Slashdot Mirror
Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com)
An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack:
Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
Any weapon ban treaty has a problem of detecting violations. If one cannot easily detect violations, one cannot enforce the treaty effectively. For pretty much every nuclear weapons treaty the biggest stumbling block has almost always been verification that people are adhering to it. At least there, there's infrastructure to look at. Trying to determine that governments aren't holding back tiny little files stored away somewhere would be much more difficult. In that context, such a treaty would be unlikely to succeed.
I don't see it.
MS tried everything short or threats to get people to upgrade to a secure Win10 version to no avail.
This will bring millions of new licenses for MS.
Nobody is perfect, all software has vulnerabilities. Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.
The fault here lies in our countries TLA's deciding it was better to leave 100% of the country at risk hoping they would be able to exploit a hole before someone else could exploit that same hole against us.
Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.
Please forward me your bug-free code for review and then we'll talk.
Why should Microsoft be blamed for people getting infected while running Windows XP? The XP system is 16 years old and has been past EoL for years. Anyone running an XP machine connected to the Internet is practically begging to be hacked. Would we blame Red Hat for not patching RHEL 3 boxes left on-line or Apple for not patching 2001-era Macs? It's not as though Microsoft has not made it perfectly clear those old systems are no longer supported.
This exploit exists in an old protocol no one uses any more. Is any vulnerability avoidable? Sure. Should this one have been fixed, or the code deprecated earlier, absolutely. Could /you/ write a hundred million lines of code and not have a critical vulnerability? In case it's not obvious (to you), that was a rhetorical question.
I am no fan of Microsoft. I never have been. But in this case, the real evil was perpetrated (and there is no other word for it) by the NSA. An agency of the United States government, one specifically tasked with the protection of US citizens, learned of a vulnerability in an operating system used in critical applications throughout the country, used by the majority of its citizens, and not even accidentally sat on it - they purposefully, with consideration and intent, sat on that information. Not only that, but they then developed a weapon to exploit it, lost control of that weapon, and it is now in the wild where it can do the most damage.
This is a combination of willful dereliction of duty, and gross negligence. This shouldn't be Microsoft complaining, this should be the director of the NSA hauled in handcuffs before congress.
This hacking provides the perfect argument against built-in backdoors that would enable the government to spy on people (but only when they wanted). All it takes is one leak and *boom* you have out of control hacking by everyone but the government.
I am Slashdot. Are you Slashdot as well?
The original blogpost makes the following points:
1) Microsoft works hard, I tell you hard to avoid these problems.
2) Customers are to blame too! (really)
3) It's the government's fault!
They're trying to direct the conversation so they don't get all the blame. The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.
"First they came for the slanderers and i said nothing."
Independent security audits......they are expensive & time consuming.
Most importantly, they don't make you secure. They're consultants who find a few bugs, then send you a big bill.
"First they came for the slanderers and i said nothing."
This is something a compiler will usually show a warning. If it did not, then the compiler is to blame.
Guy in India writing the outsourced Microsoft code: "That stupid compiler always generates so many warnings I just turned the warnings off. The code compiles fine I don't see what the problem is."
Seven puppies were harmed during the making of this post.
Gimme a break. The NSA as I last saw it had a division of COMPUTER SECURITY. What happened? Last year Comey said we needed an "adult conversation" about encryption and national security. Screw that. The National Security Agency best be looking after - Ah _ Um - National Security. We DO need an ADULT conversation folks.
Wait until one of these leaked/lost TLA tools becomes used by a 3rd party in such a way that it looks like a state-sponsored attack on one of their enemies. Or, equally likely, a 'leaked/lost' tool used by a 1st party, with a '3rd party did it' plausible deniability argument. It's like separating a 'rogue terrorist group' from a 'state-sponsored terrorist group'.
I imagine soon, a major power will say "all attacks by tools that could only have been created by a state actor, will be responded to as if actually used by that actor" and then the "oops, my WMD fell off the back of a truck, my bad" excuse will no longer work. It may soon be considered too dangerous to hoard these exploits, as their inevitable leak will harm their creator more than if they had never been created in the first place. Taking bets on if that happens before or after the IT world figures out how to secure their shit.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
the spier whinning about spying
secure Win10
+1 Funny
You're also ignoring the huge elephant in the room - that Microsoft probably knew about that vulnerability or even better, created it in conjunction with the NSA et al. By the way - WINDOWS 10 ALSO REQUIRED A "FIX". This is not a "zero day vulnerability", it's a back-door plain and simple.
The other elephant is that a lot of very expensive hardware still runs on WinXP (and other less-recent but still old versions), can't be upgraded to the new version, and is too expensive to replace.
Microsoft will still support WinXP, but basically it means a) they have the patches to prevent malware, but b) they'll only give it to you if you pay them.
Oh, and the price for WinXP support doubles yearly (someone else said that - don't know if it's true).
So effectively Microsoft is saying that you have to throw out and repurchase all of your medical equipment, all of your research equipment, and all of your manufacturing equipment - even if it's still working - because they want you to purchase a new version of their OS.
Oh, and the new version pushes adware on you and installs whatever the fuck Microsoft wants and reboots the system whenever it damn well pleases.
Yeah, I think Microsoft can shoulder at least *some* of the blame for this.
Interesting that people classifies parent as "Troll" even though it's not far from the truth - better blame the messenger than addressing the problem.
Realize that the architecture that Windows today has is based on Windows NT, an architecture that was founded in the beginning of the 90's. This in turn is built upon OS/2, which originally came out in 1987.
There have been improvements to that architecture over the years, which have caused it to become more and more of a patchwork and resource hog in order to still maintain backwards compatibility while also keeping up with new functionality and improved security.
However a lot of the design in the platform is still causing problems that are hard to resolve without admin rights for the user. The current Windows versions also seems to only utilize two Privilege Levels in the hardware architecture, level 0 (kernel) and level 3 (user applications). This is also the case for Linux, so it's not better on that point.
However the age of an OS does not necessarily indicate how bad it is from a security point of view and the utilization of the capabilities of the hardware. E,g. OpenVMS utilizes four privilege modes (Kernel, Executive, Supervisor and User) and OpenVMS is now being ported to x86. This seems to be good news for nerds.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
They're patching XP for chrissakes.
No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?
It's hard to stop using a system when it requires repurchasing the $100,000 hospital X-ray machine that it runs.
Did you think every hospital should just throw out all it's working equipment and purchase new ones? For hospitals in Africa and India as well?
The exploit code was written (or obtained through other means) by NSA, and partially rewritten by for now unknown hackers.
The exploited e-mail code (stage 1 infection) was written by several different vendors who allow click exploits.
Stage 1 also depends on badly written DNA, i.e. people triggering the infection.
The exploited SMB code (stage 2 infection) was written by 3Com, but since then presumably rewritten by Microsoft. Although legacy code has a tendency to survive quite a few rounds of copy/paste, as few programmers have an inclination to delve in and understand old code enough to rewrite from scratch.
"While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't." If Microsoft didn't dress up Windows 10 deployment campaigns as security patches maybe people would have applied important updates, instead, many people got fed up of cleaning up the Windows 10 installer so turned of auto update instead. Glad I'm no longer dependent on Windows.
"If it's lost, it'll turn up. Things always do" "I love it when a plan comes together"
The cracking of the Axis secret codes at Bletchly Park, OP-20-G and elsewhere during World War 2 showed the allied powers just how important being able to read the other guys stuff really was.
Then computers came along and the Russians, Chinese and other bad guys started using digital encryption and other security measures and the western powers (NSA in the US, GCHQ in the UK and others) continued to do whatever was necessary to break into those computers and steal all the secrets.
When mass market PCs came along and everyone started using the same hardware and software as everyone else, the agencies followed suit with attacks on and back doors into the computers the bad guys were using.
I recon the big tech companies should all get together and throw a bunch of lobbying money at world governments to get laws passed to stop the hoarding. I am sure there are enough people in Congress who would listen when big fat "political donations" are waved in their face in return for stopping the abuse of vulnerabilities in this way.
Windows NT was built with VMS in mind, not OS/2, MS hired VMS's main architect. When MS and IBM were in bed together, MS had the UI front end to do. They didn't like the back end from IBM because it made their front end run like shit. So they decided they needed their own back end.
After NT was thrown together, MS discovered their front end still ran like shit so they went into their back end and knackered the bits that made their front end look bad. Unfortunately, that also meant they had to include stuff in the kernel where from a security standpoint it didn't belong. And so MS's proud tradition for lack of security persisted.
VMS had 4 security levels and that was supported by the VAX architecture. OpenVMS is merely the successor to VMS. I'm unsure what is open about OpenVMS, last I checked it was owned by HP. It probably won't be long before they screw it up like everything else they touch.
Windows NT was the OS/2 3.0 code base
The breach of contract settlement between IBM and Microsoft stipulated that IBM got exclusive rights to the OS/2 2.x code base and a royalty free license to emulate Microsofts then quite popular Windows 3, while Microsoft got to keep the OS/2 3.0 code base that Microsoft had been delaying development on. The OS/2 3.x line was to be the business/server version of the consumer OS/2 2.x.
"His name was James Damore."
Or more likely, when the original warning was generated, the subtraction was not a problem. There was some external constraint that made this a valid operation. Then later there was what was thought to be an unrelated change that relaxed the external constraint. That's why code this size is hard. Almost any line can affect any other line and there's no way to know when you make a change what else might break. Probably there is something that could have been done here (like range-checking the result just to be sure) but a simplistic diagnosis (too lazy or stupid to pay attention to the compiler warning) is unlikely to represent a very significant portion of the actual cause.
"ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP."
From MS "After 12 years, support for Windows XP ended April 8, 2014" Over 3 years ago. If you wish to fault MS for 'not planning ahead' for things still under support, well may be, that being said IIRC the patch for *supported* items was released in March. IMO to even mention XP as not being planned for is stupid. Organizations should have spent the last 3 years migrating/mitigating. Ignoring that it became a hot topic in IT circles the year prior, and while I can't really find when the EOL date was first announced I know MS has a published list of all the EOL dates.
Any talk about issues about XP being anything other the the responsibility of the organization using it should be at this point, promptly chucked out the window