Slashdot Mirror


Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com)

An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack: Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.

4 of 324 comments

  1. Re:The Blame Game by gtall · Score: 4, Informative

    Windows NT was built with VMS in mind, not OS/2, MS hired VMS's main architect. When MS and IBM were in bed together, MS had the UI front end to do. They didn't like the back end from IBM because it made their front end run like shit. So they decided they needed their own back end.

    After NT was thrown together, MS discovered their front end still ran like shit so they went into their back end and knackered the bits that made their front end look bad. Unfortunately, that also meant they had to include stuff in the kernel where from a security standpoint it didn't belong. And so MS's proud tradition for lack of security persisted.

    VMS had 4 security levels and that was supported by the VAX architecture. OpenVMS is merely the successor to VMS. I'm unsure what is open about OpenVMS, last I checked it was owned by HP. It probably won't be long before they screw it up like everything else they touch.

  2. Re:Hard to do by swb · Score: 4, Informative

    But if the machine is critical, then air-gap it, and use removable media. Transferring the data 30 times a day isn't an onerous task.

    Sounds easy, until you realize that they've been pushing radiology imagery over the network for years and the entire radiology workflow has been designed around this. The machines don't have external media drives, the staff doesn't know how to do this in a way that ensures the "nothing is wrong" imagery associated with your chart doesn't get conflated with the "stage 4 cancer" imagery of someone else, there's just an entire laundry list of shit that has to happen right, be supported, etc.

    I've seen a similar phenomenon in machine shops and metal fabricators where the tooling is controlled by ancient Windows versions and there just is no update for the driver software that isn't an extremely expensive machine upgrade. I don't know how the machine OEMs get away with this, really, but I'm sure at least in the medical field it has something to do with certification and probably there's a similar amount of BS associated with machine tools (i.e., the PE signoff required for safety liability includes the entire control chain).

    I have no idea what the solution is short of machine system vendors producing way more of their own code which would make the machines more expensive.

  3. Re:Microsoft is 100% right on this one by Cyryathorn · Score: 3, Informative

    Ah yes, here it is:

    https://epic.org/privacy/cyber...

    There's no Federal statute such as you describe. It's not even an Executive Order -- it's just a matter of policy. The "Vulnerabilities Equities Process" allows this: "the government may choose to withhold the information to use it for purposes including law enforcement, intelligence gathering, and 'offensive' exploitation".

  4. Re:Enforcement is the problem by courteaudotbiz · Score: 2, Informative

    Even Hitler did not.

    Are you totally out of your Sean Spicer brainwashed mind? Ever heard of Zyklon B?

    Maybe you are being sarcastic, but I just don't get it in your post (English is not my first language).