Chinese State Media Says US Should Take Some Blame For Cyberattack (cnbc.com)
An anonymous reader shares a CNBC report: Chinese state media on Wednesday criticized the United States for hindering efforts to stop global cyber threats in the wake of the WannaCry ransomware attack that has infected more than 300,000 computers worldwide in recent days. The U.S. National Security Agency (NSA) should shoulder some blame for the attack, which targets vulnerabilities in Microsoft systems and has infected some 30,000 Chinese organisations as of Saturday, the China Daily said. "Concerted efforts to tackle cyber crimes have been hindered by the actions of the United States," it said, adding that Washington had "no credible evidence" to support bans on Chinese tech firms in the United States following the attack. The malware attack, which began on Friday and has been linked by some researchers to previous hits by a North Korean-run hacking operation, leveraged a tool built by the NSA that leaked online in April, Microsoft says.
Don't blame the U.S.A. (Score:2, Insightful)
Blame Microsoft.
Re: (Score:2)
Last time I read about Windows in China, most people were still using Windows XP. Does Microsoft still release patches for XP?
Re:Don't blame the U.S.A. (Score:4, Informative)
They did this weekend. https://www.microsoft.com/fr-F... [microsoft.com]
Re: (Score:2)
Patched after the fact of course. Microsoft shares blame here for facilitating the attack by having the ridiculous feature of allowing scripting in downloaded documents or emails.
Re: (Score:3, Interesting)
Agreed, blame the US TLAs for this. It falls *directly* on them in this particular case. Microsoft made a mistake, but they made a good-faith effort to fix said mistake. And if you're going to castigate organizations for making security mistakes, there's no widely used OSes that haven't had their share of doozies in the last few years alone.
That being said, the last country I want to hear casting blame about regarding cyberattacks is China.
Blame the NSA, not the U.S.A. (Score:2)
Do you even know what intelligence and counter intelligences actually do? If the NSA open sources all their tools and methods do you expect the other foreign intelligence agencies to do the same thing? Because that is what the mindless proles are asking for.
As I understand it, what the "mindless proles" are asking for is for the NSA, when they discover that there is a vulnerability in the software that allows it to be attacked, to tell the companies that make the software about it to allow it to be patched instead of hiding the information.
By the way-- "mindless proles"?? What's with the neo-Marxist-jargon? I don't think I've heard anybody use the word "proletariat" seriously in fifty years.
That is sort of like going to war and telling your target the time of the attack, the force size the target can expect to face, and then leaving all the ammunition locked up back home in the armory.
It's more like the NSA discovering that there's a grenade strapped to
Re: (Score:2)
As I understand it, what the "mindless proles" are asking for is for the NSA, when they discover that there is a vulnerability in the software that allows it to be attacked, to tell the companies that make the software about it to allow it to be patched instead of hiding the information.
It is not the NSA's responsibility to make sure software is secure. Their job is to find vulnerabilities that can be exploited to meet their ends. To suggest that they immediately throw away each new capability they develop by alerting the software makers is just stupid. If they were looking for vulnerabilities just so they could be patched, it would go against the entire purpose of their looking for those vulnerabilities - Why would they bother searching if not to find something to exploit?
Re: (Score:2)
It is not the NSA's responsibility to make sure software is secure. Their job is ...
As an agency of the U.S. government, their job is to uphold the constitution, and specifically their job is to provide for the common defence (you know, that constitution stuff?).
They decided that "making us safer" meant "don't report vulnerabilities that might make us unsafe." That was their decision. "Let's leave the U.S. vulnerable" was what they chose.
They believed that not patching vulnerabilities makes us safer. Worse, not only did they not warn us, and thus allow us to defend against the vulnera
Re: (Score:2)
As an agency of the U.S. government, their job is to uphold the constitution, and specifically their job is to provide for the common defence (you know, that constitution stuff?).
And by maintaining their ability to break into adversaries' computers, they concluded that's what they were doing.
"Let's leave the U.S. vulnerable" was what they chose.
No. They decided, "let's leave the world vulnerable." That unfortunately includes their own country.
They believed that not patching vulnerabilities makes us safer.
That part you got right.
Re: (Score:3)
It is not the NSA's responsibility to make sure software is secure.
Sorry, but you're wrong. The National Security Agency has multiple tasks. Among them and besides the signals-intelligence role, they are also tasked with securing the US' data networks as part of essential infrastructure vital to national security.
They sacrificed national security for signals-intelligence capability, mostly motivated by domestic politics and the desire to use the NSA domestically to suppress dissent and political opposition. I blame this change in the NSA on the political appointees that ha
Re: (Score:3)
...they should still inform Microsoft so they can make a patch that can be sent out asap if one of those tools gets loose
Are you suggesting that they inform Microsoft as soon as they find a vulnerability and have them sit on a patch until the exploit "gets loose"? What would be the difference between that and just requesting that Microsoft include a back door that could be modified once it's discovered by someone else?
Re: (Score:2)
Of course the NSA has the largest share of the blame, because they lost ready-to-use 0-day exploit code. That is about the worst thing possible.
The NSA is also to blame because they did not report the 0-day after a reasonable time, say 1 year or so.
That makes two major screw-ups or seriously criminal acts on the side of the NSA.
MS puts out shoddy software, but a) everybody knows that and b) a lot of others do it too. So some, but not a lot of blame to MS.
The fuckups that used this code also have some blam
Re: (Score:2, Insightful)
Releasing the code to the public wasn't necessary to shame and cripple the U.S. intelligence infrastructure. All they needed to do was give Microsoft a copy and publicly tell them to patch it or they'd make it public in 60 days. Once Microsoft confirmed the vulnerabilities were real, th
Re: (Score:2)
This reminds me of the plot from the movie "Outbreak".
Sure, that chick from Grey's Anatomy started the outbreak by stealing the monkey, but why the fuck was the US gov't weaponizing horrific viruses in the first god damn place?
Re: (Score:2)
No, their actions were a brutal but much needed outing of the NSA as the enemy. They are sitting on many, many more exploits, and Microsoft was caught purposefully introducing backdoors for NSA before (like, say, the _NSAKEY signing key).
Patching this particular exploit would have no lasting effect.
Re: (Score:2)
Indeed. What the NSA did here would be called treason in any non-government organization, because what they did massively helped enemies. They need to massively reduce the number of exploits they keep secret (I can understand that they want a few), they need to make very sure the exploits and exploit-code does not ever get stolen and they need to make sure the exploits they keep secret are both hard to find and hard to exploit. Unless and until they do that, they will indeed need to be considered an enemy o
it's a step up (Score:1)
Well, that kind of "blame" is a step up from the traditional Chinese statements about the US:
Made in the USA... (Score:2)
Not just the Chinese saying this (Score:4, Informative)
https://www.washingtonpost.com... [washingtonpost.com]
http://www.zerohedge.com/news/2017-05-14/microsoft-slams-nsa-letting-its-hacking-tools-cause-global-malware-epidemic [zerohedge.com]
Re: (Score:2)
I think they did awhile ago, perhaps shortly after they found out that the burglar tools they were holding had been copied. But they *should* have gotten them to fix the problem nearly as soon as they discovered it.
MS issued a fix for the bug before the WannaCry attack was launched. That looks like advance warning, though it could be ordinary bug repair. The problem is that there are a huge number of systems that either won't be fixed or can't be fixed, and some of the most critical are those that can't
Re: (Score:2, Flamebait)
These days, the US has just two things left: Being large and being very stupid. Hence electing Trump as president is fine, because he is an exceptionally appropriate representative of the US population.
they have a point. (Score:2, Insightful)
If the National Security agency had actually given a shit about security, it would help companies fix these problems before they are exploited in the wild, rather than hoard and weaponize them. They made a conscious decision to attack security rather than enhance it. As a result, critical infrastructure such as hospitals have suffered, and we haven't seen the end of it yet.
It is a rogue agency, and needs to be brought to heel. When parts of the government start treating its own people as enemies, it's ti
70% of software in China is "unregistered" (Score:4, Informative)
According to Engadget [engadget.com] and other sources. So yea, the US is to blame for all the pirated un-patched installs of XP in China. Russia has purportedly 64 percent. Isn't it strange that the NSA would code such an exploit. Live by the sword, die by the sword.
Re: (Score:2)
Gonna call bullshit on those numbers. For a start, they come from the Business Software Alliance, which profits from scaring companies about piracy and "fining" them for unlicensed software. Also, they don't give the number for the US for comparison.
I live in the UK. Everyone I know uses at least one pirate app, often Windows.
Anyway, if China pirates software so much, why would it stick with XP? Just pirate Windows 10 instead.
Re: (Score:2)
Hmmm... let's see what Mr. Gates himself said...
"Although about 3 million computers get sold every year in China, people don't pay for the software. Someday they will, though," Gates told an audience at the University of Washington. "And as long as they're going to steal it, we want them to steal ours. They'll get sort of addicted, and then we'll somehow figure out how to collect sometime in the next decade."
http://articles.latimes.com/20... [latimes.com]
Re: (Score:2)
This is not "the door to the vault was left open." Rather, the lock on the vault was easy to pick, and the cops who are supposed to watch out for everyone, when they found out, instead of telling the bank, created a set of custom lockpicks for that type of vault and then lost them in the common marketplace for any thief to pick up and use.
Re: (Score:2)
More like a car manufacturer who made a truck with brakes that can be hacked: made to fail via an external wifi signal... then a mechanic at a repair shop notices that the wifi is not properly protected but does not tell anyone. Mr Nasty sends the signal and someone dies. Who is at fault: the manufacturer, the repair shop or Mr Nasty? Mr Nasty deserves jail time, but, I believe, so does the mechanic for not reporting the fault.
The larger problems (Score:4, Insightful)
While it might have been the NSA that created the basis of the ransomware, there are really larger problems. Any hacker could have discovered the vulnerability and launched the same attack.
The first problem is that the malware affected Russia and China in greater numbers for the simple reason that many Windows installations there are pirated so they are not likely to receive patches. MS for their part did patch the vulnerability in the March cumulative update if I remember correctly.
The second problem is that MS didn't patch unsupported, older versions of Windows until WannaCry became widespread (Windows XP, Vista, etc). So there are still many older versions of Windows out there being used. This second problem does affect companies and machines that have stayed on older Windows for a number of reasons (hospitals, factories, etc.)
The third problem is that trust in MS has slowly been eroded over the years with their behavior:
For many, they simply don't trust MS anymore. In years past, a bad patch every now and then could be forgiven. With no trust in MS, consumers are simply taking their chances.
Re: (Score:2)
With no trust in MS, consumers are simply taking their chances
Right conclusion but wrong causality. Consumers have been taking their chances for many years before MS's patching practices became even remotely questionable. Back when security was just a thing those IT nerds talked about, disabling Windows Update was common. Didn't want it slowing my internet connection down. Didn't want it doing something on my computer. This goes back into the early days to the point that in Service Packs MS introduced warnings to users who disabled Windows Update.
It was an endless powe
Re: (Score:2)
Consumers have been taking their chances for many years before MS's patching practices became even remotely questionable.
Consumers didn't run updates as often as MS would like but it was more due to laziness than anything else. Now they legitimately have reasons not to do so.
Back when security was just a thing those IT nerds talked about, disabling Windows Update was common.
IT Admins did not roll out updates automatically for good reasons. For corporate networks, software compatibility and testing were higher priorities than merely installing whatever patch MS rolled out. As an IT admin, if you roll out an update without testing it and systems go down, it affects the company. But MS respected the system back then. These days MS se
Re: (Score:2)
but it was more due to laziness than anything else.
If you installed Windows XP SP1 and later and just click next a few times to make the popups go away, the updates would be automatic. Same with every subsequent version. No, people actually put effort into not updating.
IT Admins did not roll out updates automatically for good reasons.
You misread my sentence. Of course IT admins didn't do it for good reason. My post wasn't about IT admins.
I don't know who you know but none of those reasons were ever brought up by people I knew not to update.
Plenty. What reasons do you know? Laziness? That's even worse.
No, updates were inconvenient for most people.
Exactly my point, read my last sentence again.
Re: (Score:2)
If you installed Windows XP SP1 and later and just click next a few times to make the popups go away, the updates would be automatic. Same with every subsequent version. No, people actually put effort into not updating.
Did you forget the hours it took to update to service packs and patches?
Plenty. What reasons do you know? Laziness? That's even worse.
Again did you forget that a SP could take hours? SP3 took me at least 8 hours with one computer and 1 hour with another. But the thing is you never really knew how long it might take.
Wouldn't have helped China if NSA told Microsoft (Score:1)
Even if the NSA told Microsoft about this bug a year or more ago, it wouldn't have helped China at all. They're running tens of thousands of stolen copies of Windows and on old versions like XP so any patch Microsoft released would have never been installed anyway.
The blame here is on China and any other companies that kept using XP past its end of support date. They made that decision, they have to live with it. If they can't afford Windows, there are some perfectly usable Linux distributions out th
The U.S. should take a little blame... (Score:3)
... when the Chinese take a LOT of blame (all the blame?) for North Korea.
For over 50 YEARS, CHINA has been basically the SOLE supporter of a despotic regime that, in addition to crimes and atrocities only exceeded by the Holocaust, Stalin or "The Great Leap Forward", through forced labor, prison camps and also responsible for the DEATHS of MILLIONS of its citizens (primarily through starvation), is now threatening the security of much of the world (even Putin made some nervous remarks). That the North Koreans don't give a flying F*** about convention or Geneva protocols or whatever is obvious from their past terrorist attacks (bombing of an airliner) to using the (most) deadly chemical weapon known to man (basically all other nations have destroyed their stocks) in a densely populated city in an uninvolved country just to kill one possible dissident (and they probably smuggled it in via diplomatic pouch, hence the police apprehending N. Korean embassy workers).
That the Chinese were willing to put an entire nation of people IN HELL for five decades just so that they could possibly keep the Americans from being on their doorstep shows how little regard they have for HUMAN RIGHTS or even LIFE. (They probably could've gotten the Americans to have agreed to leave S. Korea if N. Korea was unified. From what I can tell, they never tried). But even if you were ignorant of the North Korean situation, you could probably have guessed their (lack of) morals from the way they treated Tibet and their own ethnic minorities.
That is why I have so little regard for the Chinese (government) and long ago stopped making direct investments in China. As for their citizens, I'd like to believe that they are the classic example of why a people blindfolded by censorship can be led to do the worst imaginable things. A person can easily be convinced to murder (and a country to genocide) if he is lied to.
Re: (Score:1)
The US put nukes into South Korea as well as invaded North Korea twice - once all the way to the Chinese border. If North Korea is hyper militarized it's not because they want to but because they have to if they want to avoid becoming another East Germany. US would never have withdrawn from South Korea. Only way to get US to withdraw is to make the costs too heavy like in Vietnam.
US was also willing to put an entire nation (Cuba) into misery using sanctions just so that an example of a successful communist c
National Insecurity Agency (Score:1)
Hey China (Score:2)
How is the US obligated to handle negligence? (Score:2)
It seems to me that Microsoft has been negligent with security. They don't support any sort of granular permissions, nor any modes for running applications that would limit the damage they can do. (Why can DailyJoke.exe read/write all files except system files, read the screen buffer, and listen for keypresses?) If granular permissions are too hard, why has sandboxing not been implemented? Why is every installer a black box which must be run as admin?
However, since we haven't legislated that they aren't all