TLDR: Microsoft is using WannaCry as an opportunity to complain about the NSA and as an opportunity to tell people they need to update their software.
I personally think that it's great to get the message across that people need to keep their operating systems up-to-date. I see too many non-technical people thinking in dangerous ways:
* "I don't want to update software, because the new software could have bugs which might be a security risk." I used to work for a well-known Fortune 500 that thought this way. But _all_ software is vulnerable in one way or another and by keeping it up to date, you also get the most recent security patches. Software vendors generally aren't putting major resources into securing old versions of their software.
* "I've got anti-virus software installed on my computer and we've got a firewall on our network". And maybe that will help you at some point, but if you don't update your OS, that's like having bullet-proof windows and leaving your front door unlocked.
I wonder how much of the never-upgrade mentality is down to Microsoft insisting on being backwards compatible back till basically the Jurassic period, and providing support for obsolete software for years and years. Their intention is commendable, but there's something to be said for sometimes breaking things for what is hopefully the greater good.
The rust package manager issue that was on HN the other week comes to mind, where a package called NUL (I think) wreaked havoc on Windows systems because of backwards compatibility with DOS.
My point is: why rush to upgrade when you've got "support" anyway? For varying definitions of support.
I'm not sure that your point makes sense. If Microsoft insists on backwards compatibility, then you _can_ upgrade with "no worries". This policy seems to encourage people to upgrade as the new OS will honor the old mechanisms.
In an OS where there was no commitment to backwards compatibility you would have an incentive to not change anything when it works.
> My point is: why rush to upgrade when you've got "support" anyway?
This is a different point. But you seem to be criticizing the decision by Microsoft to focus on backwards compatibility and support for old operating systems, two things that seem to be commendable.
No, my apologies, I'm not being very clear then. I don't mean to criticise Microsoft here, in fact I think their commitment to backwards compatibility is commendable and I think history proves they've at least tried to get people on the automatic updates track. Execution hasn't been flawless, for sure, but we're in better place now than we were 15-20 years ago.
And I'm also not trying to draw any conclusions with my post. I'm genuinely wondering whether the fact that Microsoft has been so committed to backwards compatibility has fostered a kind of mentality where people and indeed developers don't upgrade, simply because they know they won't be abandoned anyway. It's always easier not to change anything, and if the message is typically "you'll be fine" anyway then where's the incentive? The "you'll be safer, probably" message doesn't seem to me like it's working.
You're probably right that I'm not making much sense, I'm finding it a bit hard to put my thoughts into words here.
No people fear updates from M$ because M$ has a bad history of bricking devices and pushing hidden privacy-harming updates without consorting their users.
Or maybe it's the fact that Windows has to restart after every single software update.
Really it's astounding that Microsoft provides this kind of awful updating experience and then inseminates propoganda into people's minds that those who don't auto update their W10 boxes are stupid and endangering themselves.
If you use Windows 10 in general, you are stupid and endangering yourself.
Can't see the original now, someone flagged it. Even so:
- Yes, there are IIRC updates not requiring restart ("not every" <=> "some exist that do not have the property").
- Not updating your existing system is indeed dangerous. Updating your Windows system...is sometimes even more dangerous: I was on the receiving end of "Where do you want to go today? Never mind, you want to upgrade to WinX; stop whining, we know you want it!" That said, there are far more dangerous MS FUD campaigns, I think.
- The final question is quite different to your original claim, IIRC; but yes, Win10 IMNSHO falls squarely under "malware," and thus I'm not using it. Not even using Windows, FWIW. Even better, the GWX fiasco helped me persuade people to move off Windows altogether.
Please explain to me what about this was uncivil so that I may do better in the future.
Was it my choice in adjectives? Is "stupid" not an appropriate word on HN? Is it because I had a spelling error? Is it because I displayed a strong negative opinion of something?
PC are now a commodity in most countries (sadly not in all), so unless there is a very compelling reason to upgrade, no one among non technical users will do it, even less when the new OS isn't compatible with their existing software.
Afaik AV wouldn't even protect against WannaCry until after its signature was already in the wild, when it was too late. But Windows update would've prevented the SMB hole by which it spread in networks.
>as an opportunity to tell people they need to update their software.
How are defining update? I don't think anyone has issues with security updates but being force-fed a new version of Windows10 every 6 months is questionable especially when its a true re-imaging of the PC and a migration of apps and data, often screwing up in some way mostly with putting in older or buggy drivers that the end user has replaced with newer ones on the previous version. Every update has broke my trackpad on my laptop and badly hurt my gaming performance on my desktop until I could find the proper nvidia drivers. On top of having to deal with all the UI changes and other changes, none of which seem documented in a easy end-user digestible way. Also some of which have to be discovered by sysadmins like Win10 Pro now ignoring GPOs to block the store, for example.
I think MS is going to use anything to justify an evergreen Windows 10. I'm not sure that's a good thing. I'm not more secure with the current version with this issue patched compared to the previous version with this issue patched. Its the same level of security. I dislike it when companies disingenuously conflate feature updates with security updates. These are two entirely different things.
I think is Win10 moved at a much slower pace for feature upgrades, say every 12-18 months, people wouldn't be so wary of it. Instead, MS is forcing things down the throats of customers that are not desired or asked for. Worse, it validates a "ship and fix later" approach that will always lead to poor quality software.
Lastly, MS is just being downright dishonest. Most of the infected weren't Win10 or 8/7 users too lazy to update, but old copies of XP still in use. Those XP users have auto-update running, but MS has chosen EOL it. Fine, but don't browbeat Win10 users sick of endless and buggy feature updates because of it. The two have nothing in common.
> I see too many non-technical people thinking in dangerous ways
Large IT organizations are just as bad. Instead of patching proactively, they prefer to delay patches indefinitely. Reddit /r/sysadmin and other public forums have been a mess of "which KB do I install to block WannaCry?" type questions for the past several days.
Not a big fan of Microsoft in general, and I generally distrust anything it does, but I'm beginning to like this Brad Smith fellow. He's been pushing for quite a few privacy initiatives inside Microsoft, and he's now also taking on NSA and calling for a Digital Geneva Convention.
I also think Microsoft "got lucky" this time. Shadow Brokers sit on EternalBlue for at least 6 months. They could've released it before the NSA even alerted Microsoft that such a bug exists in its operating system (probably earlier this year). That would've hurt Microsoft's image a lot more.
So I think this should also be a warning to Microsoft (and other software companies). If there is some other backdoor in Windows or bug on which Microsoft may decide to sit on to give the NSA a few extra months to exploit it, its image could be hurt a lot. Some other group may discover it and and then turn it into another global ransomware attack, before Microsoft even has a chance to patch it.
So lesson of the day: don't do back room (or door) deals with the NSA, whether because of fear, for money, "patriotism," or some other reason, because it could come back and hurt you 10 times more when you're put in the spotlight as the main party responsible for a global attack.
They were looking for buyers this whole time. Perhaps you are unaware but there's an entire cottage industry of selling and buying of vulnerabilities out there. There are many zero days being sat on. No one is getting 'lucky.' They will be sold and used as needed by whatever group.
There seems to be this narrative developing about how this exploit is some rare thing. There are hundreds of serious exploits discovered in Windows a year and those are the ones we know about. There was no nation state involved with conficker, slammer, codered, heartbleed, etc. So its silly to focus solely on the NSA here. Exploits will be found, forever. We don't have the ability to make defect-free software.
From the source that that tweet gets the "date" from:
>Date Entry Created 20160909
>Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
AFAIK, this CVE's "Date Entry Created" is an interesting metadata artifact without any additional significance currently (no futher background info publicly available at this time). I don't know if MITRE makes any additional info (such as "who") public, though I'm sure it is stored somewhere.
I haven't had a chance to review the same value for other CVE's to determine how "normal" it is for the create date to be so long before when the CVE goes public, nor how things correlate for the associated Shadow Brokers fixes.
> Microsoft has not disclosed how it came to know about the vulnerabilities included in the MS17-010 patch. Microsoft also has not disclosed any information about “in the wild” exploitation of these vulnerabilities.
So, if the attack requires you to double-click on virus.exe the NSA exploits everyone is talking about didn't really matter that much did it?
Sure, when hitting a large corporation that would obviously help a lot but home networks (which for some reason have been hit quite hard as well) don't even have that many machines to begin with.
The NSA exploits matter because they would be one of the few orgs to have access to multiple zero days. Imagine wannacry paired with a drive by browser exploit.
Of course, I meant that it didn't matter much in this particular case.
Every news outlet as well as technical sites seems to agree that it was NSA that enabled this attack, but if it all boils down to users opening email attachments that's something else entirely.
The email attachment is the matchstick, the NSA has soaked everything in gasoline, so to speak. Thanks to the zero day, you need one person opening the attachment to infect every machine on the LAN.
You're right about the point of home networks though. Some wild guesses:
- Infected machines that are moved between networks - e.g. a laptop that's used in both public and a private networks BYOD-style.
- The worm also didn't use broadcasts to spread but simply tried out all IP addresses in its subnet. So if an ISP isn't properly isolating its customers, the worm might spread from customer to customer behind the ISP's NAT.
- People are actually that stupid and clicked on the attachment a lot.
Even without the zero-day it would have spread to whatever NAS was used and eventually encrypt and possibly spread - though just not as quickly.
So, it would have been game over anyway. The main advantage of a quick attack is likely that if you opt to pay to decrypt you have more infected computers (and sure, laptops - but these details are not exactly game-changing).
> Even without the zero-day it would have spread to whatever NAS was used and eventually encrypt and possibly spread - though just not as quickly.
That kind would have been orders of magnitude slower though and again dependant on social engineering: The worm would have needed someone do download the executable from the NAS and run it - in the face of usual security practices and anti-virus software looking for exactly that kind of thing - for every single machine. Even then the executable would only have admin privileges at best and probably not even that.
Compare that to the exploit which allowed the worm to execute code on every windows machine in the LAN, with system privileges and without any user interaction needed.
I think the exploit increased both the speed and the likelihood of successful infection by an order that is game-changing: Even if an infection was spotted, by the time countermeasures could have been deployed, the damage had already been done. Because no social engineering was required, even machines with restricted user input or no input at all were at risk (e.g. information screens or specialized hospital equipment).
> The worm would have needed someone do download the executable from the NAS and run it...
Well, by that time the NAS is lost so it is already game over anyway. Nothing of value is stored on individual workstations (and if they do they ought to have some form of backup (which again, probably is the very same NAS)). It is an inconvenience, sure, but comparatively a minor detail.
> Nothing of value is stored on individual workstations (and if they do they ought to have some form of backup [...])
That's a very broad assertion.
Maybe that's true in a setup where everyone uses thin clients, but in the usual case, there is still enough friction on Windows to using network shares that many people will have local copies of the files they work with. Also, a NAT is probably the fist thing you'd hook up to a backup - if you're not using a cloud service anyway.
Finally, the workstation itself is absolutely important. If only the NAS were affected you could at least keep working with what's left. Some machines are also specialized, e.g. info screens, ATMs, PoS terminals, hospital equipment...
The initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff.
There is also a working theory that initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected those shares directly.
Surprisingly large amount of SMB shares exposed directly to internet, that would of course be a great starting point.
Look at the number of exploits Microsoft has patched in the last 2-3 years. Then realize most of them also apply to XP, and haven't been patched for that OS. Exploiting XP users is incredibly easy.
Despite their posturing, how can we trust Microsoft (and other companies like it) ? Windows is a black box. How do we know that there are no backdoors/spying routines to please some governments ? How can we trust that it behaves ethically with all the data it collects ? We only have their word for it.
Oh come on, this is stretching the accepting definition of malware a mile and then some.
This is FUD plain and simple without facts to back it up.
Microsoft releasing details of vulnerabilities in advance to premier customers is not something new. All software companies have that practice and we have seen it happen with recent OpenSSL vulnerabilities when CloudFlare has been given advance notice.
Microsoft has different classes of customers and the functionality that you don't want, many customers request and may even require. You aren't obligated to use their disk encryption or functionality. You can install your own WDE product, but you appear to want the features of a Ferrari for the price of a Ford Focus, which is not reasonable.
Microsoft is not trying to mess with your system via that method. If anything, that is a blanket improvement prior by default there was no encryption. Could the design be made better? Maybe, with any implementation of a security feature there are always trade-offs. Microsoft could force users to store the key locally or print it, but then millions of people would simply turn encryption off or lose their key. This does not grant MS remote access to your system.
There are plenty of things that are wrong with MS, but saying Windows is malware is FUD plain and simple.
Transmitting encryption keys is not a feature any sane person would want. It is convenient. But the fact that it does this in the background is ridiculous.
And your cost comparison is equally absurd. It costs more money to store and manage our keys than it would to just leave them alone.
> Microsoft is not trying to mess with your system via that method
They use other methods to interact with your pc without your permission
I am a windows user. I'm just not sure how anyone could claim that an OS that updates without your permission, sends and stores your encryption keys, captures browser history and all keystrokes, etc is not considered malware.
Quoting you, "I'm just not sure how anyone could claim that an OS that updates without your permission, sends and stores your encryption keys, captures browser history and all keystrokes, etc is not considered malware."
I'm making that claim and I don't think you have a clue on how security works.
1. Transmitting encryption keys is something many people want as it removes the overhead of them having to manage them on their own. Businesses use this too (via the cloud) in many cases. As for doing it in the background - how else should it do it? Have a big flashy screen that will confuse the average user? This feature allows Microsoft to gradually raise the bar on its OS security and prevent data recovery from physically stolen devices; while still allowing the user to recover their data if they lock themselves out.
2. The cost comparison is valid. Disk is cheap, and key management should be (this I don't know) automated. Microsoft stores tons of data already (all major software vendors do).
3. Windows Updates should trend towards automation frankly for the consumer versions of the product. Those versions don't have sufficient security features to not get updated.
4. No PII is sent with the core dumps; it's debugging information and helps make the product more secure - that's kind of something you want right?
5. The NSA key is a known falsehood. I'm not even going to bother to address it.
I'm honestly not sure if you're a troll or a rabid conspiracy theorist at this point.
> Transmitting encryption keys is something many people want
This proves you know absolutely nothing about security. lol. The reason they call them "private" is because you are supposed to keep it a secret. Key management services exist to promote ease of use. And those often include extra layers of protection (eg hsm)
> I'm honestly not sure if you're a troll or a rabid conspiracy theorist
Your logical fallicay is "ad hominem". How is this helping your argument?
I use windows. If I was rabid i'd be on SElinux all day. I'm just not ignorant to volumes of data our computers are leaking.
Well, you often have no other choice. You can go out of your way and install an open source OS, but then there might still be a backdoor in your hardware. Ultimatively, this can not be solved technically, but socially. In a country with a strong rule of law and democracy, you should be able to trust that the state builds no backdoors into your devices when they say they don't. And you should be able to trust the manufacturers that they don't do it by themselves. But unfortunately they have incentives to go both ways (short term profit + appeasing governments on the one hand, vs. gaining consumer trust on the other).
I'll go meta here: How can we trust food companies? They have incentives to decieve us, to adulterate their products, produce as cheaply as possible and sell as expensively as possible. There are magazines, websites, that do nothing but test food. It blows my mind when I think about that. How antagonistic is our society, when the people who make our food are working against us. The solution we developed for that are checks and balances in form of journalism and consumer protection laws. Sometimes it works, sometimes not. Whether its adulterants in food or backdoors in software, it's a similar problem.
I agree although recent developments in the western world indicate that we're not going down the road of checks and balances e.g. snooper charter in the UK, secret courts in the US.
You do? Where? Does this company warranty anything?
What the user needs is not for Microsoft to improve Windows. At 15 new vulnerabilities a day (source: Microsoft) how can anyone argue with a straight-face that this is not a futile exercise?
What the user needs is choice. More choices of computers that do not have Windows pre-installed.
This monopoly is hurting consumers. It relies on a product that is grossly unfit for one specific area of usage: interfacing with an untrusted network, i.e., the internet. And Microsoft today requires a user to connect their Windows computer to the internet (for "updates" and "upgrades") lest the user be blamed for the product's own flaws when used in this way.
Windows should not be connected to the internet, ever. It is for the LAN only.
Microsoft is a company that actively tries to prevent any comparisons of its products with other products, sometimes through threats of filing legal proceedings.
True or false?
Only government agencies are capabale of discovering flaws in Microsoft Windows.
True or false?
A closed source kernel is more secure than an open source kernel.
(For the avoidance of doubt, here "open source" means open to public inspection free of charges, terms or conditions, such as various UNIX-like kernels. It also means the right to make changes, re-compile and re-distribute without charges.)
True or false?
This determination can be made without comparing the source code for both kernels.
Hypothetical and questions:
Product A has 5000-6000 new vulnerabilities per year, about 15 per day.
Product B has 5-20 new vulnerabilities per year.
Can we explain this difference by focusing on the parties who find the problems that require patching?
Alternatively, should we focus instead on the products?
What if Product A is more complex is than Product B?
Does this make any difference?
What if Product B can perform many of the same functions as Product A, particularly the functions that are most often used to exploit a vulnerability.
For example handling data to be sent or recieved from the an untrustowrthy network such as the internet. In other words, networking with remote computers ("internet") as opposed to only networking with local computers ("IBM-compatible PC LAN").
Unlike BSD UNIX, Windows was originally designed for only local networking, where very little if any security is required.
True or false?
Windows still retains some of this original design and source code.
That is a trick question because the Windows source code is not open source. How would anyone verify what is still in that source code?
Keeping the source code from the eyes of its users does not protect them.
It may be possible to reverse engineer Microsoft products or patches to learn how Windows works.
"Good guys" may do this as well as "bad guys".
A vulnerability could be discovered by someone who is not even old enough to work for a government.
Repeat question:
Should we focus on who finds flaws in Windows or should we focus on the Windows product itself?
73 comments
[ 4.3 ms ] story [ 139 ms ] threadThe quality of free content is quite good, and general the bias of that content is more apparent.
I personally think that it's great to get the message across that people need to keep their operating systems up-to-date. I see too many non-technical people thinking in dangerous ways:
* "I don't want to update software, because the new software could have bugs which might be a security risk." I used to work for a well-known Fortune 500 that thought this way. But _all_ software is vulnerable in one way or another and by keeping it up to date, you also get the most recent security patches. Software vendors generally aren't putting major resources into securing old versions of their software.
* "I've got anti-virus software installed on my computer and we've got a firewall on our network". And maybe that will help you at some point, but if you don't update your OS, that's like having bullet-proof windows and leaving your front door unlocked.
The rust package manager issue that was on HN the other week comes to mind, where a package called NUL (I think) wreaked havoc on Windows systems because of backwards compatibility with DOS.
My point is: why rush to upgrade when you've got "support" anyway? For varying definitions of support.
In an OS where there was no commitment to backwards compatibility you would have an incentive to not change anything when it works.
> My point is: why rush to upgrade when you've got "support" anyway?
This is a different point. But you seem to be criticizing the decision by Microsoft to focus on backwards compatibility and support for old operating systems, two things that seem to be commendable.
And I'm also not trying to draw any conclusions with my post. I'm genuinely wondering whether the fact that Microsoft has been so committed to backwards compatibility has fostered a kind of mentality where people and indeed developers don't upgrade, simply because they know they won't be abandoned anyway. It's always easier not to change anything, and if the message is typically "you'll be fine" anyway then where's the incentive? The "you'll be safer, probably" message doesn't seem to me like it's working.
You're probably right that I'm not making much sense, I'm finding it a bit hard to put my thoughts into words here.
Or maybe it's the fact that Windows has to restart after every single software update.
Really it's astounding that Microsoft provides this kind of awful updating experience and then inseminates propoganda into people's minds that those who don't auto update their W10 boxes are stupid and endangering themselves.
If you use Windows 10 in general, you are stupid and endangering yourself.
You don't believe Microsoft is engaged in propaganda campaigns, specifically the idea that not updating is being a "bad user"?
You don't believe that by using Win10, you aren't legitimizing the "OS as Malware" concept and endangering yourself to a huge remote attack surface?
- Yes, there are IIRC updates not requiring restart ("not every" <=> "some exist that do not have the property").
- Not updating your existing system is indeed dangerous. Updating your Windows system...is sometimes even more dangerous: I was on the receiving end of "Where do you want to go today? Never mind, you want to upgrade to WinX; stop whining, we know you want it!" That said, there are far more dangerous MS FUD campaigns, I think.
- The final question is quite different to your original claim, IIRC; but yes, Win10 IMNSHO falls squarely under "malware," and thus I'm not using it. Not even using Windows, FWIW. Even better, the GWX fiasco helped me persuade people to move off Windows altogether.
https://news.ycombinator.com/newsguidelines.html
Please explain to me what about this was uncivil so that I may do better in the future.
Was it my choice in adjectives? Is "stupid" not an appropriate word on HN? Is it because I had a spelling error? Is it because I displayed a strong negative opinion of something?
Which is in large parts due to irresponsible marketing given to these people by AV companies.
How are defining update? I don't think anyone has issues with security updates but being force-fed a new version of Windows10 every 6 months is questionable especially when its a true re-imaging of the PC and a migration of apps and data, often screwing up in some way mostly with putting in older or buggy drivers that the end user has replaced with newer ones on the previous version. Every update has broke my trackpad on my laptop and badly hurt my gaming performance on my desktop until I could find the proper nvidia drivers. On top of having to deal with all the UI changes and other changes, none of which seem documented in a easy end-user digestible way. Also some of which have to be discovered by sysadmins like Win10 Pro now ignoring GPOs to block the store, for example.
I think MS is going to use anything to justify an evergreen Windows 10. I'm not sure that's a good thing. I'm not more secure with the current version with this issue patched compared to the previous version with this issue patched. Its the same level of security. I dislike it when companies disingenuously conflate feature updates with security updates. These are two entirely different things.
I think is Win10 moved at a much slower pace for feature upgrades, say every 12-18 months, people wouldn't be so wary of it. Instead, MS is forcing things down the throats of customers that are not desired or asked for. Worse, it validates a "ship and fix later" approach that will always lead to poor quality software.
Lastly, MS is just being downright dishonest. Most of the infected weren't Win10 or 8/7 users too lazy to update, but old copies of XP still in use. Those XP users have auto-update running, but MS has chosen EOL it. Fine, but don't browbeat Win10 users sick of endless and buggy feature updates because of it. The two have nothing in common.
Large IT organizations are just as bad. Instead of patching proactively, they prefer to delay patches indefinitely. Reddit /r/sysadmin and other public forums have been a mess of "which KB do I install to block WannaCry?" type questions for the past several days.
I also think Microsoft "got lucky" this time. Shadow Brokers sit on EternalBlue for at least 6 months. They could've released it before the NSA even alerted Microsoft that such a bug exists in its operating system (probably earlier this year). That would've hurt Microsoft's image a lot more.
So I think this should also be a warning to Microsoft (and other software companies). If there is some other backdoor in Windows or bug on which Microsoft may decide to sit on to give the NSA a few extra months to exploit it, its image could be hurt a lot. Some other group may discover it and and then turn it into another global ransomware attack, before Microsoft even has a chance to patch it.
So lesson of the day: don't do back room (or door) deals with the NSA, whether because of fear, for money, "patriotism," or some other reason, because it could come back and hurt you 10 times more when you're put in the spotlight as the main party responsible for a global attack.
They were looking for buyers this whole time. Perhaps you are unaware but there's an entire cottage industry of selling and buying of vulnerabilities out there. There are many zero days being sat on. No one is getting 'lucky.' They will be sold and used as needed by whatever group.
There seems to be this narrative developing about how this exploit is some rare thing. There are hundreds of serious exploits discovered in Windows a year and those are the ones we know about. There was no nation state involved with conficker, slammer, codered, heartbleed, etc. So its silly to focus solely on the NSA here. Exploits will be found, forever. We don't have the ability to make defect-free software.
Source: https://twitter.com/_supernothing/status/864021595303456768
> MS has known about this bug since 09/2016 (when CVE was assigned) and patched in 03/2017. 240day
>Date Entry Created 20160909
>Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Do you have a better source for the 240day claim?
AFAIK, this CVE's "Date Entry Created" is an interesting metadata artifact without any additional significance currently (no futher background info publicly available at this time). I don't know if MITRE makes any additional info (such as "who") public, though I'm sure it is stored somewhere.
I haven't had a chance to review the same value for other CVE's to determine how "normal" it is for the create date to be so long before when the CVE goes public, nor how things correlate for the associated Shadow Brokers fixes.
--
https://twitter.com/thegrugq/status/853142591289802752
> There are no acknowledgements for MS17-10 which patched most of the big bugs from the ShadowBrokers drop.
https://www.renditioninfosec.com/2017/05/call-to-microsoft-t...
> Microsoft has not disclosed how it came to know about the vulnerabilities included in the MS17-010 patch. Microsoft also has not disclosed any information about “in the wild” exploitation of these vulnerabilities.
Is it automatically opened via UPNP or something? (seems doubtful)
Sure, when hitting a large corporation that would obviously help a lot but home networks (which for some reason have been hit quite hard as well) don't even have that many machines to begin with.
Every news outlet as well as technical sites seems to agree that it was NSA that enabled this attack, but if it all boils down to users opening email attachments that's something else entirely.
You're right about the point of home networks though. Some wild guesses:
- Infected machines that are moved between networks - e.g. a laptop that's used in both public and a private networks BYOD-style.
- The worm also didn't use broadcasts to spread but simply tried out all IP addresses in its subnet. So if an ISP isn't properly isolating its customers, the worm might spread from customer to customer behind the ISP's NAT.
- People are actually that stupid and clicked on the attachment a lot.
So, it would have been game over anyway. The main advantage of a quick attack is likely that if you opt to pay to decrypt you have more infected computers (and sure, laptops - but these details are not exactly game-changing).
That kind would have been orders of magnitude slower though and again dependant on social engineering: The worm would have needed someone do download the executable from the NAS and run it - in the face of usual security practices and anti-virus software looking for exactly that kind of thing - for every single machine. Even then the executable would only have admin privileges at best and probably not even that.
Compare that to the exploit which allowed the worm to execute code on every windows machine in the LAN, with system privileges and without any user interaction needed.
I think the exploit increased both the speed and the likelihood of successful infection by an order that is game-changing: Even if an infection was spotted, by the time countermeasures could have been deployed, the damage had already been done. Because no social engineering was required, even machines with restricted user input or no input at all were at risk (e.g. information screens or specialized hospital equipment).
Well, by that time the NAS is lost so it is already game over anyway. Nothing of value is stored on individual workstations (and if they do they ought to have some form of backup (which again, probably is the very same NAS)). It is an inconvenience, sure, but comparatively a minor detail.
That's a very broad assertion. Maybe that's true in a setup where everyone uses thin clients, but in the usual case, there is still enough friction on Windows to using network shares that many people will have local copies of the files they work with. Also, a NAT is probably the fist thing you'd hook up to a backup - if you're not using a cloud service anyway.
Finally, the workstation itself is absolutely important. If only the NAS were affected you could at least keep working with what's left. Some machines are also specialized, e.g. info screens, ATMs, PoS terminals, hospital equipment...
Anyway: http://baesystemsai.blogspot.se/2017/05/wanacrypt0r-ransomwo...
The initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff.
There is also a working theory that initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected those shares directly.
Surprisingly large amount of SMB shares exposed directly to internet, that would of course be a great starting point.
Indeed. I figure the damage in that case is more lost time and bad publicity (lots of photos showing the ransom note on public screens)
> The initial infection vector is still unknown [...] SMB shares exposed to the public internet
That's interesting. I wasn't aware of that but I agree, it would explain the quick spreading much better.
No one group has a monopoly on knee-jerk reactions, you see.
more here: https://www.gnu.org/proprietary/malware-microsoft.en.html
This is FUD plain and simple without facts to back it up.
Microsoft releasing details of vulnerabilities in advance to premier customers is not something new. All software companies have that practice and we have seen it happen with recent OpenSSL vulnerabilities when CloudFlare has been given advance notice.
If storing my disk encryption keys on Microsoft servers isn't harmful to my privacy and security, I don't know what is.
https://theintercept.com/2015/12/28/recently-bought-a-window...
I'm going to address your specific link.
Microsoft has different classes of customers and the functionality that you don't want, many customers request and may even require. You aren't obligated to use their disk encryption or functionality. You can install your own WDE product, but you appear to want the features of a Ferrari for the price of a Ford Focus, which is not reasonable.
Microsoft is not trying to mess with your system via that method. If anything, that is a blanket improvement prior by default there was no encryption. Could the design be made better? Maybe, with any implementation of a security feature there are always trade-offs. Microsoft could force users to store the key locally or print it, but then millions of people would simply turn encryption off or lose their key. This does not grant MS remote access to your system.
There are plenty of things that are wrong with MS, but saying Windows is malware is FUD plain and simple.
And your cost comparison is equally absurd. It costs more money to store and manage our keys than it would to just leave them alone.
> Microsoft is not trying to mess with your system via that method
They use other methods to interact with your pc without your permission
1. http://www.informationweek.com/microsoft-updates-windows-wit...
2. http://slated.org/windows_by_stealth_the_updates_you_dont_wa...
Your core dumps are being captured. And then sent to a third party: https://betanews.com/2016/11/24/microsoft-shares-windows-10-...
Default settings let Microsoft capture everything you type and your browsing history: https://web.archive.org/web/20151001035410/https://jonathan....
And don't forget about the NSA key buried in windows: http://www.marketoracle.co.uk/Article40836.html
I am a windows user. I'm just not sure how anyone could claim that an OS that updates without your permission, sends and stores your encryption keys, captures browser history and all keystrokes, etc is not considered malware.
I'm making that claim and I don't think you have a clue on how security works.
1. Transmitting encryption keys is something many people want as it removes the overhead of them having to manage them on their own. Businesses use this too (via the cloud) in many cases. As for doing it in the background - how else should it do it? Have a big flashy screen that will confuse the average user? This feature allows Microsoft to gradually raise the bar on its OS security and prevent data recovery from physically stolen devices; while still allowing the user to recover their data if they lock themselves out.
2. The cost comparison is valid. Disk is cheap, and key management should be (this I don't know) automated. Microsoft stores tons of data already (all major software vendors do).
3. Windows Updates should trend towards automation frankly for the consumer versions of the product. Those versions don't have sufficient security features to not get updated.
4. No PII is sent with the core dumps; it's debugging information and helps make the product more secure - that's kind of something you want right?
5. The NSA key is a known falsehood. I'm not even going to bother to address it.
I'm honestly not sure if you're a troll or a rabid conspiracy theorist at this point.
This proves you know absolutely nothing about security. lol. The reason they call them "private" is because you are supposed to keep it a secret. Key management services exist to promote ease of use. And those often include extra layers of protection (eg hsm)
> I'm honestly not sure if you're a troll or a rabid conspiracy theorist
Your logical fallicay is "ad hominem". How is this helping your argument?
I use windows. If I was rabid i'd be on SElinux all day. I'm just not ignorant to volumes of data our computers are leaking.
I'll go meta here: How can we trust food companies? They have incentives to decieve us, to adulterate their products, produce as cheaply as possible and sell as expensively as possible. There are magazines, websites, that do nothing but test food. It blows my mind when I think about that. How antagonistic is our society, when the people who make our food are working against us. The solution we developed for that are checks and balances in form of journalism and consumer protection laws. Sometimes it works, sometimes not. Whether its adulterants in food or backdoors in software, it's a similar problem.
But, at least, not in the software. That's a large part of the attack surface that just isn't there.
You do? Where? Does this company warranty anything?
What the user needs is not for Microsoft to improve Windows. At 15 new vulnerabilities a day (source: Microsoft) how can anyone argue with a straight-face that this is not a futile exercise?
What the user needs is choice. More choices of computers that do not have Windows pre-installed.
This monopoly is hurting consumers. It relies on a product that is grossly unfit for one specific area of usage: interfacing with an untrusted network, i.e., the internet. And Microsoft today requires a user to connect their Windows computer to the internet (for "updates" and "upgrades") lest the user be blamed for the product's own flaws when used in this way.
Windows should not be connected to the internet, ever. It is for the LAN only.
Microsoft is a company that actively tries to prevent any comparisons of its products with other products, sometimes through threats of filing legal proceedings.
True or false?
Only government agencies are capabale of discovering flaws in Microsoft Windows.
True or false?
A closed source kernel is more secure than an open source kernel.
(For the avoidance of doubt, here "open source" means open to public inspection free of charges, terms or conditions, such as various UNIX-like kernels. It also means the right to make changes, re-compile and re-distribute without charges.)
True or false?
This determination can be made without comparing the source code for both kernels.
Hypothetical and questions:
Product A has 5000-6000 new vulnerabilities per year, about 15 per day.
Product B has 5-20 new vulnerabilities per year.
Can we explain this difference by focusing on the parties who find the problems that require patching?
Alternatively, should we focus instead on the products?
What if Product A is more complex is than Product B?
Does this make any difference?
What if Product B can perform many of the same functions as Product A, particularly the functions that are most often used to exploit a vulnerability.
For example handling data to be sent or recieved from the an untrustowrthy network such as the internet. In other words, networking with remote computers ("internet") as opposed to only networking with local computers ("IBM-compatible PC LAN").
Unlike BSD UNIX, Windows was originally designed for only local networking, where very little if any security is required.
True or false?
Windows still retains some of this original design and source code.
That is a trick question because the Windows source code is not open source. How would anyone verify what is still in that source code?
Keeping the source code from the eyes of its users does not protect them.
It may be possible to reverse engineer Microsoft products or patches to learn how Windows works.
"Good guys" may do this as well as "bad guys".
A vulnerability could be discovered by someone who is not even old enough to work for a government.
Repeat question:
Should we focus on who finds flaws in Windows or should we focus on the Windows product itself?