ALL BLOG POSTS AND COMMENTS COPYRIGHT (C) 2003-2017 VOX DAY. ALL RIGHTS RESERVED. REPRODUCTION WITHOUT WRITTEN PERMISSION IS EXPRESSLY PROHIBITED.

Monday, May 15, 2017

He's not wrong

Vladimir Putin blames the USA for the mass cyberattack utilizing NSA software:
Vladimir Putin has blamed the US for the global cyber attack that has crippled computer systems around the world since Friday. The cyber attack, which wreaked havoc at dozens of NHS trusts on Friday, has continued to spread, hitting thousands of computers in China and Japan.

Putin said Russia had "nothing to do" with the attack and blamed the US for creating the hacking software that affects Microsoft computers.

"Malware created by intelligence agencies can backfire on its creators," said Putin, speaking to media in Beijing. He added that global leaders needed to discuss cyber security at a "serious political level" and said the US has backed away from signing a cyber security agreement with Russia.
It is the USA's fault. There simply isn't any way around it. Heads at the NSA should be rolling right now and the God-Emperor should demand the resignations of everyone who had anything to do with the relevant program. This is evidence of a costly and extreme dereliction of duty at the agency, all so they could better commit unconstitutional and illegal acts at the expense of the American people.

129 Comments:

Blogger Iron Spartan May 15, 2017 11:08 AM  

My other question is did M$ offer to put in the exploit or were they strong armed into it?

Anonymous thortron May 15, 2017 11:10 AM  

Actually heads at Microsoft should be rolling for writing insecure software. Heads at Intel, too.

Blogger Snidely Whiplash May 15, 2017 11:33 AM  

but but but, if they can't access our computers and every email, every chat stream, every phone call we ever make, the TERRORISTS WILL WIN!!!

THE CONSTITUTION ISN'T A SUICIDE PACT!

DO YOU WANT TO DIE?!?!?

Blogger James Dixon May 15, 2017 11:36 AM  

> My other question is did M$ offer to put in the exploit or were they strong armed into it?

Microsoft has never needed any incentive to install exploits. It's a natural result of their development process.

To be fair, developing secure code isn't an easy problem. There have been a couple of long standing bugs in the Linux kernel discovered recently.

Blogger James Dixon May 15, 2017 11:38 AM  

> DO YOU WANT TO DIE?!?!?

Yeah, I get the sarcasm. But taking that question literally for the sake of argument: I'm going to die eventually anyway. The question is whether I want to live as a free man in the interim.

Blogger JP May 15, 2017 11:39 AM  

James Dixon wrote:> My other question is did M$ offer to put in the exploit or were they strong armed into it?

Microsoft has never needed any incentive to install exploits. It's a natural result of their development process.

To be fair, developing secure code isn't an easy problem. There have been a couple of long standing bugs in the Linux kernel discovered recently.


Expect Linux and OSX exploits to increase as the platforms gain market share. Once grandma is running Ubuntu, she'll be right back to clicking those links you told her not to.

Blogger Achilles May 15, 2017 11:40 AM  

The NSA should be spying on non-US targets. But once you release malware you've given it to the target to deploy themselves. The NSA should be much more targeted in their deployment, more ethical in their actions, and more sophisticated in their coding. It highlights the tremendous weakness of major programmers. These exploits are everywhere. A mixture of corporate laziness and government demands for vulnerability. What this malware plague really shows is how inept Asians are. Places like China are hardest hit. Kind of surprising considering how many White Americans are replaced every year for the superior coding skills of those Chinese and Indians. These events reinforce the importance of ending programs like H1B Visas as we know them.

Anonymous Dr. Donald Trump May 15, 2017 11:41 AM  

Who are they really working for? The NSA tried to make itself secure by making everything else insecure. Many such cases!

Blogger YIH May 15, 2017 11:43 AM  

What I've heard was the NSA 'backdoor' was written into Windows starting with NT 4.0 as part of a deal with the Clinton Justice Dept. As you might remember, after '96 they were pushing antitrust action against MS.
That the government 'backdoor' would get used by hackers for fun or profit was inevitable.
https://infogalactic.com/info/Stuxnet

Anonymous Dr. Donald Trump May 15, 2017 11:44 AM  

Thank you for that recent honorary doctorate, Liberty University! What a wonderful Christian university. The doctor is HERE! I'm bringing the medicine!

Blogger Azimus May 15, 2017 11:46 AM  

Who needs a low orbit EMP warhead when you have the internet? You can walk into every business, home, school, government office, and electronic device in the country in a matter of seconds and wreak havoc...

Blogger Salt May 15, 2017 11:47 AM  

NSA: No Secrets Anywhere

Anonymous Terry Hemphill May 15, 2017 11:51 AM  

The underlying REALITY is that ALL systems have vulnerabilities; and ALL software has BUGS. The sooner we accept this fact and act accordingly, the better.

Blogger VD May 15, 2017 11:51 AM  

What this malware plague really shows is how inept Asians are. Places like China are hardest hit.

Pirated and outdated versions of Windows, one presumes.

Blogger The Chortling May 15, 2017 11:56 AM  

Kim Zetter's book really paints the picture of what has happened (it's a repeat of Stuxnet 2006-2009 ... Obama didn't do anything but rubber stamp Bush's cyberwarfare endeavors ... other nations warned that the genie was out of the box in proportions that no one had any idea about ... round deaux ... )

more military industrial complex fun.

https://www.amazon.com/dp/B00KEPLC08/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1

Anonymous Icicle May 15, 2017 11:58 AM  

NSA: No Secrets Anywhere

There should be. I would prefer the terrorists winning over the NSA always knowing when someone takes a sh*t.

Blogger Ron Winkleheimer May 15, 2017 11:59 AM  

Kind of surprising considering how many White Americans are replaced every year for the superior coding skills of those Chinese and Indians.

I realize you are being sarcastic, but the reason for outsourcing is to reduce the costs. I have been on many major development projects, stuff used by thousands of people in multi-state regions integrating UNIX and mainframe servers with redundancy provided by duplicating the services in multiple data centers in different states. Every single time a project would start to slip milestones (and they always do) the first thing that would be cut was testing. And secure coding was never even an afterthought.

People aren't willing to pay for secure software. They want it cheap and if company a is selling it for $100 and company b is selling it for $110, then company a's software would have to be a real piece of crap to not be the better seller.

Then add on absolutely idiotic ideas like the IoT and unsecure routers and other Internet connected devices. Schneier wrote a column not too long ago predicting (calling for?) regulation. I don't think that will help.

Oh, and there was never any question that the NSA's hacks would eventually make it into the wild. Anyone with any interest in the subject knows that the US intel agencies cannot be trusted to keep anything secret.

Blogger The Chortling May 15, 2017 12:00 PM  

watched "Good Kill" the other day... it seemed like a good balance of why there's a lot of barbecued internationals at the other end of Hellfire missions but also the illegality of the CIA's operations globally.

http://www.imdb.com/title/tt3297330/videoplayer/vi97890585

Blogger DAMN SON May 15, 2017 12:00 PM  

first thing that came to mind was chinese soldiers singing a serbian war song: https://www.youtube.com/watch?v=OOECyf3_zTg

Anonymous Icicle May 15, 2017 12:01 PM  

Oh, and there was never any question that the NSA's hacks would eventually make it into the wild. Anyone with any interest in the subject knows that the US intel agencies cannot be trusted to keep anything secret.

And how long before the surveillance files from the Derp State start to leak?

Americans are going to be absolutely floored.

Anonymous BBKGB May 15, 2017 12:07 PM  

I would prefer the terrorists winning over the NSA always knowing when someone takes a sh*t.

I would prefer a 911 to hit NYC & Berkeley to burn each week over NSA being able to tell when I shower & for how long.

Blogger Ron Winkleheimer May 15, 2017 12:13 PM  

After Snowden leaked all those documents to WikiLeaks I was astounded at the amount of data he had access to. Back when I was in the army everything was strictly compartmentalized. And I could not believe there was an actual DVD writer in his computer. In my day, the hard drive was removable and you took it out and put it in a vault when you weren't using it.

Anyway, after seeing the situation as reported by the MSM, I knew that there was no way that any intelligence service that was interested in those documents didn't already have them. You simply cannot have that many people with access to information and the ability to copy it and not have it leaked. My thoughts were that Russia and China were probably upset that they had paid for the intel.

Blogger Nate May 15, 2017 12:13 PM  

Microsoft's analogy is perfect.

What would the consequences be if the military let someone steal a bunch of tomahawk missiles and they shot them off all around the globe?

This is the same thing.

Blogger Random May 15, 2017 12:14 PM  

Icicle wrote:Americans are going to be absolutely floored.

I doubt it. Most americans these days would give you a shrug at most.

Anonymous a deplorable rubberducky May 15, 2017 12:19 PM  

The ransomware seems to target Windows XP machines. These were desupported three years ago, so I'm having a hard time blaming Microsoft.

There's the NSA, sitting there demanding hackable operating systems from everybody and pouring millions into developing exploits. Word is that $150 million was spent just under the Obama administration developing new hacks. Which they sit on, of course, then have them stolen. There's your problem, that's why we have a global problem now.

Blogger Dirk Manly May 15, 2017 12:23 PM  

M$ probably put the backdoor in for their usr, and sold the relevant specs to NSA.

Blogger Dirk Manly May 15, 2017 12:25 PM  

As much as I dislike Intel, they have no culpability for M$'s lackadaisical attitude about user security of their OS products.

Blogger Dirk Manly May 15, 2017 12:28 PM  

When a security hole is reported in Linux, a kernel patch is put out in time measured in hours, not quarter-years.

Blogger Noah B The Savage Gardener May 15, 2017 12:28 PM  

As I understand the situation, the US government has outlawed the practice of software bug hunters charging software companies for providing data about code vulnerabilities. The US government does, however, pay bug hunters for information about previously unknown vulnerabilities/exploits.

So the US government has directly incentivized the creation of malware, either for private use or for the government's use.

Blogger Dirk Manly May 15, 2017 12:29 PM  

Ubuntu doesn't install software by clicking a link in a lure-page.

Blogger Robert What? May 15, 2017 12:30 PM  

I got news for you: most government employees are not very smart - even those in the intelligence community. And with Diversity™ the average intelligence goes down even further. Combine that with the fact that they can't be fired for any reason - even gross dereliction of duty - well you have the recipe for this type of disaster.

Blogger James Dixon May 15, 2017 12:32 PM  

> Expect Linux and OSX exploits to increase as the platforms gain market share.

Of course. But they could increase 100 fold and they'd still be dwarfed by those of Windows. There really isn't a comparison.

> The underlying REALITY is that ALL systems have vulnerabilities; and ALL software has BUGS.

Tell us something we don't know.

> The ransomware seems to target Windows XP machines.

All unpatched versions of Windows seem to be vulnerable. It's just that Microsoft didn't have a patch for XP: https://technet.microsoft.com/en-us/library/security/ms17-017.aspx

Blogger Ron Winkleheimer May 15, 2017 12:33 PM  

The ransomware seems to target Windows XP machines. These were desupported three years ago, so I'm having a hard time blaming Microsoft.

Yeah, MS advice to Windows XP users, "don't."

I built a Windows XP VM in Virtualbox and exposed it to the Internet a couple of weeks ago. Within just a few minutes it was infected by Malware. No need for me to do anything, the Malware found it. I think the real issue is the firewall exploit. I'm sure the thinking in organizations using XP is that it's going to cost a lot of money to transition, sure there's no updates, but we are behind these firewalls so the malware won't be able to get to the computers. So they wrote that up and hired some third party company to be their XP "support." Some might even have contracted with MS to provide "best effort" support. I can see MS doing that with Britain since they are going to want to continue to sell to the government, so the government has leverage.

Anonymous Icicle May 15, 2017 12:34 PM  

I doubt it. Most americans these days would give you a shrug at most.

There's an informant system in place. We'll see, though.

Blogger James Dixon May 15, 2017 12:37 PM  

> Ubuntu doesn't install software by clicking a link in a lure-page.

Oh, it can. Via a shell script installing to a folder in the user directory. But you're correct that it can't do so to a system folder without the user authorizing it. Of course, one of the problems I have with the sudo system Ubuntu uses is that the user *can* authorize it.

Blogger Silly but True May 15, 2017 12:44 PM  

At best this is Working as intended: the hardest hit were Russia and China.

Standard NSA Op not negligence.

Blogger Lazarus May 15, 2017 12:44 PM  

a deplorable rubberducky wrote:The ransomware seems to target Windows XP machines. These were desupported three years ago, so I'm having a hard time blaming Microsoft.

Microsoft probably is using the ransomware to punish people who don't buy the new products.

Anonymous fop May 15, 2017 12:45 PM  

If only we had more Girls Who Code.

Anonymous A Most Deplorable Paradigm Is More Than Twenty Cents May 15, 2017 12:47 PM  

@33
I built a Windows XP VM in Virtualbox and exposed it to the Internet a couple of weeks ago. Within just a few minutes it was infected by Malware.

Well, there's your problem: connecting to the Internet.

Blogger Cail Corishev May 15, 2017 12:51 PM  

Yeah, MS advice to Windows XP users, "don't."

Millions of people have continued to use XP because they still consider it the best version of Windows, and it still does what they need to do, so they see no reason to upgrade. If you have a perfectly good hammer, you don't buy a new one every year just because there's a new "release."

On the other hand, Microsoft doesn't have an obligation to continue supporting a product they sold you for a one-time fee more than a decade ago. If you were paying a regular subscription fee for Windows (the model they'd like to move toward), that'd be different. But that wasn't the case when you bought XP, so they don't owe you anything. They've muddied the waters by selling you a license instead of a product, but the license doesn't promise lifetime updates, so it's a product in that sense.

A cynic might wonder if Microsoft would release an exploit that hits XP to try to push people into purchasing a supported version, and then the exploit was a little too successful, so they had to release a fix for it after all.

Blogger Dexter May 15, 2017 12:53 PM  

Heads at the NSA should be rolling right now and the God-Emperor should demand the resignations of everyone who had anything to do with the relevant program.

Being punished when you fuck up? That's not the American way any more.

Blogger Cail Corishev May 15, 2017 12:57 PM  

Of course, one of the problems I have with the sudo system Ubuntu uses is that the user *can* authorize it.

Yeah, they basically use sudo to copy the Windows Vista method of "please confirm that you want to do this admin-level thing you just asked me to do," except sudo at least requires your password.

Ultimately, when the user is also the sysadmin, which is the case on most PCs regardless of OS, the security of the software is beside the point. If I can convince the user to run my script/executable with administrator rights, I own his system. You can't secure a PC against that, while also allowing the user to do things like system upgrades.

Blogger Ron Winkleheimer May 15, 2017 1:01 PM  

@39

Yeah, I was curious about how long it would take. I had read that it would happen within minutes, but I decided to verify it. Just cause the security experts tell you something doesn't make it true.

Blogger James Dixon May 15, 2017 1:11 PM  

> ...while also allowing the user to do things like system upgrades.

Ideally system upgrades would be installed via a crontab process without requiring user intervention. I'm pretty sure I could set that up on Slackware using slackpkg.

Blogger Thurston Pilgrim May 15, 2017 1:20 PM  

I don't think anyone on the left will even care that this happened. They're too busy plotting how to harass and assault GOP officials: http://www.huffingtonpost.com/entry/protesting-donald-trump-comey_us_591313d1e4b050bdca61270c

Blogger Francis Parker Yockey May 15, 2017 1:24 PM  

James Dixon
"> Expect Linux and OSX exploits to increase as the platforms gain market share.

Of course. But they could increase 100 fold and they'd still be dwarfed by those of Windows. There really isn't a comparison"

It's almost as if herd immunity is very good for pathogens targeting Linux or OSX systems, or something.

Anonymous A Deplorable Paradigm Is More Than Twenty Cents May 15, 2017 1:26 PM  

@74
Wait, there's mercury in Unix?

Blogger Ron Winkleheimer May 15, 2017 1:27 PM  

Ultimately, when the user is also the sysadmin, which is the case on most PCs regardless of OS, the security of the software is beside the point.

Security is not a technology problem. Security is a people problem. And since MPAI.

I remember when you really had to work to get a computer virus.

First you had to be on Usenet, then you had to download bunches of files and concatenate them together and then run that program that would convert text to a binary file, and then and only then could you run the program that was supposed to be Doom, but instead erased the MBR causing me, the admin, to have to come and fix your computer.

Blogger Francis Parker Yockey May 15, 2017 1:27 PM  

@Lazarus
"Microsoft probably is using the ransomware to punish people who don't buy the new products."

Deters piracy, too. There's no question that the incentive is there. The threat of malware must be good for the sale of software and updates in general.

Blogger Ron May 15, 2017 1:39 PM  

@fop

If only we had more Girls Who Code.

I was in a very down mood when I saw that line, then I started laughing. That was great. Thanks.

Blogger Francis Parker Yockey May 15, 2017 1:39 PM  

OK, this is really just a troll by the Russians, but it's kind of funny. RT claims that UK Trident subs run on a Windows XP variant (The Guardian made the same claim a while back). Will they have to pay $300 in bitcoins in order to launch a first strike?

https://www.rt.com/uk/388334-cyber-attack-nuclear-weapons-trident/

Blogger Ron Winkleheimer May 15, 2017 1:40 PM  

So I looked at that Windows XP patch and guess what, it isn't for the Home Edition. Who would have thought it?

Anonymous DirkH May 15, 2017 1:48 PM  

@52. Francis Parker Yockey May 15,
"RT claims that UK Trident subs run on a Windows XP variant (The Guardian made the same claim a while back). "

Subs use all kinds of cheap consumer shit to run their computers - the reasoning being: If the computers fail, you control the sub with pneumatic controls.
It's not that big a deal for them.

Anonymous DirkH May 15, 2017 1:58 PM  

@37. Lazarus May 15, 2017 12:44 PM
" Microsoft probably is using the ransomware to punish people who don't buy the new products."

Absolutely not. They're openly accusing the NSA. They have a serious image problem. I for instance am livid at the way Microsoft handles updates to Win10, the update GUI is shit and I had to download it seems an entire new version of Win10 which took forever only to get the security fix, or so it seems, I don't even want to wade through their numbering system to find out what I got, I feel like I got one fix and 10 new security risks.

What I want to say is: Microsoft does not win anything from this. Personally I'm going to pack it up and leave if possible. The combination of NSA treachery and MSFT incompetence just kills it for me.

Anonymous Dedicating Ruckus May 15, 2017 1:59 PM  

> Ideally system upgrades would be installed via a crontab process without requiring user intervention. I'm pretty sure I could set that up on Slackware using slackpkg.

Problem isn't system updates per se, it's the user being able to do administration.

Basically, either the user can do admin-level tasks, or he can't. If he can, then he can give his permission to a virus that will pwn the system. If he can't, then you have a system the user doesn't control.

Both models have produced successful products. It seems end-user systems may be by and large moving toward the second one, as seen in the mobile platforms. We'll see how that turns out.

Anonymous FP May 15, 2017 2:01 PM  

"First you had to be on Usenet, then you had to download bunches of files and concatenate them together and then run that program that would convert text to a binary file, and then and only then could you run the program that was supposed to be Doom, but instead erased the MBR causing me, the admin, to have to come and fix your computer."

Or the guy who borrowed my computer to fix and print out a paper from a disk that had been used in the school computer lab would infect my system.

Anonymous Brick Hardslab May 15, 2017 2:10 PM  

Something needs to be addressed here. We've had an actual Norse god here. Well not really a Norse god but a guy pretending to be an alien from another dimension pretending to be a Norse god. A guy pretending to be the POTUS is a step down. If you're going to larp go big or go home.

Oh and there's probably no money quid pro quo involved with the NSA back door. It's probably an antitrust suit and I'll scratch your back if you scratch mine deal. Money at that level is not an end but a means.

Blogger James Dixon May 15, 2017 2:18 PM  

> Problem isn't system updates per se, it's the user being able to do administration.

Agreed.

> If he can, then he can give his permission to a virus that will pwn the system.

Yes, but logging in to a completely separate account to do so is such a hassle you can bet most people won't do it. Of course, they won't do most standard maintenance either.

> It seems end-user systems may be by and large moving toward the second one, as seen in the mobile platforms.

Agreed. That's probably the more sustainable of the two models over the medium term. The drawbacks to it are that it renders you dependent on a third party for security and has a single point of failure, almost guaranteeing an eventual catastrophic failure.

The old comp.risks Usenet group covered things like this in detail.

Blogger APL May 15, 2017 2:18 PM  

JP: "Expect Linux and OSX exploits to increase as the platforms gain market share. "

Linux is the Internet.

Blogger Basil Makedon May 15, 2017 2:18 PM  

It's been 20 years since I coded anything, and I was never a "programmer." Thus, I'm perfectly happy to admit my ignorance here.

I have heard (or perhaps read) that underlying many of our current security issues is the fact that C and its variants is deeply flawed from a security perspective.

Since most everything important incorporates C, or its variants, to a degree that no matter the effort placed into securing some software product, there is an inherent ceiling that is reached in terms of security.

That, of course, does not even address all of the issues created by interoperability, unpatched, unsupported software, insider threat, etc., etc.

Blogger Dirk Manly May 15, 2017 2:18 PM  

Even with sudo, it requires the user to go to the command line to install the software. Lusers who are stupid enough to click on malware links aren't smart enough to know how to install software from the command line -- nor even an administrator's gui suite like what SuSE and Red Hat have.

Blogger Dirk Manly May 15, 2017 2:24 PM  

I wouldn't put any idea as beyond the lack of ethics at Microsoft.

Blogger James Dixon May 15, 2017 2:33 PM  

> I have heard (or perhaps read) that underlying many of our current security issues is the fact that C and its variants is deeply flawed from a security perspective.

That would be incorrect. C is not flawed from a security perspective. The Linux kernel is coded in C.

What they are probably talking about is (as I understand it, like you I'm not a programmer) that it can be much easier to make some simple coding mistakes in C that will create an insecure program, because C assumes you know what you're doing. Some more "modern" programming languages don't assume that and take steps to prevent the programmer from making those mistakes.

Blogger Glenn Donovan May 15, 2017 2:33 PM  

Shocker, blaming the U.S. govt. I mean, Vox is so focused on individual accountability, how about we start with the individual who stole the information. Do we even know who that is? And then what about the culpability of Wikileaks and that deranged U.S. hater, Julian Assange for disseminating it? And oh yeah, if you don't know Assange's history, go find the old documentary on him on Netflix, it's like from 1999 or something, before his big "rebrand" into Wikileaks.

You guys here also seem to give zero credence to the idea that Wikileaks is a Russian op and that Snowden was a Russian operative. Non partisan folks I know in the NatSec world consider that most likely, actually and if you look at the factset without fluffing for the likes of Assange and Snowden, it's classic Russian intelligence work.

But hey, blame the NSA loudly, that feels good I'm sure.

Blogger Dirk Manly May 15, 2017 2:34 PM  

C is not inherently insecure. You can write insecure code in any language -- even Java and Perl.

Blogger Dirk Manly May 15, 2017 2:37 PM  

Then why were Russia and China the hardest hit?

Anonymous badhairday May 15, 2017 2:38 PM  

Letting this code 'escape' is a failure to correctly guard state secrets.

However, publicly prosecuting someone over this would likely reveal too much about the workings of the NSA. I would suggest that expecting heads to roll is a little bit naive - a few eyes perhaps.

Blogger James Dixon May 15, 2017 2:41 PM  

> Even with sudo, it requires the user to go to the command line to install the software.

I believe the last time I installed a .deb package in Ubuntu (Teamviewer, from memory) I simply double clicked on it and it prompted with a GUI password prompt and then installed without touching the command line.

Anonymous A.B. Prosper May 15, 2017 2:42 PM  

A Most Deplorable Paradigm Is More Than Twenty Cents wrote:@33

I built a Windows XP VM in Virtualbox and exposed it to the Internet a couple of weeks ago. Within just a few minutes it was infected by Malware.

Well, there's your problem: connecting to the Internet.



You joke, but really that is the best solution. Unless being connected to the Internet is essential to the function of the device, like say a web browser, don't connect it.

If you can possibly use it, have an intranet instead.

This would reduce a lot of cybercarnage

Anonymous Napoleon 12pdr May 15, 2017 2:45 PM  

@68: Absolutely correct. This was a massive breach of security. Cyberwarfare lends itself to "secret weapon" attacks on the first day or two of the war very nicely...but making that sort of thing work relies on keeping the secret until that war arrives.

And someone just opened the doors on the magazine wide open...for which we should put a noose around his neck and open a trap door wide open.

Blogger Snidely Whiplash May 15, 2017 2:49 PM  

James Dixon wrote:Yes, but logging in to a completely separate account to do so is such a hassle you can bet most people won't do it. Of course, they won't do most standard maintenance either.

Sudo is a very good solution to a serious security problem. That problem was that people were logging in as root to do administrative tasks. While you are in as root, any simple typo could wipe out the system (I once erased the /devices directory on a Solaris machine that way), and all sorts of holes could be created accidentally. And since you are running dozens of commands, that exposure profile can get enormous.

Sudo requires that you use root authority only for the administrative command you actually want to run. You're just as vulnerable on a per-command basis, but you are running only a few commands with root authority, and the exposure profile is reduced by at least an order of magnitude. Plus, you're more likely to double check a single command than every command in a login session, which also reduces exposure substantially.

Blogger James Dixon May 15, 2017 2:49 PM  

> ...how about we start with the individual who stole the information. Do we even know who that is?

Stolen from the most secure agency in the federal government? It could only have been Alexander Mundy.

> You guys here also seem to give zero credence to the idea that Wikileaks is a Russian op and that Snowden was a Russian operative.

Because neither is remotely credible.

Blogger Snidely Whiplash May 15, 2017 2:52 PM  

Glenn Donovan wrote:Non partisan folks I know in the NatSec world consider that most likely, actually and if you look at the factset without fluffing for the likes of Assange and Snowden, it's classic Russian intelligence work.


Yes, Glenn, we know you're stuck in the '80s, as is much of the intelligence community and evidently the GOPe. No-one takes you seriously anymore.

Blogger Francis Parker Yockey May 15, 2017 2:53 PM  

And here I thought they had a broadband Internet connection via VLF.

Blogger Snidely Whiplash May 15, 2017 2:54 PM  

C is not less secure. The most secure operating systems in the world, OpenBSD and QNX, are written in C. C is an object of derision for an entire generation of programmers who believe Java is efficient and JavaScript is secure, mostly because they don't understand how to use it.

Blogger Robert Divinity May 15, 2017 2:55 PM  

But hey, blame the NSA loudly, that feels good I'm sure.

It feels right. This wouldn't have happened if the NSA had not created and then secured the Malware. This will be a good time for the God Emperor to take the axe to NSA holdovers from the Obama-Bush disaster.

Blogger James Dixon May 15, 2017 2:56 PM  

> Sudo is a very good solution to a serious security problem.

Every tool has both its uses and drawbacks, Snidely.

Anonymous Athor Pel May 15, 2017 2:57 PM  

"65. Blogger Glenn Donovan May 15, 2017 2:33 PM
... how about we start with the individual who stole the information. Do we even know who that is?
..."



There are more ways code gets into the wild than giving or selling the source code. It's the obvious method but it isn't the only way.

Any executable code running on any computer can be decompiled, meaning made human readable. This means any malware infected machine can provide source code after the malware has been decompiled. It can be a lot of work but it can be done.

Some people place target machines on the web with the intention of getting them infected in order to collect malware source code. Some do it in order to create counters to the malware. Some do it in order to reuse the malware for their own purposes.

If a piece of previously unknown code is running on a machine accessible to a hacker that hacker will make that code his. It doesn't matter where the code came from, from a script kiddie or NSA analyst, makes no difference. If you have the tools to look directly at all machine memory or hard drive sectors then even code that tries to hide can be found.

Blogger Cail Corishev May 15, 2017 3:00 PM  

You joke, but really that is the best solution.

Yep. I run Windows games in an XP instance in VirtualBox on a FreeBSD host, so the XP guest isn't reachable from the outside at all. It could still be vulnerable if I started browsing web sites and downloading things in it, so I don't do that. I download games from GOG on the host system, and only install them in the XP guest. I also keep a clean snapshot of the guest, so if it gets hosed, it's easy to rollback.

I've run across a couple games that don't seem to like VirtualBox or Wine, so I'm thinking of installing XP directly on a spare system; but if so, it won't be on the Internet at all.

Blogger Valtandor Nought May 15, 2017 3:03 PM  

Regarding the NHS' use of an antiquated operating system that is no longer getting security patches, it's amazing how that situation can persist. They probably have some business-critical third-party software. They know that package works on XP, they don't know whether it works on any later Windows. To test it on e.g. Windows 10 and fix any incompatibilities would be a cost, money that could otherwise be spent "to treat patients". As for upgrading without such a testing/development phase, I fully expect the policy to be, "If it ain't broke, don't you dare fix it."

Which means that these sorts of outfits just wait until their insecure systems become a source of embarrassment to the relevant Government minister.

Blogger Francis Parker Yockey May 15, 2017 3:04 PM  

@Glenn Donovan

I'm glad to see that someone else understands how Assange, Snowden, Putin, and Assad conspired to force the NSA and CIA to buy up all those zero days and exploit them, then lose track of all of their exploits. I heard that Kim Jong Un was in on it, too. Terrible.

Blogger Silly but True May 15, 2017 3:05 PM  

@Dirk,
I waffle between this being a hit by one Russian oligarch to another, an enterprising Russian oligarch-to-be making his move, false-flag government collusion to create anti-bitcoin narrative, NSA op, or NSA incompetence.

At this point, it looks to me like a pretty even horse race at the moment.

Blogger Happy LP9 May 15, 2017 3:11 PM  

Time after time Vlad Putin remains on the correct side of history.

Blogger Snidely Whiplash May 15, 2017 3:14 PM  

James Dixon wrote: Every tool has both its uses and drawbacks, Snidely.
I absolutely agree, but he was dissin' on sudo. Sudo's my homie, it's saved me from my bad typing more times than I care to think about. Don't be sayin nothin bad 'bout sudo.

Blogger James Dixon May 15, 2017 3:17 PM  

> Don't be sayin nothin bad 'bout sudo.

I have nothing bad to say about sudo. Ubuntu's locking out of the root account and forcing you to do everything via sudo, on the other hand... :)

Fortunately there's sudo -i.

Blogger modsquad May 15, 2017 3:25 PM  

Ya, ya, I'm banned...

"Heads at the NSA should be rolling right now and the God-Emperor should demand the resignations of everyone who had anything to do with the relevant program."

They turned it off like a light switch. It was a test run. Imagine it happens again (it will) but this time it affects the banks and you can't access your money for say.... six weeks. A financial collapse is smoke screened and it's "not our fault" say the bankers. When it's all over, you get 10 cents on the dollar of what you held in savings and a nice set of handcuffs whenever you want to deal with cash in the future.

Blogger Cail Corishev May 15, 2017 3:26 PM  

I knew a sysadmin who did some contract work for the NSA back in the mid-1990s. It was one of the first things he'd tell you about himself. He would have gladly given them the key to any system, just to hang with the "cool kids" there. And I got the impression (at least to hear him tell it) that they told/showed him things they maybe shouldn't have in order to impress him.

That's how I see a lot of this stuff happening. You've got a combination of:

Gamma nerds who think they're smarter than they really are, so they'll never get caught/cheated/hacked.

The further arrogance that comes from working for the government.

The hacker ethos that's a little, let's say, casual about ownership of information and privacy and things like that.

Now to those three, add another 20 years of affirmative action. So you've got people who think security and privacy restrictions are for lusers, not for them, but they're also not as bright as they used to be.

Anonymous Dedicating Ruckus May 15, 2017 3:28 PM  

> I absolutely agree, but he was dissin' on sudo. Sudo's my homie, it's saved me from my bad typing more times than I care to think about. Don't be sayin nothin bad 'bout sudo.

Heh. I find sudo annoying, and I don't make typos, so my habit is still to log in to root for administrative tasks. sudo's environment handling tends to trip me up.

That said, it's very useful in a more intricate policy setup for granting limited administrative rights. Certainly far better than granting random executables suid.

Just having the distinction at all is probably the biggest security advantage Unixes ever had over Windows. The XP-era brain damage of users habitually running as admin (and applications concomitantly coming to expect this and breaking without it) made everything awful.

Anonymous Dan May 15, 2017 3:33 PM  

"On the other hand, Microsoft doesn't have an obligation to continue supporting a product they sold you for a one-time fee more than a decade ago."

And yet car companies support cars from years and years ago. One time fee with cars too. There are probably orders of magnitude more active XP installations than there are most models of cars.

Microsoft can get away with terrible customer service because they are a kind of monopoly.

Anonymous Fit Studs May 15, 2017 3:39 PM  

Like Happy LP9 said above...

"Time after time Vlad Putin remains on the correct side of history."

Anonymous Napoleon 12pdr May 15, 2017 4:26 PM  

@90 Dan: Actually, there's Federal law/regulation that requires an auto manufacturer to support a car with parts for 10 years after production. Not that this changes the fact that the software industry is particularly abusive of the customers...the Federal anti-trust case against Microsoft was a strong one.

Blogger Heian-kyo Dreams May 15, 2017 4:28 PM  

@86

Does sudo bash not work anymore?

Prediction: Since the GE is president, the SJWs to just left of center will now rally around the NSA.

Blogger Billy Ray May 15, 2017 4:32 PM  

and trump the cuck has done...NOTHING, as expected by anyone and everyone who doesn't have his nose a mile up the hairdo's behind

Anonymous 5343 Kinds of Deplorable May 15, 2017 4:38 PM  

Billy Ray wrote: and trump the cuck has done...NOTHING, as expected by anyone and everyone who doesn't have his nose a mile up the hairdo's behind

Because Hillary would've been so much better, I'm sure.

Blogger James Dixon May 15, 2017 4:42 PM  

> Because Hillary would've been so much better, I'm sure.

If Hillary had any sense of humor she'd release a statement congratulating Trump on this decisive retaliation against Russia for their meddling in our elections.

Blogger weka May 15, 2017 5:08 PM  

Legacy hardware needs to migrate to a lightweight *nix. I use antergos. But then you need a clued in sysadmin who locks the machines down until the weekly update via from and a proxy repo.

And sandboxes legacy programs using wine.

Anonymous A Most Deplorable Paradigm Is More Than Twenty Deplorable Cents May 15, 2017 5:09 PM  

@94 Rilly Bay

5 and a half hours? Dude, you are really slipping. No bonus.

Anonymous Ryan May 15, 2017 5:11 PM  

Not NSA heads, this was the CIA's fault.

Blogger Glenn Donovan May 15, 2017 5:40 PM  

Love people telling me how code works, and that it can be purloined in multiple ways (when we already know the media for the NSA theft). Even richer are the comments telling me "it's the '80s" - some anonymous guy calling himself @Snidely Whiplash above.

I wonder, how many people you, Snidely, have spoken to who actually worked in U.S. intelligence who did actual covert work against the Soviets and Russians? Hmmm - I'll bet 1000 bucks it's ZERO. The Soviets/Russians were/are the masters of the universe at political destabilization via intelligence activities. It's entirely within their wheelhouse to have run Snowden and Assange, and Wikileaks.

My case? None needed on Snowden. He fled to Russia, lol, complaining about a surveillance state and personal liberties, LMFAO. I mean, it's just so rich. You are electronically assaulted and have zero privacy in Russia, period. And liberties for homosexuals and religious people and political dissidents are violated regularly. The entire system is riddled with corruption as well.

The IC laughs at guys like you, Snidely. Like how can you ignore that Snowden was offered asylum in Russia? Sure, it could be explained as opportunistic but it's just as good a fit for being a Russian op. Also his background is so dodgy, a great book on all this just came out - HOW AMERICA LOST ITS SECRETS Edward Snowden, the Man and the Theft By Edward Jay Epstein. You should try reading it. Facts matter. And my guess is you don't have many to support your aspersions.

Blogger Glenn Donovan May 15, 2017 5:47 PM  

Also note that Snowden was to flee to Ecuador from Russia, but when the U.S. threatened to shoot the Ecuadorian plane out of the sky, he was stuck. And Assange has been hiding in an Ecuadorian embassy for 3 years.

And gosh, Ecuador has what they both call a "strategic relationship" with Russia. But hey, I'm just some dingbat living in the '80s.

Also, you want to find someone to blame for NSA leaks? The fact that Snowden and Assange are still breathing encourages others to do the same, thinking they can get away with it. And if you aren't clear on Snowden, just consider this. The broadness of his data release was incredible. He went far beyond programs that focused on domestic surveillance and were questionable, he exposed many legitimate programs that damaged our ability to collect intelligence drastically.

Most of the Islamic terrorist world changed communications methods after Snowden's release, as did other enemies of ours. It cost us billions, and we went dark on lots of very real threats.

I'm mixed on the alt-right but am attracted by the nationalism. I'm a nationalist, and I want traitors to my country dead. Snowden and Assange are merely a good start.

Blogger Silly but True May 15, 2017 5:53 PM  

Snowden was only slightly more conservative than Bradley Manning and slightly less masculine.

He fled to Russia because he was a Cheney-Nuland-Kerry-Pyatt-Ash-Carter geopolitician, and so viewed Russia as being the only place he could be safe and not have to speak Asian.

The solution to these people is to not increase security against Russian plants.

The solution is to not let American-hating Americans into positions of security.

Blogger Cail Corishev May 15, 2017 5:55 PM  

Soooo much laughter. I wonder if that could be a tell.

Anonymous LurkingPuppy May 15, 2017 6:09 PM  

A troll pooped: The Soviets/Russians were/are the masters of the universe at political destabilization via intelligence activities. It's entirely within their wheelhouse to have run Snowden and Assange, and Wikileaks.
And Bill ‘Slick Willy’ Clinton. And Barry Obama. And Crooked Hillary.

The Soviets have run the U.S. government since the 1990s, and they hate Russia because they lost control over it.

Anonymous LurkingPuppy May 15, 2017 6:14 PM  

Cail Corishev wrote: I knew a sysadmin who did some contract work for the NSA back in the mid-1990s. It was one of the first things he'd tell you about himself.
That's a bad sign right there. They were supposed to say that they worked for ‘the Department of Defense’, and even that much only when necessary.

Blogger Ron Winkleheimer May 15, 2017 6:16 PM  

#70

I run XP in a VM so I can use the ancient Office Suite I bought back in 2002. The formatting of Open and LibreOffice always seem a bit off.

Anonymous A Deplorable Paradigm Is More Than Twenty Cents May 15, 2017 6:45 PM  

@106
What do you do about files in docx, xlsx, etc.?

Anonymous Pennywise May 15, 2017 7:35 PM  

Heads aren't going to roll, nor should they. The NSA is doing exactly what Russia has been engaging in for years. Putin has no moral leg to stand on.

https://www.buzzfeed.com/sheerafrenkel/the-new-handbook-for-cyberwar-is-being-written-by-russia?utm_term=.xy6wrwpBK#.qjozAzVLx

Anonymous johnc May 15, 2017 7:41 PM  

@101 I'm a nationalist, and I want traitors to my country dead. Snowden and Assange are merely a good start.

One would think a good start would be the Israeli-occupied territory on Capitol Hill.

But yeah, let's go after the small fish.

Blogger tz May 15, 2017 8:28 PM  

I blame Microsoft.
Two reasons, first for about a year, they kept trying to shove Windows 10 down our throats including downloading the huge installer (oh, sorry your cell plan went over) and one version where if you hit the X-close-window it would take it as permission to install.
Lots of people turned off automatic updates and would wait to hear which Patch Tuesday updates were MSMalware.
Then there was Windows 10. It had not merely automatic updates, but it would - in the middle of your work where you might not have saved it or couldn't interrupt - restart the system and install, sometimes locking it out for almost an hour until it was finished, e.g. like when you needed your laptop to do a midterm exam.

By making software updates toxic, people disabled them.

Note that the shove Win10 down your throat update was marked as "Important", not some optional update, and they don't give a synopsis of what an update does, you have to click through to a web page.

I'd have no problem automatically updating for critical zero-day problems (but I should be able to delay resetting), but I can't do that, and now they are rolling-up all the updates into a huge blob.

Blogger Were-Puppy May 15, 2017 8:40 PM  

@40 Cail Corishev

A cynic might wonder if Microsoft would release an exploit that hits XP to try to push people into purchasing a supported version, and then the exploit was a little too successful, so they had to release a fix for it after all.
---

That's exactly what I think happened. When the Win10 update was free, as the last days drew near, I kept getting these dumb magic messages that my windows was not genuine.

F them. Now that message pops up again all the time lately, and this dumb virus appears to push it even more.

Blogger Were-Puppy May 15, 2017 8:46 PM  

@65 Glenn Donovan
You guys here also seem
---

There's the tell

Blogger Skyler the Weird May 15, 2017 9:16 PM  

@105. They aren't even supposed to do that. You say you're a truck driver or a server at the Edsall Road Denny's.

Anonymous Icicle May 15, 2017 9:18 PM  

Did anyone consider NSA plants working at Microsoft?

Blogger Snidely Whiplash May 15, 2017 10:32 PM  

Glenn Donovan wrote: I wonder, how many people you, Snidely, have spoken to who actually worked in U.S. intelligence who did actual covert work against the Soviets and Russians?
Unlike you, I know actual intelligence people, and the intelligence people I know, know how to keep their mouths shut. People who tell idiots like you about their exploits are bar braggarts and poseurs. People who actually know what's going on don't tell you about it.

My brother has a plaque on the wall from the NSA, thanking him for excellence in services rendered during his time in Army Intelligence. Literally the only thing I know about his service is that he was based out of Ft Huachuca and he was often gone for months at a time throughout the '80s and '90s, and that he saw a lot of tropical locations. He will tell me literally nothing about it.
So go ahead and intimate that you have the real, inside scoop. I'm sure you believe it. Because you're an Internet Secret Agent(!) who knows all the insiders and all the straight dope.

Glenn Donovan wrote: My case? None needed on Snowden. He fled to Russia, lol, complaining about a surveillance state and personal liberties, LMFAO.

Because the CIA had already threatened his life, while he was in China, long before Russia offered him asylum.

I mean, it's just so rich. You are electronically assaulted and have zero privacy in Russia, period. And liberties for homosexuals and religious people and political dissidents are violated regularly. The entire system is riddled with corruption as well.
Unlike the US, which, as Snowden demonstrated, with actual NSA documents, not bald assertions, is actually and in fact collecting every possible datum about every person in the US. Which is why they want to kill him. Also unlike the US system where you can be hit with a secret warrant from a secret court, and the data collected will be used to force a confession, like 90% of the others haled before Federal Court. And if you try to defend yourself, like Martha Stewart, you will be sent to pokey.
Completely different also in how religious dissidents from the Official Church are publicly bankrupted, fined absurd amounts, and destroyed in the US.
It's just not at all the same. Especially the corruption. No one can ever bribe a government official in the US. They'd be rebuffed and charged with a crime. American government officials only violate the laws and the rights of citizens in pursuit of political, not monetary, goals.

The IC laughs at guys like you, Snidely. Like how can you ignore that Snowden was offered asylum in Russia?
The IC laughs at guys like you, Glenn. Like how can you ignore that you are a complete plant, a complete shill, delivering their message in fora like this one, believing it wholeheartedly and never once realizing you're being played.
- HOW AMERICA LOST ITS SECRETS Edward Snowden, the Man and the Theft By Edward Jay Epstein. You should try reading it.
Oh goody, a book version of the story the CIA and NSA want told. Books never lie, do they.
Facts matter. And my guess is you don't have many to support your aspersions.
What is gratuitously asserted may be gratuitously denied. You are obviously wrong on the face of it. Present one scintilla of evidence beyond "my unnamed sources and these compromised journalists say so."

You're a freaking moron, and you're not even happy. Ignorance should be bliss. You're doing it wrong.

Anonymous Mr. Rational May 15, 2017 11:15 PM  

@59  The RISKS digest is one place you will find my name mentioned.

Blogger James Dixon May 15, 2017 11:35 PM  

> The RISKS digest is one place you will find my name mentioned.

See, you do have your good points. :)

Blogger Were-Puppy May 16, 2017 12:11 AM  

@100 Glenn Donovan

My case? None needed on Snowden. He fled to Russia, lol, complaining about a surveillance state and personal liberties, LMFAO.
---

He wasn't going to Russia. They cut his visa on the way and he got stuck there.


--
I mean, it's just so rich. You are electronically assaulted and have zero privacy in Russia, period. And liberties for homosexuals and religious people and political dissidents are violated regularly. The entire system is riddled with corruption as well.

HOW AMERICA LOST ITS SECRETS Edward Snowden, the Man and the Theft By (((Edward Jay Epstein))).
--
Yeah, real winner there.

Blogger Were-Puppy May 16, 2017 12:16 AM  

@101 Glenn Donovan

I'm mixed on the alt-right but am attracted by the nationalism. I'm a nationalist, and I want traitors to my country dead. Snowden and Assange are merely a good start.
----

Snowden and Assange are only traitors from the viewpoint of the establishment, neocons, and globalists. We would already have gone down by now, and at the least be suffering further under a Hildebeast administration if not for these guys.

Blogger Were-Puppy May 16, 2017 12:20 AM  

@110 tz
I blame Microsoft.
---

I'm leaning that way too. I still get the #@$)@(! thing popping up "not genuine windows" and anything you do leads you to upgrading to win10.

Blogger Were-Puppy May 16, 2017 12:21 AM  

@114 Icicle
Did anyone consider NSA plants working at Microsoft?
---

Hadn't really thought of that. It will probably turn out Bill Gates was a CIA or something. He's definitely a globalist population control freak pushing vaccines

Blogger liberranter May 16, 2017 1:00 AM  

"Glenn Donovan" fits the profile of a fed-paid troll. If he's the best they could get, they must be paying peanuts ...

Anonymous LurkingPuppy May 16, 2017 1:08 AM  

Were-Puppy wrote: Snowden and Assange are only traitors from the viewpoint of the establishment, neocons, and globalists.
Actually, Assange can't be a traitor to the United States, because he's never been a U.S. citizen.

Were-Puppy wrote: @110 tz
I blame Microsoft.
---
I'm leaning that way too. I still get the #@$)@(! thing popping up "not genuine windows" and anything you do leads you to upgrading to win10.

Genuine Windows is a fake operating system.

Anonymous Icicle May 16, 2017 1:33 AM  

Hadn't really thought of that. It will probably turn out Bill Gates was a CIA or something.

It does not even need to be that high-up in the chain. Think about how SJWs take over an organization. Or even control an editorial page at a newspaper, like a virus. Same concept really.

SJWs are definitely pathological in thinking. So you could call Vox's work a study of that type of "pathocracy."

https://infogalactic.com/info/Political_ponerology
"A form of government interesting to ponerologists is one they have called pathocracy, in which individuals with personality disorders (especially psychopathy) occupy positions of power and influence. The result is a totalitarian system characterized by a government turned against its own people. (Icicle's note: Sounds like SJW convergence) A pathocracy may emerge when a society is insufficiently guarded against the typical and inevitable minority of such abnormal pathology, which Łobaczewski asserts is caused by biology or genetics."

Andrzej Łobaczewski was very good...

Blogger Dirk Manly May 16, 2017 7:00 AM  

$ sudo bash

Is the most retarded, preventable security hole ever.

Blogger Dirk Manly May 16, 2017 10:04 AM  

(((Frenkel)))?

Blogger Cail Corishev May 16, 2017 10:29 AM  

"Glenn Donovan" fits the profile of a fed-paid troll.

Not necessarily. He just sounds like a mainstream conservative to me, especially one from 1990 or so. Heck, I probably made that No True Empire argument back then at some point, embarrassing as it is. He's confusing nationalism with jingoism, but that just reflects common binary thinking -- the opposite of globalism (wanting to wipe our national sovereignty) must be rah-rah support of whatever your nation does and hating the Russkies.

Anonymous Mr. Rational May 16, 2017 12:47 PM  

@123  You mis-spelled "swisstem".

Anonymous kjj May 17, 2017 1:13 AM  

@VD

Another perspective, not entirely mine.

Putin is calling for a unilateral disarming of our cyber capabilities. No one believes that he'll notify vendors about the flaws used by his weapons, but he wants the US to notify vendors about the flaws used by our weapons.

Essentially, this destroys our credible retaliation capability.
