Slashdot Mirror


NSA-Leaking Shadow Brokers Just Dumped Its Most Damaging Release Yet (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The Shadow Brokers -- the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency's weaponized software exploits -- just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world. Friday's release -- which came as much of the computing world was planning a long weekend to observe the Easter holiday -- contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date. One of the Windows zero-days flagged by Hickey is dubbed Eternalblue. It exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols. Another hacking tool known as Eternalromance contains an easy-to-use interface and "slick" code. Hickey said it exploits Windows systems over TCP ports 445 and 139. The exact cause of the bug is still being identified. Friday's release contains several tools with the word "eternal" in their name that exploit previously unknown flaws in Windows desktops and servers.

111 comments

  1. Explosive! by Anonymous Coward · · Score: 0

    Diarrhea!

    1. Re:Explosive! by Anonymous Coward · · Score: 0

      shadow brokers took a dump

    2. Re: Explosive! by Anonymous Coward · · Score: 0

      Those pesky Russians, planting bugs in Microsoft executables

  2. Need to order a drone strike against these traitor by Anonymous Coward · · Score: 1, Insightful

    The NSA has done nothing wrong. It's their duty to protect the United States by spying on threats to national security. Whoever is leaking this information needs to be on the receiving end of a drone strike.

  3. Why are these fucking Americans hacking banks? by Anonymous Coward · · Score: 0

    Are they rigging banking computer systems around the world in order to discreetly steal money? What is the exact purpose?

    1. Re: Why are these fucking Americans hacking banks? by pchasco · · Score: 2

      My uneducated guess would be that they would use it to follow the money.

    2. Re:Why are these fucking Americans hacking banks? by Anonymous Coward · · Score: 0

      What a dumb comment to make. (yours, not OP's)

    3. Re:Why are these fucking Americans hacking banks? by 110010001000 · · Score: 0

      Which one? I make a lot of dumb comments here.

    4. Re: Why are these fucking Americans hacking banks? by rmdingler · · Score: 1

      Of course they would... there's no need to steal money, per se, for black budget spending when you can essentially print your own money.

      TPFTDL: $52.06 billion in 2013, according to an imperfectly legitimate Edward Snowden release of government information.

      Years removed from the lessons of Iran/Contra, governments have learned to just fund the cloak & dagger bunch... saves on eventual, inevitable, embarrassment as you're employing folks who have proven eager to scam the funds they need clandestinely.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    5. Re:Why are these fucking Americans hacking banks? by AHuxley · · Score: 1

      The US does not like France winning, so the US (with 5 eye friends) spy on every part of the French economy.
      https://wikileaks.org/nsa-fran...
      "French contract proposals or feasibility studies and negotiations for international sales or investments in major projects or systems of significant interest to the foreign host country or $200 million or more in sales and/or services, including financing information or projects of high interest... "

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:Why are these fucking Americans hacking banks? by Motherfucking+Shit · · Score: 2

      They're monitoring transfers into and out of what appear to be primarily Middle Eastern banking institutions. This is a legitimate national security interest for the United States. It's helpful to see that (e.g.) Saudi Prince #1,804 is wiring money to AQAP principals or what have you.

      This is exactly the sort of activity NSA is supposed to be engaging in, as opposed to trawling through every American's emails and credit card bills.

      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    7. Re: Why are these fucking Americans hacking banks? by Anonymous Coward · · Score: 0

      You could leave out "winning" .

      The US has to watch the French because they are so goddamn fucking corrupt.

    8. Re: Why are these fucking Americans hacking banks? by Anonymous Coward · · Score: 1

      I agree the US is corrupt. However - I do not agree with watching those French by breaking in their banking systems.

    9. Re:Why are these fucking Americans hacking banks? by Anonymous Coward · · Score: 0

      He's likely referring to the comment you posted that he just replied to. Usually when someone "replies" (this means the comment appears underneath yours and slightly indented) to a post referring to the comment you made, it refers to the post they replied to. Hope I could help you out with the internet! Good luck out there!

  4. Doesn't affect me by 110010001000 · · Score: 5, Funny

    I use Windows 10. The safest OS ever made. Unbreakable.

    1. Re: Doesn't affect me by Anonymous Coward · · Score: 0

      RCE also works on Win10 so, er, yeah.

  5. Thanks, NSA by Anonymous Coward · · Score: 2, Informative

    The Shadow Brokers advertised the names of these exploits in January. The NSA had 3 months to warn Microsoft. But nope. Enjoy the 0day shitstorm that's about to drop.

    1. Re:Thanks, NSA by Anonymous Coward · · Score: 0

      From a Simpsons episode: "US policy is very clear, never back down, never admit a mistake. That's why we won over half the wars we fought!" Perfect summation as to why they didn't warn M$.

    2. Re:Thanks, NSA by Anonymous Coward · · Score: 0

      They had much more time to warn Microsoft, from the moment they found those exploitable bugs, to be exact. These people don't care about security. They'd rather keep millions of American computers exploitable by anyone in the world than give up their potential access.

    3. Re:Thanks, NSA by Anonymous Coward · · Score: 0

      Precisely. These agencies knowingly allowed crime to flourish by failing to disclose these exploits.

      They are absolutely not protecting us. So, why are we paying their salaries?

    4. Re: Thanks, NSA by Anonymous Coward · · Score: 1

      Because these are the sort of people that shoot you if you don't pay them to screw around doing whatever they want.
      They should have been incarcerated instead of employed.

    5. Re:Thanks, NSA by Anonymous Coward · · Score: 0

      Why should the NSA warn Microsoft?
      They both know those back-doors "bugs", because that is what they agreed upon.
      Wait for an update that "repairs" those back-doors, while silently installing new ones.

    6. Re:Thanks, NSA by Anonymous Coward · · Score: 0

      I worked for a company that made hardware products based on the BSD Streams. Some libraries such as encryption, we were just not allowed to touch, even if it was obvious there was a bug there.

    7. Re: Thanks, NSA by Anonymous Coward · · Score: 0

      I imagine the idea of the combined security roll up was to slip in the fixes without having to say so.

  6. Re:Need to order a drone strike against these trai by Anonymous Coward · · Score: 1

    And all the other nations are using the same exploits to spy on Americans. Deal with that, dumbass.

  7. The public at large is bound to care. by Anonymous Coward · · Score: 0

    Eventually, right?

    1. Re: The public at large is bound to care. by Anonymous Coward · · Score: 0

      They will when the Russians or Chinese use it against us or that Nigerian scammer uses these to clear out their bank accounts. Or Trump tweets about it.

  8. Re:Need to order a drone strike against these trai by drsmack1 · · Score: 1

    Preventing companies from repairing exploitable flaws in major software products is NOT something they should be doing.

  9. Really old by 110010001000 · · Score: 1

    Wow, this code is really old. Almost 10 years old. You can tell by the excessive use of XML.

    1. Re:Really old by SuricouRaven · · Score: 1

      In ten more years people will be saying the same about JSON.

    2. Re:Really old by Mr0bvious · · Score: 1

      {
          "question": "What?"
      }

      --
      Never happened. True story.
  10. NetBT = netbios = still enabled by default. by Anonymous Coward · · Score: 0

    Exists on W10 unless turned off in Enterprise. Sure they may have patched the hole in question... It's Netbios though.

  11. Re:Need to order a drone strike against these trai by CaptainDork · · Score: 3, Insightful

    It's their duty to protect their own goddam security and all Americans.

    Given that they know millions of Americans are at risk from exploits they have not reported to the vendors, by your logic, the NSA is a traitor organization and qualifies for a drone strike.

    --
    It little behooves the best of us to comment on the rest of us.
  12. Why not read the article before ranting about it? by Anonymous Coward · · Score: 1

    "This would make a lot of sense that the NSA compromise this specific SWIFT Service Bureau for Anti-money laundering (AML) reasons in order to retrieve ties with terrorists groups," Suiche wrote.

  13. Re:Need to order a drone strike against these trai by HeckRuler · · Score: 1

    Sitting on a zero-day vulnerability without telling the maintainers certainly makes the USA less secure and runs afoul of their duty to protect the USA...
     
    ...But have they actually prevented a company from fixing exploits? Like a court order telling Microsoft to leave a vulnerability in place?

  14. Advance notice? by jodido · · Score: 5, Insightful

    Anybody else wonder if Microsoft is cooperating with the NSA? Seems like there are a lot of security issues and I wonder why MS hasn't seemed to be able to find them and why the NSA has.

    1. Re:Advance notice? by rtb61 · · Score: 1

      Why has the NSA found them and M$ hasn't, dude seriously, now tell me where is the profit for M$ to find and fix bugs in their software. Does it help them to sell the next version, hmm, NO. Does it make them profit to do so, paying coders to review code that just barely works, hmm, NO. Does it prevent M$ from being prosecuted for failing to secure systems (when the users of M$ do get prosecuted for failing to secure systems, which once windows has been installed, apparently can not be secured), hmm, NO. Why can't M$ find because there is no profit in doing so but there is a whole bunch of profit in not doing so. Any other questions?

      Yes, the NSA is exploiting M$'s greed driven stupidity, just as the FSB does and just as MSS does (those guys and gals need to advertise more no one knows what those letters stand for https://en.wikipedia.org/wiki/... , catch up with that pompous dude from the CIA, c'mon China). When M$ and all the other software companies start getting fined for security bugs, just like the sucker companies that use that insecure software and get blamed for it, then M$ will fix their software, until then, well, that's what advertising is for, spread a layer of sweet smelling fertiliser across the foetid cesspool rotting below.

      So why is it when companies use M$ software and get hacked they get fined but the suppliers of the software point to their non-warranty and say, see we acknowledge our software is shite and only warrant losses to the value of the software ie M$ software should only be used to secure stuff to the value of the M$ software licence and that it is categorically across the board unfit for any purpose (actually right in the warranty, "Microsoft excludes all implied warranties and conditions, including those of merchantability, fitness for a particular purpose, and non-infringement."). So is a company liable for using M$ software, just by using it, based upon the M$ warranty and the declaration by M$ that it is unfit for use for any particular purpose in writing.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:Advance notice? by Atryn · · Score: 1

      I don't think all the negative press is good for M$ or their Windows brand. People do have alternatives and this does make those alternatives look a bit better than before.

      BTW, where is the NSA's trove of Linux and MacOS exploits? How about an NSA trove of Android and iOS exploits? They must have them.

      --
      Come play Moral Decay!
    3. Re:Advance notice? by jodido · · Score: 1

      I think you're half right. Security is just an added expense. OTOH as someone else pointed out it's also good PR to say you've found x bug and have fixed it. And bad PR when it leaks that the NSA found all kinds of ways to exploit your software and you didn't. So there are costs on both sides. In the end the main reason I have no confidence in MS is that they are, after all, a very large American corporation, and the NSA and all the rest of the cop agencies exist to protect them. So why wouldn't they cooperate?

    4. Re:Advance notice? by Anonymous Coward · · Score: 0

      Negative press for Windows?
      Like anyone has a fucking say in their OS choice of any money-related significance.
      You have businesses, all mostly Windows for desktops.
      You have gaming, all mostly Windows.
      OEM, >99% most of any home computing device comes with Windows.
      And they have been gaining some ground in the server markets and cloud hosting crap.
      Practically everything of any financial worth is behind Windows.

      They've literally turned Windows Updates into malware and STILL GET AWAY WITH IT.
      They've killed people's machines and hardware and still get away with it.

      Microsoft fired most of their testing department.
      Hell, they fired most of their programmers and hired half of fucking India.
      This is why Windows 10 is so horrifically inconsistent. It is hacks on top of hacks done by people that completed a summer course in Searching StackOverflow for programming snippets. I'm getting sick and tired of seeing these fucks pollute Stackoverflow with their stupid questions.

  15. bugs or backdoors? by Anonymous Coward · · Score: 1

    I wonder how many of these "unknown bugs" used by "slick code" were put there on purpose in Windows and how many are actual bugs.

    1. Re:bugs or backdoors? by bill_mcgonigle · · Score: 4, Informative

      > I wonder how many of these "unknown bugs" used by "slick code" were put there on purpose in Windows and how many are actual bugs.

      If you talk to people who have seen the older parts of Windows source, you start to become less conspiratorial. Much of the code was written when these machines were only networked if the company had a Novell network (yeah, yeah, both of you who ran LANMan can pipe down) and security wasn't even on the RADAR. Modern programmers at Microsoft are either disgusted or terrified by it, from what I hear.

      Backwards compatibility cuts both ways.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:bugs or backdoors? by davecb · · Score: 1

      An old employer was a Windows 2.0 licensee: it wasn't even supposed to be secure, it was to run on a machine that wasn't on a network, or was on a secure network.

      Can you say "red-book at system-low" ? It was logical, but assumed there was no internet.

      --
      davecb@spamcop.net
    3. Re:bugs or backdoors? by Anonymous Coward · · Score: 0

      > (yeah, yeah, both of you who ran LANMan can pipe down)

      What do you mean "both of us". I did a stint as a consultant for an IBM-owned company, where the *actual* server in question was used on OS/2. We three consultants connected to it using WfW 3.11, so there were at least FIVE users of it! :-)

    4. Re:bugs or backdoors? by mikael · · Score: 1

      That's true. The first Ethernet adapters that came along for PCs were huge cards with a physical key lock and a user ID card. Everything was intended to run on official Ethernet cable; bright yellow or blue coaxial cables connected by vampire taps, which were simple blocks with three spikes that went through the coaxial sheathing and connected to the core copper, with LANs connected by bridges, routers and firewalls. Everything was intended to be static and predefined.
      For home business use, ISDN was the only choice, with data traffic charged at a cent per kilobyte. That didn't change anything since only business directors could really afford that service.

      Microsoft was taken by surprise in 1993 by the sudden appearance of ISPs offering home Internet with SLIP and PPP. Those two protocols allowed every other traditional UNIX internet protocol to run transparently between the PC and remote web servers; X-windows, telnet, ftp, gopher, traceroute, netstat, ping, http, all suddenly had to be supported. Options for MSDOS were TCP/IP stack and text based browser provided by the ISP (Trumpet Winsock). Microsoft just simply could not invent their own APIs as they always had to in the past. They were forced to adapt to the rest of the world.

      Microsoft's only choice was to bundle their own network stack with Windows 95. Even then, CPUs were so slow that the code had to be super-optimized to the point that everything was munged together. Look at how svchost.exe does every function. There was never any anticipation at the time that joe sixpack was going to have an always-on 60Mbit connection to his gaming rig or netbook.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  16. Re:Need to order a drone strike against these trai by Anonymous Coward · · Score: 0

    And if they don't turn out to be US citizens leaking it, what then? Try to DRM their ass?

  17. Linux FTW !!! by RamBurner · · Score: 0

    I'm glad I use Linux and not have to worry about these exploits and zero day attacks.

    1. Re:Linux FTW !!! by bill_mcgonigle · · Score: 1

      > I'm glad I use Linux and not have to worry about these exploits and zero day attacks.

      Hey, the NSA probably has more people working on breaking linux than we have working on building it. Be ready to apply updates when SB drops that tranche. Practice defense-in-depth.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Linux FTW !!! by ozduo · · Score: 1

      Are you taking the piss? Or are you just naive?

      --
      I got to the chocolate box before you, that's why the hard ones have teeth marks.
    3. Re:Linux FTW !!! by Anonymous Coward · · Score: 0

      Every Linux kernel before 4.5 has a core UDP code bug which is exploitable for remote code execution. Happy nightmares!

    4. Re:Linux FTW !!! by RamBurner · · Score: 1

      I use kernel 4.8 so no nightmares here.

    5. Re:Linux FTW !!! by Moheeheeko · · Score: 1

      you must be new here

    6. Re:Linux FTW !!! by Anonymous Coward · · Score: 0

      I'm not sure if you forgot to add a sarcasm tag or if you missed the headline saying that there are exploits at the motherboard level that don't care which operating system is installed.

    7. Re:Linux FTW !!! by skids · · Score: 2

      Not "every linux kernel before 4.5". Whether a kernel is vulnerable depends on whether the bug was backported by distros. RHEL never backported it, and Debian quietly fixed it a good while ago (kernels of any version shipped Sep 2015 to Jan 2016)

      http://www.zdnet.com/article/r...

    8. Re:Linux FTW !!! by Anonymous Coward · · Score: 0

      I did miss that actually. That can't be right can it? Why mess around with these exploits when they have that thing?

    9. Re:Linux FTW !!! by Anonymous Coward · · Score: 0

      You missed the previous dump prior to this. All the tools dumped prior to this news were Linux, Solaris and Mac exploits for those specific kernels.

    10. Re:Linux FTW !!! by mikael · · Score: 1

      Worry about what servers your Firefox web browser is setting up (SSDP) and why it needs to send out multicast broadcasts. Does your wifi router block those packets? Does it allow them to come in on your network? Why doesn't the menu option disable this feature? Apparently it's to provide competition to ChromeCast which allows you to stream the contents of your screen to other mobile devices across the Internet.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    11. Re:Linux FTW !!! by Anonymous Coward · · Score: 0

      Hate to tell you this but the dump a few weeks back was full of Linux and Solaris exploits and Yes they do work.

      I love Linux but you have to remember given enough money and time ANY system can be hacked.

  18. The other submission by Anonymous Coward · · Score: 2, Informative

    The other submission, which mods ignored, contained a better list of the exploits: https://www.bleepingcomputer.c...

  19. Now we know why he went to FL early by WillAffleckUW · · Score: 1

    And why a certain foreign agent went to Korea a while back.

    --
    -- Tigger warning: This post may contain tiggers! --
  20. Re:Need to order a drone strike against these trai by bill_mcgonigle · · Score: 1

    C'mon, if you're going to hold yourself out as a professional propagandist, at least put in the effort to get your possessive pronoun number agreement correct.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  21. Very interesting by Anonymous Coward · · Score: 0

    Very interesting dump. From the notes you can see that they completely hacked and downloaded the Oracle databases of SWIFT operators. They use university computers to triangulate. The hacking program into universities that was disclosed a few weeks ago was for having access to unsecured university servers from where to hack higher value targets.

    1. Re:Very interesting by Anonymous Coward · · Score: 0

      NSA is no different from any hacking mafia.

  22. Re: Need to order a drone strike against these tra by negRo_slim · · Score: 1

    That sounds about right.

    --
    On the Oregon Cost born and raised, On the beach is where I spent most of my days
  23. Re: Need to order a drone strike against these tra by Anonymous Coward · · Score: 0

    I would say no, but there exist courts whose every detail is secret, and deal with these matters.

    So, who knows.

  24. Security removed for good reasons by raymorris · · Score: 5, Informative

    > Much of the code was written when these machines were only networked if the company had a Novell network (yeah, yeah, both of you who ran LANMan can pipe down) and security wasn't even on the RADAR.

    Indeed. Historically, it was DISK Operating System (DOS) on a PERSONAL Computer (PC) as opposed to the then-traditional NETWORK operating system on a time-sharing computer (which cost over $100,000). The point of DOS, the difference between Microsoft and what was already commonplace, was that the Microsoft OS was for cheap little computers used by one person, and not connected to a big corporate network. Instead of requiring many MBs of RAM, DOS could run in as little as 16KB of RAM by getting rid of all the stuff that wasn't needed on a PERSONAL, DISK-based computer - stuff like security, stuff like isolating the files and processes of one user from the rest of the system.

    This was a great idea. It worked brilliantly. Then the internet happened. Microsoft had a shit fit. Not only was their entire company based on PCs rather than the client-server model, but they had just spent millions upgrading Object Linking and Embedding (OLE), and named the new version COM. It was really cool - it let you do things like embed a picture in a Word document, or link a sound file from a picture. It was awesome. Then the web showed up with "img src" and "a href". Oh shit!

    Microsoft did exactly the right thing, making an OS for personal, home computers, which weren't on a network and therefore any security was unnecessary overhead that they removed. Then the sudden popularity of the web screwed them and they had to play catch-up for 15 years.

    1. Re:Security removed for good reasons by Anonymous Coward · · Score: 0

      Try something like 27 years. The whole networking-computers thing and client-server stuff is at least as old as the early 1990s. Hell, Novell Netware started in 1983. It's also one reason why as much as I liked the idea of OS/2 in a lot of ways*, NT was the way to go. Unfortunately, all the talk about NT being "robust" was and is utter bullshit. The only reason systems like Linux were more secure (hard to say if they are overall now**) is they were part of the front line of attacks which meant a lot of the direct network facing stuff had to be patched ASAP (and Linux got to adopt a lot of the *nix stuff that was swiss cheese and then patched).

      In any case, I agree with your overall point. I just don't think the time frame is really too accurate. MS "won" with DOS and then Windows, but most of that had had to do with there being no good, cheap alternatives that maintained backwards compatibility. That last part is the key.

      * In the end, OS/2's main failing is the same reason tabbed window managers are a bad idea. You shouldn't be creating n-instances of something and just grouping them together under a UI or some bits because they don't unify well. Instead, you need to figure out the apps that need tabs (or some other similar dynamic) and then build the unification directly inside. Then you can do things like have multiple windows with their own distinct tabs. For OS/2 to have moved forward (and retain backwards compatibility) would have involved a massive headache of trying to contain "displays" or "sessions"*** of windows to contain different users/programs/whatever. NT was right to put in users from the start.

      ** At this point, the attack vector of web browser, which is heavily of the cross-platform variety, is 90% of what the average user has to worry about. The rest is system or system library bugs of the sort that Windows and Linux are both rather guilty of. Linux ends up being less valuable to code for, even with malware. The story was different when IE was the norm.

      *** which I find ironic since such is a big hole in Windows that was patched up in Vista going forward. Meanwhile, Linux with X still has this as a huge security window ripe for exploit.

    2. Re:Security removed for good reasons by axewolf · · Score: 0

      Yeah poor Microsoft didn't even have the money to remake their product in a way that serves the needs of their customers in the way they expect....

    3. Re:Security removed for good reasons by Anonymous Coward · · Score: 0

      Wow, I think you are manipulating history a bit. I was there, before the internet "happened" DOS already had a lot of issues with security. This was most evident with viruses which were spread by floppies. The whole purpose of a DISK based OS was to store and share information and programs. Security WAS needed but Microsoft thought it could take a shortcut. The whole way they think of OLE is dumb, don't mix data with executable code, this was already known in computer science since the 60s. They are playing catch up till today and any Microsoft IIS server can be hacked within a minute, unbelievable that the US government still uses Microsoft software. Is it stupidity or corruption?

  25. Re:Need to order a drone strike against these trai by Anonymous Coward · · Score: 0

    Unfortunately, the NSA and CIA have completely failed in their "jobs". They have not prevented anything or protected a single American, but they do continue to create some odd justification for their jobs. Same can be said for the DEA. The "war" on drugs is not a war, but an income stream for the Drug Enhancement Agency who has no real intention of shutting down drug trafficking.

    By keeping these exploits from being patched they are actually harming more Americans than doing good. Just keeping their jobs going, not protecting one single American. Good job people another huge government fail.

  26. Not too happy about this one by GameboyRMH · · Score: 1

    I think I'd prefer if the NSA *could* see those bank transactions. I'm not a fan of privacy in banking. If you want to do a transaction privately, that's what cash (and maybe cryptocurrency, that genie's out of the bottle) is for. Any privacy beyond that only provides enhanced convenience to criminals IMO. I'd prefer if all bank transactions were visible to law enforcement and tax authorities.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:Not too happy about this one by Anonymous Coward · · Score: 0

      The NSA is neither "law enforcement" nor "tax authorities".

      And who do you really want monitoring all global banking? Interpol and the UN? Chicago's finest and the IRS? Sheriff Earl and CPA Bill?

    2. Re:Not too happy about this one by GameboyRMH · · Score: 2

      Well I'm glad that someone without a vested interest in banking secrecy has some idea about what's going on. If the NSA sees terrorists laundering money or companies violating sanctions they can tip off the relevant authorities.

      I'd say that the FBI and IRS should be monitoring all global banking, along with their equivalents in every country. Interpol as well, sure.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:Not too happy about this one by Anonymous Coward · · Score: 0

      > If the NSA sees terrorists laundering money or companies violating sanctions they can tip off the relevant authorities.

      Like they tipped off Microsoft to the release of a wealth of 0-day exploits?

      > I'd say that the FBI and IRS should be monitoring all global banking, along with their equivalents in every country. Interpol as well, sure.

      Everyone just cooperates in your world, do they? Always on the same page.

    4. Re:Not too happy about this one by Atryn · · Score: 2

      > Well I'm glad that someone without a vested interest in banking secrecy has some idea about what's going on. If the NSA sees terrorists laundering money or companies violating sanctions they can tip off the relevant authorities.

      Wait... what about this recent news has you believing the NSA wants to tip off anyone about anything they discover?

      --
      Come play Moral Decay!
    5. Re:Not too happy about this one by John.Banister · · Score: 1

      I'm happy if mine are visible so long as all the transactions investment banks make with one another are also visible.

    6. Re: Not too happy about this one by Anonymous Coward · · Score: 0

      Monitoring != controlling

  27. Re: Need to order a drone strike against these tra by Anonymous Coward · · Score: 0

    Yeah, hacks that only work against banks is totally what I need my tax dollars to go towards.
    Oh, they aren't killing banks? Then WTF?

  28. Bangladesh swift fraud case by Anonymous Coward · · Score: 0

    Could these tools be responsible for the Bangladesh SWIFT fraud case?

    1. Re: Bangladesh swift fraud case by Anonymous Coward · · Score: 0

      Could be! You can find usernames and passwords for SWIFT servers and databases in the operation logs. I checked the op notes and saw passwords myself.

  29. Re:other nations are using the same exploits by Anonymous Coward · · Score: 0

    The solution is the same. Un-bank.

  30. Re:Thanks Obama by Anonymous Coward · · Score: 0

    Damnit 'Bama. You have one job.

  31. Fucking KGB by Anonymous Coward · · Score: 0

    Fucking KGB releases more shit into the wild to give them plausible deniability. Fuck I wish the fucking Russians would just make car parts instead of war toys.

  32. Re:Need to order a drone strike against these trai by bheerssen · · Score: 1

    No kidding. Besides, how often do you get to use "It's its" in a sentence?

    --
    (Score: -1, Stupid)
  33. LMAO - 'pats self on back', why? by Anonymous Coward · · Score: 0

    See subject: The way I set up my system isn't vulnerable to a SINGLE ATTACK there (mostly networking dependent's why) per my security guides I did LONG ago & was paid for (for STAND-ALONE systems that are non-networked) using the HIGHLY esteemed CIS Tool (who took fixes from me to their program too): https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/

    * :)

    (In other words? I've been SAFE FROM THEIR SHIT since, oh, around 1998!)

    APK

    P.S.=> That's what security patching, OS & IP stack tweaking + shutting off services you DO NOT NEED + yes HOSTS FILES USAGE not only speed you up but SECURE you better too (this goes for routers too, that can be done there also @ all those levels)... apk

    1. Re:LMAO - 'pats self on back', why? by Anonymous Coward · · Score: 0

      Insane since 1998 more like it.

    2. Re:LMAO - 'pats self on back', why? by Anonymous Coward · · Score: 0

      You know what the infamous they say about insanity and genius. More like insanely great he can actually show he's right.

  34. Tip of the iceberg by Anonymous Coward · · Score: 0

    Along with Intel Management Engine backdoor in place, what else can go wrong? You're pretty much fucked top down, bottom up and sideways.

    1. Re:Tip of the iceberg by Anonymous Coward · · Score: 0

      What are the chances that this Italian group called Hacking Team were attacked using IME? Screengrab from the CEO of that company and all of their tools were leaked making that company close their shop.

      captcha: acquires

    2. Re:Tip of the iceberg by Anonymous Coward · · Score: 0

      Don't have any new Intel processors facing the internet. An old box should be good enough for a firewall in many cases.

      Consider a mix of processor types in your network chain.

  35. Not just money, but compatibility, user experience by raymorris · · Score: 0

    It's not *just* a matter of money, but compatibility was / is a huge issue and also user experience. It took ten years for Microsoft to slowly transition not only users, but all of their legacy software, away from essentially running as "root" (Administrator) all the time. Initially on Windows, any program run by any user was allowed to do anything and everything to the computer. Programs did in fact interact with the system, writing registry entries wherever they felt like, putting files in system directories, etc. You can't just suddenly prevent that out of the blue - a large percentage of the existing software would stop working.

    So Microsoft had to slowly transition away from that. Which put them behind, because before DOS, UNIX users were ALREADY accustomed to running as a non-root user. Most computer users before Microsoft didn't *have* root access - they had a terminal connected to a mainframe. They were accustomed to the idea that they ran their software within their private space, and the user software didn't need system-level access.

    So first Microsoft added user login, which *hid* the icons that would link to other people's files. Any "power user" knew how to navigate to the C drive and then back up to any user's files. Slowly they changed the system to where now Windows 8 and Windows 10 have user security similar to what UNIX had in 1979.

    In the meantime, UNIX, and more often these days Linux, have moved on from that security model (discretionary access control) to a newer, more secure model (mandatory access control). Microsoft has played around with adding a bit of DAC-like capability to Windows, but essentially nobody uses it and it's not at all complete and ready for prime time.

  36. Running the browser as root/Admin is bad by raymorris · · Score: 1

    > The only reason systems like Linux were more secure (hard to say if they are overall now**) is they were part of the front line of attacks which meant a lot of the direct network facing stuff had to be patched ASAP

    Remember, initially on Windows, any program run by any user was allowed to do anything and everything to the computer. Programs did in fact interact with the system, writing registry entries wherever they felt like, putting files in system directories, etc. You can't just suddenly prevent that out of the blue - a large percentage of the existing software would stop working.

    So Microsoft had to slowly transition away from that. Which put them behind, because before DOS, UNIX users were ALREADY accustomed to running as a non-root user. Most computer users before Microsoft didn't *have* root access - they had a terminal connected to a mainframe. They were accustomed to the idea that they ran their software within their private space, and the user software didn't need system-level access.

    For quite some time, Windows users were essentially running their browsers as root - including Flash and Java. For some years after that, it *appeared* that they were running as some user, but under the hood there was no real security.

    Linux comes from that Unix heritage, from the basic assumption that an individual user shouldn't be able to take down the system even if they tried.

    1. Re:Running the browser as root/Admin is bad by Anonymous Coward · · Score: 0

      > Remember, initially on Windows, any program run by any user was allowed to do anything and everything to the computer. Programs did in fact interact with the system, writing registry entries wherever they felt like, putting files in system directories, etc. You can't just suddenly prevent that out of the blue - a large percentage of the existing software would stop working.

      Remind me, again, why 99% of Windows 9x/3.x software runs on Windows NT/2000/XP? Oh, right, "a large percentage of the existing software" doesn't need that sort of access and even those that do can have their access virtualized away to a separate folder. In fact, repeatedly Microsoft bent over backwards to break the security (and stability) of Windows NT (4.0 having kernel graphics drivers, 2000 adding "Power Users", etc) for performance and convenience. The reality is Microsoft pushed the idea of Windows NT as a "secure" system and then encouraged "Power" users to use it and in a semi or outright Admin role. That simply defeats the purpose.

      > For quite some time, Windows users were essentially running their browsers as root - including Flash and Java. For some years after that, it *appeared* that they were running as some user, but under the hood there was no real security.

      Which, again, brings back the point that Windows NT was never really written to be used by non-Admins. That's not an intrinsic part of the Windows API or programs themselves. It comes down to the point that until Vista there was no real effort from the UI to have privilege separation. Instead, you were (and even now are) encouraged to do a "Run as Administrator" cmd prompt and go that route or if it's a stand alone program, run it as admin. If it's part of the base OS and pre vista, you're pretty much fucked unless you start a whole separate login session (and log out of the current user) or remotely login and..well, you get the idea.

      In short, this isn't some inherent problem of Windows because of 27 years of history. 16-bit Windows 3.0 was released in 1990. 32-bit Windows NT 3.1 was released in 1993. All the Windows 9x API were basically NT API ports. That Microsoft created user accounts with NT but failed to use them properly is their own fuck up and they had plenty of time to fix it. They just didn't give a shit until IE 6.x and their whole Admin-only approach proved how important security and user accounts were. By then, though, yea, the damage was done. Too much swiss cheese permissions had been integrated into Windows and UAC, even at its best, is a horrible gatekeeper to bandaid over the problem.

      Oh, and just so you know, Linux too started out as admin only. Until Linus accidentally trashed his HDD by overwriting it. Like many systems, they aren't perfect. And the sooner you recognize a serious issue and fix it, the more robust that change can be adopted. The real lesson is Microsoft favored short-term convenience over long-term consideration, and that decision is still hardly biting them in the ass as their monopoly position grants them a slow, long death.

  37. Re:Not just money, but compatibility, user experien by axewolf · · Score: 0

    Microsoft didn't have to do anything slowly. They have and have had enough capital to mobilize the economy to do just about whatever the hell they want, even if it was to build a bridge out of rainbows and fairy dust to the moon. The simple fact is they foresaw the market for their privacy-raping backdoored crap software.

    Once a company goes public, once it hits a certain threshold of market capitalisation, it starts working not for its 'customers' but for its investors. If the investors want to 'cannibalise' one holding as leverage to greatly increase the value of another holding, of course they will do so as long as they can get away with it.

    Don't believe their cover stories, the corporations, military, government, and a great many NPOs are all one gang of thugs exploiting the vast majority of the population, robbing them of livelihood and potential to grow - robbing them of their humanity no less.

  38. Shadow Brokers == angry gopniks by Anonymous Coward · · Score: 0

    I love the smell of Russian butthurt and desperation in the morning!!

  39. Where's the torrent? by Anonymous Coward · · Score: 0

    NT

  40. Re: Need to order a drone strike against these tra by Anonymous Coward · · Score: 0

    I do believe President Truman is immune from drone strikes.

    Yah. causality is a demon

  41. Re:Need to order a drone strike against these trai by Anonymous Coward · · Score: 1

    you idiot, they are spying on innocent americans too. this is the early stages of a supranational surveillance system paid for by idiot whores like you.

  42. Re: Need to order a drone strike against these tr by Anonymous Coward · · Score: 0

    Cutting funding that pays for bombs that go off in western cities, dumbass

  43. Thank You ShadowBrokers by Anonymous Coward · · Score: 0

    Yes isn't it nice.

    As a Pen Tester I must say thank you ShadowBrokers for the wonderful gifts. I also really enjoy writing in the reports that I hacked your network using taxpayer paid for tools.

    Our tax dollars at work.
    Well I did get a return on investment.

  44. Microsoft said they patched these last month by UpnAtom · · Score: 1

    "... the critical vulnerabilities for four exploits previously believed to be zerodays were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks."

    https://arstechnica.com/securi...

  45. Re:Need to order a drone strike against these trai by Anonymous Coward · · Score: 0

    No, it is not. The claim that the government "of the people" is also "for the people" is only partially true. Interests of strong social groups - large commercial corporations, the military and the intelligence bureaucracy - usually come before those of the masses.

    If you stop thinking of the state as something that serves the people but as one of the meeting points of conflicting social interests things make more sense.

  46. Re:Need to order a drone strike against these trai by beastofburdon · · Score: 1

    I agree, we should hit every one of their offices at the same time to minimize survivors, and while we're at it, hit the CIA at the same time.

  47. Re: Need to order a drone strike against these tr by beastofburdon · · Score: 1

    All that money comes from the CIA.

  48. This doesn't change _anything_ but XP/Vista safety by Anonymous Coward · · Score: 0

    NSA saw it coming and for each vulnerability designed a suggested Microsoft code change that would fix this vuln and open another that is very similar.

    NSA makes new dual mode exploits that work for either new or old vulns and installs them in all the places they currently spy on.

    NSA tells MS, here are the bugs and here are the exact fixes we want.

    NSA can still hack new PC's and still has access to all their currently hacked PC's.

    The world patches to keep the script kiddies out, making the ShadowBroker tools useless except on XP and Vista (and earlier).

    If NSA lost anything besides face, they are stupid, and they are not stupid. They are not even angry about this except that more than just the paranoid now know what they actually do.

    Somebody should modify the hacks themselves to provide immunity from the unmodified hacks or hand patch the original code to remove the vulns (at least make it crash before permanent install).

    The only question in my mind is what does MS do when a programmer finds a vuln the NSA uses? Make sure the vulnerable code is not accessible to review in the first place? Cover the programmer in delays and paperwork while the NSA makes another hack? Being in cahoots with the NSA makes MS very dirty in that they will not fix some known bugs. That alone is enough for me to be so repulsed by the ugliness that is MS, that I won't be using any of their products again.

  49. iron guard by Anonymous Coward · · Score: 0

    Could it be the Romanian programmers are doing this with MS software so they can card everyone? HMMM

  50. Re:Thanks Obama by chill · · Score: 1

    Yeah! Beat Auburn! Roll Tide!

    --
    Learning HOW to think is more important than learning WHAT to think.