The NSA Intercepted Microsoft's Windows Bug Reports (schneier.com)
Bruce Schneier writes on his security blog:
Back in 2013, Der Spiegel reported that the NSA intercepts and collects Windows bug reports... "When Tailored Access Operations selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft... this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer..."
The article talks about the (limited) value of this information with regard to specific target computers, but I have another question: how valuable would this database be for finding new zero-day Windows vulnerabilities to exploit?
the NSA intercepts and collects Windows bug reports.
No way can that be true. Even the NSA's Utah Data Center doesn't have that much storage capacity.
The NSA intercepted anything and everything which went in the direction of the US, possibly also stuff which never went in the US. Consider all your communication compromised by the NSA. Now whether you care (privacy minded people, people not liking government overreach and spying and crook/spy/other nations intelligence agencies) or not (most people) is up to you.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Re " and the foreign equivalents are not the only ones that thought of this obvious source"
The foreign equivalents don't watch the internet like the NSA and GCHQ do.
The net belongs to the NSA, so other nations don't waste funds on low return internet things.
Some of the cool things other nations did or learned from just went back to simple human spying.
France had all its diplomatic codes broken by the USA and UK in the 1950s. It took France a while to learn from that decade-long communications mistake.
China learned of the importance of Little Sai Wan in Hong Kong and just sent human spies in. The UK was using translators it could not trust, trying to keep up with the amount of collection into the 1960s. China just used well-placed human spies to collect on the secret UK collect-it-all policy.
The UK collected from Cyprus. The UK base staff had long hours and very low pay. Soviet spies just had to wait in the local bars and make a lot of new friends with stories to share.
Foreign equivalents spy on their own nations but have learned to be much more careful around the world using well supported human spies.
Really smart nations have worked around that US/UK global collection system many decades ago. Collect it all is great for contractor overtime and seeing the world.
Collect it all works wonders if the enemy never knows about it. The easy Enigma days are over.
What can be learned from Windows networks left wide open in other nations? The enemy leaves a bait computer online and waits to see who comes looking?
Tech support or a charity cover story? NGO? Who wants access to that building and network once it's found?
The UK and USA have to watch every interesting computer network globally. The enemy just has to bait a few networks in their own select buildings with gems of unencrypted information.
Domestic spying is now "Benign Information Gathering"
Windows and Windows networks are a huge liability. CIOs and CSOs need to have a come-to-Jesus moment on that.
I sometimes do internal pentest work, and it's rare, even now in 2017, that some combination of null sessions to get user names and password spray, or just shutting up and listening for LLMNR or old NetBIOS and then cracking the acquired hashes, won't work at a big organization. That is before you even need to consider getting "fancy" with attacks on Kerberos or SPNs. Yes, you need to be on the internal network to do these things, but you are one good phishing catch away from that with most big organizations too. Many of the other pentesters I know rarely even bother trying to exploit other types of servers or internal web applications anymore.
I am not saying the traditional UNIX/Linux solutions like (YP|NIS|LDAP|Hesiod), with or without Kerberos, are not worse in many ways than (AD/LDAP) + Kerberos. It's just that AD is the standard, and most often I see UNIX land being made to talk to AD rather than Windows infra being made to speak anything UNIXy.
My thesis here is that when your authentication/authorization infrastructure itself is the biggest liability, and has been for nearly a decade, something is terribly, terribly wrong. Windows/Windows networking really is the way in, and why that remains "acceptable" is beyond me. Sure, you can harden it a lot, but that is a real challenge for anyone who isn't an expert and does not have $$$ to eliminate every old client, many of which are part of integrated solutions like controllers etc.
What M$ really needs to do is make the next Windows Server upgrade move the hardened configurations OOB. No NTLMv1, no LLMNR, no NetBIOS, no null sessions, password complexity enabled, and some others. They then need to provide a "gateway" for legacy systems where the older protocols can be configured to only talk to certain hosts, and only allow the use of specific accounts, easily.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
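An audit script for the hardened settings the commenter above lists (no LLMNR, no NetBIOS, no NTLMv1, no null sessions), written as an added example for this page and not the commenter's code or anything shipped by Microsoft. It reads the documented policy locations in the local registry and compares them against the hardened values; the check table itself is this example's own construction.

```powershell
# Added example: audit legacy name-resolution and authentication settings
# on the local host and report which ones still allow the attacks above.
# Expected values are the hardened settings from Microsoft's documentation.
$checks = @(
    @{ Name = 'LLMNR disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Key  = 'EnableMulticast';        Expected = 0 },
    @{ Name = 'LM/NTLMv1 refused (LmCompatibilityLevel 5)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel';   Expected = 5 },
    @{ Name = 'Anonymous SAM enumeration blocked'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'RestrictAnonymousSAM';   Expected = 1 },
    @{ Name = 'Anonymous share/pipe enumeration blocked'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'RestrictAnonymous';      Expected = 1 },
    @{ Name = 'Null sessions refused by the server service'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
       Key  = 'RestrictNullSessAccess'; Expected = 1 }
)

function Test-LegacyAuthSetting {
    param([hashtable]$Check)
    # A missing value means the policy was never set, which is a failure too.
    $value = (Get-ItemProperty -Path $Check.Path -Name $Check.Key `
              -ErrorAction SilentlyContinue).($Check.Key)
    [pscustomobject]@{
        Setting  = $Check.Name
        Actual   = if ($null -eq $value) { '<not set>' } else { $value }
        Expected = $Check.Expected
        Pass     = ($value -eq $Check.Expected)
    }
}

# NetBIOS over TCP/IP is configured per interface; NetbiosOptions 2 = disabled.
$nbtPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$netbios = Get-ChildItem -Path $nbtPath | ForEach-Object {
    $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions `
            -ErrorAction SilentlyContinue).NetbiosOptions
    [pscustomobject]@{ Setting  = "NetBIOS disabled on $($_.PSChildName)"
                       Actual   = $opt; Expected = 2; Pass = ($opt -eq 2) }
}

$results = @($checks | ForEach-Object { Test-LegacyAuthSetting -Check $_ }) + @($netbios)
$results | Format-Table -Property Setting, Actual, Expected, Pass -AutoSize
```

Password complexity is a domain policy rather than a local registry value; on a domain-joined host with the ActiveDirectory module, (Get-ADDefaultDomainPasswordPolicy).ComplexityEnabled reports it.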