Lessons from last week’s cyberattack

377 points by ycitm about 8 years ago

32 comments

loteck about 8 years ago
The quote bombshell here, and what hasn't yet gotten much attention since sysadmins the world over are busy dealing with fallout, is that the NSA and therefore the US government is directly responsible for the current global cyber-carnage. We developed the capability, we chose to keep it unpatched, we tried to keep it secret, we lost control of it.

This has similarities in type, if not in horror, to the development and subsequent spread of nuclear weapons. When we lost control of those secrets, it was a BFD [0].

[0] https://en.m.wikipedia.org/wiki/Atomic_spies

codedokode about 8 years ago
One of the reasons why such an attack was possible is poor security in Windows. Port 445 that was used in an attack is opened by a kernel driver (at least that is what netstat says on WinXP) that runs in ring 0. This driver is enabled by default even if the user doesn't need SMB server and it cannot be easily disabled.

Most of the services in Windows are run under two privileged user accounts (LocalService or NetworkService). Many of them are enabled by default and are listening on ports on external interface so the potential attack surface is large.

Microsoft uses programming languages like C++ that are very complicated and a little mistake can lead to vulnerabilities like stack overflow, use-after-free, etc.

Microsoft (and most companies) prefers to patch vulnerabilities with updates rather than take measures that would reduce attack surface.

Oh, and by the way Linux has similar problems. In a typical Linux distribution a program run with user privileges is able to encrypt all of the user's files, access user's cookies and saved passwords on all websites, listen to microphone and intercept keystrokes.

cm2187 about 8 years ago
Another lesson learned: don't bundle your security updates with your cool new features nobody wants, Microsoft. This will aggravate the problem as more people/companies will defer updates.

ssdfe about 8 years ago
There's a lot of blame being thrown around, and I think it's all merited, but an inordinate amount needs to be on the users. I don't know how many times I've heard things like: "I don't think I'll update to Windows 10" or "That update has been nagging me for months" or even security advocates saying "Windows 10 is a privacy nightmare, I'll stay on 7". Being on the latest secure upstream isn't a nicety, it's what you have to do if you want any semblance of a secure environment. If you don't like upstream, jump to another.

It's definitely not end-users either. There's a grocery store that just went up nearby that I saw Windows XP splash screen on when one of the cashiers rebooted. No joke, new store, Windows XP computers that handle money. Microsoft may have cultivated this nightmare, but it seems everyone wants to live in it.

DanBC about 8 years ago
No one in the UK seems to be tying this attack to the Conservative Party's desire for backdoors everywhere, which is a shame because it's a nice example for the public of how the government have got this very wrong.

alkonaut about 8 years ago
One scary thing about these security holes is that it's almost impossible to *check* if your system is affected.

There are at least 50 different releases of Windows 10 alone, and it's hard enough to find which is actually used.

The "System" dialog shows "Windows 10 2015 LTSB". "Winver" on the command line shows "Windows 10 2015 LTSB build 10240" - but there are several releases of that and only the latest ones, e.g. from 10240.17236 and up have the patch - but I can't seem to find which one I have.

I don't doubt I have a patched version, but out of curiosity I'd just like to double check.

spydum about 8 years ago
a lot of people kicking sand in MSFT's eyes for having such a vulnerability.. but come on, the code base for windows is enormous. The feat of engineering that is microsoft windows (and its many iterations) is pretty amazing when you really look at it. Yes, plenty of flaws, but show me some other software which has endured?

Further, all of the major infections are based on Windows XP. Windows XP mainstream support ended a full year before the first gen iPhone was out! It's seriously ancient and there are very few excuses for people to have this crap on a network in 2017. For the folks who don't run XP, but got infected because they didn't patch? No excuses.

If I booted a RedHat (5.2 came out in 2009ish) or FreeBSD machine from 2009 without patches, and put it on the internet, I'm pretty sure it'd be hosed just as bad (shellshock, heartbleed, ?). the difference is, everyone would tell me I'm an idiot for putting a machine online from 2009.

whitefish about 8 years ago
Should hospitals such as UK's NHS and other such organizations use dumb terminals (or chromebooks) instead of Windows? That way data is centralized on servers where it is easy to back up and harder for hackers to hold to ransom.

pquerna about 8 years ago
> We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

This whole incident is really raising the profile of the creation of "cyber weapons".

They aren't like physical weapons with physical controls -- they are digital, controls and costs to copy/distribute are more like digital music than anything a Government organization is used to.

cm2187 about 8 years ago
One thing that strikes me with this malware is that it hits pretty much every single country. Don't hackers try to follow the proverbial "don't shit where you eat" proverb? They have nowhere to hide if they are identified now.

alsadi about 8 years ago
For those who think that using free software would be similar (naming ubuntu or even centos).

The real question is why a hospital is still running windows xp even though it's not supported by its own vendor.

The answer is vendor lock-ins. The upgrade is not a matter of a simple command. Upgrade cost involves more licenses and hardware upgrades (which is not needed as old hardware is fine, but this is how things work between microsoft and hw vendors) it's like you need to buy a new watch to apply dst summer time.

Also Microsoft and old school desktop software vendors used to make sure switch or upgrade cost is really high, e.g. by using non-standard formats.. to lock users from switching to mac or linux

If you remember active x and internet explorer specific vbscript...

If you use free software from an expensive but decent vendor like redhat you can upgrade software on same hardware

And if the software was expensive you can switch to centos, scientific linux or pay anyone to handle that for you at a fair rate. There is no vendor lock-in. Everything is standard and no vendor lock-in.

natch about 8 years ago
Microsoft's version:

    I see three areas where this event provides an opportunity for Microsoft and the industry to improve.

Fixed version:

    I see three areas where this event provides an opportunity for Microsoft, the industry, and government to improve.

To be fair, he does go on to point out how this is partly the fault of poorly conceived government policies, namely the NSA's foolish practice of stockpiling exploits. But Microsoft and the industry should keep the heat on the government about this at every opportunity, because the horrifically bad and analogous idea of having government master keys is still being pushed forward.

cmurf about 8 years ago
And what about the lesson that software should be mortal, and should one day die? By what metric is, e.g. Windows XP, subject to evergreen updating to mitigate (prevent or reduce impact of) this exact scenario, forever? Does Microsoft have the right, and even the obligation, to remote detonate all Windows XP in existence on a certain date?

Perhaps EOL should be literal. The software kills itself and does not function.

The lesson I'm getting is our software can become malicious, and that malice can spread like wildfire. Is a company obligated to patch any wildfire type of bug forever? Is that a cost of proprietary software? Or is setting a date for its death the cost?

I think aging proprietary software has a much greater chance of becoming a weapon than it does becoming inconveniently obsolete. So forcing a company to release the code as free and open source software upon EOL date, I think just enhances the chances that it gets weaponized. There's a greater incentive to find exploits than to fix them, in old software.

Another lesson is most people really shouldn't be using Windows. If you can't afford to pay Microsoft to keep your software up to date, then use something that's FOSS and is up to date. (Same rule applies to Apple, if you can't afford new hardware in order to run current iOS/macOS versions that are being maintained, then don't buy stuff from Apple anymore.)

fiatpandas about 8 years ago
How did MS know to patch a month before the exploits leaked? Did they get advanced notice as a courtesy from NSA, or someone else, that the exploits leaked?

bikamonki about 8 years ago
Lesson 1: don't use Windows. Lesson 2: be it a web resource or your pc, make sure you can restore all your data/sw from clean/current copies. Lesson 3: test lesson 2 periodically.

pishpash about 8 years ago
I think the lesson is to have less uniform, opaque bloatware controlled by disinterested parties whether through proprietary technologies, walled gardens, OR paternalistic update policies. Have some diversity in the network, let people really know and choose what they want on and off, and have the minimum of what is needed for the job turned on by that endowed choice, and half of these problems go away.

linjian about 8 years ago
How to prevent an attack from the internet is really a big problem. The more open the system is, the more dangerous the system may be. Like in this attack, macOS and Linux are safe. Maybe just because the system is not that open and malicious programs cannot get some access to do something bad. And usually the update to prevent some kind of attack is later than the attack itself.

Moru about 8 years ago
It's not just a question of people not keeping their computers updated. I have bought a few second hand computers with windows 7 the last few months and they have all had problems when updating. I doubt most people even notice this and think they are updated.

yuhong about 8 years ago
Side note, I posted https://news.ycombinator.com/item?id=14334776 on custom support and MS quarterly earnings.

WalterBright about 8 years ago
I'm curious what kind of vulnerability it was. A buffer overflow? Stack corruption? A memory safety issue at all, or something else?

LoonyBalloony about 8 years ago
I think the lesson here is to disband all spy agencies when not at war with another nation state.

dominhhai about 8 years ago
Why not use Linux or MacOS?

accountyaccount about 8 years ago
LESSON: UPDATE YOUR SHIT

justinzollars about 8 years ago
stackoverflow nazis; this should not be a closed question

10165 about 8 years ago
The real question should be: Can Microsoft write an OS that does not have to be constantly patched, month after month?

We know they have written such things as part of research. But still they continue to release software that is unfinished.

They have trained their users that failure to update is fatal. No doubt, if they are using Windows.

They also like to conflate "update" with "upgrade". They use these security problems in Windows to scare people into upgrading.

Windows 10, whether they like it or not. As others have noted, *by design* the new versions are not safer than the old ones.

Retroactively fixing reported issues does not make a new version more secure *by design*. They could just as easily fix the issues in the older version.

Can this company get anything right the first time? Will they ever design a system that is secure?

Do they have any interest in doing so?

Are they incapable?

There is nothing wrong with releasing something simple, secure and *finished*.

Does MS believe Windows users are not worthy of a secure OS?

I think Microsoft Research have contributed to development of L4 systems that run on baseband.

Do these systems have the same vulnerabilities as Windows?

Fixing problems *after they occur* (past problems) is admirable but other free open source OS written by volunteers accomplish the same thing. The question is whether the design of the system is such that *future problems* are avoided.

Does Microsoft believe Windows users deserve more security? Can Microsoft deliver it?

All indications suggest the answer to both questions is no.

With no viable alternatives, no one can blame Windows users for sticking with it despite red flag after red flag, but it makes no sense to defend the Microsoft approach to security for Windows users. The company has no respect for Windows users.

Being responsive to a constant stream of reported vulnerabilities is an improvement from 1995 but as we can see it is not enough. Their software is still full of mistakes. They need to prove they can make something that is secure *by design* and that they are willing to do so for users.

(Truthfully, they probably do not need to do anything.

Quotes of 80% of Windows installations being tied to purchases of hardware are probably not far off the mark.

There is no selection of OS by most computer users.

A majority of users still get Windows pre-installed on the computers they purchase.

Microsoft could completely ignore users and it would not hurt their business, as long as they continue to maintain relationships with hardware manufacturers.)

Findeton about 8 years ago
Lesson 1: don't use Windows.

z3t4 about 8 years ago
stop exposing functions meant to run in private networks (LAN) to the internet. please make stuff secure by default.

a_imho about 8 years ago
*Second, this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers.*

Victim blaming at its finest.

mrmondo about 8 years ago
Pretty sure this is a highly targeted piece of PR designed to shift the blame from Microsoft's appallingly poor operating system design especially when it comes to security. Are the NSA a deceptive, anti-humanist organisation that performs atrocious acts against people - yes - I absolutely believe so and they play a HUGE part in this, but Microsoft - they are the irresponsible software vendor here and do they reimburse people that have PAID for their software? No.

denzil_correa about 8 years ago
> Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action

Did the Microsoft President just confirm that NSA developed the vulnerability which led to the attacks on hospitals this weekend?!

feelix about 8 years ago
From the article:

> A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally.

They stopped supporting Windows XP years ago, including with security updates.

There are still around 100 million computers around the world running XP.

It seems irresponsible to just leave them to hang out to dry when there are that many machines out there running it. A virus seems inevitable if they do. And shifting the blame onto the customers is not reasonable when there are still 100 million customers who are "doing it wrong" by not upgrading to a later version of Windows.

This entire article pertains to directly shifting the blame onto their customers, and the governments of the affected countries (!)

> The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect

Again, XP systems are the most affected, and there was no patch released for XP. This is extremely irresponsible of Microsoft and this article shifting the blame onto everyone but themselves is reprehensible.

partycoder about 8 years ago
Microsoft is feature and sales oriented not quality oriented. Security is an aspect of quality. So if you voluntarily like to put yourself at risk, by all means use their products.

Their product design doesn't emphasize security. For example, remember the extremely convenient AUTORUN.INF feature? That has probably resulted in billions of dollars lost and that number continues to grow every day.

Rendering fonts on the kernel... fantastic idea! What's the next great Microsoft idea? Continue to buy their products and figure it out.