Microsoft tells the NSA (and similar) to stop being total shits
-
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organised criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new "Digital Geneva Convention" to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.
-
I love the fact that - since Russia has also been hit by this attack - Putin has also been using the fact that these exploits were created by the NSA as a stick to beat the West with. This conveniently ignores the fact that the Shadow Brokers who leaked the exploit almost certainly did so under direction of the Kremlin.
-
@gwowen Are you suggesting that Putin might not be being entirely honest? ;)
-
@RaceProUK He's as honest as the day is long. In December in Murmansk.
-
The only thing I'm interested to know is: will any NSA officer(s) be held responsible for the leak?
You know, the kind of things like leaking government secrets would usually be investigated high-profilely.
-
@cheong said in Microsoft tells the NSA (and similar) to stop being total shits:
will any NSA officer(s) be held responsible for the leak?
I get the feeling there's less chance of someone being found guilty over the leak than I have of fitting Pluto and Charon into a thimble.
-
@RaceProUK said in Microsoft tells the NSA (and similar) to stop being total shits:
I get the feeling there's less chance of someone being found guilty over the leak than I have of fitting Pluto and The Charon Mass Relay into a thimble.
FTFR.
-
@cheong Well, it's quite possible that someone has already been held responsible for the leak. Whoever left the code on the staging server (from where it was apparently exfiltrated) is almost certainly not at the NSA anymore.
Will they be held publicly accountable? No freaking chance.
The NSA tends to not want attention drawn to its covert operations by attempting to convict the people who f*** them up in open court, unless that person has deliberately put them in the public sphere (Ellsberg, Manning, Snowden etc)
-
@accalia said in Microsoft tells the NSA (and similar) to stop being total shits:
@RaceProUK said in Microsoft tells the NSA (and similar) to stop being total shits:
I get the feeling there's less chance of someone being found guilty over the leak than I have of fitting Pluto and The Charon Mass Relay into a thimble.
FTFAR.
FTFY :P
-
@RaceProUK said in Microsoft tells the NSA (and similar) to stop being total shits:
@accalia said in Microsoft tells the NSA (and similar) to stop being total shits:
@RaceProUK said in Microsoft tells the NSA (and similar) to stop being total shits:
I get the feeling there's less chance of someone being found guilty over the leak than I have of fitting Pluto and The Charon Mass Relay into a thimble.
FTFAR.
FTFY :P
not really. it's reality reality. not alternate reality.
Filed under: The Reapers are coming
-
@accalia That's not what the A was for:
-
@RaceProUK said in Microsoft tells the NSA (and similar) to stop being total shits:
@accalia That's not what the A was for:
-
@accalia Haha! My plan worked! :D
-
@RaceProUK said in Microsoft tells the NSA (and similar) to stop being total shits:
@accalia Haha! My plan worked! :D
-
@accalia You can't do that! It's my plan! I planned it!
-
@RaceProUK said in Microsoft tells the NSA (and similar) to stop being total shits:
@accalia You can't do that! It's my plan! I planned it!
-
@RaceProUK said in Microsoft tells the NSA (and similar) to stop being total shits:
a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.
This is as unreasonable as expecting a government to get rid of its own nuclear bombs, with no guarantee its enemies will do the same.
Worse, because exploits and the search for them are easier to hide.
-
@wharrgarbl You do realise that a lot of the time, in cyber-security, the weapons the enemy has are the same weapons the 'good' guys have?
-
@RaceProUK imagine a fictional reality where:
That 80% of the exploits the NSA and China are common
NK has only one but good exploit
Now NSA decide to be naive good guys and all they know gets patched.
USA now has no useful exploits for patched servers
China still has 20% of its former arsenal
NK still has their one good exploit
-
@thegoryone said in Microsoft tells the NSA (and similar) to stop being total shits:
@dkf I had no idea Murmansk has perpetual daily twilight in December. You learn something new every day!
That happens for about three months every year in Toronto. It's a fifth season, called the "Canadark".
-
@DCRoss said in Microsoft tells the NSA (and similar) to stop being total shits:
That happens for about three months every year in Toronto.
You do realise that that's practically a Southern city, from where I'm standing? ;)
-
@wharrgarbl said in Microsoft tells the NSA (and similar) to stop being total shits:
@RaceProUK imagine a fictional reality where:
That 80% of the exploits the NSA and China are common
NK has only one but good exploit
Now NSA decide to be naive good guys and all they know gets patched.
USA now has no useful exploits for patched servers
China still has 20% of its former arsenal
NK still has their one good exploit
But, if by chance NK's exploit is one of those which is disclosed and patched, NK will now have none.
-
@cheong That doesn't affect my point.
-
@thegoryone said in Microsoft tells the NSA (and similar) to stop being total shits:
@dkf Yet for all that, Toronto averages 2000 hours sunshine a year. Belfast averages 1200. The official welcome kit for Ireland includes Guinness, an umbrella and a dinghy.
Meanwhile Canada has 800 miles of paved road and just legalized the stapler.
-
@thegoryone said in Microsoft tells the NSA (and similar) to stop being total shits:
@DCRoss That is absolutely amazing. Is it better or worse than this, though? (In fairness it's more of a quality check but it's been used in the past to annoy the shit out of farmers for no reason)
The Marketing of Potatoes Act (1964) states that: “A constable may seize and may detain in custody any potatoes which are being or which are suspected by such an officer or constable of being, sent out of Northern Ireland”
I live in a culture which thinks it's okay to arrest someone for trying to bring 101mL of water onto an airplane, so very little surprises me any more.
-
@wharrgarbl said in Microsoft tells the NSA (and similar) to stop being total shits:
@RaceProUK imagine a fictional reality where:
That 80% of the exploits the NSA and China are common
NK has only one but good exploit
Now NSA decide to be naive good guys and all they know gets patched.
USA now has no useful exploits for patched servers
China still has 20% of its former arsenal
NK still has their one good exploit
And security overall is better because a lot more exploits are getting patched.
-
@wharrgarbl said in Microsoft tells the NSA (and similar) to stop being total shits:
@cheong That doesn't affect my point.
And NSA can continue to dig more exploits out and let the vendors patch them, so hopefully one day the other countries will have none on hand.
The fact that unpatched exploits tend to have groups of similar pattern means that, for a lot of time, each disclosed vulnerability means a dozen of other similar vulnerabilities will be patched. The more you disclose, the safer the world would be.
-
@wharrgarbl However, defending against cyber attacks is (at least in theory) much easier than nuclear bombs. We just lack any kind of security culture.
My country made some legislation forcing everyone to switch to network-connected "smart meters". Some students showed that they could be hacked, allowing anyone to shut down electricity in the local area. This should be a big deal, but guess what actually happened? Nothing. That's precisely where the problem comes from.
Throw a few billions at cybersecurity research and education programs (not to get into the topic of laws and regulations), and things will start to change.
I remember those blog posts about Midori. Basically Microsoft (supposedly) created a system that allowed code to run with memory safety (like .NET code) but as fast as native code, to the point where you can build most of the OS kernel out of it (and all of the userland, of course). Then it was apparently abandoned. Something like that being widely adopted would already remove most exploits we have today.
Or all those posts in the other thread about hospital devices running Windows XP with standard network shares, because it's easier and cheaper than using embedded OSs with secure protocols. Making devices with secure embedded software is not impossible, but it's hard. If every manufacturer has to solve that problem by themselves, the result will be a mess. Produce official guidelines on how to do that, and maybe subsidizing the development costs for those secure systems so they don't cost more than plain Windows, and you can avoid another NHS mess 10 years from now.
-
@anonymous234 said in Microsoft tells the NSA (and similar) to stop being total shits:
However, defending against cyber attacks is (at least in theory) much easier than nuclear bombs.
It's not just defense the NSA does. They claim to want to spy on terrorists too. (But they have a lot of interest in private corporations and economic benefit too).
(They could get billions in the stock market with all this spying, I wouldn't be surprised if there is a lot of that too, it would be like insider trading)
-
@wharrgarbl said in Microsoft tells the NSA (and similar) to stop being total shits:
It's not just defense the NSA does. They claim to want to spy on terrorists too.
Yes, that's the thing. I guess that most governments simply don't WANT to improve global cybersecurity. They'd rather have the opportunity to exploit it themselves, even at some risk.
-
@anonymous234 said in Microsoft tells the NSA (and similar) to stop being total shits:
subsidizing the development costs
Fuck this. Every time the government subsidizes something it's just a money grab and we end with shitty results.
-
@wharrgarbl said in Microsoft tells the NSA (and similar) to stop being total shits:
Every time the government subsidizes something it's just a money grab and we end with shitty results.
Says man ON THE INTERNET
-
@wharrgarbl said in Microsoft tells the NSA (and similar) to stop being total shits:
Fuck this. Every time the government subsidizes something it's just a money grab and we end with shitty results.
That's just some weird American belief.
-
@RaceProUK said in Microsoft tells the NSA (and similar) to stop being total shits:
I get the feeling there's less chance of someone being found guilty over the leak than I have of fitting Pluto and Charon into a thimble.
Well, Pluto is no longer a planet, so your chances are higher now.
-
@thegoryone said in Microsoft tells the NSA (and similar) to stop being total shits:
They didn't look very well, I accidentally had a stanley knife and a screwdriver in my laptop bag. Got it in and out both ends of the trip.
I'm also getting surprising things through the airport by complete accident.
It makes me wonder what someone can get through with the intention of doing so.
I got a coke through by placing it on the xray baggage scanner and picking it up when I got through the metal detector on the other side. I might have even verbally said "Forgot this."
-
@anonymous234 said in Microsoft tells the NSA (and similar) to stop being total shits:
My country made some legislation forcing everyone to switch to network-connected "smart meters". Some students showed that they could be hacked, allowing anyone to shut down electricity in the local area. This should be a big deal, but guess what actually happened? Nothing.
All that needs to happen now is to "accidentally" hack a few "important" people. It will be amazing how quickly it becomes a priority 1 bug.
-
@anonymous234 said in Microsoft tells the NSA (and similar) to stop being total shits:
I guess that most governments simply don't WANT to improve global cybersecurity.
Some parts of governments (most likely) will want to, but due to the nature of the beast, intelligence services tend to be highly secretive of what they know and can do, and very protective of their secrets even toward people or organizations who probably should know them. So even if the top levels of government decide that computer security is priority number one, it might be very doubtful if their own intelligence services would cooperate 100% with that goal — given that it would require them to disclose some of their secrets, might make their work more difficult in future, and could in theory allow an opponent to gain an advantage.
-
@RaceProUK said in Microsoft tells the NSA (and similar) to stop being total shits:
including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them
Yeah, uh... good luck with that.
-
@anotherusername said in Microsoft tells the NSA (and similar) to stop being total shits:
Yeah, uh... good luck with that.
How many nukes does America have?
-
@xaade said in Microsoft tells the NSA (and similar) to stop being total shits:
@anotherusername said in Microsoft tells the NSA (and similar) to stop being total shits:
Yeah, uh... good luck with that.
How many nukes does America have?
The CIA will be along shortly to disappear you for spying.
-
@xaade said in Microsoft tells the NSA (and similar) to stop being total shits:
@thegoryone said in Microsoft tells the NSA (and similar) to stop being total shits:
They didn't look very well, I accidentally had a stanley knife and a screwdriver in my laptop bag. Got it in and out both ends of the trip.
I'm also getting surprising things through the airport by complete accident.
It makes me wonder what someone can get through with the intention of doing so.
I got a coke through by placing it on the xray baggage scanner and picking it up when I got through the metal detector on the other side. I might have even verbally said "Forgot this."
Shit, I just flew on Friday and got away with an opened bag of pistachios IN THE BIN (as in I took them out of my bag like you need to do for laptops), as well as a McDonald's cheeseburger in said bag from the day before. Nobody said a word.
-
@e4tmyl33t said in Microsoft tells the NSA (and similar) to stop being total shits:
Shit, I just flew on Friday and got away with an opened bag of pistachios IN THE BIN (as in I took them out of my bag like you need to do for laptops), as well as a McDonald's cheeseburger in said bag from the day before. Nobody said a word.
E_NOT_LIQUID. Good to go.
-
@dcon Is it really an E_ when it doesn't provoke an error response?
-
@masonwheeler said in Microsoft tells the NSA (and similar) to stop being total shits:
@dcon Is it really an E_ when it doesn't provoke an error response?
Well, we do have ERROR_SUCCESS (so close enough)
-
@dcon said in Microsoft tells the NSA (and similar) to stop being total shits:
ERROR_SUCCESS
-
@masonwheeler said in Microsoft tells the NSA (and similar) to stop being total shits:
@dcon Is it really an E_ when it doesn't provoke an error response?
ENOERROR
-
@e4tmyl33t they should've stopped @xaade's coke (they aren't supposed to allow beverages larger than 3 oz), but like @dcon said, solid food is perfectly fine. It just has to be wrapped up and sent through the x-ray machine.
And once you've gone through security, anything you get after you're inside the secured area is fine to carry onto the plane with you. So if you bought drinks or filled up your (empty to get it through security) water bottle, that's fine.