by turnip123942 3319 days ago
I think this is an excellent example that we can all reference the next time someone says that governments should be allowed to have backdoors to encryption etc.

This shows that no agency is immune from leaks and when these tools fall into the wrong hands the results are truly catastrophic.

> This shows that no agency is immune from leaks

That's well known for a long time. During the Cold War a lot of Russian weapons were based on US designs. There is a TV series, The Americans, which shows how to manipulate people and steal secrets. Even atomic bomb secrets were stolen (by Klaus Fuchs and others).

So I guess a lot of people in the military complex make a lot of money on these exploits, PRISM and other projects. And they just don't care about society as a whole.

If you explicitly ask someone with the form "are there organizations that are infallible to leaks?" they're likely to say "no, of course not. Humans make errors."

But if you phrase it to something like "Can the government be trusted with backdoors to protect us from terrorists and Chinese hackers", then suddenly public sentiment will change dramatically.

To quote Göring,

> Göring: Oh, that is all well and good, but, voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same way in any country.

Patriotism is both a wonderful and terrible thing, and it is made worse by fearing the "other". Any time people create a boogeyman (China, Mexico, Muslims, what have you), be on the lookout for what the true motivations are.

> Patriotism is both a wonderful and terrible thing

I found that hypothesis widely accepted, without so much for it.

Patriotism fuses core values like freedom or solidarity with a flag. That's why it is easier to pervert.

Patriotism tells people that because there are people born within the same line limits as you, you should be proud of what they do, and you should help them first.

Patriotism distorts history.

> "Fourteen thousand years ago, Sweden was still covered by a thick ice cap." https://sweden.se/society/history-of-sweden/

Bullshit. Sweden didn't exist 14000 years ago. All history is learned as if the current countries were an inevitable result thousands of years ago. World history, human history, gets displaced to be able to build a national sentiment.

> "The colonial history of the United States covers the history of European settlements from the start of colonization until their incorporation into the United States of America" https://en.wikipedia.org/wiki/Colonial_history_of_the_United...

Again, we get that feeling of pre-determination. As if those people weren't free to choose their future, as if they weren't individuals but just a means to create a country.

Patriotism narrows the mindset of populations. I don't see that usefulness. Anything that people do for patriotism will be better done for freedom, equality, fraternity, etc.

Why is patriotism a wonderful thing? What arguments am I missing?

Patriotism was temporarily necessary while we rapidly increased standard of living for ourselves, and didn't have enough resources to do it globally. In the early 21st century it was still a zero sum game on subdecade timescales.

Now we have more than enough resources to provide basics for all 10 billion of us (and decreasing) so patriotism has largely been confined to friendly rivalry around sports and regional cuisine. It was just a matter of mapping out the world's local customs and needs so the resources could be distributed intelligently.

And even at that, only about 4% of GWP goes to basic food, shelter, health, education, and cultural-ecological preservation these days. Entertainment and luxury goods make up the rest. This was unthinkable in the 2020s, but there was a lot of duplication of effort due to the maintenance of corporate moats in the basic sustenance industry at that time.

Sent from my iPhone 16S

16s? No Neuralink?

It's even stronger than that; it's tribal. It affects political affiliations as well; once you've identified yourself as part of a group, you're more inclined to take on the group's opinions, and you start to feel knee-jerk disgust at the rationales of the opposing side.

Keep the temperature up, and it eventually leads to civil war, just like amped up patriotism / nationalism leads to wars between states.

Patriotism can be a way to align the interests of a group ahead of those of the individuals in the group.

This can be a wonderful and terrible thing.

The scary thing is that it's about the group as opposed to people not in the group. This tribalism is nothing but scary.

I'm yet to see anything positive from patriotism. It's a form of outdated tribalism. Even the idea of a nation-state isn't that old - this all started with the Napoleonic Wars.

Patriotism always leads to "us" vs "them", it seems.

Patriotism seems to be a euphemism for nationalism.

It's quite hard to find a good pitch for patriotism. I like my country, but like any relationship, it is conditional on not being a sociopath. Furthermore, everything I like about my country I can like directly: free speech is laudable in itself. Without free speech, what is the US? Nothing I care for.

Greetings from Germany. Losing WW2 thoroughly destroyed patriotism here. We do fine.

Greetings from Britain. Unfortunately we didn't get that benefit too, as Brexit and the current election demonstrate...

> That's well known for a long time.

But the implications of it are not. Otherwise, no one (including heads of TLAs) could continue to claim that gov't backdoors are a good idea without being widely perceived as an idiot.

We now know that the USSR A-bomb design was a copy of the US's first implosion design, but the USSR H-bomb design was completely new, very different from the US design.

To be completely fair, it's not the NSA's fault that software has faults. It's the software manufacturers'.

The ethical concern here is whether the NSA should have reported the holes to the manufacturers and the failure to handle its privileged knowledge in a safe manner.

> ... it's not the NSA's fault that software has faults.

But every time they ask for there to be legally mandated backdoors - they need to be reminded of these incidents.

The NSA actively wants there to be "faults" like these. They just only want the "good" guys to have access to them.

I definitely agree wrt intentional exploits ("backdoors") being added. To me this news highlights the need for fundamentally safe software. Just like we might have safety laws in the automotive or airline industry.

If the NHS has been significantly crippled by this, and the NSA is partly at fault, could the NHS successfully sue the NSA in the UK?

(edit: my logic and phrasing was really bad)

At least in the US, there is limited ability to sue foreign sovereigns in our courts - not sure if that's the case in the UK too. Beyond that, I doubt this is a rabbit hole any government, much less the UK - which has a fairly imperialistic past - wants to go down. Glass houses and all.
Now that the U.S. has set an alarming precedent that the Kingdom of Saudi Arabia can be sued in U.S. court over terrorist funding, maybe the U.S. government could be sued.

I don't think they'd win; the ransomware authors and operators are the ones who perpetrated the act. The U.S. government probably wouldn't be found negligent since the software was stolen. NHS carries partial liability since it was negligent with its patching, according to industry-wide IT security standards.

Comparing it to firearms, I can be held partially liable for a wrongful death if I leave my Colt 1911 out on my porch; it's different if a burglar stole my gun safe and committed a crime.

(obligatory disclaimer that I am not a lawyer, I just play one on Hacker News)

They've been told for years to get off XP. They weren't paying MS to keep it updated. The exploit was patched months ago. Why were these machines even on the internet?

I'd say the NHS is far more at fault than anyone else here.

That would be a tough argument to make. Similar to how you would have trouble going after a gun manufacturer for murder rather than the attacker.

He is not talking about the actual flaws as being the example as to why we shouldn't give the NSA backdoor access; he is saying that the leaks prove that even the NSA can't keep their stuff secret. If they couldn't keep their hacking tools secret, why should we think they can keep their backdoor access secret?

In case anyone has been living under a rock for the past 3 years:

FBI's (recently fired) James Comey has been asking for an encryption backdoor for the past 3 years:

2014: https://www.fbi.gov/news/speeches/going-dark-are-technology-...

At that time, he said unbreakable encryption should be illegal: http://www.newsweek.com/going-not-so-bright-fbi-director-jam...

2015 (asking for a backdoor): https://www.theguardian.com/technology/2015/jul/08/fbi-chief...

2016 (same): https://arstechnica.com/tech-policy/2016/03/fbi-is-asking-co...

2016 (tried to force apple to create a backdoor for the iphone): https://www.apple.com/customer-letter/

And then here recently, he's upped it to an international agreement to create a backdoor: https://www.techdirt.com/articles/20170327/10121437009/james...

He's not the first, only, or last person to ask for it.

Good time to remind folks that Gmail, Facebook, WhatsApp, Amazon etc aren't going to be able to protect their data forever at the levels they are currently capable of.

A couple of bad business decisions and they are where Yahoo is today. So be smart about how you use these services and educate the non-technical folks around you.

What would 'being smart' about using these services mean? It is pretty difficult to get through life in the modern age without using email for sensitive documents (or at least without using ACCESS to your email as a way to gain access to sensitive services, eg password reset emails, proof of ownership, etc)

Since email in the modern world has this type of importance, what should I do? If you say gmail can't protect their data forever, do I not use gmail for email? What do I use then? No service will be free from data leakage, even an email server I run myself.

Did I say stop using them?

Distribute risk. Use multiple accounts. Don't handle all work/financial stuff on a single account. Keep work and personal accounts separate. Reduce the number of hours you spend online being a data milch cow for these corps. This automatically reduces dependence. Don't allow messenger chat transcript backups to happen by just uninstalling the app every other night. Don't restore any saved transcripts on disk on reinstall.

I could go on and on, but the basic rule is to use your imagination. Don't use these tools the way they want you to use them. Use them as you would use a tool in a workshed, as an aid, not as a drug you are dependent on.

Just make sure whatever email provider you use offers IMAP and use a client like Thunderbird to keep a local copy in sync. Back that up somewhere safe and you're fine. If you need good, fast search, use something like X1.

This was something I thought POP did better since it requires maintaining one's own copies after downloading. But it was much less convenient as people used more devices.

Sad that managing our own multi device services is so time consuming.

That will protect you from data loss, but not data theft.

I would say that it's probably smart to occasionally purge all your content from online services and keep your data in cold storage you physically control.

There is quite a large cost to that, though. Being able to search through old emails is a lifesaver. I can't count how many times I have searched through email to find some account info I set up years ago, or to get date information about when something happened. Just today, I searched my email for my old FastTrak account info, and found it on an email from 5 years ago.

Deleting all my email would be a big cost to pay for a gain that I can't exactly quantify; I would have to figure out the likelihood of my data being leaked over time and the cost to me if the data was leaked. It isn't readily obvious what the risk factor is for me, but I KNOW the cost factor.

I agree about this ethical concern, but this attack also shows that reporting the holes to manufacturers is of limited use -- these exploits have been known to manufacturers since at least March, and while patches have shipped, the computers remain vulnerable. Clearly, automatic security updates are still not aggressive enough to prevent these kinds of problems. Though it isn't clear from the article how out-of-date the vulnerable systems are, which would help in planning for the future. For example, Windows 10 pushes security updates very aggressively, and I wonder how many of the infected computers were running Windows 10 -- health care providers' computer systems are often notoriously out-of-date.

No-one running a large organisation's IT systems is going to be letting individual machines just install whatever updates the software maker feels like pushing, even on Windows 10. That would be a big risk in itself: plenty of software makers, including Microsoft, have pushed horrible breaking changes in updates in the past.

Personally, where I would point the finger squarely at Microsoft is in its recent attempts to conflate security and non-security updates. Plenty of people, including organisations who are well aware of what they're doing technically, have scaled down or outright stopped Windows updates since the GWX fiasco and other breaking changes over the past few years.

This also leads to silliness like the security-only monthly rollups for Windows 7 not being available via Windows Update itself for those who do update their own systems (not that this matters much if Windows Update was itself broken on your system by the previous updates and now runs too slowly to be of any use). Instead, if you don't want whatever other junk Microsoft feel like pushing this month, you have to manually download and install the update from Microsoft's catalog site. Even then, things like HTTPS and support for non-IE browsers took an eternity to arrive, and whether the article for the relevant KB on Microsoft's support site includes things like checksums to verify the files downloaded were unmodified seems to be entirely random.

I get that Microsoft would like everyone to use Windows 10, but for some of us that isn't an option or simply isn't desirable. Since we bought Windows 7 with Microsoft's assurance that it would be supported with security patches until 2020, this sort of messing around is amateur hour and they really should be called out on it a lot more strongly than they have been.

I would be curious about this too. I'd assume many of them would be running Windows 7, maybe? (Let's hope it's not XP).

Also, does Windows 10 Pro attached to a domain controller still have the same aggressive updates? Or do domain admins dictate that policy?

At one company I worked at, everyone in IT could volunteer for the patch group to get security patches a few days before the rest of the machines. That seems to work pretty well. Is there any evidence there might have been a 0 day involved that wasn't patched? I find it disheartening that so many machines in large managed networks like telcos and hospitals could be so far behind on patches! (3 months is A LOT in Internet time).

If people are just doing really basic stuff like order entry for doctors/nurses, we really need to get away from the full PC model. Seems like most of these machines should just be Chromebooks, Linux boxes that boot straight to a browser or something of that nature instead of a full PC/Macs. Lower the attack surface with something that's easy to update. Those machines would be lower cost too and easier to manage/patch -- moving back to the terminal/thin-client model.

> Let's hope it's not XP

BMJ released a report[0] just two days ago alleging that up to 90% of the NHS's computers are still running XP.

> Many hospitals use proprietary software that runs on ancient operating systems. Barts Health NHS Trust’s computers attacked by ransomware in January ran Windows XP. Released in 2001, it is now obsolete, yet 90% of NHS trusts run this version of Windows.

[0] http://www.bmj.com/content/357/bmj.j2214

It appears that Theresa May is trying to deflect attention from the fact that there has been massive under-investment in NHS IT infrastructure by reinforcing that it is an 'international attack on a number of countries and organisations'.

Whilst this is true, it's probably also true that the impact of this attack is highly concentrated across organisations with chronic under-investment and a laissez-faire attitude to security.

>Whilst this is true, it's probably also true that the impact of this attack is highly concentrated across organisations with chronic under-investment and a laissez-faire attitude to security.

Good developers are rare enough, but good IT security and security-minded developers are even more rare. And it's even more rare that they decide to work within healthcare.

There just isn't enough of you to go around and you can't be everywhere.

Even if you can afford to have a dedicated pentesting team (I'd like to work at a healthcare system/hospital network that did), physical security is still a major problem if only because it's very easy to impersonate people.

In fairness, massive over-investment in NHS IT infrastructure hasn't gone so well either:

https://amp.theguardian.com/society/2013/sep/18/nhs-records-...

https://m.theregister.co.uk/2012/01/12/drone_consoles_linux_...

Military drones were using XP until they just had too much spyware on the machines to operate the drones.

It makes no difference whether they created the security holes by moles in the developers company or whether they simply withheld the information. They put human lives at risk by doing it.

> To be completely fair, it's not the NSA's fault that software has faults. It's the software manufacturers'.

While this is true, it doesn't address the point that you were responding to:

> this is an excellent example that we can all reference the next time someone says that governments should be allowed to have backdoors to encryption etc

...where "should be allowed to have" is interpreted as "should be given by software manufacturers".

> To be completely fair, it's not the NSA's fault that software has faults. It's the software manufacturers'.

The NSA has a specific mission to secure the nation's infrastructure. In withholding key information from US companies, it's failing that mission.

That's half the NSA's mission. It has another half and that is eavesdropping and getting into things. Those two missions are at odds with each other, and so the NSA has to make decisions about trade-offs. As these incidents show, the trade-offs the NSA has chosen to make have turned out to have been bad ideas.

This is why the NCSC was split from GCHQ in the UK. https://en.wikipedia.org/wiki/National_Cyber_Security_Centre...

Ok, so show us how you write perfectly secure code. It sure as hell is the NSA's fault here for mishandling all their hacks into commercial sw.

I don't think you can completely separate the issue from other gov't actions. When the NSA or other gov't agencies come knocking on the door requiring a backdoor or other system security compromises, I would argue that those actions become a broad discouragement for private industry to invest in security beyond a certain point.

You may be thinking of the 2nd law of thermodynamics. Possibly.

If I understand correctly, there were no backdoors used here. Only zero-days. If the NSA is guilty of anything, they're guilty of not informing system designers of exploitable vulnerabilities. But then the argument becomes entirely ideological and naive since we all know the NSA's mission is almost entirely counter to that outcome.

Edit: Apparently, not zero days. Vulnerabilities were patched months ago. I think the point still stands, which is that this outcome really has little to do with debate over encryption backdoors.

2nd Edit: On second thought, there is an argument that, if a backdoor were in place that only government agencies had access to, the means to access it could be leaked just as easily and in a similar manner to the way that information about these vulnerabilities was leaked. Then, we'd really be fucked since a backdoor could likely not be "fixed" with a simple patch (it might be fundamental to the design of a system). Considering this, I'll have to walk back my earlier statement and agree that the topic of backdoors is quite relevant here.

> Only zero-days.

The exploits released by Wikileaks' Vault 7 dump went public months ago. They're as much a 0-day as JFK's assassination was just a few days ago.

I've seen a lot of security people sticking to "this is not an 0day you idiots" retort, downplaying the importance of the leak. Frankly I think that's a pedantic argument that ignores too much of the real world.

The NSA leaks contained previously undisclosed security vulnerabilities that were patched only because they were stolen. In MSFT's case it was less than 30 days, and they basically skipped a patch week to make it happen.

It's manifestly obvious that 0day and 30day can both be considered extremely dangerous in the real world.

The difference is that at least five nation states could have gotten in a 30 day window without much trouble.

Small correction: Nearly everything in WikiLeaks Vault 7 material was already patched (With the exception of something Cisco related which has since been patched I believe). The Vault 7 content was from CIA.

This issue is apparently based on a more recent leak by the Shadow Brokers, containing content from NSA and some other DoD elements who worked on offensive cyber operations.

Just because patches are available does not mean that they have been applied. Legacy applications, specialized hardware, vendor shenanigans, and organizational inertia can be significant impediments to keeping operating systems at current runlevels.

No zero days were used. This was patched in March.

Yes, but exploits for these bugs have been published now.

I worry that they might sell it as a reason backdoors are necessary: if only we had backdoors, we could've saved those patients! The flaw of this logic would be lost on most lawmakers.

Humor me... if encryption had a backdoor, then ransomware could be effectively mitigated.... Though I'm not a proponent of backdoors by any means, I don't see the logical flaw here.

...Because criminals are going to use state-sanctioned encryption software with mandated backdoors?

Even if everything off the shelf and open source has some built-in escrow unlocking keys compiled in, hackers are just going to find those code paths and remove them. Encryption works because of certain mathematical principles and laws.

Backdoors will only let governments look at legitimately encrypted data and not anything made by criminals who know how technology works.

There's a bigger question here: what if the NSA or CIA or some other intelligence/defence organisation discovers a solution to solve some of these hard problems in polynomial time .. and then doesn't release that information so they can use it to spy.

In that situation you're going even further: you have agents who are literally holding back scientific research that could change the entire field of mathematics and human understanding, research that could advance number theory by orders of magnitude (a jump equal to that of going from the first flight Kitty Hawk to the Saturn 5 rocket), for limited political gain.

That makes sense...

So "If encryption had a backdoor" is meaningless. It's really "If a given encryption implementation had a back door" and no one is making the criminals use certain algorithms.

thanks

Well, the bigger problem would be ensuring that the criminals used known broken encryption. The only advantage is that many of these attacks are copy-cat, so if you released the source code for a broken ransomware implementation, it will probably get used more or less verbatim… as has been shown in the past. (https://threatpost.com/bitcrypt-ransomware-deploying-weak-cr..., https://www.utkusen.com/blog/destroying-the-encryption-of-hi...)

Anyone who actually knows what they are doing, and is prepared to break the law, would just use AES. All of those law-abiding institutions would be forced to use a weak encryption scheme.

Sure, it might help stop script kiddies, but it won't help to stop professionals, and professionals are the ones that you have to worry about, since they end up hosing 45,000+ installations in a day.

If they don't just replace your data outright with noise.

Assuming that the criminal opts to use the encryption with an NSA backdoor and the victim is able to schedule time at their local NSA Genius Bar to recover their data.

> if encryption had a backdoor

This is the flaw in the logic. "Encryption" can't have a backdoor any more than math can have a back door.

Specific types of encryption can. But there's nothing to stop a malicious user from using a non-backdoored encryption algorithm or inventing their own.

Yeah, I don't think ransomware is going to use the US approved algorithm. What they are doing is already illegal.

So developers of ransomware would build backdoors into their ransomware because the law requires them to?

How would you practically do that? Send all those encrypted hard drives to NSA to be decrypted? Publish the backdoor, effectively rendering that encryption scheme broken?

Just ask the NSA to send you the un-encrypted files - they probably have them in their database anyway.

Wouldn't the attackers just use a crypto scheme that didn't have a backdoor?

The logic is that encryption without a backdoor already exists, and no law can stop a criminal writing a virus from using that.

Then encryption wouldn't be doing what it's set out to do.

The logic is sound in theory. But in practice if the government can't protect its exploits, they most likely can't protect their keys to the backdoor.

Why would the people reaping the rewards of ransomware use encryption that has backdoors if backdoorless encryption already exists.

It's either turtles all the way down (backdoor of the backdoor of the backdoor..) or you always strive for secure software.

Why would ransomers use encryption with a back door? It's not like you can force them to only use the crackable math.

Who has the keys to the backdoor? How do you force the ransomware authors not to use the good encryption?

Only if the bad guys use the NSA-backdoored encryption.

Problem is that people (politicians) wanting to push it through simply don't care. They just want to have access and they think there are agencies that can deal with potential consequences. It is frankly all about the money - they want to have the ability to access sensitive data and therefore be more attractive to people willing to pay the bribe.

And it follows that anything that can create such harm CAN and eventually will "leak" or fall into the wrong hands.

Maybe one day, as a species, we'll learn not to create this kind of device.

(sorry if the message seems too exaggerated)

also that it is very unethical for the US government to find some vulnerability in android/windows/whatever and not report it

Is it particularly unethical? Many governments around the world are discovering 0-days in commonly deployed products and not revealing that to the vendor, but instead using it as a weapon for navigating computer networks.

Revealing the vulnerability would place the US Govt at a distinct disadvantage.

This is an argument that highlights the difference between attack and defence in cyber: attack is easier than defence, and is the most chosen path because of this reason.

Your point is actually valid, but that doesn't mean I have the intention to pardon the NSA for having compromised the network of my university, the same network I used each and every single day during my studies (and no, I am not a terrorist, nor do I know anyone involved in terrorism, child pornography, or whatever else they had in mind).

Sorry to say, but "anyone is doing it", is not an excuse or a reason for doing something.

If instead of exploiting half of the world, they had dedicated their experience to making their (and everyone else's) infrastructure safer (by sharing security-conscious design concepts and considerations with software developers and hardware manufacturers), we probably would not now have massive botnets, exploitations and leaks (last but not least the political consequences of perpetrating and sustaining this kind of decision).

Where is the point when maintaining the supremacy of one's country over the others through deceit, intrigue, and espionage costs too much in terms of negative outcomes?

For me that line, US and many others included, has been passed a long time ago. But that's just my humble opinion. Each one is free to draw conclusions through his own point of view.

the entirety of your argument seems to be "it's not unethical because other countries do it", which is not compelling when you consider other forms of unethical behavior using this defense.

Were all of these unreported?

Not only unreported but weaponized by the US Government.

You are right but I'm not pleased that your comment has hijacked all discussion on this article.

(Not that it's your fault, it's somewhat germane to the overall issue of government, I'm just whining)

I agree with this but there is a good argument to be made that well engineered backdoors are better than intelligence agencies hoarding undisclosed exploits.

Is there? I can't think of one.