Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Government Microsoft Crime Security United States Windows

Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com) 324

An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack: Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
This discussion has been archived. No new comments can be posted.

Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r

Comments Filter:
  • by JoshuaZ ( 1134087 ) on Sunday May 14, 2017 @08:48PM (#54416185) Homepage
    Any weapon ban treaty has a problem of detecting violations. If one cannot easily detect violations, one cannot enforce the treaty effectively. For pretty much every nuclear weapons treaty the biggest stumbling block has almost always been verification that people are adhering to it. At least there, there's infrastructure to look at. Trying to determine that governments aren't holding back tiny little files stored away somewhere would be much more difficult. In that context, such a treaty would be unlikely to succeed.
    • by Anonymous Coward on Sunday May 14, 2017 @09:06PM (#54416229)

      House rules:

      - The guy with the gun always wins.
      - Only the government gets to have guns.

      The government only needs to hold up a flimsiest facade that they're "good people", and that's only to keep the house of cards that is the American economy from collapsing into a heap. We're all taught from the youngest age that Mr Policeman is good and you should go to him if you need help. Fast-forward 20 years and you start to understand why you shouldn't. We all need to stop pretending that the government is here for our interests; it isn't.

    • TELEMETRY (Score:2, Insightful)

      by Anonymous Coward

      the spier whinning about spying

    • by Kjella ( 173770 ) on Monday May 15, 2017 @01:20AM (#54416855) Homepage

      Nothing is going to make IS adhere to the real-world Geneva convention either. The point of such treaties aren't direct enforcement, they're to establish a standard for civilized warfare so that you can apply pressure to other nations to join, be able to chastise those who break it and give reasons to impose sanctions, intervene or join the opposing forces. Take for example the treaty on anti-personnel landmines, if you've promised to disarm it would be a pretty big scandal if you were secretly stockpiling and/or deploying them anyway. Assad kills people every day but start a chemical attack and he got a rather swift response.

      If there was a treaty to disclose vulnerabilities in mass market consumer software (because face it they won't give up everything) then leaks like these would show that the US are lying sacks of shit whose words are worth nothing. Being a man of your words and having credibility are very real currencies in international politics. Breaking one treaty would put into question every other treaty the US has signed too. There's no real other force behind it than your own country's promise, there wouldn't be any other direct consequences than a loss of reputation. But that is usually sufficient to do some good, at least it puts a cost on violating it. Today the NSA can just shrug and say they're doing their job.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        "Civilized warfare"

        Sounds like "military" and "intelligence". Two words that cannot be part of the same sentence.

    • As with any law or convention, there's a balance between probability of detection and penalty. Nuclear weapons are an interesting one, because for a small country having nuclear weapons has often been the difference between being invaded by a superpower and not being. The worst-case penalty for not having nuclear weapons is an invasion, the penalty for having them is economic sanctions. There's therefore a big problem in enforcement. Heinlein's (fictional) Space Patrol was a non-national entity that had

  • Why? (Score:4, Funny)

    by nospam007 ( 722110 ) * on Sunday May 14, 2017 @08:55PM (#54416205)

    I don't see it.
    MS tried everything short or threats to get people to upgrade to a secure Win10 version to no avail.

    This will bring millions of new licenses for MS.

    • Re:Why? (Score:4, Interesting)

      by Dunbal ( 464142 ) * on Sunday May 14, 2017 @10:26PM (#54416465)

      secure Win10

      +1 Funny

      You're also ignoring the huge elephant in the room - that Microsoft probably knew about that vulnerability or even better, created it in conjunction with the NSA et al. By the way - WINDOWS 10 ALSO REQUIRED A "FIX". This is not a "zero day vulnerability", it's a back-door plain and simple.

      • Another elephant (Score:5, Interesting)

        by Okian Warrior ( 537106 ) on Sunday May 14, 2017 @11:59PM (#54416691) Homepage Journal

        secure Win10

        +1 Funny

        You're also ignoring the huge elephant in the room - that Microsoft probably knew about that vulnerability or even better, created it in conjunction with the NSA et al. By the way - WINDOWS 10 ALSO REQUIRED A "FIX". This is not a "zero day vulnerability", it's a back-door plain and simple.

        The other elephant is that a lot of very expensive hardware still runs on WinXP (and other less-recent but still old versions), can't be upgraded to the new version, and is too expensive to replace.

        Microsoft will still support WinXP, but basically it means a) they have the patches to prevent malware, but b) they'll only give it to you if you pay them.

        Oh, and the price for WinXP support doubles yearly (someone else said that - don't know if it's true).

        So effectively Microsoft is saying that you have to throw out and repurchase all of your medical equipment, all of your research equipment, and all of your manufacturing equipment - even if it's still working - because they want you to purchase a new version of their OS.

        Oh, and the new version pushes adware on you and installs whatever the fuck Microsoft wants and reboots the system whenever it damn well pleases.

        Yeah, I think Microsoft can shoulder at least *some* of the blame for this.

        • Re:Another elephant (Score:5, Interesting)

          by richy freeway ( 623503 ) on Monday May 15, 2017 @03:45AM (#54417161)

          The other elephant is that a lot of very expensive hardware still runs on WinXP (and other less-recent but still old versions), can't be upgraded to the new version, and is too expensive to replace.

          Microsoft will still support WinXP, but basically it means a) they have the patches to prevent malware, but b) they'll only give it to you if you pay them.

          Oh, and the price for WinXP support doubles yearly (someone else said that - don't know if it's true).

          So effectively Microsoft is saying that you have to throw out and repurchase all of your medical equipment, all of your research equipment, and all of your manufacturing equipment - even if it's still working - because they want you to purchase a new version of their OS.

          Or the manufacturers of the expensive hardware could update their software to work on a more modern up to date operating system, be that Windows 10, Linux or whatever.

          But yeah, let's just blame Microsoft. It's the easy target.

    • Re:Why? (Score:5, Interesting)

      by Dutch Gun ( 899105 ) on Sunday May 14, 2017 @11:16PM (#54416609)

      One of the problems is that MS poisoned any good will about upgrading with their own actions... first by more or less tricking people into upgrading to Windows 10, and second, by making that upgrade (and all other upgrades) less trusted by pushing telemetry as required updates, and by making Windows 10 updates incredibly annoying, disruptive, and on occasion, simply broken.

      I don't blame MS for not writing perfect code, especially older code. No OS used today has zero exploits, so I think it's disingenuous to bash Microsoft with each new bug found but somehow give Linux a pass when the same damned things happen. But I'm sure as hell going to blame them for encouraging so many people to distrust Microsoft's own security patches in the first place, even going so far as to actively block them. That was all because of their OWN tone-deaf policies of "we know what's best for you, so shut up and update. Oh, and don't mind the telemetry we're slurping up. We promise its benign. What? No, there's no way to turn it off."

    • So the blame is 100% on Microsoft. The whole Windows 10 debacle shows that Microsoft's updates cannot be trusted. So the Windows population now consists of mainly two groups: those who could not switch updates off on time (and now never can switch off again because they have windows 10 involuntarily) and those who could switch them off and dare not install anything from Microsoft ever again. Microsoft itself has made terribly sure that updates are not installed if it can be avoided.
  • by Snotnose ( 212196 ) on Sunday May 14, 2017 @09:00PM (#54416215)
    Nobody is perfect, all software has vulnerabilities. Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.

    The fault here lies in our countries TLA's deciding it was better to leave 100% of the country at risk hoping they would be able to exploit a hole before someone else could exploit that same hole against us.

    Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.
    • by TWX ( 665546 )

      Microsoft is not 100% right; they created something with this vulnerability and sold it for a very long period of time. They're patching XP for chrissakes.

      • by ScentCone ( 795499 ) on Sunday May 14, 2017 @10:32PM (#54416489)

        They're patching XP for chrissakes.

        No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?

        • Hard to do (Score:5, Insightful)

          by Okian Warrior ( 537106 ) on Monday May 15, 2017 @12:11AM (#54416717) Homepage Journal

          They're patching XP for chrissakes.

          No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?

          It's hard to stop using a system when it requires repurchasing the $100,000 hospital X-ray machine that it runs.

          Did you think every hospital should just throw out all it's working equipment and purchase new ones? For hospitals in Africa and India as well?

          • But it's not all that hard for the manufacturer of that radiology equipment to port their app over to something like Win 7. Come on, just think about it. Who says you have to scrap an expensive piece of equipment just because you'll have to sort out some DLL issues?
            • by gtall ( 79522 )

              Yes, maybe porting is easy. And...errr...who is going to pay for this port? The hospital already has a running system and security it the manufacturer's job. The manufacturer has already sold the system and won't get any more money for an upgrade in security. MS won't pay because they don't have to. There is no case law that says MS, the manufacturer, or the hospital should pay.

              Now, please go explain to the manufacture why they should update their old software and hand it out for free. I'm sure they'd liste

              • This sort of support from a manufacturer is usually in the support agreements for the hardware. Customers can skip the support packages but it's like buying it used on eBay: might work out ok, but if you'll be pissed if it breaks in 6 months maybe get it from a reliable source. If the hospital is hosed because their expensive X Ray machines depend on outdated computers it is their own fault. Worst case scenario they just take the computers off the network and walk the files to an updated network machine
          • Re: (Score:2, Insightful)

            by Anonymous Coward

            The supplier of that X-ray machine is the one that is negligent. The hospital itself is negligent if it doesn't demand that the supplier supports a supported OS. If the suppliers ignores those demands they should join forces with other customers. They should also isolate vulnerable equipment from the network, and accept any inconveniences that causes as a lesser evil than risking a total shutdown of the machine, or of an attacker taking over the machine, or leaks of highly private data.

            IT doesn't just happe

          • Re:Hard to do (Score:4, Interesting)

            by oobayly ( 1056050 ) on Monday May 15, 2017 @04:43AM (#54417321)

            I read a comment by a guy who develops MRIs - he made a very strong case for why hospitals are stuck using XP. Timing is critical, so simply shoving the controller card into a new machine with a new OS isn't an option as physical damage can be done to the machine.

            However, if an MRI takes an average of 45 minutes, that's only 32 per day if used continuously. If timing is so critical, then it makes sense to keep XP on the controller. But if the machine is critical, then air-gap it, and use removable media. Transferring the data 30 times a day isn't an onerous task.

            • Re:Hard to do (Score:5, Informative)

              by swb ( 14022 ) on Monday May 15, 2017 @06:03AM (#54417535)

              But if the machine is critical, then air-gap it, and use removable media. Transferring the data 30 times a day isn't an onerous task.

              Sounds easy, until you realize that they've been pushing radiology imagery over the network for years and the entire radiology workflow has been designed around this. The machines don't have external media drives, the staff doesn't know how to do this in a way that insures your "nothing is wrong" imagery is associated with your chart doesn't get conflated with the "stage 4 cancer" imagery of someone else, there's just an entire laundry list of shit that has to happen right, be supported, etc.

              I've seen a similar phenomenon in machine shops and metal fabricators where the tooling is controlled by ancient Windows versions and there just is no update for the driver software that isn't a extremely expensive machine upgrade. I don't know how the machine OEMs get away with this, really, but I'm sure at least in the medical field it has something to do with certification and probably there's a similar amount of BS associated with machine tools (ie, the PE signoff required for safety liability includes the entire control chain).

              I have no idea what the solution is short of machine system vendors producing way more of their own code which would make the machines more expensive.

              • Re:Hard to do (Score:4, Interesting)

                by AmiMoJo ( 196126 ) on Monday May 15, 2017 @06:50AM (#54417671) Homepage Journal

                This problem was solved decades ago. VLAN, or even separate ethernet cards. Hardened BSD box in the middle that just acts as a temporary file storage unit. The XP machine has write access only, it can't read files off the server, making transfer a one way process.

                We know how to secure these systems, but people with that knowledge cost money. Maybe there is a market for a box with this set up built in, that can be easily deployed and swapped out by grunt level IT techs.

                • by swb ( 14022 )

                  I don't disagree that the problem is conceptually solved, but implementing the solution so it works seamlessly probably isn't "solved".

                  The vendor that does technical support for the MRI machine wouldn't know shit about the inserted security system and anything and everything wrong with the radiology equipment would be blamed on any third party data connections inserted downstream. Solves a security problem which may seldom be seen for IT, but whenever the imaging system doesn't work right it's now high-lev

              • This isn't Microsoft's problem. This is OEMs racing to get something out the door and get paid, and not giving a shit about after-sales support.

                If you're paying $200,000 for a piece of equipment, maybe read the small print first? Like the stuff that says "We take no responsibility for keeping this hastily cobbled-together collection of random components working past the EoL of Windows Whatever."

          • If your $100000 hospital X-ray machine managed to get infected by this then bugs in the OS are the least of your concern.

            Physician heal thyself.

        • Re: (Score:2, Insightful)

          by drinkypoo ( 153816 )

          No, they're patching a very old product that they told people - for years straight - to stop using,

          Yes, after they spent years doing their best to force them to use it. I call shenanigans. Microsoft wants to embrace and extend so they can have vendor lock-in? Let them be held responsible for the situation they have created.

    • by rsmith-mac ( 639075 ) on Sunday May 14, 2017 @10:02PM (#54416389)

      I know this isn't a popular opinion around here, but hear me out.

      The NSA is the US's SIGINT operation. Their job is to be both the offense and the defense when it comes to dealing with electronic systems. So developing attacks against other systems is part of their purview, and we want them to continue doing so such that we can spy on, and if necessary attack other nations. The need for an offensive SIGINT group will always exist, even if it's not the NSA.

      Back in the days of yore, it used to be that exporting valuable software was restricted. If the Soviets wanted software for controlling gas pipelines, for example, they either had to develop their own or steal it [wikipedia.org]. And exporting useful encryption was right-out banned [wikipedia.org]. The end result was that for SIGINT purposes, there was a very clear line between "us" and "them" in what each side's systems could do, how they worked, and what they ran.

      The Internet has put an end to national borders for software. Now everyone runs the same Oracle database, the same Cisco/Juniper routers, the same Microsoft OS, etc. It's allowed commerce to explode on our end by exporting valuable software to new market. However the flip side of that is that the line between "us" and "them" has almost entirely been erased. Now the nations we spy on run much the same software we do; now the nations that we need to be able to attack don't run antiquated little systems that are easy for us to break into. How do you balance offense and defense in that situation, when any weapon you make can be used against you, and any defense to develop can be used by your enemies to shield themselves from you?

      Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.

      If our relevant TLAs informed software vendors about every exploit they found, it would improve the quality of software to be sure. And that definitely has some benefits. But then we'd be committing to an entirely defensive operation, due to the fact that everyone else is running this better-hardened software.

      Meanwhile when it comes to offense, we'd have no exploits let which to use to spy on or attack other nations with. But the same is not true for other nations. Their own SIGINT groups would be searching for exploits as well, and since they wouldn't be bound by what we're doing, they'd continue stockpiling them and using them against us as they deem necessary. Our software-hardening efforts would make this task a lot harder, but not even the NSA is going to find every bug in Windows. So at the end of the day, other nations would still be able to attack us, even if we did report all exploits we found.

      The problem with a purely defensive operation then, especially in the software sense, is that your defense only has to fail once for you to lose. Once they're in your systems you have no ability to retaliate (since you have no exploits to use as weapons), so hostile forces have very little incentive not to attack you. And while you can clean up afterwards, the damage is done: the blueprints have been stolen, the cyclotron has been busted, and Amazon is shipping everyone 50 gallon drums of lube.

      Ultimately Cyber security when both sides have the same systems is little more than a new variant on the Prisoner's Dilemma. We can stop ratting on the other prisoner, but they're not going to stop ratting on us. No matter what we do, it's in the best interests of foreign powers to be able to attack our systems. And that means we need to keep exploits of our own in order to be able to mount a credible (if not overwhelming) offense.

      The one problem here - and not to discount it, because it is a real problem - is that the NSA obviously didn't secure

      • by Dutch Gun ( 899105 ) on Sunday May 14, 2017 @10:51PM (#54416541)

        Well, you're brave to defend the TLAs. Hopefully you don't get unfairly mod-bombed because of it, as too often happens to unpopular posts.

        The core problem with your scenario is the implicit assumption that only the TLAs know about those particular exploits. There could very well have been other countries' agencies that knew about them as well, or criminals using them judiciously for their own zero-day exploits. Why assume that any other major state player couldn't collect these same bugs? We may know more in the months ahead if anyone discovers new information in old logs relating to these exploits.

        The other faulty assumption is that the only way to do offensive intelligence operations is with software exploits. Plenty of attacks, from many different criminal and/or government groups have shown that to absolutely not be the case. Human operators can be fooled into installing malware in targeted phishing attacks, or maybe even bribed into installing it. Or you can use more traditional bugging methods, installing hardware that intercepts information pre-encryption. Etc, etc...

        Holding onto an exploit that affects your own country's software (and the world's in fact), is playing a very risky game. And, as you rightly acknowledged, it just blew up in their faces. Given the proven inability of these agencies to hold onto secrets, I think playing a little more defense isn't a bad thing, at least until its been established that they don't leak their own secrets like a sieve.

        I fully understand and acknowledge that there are very bad people in the world, and these agencies help to protect the US from them. But I do wonder if, at the moment, that price is becoming a little too steep for what we're getting out of the deal. The problems is, though, that we'll never really know. The leaders at the top of that agency know, but sure as hell they're never going to admit to anyone anything that has a chance of ever reducing the power of their own little government fiefdom.

      • by buss_error ( 142273 ) on Sunday May 14, 2017 @11:51PM (#54416673) Homepage Journal

        I know this isn't a popular opinion around here, but hear me out.

        I know this isn't a popular opinion, but hear -me- out.

        The statue clearly states that US intelligence services are required to divulge security vulnerabilities to vendors in a timely manner. It is blindingly obvious this was not done. So my question is very simple.

        Who is going to jail for violating Federal statues?

        Oh - silly me. Only chumps and civilians go to jail for violating the law.

        Here is the real problem - being able to access a computer is like being able to read their diary or eavesdrop on them. Before computers, this was also done. With computers, it's just easier. So what we are seeing the the degradation of everyone's privacy because it's easier to steal secrets from a computer that it is to, you know, actually do your fsck'ing job.

        Enforcing the law isn't about sitting on your fat ass in Virginia - it's about doing the work, the right way, within not just the letter of the law but the spirit of it. Only then is our system of government consistent, valuable, and worth dying to preserve.

        Otherwise it's just another big lie.

        • Re: (Score:3, Informative)

          by Cyryathorn ( 6591 )

          Ah yes, here it is:

          https://epic.org/privacy/cyber... [epic.org]

          There's no Federal statute such as you describe. It's not even an Executive Order -- it's just a matter of policy. The "Vulnerabilities Equities Process" allows this: "the government may choose to withhold the information to use it for purposes including law enforcement, intelligence gathering, and 'offensive' exploitation".

      • You make some interesting points. However I think one major problem with your argument is that it assumes the only way to be offensive is by exploiting flaws in the system. There are other ways to be offensive, and one of the most effective of those has been exploiting flaws in the humans using the system.

        The other thing is that I really can't see how the risk of leaving these exploits open will ever be overtaken by the potential "offensive" gains. The potential damage to institutions, businesses, the econo

      • by dweller_below ( 136040 ) on Monday May 15, 2017 @03:20AM (#54417125)

        I know this isn't a popular opinion around here, but hear me out.

        Your reasoning has been official US policy, because it seems sound. But the last few years of Internet warfare has revealed some problems with favoring offense over defense:

        1. 1) The weapons of the Internet are not like tanks and nukes. Deploying weaponized exploits require very little infrastructure. They cost almost nothing to replicate. Almost anyone can do it. When an enemy deploys an Internet attack against you, you can easily (compared to a nuke) figure it out, and then deploy it back at them.
        2. 2) For years, our standard doctrine was that an Internet attack was not as significant as a physical attack. But, this is no longer true. We are so dependent on the Internet, that a sustained Internet outage has the potential to do more damage to us than a limited nuclear exchange.

        Perhaps the greatest problem with the offensive mindset is that it teaches us almost nothing about how to defend. We know we need to deploy better software, but we don't know:

        • * How to value effective security more than features.
        • * How to force large IT vendors to favor their customer's interests over short-term profit.
        • * How to force powerful Intelligence agencies to relinquish power, now that they are a greater threat to US, than they are to our enemies.
      • by gtall ( 79522 ) on Monday May 15, 2017 @04:49AM (#54417335)

        There are some ideas buzzing around the U.S. government to separate out the functions of cyber so that security comes from a different entity than offensive weapons. Of course that means parts of the government will be fighting each other. NSA, CIA, FBI, etc. are all on public record as realizing this. There is no easy answer.

        Some of the misconception is that somehow spying is bad. It isn't. It is what keeps a government from overreacting to something out in the open. Offensive weapons will always be around. The Russians, Chinese, Iranians, I.M.A. Dipshit from Any Country have them.

        Some bright sparks in Congress asked James Clapper why the U.S. couldn't respond in the cyber arena against the naughty things the Russians did in the last election. His response was: well, if you are sure the U.S. infrastructure could stand the guaranteed response, then that might be advisable. He was of the opinion that the Russians have the U.S. electrical grid on their target list and that he (Clapper) figured they could take it down for retaliation. Of course, these would be acts of war...between nuclear armed nations....one of which has a ruthless dolt as head of state, the other also has a ruthless dolt as head of state.

      • Their job is to be both the offense and the defense

        Their job is to protect the people. Their options are to do this offensively and defensively. The evidence said they did it the wrong way.

        A lot of people have likened this to loss of control of weapons, but it's nothing of the sort. Weapons predominantly get used once and have a small local effect. This is self-replicating. The only weapon I can think of that is self-replicating are ones that are also illegal to use under the Geneva Convention.

      • by AmiMoJo ( 196126 )

        There is a flaw in your reasoning.

        You assume that when vulnerabilities are known, everyone patches and is safe. That's now how it works. Microsoft released a patch for this vulnerability a while back, but a lot of systems have not received it.

        Cyber offence is mostly about exploiting known flaws, not zero days known only to security services. Cyber defence is mostly about getting people to patch their systems and configure them in a somewhat sane manner.

        Much of the really high end stuff is things like replac

    • Gimme a break. The NSA as I last saw it had a division of COMPUTER SECURITY. What happened? Last year Comey said we needed an "adult conversation" about encryption and national security. Screw that. The National Security Agency best be looking after - Ah _ Um - National Security. We DO need an ADULT conversation folks.
    • Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.

      MS is correct in noting that both the TLAs and the users who failed to apply the patch share some of the blame. However, at least an equal share of the blame lies with MS for the appalling number of serious bugs that Windows has. While it is impossible to write bug-free code many security bugs in Linux and Macs typically require existing user-level access to the machine which makes them much less serious. Those that do allow remote access are rare enough that they are huge news, not part of a typical month

    • Nobody is perfect, all software has vulnerabilities.

      This isn't a falsifiable statement. Any software defect no matter how egregiously pathetic could be explained away by the same statement. Just saying nobody is perfect doesn't communicate objectively useful information.

      NSA's SMB exploit was just another buffer overflow vulnerability.

      Buffer overflows like various forms of injection attacks are entirely preventable classes of failure by imposing constraints on software design. You can even get to no overflows for free just by selecting a different programm

      • NSA is at fault only for failing to keep their weapons safe.

        The NSA's job is securing the nation's communications. Part of that would be reporting vulnerabilities to vendors so that they can be fixed.

  • They want backdoors and keys into the things that they swear they will keep safe. Instead of affecting unpatched computers, a leak will affect every computer. But they pinky promise that there will be no leaks and they promise to feel bad if there is one even though it's probably somebody else's fault.

  • Older versions (Score:2, Insightful)

    by Anonymous Coward

    Why should Microsoft be blamed for people getting infected while running Windows XP? The XP system is 16 years old and has been past EoL for years. Anyone running an XP machine connected to the Internet is practically begging to be hacked. Would we blame Red Hat for not patching RHEL 3 boxes left on-line or Apple for not patching 2001-era Macs? It's not as though Microsoft has not made it perfectly clear those old systems are no longer supported.

  • "every single cyberattack on a Windows system seriously"
    "We have more than 3,500 security engineers at the company"
    Yet failed to notice PRISM? https://en.wikipedia.org/wiki/... [wikipedia.org]
    Re "This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support."
    The US clandestine services are hiring from the same US university graduate groups over decades.
    Top US execut
  • by OzPeter ( 195038 ) on Sunday May 14, 2017 @09:31PM (#54416291)

    This hacking provides the perfect argument against built-in backdoors that would enable the government to spy on people (but only when they wanted). All it takes is one leak and *boom* you have out of control hacking by everyone but the government.

    • by mentil ( 1748130 )

      I agree this is Exhibit A of why there shouldn't be built-in govt. backdoors in computers. However, the powers that be will simply weigh
      a) likelihood * damage if knowledge of the backdoor were to leak
      vs b) all those Bad Guys they'll be able to catch because of this omniscient surveillance. if knowledge is power then a God am I! bwahahaha! sorry, i mean, catch terr'ists and stuff. think of the children and whatnot.

      most of the 'damage' in A will be borne by people/organizations outside of the nation that mand

  • I have quite a good discussion about Custom Support and MS quarterly earnings here: https://www.reddit.com/r/micro... [reddit.com]

    • Can you give a summary of the main points? I have reddit set in my hosts file to 0.0.0.0
      • by yuhong ( 1378501 )

        The original quote from https://view.officeapps.live.c... [live.com] : "As expected, Enterprise Services revenue declined 1 percent and was flat in constant currency, due to a lower volume of Windows Server 2003 custom support agreements."

        I was guessing that this decline is because the revenue declined by tens of millions, which implies that they are likely making much more than that total in these contracts especially given that Server 2003 is still widely used. I checked "Productivity and Business Processes", "Intel

  • by phantomfive ( 622387 ) on Sunday May 14, 2017 @09:35PM (#54416305) Journal
    The original blogpost [microsoft.com] makes the following points:

    1) Microsoft works hard, I tell you hard to avoid these problems.
    2) Customers are to blame too! (really)
    3) It's the government's fault!

    They're trying to direct the conversation so they don't get all the blame. The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.
    • by ogdenk ( 712300 )

      And your bug-free 100% secure multi-user OS w/ flawless network stack is where, exactly? All large software projects have bugs and vulnerabilities. It's a fact of life.

      If the NSA had actually cared about securing US systems from attack, they would have had MS fix the vulnerabilities instead of exploiting them for fun and profit we wouldn't have this problem.

      If the general public realized the importance of keeping software vulnerabilities patched, they might have been able to avoid such widespread infectio

      • And your bug-free 100% secure multi-user OS w/ flawless network stack is where, exactly?

        Here you go [openbsd.org]. They have exploits occasionally, but they're rare. Not bad for a scrappy team of programmers, showing the world what is possible.

        If they had Microsoft's resources, they would be perfect.

        • by ogdenk ( 712300 )

          As much as their proactive approach to security helps with an out-of-the-box, you're still screwed if you rely on things like Apache httpd, MySQL, Samba, Xorg, etc. And wasn't it their OpenSSH project that was full of interesting holes pretty recently?

          And I'm saying this as someone who's been running various forms of BSD since around 1994. Nothing is perfect. BSD just sucks less. And if you're really trying to imply OpenBSD is "bug-free" that's just wishful thinking.

          The "ZOMG MS iz teh SuX0rz.... if onl

          • And wasn't it their OpenSSH project that was full of interesting holes pretty recently?

            No, that was OpenSSL.

            As much as their proactive approach to security helps with an out-of-the-box, you're still screwed if you rely on things like Apache httpd, MySQL, Samba, Xorg, etc.

            Again, if they had the resources of Microsoft, the openBSD team would be perfect.

    • if Microsoft hadn't made the flaw

      you misspelled backdoor.

    • The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.

      So let's analyse this for a moment:

      1. You attack human's imperfect nature (code bug) vs something that could have been avoided out of policy (responsible disclosure instead of weaponising a bug).
      2. You assume that all the blame lies at Microsoft whereas a large portion of customers have put their systems into a position which allowed this problem to spread. This in itself is stupid as what is more suitable form of protection:
      a) Good network design and computer isolation principles? Or
      b) Hoping that the 60 m

    • They're trying to direct the conversation so they don't get all the blame. The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.

      Utter fuckwittery of the highest order. Yes M$ Made the flaw so did almost every other tech company. The NSA new about it for years, kept schtum then got hacked and now everybody knows and some crook is using it to extort hospitals around the world.

  • ...

    1.) Microsoft for having a shitty OS and

    2.) The USA three-letters knowing it and not protecting its citizens.

  • If an OS developer wants to secure their code, secure their site and code, consider every contractor and consultant who had access to the code.
    Walk the life story. Is the resume real? Education, friends, university, who helped at university? First real job?
    Are trusted staff walking out internal code early and often to the US gov for some reason?
    Stop outsourcing, start hiring US experts who enjoy working in the private sector. Make the US private sector a better place to work than any US mil or gov
  • The solution is not to give up vulnerabilities that the CIA and NSA discover and want to weaponize, the root of the problem is the most incompetent administration in 50 years (the Obama administration) being completely clueless about cyber security and letting our state secrets out. That shit would never have been hacked by the Russians and dumped into the wild if the incompetents at the CIA and NSA had air-gapped their stockpile and put people in prison for 10 years or more for moving the files to a netwo

    • The solution is not to give up vulnerabilities that the CIA and NSA discover and want to weaponize, the root of the problem is the most incompetent administration in 50 years (the Obama administration) being completely clueless about cyber security and letting our state secrets out. That shit would never have been hacked by the Russians and dumped into the wild if the incompetents at the CIA and NSA had air-gapped their stockpile and put people in prison for 10 years or more for moving the files to a networked location except for specific conditions and actual use where multiple sign-offs and precautions would be required. Those who were in charge and those who were responsible for the security measures at the CIA and NSA when these secrets were hacked/leaked should be fired and charged with criminal negligence at least or maybe espionage/treason.

      No, because they didn't *intend* to leak the information.

      The new interpretation of the law requires intent, and besides, no one has ever been prosecuted for doing this in the past.

      Haven't you been following the news last year?

  • Digital Broken Arrow (Score:5, Interesting)

    by mentil ( 1748130 ) on Sunday May 14, 2017 @10:36PM (#54416509)

    Wait until one of these leaked/lost TLA tools becomes used by a 3rd party in such a way that it looks like a state-sponsored attack on one of their enemies. Or, equally likely, a 'leaked/lost' tool used by a 1st party, with a '3rd party did it' plausible deniability argument. It's like separating a 'rogue terrorist group' from a 'state-sponsored terrorist group'.

    I imagine soon, a major power will say "all attacks by tools that could only have been created by a state actor, will be responded to as if actually used by that actor" and then the "oops, my WMD fell off the back of a truck, my bad" excuse will no longer work. It may soon be considered too dangerous to hoard these exploits, as their inevitable leak will harm their creator more than if they had never been created in the first place. Taking bets on if that happens before or after the IT world figures out how to secure their shit.

  • by jonwil ( 467024 ) on Monday May 15, 2017 @02:32AM (#54416981)

    The cracking of the Axis secret codes at Bletchly Park, OP-20-G and elsewhere during World War 2 showed the allied powers just how important being able to read the other guys stuff really was.

    Then computers came along and the Russians, Chinese and other bad guys started using digital encryption and other security measures and the western powers (NSA in the US, GCHQ in the UK and others) continued to do whatever was necessary to break into those computers and steal all the secrets.

    When mass market PCs came along and everyone started using the same hardware and software as everyone else, the agencies followed suit with attacks on and back doors into the computers the bad guys were using.

    I recon the big tech companies should all get together and throw a bunch of lobbying money at world governments to get laws passed to stop the hoarding. I am sure there are enough people in Congress who would listen when big fat "political donations" are waved in their face in return for stopping the abuse of vulnerabilities in this way.

    • by mysidia ( 191772 )

      throw a bunch of lobbying money at world governments to get laws passed to stop the hoarding.

      If not world governments, then Cybercriminals. They're all the same.

      How about putting that money towards making software that is actually secure, starting with network protocols?

      This SMBv1 bug would have been a non-issue had the SMB service been sandboxed such that arbitrary code running as the SMB service cannot initiate an outbound connection or Modify files except after passing through a user credential f

  • by MrLint ( 519792 ) on Monday May 15, 2017 @11:11AM (#54419213) Journal

    "ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP."

    From MS "After 12 years, support for Windows XP ended April 8, 2014" Over 3 years ago. If you wish to fault MS for 'not planning ahead' for things still under support, well may be, that being said IIRC the patch for *supported* items was released in March. IMO to even mention XP as not being planned for is stupid. Organizations should have spent the last 3 years migrating/mitigating. Ignoring that it became a hot topic in IT circles the year prior, and while I can't really find when the EOL date was first announced I know MS has a published list of all the EOL dates.

    Any talk about issues about XP being anything other the the responsibility of the organization using it should be at this point, promptly chucked out the window

No spitting on the Bus! Thank you, The Mgt.

Working...