2017-05-14: Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com)
An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack: Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
Could /you/ write a hundred million lines of code and not have a critical vulnerability?
Without a buffer overflow? Yes. Without an SQL injection? Yes.
Absolute security is hard, but there are some security mistakes that should never happen.
Independent security audits... they are expensive and time consuming.
Most importantly, they don't make you secure. They're consultants who find a few bugs, then send you a big bill.
The Blame Game (Score:1)
I suppose it's easier to blame the NSA than to blame your own company for writing shitty software.
That being said, in theory the NSA should be working for the best interests of the American public, and by not disclosing software vulnerabilities it is clear that they are not. It's a shame the biggest threat to our own cybersecurity is the US government. We are spending a lot of money and not getting a fair value for the money spent. I don't claim to understand why.
Please forward me your bug-free code for review and then we'll talk.
Why? (Score:2)
I don't see it.
MS tried everything short of threats to get people to upgrade to a secure Win10 version, to no avail.
This will bring millions of new licenses for MS.
Microsoft is 100% right on this one (Score:5, Interesting)
The fault here lies in our country's TLAs deciding it was better to leave 100% of the country at risk, hoping they would be able to exploit a hole before someone else could exploit that same hole against us.
Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.
Microsoft is not 100% right; they created something with this vulnerability and sold it for a very long period of time. They're patching XP for chrissakes.
They need backdoors too? (Score:2)
They want backdoors and keys into the things that they swear they will keep safe. Instead of affecting unpatched computers, a leak will affect every computer. But they pinky promise that there will be no leaks and they promise to feel bad if there is one even though it's probably somebody else's fault.
Plenty of blame for Microsoft too (Score:1)
Microsoft can save some of that blame for themselves. Many people had to turn automatic patching off because of Microsoft's shitty policy of trying to force people to Windows 10 through patch driven 'upgrades'.
Secure the code, secure the OS (Score:2)
"We have more than 3,500 security engineers at the company"
Yet failed to notice PRISM? https://en.wikipedia.org/wiki/... [wikipedia.org]
Re "This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support."
The US clandestine services are hiring from the same US university graduate groups over decades.
Great argument against backdoors (Score:2)
This hacking provides the perfect argument against built-in backdoors that would enable the government to spy on people (but only when they wanted). All it takes is one leak and *boom* you have out of control hacking by everyone but the government.
Custom Support and MS quarterly earnings (Score:2)
I have quite a good discussion about Custom Support and MS quarterly earnings here: https://www.reddit.com/r/micro... [reddit.com]
The original quote from https://view.officeapps.live.c... [live.com] : "As expected, Enterprise Services revenue declined 1 percent and was flat in constant currency, due to a lower volume of Windows Server 2003 custom support agreements."
I was guessing that this decline is because the revenue declined by tens of millions, which implies that they are likely making much more than that total in these contracts especially given that Server 2003 is still widely used. I checked "Productivity and Business Processes", "Intel
This is CYA from Microsoft (Score:2)
1) Microsoft works hard, I tell you hard to avoid these problems.
2) Customers are to blame too! (really)
3) It's the government's fault!
They're trying to direct the conversation so they don't get all the blame. The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.
Two responsible parties ... (Score:2)
...
1.) Microsoft for having a shitty OS and
2.) The USA three-letters knowing it and not protecting its citizens.