by loteck 3324 days ago
The quote bombshell here, and what hasn't yet gotten much attention since sysadmins the world over are busy dealing with fallout, is that the NSA and therefore the US government is directly responsible for the current global cyber-carnage. We developed the capability, we chose to keep it unpatched, we tried to keep it secret, we lost control of it.

This has similarities in type, if not in horror, to the development and subsequent spread of nuclear weapons. When we lost control of those secrets, it was a BFD [0].

[0] https://en.m.wikipedia.org/wiki/Atomic_spies


I agree completely. People can blame MS for their insecure OS, or users who don't know any better for running outdated systems (or even for running Windows at all), but the stark reality is that all OSes have vulnerabilities because they are huge and complex and it is impossible to make them 100% secure.

But the NSA are - by definition - supposed to be security experts, so what are they doing letting themselves get hacked? They have effectively given away the nuclear football.

I'm shocked we're not seeing more blame in their direction on this one.

A bit rich from Microsoft to talk about hoarding when the patches they released over the weekend were all signed back in February... i.e. they are hoarding fixes to their own shit for their $$$ extended support agreements.
"The chaos surprised many security watchers because Microsoft issued an update in March that patched the underlying vulnerability in Windows 7 and most other supported versions of Windows. (Windows 10 was never vulnerable.)"

source: https://arstechnica.co.uk/security/2017/05/wcry-microsoft-is...

So I don't really know what you mean by 'hoarding the fix'. The patch was not initially released to some OS versions because they are NO LONGER supported.

I believe the "hoarding the fix" comment was in reference to the patches for Server 2003, XP, and Windows 8 that were released publicly for the first time over the weekend (but had been distributed previously to customers paying for custom support) [0].

[0] https://news.ycombinator.com/item?id=14329914

I guess I don't see it that way. Extended support (which includes security patches) is only for paying customers.
The "$$$ extended support agreements" funded the development of those fixes. Why would anyone pay for the agreements if Microsoft just developed and released those fixes for free? If organisations are stupid enough to lock themselves into 16-year-old software and create more work for Microsoft, I'd say they were well within their rights to charge.
Maybe they were testing them?
For three months? That says a lot about the overall testability of their stuff.
I blame Microsoft, not for having a shitty OS, but for colluding directly with the NSA. Anyone who believes that Microsoft was not aware of the exploits in their system is naive.

Microsoft has done NOTHING to show that things have changed since they colluded with the NSA on PRISM (https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-...), and so anyone who believes that things have changed is a moron.

Remember, head executives at Microsoft are essentially part of the "shadow government" as they were privy to 1984-style surveillance that even much of congress was unaware of until the Snowden leaks. People at MS knew and said nothing. Executives at MS are closer to the NSA than most of congress. Let that sink in.

MS issued a patch ahead of the usage of the lost exploit by a wide enough margin that I'm loath to blame the government for the mere existence.

The problem lies in our defensive infrastructure and our ability to roll out patches responding to incidents.

It also lies in our security infrastructure: that cryptoworms are a danger speaks to a fundamental lapse in permission and process management systems.

> The problem lies in our defensive infrastructure and our ability to roll out patches responding to incidents.

The problem is corporate IT (or management) think they can create some sort of stable environment, driven by fear of having things break. Organizationally they need to accept that they are operating in a dynamic and hostile ecosystem and that the risk of worms is higher than the risk of some random app breaking on a windows patch.

> Organizationally they need to accept that they are operating in a dynamic and hostile ecosystem and that the risk of worms is higher than the risk of some random app breaking on a windows patch.

Except it's not. The account used by the hackers has supposedly earned about 4 Bitcoins so far. Meanwhile, many people from home users to professional IT personnel can recall incidents where Windows Update has broken something that worked fine before. Up to and including installing a completely new version of Windows, force-fed to unwilling customers with intentionally-deceptive practices.

I know of more times when updating Ubuntu made the machine unbootable than for Windows.
I'm a CentOS desktop user at work and Ubuntu at home. I love my Linux. Objectively, the parent poster is correct. For all MS's faults, I've had no fewer problems updating Ubuntu systems than I've had or seen with MS systems.

That said, CentOS is _rock solid_. The packages are old, but maintained by Red Hat upstream and do not break on updates. The only thing I recall seeing break on a CentOS update, including point releases, are Firefox and Thunderbird extensions, as Mozilla apps are updated eight version numbers from one ESR release to the next.

What type of update? Dist upgrades can be broken, but I've never had issues with general updates.
This is a little misleading. The cost of the attack to businesses, governments etc is vastly greater than the laughable amount of money actually raised by the criminals.

A doctor who needs to look at an X-ray and comes up against WC is not going to pay up on her credit card. She will call the IT department to 'fix the broken computer'. But she still won't be able to look at the damn X-ray.

This is only a single particularly large attack; the same sort of thing happens to machines every day on a smaller scale. The future potential for attacks like this also goes way beyond the current attack.

I do agree MS needs to shoulder a lot of the blame here, but would they have acted differently if IT departments didn't block updates?

The margin would've been much wider still with responsible disclosure from the NSA, however. This means that fewer people would have been affected.
Unless the NSA reported it to MS back when XP was still supported, not much would change. People can (and do) reverse-engineer exploits from windows updates, and they could still take advantage of the large number of unpatched XP machines.
In an unusual move, after the worm started spreading MS released a patch to XP for this exploit.
Based on what?

The NSA likely gave MS months of lead once they determined what SB stole. A patch was pushed out before the release of the vulns.

There's no reason to suspect that people wouldn't have reverse engineered the vuln from the patch and had similar timelines of unpatched systems being exposed.

In fact, we see exactly that play out over and over with security patches.

Well a US government agency in charge of US Security decided that keeping the US and its allies vulnerable. They definitively need to answer if the benefit was really worth it.
How many times do people need to be told that XP machines should not be connected to the internet, especially if they're not keeping up with patches?
MS also has to share some blame here for updates that break things, and updates that restart at random times (such as when you're doing some really urgent work). This has trained a whole lot of users to believe that windows updates are a risk to their use of the computer, and now just click away any update prompts.
Honestly, though, updates breaking things are quite rare. Sure, I know of "a friend of a friend of a friend" who had something break, but honestly, aside from patch installations sometimes being started at inopportune times, I haven't personally encountered things breaking on any of my systems or those of friends or family. More things get broken because people hear that there are problems and try to stop the updates.
Complete BS. This is what happens when you have top class PR at your disposal to define the narrative.

Microsoft is responsible for their shit software getting exploited first and foremost. Seriously fine Microsoft and by day after tomorrow that 3500 security engineer number will jump to something realistic.

Instead what will happen is more tightening of the walled garden, overcharging of support/security contracts and propping up of another billionaire or two. I can hear the whisky glasses clinking.

Corporations do not get to set the agenda and the narrative. When they are allowed to, the results are very predictable - in this case Microsoft will make more than they lose. Who here disagrees that is going to happen? And who here believes that is right?

The answer is simple: whether it's Microsoft today or Facebook and Google tomorrow, win-win should not be an option when such things happen.

Uh, except Microsoft had already patched the vulnerability, just not for XP that was still being run. Of course you can punish them and force them to support all legacy OSes forever, until that strangles the life out of them at which point large institutions still have to run the old OS because they have too much investment in computer controlled hardware with no forward migration. Now they are locked into an insecure technology stack with no vendor to take responsibility and no source code to even take on the problem themselves.

There's plenty of blame to go around to be sure, but giving the NSA a pass for developing zero days is batshit insane. These guys are playing god instead of helping make infrastructure more secure overall, and it will not end well, even if they outcompete the Chinese or whatever other bogeyman they cook up to justify their power grab.

This is why free software is necessary.

Proprietary software makes you rely on a company to fix everything. It's like driving a car without being able to replace a flat tire.

It wasn't about fixing, it was about upgrading/updating. It takes people and money to upgrade large infrastructures - closed source or open source, doesn't matter. Thinking that irresponsible (or budget-constrained) organizations will somehow have a completely different mindset and/or set of priorities when they switch from Windows to open source software is naive.
No it is about fixing, a design flaw allowed this to happen. SMB1 (hopefully) wasn't built thinking EternalBlue would be a fun feature.

No one expects perfect software; but this clearly happened because Microsoft's software was broken, the NSA found where, and hoarded and then lost control of that knowledge.

edited: I understand what you mean about people not patching and leaving themselves vulnerable. A lot of pain could have been prevented at that level.

So let's assume this was in Ubuntu, let's say version Ubuntu 10.04.4 LTS (5 years of support), and the NHS decided that it didn't want to upgrade beyond 10.04.4 because some of their stuff broke...

Long term support ended in May 2013 for desktop. But Ubuntu patched the bug in March 2017 for all current supported versions of Ubuntu.

Then the NHS got hit with the bug.

How does free / non-microsoft software protect against a shitty decision to not update / upgrade?

Assuming these hospitals keep updating and do not get stuck at Ubuntu 10.04.
Anyone can seek help on the open market to support Ubuntu 10.04 forever if they like. You can't go to another company if you don't like the price Microsoft sets for support for Windows XP.
This comment makes my blood boil. Please ask yourself:

1. why would anybody want to keep 10.04 alive?

2. do you think the type of people who stubbornly continue to use 10.04 would know/care enough about security to seek an alternative source for security patches?

edit: should maybe add why this pisses me off: just logged into a production server running 12.04, default install apache and updates _turned off_. the owner looked confused (and slightly bored) when I explained the problem to him.

Hospitals run life-critical equipment; Ubuntu is not suited for this. AFAIK hospitals running Linux choose Debian for stability, or Red Hat for support.
Install Debian with testing repositories and unattended upgrades and you're done for good.

Or just stick to CentOS and with their 11 years support period.

XP was supported for 12 years. It's now over 15 years since it was released.
The CVE database or OpenSSL are good examples of how much safer open source actually is.
> ... are good examples how much safer open source actually is.

Sorry, open source never equals free software (most of the time). Though what you said may be true for both.

And some day, we will surely know why free software is better than open source. It's only a matter of time. But by the time, it will be late, and out of control.

Free software can be closed source, which is why companies love MIT style licenses.
Maybe the law should say 'security patches or open source'?
The law should simply put liability on the software, if it is not open source.
Why do you want the law involved?

What we have is a cultural issue, not a legal issue.

>> large institutions still have to run the old OS because they have too much investment in computer controlled hardware with no forward migration. Now they are locked into an insecure technology stack with no vendor to take responsibility

Any company that locks themselves into a specific operating system, and then declines investing to upgrade with each new release is entirely at fault. I can imagine the executives at these companies complaining about how their one-time outsourced application made overseas cannot possibly be migrated. Even if built locally, clearly no money was budgeted to maintain the software or infrastructure. These companies get what is coming to them when their only priority is the current quarter's bottom line, with no planning for how the company will manage to keep operations up and running in the next quarter, let alone the years ahead.

You specifically mention lock-in due to "computer controlled hardware". The idea that companies build the core of their business on hardware that can be controlled with Windows XP but not Windows 7 or Windows 10 is laughable. How is that even possible? The backwards compatibility Microsoft provides means it's nearly impossible for any application to become unusable within a decade - or even longer. The application will need to be maintained with minor changes to make use of modified APIs, or to transition from 32 to 64 bit architecture, etc. - but the amount of work needed is nowhere near infeasible. It only becomes difficult if you spend many years ignoring required upgrades, and then try to perform a single massive upgrade covering half a dozen missed release cycles all at once. Even hardware ports going out of fashion (example: serial ports) is not the end of the world. Compatibility between the latest operating system and old port standards will always be possible, as those that need such things make it happen.

No sympathy for any company still running Windows XP. None whatsoever. It sucks when it's government that is affected, whereby taxpayers' dollars take the hit for the fallout. Still not a shocking, unexpected result. In fact, this is precisely the expected result.

How much do you think it would cost Microsoft to support XP forever?
There's a big argument for only releasing evergreen style software, and giving the middle finger to IT orgs that want more control.
This. There are lots of groups to blame, but corporate IT departments are high on the list.
What does "evergreen style software" mean? A quick search didn't return an obvious answer.
Software that continually updates itself automatically. It's what Chrome popularized.
Allowing XP to exist forever is not a good thing for security either. There are security architectures in place within Windows 10 for example that do significantly improve security.

At some point companies need to cough up the money and upgrade their technology.

Is there some philosophical principle under which you believe that companies must "cough up money" for services that they have already ostensibly paid for? That sounds remarkably like extortion.

If Windows XP is proven to be untenably insecure, anyone who bought it should receive a refund.

My car will break down at some point due to imperfect engineering and the realities of physics. Is Ford required to repair my car indefinitely or allow a refund on a car with 250k miles? No, when I bought the car, it came with a warranty stating if they messed up they would fix it within a certain period of time or miles.

When I buy Windows, I agree to a warranty of sorts. They agree to supply updates to the software for a set period of time. Afterward, it is on me.

Nobody can write perfect software, it will age and break down. Nobody can engineer a perfect car, it will age and break down. Demanding infinite warranties is ridiculous.

I think the discovery of new types of exploits could be considered akin to wear-and-tear of physical things you buy. At the point of sale the software was safe, but over time problems were discovered.

When you buy a house you have a whole battery of inspections performed to make sure that you're buying somewhere safe, but over time the small things that got overlooked (like a small crack in a roof joint) or were considered safe at the point of sale become worn, or are discovered to be unsafe (locks susceptible to bumplocking for instance).

It's a tenuous analogy to be sure, but I don't think it's reasonable to think that Microsoft should refund people who bought XP. Are there any Linux distributions that back port all fixes to version 0.1?

Microsoft's support policy says they will only provide security updates for 10 years. Any company who wants more than that can pay them extra for the privilege. That's not extortion anymore than extended warranties are extortion.
Assuming we class XP as a defective product, at what point do we stop requiring recalls? If there is a safety defect in a 2001 model car, will it be required to have a recall?

Given that MS even made a patch (which is generally equivalent to a recall), I'm not sure that your suggestion will be given that much credence. I mean, if we say that XP is an unsafe product, the government could stop them from selling it and remove it from the shelves, but MS stopped selling the product in 2008 (nearly 10 years ago) and has repeatedly urged its customers to stop using it because it is insecure. This is all that the government generally requires in this situation as far as I can tell.

Edit: grammar

Not all markets or products are the same. You're talking about software as if it were a rotten potato. It's not. It's an incredibly complex market for incredibly complex products. I agree that there needs to be a way to value the liability that software makers should face.

In the short term we need everyone to be better net citizens. That includes the businesses using this software to create the trillions of dollars of wealth on the global economy.

Yeah, I'm hoping that, if nothing else, WannaCry will prove to be the incentive required for a lot of places to stop putting the upgrade off.
Microsoft still are supporting XP. Just not for the general public.

Organisations with high value software that relies on XP still receive ongoing support from Microsoft (such as the US Navy and anyone else who wants to pay big bucks for it). The difference is none of these patches usually make it to the public.

For Microsoft to patch this current issue, there would have already been a pre-existing team working on XP patches; the only difference is this one was released publicly due to its impact.

http://bgr.com/2015/06/24/windows-xp-support-us-navy-million...

Why would you pay to change something that works fine? And pay more to have your software redone, and pay more to have the employees retrained.

Microsoft wants more money and pushes newer revisions of the same crap instead of actually improving the existing one.

Until win10 that is, win10 is now the only windows version and offers more spying, a worse UI and UX while also including ads.

See, but you're making practical sense about the real world. That's not going to fly with people using this as an opportunity to push their favorite narrative.

I agree with the point on the NSA. There were surgeries cancelled in the UK. This materially impacted the lives of our allies. How is that supposed to work?

Luckily we've got a set of level heads running every branch of government these days...

> Instead what will happen is more tightening of the walled garden

You know what? I'm starting to get excited for the walled garden to get more walls.

Native desktop applications get far too many permissions by default - it's crazy that any desktop application, once running, can register itself at startup, see all my files (created by any application), register system-wide keyloggers, take screenshots of other applications and download my contacts list, all without my permission. We don't let web apps do that, because web app developers aren't trusted by default. We don't let mobile apps do that, because mobile app developers aren't trusted by default. Why on earth do we implicitly trust any executable file run on the desktop so much?

Telling users not to double click on executables is obviously not working. Even for experienced users, I have no idea whether some random app on the internet is trustworthy. It's a reverse lottery. I also suspect ransomware like this one would have been slowed down if it needed explicit user permission to read & modify files on disk.

We even know what the sandbox should look like, because we have two working examples in the form of the web and mobile. And we have sandboxing support & APIs in most operating systems. We're just missing the UI part.

I'm imagining something like:

- All apps get signed by the developer (Lean on SSL? Not sure the chain here.)

- The app needs to request capabilities from the user, like on iOS. "App X by Y developer wants permission to read the files in your home directory". (/ Read your contacts / Register at startup / Take screenshots / Modify these files).

- Capabilities can be viewed and revoked at a system-wide level in the control panel / system preferences.

That's fine and dandy - I'm all for it, in fact, I configure my systems thus with 3rd party tools as much as I can. Android is mostly like this (with a less than perfect implementation)

But when people talk of "walled gardens", they mostly refer to the guardian at the entrance. Only Apple decides what runs on iOS, only Microsoft decides what's in the App Shop. That's NOT good for anyone (except Apple and Microsoft).

Sure, make users jump through hoops to install alternate stores, and warn them up the wazoo when they do that. But do let them, or general purpose computing as we know it is gone.

Security professionals are almost completely unanimous about how effective Apple has been with its "walled garden". I'm not even an Apple fan, but what they have done is pretty amazing from a security perspective. Like it or not, it has worked to keep people safe from many, many types of attacks.
Sandboxing and tighter security are orthogonal to app stores. The same security policy should apply to every app, regardless of whether it was installed through the official store or from another source.

What the grandparent is suggesting is akin to UAC, which received much hate when it first debuted in Vista but has now become a mostly accepted part of the Windows user experience. It has been done before, and it can be done again, with every Windows app, not just apps from the Microsoft Store.

They are orthogonal in theory, but so far not in practice - all three appstores in common use (iOS, macOS, Android) have mandated sandboxing and security.

grandparent was suggesting UAC, but started with:

> You know what? I'm starting to get excited for the walled garden to get more walls.

Walled garden is fine only if you build the walls. Please let the iOS stay the only such corporate build travesty.

It is good to have the ability to raise the walls. It is not good for apple and MS to decide what to use their OS for...

Yeah I don't want the only distribution model to be an App Store. And I don't want to lose the ability to run things with root access.

But I strongly believe that right now apps get too much access by default (read, write all my files is crazy). And if they need anything beyond that they just ask for root. There needs to be much more granular permissions, with more restrictive defaults and nice informative dialogs.

It's unsexy, and inconvenient for developers. But it's the right thing for our users. It's how I want random programs downloaded from the internet to behave.

> You know what? I'm starting to get excited for the walled garden to get more walls.

Yep. What developer types don't like to admit is that for the average user, who doesn't use the features excluded by the walled garden anyway, the tradeoff is well worth the security gains.

Why do you think people would treat them any differently from the UAC screen of Windows 7? That is, just click OK to grant whatever permission it wants, or disable it entirely to avoid the annoyance.
That's probably true, but you could enforce it at a corporate level with a whitelist of apps that should have access to certain permissions.
I'm not sure if you know, but Windows already has that - Metro apps (or whatever the name is now) are sandboxed and with a permission system.

But they are much hated.

> But they are much hated.

Most people wouldn't even know that they are sandboxed.

But we will see for sure with Windows 10S and its optional upgrade to Pro policy.

And who do we fine for all the bugs in Open Source software then? The most serious vulnerabilities of late have all been in Open Source packages: ShellShock, Heartbleed, etc.

Do we fine the person who committed the faulty logic, the reviewers, the entire community who "peer reviewed" it?

> ShellShock - Heartbleed - etc

How many systems were actually compromised in an unrecoverable manner, costing thousands or millions, maybe even billions, of damage due to any of those vulnerabilities?

All of them combined do not even come close to the damage that occurred over the weekend.

Shellshock and Heartbleed were an inconvenience for some sysadmins and click bait for the tech press.

Heartbleed and ShellShock were serious but nowhere near the seriousness of WannaCrypt. Don't let the top headlines of HN and a fancy logo be how you rate vulnerabilities.
Thanks for the transparency of open source you have learnt those buzzwords. Wish you the best of luck with your black boxes.
I'd be happy enough to go with "you fine whoever wrote the invoice or cashed the cheque". You wanna sell it? Take responsibility for it. You scratch your own itch and give it away for free? Good on you.
It doesn't quite work like that.

If I give away "free lemonade", but people get sick because I've made it in dirty conditions, I will not get away just because it's free.

Maybe...

What's your alternative? Are you suggesting we _do_ fine all the OpenSSL contributors? Or that we do not hold anyone except end users responsible for software/hardware security?

I'm not sure metaphors or comparisons between software and lemonade are entirely helpful - although they do push the discussion along, which is at least interesting... (So if I didn't _make_ the lemonade, but published my "4 lemons pulped, 1/2 a cup of sugar, and 2 teaspoons of rat poison" lemonade recipe on github - then you made it and got sick... Who's in the firing line then? What if the README says "this recipe is satire"?)

Redhat and Canonical will be in a world of hurt.
No system is perfect. Remember Heartbleed? Microsoft released a patch to correct this particular issue in March, however the IT infrastructure in companies is slow, the whole process is convoluted, yada yada.

The point is: the NSA caused this particular problem. Steps should be taken by everyone to ensure something like this doesn't happen ever again.

The NSA did not cause this particular problem. The NSA may have identified the vulnerability, however there is certainly an argument that their other responsibilities outweigh any responsibility that they might have to act as a free security investigation team and report a security vulnerability to an outside corporation.

If Russian government intelligence agency security researchers found that bug first would you say that they have a responsibility to disclose it to Microsoft (notably a United States company)? Would you be surprised if they felt and acted differently?

> however there is certainly an argument that their other responsibilities outweigh any responsibility that they might have to act as a free security investigation team and report a security vulnerability to an outside corporation.

Yeah, a shitty one. Free? No they're funded by tax payer dollars. I do think we need to argue about priority of responsibilities. Was this exploit used to spy on allies?

> Was this exploit used to spy on allies?

Don't know, and unlikely to ever find out. If so, it was likely very targeted to avoid detection on modern systems. Was it ever used to spy on Iran's nuclear enrichment program?

> I do think we need to argue about priority of responsibilities.

Ok. What responsibilities does a US government agency have to disclose vulnerabilities? Should they be required to disclose all vulnerabilities found in software and equipment from US companies? Since a lot of that technology is used around the world, are you on with the corollary of it being harder for the US to spy on anyone using modern equipment?

How about disclosing problems found in tech products used by US companies? Should the NSA do that as well to keep those companies safe?

The US provides a fair amount of funding to organizations focused on finding and responsibly disclosing security problems, notably CERT[1] and US-CERT [2]. The NSA is a completely separate thing.

1: http://cert.org/about/

2: https://www.us-cert.gov/

Edit: removed snark

Just because the media (including Microsoft) tagged those projects (that were maintained by small groups of core developers and are free (unpaid) software) with fancy names - those problems weren't anything like the massive, global impact of just one of Microsoft's ticking timebombs due to poor software design and lack of emphasis on security in their products. OpenSSL doesn't and didn't have the PR powerhouse of Microsoft, and people didn't pay for their software, let alone fund its development.
> Microsoft's ticking timebombs due to poor software design and lack of emphasis on security in their products

I assume you know nothing about software with flippant comments like this.

Completely securing software is an incredibly difficult thing to do and merely throwing resources isn't going to change that. It is just as likely to affect well designed software as it is poorly designed. Especially given that all of us rely heavily on third party libraries and underlying infrastructure.

All software has flaws. It's how we respond to them that matters.

https://twitter.com/ben_a_adams/status/863563517898747904

> Microsoft is responsible for their shit software getting exploited

This is an absurdly naive viewpoint. How are they responsible? What is their responsibility? How is it their responsibility when a state-funded group/actor targets their software and finds an exploit?

At some point you have to realize that 0days will always exist. It is an impossible task to expect software developers to ship perfect software.

Fair enough, but, like others have said, who do I fine when my Wordpress site gets pwned, or for Shellshock, etc.? I wish this problem was as simple as blaming/fining MS or Google.
I think without: 1) Open Source software AND especially 2) significant financial incentives for finding and reporting bugs, it will be business as usual for the foreseeable future.
Agreed. The NSA has known about the Shadow Brokers breach for 4 or 5 months. They should have warned industry sooner.

They ostensibly maintain their capability to protect us, but this is a clear example of them failing to protect us. The focus on offensive posture is all macho and typical military industrial bluster. My point is that the offensive cyber capability is more about dick length than keeping the country safer.

Nevermind that the internet is a global shared resource that works best when we work together.

Also, MS haters are doing some pretty fantastic replays of the hits in this thread. I get that you don't like them, but "kill Microsoft" isn't the answer. Maybe there needs to be a model for assigning cost to vulnerabilities like this...to Microsoft and the NSA. Make them account for this in monetary terms and you will see change.

Another point which hasn't yet gotten much attention is the valuable role Wikileaks played as an early warning system. Without Wikileaks it is likely that Microsoft wouldn't have had the chance to release a patch ahead of any attacks.
The exploit was released in April. Microsoft patched it in March. How did Wikileaks play any role in the problem getting fixed?
> we chose to keep it unpatched

Are you saying that the choice was made by the NSA, who failed to report it, or suggesting that Microsoft colluded in keeping a known exploit open?

How is that a surprise? Warnings have been around left and right since before Snowden about this kind of scenario. It has happened before, and will happen again. What's new here is that a suspicious group named Shadow Brokers went public about it and the release, while this usually happens in private.
Sorry, but I can't agree with this. If it weren't the NSA discovering it and losing control of it, some other group would eventually get to it.

The problem is Microsoft, who wrote the exploitable software in the first place.

We would be in the exact same situation if the NSA had immediately disclosed the vulnerability to Microsoft. Old software wouldn't have been updated and someone would have exploited it.
I am not exactly sure what dark powers the US government was using to force people to leave 3389 on public-facing IPs. I thought that CIA mind control experiments failed.
According to CERT [0], the original infection vector is still unclear but possibly phishing, however once a computer is infected, any vulnerable machines on the local network are targets.

[0] https://www.us-cert.gov/ncas/alerts/TA17-132A

Yep, too many companies still use the Ring Fence approach to security; in a day where mobile devices and laptops are moving all the time, this is very very very bad.

All it takes is one infected machine to get behind the perimeter defenses and it is game over.