A Microsoft blog post on Lessons From Last Week’s Cyberattack blasted the NSA and the CIA for “stockpiling vulnerabilities” to exploit them rather than report them to Microsoft to be fixed.
The blast was well deserved. In its blog, Microsoft also discusses “shared responsibility” of users not keeping up to date with software. I certainly agree on that point, but there is no excuse for US government agencies to seek out these vulnerabilities and use them without reporting them.
Early Friday morning the world experienced the year’s latest cyberattack.
Starting first in the United Kingdom and Spain, the malicious “WannaCrypt” software quickly spread globally, blocking customers from their data unless they paid a ransom using Bitcoin. The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.
As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.
We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us. We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part.
Brad Smith
President and Chief Legal Officer
NSA Guilty of Criminal Negligence
Microsoft is spot on with its blog post. As an alleged protector of US security, the NSA sure did a piss poor job. More accurately, the NSA is guilty of criminal negligence for its role in this mess.
I repeat my questions from WannaCry Cyber Attack Hits 99 Countries, FedEx, Nissan, Hospitals, Universities with NSA Developed Malware: Five Questions.
Questions Abound
- Just how stupid was the NSA to get hacked itself?
- Just how stupid was the NSA for attempting to utilize the hole instead of informing Microsoft?
- Did the NSA demand that backdoor?
- Do we thank the folks who hacked the NSA for publicizing the backdoor necessitating the need to patch the hole?
Bonus fifth question: When does the Congressional investigation start?
Mike “Mish” Shedlock
If the NSA can’t safeguard my information, then they shouldn’t eavesdrop on my conversations/emails.
To say nothing of that little matter of the Bill of Rights.
two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
—
What’s the other threat?
I gave up on Microsoft after XP, which was the last sensible version as far as I am concerned. They stopped all support a while back (except the WannaCry patch). Given that it was even until a couple of years ago a quarter of the market, and that many still prefer it… shame they can’t keep the theme going… still has as much share as Mac and Linux combined
I started with one of these
https://en.m.wikipedia.org/wiki/ZX_Spectrum
a full 16 KB of RAM and any further storage on audio cassette. So anything after seemed an improvement… to a point… my XP netbook is pretty much redundant and a decent Android phone/tablet does 90% of what’s needed… must be a few on XP as they read 🙂 ….
Starting a war here. I was a Commodore 64 Fanboy at the time. Basically all I remember people doing was drawing rocket ships and sending command line Go to 10 so that it would make the screen repeat scrolling and make the rocket move.
FYI. Windows 10 is much better than XP. 8 was wonky at first but 10 has been incredibly stable – although a bit intrusive.
You had a… Commodore 64! While I got as far as changing the colour of the TV screen and playing a very low resolution Space Invaders (if I remember), a friend with a Commodore would let me play a nice colourful version of Pacman.
I tried Vista and 7 on other computers and could not stand them… but haven’t looked at 10 as Android is good enough now for what I need. If I ever buy a new pc it will have 10 (or better) after testing them.
I don’t watch Eurovision (no, really), but this guy is still bewildered about how he ended up in the competition, and won – great attitude towards music also… for you worldy…
Many of the prettiest songs ever written are in Portuguese. I thought this guy was terrible.
I’ll take that as past tense… you’re arguing with me again…and on purpose. Not a good way to get even, but I can take it… you voted for Spain only to see them come last, and don’t say otherwise.
Only past tense in the compliment that Portuguese music holds its own surprisingly well over the timeline of all music. Or more correctly ‘songs in Portuguese’ since none of that music came from Portugal (a country stuck in the 1500s – and whose greatest export since is some femme chick that plays soccer)
Yes yes, no need to continue… we all have our bad days, don’t we?
…and it’s a nice day outside. Going to put Joyce on my ‘walkman,’ and head out and enjoy. Have a good one.
You have a good day too.
If one ever notices nothing else about Microsoft, they can’t ignore the rapid pace of its planned obsolescence of its own products and its widespread loss-leader purchase programs to the public school systems.
Funny… just logged in to type an anecdote which is related:
One of the most disappointing events I remember ever was the day at school when instead of receiving the regular handwritten letter from my Dad, I was asked to the computer room to read an email (my first) from him instead. I don’t remember receiving any handwritten letters after that either from him. Maybe that is just me, and online communication is very useful, but it does fall short in some ways. Actually, I would recommend to anyone who hasn’t sent a handwritten letter for a long time/ever, to choose someone dear to them and write to them that way.
Somewhere in my deceased parents’ archives, there exist many handwritten letters between friends in far-off cities. I remember reading them years ago and remembering all those friends they had… some of them from the Great Depression and WWII are just haunting. Nothing sticks like a handwritten letter.
Lest we forget.
That 2% market share for Linux is just as well, and since I am writing this on Ubuntu Linux, I hope it never gets so big as to get into the crosshairs of hackers. Many of the essential apps such as the shell were written before the internet, and have no protection. In those days hacking was an inside job.
Linux has a number of mechanisms to make it virtually impossible to hack. However, it is a non-trivial effort to learn them and use them properly.
Windows 10 is a good version; the ones in between were poor to terrible.
With all respect, Mish, I had Windows 10 installed. Then I had the Anniversary upgrade. It irreparably crashed the machine, destroyed the contents of my hard drive, and erased the data structure of my RAID backup disk so I now have a disk drive with 1.4 million files. In one folder with no subfolders. Fortunately I back up onto DVD disks fairly regularly (and now much more regularly) and always order the disk version of the commercial software I buy, but it cost me several weeks to fix, not to mention that I definitely lost a few files somehow. Needless to say, anyone who proposes that I should copy my vinyl, tape, and CD music onto the computer is treated as being a bit out of touch with reality.
Agreed. Microsoft started taking security seriously around 2005 and Win 10 shows the results of that effort.
Microsoft’s problem is that they have a lot of legacy OEM-generated software that for whatever reason requires administrative privileges to run. They will be fighting that battle for a long time.
Excellent chart. Speaks volumes. Only 25% of Windows is WIN 10, meaning Microsoft is leaving 75% of Windows users out in the cold. Or from a marketing standpoint, this vulnerability is a brilliant marketing strategy to “push” the other 75% of WIN users into WIN 10 upgrades. A big-time “Ca-ching” $$ moment for Microsoft.
And in another win for Microsoft, pirate copies are flushed out as well. Could be a significant gain for them in Asia.
False. Win 7 is definitely protected. Most corporations run Win 7.
WIN 7 support and updating by Microsoft will soon end. Unless WIN 7 becomes Open Source when support ends, it will become more vulnerable to future ransomware attacks. If I were Microsoft, I would team with the NSA and hackers as part of my upgrade marketing/sales strategy when WIN 7 support ends. Not in Microsoft’s financial interest to ever allow an Open Source alternative WIN 7, as upgrade revenue would slow. Pure business dollars and sense, and good for the stockholders.
According to various reports, over 200K people in 150 countries have been affected by this attack on computers thus far… How many “techies” will lose their lives, along with collateral deaths, when software in autonomous cars and trucks is compromised by hackers demanding ransom…
Unfortunately, every other government also has their own programmers working on looking for the same code holes. USA intel agencies are not alone.
In this game of global cyber cat and mouse, it doesn’t make any sense for the NSA to stop looking for these exposures or to turn them over to the manufacturer when discovered.
Make sure your computers are always backed up and you will stand a good chance of recovering.
You’d think that if the NSA knew of a vulnerability they would want it plugged so that ‘the Russians’ could not use it, if they found it themselves, against US interests? Makes me think there is more to the story, that NSA discovery of the vulnerability was aided in a way they knew ‘the Russians’ would not be… either that or they were taking risks for the public, justifying the potential advantage as greater than the potential loss.
In trying to determine if the San Bernardino shooters were acting alone, the FBI tried breaking into the guy’s iPhone and allegedly couldn’t do it. They then pushed Apple around a little bit to see if access could be gained that way. Of all times to do so, Apple actually demonstrated some spine in their response.
Suddenly, they broke in and Apple was no longer needed. They likely paid somebody from the underground hacker community to get in. I wouldn’t trust any of the alphabet soup agencies to NOT be negligent to a criminal extent.
Consider me a conspiracy theorist, but I always take the view that the US government agencies have full access to the Windows source code, and examining it for vulnerabilities is just another day on the job. I am sure other governments have the same working assumption.
it doesn’t make any sense for the NSA to stop looking for these exposures or to turn them over to the manufacturer when discovered.
50% wrong. Grade F. The NSA should look for holes and patch them on the assumption other governments are aware of the holes and using them!
Agree. Otherwise, USA will be the only loser in a cyber warfare.
The correct solution is to build a more robust internet infrastructure and computer systems. Unfortunately we are still light years away from being able to accomplish it.
E.g. Java was supposed to be a ‘safe’ environment but… you know the story.
Criminal negligence? ha. Nobody will even get fired let alone prosecuted.
Imagine if the Russians were responsible for the release of the ransomware. Oh Christ. McStain and Grahamnesty would be calling for Putin’s head on a platter! ha. It would be an act of war!!! More sanctions!!!
But it’s not over until the fat lady sings. Watch these frauds try to blame this one on the Russians before it’s over. They have to find a fall guy outside the USA.
Chances are 20 to 1 that it was an inside job – just like the DNC leaks to Wikileaks.
A distribution graph showed Russia as being the primary recipient of this exploit. The UK (including the high profile NHS) was a far distant second.
One way of looking at that is this exploit is specifically anti-Russian. Another is simply that there a lot of un-patched Windows PCs in Russia. (China had hits in that graph, too.)
The NHS thing is something the US would mirror, probably. Health care in the US is saturated with old, un-patched Windows XP machines. They are effectively required to be that way by practitioners’ interpretation of FDA rules. Too expensive and error-prone to keep an OS up to date.
“A distribution graph showed Russia as being the primary recipient of this exploit.”
KTLA news didn’t even mention that Russia was a recipient, let alone the primary, but they did insinuate the Russians were the cause of it. Even threw “The Kremlin” in for good measure.
Recent evidence has surfaced fingering North Korea as the perp.
Oh God. Talk about tin-foil hyperbole! ha.
Russian banks and government operations were the most heavily impacted institutions by the ransomware. So now you expect us to believe that the Russians attacked themselves?
HAH! Now I’ve heard it all.
I’m wondering how many of the attacked computers have pirated copies of Windows XP.
I’m sure Himmler got a lot of stern letters of rebuke in his day.
Probably changed his methods accordingly too.
Microsoft is the problem, and deserves all the blame for keeping their Source Code secret rather than making it transparent (Open Source). You don’t need a Congressional investigation to figure this out. The NSA and CIA were never intended by Congress to be either consumer protection agencies or “the protector of US security”. The NSA and CIA are just doing their jobs (which includes cyber-warfare) as mandated by Congress and signed into law by Bush II and Obama. Like it or not, that’s the way it is: cyber-warfare has overwhelming bipartisan support in Congress. Obama threatened to do more of it against Russia on his way out of office. Unfortunately, it is not always containable.
Microsoft is disingenuous, and just trying to turn inadequate workmanship (security vulnerabilities), planned obsolescence (e.g. letting XP, WIN 7, etc. expire), and secrecy (nixing Open Source) into a money-making opportunity (boosting WIN 10 sales). Computer makers are contractually inhibited from marketing Open Source OSs if they want to do business with Microsoft. Now Microsoft blames both computer users and the NSA rather than Microsoft’s business practices/model, which makes this type of result inevitable. If not the NSA, eventually some other organization/country would figure out similar hacks. It is a great business model for Microsoft, at the world’s expense as this case demonstrates. Great sales propaganda for selling more units of WIN 10. Then when WIN 10 is obsoleted by Microsoft, it will happen all over again and people will have to upgrade to WIN 11, WIN 12, WIN 13 and so on to avoid newly emerging hacks. Constant upgrades, a great business model. This is an example of a “System Design” guaranteed to produce this result with cyclical regularity. Good for some companies (Microsoft, security firms), bad for others. Open Source OSs (Operating Systems) urgently needed worldwide, even though this would make NSA cyber-warfare more difficult.
Open source does not mean bug free! I am not aware of any complex system that is bug free.
Agreed.
Open sourcing would not solve the problem; it would make it worse. Why? Because many variants of Windows would spring up, mainly because foreign governments would like their own secure version, which would then be copycatted.
The second reason is that the Windows (and Linux) code is such a behemoth that no single person fully understands it, and those who have a chance are few and far between.
Open Source would let the computer scientists and graduate students look for and patch vulnerabilities. These are the people who got the secret codes from USA voting machines, and proved their vulnerability. Right now only the NSA can hack voting machines, and they got complacent as Hillary looked like such a sure thing. As to understanding it all, that has not been a barrier, as the NSA has proven. It might be a good thing to have lots of different versions in different countries, as hackers would then have to be country specific and could not crash computers in 100 countries at once as with this latest ransomware. In other words, a diversity of operating system variants would add stability. So, the NSA could concentrate on Russia or China or whomever, and not crash British hospitals at the same time.
Microsoft is not the issue in this case. My software engineering teams have used nothing but Linux for years now and we are facing a constant battle to keep current with the various security patches that are frequently released for both the OS and the various platforms we use (e.g. databases, Java, Ruby, etc.).
Installing a new version of Java to address security issues almost always winds up breaking our existing applications, which takes a lot of debugging and investigation to fix. There is no such thing as a painless patch.
If we just stay on old versions of Ruby and Linux we leave ourselves wide open to attack.
Keeping systems up to date with the latest versions and patches is a nightmare and it’s only getting worse.
Microsoft gets all the bad press. MacOS is as vulnerable and perhaps even worse because people falsely believe it is safe from hacking.
The big run-up in Bitcoin over the past few weeks just before these hackers demanded ransom payments via Bitcoin suggests somebody knew in advance that this attack was coming.
Big US tech companies are all in bed with the NSA. I strongly believe Microsoft intentionally created holes in all their OSes for the NSA, upon request from the NSA, to hack any computer in the world they want.
If your claim is true, the leaked hacking tools would have demonstrated that. As far as I can tell, no researcher has made such a claim.
More crying over the inevitable. My tire is flat. Is it the tire’s fault, the nail’s, or the driver’s? This happens, so suck it up. Software is like Swiss cheese to hackers. Then again users are stupid so you can trick them into unlocking the door. Stop blaming your dog because he barks. That’s what he does. Mice eat cheese and hackers break software.
- @Mish: Nope. It was the NSA that was “a bit sloppy”. Because the NSA hackers left some hacking tools on someone’s system/hard disk. And those hacking tools were analyzed by other hackers. And then those other hackers found out what the method/vulnerability was in the Windows OS.
I do not understand the S in NSA. Shouldn’t that be a U?
Are they really trying to improve the security of the people living in the USA? The most direct way would be to eliminate threats as soon as possible. As Mish pointed out: the assumption must be that other nations or criminal organisations are capable of finding out the same.
That is also the reason security experts are against built-in back doors.
There is no excuse for using Microsoft Windows. Used Macs are affordable and fast. Linux is an excellent option. Google Chrome is OK if you trust all your sensitive information on Google’s cloud computers.
What do you expect? These companies are using old outdated XP software. They deserve to get hacked because they are too cheap to keep their software updated to a recent version. Those other OSes are not any better. There just are not enough of them to make it worthwhile to hackers. Fill the world with Macs and they would be hacked to death just like Microsoft.
“Bonus fifth question: When does the Congressional investigation start?”
Finally a tech issue with a question that even I can answer correctly, and the answer is: never.
It starts as soon as someone thinks of a way of blaming the problem on Trump and the Russians.
The last thing we need is a senate or congressional investigation, neither of which would prove productive. A criminal investigation is in order. Frankly, I would love to see us do away with the NSA, the CIA, and other “Intelligence” agencies. But living in the real world, one finds that these government creations are something of a necessary evil. I keep a couple of handguns in my house for possible self protection, although I wish I didn’t need them. And I can see the day when I will need to obtain a concealed carry permit. It would be nice if societies would progress to such a point where such items were not needed but knowing human nature no one now or a thousand years in the future will ever see that day.
As an operating system MS was always sloppy. Unlike Apple, which was developed as a subset of BSD which itself is a subset of UNIX, or variation might be the better word for those technologists, the early DOS systems were unstable because the industry was new. The mainframe operating systems were designed for 64-bit processors, not the 8-bit chips. And every time the processor chip increased its bit length, the old system had to be patched to accommodate it. Intel started with the 8008, went to the 8080, and then to the 8086 and 8087, the last being a processor that could run both the 8-bit and 16-bit software. UNIX was developed for 32-bit processors (Motorola). Apple OS was developed for the Motorola 16-bit processor. While UNIX is not bulletproof, it does not have the sloppiness of Microsoft. Funny thing is, had IBM kept DOS it most likely would have developed a much tighter version of that operating system and Bill Gates would not be living in Washington State. There are a lot of what-ifs in the industry.
The internet and the browsers are a different story. The invention, despite Al Gore’s best intentions, was never meant to be more than a type of electronic document passing system between universities and corporations and maybe a couple of government agencies. Yes, it was funded by the military to provide a communications capability, but the military relied on radio and teletype. Security was the last thing on the minds of the internet creators. If they had given serious thought to the system then they might have copied the telephone example by using an SS7 signaling system. Both Bell Labs and a few national telecoms in Europe were developing an out of common channel signaling system. Both systems needed electronic switching machines and most telecoms were using either steppers or crossbar machines. With the introduction of the 1ESS switch by Bell, Captain Crunch became increasingly out of business. Imagine then that the point of entry was strictly controlled by the internet providers and that all signaling information was sent over a secure and physically separate channel, beyond the end users’ ability to control; then hacking, as we know it, would not exist. It would not exist because, like the land lines, we know where you are. We could easily track you down, or at least isolate you to a square mile or two.
So why didn’t this happen? No one thought it necessary and when it did start to become a problem no one wanted to spend the money to correct it. The Internet and the computer software are a two-edged sword. It’s that simple. You and I couldn’t afford a secure Internet access.
Excellent post, though many on this site will want to blame things on some world conspiracy.
Why not, I do. Everyone knows it’s a malignant conspiracy of inanimate objects.
I use Linux exclusively as the OS for my servers and am constantly fighting a battle to keep both the OS and the various components we use (e.g. Ruby, Java, MySQL, etc.) updated with the latest security patches. Worse, most patches break our apps, which requires debugging and engineering work every time we do an update.
The cost in effort to keep servers patched is a huge problem that is only getting worse. A greater and greater percentage of our effort is spent doing nothing other than patching and fixing the problems the patches cause.
It is Microsoft’s responsibility to constantly monitor and keep secure the operating system we paid for. Passing the buck by crying foul about the government is a joke and a diversion for their lack of security, not the NSA’s.
No system is invulnerable, and sound practices help keep your system secure. You can indeed make a secure firewall using a Raspberry Pi on the cheap for a home system. Pulling up the local wireless in my neighborhood, many are still unsecured. Many times we just ask for trouble.
The real takeaway which many already know is there is no such thing as privacy anymore, and once you put it on the internet it is there somewhere permanently. I tend to comment as if I was speaking in first person. These days too many think they are immune on the internet.
If Microsoft were required to pay for every ransomware attack, Windows would become very secure very quickly.
My budget Chromebook has a few quirks but it’s always ready to go, and quickly; every MS PC I’ve owned has been high maintenance, a continuous cat and mouse with anti-this and anti-that, which are platforms to sell more this and that.
Getting bloatware out of a new PC is a rite of passage, it’s like removing tapeworms, you pay for extra storage to hold software you don’t want.
For what it’s worth, I have been working with computers since 1972 (pre PCs). The best and most secure OS I have worked with is QNX. For the typical user today, Windows 10 is certainly the best ever version of Windows. Plus, Microsoft states it is the last version, and will be updated on an ongoing basis, while older versions will eventually be dropped from support (similar to how any warranty eventually expires).
In the never ending game of hacks and patches, Microsoft will continue to patch Windows versions that are still supported. If you are going to use computers, it is in your best interest to always have the latest version of your OS, and to have a basic understanding of security software. But the most important thing I teach people is the common sense basics that software can’t make up for. Like automobile accidents, most computer accidents are human error.
That’s funny. The NSA is not a “find the bugs for Microsoft” agency, it’s a “find the bugs to exploit and if we report them to be fixed we can’t” agency. The KEY point is for them to make sure they and the CIA don’t allow them to leak out, something they’ve been able to manage until just recently. Why can’t they seem to do so now? I suspect it’s because they now have such vast numbers of people with TS clearances working on cyber-warfare projects.
PBS Frontline: Top Secret America
http://www.pbs.org/wgbh/frontline/film/topsecretamerica/
This was an attack on XP machines only. XP came out in 2001 and Microsoft stopped supporting XP two years ago, offering FREE upgrades to Win and 8. Don’t the organizations who still run a non-supported OS have some responsibility if not all the responsibility for getting ransomware hacked regardless of where and who did the hacking? (BTW, I read today that Assange warned of this very thing wrt XP over two years ago, apparently landing on deaf ears)
If my wife leaves her purse in her shopping cart at Walmart then walks away from her shopping cart and the purse is stolen, is it Walmart’s fault? Is it Walmart security’s fault? If she gets a phone call from the thief who demands 300 bucks for the purse and all its contents, I’d say that’s a pretty wonderful problem and we’d gladly pay him the 300 to mitigate my wife’s stupidity.
This reminds me of blaming the Russians for hacking John Podesta’s email when his password was ‘password’.
Well, it’s a good thing my Toshiba isn’t running XP. I’m running Vista, with absolutely no MS support. No download for my security, only the advice to buy a new computer with Win 10 installed. Makes me feel special. Maybe Gates would like to buy me a brand new Toshiba with Win 10.
there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone
Yes, those innocent huge corporations and organizations who choose to use an unsupported Windows OS on their servers and PCs and are warned about its vulnerabilities for years are victims of that evil and greedy Bill Gates, even though he offered to replace their OS for free. Reminds me of poor innocent Hillary and those bastard Russians. Too bad there are no alternatives like updating the OS (for free) or using a Linux based OS or not using passwords like ‘password’. Oh the humanity.
Normally I might agree with you on this topic. I spent a couple of decades in high tech. I learned programming and computer architecture and engineering. I built an Intel 8085 prototyping kit and programmed the thing in assembler using a hex keyboard. Yeah, I followed all that stuff and became a telecommunications engineer. I knew the voice, the data, and even the CATV side of the house. I fought the good fight for equipment that actually worked to standards we wrote even when the VPs and CEO were being bribed with IPO stock. Been there and done a lot of it.
Now, let us talk about the customer. Back in the days of the landline, service was important. We did not expect the customer to go climbing telephone poles or poke around in the central office trying to fix his non-working telephone. We promised 24/7/365 service, period. Let me tell you, I put in the hours getting service restored during all kinds of weather just so grandma could get the call from her children and grandchildren on Christmas. Service means it works when you need it to work.
I didn’t buy an automobile thinking I had to do all the repair work myself. Back when I bought my first car I had to do the work myself, I didn’t have the money to pay someone to do it for me. Nowadays about the only thing one can do oneself is change the oil and maybe the air filters. Detroit does not sell cars telling its customers to learn how to be mechanics. Okay, so the computer user doesn’t really need to know how to do much but point and click. And he has become accustomed to the software automatically checking for software updates and security fixes. But unlike automobiles, there is really no aftermarket service for parts and software. One does not go down to the Auto Zone and ask for the latest software security fix for Windows Vista. And Microsoft doesn’t stock it either. Fact is, Microsoft doesn’t do service very well. Like many of today’s big corporations, customer service is an afterthought. When was the last time you could speak to a real human on the Microsoft help line?
And as for that “free” Windows 10 give-away, it was not without hooks. Oh yes, you would have gotten the OS for “free” only to be charged later for the upgrades. I actually bothered to read the fine print. Oh, my Toshiba model did not qualify for the upgrade. But guess what? I can and will install some version of Unix on it. Screw Microsoft. Unfortunately most of the public doesn’t have a clue how to do that and there is no computer Auto Zone to take your laptop to. Moral of the story: don’t be so quick to pass the buck.
So out of your dislike for Microsoft and love for your own OS skills, it’s still Microsoft’s fault for all those companies who refused to upgrade, who were warned about it for at least two years that they were vulnerable and knowing MS no longer supported XP for two years. And, I too have been a computer tech for years, using Linux and MS on both workstations and servers. So tell me, what MS “hooks” are you talking about after a free upgrade from XP? I applied the free upgrade to Win 8 on several XP machines several years ago when MS made it clear they were no longer supporting XP and apparently dodged the “hooks” to which you refer.
I didn’t buy an automobile thinking I had to do all the repair work myself. Back when I bought my first car I had to do the work myself.
Neither did ANY of those companies running XP. All they had to do was upgrade, which is not even close to changing your own oil or even adding patches to the OS. Your AutoZone/work-on-my-own-car analogy doesn’t hunt. What does hunt is knowing you need to change the oil, refusing to do so, then blaming the car company when the engine seizes.
I think you missed the point. Most individuals know little about their automobiles. Most would have a hard time even changing the oil.
We now count as computer literate the ability to turn the thing on and do a few point and clicks and maybe type, or, I’m sorry, they call that keyboarding now, and that is about it. They don’t know the first thing about security except change their passwords once a year.
What was the draw to IBM’s PS/2? Do you remember? It was so easy to use. What did you think sold personal computers? As an industry the computer world has sold click and play. Or to steal from an insurance ad, it’s so easy even a caveman can do it.
So now you want to castigate them for not being tech savvy, for not understanding what they purchased to some technical degree you believe they should have. And on the same hand, while MS and others have their automatic updates so people don’t have to always worry about the safety of their computers, MS and others pull the plug on support for older versions to the point of trying to force you to buy another computer with their software. Did I miss something there?
Auto makers don’t make most of their own parts, haven’t for decades. They outsource from many different suppliers and suppliers make a market in supporting vehicles upwards of twenty, thirty, and even forty years old. Hell, that has been the way things were and are for the last seventy years. Where is that same kind of support for computers and software? Do you see the difference?
At least when one owns an automobile one can take it to the dealer if one wants to be ripped off and have the oil changed, or one takes it to a Jiffy Lube type place and has it done for far less, something like forty or fifty bucks.
But what options does one have with his or her laptop or, worse still, their desktop? Oh, the Geek Squad, an overpriced service that is not guaranteed. An oil change will cost you twenty minutes to half an hour at most, and you know up front what the cost will be. Geek Squad, not so much. You are still bashing the customer, and for what reason? You don’t like the concept of customer service. I buy Toyota or Honda because I can get 300k miles out of them before I take them to the wrecker. I buy Toshiba because they are built well and last. I have an old Toshiba I bought in 1998 that still runs well. I don’t buy Ford and GM because they don’t last, don’t have the same quality, have lots of problems. Thing is, if I buy cheap and it quits I blame myself first and then the manufacturer second. Last time that happened was with a cheap off-brand chain saw. I should have known better. But most people are not familiar with electronic stuff except that it is supposed to work as advertised. And for many, they think they are the geek if they can add all sorts of apps and other junk and have them work. When it comes to electronics most people have a very limited knowledge of what they are buying, and most of the “research” they do before buying is whether their friends have one. Corporations love that world because it makes it easier for them to sell the electronics at whatever price the market will bear. It’s a double-edged sword.
“Bonus fifth question: When does the Congressional investigation start?”
When there is a Democratic President, so that the Republicans can make “political hay” from the investigation.
Nobody is hacking Windows 95 anymore so it’s safe to loop back and start over. It’s installed on my HP Vectra desktop, plus I have the CD-ROM (so I won’t get a repetitive strain injury dealing with all the floppies) if I need it on other machines. BTW, Office 97 works as well as it did 20 years ago (no subscription required!) even on Windows 10. Found the CD for $1 at Goodwill.
You are playing with fire…
O/T
“Did the NSA demand that backdoor?”
….
Rhetorical, surely
Game theory here. The NSA learns about a vulnerability and keeps it in case it can be exploited somewhere (say to spy on Iran or North Korea). But there are more agencies and hackers out there who would use any hole discovered for purposes at odds with US interests.
Therefore, following a rule of avoiding being ‘penny wise and pound foolish’, the NSA should hunt out holes and alert Microsoft and other providers in a timely manner and then make the holes public after a period of time like other ‘white hat hackers’ do. What might be gained from exploiting a hole in a one-time case will usually not be of more value than having a more reliable system overall. China, NK, Iran, Russia, plus all nefarious non-state actors can all toss more ‘hacker bodies’ at the holes than the US can.
Why would China, Russia or Iran use an operating system created by an American company? Imagine a world where they use their own managed versions of Linux and leave the “West” to Windows. We wouldn’t have a chance.
“China has been trying to move away from relying on Microsoft’s Windows software for its government, enterprise, and education industries. The Chinese government originally partnered with Ubuntu maker Canonical back in 2013 to create an alternative to Windows, codenamed Kylin. While that initial effort didn’t really take off, a new Linux-based operating system dubbed NeoKylin is quickly becoming one of the most popular alternatives to Windows in China.”
Thing is, ANY complex OS is going to have bugs… plenty of them… as will the myriad of drivers required to be used with it. If they use something like Wine within Kylin to run software written for the OS with -BY FAR- the most software available for it, there will be vulnerabilities involved with that, too. The CIA and NSA will obtain copies of Kylin and drivers and produce exploits that will have the great advantage of NOT affecting the west if they are leaked.
The greatest threat in cyber warfare is the asymmetrical damage aspect between advanced technological western nations and countries like Iran and, especially, North Korea. We would suffer vastly more damage from a cyber attack than the mostly-dark-at-night-when-seen-from-space North Korea. How does one then retaliate in kind? If we use military force, NK can already kill a significant number of people in SK through the use of massed artillery alone. They now have functional nukes, missiles, and are suspected of having a large chemical weapons inventory.
That security hole was published in mid April.
I wonder why Microsoft did not bother to look at the NSA hacking arsenal to see if their Windows was compromised.
Why did they fix it only after the new virus was spreading around?
I think you missed something. This hole was patched back in March. Microsoft would have seen that when they reviewed the leaked arsenal and moved on.
NSA and CIA stockpiling of these weaknesses for later exploitation is the most often repeated criticism coming out of this news. What also ought to be part of this critique are the hazards created by the deliberate weakening of encryption standards that has been promoted or enabled by these agencies. They have done this via participation in code-standards committees and software development forums. This would include the government’s demands that backdoors be deliberately included in all of these products.
The real problem is the growing expense in time and effort to keep internet connected systems up to date. You can’t just get something running and forget about it. No, you have to constantly keep it updated. Worse, updates are highly disruptive and often cause existing apps to break which then requires effort just to get everything running again.
This is NOT a “Microsoft” problem. My company uses Linux pretty much exclusively on our servers and we are having to sink ever increasing amounts of time into keeping the Linux servers and all the various libraries and components we use patched.
Maybe some new kind of technology breakthrough is required that can’t be “hacked”. All I know is that the current technology base is requiring ever increasing amounts of IT/engineering effort to keep patched and running. Something is going to have to give eventually.
If not, we will have to move to a world where computers are purposefully kept off of networks and disconnected from one another. It reminds me of the Battlestar Galactica reboot where the spaceship didn’t allow networked computing because it was too vulnerable to Cylon attacks.
Hotbed of Bootleg Software, China Gets Hit Most by WannaCry
by Wolf Richter • May 15, 2017
http://wolfstreet.com/2017/05/15/china-bootleg-unlicensed-windows-hit-most-by-wannacry/
Excerpt:
According to China’s official state TV broadcaster, cited by the New York Times, about 40,000 institutions were hit by the WannaCry ransomware attack on Windows-based computers since Friday – more institutions than in any other country.
This included research universities like Tsinghua University. Students around the country complained about being locked out of final thesis papers. Hainan Airlines and other major companies were infected. The electronic payment systems at PetroChina’s gas stations around the country went down for much of the weekend. Bank of China ATMs went down too.
China Telecom was among the companies that instructed employees over the weekend to patch the vulnerability of their computers, first using a patch it provided, and when that failed, a patch provided by Chinese security company Qihoo 360, which, as the Times put it, citing an employee of China Telecom, “supports pirated and out-of-date versions of Windows.”
So why did China’s companies and institutions get infected with this ransomware in such large numbers? One reason is the sheer size and complexity of the Chinese economy and the large numbers of computers. The other reason: Pirated versions of Microsoft Windows running on those computers.
These bootleg copies cannot be patched via Microsoft updates.
Ransomware attacks are growing day by day and we all can be on guard with these simple tips. Read them and set up your own best ransomware protection:
http://businesstiptop.com/ransomware-protection-for-your-business/