Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com)
An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack:
Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
Nobody is perfect, all software has vulnerabilities. Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.
The fault here lies in our countries TLA's deciding it was better to leave 100% of the country at risk hoping they would be able to exploit a hole before someone else could exploit that same hole against us.
Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.
Wait until one of these leaked/lost TLA tools becomes used by a 3rd party in such a way that it looks like a state-sponsored attack on one of their enemies. Or, equally likely, a 'leaked/lost' tool used by a 1st party, with a '3rd party did it' plausible deniability argument. It's like separating a 'rogue terrorist group' from a 'state-sponsored terrorist group'.
I imagine soon, a major power will say "all attacks by tools that could only have been created by a state actor, will be responded to as if actually used by that actor" and then the "oops, my WMD fell off the back of a truck, my bad" excuse will no longer work. It may soon be considered too dangerous to hoard these exploits, as their inevitable leak will harm their creator more than if they had never been created in the first place. Taking bets on if that happens before or after the IT world figures out how to secure their shit.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
One of the problems is that MS poisoned any good will about upgrading with their own actions... first by more or less tricking people into upgrading to Windows 10, and second, by making that upgrade (and all other upgrades) less trusted by pushing telemetry as required updates, and by making Windows 10 updates incredibly annoying, disruptive, and on occasion, simply broken.
I don't blame MS for not writing perfect code, especially older code. No OS used today has zero exploits, so I think it's disingenuous to bash Microsoft with each new bug found but somehow give Linux a pass when the same damned things happen. But I'm sure as hell going to blame them for encouraging so many people to distrust Microsoft's own security patches in the first place, even going so far as to actively block them. That was all because of their OWN tone-deaf policies of "we know what's best for you, so shut up and update. Oh, and don't mind the telemetry we're slurping up. We promise its benign. What? No, there's no way to turn it off."
Irony: Agile development has too much intertia to be abandoned now.
secure Win10
+1 Funny
You're also ignoring the huge elephant in the room - that Microsoft probably knew about that vulnerability or even better, created it in conjunction with the NSA et al. By the way - WINDOWS 10 ALSO REQUIRED A "FIX". This is not a "zero day vulnerability", it's a back-door plain and simple.
The other elephant is that a lot of very expensive hardware still runs on WinXP (and other less-recent but still old versions), can't be upgraded to the new version, and is too expensive to replace.
Microsoft will still support WinXP, but basically it means a) they have the patches to prevent malware, but b) they'll only give it to you if you pay them.
Oh, and the price for WinXP support doubles yearly (someone else said that - don't know if it's true).
So effectively Microsoft is saying that you have to throw out and repurchase all of your medical equipment, all of your research equipment, and all of your manufacturing equipment - even if it's still working - because they want you to purchase a new version of their OS.
Oh, and the new version pushes adware on you and installs whatever the fuck Microsoft wants and reboots the system whenever it damn well pleases.
Yeah, I think Microsoft can shoulder at least *some* of the blame for this.
Nothing is going to make IS adhere to the real-world Geneva convention either. The point of such treaties aren't direct enforcement, they're to establish a standard for civilized warfare so that you can apply pressure to other nations to join, be able to chastise those who break it and give reasons to impose sanctions, intervene or join the opposing forces. Take for example the treaty on anti-personnel landmines, if you've promised to disarm it would be a pretty big scandal if you were secretly stockpiling and/or deploying them anyway. Assad kills people every day but start a chemical attack and he got a rather swift response.
If there was a treaty to disclose vulnerabilities in mass market consumer software (because face it they won't give up everything) then leaks like these would show that the US are lying sacks of shit whose words are worth nothing. Being a man of your words and having credibility are very real currencies in international politics. Breaking one treaty would put into question every other treaty the US has signed too. There's no real other force behind it than your own country's promise, there wouldn't be any other direct consequences than a loss of reputation. But that is usually sufficient to do some good, at least it puts a cost on violating it. Today the NSA can just shrug and say they're doing their job.
Live today, because you never know what tomorrow brings