WannaCry and Vulnerabilities

There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which blocks victims' access to their computers until they pay a fee. Then there are the users who didn't install the Windows security patch that would have prevented an attack. A small portion of the blame falls on Microsoft, which wrote the insecure code in the first place. One could certainly condemn the Shadow Brokers, a group of hackers with links to Russia who stole and published the National Security Agency attack tools that included the exploit code used in the ransomware. But before all of this, there was the NSA, which found the vulnerability years ago and decided to exploit it rather than disclose it.

All software contains bugs or errors in the code. Some of these bugs have security implications, granting an attacker unauthorized access to or control of a computer. These vulnerabilities are rampant in the software we all use. A piece of software as large and complex as Microsoft Windows will contain hundreds of them, maybe more. These vulnerabilities have obvious criminal uses that can be neutralized if patched. Modern software is patched all the time -- either on a fixed schedule, such as once a month with Microsoft, or whenever required, as with the Chrome browser.

When the US government discovers a vulnerability in a piece of software, however, it decides between two competing equities. It can keep it secret and use it offensively, to gather foreign intelligence, help execute search warrants, or deliver malware. Or it can alert the software vendor and see that the vulnerability is patched, protecting the country -- and, for that matter, the world -- from similar attacks by foreign governments and cybercriminals. It's an either-or choice. As former US Assistant Attorney General Jack Goldsmith has said, "Every offensive weapon is a (potential) chink in our defense -- and vice versa."

This is all well-trod ground, and in 2010 the US government put in place an interagency Vulnerabilities Equities Process (VEP) to help balance the trade-off. The details are largely secret, but a 2014 blog post by then President Barack Obama's cybersecurity coordinator, Michael Daniel, laid out the criteria that the government uses to decide when to keep a software flaw undisclosed. The post's contents were unsurprising, listing questions such as "How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the US economy, and/or in national security systems?" and "Does the vulnerability, if left unpatched, impose significant risk?" They were balanced by questions like "How badly do we need the intelligence we think we can get from exploiting the vulnerability?" Elsewhere, Daniel has noted that the US government discloses to vendors the "overwhelming majority" of the vulnerabilities that it discovers -- 91 percent, according to NSA Director Michael S. Rogers.

The particular exploit used by WannaCry is code-named EternalBlue; the underlying vulnerability in Windows was discovered by the US government -- most likely the NSA -- sometime before 2014. The Washington Post reported both how useful the bug was for attack and how much the NSA worried about it being used by others. It was a reasonable concern: many of our national security and critical infrastructure systems contain the vulnerable software, which imposed significant risk if left unpatched. And yet it was left unpatched.

There's a lot we don't know about the VEP. The Washington Post says that the NSA used EternalBlue "for more than five years," which implies that it was discovered after the 2010 process was put in place. It's not clear if all vulnerabilities are given such consideration, or if bugs are periodically reviewed to determine if they should be disclosed. That said, any VEP that allows something as dangerous as EternalBlue -- or the Cisco vulnerabilities that the Shadow Brokers leaked last August -- to remain unpatched for years isn't serving national security very well. As a former NSA employee said, the quality of intelligence that could be gathered was "unreal." But so was the potential damage. The NSA must avoid hoarding vulnerabilities.

Perhaps the NSA thought that no one else would discover EternalBlue. That's another one of Daniel's criteria: "How likely is it that someone else will discover the vulnerability?" This is often referred to as NOBUS, short for "nobody but us." Can the NSA discover vulnerabilities that no one else will? Or are vulnerabilities discovered by one intelligence agency likely to be discovered by another, or by cybercriminals?

In the past few months, the tech community has acquired some data about this question. In one study, two colleagues from Harvard and I examined over 4,300 disclosed vulnerabilities in common software and concluded that 15 to 20 percent of them are rediscovered within a year. Separately, researchers at the Rand Corporation looked at a different and much smaller data set and concluded that fewer than six percent of vulnerabilities are rediscovered within a year. The questions the two papers ask are slightly different and the results are not directly comparable (we'll both be discussing these results in more detail at the Black Hat Conference in July), but clearly, more research is needed.

People inside the NSA are quick to discount these studies, saying that the data don't reflect their reality. They claim that there are entire classes of vulnerabilities the NSA uses that are not known in the research world, making rediscovery less likely. This may be true, but the evidence we have from the Shadow Brokers is that the vulnerabilities that the NSA keeps secret aren't consistently different from those that researchers discover. And given the alarming ease with which both the NSA and CIA are having their attack tools stolen, rediscovery isn't limited to independent security research.

But even if it is difficult to make definitive statements about vulnerability rediscovery, it is clear that vulnerabilities are plentiful. Any vulnerabilities that are discovered and used for offense should only remain secret for as short a time as possible. I have proposed six months, with the right to appeal for another six months in exceptional circumstances. The United States should satisfy its offensive requirements through a steady stream of newly discovered vulnerabilities that, when fixed, also improve the country's defense.

The VEP needs to be reformed and strengthened as well. A report from last year by Ari Schwartz and Rob Knake, who both previously worked on cybersecurity policy at the White House National Security Council, makes some good suggestions on how to further formalize the process, increase its transparency and oversight, and ensure periodic review of the vulnerabilities that are kept secret and used for offense. This is the least we can do. A bill recently introduced in both the Senate and the House calls for this and more.

In the case of EternalBlue, the VEP did have some positive effects. When the NSA realized that the Shadow Brokers had stolen the tool, it alerted Microsoft, which released a patch in March. This prevented a true disaster when the Shadow Brokers exposed the vulnerability on the Internet. It was only unpatched systems that were susceptible to WannaCry a month later, including versions of Windows so old that Microsoft normally didn't support them. Although the NSA must take its share of the responsibility, no matter how good the VEP is, or how many vulnerabilities the NSA reports and the vendors fix, security won't improve unless users download and install patches, and organizations take responsibility for keeping their software and systems up to date. That is one of the important lessons to be learned from WannaCry.

This essay originally appeared in Foreign Affairs.

Posted on June 2, 2017 at 6:06 AM • 73 Comments

Comments

Duk Lo • June 2, 2017 6:28 AM

Re: Vulnerabilities Equities Process (VEP): "The details are largely secret,...". Sure, some secrets are necessary, but what the military does these days has been allowed to become so secretive they are beyond oversight, control and accountability. They do what they please. That's not the way democracy is supposed to go. That's more like police state autocracy.

Re: "Although the NSA must take its share of the responsibility,..."

But, they NEVER do. They violate the rules, laws and court orders at will. When seriously cornered for rogue conduct, they strong arm Congress into passing laws exempting and indemnifying them. That's not right.

Last, when NSA rogue conduct negatively impacts and harms this country and its citizens it's simply not right.

Martin • June 2, 2017 7:26 AM

"portion of the blame falls on Microsoft, which wrote the insecure code in the first place"

"vulnerabilities that ... researchers discover."

Presumably, the researchers don't have access to the source code ... and yet, they are able to find vulnerabilities.

Presumably, NSA doesn't have access to the source code ... and yet, they are able to find vulnerabilities.

That makes us wonder why Microsoft with full access to the source code fails to find vulnerabilities ...

mime • June 2, 2017 7:34 AM

Of course, a vulnerability is only important if you really really need to get into a system without help from the system operators.

On the other hand, if you can get help from the system operators, for example because they happen to be part of your team, then more important than having a vulnerability is to make sure that your code is sufficiently custom so it is not recognized by anti-virus.


Kmart Credit Card Breach: What You Need to Know
http://www.nbcnews.com/tech/security/kmart-credit-card-breach-what-you-need-know-n767161

Hackers appeared to infiltrate payment data systems with malicious code that was undetectable by existing antivirus systems, Howard Riefs, a spokesman for Sears Holdings, told NBC News

Bruce Schneier • June 2, 2017 7:35 AM

"That makes us wonder why Microsoft with full access to the source code fails to find vulnerabilities."

There's nothing conspiratorial going on here. Vulnerabilities are plentiful, and finding them can be expensive. Microsoft produces the quality of software the market demands.

And what makes you think the NSA doesn't have access to the source code?

Jon • June 2, 2017 8:43 AM

Microsoft produces the code of the quality that it is held responsible for.

Not quite the same thing as 'market demand'.

J.

call girl • June 2, 2017 9:03 AM

First, there are the writers of the malicious software, which blocks victims' access to their computers until they pay a fee.

Yes, burglars, thieves, and robbers are criminals. So are those who deny us the right and ability to defend ourselves from them.

Then there are the users who didn't install the Windows security patch that would have prevented an attack.

Users have work to do, and for them a computer is just a tool. This is like asking a framer or carpenter, who once did just fine with a claw hammer, to overhaul his pneumatic nailer on the job site because a new version of a retaining clip on some internal ratchet was specified. Oh, by the way, a new starting capacitor was specified for his air compressor. So no framing work got done on Patch Tuesday, because the carpenters had to secure their job site, load their inoperable tools onto the truck, and drive all the way back to the service shop for tool "upgrades" and repairs.

A small portion of the blame falls on Microsoft, which wrote the insecure code in the first place.

That stuff they're slamming the barn door on after the horse got out never should have been sold on the market in the first place. I am sorry. We need a stricter standard of liability than that. Microsoft sells utter tripe,* and takes full advantage of its illegal monopoly position to foreclose any possible alternative to that tripe.*

Microsoft is run by foreigners with military interests totally hostile to United States businesses and government. That proprietary, copyrighted, closed-source, bug-ridden tripe* has to go, and Microsoft will have to pay for it with their fortunes and their lives. We are at a state of total cyber-war, and Microsoft is simply not up to par.

*tripe = the intestines of a hog.

Nick P • June 2, 2017 9:06 AM

@ Bruce Schneier

"Microsoft produces the quality of software the market demands."

This is true, but one must modify it with lock-in. Most of their customers can't leave, either for business or ecosystem reasons. So, they produce the quality that their customers can *tolerate* or have no choice for. They also have consistently reduced *expectations*, to where people think these issues are normal. So, Microsoft is one of the special few that can ignore quality to a large degree vs. many in the market that will be judged on it.

JonKnowsNothing • June 2, 2017 9:07 AM

A small portion of the blame falls on Microsoft, which wrote the insecure code in the first place.

A "small" portion? A SMALL portion? "SMALL"???!!!

Until techies and computer companies get On-The-Wagon and admit that 100% of ALL vulnerabilities come from their own fingers and stop blaming end-users for "not installing" borked, buggy and not-even-fit-for-purpose updates that won't even install on anything defined as "obsolete" there are going to be more vulnerabilities.

rewrite that as:

"A HUGE portion" ... or better ... "THE ENTIRE BLAME FALLS ON MICROSOFT".

If every tech company had to PAY $$$$ for their bad coding and pay for the damage done to every user on the planet this very profitable line of business is going to continue.

How is it profitable?

Because if your system(s) get borked you have to hire a bunch of expensive folks who supposedly know how to return control to you or you are going to buy a new computer.

So why fix it? It makes money for everyone on the gravy train.

Soufiane Tahiri • June 2, 2017 9:10 AM

"Shadow Brokers, a group of hackers with links to Russia" ?!

call girl • June 2, 2017 9:11 AM

P.S. You don't think they're Hindus and they sell us beef tripe, do you?

Martin Walsh • June 2, 2017 9:50 AM

@Nick P

You're absolutely right, I totally agree.
In fact, we know Microsoft is even responsible for West Nile Virus! There's a lab in Redmond that injects it into mosquitoes before releasing them.

keiner • June 2, 2017 10:28 AM

@Nick P

Isn't that exactly the situation that antitrust laws were made for?

Critical infrastructure has to be socialized, in this case the code of Windows, and has to be made open source. End of story.

The host of this blog is tied to the soft-/hardware-military complex. No other explanation for a statement like this otherwise:

"Microsoft produces the quality of software the market demands."

Me and billions of other Win users never asked for crappy code. Never.

Anura • June 2, 2017 10:29 AM

@Bruce Schneier

Microsoft produces the quality of software the market demands.

So you are saying the market demands a solitaire game with a broken random number generator that repeats the same hands over and over? Yeah, no. The point of capitalism is to ensure the consumers are disorganized so they cannot make demands and you can sell crappier products at a higher price.

Other people can put it better than me:

http://www.interfluidity.com/v2/6846.html

Second, this line of reasoning reflects a very basic misinterpretation of economics. Aggregate outcomes are not in general or even usually interpretable as an aggregation of individual preferences. When we learn about the Prisoners’ Dilemma, we don’t interpret the fact that both players rat as evidence that, really, they both just wanted to go to jail for a long time. After all, that is their revealed preference, right? No. We understand that the arrangement that would obtain if they could cooperatively regulate one another’s behavior is in fact the outcome that they would prefer. As isolated individuals, they simply have no capacity to express this preference.

Martin Walsh • June 2, 2017 10:38 AM

@The host of this blog is tied to the soft-/hardware-military complex.

And what complex are you tied to? I need it for my report.

zboot • June 2, 2017 10:44 AM

"This is like asking a framer or carpenter, who once did just fine with a claw hammer, to overhaul his pneumatic nailer on the job site "

because the nailer was found to kill every 4th operator. Yeah, if that guy didn't replace the nailer, after being notified, and it killed someone, he'd be responsible.

You don't get to claim "it's just a tool" if you knowingly use something dangerous.

Anura • June 2, 2017 10:57 AM

Another thing to mention is that the consumers don't really know that much about the products. The less information the producers publish, the less the choices of the consumer reflect anything meaningful. I mostly work with databases, for example, which tend to be performance critical; this is why Microsoft's license agreement forbids publishing benchmarks - obviously, the consumers value being surprised by performance of their database.

Anura • June 2, 2017 11:22 AM

Also, for the money that has been spent globally on Windows we could have probably built an OS that is equal in features but where every component was prudently designed and formally verified. This is especially true if you include externalities; I'd guess that the economic damage caused by the poor security and reliability of Microsoft software far exceeds the lifetime revenue of the company.

Ben Better • June 2, 2017 11:34 AM

A scathing indictment of the NSA spy machine:

Spying on You, Spying on Me, Spying on the President

http://www.realclearpolitics.com/articles/2017/06/01/spying_on_you_spying_on_me_spying_on_the_president_134052.html

"...we are the most spied-upon people in world history and that the president himself has been a victim."

Some say NSA spying is bringing government in DC to a screeching halt because, finally, the same elected representatives who passed laws to make it happen or played three monkeys to flagrant abuses now understand they have also been deemed targets, adversaries, suspects and data sources.

...and then came the leaks.

x2bike4u • June 2, 2017 11:41 AM

@keiner

"Me and billions of other Win users never asked for crappy code. Never."

Then speak with the pocketbook. Dump MS Windows and their other products. Use a totally bug free OS, such as OSX or Linux instead.

Who? • June 2, 2017 11:43 AM

@ Bruce, Anura

The key here is not "producing the software the market demands" but "producing the software the market accepts."

There are much better software companies than Microsoft, even teams that write much better software and give it as a gift to the world for free. The market, for some unknown reason, voluntarily chooses to stay with the worst software ever written. I have given up trying to understand this behaviour, these poor choices.

I am happy to play without following the market rules. No Windows here. No OS X here. No iOS here. No Android here, and no Linux here either. Only good and reliable operating systems. And, no, the driving factor is not only "security," it is performance, stability and simplicity too.

Who? • June 2, 2017 11:46 AM

@ x2bike4u

Use a totally bug free OS, such as OSX or Linux instead.

You are joking, right?

Ergo Sum • June 2, 2017 11:58 AM

@Bruce....

It was only unpatched systems that were susceptible to WannaCry a month later, including versions of Windows so old that Microsoft normally didn't support them.

The "Windows so old" was the smallest part of the exploited systems; the majority had been Windows 7 versions:

http://www.techrepublic.com/article/98-of-wannacry-victims-were-running-windows-7-not-xp/

I don't seem to find the link that stated, that infecting XP with WannaCry required manual process. The required code base did not exist in XP for auto-spreading, if I recall correctly...

Anura • June 2, 2017 12:03 PM

@Who?

One of the business strategies of Microsoft was to bribe software companies to write Microsoft-exclusive software. They cornered the gaming market to the point where you couldn't not use Windows if you were a PC-gamer. They used Internet Explorer to hold back the web, and got companies to write software in proprietary languages. Microsoft's dominance of the PC only ended because of EU antitrust suits and the growth of web-based applications. So, really, it's largely not about good software vs. bad, it's about what supports the software that you need it for. On top of that, people's preferences are sticky; it takes a more pronounced difference to get them to switch from what they are currently using than it would have if they were making the choice for the first time.

With businesses, there is also the talent pool which slows the adoption of different systems or technologies (i.e. you might choose PHP because of the number of PHP developers available to hire, not because it is in any sense a good language).

Ergo Sum • June 2, 2017 12:07 PM

@keiner...

Me and billions of other Win users never asked for crappy code. Never.
Sarcasm...

Me and billions of other Win users don't even know what code is, nor do we ask. We trust Microsoft and other software companies. We have no other choices, unless we'd abandon our access to electronic devices.

End of sarcasm...

albert • June 2, 2017 12:09 PM

Microsoft operates today exactly as they have since their inception. None of this is news. I remember when I had to buy an OS for $300 and then spend another $80 for anti-virus software. A Whiskey Tango Foxtrot moment, for sure.

MS is in a survival mode. It is only theoretically possible for them to find -all- bugs in tens of millions of lines of code. Then there is the code they keep churning out year after year, and the bug fixes which seem to be continuous. How many bugs inhabit the bug fixes?

You can't turn a sow's ear into a silk purse.

@Anura,
The goal of most businesses is to obtain a monopoly in one sector, then soak the hell out of the customers. The bigger and richer* they are, the easier it is. As long as the liabilities are passed on to the customers (or, increasingly, the taxpayer) they're happy. The concept is 'do whatever you can get away with'.

"...this is why Microsoft's license agreement forbids publishing benchmarks...". Monsanto wrote a law preventing -anyone- from mentioning GMO content in a product.

@Martin,
"...That makes us wonder why Microsoft with full access to the source code fails to find vulnerabilities..."

It's motivation. Obviously, the NSA and the crooks are more motivated. I don't know what's going on inside MS. Do they have a team assigned to a full code review? Or do they just chase reported bugs? I recall a while back, they had an API that processed jpg files. Someone on the outside discovered an undocumented parameter that transferred execution (jumped) to a given address. Now what possible reason could they have for doing that?

@zboot,
It's not -knowing- something is dangerous, it's -not- knowing something is dangerous. Who's responsible for the pacemaker that got hacked and killed someone? The hacker. Does the maker bear any responsibility? Look up Therac-25. Half a dozen killed, and no one punished. Blaming the crooks accomplishes nothing. Ask the DNC. They continue to beat the 'Russia did it' drum, while their party drifts into oblivion.


---------
* ironically, wealth seems to be inversely proportional to the square of the productive, that is, socially beneficial, work they do.
. .. . .. --- ....

Ross Snider • June 2, 2017 12:14 PM

@Bruce Schneier

From my time working at Microsoft in Security Bug patching and internal pentesting (4 year tour) I regularly encountered government vulnerability and backdoor programs - and several of my colleagues had stories about being approached by NSA about acquiring back doors.

US government gets feeds of Windows crash reports, which they use to find new vulnerabilities, and as a source of data to track development and discovery of vulnerabilities that they already know about.

But you're right - there's nothing conspiratorial about it. It's business and it's intelligence. The Snowden Documents put into plain language NSA's efforts to infiltrate corporations (including Microsoft) to insert vulnerabilities and reporting since then (Syrian Electronic Army timeframe) on how Microsoft had facilitated backdoor access to the FBI for all of its email services.

Again - no conspiracy. It's what you wrote about years ago in "The Continuing Public/Private Surveillance Partnership" and other articles. It's business and it's (via perhaps unvirtuous means) completely legal.

Tatütata • June 2, 2017 12:15 PM

How does the NSA find out about these vulnerabilities in the first place anyway? The various leaks don't say much about this aspect.

Do they have a tiger team patiently poring over disassembled code, firing up debuggers, and throwing the whole colander of spaghetti at the target?

Or by having privileged/purloined access to the source code of the main closed source providers?

If Federal procurement requirements contain provisions obliging certain suppliers such as Microsoft to file their sources, then it would become a matter of having formal design reviews. After the hundredth buffer overflow vulnerability, a trained eye would begin to know what to spot and what to do with it...

Or, if the TLAs can really pilfer anything they want, how do we know they didn't create their access to development servers? If the NSA placed a "tapp" [sic] on Google's "wires", when they were still unencrypted they could also have done the same thing to M$.

Sneakernet is still also an option. A while back there was a reference to Apple iWhatever vulnerabilities, with a reference to their sprawling labs in Tel Aviv, which is a large city with a cluster of "high-tech" employers. I wouldn't be too surprised to learn that there is a high level of personal contacts and mobility between the fashionable industries and the security mob. In any case, quite probably higher than could exist between Cupertino and Fort Meade (road distance: ~4500km).

Bear • June 2, 2017 12:29 PM

When automakers were allowed to produce "the quality that the market demands" they produced automobiles without seat belts, with hoods that acted as guillotines and rigid steering columns that often stabbed people through the heart in crashes, rigid frames that subjected passengers to an order of magnitude greater force than frames with crumple zones, and in some cases flimsy roofs that collapsed under the weight of the car in a rollover.

When enough people had died or gotten injured, automakers selling cars in the US were placed under conditions of strict liability. That means the burden of proof is on the automaker to show that an injury ISN'T due to a structural problem with their cars or else they become liable. Not just that they took "industry standard" precautions. Not even just that the problem wasn't strictly their fault. They are required to show that there were no feasible precautions they COULD have taken, that they didn't take.

Commercial operating systems, at this point, are at least as much a critical part of the national infrastructure as commercially manufactured cars. There is an effective monopoly on commercial operating systems. There is a long history of regulating monopolies to prevent market failures that result in low-quality products.

I'd say the conclusion's pretty obvious. It would have been done already in any other industry.

The situation is like allowing an automaker to sell unsafe automobiles specifically because you have an interest in causing particular people to suffer car crashes. This is absurd.

Anura • June 2, 2017 12:30 PM

@albert

* ironically, wealth seems to be inversely proportional to the square of the productive, that is, socially beneficial, work they do.

I would argue that all profits (and losses) necessarily represent inefficiencies in the economy. As a simple example, imagine an industry like the car industry; you have to place production orders for cars based on how many you think you will sell, and if you produce too few then by the time you find out you won't produce enough. If you have perfect information, you will produce exactly how many that will be sold. If you produce fewer than the market wants, then prices will go up and the product will be more profitable per unit but the more efficient and responsive the market, the less this price will go up. Similarly, if you produce too many, then costs will exceed sales and you will take a loss.

Since most of the power is given to the people who make money off of inefficiency, our economy encourages us to spend more resources to produce lower quality products.

B.B. Pepper • June 2, 2017 12:40 PM

Gents,
What is this thing about "NSA not having access to the Windows source code"? Are you being serious?
There used to be a "government program" (not the exact name) at M$FT for gov/intel agencies under which these were given full access to Windows source code. They seem to have downsized this program, but as far as XP is concerned, no need to disassemble it for NSA and twin agencies.
BB

Who? • June 2, 2017 12:45 PM

@ Anura

I remember when, in the mid-90s, Microsoft suggested replacing the Internet infrastructure at that time with a global communication network based on a mix of satellite communications and fiber-optic links, all based on the Microsoft proprietary non-routeable communication protocol (NetBEUI) and gateways.

I agree with you, Microsoft's strategy was turning the world to develop for Windows only. The "people's preferences are sticky" part probably explains what happens right now.

Hope a few WannaCrys will suffice to change people's mind.

M. Welinder • June 2, 2017 1:03 PM

A large part of the blame really needs to go to Microsoft for having polluted its update channel with so much unwanted stuff (Windows 10, Ads, Telemetry) that people were acting reasonably when turning updates off.

Who? • June 2, 2017 1:04 PM

The GSP started in 2003, but the PDF linked in my previous post is a document from September 2014 that shows this program provides access to recent source code (e.g. Windows 8.1, Windows Server 2012, Office 2013, SharePoint 2010...) to government agencies.

Look at the PDF, it is only two pages. The document itself earns an entire thread on this blog!

The GSP provides transparency by giving governments controlled access to the source code for our core enterprise products. This level of transparency can help reassure customers that Microsoft products do not contain hidden "back doors." It also enhances a government's ability to design and build more secure computing infrastructures...

I would say that goal has not been reached yet.

de La Boetie • June 2, 2017 1:20 PM

There appear to be two issues with the VEP:

a) Is it working at all?
b) Has it factored in the risks of others finding the vulnerability properly?

Sadly, the answer to both questions is no, and the VEP doesn't seem fit for purpose.

The culpable side is that the risk of the vulnerability being discovered is highly correlated with the NSA having it in the first place, and it being leaked, stolen, passed on etc.

One aspect of the Snowden and Shadow Brokers revelations is that they are public. But I expect maybe 20-30 similar leaks to have already happened in a very non-public way for reasons of personal ideology or plain money. Whichever, US infrastructure is then vulnerable to some entity who has bought the material, or been given it (without our knowledge).

Moving on to a different slant, the practice of using badly flawed systems in mission critical infrastructures, with apparently feeble segregation practices, is negligent. However, the public sector and their corporate partners have basically no liability for negligence, which means disasters like the NHS vulnerability in the UK will happen again and again.

I'd be very surprised if patient data hasn't already been stolen in bulk from the NHS, despite the vacuous claims of politicians claiming that there was "no evidence" that that was the case.

parabarbarian • June 2, 2017 2:11 PM

"Microsoft produces the quality of software the market demands."

At the risk of sounding like a zealot: That is why I use Linux. It is not perfect but, at this time, it has a more demanding and capable user base.

Smedley • June 2, 2017 2:13 PM

@Bruce Schneier

Sir, you state: "Microsoft produces the quality of software the market demands."

While true, I think it's pretty clear by now that this is just not good enough.

As "Bear" noted earlier, we saw in the 1960s that Detroit, which had been selling cars that were "what the market demanded", was actually putting its customers at risk (Nader). When the White Star Line built ships that were "what the market demanded", more than a thousand people died in April 1912 (Titanic).

And yet, Volvo were already building safer cars than the Corvair, and Brunel had previously built a ship (Great Eastern) that was far better at surviving accidents than the later Titanic. So we had regulation and other forms of public pressure come in to force Detroit to build safer cars, as per the Volvo model. Similarly we had regulations about lifeboats and North Atlantic ice patrols pushed out that helped to mitigate these dangers.

The glib assertion that "All software has vulnerabilities" is used by industry shills to excuse the very act of making and selling a product that is clearly NOT "fit for purpose". Considering the egregious security history of Microsoft products, the "market" has clearly failed to protect the public against high risk to their economic lives.

The libertarian cry of "Caveat Emptor" cannot survive a massive push from millions of voters sick of being economically raped because of bad software.

We're heading towards a Black Swan around software security.

albert • June 2, 2017 2:23 PM

@Anura,

I'm talking about -wealth-, not profits. The auto industry has its problems (like any other top-heavy* industry), but it produces -usable products-, it's a -producing- entity. Yes, even as is MS.

Can you think of any businesses that exist only to -consume-?

----------
*-That's- where the inefficiencies are.

Bruce Schneier • June 2, 2017 2:25 PM

"The key here is not 'producing the software the market demands' but 'producing the software the market accepts.'"

A useful correction.

Bruce Schneier • June 2, 2017 2:27 PM

"Sir, you state: 'Microsoft produces the quality of software the market demands.' While true, I think it's pretty clear by now that this is just not good enough."

No argument.

This is the primary reason I am a strong proponent of government regulation in this space. As a previous commenter said:

"When automakers were allowed to produce 'the quality that the market demands' they produced automobiles without seat belts, with hoods that acted as guillotines and rigid steering columns that often stabbed people through the heart in crashes, rigid frames that subjected passengers to an order of magnitude greater force than frames with crumple zones, and in some cases flimsy roofs that collapsed under the weight of the car in a rollover."

Safety and security advances generally come from regulation, not from the market. It was true for food safety, drug safety, automobile safety, airplane safety, workplace safety, etc.

Ross Snider • June 2, 2017 2:49 PM

@Bruce Schneier

Do you acknowledge that Microsoft freely works with intelligence and counterintelligence organizations to backdoor its products?

Anura • June 2, 2017 2:51 PM

@Smedley

The libertarian cry of "Caveat Emptor" cannot survive a massive push from millions of voters sick of being economically raped because of bad software.

Unfortunately, this is the same mistake we keep making. Representative democracy is influenced by wealth, and as long as we have unequal wealth there will always be an uphill battle to getting what we want; it will not stop unless the consumers themselves have the power. How do they do that? By starting consumer cooperatives designed specifically to capture wealth, and then using their by-laws to circumvent the need for government regulation.

Set up thousands of cooperatively owned investment firms around the world that do not have a mechanism to pay out profits to the owners - instead, always reinvest all profits. They should be member-owned and get all of their capital contributions through donations and membership fees. Capitalism is a numbers game; odds are you are going to fail, but expected returns are positive. What's more, the average investor should expect to make more money than the economy as a whole; as long as you always reinvest, this means you should grow faster than for-profit companies, who will fall behind in market share every time they pay distributions or hold on to cash reserves.

Over time, you should be able to take over the entire market with consumer-owned and democratically controlled businesses, and then you don't need government to force companies to make good products, the consumers will simply have the power to demand it (with exceptions for externalities).

Because of the inefficiency of the market, there is so much potential wealth ripe for the taking if we could only get organized. Focus on specialized companies, and outsource everything not part of your specialization. Don't treat customer service as an entry-level position; it should be the highest position in the company, and all authority should be derived from the people working directly with the customer. They should be the authorities in their field. We shouldn't think of it as having sales people, we should think of it as having purchasing agents that work for the customer to get them what they want.

All businesses should be owned by their customer, and they should as a policy be as transparent about their products as possible; in fact, all products should be completely open just like software should. Modularize and standardize everything you can, and then have detailed data including failure reports on everything you can; how it is made, where the supplies came from, where it was built, etc. and make it all public. When I buy a car, I essentially should be hiring people who are experts on components of cars to look at every individual part on the market, look at reliability and performance data, as well as audits of their specifications. Actual numbers should be available on the estimated maintenance cost of every car.

Anura • June 2, 2017 2:56 PM

@albert

I'm talking about -wealth-, not profits.

Which wealth is how much of the economy that you are in control of, which is measured in your potential for making profits.

Can you think of any businesses that exist only to -consume-?

If you mean that exists only for the consumers, yes. They are called consumer cooperatives. REI is a major one I actually shop at.

Max • June 2, 2017 3:06 PM

The NSA is certainly to blame for carelessly allowing their tools to be stolen, but as far as disclosure is concerned, I'm skeptical that it does any good. When the bad guys are mostly using publicly available exploits, disclosure just provides them more weapons. And it doesn't make the software significantly better, because there's an endless supply of exploits. The only way to make a real improvement is to knock out entire classes of exploits, and it's entirely up to Microsoft etc. to make the effort.

call girl • June 2, 2017 3:47 PM

"That makes us wonder why Microsoft with full access to the source code fails to find vulnerabilities."

Instead of offering a bona fide product on a bona fide competitive market, a multinational megacorporation abuses its illegal monopoly position to force an inferior product on consumers, who must pay the "Microsoft tax" and are left with no effective alternative, and hence no effective choice or redress to demand a better quality product. They collect the money by force in law from everyone who buys or uses a computer, no matter what the operating system. It's all about the money. They do not have to offer a product fit for a particular purpose. They retain the right to cripple the product you are buying from them. You must pay them whether or not you use or choose to use their product. They force vendors to cripple the hardware on which their software runs.

There's nothing conspiratorial going on here. Vulnerabilities are plentiful, and finding them can be expensive. Microsoft produces the quality of software the market demands ["accepts"].

Once again, there is no bona fide market. This "market" is a Microsoft-only cartel. Cartels are always conspiratorial. The New York concrete cartel of yonder days. Brutal and lawless enforcement. Concrete boots and worse if you don't cooperate or if you use, buy, or sell a genuine competing product.

And what makes you think the NSA doesn't have access to the source code?

NSA is a red herring. There is *plenty* of lower-hanging fruit to pick before any cloak-and-dagger three-letter agencies get involved. I am positively certain that NSA has access to source, and so do most if not all nation-state-level intelligence agencies, regardless of whether they are hostile or friendly.

*bona fide is law Latin for "good faith." No, we are not talking about a good Catholic girl sitting on the pew in church praying. All that is meant by this phrase is that one who makes some legal or other allegation or claim or statement actually means what one is saying and is not flat-out lying through one's teeth. Example: Suppose I run a small business. Do I have an alternative to Microsoft Untouchable Windows? No, I do not. It just so happens that all the small business accountants in my town demand that I use Intuit QuickBooks. QuickBooks depends on Windows. Therefore there is no bona fide alternative to Microsoft Untouchable Windows for my business, and I have to suffer with everyone else for the vulnerabilities that are inflicted on me.

How many bugs live in the intestines of a hog? Nothing but pork barrel politics is keeping MSFT alive, and the same Republicrat pork barrel politics along with the entire corrupt military-industrial complex are the inevitable total ruin, final defeat, and nuclear death of our entire once proud country.

Enough is enough. You people just don't get it, do you?

Anura • June 2, 2017 8:39 PM

@Smedley

TLDR:

Basically, if you are buying software you shouldn't be dealing with the developers or some sales person who just wants to make a commission, you should be hiring someone with people skills to work with you.

Spooky • June 2, 2017 9:35 PM

If Microsoft had wanted people to be punctual about updating their computers, perhaps they should not have taken such glee in turning those exact same update facilities against their own customers? What did we endure, nearly a year of Redmond boasting about unprecedented rates of adoption for all of the fly-by-night Windows 10 upgrades that were neither planned nor voluntary? Fool me once, shame on you; fool me twice, shame on me. Consumer trust has been utterly betrayed (and perhaps destroyed) by Microsoft themselves. Quite clever. Now people (esp. Windows 7 users) have little choice but to treat every single Update from MS as a potential poison pill. It's your own damn fault, Redmond...


Unkind regards,
Spooky

Andy • June 2, 2017 10:55 PM

Microsoft is a good company, like working for any company, and you have to weigh up stuff, but it is cheaper to outsource security than have in store. You might say MS is valued at billions, but their cash flow is less, and it.. I will send exploit code to them, and ha not everything is about the money

ab praeceptis • June 2, 2017 11:07 PM

Bruce Schneier

Now we are getting close.

This is the primary reason I am a strong proponent of government regulation in this space....[automakers example]

Safety and security advances generally come from regulation, not from the market. It was true for food safety, drug safety, automobile safety, airplane safety, workplace safety, etc.

Let's complete that by stating:

a) Corporations tend to dislike or to even fight regulation for obvious reasons.

b) For regulations to be created first *considerable damage* must be obvious and undeniable.

Usually there is also c) For regulations to be created first there must be an understanding that the corporations do not lose money but can make even more.

65535 • June 2, 2017 11:57 PM

@ Nick P and others

"Microsoft produces the quality of software the market demands." This is true but must modify it with lock-in. Most of their customers can't leave either for business or ecosystem reasons. So, they produce the quality that their customers can *tolerate* or have no choice for. They also consistently have reduced the *expectations* where people think these issues are normal. So, Microsoft is one of the special few that can ignore quality to a large degree… –Nick P

I agree with that statement. I work with small to medium-sized business customers, and due to the programs they use (accounting, HR, inventory, and basically A to Z general-purpose programs that they need and have huge sunk costs in), Microsoft is the only way to go. As for Win 10 enterprise systems, the cost/benefit is just not there. In fact, some customers cannot even break even when switching to Win 10 enterprise solutions – this doesn’t even touch the safety or far-flung data centers which leak customer data like the Titanic.

@ JonKnowsNothing
rewrite that as: "A HUGE portion" ... or better ... "THE ENTIRE BLAME FALLS ON MICROSOFT".
That is an unspoken truth. Microsoft since the DOS days used their customers as beta testers for full profit. Sadly, this practice still goes on – just take a look at their jumbled spiderweb of TechNet/MSN and all of its tentacles/MDN/MicrosoftKnowledgeBase/FrontPage/MSwindows/FutureDecoder and so on.
Finding a technical answer or certain patch is so time consuming it is easier to just use Google to find the solution. Microsoft’s jumble of websites is a mess. It needs cleaning up and being more honest regarding hidden URLs that some people know of.

I thought Steve Ballmer was not the best, but John Thompson's powerful position on the board of directors and his bringing in of Satya Nadella as CEO was a huge mistake. The Microsoft trust became entertainment and customer data mining.

I’ll take Ballmer over Satya Nadella and his overlord John Thompson any day. Further, with Brad Smith as President and Chief Legal Officer, Microsoft’s association with the US Government and Microsoft's EULA contracts are some of the most abusive I have seen.

https://en.wikipedia.org/wiki/John_W._Thompson

and

https://en.wikipedia.org/wiki/Satya_Nadella

The company that helps spy on you:

“According to leaks of said program, Microsoft joined the PRISM program in 2007.” –Wikipedia

https://en.wikipedia.org/wiki/Microsoft#United_States_government

Microsoft is not without its share of criticism – there is a whole Wikipedia page on criticisms of Microsoft:

"Criticism of Microsoft has followed various aspects of its products and business practices. Issues with ease of use, robustness, and security of the company's software are common targets for critics. In the 2000s, a number of malware mishaps have targeted security flaws in Microsoft Windows and other programs. Microsoft was also accused of locking vendors and consumers into their products, and of not following and complying with existing standards in its software. Total cost of ownership comparisons of Linux to Windows are a continuous... The company has been the subject of numerous lawsuits by several governments and other companies for unlawful monopolistic practices... the European Union found Microsoft guilty in the European Union Microsoft competition case. Additionally, EULAs for Microsoft programs are often criticized as being too restrictive…”-Wikipedia

https://en.wikipedia.org/wiki/Criticism_of_Microsoft

@ keiner

[to Nick P]

“Isn't that exactly the situation where antitrust laws were made for?... Me and billions of other Win users never asked for crappy code. Never.”

That is the whole crux of the matter. Microsoft and its legal department are deeply entwined with the US military spy agencies. That is the main reason no further anti-trust suits have been filed against Microsoft in the USA. Until those ties with the military are broken, Microsoft is untouchable in the USA… But not in the EU and other places.

Returning to the problems of today, [and patching Microsoft machines that are not “Enterprise Editions”] I have customers who have turned off Automatic Updates from Microsoft since early 2016 and never had a problem with their network or machines.

Most of my customers are on Win 7 Pro or Win 8.1 and simply cannot afford to upgrade to Win 10 Enterprise Editions – and without those annoying advertisements.

Bruce S. will probably not like to hear this comment, but there have been so many slow or frozen Microsoft boxes when “updating” that, for financial reasons, for some small to medium business concerns it doesn’t pay to do so – it hurts with more help desk calls and anger at Microsoft’s “monthly roll-ups”.

I am testing Mint and other Linux versions. But Linux doesn’t have the huge array of business software that Microsoft does – at this point in time. I will say I have tried to convert some customers to use, say, GnuCash for general ledger accounting only to hear complaints about basic components such as not having a pop-up calculator to separate complex journal entries into their respective general ledger or subsidiary ledger accounts.

I will keep looking. Sooner or later some group of coders is going to come up with a better solution than Microsoft and their many compatible business programs. The small to medium business market is very large and lucrative.

To suit a bull • June 3, 2017 5:52 AM

@Anura,

If the average user is unable to detect an average os supplying average numbers to your average game then yes; they are supplying the tripe that the average hOG (helpless OG) would find.

Rufo Guerreschi • June 3, 2017 8:00 AM

By far the greatest responsibility lies on those that made it so that governments over the last decades had to break everything below the point of encryption for all systems, through subversion of all kinds in the supply chains and letting impossible system complexity and critical-parts obscurity be compatible with high-assurance IT standards.
A majority of such responsibility lies on top cryptographers that wrote out for decades as impossible, and not deserving of serious discussion, the creation of lawful access processes for ultra-high-assurance systems that do not pose unacceptable threats to privacy. That is instead most likely possible, as we describe in the "Manifesto for Trustless Computing", outcome of our Free and Safe in Cyberspace global event series.

Ergo Sum • June 3, 2017 8:05 AM

@ab praeceptis...

Usually there is also c) For regulations to be created first there must be an understanding that the corporations do not lose money but can make even more.

As of late, the "c)" moved up and it's actually "a)" by now. Especially in the US, where the definition of democracy has changed to:

The government of the corporations, by the corporations, and for the corporations

Jared Hall • June 3, 2017 9:44 AM

1. Some believe, as do I, that EternalBlue existed as part of the Stuxnet delivery mechanism. This would date its existence to be prior to 2010.
2. Why does anybody here think that the NSA released that code? There were documents in that same Vault 7 release that were totally bogus. You don't think the Koreans or Iranians don't have tons of NSA/CIA/WHOMEVER exploit samples? I do.
3. There is also the misguided assumption that the NSA/CIA write their own exploits. As I've said before, programmers at NSA/CIA are second and third fiddles. Top talent doesn't work there; just like Snowden. Good grief, these are the same guys that monitored all of the 202 area code because of a programming mixup with the "20" country code of Egypt. Give me a break.
4. Frankly, the CIA, NSA, KGB, CSA, GCHQ all pay more for exploit knowledge than any Bug Bounty program. How ironic is it that the free market dictates who gets all the worms? Even though he's a first-class idiot, Putin's comments were somewhat accurate. You don't need a State or Nation sponsored hacking organization. You just need a fat wallet.
5. Microsoft patched Windows 10 with plenty of time to spare. They DID NOTHING for Windows 7, Windows 8, and Windows 8.1 until it was game over. That is very irresponsible.
6. Microsoft took over 9 months, from CVE listing to patching Office, while hundreds of thousands of computers were infected. This is very irresponsible.
7. Furthermore, Microsoft persisted in stating that there were no active Office exploits despite the rampant distribution of the Drisden banking worm. Again, that is very irresponsible.
8. Microsoft failed to properly patch its systems accurately for flaws in its GDI drivers. Granted, Apple had to patch a couple of times, but for Microsoft, it has been an eternal stream of never-ending GDI-related patches. Again, this is very irresponsible.
9. The WannaCry(pt) virus signatures were known back in January; well before the bundling with EternalBlue and DoublePulsar. ESET, Bitdefender, and Kaspersky (all non-US firms) didn't have any trouble stopping it. But it went through Microsoft AntiMalware and Security Essentials like a hot knife through butter. Microsoft's Brad Smith claims to have 3500 security engineers. What exactly do these guys/gals do, other than collect a paycheck? Microsoft has to totally rethink security, from the top down. Again, they are irresponsible.

No, Microsoft should have the living hell sued out of them for this WannaCry debacle. We all sit around here and moan about how security *should* be more of a design goal than an add-on. You want to improve security? Start with a Class Action lawsuit against the worst offender of them all: Microsoft.

justarant • June 3, 2017 10:28 AM

The blame lies entirely with Microsoft. The hacks that were created, then stolen, then released were possible because of Microsoft.

Microsoft has released buggy software and relied on users to fix it since day one. With win 10 they've made updates much riskier.

So people wait & watch. And wisely so.
It is very difficult for a mere mortal to know what an update will actually do.
Remember the red x that initiated the update instead of cancelling it?
Win 10 updates break things... drivers, third party software.
Pushed updates and pushed ads should be opt in.
Win 10 the free OS is expensive. If you are a freebie user you don't control telemetry but you do tune up the OS for microsoft. Hospitals, doctors, lawyers, gov't agencies, etc must control their data, so they have to pay for the enterprise version. That means you pay for it.

There was no need for win 10 to ever be published, ms did that to make money.
Wanted to increase their user base. Wanted to get more people on the windows phone.
Win 10 was given away, then pushed hard, and nobody much went for it.
Microsoft should have just fixed win 7.

But all is not lost. Increasing communication has already begun to encourage users to question microsoft's policies.

call girl • June 3, 2017 1:26 PM

@Mr. Schneier

This is the primary reason I am a strong proponent of government regulation in this space.

Adding yet more special-case fluff and verbiage to the regulations already on the books does nothing to solve the underlying problem, and only serves to further increase the regulatory compliance burden on all businesses, and especially the share of that burden borne by small and medium businesses as opposed to megalithic giants like Microsoft.

What we lack and what we need is a watchful and impartial enforcement of long-established basic fair business practices.

When a giant corporation breaks the law, the answer is not to make more laws. The answer is to hold the giant corporation, and the individuals acting on its behalf, accountable to the law.

We already have gargantuan fines and up to ten years' imprisonment for a man's failure to hold the door open for a lady:

On top of that, you men will have to go to war against Russia on terrorism through the male-only Selective Service System, and if you win the war, you will be allowed to go home and live happily ever after with your entitled bitches.

So step up to the plate, bitches. You're in business, you make a lot of money, and you're leaving anyone who breathes a word against you, online or off, penniless on the streets.

Fuzzy • June 4, 2017 5:44 PM

"They claim that there are entire classes of vulnerabilities the NSA uses that are not known in the research world, making rediscovery less likely. This may be true, but the evidence we have from the Shadow Brokers is that the vulnerabilities that the NSA keeps secret aren't consistently different from those that researchers discover."

Think of the attack surface of the world.

Think of the potential targets of the USA.

Of course they know of vulnerabilities that will never be rediscovered unless exposed through contractor sloppiness/malice, and of course several dozen/hundred of those are in use right now, with comparable numbers waiting ready in standby and more discovered/engineered every single day.

What you're positing in questioning this regime is that the value of joe-6pak the end user of the internet/os in question to have access to all top-secret vuln data and patch his system is more profitable/valuable/regarded (or should be) than allowing a super-user to sell him out and throw him under the bus for the "greater good" of spycraft. Obviously the powers that be will never, ever, ever, ever consider that valid.

There is no law standing up for real digital privacy rights as we know them, nor will there be. And this is a result of the way people are conditioned to vote for one or two versions of the same thing, in this country.

Rant over.

ab praeceptis • June 5, 2017 1:07 AM

Rufo Guerreschi

A majority of such responsibility lays on top cryptographers that wrote out for decades as impossible, ...

No. From what I see the cryptologists have actually delivered quite good work and there are very few (known) exceptions like rsa taking a fat bribe for brutally weakening some crypto.

And that might actually not have been a case of greed and criminal character but of nsa which basically controls nist making rsa an "offer they couldn't refuse".

ATN • June 5, 2017 3:44 AM

While there may be reasons to hoard and keep secret zero days which are not used (by definition), there should be bug reports sent a few months after first use - there are too many honey pots and pass-through traffic analysers around to even think the vulnerability will not be detected within the first few attempts to use it - by anyone (even the three letter agency which decided that this bug cannot be independently found).

Robert Christian • June 5, 2017 2:24 PM

Microsoft has unfortunately turned off many users to installing security updates through their somewhat underhanded pushing of a whole new operating system -- Windows 10 -- as a security patch, as well as pushing "get your free upgrade" "annoyware" as a security patch. When installing updates, the nature of the updates is buried in Knowledge Base articles that burn a good deal of time to read each one, when they could be documented (at least in summary) in the Windows Update interface.

This isn't just a Microsoft issue, either. Other companies (Intuit comes to mind immediately) use the security patch features to load marketing functions into software, end-of-life software, and perform other similar functions that the end user would not choose if they were aware.

This unfortunately results in a number of users disabling automatic updates and, if they have the time, periodically vetting the updates to see what's [claimed to be] really included with them. This, of course, means that patches to fix dangerous vulnerabilities don't get applied as quickly as they would if the software publisher could be trusted.

Couple this issue with Microsoft's default "telemetry" (spyware, no matter how you slice it) settings in Windows 10 and back-ported to "security patches" in Windows 7 and 8.1, and it's no wonder people lose faith in security patches from their operating system vendor.

I don't know how Microsoft comes back from this, or how other vendors avoid the temptation of using a security patch system for marketing or other non-security functions.

Clemens Hlauschek • June 5, 2017 2:32 PM

> Me and billions of other Win users never asked for crappy code. Never.

That's not how markets work. It is not that billions of users ask for low quality in a product, but billions of users are not ready to pay the price for a product that has higher quality. Otherwise, someone *would be selling it* to them. Simple as that. The cost of an OS and desktop environment that is magnitudes more secure is obviously nothing that billions of users would be willing to pay for. Otherwise someone most probably would have filled this gap, and sold it to them. And cost denotes not only the price you pay at the counter: billions of users do not ditch MS Windows and install OpenBSD instead, because the additional cost in using it is too high for them.

Cheers

Anura • June 5, 2017 3:05 PM

@Clemens Hlauschek

Microsoft has made over a trillion dollars in revenue in its lifetime, not accounting for inflation. You are telling me that you don't think with a budget of a trillion dollars, you can possibly afford to make everything Microsoft has made, but better?

call girl • June 5, 2017 3:18 PM

@Clemens Hlauschek

Me and billions of other Win users never asked for crappy code. Never.

That's not how markets work. It is not that billions of users ask for low quality in a product, but billions of users are not ready to pay the price for a product that has higher quality.

It's not a market. It's an extortion racket.

  1. The users are already forced in law to pay an exorbitant price for Microsoft product whether they choose to use it or not.
  2. Users are not allowed to use any alternative product which they might deem to be of higher quality than Microsoft because of monopolous software dependency issues.

No different from that disreputable surgeon who scalped you in bed in the middle of the night, and went to law to charge you for a haircut and bloodletting by real live medicinal leeches.

Gerard van Vooren • June 5, 2017 3:25 PM

@ Anura,

"Microsoft has made over a trillion dollars in revenue in its lifetime, not accounting for inflation. You are telling me that you don't think with a budget of a trillion dollars, you can possibly afford to make everything Microsoft has made, but better?"

Define "better".

No, I don't think they can make everything they have made "better". They will repeat mistakes, get rid of old ones and create new ones. But it's a fantasy. The reality is what it is today.

A philosopher from the movie Platoon once said in that movie:

"There's the way it ought to be. And there's the way it is."

Anura • June 5, 2017 3:44 PM

@Gerard van Vooren

The other poster stated that if it was possible to write better software for the same price or cheaper, then someone would have done it. What I meant is not that Microsoft could have made better software, but simply that someone could have if they had a trillion dollar budget.

Gerard van Vooren • June 5, 2017 4:08 PM

@ Anura,

"What I meant is not that Microsoft could have made better software, but simply that someone could have if they had a trillion dollar budget."

Yes but we are not living in that world. I don't have to tell you how MS made its first millions and billions. We all know that history, it wasn't a pretty one. Would they do that again today? The world has changed, they would have come up with a different plan to make money. But that isn't the case. What do we have today? An OS called W10 that is backwards compatible to probably W0.1 if that ever existed and hence has all the legacy and wraths.

The same btw counts for most *nix, and network protocols, and standards, and programming languages, and file formats.

Anura • June 5, 2017 4:45 PM

@Gerard van Vooren

"Yes but we are not living in that world."

I'm confused; my point is that Microsoft's dominance doesn't reflect the preferences of consumers for cheap software, and you seem to disagree with that somewhere but I have no clue where. If you don't disagree, I don't know what your point is.

JonKnowsNothing • June 6, 2017 9:53 AM

Here's another one coming to our world soon:

Internet news is reporting that the newest Apple iOS 11 update is going to brick a lot of devices by rendering them obsolete and unable to continue working.

It may not be possible to block this iOS update which is pretty much like the Windows 10+ updates. They want us to just EAT IT even if you don't want to have your apps broken.

Well. News. Back.

I am sure there will be a LOT of interest in blocking this sort of mandatory update breaking apps and bricking devices. Windows found out too. Blocking Updates like these stops crappy updates but makes NSA+Chums&Bums mucho happy.

It's not about "security". It never has been.

Apple has announced that its new iOS 11, launched at its developer conference in San Jose, will only operate on 64-bit devices, making the iPhone 5 and 5C, among other devices, obsolete and meaning some apps and games may stop working.

blerp • June 8, 2017 12:59 AM

The same botnet has been running for some 4 years now and exploiting old vulnerabilities, like that certain vulnerability still not patched on many online stores that lets people capture stuff in servers' memory piece by piece.

Luckily banks are insured and seem to be able to afford all the details that keep getting capped off insecure call centers, POS, manky online shopping sites, and the fraudulent payments as a result. Banking fraud investigators are having barrels of fun, that's why they always sound so rosy on the phone.

Meanwhile no one is responsible for anything, and certainly not willing to be. The IT Crowd is certainly justified in going home to bed if they want, companies probably should pay for their counseling too.

https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/

There are still plenty of vulnerabilities in Windows 10, it's not a magic pudding.

So many vulnerabilities have been known about and published all over the place online for years, and many of the backdoors have been open a long time too, a decade for some.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.