
Lessons from last week’s cyberattack - ycitm
https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/
======
loteck
The quote bombshell here, and what hasn't yet gotten much attention since
sysadmins the world over are busy dealing with fallout, is that the NSA and
therefore the US government is directly responsible for the current global
cyber-carnage. We developed the capability, we chose to keep it unpatched, we
tried to keep it secret, we lost control of it.

This has similarities in type, if not in horror, to the development and
subsequent spread of nuclear weapons. When we lost control of those secrets,
it was a BFD [0].

[0] [https://en.m.wikipedia.org/wiki/Atomic_spies](https://en.m.wikipedia.org/wiki/Atomic_spies)

~~~
Kholo
Complete BS. This is what happens when you have top class PR at your disposal
to define the narrative.

Microsoft is responsible for their shit software getting exploited first and
foremost. Seriously fine Microsoft and by day after tomorrow that 3500
security engineer number will jump to something realistic.

Instead what will happen is more tightening of the walled garden, overcharging
of support/security contracts and propping up of another billionaire or two. I
can hear the whisky glasses clinking.

Corporations do not get to set the agenda and the narrative. When they are
allowed to, the results are very predictable - in this case Microsoft will
make more than they lose. Who here disagrees that is going to happen? And who
here believes that is right?

The answer is simple: whether it's Microsoft today or Facebook and Google
tomorrow, win-win should not be an option when such things happen.

~~~
dasil003
Uh, except Microsoft had already patched the vulnerability, just not for XP
that was still being run. Of course you can punish them and force them to
support all legacy OSes forever, until that strangles the life out of them at
which point large institutions _still_ have to run the old OS because they
have too much investment in computer controlled hardware with no forward
migration. Now they are locked into an insecure technology stack with no
vendor to take responsibility and no source code to even take on the problem
themselves.

There's plenty of blame to go around to be sure, but giving the NSA a pass for
developing zero days is batshit insane. These guys are playing god instead of
helping make infrastructure more secure overall, and it will not end well,
even if they outcompete the Chinese or whatever other bogeyman they cook up to
justify their power grab.

~~~
thomastjeffery
This is why free software is necessary.

Proprietary software makes you rely on a company to fix _everything_. It's
like driving a car without being able to replace a flat tire.

~~~
whazor
Assuming these hospitals keep updating and do not get stuck at Ubuntu 10.04.

~~~
EvanAnderson
Anyone can seek help on the open market to support Ubuntu 10.04 forever if
they like. You can't go to another company if you don't like the price
Microsoft sets for support for Windows XP.

~~~
pawadu
This comment makes my blood boil. Please ask yourself:

1. why would anybody want to keep 10.04 alive?

2. do you think the type of people who stubbornly continue to use 10.04 would
know/care enough about security to seek an alternative source for security
patches?

 _edit: should maybe add why this pisses me off: just logged into a production
server running 12.04, default install apache and updates TURNED OFF. The
owner looked confused (and slightly bored) when I explained the problem to
him._

~~~
belorn
Whatever hardware that is running that 12.04 system can be upgraded, free of
charge, for likely the next 20 years if the past 20 years of linux is anything
to go by.

Even if you pay money for the windows 10, it is unlikely to even start on the
hardware that XP ran on. Not only will the people have to go through the
budget to pay for the software, but now you need a full upgrade plan.

To put this in a concrete example. If a hospital had a check-in system running
12.04 they could just take someone internal from IT and go and fix it. If it
was Windows XP then they need to go through finance, then get offers from
competing companies, fit the upgrade into the budget, and last have
people installing it in each of the hospital's entrances. The first case has a
project length of days and the other of months and in the worst case years.

~~~
thecosas
I understand the argument, but I think "just take someone internal from IT and
go and fix it" is vastly oversimplifying the skills/manpower/time required for
doing something like this.

~~~
belorn
I can only speak of my own experience as a sysadmin, but the more isolated the
system is and the less critical it is for operation, the easier it is to
delegate the job of doing a software update to coworkers and new hires.
Especially if all the issues from doing an update have already been established
on several other machines, in which case the update is more or less mechanical
in nature.

It reminds me of the story about a thirty year old Commodore Amiga running the
AC system for a school district. The district finally decided to modernize the
AC for $2 million, but until then it was just cheaper and easier to continue
paying a person to run it every year. Replacing hardware systems is expensive
and politically complicated, while continuing to pay an employee is just status
quo.

------
codedokode
One of the reasons why such an attack was possible is poor security in Windows.
Port 445 that was used in the attack is opened by a kernel driver (at least
that is what netstat says on WinXP) that runs in ring 0. This driver is
enabled by default even if the user doesn't need SMB server and it cannot be
easily disabled.

Most services in Windows are run under two privileged user accounts
(LocalService or NetworkService). Many of them are enabled by default and are
listening on ports on the external interface so the potential attack surface is
large.

Microsoft uses programming languages like C++ which are very complicated and a
little mistake can lead to vulnerabilities like stack overflow, use-after-
free, etc.

Microsoft (and most companies) prefers to patch vulnerabilities with updates
rather than take measures that would reduce attack surface.

Oh, and by the way Linux has similar problems. In a typical Linux distribution
a program run with user privileges is able to encrypt all of the user's files,
access the user's cookies and saved passwords on all websites, listen to the
microphone and intercept keystrokes.

~~~
zild3d
Why do you claim C++ relates to poor security? OSX and iOS are primarily C,
C++, and assembly (Objective-C at the higher levels). And Linux of course is
C and assembly.

Are you saying all of the major operating systems have poor security because
they use "vulnerable" languages?

~~~
alkonaut
> Are you saying all of the major operating systems have poor security because
> they use "vulnerable" languages?

Absolutely.

~~~
JimDabell
Does this include OpenBSD?

~~~
alkonaut
Is it a program written by humans and has parts that accept user input or
network input? Then yes.

~~~
JimDabell
By that definition, pretty much all software has "poor security" regardless of
language. I don't think your definition of "poor security" is proportionate or
useful.

~~~
alkonaut
> By that definition, pretty much all software has "poor security" regardless
> of language.

My definition of "poor" is that it must have a babysitter to maintain and
patch it. Whether or not this is the case depends on the attack surface, which
of course depends on the complexity of what it does. A system that has no
attack surface can be very buggy without having poor security. But an internet
connected machine with modern windows/posix OS that does some useful work will
likely need a security patch already within the first couple of years - and
that I consider pretty poor.

------
cm2187
Another lesson learned: don't bundle your security updates with your cool new
features nobody wants, Microsoft. This will aggravate the problem as more
people/companies will defer updates.

~~~
ak39
I disabled updates on my Windows 7 last September when I feared that I'd wake
up to a Windows 10 machine like my wife did when her laptop updated to Windows
10. Unfortunately I can't seem to resume updates and fear that I may be
vulnerable to WannaCrypt. (Some recent updates succeeded but I don't know if I
patched for it)

~~~
mobiplayer
Why do you fear updating to Windows 10?

~~~
mistermann
a) telemetry

b) I'm worried my fairly nicely working Win7 environment will not work so well
after updating to 10, as much as I want to get current with some genuinely
useful features.

I'm generally a Microsoft "fan", but this is one of the many reasons I hate on
them as much as Linux fans.

~~~
mobiplayer
Sounds reasonable, thanks for replying!

------
ssdfe
There's a lot of blame being thrown around, and I think it's all merited, but
an inordinate amount needs to be on the users. I don't know how many times
I've heard things like: "I don't think I'll update to Windows 10" or "That
update has been nagging me for months" or even security advocates saying
"Windows 10 is a privacy nightmare, I'll stay on 7". Being on the latest
secure upstream isn't a nicety, it's what you have to do if you want any
semblance of a secure environment. If you don't like upstream, jump to
another.

It's definitely not end-users either. There's a grocery store that just went
up nearby that I saw Windows XP splash screen on when one of the cashiers
rebooted. No joke, new store, Windows XP computers that handle money.
Microsoft may have cultivated this nightmare, but it seems everyone wants to
live in it.

~~~
josefx
> Being on the latest secure upstream isn't a nicety, it's what you have to do
> if you want any semblance of a secure environment.

Windows 7 is in extended support to 2020. So as far as I know security wise
still up to date.

> There's a grocery store that just went up nearby that I saw Windows XP
> splash screen on when one of the cashiers rebooted.

The cash register may be even running with a user interface written in VB6.
Don't attach it to an external network and it will work just fine. No need to
invest in new hardware/software when you can get it old, working and cheap.

> Windows XP computers that handle money.

In what way do they handle money? A computer virus isn't going to steal paper
money and the device operating the card reader should have been sufficiently
separated to begin with.

~~~
dotancohen
Do you really think that the machine does not handle credit cards as well?
Provide a daily management report? Report inventory? Provide a Facebook
interface between customers via the big blue E icon?

~~~
josefx
> Do you really think that the machine does not handle credit cards as well?

I don't know about the U.S., but as far as I know where I live these card
readers have to be almost completely separate systems. The connection between
these two should only exist to a) set the price to pay and b) confirm that a
payment was made.

> Provide a daily management report? Report inventory?

No longer managing money directly, so the possible abuse for financial gain is
quite restricted. You could argue that someone manipulates the reports in
order to skim some money for himself, however that would be a rather targeted
attack with someone on the inside profiting and could be detected when the
physical goods no longer line up with the reported values.

> Provide a Facebook interface between customers via the big blue E icon?

Are we even talking about the same thing?

------
DanBC
No one in the UK seems to be tying this attack to the Conservative Party's
desire for backdoors everywhere, which is a shame because it's a nice example
for the public of how the government have got this very wrong.

~~~
setq
Reddit is all over it although it has turned into something suitably
reminiscent of Alex Jones' material. Jeremy Hunt is apparently directly
responsible for running XP on all NHS equipment and pulling the plug on the
support contract for post-extended-support causing the deaths of thousands of
people while he rolls around in the dust of the crushed skulls of all his
victims.

I would rather see it used to leverage an opinion against back doors and
surveillance culture but alas this is merely administrative incompetence and
failure to either upgrade or airgap systems which have had a clock ticking on
them and plenty of notice from the vendor to sort. The buck should stop at the
trust IT directors as this was entirely avoidable with a properly managed
estate.

------
alkonaut
One scary thing about these security holes is that it's almost impossible to
_check_ if your system is affected.

There are at least 50 different releases of Windows 10 alone, and it's hard
enough to find which is actually used.

The "System" dialog shows "Windows 10 2015 LTSB". "Winver" on the command line
shows "Windows 10 2015 LTSB build 10240" - but there are several releases of
that and only the latest ones, e.g. from 10240.17236 and up have the patch -
But I can't seem to find which one I have.

I don't doubt I have a patched version, but out of curiosity I'd just like to
double check.

~~~
kaoD
Go to your Windows Update History and check if you have KB4013429 installed.

[https://support.microsoft.com/en-us/help/4013429/windows-10-update-kb4013429](https://support.microsoft.com/en-us/help/4013429/windows-10-update-kb4013429)

EDIT: Or KB4012606 / KB4013198 for older Windows builds.

~~~
alkonaut
How do I know that's the one? I was curious about the _process_ of knowing
how to find out if my system is patched against vulnerability X.

~~~
kaoD
Here's the complete process I followed:

1. Search for "windows smb server vuln" in Google.

2. "Microsoft Security Bulletin MS17-010 - Critical"[0] is the link I'm
looking for.

3. Search for your version in the list. Mine is "Windows 10 Version 1607",
listed in the table with 4013429 (right next to the Windows version, not in
"Updates replaced"). That's my update number.

[0] [https://technet.microsoft.com/en-us/library/security/ms17-010.aspx](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)
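The manual procedure kaoD describes (and codedokode's point about port 445 earlier in the thread) as a defender-side PowerShell check. This is an added example, not code from any commenter or from Microsoft; it assumes PowerShell 5.1 on Windows 8 or later (it falls back to netstat where Get-NetTCPConnection is absent), and that the 10240.17236 figure alkonaut quotes for the 2015 LTSB build is accurate.

```powershell
# Added example (not from the thread): answer two questions about this host,
# "is an MS17-010 package installed?" and "is TCP 445 listening?".
# Run from an elevated PowerShell prompt.
$Ms17010Kbs     = @('KB4013429', 'KB4012606', 'KB4013198')  # KB numbers named in the thread
$LtsbPatchedUbr = 17236   # first patched revision of build 10240 per the thread (assumed accurate)

function Get-OsBuildInfo {
    # CurrentBuild is the number winver shows; UBR ("update build revision") is
    # the part after the dot. Only Windows 10 has UBR, so older Windows reads 0.
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName = $v.ProductName
        Build       = [int]$v.CurrentBuild
        Ubr         = [int]$v.UBR
    }
}

function Test-Ms17010Installed {
    $os = Get-OsBuildInfo
    Write-Host ("OS: {0}, build {1}.{2}" -f $os.ProductName, $os.Build, $os.Ubr)

    # Direct evidence: one of the MS17-010 packages appears in the hotfix list.
    $found = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($found) {
        Write-Host ("MS17-010 package present: {0}" -f (($found.HotFixID | Sort-Object -Unique) -join ', '))
        return $true
    }

    # Windows 10 updates are cumulative: a later cumulative update carries the
    # fix even though the original KB never shows up in the list. For build
    # 10240 the thread gives the first patched revision, so compare against it.
    if ($os.Build -eq 10240 -and $os.Ubr -ge $LtsbPatchedUbr) {
        Write-Host "Build 10240.$($os.Ubr) is at or past the first patched revision."
        return $true
    }

    Write-Host "No MS17-010 package found; look up build $($os.Build) in the MS17-010 bulletin table."
    return $false
}

function Test-Smb445Listening {
    # The worm spread over SMB on TCP 445. LanmanServer is the Windows "Server"
    # service that provides SMB file sharing.
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { $svc.Status } else { 'unknown' }

    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
        $where  = if ($listen) { ($listen.LocalAddress | Sort-Object -Unique) -join ', ' }
    } else {
        # Older Windows: fall back to parsing netstat output.
        $lines  = (netstat -an) -match ':445\s+\S+\s+LISTENING'
        $listen = $lines.Count -gt 0
        $where  = ($lines | ForEach-Object { ($_ -split '\s+')[2] }) -join ', '
    }

    if ($listen) {
        Write-Host "TCP 445 is listening on: $where (Server service: $svcStatus)"
        return $true
    }
    Write-Host "TCP 445 is not listening (Server service: $svcStatus)"
    return $false
}

$patched = Test-Ms17010Installed
$exposed = Test-Smb445Listening
if (-not $patched -and $exposed) {
    Write-Warning "Unpatched host with SMB reachable: install the MS17-010 update and block TCP 445 at the network edge."
}
```

A missing KB is only conclusive on Windows 7 and earlier; on Windows 10 builds other than 10240 the script reports the build so it can be compared against the bulletin table by hand.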

~~~
alkonaut
I think a lot of the confusion here is what constitutes a "version" of windows
10.

~~~
kaoD
Indeed. As far as I can tell they are like what used to be Service Packs?

E.g.: I didn't install the so-called Creators Update so I'm not in the latest
Windows 10 version.

I'm no Windows sysadmin though so I'm not really sure.

------
spydum
A lot of people are kicking sand in MSFT's eyes for having such a vulnerability,
but come on, the code base for windows is enormous. The feat of engineering
that is microsoft windows (and its many iterations) is pretty amazing when you
really look at it. Yes, plenty of flaws, but show me some other software which
has endured?

Further, all of the major infections are based on Windows XP. Windows XP
mainstream support ended a full year before the first gen iPhone was out! It's
seriously ancient and there are very few excuses for people to have this crap
on a network in 2017. For the folks who don't run XP, but got infected because
they didn't patch? No excuses.

If I booted a RedHat (5.2 came out in 2009ish) or FreeBSD machine from 2009
without patches, and put it on the internet, I'm pretty sure it'd be hosed
just as bad (shellshock, heartbleed, ?). The difference is, everyone would
tell me I'm an idiot for putting a machine online from 2009.

~~~
merlincorey
> If I booted a RedHat (5.2 came out in 2009ish) or FreeBSD machine from 2009
> without patches, and put it on the internet, I'm pretty sure it'd be hosed
> just as bad (shellshock, heartbleed, ?). the difference is, everyone would
> tell me I'm an idiot for putting a machine online from 2009.

As a tongue in cheek (but totally true) correction, FreeBSD from 2009 would
NOT be vulnerable to the shellshock vulnerability unless you explicitly
install `bash` and make it the shell used by apache-cgi.

By default, FreeBSD lacks bash.

~~~
alex_anglin
True, but FreeBSD can't guarantee perpetual security for releases. It also
doesn't provide warranties, like the majority of software out there.

FWIW, I do hold FreeBSD in high regard. It's just that expecting perfection
security-wise from complex systems is a fool's errand.

~~~
asdfgadsfgasfdg
> It's just that expecting perfection security-wise from complex systems is a
> fool's errand.

I think that may have been the OP's point. Bash is more complex than sh has to
be; hence, because FreeBSD chose the simpler option, they avoid the inherent
security implications of complex systems.

(I use bash myself and don't use FreeBSD.)

~~~
dotancohen
Exactly, FreeBSD uses the simplest solution for the task, in the name of
security. FreeBSD isn't "secure from Heartbleed because they don't use Bash"
but rather, FreeBSD is "secure because by default only the most basic,
necessary software is installed" which happened to be sh instead of bash.

------
whitefish
Should hospitals such as UK's NHS and other such organizations use dumb
terminals (or chromebooks) instead of Windows? That way data is centralized on
servers where it is easy to backup and harder for hackers to hold to ransom.

~~~
cryptarch
It'd be a good start if they just didn't use Windows.

But yeah, definitely. It's pretty damned unlikely that an OpenBSD backup
server would get wormed, unless an ME exploit is involved.

~~~
phs318u
Let's be clear on this. No matter how secure the operating system is initially,
if it stays unpatched then over time it will become more and more vulnerable
as uncovered exploits go unfixed.

The reason a machine might go unpatched is because it might support some
critical hardware (eg medical) for which there is only one or two vendors and
only a particular combination of HW and SW are supported (eg due to a specific
custom hardware driver).

To lay the blame for this at a single vendor's feet is naive.

~~~
pier25
True, but I'm sure there are a lot of cases where the OS wasn't updated
because of the necessary investment to jump to a new Windows version.

~~~
kijin
There are very few free/open-source operating systems that get security
patches for as long as Windows does.

Major versions of OpenBSD are only supported for 5-6 years. Most Linux
distributions only get 3-5 years. Red Hat promises 10 years of support, the
same as Windows 7/8/10. None comes close to the 13 years that Windows XP was
supported for.

So you're gonna have to update anyway, at roughly the same interval if not
more often, as if you had used an enterprise edition of Windows.

~~~
danieldk
_Major versions of OpenBSD are only supported for 5-6 years._

I thought that security updates are only made for -current, the current stable
release, and the previous stable release. So, 1 year of support, not 5-6.

A cursory look at the errata seems to confirm this.

~~~
kijin
Most of the time, upgrading from one minor version to the next is painless. If
you installed OpenBSD 5.0, you are expected to keep updating all the way to
5.9. (For some reason, OpenBSD always makes exactly 9 minor versions for each
major version.)

Most Linux distros don't even make any fuss about minor versions, using them
only as an opportunity to build fresh installation images. New minor versions
_are_ security patches for the major version and all previous minor versions.

------
pquerna
> We need governments to consider the damage to civilians that comes from
> hoarding these vulnerabilities and the use of these exploits.

This whole incident is really raising the profile of the creation of "cyber
weapons".

They aren't like physical weapons with physical controls -- they are digital,
controls and costs to copy/distribute are more like digital music than
anything a Government organization is used to.

------
cm2187
One thing that strikes me with this malware is that it hits pretty much every
single country. Don't hackers try to follow the proverbial "don't shit where
you eat" proverb? They have nowhere to hide if they are identified now.

~~~
flukus
You're assuming it was released on purpose and worked on the intended scale,
I'm not sure either are true.

~~~
muricula
This malware was first released as part of a massive spam campaign, and then
from there wormed its way onto other systems. It was definitely released on
purpose.

~~~
flukus
Has any of that been confirmed? I thought patient zeros were still mostly
speculation.

~~~
muricula
I don't have a citation I can point you towards, just the word of a coworker
who's a malware researcher, sorry.

------
alsadi
For those who think that using free software would be similar (naming Ubuntu
or even CentOS).

The real question is why a hospital is still running Windows XP even though
it's not supported by its own vendor.

The answer is vendor lock-in. The upgrade is not a matter of a simple command.
Upgrade cost involves more licenses and hardware upgrades (which are not needed,
as old hardware is fine, but this is how things work between Microsoft and HW
vendors). It's like you need to buy a new watch to apply DST summer time.

Also Microsoft and old school desktop software vendors used to make sure the
switch or upgrade cost is really high, e.g. by using non-standard formats, to
lock users from switching to Mac or Linux.

If you remember ActiveX and Internet Explorer specific VBScript...

If you use free software from an expensive but decent vendor like Red Hat you
can upgrade software on the same hardware.

And if the software was expensive you can switch to CentOS, Scientific Linux or
pay anyone to handle that for you at a fair rate. There is no vendor lock-in.
Everything is standard and there is no vendor lock-in.

------
natch
Microsoft's version:

> I see three areas where this event provides an opportunity for Microsoft and
> the industry to improve.

Fixed version:

> I see three areas where this event provides an opportunity for Microsoft, the
> industry, and government to improve.

To be fair, he does go on to point out how this is partly the fault of poorly
conceived government policies, namely the NSA's foolish practice of
stockpiling exploits. But Microsoft and the industry should keep the heat on
the government about this at every opportunity, because the horrifically bad
and analogous idea of having government master keys is still being pushed
forward.

------
cmurf
And what about the lesson that software should be mortal, and should one day
die? By what metric is, e.g. Windows XP, subject to evergreen updating to
mitigate (prevent or reduce impact of) this exact scenario, forever? Does
Microsoft have the right, and even the obligation, to remote detonate all
Windows XP in existence on a certain date?

Perhaps EOL should be literal. The software kills itself and does not
function.

The lesson I'm getting is our software can become malicious, and that malice
can spread like wildfire. Is a company obligated to patch any wildfire type of
bug forever? Is that a cost of proprietary software? Or is setting a date for
its death the cost?

I think aging proprietary software has a much greater chance of becoming a
weapon than it does becoming inconveniently obsolete. So forcing a company to
release the code as free and open source software upon EOL date, I think just
enhances the chances that it gets weaponized. There's a greater incentive to
find exploits than to fix them, in old software.

Another lesson is most people really shouldn't be using Windows. If you can't
afford to pay Microsoft to keep your software up to date, then use something
that's FOSS and is up to date. (Same rule applies to Apple, if you can't
afford new hardware in order to run current iOS/macOS versions that are being
maintained, then don't buy stuff from Apple anymore.)

------
fiatpandas
How did MS know to patch a month before the exploits leaked? Did they get
advance notice as a courtesy from the NSA, or someone else, that the exploits
had leaked?

~~~
amaterasu
I'm assuming this was contained in the vault7 leak:
[https://en.wikipedia.org/wiki/Vault_7](https://en.wikipedia.org/wiki/Vault_7)

------
bikamonki
Lesson 1: don't use Windows. Lesson 2: be it a web resource or your pc, make
sure you can restore all your data/sw from clean/current copies. Lesson 3:
test lesson 2 periodically.

~~~
thomastjeffery
Lesson 1: don't use proprietary operating systems.

~~~
ry_ry
If Windows were open-source, would the situation have been any different?

Would organisations with very conservative attitudes to upgrade paths or a
requirement to run an older OS version have suddenly been patching nightly?

Would the exploits used have been identified and patched prior to their
malicious deployment?

Would organisations with a vested interest in stockpiling exploits have
elected to immediately notify projects' maintainers?

The answer to these swings wildly between 'maybe' and 'probably not', so the
eventual endpoint is likely largely the same. It's a compound issue brought
about by a chain of decisions made by disparate organisations, and using it as
a stick to beat Microsoft or proprietary vendors in general with is missing a
very important point -

Security is the responsibility of everybody involved, from vendors and the
government, all the way down through to the people innocently opening infected
attachments.

~~~
thomastjeffery
Windows update is, put simply, a pain in the ass.

That has been the case for over a decade, and it has been getting worse over
time.

The reason I recommend a _free_ operating system is not because you are
allowed to read the source (although that is a bonus), it is because you have
the freedom to _control_ your operating system.

The problem with Windows is that "updates" are done in the most inconvenient
way possible, and with no control by the user. They often include changes that
the user _does not want_ bundled in with security patches. To contrast, a free
operating system gives you options (liberty). If I just want an old stable
version of Debian with security patches, I can get it.

The issue here stems from using proprietary software in the first place.
Proprietary software is controlled by the company, not the user.

------
pishpash
I think the lesson is to have less uniform, opaque bloatware controlled by
disinterested parties whether through proprietary technologies, walled
gardens, OR paternalistic update policies. Have some diversity in the network,
let people really know and choose what they want on and off, and have the
minimum of what is needed for the job turned on by that endowed choice, and
half of these problems go away.

------
linjian
How to prevent an attack from the internet is really a big problem. The more
open the system is, the more dangerous the system may be. In this attack, macOS
and Linux are safe. Maybe just because the system is not that open and a
malicious program cannot get the access to do something bad. And usually the
update to prevent some kind of attack is later than the attack itself.

------
Moru
It's not just a question of people not keeping their computers updated. I have
bought a few second hand computers with windows 7 the last few months and they
have all had problems when updating. I doubt most people even notice this and
think they are updated.

------
yuhong
Side note, I posted
[https://news.ycombinator.com/item?id=14334776](https://news.ycombinator.com/item?id=14334776)
on custom support and MS quarterly earnings.

------
WalterBright
I'm curious what kind of vulnerability it was. A buffer overflow? Stack
corruption? A memory safety issue at all, or something else?

~~~
setq
Overflow on a cast between a 16/32 bit value I think.

------
LoonyBalloony
I think the lesson here is to disband all spy agencies when not at war with
another nation state.

------
dominhhai
Why not use Linux or MacOS?

~~~
carlosrg
You have to be pretty delusional if you think macOS or Linux don't have
security problems.

~~~
pmlnr
Of course they do, yet we still haven't seen an outage like this, even though
most of the web world is running on some kind of linux.

Most probably it's due to the high variety in kernels, versions and the subtle
differences in linux distributions.

------
accountyaccount
LESSON: UPDATE YOUR SHIT

------
justinzollars
stackoverflow nazis; this should not be a closed question

------
10165
The real question should be: Can Microsoft write an OS that does not have to
be constantly patched, month after month?

We know they have written such things as part of research. But still they
continue to release software that is unfinished.

They have trained their users that failure to update is fatal. No doubt, if
they are using Windows.

They also like to conflate "update" with "upgrade". They use these security
problems in Windows to scare people into upgrading.

Windows 10, whether they like it or not. As others have noted, _by design_ the
new versions are not safer than the old ones.

Retroactively fixing reported issues does not make a new version more secure
_by design_. They could just as easily fix the issues in the older version.

Can this company get anything right the first time? Will they ever design a
system that is secure?

Do they have any interest in doing so?

Are they incapable?

There is nothing wrong with releasing something simple, secure and _finished_.

Does MS believe Windows users are not worthy of a secure OS?

I think Microsoft Research have contributed to development of L4 systems that
run on baseband.

Do these systems have the same vulnerabilities as Windows?

Fixing problems _after they occur_ (past problems) is admirable but other free,
open source OSes written by volunteers accomplish the same thing. The question
is whether the design of the system is such that _future problems_ are
avoided.

Does Microsoft believe Windows users deserve more security? Can Microsoft
deliver it?

All indications suggest the answer to both questions is no.

With no viable alternatives, no one can blame Windows users for sticking with
it despite red flag after red flag, but it makes no sense to defend the
Microsoft approach to security for Windows users. The company has no respect
for Windows users.

Being responsive to a constant stream of reported vulnerabilities is an
improvement from 1995 but as we can see it is not enough. Their software is
still full of mistakes. They need to prove they can make something that is
secure _by design_ and that they are willing to do so for users.

(Truthfully, they probably do not need to do anything.

Quotes of 80% of Windows installations being tied to purchases of hardware are
probably not far off the mark.

There is no selection of OS by most computer users.

A majority of users still get Windows pre-installed on the computers they
purchase.

Microsoft could completely ignore users and it would not hurt their business,
as long as they continue to maintain relationships with hardware
manufacturers.)

~~~
thr0waway1239
Most of these fit into a tweet. You could have asked Tay if it was still
around :-)

------
Findeton
Lesson 1: don't use Windows.

------
z3t4
Stop exposing functions meant to run in private networks (LAN) to the internet.
Please make stuff secure by default.

------
a_imho
_Second, this attack demonstrates the degree to which cybersecurity has become
a shared responsibility between tech companies and customers._

Victim blaming at its finest.

------
mrmondo
Pretty sure this is a highly targeted piece of PR designed to shift the blame
from Microsoft's appallingly poor operating system design, especially when it
comes to security. Are the NSA a deceptive, anti-humanist organisation that
performs atrocious acts against people - yes - I absolutely believe so and
they play a HUGE part in this, but Microsoft - they are the irresponsible
software vendor here and do they reimburse people that have PAID for their
software? No.

------
denzil_correa
> Finally, this attack provides yet another example of why the stockpiling of
> vulnerabilities by governments is such a problem. This is an emerging
> pattern in 2017. We have seen vulnerabilities stored by the CIA show up on
> WikiLeaks, and now this vulnerability stolen from the NSA has affected
> customers around the world. Repeatedly, exploits in the hands of governments
> have leaked into the public domain and caused widespread damage. An
> equivalent scenario with conventional weapons would be the U.S. military
> having some of its Tomahawk missiles stolen. And this most recent attack
> represents a completely unintended but disconcerting link between the two
> most serious forms of cybersecurity threats in the world today – nation-state
> action and organized criminal action

Did the Microsoft President just confirm that the NSA developed the vulnerability
which led to the attacks on hospitals this weekend?!

~~~
rando444
This is public knowledge at this point.

~~~
MichaelGG
Citation please?

~~~
laumars
The NSA hoarding / leaking aspect of this vulnerability has been reported by
most major news outlets. Even the mainstream ones. Albeit most haven't
expanded on that point to the level that Microsoft did here.

~~~
MichaelGG
Sorry, I misread it as the NSA developing the holes, as in backdoors,
intentionally creating the vulnerability.

~~~
dredmorbius
Effectively, that's what happened.

------
feelix
From the article:

 _> A month prior, on March 14, Microsoft had released a security update to
patch this vulnerability and protect our customers. While this protected newer
Windows systems and computers that had enabled Windows Update to apply this
latest update, many computers remained unpatched globally._

They stopped supporting Windows XP years ago, including with security updates.

There are still around 100 million computers around the world running XP.

It seems irresponsible to just hang them out to dry when there are
that many machines out there running it. A virus seems inevitable if they do.
And shifting the blame onto the customers is not reasonable when there are
still 100 million customers who are "doing it wrong" by not upgrading to a
later version of Windows.

This entire article pertains to directly shifting the blame onto their
customers, and the governments of the affected countries (!)

 _> The fact that so many computers remained vulnerable two months after the
release of a patch illustrates this aspect_

Again, XP systems are the most affected, and there was no patch released for
XP. This is extremely irresponsible of Microsoft and this article shifting the
blame onto everyone but themselves is reprehensible.

~~~
will4274
How long should Microsoft be required to support XP? They extended the
original support period TWICE. Why are customers entitled to support when they
were informed prior to purchasing the product that support expired on a given
date?

~~~
codedokode
Maybe newer OSes do not have any useful features for those customers? Maybe they
are even worse for them because they work slower, are not compatible with old
drivers, and contain spyware (telemetry)?

~~~
will4274
Is a company obligated to sell a product with features that you consider
useful? Intel doesn't make pre-ME CPUs anymore. Apple doesn't make Power PC
iMacs anymore. And Microsoft doesn't make Windows XP anymore. In all these
markets, there are consumers who would prefer to purchase the discontinued
product. So what? Products get discontinued.

Consider a discontinued product from another industry, like a car or an
appliance. When the product is discontinued, the manufacturer only creates
replacement parts for existing machines for a limited time period. After some
years, it's difficult for a consumer to maintain their copy of the
discontinued product because it is difficult to find replacement parts.

The point is, mass produced engineering products have lifecycles. Microsoft
clearly defined (and extended) Windows XP's lifecycle and provided patches for
the entirety of that lifecycle. It's hard for me to understand how that
doesn't fully meet their obligations to be fair to their customers.

~~~
codedokode
While you are right, there is a difference: you can drive a 20-30-year-old
(if repaired) car on modern roads, but once you connect a PC with a 20-year-old
OS to the internet, it will get infected. And a 20-year-old browser will not
be able to display modern websites.

Maybe when cars become more computerized (?) and connected, they will
become unusable faster.

------
partycoder
Microsoft is feature- and sales-oriented, not quality-oriented. Security is an
aspect of quality. So if you voluntarily like to put yourself at risk, by all
means use their products.

Their product design doesn't emphasize security. For example, remember the
extremely convenient AUTORUN.INF feature? That has probably resulted in
billions of dollars lost and that number continues to grow every day.

Rendering fonts in the kernel... fantastic idea! What's the next great
Microsoft idea? Continue to buy their products and figure it out.

~~~
cholantesh
>implying ransomware has only ever affected Windows

