Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com)

Posted by EditorDavid on from the MS-vs-NSA dept.

An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack: Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.

29 of 324 comments (clear)

  1. Enforcement is the problem by JoshuaZ · · Score: 5, Insightful

    Any weapon ban treaty has a problem of detecting violations. If one cannot easily detect violations, one cannot enforce the treaty effectively. For pretty much every nuclear weapons treaty the biggest stumbling block has almost always been verification that people are adhering to it. At least there, there's infrastructure to look at. Trying to determine that governments aren't holding back tiny little files stored away somewhere would be much more difficult. In that context, such a treaty would be unlikely to succeed.

    1. Re:Enforcement is the problem by Anonymous Coward · · Score: 5, Insightful

      House rules:

      - The guy with the gun always wins.
      - Only the government gets to have guns.

      The government only needs to hold up a flimsiest facade that they're "good people", and that's only to keep the house of cards that is the American economy from collapsing into a heap. We're all taught from the youngest age that Mr Policeman is good and you should go to him if you need help. Fast-forward 20 years and you start to understand why you shouldn't. We all need to stop pretending that the government is here for our interests; it isn't.

    2. Re:Enforcement is the problem by Kjella · · Score: 4, Interesting

      Nothing is going to make IS adhere to the real-world Geneva convention either. The point of such treaties aren't direct enforcement, they're to establish a standard for civilized warfare so that you can apply pressure to other nations to join, be able to chastise those who break it and give reasons to impose sanctions, intervene or join the opposing forces. Take for example the treaty on anti-personnel landmines, if you've promised to disarm it would be a pretty big scandal if you were secretly stockpiling and/or deploying them anyway. Assad kills people every day but start a chemical attack and he got a rather swift response.

      If there was a treaty to disclose vulnerabilities in mass market consumer software (because face it they won't give up everything) then leaks like these would show that the US are lying sacks of shit whose words are worth nothing. Being a man of your words and having credibility are very real currencies in international politics. Breaking one treaty would put into question every other treaty the US has signed too. There's no real other force behind it than your own country's promise, there wouldn't be any other direct consequences than a loss of reputation. But that is usually sufficient to do some good, at least it puts a cost on violating it. Today the NSA can just shrug and say they're doing their job.

      --
      Live today, because you never know what tomorrow brings
  2. Why? by nospam007 · · Score: 3, Funny

    I don't see it.
    MS tried everything short or threats to get people to upgrade to a secure Win10 version to no avail.

    This will bring millions of new licenses for MS.

    1. Re:Why? by Dunbal · · Score: 3, Interesting

      secure Win10

      +1 Funny

      You're also ignoring the huge elephant in the room - that Microsoft probably knew about that vulnerability or even better, created it in conjunction with the NSA et al. By the way - WINDOWS 10 ALSO REQUIRED A "FIX". This is not a "zero day vulnerability", it's a back-door plain and simple.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Why? by Dutch+Gun · · Score: 4, Interesting

      One of the problems is that MS poisoned any good will about upgrading with their own actions... first by more or less tricking people into upgrading to Windows 10, and second, by making that upgrade (and all other upgrades) less trusted by pushing telemetry as required updates, and by making Windows 10 updates incredibly annoying, disruptive, and on occasion, simply broken.

      I don't blame MS for not writing perfect code, especially older code. No OS used today has zero exploits, so I think it's disingenuous to bash Microsoft with each new bug found but somehow give Linux a pass when the same damned things happen. But I'm sure as hell going to blame them for encouraging so many people to distrust Microsoft's own security patches in the first place, even going so far as to actively block them. That was all because of their OWN tone-deaf policies of "we know what's best for you, so shut up and update. Oh, and don't mind the telemetry we're slurping up. We promise its benign. What? No, there's no way to turn it off."

      --
      Irony: Agile development has too much intertia to be abandoned now.
  3. Microsoft is 100% right on this one by Snotnose · · Score: 5, Interesting

    Nobody is perfect, all software has vulnerabilities. Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.

    The fault here lies in our countries TLA's deciding it was better to leave 100% of the country at risk hoping they would be able to exploit a hole before someone else could exploit that same hole against us.

    Fuck the NSA, CIA, FBI, and everyone else that finds security issues and keeps them private. They are the problem, not Microsoft.

    1. Re:Microsoft is 100% right on this one by rsmith-mac · · Score: 5, Interesting

      I know this isn't a popular opinion around here, but hear me out.

      The NSA is the US's SIGINT operation. Their job is to be both the offense and the defense when it comes to dealing with electronic systems. So developing attacks against other systems is part of their purview, and we want them to continue doing so such that we can spy on, and if necessary attack other nations. The need for an offensive SIGINT group will always exist, even if it's not the NSA.

      Back in the days of yore, it used to be that exporting valuable software was restricted. If the Soviets wanted software for controlling gas pipelines, for example, they either had to develop their own or steal it. And exporting useful encryption was right-out banned. The end result was that for SIGINT purposes, there was a very clear line between "us" and "them" in what each side's systems could do, how they worked, and what they ran.

      The Internet has put an end to national borders for software. Now everyone runs the same Oracle database, the same Cisco/Juniper routers, the same Microsoft OS, etc. It's allowed commerce to explode on our end by exporting valuable software to new market. However the flip side of that is that the line between "us" and "them" has almost entirely been erased. Now the nations we spy on run much the same software we do; now the nations that we need to be able to attack don't run antiquated little systems that are easy for us to break into. How do you balance offense and defense in that situation, when any weapon you make can be used against you, and any defense to develop can be used by your enemies to shield themselves from you?

      Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.

      If our relevant TLAs informed software vendors about every exploit they found, it would improve the quality of software to be sure. And that definitely has some benefits. But then we'd be committing to an entirely defensive operation, due to the fact that everyone else is running this better-hardened software.

      Meanwhile when it comes to offense, we'd have no exploits let which to use to spy on or attack other nations with. But the same is not true for other nations. Their own SIGINT groups would be searching for exploits as well, and since they wouldn't be bound by what we're doing, they'd continue stockpiling them and using them against us as they deem necessary. Our software-hardening efforts would make this task a lot harder, but not even the NSA is going to find every bug in Windows. So at the end of the day, other nations would still be able to attack us, even if we did report all exploits we found.

      The problem with a purely defensive operation then, especially in the software sense, is that your defense only has to fail once for you to lose. Once they're in your systems you have no ability to retaliate (since you have no exploits to use as weapons), so hostile forces have very little incentive not to attack you. And while you can clean up afterwards, the damage is done: the blueprints have been stolen, the cyclotron has been busted, and Amazon is shipping everyone 50 gallon drums of lube.

      Ultimately Cyber security when both sides have the same systems is little more than a new variant on the Prisoner's Dilemma. We can stop ratting on the other prisoner, but they're not going to stop ratting on us. No matter what we do, it's in the best interests of foreign powers to be able to attack our systems. And that means we need to keep exploits of our own in order to be able to mount a credible (if not overwhelming) offense.

      The one problem here - and not to discount it, because it is a real problem - is that the NSA obviously didn't secure

    2. Re:Microsoft is 100% right on this one by ScentCone · · Score: 5, Insightful

      They're patching XP for chrissakes.

      No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?

      --
      Don't disappoint your bird dog. Go to the range.
    3. Re:Microsoft is 100% right on this one by Dutch+Gun · · Score: 4, Insightful

      Well, you're brave to defend the TLAs. Hopefully you don't get unfairly mod-bombed because of it, as too often happens to unpopular posts.

      The core problem with your scenario is the implicit assumption that only the TLAs know about those particular exploits. There could very well have been other countries' agencies that knew about them as well, or criminals using them judiciously for their own zero-day exploits. Why assume that any other major state player couldn't collect these same bugs? We may know more in the months ahead if anyone discovers new information in old logs relating to these exploits.

      The other faulty assumption is that the only way to do offensive intelligence operations is with software exploits. Plenty of attacks, from many different criminal and/or government groups have shown that to absolutely not be the case. Human operators can be fooled into installing malware in targeted phishing attacks, or maybe even bribed into installing it. Or you can use more traditional bugging methods, installing hardware that intercepts information pre-encryption. Etc, etc...

      Holding onto an exploit that affects your own country's software (and the world's in fact), is playing a very risky game. And, as you rightly acknowledged, it just blew up in their faces. Given the proven inability of these agencies to hold onto secrets, I think playing a little more defense isn't a bad thing, at least until its been established that they don't leak their own secrets like a sieve.

      I fully understand and acknowledge that there are very bad people in the world, and these agencies help to protect the US from them. But I do wonder if, at the moment, that price is becoming a little too steep for what we're getting out of the deal. The problems is, though, that we'll never really know. The leaders at the top of that agency know, but sure as hell they're never going to admit to anyone anything that has a chance of ever reducing the power of their own little government fiefdom.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    4. Re:Microsoft is 100% right on this one by buss_error · · Score: 5, Insightful

      I know this isn't a popular opinion around here, but hear me out.

      I know this isn't a popular opinion, but hear -me- out.

      The statue clearly states that US intelligence services are required to divulge security vulnerabilities to vendors in a timely manner. It is blindingly obvious this was not done. So my question is very simple.

      Who is going to jail for violating Federal statues?

      Oh - silly me. Only chumps and civilians go to jail for violating the law.

      Here is the real problem - being able to access a computer is like being able to read their diary or eavesdrop on them. Before computers, this was also done. With computers, it's just easier. So what we are seeing the the degradation of everyone's privacy because it's easier to steal secrets from a computer that it is to, you know, actually do your fsck'ing job.

      Enforcing the law isn't about sitting on your fat ass in Virginia - it's about doing the work, the right way, within not just the letter of the law but the spirit of it. Only then is our system of government consistent, valuable, and worth dying to preserve.

      Otherwise it's just another big lie.

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    5. Re:Microsoft is 100% right on this one by dweller_below · · Score: 3, Interesting

      I know this isn't a popular opinion around here, but hear me out.

      Your reasoning has been official US policy, because it seems sound. But the last few years of Internet warfare has revealed some problems with favoring offense over defense:

      1. 1) The weapons of the Internet are not like tanks and nukes. Deploying weaponized exploits require very little infrastructure. They cost almost nothing to replicate. Almost anyone can do it. When an enemy deploys an Internet attack against you, you can easily (compared to a nuke) figure it out, and then deploy it back at them.
      2. 2) For years, our standard doctrine was that an Internet attack was not as significant as a physical attack. But, this is no longer true. We are so dependent on the Internet, that a sustained Internet outage has the potential to do more damage to us than a limited nuclear exchange.

      Perhaps the greatest problem with the offensive mindset is that it teaches us almost nothing about how to defend. We know we need to deploy better software, but we don't know:

      • * How to value effective security more than features.
      • * How to force large IT vendors to favor their customer's interests over short-term profit.
      • * How to force powerful Intelligence agencies to relinquish power, now that they are a greater threat to US, than they are to our enemies.
    6. Re:Microsoft is 100% right on this one by gtall · · Score: 5, Interesting

      There are some ideas buzzing around the U.S. government to separate out the functions of cyber so that security comes from a different entity than offensive weapons. Of course that means parts of the government will be fighting each other. NSA, CIA, FBI, etc. are all on public record as realizing this. There is no easy answer.

      Some of the misconception is that somehow spying is bad. It isn't. It is what keeps a government from overreacting to something out in the open. Offensive weapons will always be around. The Russians, Chinese, Iranians, I.M.A. Dipshit from Any Country have them.

      Some bright sparks in Congress asked James Clapper why the U.S. couldn't respond in the cyber arena against the naughty things the Russians did in the last election. His response was: well, if you are sure the U.S. infrastructure could stand the guaranteed response, then that might be advisable. He was of the opinion that the Russians have the U.S. electrical grid on their target list and that he (Clapper) figured they could take it down for retaliation. Of course, these would be acts of war...between nuclear armed nations....one of which has a ruthless dolt as head of state, the other also has a ruthless dolt as head of state.

    7. Re:Microsoft is 100% right on this one by Cyryathorn · · Score: 3, Informative

      Ah yes, here it is:

      https://epic.org/privacy/cyber...

      There's no Federal statute such as you describe. It's not even an Executive Order -- it's just a matter of policy. The "Vulnerabilities Equities Process" allows this: "the government may choose to withhold the information to use it for purposes including law enforcement, intelligence gathering, and 'offensive' exploitation".

  4. Re:The Blame Game by Anonymous Coward · · Score: 5, Insightful

    Please forward me your bug-free code for review and then we'll talk.

  5. Re:Enough blame to go around by Excelcia · · Score: 5, Insightful

    This exploit exists in an old protocol no one uses any more. Is any vulnerability avoidable? Sure. Should this one have been fixed, or the code deprecated earlier, absolutely. Could /you/ write a hundred million lines of code and not have a critical vulnerability? In case it's not obvious (to you), that was a rhetorical question.

    I am no fan of Microsoft. I never have been. But in this case, the real evil was perpetrated (and there is no other word for it) by the NSA. An agency of the United States government, one specifically tasked with the protection of US citizens, learned of a vulnerability in an operating system used in critical applications throughout the country, used by the majority of its citizens, and not even accidentally sat on it - they purposefully, with consideration and intent, sat on that information. Not only that, but they then developed a weapon to exploit it, lost control of that weapon, and it is now in the wild where it can do the most damage.

    This is a combination of willful dereliction of duty, and gross negligence. This shouldn't be Microsoft complaining, this should be the director of the NSA hauled in handcuffs before congress.

  6. Great argument against backdoors by OzPeter · · Score: 5, Insightful

    This hacking provides the perfect argument against built-in backdoors that would enable the government to spy on people (but only when they wanted). All it takes is one leak and *boom* you have out of control hacking by everyone but the government.

    --
    I am Slashdot. Are you Slashdot as well?
  7. This is CYA from Microsoft by phantomfive · · Score: 3, Insightful

    The original blogpost makes the following points:

    1) Microsoft works hard, I tell you hard to avoid these problems.
    2) Customers are to blame too! (really)
    3) It's the government's fault!

    They're trying to direct the conversation so they don't get all the blame. The reality is, if Microsoft hadn't made the flaw, then this attack never would have happened.

    --
    "First they came for the slanderers and i said nothing."
  8. Re:Enough blame to go around by Dunbal · · Score: 4, Insightful

    This is something a compiler will usually show a warning. If it did not, then the compiler is to blame.

    Guy in India writing the outsourced Microsoft code: "That stupid compiler always generates so many warnings I just turned the warnings off. The code compiles fine I don't see what the problem is."

    --
    Seven puppies were harmed during the making of this post.
  9. Digital Broken Arrow by mentil · · Score: 4, Interesting

    Wait until one of these leaked/lost TLA tools becomes used by a 3rd party in such a way that it looks like a state-sponsored attack on one of their enemies. Or, equally likely, a 'leaked/lost' tool used by a 1st party, with a '3rd party did it' plausible deniability argument. It's like separating a 'rogue terrorist group' from a 'state-sponsored terrorist group'.

    I imagine soon, a major power will say "all attacks by tools that could only have been created by a state actor, will be responded to as if actually used by that actor" and then the "oops, my WMD fell off the back of a truck, my bad" excuse will no longer work. It may soon be considered too dangerous to hoard these exploits, as their inevitable leak will harm their creator more than if they had never been created in the first place. Taking bets on if that happens before or after the IT world figures out how to secure their shit.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  10. Another elephant by Okian+Warrior · · Score: 4, Interesting

    secure Win10

    +1 Funny

    You're also ignoring the huge elephant in the room - that Microsoft probably knew about that vulnerability or even better, created it in conjunction with the NSA et al. By the way - WINDOWS 10 ALSO REQUIRED A "FIX". This is not a "zero day vulnerability", it's a back-door plain and simple.

    The other elephant is that a lot of very expensive hardware still runs on WinXP (and other less-recent but still old versions), can't be upgraded to the new version, and is too expensive to replace.

    Microsoft will still support WinXP, but basically it means a) they have the patches to prevent malware, but b) they'll only give it to you if you pay them.

    Oh, and the price for WinXP support doubles yearly (someone else said that - don't know if it's true).

    So effectively Microsoft is saying that you have to throw out and repurchase all of your medical equipment, all of your research equipment, and all of your manufacturing equipment - even if it's still working - because they want you to purchase a new version of their OS.

    Oh, and the new version pushes adware on you and installs whatever the fuck Microsoft wants and reboots the system whenever it damn well pleases.

    Yeah, I think Microsoft can shoulder at least *some* of the blame for this.

    1. Re:Another elephant by richy+freeway · · Score: 4, Interesting

      The other elephant is that a lot of very expensive hardware still runs on WinXP (and other less-recent but still old versions), can't be upgraded to the new version, and is too expensive to replace.

      Microsoft will still support WinXP, but basically it means a) they have the patches to prevent malware, but b) they'll only give it to you if you pay them.

      Oh, and the price for WinXP support doubles yearly (someone else said that - don't know if it's true).

      So effectively Microsoft is saying that you have to throw out and repurchase all of your medical equipment, all of your research equipment, and all of your manufacturing equipment - even if it's still working - because they want you to purchase a new version of their OS.

      Or the manufacturers of the expensive hardware could update their software to work on a more modern up to date operating system, be that Windows 10, Linux or whatever.

      But yeah, let's just blame Microsoft. It's the easy target.

  11. Re:The Blame Game by Z00L00K · · Score: 3, Interesting

    Interesting that people classifies parent as "Troll" even though it's not far from the truth - better blame the messenger than addressing the problem.

    Realize that the architecture that Windows today has is based on Windows NT, an architecture that was founded in the beginning of the 90's. This in turn is built upon OS/2, which originally came out in 1987.

    There have been improvements to that architecture over the years, which have caused it to become more and more of a patchwork and resource hog in order to still maintain backwards compatibility while also keeping up with new functionality and improved security.

    However a lot of the design in the platform is still causing problems that are hard to resolve without admin rights for the user. The current Windows versions also seems to only utilize two Privilege Levels in the hardware architecture, level 0 (kernel) and level 3 (user applications). This is also the case for Linux, so it's not better on that point.

    However the age of an OS does not necessarily indicate how bad it is from a security point of view and the utilization of the capabilities of the hardware. E,g. OpenVMS utilizes four privilege modes (Kernel, Executive, Supervisor and User) and OpenVMS is now being ported to x86. This seems to be good news for nerds.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  12. Hard to do by Okian+Warrior · · Score: 4, Insightful

    They're patching XP for chrissakes.

    No, they're patching a very old product that they told people - for years straight - to stop using, and they explained why. You do get this, right?

    It's hard to stop using a system when it requires repurchasing the $100,000 hospital X-ray machine that it runs.

    Did you think every hospital should just throw out all it's working equipment and purchase new ones? For hospitals in Africa and India as well?

    1. Re:Hard to do by oobayly · · Score: 3, Interesting

      I read a comment by a guy who develops MRIs - he made a very strong case for why hospitals are stuck using XP. Timing is critical, so simply shoving the controller card into a new machine with a new OS isn't an option as physical damage can be done to the machine.

      However, if an MRI takes an average of 45 minutes, that's only 32 per day if used continuously. If timing is so critical, then it makes sense to keep XP on the controller. But if the machine is critical, then air-gap it, and use removable media. Transferring the data 30 times a day isn't an onerous task.

    2. Re:Hard to do by swb · · Score: 4, Informative

      But if the machine is critical, then air-gap it, and use removable media. Transferring the data 30 times a day isn't an onerous task.

      Sounds easy, until you realize that they've been pushing radiology imagery over the network for years and the entire radiology workflow has been designed around this. The machines don't have external media drives, the staff doesn't know how to do this in a way that insures your "nothing is wrong" imagery is associated with your chart doesn't get conflated with the "stage 4 cancer" imagery of someone else, there's just an entire laundry list of shit that has to happen right, be supported, etc.

      I've seen a similar phenomenon in machine shops and metal fabricators where the tooling is controlled by ancient Windows versions and there just is no update for the driver software that isn't a extremely expensive machine upgrade. I don't know how the machine OEMs get away with this, really, but I'm sure at least in the medical field it has something to do with certification and probably there's a similar amount of BS associated with machine tools (ie, the PE signoff required for safety liability includes the entire control chain).

      I have no idea what the solution is short of machine system vendors producing way more of their own code which would make the machines more expensive.

    3. Re:Hard to do by AmiMoJo · · Score: 3, Interesting

      This problem was solved decades ago. VLAN, or even separate ethernet cards. Hardened BSD box in the middle that just acts as a temporary file storage unit. The XP machine has write access only, it can't read files off the server, making transfer a one way process.

      We know how to secure these systems, but people with that knowledge cost money. Maybe there is a market for a box with this set up built in, that can be easily deployed and swapped out by grunt level IT techs.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  13. Re: Enough blame to go around by Solo-Malee · · Score: 4, Insightful

    "While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't." If Microsoft didn't dress up Windows 10 deployment campaigns as security patches maybe people would have applied important updates, instead, many people got fed up of cleaning up the Windows 10 installer so turned of auto update instead. Glad I'm no longer dependent on Windows.

    --
    "If it's lost, it'll turn up. Things always do" "I love it when a plan comes together"
  14. Re:The Blame Game by gtall · · Score: 4, Informative

    Windows NT was built with VMS in mind, not OS/2, MS hired VMS's main architect. When MS and IBM were in bed together, MS had the UI front end to do. They didn't like the back end from IBM because it made their front end run like shit. So they decided they needed their own back end.

    After NT was thrown together, MS discovered their front end still ran like shit so they went into their back end and knackered the bits that made their front end look bad. Unfortunately, that also meant they had to include stuff in the kernel where from a security standpoint it didn't belong. And so MS's proud tradition for lack of security persisted.

    VMS had 4 security levels and that was supported by the VAX architecture. OpenVMS is merely the successor to VMS. I'm unsure what is open about OpenVMS, last I checked it was owned by HP. It probably won't be long before they screw it up like everything else they touch.