-
A reminder that this latest ransomware attack (#Petya) is made possible by #NSA-developed exploits #ETERNALBLUE and #ETERNALROMANCE (the former used in #WannaCry)---exploits that the government decided to hoard as 0days instead of notifying Microsoft to fix the issues. Instead of helping to protect the United States and its allies, it has made us far less safe. Petya and WannaCry are products of its negligence.
This issue goes back to the #VEP (the Vulnerabilities Equities Process)---the supposed process that is used by the government to determine whether to disclose or weaponize exploits. If WannaCry didn't spur enough discussion, let's hope this does.
https://social.mikegerwitz.com/url/7904
-
You are mistaken. These exploits are common knowledge and were patched in April. Fault is to be directed at those who have not patched their systems.
-
@zoowar They were exposed in April by the Shadow Brokers leak. Many of them (including both of the above) were already patched by Microsoft exactly one month prior, leading to suspicions that they were tipped off, or that the Shadow Brokers decided to leak them because they had been fixed.
WannaCry and Petya integrate the exploits leaked by the Shadow Brokers; they would not exist without the leaks.
If you were only saying "you are mistaken" to my statement that both are products of the NSA's negligence, you're blaming the victim. If someone unleashes a bioweapon, and immunizations are offered to the general population, and a number of people die because they fail to get immunized, you don't blame the people---you blame whoever deployed the weapon.
Some systems aren't upgraded because of negligence. Others aren't updated because users don't know there's a problem, or don't know how (e.g. grandma). Others are using ancient operating systems and upgrading might be a financial burden. Others haven't upgraded because of strict regulations or bureaucracy within an organization, or because of incompatibility with critical systems. Others rely on technical support staff or contractors that haven't come by, or that they can't afford to pay at the moment.
Blaming most users for not upgrading their system is wholly inappropriate. If I used Windows and didn't update? Sure. You? Sure. But we're both technical people with no hoops to jump through or people to pay.
-
I agree that they were exposed in April. However, a patch was issued back in April, so those who have not patched their systems are responsible for whatever harm they incur from the current attack. "Blaming most users for not upgrading their system is wholly inappropriate." WTF? The first rule of security is patch your system.
-
@zoowar *most* users; average users. Yes, they should update, but they don't, for reasons I listed.
If the company I work for gets pwned? There's a difference between being negligent in your professional responsibilities to defend your own systems and negligent for hoarding exploits that are then leaked and used to attack people.
You were attributing full blame on users who didn't patch their systems. That doesn't forgive the US of its negligence. They are different faults.
-
You continue to be mistaken. Every Microsoft system is informed when a patch is available, unless the admin has disabled this feature.
-
"If the company I work for gets pwned? There's a difference between being negligent in your professional responsibilities to defend your own systems and negligent for hoarding exploits that are then leaked and used to attack people." Not once said company has been informed to patch their system. If said company decides not to patch their system, they are responsible.
-
I'm not forgiving the organization that held onto the exploit. I'm also not holding them accountable for any harm which occurred after it was patched.