Microsoft Is PISSED OFF At The NSA Over WannaCry Attack
from the as-it-should-be dept
So, for about a day, Microsoft followed the usual course of action concerning the WannaCry malware that made the rounds last week. As we noted, this ransomware/attackware was built off some leaked NSA exploit code utilizing a vulnerability in Microsoft Windows... that the NSA failed to tell Microsoft about. Microsoft had actually patched it a few weeks prior to the code leaking online via Shadow Brokers, but, still... the NSA is supposed to disclose most of these vulnerabilities, rather than hold them for offensive use (that's the theory, at least).
Microsoft did its standard "no comment" bit for a day or so, but then on Sunday, its President and Chief Legal Officer let loose on the NSA for its failures that resulted in all of this happening. First, it officially confirmed what people were saying about the code being built off of leaked NSA code:
The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States.
The post does a good job discussing what Microsoft is doing about this and what it means, but then has this:
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.
Whatever you might think of Microsoft and privacy and such, in the last few years (in part thanks to Smith's focus on this), it has been really good about pushing back on government surveillance and interference. This blog post seems to be the next step in that effort. I'm sure that plenty of readers here have a reflexive dislike of Microsoft (no need to express it in the comments, we know already), but the company has been taking a strong stand against excessive surveillance and other efforts to weaken the public's security. Calling out the failures of the intelligence community in not disclosing these kinds of vulnerabilities is another good step, and it's good to see Microsoft make such a clear statement on it.
Filed Under: exploits, nsa, ransomware, vep, vulnerabilities equities program, wannacry
Companies: microsoft
Mostly...
Trust me, if this was a Mac thing, Microsoft would be quietly whistling and walking the other way.
Microsoft doesn't care about security -- only reputation damage
And if they really cared, they would have coded, tested, and issued patches for Windows XP -- with an estimated 150M systems still in the field -- at the same time that they did for current Windows versions. But they didn't. See: https://www.itwire.com/open-sauce/78090-ransomware-microsoft-can-no-longer-claim-to-be-proactive.html
AND if they really cared, they wouldn't be calling for government-discovered vulnerabilities to be given only to vendors: they'd be calling for their immediate full public disclosure. By trying to keep them private they're not only trying to conceal the extent of their well-known incompetence and negligence, but they're creating the perfect conditions for a black market in vulnerabilities.
The only thing Microsoft is pissed about is the possible loss of profits.
Re: Microsoft doesn't care about security -- only reputation damage
If you sign a big enough contract they'll give you the source code (under an NDA), and you can peruse it to your hearts' content.
Re: Microsoft doesn't care about security -- only reputation damage
I think you need to have your head examined.
Re: Re: Microsoft doesn't care about security -- only reputation damage
Not really. The other companies like Ford you listed don't forbid people from modifying the products they bought. They can't legally stop me from distributing information about how to change those products.
Re: Re: Microsoft doesn't care about security -- only reputation damage
First of all, if you bought a computer in 2006, it came with XP. You can't start counting from the release date of XP; you have to start counting from when they released the *next* product, and that was Vista in 2007.
But as to the meat of your analogy: In 2009 Ford issued a recall that affected models as far back as 1992. So yes, as a matter of fact, they DO go back that far for serious defects.
Source: https://www.cars.com/recalls/ford/
Re: Wow, so according to your theory if I bought a Ford in 2001 they should still be providing me with free service for the car.
But with property rights come property responsibilities. Therefore, Microsoft should have to accept those responsibilities for as long as they claim those rights. If their property is causing a nuisance to others, then it is their responsibility to fix it.
Since I believe copyright terms currently last 90 years in the US, that seems a reasonable interval to continue to expect updates to Windows XP.
Re: Re: Wow, so according to your theory if I bought a Ford in 2001 they should still be providing me with free service for the car.
This should be a serious proposal: you should be required to provide security support (et cetera?) for software, for as long as you claim IP rights over it which would prevent anyone else from providing that same support.
Announcing end-of-support for a software product should be read as implicitly releasing IP rights over that product.
Re: Microsoft doesn't care about security -- only reputation damage
If so I think you need help.
Re: Microsoft doesn't care about security -- only reputation damage
The WinXP patch released last week wasn't a new patch they had just created, it was a patch they'd created in February.
Therefore they did create a patch for WinXP at the same time as they did the patches for other versions in February. They did release it, but only to those who had a paid post-EOL support contract.
The patch details themselves note it was created in February.
So while MS is correct in its castigation of the NSA (and the government), they are also partially to blame as they didn't do a general release of a patch they had created 2-3 months earlier.
Senators Feinstein and Burr Need to Pay Attention
Re: Re: Senators Feinstein and Burr Need to Pay Attention
In order to sell to a foreign government, would {vendor} have to give them the backdoor encryption key, too? Making the product useless for US government use as well.
Who would be left to buy the product?
Re: Re: Senators Feinstein and Burr Need to Pay Attention
A backdoor would have the same scope of problem and magnitude as this one. Just because a backdoor is in place does not mean that other tech will not be in its way to block it. Until March this year, this was a zero-day vulnerability, meaning that anyone who knew about it had over a decade of time to exploit it by now.
Just because this would be less intentional than a back door does not mean it is somehow in a different category, it is not. This case makes a great argument for what any backdoor is going to become if created.
Microsoft
https://arstechnica.com/security/2013/06/nsa-gets-early-access-to-zero-day-data-from-microsoft-others/
Seeing Microsoft rage in 2017 about governments stockpiling bugs is a bit ironic.
Re: Microsoft
Maybe those systems should be on newer versions of Windows, sure. But the reality is, they're not, and probably wouldn't/won't be despite these attacks.
No one comes out clean from this thing. The NSA hoarding exploits, MS not giving a shit and I'd bet almost hoping this would happen to force upgrades, these systems running on Windows versions out of support, it's a clusterfuck.
That not even one of them rises above their egotistical needs to prevent all the harm caused speaks volumes.
Many people have had major issues installing Windows updates in the past, so they make sure they're turned off. Lots of people killed Windows 7/8 updates because they wanted to avoid being forced to install Windows 10 without their permission.
MS has been really bad at separating actual critical updates from other types of changes, so there's no middle ground in a lot of areas - especially businesses where their updates have been known to kill mission critical production systems if not properly vetted. So, they don't rush to install new patches unless they're made aware of an urgent reason to do so.
Part of the reason why some places were still running XP has to do with compatibility issues for certain software and drivers. I can understand why Microsoft wants to get away from supporting such things. But, if they have introduced problems in getting legacy products to run on a new OS, then they're the reason people didn't upgrade to an OS that was protected against this attack.
All kudos due to Microsoft for coming out and saying what they have here, and taking a stance against the NSA (although a large part of that is probably self-preservation rather than altruism). But, they have to recognise that their own actions, not just recently but over most people's experience with their products, have led to everyone being less secure. Saying they released a patch a couple of months ago is no good when the reason why the patches weren't applied on so many machines is because of their own historical behaviour.
Re:
If that isn't clear, then consider that all of the systems affected by this could have just as easily been wiped. Or compelled to create corrupt/incomplete/useless backups, and THEN wiped. Or had all their data siphoned out, THEN the above.
The only reason that this isn't far worse is that the attackers have refrained from causing even a fraction of the damage that they could in favor of attempting to monetize the problem. That's a shift, as Aitel observes, from the strategies of ten or twenty years ago. But it's not been compelled by anything Microsoft has done: their "security" is still nearly entirely composed of PR, which is why things like this keep happening on a regular basis.
And frankly, there's no reason for them to do anything else: PR is cheap. Robust security engineering is expensive. So why bother with the latter when huge numbers of people will accept the former as a substitute?
Re: Re:
"Or had all their data siphoned out, THEN the above."
Do we know this hasn't already been done for sure? I would presume this would be the next step for encryption attacks if not.
Re: Re: Re:
So in this present instance, we can hope that wasn't done. We can hope that if it was done, it was detected. We can hope that if it was detected, it was stopped. But now we're quite deep into the realm of wishful thinking.
And as if this isn't bad enough: I believe it was Bruce Schneier who said, a while back: attacks never get worse; they always get better. So while there's already been considerable analysis dealing with the somewhat amateurish aspects of this particular attack, we can absolutely count on the next one, and the one after that, and the one after that, each being successively better than its predecessors.
Re: Re: Re: Re:
Absolutely. There's already a version in the wild that removes the killswitch that was accidentally discovered and used to stop the majority of the attacks that started the whole thing off. The only reason we didn't see everything suddenly get reinfected is because the route it took was so well known so early on and action was taken to close that hole up with existing patches.
Next time, we probably won't be lucky enough to have it happen due to a well-known leaked tool that exploits a hole that already has a patch released... and that's the best case scenario compared to what they might do other than merely demand a couple of hundred in bitcoin.
Re:
Has it really?
It's been my experience that the latest version of any software (program or OS) is always hailed as the most stable and secure, but is quickly demoted to "bug-ridden, insecure, pile of shit" status after a couple later versions are released. A decade from now, people will be talking about how insecure Windows 10 is and why nobody in their right mind should still be using it.
Re:
No, Windows is a uniquely insecure beast.
Re:
Doubtful. First of all, as you mention there can be a lot of variation between distros. This would work against the issue becoming quite as widespread. Unless the bug in question is present in the base kernel or a core package used across the board, it probably wouldn't be present across all major distros. You might get something that attacks X number of Ubuntu versions or Samsung handsets over Y years old, but you won't get "every version released in the last 17 years" as happened here.
Then, there's the attitude of both the OS and the typical user. They not only tend to be far more security conscious, but they haven't been burned by shoddy update cycles like Windows admins have. That means that the patches to block the spread of this are much more likely to be in place. From my experience, mostly *nix-based operations tend to have better design from a security point of view than 100% Windows shops, both on the network and internal OS security sides.
Something else worth pointing out here - Microsoft's own engineering team has advised heavily against using SMB v1. This is the protocol that's been used by WannaCry to spread internally through affected networks. A protocol that's decades old and has been superseded by v2 and lately v3, and largely left open due to defaults and legacy compatibility.
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
Different distros would react against such advice in a number of ways, ranging from issuing their own warnings and patches to removing it completely from newer versions. They're not all perfect, of course, and some would be hit more than others. But, they wouldn't take the monolithic approach taken by Microsoft here.
Now, obviously, none of that is to say that it couldn't happen at all, but it's far less likely to happen with such extent on Linux - in part due to the distros being as fragmented as they are.
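As an added example (not code from the comment above or from the linked Microsoft post), the following PowerShell audits whether the SMB1 server and client components that WannaCry spread over are still enabled on a Windows host and switches them off. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later for the Smb* cmdlets and the SMB1Protocol optional feature, with the registry and sc.exe fallbacks Microsoft documents for older systems; the function names Get-Smb1Status and Disable-Smb1 are my own.

```powershell
# Added example: audit and disable SMB1 on a Windows host.
# Assumes an elevated PowerShell session. Cmdlet availability is checked so the
# audit degrades to registry reads on Windows 7 / Server 2008 R2.

function Get-Smb1Status {
    # Returns one object describing where SMB1 is still switched on.
    $serverEnabled = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverEnabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Pre-Windows 8 fallback: LanmanServer\Parameters\SMB1 (absent or 1 = enabled).
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -Name SMB1 -ErrorAction SilentlyContinue
        $serverEnabled = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }

    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # The SMB1 redirector (client) is the mrxsmb10 driver; Start=4 means disabled.
    $client = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                               -Name Start -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = $serverEnabled
        Smb1FeatureState   = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }
        Smb1ClientDisabled = if ($client) { $client.Start -eq 4 } else { 'DriverNotPresent' }
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Server side: stop answering SMB1 negotiation. This is the surface WannaCry
    # used to move between machines, so it is the change that matters most.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server protocol')) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Windows 7 / Server 2008 R2: registry value, takes effect after a restart.
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                             -Name SMB1 -Type DWord -Value 0 -Force
        }
    }

    # Remove the optional feature entirely so a later config change cannot re-enable it.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SMB1Protocol optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    # Client side: drop the workstation service's dependency on the SMB1
    # redirector and disable the driver, as the Microsoft guidance describes.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 client driver (mrxsmb10)')) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

# Usage: audit, preview the change, apply it, then re-audit.
Get-Smb1Status
Disable-Smb1 -WhatIf
Disable-Smb1
Get-Smb1Status
```

A reboot is needed before the client-side and registry changes are fully in effect, and a host that genuinely depends on an SMB1-only device will lose access to it, which is the legacy-compatibility trade-off the comment refers to.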
Re:
Your mono culture solves nothing.
Re: Re:
Both parties claim they are for a balanced budget, but never create one, regardless of who is in power.
Both parties claim that they are against corruption, but employ and encourage it within both of their voters and political processes regardless of who is in power.
Both parties claim to care for the common person and minorities, yet more and more become poorer.
Both parties claim ethical & moral superiority over the other yet both are in the news every day over very visible ethical and moral decrepitness.
They really are the same, they just disagree on how best to fool people like you and get your vote. A wise person judges by the fruits of their labor. Bush created DHS and the Patriot Act, Obama wasted no time with employing them for his own use as well.
I sit and watch as both corrupt and dirty parties lambaste the other for the very sins they wallow in themselves! They are the same, they produce the same inequality, they both serve big business, they both think you need to be ruled over, they both do not care about you, and both are surrounded by power and wealth of the likes you do not even understand but can only dream of.
They ARE the same, they just disagree over the details of owning your silly ass!
Re: Re: Re:
Owning a silly ass or fooling people is not all that difficult, just look at Trump. But getting the willing and enthusiastic public cooperation is very difficult as opposed to using force. I doubt you can see the difference.
Re: Re: Re:AMEN
Re: Re: Re: Re:AMEN
/s
Linux
Then again, some people are hell-bent on having some ancient system running. "Our door controls only work with RedHat 4" (even if they don't, but they were only certified for RH4). And these would be exactly the same shops that would do things like running Windows XP.
And don't even get started with Android. Now there's a lot of systems out there having the same vulnerabilities and are not updated any more.
Re: Linux
And that very same fragmentation is what will keep Linux from ever becoming mainstream among average users.
Re: Re: Linux
People would complain if their choice of car was limited to one model, yet they complain when given a choice of paint job and control layout in an operating system. This is strange, given that upgrading Windows to a new version can cause more problems sharing files than a choice of Linux distro is likely to cause, outside of sharing with proprietary applications, where the newest version often has an inbuilt compatibility problem with earlier versions unless an earlier format is chosen; which is often deliberate, to encourage people to buy an upgrade to avoid sharing problems.
Re: Linux secure
However, it's still too big...and it's still insecure.
The right question is, in the face of inevitable failures in both hardware and software, and absolutely *huge* amounts of complexity, how do we return ownership of computers to the people nominally in control of the machines?
That is, why the ***@#! is any program so unsafe? How do we make such programs safe?
Re: Re: Linux secure
You can't from an information processing perspective.
All the computer cares about when doing a check is whether or not the set of bits matches another set of bits, and only for THAT SPECIFIC CLOCK CYCLE. Afterwards it's made its determination and moved on, fetching more code from either cache or RAM to decode and execute. Even the fastest computer in the universe would be susceptible to a well-timed ToC / ToU bug. Assuming you can predict (or control) the chosen code path, you can modify it in memory on the fly. Nothing you do will change this fact. It's one of the most basic concepts for a state machine. You can guard against these attacks (NX-bit, IOMMU, etc.), but in the end if the code is modified in memory prior to execution, but after any and all verification, an attacker will gain control of that context.
Re: Re: Re:
So even when most of the world's servers are running Linux (which they do), which ones are you going to target? Answer: The 20% running Microsoft products. Because it's still the biggest uniform ecosystem.
It's like the music charts. The hits on top might be the lousiest miserable excuse for music there is, but if its 15% market share is the biggest, it's still the financially most interesting segment. You get the most market penetration for the least amount of effort. It's also why pop (and Windows) sucks ;).
Re: Re: Re:
Why spend time attacking desktops, when you can cause much more damage and demand much more money from those using servers, a great deal more of which will be running Linux?
This kind of attack, at the moment, is going after low hanging fruit (Windows desktop users who don't update regularly through choice or ignorance). Once they've refined their tactics, they'll almost certainly go after higher value targets. Unless the inherent diversity and awareness of the Linux environment means it's still more lucrative to go after the low hanging Windows users, of course.
Re: Re: Re:
Yes, the IoT, running Linux, is often vulnerable, but usually due to bad security practice, like baked-in logons, default passwords etc., rather than an easily used exploit, and it only impacts one manufacturer's products.
Re:
The most obvious thing to point out is that Linux is far from the only open-source operating system. The BSD family and others offer open-source alternatives that are also peer-reviewed. And in particular, OpenBSD has been repeatedly audited in exhaustive fashion with an eye toward not only removing possible security vulnerabilities, but even removing code that's dubious or disused.
The second thing to point out is that you're conflating Linux (the operating system) with Linux (the distributions). There are of course a plethora of the latter, including quite a few that have been stripped down in order to make them more secure than some of those which haven't. (As always: you don't make a system more secure by adding code. You make it more secure by removing code.) In other words, the Linux ecosystem isn't monolithic.
The third thing is that the Linux and open source community in general are FAR more responsive to security issues than Microsoft. The reaction time is measured in minutes to hours, not months to years. Vulnerabilities are dealt with pre-emptively on a continuous basis, as careful reading of some of the numerous Linux-centric mailing lists will reveal. And those that are discovered after the fact are triaged and patched very quickly: nobody sits on them indefinitely as Microsoft did here.
The fourth is that there are fundamental architectural differences between the Windows operating system and the 'nix operating systems (including Linux, BSD, Solaris, etc.). Those differences can't be appreciated without a thorough understanding of the design and implementation of both, but the short, short version is that the latter is far more robust.
The fifth is that Microsoft has deliberately and badly undercut the security of Windows 10 by heavily embedding spyware into it. It is, as I like to say, pre-compromised at the factory. This can't be fixed, patched, or worked around: the only way to make the problem go away is to rip it all out, and Microsoft won't do that. So this is, at present, a huge and serious flaw that the vendor has no intention of fixing.
There are more -- many more -- of course. But the bottom line is that while none of these are "secure" in an absolute sense, and none of them are going to be, the 'nix family sets the bar for attackers far higher.
Re:
Just to put an addendum:
Don't take my remark as saying open source is bad. That is far from what I believe.
What I am saying is that we should not take the misguided belief that "if Windows was open source, this wouldn't have happened." (I actually meant my note to be a reply to somebody's post saying that, not as a new thread.)
"Government", perhaps, rather than "Intelligence Community"
This kinda lets governments off the hook: we can refer to the Intelligence Community as distinct from government departments, or Congress, or Parliament, but all these organisations are *part* of their respective governments, and are (at least) supposed to be overseen by them.
They work on behalf of those governments. Because they act in secret, with operational details shared only with specific government officers, it's not really correct to say that they work on behalf of the people: that's the job of the government itself.
So, why should we say "Intelligence Community", when we really mean government?
"The government hoards exploits"
"The government should have brought these vulnerabilities to the attention of the vendors"
"The government failed to protect people's computers by keeping these flaws to itself."
Apologists for deeper and deeper intrusion into the lives of innocent people may find it harder to deflect criticism of these failures if they are correctly called out as government failures, rather than intelligence community failures.
If only we could be this lucky every time...
Sure, a few hospitals and businesses are losing money and some have temporarily shut down, but most of society is rolling on.
Think if the hackers had instead integrated the vulnerability with data gathering tools, or if they had made it into a timebomb that would go off in a few days when it had been spread across the globe.
Instead they chose to loudly post across every computer screen "LOOK AT ME... I HAVE INFECTED A COMPUTER". With the ransomware they made the threat serious enough that people would pay attention.
Even if the dormant timebomb or data leaker had been discovered by security experts and anti malware companies, it would still be a huge challenge to get people to patch the vulnerability because it would be one of those silent problems that are actually the worst, but few people pay attention to.
So they gave a lot of people enough time to patch during the weekend, limiting the spreading potential of any future malware that uses the SMB vulnerability.
I don't know if it was meant as an attack, if it was incompetent hackers who did this for way too little money or if someone is trying to point to the problems of NSA hoarding, but in the end I actually think they did more good than bad.
Either way, I do hope they get caught because they deserve punishment (as well as our thanks).
Re: If only we could be this lucky every time...
And people will have died, or suffered a medical injury, because operations have been canceled and their medical history has not been available.
Re: Re: If only we could be this lucky every time...
Fortunately, I've not heard of any deaths - and I would assume that the Daily Fail or similar propaganda machine would be screaming right now if they could tie a death to incompetent NHS management (while ignoring that it's Tory underfunding that's likely to be a large part of the problem, of course). Fortunately, those rags seem to have been more interested in removing the anonymity of the guy who fixed the problem.
Re: Re: Re: If only we could be this lucky every time...
Good luck to him, though. He did a good thing, bless him. If anyone here knows him, buy him a drink!
Re: Re: If only we could be this lucky every time...
My point was that it could have been much, much worse.
Re: Re: Re: Re: If only we could be this lucky every time...
This is not about money, but the whole infrastructure that we rely on to save us in an emergency.
This one was dangerous, not because of the ransomware, but because of the spreading potential in the vulnerability.
I do feel sorry for those who have suffered, but I still think that we were lucky.
Re: Re: Re: Re: Re: If only we could be this lucky every time...
Fortunately, this was the NHS that got attacked so that's not a consideration for its patients. Some identity theft or other issue might be of concern, but patients won't be worrying about a bill for their care.
"How much chaos could be caused remotely from someone on the other side of the planet?"
Well, one corporation not fixing its stuff and one government exploiting their mistake has led to attacks in over 150 countries in this instance.
"This is not about money"
Actually, I think it was. The relatively low amount demanded and the spread of the targets suggest to me that they just scanned for vulnerable systems and tried to demand an amount ($300) that even individuals would be able to cover. I think they expected to quietly get a lot of little $300 payments, not bring down healthcare institutions.
I don't think that the NHS and other affected institutions were deliberately targeted. We may not be so lucky next time, of course, but I don't think that was it in this case. They just wanted to get a nice payday from the tool they obtained before it became ineffective.
Re: Re: Re: Re: Re: Re: If only we could be this lucky every time...
I was trying to elaborate on my comment about how a hypothetical major data leak would be worse than what we have seen so far from the ransomware.
"This is not about money": was meant to explain that my comment was not directed towards money versus lives.
My first comment was always about the fact that it could have been a lot worse and had a lot more victims if someone had wanted to do that. This is why I am thankful that it was "just" a ransomware attack. It showed us how vulnerable we are in a loud and noisy way that forces people to actually do something. We have seen before how security experts have tried to gain attention for a severe threat only to be ignored because it wasn't visible enough.
It is clear now that many have ignored this SMB vulnerability from the time it was released very publicly up until now.
Re: Re: Re: If only we could be this lucky every time...
Re: Re: Re: Re: If only we could be this lucky every time...
Re: If only we could be this lucky every time...
https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack
If this had not been discovered, or a different method of disabling was used by the attackers, this could have been a lot worse across the world.
Re: Re: If only we could be this lucky every time...
Actually, they play both sides
See, it gives the Intelligence community a huge out. It conflates leaked information with a missile being stolen. It in a sense adds blame to wikileaks too. So, a person on the side of the 3 letter agencies will read this as blaming wikileaks, and that this is just another reason that anyone associated with wikileaks should be locked away, because see what they did! It's their fault people know about it, not our fault for using the tools at our disposal! Let's make sure there can never, ever be another whistleblower, even legit ones!
But at the same time, they also start with complaining about stockpiles and end with state actors, which to normal people means the NSA and CIA, which are named. But the NSA and CIA read this in order. And if you read it, it only implicates their names at the very top. It then goes on to blame hackers/leakers, then call out state actors and organized crime, and then mentions other countries. So, they can read this as "See, these are the countries that are abusing it, we HAVE TO do this, it's the new cyber cold war, we have to be ready". By the end, the key that the US Intelligence is an issue can be easily glossed over by people who don't want to accept that, and focus on other parts.
It's craftful writing. Put the hard part in the beginning, but near the end give a higher view, so it doesn't tick them all off.
The key is that in all this, it's everyone else's fault. There is nothing about them trying to work on their patch methods, especially since, again, THIS was patched earlier, so clearly the issue wasn't communicated to end users and IT staff all that well, now was it? Was there a campaign by anyone at MS to say "hey, wait, see, this leak over here is bad, update all your computers with these patches, just to be safe"? It doesn't feel like there was. It was another attempt at security by obscurity, or by ostrich effect. And like those attempts always do, it burned them.
It seems almost no software is bug or exploit free, at least not modern software. The fact is, that means more vigilance, which admittedly is costly for small coding groups. But especially for OS vendors, who need to accept their own responsibility for issues, and focus on fixing some basic communications. I agree a cyber Geneva convention would be great.... but that doesn't fix people not installing patches, now does it? And that is one of the core issues here.
So, good job whoever wrote that PR, it was masterfully done. But bad job with deflection instead of admitting there was a role in it for themselves.
Re: Actually, they play both sides
Why would you say that? Are you just misinformed or are you doing propaganda against Wikileaks?
Because the exploit ETERNALBLUE was leaked by the Shadow Brokers. https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/
Re: Re: Actually, they play both sides
1. It is the 3 letter agencies stockpiling
2. It is theft, like a missile, done by bad people, and they were helped by wikileaks
3. It is because of bad "other country" state actors.
Basically: "it's not our fault, it's everyone else's".
I am well aware of what happened. I think that wikileaks has shown many times that accountability and openness are lacking, but then again, this has always been the case. Some could make the argument that they went too far by releasing this source code, but I don't actually subscribe to that theory, or that they shouldn't have done expose after expose.
So, either you read what I said wrong, or you are looking for an argument that doesn't exist. I was merely opining how cleverly written this PR was, as it kind of gave them an out against pissing off completely either side.
red herring
Re: red herring
They actually fixed windows update for win7, but it does mean that the shipped version is incompatible (well incredibly slow) and you have to download a security rollup (from July/August last year?) to get it going.
take comfort in the fallacy
if it's man made, it's already BROKEN
keep trying
Re: take comfort in the fallacy
Re:
Whose side are they on, anyway?
Re: Whose side are they on, anyway?
Re: Whose side are they on, anyway?
This is just a guess, but I think that the view of the NSA/CIA/etc is that it's merely ordinary criminals that use exploits against civilians, while the government agencies use those exploits against terrorists and especially bad criminals, so the "greater good" is served by acting the way they do.
Deflection and scapegoating
Sure, blame the NSA...
...even though the NSA actually informed Microsoft in time for Microsoft to release an effective patch for this critical vulnerability. And Microsoft in fact did release the patch in time.
But Microsoft chose to only make such patches available to those versions of Windows that Microsoft wants people to use, and to those computers whose owners haven't (often couldn't) "upgrade" to the newer product, but who are willing (and able) to pay significant additional fees to receive the same patches that Microsoft has already released for more recent iterations of their software.
Microsoft already had the patch, even for Win XP, but only relaxed their control when the disaster became sufficiently grave and sufficiently embarrassing. Now Microsoft is vigorously casting itself as "the good guy" and slyly directing the blame and attention to other parties.
It seems to me that Microsoft is speaking out so strongly chiefly because Microsoft hopes to divert awkward questions, and to shift attention away from its own significant role in creating this mess?
Why yes, I will blame them
...even though the NSA actually informed Microsoft in time for Microsoft to release an effective patch for this critical vulnerability.
The NSA only informed Microsoft after the exploit was made public. Not when they had it in their box of 'toys' for years, not when it was originally copied from their servers and they knew someone else had it, they basically waited until the last minute before bothering to tell MS 'So yeah, you might want to get on patching this exploit now that we know someone else has it.'
If MS was aware of the exploit beforehand, knew it was a serious problem and ignored it then sure, they've got some blame coming their way as well, but the NSA did know about the exploit and only bothered to tell MS once it became a moot point so they absolutely deserve a heaping portion of the blame for their inaction.
Re: Why yes, I will blame them
Even though Microsoft ended security support for XP some time ago, they've continued to make and distribute patches for XP variants which were sold under other names; people have found ways to modify the XP Registry to trick it into accepting those patches, and they install and run without apparent issues as far as I've heard.
The claim I see being made here is that Microsoft should not be restricting those security patches to only the private release channels of the companies which pay it to support those other-name XP variants; they should be releasing them publicly, just as they had done for years.
The only reason that Microsoft isn't doing that, as far as I can see, is as a way of trying to push people off of XP and onto newer Windows.
Re:
Re:
Re: Re:
Perhaps it is a silver lining sort of thing, in that the good part, although not intentional, outweighs the bad.
Or possibly it could be a schadenfreude situation where the greedy ass gets their comeuppance.
idk, seven deadly sins ... greed is one of them.
Re:
Microsoft is pissed off at Free Software (freedom software), ie, GNU/Linux.
Microsoft only cares about money.
Re:
the days of Microsoft hating open source software (I'm assuming that's what you meant by "Free Software (freedom software), ie, GNU/Linux") are fairly well over, since Ballmer is no longer CEO
Re: Re:
Hmmm, are we in the embrace or the extend part of their SOP?
Re: Re: Re:
That won't help. Part of the problem is that they kind of are treating them like physical weapons, which means that they:
The government sees absolutely nothing wrong with stockpiling guns, missiles, bombs, tanks, and planes. Telling them to treat exploits like physical weapons only encourages the government to stockpile them, sell them, or occasionally just lose track of them.
What the government should be doing is treating exploits as security breaches or manufacturing defects. You don't stockpile holes in the base fence you fix the fucking hole. You don't stockpile vehicles that leak coolant, overheat, and catch fire, you haul the vendor in and tell them to fix the leak.
Security exploits in software aren't weapons like bombs or armored personnel carriers. They are holes in personnel carrier's armor, faulty wiring in bombs that make them randomly detonate.
windows N T beta 1 proves they are lying
100% blame on an OS that did all that sneaky telemetry and update crap.
there is no need of a phone operating system on desktops
they only wanted that cause it would help the already rooted phone industry that cooperates with the nsa ...
so QUIT LYING MICROSOFT
I KNOW THE TRUTH
adlib
( btw windows NT 5 beta 2 was xp )
go see what you can find about it
The "Golden" key
Re: The "Golden" key
If the weaponised payload gets "lost" they should release the antidote or vaccine.
Re:
network security penetration consulting for usa govt
the NSA has a fix for all this
DO NOT KID YOURSELF
and MS KNEW OF IT....
Sword to protect...
The phone just rang...
No, the PEOPLE of the world should treat this attack as a wake-up call.
Re: The phone just rang...
zzzzzzzzzzzzzzzzzzz....
North Korea
*(Don't forget that the U.S. military has an army of online trolls pushing stories favorable to the U.S. govt.)
Re: North Korea
The established narrative is that the NSA found the vulnerability, it got leaked via the Shadow Brokers, and some unknown people used it to build this ransomware.
All the stories about North Korea seem to be saying is that the "unknown people" in question are the North Korean government, not that the earlier stages of the narrative (involving the NSA) didn't happen.
Re:
I thought the NSA lost it. Left it behind on someone else's server?
Re:
Haven't you heard? Copying is stealing!