Microsoft will make the most from WannaCry

Despite their posturing, how can we trust Microsoft (and other companies like it) ? Windows is a black box. How do we know that there are no backdoors/spying routines to please some governments ? How can we trust that it behaves ethically with all the data it collects ? We only have their word for it.

How does wannacry spread? From what I find it&#x27;s primarily via an SMB exploit, but who on earth can possible receive SMB traffic on the internet today?<p>Is it automatically opened via UPNP or something? (seems doubtful)

Non-paywalled link: <a href="https:&#x2F;&#x2F;webcache.googleusercontent.com&#x2F;search?q=cache:28gvJsnYhf4J:https:&#x2F;&#x2F;www.ft.com&#x2F;content&#x2F;b25e5c5e-3a34-11e7-821a-6027b8a20f23+&amp;cd=4&amp;hl=en&amp;ct=clnk&amp;gl=us" rel="nofollow">https:&#x2F;&#x2F;webcache.googleusercontent.com&#x2F;search?q=cache:28gvJs...</a>

Only way I got around the paywall was pasting the URL into Google then clicking &#x27;Cached&#x27; version.

TLDR: Microsoft is using WannaCry as an opportunity to complain about the NSA and as an opportunity to tell people they need to update their software.<p>I personally think that it&#x27;s great to get the message across that people need to keep their operating systems up-to-date. I see too many non-technical people thinking in dangerous ways:<p>* &quot;I don&#x27;t want to update software, because the new software could have bugs which might be a security risk.&quot; I used to work for a well-known Fortune 500 that thought this way. But _all_ software is vulnerable in one way or another and by keeping it up to date, you also get the most recent security patches. Software vendors generally aren&#x27;t putting major resources into securing old versions of their software.<p>* &quot;I&#x27;ve got anti-virus software installed on my computer and we&#x27;ve got a firewall on our network&quot;. And maybe that will help you at some point, but if you don&#x27;t update your OS, that&#x27;s like having bullet-proof windows and leaving your front door unlocked.

Not a big fan of Microsoft in general, and I generally distrust anything it does, but I&#x27;m beginning to like this Brad Smith fellow. He&#x27;s been pushing for quite a few privacy initiatives inside Microsoft, and he&#x27;s now also taking on NSA and calling for a Digital Geneva Convention.<p>I also think Microsoft &quot;got lucky&quot; this time. Shadow Brokers sit on EternalBlue for at least 6 months. They could&#x27;ve released it before the NSA even alerted Microsoft that such a bug exists in its operating system (probably earlier this year). That would&#x27;ve hurt Microsoft&#x27;s image a lot more.<p>So I think this should also be a warning to Microsoft (and other software companies). If there is some other backdoor in Windows or bug on which Microsoft may decide to sit on to give the NSA a few extra months to exploit it, its image could be hurt a lot. Some other group may discover it and and then turn it into another global ransomware attack, before Microsoft even has a chance to patch it.<p>So lesson of the day: don&#x27;t do back room (or door) deals with the NSA, whether because of fear, for money, &quot;patriotism,&quot; or some other reason, because it could come back and hurt you 10 times more when you&#x27;re put in the spotlight as the main party responsible for a global attack.

Paywalled. Workaround it by pasting the URL into Google and clicking the link there.

True or false?<p>Microsoft is a company that actively tries to prevent any comparisons of its products with other products, sometimes through threats of filing legal proceedings.<p>True or false?<p>Only government agencies are capabale of discovering flaws in Microsoft Windows.<p>True or false?<p>A closed source kernel is more secure than an open source kernel.<p>(For the avoidance of doubt, here &quot;open source&quot; means open to public inspection free of charges, terms or conditions, such as various UNIX-like kernels. It also means the right to make changes, re-compile and re-distribute without charges.)<p>True or false?<p>This determination can be made without comparing the source code for both kernels.<p>Hypothetical and questions:<p>Product A has 5000-6000 new vulnerabilities per year, about 15 per day.<p>Product B has 5-20 new vulnerabilities per year.<p>Can we explain this difference by focusing on the parties who find the problems that require patching?<p>Alternatively, should we focus instead on the products?<p>What if Product A is more complex is than Product B?<p>Does this make any difference?<p>What if Product B can perform many of the same functions as Product A, particularly the functions that are most often used to exploit a vulnerability.<p>For example handling data to be sent or recieved from the an untrustowrthy network such as the internet. In other words, networking with <i>remote</i> computers (&quot;internet&quot;) as opposed to only networking with <i>local</i> computers (&quot;IBM-compatible PC LAN&quot;).<p>Unlike BSD UNIX, Windows was originally designed for only local networking, where very little if any security is required.<p>True or false?<p>Windows still retains some of this original design and source code.<p>That is a trick question because the Windows source code is not open source. How would anyone verify what is still in that source code?<p>Keeping the source code from the eyes of its users does not protect them.<p>It may be possible to reverse engineer Microsoft products or patches to learn how Windows works.<p>&quot;Good guys&quot; may do this as well as &quot;bad guys&quot;.<p>A vulnerability could be discovered by someone who is not even old enough to work for a government.<p>Repeat question:<p>Should we focus on who finds flaws in Windows or should we focus on the Windows product itself?

For developers, the takeaway is to use memory safe programming languages.