Microsoft Is PISSED OFF At The NSA Over WannaCry Attack

from the as-it-should-be dept

So, for about a day, Microsoft followed the usual course of action concerning the WannaCry malware that made the rounds last week. As we noted, this ransomware/attackware was built off some leaked NSA exploit code utilizing a vulnerability in Microsoft Windows… that the NSA failed to tell Microsoft about. Microsoft had actually patched it a few weeks prior to the code leaking online via Shadow Brokers, but, still… the NSA is supposed to disclose most of these vulnerabilities, rather than hold them for offensive use (that’s the theory, at least).

Microsoft did its standard “no comment” bit for a day or so, but then on Sunday, its President and Chief Legal Officer, Brad Smith, let loose on the NSA for the failures that led to all of this. First, the post officially confirmed what people had been saying about the attack being built off leaked NSA code:

The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States.

The post does a good job discussing what Microsoft is doing about this and what it means, but then has this:

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today: nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.

Whatever you might think of Microsoft and privacy and such, in the last few years (in part thanks to Smith’s focus on this), it has been really good about pushing back on government surveillance and interference. This blog post seems to be the next step in that effort. I’m sure that plenty of readers here have a reflexive dislike of Microsoft (no need to express it in the comments, we know already), but the company has been taking a strong stand against excessive surveillance and other efforts to weaken the public’s security. Calling out the failures of the intelligence community in not disclosing these kinds of vulnerabilities is another good step, and it’s good to see Microsoft make such a clear statement on it.

Companies: microsoft


Comments on “Microsoft Is PISSED OFF At The NSA Over WannaCry Attack”

110 Comments
Rich Kulawiec (profile) says:

Microsoft doesn't care about security -- only reputation damage

If they really cared, then all their products would be open source, since that’s a necessary — but not sufficient — prerequisite to even pretending to release secure code.

And if they really cared, they would have coded, tested, and issued patches for Windows XP — with an estimated 150M systems still in the field — at the same time that they did for current Windows versions. But they didn’t. See: https://www.itwire.com/open-sauce/78090-ransomware-microsoft-can-no-longer-claim-to-be-proactive.html

AND if they really cared, they wouldn’t be calling for government-discovered vulnerabilities to be given only to vendors: they’d be calling for their immediate full public disclosure. By trying to keep them private they’re not only trying to conceal the extent of their well-known incompetence and negligence, but they’re creating the perfect conditions for a black market in vulnerabilities.

The only thing Microsoft is pissed about is the possible loss of profits.

Anonymous Coward says:

Re: Microsoft doesn't care about security -- only reputation damage

The public disclosure point might seem unimportant, but people should remember all the times that vendors have had to be strong-armed into patching vulnerabilities after a few months of private disclosure yielded nothing. And I don’t think any government agency anywhere would go to the legal trouble of handling a public disclosure. Bare minimum done, hands clean, godspeed! (I understand why, BTW)

AC says:

Re: Microsoft doesn't care about security -- only reputation damage

Wow, so according to your theory if I bought a Ford in 2001 they should still be providing me with free service for the car. Come on and get a grip. Not every business can support every product forever. Do you get a 16 year warranty on your TV? Your phone? Does Apple still support the iPhone 1? Saying Microsoft is responsible for old tech is like saying every manufacturer is responsible for everything they ever built and must support it till it is no longer used.

I think you need to have your head examined.

Anonymous Coward says:

Re: Re: Microsoft doesn't care about security -- only reputation damage

Saying Microsoft is responsible for old tech is like saying every manufacturer is responsible for everything they ever built and must support it till it is no longer used.

Not really. The other companies like Ford you listed don’t forbid people from modifying the products they bought. They can’t legally stop me from distributing information about how to change those products.

Anonymous Coward says:

Re: Re: Microsoft doesn't care about security -- only reputation damage

“Wow, so according to your theory if I bought a Ford in 2001 they should still be providing me with free service for the car.”

First of all, if you bought a computer in 2006, it came with XP. You can’t start counting from the release date of XP; you have to start counting from when they released the next product, and that was Vista in 2007.

But as to the meat of your analogy: In 2009 Ford issued a recall that affected models as far back as 1992. So yes, as a matter of fact, they DO go back that far for serious defects.

Source: https://www.cars.com/recalls/ford/

Lawrence D’Oliveiro says:

Re: Re: Wow, so according to your theory if I bought a Ford in 2001 they should still be providing me with free service for the car.

The difference being that Ford don’t claim ownership of the car they sold you, whereas Microsoft still claims intellectual property rights over Windows XP.

But with property rights come property responsibilities. Therefore, Microsoft should have to accept those responsibilities for as long as they claim those rights. If their property is causing a nuisance to others, then it is their responsibility to fix it.

Since I believe copyright terms currently last 90 years in the US, that seems a reasonable interval to continue to expect updates to Windows XP.

The Wanderer (profile) says:

Re: Re: Re: Wow, so according to your theory if I bought a Ford in 2001 they should still be providing me with free service for the car.

Brilliant.

This should be a serious proposal: you should be required to provide security support (et cetera?) for software, for as long as you claim IP rights over it which would prevent anyone else from providing that same support.

Announcing end-of-support for a software product should be read as implicitly releasing IP rights over that product.

madasahatter (profile) says:

Re: Microsoft doesn't care about security -- only reputation damage

MS is more worried about potential lawsuits and legislation that would hurt them more than Google, Apple, Red Hat, or just about any Linux distro. To varying degrees all the latter use FOSS code as the basis of their respective OSes. So legislation demanding all the OS source code be available, and lawsuits that use discovery to get the source code into open court, would hurt MS.

Eldakka (profile) says:

Re: Microsoft doesn't care about security -- only reputation damage

And if they really cared, they would have coded, tested, and issued patches for Windows XP

The WinXP patch released last week wasn’t a new patch they had just created, it was a patch they’d created in February.

Therefore they did create a patch for WinXP at the same time as they did the patches for other versions in February. They did release it, but only to those who had a paid post EOL-support contract.

The patch details themselves note it was created in February.

So while MS is correct in its castigation of the NSA (and the government), they are also partially to blame as they didn’t do a general release of a patch they had created 2-3 months earlier.

mcinsand (profile) says:

Senators Feinstein and Burr Need to Pay Attention

For the slow class, there is an important lesson here. An unintentional weakness created havoc this week, and the NSA’s knowledge hurt national and global security by not working with Microsoft to fix the problem. If an accidental flaw can cause trouble, then a designed-in backdoor has at least the same potential for damaging our security. We will only make our nation less secure by hiding vulnerabilities or, especially, if we actually deliberately create them; we will make our nation more secure, however, if we work to secure our software.

Anonymous Coward says:

Re: Senators Feinstein and Burr Need to Pay Attention

Sorry, but I’ve got to disagree with you. This is truly apples and oranges. A built-in backdoor has much greater… nay, INFINITELY greater potential for damage. Not everyone uses Windows XP or 7 or Vista (supposedly, 8 and 10 were not affected by this). But everyone, and I mean EVERYONE, that uses a computer on the internet uses encryption (whether they are aware of it or not). A leaked “golden key” could, and I don’t exaggerate here, be the end of civilization as we know it.

David says:

Re: Re: Senators Feinstein and Burr Need to Pay Attention

The key doesn’t even have to leak. Would any foreign government/company use an O/S where they know the US Government has the backdoor key to any encryption on the device?

In order to sell in a foreign government, would {vendor} have to give them the backdoor encryption key, too? Making the product useless for US government use as well.

Who would be left to buy the product?

Anonymous Coward says:

Re: Re: Senators Feinstein and Burr Need to Pay Attention

No, it really is apples and apples.

A backdoor would have the same scope of problem and magnitude as this one. Just because a backdoor is in place does not mean that other tech will not be in its way to block it. Until March this year, this was a zero-day vulnerability, meaning that anyone who knew about it had over a decade of time to exploit it by now.

Just because this would be less intentional than a back door does not mean it is somehow in a different category, it is not. This case makes a great argument for what any backdoor is going to become if created.

Anonymous Coward says:

Re: Microsoft

And this was severe enough and, as is evident, affected critical systems that are still on older Windows versions, that they should just have made the patches available alongside the ones for newer versions.
Maybe those systems should be on newer versions of Windows, sure. But the reality is, they’re not, and probably wouldn’t/won’t be despite these attacks.
No one comes out clean from this thing. The NSA hoarding exploits, MS not giving a shit and I’d bet almost hoping this would happen to force upgrades, these systems running on Windows versions out of support, it’s a clusterfuck.
That not even one of them rises above their egotistical needs to prevent all the harm caused speaks volumes.

PaulT (profile) says:

I appreciate MS here, but they have to accept a lot of responsibility for the situation. It’s not just about their historically shoddy record of security (although that’s undoubtedly improved), it’s about how they’ve run their ecosystem for so long.

Many people have had major issues installing Windows updates in the past, so they make sure they’re turned off. Lots of people killed Windows 7/8 updates because they wanted to avoid being forced to install Windows 10 without their permission.

MS has been really bad at separating actual critical updates from other types of changes, so there’s no middle ground in a lot of areas – especially businesses where their updates have been known to kill mission critical production systems if not properly vetted. So, they don’t rush to install new patches unless they’re made aware of an urgent reason to do so.

Part of the reason why some places were still running XP has to do with compatibility issues for certain software and drivers. I can understand why Microsoft wants to get away from supporting such things. But, if they have introduced problems in getting legacy products to run on a new OS, then they’re the reason people didn’t upgrade to an OS that was protected against this attack.

All kudos due to Microsoft for coming out and saying what they have here, and taking a stance against the NSA (although a large part of that is probably self-preservation rather than altruism). But, they have to recognise that their own actions, not just recently but over most people’s experience with their products, have led to everyone being less secure. Saying they released a patch a couple of months ago is no good when the reason why the patches weren’t applied on so many machines is because of their own historical behaviour.

Rich Kulawiec (profile) says:

Re: Re:

Actually, no, Microsoft’s security record has NOT improved. As Dave Aitel put it, “Windows didn’t get more secure in the last two decades, the hackers just got nicer.”

If that isn’t clear, then consider that all of the systems affected by this could have just as easily been wiped. Or compelled to create corrupt/incomplete/useless backups, and THEN wiped. Or had all their data siphoned out, THEN the above.

The only reason that this isn’t far worse is that the attackers have refrained from causing even a fraction of the damage that they could in favor of attempting to monetize the problem. That’s a shift, as Aitel observes, from the strategies of ten or twenty years ago. But it’s not been compelled by anything Microsoft has done: their “security” is still nearly entirely composed of PR, which is why things like this keep happening on a regular basis.

And frankly, there’s no reason for them to do anything else: PR is cheap. Robust security engineering is expensive. So why bother with the latter when huge numbers of people will accept the former as a substitute?

PaulT (profile) says:

Re: Re: Re:

Sadly, their security record has improved. What you say about the current situation is correct, but it’s demonstrably better than what was in place when XP was the new product to sell by a large factor. Even lip service like encouraging users not to run everything as admin and having a firewall on by default is better than what went before.

“Or had all their data siphoned out, THEN the above.”

Do we know this hasn’t already been done for sure? I would presume this would be the next step for encryption attacks if not.

Rich Kulawiec (profile) says:

Re: Re: Re: Re:

You’re absolutely correct: we DON’T know if that’s been done. While most operations have at least a semblance of outward-facing defenses, few have bothered to deal with the converse problem…and thus exfiltration and other outbound attacks often go not only undefended, but unnoticed.

So in this present instance, we can hope that wasn’t done. We can hope that if it was done, it was detected. We can hope that if it was detected, it was stopped. But now we’re quite deep into the realm of wishful thinking.

And as if this isn’t bad enough: I believe it was Bruce Schneier who said, a while back: attacks never get worse; they always get better. So while there’s already been considerable analysis dealing with the somewhat amateurish aspects of this particular attack, we can absolutely count on the next one, and the one after that, and the one after that, each being successively better than its predecessors.

PaulT (profile) says:

Re: Re: Re:2 Re:

“we can absolutely count on the next one, and the one after that, and the one after that, each being successively better than its predecessors”

Absolutely. There’s already a version in the wild that removes the killswitch that was accidentally discovered and used to stop the majority of the attacks that started the whole thing off. The only reason we didn’t see everything suddenly get reinfected is because the route it took was so well known so early on and action was taken to close that hole up with existing patches.

Next time, we probably won’t be lucky enough to have it happen due to a well known leaked tool that exploits a hole that already has a patch released… and that’s the best case scenario compared to what they might do other than merely demand a couple of hundred in bitcoin.

Rekrul says:

Re: Re:

It’s not just about their historically shoddy record of security (although that’s undoubtedly improved)…

Has it really?

It’s been my experience that the latest version of any software (program or OS) is always hailed as the most stable and secure, but is quickly demoted to "bug-ridden, insecure, pile of shit" status after a couple later versions are released. A decade from now, people will be talking about how insecure Windows 10 is and why nobody in their right mind should still be using it.

kallethen says:

Even if Linux was the dominant OS or if Windows was open source, we would be seeing this same scenario. Heck, it might be worse. Take a look at Android for example (yeah, it’s not completely open, but it is at the base). It has a very fractured ecosystem which would allow for something like WCry to spread just as easily. Linux is quite fractured as well. How many different distros are there?

mcinsand (profile) says:

Re: No, Windows is a uniquely insecure beast.

Take a minute and learn about OS structures. Windows is a megalithic structure with the pieces welded intimately (and sloppily) together. Crack your way into one part, and owning the whole system is much easier than with a modular OS (i.e., anything but Windows). Linux and BSD may not be the best in modularity, and maybe we’ll eventually move to a microkernel structure. However, they are inherently more secure because they’re much more modular than Windows.

PaulT (profile) says:

Re: Re:

“Heck, it might be worse”

Doubtful. First of all, as you mention there can be a lot of variation between distros. This would work against the issue becoming quite as widespread. Unless the bug in question is present in the base kernel or a core package used across the board, it probably wouldn’t be present across all major distros. You might get something that attacks X number of Ubuntu versions or Samsung handsets over Y years old, but you won’t get “every version released in the last 17 years” as happened here.

Then, there’s the attitude of both the OS and the typical user. They not only tend to be far more security conscious, but they haven’t been burned by shoddy update cycles like Windows admins have. That means that the patches to block the spread of this are much more likely to be in place. From my experience, mostly *nix-based operations tend to have better design from a security point of view than 100% Windows shops, both on the network and internal OS security sides.

Something else worth pointing out here – Microsoft’s own engineering team has advised heavily against using SMB v1. This is the protocol that’s been used by WannaCry to spread internally through affected networks. A protocol that’s decades old and has been superseded by v2 and lately v3, and largely left open due to defaults and legacy compatibility.

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

Different distros would react against such advice in a number of ways, ranging from issuing their own warnings and patches to removing it completely from newer versions. They’re not all perfect, of course, and some would be hit more than others. But, they wouldn’t take the monolithic approach taken by Microsoft here.

Now, obviously, none of that is to say that it couldn’t happen at all, but it’s far less likely to happen with such extent on Linux – in part due to the distros being as fragmented as they are.
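One way to act on the SMBv1 advice cited above on a Windows host, as an added example that is not part of the original comment or of Microsoft’s guidance: audit whether the SMB1 dialect is still offered, list any clients currently negotiating it (the legacy dependency that keeps the protocol enabled in practice), and only then turn it off. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later where the SmbShare and DISM modules are available; the function names are my own.

```powershell
# Added example, not from the page or from Microsoft.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later
# with the SmbShare module (Get-/Set-SmbServerConfiguration, Get-SmbSession) and
# the DISM module (Get-/Disable-WindowsOptionalFeature). Function names are hypothetical.

function Get-Smb1Exposure {
    # Server-side switch: is the SMB1 dialect still offered to clients?
    $cfg = Get-SmbServerConfiguration

    # Sessions negotiated at dialect 1.x would break if SMB1 were removed;
    # list them so legacy clients can be found before acting.
    $legacySessions = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect

    # On client SKUs SMB1 is also an optional Windows feature. Server SKUs expose it
    # as the FS-SMB1 feature via Get-WindowsFeature instead; that path is not covered here.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = 'unknown'
    if ($feature) { $featureState = [string]$feature.State }

    [pscustomobject]@{
        ServerOffersSmb1   = $cfg.EnableSMB1Protocol
        Smb1FeatureState   = $featureState
        LegacySessionCount = @($legacySessions).Count
        LegacySessions     = $legacySessions
    }
}

function Disable-Smb1 {
    param([switch]$Force)

    $state = Get-Smb1Exposure
    if ($state.LegacySessionCount -gt 0 -and -not $Force) {
        Write-Warning "$($state.LegacySessionCount) session(s) still use SMB1; fix those clients, then re-run with -Force:"
        $state.LegacySessions | Format-Table -AutoSize | Out-String | Write-Warning
        return $state
    }

    # Stop offering the SMB1 dialect; applies to new connections immediately.
    if ($state.ServerOffersSmb1) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # Remove the component so a stray setting cannot re-enable it; a reboot completes this.
    if ($state.Smb1FeatureState -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    Get-Smb1Exposure
}

# Usage: audit first, then disable.
Get-Smb1Exposure | Format-List
Disable-Smb1 | Format-List
```

Run the audit across a fleet (for example with Invoke-Command) before the disable step; a handful of hosts still negotiating dialect 1.x is the usual reason the protocol survives, and those are the hosts a worm using the same spreading route would reach first.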

Anonymous Coward says:

Re: Re: Re:

Both parties claim they are for liberty, but create more laws every chance they get.
Both parties claim they are for a balanced budget, but never create one, regardless of who is in power.
Both parties claim that they are against corruption, but employ and encourage it within both their voters and political processes regardless of who is in power.
Both parties claim to care for the common person and minorities, yet more and more become poorer.
Both parties claim ethical & moral superiority over the other yet both are in the news every day over very visible ethical and moral decrepitness.

They really are the same, they just disagree on how best to fool people like you and get your vote. A wise person judges by the fruits of their labor. Bush created DHS and the Patriot Act; Obama wasted no time employing them for his own use as well.

I sit and watch as both corrupt and dirty parties lambaste the other for the very sins they wallow in themselves! They are the same, they produce the same inequality, they both serve big business, they both think you need to be ruled over, they both do not care about you, and both are surrounded by power and wealth of the likes you do not even understand but can only dream of.

They ARE the same, they just disagree over the details of owning your silly ass!

Anonymous Coward says:

Re: Re: Re: Re:

If you are unable to distinguish differences where they obviously are, then perhaps you are unable to properly function in a dynamic society, and this is why you desire the status quo or even a retro “when things were great” scenario.

Owning a silly ass or fooling people is not all that difficult, just look at trump. But getting the willing and enthusiastic public cooperation is very difficult as opposed to using force. I doubt you can see the difference.

Anonymous Coward says:

Re: Re:

If Linux is so insecure, explain how Arch and its derivatives, along with Slackware are reliable and safe distributions, despite lightly policed user maintained build systems; that is the AUR, and Slackbuilds. Note these are not search the Internet and grab an executable, but rather user maintained build systems available through the system package managers.

Seegras (profile) says:

Re: Re: Linux

Yes, on the whole the Linux ecosystem would be more resilient against these kinds of attack. Because of fragmentation, and because security updates don’t tend to break the systems, and are mostly applied automatically.

Then again, some people are hellbound to have some ancient system running. “Our door controls only work with RedHat 4” (even if they don’t, but they were only certified for RH4). And these would be exactly the same shops that would do things like running Windows XP.

And don’t even get started with Android. Now there’s a lot of systems out there having the same vulnerabilities and are not updated any more.

Rekrul says:

Re: Re: Re: Linux

Yes, on the whole the Linux ecosystem would be more resilient against these kinds of attack. Because of fragmentation, and because security updates don’t tend to break the systems, and are mostly applied automatically.

And that very same fragmentation is what will keep Linux from ever becoming mainstream among average users.

Anonymous Coward says:

Re: Re: Re:2 Linux

While the Linux ecosystem allows choices in desktop environment, and applications to achieve a task, users can also choose between stability or up to date software. There is also a choice as to how upgrades to software are handled, varying from regular releases, sometimes mixed with long term support releases, through to rolling releases. However, there are fewer problems in sharing documents than there are between different versions of a Windows application.

People would complain if their choice of car was limited to one model, yet complain when given a choice of paint job and control layout in an operating system. This is strange, given that upgrading Windows to a new version can cause more problems sharing files than a choice of Linux distro is likely to cause, outside of sharing with proprietary applications, where the newest version often has an inbuilt compatibility problem with earlier versions unless an earlier format is chosen; which is often deliberate, to encourage people to buy an upgrade to avoid sharing problems.

Christenson says:

Re: Re: Linux secure

There’s little doubt Linux is more secure that Windows.

However, it’s still too big…and it’s still insecure.

The right question is, in the face of inevitable failures in both hardware and software, and absolutely huge amounts of complexity, how do we return ownership of computers to the people nominally in control of the machines?

That is, why the ***@#! is any program so unsafe? How do we make such programs safe?

Anonymous Coward says:

Re: Re: Re: Linux secure

How do we make such programs safe?

You can’t from an information processing perspective.

All the computer cares about when doing a check is whether or not the set of bits matches another set of bits, and only for THAT SPECIFIC CLOCK CYCLE. Afterwards it has made its determination and moved on, fetching more code from either cache or RAM to decode and execute. Even the fastest computer in the universe would be susceptible to a well timed ToC/ToU bug. Assuming you can predict (or control) the chosen code path, you can modify it in memory on the fly. Nothing you do will change this fact. It’s one of the most basic concepts for a state machine. You can guard against these attacks (NX bit, IOMMU, etc.), but in the end if the code is modified in memory prior to execution, but after any and all verification, an attacker will gain control of that context.

Seegras (profile) says:

Re: Re: Re: Re:

It’s not only that. It’s because the Linux ecosystem itself is fragmented. An exploit running on Ubuntu 16 might work on Debian 9, but won’t work on SuSE 12 or Fedora 27. And of course, only on the same architecture, so the Raspbian running things like train tables might be immune.

So even when most of the worlds servers are running Linux (which they do), which ones are you going to target? Answer: The 20% running Microsoft products. Because it’s still the biggest uniform ecosystem.

It’s like the music charts. The hits on top might be the lousiest miserable excuse for music there is, but if its 15% market share is the biggest, it’s still the financially most interesting segment. You get the most market penetration for the least amount of effort. It’s also why pop (and Windows) sucks ;).

PaulT (profile) says:

Re: Re: Re: Re:

“Why spend time on a hacking a Linux system when most of the people you are trying to target are on Windows, then on Apple.”

Why spend time attacking desktops, when you can cause much more damage and demand much more money from those using servers, a great deal more of which will be running Linux?

This kind of attack, at the moment, is going after low hanging fruit (Windows desktop users who don’t update regularly through choice or ignorance). Once they’ve refined their tactics, they’ll almost certainly go after higher value targets. Unless the inherent diversity and awareness of the Linux environment means it’s still more lucrative to go after the low hanging Windows users, of course.

Anonymous Coward says:

Re: Re: Re: Re:

You are ignoring the ‘cloud’ which mainly runs on Linux, and where the ‘rewards’ for a fast spreading exploit could be immense. Think AWS, Google/YouTube/Blogger/Twitter/Facebook etc. All would be suitable targets for ransomware, as well as a means of spreading malware. Although individual servers can be breached, there have not been any fast spreading worms in that environment.

Yes, the IoT running Linux is often vulnerable, but usually due to bad security practice, like baked-in logons, default passwords etc. rather than an easily used exploit, and it only impacts one manufacturer’s products.

Rich Kulawiec (profile) says:

Re: Re:

This argument is often advanced, but it’s flawed on multiple levels.

The most obvious thing to point out is that Linux is far from the only open-source operating system. The BSD family and others offer open-source alternatives that are also peer-reviewed. And in particular, OpenBSD has been repeatedly audited in exhaustive fashion with an eye toward not only removing possible security vulnerabilities, but even removing code that’s dubious or disused.

The second thing to point out is that you’re conflating Linux (the operating system) with Linux (the distributions). There are of course a plethora of the latter, including quite a few that have been stripped down in order to make them more secure than some of those which haven’t. (As always: you don’t make a system more secure by adding code. You make it more secure by removing code.) In other words, the Linux ecosystem isn’t monolithic.

The third thing is that the Linux and open source community in general are FAR more responsive to security issues than Microsoft. The reaction time is measured in minutes to hours, not months to years. Vulnerabilities are dealt with pre-emptively on a continuous basis, as careful reading of some of the numerous Linux-centric mailing lists will reveal. And those that are discovered after the fact are triaged and patched very quickly: nobody sits on them indefinitely as Microsoft did here.

The fourth is that there are fundamental architectural differences between the Windows operating system and the ‘nix operating systems (including Linux, BSD, Solaris, etc.). Those differences can’t be appreciated without a thorough understanding of the design and implementation of both, but the short, short version is that the latter is far more robust.

The fifth is that Microsoft has deliberately and badly undercut the security of Windows 10 by heavily embedding spyware into it. It is, as I like to say, pre-compromised at the factory. This can’t be fixed, patched, or worked around: the only way to make the problem go away is to rip it all out, and Microsoft won’t do that. So this is, at present, a huge and serious flaw that the vendor has no intention of fixing.

There are more — many more — of course. But the bottom line is that while none of these are “secure” in an absolute sense, and none of them are going to be, the ‘nix family sets the bar for attackers far higher.

David says:

Re: Re: Re:

Modern Windows has a strong basis in the OpenVMS architecture, thanks to ex-DECie Dave Cutler starting with Windows NT. OpenVMS is a very secure operating system, so it made for a good foundation. However, as other comments point out, the tightly coupled nature of so many Windows functions has compromised that secure foundation.

kallethen says:

Re: Re:

Just to put an addendum:

Don’t take my remark as saying open source is bad. That is far from what I believe.

What I am saying is that we should not take the misguided belief that "if Windows was open source, this wouldn’t have happened." (I actually meant my note to be a reply to somebody’s post saying that, not as a new thread.)

Éibhear (profile) says:

"Government", perhaps, rather than "Intelligence Community"

“Intelligence Community” is the popular term that covers all the organisations like the NSA, CIA, FBI, MI5, MI6, FSB, etc.

This kinda lets governments off the hook: we can refer to the Intelligence Community as distinct from government departments, or Congress, or Parliament, but all these organisations are *part* of their respective governments, and are (at least) supposed to be overseen by them.

They work on behalf of those governments. Because they act in secret, with operational details shared only with specific government officers, it’s not really correct to say that they work on behalf of the people: that’s the job of the government itself.

So, why should we say “Intelligence Community”, when we really mean government?

“The government hoards exploits”

“The government should have brought these vulnerabilities to the attention of the vendors”

“The government failed to protect people’s computers by keeping these flaws to itself.”

Apologists for deeper and deeper intrusion into the lives of innocent people may find it harder to deflect criticism of these failures if they are correctly called out as government failures, rather than intelligence community failures.

Anonymous Coward says:

If only we could be this lucky every time...

Seriously think about it. People and media act like this is the absolute worst that could happen, when in fact we got off easy.
Sure, a few hospitals and businesses are losing money and some have temporarily shut down, but most of society is rolling on.
Think if the hackers had instead integrated the vulnerability with data gathering tools, or if they had made it into a timebomb that would go off in a few days when it had been spread across the globe.
Instead they chose to loudly post across every computer screen “LOOK AT ME… I HAVE INFECTED A COMPUTER”. With the ransomware they made the threat serious enough that people would pay attention.
Even if the dormant timebomb or data leaker had been discovered by security experts and anti malware companies, it would still be a huge challenge to get people to patch the vulnerability because it would be one of those silent problems that are actually the worst, but few people pay attention to.
So they gave a lot of people enough time to patch during the weekend, limiting the spreading potential of any future malware that uses the SMB vulnerability.

I don’t know if it was meant as an attack, if it was incompetent hackers who did this for way too little money or if someone is trying to point to the problems of NSA hoarding, but in the end I actually think they did more good than bad.
Either way, I do hope they get caught because they deserve punishment (as well as our thanks).

Anonymous Coward says:

Re: If only we could be this lucky every time...

Sure, a few hospitals and businesses are losing money and some have temporarily shut down,

And people will have died, or suffered a medical injury because operations have been canceled, and their medical history has not been available

PaulT (profile) says:

Re: Re: If only we could be this lucky every time...

Yeah, it’s interesting that he jumped to thinking of the profits rather than the human impact. Especially considering that it’s a public healthcare system that was hit, not the US cash grab system.

Fortunately, I’ve not heard of any deaths – and I would assume that the Daily Fail or similar propaganda machine would be screaming right now if they could tie a death to incompetent NHS management (while ignoring that it’s Tory underfunding that’s likely to be a large part of the problem, of course). Fortunately, those rags seem to have been more interested in removing the anonymity of the guy who fixed the problem.

PaulT (profile) says:

Re: Re: Re: If only we could be this lucky every time...

Yeah, I think they knew what you were saying there. The point is that “a few hospitals… are losing money and some have temporarily shut down” has an impact well beyond money, especially in a non-profit-focused healthcare system. That nobody appears to have been seriously hurt as a result is more luck than judgement on the hackers’ part, and that’s more concerning than the data leaking you went on to suggest.

Anonymous Coward says:

Re: Re: Re:2 If only we could be this lucky every time...

Well that is true at first glance. What I mean is that this could silently take place over a much longer time with a much broader scope. Data is very important: data like people’s passwords or data regarding access to personal information, such as medical files and much more. How are you going to pay for medical treatment when someone emptied your bank account? What will happen when some troll, terrorist, or an enemy country gains access to all medical files in a hospital and the access from the employees because this worm has monitored the systems for a month? How much chaos could be caused remotely from someone on the other side of the planet?
This is not about money, but the whole infrastructure that we rely on to save us in an emergency.
This one was dangerous, not because of the ransomware, but because of the spreading potential in the vulnerability.

I do feel sorry for those who have suffered, but I still think that we were lucky.

PaulT (profile) says:

Re: Re: Re:3 If only we could be this lucky every time...

“How are you going to pay for medical treatment when someone emptied your bank account?”

Fortunately, this was the NHS that got attacked so that’s not a consideration for its patients. Some identity theft or other issue might be of concern, but patients won’t be worrying about a bill for their care.

“How much chaos could be caused remotely from someone on the other side of the planet?”

Well, one corporation not fixing its stuff and one government exploiting their mistake has led to attacks in over 150 countries in this instance.

“This is not about money”

Actually, I think it was. The relatively low amount demanded and the spread of the targets suggest to me that they just scanned for vulnerable systems and tried to demand an amount ($300) that even individuals would be able to cover. I think they expected to quietly get a lot of little $300 payments, not bring down healthcare institutions.

I don’t think that the NHS and other affected institutions were deliberately targeted. We may not be so lucky next time, of course, but I don’t think that was it in this case. They just wanted to get a nice payday from the tool they obtained before it became ineffective.

Anonymous Coward says:

Re: Re: Re:4 If only we could be this lucky every time...

I think you misunderstand, or I just explain poorly.
I was trying to elaborate on my comment about how a hypothetical major data leak would be worse than what we have seen so far from the ransomware.

“This is not about money”: was meant to explain that my comment was not directed towards money versus lives.

My first comment was always about the fact that it could have been a lot worse and had a lot more victims if someone had wanted to do that. This is why I am thankful that it was “just” a ransomware attack. It showed us how vulnerable we are in a loud and noisy way that forces people to actually do something. We have seen before how security experts have tried to gain attention to a severe threat only to be ignored because it wasn’t visible enough.
It is clear now that many have ignored this SMB vulnerability after it was released very publicly and until now.

Anonymous Coward says:

Re: Re: Re: If only we could be this lucky every time...

The other thing is, it will be hard to directly attribute any death to the attack, but this attack has probably caused some due to delays in diagnosis or treatment, especially where treatment of critically ill people is concerned.

Anonymous Coward says:

Re: Re: Re:2 If only we could be this lucky every time...

This is true and while I might have expressed myself poorly, I did write that the people behind this deserve to be punished. I shouldn’t have written that they deserve our thanks, because they are truly bastards and I acknowledge that it was bad form of me.

sciamiko (profile) says:

Re: If only we could be this lucky every time...

Actually, this time we were very lucky indeed, due to an accidental triggering of the malware’s killswitch:
https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

If this had not been discovered, or a different method of disabling was used by the attackers, this could have been a lot worse across the world.

cryophallion (profile) says:

Actually, they play both sides

So, the actual thought that I had when I read this when it first came out was that MS had done the perfect thing to come off as attacking, but basically appeases both sides while protecting itself. It’s very nicely done PR.

See, it gives the Intelligence community a huge out. It conflates leaked information with a missile being stolen. It in a sense adds blame to wikileaks too. So, a person on the side of the 3 letter agencies will read this as blaming wikileaks, and that this is just another reason that anyone associated with wikileaks should be locked away, because see what they did! It’s their fault people know about it, not our fault for using the tools at our disposal! Let’s make sure there can never, ever be another whistleblower, even legit ones!

But at the same time, they also start with complaining about stockpiles and end with state actors, which to normal people means the NSA and CIA, which are named. But the NSA and CIA read this in order. And if you read it, it only implicates their names at the very top. It then goes on to blame hackers/leakers, then call out state actors and organized crime, and then mentions other countries. So, they can read this as “See, these are the countries that are abusing it, we HAVE TO do this, it’s the new cyber cold war, we have to be ready”. By the end, the key that the US Intelligence is an issue can be easily glossed over by people who don’t want to accept that, and focus on other parts.

It’s craftful writing. Put the hard part in the beginning, but near the end give a higher view, so it doesn’t tick them all off.

The key is that in all this, it’s everyone else’s fault. There is nothing about them trying to work on their patch methods, especially since, again, THIS was patched earlier, so clearly the issue wasn’t communicated to end users and IT staff all that well, now was it? Was there a campaign by anyone at MS to say “hey, wait, see, this leak over here is bad, update all your computers with these patches, just to be safe”? It doesn’t feel like there was. It was another attempt at security by obscurity, or by ostrich effect. And like those attempts always do, it burned them.

It seems almost no software is bug or exploit free, at least not modern software. The fact is, that means more vigilance, which admittedly is costly for small coding groups. But especially for OS vendors, who need to accept their own responsibility for issues, and focus on fixing some basic communications. I agree a cyber Geneva convention would be great…. but that doesn’t fix people not installing patches, now does it? And that is one of the core issues here.

So, good job whoever wrote that PR, it was masterfully done. But bad job with deflection instead of admitting there was a role in it for themselves.

Seegras (profile) says:

Re: Actually, they play both sides

It in a sense adds blame to wikileaks too.

Why would you say that? Are you just misinformed or are you doing propaganda against Wikileaks?

Because the exploit ETERNALBLUE was leaked by the Shadow Brokers. https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/

cryophallion (profile) says:

Re: Re: Actually, they play both sides

Umm, neither. I am saying that based on how they phrased this press release, it can be read in many ways:

1. It is the 3 letter agencies stockpiling
2. It is theft, like a missile, done by bad people, and they were helped by wikileaks
3. It is because of bad “other country” state actors.

Basically: “it’s not our fault, it’s everyone else’s”.

I am well aware of what happened. I think that wikileaks has shown many times that accountability and openness are lacking, but then again, this has always been the case. Some could make the argument that they went too far by releasing this source code, but I don’t actually subscribe to that theory, or that they shouldn’t have done expose after expose.

So, either you read what I said wrong, or you are looking for an argument that doesn’t exist. I was merely opining how cleverly written this PR was, as it kind of gave them an out against pissing off completely either side.

Anonymous Coward says:

red herring

Users are pissed off at Microsoft for breaking Windows Update for Win7 (try to install a fresh copy of Win7), for updates enforcing the upgrade to Win10, and for bad updates breaking your OS. That’s why they’ve turned off automatic updates. If Microsoft blames the NSA for WannaCry they have their 50% share in that.

Anonymous Coward says:

Whose side are they on, anyway?

So let me get this straight. A government agency discovers a vulnerability that can harm American citizens. Rather than eliminate that vulnerability that can harm American citizens, they wait. What the smeg are they waiting for? For Americans to be harmed? Then what? “Look at this bad thing that happened! You need us, American people. Can we have more money, please?”

PaulT (profile) says:

Re: Whose side are they on, anyway?

They’re waiting because they’re the same people who have fooled themselves into thinking it’s possible to have a “backdoor” that only the “good guys” can access. This vulnerability gave them such a back door, and they didn’t want to lose it, so they sacrificed everybody else’s security instead.

BernardoVerda (profile) says:

Re: Deflection and scapegoating

Sure, blame the NSA…

…even though the NSA actually informed Microsoft in time for Microsoft to release an effective patch for this critical vulnerability. And Microsoft in fact did release the patch in time.

But Microsoft chose to only make such patches available to those versions of Windows that Microsoft wants people to use, and to those computers whose owners haven’t (often couldn’t) "upgrade" to the newer product, but who are willing (and able) to pay significant additional fees to receive the same patches that Microsoft has already released for more recent iterations of their software.

Microsoft already had the patch, even for Win XP, but only relaxed their control when the disaster became sufficiently grave and sufficiently embarrassing. Now Microsoft is vigorously casting itself as "the good guy" and slyly directing the blame and attention to other parties.

It seems to me that Microsoft is speaking out so strongly chiefly because Microsoft hopes to divert awkward questions, and to shift attention away from its own significant role in creating this mess?

That One Guy (profile) says:

Re: Re: Why yes, I will blame them

…even though the NSA actually informed Microsoft in time for Microsoft to release an effective patch for this critical vulnerability.

The NSA only informed Microsoft after the exploit was made public. Not when they had it in their box of ‘toys’ for years, not when it was originally copied from their servers and they knew someone else had it, they basically waited until the last minute before bothering to tell MS ‘So yeah, you might want to get on patching this exploit now that we know someone else has it.’

If MS was aware of the exploit beforehand, knew it was a serious problem and ignored it then sure, they’ve got some blame coming their way as well, but the NSA did know about the exploit and only bothered to tell MS once it became a moot point so they absolutely deserve a heaping portion of the blame for their inaction.

The Wanderer (profile) says:

Re: Re: Re: Why yes, I will blame them

According to a comment further upthread, the patch for XP (et cetera) which Microsoft released after WannaCry was in the wild is a patch which they had created back in February, but had only made available to people on specialty operating systems which are variants of XP – things like “Windows POSReady”, for example. (“POS” here almost certainly stands for “Point Of Sale”, meaning it’s for things like cash registers, though many people have certainly made the “Piece Of Shit” joke by now.)

Even though Microsoft ended security support for XP some time ago, they’ve continued to make and distribute patches for XP variants which were sold under other names; people have found ways to modify the XP Registry to trick it into accepting those patches, and they install and run without apparent issues as far as I’ve heard.

The claim I see being made here is that Microsoft should not be restricting those security patches to only the private release channels of the companies which pay it to support those other-name XP variants; they should be releasing them publicly, just as they had done for years.

The only reason that Microsoft isn’t doing that, as far as I can see, is as a way of trying to push people off of XP and onto newer Windows.

Anonymous Coward says:

Re: Re: Re:

I’m trying to imagine just what sort of “good” can possibly come from greed. Any examples?

Perhaps it is a silver lining sort of thing, in that the good part, although not intentional, outweighs the bad.
Or possibly it could be a schadenfreude situation where the greedy ass gets their comeuppance.

idk, seven deadly sins … greed is one of them.

MindParadox (profile) says:

Re: Re:

Umm, you know that Microsoft is working on a Linux distro, right? They also have included a bash shell in Windows 10

the days of Microsoft hating open source software (I’m assuming that’s what you meant by “Free Software (freedom software), ie, GNU/Linux”) are fairly well over, since Ballmer is no longer CEO

Anonymous Coward says:

They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.

That won’t help. Part of the problem is that they kind of are treating them like physical weapons, which means that they:

stockpile, sell, or exploit them

The government sees absolutely nothing wrong with stockpiling guns, missiles, bombs, tanks, and planes. Telling them to treat exploits like physical weapons only encourages the government to stockpile them, sell them, or occasionally just lose track of them.

What the government should be doing is treating exploits as security breaches or manufacturing defects. You don’t stockpile holes in the base fence you fix the fucking hole. You don’t stockpile vehicles that leak coolant, overheat, and catch fire, you haul the vendor in and tell them to fix the leak.

Security exploits in software aren’t weapons like bombs or armored personnel carriers. They are holes in a personnel carrier’s armor, faulty wiring in bombs that makes them randomly detonate.

Anonymous Champion says:

windows N T beta 1 proves they are lying

the 1999 leak I got had tons of this telemetry and call home crap they knew would not fly in Windows XP, but slowly over time they’d do all that has caused this issue

100% blame on an OS that did all that sneaky telemetry and update crap.

there is no need of a phone operating system on desktops

they only wanted that cause it would help the already rooted phone industry that cooperates with the nsa …

so QUIT LYING MICROSOFT

I KNOW THE TRUTH

The Wanderer (profile) says:

Re: North Korea

Why “instead of”?

The established narrative is that the NSA found the vulnerability, it got leaked via the Shadow Brokers, and some unknown people used it to build this ransomware.

All the stories about North Korea seem to be saying is that the “unknown people” in question are the North Korean government, not that the earlier stages of the narrative (involving the NSA) didn’t happen.

Espryon (profile) says:

Microsoft kowtowed to governments by creating backdoors in their software; they have no one to blame but themselves and their own crappy software. It just shows that consumers don’t know the difference between a crappy product and a superior one, when the crappy one beats the superior one to market. It’s also shameful how we have this illegitimate billionaire Gates who stole other people’s ideas and marketed them as his own. It’s hilarious though that both Jobs and Gates said the “Pirates of Silicon Valley” movie was accurate.
