Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r

An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack: Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.

Enforcement is the problem

[JoshuaZ]

Any weapon ban treaty has a problem of detecting violations. If one cannot easily detect violations, one cannot enforce the treaty effectively. For pretty much every nuclear weapons treaty the biggest stumbling block has almost always been verification that people are adhering to it. At least there, there's infrastructure to look at. Trying to determine that governments aren't holding back tiny little files stored away somewhere would be much more difficult. In that context, such a treaty would be unlikely to succeed.

Re:Enforcement is the problem

House rules:

- The guy with the gun always wins.
- Only the government gets to have guns.

The government only needs to hold up a flimsiest facade that they're "good people", and that's only to keep the house of cards that is the American economy from collapsing into a heap. We're all taught from the youngest age that Mr Policeman is good and you should go to him if you need help. Fast-forward 20 years and you start to understand why you shouldn't. We all need to stop pretending that the government is here for our interests; it isn't.

Re:The Blame Game

Please forward me your bug-free code for review and then we'll talk.

Re:Enough blame to go around

[Excelcia]

This exploit exists in an old protocol no one uses any more. Is any vulnerability avoidable? Sure. Should this one have been fixed, or the code deprecated earlier, absolutely. Could /you/ write a hundred million lines of code and not have a critical vulnerability? In case it's not obvious (to you), that was a rhetorical question.

I am no fan of Microsoft. I never have been. But in this case, the real evil was perpetrated (and there is no other word for it) by the NSA. An agency of the United States government, one specifically tasked with the protection of US citizens, learned of a vulnerability in an operating system used in critical applications throughout the country, used by the majority of its citizens, and not even accidentally sat on it - they purposefully, with consideration and intent, sat on that information. Not only that, but they then developed a weapon to exploit it, lost control of that weapon, and it is now in the wild where it can do the most damage.

This is a combination of willful dereliction of duty, and gross negligence. This shouldn't be Microsoft complaining, this should be the director of the NSA hauled in handcuffs before congress.

Great argument against backdoors

[OzPeter]

This hacking provides the perfect argument against built-in backdoors that would enable the government to spy on people (but only when they wanted). All it takes is one leak and *boom* you have out of control hacking by everyone but the government.

Re:Microsoft is 100% right on this one

[ScentCone]

They're patching XP for chrissakes.

No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?

Re:Microsoft is 100% right on this one

[buss_error]

I know this isn't a popular opinion around here, but hear me out.

I know this isn't a popular opinion, but hear -me- out.

The statue clearly states that US intelligence services are required to divulge security vulnerabilities to vendors in a timely manner. It is blindingly obvious this was not done. So my question is very simple.

Who is going to jail for violating Federal statues?

Oh - silly me. Only chumps and civilians go to jail for violating the law.

Here is the real problem - being able to access a computer is like being able to read their diary or eavesdrop on them. Before computers, this was also done. With computers, it's just easier. So what we are seeing the the degradation of everyone's privacy because it's easier to steal secrets from a computer that it is to, you know, actually do your fsck'ing job.

Enforcing the law isn't about sitting on your fat ass in Virginia - it's about doing the work, the right way, within not just the letter of the law but the spirit of it. Only then is our system of government consistent, valuable, and worth dying to preserve.

Otherwise it's just another big lie.