Slashdot Mirror


Chinese State Media Says US Should Take Some Blame For Cyberattack (cnbc.com)

An anonymous reader shares a CNBC report: Chinese state media on Wednesday criticized the United States for hindering efforts to stop global cyber threats in the wake of the WannaCry ransomware attack that has infected more than 300,000 computers worldwide in recent days. The U.S. National Security Agency (NSA) should shoulder some blame for the attack, which targets vulnerabilities in Microsoft systems and has infected some 30,000 Chinese organisations as of Saturday, the China Daily said. "Concerted efforts to tackle cyber crimes have been hindered by the actions of the United States," it said, adding that Washington had "no credible evidence" to support bans on Chinese tech firms in the United States following the attack. The malware attack, which began on Friday and has been linked by some researchers to previous hits by a North Korean-run hacking operation, leveraged a tool built by the NSA that leaked online in April, Microsoft says.

  1. Don't blame the U.S.A. by Anonymous Coward · · Score: 2, Insightful

    Blame Microsoft.

    1. Re:Don't blame the U.S.A. by Solandri · · Score: 1, Insightful

      No, the people who stole the code from the NSA and released it without giving Microsoft a couple months to come up with patches bear the largest share of the blame. They're the ones who turned this into a 0-day exploit.

      Releasing the code to the public wasn't necessary to shame and cripple the U.S. intelligence infrastructure. All they needed to do was give Microsoft a copy and publicly tell them to patch it or they'd make it public in 60 days. Once Microsoft confirmed the vulnerabilities were real, the NSA would've been shamed. And once the exploits were patched, the NSA tools would've become useless, and the objective of crippling the NSA and stopping their illegal wiretapping would've been achieved.

      But they didn't do that. They immediately released it to the public. The people who stole and released the NSA software aren't freedom fighters or conscientious activists for democracy. They're anarchists and criminals. Those of you assuming some noble intent in their actions are mistakenly projecting your desires.

  2. they have a point. by Anonymous Coward · · Score: 2, Insightful

    If the National Security Agency had actually given a shit about security, it would help companies fix these problems before they are exploited in the wild, rather than hoard and weaponize them. They made a conscious decision to attack security rather than enhance it. As a result, critical infrastructure such as hospitals have suffered, and we haven't seen the end of it yet.

    It is a rogue agency, and needs to be brought to heel. When parts of the government start treating its own people as enemies, it's time for a clean slate. You need intelligence agencies. They provide an important service to the nation. You do not need intelligence agencies that violate the Constitution and cause cyber-security issues all around the world. It has gone beyond anything acceptable, and must be dismantled and a new one created under the careful oversight of civilians who have an allegiance to civil rights.

  3. The larger problems by UnknowingFool · · Score: 3, Insightful

    While it might have been the NSA that created the basis of the ransomware, there are really larger problems. Any hacker could have discovered the vulnerability and launched the same attack.

    The first problem is that the malware affected Russia and China in greater numbers for the simple reason that many Windows installations there are pirated so they are not likely to receive patches. MS for their part did patch the vulnerability in the March cumulative update if I remember correctly.

    The second problem is that MS didn't patch unsupported, older versions of Windows until WannaCry became widespread (Windows XP, Vista, etc). So there are still many older versions of Windows out there being used. This second problem does affect companies and machines that have stayed on older Windows for a number of reasons (hospitals, factories, etc.)

    The third problem is that trust in MS has slowly been eroded over the years with their behavior:

    • Auto-updating their users without permission
    • Rebooting machines without warning
    • Sneaking in non-critical features (like telemetry) as critical updates
    • Rolling up patches so that customers cannot refuse certain patches for practical reasons
    • Patch quality dropping with a few of them making machines unusable

    For many, they simply don't trust MS anymore. In years past, a bad patch every now and then could be forgiven. With no trust in MS, consumers are simply taking their chances.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.