
Microsoft will make the most from WannaCry - dberhane
https://www.ft.com/content/b25e5c5e-3a34-11e7-821a-6027b8a20f23
======
jkh1
Despite their posturing, how can we trust Microsoft (and other companies like
it)? Windows is a black box. How do we know that there are no
backdoors/spying routines to please some governments? How can we trust that
it behaves ethically with all the data it collects? We only have their word
for it.

~~~
captainmuon
Well, you often have no other choice. You can go out of your way and install
an open source OS, but then there might still be a backdoor in your hardware.
Ultimately, this cannot be solved technically, but socially. In a country
with a strong rule of law and democracy, you _should_ be able to trust that
the state builds no backdoors into your devices when they say they don't. And
you should be able to trust the manufacturers that they don't do it by
themselves. But unfortunately they have incentives to go both ways (short term
profit + appeasing governments on the one hand, vs. gaining consumer trust on
the other).

I'll go meta here: How can we trust food companies? They have incentives to
deceive us, to adulterate their products, produce as cheaply as possible and
sell as expensively as possible. There are magazines, websites, that do
nothing but test food. It blows my mind when I think about that. How
antagonistic is our society, when _the people who make our food_ are working
against us. The solution we developed for that are checks and balances in the
form of journalism and consumer protection laws. Sometimes it works, sometimes
not. Whether it's adulterants in food or backdoors in software, it's a similar
problem.

~~~
jkh1
I agree, although recent developments in the western world indicate that we're
not going down the road of checks and balances, e.g. the Snoopers' Charter in
the UK, secret courts in the US.

------
tjoff
How does WannaCry spread? From what I find it's primarily via an SMB exploit,
but who on earth can possibly receive SMB traffic on the internet today?

Is it automatically opened via UPNP or something? (seems doubtful)

~~~
tunap
Initially through an attachment and subsequently through the LAN via SMB. SMB
is (was?) enabled by default in Windows Features.

~~~
tjoff
So, if the attack requires you to double-click on virus.exe, the NSA exploits
everyone is talking about didn't really matter that much, did it?

Sure, when hitting a large corporation that would obviously help a lot but
home networks (which for some reason have been hit quite hard as well) don't
even have that many machines to begin with.

~~~
devopsproject
The NSA exploits matter because they would be one of the few orgs to have
access to multiple zero days. Imagine WannaCry paired with a drive-by browser
exploit.

~~~
tjoff
Of course, I meant that it didn't matter much in this particular case.

Every news outlet as well as technical sites seems to agree that it was NSA
that enabled _this_ attack, but if it all boils down to users opening email
attachments that's something else entirely.

~~~
xg15
The email attachment is the matchstick, the NSA has soaked everything in
gasoline, so to speak. Thanks to the zero day, you need _one_ person opening
the attachment to infect every machine on the LAN.

You're right about the point of home networks though. Some wild guesses:

- Infected machines that are moved between networks - e.g. a laptop that's
used in both public and private networks BYOD-style.

- The worm also didn't use broadcasts to spread but simply tried out all IP
addresses in its subnet. So if an ISP isn't properly isolating its customers,
the worm might spread from customer to customer _behind_ the ISP's NAT.

- People are actually that stupid and clicked on the attachment a lot.

~~~
tjoff
Even without the zero-day it would have spread to whatever NAS was used and
eventually encrypt and possibly spread - though just not as quickly.

So, _it would have been game over anyway._ The main advantage of a quick
attack is likely that if you opt to pay to decrypt you have more infected
computers (and sure, laptops - but these details are not exactly game-
changing).

~~~
xg15
> _Even without the zero-day it would have spread to whatever NAS was used and
> eventually encrypt and possibly spread - though just not as quickly._

That kind would have been orders of magnitude slower though and again
dependent on social engineering: The worm would have needed someone to
download the executable from the NAS and run it - in the face of usual
security practices and anti-virus software looking for exactly that kind of
thing - for every single machine. Even then the executable would only have
admin privileges at best and probably not even that.

Compare that to the exploit which allowed the worm to execute code on every
Windows machine in the LAN, with system privileges and without _any_ user
interaction needed.

I think the exploit increased both the speed and the likelihood of successful
infection by an order that _is_ game-changing: Even if an infection was
spotted, by the time countermeasures could have been deployed, the damage had
already been done. Because no social engineering was required, even machines
with restricted user input or no input at all were at risk (e.g. information
screens or specialized hospital equipment).

~~~
tjoff
> _The worm would have needed someone to download the executable from the NAS
> and run it..._

Well, by that time the NAS is lost so it is already game over anyway. Nothing
of value is stored on individual workstations (and if they do they ought to
have some form of backup (which again, probably is the very same NAS)). It is
an inconvenience, sure, but comparatively a minor detail.

~~~
xg15
> _Nothing of value is stored on individual workstations (and if they do they
> ought to have some form of backup [...])_

That's a very broad assertion. Maybe that's true in a setup where everyone
uses thin clients, but in the usual case, there is still enough friction on
Windows in using network shares that many people will have local copies of the
files they work with. Also, a NAS is probably the first thing you'd hook up to
a backup - if you're not using a cloud service anyway.

Finally, the workstation itself is absolutely important. If only the NAS were
affected you could at least keep working with what's left. Some machines are
also specialized, e.g. info screens, ATMs, PoS terminals, hospital
equipment...

~~~
tjoff
Info screens, ATMs etc. are easily reimaged though - no data loss.

Anyway:
[http://baesystemsai.blogspot.se/2017/05/wanacrypt0r-ransomwo...](http://baesystemsai.blogspot.se/2017/05/wanacrypt0r-ransomworm.html)

> _The initial infection vector is still unknown. Reports by some of phishing
> emails have been dismissed by other researchers as relevant only to a
> different (unrelated) ransomware campaign, called Jaff._

> _There is also a working theory that initial compromise may have come from
> SMB shares exposed to the public internet. Results from Shodan show over 1.5
> million devices with port 445 open – the attacker could have infected those
> shares directly._

A surprisingly large number of SMB shares exposed directly to the internet;
that would of course be a great starting point.

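Added example, not code from the thread, from BAE or from any named project: a small Python detector over constructed connection-log lines that flags the two patterns discussed above. First, the sequential-subnet spreading xg15 describes (a host contacting many distinct addresses in its own /24 on port 445 within a short window, rather than talking to one file server), and second, the "port 445 open to the internet" exposure in the BAE excerpt (SMB connections reaching internal hosts from outside the site's own address ranges). The log format (`<ISO time> <src_ip> <dst_ip> <dst_port>`), the 10.0.0.0/8 internal range, and the threshold and window values are all assumptions for the example.

```python
"""Flag worm-style SMB fan-out and internet-sourced SMB in connection logs.

Added example, not from the thread. The log layout, the internal address
range, and the tuning values below are assumptions, not a real product's.
"""
from collections import defaultdict, deque
from datetime import datetime
import ipaddress

SMB_PORT = 445
# Assumed site-internal ranges. Tested against these rather than Python's
# is_global, which also treats documentation ranges such as 198.51.100.0/24
# as non-global and would hide the sample external source below.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample records (not real traffic). 10.0.0.5 walks its /24 on
# port 445; 10.0.0.20 just reuses one file server; 198.51.100.7 is outside
# INTERNAL_NETS and reaches an internal share on 445.
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.0.5 10.0.0.1 445
2017-05-12T10:00:00 10.0.0.5 10.0.0.2 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.3 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.4 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.6 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.7 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.8 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.9 445
2017-05-12T10:00:10 10.0.0.20 10.0.0.50 445
2017-05-12T10:00:11 10.0.0.20 10.0.0.50 445
2017-05-12T10:00:12 10.0.0.21 10.0.0.50 80
2017-05-12T10:05:00 198.51.100.7 10.0.0.50 445
"""


def parse_log(text):
    """Parse lines of the assumed format into (time, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts),
                        ipaddress.ip_address(src),
                        ipaddress.ip_address(dst),
                        int(port)))
    return records


def find_subnet_sweeps(records, prefix=24, threshold=8, window_seconds=60):
    """Return {source: distinct_targets} for sources that contact at least
    `threshold` distinct hosts inside their own /prefix on port 445 within
    `window_seconds`. Repeated connections to one server never trip it."""
    recent = defaultdict(deque)  # src -> deque of (time, dst) in the window
    flagged = {}
    for ts, src, dst, port in sorted(records, key=lambda r: r[0]):
        if port != SMB_PORT:
            continue
        own_net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if dst not in own_net:
            continue
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in flagged:
            flagged[src] = len(distinct)
    return {str(s): n for s, n in flagged.items()}


def is_internal(addr, nets=INTERNAL_NETS):
    return any(addr in net for net in nets)


def find_internet_smb(records, nets=INTERNAL_NETS):
    """Return sorted (src, dst) pairs where SMB reaches an internal host from
    a source outside the configured internal ranges: an exposed share."""
    hits = set()
    for _, src, dst, port in records:
        if port == SMB_PORT and is_internal(dst, nets) and not is_internal(src, nets):
            hits.add((str(src), str(dst)))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("subnet sweeps:", find_subnet_sweeps(recs))
    print("internet-sourced SMB:", find_internet_smb(recs))
```

On the sample data the sweep check reports only 10.0.0.5 (eight distinct neighbours on 445 within a few seconds), not 10.0.0.20, and the exposure check reports the single 198.51.100.7 to 10.0.0.50 connection. The threshold and window are deliberately conservative defaults; on a real network they should be tuned against a baseline of normal file-server traffic.
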
~~~
xg15
> _Info screens, ATMs etc. are easily reimaged though - no data loss._

Indeed. I figure the damage in that case is more lost time and bad publicity
(lots of photos showing the ransom note on public screens).

> _The initial infection vector is still unknown [...] SMB shares exposed to
> the public internet_

That's interesting. I wasn't aware of that but I agree, it would explain the
quick spreading much better.

------
vengefulduck
Non-paywalled link:
[https://webcache.googleusercontent.com/search?q=cache:28gvJs...](https://webcache.googleusercontent.com/search?q=cache:28gvJsnYhf4J:https://www.ft.com/content/b25e5c5e-3a34-11e7-821a-6027b8a20f23+&cd=4&hl=en&ct=clnk&gl=us)

------
jdironman
Only way I got around the paywall was pasting the URL into Google then
clicking 'Cached' version.

~~~
jaimex2
why bother? Just click back and move on to other news.

~~~
LyndsySimon
Yep. I no longer visit news sites with paywalls, no matter how easily
circumvented.

~~~
pjmlp
I hope you also don't complain about lack of quality of free content.

~~~
LyndsySimon
Nope.

The quality of free content is quite good, and generally the bias of that
content is more apparent.

------
dtnewman
TLDR: Microsoft is using WannaCry as an opportunity to complain about the NSA
and as an opportunity to tell people they need to update their software.

I personally think that it's great to get the message across that people need
to keep their operating systems up-to-date. I see too many non-technical
people thinking in dangerous ways:

* "I don't want to update software, because the new software could have bugs which might be a security risk." I used to work for a well-known Fortune 500 that thought this way. But _all_ software is vulnerable in one way or another and by keeping it up to date, you also get the most recent security patches. Software vendors generally aren't putting major resources into securing old versions of their software.

* "I've got anti-virus software installed on my computer and we've got a firewall on our network". And maybe that will help you at some point, but if you don't update your OS, that's like having bullet-proof windows and leaving your front door unlocked.

~~~
mstade
I wonder how much of the never-upgrade mentality is down to Microsoft
insisting on being backwards compatible back till basically the Jurassic
period, and providing support for obsolete software for years and years. Their
intention is commendable, but there's something to be said for sometimes
breaking things for what is _hopefully_ the greater good.

The Rust package manager issue that was on HN the other week comes to mind,
where a package called NUL (I think) wreaked havoc on Windows systems because
of backwards compatibility with DOS.

My point is: why rush to upgrade when you've got "support" anyway? For varying
definitions of support.

~~~
ambulancechaser
I'm not sure that your point makes sense. If Microsoft insists on backwards
compatibility, then you _can_ upgrade with "no worries". This policy seems to
encourage people to upgrade as the new OS will honor the old mechanisms.

In an OS where there was no commitment to backwards compatibility you would
have an incentive to not change anything when it works.

> My point is: why rush to upgrade when you've got "support" anyway?

This is a different point. But you seem to be criticizing the decision by
Microsoft to focus on backwards compatibility and support for old operating
systems, two things that seem to be commendable.

~~~
mstade
No, my apologies, I'm not being very clear then. I don't mean to criticise
Microsoft here, in fact I think their commitment to backwards compatibility is
commendable and I think history proves they've at least _tried_ to get people
on the automatic updates track. Execution hasn't been flawless, for sure, but
we're in a better place now than we were 15-20 years ago.

And I'm also not trying to draw any conclusions with my post. I'm genuinely
wondering whether the fact that Microsoft has been so committed to backwards
compatibility has fostered a kind of mentality where people and indeed
developers don't upgrade, simply because they know they won't be abandoned
_anyway_. It's always easier _not_ to change anything, and if the message is
typically "you'll be fine" anyway then where's the incentive? The "you'll be
safer, probably" message doesn't seem to me like it's working.

You're probably right that I'm not making much sense, I'm finding it a bit
hard to put my thoughts into words here.

------
mtgx
Not a big fan of Microsoft in general, and I generally distrust anything it
does, but I'm beginning to like this Brad Smith fellow. He's been pushing for
quite a few privacy initiatives inside Microsoft, and he's now also taking on
NSA and calling for a Digital Geneva Convention.

I also think Microsoft "got lucky" this time. Shadow Brokers sat on
EternalBlue for at least 6 months. They could've released it before the NSA
even alerted Microsoft that such a bug exists in its operating system
(probably earlier this year). That would've hurt Microsoft's image a lot more.

So I think this should also be a warning to Microsoft (and other software
companies). If there is some other backdoor in Windows or bug which
Microsoft may decide to sit on to give the NSA a few extra months to exploit
it, its image could be hurt a lot. Some other group may discover it and
then turn it into another global ransomware attack, before Microsoft even has
a chance to patch it.

So lesson of the day: don't do back room (or door) deals with the NSA, whether
because of fear, for money, "patriotism," or some other reason, because it
could come back and hurt you 10 times more when you're put in the spotlight as
the main party responsible for a global attack.

~~~
j_s
EternalBlue CVE-2017-0144 was [edit: allocated/reserved instead of "assigned"
per tweet] 2016-09-09.
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144)

Source:
[https://twitter.com/_supernothing/status/864021595303456768](https://twitter.com/_supernothing/status/864021595303456768)

> _MS has known about this bug since 09/2016 (when CVE was assigned) and
> patched in 03/2017. 240day_

~~~
belltaco
From the source that that tweet gets the "date" from:

> Date Entry Created 20160909

> Disclaimer: The entry creation date may reflect when the CVE-ID was allocated
> or reserved, and does not necessarily indicate when this vulnerability was
> discovered, shared with the affected vendor, publicly disclosed, or updated in
> CVE.

Do you have a better source for the 240day claim?

~~~
j_s
I included a link to the tweet's source.

AFAIK, this CVE's "Date Entry Created" is an interesting metadata artifact
without any additional significance currently (no further background info
publicly available at this time). I don't know if MITRE makes any additional
info (such as "who") public, though I'm sure it is stored somewhere.

I haven't had a chance to review the same value for other CVEs to determine
how "normal" it is for the create date to be so long before when the CVE goes
public, nor how things correlate for the associated Shadow Brokers fixes.

--

[https://twitter.com/thegrugq/status/853142591289802752](https://twitter.com/thegrugq/status/853142591289802752)

> _There are no acknowledgements for MS17-10 which patched most of the big
> bugs from the ShadowBrokers drop._

[https://www.renditioninfosec.com/2017/05/call-to-microsoft-to-release-information-about-ms17-010/](https://www.renditioninfosec.com/2017/05/call-to-microsoft-to-release-information-about-ms17-010/)

> _Microsoft has not disclosed how it came to know about the vulnerabilities
> included in the MS17-010 patch. Microsoft also has not disclosed any
> information about “in the wild” exploitation of these vulnerabilities._

------
hrnnnnnn
Paywalled. Work around it by pasting the URL into Google and clicking the link
there.

~~~
Kiro
You can click "web" as well.

~~~
Beltiras
This bookmarklet works as well:

    javascript:window.location.href='https://m.facebook.com/l.php?u='+encodeURIComponent(window.location.href);

------
a_b_c_d
True or false?

Microsoft is a company that actively tries to prevent any comparisons of its
products with other products, sometimes through threats of filing legal
proceedings.

True or false?

Only government agencies are capable of discovering flaws in Microsoft
Windows.

True or false?

A closed source kernel is more secure than an open source kernel.

(For the avoidance of doubt, here "open source" means open to public
inspection free of charges, terms or conditions, such as various UNIX-like
kernels. It also means the right to make changes, re-compile and re-distribute
without charges.)

True or false?

This determination can be made without comparing the source code for both
kernels.

Hypothetical and questions:

Product A has 5000-6000 new vulnerabilities per year, about 15 per day.

Product B has 5-20 new vulnerabilities per year.

Can we explain this difference by focusing on the parties who find the
problems that require patching?

Alternatively, should we focus instead on the products?

What if Product A is more complex than Product B?

Does this make any difference?

What if Product B can perform many of the same functions as Product A,
particularly the functions that are most often used to exploit a
vulnerability?

For example, handling data to be sent to or received from an untrustworthy
network such as the internet. In other words, networking with _remote_
computers ("internet") as opposed to only networking with _local_ computers
("IBM-compatible PC LAN").

Unlike BSD UNIX, Windows was originally designed for only local networking,
where very little if any security is required.

True or false?

Windows still retains some of this original design and source code.

That is a trick question because the Windows source code is not open source.
How would anyone verify what is still in that source code?

Keeping the source code from the eyes of its users does not protect them.

It may be possible to reverse engineer Microsoft products or patches to learn
how Windows works.

"Good guys" may do this as well as "bad guys".

A vulnerability could be discovered by someone who is not even old enough to
work for a government.

Repeat question:

Should we focus on who finds flaws in Windows or should we focus on the
Windows product itself?

------
WalterBright
For developers, the takeaway is to use memory safe programming languages.

