Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com)
An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack:
Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
Any weapon ban treaty has a problem of detecting violations. If one cannot easily detect violations, one cannot enforce the treaty effectively. For pretty much every nuclear weapons treaty the biggest stumbling block has almost always been verification that people are adhering to it. At least there, there's infrastructure to look at. Trying to determine that governments aren't holding back tiny little files stored away somewhere would be much more difficult. In that context, such a treaty would be unlikely to succeed.
Sure sucks that the exploit exists in the first place, but it sure sucks even more to be the person who wrote the code being exploited.
I don't see it.
MS tried everything short of threats to get people to upgrade to a secure Win10 version, to no avail.
This will bring millions of new licenses for MS.
Nobody is perfect; all software has vulnerabilities. Had our relevant TLAs bothered to tell the relevant companies about the holes they found, we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.
The fault here lies in our country's TLAs deciding it was better to leave 100% of the country at risk, hoping they would be able to exploit a hole before someone else could exploit that same hole against us.
Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.
They want backdoors and keys into the things that they swear they will keep safe. Instead of affecting unpatched computers, a leak will affect every computer. But they pinky promise that there will be no leaks and they promise to feel bad if there is one even though it's probably somebody else's fault.
@Whee
Please forward me your bug-free code for review and then we'll talk.
Why should Microsoft be blamed for people getting infected while running Windows XP? The XP system is 16 years old and has been past EoL for years. Anyone running an XP machine connected to the Internet is practically begging to be hacked. Would we blame Red Hat for not patching RHEL 3 boxes left on-line or Apple for not patching 2001-era Macs? It's not as though Microsoft has not made it perfectly clear those old systems are no longer supported.
Microsoft can save some of that blame for themselves. Many people had to turn automatic patching off because of Microsoft's shitty policy of trying to force people to Windows 10 through patch driven 'upgrades'.
More like Microsoft left a soft target on a battlefield without any armor and the users are the cannon fodder. Unless you think that Windows is a weapons system (in that case, I don't even know what to say).
"every single cyberattack on a Windows system seriously"
"We have more than 3,500 security engineers at the company"
Yet failed to notice PRISM? https://en.wikipedia.org/wiki/...
Re "This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support."
The US clandestine services are hiring from the same US university graduate groups over decades.
Top US executives should hire smarter people in the US who can code a secure US OS in the private sector.
If the US clandestine services can hire US people to get into a US OS, hire from the same very smart skill set to protect an OS.
The US mil and gov does not have first pick or a gov monopoly on hiring very smart people every decade. Find some really skilled people in the USA to secure your OS.
Re 'And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality."
When a gov presents "real" court papers and wants long term access to plain text information, it's just a "legally binding order or subpoena".
The origin of this was a government product. Understand how governments work in the public and private sector. How staff move between the role of contractor, gov worker, mil worker and private sector staff to fully understand an OS maker.
Domestic spying is now "Benign Information Gathering"
When Microsoft started issuing "Security Patches" that were not security patches but telemetry and Windows 10 update patches, I stopped patching. Was I wrong? I take a lot of other precautions, one of which is that, after 30 years of being a Microsoft fan boy, I ditched it for Mac.
This hacking provides the perfect argument against built-in backdoors that would enable the government to spy on people (but only when they wanted). All it takes is one leak and *boom* you have out of control hacking by everyone but the government.
I am Slashdot. Are you Slashdot as well?
I have quite a good discussion about Custom Support and MS quarterly earnings here: https://www.reddit.com/r/micro...
The original blogpost makes the following points:
1) Microsoft works hard, I tell you hard to avoid these problems.
2) Customers are to blame too! (really)
3) It's the government's fault!
They're trying to direct the conversation so they don't get all the blame. The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.
"First they came for the slanderers and I said nothing."
...
1.) Microsoft for having a shitty OS and
2.) The USA three-letters knowing it and not protecting its citizens.
It little behooves the best of us to comment on the rest of us.
Independent security audits... they are expensive and time consuming.
Most importantly, they don't make you secure. They're consultants who find a few bugs, then send you a big bill.
There is no ransomware without anonymous funds transfer.
KILL BITCOIN and you stop ransomware.
Why are we protecting a cryptocurrency that is the foundation of criminal activity?
KILL BITCOIN and you stop ransomware.
BITCOIN could be shut down tomorrow, and nobody would be adversely affected.
KILL BITCOIN and you stop ransomware.
Now you say it.
If an OS developer wants to secure their code, secure their site and code, consider every contractor and consultant who had access to the code.
Walk the life story. Is the resume real? Education, friends, university, who helped at university? First real job?
Are trusted staff walking out internal code early and often to the US gov for some reason?
Stop outsourcing, start hiring US experts who enjoy working in the private sector. Make the US private sector a better place to work than any US mil or gov site.
Consider how the gov or mil treats staff and ensure the private sector is always better. No new "contractors" telling expert private company staff what to do.
Make writing good code that protects the US brand and product line more fun and more rewarding than anything the mil/clandestine services can offer.
Find the very best graduates that passed on merit in the USA and offer them much better conditions before they consider the clandestine services.
Consider all past requests by law enforcement for internal plain text network access. What got installed, where, for how long. Strange gov hardware "tracking users" deep in company networks for years?
Build entire new research campus sites that do pure research well away from any users or gov/mil/court requests. Air gap new code efforts far away from any existing user networks or buildings.
Do not mix staff between the everyday user court work and secure new code creation.
Crypto everything early and often. Keep everything surrounding the product line in plain text but secure the new code.
Write trusted internal crypto. Never trust any crypto that a gov offers or says is a standard or has been "fully" gov tested. It's tested to revert to plain text.
A government does not need to see product creation, just user accounts. Keep users and code creation well separated.
Stop governments/mil teams from getting so far up the production line before a release date.
Look over all past issues. Is it staff walking out data or an entire network being copied? If no staff member has access to all the code, is the network being used as a way in to collect it all during code creation or review?
Could a very few well placed staff members work together to put together all existing code and walk out with work for every generation and product line?
Has pre release code always been shared with any part of the US mil or gov in full?
Build an internal security section. Create junk code and projects. Fill networks with bait raw code and see what gets created in the wild days or years later that only works with that code given to select people or was ever on a server. Log everything.
Someone or some network accessed all that bait code.
Is code walking early in the creation stage? Testing? After a release? Start tracking every stage of the code and fill it with unique tracking.
Find out if it is trusted staff, wide open internal networks, or gov requests for all code have made it out into the wild. If it is trusted staff that get found, look over their resume and see who else has the same fake patterns of background work or study. An entire generation of clandestine staff could have been placed into a project and allowed to advance up the ranks over many years.
If it's an open network, fill it with busy work and tracked junk projects.
Look over all past access or source code related malware events. See if groups, networks or staff keep on showing up for each event.
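One concrete form of the per-copy tracking this post argues for (bait code carrying a unique marker so a leak can be traced back), written as an added example rather than anything from the commenter or from any vendor: each copy of a bait file handed to a recipient gets a keyed marker, and a copy that later turns up in the wild is matched back to that recipient. The secret key, recipient names and the bait module are all constructed for this illustration.

```python
"""Per-copy tracking markers for bait source code (added illustration).

Each copy of a bait file given to a different recipient (contractor, team,
build server) carries a marker derived from a secret key and the recipient's
name.  If that file, or code built on top of it, shows up outside the
company, the marker identifies which copy leaked.  The key, names and the
sample module below are constructed for this example.
"""
import hashlib
import hmac
import re
from typing import Iterable, Optional

# Marker is disguised as an ordinary build constant so it does not
# advertise itself as a tracking token.
MARKER_RE = re.compile(r"BUILD_ID\s*=\s*['\"]([0-9a-f]{16})['\"]")

# Constructed bait module: looks like an internal records exporter.
BAIT_SOURCE = '''"""Records exporter (internal, constructed sample)."""
import json

def export_records(records):
    return json.dumps(records, sort_keys=True)
'''


def copy_marker(secret: bytes, recipient: str) -> str:
    """Deterministic 16-hex-char marker for one recipient.

    Using an HMAC over the recipient name means nobody without the key can
    compute another recipient's marker, so a leaker cannot plausibly "forge"
    a marker pointing at someone else.
    """
    return hmac.new(secret, recipient.encode(), hashlib.sha256).hexdigest()[:16]


def issue_copy(source: str, secret: bytes, recipient: str) -> str:
    """Return the bait source with this recipient's marker embedded.

    The marker is inserted after the import block as a plausible-looking
    build identifier, so every recipient gets a slightly different file.
    """
    marker = copy_marker(secret, recipient)
    lines = source.splitlines()
    insert_at = 0
    for i, line in enumerate(lines):
        if line.startswith("import ") or line.startswith("from "):
            insert_at = i + 1
    lines.insert(insert_at, f"BUILD_ID = '{marker}'  # internal build identifier")
    return "\n".join(lines) + "\n"


def attribute(leaked: str, secret: bytes, recipients: Iterable[str]) -> Optional[str]:
    """Match a leaked copy (or derived code) back to the recipient whose marker it carries.

    Returns None when the marker was stripped (no attribution possible) or
    when the marker is present but matches no known recipient (unknown or
    tampered copy); both cases are worth logging separately in practice.
    """
    match = MARKER_RE.search(leaked)
    if match is None:
        return None
    found = match.group(1)
    for recipient in recipients:
        if hmac.compare_digest(found, copy_marker(secret, recipient)):
            return recipient
    return None


if __name__ == "__main__":
    key = b"constructed-example-key"
    people = ["contractor-a", "contractor-b", "build-server-3"]
    handed_out = {p: issue_copy(BAIT_SOURCE, key, p) for p in people}
    # Simulate a derived file appearing in the wild that kept the constant.
    leaked = "# some third-party tool\n" + handed_out["contractor-b"]
    print("leak attributed to:", attribute(leaked, key, people))
```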
Microsoft might be right in this rare instance.
Independent, is one or more not related to the task, i.e. their future is not tied to the code at hand appearing great, either directly or indirectly.
Vetted, means you can trust them. How they are to be incentivized to be honest is a task best left to the organizer. ( I prefer sharks w/ lasers on their head).
Hell, make it a competitive, non-zero-sum game. Peer code review sounds nice but everyone winds up seeking butt sucking friendly reviewers, who will review them nicely and be reviewed nicely later. I'm certain the EMI cert coding snafu was a product of peer code review.
Peer code review in this case means: the same folks that crap out buggy code look over their neighbors' work, who also crap out buggy code.
Let me break it to you gently, as you don't exactly appear to have your finger on the pulse of current American politics. You see, Barack Obama is not the president anymore, and so will not be pardoning anyone. He's just a citizen now.
I think it's important to get the facts straight when trolling as when you are so obviously stupid as a broken tree stump it undermines the value of an otherwise admirable troll.
My God you are abysmally and uncomprehensively stupid. Don't get me wrong, and take that in a good way. I mean to insult your intelligence as directly and as unambiguously as possible.
Let me run the subs, I'll do it phatly.
On the Oregon Coast born and raised, on the beach is where I spent most of my days
Some out there have been going on about how the infected are responsible for not having applied the just-recently-released MS update. They seem to ignore the fact that Microsoft's updates of late are far too unreliable to blindly apply as soon as they're pushed out. Between the GWX malware campaign where MS was continually updating their installer and MS having killed off QA and frequently releasing broken updates, the smart move for the past couple of years has been to hold off at least a couple of months while the early adopters discovered what MS broke with the updates and watch MS re- and re-re-release updates as they tried to get it right.
It's all well and good to sneer and point out that Microsoft released an update that would have protected against the NSA's malware a couple of months ago, but anyone with sense wouldn't have gotten around to installing it yet for fear of what the update would have borked.
You don't wanna know about his mother. You just don't.
They've got to blame someone. Opening bell happens in a few hours. The NSA is not publicly traded.
Seven puppies were harmed during the making of this post.
Almost hoped something like the TV series Mr. Robot would happen, and these events weren't anywhere near catastrophic, but still a decent eye opener to what's very likely closer to reality than it has ever been.
Gimme a break. The NSA as I last saw it had a division of COMPUTER SECURITY. What happened? Last year Comey said we needed an "adult conversation" about encryption and national security. Screw that. The National Security Agency best be looking after - Ah _ Um - National Security. We DO need an ADULT conversation folks.
The solution is not to give up vulnerabilities that the CIA and NSA discover and want to weaponize, the root of the problem is the most incompetent administration in 50 years (the Obama administration) being completely clueless about cyber security and letting our state secrets out. That shit would never have been hacked by the Russians and dumped into the wild if the incompetents at the CIA and NSA had air-gapped their stockpile and put people in prison for 10 years or more for moving the files to a networked location except for specific conditions and actual use where multiple sign-offs and precautions would be required. Those who were in charge and those who were responsible for the security measures at the CIA and NSA when these secrets were hacked/leaked should be fired and charged with criminal negligence at least or maybe espionage/treason.
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
Let me break it to you gently, as you don't exactly appear to have your finger on the pulse of current American politics. You see, Barack Obama is not the president anymore, and so will not be pardoning anyone. He's just a citizen now.
He's not the president, but he is a president. Every former president gets a life long pension, an office, a staff, franking privileges, secret service protection, a presidential library, and the title of president. And are still bound by the oaths taken when entering office, making former presidents, much like the peerage in Europe, less free than full citizens.
Wait until one of these leaked/lost TLA tools becomes used by a 3rd party in such a way that it looks like a state-sponsored attack on one of their enemies. Or, equally likely, a 'leaked/lost' tool used by a 1st party, with a '3rd party did it' plausible deniability argument. It's like separating a 'rogue terrorist group' from a 'state-sponsored terrorist group'.
I imagine soon, a major power will say "all attacks by tools that could only have been created by a state actor, will be responded to as if actually used by that actor" and then the "oops, my WMD fell off the back of a truck, my bad" excuse will no longer work. It may soon be considered too dangerous to hoard these exploits, as their inevitable leak will harm their creator more than if they had never been created in the first place. Taking bets on if that happens before or after the IT world figures out how to secure their shit.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Please forward me your bug-free code for review and then we'll talk.
10 print "Fuck You"
20 goto 10
the idiots who still use m$ software... you deserve it lol
Microsoft made BILLIONS of dollars over the past years selling poorly written buggy software that contained this (and MANY other) bugs. Many of the hundreds (thousands?) of bugs they have included in their products over the years were caused by truly stupid design decisions and/or incompetent coding. They maintained their market control while selling these bug-infested products with the assistance of some extremely shady business practices, without which it's possible that other products like Linux, BSD, OS/2 etc. could have attained more market penetration --- and THAT competition might have forced Microsoft to actually work harder to make a better product (a benefit of TRUE free market competition).
When a fast food chain gets a bit sloppy and poisons some customers, who is responsible? Do we let the fast food place claim innocence and shift the blame to some third party that made it easier for people to see the problems in the kitchen at the fast food place? Nope. We allow the fast food place to be sued and the courts figure out which entities have what percent of the responsibility.
Did the feds competently create an exploit? Apparently so, and they have the right to do that as part of the typical international spying game.
Did the feds leak that code? Apparently so, and they are to blame for THAT act of incompetence.
Did some criminals use that code to bring a lot of hurt to a lot of people? Yup. Could they have done it without the initial total incompetence of the people at Microsoft who like to present themselves to the public as the best in the world? Nope. If Microsoft had initially been competent and sold a solid product to the public then the actions of the feds and these current criminals would have been of no consequence.
If you truly want to shift the blame from Microsoft, let me give you another candidate: Every reasonably competent computer geek has known for over a decade that it is unsafe to connect a Windows system to the web, and unsafe to use Outlook for e-mail etc. If an entity like the NHS in the UK is stupid enough to use Windows in a safety-critical place like a hospital, then the "professionals" of (in this example) the NHS who are likely over-paid and now unmasked as incompetent ought to be fired and publicly shamed.
People doing nefarious things for money are often willing to do otherwise economically-unsound things, take large losses in the conversions, etc. and...
MONEY IS FUNGIBLE
Also, as anybody who's been in prison (or seen any prison movie) will know, ANYTHING of value becomes fungible in the right circumstances.
Consider: People on food stamps have been seen buying flats of bottled water (which they CAN buy), then emptying the bottles in the parking lot and immediately turning the bottles in to recycling to get the deposits. That's a horrendous rate of return, but when you consider that the taxpayer provided the food stamps and the person doing this particular transaction ends up with "free" money... it's "worth it".
If you kill anonymous funds transfers, you eliminate the freedom all the law-abiding people have to engage in private economic activity - but the criminals will then simply resort to various means of money laundering. If you ban bitcoins, they'll simply work out schemes to have people obtain something else of value and convey it somewhere to be picked up, possibly by another victim who is being blackmailed into converting the value to something else and forwarding it to some other place, and so on.
Stop thinking like a totalitarian who wants to use the sledgehammer of government to solve all problems by reducing liberty and privacy; start considering basic human nature and noticing that most solutions along the lines you suggest hit the wrong targets.
Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.
MS is correct in noting that both the TLAs and the users who failed to apply the patch share some of the blame. However, at least an equal share of the blame lies with MS for the appalling number of serious bugs that Windows has. While it is impossible to write bug-free code, many security bugs in Linux and Macs typically require existing user-level access to the machine, which makes them much less serious. Those that do allow remote access are rare enough that they are huge news, not part of a typical monthly patch cycle.
So as I see it the blame goes three ways: MS for a bad security model for Windows; the TLAs for hiding the flaw after they spotted it; and users who don't apply updates regularly when they should know how bug-ridden Windows is.
By heavily marketing Microsoft Windows to the point that it is used, in a capacity where it can run things like Minecraft, in mission-critical IT infrastructure, they have done much to bring the current situation about. Mission critical IT infrastructure should be decomposed as a system of well-defined, hardware-isolated roles, each of which has only the authority necessary to do its job, and nothing more. (This is the principle of least authority.) There is more profit for Microsoft and major IT consultancies in just pushing Windows. Indeed Linux, in its 'desktop' flavour is no better. But Linux, being open-source, is sufficiently customisable that, as in Android or embedded uses, you can remove as much as you like.
For example, there is no need, in a patient records system, for the facility to arbitrarily create, overwrite, and delete files. If you have one machine that stores important details, another that categorises records stored by the first, and another that reads back the result, and can do nothing else (such as run Microsoft Word or Minecraft), then there is simply far less to go wrong. But systems need to be architected around this. The current trend to maximise 'bang for buck' has led to maximising flexibility and agility and, with it, maximising the flexibility and agility offered to attackers and, thus, maximising vulnerability.
Microsoft and other proprietary software vendors, in pursuing their market positions, have done much to bring this situation about, and only when we learn that a general purpose OS is not a good idea for actually running mission-critical infrastructure (even while they are great for designing and programming them), will we start to get out of this mess of 'cyber insecurity' that we find ourselves in.
John_Chalisque
the spier whining about spying
Microsoft should take their share of the blame on this one. Starting with the heavy push for Windows 10 free upgrades to telemetry upgrades on previous versions. Those shenanigans eroded end user trust and the result was that no updates were done. This was entirely preventable.
Wrong.
The ADULT thing is for the NSA and others who HAVE most of the Windows source code to rewrite the exploitable bits to make it a sequence of events to use it, and give Microsoft back the new code, as three letter places do not have the competency to compile and test - arguably even MS gets caught out. State based testing is a forgotten art.
I remember SUN systems talking to Microsoft's broken AD. It did not work. MS said repeat the packet again - and bingo - connection. Nah, what's in an AD backdoor.
secure Win10
+1 Funny
You're also ignoring the huge elephant in the room - that Microsoft probably knew about that vulnerability or even better, created it in conjunction with the NSA et al. By the way - WINDOWS 10 ALSO REQUIRED A "FIX". This is not a "zero day vulnerability", it's a back-door plain and simple.
The other elephant is that a lot of very expensive hardware still runs on WinXP (and other less-recent but still old versions), can't be upgraded to the new version, and is too expensive to replace.
Microsoft will still support WinXP, but basically it means a) they have the patches to prevent malware, but b) they'll only give it to you if you pay them.
Oh, and the price for WinXP support doubles yearly (someone else said that - don't know if it's true).
So effectively Microsoft is saying that you have to throw out and repurchase all of your medical equipment, all of your research equipment, and all of your manufacturing equipment - even if it's still working - because they want you to purchase a new version of their OS.
Oh, and the new version pushes adware on you and installs whatever the fuck Microsoft wants and reboots the system whenever it damn well pleases.
Yeah, I think Microsoft can shoulder at least *some* of the blame for this.
Interesting that people classify parent as "Troll" even though it's not far from the truth - better to blame the messenger than address the problem.
Realize that the architecture that Windows today has is based on Windows NT, an architecture that was founded in the beginning of the 90's. This in turn is built upon OS/2, which originally came out in 1987.
There have been improvements to that architecture over the years, which have caused it to become more and more of a patchwork and resource hog in order to still maintain backwards compatibility while also keeping up with new functionality and improved security.
However a lot of the design in the platform is still causing problems that are hard to resolve without admin rights for the user. The current Windows versions also seem to only utilize two Privilege Levels in the hardware architecture, level 0 (kernel) and level 3 (user applications). This is also the case for Linux, so it's not better on that point.
However the age of an OS does not necessarily indicate how bad it is from a security point of view and the utilization of the capabilities of the hardware. E.g. OpenVMS utilizes four privilege modes (Kernel, Executive, Supervisor and User) and OpenVMS is now being ported to x86. This seems to be good news for nerds.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
So, Microsoft is out of responsibility? The Victim is to blame? It is /my own/ fault if i still use Windows XP?
It seems to me like this whole WannaCry "Campaign" is about softly forcing users - by fear - to switch to Windows10+. All the newest built-in spy features are not available on the older Systems, at least not so comfortable preconfigured. Time to get more percentage of the population watched!
Oh, OSS Operating Systems will be the true last Boss for (elite) people thinking that way.
They're patching XP for chrissakes.
No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?
It's hard to stop using a system when it requires repurchasing the $100,000 hospital X-ray machine that it runs.
Did you think every hospital should just throw out all its working equipment and purchase new ones? For hospitals in Africa and India as well?
The solution is not to give up vulnerabilities that the CIA and NSA discover and want to weaponize, the root of the problem is the most incompetent administration in 50 years (the Obama administration) being completely clueless about cyber security and letting our state secrets out. That shit would never have been hacked by the Russians and dumped into the wild if the incompetents at the CIA and NSA had air-gapped their stockpile and put people in prison for 10 years or more for moving the files to a networked location except for specific conditions and actual use where multiple sign-offs and precautions would be required. Those who were in charge and those who were responsible for the security measures at the CIA and NSA when these secrets were hacked/leaked should be fired and charged with criminal negligence at least or maybe espionage/treason.
No, because they didn't *intend* to leak the information.
The new interpretation of the law requires intent, and besides, no one has ever been prosecuted for doing this in the past.
Haven't you been following the news last year?
How many macOS + linux machines were compromised?
Thank you.
Hey microsoft, fuck you, your shitty O/S, and your monopolistic legal practices in the 90's that brought you to power. Bill Gates & Steven Allen are dirty motherfuckers, and they deserve the blame for stifling innovation with legal $$$.
Blame MS for not planning ahead, but blame cheap-ass customers for not upgrading when given plenty of notice. The NHS would not give people drugs with expired use-by dates, so why is using expired software different?
nice straw man. apparently you're better at being a troll than you are understanding software. go have a look at GNU and Linux, and come back after you've grown up, little boy.
you're such a little narcissist you probably think there's no one better at writing code than you. typical millennial coder-wannabe bullshit.
The cracking of the Axis secret codes at Bletchley Park, OP-20-G and elsewhere during World War 2 showed the allied powers just how important being able to read the other guy's stuff really was.
Then computers came along and the Russians, Chinese and other bad guys started using digital encryption and other security measures and the western powers (NSA in the US, GCHQ in the UK and others) continued to do whatever was necessary to break into those computers and steal all the secrets.
When mass market PCs came along and everyone started using the same hardware and software as everyone else, the agencies followed suit with attacks on and back doors into the computers the bad guys were using.
I reckon the big tech companies should all get together and throw a bunch of lobbying money at world governments to get laws passed to stop the hoarding. I am sure there are enough people in Congress who would listen when big fat "political donations" are waved in their face in return for stopping the abuse of vulnerabilities in this way.
I completely agree with Microsoft's point, but there's some irony in here. MS produces proprietary software, "black boxes" in terms of software. Nobody can access their code, nobody knows how it works, what it does (cough "telemetry" cough), etc., which is fair enough, I guess.
Other companies produce open software (whether OS or not, whether free/GPL or not). People can access their code (whether or not they understand it is another matter) and learn/know how that software works and do whatever they want. Meaning that if an issue is found, be this critical or a simpler bug, people can fix it themselves and share it, or report it for someone else more capable to fix (not everyone is a developer).
Seems a bit of an irony that MS asks for open-software-like behaviour from third parties (people or companies/agencies) whilst not permitting the auditing of their code.
NSA is a large organization, different parts do different things. How do we actually know this bug came from NSA? All we have is some web site claiming it.
Windows NT was built with VMS in mind, not OS/2; MS hired VMS's main architect. When MS and IBM were in bed together, MS had the UI front end to do. They didn't like the back end from IBM because it made their front end run like shit. So they decided they needed their own back end.
After NT was thrown together, MS discovered their front end still ran like shit so they went into their back end and knackered the bits that made their front end look bad. Unfortunately, that also meant they had to include stuff in the kernel where from a security standpoint it didn't belong. And so MS's proud tradition for lack of security persisted.
VMS had 4 security levels and that was supported by the VAX architecture. OpenVMS is merely the successor to VMS. I'm unsure what is open about OpenVMS, last I checked it was owned by HP. It probably won't be long before they screw it up like everything else they touch.
Don't fight for your country, if your country does not fight for you.
I agree, but the conclusion that open source = safer software is not correct. Just recently Google researchers found over 1000 security issues in FOSS projects. At least they could investigate the code and find these problems. Leaves the question of whether the project leaders now bother to have them fixed. Also, many security holes are introduced through bad online tutorials. Microsoft needs to do more testing on their end. They have a quasi-monopoly on desktop OS and unless they deliver top notch solutions they should not lay blame on others.
Watching all this unfold I thought it was a publicity stunt for the next season of 24
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Windows NT was the OS/2 3.0 code base
The breach of contract settlement between IBM and Microsoft stipulated that IBM got exclusive rights to the OS/2 2.x code base and a royalty free license to emulate Microsoft's then quite popular Windows 3, while Microsoft got to keep the OS/2 3.0 code base that Microsoft had been delaying development on. The OS/2 3.x line was to be the business/server version of the consumer OS/2 2.x.
"His name was James Damore."
That I don't understand. Are they saying that MS should keep supporting XP or that they didn't do enough to get people to upgrade? I don't see either as making any sense.
(AC who started the thread)
Indeed, open source does not mean more secure. By all means. Now, the fact that things are more transparent permits a quicker fix (instead of waiting for MS bulletins). But again, this is bound to people updating their systems. At the end, the weakest part of any computer lies between a chair and the keyboard.
If a Russian computer agency had done the same thing there would be accusations of an act of War with unknowable consequences.
M$ is spraying flann.
Citizenfour showed that Microsoft, Apple, Facebook, etc. were being paid by the alphabet mafia to provide backdoor access.
We can't know with 100% certainty, but based on the available evidence, a US actor is the most likely candidate based on the code itself (e.g., it's not in Chinese or Russian or British English), it's 9-5 based on timestamps (i.e., not a late night hackathon but a professional entity), it's east coast also based on timestamps, it's likely government because the exploit is so old and yet it's never been either reported or seen in the wild, which is typical of acknowledged stockpiling behavior of the NSA, aaaaand the government had a shitstorm when it was leaked (although they will "neither confirm nor deny"). So... maybe it was someone else, and also maybe intelligent design is real. Who's to say?
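The timestamp argument in the comment above, as an added PowerShell example (not the commenter's code and not analysis of any real sample): take a set of build timestamps and score every candidate UTC offset by how many of them fall inside a nine-to-five working window. The timestamps in the script are constructed for illustration and do not come from WannaCry or the leaked tools. The usual caveat applies: a compile timestamp is just a 32-bit field in the file header, trivially set to any value at build time, so this kind of fit is corroborating evidence at best, never proof of where code was written.

```powershell
# Added example. Assumes Windows PowerShell 5.1 or PowerShell 7 (needs
# [DateTimeOffset]::FromUnixTimeSeconds). Timestamps below are CONSTRUCTED
# sample data in seconds since the Unix epoch, not real PE header values.
$sampleTimestamps = @(
    1262613900, 1262614320, 1262638020,   # Mon 2010-01-04
    1262705400, 1262725500,               # Tue
    1262788200, 1262794800, 1262804100,   # Wed
    1262875200, 1262891400,               # Thu
    1262963100, 1262986200,               # Fri
    1263096900                            # one late-night weekend outlier
)

function Get-WorkHourFit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][long[]] $UnixTimestamps,
        [int] $StartHour = 9,    # window is [StartHour, EndHour): 09:00 to 16:59
        [int] $EndHour   = 17
    )
    if ($UnixTimestamps.Count -eq 0) { throw 'No timestamps supplied' }

    # Render each timestamp in every plausible zone (UTC-12 .. UTC+14) and count
    # how many land in working hours; the offset with the best fit is the
    # candidate time zone. Weekday is reported too so weekend-heavy data stands out.
    foreach ($offset in -12..14) {
        $tz = [TimeSpan]::FromHours($offset)
        $inWindow = 0
        $onWeekday = 0
        foreach ($ts in $UnixTimestamps) {
            $local = [DateTimeOffset]::FromUnixTimeSeconds($ts).ToOffset($tz)
            if ($local.Hour -ge $StartHour -and $local.Hour -lt $EndHour) { $inWindow++ }
            if ($local.DayOfWeek -notin 'Saturday', 'Sunday') { $onWeekday++ }
        }
        [pscustomobject]@{
            UtcOffset  = $offset
            InWindow   = $inWindow
            OnWeekday  = $onWeekday
            Total      = $UnixTimestamps.Count
            Fit        = [math]::Round($inWindow / $UnixTimestamps.Count, 2)
        }
    }
}

# Show the five best-fitting offsets; for the constructed data UTC-5 scores 12 of 13.
Get-WorkHourFit -UnixTimestamps $sampleTimestamps |
    Sort-Object -Property InWindow, OnWeekday -Descending |
    Select-Object -First 5 |
    Format-Table -AutoSize
```

With real data you would feed in the TimeDateStamp of every binary in the tool set and also look at the spread of days, not just hours; a tight cluster around one offset across many files is the signal, a single file tells you nothing. Adjacent offsets (UTC-4 and UTC-5 here, i.e. EDT versus EST) will often tie unless the data spans a daylight-saving change.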
You are truly a self-entitled psychopath who lives in his delusional world.
See subject: Wana can't get to my setup (no SMB or port 445 access). It's secured via CIS Tool (highly esteemed & took fixes from "yours truly" too) & does only SMB2 or better + I don't run Server or Workstation services soliciting connections (wastes for me - no home LAN/network) which automatically protects me right there 2 ways:
1.) Nothing to get a 'handle' on to connect to via a port 445 listener in the 1st place & EVEN IF it did?
2.) I am SMB2++ secured.
* FOR SINGLE SYSTEMS NOT ON A NETWORK @ HOME (no LAN)? It works.
"I AM LEGEND" immune here.
APK
P.S.=> It's ALL here how to do it FROM 11++ yrs. ago too no less "A look @ the future - & the FUTURE was THEN" + got me paid too, will wonders NEVER cease https://www.google.com/search?...> ... apk
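The two conditions the poster above relies on (nothing listening on TCP/445, and the SMB server refusing the SMB1 dialect) can be checked on any Windows host. The following is an added PowerShell example, not the poster's own tooling or the CIS tool mentioned; it assumes an elevated prompt and the SmbShare module (Windows 8 / Server 2012 or later). Without -Fix it only reports.

```powershell
# Added example: audit one Windows host for SMB1 and TCP/445 exposure, optionally fix.
# Assumes Windows 8 / Server 2012 or newer (SmbShare and NetTCPIP modules) and admin rights.
function Test-SmbExposure {
    [CmdletBinding()]
    param([switch] $Fix)   # -Fix applies the remediation; default is report-only

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Will the SMB server still negotiate the SMB1 dialect, the one the
    #    WannaCry exploit abuses? If so, turn it off (this alone closes that path).
    $cfg = Get-SmbServerConfiguration
    if ($cfg.EnableSMB1Protocol) {
        $findings.Add('SMB1 dialect enabled on the SMB server')
        if ($Fix) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    }

    # 2. SMB1 optional feature (client and server binaries) still installed?
    #    Present on client SKUs; on Server the feature name differs, so errors are ignored.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        $findings.Add('SMB1Protocol optional feature installed')
        if ($Fix) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
    }

    # 3. Is anything listening on TCP/445 at all? On a standalone machine with no
    #    shares to offer, the Server service (LanmanServer) can be stopped so nothing
    #    answers on 445 regardless of dialect.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        $pid445 = ($listener | Select-Object -First 1).OwningProcess
        $findings.Add("TCP/445 listener present (owning PID $pid445)")
        if ($Fix) {
            Stop-Service -Name LanmanServer -Force
            Set-Service  -Name LanmanServer -StartupType Disabled
        }
    }

    # 4. Re-read state so the report reflects any change just made.
    $after = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1Enabled  = $after.EnableSMB1Protocol
        Smb2Enabled  = $after.EnableSMB2Protocol
        Port445Open  = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
        ServerSvc    = (Get-Service -Name LanmanServer).Status
        Findings     = $findings
    }
}

# Report only:
Test-SmbExposure
# Remediate on a standalone host that serves no shares:
# Test-SmbExposure -Fix
```

Disabling the Server service is the "no LAN" case only: it breaks file and printer sharing and the remote administration tools that ride on SMB, so on a domain-joined machine stop at step 1 and install the vendor patch instead. A clean report here says nothing about whether the host is patched; it only says the host no longer answers the request the worm sends.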
ya know, a couple years ago when literally every third story on slashdort had some BITCOIN! angle, I would have agreed with you just for some relief from the fanbois.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
This is Awesome! I just wanted to come in here as someone who dislikes intelligence services and law enforcement in general and just slap a nice big wet carp in the faces of those embarrassed by these leaks.
Your thieving holier than thou ways are just about over and the ones you oppress are stealin your pancakes gramps!
Just wait until we release the hacked recordings of the president..... it's one beautiful thing about cameras being everywhere.... they eventually catch something.
Windows NT was built with VMS in mind, not OS/2
This is nonsense. OS/2 was a joint project of IBM and MS; at some point MS left the joint venture and forked NT from the OS/2 code base. At heart they are still the exact same software, besides the changes and further development during the previous 20 - 30 years ofc.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Wish I had mod points. :( It's a bummer that some of these people are so deep in it that they don't have a chance to step back and look at it.
I see this site is still pushing the lie of 'accidental' exploits in MS operating systems. Microsoft makes all its products hacker-enabled with the understanding that the hackers will be 'official' agents in the UK, USA, Israel, Saudi Arabia and other places with 'wonderful' Human Rights records. Usually, thanks to 'friends of Israel', MS backdoors crafted for the NSA end up in the hands of 'friends of Israel' criminal cyber-gangs operating out of Ukraine, and then into the wider criminal community, at which point MS issues 'patches' that close these backdoors and open brand new ones.
This time the MS-created NSA backdoors bypassed the usual route from Israel to Ukraine, and were dumped all at once into the wider community, hence the 'problem' (as if 'friends of Israel' cyber crooks running lower-level ransomware scams across the planet using MS/NSA backdoors isn't problem enough).
Snowden revealed how the 'tinfoil hat wearing' slur had always been an NSA psy-op aimed at any person who dared to point out the full extent of NSA cooperation by every major IT company (including the owners of this site). The NSA is a full spectrum dominance enterprise, and that certainly includes regular doses of propaganda here.
I would like to know where to find you on IRC, as you seem to be rather defensive here, but you seem like you may know a thing or 2. Also got a few questions about your hosts file creator. If you could drop me an address with SSL port, I would like to chat a bit.
With exploits like this. I would consider windows to be Weaponized..
Thanks to Microsoft, you CANNOT update a Windows 7 with a Kaby Lake processor...
"ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP."
From MS: "After 12 years, support for Windows XP ended April 8, 2014." Over 3 years ago. If you wish to fault MS for 'not planning ahead' for things still under support, well, maybe; that being said, IIRC the patch for *supported* items was released in March. IMO to even mention XP as not being planned for is stupid. Organizations should have spent the last 3 years migrating/mitigating. Ignoring that, it became a hot topic in IT circles the year prior, and while I can't really find when the EOL date was first announced I know MS has a published list of all the EOL dates.
Any talk about issues with XP being anything other than the responsibility of the organization using it should, at this point, be promptly chucked out the window.
Ever read the EULA? There is no real warranty. If you don't agree to it, then don't install it.
Microsoft is smarter than to actually say that though.
Just curious, what do people with hacked versions of Windows do? Can they install these updates?
I really don't know... my wife has a valid copy of Win7 on her laptop, and I run Linux.
My beliefs do not require that you agree with them.
When we first got wind of US spy agencies either discovering or planting exploits for spy purposes, we were told among other things that these exploits wouldn't escape into the wild because they were being kept under tight security.
I said at the time that these exploits will inevitably escape, because they were valuable, and it takes only one employee to trade them for money, and then they're in the wild.
And so, here we are.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Yeah, the EULA protects them against many kinds of lawsuits, but there are things the government can decide to do, capriciously. Like an anti-trust lawsuit, or make other new laws, for example.
"First they came for the slanderers and I said nothing."
Classic slashdot : blowhard amateur thinks they know more about a subject than the people who work in a particular field. Round my way, we call your type a "CantTheyJust"
How do we even know this had anything to do with a government entity, foreign or domestic? We teach in hacking class that there are people out there that take Microsoft updates and reverse engineer them every Patch Tuesday looking for an exploit. Some people have it all automated so about an hour later they have it. How do we know that wasn't done here? Apparently it wouldn't be hard to do. We already have access to the basic encryption stuff. Just need a vector to get in. Set up call centers, send it out with some tempting bait and whammo!
It's funny to imagine that the NSA hacking tools were most likely stolen from a computer using hacking tools to compromise the computer they were stored on. If so, then it is possible that the NSA could avoid losing their own secrets if they worked with computer security instead of against it.
People say: "there is no such thing as computer privacy/security". And I guess that is true for NSA staff as much as any other citizen. But it's funny when they are actually causing the insecurities to weaken themselves.
It would be very nice if the NSA worked to protect Americans, instead of propagating national insecurity. It's like the NSA wants our computers to be hacked so that they are needed to investigate our private property (without our knowledge or consent) after the fact to see how it was done and catch the hackers, rather than stopping them before damage can be done. A form of job security for them... I guess.