Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r

An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack: Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.

Enforcement is the problem

[JoshuaZ]

Any weapon ban treaty has a problem of detecting violations. If one cannot easily detect violations, one cannot enforce the treaty effectively. For pretty much every nuclear weapons treaty the biggest stumbling block has almost always been verification that people are adhering to it. At least there, there's infrastructure to look at. Trying to determine that governments aren't holding back tiny little files stored away somewhere would be much more difficult. In that context, such a treaty would be unlikely to succeed.

Re:Enforcement is the problem

[Anonymous Coward]

House rules:

- The guy with the gun always wins.
- Only the government gets to have guns.

The government only needs to hold up a flimsiest facade that they're "good people", and that's only to keep the house of cards that is the American economy from collapsing into a heap. We're all taught from the youngest age that Mr Policeman is good and you should go to him if you need help. Fast-forward 20 years and you start to understand why you shouldn't. We all need to stop pretending that the government is here for our interests; it isn't.

TELEMETRY

[Anonymous Coward]

the spier whinning about spying

Re:Enforcement is the problem

[Kjella]

Nothing is going to make IS adhere to the real-world Geneva convention either. The point of such treaties aren't direct enforcement, they're to establish a standard for civilized warfare so that you can apply pressure to other nations to join, be able to chastise those who break it and give reasons to impose sanctions, intervene or join the opposing forces. Take for example the treaty on anti-personnel landmines, if you've promised to disarm it would be a pretty big scandal if you were secretly stockpiling and/or deploying them anyway. Assad kills people every day but start a chemical attack and he got a rather swift response.

If there was a treaty to disclose vulnerabilities in mass market consumer software (because face it they won't give up everything) then leaks like these would show that the US are lying sacks of shit whose words are worth nothing. Being a man of your words and having credibility are very real currencies in international politics. Breaking one treaty would put into question every other treaty the US has signed too. There's no real other force behind it than your own country's promise, there wouldn't be any other direct consequences than a loss of reputation. But that is usually sufficient to do some good, at least it puts a cost on violating it. Today the NSA can just shrug and say they're doing their job.

Re:

[Anonymous Coward]

"Civilized warfare"

Sounds like "military" and "intelligence". Two words that cannot be part of the same sentence.

Re:

[courteaudotbiz]

Even Hitler did not.

Are you totally out of your Sean Spicer brainwashed mind? Ever heard of Zyclon B [wikipedia.org]?

Maybe you are being sarcastic, but I just don't get it in your post (English is not my first language)

Re:

[GLMDesigns]

First of all we're talking about treaties regarding combat not concentration camps. This "Even Hitler did not use chemical weapons" phrase has been used since at least the 1980s. I first heard about it when people were talking about chemical weapons being used in the Iraq-Iran war.

Hitler could have used it with great affect in the Battle of Stalingrad, He could have pulled his troops out of the city and used artillery and planes to saturate the city with chemical weapons. He did not.

There is evidenc

Re:

[DMJC]

No Treaty stopped Hitler using chemical weapons. It was the knowledge that Churchill had large enough stockpiles to gas every German in Germany multiple times over that stopped him from opening that Pandora's box.

Re:

[TheRaven64]

As with any law or convention, there's a balance between probability of detection and penalty. Nuclear weapons are an interesting one, because for a small country having nuclear weapons has often been the difference between being invaded by a superpower and not being. The worst-case penalty for not having nuclear weapons is an invasion, the penalty for having them is economic sanctions. There's therefore a big problem in enforcement. Heinlein's (fictional) Space Patrol was a non-national entity that had

Why?

[nospam007]

I don't see it.
MS tried everything short or threats to get people to upgrade to a secure Win10 version to no avail.

This will bring millions of new licenses for MS.

Re:Why?

[Dunbal]

secure Win10

+1 Funny

You're also ignoring the huge elephant in the room - that Microsoft probably knew about that vulnerability or even better, created it in conjunction with the NSA et al. By the way - WINDOWS 10 ALSO REQUIRED A "FIX". This is not a "zero day vulnerability", it's a back-door plain and simple.

Another elephant

[Okian Warrior]

secure Win10

+1 Funny

You're also ignoring the huge elephant in the room - that Microsoft probably knew about that vulnerability or even better, created it in conjunction with the NSA et al. By the way - WINDOWS 10 ALSO REQUIRED A "FIX". This is not a "zero day vulnerability", it's a back-door plain and simple.

The other elephant is that a lot of very expensive hardware still runs on WinXP (and other less-recent but still old versions), can't be upgraded to the new version, and is too expensive to replace.

Microsoft will still support WinXP, but basically it means a) they have the patches to prevent malware, but b) they'll only give it to you if you pay them.

Oh, and the price for WinXP support doubles yearly (someone else said that - don't know if it's true).

So effectively Microsoft is saying that you have to throw out and repurchase all of your medical equipment, all of your research equipment, and all of your manufacturing equipment - even if it's still working - because they want you to purchase a new version of their OS.

Oh, and the new version pushes adware on you and installs whatever the fuck Microsoft wants and reboots the system whenever it damn well pleases.

Yeah, I think Microsoft can shoulder at least *some* of the blame for this.

Re:Another elephant

[richy freeway]

The other elephant is that a lot of very expensive hardware still runs on WinXP (and other less-recent but still old versions), can't be upgraded to the new version, and is too expensive to replace.

Microsoft will still support WinXP, but basically it means a) they have the patches to prevent malware, but b) they'll only give it to you if you pay them.

Oh, and the price for WinXP support doubles yearly (someone else said that - don't know if it's true).

So effectively Microsoft is saying that you have to throw out and repurchase all of your medical equipment, all of your research equipment, and all of your manufacturing equipment - even if it's still working - because they want you to purchase a new version of their OS.

Or the manufacturers of the expensive hardware could update their software to work on a more modern up to date operating system, be that Windows 10, Linux or whatever.

But yeah, let's just blame Microsoft. It's the easy target.

Re:Why?

[Dutch Gun]

One of the problems is that MS poisoned any good will about upgrading with their own actions... first by more or less tricking people into upgrading to Windows 10, and second, by making that upgrade (and all other upgrades) less trusted by pushing telemetry as required updates, and by making Windows 10 updates incredibly annoying, disruptive, and on occasion, simply broken.

I don't blame MS for not writing perfect code, especially older code. No OS used today has zero exploits, so I think it's disingenuous to bash Microsoft with each new bug found but somehow give Linux a pass when the same damned things happen. But I'm sure as hell going to blame them for encouraging so many people to distrust Microsoft's own security patches in the first place, even going so far as to actively block them. That was all because of their OWN tone-deaf policies of "we know what's best for you, so shut up and update. Oh, and don't mind the telemetry we're slurping up. We promise its benign. What? No, there's no way to turn it off."

Re:

[Errol backfiring]

So the blame is 100% on Microsoft. The whole Windows 10 debacle shows that Microsoft's updates cannot be trusted. So the Windows population now consists of mainly two groups: those who could not switch updates off on time (and now never can switch off again because they have windows 10 involuntarily) and those who could switch them off and dare not install anything from Microsoft ever again. Microsoft itself has made terribly sure that updates are not installed if it can be avoided.

Microsoft is 100% right on this one

[Snotnose]

Nobody is perfect, all software has vulnerabilities. Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.

The fault here lies in our countries TLA's deciding it was better to leave 100% of the country at risk hoping they would be able to exploit a hole before someone else could exploit that same hole against us.

Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.

Re:

[TWX]

Microsoft is not 100% right; they created something with this vulnerability and sold it for a very long period of time. They're patching XP for chrissakes.

Re:Microsoft is 100% right on this one

[ScentCone]

They're patching XP for chrissakes.

No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?

Hard to do

[Okian Warrior]

They're patching XP for chrissakes.

No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?

It's hard to stop using a system when it requires repurchasing the $100,000 hospital X-ray machine that it runs.

Did you think every hospital should just throw out all it's working equipment and purchase new ones? For hospitals in Africa and India as well?

Re:

[ScentCone]

But it's not all that hard for the manufacturer of that radiology equipment to port their app over to something like Win 7. Come on, just think about it. Who says you have to scrap an expensive piece of equipment just because you'll have to sort out some DLL issues?

Re:

[gtall]

Yes, maybe porting is easy. And...errr...who is going to pay for this port? The hospital already has a running system and security it the manufacturer's job. The manufacturer has already sold the system and won't get any more money for an upgrade in security. MS won't pay because they don't have to. There is no case law that says MS, the manufacturer, or the hospital should pay.

Now, please go explain to the manufacture why they should update their old software and hand it out for free. I'm sure they'd liste

Re:

[Gilgaron]

This sort of support from a manufacturer is usually in the support agreements for the hardware. Customers can skip the support packages but it's like buying it used on eBay: might work out ok, but if you'll be pissed if it breaks in 6 months maybe get it from a reliable source. If the hospital is hosed because their expensive X Ray machines depend on outdated computers it is their own fault. Worst case scenario they just take the computers off the network and walk the files to an updated network machine

Re:

[ScentCone]

Because radiology workflow is now entirely network-centric.

Re:

[Anonymous Coward]

The supplier of that X-ray machine is the one that is negligent. The hospital itself is negligent if it doesn't demand that the supplier supports a supported OS. If the suppliers ignores those demands they should join forces with other customers. They should also isolate vulnerable equipment from the network, and accept any inconveniences that causes as a lesser evil than risking a total shutdown of the machine, or of an attacker taking over the machine, or leaks of highly private data.

IT doesn't just happe

Re:Hard to do

[oobayly]

I read a comment by a guy who develops MRIs - he made a very strong case for why hospitals are stuck using XP. Timing is critical, so simply shoving the controller card into a new machine with a new OS isn't an option as physical damage can be done to the machine.

However, if an MRI takes an average of 45 minutes, that's only 32 per day if used continuously. If timing is so critical, then it makes sense to keep XP on the controller. But if the machine is critical, then air-gap it, and use removable media. Transferring the data 30 times a day isn't an onerous task.

Re:Hard to do

[swb]

But if the machine is critical, then air-gap it, and use removable media. Transferring the data 30 times a day isn't an onerous task.

Sounds easy, until you realize that they've been pushing radiology imagery over the network for years and the entire radiology workflow has been designed around this. The machines don't have external media drives, the staff doesn't know how to do this in a way that insures your "nothing is wrong" imagery is associated with your chart doesn't get conflated with the "stage 4 cancer" imagery of someone else, there's just an entire laundry list of shit that has to happen right, be supported, etc.

I've seen a similar phenomenon in machine shops and metal fabricators where the tooling is controlled by ancient Windows versions and there just is no update for the driver software that isn't a extremely expensive machine upgrade. I don't know how the machine OEMs get away with this, really, but I'm sure at least in the medical field it has something to do with certification and probably there's a similar amount of BS associated with machine tools (ie, the PE signoff required for safety liability includes the entire control chain).

I have no idea what the solution is short of machine system vendors producing way more of their own code which would make the machines more expensive.

Re:Hard to do

[AmiMoJo]

This problem was solved decades ago. VLAN, or even separate ethernet cards. Hardened BSD box in the middle that just acts as a temporary file storage unit. The XP machine has write access only, it can't read files off the server, making transfer a one way process.

We know how to secure these systems, but people with that knowledge cost money. Maybe there is a market for a box with this set up built in, that can be easily deployed and swapped out by grunt level IT techs.

Re:

[swb]

I don't disagree that the problem is conceptually solved, but implementing the solution so it works seamlessly probably isn't "solved".

The vendor that does technical support for the MRI machine wouldn't know shit about the inserted security system and anything and everything wrong with the radiology equipment would be blamed on any third party data connections inserted downstream. Solves a security problem which may seldom be seen for IT, but whenever the imaging system doesn't work right it's now high-lev

Re:

[wildstoo]

This isn't Microsoft's problem. This is OEMs racing to get something out the door and get paid, and not giving a shit about after-sales support.

If you're paying $200,000 for a piece of equipment, maybe read the small print first? Like the stuff that says "We take no responsibility for keeping this hastily cobbled-together collection of random components working past the EoL of Windows Whatever."

Re:

[thegarbz]

If your $100000 hospital X-ray machine managed to get infected by this then bugs in the OS are the least of your concern.

Physician heal thyself.

Re:

[drinkypoo]

No, they're patching a very old product that they told people - for years straight - to stop using,

Yes, after they spent years doing their best to force them to use it. I call shenanigans. Microsoft wants to embrace and extend so they can have vendor lock-in? Let them be held responsible for the situation they have created.

Re:Microsoft is 100% right on this one

[rsmith-mac]

I know this isn't a popular opinion around here, but hear me out.

The NSA is the US's SIGINT operation. Their job is to be both the offense and the defense when it comes to dealing with electronic systems. So developing attacks against other systems is part of their purview, and we want them to continue doing so such that we can spy on, and if necessary attack other nations. The need for an offensive SIGINT group will always exist, even if it's not the NSA.

Back in the days of yore, it used to be that exporting valuable software was restricted. If the Soviets wanted software for controlling gas pipelines, for example, they either had to develop their own or steal it [wikipedia.org]. And exporting useful encryption was right-out banned [wikipedia.org]. The end result was that for SIGINT purposes, there was a very clear line between "us" and "them" in what each side's systems could do, how they worked, and what they ran.

The Internet has put an end to national borders for software. Now everyone runs the same Oracle database, the same Cisco/Juniper routers, the same Microsoft OS, etc. It's allowed commerce to explode on our end by exporting valuable software to new market. However the flip side of that is that the line between "us" and "them" has almost entirely been erased. Now the nations we spy on run much the same software we do; now the nations that we need to be able to attack don't run antiquated little systems that are easy for us to break into. How do you balance offense and defense in that situation, when any weapon you make can be used against you, and any defense to develop can be used by your enemies to shield themselves from you?

Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.

If our relevant TLAs informed software vendors about every exploit they found, it would improve the quality of software to be sure. And that definitely has some benefits. But then we'd be committing to an entirely defensive operation, due to the fact that everyone else is running this better-hardened software.

Meanwhile when it comes to offense, we'd have no exploits let which to use to spy on or attack other nations with. But the same is not true for other nations. Their own SIGINT groups would be searching for exploits as well, and since they wouldn't be bound by what we're doing, they'd continue stockpiling them and using them against us as they deem necessary. Our software-hardening efforts would make this task a lot harder, but not even the NSA is going to find every bug in Windows. So at the end of the day, other nations would still be able to attack us, even if we did report all exploits we found.

The problem with a purely defensive operation then, especially in the software sense, is that your defense only has to fail once for you to lose. Once they're in your systems you have no ability to retaliate (since you have no exploits to use as weapons), so hostile forces have very little incentive not to attack you. And while you can clean up afterwards, the damage is done: the blueprints have been stolen, the cyclotron has been busted, and Amazon is shipping everyone 50 gallon drums of lube.

Ultimately Cyber security when both sides have the same systems is little more than a new variant on the Prisoner's Dilemma. We can stop ratting on the other prisoner, but they're not going to stop ratting on us. No matter what we do, it's in the best interests of foreign powers to be able to attack our systems. And that means we need to keep exploits of our own in order to be able to mount a credible (if not overwhelming) offense.

The one problem here - and not to discount it, because it is a real problem - is that the NSA obviously didn't secure

Re:Microsoft is 100% right on this one

[Dutch Gun]

Well, you're brave to defend the TLAs. Hopefully you don't get unfairly mod-bombed because of it, as too often happens to unpopular posts.

The core problem with your scenario is the implicit assumption that only the TLAs know about those particular exploits. There could very well have been other countries' agencies that knew about them as well, or criminals using them judiciously for their own zero-day exploits. Why assume that any other major state player couldn't collect these same bugs? We may know more in the months ahead if anyone discovers new information in old logs relating to these exploits.

The other faulty assumption is that the only way to do offensive intelligence operations is with software exploits. Plenty of attacks, from many different criminal and/or government groups have shown that to absolutely not be the case. Human operators can be fooled into installing malware in targeted phishing attacks, or maybe even bribed into installing it. Or you can use more traditional bugging methods, installing hardware that intercepts information pre-encryption. Etc, etc...

Holding onto an exploit that affects your own country's software (and the world's in fact), is playing a very risky game. And, as you rightly acknowledged, it just blew up in their faces. Given the proven inability of these agencies to hold onto secrets, I think playing a little more defense isn't a bad thing, at least until its been established that they don't leak their own secrets like a sieve.

I fully understand and acknowledge that there are very bad people in the world, and these agencies help to protect the US from them. But I do wonder if, at the moment, that price is becoming a little too steep for what we're getting out of the deal. The problems is, though, that we'll never really know. The leaders at the top of that agency know, but sure as hell they're never going to admit to anyone anything that has a chance of ever reducing the power of their own little government fiefdom.

Re:Microsoft is 100% right on this one

[buss_error]

I know this isn't a popular opinion around here, but hear me out.

I know this isn't a popular opinion, but hear -me- out.

The statue clearly states that US intelligence services are required to divulge security vulnerabilities to vendors in a timely manner. It is blindingly obvious this was not done. So my question is very simple.

Who is going to jail for violating Federal statues?

Oh - silly me. Only chumps and civilians go to jail for violating the law.

Here is the real problem - being able to access a computer is like being able to read their diary or eavesdrop on them. Before computers, this was also done. With computers, it's just easier. So what we are seeing the the degradation of everyone's privacy because it's easier to steal secrets from a computer that it is to, you know, actually do your fsck'ing job.

Enforcing the law isn't about sitting on your fat ass in Virginia - it's about doing the work, the right way, within not just the letter of the law but the spirit of it. Only then is our system of government consistent, valuable, and worth dying to preserve.

Otherwise it's just another big lie.

Re:

[Cyryathorn]

Ah yes, here it is:

https://epic.org/privacy/cyber... [epic.org]

There's no Federal statute such as you describe. It's not even an Executive Order -- it's just a matter of policy. The "Vulnerabilities Equities Process" allows this: "the government may choose to withhold the information to use it for purposes including law enforcement, intelligence gathering, and 'offensive' exploitation".

Re:

[Plus1Entropy]

You make some interesting points. However I think one major problem with your argument is that it assumes the only way to be offensive is by exploiting flaws in the system. There are other ways to be offensive, and one of the most effective of those has been exploiting flaws in the humans using the system.

The other thing is that I really can't see how the risk of leaving these exploits open will ever be overtaken by the potential "offensive" gains. The potential damage to institutions, businesses, the econo

Re:Microsoft is 100% right on this one

[dweller_below]

I know this isn't a popular opinion around here, but hear me out.

Your reasoning has been official US policy, because it seems sound. But the last few years of Internet warfare has revealed some problems with favoring offense over defense:

1. 1) The weapons of the Internet are not like tanks and nukes. Deploying weaponized exploits require very little infrastructure. They cost almost nothing to replicate. Almost anyone can do it. When an enemy deploys an Internet attack against you, you can easily (compared to a nuke) figure it out, and then deploy it back at them.
2. 2) For years, our standard doctrine was that an Internet attack was not as significant as a physical attack. But, this is no longer true. We are so dependent on the Internet, that a sustained Internet outage has the potential to do more damage to us than a limited nuclear exchange.

Perhaps the greatest problem with the offensive mindset is that it teaches us almost nothing about how to defend. We know we need to deploy better software, but we don't know:

• * How to value effective security more than features.
• * How to force large IT vendors to favor their customer's interests over short-term profit.
• * How to force powerful Intelligence agencies to relinquish power, now that they are a greater threat to US, than they are to our enemies.

Re:Microsoft is 100% right on this one

[gtall]

There are some ideas buzzing around the U.S. government to separate out the functions of cyber so that security comes from a different entity than offensive weapons. Of course that means parts of the government will be fighting each other. NSA, CIA, FBI, etc. are all on public record as realizing this. There is no easy answer.

Some of the misconception is that somehow spying is bad. It isn't. It is what keeps a government from overreacting to something out in the open. Offensive weapons will always be around. The Russians, Chinese, Iranians, I.M.A. Dipshit from Any Country have them.

Some bright sparks in Congress asked James Clapper why the U.S. couldn't respond in the cyber arena against the naughty things the Russians did in the last election. His response was: well, if you are sure the U.S. infrastructure could stand the guaranteed response, then that might be advisable. He was of the opinion that the Russians have the U.S. electrical grid on their target list and that he (Clapper) figured they could take it down for retaliation. Of course, these would be acts of war...between nuclear armed nations....one of which has a ruthless dolt as head of state, the other also has a ruthless dolt as head of state.

Re:

[thegarbz]

Their job is to be both the offense and the defense

Their job is to protect the people. Their options are to do this offensively and defensively. The evidence said they did it the wrong way.

A lot of people have likened this to loss of control of weapons, but it's nothing of the sort. Weapons predominantly get used once and have a small local effect. This is self-replicating. The only weapon I can think of that is self-replicating are ones that are also illegal to use under the Geneva Convention.

Re:

[AmiMoJo]

There is a flaw in your reasoning.

You assume that when vulnerabilities are known, everyone patches and is safe. That's now how it works. Microsoft released a patch for this vulnerability a while back, but a lot of systems have not received it.

Cyber offence is mostly about exploiting known flaws, not zero days known only to security services. Cyber defence is mostly about getting people to patch their systems and configure them in a somewhat sane manner.

Much of the really high end stuff is things like replac

The NSA as I last saw it had a division of C SEC

[charlie merritt]

Gimme a break. The NSA as I last saw it had a division of COMPUTER SECURITY. What happened? Last year Comey said we needed an "adult conversation" about encryption and national security. Screw that. The National Security Agency best be looking after - Ah _ Um - National Security. We DO need an ADULT conversation folks.

Microsoft is 33% right

[Roger W Moore]

Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.

MS is correct in noting that both the TLAs and the users who failed to apply the patch share some of the blame. However, at least an equal share of the blame lies with MS for the appalling number of serious bugs that Windows has. While it is impossible to write bug-free code many security bugs in Linux and Macs typically require existing user-level access to the machine which makes them much less serious. Those that do allow remote access are rare enough that they are huge news, not part of a typical month

Re:

[WaffleMonster]

Nobody is perfect, all software has vulnerabilities.

This isn't a falsifiable statement. Any software defect no matter how egregiously pathetic could be explained away by the same statement. Just saying nobody is perfect doesn't communicate objectively useful information.

NSA's SMB exploit was just another buffer overflow vulnerability.

Buffer overflows like various forms of injection attacks are entirely preventable classes of failure by imposing constraints on software design. You can even get to no overflows for free just by selecting a different programm

Re:

[drinkypoo]

NSA is at fault only for failing to keep their weapons safe.

The NSA's job is securing the nation's communications. Part of that would be reporting vulnerabilities to vendors so that they can be fixed.

They need backdoors too?

[KitFox]

They want backdoors and keys into the things that they swear they will keep safe. Instead of affecting unpatched computers, a leak will affect every computer. But they pinky promise that there will be no leaks and they promise to feel bad if there is one even though it's probably somebody else's fault.

Older versions

[Anonymous Coward]

Why should Microsoft be blamed for people getting infected while running Windows XP? The XP system is 16 years old and has been past EoL for years. Anyone running an XP machine connected to the Internet is practically begging to be hacked. Would we blame Red Hat for not patching RHEL 3 boxes left on-line or Apple for not patching 2001-era Macs? It's not as though Microsoft has not made it perfectly clear those old systems are no longer supported.

Re:

[scdeimos]

Bought a new car in the last decade? How much phone-home telemetry do you think there is in the average Ford infotainment system versus Windows 10?

Secure the code, secure the OS

[AHuxley]

"every single cyberattack on a Windows system seriously"
"We have more than 3,500 security engineers at the company"
Yet failed to notice PRISM? https://en.wikipedia.org/wiki/... [wikipedia.org]
Re "This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support."
The US clandestine services are hiring from the same US university graduate groups over decades.
Top US execut

Great argument against backdoors

[OzPeter]

This hacking provides the perfect argument against built-in backdoors that would enable the government to spy on people (but only when they wanted). All it takes is one leak and *boom* you have out of control hacking by everyone but the government.

Re:

[mentil]

I agree this is Exhibit A of why there shouldn't be built-in govt. backdoors in computers. However, the powers that be will simply weigh
a) likelihood * damage if knowledge of the backdoor were to leak
vs b) all those Bad Guys they'll be able to catch because of this omniscient surveillance. if knowledge is power then a God am I! bwahahaha! sorry, i mean, catch terr'ists and stuff. think of the children and whatnot.

most of the 'damage' in A will be borne by people/organizations outside of the nation that mand

Custom Support and MS quarterly earnings

[yuhong]

I have quite a good discussion about Custom Support and MS quarterly earnings here: https://www.reddit.com/r/micro... [reddit.com]

Re:

[phantomfive]

Can you give a summary of the main points? I have reddit set in my hosts file to 0.0.0.0

Re:

[yuhong]

The original quote from https://view.officeapps.live.c... [live.com] : "As expected, Enterprise Services revenue declined 1 percent and was flat in constant currency, due to a lower volume of Windows Server 2003 custom support agreements."

I was guessing that this decline is because the revenue declined by tens of millions, which implies that they are likely making much more than that total in these contracts especially given that Server 2003 is still widely used. I checked "Productivity and Business Processes", "Intel

This is CYA from Microsoft

[phantomfive]

The original blogpost [microsoft.com] makes the following points:

1) Microsoft works hard, I tell you hard to avoid these problems.
2) Customers are to blame too! (really)
3) It's the government's fault!

They're trying to direct the conversation so they don't get all the blame. The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.

Re:

[ogdenk]

And your bug-free 100% secure multi-user OS w/ flawless network stack is where, exactly? All large software projects have bugs and vulnerabilities. It's a fact of life.

If the NSA had actually cared about securing US systems from attack, they would have had MS fix the vulnerabilities instead of exploiting them for fun and profit we wouldn't have this problem.

If the general public realized the importance of keeping software vulnerabilities patched, they might have been able to avoid such widespread infectio

Re:

[phantomfive]

And your bug-free 100% secure multi-user OS w/ flawless network stack is where, exactly?

Here you go [openbsd.org]. They have exploits occasionally, but they're rare. Not bad for a scrappy team of programmers, showing the world what is possible.

If they had Microsoft's resources, they would be perfect.

Re:

[ogdenk]

As much as their proactive approach to security helps with an out-of-the-box, you're still screwed if you rely on things like Apache httpd, MySQL, Samba, Xorg, etc. And wasn't it their OpenSSH project that was full of interesting holes pretty recently?

And I'm saying this as someone who's been running various forms of BSD since around 1994. Nothing is perfect. BSD just sucks less. And if you're really trying to imply OpenBSD is "bug-free" that's just wishful thinking.

The "ZOMG MS iz teh SuX0rz.... if onl

Re:

[phantomfive]

And wasn't it their OpenSSH project that was full of interesting holes pretty recently?

No, that was OpenSSL.

As much as their proactive approach to security helps with an out-of-the-box, you're still screwed if you rely on things like Apache httpd, MySQL, Samba, Xorg, etc.

Again, if they had the resources of Microsoft, the openBSD team would be perfect.

Re:

[thygate]

if Microsoft hadn't made the flaw

you misspelled backdoor.

Re:

[thegarbz]

The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.

So let's analyse this for a moment:

1. You attack human's imperfect nature (code bug) vs something that could have been avoided out of policy (responsible disclosure instead of weaponising a bug).
2. You assume that all the blame lies at Microsoft whereas a large portion of customers have put their systems into a position which allowed this problem to spread. This in itself is stupid as what is more suitable form of protection:
a) Good network design and computer isolation principles? Or
b) Hoping that the 60 m

Re:

[Big Hairy Ian]

They're trying to direct the conversation so they don't get all the blame. The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.

Utter fuckwittery of the highest order. Yes M$ Made the flaw so did almost every other tech company. The NSA new about it for years, kept schtum then got hacked and now everybody knows and some crook is using it to extort hospitals around the world.

Two responsible parties ...

[CaptainDork]

...

1.) Microsoft for having a shitty OS and

2.) The USA three-letters knowing it and not protecting its citizens.

What a company can do

[AHuxley]

If an OS developer wants to secure their code, secure their site and code, consider every contractor and consultant who had access to the code.
Walk the life story. Is the resume real? Education, friends, university, who helped at university? First real job?
Are trusted staff walking out internal code early and often to the US gov for some reason?
Stop outsourcing, start hiring US experts who enjoy working in the private sector. Make the US private sector a better place to work than any US mil or gov

State Competence and Consequences are the Solution

[LeftCoastThinker]

The solution is not to give up vulnerabilities that the CIA and NSA discover and want to weaponize, the root of the problem is the most incompetent administration in 50 years (the Obama administration) being completely clueless about cyber security and letting our state secrets out. That shit would never have been hacked by the Russians and dumped into the wild if the incompetents at the CIA and NSA had air-gapped their stockpile and put people in prison for 10 years or more for moving the files to a netwo

Requires intent

[Okian Warrior]

The solution is not to give up vulnerabilities that the CIA and NSA discover and want to weaponize, the root of the problem is the most incompetent administration in 50 years (the Obama administration) being completely clueless about cyber security and letting our state secrets out. That shit would never have been hacked by the Russians and dumped into the wild if the incompetents at the CIA and NSA had air-gapped their stockpile and put people in prison for 10 years or more for moving the files to a networked location except for specific conditions and actual use where multiple sign-offs and precautions would be required. Those who were in charge and those who were responsible for the security measures at the CIA and NSA when these secrets were hacked/leaked should be fired and charged with criminal negligence at least or maybe espionage/treason.

No, because they didn't *intend* to leak the information.

The new interpretation of the law requires intent, and besides, no one has ever been prosecuted for doing this in the past.

Haven't you been following the news last year?

Digital Broken Arrow

[mentil]

Wait until one of these leaked/lost TLA tools becomes used by a 3rd party in such a way that it looks like a state-sponsored attack on one of their enemies. Or, equally likely, a 'leaked/lost' tool used by a 1st party, with a '3rd party did it' plausible deniability argument. It's like separating a 'rogue terrorist group' from a 'state-sponsored terrorist group'.

I imagine soon, a major power will say "all attacks by tools that could only have been created by a state actor, will be responded to as if actually used by that actor" and then the "oops, my WMD fell off the back of a truck, my bad" excuse will no longer work. It may soon be considered too dangerous to hoard these exploits, as their inevitable leak will harm their creator more than if they had never been created in the first place. Taking bets on if that happens before or after the IT world figures out how to secure their shit.

The government wont stop this stuff

[jonwil]

The cracking of the Axis secret codes at Bletchly Park, OP-20-G and elsewhere during World War 2 showed the allied powers just how important being able to read the other guys stuff really was.

Then computers came along and the Russians, Chinese and other bad guys started using digital encryption and other security measures and the western powers (NSA in the US, GCHQ in the UK and others) continued to do whatever was necessary to break into those computers and steal all the secrets.

When mass market PCs came along and everyone started using the same hardware and software as everyone else, the agencies followed suit with attacks on and back doors into the computers the bad guys were using.

I recon the big tech companies should all get together and throw a bunch of lobbying money at world governments to get laws passed to stop the hoarding. I am sure there are enough people in Congress who would listen when big fat "political donations" are waved in their face in return for stopping the abuse of vulnerabilities in this way.

Re:

[mysidia]

throw a bunch of lobbying money at world governments to get laws passed to stop the hoarding.

If not world governments, then Cybercriminals. They're all the same.

How about putting that money towards making software that is actually secure, starting with network protocols?

This SMBv1 bug would have been a non-issue had the SMB service been sandboxed such that arbitrary code running as the SMB service cannot initiate an outbound connection or Modify files except after passing through a user credential f

So is ITwire suffering from head trauma?

[MrLint]

"ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP."

From MS "After 12 years, support for Windows XP ended April 8, 2014" Over 3 years ago. If you wish to fault MS for 'not planning ahead' for things still under support, well may be, that being said IIRC the patch for *supported* items was released in March. IMO to even mention XP as not being planned for is stupid. Organizations should have spent the last 3 years migrating/mitigating. Ignoring that it became a hot topic in IT circles the year prior, and while I can't really find when the EOL date was first announced I know MS has a published list of all the EOL dates.

Any talk about issues about XP being anything other the the responsibility of the organization using it should be at this point, promptly chucked out the window

Re:The Blame Game

[Anonymous Coward]

Please forward me your bug-free code for review and then we'll talk.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Dunbal]

They've got to blame someone. Opening bell happens in a few hours. The NSA is not publicly traded.

Re:The Blame Game

[Z00L00K]

Interesting that people classifies parent as "Troll" even though it's not far from the truth - better blame the messenger than addressing the problem.

Realize that the architecture that Windows today has is based on Windows NT, an architecture that was founded in the beginning of the 90's. This in turn is built upon OS/2, which originally came out in 1987.

There have been improvements to that architecture over the years, which have caused it to become more and more of a patchwork and resource hog in order to still maintain backwards compatibility while also keeping up with new functionality and improved security.

However a lot of the design in the platform is still causing problems that are hard to resolve without admin rights for the user. The current Windows versions also seems to only utilize two Privilege Levels [wikipedia.org] in the hardware architecture, level 0 (kernel) and level 3 (user applications). This is also the case for Linux, so it's not better on that point.

However the age of an OS does not necessarily indicate how bad it is from a security point of view and the utilization of the capabilities of the hardware. E,g. OpenVMS utilizes four privilege modes (Kernel, Executive, Supervisor and User) and OpenVMS is now being ported to x86 [theregister.co.uk]. This seems to be good news for nerds [openvms.org].

Re:The Blame Game

[gtall]

Windows NT was built with VMS in mind, not OS/2, MS hired VMS's main architect. When MS and IBM were in bed together, MS had the UI front end to do. They didn't like the back end from IBM because it made their front end run like shit. So they decided they needed their own back end.

After NT was thrown together, MS discovered their front end still ran like shit so they went into their back end and knackered the bits that made their front end look bad. Unfortunately, that also meant they had to include stuff in the kernel where from a security standpoint it didn't belong. And so MS's proud tradition for lack of security persisted.

VMS had 4 security levels and that was supported by the VAX architecture. OpenVMS is merely the successor to VMS. I'm unsure what is open about OpenVMS, last I checked it was owned by HP. It probably won't be long before they screw it up like everything else they touch.

Re:

[Rockoon]

Windows NT was the OS/2 3.0 code base

The breach of contract settlement between IBM and Microsoft stipulated that IBM got exclusive rights to the OS/2 2.x code base and a royalty free license to emulate Microsofts then quite popular Windows 3, while Microsoft got to keep the OS/2 3.0 code base that Microsoft had been delaying development on. The OS/2 3.x line was to be the business/server version of the consumer OS/2 2.x.

Re:

[gtall]

NSA is a large organization, different parts do different things. How do we actually know this bug came from NSA? All we have is some web site claiming it.

Re:

[arth1]

Let me break it to you gently, as you don't exactly appear to have your finger on the pulse of current American politics. You see, Barack Obama is not the president anymore, and so will not be pardoning anyone. He's just a citizen now.

He's not the president, but he is a president. Every former president gets a life long pension, an office, a staff, franking privileges, secret service protection, a presidential library, and the title of president. And are still bound by the oaths taken when entering office, making former presidents, much like the peerage in Europe, less free than full citizens.

Re:Enough blame to go around

[Excelcia]

This exploit exists in an old protocol no one uses any more. Is any vulnerability avoidable? Sure. Should this one have been fixed, or the code deprecated earlier, absolutely. Could /you/ write a hundred million lines of code and not have a critical vulnerability? In case it's not obvious (to you), that was a rhetorical question.

I am no fan of Microsoft. I never have been. But in this case, the real evil was perpetrated (and there is no other word for it) by the NSA. An agency of the United States government, one specifically tasked with the protection of US citizens, learned of a vulnerability in an operating system used in critical applications throughout the country, used by the majority of its citizens, and not even accidentally sat on it - they purposefully, with consideration and intent, sat on that information. Not only that, but they then developed a weapon to exploit it, lost control of that weapon, and it is now in the wild where it can do the most damage.

This is a combination of willful dereliction of duty, and gross negligence. This shouldn't be Microsoft complaining, this should be the director of the NSA hauled in handcuffs before congress.

Re:

[scdeimos]

Oh for the love of mod points...

Re:

[Dunbal]

Yeah next time your mechanic charges you $2000 for something you didn't need, make sure you listen to his "cars are really complicated with lots of moving parts and sophisticated electronics" justification.

Re:

[AchilleTalon]

Gross negligence is when someone like the CTO and/or CEO continues to run his business using Windows XP without buying maintenance and patching the OS knowing the manufacturer stopped supporting this OS a long time ago, except for paying customers. Wow, there is still 150 million idiots out there running unpatched versions of Windows XP.

Gross negligence is letting you IT infrastructure going outdated and unmaintained because you want to save a few bucks and you are gambling with your company's security bett

Re:Enough blame to go around

[Dunbal]

This is something a compiler will usually show a warning. If it did not, then the compiler is to blame.

Guy in India writing the outsourced Microsoft code: "That stupid compiler always generates so many warnings I just turned the warnings off. The code compiles fine I don't see what the problem is."

Re:

[phantomfive]

Yeah, that old code from Microsoft in the 90s was rather terrifying (it's the reason cmd.exe is so outdated, people don't dare to work on it). Not surprising someone would turn off the warnings, they might be all over the place.

Re:

[Rockoon]

Warnings must ultimately be turned off because the code base has migrated from compiler version to compiler version, possibly also from 16-bit to 32-bit to 64-bit, ...

It isnt because submitting some new code causes a warning. Its because at some point, overnight, lots of old code started showing warnings with some change such as to a more "standards compliant" version of an ever evolving compiler, so many warnings all at once that it would take a serious concerted to "fix" and its just not worth it.

Re:

[Ed Tice]

Or more likely, when the original warning was generated, the subtraction was not a problem. There was some external constraint that made this a valid operation. Then later there was what was thought to be an unrelated change that relaxed the external constraint. That's why code this size is hard. Almost any line can affect any other line and there's no way to know when you make a change what else might break. Probably there is something that could have been done here (like range-checking the result just

Re:

[arth1]

This is something a compiler will usually show a warning. If it did not, then the compiler is to blame.

Blame isn't a limited commodity, where you reduce blame one place by adding it to another. "Shifting blame" is an attempt at binary thinking and reducing complexity, and is an impediment to justice.

That a compiler or static analysis tool is to blame for not warning where it should does not absolve the programmer one iota. A programmer who depends on software to tell him when he's done a mistake deserves blame heaped up high. The tools can warn about bad code, but absence of warnings does not imply good c

Re:

[Gadget_Guy]

We should be able to see how this occurred by looking at the leaked Windows 2000 source code back from 2004. I seem to recall that it included the networking code. Given that Microsoft backported the patch for this vulnerability to Windows XP then it seems reasonable to assume that it is still the same legacy code that came with Windows 2000 (and earlier).

Compiler warnings were a lot less sophisticated back in those days. I wonder how many warnings they have to turn off today just to be able to compile the

Re:

[phantomfive]

Is that code available anywhere?

Re:

[Gadget_Guy]

I did a really quick search when I posted my first message, but the only thing I could find was a torrent on the pirate bay. I can't access that from here to tell if it is legitimate.

Re:

[Rockoon]

Ignoring compiler warnings is standard operating procedure for any large code base.

Re:

[arth1]

It's not the governments job to protect everyone from self inflicting their own wounds or creating their own problems.

In this case, the wound was made with a government made knife, designed to penetrate known armor, and leaked through government incompetence. I think that puts some blame on the government too.

If it wasn't for the government (a) making, and (b) leaking this weapon, this particular attack would likely not have happened. I can see the US government being sued for damages in foreign jurisdictions that allow this.

That does not absolve those who brought the malware onto a network by monkey-clicking links, of c

Re: Enough blame to go around

[Solo-Malee]

"While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't." If Microsoft didn't dress up Windows 10 deployment campaigns as security patches maybe people would have applied important updates, instead, many people got fed up of cleaning up the Windows 10 installer so turned of auto update instead. Glad I'm no longer dependent on Windows.

Re:

[Pentium100]

This, so many times this.

If people are still using Windows XP, then maybe Microsoft could not make a better OS for them? At least until recently, most people installed updates. But then the whole Windows 10 nonsense started - spyware being installed as a critical update, Windows 10 nag screen too. At some point Windows 10 was installed automatically even if you closed the nag window. And Windows 10 is crap, or rather, it is a relatively good OS, but with spyware and adware right from Microsoft, oh, and Wind

Re:

[arth1]

They probably got promoted for writing their code so quickly

It's a government agency. You don't get promoted for being clever or efficient, you get promoted for dotting the i's and crossing the t's (or, in some cases, for dotting the t's and crossing the i's).

Re:

[dryeo]

Microsoft is a government agency now?

Re:

[arth1]

The exploit code was written (or obtained through other means) by NSA, and partially rewritten by for now unknown hackers.
The exploited e-mail code (stage 1 infection) was written by several different vendors who allow click exploits.
Stage 1 also depends on badly written DNA, i.e. people triggering the infection.
The exploited SMB code (stage 2 infection) was written by 3Com, but since then presumably rewritten by Microsoft. Although legacy code has a tendency to survive quite a few rounds of copy/paste, as

Re:

[phantomfive]

Independent security audits......they are expensive & time consuming.

Most importantly, they don't make you secure. They're consultants who find a few bugs, then send you a big bill.

Re:

[ls671]

You spoofed your MAC address? Very clever...

Re:

[MoarSauce123]

I agree, but the conclusion that open source = safer software is not correct. Just recently Google researches found over 1000 security issues in FOSS projects. At least they could investigate the code and find these problems. Leaves the question if the project leaders now bother to have them fixed. Also, many security holes are introduced through bad online tutorials. Microsoft needs to do more testing on their end. They have a quasi-monopoly on desktop OS and unless they deliver top notch solutions they sh

Re:

[Big Hairy Ian]

Watching all this unfold I thought it was a publicity stunt for the next season of 24