Slashdot Mirror


Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com)

An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack: Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.

3 of 324 comments (clear)

  1. Microsoft is 100% right on this one by Snotnose · · Score: 5, Interesting

    Nobody is perfect, all software has vulnerabilities. Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.

    The fault here lies in our countries TLA's deciding it was better to leave 100% of the country at risk hoping they would be able to exploit a hole before someone else could exploit that same hole against us.

    Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.

    1. Re:Microsoft is 100% right on this one by rsmith-mac · · Score: 5, Interesting

      I know this isn't a popular opinion around here, but hear me out.

      The NSA is the US's SIGINT operation. Their job is to be both the offense and the defense when it comes to dealing with electronic systems. So developing attacks against other systems is part of their purview, and we want them to continue doing so such that we can spy on, and if necessary attack other nations. The need for an offensive SIGINT group will always exist, even if it's not the NSA.

      Back in the days of yore, it used to be that exporting valuable software was restricted. If the Soviets wanted software for controlling gas pipelines, for example, they either had to develop their own or steal it. And exporting useful encryption was right-out banned. The end result was that for SIGINT purposes, there was a very clear line between "us" and "them" in what each side's systems could do, how they worked, and what they ran.

      The Internet has put an end to national borders for software. Now everyone runs the same Oracle database, the same Cisco/Juniper routers, the same Microsoft OS, etc. It's allowed commerce to explode on our end by exporting valuable software to new market. However the flip side of that is that the line between "us" and "them" has almost entirely been erased. Now the nations we spy on run much the same software we do; now the nations that we need to be able to attack don't run antiquated little systems that are easy for us to break into. How do you balance offense and defense in that situation, when any weapon you make can be used against you, and any defense to develop can be used by your enemies to shield themselves from you?

      Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.

      If our relevant TLAs informed software vendors about every exploit they found, it would improve the quality of software to be sure. And that definitely has some benefits. But then we'd be committing to an entirely defensive operation, due to the fact that everyone else is running this better-hardened software.

      Meanwhile when it comes to offense, we'd have no exploits let which to use to spy on or attack other nations with. But the same is not true for other nations. Their own SIGINT groups would be searching for exploits as well, and since they wouldn't be bound by what we're doing, they'd continue stockpiling them and using them against us as they deem necessary. Our software-hardening efforts would make this task a lot harder, but not even the NSA is going to find every bug in Windows. So at the end of the day, other nations would still be able to attack us, even if we did report all exploits we found.

      The problem with a purely defensive operation then, especially in the software sense, is that your defense only has to fail once for you to lose. Once they're in your systems you have no ability to retaliate (since you have no exploits to use as weapons), so hostile forces have very little incentive not to attack you. And while you can clean up afterwards, the damage is done: the blueprints have been stolen, the cyclotron has been busted, and Amazon is shipping everyone 50 gallon drums of lube.

      Ultimately Cyber security when both sides have the same systems is little more than a new variant on the Prisoner's Dilemma. We can stop ratting on the other prisoner, but they're not going to stop ratting on us. No matter what we do, it's in the best interests of foreign powers to be able to attack our systems. And that means we need to keep exploits of our own in order to be able to mount a credible (if not overwhelming) offense.

      The one problem here - and not to discount it, because it is a real problem - is that the NSA obviously didn't secure

    2. Re:Microsoft is 100% right on this one by gtall · · Score: 5, Interesting

      There are some ideas buzzing around the U.S. government to separate out the functions of cyber so that security comes from a different entity than offensive weapons. Of course that means parts of the government will be fighting each other. NSA, CIA, FBI, etc. are all on public record as realizing this. There is no easy answer.

      Some of the misconception is that somehow spying is bad. It isn't. It is what keeps a government from overreacting to something out in the open. Offensive weapons will always be around. The Russians, Chinese, Iranians, I.M.A. Dipshit from Any Country have them.

      Some bright sparks in Congress asked James Clapper why the U.S. couldn't respond in the cyber arena against the naughty things the Russians did in the last election. His response was: well, if you are sure the U.S. infrastructure could stand the guaranteed response, then that might be advisable. He was of the opinion that the Russians have the U.S. electrical grid on their target list and that he (Clapper) figured they could take it down for retaliation. Of course, these would be acts of war...between nuclear armed nations....one of which has a ruthless dolt as head of state, the other also has a ruthless dolt as head of state.