More on the Chinese Zero-Day Microsoft Exchange Hack

Nick Weaver has an excellent post on the Microsoft Exchange hack:

The investigative journalist Brian Krebs has produced a handy timeline of events and a few things stand out from the chronology. The attacker was first detected by one group on Jan. 5 and another on Jan. 6, and Microsoft acknowledged the problem immediately. During this time the attacker appeared to be relatively subtle, exploiting particular targets (although we generally lack insight into who was targeted). Microsoft determined on Feb. 18 that it would patch these vulnerabilities on the March 9th “Patch Tuesday” release of fixes.

Somehow, the threat actor either knew that the exploits would soon become worthless or simply guessed that they would. So, in late February, the attacker changed strategy. Instead of simply exploiting targeted Exchange servers, the attackers stepped up their pace considerably by targeting tens of thousands of servers to install the web shell, an exploit that allows attackers to have remote access to a system. Microsoft then released the patch with very little warning on Mar. 2, at which point the attacker simply sought to compromise almost every vulnerable Exchange server on the Internet. The result? Virtually every vulnerable mail server received the web shell as a backdoor for further exploitation, making the patch effectively useless against the Chinese attackers; almost all of the vulnerable systems were exploited before they were patched.

This is a rational strategy for any actor who doesn’t care about consequences. When a zero-day is confidential and undiscovered, the attacker tries to be careful, only using it on attackers of sufficient value. But if the attacker knows or has reason to believe their vulnerabilities may be patched, they will increase the pace of exploits and, once a patch is released, there is no reason to not try to exploit everything possible.

We know that Microsoft shares advance information about updates with some organizations. I have long believed that they give the NSA a few weeks’ notice to do basically what the Chinese did: use the exploit widely, because you don’t have to worry about losing the capability.

Estimates on the number of affected networks continues to rise. At least 30,000 in the US, and 100,000 worldwide. More?

And the vulnerabilities:

The Chinese actors were not using a single vulnerability but actually a sequence of four “zero-day” exploits. The first allowed an unauthorized user to basically tell the server “let me in, I’m the server” by tricking the server into contacting itself. After the unauthorized user gained entry, the hacker could use the second vulnerability, which used a malformed voicemail that, when interpreted by the server, allowed them to execute arbitrary commands. Two further vulnerabilities allow the attacker to write new files, which is a common primitive that attackers use to increase their access: An attacker uses a vulnerability to write a file and then uses the arbitrary command execution vulnerability to execute that file.

Using this access, the attackers could read anybody’s email or indeed take over the mail server completely. Critically, they would almost always do more, introducing a “web shell,” a program that would enable further remote exploitation even if the vulnerabilities are patched.

The details of that web shell matter. If it was sophisticated, it implies that the Chinese hackers were planning on installing it from the beginning of the operation. If it’s kind of slapdash, it implies a last-minute addition when they realized their exploit window was closing.

Now comes the criminal attacks. Any unpatched network is still vulnerable, and we know from history that lots of networks will remain vulnerable for a long time. Expect the ransomware gangs to weaponize this attack within days.

EDITED TO ADD (3/12): Right on schedule, criminal hacker groups are exploiting the vulnerabilities.

EDITED TO ADD (3/13): And now the ransomware.

Posted on March 10, 2021 at 6:28 AM38 Comments


Clive Robinson March 10, 2021 10:52 AM


“the second vulnerability, which used a malformed voicemail that, when interpreted by the server, allowed them to execute arbitrary commands.”

If I’m reading that correctly then a media file which should only be “data” is getting treated as an “executable” in some way.

I know Adobe had a bit of a reputation for that sort of nonsense, and Google a few yeard back got hit with a graphics library in Android where sending a picture attached to an SMS could be disasterous.

I would have thought that if this is what is happening to Exchange then MS would have wised up about it by now…

Kurt Seifried March 10, 2021 11:46 AM

This sounds a lot like classic market segmentation. You start out with an exclusive high touch experience, 1:1 service, you ensure it goes smoothly, once that market is full you basically start selling to anyone with money, and once that is done you basically start giving it away for free to ensure market penetration.

In other words, what happens when attackers behave like rational economic actors trying to “maximize profits” AND have the ability to “full service” the market? Also note: attacking the entire IPv4 space is doable from a single machine now, performance-wise, obviously you’d want a pool of systems to attack from to avoid detection/filtering, obviously something within the budget of a nation-state.

lurker March 10, 2021 12:04 PM

@Clive,re malformed voicemail

At first I assumed that meant malformed headers/metadata, but then this is MS …

@Bruce, All, Microsoft acknowledged the problem immediately.

Were they expecting this?

Fed.up March 10, 2021 1:26 PM


Maybe the better question is “why did they do this?”

Do we need to revisit MS’s assertions that their code wasn’t altered when it was breached?

ht tps://

In this announcement they admit that their Intune components were accessed. Look at what Intune does.

Also Authenticator can copy anything on a phone so conceivably doesn’t this mean it can write to a device too?

Nicholas Weaver is assuming that this voicemail exploit would be used within Exchange. I think that is a false assumption if he is referencing this on-prem attack. On-prem customers often don’t have their voicemail integrated with Exchange because Microsoft ended support for third party customer PBX operated SBC’s 12.1.2019. Meaning if this voicemail exploit is real then it may relate to 0365, not on-prem. Plus since working from home everyone is using Teams to communicate, not voicemail.

SpaceLifeForm March 10, 2021 2:31 PM

Webshells everywhere.

It makes sense that the attackers would spread webshells everywhere as that muddies the water, and makes it more difficult to determine intended targets.

ESET report

Exchange servers under siege from at least 10 APT groups

We have already detected webshells on more than 5,000 email servers as of the time of writing, and according to public sources, several important organizations, such as the European Banking Authority, suffered from this attack.

Clive Robinson March 10, 2021 4:30 PM

@ lurker,

Were they expecting this?

I would very strongly suggest they were, but I don’t have evidence other than very circumstantial at best.

That is I suspect other US entities were aware of it at some point and either gave a “heads up” or a “Leave Alone” message to some one senior.

Have a look at @John Mosby above @Bruces,

I have long believed that they give the NSA a few weeks’ notice to do basically what the Chinese did

And the general tone of several people since SolarWinds brcame the ill wind from the east.

Name withheld March 10, 2021 5:38 PM

@ Clive

I noticed that Snowden took a Twitter sabbatical January 26. He was very upset he wasn’t pardoned by the outgoing President. I think if he had the opportunity to further prove his actions justified that he’d be doing so now. His silence speaks volumes.

Also strange to have 2 fires in a cloud data center. Why didn’t the fire suppression work?

It is a cloud favored by hackers and Bitcoin exchange.

Fire in a data center could conceivably be caused by malware that causes the HVAC and fire suppression to stop working and crypto mining could purposely be used to cause it to overheat.

calvin March 10, 2021 7:07 PM

@Bruce, All, Microsoft acknowledged the problem immediately.

Were they expecting this?

I have long believed that they give the NSA a few weeks’ notice to do basically what the Chinese did: use the exploit widely, because you don’t have to worry about losing the capability.

So was this maybe a known vulnerability that, when shared with NSA-or-some-similar-party, was abused in a hurry?

NSA probably has double-agents too BTW. So when some info is disseminated, it can end up who knows where…

Cincinnatus March 10, 2021 11:37 PM

There are currently no reasons why an attacker who has access to a zero-day shouldn’t simply press a button and exploit every possible target at the moment when they know their exploit is about to lose value.

I’m mystified as to why this wasn’t the case before.

If you’re a badguy with a zero-day, and you know a patch for it is imminent or available, what do you have to lose by immediately switching to “exploit all the things” mode? Nothing, really. But this has always been the case. Why did it take until March of 2021 for the badguys to realize this?

Clive Robinson March 11, 2021 6:30 AM

@ Cincinnatus, ALL,

With regards your question, I’m going to answer it in a bit more depth as there is a lot many realy do not realise both from a defenders and attackers point of view.

So your question,

I’m mystified as to why this wasn’t the case before.

It rather depends on your outlook, previously as defenders we have realy just considered the two end points of the attacker spectrum line,

1, Covert APT.
2, Overt crook.

Obviously a spectrum exists between these two points from the unseen to the blindingly obvious. But we’ve more or less considered these points independently of anything else. In part because “to the attackers we have seen” that has been the two basic MO’s.

Thus as we think furthet there are actually two things to consider about individual attwcksr,

1, Defender scope.
2, Attacker objectives.

Both of these should evolve with both time and experience, but as defenders we tend not to see it that way which raises the “Why?” question. That is we know what we get to see as defenders by “observation” should improve by the “evolution of our tools”.

But there is a problem, with Covert APT our tools pick attacks up long after the fact. That is weeks, months or even years after the deployment of the zero day.

Simply because we had no idea what to look for and the “network noise/anomalies” were so far down in the grass you’ld have to be digging dirt (HumInt) to find them. Butvas importantly the lack of human resources to investigate.

Consider the predecessors of Stuxnet Duqu and Flame, they were not discovered untill long after they were first deployed by the attackers. But when they were sufficiently recognised as the integration of commonalities got above a threshold to attract interest, the AV companies then started to investigate. Primarily they looked back through their Data Base of files previously reported by customers, but untill that point unlooked at by the AV Companies staff.

Thus the attackers trail was spotted eventually after there was suficient aggregated noise. Because those AV DB files are a form of “Collect it all” they could in effect “go back and forth in time” and rerun “observational” histories looking for clues. But this time “with building knowledge” of what “Network Noise/anomalies” to look for as expressed in the AV DB file records. Thus over a relatively short period of time the AV companies could look for further “noise/anomolies” improving their tools very rapidly but very much long after the sound of hoof beats was a distant memory…

I don’t know why but I suspect dor some the assumption was if you were sufficciently covert the “noise/anomalies” of your Zero-Day would remain hidden, thus would go on indefinately staying down in the grass below some noise floor.

However anyone who has done even rudimentary “Signal Processing” knows what happens to “signals that look like noise” when you sufficiently average them in a time synced manner. The level of the attack signal rises (by n) and the level of the signals uncorrelated with the Zero Day attack go down (1/sqr(n)). The better the time sync on the Zero Day signal and the more otherwise independent other incoming sources you have the faster not just the first signals you found of the Zero Day rise but also new signsls correlated with the Zero Day attack. You can then go back with this new information as a “matched filter” to get more signal information and so on through several iterations.

Covert attacks based on “Low Probability of Intercept”(LPI)[1] do not remain covery long when you can “go back in time” repeatedly with “Collect it All” databases. A lesson I’m not entirely sure many people get in the right way.

So that kind of makes it appear that the proper use of a Zero Day is effectively a “one off” if you want it to remain undetected for serious “Covert APT” work[2].

But actually that is not true, we know from cryptanalysis that you can send the same message twice under different keys, if you take care to ensure the meta-data of the message remains likewise uninteligable.

Thus a smart “Covert APT” attacker will not just “randomize” the Zero Day it’s self but all things related from the start/source of the attack and also remove or randomize all artifacts from the attack.

Such behaviour does put Covert APT attacks under the noise, but if done well keeps them there.

Whilst an examination of early AV history shows past attackers have realised this and attacked accordingly, “we do not appear to be seeing it with Covert APT”

Thus you should ask yourself the question,

“Are such “Advanced Covert APT”(ACA) attacks NOT happening, or is it a case that as defenders we are blind to them?”

Factor that in and the answer to your question is probably “The defenders can not see ACA attacks, even though ACA attacks are probably happening”.

Further think on who are best positioned to carry out ACA attacks… Well it’s not China, Iran, North Korea, or Russia when you consider the real tangible physical layer of the Internet. That is they are in effect on the edge of the web not it’s center, nor do they straddle major traffic choke points… Those positions fall to the US at the center, and the UK and Australia on the major cable choke points, with other Five-Eyes of Canada and New Zeland at the “spill over” of satellite choke points. The Extended Five-Eyes in Europe and other parts of the world cover the nodes that are becoming the new through traffic choke points.

For the US’s “Four Horsemen of the Cyber-Apocalypse” of China, Iran, North Korea, Russian, they do not have traffic passing through their boarders so they have to “reach out” beyond or “drag in” traffic to get that sort of access to get the benifits.

But what benifits?

There is a long list, but two to think about are,

1, To enumerate target traffic.
2, To inject faux traffic.

It’s no secret that Sys/Net Admins profile their traffic just inside their gateway with automated tools. They then perform a form of automated signal processing that looks at the space between valid traffic and what the admin sets their noise floor at to avoid to many false poditives.

So to be covert you need to be either up in the valid traffic or well down in the noise floor. As indicated being in the noise floor is not the best place to put Covert traffic if you have a choice. If you can enumerate a targets traffic without them becoming aware of it, then the opportunity to hide in valid traffic becomes possible. So being able to see a targets traffic “passively” as the Five-Eyes do gives a massive advantage over those who have to use “active” techniques to “reach out / drag in” traffic inside their boarders. Both of which are quite “noisy” things to do but potentially have been seen from time to time with Boarder Gateway Protocol manipulatons etc. Which as the are obvious fairly quickly just by shear traffic flow “hitting the end stops” are in effect very noisy as they trip alarms. So most nations can not operate safely inside their jurisdictions as the Five-Eyes can, so effectively they have to “go out” in various ways if they want to do “passive” observation[4].

The other advantage the Five-Eyes have over other nations is the ability to not just inject false traffic but intetcept and respond to any returns. So if they are between you and their target, thay can fake as much traffic from you as they want and you will not be able to see it on the wire with your IDS etc as it will never get to you[5].

With at best week authentication but mostly no authentication on traffic, the likes of the NSA can make their false traffic, look just like the traffic you expect to see, in any way most IDS boxes can not differentiate or detect. Thus the NSA et al, can slip through their attack unrecognised. Not by trying to be unseen by crawling through or under the grass but by simply putting on a “sheep skin” and looking just like any other member of the flock in plain sight, thus passing unnoticed…

For obvious reasons these are not the things the NSA, GCHQ or other Five-Eyes or Extended Five Eyes want you thinking about.

Because as a potential target site you might decide to significantly update the way you not only run your IDSs but how you authenticate, not session traffic/comms but actuall individual transactions within a session with authentication they can not fake. As they would loose a major benifit of “being at the center of the web”…

They kind of got a bad hit when the “HTTPS for All” gained traction, so they had to develop other methods, in which week authentication significantly helped. If we now tighten up authetication correctly then they get another hit they do not want.

It should be obvious but nobody is realy doing it, perhaps it’s time for another “Why?” question…

[1] Now for the “dirty little secret” that some do not want generally known. Digital Signal Processing(DSP) techniques to pull “signals out of noise” generally only work if you know what the signal looks like, or atleast part of it or you have a sufficientky accurate time reference. So you can have a “matched filter” do “time synchronizing” and a number of other things (see work on Spread Spectrum techniques). So the concequence of this is[2],

[2] Generating the same signal twice is effectively as fatal to your Zero Day attack, as is using an OTP Key Stream twice or more, as it enables what is an “attack in depth” which is the same as a Signal Processing function just from a different “knowledge domain”[3]. Now oddly this was “known knowledge” back from the earlier days of computer viruses, but for some reason the Zero Day finders/attackers “we see” do not appear to realise this and thus do not change their behaviours accordingly… Or more correctly… “The defenders are only seeing those attackers that do not take care to randomize their attack signals sufficiently”. Which is in effect the missing piece of the puzzle you might be loojing for.

[3] If you look at past job adverts for the type of people both GCHQ and the NSA wanted back last century, you would see they were looking for rather more “Signal Processing” people than would be needed for normal DSP activities, thus they needed them for something else. Ironically they were “building a message in depth” about their intended activities via the job ads

[4] There is only one way to avoid creating “reach out / drag in” noise, and that is to do neither activity. Instead you “go to” where you can “passively” observe the target. All though no real evidence of such longterm observation by the four horsemen has been given by the primary Five-Eyes we do know that Russia has been caught atleast once or twice doing this short term to the likes of the IOC agencies so we assume other targets as well. The US has hinted that both Iran and North Korea have done similar but no evidence as such has been given. As for China the US has for the past few years been following a “Reds under the bed” campaign and maligning not just Chinese citizens but citizens in both the US and other countries that have Chinese ancestors. So in effect the US have so stired up the mud that nothing about Chinese activities can be easily distinguished as Fiction or Fact.

[5] Whilst there is nothing you can do with detecting people forging traffic from you by observation on the wire at your gateway, there are other things you can do. One of which is proper authentication not of the communications channel, but by proper authentication of all transactions which unfortunately requires a shared “Master Secret” and “non deducable by others” derived sesion/instance secrets. As is becoming obvious with attacks on the likes of random number generators and authentication protocols the NSA, GCHQ and presumably other Five-Eyes are actively doing such things.

jbmartin6 March 11, 2021 7:53 AM

I’d like to know what their goal was. Widespread global exploitation will fast track a patch a lot more than ‘limited, targeted attacks’ so I’m not so sure they were simply rushing to exploit before the window closed. Their actions shortened the window considerably.

Fed.up March 11, 2021 10:23 AM

@ Cincinnatus (links fractured)

Because it’s insiders. Chris Krebs former DHS/CISA tweeted this a few days ago.
ht tps://

There’s lots of other similar exploits going on. Verkada is one. For years all of their employees spied on this customers.
ht tps://

China just blocked LinkedIn. They realized LI was spying and that LI is the super vector. Thanks for the laugh China!
ht tps://

COVID stopped IT projects. Too dangerous when everyone working from home around the world, but also reducing tech spend necessary now. Is this why the media and so called security experts are now pushing for migration to the cloud? If tech spending doesn’t start up again quickly the attacks will increase. So is this some form of ransomware? If so, is the answer throwing money at them?

They left the backdoors open for operational reasons. It was a widely known secret. There was so much turnover that they couldn’t wait for someone new in the role to go through background screening so they used ‘Password123’, etc a lot. But they purposely created backdoors for other reasons. One of which if a new joiner was too inexperienced to do something, they called home for someone to surreptitiously cover for them. The big question is why didn’t SIEM pick this up? I knew it was happening for years. But no one wanted to listen.

If I knew this was happening millions of other people did too. That only encouraged them to make their own personal backdoors for their enjoyment and perhaps a little money on the side. But in some parts of the world, they don’t even call this spying. It is ingenuity and required to get ahead in life.

Has anyone Whistleblown about this? Enron was a $60 Billion fraud in the USA. 27,000 employees at a company that had no real business. People went to work and did nothing. No one blew the whistle. It happens.

Look at all of the companies under attack over the past few months, they all have something in common. That commonality is the attack vector.

So when people say the solution is to move to the cloud, that will only make companies a lot more vulnerable to this type of attack. The exact opposite is the solution now.

If China is able to block LinkedIn within their country – obviously with Microsoft’s assistance, then why can’t Microsoft limit each customer’s instance on to those country’s where they do business? It isn’t like anyone is traveling. Lots of medium sized businesses are getting attacked but they don’t do any international business – so why not just block them off from outside the country where they do business?

This is the solution. But then Microsoft cannot support US and EU customers from India. Most of their Government and enterprise customers don’t even know that’s happening and wouldn’t allow that if they did know. It’s against the law in much of the world and in most sectors. It is just that Microsoft is considered a 4th party vendor (not 3rd), so often they aren’t scrutinized in the procurement risk assessment. They are subcontractor to the integrators. And this also is the reason why this will continue until Government’s put their foot down and stop it. Data Residency is the answer. THIS is why the EU cancelled Safe Harbor and Privacy Shield too.

Paige Thompson, the Capital One AWS hacker is now on trial. But no news coming out of Seattle. I always suspected she was a whistleblower. She was let out of jail in 2019 without bail. She knows how easy it is to spy undetected.

JonKnowsNothing March 11, 2021 1:09 PM


re: If China is able to block LinkedIn within their country – obviously with Microsoft’s assistance…

I do not think China needs M$ permission nor assistance to block any content they choose. They own the Great Firewall. They set the rules.

M$ and others choose to provide services in China according to China rules. Same in the USA, same in the EU etc.

Once upon a time, not that many decades ago, the USA had nearly zero connections to Mainland China. It was official US policy to ignore them. We had no diplomatic ties or trade.

The NeoCon-Libertarian-Economists did the math: Extra sales to 1.7 Billion Consumers was too much money to leave on the Table; Ping Pong or not.

China did the same calculations too, except their view point was 180 degrees. They got 1.7 Billion Consumers worth of Transfer Goods, Services and Technologies.

ht tps://
ht tps://

  • Since the end of the Chinese Civil War [1949], the United States had refused to formally recognize the People’s Republic of China (PRC) as the legitimate government of China, though the PRC controlled Mainland China. The U.S. had instead supported the Republic of China (ROC), which controlled Taiwan.

ht tps://

  • Ping-pong diplomacy refers to the exchange of table tennis (ping-pong) players between the United States (US) and People’s Republic of China (PRC) in the early 1970s,

ht tps://

  • [February 1972] Nixon’s arrival in Beijing ended 25 years of no communication or diplomatic ties between the two countries and was the key step in normalizing relations between the U.S. and PRC.

Fed.up March 11, 2021 1:18 PM


You obviously didn’t read the article about the LinkedIn incident. China had LinkedIn selectively block. It wasn’t China that did so.

I don’t get why lots of readers here want this to be the US Government’s fault, when the US Government is the primary victim in this. It is as if those who keep faulting the NSA want the US to go to war.

China keeps their data to themselves. India keeps their data to themselves. The EU has been trying (unsuccessfully due to FB and friends) to keep their data to themselves.

Why is it so offensive that this is the solution to the USA’s rampant attacks?

I don’t want my data to leave the USA’s jurisdiction and protection. Shouldn’t this be every American’s right to determine?

A Serious Hypothetical March 11, 2021 1:48 PM


I do not understand what you are trying to say here:

We know that Microsoft shares advance information about updates with some organizations. I have long believed that they give the NSA a few weeks’ notice to do basically what the Chinese did: use the exploit widely, because you don’t have to worry about losing the capability.

Are you implying that Microsoft told the attacker(s) their timeline for releasing a patch to close the door on this vulnerability?

Are you implying that the attacker(s) are the NSA/CIA?

Can you please clarify this?

SpaceLifeForm March 11, 2021 3:12 PM

@ Fed.up

I don’t want my data to leave the USA’s jurisdiction and protection. Shouldn’t this be every American’s right to determine?

You have no control over that unless you get off of the internet. You do not control the upstream routers. You do not control BGP. Since you have no control over those things, your traffic can be routed out of US and back in, which then legally allows NSA to “collect it all”.

SpaceLifeForm March 11, 2021 3:42 PM

@ Clive

Excellent summary. One nitpick.

One of which is proper authentication not of the communications channel, but by proper authentication of all transactions which unfortunately requires a shared
“Master Secret” and “non deducable by others” derived sesion/instance secrets.

Should not require a shared “Master Secret”. PKI is workable.

The “non deducable by others” is the crux of the problem.

Fed.up March 11, 2021 3:52 PM


Attribution has been all over the place. Let’s count shall we –

United States

Anyone see a proof of concept yet?

As a technologist if you let bias cloud your judgment, you cannot find a solution. None of our present security techniques are keeping the USA or corporations safe. Maybe it is time to emulate China a bit. I doubt China is using the same software versions we have in the US. Security needs to be embedded into applications. It cannot be an afterthought for the sheer fact that monitoring cannot identify zero day vulnerabilities.

China is confident in LinkedIn’s ability to restrict usage in their country. Why can’t we ask the same of software vendors in the USA?

China still manages to do business globally even with their “walls” and application level restrictions. Do you think their hospitals and schools are inundated with ransomware? If not, why? Might their security techniques work?

SpaceLifeForm March 11, 2021 4:57 PM

@ Clive, ALL

Notice my point above re routers, BGP, was NOT addressed.

Just a ton of Red Herrings spread about.

The nym may be your clue.

SpaceLifeForm March 11, 2021 5:18 PM

@ Clive, ALL

Just say NO to sigstore.

Just say NO.

You will be making a MAJOR OPSEC mistake.

A MAJOR mistake.

Do NOT even entertain the thought.

Clive Robinson March 11, 2021 6:43 PM

@ SpaceLifeForm,

The “non deducable by others” is the crux of the problem.

To be non deducable by others requires knowledge that is not known to them. For you to be able to authentic to me you and I have to have the same knowledge, that nobody else does.

It does not realy matter what you call it but at the end of the day it is a secret you and I have to share it.

Which brings the problem down to how do we communicate the secret, there are three basic routes,

1, I give you the secret via a secure channel.

2, You give me the secret via a secure channel.

3, We create the secret together in some way.

The third way can be done in a number of ways but it just so happens that most functional is the least secure. Which is to use a clever bit of maths, that nobody has a clue as ti if it is secure or not.

The Chinese do not like to trust that uncertain math, so they have come up with a different way, which aledgedly uses a satellite and a source of entangled photons. Where it sends one photon of an entangled pair to me and the other one to you and the information encoded by the two Qbits becomes bits in a shared secret. The laws of physics as we currently know them indicate that whilst you and I know the secret nobody else will including the satellite where the entangled pair was generated…

As it costs ~$3million a year over the lifetime of the satellite to put one up and keep it there, as the lifetime is dependent on an orbit and slot being available, it’s unlikely that most of us will ever have one even if we wanted to keep up with the Chinese equivalent of the “Joneses” 😉

It’s a bit of a poser that the only method with flexability is prophesied to be “fallen to quantum computers” within a decade. Personally I’m not expecting a breakthrough any time soon, but then, the thing about breakthroughs, is we don’t expect them any time…

Fed.up March 11, 2021 9:39 PM

@ Clive

For you.

ht tps://

Needs a new name

We are overdue for disruptive tech.

lurker March 11, 2021 10:45 PM


I don’t want my data to leave the USA’s jurisdiction and protection. Shouldn’t this be every American’s right to determine?

And I don’t want my data to enter the USA’s jurisdiction and prosecution. Shouldn’t this be the right of every non-American to determine?

But I already know the answer, as spelt out by @SpaceLifeForm: get off the internet. Who’s gonna jump first?

Fed.up March 11, 2021 11:04 PM

@ SpaceLifeFrom

I’m not ignoring you. You don’t seem to understand the US and EU have great laws which aren’t being upheld. We need to find a way to uphold them.

That’s for Gov to figure out. Regulations are the result of business making bad choices.

The tech industry needs to be regulated. The USA often creates laws which result in new technological innovation. I’ve been involved in a few.

ht tps://

There are industry sectors in the US which prohibit data from leaving the US. It is possible to do this. DLP is regulated in quite a few sectors. Data classification and protection/sensitivity needs to occur at the point of creation. Not after the fact. Or it will fail. There are vendors that specialize in this. A Microsoft product can do this too. But the extraordinary amount of configuration required exceeds the capability of their integrators and the willingness of their customers to pay for it. It should be built in. Security won’t be achieved without some very impactful procedural changes. But it was the same thing with 9/11. Up until then office buildings and airports had no security. Disaster Recovery data centers were located right next to Production. Lots of lessons learned from disaster.

I don’t think the solution to zero trust is technical. People say that Cybersecurity is lacking because of lack of investment. I think it more lack of will. No one wants to accept what the real problems are. No one wants to change.

Fed.up March 11, 2021 11:44 PM

@ Lurker

I agree to some extent. But my thoughts on the subject are complex. I feel really safe in London knowing I am on camera all of the time. I am also glad that facial recognition caught the 7/7 suspects so fast. I am always grateful for getting through Heathrow and Gatwick customs so quickly.

But I will leave the ethics up to others. That’s not my field of expertise. I believe data privacy is a human right. But what offends me more than anything is that garbage data is compiled on us and represented as fact.

I get that some Europeans love to hate on America or my Government. I believe in free speech so that’s your right. But as Meghan said the other day, I find it perplexing.

xcv March 12, 2021 1:21 AM


I don’t want my data to leave the USA’s jurisdiction and protection. Shouldn’t this be every American’s right to determine?

And every town, village, city, municipality, county, parish, and district? Under the orders of City Hall, gentlemen take your hats off hold the doors open pull the chairs out for the ladies the board of commissioners is meeting in extraordinary closed executive session due to these unprecedented times of COVID-19 data breaches.


And I don’t want my data to enter the USA’s jurisdiction and prosecution. Shouldn’t this be the right of every non-American to determine?

And please don’t tell me the Swiss “cantons” and other sorts of petty jurisdictions in Europe have anything better to offer in the way of banking privacy without accountability.


But what offends me more than anything is that garbage data is compiled on us and represented as fact.

And that’s nothing but “the usual” lies and slander — you can tie a bell around your neck and moo “lie-bell” all you want at your lawyer’s office — after all, lie + bell = libel — but a lie is a lie, with all the ignominy and destruction of a lifetime of human production and earnings for a normal working career.

Clive Robinson March 12, 2021 4:01 AM

@ Fed.up,

There are industry sectors in the US which prohibit data from leaving the US.

Rule #1 of the Internet Security,

You can not verfy beyond your gateway.

Thus every thing that happens out there you have no control over.

As I’ve noted in the past there are all sorts of tricks you can do as an attacker make IP traffic go where you want, not where the data owner wants.

But people forget a fundemental fact,

The “Physical Layer” is turtles all the way down

That is you can tunnel down to the IP layer, but what carries the IP layer? Ethernet?, ATM?,
X.25?, another IP network?, and what do they run on?

But how can you tell if you don’t have the physical wire/fibre in your hand, and you can “walk the line”?

How do you know your data is not being “Tee’d Off by some third party”? Do they do it actively inside a box the wire/fibre plugs in? Or are they doing it passively sniffing the wire/fibre energy as it goes by. How do you know even if you do “walk the line” looking for “Vampire Taps” or their equivalent?

You might say “Ah Encryption is key” but is it? The data is still leaving your area of control. How do you know the encryption key is not lraving with it?

So you get back to the point where you realise that @SpaceLifeForm’s advice of,

“You have no control over that unless you get off of the internet.”

OK so we rule out electronic means, how about physical? How do you know that the backup / archive tapes/media is not copied by somebody at some point? The rule about the failing of encryption still applies here…

The US DoD were going through these problems back over sixty years ago, and they eventually realised two things,

1, The security cost rose exponentially.

2, No matter whay you did there was always a flaw and you could not achive the required level of “Control over the data”.

As I noted not so long ago there used to be a joke about making a computer secure, where you turned it off, pulled all the cables, embeded it in a large block of concrete and dropped it in the deepest ocean trench. That joke was about just how unusable strong computer security made things. But as always, somebody found a new punch line… Back when the joke was made you could not get to the bottom of the world’s deepest ocean trench, it was beyond us back then… But technology moves and now even famous ScFi movie directors can get down there and make their own “home moves of their fabulous adventure”.

Hence proving rule #1 of security,

What ever security measure you put in place, given time it will be broken or worked around.

A point that Dr. Jethro Beekman does not appear to get or has chosen to ignore when he says

“The key to implementing confidential computing is a trusted execution environment that secures encryption keys within secure enclaves to protect them from external threats such as root users, a compromised network, rogue hardware devices, or, as was the case in the SolarWinds attack, advanced malware.”

In the article you linked to. Secure enclaves in Intel’s chips are not secure, people have attacks to get data out of them. Likewise those very expensive bits of hardware used to store crypto keus and the like have been breached.

But the real problem is in the case of SolarWinds the sustem was doing exactly as it was setup to do which was “sign an atchive” of instalation files. It failed for two reasons,

1, The BOM was not secure.
2, The Authentication was not secure.

And when you think about it they never can be secure because there is no way to secure a “treasonous insider” even “two keymen” solutions have their security weaknesses a so called “Confidential Computing Environment” will always fail to “trusted insiders”.

I had predicted both this failure and signing key access failure of code signing attack on this blog more than a decade ago in a conversation with @NicK P you can probably find it by searching for our handles and “code signing”. It was long before Stuxnet proved the failuer of “signing key access”.

Code signing was never ever going to atest to the security, correctness, or quality of data / code in an archive, it can not that is a logical impossibility, because it has to follow the fundemental law of “Garbage in, Garbage out”, just sign the hash to show they are the same pile of garbage.

It’s also why that “prohibition” you mentioned will never work either.

Something the Dr. did get right with most of his article, and specifically,

“The problem is that it can (and often does) give people a false sense of security.”

That is we kid ourselves, it’s a “comfort blanket process” because we want the “feeling of security” even though the level we want of “security is not possible”.

So the question is what do we actually want to do within the bounds of possibility?

As I’ve indicated in the past,

You can try to build castles in the air, but it’s a short lived venture. As is building them on shifting sands. Every one will tell you that for a castle to endure it has to be built on bed rock… But is that actually true?

Well actually it’s not, even before the times of the Tudor’s we knew you could build a castle on water, you just had to understand density and center of gravity. Hence the forerunners of the capital battleships the “men of war” ships loaded with cannon and hulls up to four feet thick of English Oak.

The important lesson is,

Sometimes you have to live with what you’ve got, just make it work for you.

And the most important thing to not just learn but grasp fundementaly, comes from “Physical Security”,

Security is not about stopping an object being reached by an attacker, it is about detecting and delaying the attacker so there is time to bring resources into play to stop the attacker.

If we forget that security is mearly a detection and deterrent process that needs to be backed up by other resources, –and we very much do in ICTsec,– we are eventually going to end up in a world of hurt of our own making.

And guess what Stuxnet “broke the ice” on one major weakness (cert access) on “code signing”, SolarWinds has just “blown it out of the water” with the other major weakness (insider attack). Those were the two “alledged” security pillars code signing stood on, they are now both shown to have failed, the only conclusion is the one I made years ago “code signing is a failure as it stands” back then we were waiting for it to happen now both have and “The case is prooven m’Lord”…

Clive Robinson March 12, 2021 7:32 AM

@ Fed.up,

We are overdue for disruptive tech.

Well I realy do not think it’s going to be homomorphic encryption on chip or in firmware, software etc.

Let’s think what encryption is all about,

1, Use minimal workfactor to obfuscate information.

2, Make workfactor maximal for eavesdroper.

So if you take a OTP, the work factor required is in two parts,

1.1 Make the pad of random numbers
1.2 Use the pad to encrypt information.

The first can be done by sitting there and quite laboriously throwing a pair of dice, use them to looking up an alphabet char in a 6×6 table and type it in to a process that converts it to a pad.

Fairly simple to do and labourious because the throwing of the pair of dice is “the non-deterministic or random” input required. Again using the pad is fairly trivial but tedious. So the real work factor is the “randomization” process which is about as near to a one way function as you could hope for and should be also as near non-deterministic as you could hope for.

That one-way non-determanistic function is where all the security of the OTP comes from. However use a pad twice and it cancels out leaving two plaintexts XOR’d together which has little workfactor to seperate[1].

If instead of the reversable XOR function we use ADD and SUB an interesting property arises.

Because the encryption is “addative” you can do basic addition and subtraction on the encrypted “ciphertext” which keeps the correct value when the ciphertext is decrypted. So it gives you one of the basic homomorphic encryption primitives.

Whilst that demonstrates the possabilities it has an issue.

That is you can “change the encrypted data” but you can not “use the encrypted data” because you can not “test it’s value”.

When you think about how to do a simple “compare” –which is normally the equivalent of a SUB statment– you realise just how difficult homomorphic encryption can be.

Because to test/compare raises the workfactor of encrypting whilst decreasing the work factor by a great deal for an attacker, thus the securoty margin plumets.

Thus whilst homomorphic encryption is an academics “life long work” to come up with a system, users on the other hand will see large electricity bills and low work efficiency and wil not be happy.

That’s a fairly steep hill to push a rock up and I’m realy not sure many people will want to meet the grade.

[1] So the OTP “Goes from hero to zero” in the encryption game with easily made often trivial mistakes. Which is one of the reasons it’s not particularly liked. Another is that the size of the OTP you have to securely transport in advance is large, that is large enough to cover you conceivable needs untill the next secure transport.

Clive Robinson March 12, 2021 6:09 PM

@ SpaceLifeForm,

Things are not making sense.

Well as I don’t subscribe or have javascript I only get the first few paragraphs of the WSJ article (and it’s never been worth paying for it, unless there’s a panic buy on loo paper 😉

But the time line they give does not make sense to this tired brain…

But as for attack code looking like POC code, well that is not of it’s self suspicious, people see the faces of jesus in clouds and on burnt toast when they want to…

You kind of need independent view points otherwise you are beyond “trusting” and into the equivalent of “quasi religious belief” and where I come from that sort of “faith” is seen to be not to far from “hearing voices from god” or “kissing the ring of the glourious leader”.

So in the words of the film to Miss Connie Swail, “Just the facts ma’am”…

Clive Robinson March 14, 2021 3:24 AM

@ SpaceLifeForm,

Keep an eye out for the sternly written email

Or stronger…

Remember that article that was confusing my tired brain over dates for a timeline,

Well if you look down at the bottom it says,

“In 2012, Microsoft kicked out a Chinese company, Hangzhou DPTech Technologies Co., Ltd, from Mapp after determining that it had leaked proof-of-concept code that could be used in an attack and that code appeared on a Chinese website.”

If true, and I’ve not checked it’s true, then some security firm is going to loose an important source of information that puts them ahead of others in the game. Thus I suspect there will be no hands going up with a “mea culpa” plea. But potentially a closed door discussion where “some intern” or other individual gets chosen as the sacrificial goat…

xcv March 14, 2021 11:47 AM

Not just Microsoft.

Not by a long shot.

Postfix + Dovecot, Linux email clients including KMail were hit severely.

Something went wrong with the basic architecture of the “IMAP4rev1” system inasmuch as it represents any improvement over “POP3”.

Not really a conspiracy or hack, though.

The general spam load is too heavy, and it’s just not the sort of spam that lands in your inbox, either. Authentication mechanisms are overloaded with attempts on various email ports, not just 25 but especially 110, 143, 465, 587, 993, and 995.

I will have to wait for serious security updates before I can even consider getting online with email again.

GMail, Yahoo mail, etc., are okay most of the time, but not much good for anything but fluff.

SpaceLifeForm March 16, 2021 12:53 AM

For those that not have applied the updates, or don’t have someone with the tech skills that understands the process, Microsoft has a new tool to buy you time. That hopefully someone onsite can understand and run.

Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.