
Microsoft Is PISSED OFF At The NSA Over WannaCry Attack

from the as-it-should-be dept

So, for about a day, Microsoft followed the usual course of action concerning the WannaCry malware that made the rounds last week. As we noted, this ransomware/attackware was built off some leaked NSA exploit code utilizing a vulnerability in Microsoft Windows... that the NSA failed to tell Microsoft about. Microsoft had actually patched it a few weeks prior to the code leaking online via Shadow Brokers, but, still... the NSA is supposed to disclose most of these vulnerabilities, rather than hold them for offensive use (that's the theory, at least).

Microsoft did its standard "no comment" bit for a day or so, but then on Sunday its President and Chief Legal Officer let loose on the NSA for the failures that led to all of this. First, the post officially confirmed what people had been saying about the malware being built on leaked NSA code:

The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States.

The post does a good job discussing what Microsoft is doing about this and what it means, but then has this:

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.

Whatever you might think of Microsoft and privacy and such, in the last few years (in part thanks to Smith's focus on this), it has been really good about pushing back on government surveillance and interference. This blog post seems to be the next step in that effort. I'm sure that plenty of readers here have a reflexive dislike of Microsoft (no need to express it in the comments, we know already), but the company has been taking a strong stand against excessive surveillance and other efforts to weaken the public's security. Calling out the failures of the intelligence community in not disclosing these kinds of vulnerabilities is another good step, and it's good to see Microsoft make such a clear statement on it.


Reader Comments


    Anonymous Coward, 16 May 2017 @ 4:26am

    If only we could be this lucky every time...

    Seriously think about it. People and media act like this is the absolute worst that could happen, when in fact we got off easy.
    Sure, a few hospitals and businesses are losing money and some have temporarily shut down, but most of society is rolling on.
    Think if the hackers had instead integrated the vulnerability with data gathering tools, or if they had made it into a timebomb that would go off in a few days when it had been spread across the globe.
    Instead they chose to loudly post across every computer screen "LOOK AT ME... I HAVE INFECTED A COMPUTER". With the ransomware they made the threat serious enough that people would pay attention.
    Even if the dormant timebomb or data leaker had been discovered by security experts and anti-malware companies, it would still be a huge challenge to get people to patch the vulnerability because it would be one of those silent problems that are actually the worst, but few people pay attention to.
    So they gave a lot of people enough time to patch during the weekend, limiting the spreading potential of any future malware that uses the SMB vulnerability.

    I don't know if it was meant as an attack, if it was incompetent hackers who did this for way too little money or if someone is trying to point to the problems of NSA hoarding, but in the end I actually think they did more good than bad.
    Either way, I do hope they get caught because they deserve punishment (as well as our thanks).
