
US Government Fears Another Explosion Of The Ransomware Plague It Helped Create - JumpCrisscross
https://gizmodo.com/u-s-government-fears-a-monday-explosion-of-the-ransomw-1795208518
======
Asdfbla
I guess it will unfortunately take a long time for the world to realize that
the rules of "cyberwar" are different from the conventional military. (Of
course, there's a lot of literature from security and cyberwar researchers,
but that doesn't seem to reach the politicians.)

You can't just pour money in offensive capabilities of your intelligence
agencies, as is currently done in most countries, and hope to "win". Your
exploits and zero days will be stolen, your critical systems will be weaker
(because you intentionally weakened them or didn't disclose vulnerabilities)
and you simply can't control the weapons you created. Worst of all, the
weapons developed by state actors will fall into the hands of ordinary
criminals, which makes for an even more complicated world.

~~~
daurnimator
How is that any different from manufacturing physical arms that somehow end up
in the possession of some enemy foreign power?

~~~
cryptarch
It's more akin to manufacturing portable arms factories, that can also
replicate themselves.

Lose one and you're SOL.

~~~
votepaunchy
SOL except that the arms can be rendered useless with a simple update in
defenses.

~~~
WrtCdEvrydy
Yeah, and when the US power grid is offline for three days due to latest NSA
cyber toy to get out of fucking Fort Meade, I'm sure the priority of those
people stuck in an elevator or families watching their loved ones die due to a
life support system failure will be to fucking update Windows XP.

~~~
ams6110
If that were to happen it would be more the fault of power companies that do
not have critical systems well protected. Fort Meade is hardly the only entity
developing these sorts of exploits, so you have to expect them. The patch for
this has been out for a while now.

------
windlep
Liability.

If the NSA was actually forced to be liable for the damage of their hoarded
0-days should they leak, that might have a bigger effect than any 'guidance'
I would imagine politicians might pass in a law. I hate to suggest something
that involves yet more lawyers, but it's amazing how effective that can be to
make people in charge do some serious risk-assessment analysis about what they
hoard and for how long.

~~~
tuxxy
How would this work for a private individual? Would this help create a
precedent for private security researchers where they might be held liable for
not disclosing 0days?

I agree that this would definitely curb potential damage, but I'm not sure if
this is exactly the right way to go about it. NSA is first and foremost an
intelligence agency. What do you think the best policy is for maintaining an
effective arsenal and maintaining "0day responsibility"?

~~~
mcintyre1994
Is there any legitimate reason to hold 0-days without disclosing them to the
vendor? There probably are reasons I haven't thought of, but do they apply to
as active a company as Microsoft?

Edit: I think I misread this and you're asking in the context of the NSA
holding them. I still doubt there's a way to do it responsibly, so they
probably shouldn't be doing it.

~~~
downandout
Sure there is a legitimate reason to withhold them, though many would say it's
not a very ethical one: money. Private researchers hold them for sale to the
NSA and other agencies all the time. Here are a few exchanges (there are also
high end "agents" - akin to Hollywood agents - that broker these deals):

[1] [https://zerodium.com/](https://zerodium.com/)

[2] [https://www.mitnicksecurity.com/shopping/absolute-zero-day-exploit-exchange](https://www.mitnicksecurity.com/shopping/absolute-zero-day-exploit-exchange)

And some info on this market: [https://en.wikipedia.org/wiki/Market_for_zero-day_exploits](https://en.wikipedia.org/wiki/Market_for_zero-day_exploits)

~~~
frubar
Every possible job doesn't need to exist. We shouldn't put the whole online
world at risk so a handful of people can make a buck.

------
whatnotests
Do you want insecure systems, massive fallout from leaked pwning tools and
thieves taking the world prisoner? Because the NSA's strategy so far is how
you get insecure systems, massive fallout from leaked pwning tools and thieves
taking the world prisoner.

I wonder how the dialectic will play out in a worst-case scenario if we get to
that point.

~~~
jessaustin
It would be worth months of serious global computer outages, to bring NSA
under control of elected officials. I fear we'll get the former without the
latter...

~~~
boomboomsubban
Elected officials in charge of the NSA isn't a desirable result. They will
just replace the leaders with people loyal to them and we're in the same
situation.

~~~
rev_null
If elected officials aren't already in charge of the NSA, who is?

Does the NSA literally report to no one?

~~~
boomboomsubban
Technically the military is in charge, who report to the elected officials.
But a battle between politicians and an intelligence/counterintelligence
agency seems one sided.

~~~
jessaustin
The idea that NSA are under military control is also pretty fanciful. That
almost plays against the spooks in the current situation, however. It inspires
some skeptics to notice the puppeteer's hand the spooks have run up the
media's ass, constantly searching for any narrative that could bring the
current officeholder under their thumb.

~~~
boomboomsubban
Don't kid yourself, he is already under their thumb. Look at his proposed
budget, three things had a budget increase and two of them contain
intelligence organizations. These groups aren't unified.

~~~
jessaustin
Haha yeah that's tough. It's kind of a bleak view, that all of the big
tribulations of our world are nothing but the dog being wagged while different
factions of the intelligence complex play petty meaningless games of king of
the mountain.

------
beedogs
This kind of thing is going to just keep happening, and there's really not a
whole lot anyone can do to stop it.

It's been an escalating war of intrusion capabilities among nation-states for
the past 20 years, and when some of those weapons are released into the wild,
this is sometimes the result.

------
vezycash
The US government will attack Bitcoin - both technologically and politically
instead of taking responsibility for this.

------
contingencies
The ransomware reportedly hit Chinese police networks today, and is causing
significant issues.

~~~
geomark
Thailand's national police, too. Someone there tweeted a photo this morning.
[https://pbs.twimg.com/media/C_yiGj1UIAE6wby.jpg](https://pbs.twimg.com/media/C_yiGj1UIAE6wby.jpg)

------
dandare
Why can't Microsoft or NSA or whatever good samaritan use the same
vulnerability and attack vector to force-spread the update or at least a patch
of some kind?

~~~
FungalRaincloud
Because such entities, even when acting in the public good, would be breaking
the law if they did. Those who publicly act in the public good usually try not
to break the law to do so.

~~~
dandare
Could not the president easily issue an executive order asking NSA to use the
hack to protect everyone?

~~~
FungalRaincloud
EOs cannot violate the law, or compel someone to violate the law. Could the
president issue such an executive order? Potentially. But that does not mean
it gets carried out, or is legal.

Do you think this president would? I don't think it terribly likely, and if I
heard that he was about to, I'd probably start booting Linux for a few months,
because I would wholeheartedly suspect that it did more than just patch
affected systems.

------
HalfwayToDice
Huh? The NSA didn't create the exploit. Oh, it's Gizmodo. Why is this garbage
on HackerNews.

~~~
zigzigzag
Yes they did. Nobody so far has posted a reverse engineering of exactly how
EternalBlue works (I saw an article in Chinese but it was hard to tell if it
had a real explanation given the auto-translate). WannaCry is simply using the
actual NSA exploits, compiled, direct from the ShadowBrokers leaks, along with
the DOUBLEPULSAR "implant".

~~~
hiisukun
The commentary within the metasploit module for MS17-010 [1] should count for
posting 'a reverse engineering' or at least some meaningful analysis of moving
parts within EternalBlue SMB exploit.

The researchers involved are @zerosum0x0 and @JennaMagius on twitter. Their
work has been impressive (including eliminating a 10 second delay in some of
the exploit chain iirc) if you ask me.

Of course I don't disagree with the content of your post - it does appear that
the release of a working exploit has driven the release of this malware,
rather than the release of the MS patch, or a description of the vulnerability
in general (such as within the CVE).

[1] [https://github.com/RiskSense-Ops/MS17-010](https://github.com/RiskSense-Ops/MS17-010)

~~~
zigzigzag
I looked there. It doesn't explain anything beyond mentioning that the exploit
involves heap manipulation.

The Metasploit eternalblue module simply runs an interpreter for a long set of
commands that send massive binary blobs over the wire in a particular
sequence. To me this looks like a cleaned up Wireshark trace rather than
anything based on true understanding of what it really does. As far as I can
tell the only people who understand what these packets are doing to Windows
are TAO and probably one or two developers at Microsoft.

------
thrillgore
If you want to stop this arms race of ransomware, STOP HOARDING ZERO DAYS

------
colept
What is there to gain, say for example, if this wasn't an accident?

~~~
nyolfen
very little? nsa loses both the ability to use their classified exploits when
they're burned (or at least use them as effectively), and they lose out in the
PR arena for looking like they can't keep a lid on their own secret weapons,
at everyone else's cost. those are _extremely_ severe costs, particularly the
latter. i really can't think of any potential upside that isn't trivial in
their shadow -- the $30k in bitcoin ransoms people have ponied up?

~~~
MaulingMonkey
> the $30k in bitcoin ransoms people have ponied up?

Smokescreen for your $N if you're a rogue agent selling your exploits to
another organization - or simply claiming some part of the ransomware pie?
Just because the NSA as an organization is paying the price, doesn't mean
_you_ as an individual agent are.

Of course, this requires the gumption to think you'll get away with it.

------
biocomputation
It's even more horrifying that, as a US citizen, I'm one of the people who
paid for this work.

