats never take responsibility.

Re:Obviously student's fault (0)

Anonymous Coward | more than 8 years ago | (#14699772)

You're obviously not posting from the UK, where it would be the victim's fault for having their iPod or mobile phone on display.

So who's really at fault here? (2, Insightful)

Ooblek (544753) | more than 8 years ago | (#14699502)

Sounds like a setup for a Chewbacca Defense [wikipedia.org] .

It is a pity that the US legal system is no longer about justice; it is now about what can be proven.

Re:So who's really at fault here? (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14699553)

It is a pity that the US legal system is no longer about justice; it is now about what can be proven.

I don't understand your comment. If you cannot prove a person is guilty, punishing them is not justice.

Justice is about what you can prove. (0)

CyricZ (887944) | more than 8 years ago | (#14699608)

Justice is about proving guilt. That's why in many legal systems there are prosecutors, whose job is to present claims against the accused. And then there are lawyers to defend the accused. There's usually a judge, and at times juries. I'd hope you realize that this whole show is there for the sole purpose of finding the truth. That is, finding what can be proven. It's not an easy task, but it's what justice is all about: proving guilt beyond a reasonable doubt.

The Perpetrators Are At Fault (4, Informative)

Kurt Wall (677000) | more than 8 years ago | (#14699506)

Suggesting that the hospitals are at fault for failing to secure their networks adequately is asinine. The perpetrators are at fault. Adware companies might provide incentive and the hospitals evidently need to secure their networks, too, but culpability lies solely with the two defectives who committed the crime.

It doesn't help to reward incompetence. (0)

CyricZ (887944) | more than 8 years ago | (#14699581)

The Internet is known to be hostile. Any networks facing the Internet need to be properly secured. And the techniques for doing so are very well known and accessible.

We shouldn't allow people to display such incompetency and/or ignorance. While we can't expect any system to work perfectly, we also can't expect them to fail so horribly, apparently due to a deficient design. This was obviously a very serious flaw with the network, to allow it to fail so easily.

If those in the various fields designing computer-related systems ever wish to be considered engineers in the same vein as mechanical and civil engineers, then they can't let incidents like this go. This is comparable to a bridge collapsing in a faster than normal windstorm, all due to negligence on the part of the designers.

Re:The Perpetrators Are At Fault (3, Insightful)

jcr (53032) | more than 8 years ago | (#14699620)

Suggesting that the hospitals are at fault for failing to secure their networks adequately is asinine

No, it's a well-established legal theory, known as "contributory negligence". The perps are the main culprits, but it's quite likely that the hospital and several of their vendors will end up tapping their liability insurance to the tune of some millions of dollars.

-jcr

Re:The Perpetrators Are At Fault (1)

KarmaMB84 (743001) | more than 8 years ago | (#14699793)

Contributory negligence prevents a negligent party from collecting damages when another more negligent party injures them. If you're driving in both lanes of a road and a speeding car with a drunk driver hits you, the courts aren't going to give you as much money as they would if you were in your own lane. This likely doesn't apply to this case.

Hospital administrators share the blame (0)

Anonymous Coward | more than 8 years ago | (#14699659)

Of course the perpetrators are at fault. However, don't think for one minute that should absolve hospital administrators from their gross or willful negligence in choosing an unsuitable category of technology.

Some operating systems are suitable for a networked environment and can provide a robust infrastructure. Others are suited for standalone use and only safe with an air gap [gcn.com] , that means no sneakernet either.

Re:The Perpetrators Are At Fault (1)

AchilleTalon (540925) | more than 8 years ago | (#14699716)

However, it raises the question: "Should everyone be authorized to plug anything, anyhow to the internet without a minimum of security measures?" And much more, "Should the hospital fire those IT people who plugged their network to the rest of the world without strong security measures?"

How do you feel about eventually being cared for by a hospital whose network and computers have been hijacked? Would you trust the medical records?

And it's not to say the perpetrator is innocent, he is for sure guilty and responsible for his actions. However, a hospital cannot blindly plug its network without strong security measures to the internet in the hope of not being a target for all the villains around the world. That is very irresponsible.

Re:The Perpetrators Are At Fault (1)

DavidTC (10147) | more than 8 years ago | (#14699798)

And, of course, it's a well-known ethical principle that only one person can be at fault in something.

That's why it's ethical to blow people up with car bombs under their car...after all, they started their car and set off the bomb. And why I've trained dogs to maul people...who the hell cares about the morals of a dog?

Um, no. I've said it before, and I will continue to say it: People who think only one party can be at fault, and that including any blame on other parties absolves, in any way, the guilt of the first party, are immoral.

It is quite possible to blame the perpetrator, the hospital, and the 'affiliate' programs. The perpetrator did it on purpose, the hospital was just negligent, and the affiliate people know that people send spam for them, and know that most spam is sent illegally, so feel free to assign levels of guilt based on that, but the number of other people involved is completely unrelated to the level of guilt each one has.

I.e., if botnets were some sort of natural force, and the hospital got hit, it would be exactly as responsible for failing to secure its network. If botnets were impossible to prevent, the hospital would have no responsibility, but the perpetrator and the affiliate company would have the same guilt.

We can add another hypothetical party, the person who knowingly let the perpetrator use his computer to do this, and, you know what? He bears some guilt, and that doesn't make anyone else less responsible for their part in this. Or any more.

Guilt is, sadly, a noun. That means in English, it is possible to talk about someone having 'more guilt' and thus someone else having 'less guilt'. It is easy to fall into the trap of treating guilt like a set amount that exists and is doled out. But guilt is a concept, not a thing. It is like 'amount of sexual attraction towards'. My being attracted to someone does not alter your level of attraction, and me having responsibility for an action does not alter your level of responsibility at all. (The difference between guilt and responsibility is merely a convention based on whether you wished the actions to happen, and that said actions were bad.)

common factor .... (2, Interesting)

3seas (184403) | more than 8 years ago | (#14699508)

computer industry....software...

the analogies that others might post in this thread may not consider the possibility of doing it all different such that these problems either likely won't exist or they can't.

Want protection from internet problems? Don't connect to it. But even the International Space Station has had its computer problems.

Life support and computers......hmmmmm....

The students, of course (2, Insightful)

SoupIsGoodFood_42 (521389) | more than 8 years ago | (#14699512)

What kind of idiot would blame the other two? No matter what motivates them, or who makes their job easier, they are the ones who are ultimately responsible for their own actions.

The student (1)

ForumTroll (900233) | more than 8 years ago | (#14699514)

I'm not fond of the adware affiliate programs; however, I don't believe that they're even remotely responsible for something like this. Responsibility for something like this falls directly upon the student who was launching the botnet attacks and I hope he's severely punished. Attacks like this could cost the lives of those that are receiving critical care at these hospitals.

Obviously, the network could have been more secure but that doesn't change the fact that without assholes launching illegal attacks like this there wouldn't be a problem in the first place.

In my opinion (1, Redundant)

Bazzalisk (869812) | more than 8 years ago | (#14699519)

The students are guilty of the crime, but the adware companies are guilty of conspiracy to commit the crime - and in this case I think that they are rather more culpable, since they are encouraging more people to do this. By all means prosecute the students (they deserve it), but if you want to fix the problem you need to chop off the monster's head.

All three + few more (3, Insightful)

luvirini (753157) | more than 8 years ago | (#14699527)

If you do not lock your network/car/house you are looking for trouble..

if you make promotions that encourage antisocial behavior you should be ashamed..

if you try to steal money from above promotions by using above holes you are of course a thing called criminal.

And the extras: Companies making unsecure products..

Re:All three + few more (0)

Anonymous Coward | more than 8 years ago | (#14699551)

If you don't lock your door, it's still illegal. It's no less defensible and the perpetrator should be punished much harder than they are now.

As I see they are facing 250,000 and 10 years in jail?

Death penalty I say, let's show the criminals that such activity is taken seriously and comes with a consequence they do not wish to meet.

Re:All three + few more (1)

luvirini (753157) | more than 8 years ago | (#14699603)

Indeed, even if you do not lock the door it should be criminal... but some places have laws that make a big difference in what punishment you get if you have to actually force your way in as opposed to just going in uninvited.

So perhaps here too the punishment should depend on the protections you have to bypass...

Re:All three + few more (1)

DavidTC (10147) | more than 8 years ago | (#14699828)

Why the hell would you bearing responsibility for your negligence in securing your property make it less of a crime?

You still, however, acted negligently. Being negligent while operating a hospital is rather frowned upon, and at least one person should get fired for this.

And, incidentally, if the prosecution can demonstrate that anyone died as a result of this, it's felony murder.

The hospital is at fault (1, Insightful)

longword (2293) | more than 8 years ago | (#14699530)

In the same way gunshot victims who don't wear body armour are at fault.

Product Liability (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14699532)

If GM sold a car that didn't have locks on the door, and they were always being stolen, they would be facing a class action lawsuit.

But when Microsoft starts selling anti-virus software, and profits from the inherent insecurity of their crap operating system, shareholders applaud, and the public is silent. It's time to start holding Microsoft accountable for all the tens if not hundreds of billions of economic harm caused by their inattention to quality.

Likewise, any IT administrator for a hospital that makes a demonstrably vulnerable OS a critical part of critical hospital operations should be shown the door. Quite frankly, it really doesn't matter if you buy the argument that Windows' security is appalling (it is), or not. Empirically, for whatever reason, Windows is under constant attack. Other operating systems are not. That much, at least, is plain on the face of it. Yet MS apologists are so addicted to their MS crack that, as we see here, they will actually put people's lives in danger. Sickening.

Re:Product Liability (1)

Twisted Mind (155678) | more than 8 years ago | (#14699600)

I think there should be a law that forbids making any analogy between software and cars.

It's his parents' fault (1)

vandelais (164490) | more than 8 years ago | (#14699538)

for naming him Christopher.

Aside from whether his name gave him a Jeebus complex, every Christopher I've met has spent time in jail, so he must be guilty.

Chewbacca defense doesn't work either, since he doesn't CHOOSE to live on Endor.
He just got a bad timeshare.

Hey!!! (1)

cbiltcliffe (186293) | more than 8 years ago | (#14699565)

My name is Christopher, you insensitive clod!!!

(My first real chance to use that /. staple...)

And I haven't spent any time in jail, either, so you must know the wrong bunch of Christophers.....

It can't be networked... (2, Insightful)

caluml (551744) | more than 8 years ago | (#14699544)

Surely the actual ICU equipment isn't networked at all, and this just inconvenienced the admin and support staff in that dept?

Re:It can't be networked... (1)

ValentineMSmith (670074) | more than 8 years ago | (#14699633)

Well, define equipment. Most larger hospitals are going to electronic medical records. Say that the computers by each bed in the Urgent Care area or in the ICU that are used to review patient medical records are infected and go down. Suddenly, the clinicians no longer have the ability to see the patients'

  • current medications
  • allergies

and someone dies due to a medication problem.

It sounds like they got lucky this time, but this is first-order scary.

Maybe (1)

Create an Account (841457) | more than 8 years ago | (#14699762)

I was just visiting my father in the hospital. Many of the patients had a wireless monitor tracking their heartrates. These heartrates were displayed on a series of computer monitors at the nurse's station. I think they were networked using a bunch of PC's.

Who's at fault? (1, Insightful)

cbiltcliffe (186293) | more than 8 years ago | (#14699547)

So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?
Yes.

While I agree with some previous posts that most of the fault lies with the student who perpetrated the act, the adware company is an accomplice. They provided the financing to do an illegal act. That's illegal in itself in most places. Maybe they didn't know the students were going to do something illegal, which could be the technicality that gets them off, but it's still scum-of-the-earth low.

The hospital has regulations as to how much security they are required to have for personal health records. Canada has similar legislation, but it covers any personal information that's collected by any company. Now admittedly a DoS attack wouldn't expose any of this information, if that's what it was. I didn't RTFA, but I did RTFS, and it sounds like it could have been, even though it isn't stated explicitly.


So, yes. The fault lies with all of them in varying degrees.

Re:Who's at fault? (0)

Anonymous Coward | more than 8 years ago | (#14699725)

"While I agree with some previous posts that most of the fault lies with the student who perpetrated the act, the adware company is an accomplice"

No. The adware company is the driving factor in the whole situation here, by asking for services like those and actually paying for them.

To take an example: if I would reward a dog every time he would be nasty to you, who is then to blame when he, at one time or another, attacks you? Only the dog?

If anything, those companies are the "crime bosses", and the student the accomplice. And, as with so many of the same situations, as soon as henchmen are used the instigators will mostly stay out of the fire.

Re:Who's at fault? (1)

DavidTC (10147) | more than 8 years ago | (#14699902)

The affiliate people know damn well that people are spamming out their links.

There are two kinds of affiliate programs...those that bitchslap spammers and not only permanently disable their account, but strip away all money they've earned with any complaints.(1) And the kind that go 'Heh, oops, we'll disable this account for a few hours so he won't profit from the spam', and then undisable it, or let spammers open a new one, and give them all the cash they earned before the spam was reported.

People don't spam the first kind of affiliate links. It's too damn dangerous that someone will complain and they'll make no money at all, and even lose money they earned legitly.

Now try to figure out why a company would be the second kind, especially since if they were to change to the first kind, they wouldn't have to pay spammers, would make more money, and be filtered less. (System admins have started blocking the affiliate websites.)

It's easy...it's because they're for spammers. They are affiliate networks designed for spammers, often by spammers who went 'legit'. They pretend 'Oh, we can't control spammers', when other affiliate networks seem to have no problems, and they often direct clients to 'direct mailing' software, aka, illegally-owned machine abusing software.

This is pretending that all of them are affiliate networks. Some of them are just run by one person, with pretend affiliate links, so that when people complain they can just say 'A spammer! Damn, we've disabled his account, don't you worry.' and then change the number in their links and continue spamming.

Rule #1: Spammers lie.
Russel's Admonition: Always assume that there is a measurable chance that the entity you are dealing with is a spammer.

1) And, yes, sometimes people abuse this by faking spam from competitors...but it's harder than you think.

At fault: all three (4, Insightful)

hellfire (86129) | more than 8 years ago | (#14699550)

All three are to blame, but to different degrees.

The students should be taken out and beaten. Anyone with any level of computer knowledge these days should know such activities are both highly immoral and illegal. This isn't stealing MP3s. And to attack a hospital? How thoughtless can you get? However, it's easy to be tempted by this type of thing, while these students got caught, many more got away with it at some point.

The Hospital should be scolded, but it's hard to know just from the story to what degree. It could range from a slap on the wrist to a lawsuit. If they had good computer security, then the students were just good at getting through. If it was bad computer security, then they need to step up and admit it. In any case, they are a hospital that appears to be running Windows to control their sensitive security systems. Bad choice, and that alone warrants one finger pointed at the hospital, if it's true. However, many hospitals are notoriously underfunded. In any case, I hope the IT staff of the hospital reviews this situation and revamps their software to minimize this risk in the future.

The adware makers should all be taken out and shot. They are the immoral facilitators and the ones who should take the most blame. They are the modern day equivalent of drug dealers. They didn't kill the person taking their drugs, but they knew it eventually would come to that, and they never stopped selling. They put all the risk for the crime on the students, knowing full well they could get caught, and that someone else's computer system would be seriously damaged. Something very gruesome and painful should befall them, before execution.

Re:At fault: all three (0)

Average_Joe_Sixpack (534373) | more than 8 years ago | (#14699639)

In any case, they are a hospital that appears to be running Windows to control their sensitive security systems.

This should be the key point of the story. If you are using what is essentially a consumer grade tool for a mission critical application, then you should be held liable. At least this seems to apply to almost every other industry where lives are on the line.

Re:At fault: all three (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14699667)

"In any case, they are a hospital that appears to be running Windows to control their sensitive security systems. Bad choice, and that alone warrants one finger pointed at the hospital, if it's true."

What utter tripe. There exist so many programs that *ONLY* run on *WINDOWS*, it isn't funny, especially in the medical field.

Oh, right, software communism hasn't developed alternatives, because medical software isn't 'sexy' like yet another unnecessary window manager.

there's an old saying in seattle (1)

jefe7777 (411081) | more than 8 years ago | (#14699564)

a seattle hospital administrator was overheard mumbling:

"There's an old saying in Seattle -- I know it's in California, probably in Seattle -- that says, fool me once, shame on -- shame on you. Fool me -- you can't get fooled again!"

Blame game (0)

Anonymous Coward | more than 8 years ago | (#14699569)

I'd blame the mind control parasites

shameful suggestion (3, Insightful)

jdwclemson (953895) | more than 8 years ago | (#14699571)

Is there no end to the chaotic suggestion that the victims are at fault? People SHOULD lock their doors, they SHOULD keep their children from strangers, they SHOULD avoid walking down dark alleys late at night. That doesn't mean they are the ones at fault with the burglar, rapist, or thug attack. When you even suggest the fault lies with anybody but the attacker, you only validate them as being victims of loose security. This breeds contemptible statements such as "it wasn't my fault I killed the man, he should have had a gun to stop me". Absurd? I agree, Zonk's suggestion certainly was.

Obvious answer (1)

McDutchie (151611) | more than 8 years ago | (#14699572)

So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?

All of the above.

DUH!

Re:Obvious answer (1)

jdwclemson (953895) | more than 8 years ago | (#14699601)

It's a hospital ICU. Think about this, a place where people are healed! It would appear that if a group of terrorists attacked this same place, you would say that the hospital shared some of the blame, as they were not locked up quite as well as Fort Knox. The BLAME lies entirely with those that break the law with full intent.

Good Ol' Fashion, Still the most reliable (1)

layer3switch (783864) | more than 8 years ago | (#14699598)

"But the Northwest Hospital case played out differently in January 2005. ...[]... Meanwhile, the hospital used some old-fashioned backup systems. When electronic file transfers didn't work, nurses ran the files up and down hallways. When key cards wouldn't work, they stood guard and inspected ID badges themselves."

The paging system didn't work and it could have cost them lives. That's involuntary manslaughter.

Not sure how those hospitals got infected in the first place (normally they aren't connected to external network), but surely the attackers are clearly responsible.

Instead of punishment in prison, those offenders should learn their lesson by giving sponge bath to elderly men around the clock for life.

Stupid question (4, Insightful)

SmallFurryCreature (593017) | more than 8 years ago | (#14699629)

So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?

Note that what follows below is only based on RTFA which as usual when dealing with mainstream press reporting on tech may be wrong or inaccurate or indeed made up on the spot. Nonetheless based on this I conclude the following.

That the student used zombie computers to install adware software that would then generate 'hits' for the student's account so that he would be paid. He was using computers he did not own to defraud adware companies by generating false ad hits. This is a well-known fraud dealing mostly with pay-per-click style ad schemes.

So who takes blame here and for what? Funny enough that the 'question' left out the first and most obvious culprit.

  • Microsoft for creating an OS that never bothered with security. How do I know it was Windows that was hacked? Because everyone knows just how many ad programs there are that run on the various Unix-like OSes out there.
  • The hospital for not buying proper software, anything not made by MS, and not properly securing their infrastructure. Yes criminals are to blame for breaking in but you should still lock your house.
  • The adware companies really ain't to blame that much. They are the victims here. The only blame they share is like with the hospital in that they do not properly secure their operations to guard against fraud. But since they are the ones who lost money by paying for fake advertising they are the victim.
  • And finally the student. Well it is clear he is a criminal, he took computers that did not belong to him and used them to defraud a third party (the ad companies) for his own personal gain. He is not just some hacker who got caught playing around, he was doing it for the money. I doubt very much he is in fact a hacker, more likely he just used readily available tools to do the work for him. This makes him a simple criminal.

I am amazed that MS was not mentioned as one of the culprits. How often does their software have to lead to crap like this before people will finally ban it for any serious use. Would we accept a hospital that used say oxygen bottles filled by the local scuba diver club? Use alcohol produced in someone's bathtub?

I would very much like to hear that the person responsible for that hospital's computer systems is fired and never allowed to work again. Yes the student is the criminal here who deserves jail time but a sysadmin who installs Windows deserves the chair. And yes I would be happy to throw the switch. Hell I would be happy to pedal on a bike to generate the electricity.

If I sound a bit biased against MS it is because I have once again been drafted in working on some piece of crap MS setup because some MSCE idiot made a nice sales pitch. Why don't you just put a sign on your server "Own me!" and be done with it.

Re:Stupid question (1)

layer3switch (783864) | more than 8 years ago | (#14699685)

"the person responsible for that hospital's computer systems is fired and never allowed to work again."

I would do this with grandstand fashion.

"You'll never work in this town again!" .. then the ex-sysadmin walks away with empty saddle dragging against the dirt into the sunset... The camera zooms into a stranger's face and he says, "There is a new consultant in town."

Re:Stupid question (1)

maxume (22995) | more than 8 years ago | (#14699822)

The student is to blame. He is also the culprit. Everything you mentioned is something that the hospital/providers could have done to help prevent the student from carrying out his actions.

It isn't a great idea to leave your car doors unlocked in many places. It still isn't your fault when something gets stolen from the car. Sure you could have prevented it, but the damn thief is the one who is to blame.

This is pretty much why we have laws, 'you could have stopped him' is how anarchy works, and you damn well better be able to stop them.

Re:Stupid question (1)

timmyf2371 (586051) | more than 8 years ago | (#14699831)

What nonsense.

Sure, Microsoft should be producing secure software - especially with their R&D budget and the amount of talent they have.

However, to believe that they're liable for an illegal crime committed by two greedy students wanting more money is nothing short of preposterous.

There's no reason to be susceptible. (-1, Flamebait)

CyricZ (887944) | more than 8 years ago | (#14699650)

These days, there's only one reason why a network is susceptible to spyware: the use of Microsoft Windows.

It's also well-known that the best way to avoid spyware is to not use Windows. Thankfully, alternative systems like Linux, Mac OS X, *BSD, and Solaris, among others, are available (and often for free).

Now, if for some reason a particular application requires Windows, the safest thing to do is to not connect that system to a network. At least if it does get infected, it will likely keep the infection contained.

Of course, the proper use of firewalls and other security devices is a must. Proper routers will effectively deal with the excessive network traffic such malicious software might generate.

We know exactly what the problem is. We have multiple methods of effectively dealing with it, if not preventing it outright. Thus there should never be a reason why a computer, let alone a network, becomes compromised by spyware. It's a totally preventable situation.

Re:There's no reason to be susceptible. (1)

AdamD1 (221690) | more than 8 years ago | (#14699897)

I am not a doctor, nor do I work in the medical field. However I do know people - people in Seattle even - who do work in that industry.

While it's very easy to say something like "Just don't use Windows / Microsoft products" on a site like Slashdot, that statement ignores a rather obvious issue. Exactly how much professional-level medical software is out there for Mac OS? Or Linux. I can tell you the answer to that. Zero. None. Most hospital patient tracking systems originated on DOS and then Windows computers. These are industry standard programs and have been the baseline software for the medical industry for something like 20 years now. You don't just say "You should ditch Windows, that's irresponsible of you." Take a second and think of how long it would take to switch over just one hospital to a new OS and having the appropriate software running to take care of things like patient history, billing, insurance tracking, vendor management, security, etc. Now keep in mind that hospitals all around the world - not just the US - have a well-established software base that runs on, you guessed it, Windows and it becomes a bit more difficult to just tell a hospital (an industry) "Stop using M$ products."

If a patient moves from Seattle to Los Angeles, their new doctor is expecting the exact same types of files on that patient, readable by the same software. So is that patient's insurance company. So are paramedics who may need to quickly assess a patient's history for things like drug allergies, etc. So are pharmacists.

I agree that Windows is a non-secure and a horrible environment to open to the Intarweb, but let's be honest here. An individual can make the decision "I hate M$ office etc. and I want something better." (And they should.) A professional industry could say that but it's a lot harder to implement that kind of change. And I doubt anyone could easily suggest alternatives at this stage. Maybe that's a good point, though. Industry-standard software of a highly professional nature *should* probably be created for an OS like Linux, or OSX, or anything besides just windows.

I'm being horribly general here but it's not a simple thing to solve just by wiping a hard drive and putting a shiny distro of Debian on instead. How that system is used besides its networking security features is a much bigger deal than protecting against any misguided adware infection. There are known ways of protecting a Windows system and they should be employed.

ad

Who is really at fault? All three! (0)

Anonymous Coward | more than 8 years ago | (#14699661)

The student, who caused all this, should be taken out and shot. He's a degenerate menace to society. There is no excuse for what he did.

The hospital, who should've secured their networks, should get a severe scolding and should be required to have thorough security audits once a year - minimum.

The adware company, who are the fuckheads that provided the technology for this idiocy - and who certainly don't have good intentions .. should be fined. Severely. Hopefully so they go bankrupt.


and the answer to who's at fault is... (1)

v3c7r0n (924749) | more than 8 years ago | (#14699692)

ALL OF THE ABOVE! *gasp!* that's right! ALL OF THEM! Here's why:

Student - Aside from the obvious, exploiting other people's machines for things is one thing, but exploiting machines in a HOSPITAL is a horse of another color, in addition to him trying to exploit whatever "incentive" offer he was using that is, which is probably against their TOS

The hospital - I severely hope someone in that hospital's IT dept. got a whole series of books on network security shoved up their ass, because if they had secured their network, this wouldn't have happened (at least to them)

Adware companies - Anything that installs software just to try to sell you stuff is akin to the bastards that call you at the worst possible times, like when you're about to eat, get in the shower, go to sleep, etc. the only difference is you can add your number to the national do not call registry and thus make it illegal for them to call you, but with computers such is not the case. In addition they ought to know that if they offer "incentive" programs, that people will constantly be looking for ways to exploit it to get more money than they ordinarily would (example: that program (the name escapes me) where you used to get paid for leaving a banner up on your desktop that displayed ads, and the people who registered 12 different accounts and ran 12 copies of the thing on their machine while they were at work or asleep just to get more money) and if they didn't offer them to begin with, this wouldn't have happened.

Personally I think anyone who writes adware for a living should be summarily executed for crimes against humanity. I am getting really sick of having people ask me to fix their computers because of these bastards' handiwork which people who simply don't know anything about the dark corners of the internet (and I don't directly mean pr0n) where all that lovely little spyware and adware seeps into your computer until you wonder why it takes 10 minutes just to open notepad.

End of Rant

Re:Student's Fault (3, Insightful)

loraksus (171574) | more than 8 years ago | (#14699850)


The students, clearly.
Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.


The difference is that Colt doesn't pay people to fire their pistols in public. Now, this doesn't absolve the dumbass of any responsibility, but it sure as hell makes the adware company an accessory. Seriously, they didn't think anything was going on when someone gained 50,000 PCs in a couple of weeks? They knew and didn't give a shit because they were paid even more money by the people whose "content" (read: shit) they were serving up.

Kneecap 'em both (yes, there are more than 2 people involved) - and I mean this quite literally, this sort of shit would get nipped in the bud quite quickly if we went IRA on them and used a Makita drill (or would it have to be Black and Decker, you know, for the whole "made in America" thing.)
A couple hundred companies should also be knocking on the adware companies' doors, "politely" asking for a refund and leaving letters from their lawyers.

And, to be quite honest, a couple sysadmins also need a kick in the ass with a steel tipped pointy boot. Why would your keycard system be connected to your network, especially in a hospital situation? To say nothing of the fact that the pager system got owned (from what I understand, pagers are sort of important to doctors in hospitals) and it seems that pretty much everything was disrupted because ~15% of their computers were infected.
Not blaming them for the attacks, of course, but let's be serious, this was a pretty big screwup on their part. Then again, given hospital politics, it probably wasn't the sysadmin's fault, but a department head who has no training in IT, but does everything Toilet and Douche tells him to do.

Finally, if by some small chance, Christopher Maxwell is reading this, I can only hope that in 15 years you will remember your job at WalMart and recall how it was the best job you ever had.
Don't drop the soap, bud.

Re:Student's Fault (1)

The MAZZTer (911996) | more than 8 years ago | (#14699898)

Good point with the Colt example, that hadn't sprung to mind for me.

it probably wasn't the sysadmin's fault, but a department head who has no training in IT, but does everything Toilet and Douche tells him to do.

From what I understand most companies have a Chief Information Officer or equivalent position whose job is to look at Information Technology and determine how it can be used to help the business.

So, there probably IS someone at the hospital who is responsible for making sure that what just happened couldn't possibly ever happen. Guess who probably got fired.

Felony murder, anyone? (1)

crc32 (133399) | more than 8 years ago | (#14699855)

Did any ICU patient die during the attack, for any reason? If so, then the prosecutor should look to see if the death was perhaps quickened by the attack itself. Felony murder may be on the table for these meat bags.

Hospital isn't clean either... (1)

Eternal Annoyance (815010) | more than 8 years ago | (#14699864)

While the student attacked the hospital (and he should be glad he got away with conspiracy and not attempted murder), the hospital is at fault for using an insecure system where a secure and STABLE system should be in place. The hospital deserves to get sued.

Easy question (1)

fleener (140714) | more than 8 years ago | (#14699870)

We're in a pretty 'ucked up world if someone has to ask who is at fault. Lock him up.

Before you blame the admins... (4, Insightful)

NorbrookC (674063) | more than 8 years ago | (#14699909)

Yet another slashdot thread where everyone immediately starts screaming "Linux!" "BSD!" the second they hear the term "security breach". Of course, it'd be nice if there were actually a lot of applications for healthcare that run on those OSs - which there aren't. OSS is pretty thin on the ground when it comes to this field.

Why don't you look and see what's involved in hospital IT? I've been there, and it's a major headache for admins. You have administrators who don't really know much about computers and doctors who are frequently the biggest prima donnas in the world when it comes to getting what they want, in a corporate culture which caters to them.

Add in software developers who frequently have no clue as to what's actually needed, how to make a useable UI, and how information flows in a healthcare setting. But they have a hell of a sales pitch to the doctors and administrators, and you're the one who has to make it work.

Now try to secure it. Really! Wait until the first time Doctor X decides they're going to install their personal software on the workstation. Never mind that supposedly they're not allowed to do that - they'll do it anyways and then scream at you when you take it off. Take a wild guess as to who the hospital's going to back!

It's easy to blame the IT people, and the use of Windows, here. Wrong, but easy. They picked it up pretty quickly, and dealt with it. I'm sure they'd have loved to have more control, but unfortunately it's a question of what you're allowed to do, not what you want to do.
