{"id":92708,"date":"2017-05-22T12:00:55","date_gmt":"2017-05-22T11:00:55","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=92708"},"modified":"2017-05-20T15:23:40","modified_gmt":"2017-05-20T14:23:40","slug":"the-real-roots-of-the-worldwide-ransomware-outbreak-militarism-and-greed","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2017\/05\/the-real-roots-of-the-worldwide-ransomware-outbreak-militarism-and-greed\/","title":{"rendered":"The Real Roots of the Worldwide Ransomware Outbreak: Militarism and Greed"},"content":{"rendered":"<p style=\"padding-left: 30px;\"><a target=\"_blank\" href=\"https:\/\/theintercept.com\/2017\/05\/17\/as-verdadeiras-causas-do-ultimo-ciberataque-global-militarismo-e-ganancia\/\" >Leia em portugu\u00eas \u27f6<\/a><\/p>\n<div id=\"attachment_92709\" style=\"width: 710px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/05\/malware-microsoft-nsa-hack-wannacry-1494883024-article-header-spy-big-brother-ransomware.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-92709\" class=\"wp-image-92709\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/05\/malware-microsoft-nsa-hack-wannacry-1494883024-article-header-spy-big-brother-ransomware-1024x512.jpg\" alt=\"\" width=\"700\" height=\"350\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/05\/malware-microsoft-nsa-hack-wannacry-1494883024-article-header-spy-big-brother-ransomware-1024x512.jpg 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/05\/malware-microsoft-nsa-hack-wannacry-1494883024-article-header-spy-big-brother-ransomware-300x150.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/05\/malware-microsoft-nsa-hack-wannacry-1494883024-article-header-spy-big-brother-ransomware-768x384.jpg 768w, 
https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/05\/malware-microsoft-nsa-hack-wannacry-1494883024-article-header-spy-big-brother-ransomware.jpg 1440w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><p id=\"caption-attachment-92709\" class=\"wp-caption-text\">Photo: Chris Ratcliffe\/Bloomberg\/Getty Images<\/p><\/div>\n<p><em>16 May 2017 &#8211; <\/em><a target=\"_blank\" href=\"https:\/\/theintercept.com\/2017\/05\/12\/the-nsas-lost-digital-weapon-is-helping-hijack-computers-around-the-world\/\" >A runaway strain of malware hit Windows computers Friday<\/a> [12 May] and spread through the weekend, rendering hundreds of thousands of computers around the world more or less useless. The big twist: The virus was made possible by U.S. government hackers at the National Security Agency. But the finger-pointing won\u2019t stop there, and it probably shouldn\u2019t.<\/p>\n<p>As the worm, known as WannaCry, has been contained, more free time has opened up in which to argue and assign blame beyond the anonymous hackers who used leaked NSA code to assemble the virus, and whatever party decided to turn it into ransomware. Microsoft isn\u2019t holding back.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2017\/05\/14\/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack\/#sm.0001ydvsuoze3dwrxra2jy3fr9bwe\" >In an unusually bold and forthright post by president Brad Smith<\/a>, the company called out the NSA by name for not just creating, but\u00a0\u201cstockpiling\u201d \u2014 and then, like Cyber Frankenstein, losing all control over \u2014 the attacks that made WannaCry possible:<\/p>\n<p style=\"padding-left: 30px;\">This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. 
Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today \u2013 nation-state action and organized criminal action.<\/p>\n<p>Every software weakness the NSA (or CIA, or FBI) decides to use for itself in total secrecy is necessarily one it won\u2019t\u00a0share with a company like Microsoft so that it can write and release a software update to keep its customers safe. (Whether or not you see this as a good and necessary thing likely has a lot\u00a0to do with your opinion of whether the NSA too often prioritizes its ability to hurt adversaries over the privacy and safety of U.S. citizens or over the privacy and safety of people in general).<\/p>\n<p>The government\u2019s official decision to withhold or disclose is driven by something called the Vulnerabilities Equities Process (or VEP), <a target=\"_blank\" href=\"https:\/\/theintercept.com\/2016\/06\/17\/ex-white-house-officials-criticize-vague-rules-around-disclosure-of-hacking-tools\/\" >and its exact mechanism is not entirely known<\/a>. The VEP is meant to balance\u00a0the advantages gained by keeping a given software vulnerability secret versus the potential risks to the world at large.<\/p>\n<p>When the NSA adds\u00a0to its arsenal an undisclosed software vulnerability, known as a \u201czero day,\u201d rather than reporting it to the maker of the software, any common cybercriminal who happens to independently discover it will be free to exploit the security hole for their own ends, sometimes\u00a0for <a target=\"_blank\" href=\"https:\/\/theintercept.com\/2017\/03\/10\/government-zero-days-7-years\/\" >years and years<\/a>. 
Even if everything goes according to plan for the NSA, this sort of stockpiling values the military and intelligence community\u2019s\u00a0offensive capabilities over the digital safety of, well, literally everyone else, and is rightfully controversial.<\/p>\n<p>But per Microsoft\u2019s point, things\u00a0<em>aren\u2019t<\/em> going according to plan recently, and our nation\u2019s secret keepers have been having a lot of trouble keeping their computer weapons away from the likes of the Shadow Brokers and WikiLeaks. It\u2019s a true and damning argument on Smith\u2019s part: Whether due to internal leakers\u00a0or\u00a0external attackers, two of the most advanced and secretive spy agencies in the world have seen some of their most prized offensive tools snatched out of the shadows and not only made public, but weaponized against British hospitals, Chinese universities, and FedEx. Congressman Ted Lieu, a rare legislator with any background in computer science, sees WannaCry as an opportunity to overhaul the VEP in favor of more disclosure: \u201cCurrently the Vulnerabilities Equities Process is not transparent and few people understand how the government makes these critical decisions,\u201d <a target=\"_blank\" href=\"https:\/\/lieu.house.gov\/media-center\/press-releases\/rep-lieu-statement-global-malware-attack\" >the California Democrat wrote in a statement<\/a> as WannaCry raged around the world. \u201cToday\u2019s worldwide ransomware attack shows what can happen when the NSA or CIA write malware instead of disclosing the vulnerability to the software manufacturer.\u201d<\/p>\n<p>The NSA did not create WannaCry. 
Rather, it discovered weaknesses in various versions of Windows and wrote programs that would allow American spies to penetrate computers running Microsoft\u2019s operating system, and it was one of these programs, codenamed ETERNALBLUE and repurposed by still-unidentified hackers, that allowed WannaCry to spread as quickly and uncontrollably as it did last week. Whether or not you think the causal chain is such that the NSA is in some sense morally responsible, it\u2019s undeniable that without the agency\u2019s work, there is no ETERNALBLUE, and without ETERNALBLUE, there is no May 2017 WannaCry Crisis. In this sense, Microsoft is right\u2013but the blame shouldn\u2019t\u00a0end there.<\/p>\n<p>Microsoft also did not create WannaCry. But it did create something nearly as bad: Windows Vista, an operating system so horrendously bloated, broken, and altogether unpleasant\u00a0to use that many PC users back in 2007 skipped upgrading altogether, opting instead to stick with the outdated Windows XP, a decision that has left many people on that decade-and-a-half-old operating system even today, years after Microsoft stopped updating it.<\/p>\n<p>When Microsoft responded to the startling initial <a target=\"_blank\" href=\"https:\/\/theintercept.com\/2017\/04\/14\/leaked-nsa-malware-threatens-windows-users-around-the-world\/\" >reports<\/a> of ETERNALBLUE\u2019s public release by noting it had <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/04\/14\/protecting-customers-and-evaluating-risk\/\" >already inoculated Windows against the threat via software patch<\/a>, it did not mention that XP users were not included. Using an operating system after its expiration date is unwise, but in fairness to the millions of people around the world still using old versions of Windows, expecting consumers to regularly buy expensive software of uncertain quality is unwise too. 
It\u2019s only relatively recently that Microsoft\u00a0has started to shake off the stink from Vista (and the confusing\u00a0Windows 8).<\/p>\n<p>Some of the NSA\u2019s defenders are quick to blame computer owners and IT administrators for not keeping their software current, but less likely to blame Microsoft for writing\u00a0insecure code, alienating customers with shoddy\u00a0operating systems\u00a0and planned obsolescence, or\u00a0dropping support for older OSes still in wide use. (The fact that Microsoft did actually release a WannaCry security patch for Windows XP over the weekend shows that it\u2019s entirely possible to make old software safer). It can\u2019t be overstated that the choice to let older versions of Windows lapse into a condition\u00a0of permanent insecurity is as much a business strategy as an engineering decision, and one that leaves Microsoft customers in the lurch when something like WannaCry breaks loose. In the case of a large, high-stakes organization like a hospital or manufacturing plant, upgrading to the next version of Windows isn\u2019t just a matter of waiting for the progress bar to fill, but a nightmarish web of compatibility issues with specialized hardware and niche, third-party software. If letting a computer network you administer run Windows XP is negligent, it\u2019s surely a negligence that pales compared to losing a military cyberweapon, or abandoning\u00a0vulnerable customers whose computers work more or less fine.<\/p>\n<p>The NSA surely wants to do its work in full secrecy, undisturbed as much as possible by obligations to anyone or anything else\u2013it\u2019s the business they\u2019re in. Microsoft surely wants to continue to sell successive versions of Windows every several years and gradually forget about its earlier attempts\u2013it\u2019s the business they\u2019re in. 
But these two agendas, of militarism, absolute secrecy, and software profit maximization create an environment that allows something like WannaCry to stomp all over the globe,\u00a0hobbling hospitals and train stations in its wake.<\/p>\n<p><strong>__________________________________________<\/strong><\/p>\n<p style=\"padding-left: 30px;\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/03\/sam-biddle-staff-e1492275425120.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-89314\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/03\/sam-biddle-staff-e1492275425120.jpg\" alt=\"\" width=\"100\" height=\"100\" \/><\/a><em><a target=\"_blank\" href=\"https:\/\/theintercept.com\/staff\/sambiddle\/\" >Sam Biddle<\/a> &#8211; <a href=\"mailto:sam.biddle@theintercept.com\">\u2709 sam.biddle@\u200btheintercept.com<\/a><\/em><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/theintercept.com\/2017\/05\/16\/the-real-roots-of-the-worldwide-ransomware-outbreak-militarism-and-greed\/\" >Go to Original \u2013 theintercept.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A runaway strain of malware hit Windows computers Friday [12 May] and spread through the weekend, rendering hundreds of thousands of computers around the world more or less useless. The big twist: The virus was made possible by U.S. government hackers at the National Security Agency. 
But the finger-pointing won\u2019t stop there, and it probably shouldn\u2019t.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[216],"tags":[],"class_list":["post-92708","post","type-post","status-publish","format-standard","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/92708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=92708"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/92708\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=92708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=92708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=92708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}