Despite their posturing, how can we trust Microsoft (and other companies like it)? Windows is a black box. How do we know that there are no backdoors/spying routines to please some governments? How can we trust that it behaves ethically with all the data it collects? We only have their word for it.
How does WannaCry spread? From what I find it's primarily via an SMB exploit, but who on earth can possibly receive SMB traffic on the internet today?<p>Is it automatically opened via UPnP or something? (seems doubtful)
TLDR: Microsoft is using WannaCry as an opportunity to complain about the NSA and as an opportunity to tell people they need to update their software.<p>I personally think that it's great to get the message across that people need to keep their operating systems up-to-date. I see too many non-technical people thinking in dangerous ways:<p>* "I don't want to update software, because the new software could have bugs which might be a security risk." I used to work for a well-known Fortune 500 that thought this way. But _all_ software is vulnerable in one way or another and by keeping it up to date, you also get the most recent security patches. Software vendors generally aren't putting major resources into securing old versions of their software.<p>* "I've got anti-virus software installed on my computer and we've got a firewall on our network". And maybe that will help you at some point, but if you don't update your OS, that's like having bullet-proof windows and leaving your front door unlocked.
Not a big fan of Microsoft in general, and I generally distrust anything it does, but I'm beginning to like this Brad Smith fellow. He's been pushing for quite a few privacy initiatives inside Microsoft, and he's now also taking on the NSA and calling for a Digital Geneva Convention.<p>I also think Microsoft "got lucky" this time. Shadow Brokers sat on EternalBlue for at least 6 months. They could've released it before the NSA even alerted Microsoft that such a bug exists in its operating system (probably earlier this year). That would've hurt Microsoft's image a lot more.<p>So I think this should also be a warning to Microsoft (and other software companies). If there is some other backdoor in Windows, or a bug on which Microsoft may decide to sit to give the NSA a few extra months to exploit it, its image could be hurt a lot. Some other group may discover it and then turn it into another global ransomware attack, before Microsoft even has a chance to patch it.<p>So lesson of the day: don't do back room (or door) deals with the NSA, whether because of fear, for money, "patriotism," or some other reason, because it could come back and hurt you 10 times more when you're put in the spotlight as the main party responsible for a global attack.
True or false?<p>Microsoft is a company that actively tries to prevent any comparisons of its products with other products, sometimes through threats of filing legal proceedings.<p>True or false?<p>Only government agencies are capable of discovering flaws in Microsoft Windows.<p>True or false?<p>A closed source kernel is more secure than an open source kernel.<p>(For the avoidance of doubt, here "open source" means open to public inspection free of charges, terms or conditions, such as various UNIX-like kernels. It also means the right to make changes, re-compile and re-distribute without charges.)<p>True or false?<p>This determination can be made without comparing the source code for both kernels.<p>Hypothetical and questions:<p>Product A has 5000-6000 new vulnerabilities per year, about 15 per day.<p>Product B has 5-20 new vulnerabilities per year.<p>Can we explain this difference by focusing on the parties who find the problems that require patching?<p>Alternatively, should we focus instead on the products?<p>What if Product A is more complex than Product B?<p>Does this make any difference?<p>What if Product B can perform many of the same functions as Product A, particularly the functions that are most often used to exploit a vulnerability?<p>For example, handling data to be sent to or received from an untrustworthy network such as the internet. In other words, networking with <i>remote</i> computers ("internet") as opposed to only networking with <i>local</i> computers ("IBM-compatible PC LAN").<p>Unlike BSD UNIX, Windows was originally designed for only local networking, where very little if any security is required.<p>True or false?<p>Windows still retains some of this original design and source code.<p>That is a trick question because the Windows source code is not open source.
How would anyone verify what is still in that source code?<p>Keeping the source code from the eyes of its users does not protect them.<p>It may be possible to reverse engineer Microsoft products or patches to learn how Windows works.<p>"Good guys" may do this as well as "bad guys".<p>A vulnerability could be discovered by someone who is not even old enough to work for a government.<p>Repeat question:<p>Should we focus on who finds flaws in Windows or should we focus on the Windows product itself?