Microsoft: NSA’s Bug Hoarding To Blame For WannaCry Ransomware Spread

Status
Not open for further replies.

COLGeek

Cybernaut
Moderator
When tools (and their knowledge/flaws) like these escape into the wild, you don't get to choose who uses (abuses) them. This is true whether the intentions are honorable, or not.
 

problematiq

Reputable
Dec 8, 2015
443
0
4,810
16
And so Microsoft will be charging double for the information they sell to the NSA in this backlash. Also, don't leave RDP and SMB/CIFS exposed to the net, it's just stupid.
 


It is their software, so they are accountable for it.

That doesn't mean what they're saying is not correct: if you discover a bug, and more importantly, a SECURITY HOLE, it is your duty to report it. Unfortunately, there's no gap-closing between what is (and we should all agree here) morally right and legally right. I would imagine, if there's a way to prove it, MS could sue the agencies, but that is just getting into the pockets of tax payers at the end of the day... So many things gone wrong here for everyone it's amazing this is not getting more regular press. Or maybe I'm under a rock, lol.

Cheers!
 

InvalidError

Titan
Moderator

The way Apple's Secure Enclave is designed, Apple shouldn't be able to even if it wanted to unless it issued an OS update to decrypt phones the next time they are unlocked and stopped using SE-based encryption afterward.


Microsoft can't be blamed for not fixing bugs that haven't been disclosed. Let us hope that this will serve as a lesson for every intelligence agency advocating intentional backdoors in software and systems. Secrets want to be shared and if you want to keep backdoors or exploit secret, you had better be ready for the consequences when they inevitably get leaked or re-discovered in the wild.
 
G

Guest

Guest
Microsoft knew for this exploit, it is Microsoft who let them do it. Those f. crooks at Microsoft have courage to even f. comment it. I don't blame NSA for anything. It is f. MS. to blame for cause they are the ones who made the f. deal with NSA to start with.
 


I don't know if "blamed", but they are "accountable". That is why I used that word in particular.

Cheers!
 

motocros1

Distinguished
Jan 27, 2011
19
0
18,510
0
"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage." Ya I bet they were "leaked" and no money was exchanged.
 

leoscott

Distinguished
Dec 30, 2009
114
0
18,710
11
This is smoke and mirrors. It has been reported that this vulnerability only works on computers with older Microsoft OSes, prior to Win7, and computers that haven't been getting automatic updates. Those with 7+ OSes and auto updates are not supposed to be vulnerable. So how is this NSA's fault? The real problem is two fold.
1) Companies with legacy apps that won't run on newer OSes. Either MS should provide a way to run those apps in newer OSes or the companies have to spend the money to update their apps. Microsoft 'tries' to allow legacy apps to run, but it has many short comings.
2) Companies don't/won't upgrade to later OSes, either because of cost or upgrade headaches.

Bottom line, none of this is the NSA's fault in this case and the blame lies in many places.
 

problematiq

Reputable
Dec 8, 2015
443
0
4,810
16


This works on all versions of Microsoft OS's that support (Edit: And have enabled) SMB V1. that is, XP to windows 10. wanna watch a windows 10 machine get infected? https://youtu.be/Zy4G30kSPnY
Company's fail to patch their systems all the time, and then you have idiots who set up a host to directly talk to the rest of the world via SMB and RDP. After the initial infection the sucker spreads like wildfire through your network shares.
 

rwinches

Distinguished
Jun 29, 2006
888
0
19,060
30
How is this not the NSA's fault? They (or a third party contributor) were hacked which shows their incompetents at the very core of their responsibility to the US.

Saying that users with 7+ have nothing to worry about is naive as there may well be a new exploit/s stockpiled by the NSA.

I use Malwarebytes Anti-Ransomeware SW which I hope helps.

I use an external storage disk for backups which is only connected during backup. I do disk image backup, but typical 'your files' backup SW works for many but should be directed to a non-local disk/s.
 

spectrewind

Distinguished
Mar 25, 2009
446
0
18,790
2
@RWINCHES...
It is the NSA's fault because of the ETERNALBLUE exploit on of SMB version 1 & 2 across TCP/445... Most companies alert each other to exploits... MS16-075 prevents this, no thanks to the sh*t-h0le called the NSA.
WannaCry quit replicating last week, as the single IP it was reporting to was taken offline...
Next up: Uiwix.
 

bit_user

Splendid
Ambassador
Why is this even a debate? MS is responsible for the design, implementation, and testing of their products. Full stop. If there are bugs or security holes, the blame lies primarily with them.

If the NSA knows about bugs and doesn't report them, that's also bad.

Both organizations can be in the wrong. It's not either/or. This finger-pointing is not helpful.


Oh, so they only have to fix exploits once they've been disclosed? That's a really low bar. So, if some hacker or foreign government finds a bug or design flaw and exploits it without choosing to tell MS about it, then you attribute no blame to MS? Even if they know about it but don't know that anyone else does? Wow.

Seriously, you have to assume that any given vulnerability will eventually be found and exploited. Without that attitude such events as this will become only more commonplace. MS has a responsibility to fix every vulnerability they know about, in a timely manner.
 

InvalidError

Titan
Moderator

How do you fix bugs you aren't aware of yet? You can't.

AFAIK, Microsoft didn't know about the bug until March 2017 where it promptly issued patches for all currently supported OSes, which is reasonable and timely enough. By the time the WannaCry outbreak made the news, people and companies already had nearly two months to roll out Microsoft's 17-010 patches.
 

dogofwars

Distinguished
May 6, 2009
163
0
18,680
0
They should blame themselves for the stupid culture of developping and fixing shit after the product is out.
No incentive for the programmers to fix the bug before hand but big pay out for fixing the bug they created in the first place. That is why we have so many problem today.
 

dogofwars

Distinguished
May 6, 2009
163
0
18,680
0
One of the major problem is the medical devices that run on XP that does not get updated because the hardware companies does not support their devices anymore etc. The whole industry need to be punished really hard for the lack of updating their devices with the proper patch which they do not.
 

InvalidError

Titan
Moderator

It is nearly impossible to find all bugs beforehand in any project of significant scope.

If companies had to wait until all bugs were worked out before releasing software, no software would ever get released. Even ASICs which go through millions of dollars worth of functional and annotated simulations prior to production to avoid wasting millions of dollars on masks for designs with show-stopping flaws still have lesser flaws that may get addressed in future die revisions by the time chip designers deem them good enough for production. If AMD, Intel and others didn't release CPUs, GPUs and whatever other chips until their errata list was cleared, we'd be waiting for several more years between new architectures.
 

bigdragon

Distinguished
Oct 19, 2011
706
126
19,160
0
I have a totally different take on this. It seems WannaCry is a stark reminder that companies need to spend on IT security expertise, need to upgrade their equipment, and need to pick software that can meet their support needs. I don't think blaming the government is the right move here.

If these companies and organizations were using fully-patched copies of Windows 7, 8, or 10 then I'd be agreeing with Microsoft. However, most of what I'm reading is affecting unpatched, ancient copies of Windows XP, XP embedded, Windows 2000, Vista, and 7. These companies and organizations had this coming. The same government being blamed is also the one that was screaming about cybersecurity under the Obama administration, and they were churning out all sorts of documents citing how to protect systems from attacks like WannaCry.

If you want to blame someone, you blame the operators of the affected computers.
 

dogofwars

Distinguished
May 6, 2009
163
0
18,680
0

Still not an excuse for skimming on security. At least there is a will now to correct that or so it seems.
 
Status
Not open for further replies.

ASK THE COMMUNITY