Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com)
An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack:
Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
Any weapon ban treaty has a problem of detecting violations. If one cannot easily detect violations, one cannot enforce the treaty effectively. For pretty much every nuclear weapons treaty the biggest stumbling block has almost always been verification that people are adhering to it. At least there, there's infrastructure to look at. Trying to determine that governments aren't holding back tiny little files stored away somewhere would be much more difficult. In that context, such a treaty would be unlikely to succeed.
Please forward me your bug-free code for review and then we'll talk.
Why should Microsoft be blamed for people getting infected while running Windows XP? The XP system is 16 years old and has been past EoL for years. Anyone running an XP machine connected to the Internet is practically begging to be hacked. Would we blame Red Hat for not patching RHEL 3 boxes left on-line or Apple for not patching 2001-era Macs? It's not as though Microsoft has not made it perfectly clear those old systems are no longer supported.
This exploit exists in an old protocol no one uses any more. Is any vulnerability avoidable? Sure. Should this one have been fixed, or the code deprecated earlier, absolutely. Could /you/ write a hundred million lines of code and not have a critical vulnerability? In case it's not obvious (to you), that was a rhetorical question.
I am no fan of Microsoft. I never have been. But in this case, the real evil was perpetrated (and there is no other word for it) by the NSA. An agency of the United States government, one specifically tasked with the protection of US citizens, learned of a vulnerability in an operating system used in critical applications throughout the country, used by the majority of its citizens, and not even accidentally sat on it - they purposefully, with consideration and intent, sat on that information. Not only that, but they then developed a weapon to exploit it, lost control of that weapon, and it is now in the wild where it can do the most damage.
This is a combination of willful dereliction of duty, and gross negligence. This shouldn't be Microsoft complaining, this should be the director of the NSA hauled in handcuffs before congress.
This hacking provides the perfect argument against built-in backdoors that would enable the government to spy on people (but only when they wanted). All it takes is one leak and *boom* you have out of control hacking by everyone but the government.
I am Slashdot. Are you Slashdot as well?
The original blogpost makes the following points:
1) Microsoft works hard, I tell you hard to avoid these problems.
2) Customers are to blame too! (really)
3) It's the government's fault!
They're trying to direct the conversation so they don't get all the blame. The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.
"First they came for the slanderers and i said nothing."
...
1.) Microsoft for having a shitty OS and
2.) The USA three-letters knowing it and not protecting its citizens.
It little behooves the best of us to comment on the rest of us.
This is something a compiler will usually show a warning for. If it did not, then the compiler is to blame.
Guy in India writing the outsourced Microsoft code: "That stupid compiler always generates so many warnings, I just turned the warnings off. The code compiles fine, I don't see what the problem is."
Seven puppies were harmed during the making of this post.
This is something a compiler will usually show a warning for. If it did not, then the compiler is to blame.
Blame isn't a limited commodity, where you reduce blame one place by adding it to another. "Shifting blame" is an attempt at binary thinking and reducing complexity, and is an impediment to justice.
That a compiler or static analysis tool is to blame for not warning where it should does not absolve the programmer one iota. A programmer who depends on software to tell him when he's made a mistake deserves blame heaped up high. The tools can warn about bad code, but absence of warnings does not imply good code.
They're patching XP for chrissakes.
No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?
Don't disappoint your bird dog. Go to the range.
Please forward me your bug-free code for review and then we'll talk.
10 print "Fuck You"
20 goto 10
Well, you're brave to defend the TLAs. Hopefully you don't get unfairly mod-bombed because of it, as too often happens to unpopular posts.
The core problem with your scenario is the implicit assumption that only the TLAs know about those particular exploits. There could very well have been other countries' agencies that knew about them as well, or criminals using them judiciously for their own zero-day exploits. Why assume that any other major state player couldn't collect these same bugs? We may know more in the months ahead if anyone discovers new information in old logs relating to these exploits.
The other faulty assumption is that the only way to do offensive intelligence operations is with software exploits. Plenty of attacks, from many different criminal and/or government groups have shown that to absolutely not be the case. Human operators can be fooled into installing malware in targeted phishing attacks, or maybe even bribed into installing it. Or you can use more traditional bugging methods, installing hardware that intercepts information pre-encryption. Etc, etc...
Holding onto an exploit that affects your own country's software (and the world's in fact), is playing a very risky game. And, as you rightly acknowledged, it just blew up in their faces. Given the proven inability of these agencies to hold onto secrets, I think playing a little more defense isn't a bad thing, at least until it's been established that they don't leak their own secrets like a sieve.
I fully understand and acknowledge that there are very bad people in the world, and these agencies help to protect the US from them. But I do wonder if, at the moment, that price is becoming a little too steep for what we're getting out of the deal. The problem is, though, that we'll never really know. The leaders at the top of that agency know, but sure as hell they're never going to admit to anyone anything that has a chance of ever reducing the power of their own little government fiefdom.
Irony: Agile development has too much inertia to be abandoned now.
the spier whining about spying
I know this isn't a popular opinion around here, but hear me out.
I know this isn't a popular opinion, but hear -me- out.
The statute clearly states that US intelligence services are required to divulge security vulnerabilities to vendors in a timely manner. It is blindingly obvious this was not done. So my question is very simple.
Who is going to jail for violating Federal statutes?
Oh - silly me. Only chumps and civilians go to jail for violating the law.
Here is the real problem - being able to access a computer is like being able to read their diary or eavesdrop on them. Before computers, this was also done. With computers, it's just easier. So what we are seeing is the degradation of everyone's privacy, because it's easier to steal secrets from a computer than it is to, you know, actually do your fsck'ing job.
Enforcing the law isn't about sitting on your fat ass in Virginia - it's about doing the work, the right way, within not just the letter of the law but the spirit of it. Only then is our system of government consistent, valuable, and worth dying to preserve.
Otherwise it's just another big lie.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
They're patching XP for chrissakes.
No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?
It's hard to stop using a system when it requires repurchasing the $100,000 hospital X-ray machine that it runs.
Did you think every hospital should just throw out all its working equipment and purchase new ones? For hospitals in Africa and India as well?
"While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't." If Microsoft didn't dress up Windows 10 deployment campaigns as security patches, maybe people would have applied important updates; instead, many people got fed up with cleaning up the Windows 10 installer and turned off auto update instead. Glad I'm no longer dependent on Windows.
"If it's lost, it'll turn up. Things always do" "I love it when a plan comes together"
No, they're patching a very old product that they told people - for years straight - to stop using,
Yes, after they spent years doing their best to force them to use it. I call shenanigans. Microsoft wants to embrace and extend so they can have vendor lock-in? Let them be held responsible for the situation they have created.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"