Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com)
An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack:
Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
Any weapon ban treaty has a problem of detecting violations. If one cannot easily detect violations, one cannot enforce the treaty effectively. For pretty much every nuclear weapons treaty the biggest stumbling block has almost always been verification that people are adhering to it. At least there, there's infrastructure to look at. Trying to determine that governments aren't holding back tiny little files stored away somewhere would be much more difficult. In that context, such a treaty would be unlikely to succeed.
I don't see it.
MS tried everything short of threats to get people to upgrade to a secure Win10 version to no avail.
This will bring millions of new licenses for MS.
Nobody is perfect, all software has vulnerabilities. Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.
The fault here lies in our country's TLAs deciding it was better to leave 100% of the country at risk hoping they would be able to exploit a hole before someone else could exploit that same hole against us.
Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.
They want backdoors and keys into the things that they swear they will keep safe. Instead of affecting unpatched computers, a leak will affect every computer. But they pinky promise that there will be no leaks and they promise to feel bad if there is one even though it's probably somebody else's fault.
@Whee
Please forward me your bug-free code for review and then we'll talk.
Why should Microsoft be blamed for people getting infected while running Windows XP? The XP system is 16 years old and has been past EoL for years. Anyone running an XP machine connected to the Internet is practically begging to be hacked. Would we blame Red Hat for not patching RHEL 3 boxes left on-line or Apple for not patching 2001-era Macs? It's not as though Microsoft has not made it perfectly clear those old systems are no longer supported.
They probably got promoted for writing their code so quickly, and the manager who decided to enable the feature by default too.
Microsoft can save some of that blame for themselves. Many people had to turn automatic patching off because of Microsoft's shitty policy of trying to force people to Windows 10 through patch driven 'upgrades'.
This exploit exists in an old protocol no one uses any more. Is any vulnerability avoidable? Sure. Should this one have been fixed, or the code deprecated earlier, absolutely. Could /you/ write a hundred million lines of code and not have a critical vulnerability? In case it's not obvious (to you), that was a rhetorical question.
I am no fan of Microsoft. I never have been. But in this case, the real evil was perpetrated (and there is no other word for it) by the NSA. An agency of the United States government, one specifically tasked with the protection of US citizens, learned of a vulnerability in an operating system used in critical applications throughout the country, used by the majority of its citizens, and not even accidentally sat on it - they purposefully, with consideration and intent, sat on that information. Not only that, but they then developed a weapon to exploit it, lost control of that weapon, and it is now in the wild where it can do the most damage.
This is a combination of willful dereliction of duty, and gross negligence. This shouldn't be Microsoft complaining, this should be the director of the NSA hauled in handcuffs before congress.
"every single cyberattack on a Windows system seriously"
"We have more than 3,500 security engineers at the company"
Yet failed to notice PRISM? https://en.wikipedia.org/wiki/...
Re "This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support."
The US clandestine services are hiring from the same US university graduate groups over decades.
Top US executives should hire smarter people in the US who can code a secure US OS in the private sector.
If the US clandestine services can hire US people to get into a US OS, hire from the same very smart skill set to protect an OS.
The US mil and gov does not have first pick or a gov monopoly on hiring very smart people every decade. Find some really skilled people in the USA to secure your OS.
Re "And it's why we've pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality."
When a gov presents "real" court papers and wants long term access to plain text information it's just a "legally binding order or subpoena".
The origin of this was a government product. Understand how governments work in the public and private sector. How staff move between the role of contractor, gov worker, mil worker and private sector staff to fully understand an OS maker.
Domestic spying is now "Benign Information Gathering"
When Microsoft started issuing "Security Patches" that were no security patches but telemetry and Windows 10 update patches, I stopped patching. Was I wrong? I take a lot of other precautions, one of which is that I ditched after 30 years of being a Microsoft fan boy to Mac.
This hacking provides the perfect argument against built-in backdoors that would enable the government to spy on people (but only when they wanted). All it takes is one leak and *boom* you have out of control hacking by everyone but the government.
I am Slashdot. Are you Slashdot as well?
Oh for the love of mod points...
I have quite a good discussion about Custom Support and MS quarterly earnings here: https://www.reddit.com/r/micro...
The original blogpost makes the following points:
1) Microsoft works hard, I tell you hard to avoid these problems.
2) Customers are to blame too! (really)
3) It's the government's fault!
They're trying to direct the conversation so they don't get all the blame. The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.
"First they came for the slanderers and i said nothing."
...
1.) Microsoft for having a shitty OS and
2.) The USA three-letters knowing it and not protecting its citizens.
It little behooves the best of us to comment on the rest of us.
Independent security audits... they are expensive & time consuming.
Most importantly, they don't make you secure. They're consultants who find a few bugs, then send you a big bill.
"First they came for the slanderers and i said nothing."
https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb#L32
According to the above, the bug comes from subtracting a DWORD from a WORD.
This is something a compiler will usually show a warning for. If it did not, then the compiler is to blame.
If the Windows programmer set a flag to disable warnings from the compiler, or ignored the warnings from the compiler, then the programmer is to blame.
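As an added illustration of the class of bug this comment describes (example code written for this thread, not code from the linked exploit or from Microsoft), here is how a WORD-minus-DWORD subtraction in C is promoted, wraps, and is silently truncated when stored back into a 16-bit field, beside a checked form that refuses the underflow. The field names and values are constructed; GCC and Clang report the implicit narrowing when built with -Wconversion.

```c
/* Added example: constructed WORD/DWORD length arithmetic, not vendor code.
 * Build with: cc -Wall -Wconversion example.c  (the -Wconversion warning is
 * exactly the kind of diagnostic that gets lost when warnings are disabled). */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

typedef uint16_t WORD;   /* 16-bit, as in the Windows SDK */
typedef uint32_t DWORD;  /* 32-bit, as in the Windows SDK */

/* Unchecked: mirrors the pattern "WORD = WORD - DWORD".
 * The WORD is promoted to 32 bits, the subtraction wraps modulo 2^32 when
 * consumed > total_len, and the assignment back to a WORD keeps only the
 * low 16 bits. A huge "consumed" can therefore yield a small "remaining". */
WORD remaining_unchecked(WORD total_len, DWORD consumed)
{
    WORD remaining = total_len - consumed; /* implicit narrowing here */
    return remaining;
}

/* Checked: reject the subtraction when it would go negative. Returns false
 * so the caller can drop the message instead of trusting a wrapped length.
 * Since total_len fits in 16 bits, a non-negative result always fits too. */
bool remaining_checked(WORD total_len, DWORD consumed, WORD *out)
{
    if (consumed > total_len)          /* would underflow */
        return false;
    *out = (WORD)((DWORD)total_len - consumed);
    return true;
}

/* Convenience wrapper: the checked result, or -1 when the check rejects. */
long remaining_checked_value(WORD total_len, DWORD consumed)
{
    WORD out;
    return remaining_checked(total_len, consumed, &out) ? (long)out : -1L;
}

/* Why the truncation matters: a bounds test written against the truncated
 * value accepts a "remaining" that was produced by underflow. Returns true
 * when that (buggy) bounds check would have passed. */
bool unchecked_passes_bounds(WORD total_len, DWORD consumed, WORD buffer_size)
{
    return remaining_unchecked(total_len, consumed) <= buffer_size;
}

int main(void)
{
    /* Constructed inputs: a 256-byte header claiming 65776 bytes consumed. */
    WORD total = 0x0100;
    DWORD consumed = 0x000100F0;

    printf("unchecked remaining: %u\n", remaining_unchecked(total, consumed));
    printf("passes 64-byte bound: %s\n",
           unchecked_passes_bounds(total, consumed, 64) ? "yes" : "no");
    printf("checked remaining:   %ld\n", remaining_checked_value(total, consumed));
    printf("sane case (256-200): %ld\n", remaining_checked_value(total, 200));
    return 0;
}
```

The unchecked path reports 16 bytes remaining and passes a 64-byte bound even though more was "consumed" than the header ever contained; the checked path rejects it.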
If an OS developer wants to secure their code, secure their site and code, consider every contractor and consultant who had access to the code.
Walk the life story. Is the resume real? Education, friends, university, who helped at university? First real job?
Are trusted staff walking out internal code early and often to the US gov for some reason?
Stop outsourcing, start hiring US experts who enjoy working in the private sector. Make the US private sector a better place to work than any US mil or gov site.
Consider how the gov or mil treats staff and ensure the private sector is always better. No new "contractors" telling expert private company staff what to do.
Make writing good code that protects the US brand and product line more fun and more rewarding than anything the mil/clandestine services can offer.
Find the very best graduates that passed on merit in the USA and offer them much better conditions before they consider the clandestine services.
Consider all past requests by law enforcement for internal plain text network access. What got installed, where, for how long. Strange gov hardware "tracking users" deep in company networks for years?
Build entire new research campus sites that do pure research well away from any users or gov/mil/court requests. Air gap new code efforts far away from any existing user networks or buildings.
Do not mix staff between the everyday user court work and secure new code creation.
Crypto everything early and often. Keep everything surrounding the product line in plain text but secure the new code.
Write trusted internal crypto. Never trust any crypto that a gov offers or says is a standard or has been "fully" gov tested. It's tested to revert to plain text.
A government does not need to see product creation, just user accounts. Keep users and code creation well separated.
Stop governments/mil teams from getting so far up the production line before a release date.
Look over all past issues. Is it staff walking out data or has an entire network been copied? If no staff member has access to all the code, has the network been used as a way in to collect it all during code creation or review?
Could a very few well placed staff members work together to put together all existing code and walk out with work for every generation and product line?
Has pre release code always been shared with any part of the US mil or gov in full?
Build an internal security section. Create junk code and projects. Fill networks with bait raw code and see what gets created in the wild days or years later that only works with that code given to select people or was ever on a server. Log everything.
Someone or some network accessed all that bait code.
Is code walking early in the creation stage? Testing? After a release? Start tracking every stage of the code and fill it with unique tracking.
Find out if it is trusted staff, wide open internal networks, or gov requests for all code have made it out into the wild. If it is trusted staff that get found, look over their resume and see who else has the same fake patterns of background work or study. An entire generation of clandestine staff could have been placed into a project and allowed to advance up the ranks over many years.
If it's an open network, fill it with busy work and tracked junk projects.
Look over all past access or source code related malware events. See if groups, networks or staff keep on showing up for each event.
Domestic spying is now "Benign Information Gathering"
They probably got promoted for writing their code so quickly
It's a government agency. You don't get promoted for being clever or efficient, you get promoted for dotting the i's and crossing the t's (or, in some cases, for dotting the t's and crossing the i's).
Yeah next time your mechanic charges you $2000 for something you didn't need, make sure you listen to his "cars are really complicated with lots of moving parts and sophisticated electronics" justification.
Seven puppies were harmed during the making of this post.
This is something a compiler will usually show a warning for. If it did not, then the compiler is to blame.
Guy in India writing the outsourced Microsoft code: "That stupid compiler always generates so many warnings I just turned the warnings off. The code compiles fine I don't see what the problem is."
Seven puppies were harmed during the making of this post.
This is something a compiler will usually show a warning for. If it did not, then the compiler is to blame.
Blame isn't a limited commodity, where you reduce blame one place by adding it to another. "Shifting blame" is an attempt at binary thinking and reducing complexity, and is an impediment to justice.
That a compiler or static analysis tool is to blame for not warning where it should does not absolve the programmer one iota. A programmer who depends on software to tell him when he's made a mistake deserves blame heaped up high. The tools can warn about bad code, but absence of warnings does not imply good code.
They've got to blame someone. Opening bell happens in a few hours. The NSA is not publicly traded.
Seven puppies were harmed during the making of this post.
Gimme a break. The NSA as I last saw it had a division of COMPUTER SECURITY. What happened? Last year Comey said we needed an "adult conversation" about encryption and national security. Screw that. The National Security Agency best be looking after - Ah _ Um - National Security. We DO need an ADULT conversation folks.
The solution is not to give up vulnerabilities that the CIA and NSA discover and want to weaponize, the root of the problem is the most incompetent administration in 50 years (the Obama administration) being completely clueless about cyber security and letting our state secrets out. That shit would never have been hacked by the Russians and dumped into the wild if the incompetents at the CIA and NSA had air-gapped their stockpile and put people in prison for 10 years or more for moving the files to a networked location except for specific conditions and actual use where multiple sign-offs and precautions would be required. Those who were in charge and those who were responsible for the security measures at the CIA and NSA when these secrets were hacked/leaked should be fired and charged with criminal negligence at least or maybe espionage/treason.
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
Let me break it to you gently, as you don't exactly appear to have your finger on the pulse of current American politics. You see, Barack Obama is not the president anymore, and so will not be pardoning anyone. He's just a citizen now.
He's not the president, but he is a president. Every former president gets a lifelong pension, an office, a staff, franking privileges, secret service protection, a presidential library, and the title of president. And they are still bound by the oaths taken when entering office, making former presidents, much like the peerage in Europe, less free than full citizens.
Wait until one of these leaked/lost TLA tools becomes used by a 3rd party in such a way that it looks like a state-sponsored attack on one of their enemies. Or, equally likely, a 'leaked/lost' tool used by a 1st party, with a '3rd party did it' plausible deniability argument. It's like separating a 'rogue terrorist group' from a 'state-sponsored terrorist group'.
I imagine soon, a major power will say "all attacks by tools that could only have been created by a state actor, will be responded to as if actually used by that actor" and then the "oops, my WMD fell off the back of a truck, my bad" excuse will no longer work. It may soon be considered too dangerous to hoard these exploits, as their inevitable leak will harm their creator more than if they had never been created in the first place. Taking bets on if that happens before or after the IT world figures out how to secure their shit.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
It's not the government's job to protect everyone from self-inflicting their own wounds or creating their own problems.
In this case, the wound was made with a government made knife, designed to penetrate known armor, and leaked through government incompetence. I think that puts some blame on the government too.
If it wasn't for the government (a) making, and (b) leaking this weapon, this particular attack would likely not have happened. I can see the US government being sued for damages in foreign jurisdictions that allow this.
That does not absolve those who brought the malware onto a network by monkey-clicking links, of course.
Please forward me your bug-free code for review and then we'll talk.
10 print "Fuck You"
20 goto 10
We should be able to see how this occurred by looking at the leaked Windows 2000 source code back from 2004. I seem to recall that it included the networking code. Given that Microsoft backported the patch for this vulnerability to Windows XP then it seems reasonable to assume that it is still the same legacy code that came with Windows 2000 (and earlier).
Compiler warnings were a lot less sophisticated back in those days. I wonder how many warnings they have to turn off today just to be able to compile the ancient code that lives in the guts of Windows.
Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.
MS is correct in noting that both the TLAs and the users who failed to apply the patch share some of the blame. However, at least an equal share of the blame lies with MS for the appalling number of serious bugs that Windows has. While it is impossible to write bug-free code many security bugs in Linux and Macs typically require existing user-level access to the machine which makes them much less serious. Those that do allow remote access are rare enough that they are huge news, not part of a typical monthly patch cycle.
So as I see it the blame goes three ways: MS for a bad security model for Windows; the TLAs for hiding the flaw after they spotted it and users who don't apply updates regularly when they should know how bug-ridden Windows is.
the spier whining about spying
Microsoft is a government agency now?
https://en.wikipedia.org/wiki/Inverted_totalitarianism
Wrong.
The ADULT thing for the NSA and others who HAVE most of the Windows source code is to rewrite the exploitable bits to make it a sequence of events to use it, and give Microsoft back the new code, as three letter places do not have the competency to compile and test - arguably even MS gets caught out. State based testing is a forgotten art.
I remember SUN systems talking to Microsoft's broken AD. It did not work. MS said repeat the packet again - and bingo - connection. Nah, what's in an AD backdoor.
secure Win10
+1 Funny
You're also ignoring the huge elephant in the room - that Microsoft probably knew about that vulnerability or even better, created it in conjunction with the NSA et al. By the way - WINDOWS 10 ALSO REQUIRED A "FIX". This is not a "zero day vulnerability", it's a back-door plain and simple.
The other elephant is that a lot of very expensive hardware still runs on WinXP (and other less-recent but still old versions), can't be upgraded to the new version, and is too expensive to replace.
Microsoft will still support WinXP, but basically it means a) they have the patches to prevent malware, but b) they'll only give it to you if you pay them.
Oh, and the price for WinXP support doubles yearly (someone else said that - don't know if it's true).
So effectively Microsoft is saying that you have to throw out and repurchase all of your medical equipment, all of your research equipment, and all of your manufacturing equipment - even if it's still working - because they want you to purchase a new version of their OS.
Oh, and the new version pushes adware on you and installs whatever the fuck Microsoft wants and reboots the system whenever it damn well pleases.
Yeah, I think Microsoft can shoulder at least *some* of the blame for this.
Interesting that people classify parent as "Troll" even though it's not far from the truth - better blame the messenger than address the problem.
Realize that the architecture that Windows today has is based on Windows NT, an architecture that was founded in the beginning of the 90's. This in turn is built upon OS/2, which originally came out in 1987.
There have been improvements to that architecture over the years, which have caused it to become more and more of a patchwork and resource hog in order to still maintain backwards compatibility while also keeping up with new functionality and improved security.
However a lot of the design in the platform is still causing problems that are hard to resolve without admin rights for the user. The current Windows versions also seem to only utilize two Privilege Levels in the hardware architecture, level 0 (kernel) and level 3 (user applications). This is also the case for Linux, so it's not better on that point.
However the age of an OS does not necessarily indicate how bad it is from a security point of view and the utilization of the capabilities of the hardware. E.g. OpenVMS utilizes four privilege modes (Kernel, Executive, Supervisor and User) and OpenVMS is now being ported to x86. This seems to be good news for nerds.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
So, Microsoft is out of responsibility? The Victim is to blame? It is /my own/ fault if i still use Windows XP?
It seems to me like this whole WannaCry "Campaign" is about softly forcing users - by fear - to switch to Windows10+. All the newest built-in spy features are not available on the older Systems, at least not so comfortable preconfigured. Time to get more percentage of the population watched!
Oh, OSS Operating Systems will be the true last Boss for (elite) people thinking that way.
They're patching XP for chrissakes.
No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?
It's hard to stop using a system when it requires repurchasing the $100,000 hospital X-ray machine that it runs.
Did you think every hospital should just throw out all its working equipment and purchase new ones? For hospitals in Africa and India as well?
The solution is not to give up vulnerabilities that the CIA and NSA discover and want to weaponize, the root of the problem is the most incompetent administration in 50 years (the Obama administration) being completely clueless about cyber security and letting our state secrets out. That shit would never have been hacked by the Russians and dumped into the wild if the incompetents at the CIA and NSA had air-gapped their stockpile and put people in prison for 10 years or more for moving the files to a networked location except for specific conditions and actual use where multiple sign-offs and precautions would be required. Those who were in charge and those who were responsible for the security measures at the CIA and NSA when these secrets were hacked/leaked should be fired and charged with criminal negligence at least or maybe espionage/treason.
No, because they didn't *intend* to leak the information.
The new interpretation of the law requires intent, and besides, no one has ever been prosecuted for doing this in the past.
Haven't you been following the news last year?
The exploit code was written (or obtained through other means) by NSA, and partially rewritten by for now unknown hackers.
The exploited e-mail code (stage 1 infection) was written by several different vendors who allow click exploits.
Stage 1 also depends on badly written DNA, i.e. people triggering the infection.
The exploited SMB code (stage 2 infection) was written by 3Com, but since then presumably rewritten by Microsoft. Although legacy code has a tendency to survive quite a few rounds of copy/paste, as few programmers have an inclination to delve in and understand old code enough to rewrite from scratch.
"While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't." If Microsoft didn't dress up Windows 10 deployment campaigns as security patches maybe people would have applied important updates; instead, many people got fed up of cleaning up the Windows 10 installer so turned off auto update instead. Glad I'm no longer dependent on Windows.
"If it's lost, it'll turn up. Things always do" "I love it when a plan comes together"
Blame MS for not planning ahead, but blame cheap-ass customers for not upgrading when given plenty of notice. The NHS would not give people drugs with expired use-by dates, so why is using expired software different?
Yeah, that old code from Microsoft in the 90s was rather terrifying (it's the reason cmd.exe is so outdated, people don't dare to work on it). Not surprising someone would turn off the warnings, they might be all over the place.
"First they came for the slanderers and i said nothing."
Is that code available anywhere?
"First they came for the slanderers and i said nothing."
The cracking of the Axis secret codes at Bletchley Park, OP-20-G and elsewhere during World War 2 showed the allied powers just how important being able to read the other guys' stuff really was.
Then computers came along and the Russians, Chinese and other bad guys started using digital encryption and other security measures and the western powers (NSA in the US, GCHQ in the UK and others) continued to do whatever was necessary to break into those computers and steal all the secrets.
When mass market PCs came along and everyone started using the same hardware and software as everyone else, the agencies followed suit with attacks on and back doors into the computers the bad guys were using.
I reckon the big tech companies should all get together and throw a bunch of lobbying money at world governments to get laws passed to stop the hoarding. I am sure there are enough people in Congress who would listen when big fat "political donations" are waved in their face in return for stopping the abuse of vulnerabilities in this way.
I did a really quick search when I posted my first message, but the only thing I could find was a torrent on the pirate bay. I can't access that from here to tell if it is legitimate.
NSA is a large organization, different parts do different things. How do we actually know this bug came from NSA? All we have is some web site claiming it.
Windows NT was built with VMS in mind, not OS/2, MS hired VMS's main architect. When MS and IBM were in bed together, MS had the UI front end to do. They didn't like the back end from IBM because it made their front end run like shit. So they decided they needed their own back end.
After NT was thrown together, MS discovered their front end still ran like shit so they went into their back end and knackered the bits that made their front end look bad. Unfortunately, that also meant they had to include stuff in the kernel where from a security standpoint it didn't belong. And so MS's proud tradition for lack of security persisted.
VMS had 4 security levels and that was supported by the VAX architecture. OpenVMS is merely the successor to VMS. I'm unsure what is open about OpenVMS, last I checked it was owned by HP. It probably won't be long before they screw it up like everything else they touch.
Don't fight for your country, if your country does not fight for you.
This, so many times this.
If people are still using Windows XP, then maybe Microsoft could not make a better OS for them? At least until recently, most people installed updates. But then the whole Windows 10 nonsense started - spyware being installed as a critical update, Windows 10 nag screen too. At some point Windows 10 was installed automatically even if you closed the nag window. And Windows 10 is crap, or rather, it is a relatively good OS, but with spyware and adware right from Microsoft, oh, and Windows now automatically updates itself and reboots (for home users at least) and sometimes the updates introduce new problems.
The solution was to disable automatic updates and to optionally install the really important updates (not the Windows 10 nagware that Microsoft says is important). Of course then Microsoft started to release all updates in one big package, so you could not install a security patch without installing spyware. Because of this, Microsoft created a bigger problem than it had with Windows XP. Since now people do not really want to update, stopping support for Windows 7 will not result in people hurrying to install Windows 10.
I have a PC with Windows 10 and have spent some time disabling its telemetry (some may still be left, but at least I did not see any traffic for a good while from that PC to microsoft). However, I cannot install this update, because it may turn telemetry back on (or hide it better). Thankfully, there is a workaround (disabling SMBv1) that does not require installing the patch.
I agree, but the conclusion that open source = safer software is not correct. Just recently Google researchers found over 1000 security issues in FOSS projects. At least they could investigate the code and find these problems. Leaves the question if the project leaders now bother to have them fixed. Also, many security holes are introduced through bad online tutorials. Microsoft needs to do more testing on their end. They have a quasi-monopoly on desktop OS and unless they deliver top notch solutions they should not lay blame on others.
Ignoring compiler warnings is standard operating procedure for any large code base.
"His name was James Damore."
Watching all this unfold I thought it was a publicity stunt for the next season of 24
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Warnings must ultimately be turned off because the code base has migrated from compiler version to compiler version, possibly also from 16-bit to 32-bit to 64-bit, ...
It isn't because submitting some new code causes a warning. It's because at some point, overnight, lots of old code started showing warnings with some change such as to a more "standards compliant" version of an ever evolving compiler, so many warnings all at once that it would take a serious concerted effort to "fix" and it's just not worth it.
"His name was James Damore."
Gross negligence is when someone like the CTO and/or CEO continues to run his business using Windows XP without buying maintenance and patching the OS knowing the manufacturer stopped supporting this OS a long time ago, except for paying customers. Wow, there are still 150 million idiots out there running unpatched versions of Windows XP.
Gross negligence is letting your IT infrastructure go outdated and unmaintained because you want to save a few bucks and you are gambling with your company's security, betting you will be safe because you are not a target big enough to be worth attacking.
Until six months ago, the large company in financial industry I am working for was still running thousands of Windows XP workstations and everything internally developped running in a browser needs to support IE 8.
Many servers were installed with selfsigned certificates and nobody really cares, even the authentication infrastructure was running an outdated and no longer supported version of OpenSSL. Outdated and no longer supported versions of Java were found everywhere.
But, we haven't suffer a major attack yet. Management is still rewarding the sloppiness attitude on security because it saves some budget money at the end of the year.
Windows NT was the OS/2 3.0 code base
The breach of contract settlement between IBM and Microsoft stipulated that IBM got exclusive rights to the OS/2 2.x code base and a royalty free license to emulate Microsoft's then quite popular Windows 3, while Microsoft got to keep the OS/2 3.0 code base that Microsoft had been delaying development on. The OS/2 3.x line was to be the business/server version of the consumer OS/2 2.x.
That I don't understand. Are they saying that MS should keep supporting XP or that they didn't do enough to get people to upgrade? I don't see either as making any sense.
M$ is spraying flann.
Citizenfour showed that Microsoft, Apple, Facebook, etc. were being paid by the alphabet mafia to provide backdoor access.
We can't know with 100% certainty, but based on the available evidence, a US actor is the most likely candidate based on the code itself (e.g., it's not in Chinese or Russian or British English), it's 9-5 based on timestamps (i.e., not a late night hackathon but a professional entity), it's east coast also based on timestamps, it's likely government because the exploit is so old and yet it's never been either reported or seen in the wild, which is typical of acknowledged stockpiling behavior of the NSA, aaaaand the government had a shitstorm when it was leaked (although they will "neither confirm nor deny"). So... maybe it was someone else, and also maybe intelligent design is real. Who's to say?
ya know, a couple years ago when literally every third story on slashdort had some BITCOIN! angle, I would have agreed with you just for some relief from the fanbois.
Actually an interesting question: how do you write/run/test/debug malware :)
I hope you are not in the software business.
This: "A programmer who depends on software to tell him when he's made a mistake deserves blame heaped up high." is an extremely idiotic attitude.
Windows NT was built with VMS in mind, not OS/2
This is nonsense. OS/2 was a joint project of IBM and MS; at some point MS left the joint venture and forked NT from the OS/2 code base. At heart they are still the exact same software, aside from the changes and further development during the previous 20 - 30 years, of course.
The original post said this,
Sure sucks that the exploit exists in the first place, but it sure sucks even more to be the person who wrote the code being exploited.
As it is Windows that is being exploited due to someone coding a dword being subtracted from a word, it seems they're referring to the MS coder, though your post implies 3com supplied the code to MS. Either way it was not the government who wrote the code being exploited.
Big business and government aren't that different, they're both large bureaucracies with the cover your ass attitude that comes with bureaucracies.
https://en.wikipedia.org/wiki/Inverted_totalitarianism
Wish I had mod points. :( It's a bummer that some of these people are so deep in it that they don't have a chance to step back and look at it.
I would like to know where to find you on IRC, as you seem to be rather defensive here, but you seem like you may know a thing or two. I also have a few questions about your hosts file creator. If you could drop me an address with an SSL port, I would like to chat a bit.
With exploits like this, I would consider Windows to be weaponized.
Or more likely, when the original warning was generated, the subtraction was not a problem. There was some external constraint that made this a valid operation. Then later there was what was thought to be an unrelated change that relaxed the external constraint. That's why code this size is hard. Almost any line can affect any other line and there's no way to know when you make a change what else might break. Probably there is something that could have been done here (like range-checking the result just to be sure) but a simplistic diagnosis (too lazy or stupid to pay attention to the compiler warning) is unlikely to represent a very significant portion of the actual cause.
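The two posts above describe the bug class without showing it: a size computed in 32 bits that lands in a 16-bit variable, so whatever check runs on the narrowed value passes while the copy uses the full one. The block below is an added, constructed model of that class (it is not the Windows driver code and not code from any poster; the record layout, field names and sizes are illustrative). It puts the vulnerable pattern next to a version that keeps one width throughout, checks the ordering before subtracting, and bounds the result by both the destination and the bytes actually received, which is the range check the comment above suggests.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class discussed in the thread (an added example,
 * not code from Windows or from any poster): a length computed in 32 bits is
 * stored in a 16-bit variable, so the bounds check sees a truncated value while
 * the copy uses the full one. Field names and sizes are illustrative. */

#define BUF_SIZE     64u        /* intended destination size */
#define NEIGHBOR     0x10000u   /* stands in for memory that follows the buffer */
#define PAYLOAD_LEN  0x10030u   /* bytes of constructed attacker payload available */

struct record {
    uint32_t declared_size;     /* untrusted: total size claimed by the sender */
    uint32_t header_len;        /* untrusted: bytes preceding the payload */
    const uint8_t *data;        /* payload bytes as received */
    size_t data_avail;          /* payload bytes actually present */
};

struct target {
    uint8_t buf[BUF_SIZE];
    uint8_t neighbor[NEIGHBOR];
};

/* VULNERABLE: the subtraction is done in 32 bits, but the result is assigned to
 * a 16-bit variable (gcc -Wconversion warns here). The check runs on the
 * truncated value; the memcpy runs on the full one. */
int vulnerable_copy(const struct record *r, uint8_t *dst, size_t dst_cap)
{
    uint16_t check_len = r->declared_size - r->header_len;  /* high bits dropped */
    if (check_len > dst_cap)
        return -1;                                           /* 0x10030 -> 0x30, passes */
    uint32_t copy_len = r->declared_size - r->header_len;    /* 0x10030, unchanged */
    memcpy(dst, r->data, copy_len);                           /* overruns dst */
    return (int)copy_len;
}

/* HARDENED: one width throughout, ordering checked before the subtraction, and
 * the result bounded by both the destination and the bytes actually received. */
int hardened_copy(const struct record *r, uint8_t *dst, size_t dst_cap)
{
    if (r->header_len > r->declared_size)
        return -1;                                  /* would wrap if subtracted */
    uint32_t payload_len = r->declared_size - r->header_len;
    if (payload_len > dst_cap || payload_len > r->data_avail)
        return -1;                                  /* too big for dst, or not all received */
    memcpy(dst, r->data, payload_len);
    return (int)payload_len;
}

static uint8_t payload[PAYLOAD_LEN];   /* constructed payload, filled with 'A' */
static struct target tgt;              /* destination plus the memory after it */

/* Builds a record over the constructed payload, zeroes the target, runs one
 * copier into tgt.buf and returns that copier's result. */
int run_copy(int (*copier)(const struct record *, uint8_t *, size_t),
             uint32_t declared_size, uint32_t header_len)
{
    memset(payload, 'A', sizeof payload);
    memset(&tgt, 0, sizeof tgt);
    struct record r = { declared_size, header_len, payload, sizeof payload };
    return copier(&r, tgt.buf, BUF_SIZE);
}

/* 1 if the last copy wrote into the memory following the buffer. */
int neighbor_clobbered(void)
{
    return tgt.neighbor[0] == 'A';
}

int main(void)
{
    /* Hostile record: claims 0x10040 bytes total with a 0x10-byte header. */
    int n = run_copy(vulnerable_copy, 0x10040u, 0x10u);
    printf("vulnerable: copied %d bytes, neighbor clobbered: %d\n", n, neighbor_clobbered());
    n = run_copy(hardened_copy, 0x10040u, 0x10u);
    printf("hardened:   result %d, neighbor clobbered: %d\n", n, neighbor_clobbered());
    /* Benign record: 0x30 bytes total, 0x10-byte header, 0x20-byte payload. */
    n = run_copy(hardened_copy, 0x30u, 0x10u);
    printf("hardened benign: copied %d bytes\n", n);
    return 0;
}
```

The hostile record is exactly the case the comment above describes: nothing about the subtraction is wrong on its own, and 0x10030 only becomes 0x30 because of where the result is stored. Compiling with `-Wconversion` flags that assignment; `-Wall` alone does not, which is why this kind of narrowing survives in large code bases that have stopped reading their warnings.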
"ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP."
From MS: "After 12 years, support for Windows XP ended April 8, 2014". Over 3 years ago. If you wish to fault MS for 'not planning ahead' for things still under support, well, maybe; that being said, IIRC the patch for *supported* items was released in March. IMO to even mention XP as not being planned for is stupid. Organizations should have spent the last 3 years migrating/mitigating. Ignoring that, it became a hot topic in IT circles the year prior, and while I can't really find when the EOL date was first announced, I know MS has a published list of all the EOL dates.
Any talk about issues with XP being anything other than the responsibility of the organization using it should, at this point, be promptly chucked out the window.
Big business and government aren't that different, they're both large bureaucracies with the cover your ass attitude that comes with bureaucracies.
And perhaps especially so for Microsoft, which probably is bigger than some countries' governments.
As the ggp said in the title, there's enough blame to go around. To both Microsoft, NSA, IT departments and individual users.
"While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't."
If Microsoft didn't dress up Windows 10 deployment campaigns as security patches, maybe people would have applied important updates; instead, many people got fed up with cleaning up the Windows 10 installer and turned off auto update instead.
Glad I'm no longer dependent on Windows.
Exactly!
That's why I turned off WU on my Win7 work laptop.
Then, when I went to download the "Security Only" Update for Windows 7 (and others), part of MS17-010, it downloaded, spun for about 5 minutes, and then declared it didn't install. No explanation. Just. No.
Sigh...
Ever read the EULA? There is no real warranty. If you don't agree to it, then don't install it.
Microsoft is smarter than to actually say that though.
Just curious, what do people with hacked versions of Windows do? Can they install these updates?
I really don't know... my wife has a valid copy of Win7 on her laptop, and I run Linux.
When we first got wind of US spy agencies either discovering or planting exploits for spy purposes, we were told among other things that these exploits wouldn't escape into the wild because they were being kept under tight security.
I said at the time that these exploits will inevitably escape, because they were valuable, and it takes only one employee to trade them for money, and then they're in the wild.
And so, here we are.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Yeah, the EULA protects them against many kinds of lawsuits, but there are things the government can decide to do, capriciously. Like an anti-trust lawsuit, or make other new laws, for example.
Apparently in this case, it would have been worth it. What's the point of hiring 3000 security engineers if you don't do the known things that will give you good security?
A lot of security researchers recommended having your own small, private network that wasn't connected to the internet. I think a lot of them are switching to VMs, though. You can check here for work someone is doing to reproduce the current vulnerability in Metasploit.
This, so many times this.
If people are still using Windows XP, then maybe Microsoft could not make a better OS for them? At least until recently, most people installed updates. But then the whole Windows 10 nonsense started - spyware being installed as a critical update, Windows 10 nag screen too.
Windows 10 (and the Windows 7/8 telemetry updates) were released after Windows XP was EOL.
These people were never going to upgrade, either due to laziness, budget, or proprietary software that only worked on XP. (note those also apply to switching to Linux)
If people are still using Windows XP, then maybe Microsoft could not make a better OS for them?
This is what happened to me. As far as I am concerned, Microsoft never released a successor to Windows XP. They did not even release a *bad* successor to Windows XP.
At least until recently, most people installed updates. But then the whole Windows 10 nonsense started - spyware being installed as a critical update, Windows 10 nag screen too. At some point Windows 10 was installed automatically even if you closed the nag window. And Windows 10 is crap, or rather, it is a relatively good OS, but with spyware and adware right from Microsoft, oh, and Windows now automatically updates itself and reboots (for home users at least) and sometimes the updates introduce new problems.
The solution was to disable automatic updates and to optionally install the really important updates (not the Windows 10 nagware that Microsoft says is important). Of course then Microsoft started to release all updates in one big package, so you could not install a security patch without installing spyware. Because of this, Microsoft created a bigger problem than it had with Windows XP. Since now people do not really want to update, stopping support for Windows 7 will not result in people hurrying to install Windows 10.
This has been a consistent pattern. One of these happening would be happenstance. Two of these might be coincidence. 6+ of these are policy no matter how many denials Microsoft makes.
As it is Windows that is being exploited due to someone coding a dword being subtracted from a word, it seems they're referring to the MS coder, though your post implies 3com supplied the code to MS. Either way it was not the government who wrote the code being exploited.
I am not convinced of that at least in the sense that the exploit was deliberate. Does anybody think that Microsoft is not cooperating with the NSA and other government agencies in one way or another to include exploits? RSA sure was so we know this happens.
I kinda like Windows 7, it's like updated XP. Of course, it requires more RAM and faster CPU than XP (each new version of Windows is said to be faster than the previous one, but actually runs slower on the same hardware), but overall it is quite good. And I can have the Windows2000 style UI instead of the new tablet-style UI of Windows 8 and 10.
As for updates, because this has been happening for a while now, it's way past incompetence and is pretty much certainly malice.
But even when updates were not malicious (mostly), requiring restart for pretty much any update is still extremely inconvenient. On Linux I need to restart if I update the kernel or a lib that everything uses, but I can update openssl or bash without a reboot. Windows even has a hot patching capability for its DLLs, just that it is not used.
How do we even know this had anything to do with a government entity, foreign or domestic? We teach in hacking class that there are people out there that take Microsoft updates and reverse engineer them every Patch Tuesday looking for an exploit. Some people have it all automated so about an hour later they have it. How do we know that wasn't done here? Apparently it wouldn't be hard to do. We already have access to the basic encryption stuff. Just need a vector to get in. Set up call centers, send it out with some tempting bait and whammo!
I kinda like Windows 7, it's like updated XP. Of course, it requires more RAM and faster CPU than XP (each new version of Windows is said to be faster than the previous one, but actually runs slower on the same hardware), but overall it is quite good. And I can have the Windows2000 style UI instead of the new tablet-style UI of Windows 8 and 10.
Started with a test system of Windows 7 and that was how I discovered that Microsoft had removed functionality. I am not talking about the user interface which was bad enough but types of programs not being supported because the necessary APIs were gone. Microsoft gave all kinds of bullshit answers when asked about this like "we removed that API for performance reasons".
It's funny to imagine that the NSA hacking tools were most likely stolen from a computer using hacking tools to compromise the computer they were stored on. If so, then it is possible that the NSA could avoid losing their own secrets if they worked with computer security instead of against it.
People say: "there is no such thing as computer privacy/security". And I guess that is true for NSA staff as much as any other citizen. But it's funny when they are actually causing the insecurities to weaken themselves.
It would be very nice if the NSA worked to protect Americans, instead of propagating national insecurity. It's like the NSA wants our computers to be hacked so that they are needed to investigate our private property (without our knowledge or consent) after the fact to see how it was done and catch the hackers, rather than stopping them before damage can be done. A form of job security for them... I guess.
I use some 16bit programs on my Windows 7 PC in XP mode, which is an XP virtual machine.