Following the latest variant of the WannaCry(pt) RansomWare that spread throughout the globe last weekend, Microsoft’s President and Chief Legal Officer, Brad Smith, blew a gasket. He argues, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
First of all, Brad, all of the Digital Geneva Conventions, as you call it, will have their fair share of non-signatory countries; just like everything else that comes out of Geneva. How ironic that when it comes to International Banking, even Geneva doesn’t play by everybody else’s rules. No, a Digital Geneva Convention is a Utopian concept. Sadly, should such a treaty actually be drafted and signed, the NSA, CIA, MI5/MI6, GCHQ, and everybody else, will just develop their evil goods in a non-signatory country. There will be plenty of them.
Secondly, no law should leave Microsoft off the hook for writing crappy code. Nor should any law indemnify Microsoft for not supporting the systems that contain it. Microsoft still supports Windows XP Point-Of-Sale (POS) edition. Yet I haven’t seen any POS systems that didn’t load the application from a server. Does XP POS use SMBv1 protocol? Why yes, it does! I question whether Microsoft is even in touch with actual reality.
My third point is that even when Microsoft knew in advance that there was an active protocol exploit, they did not go back and fix it. Since Brad seems to be fond of analogies, here’s one: I have an Oldsmobile. It’s not under warranty. Heck, Oldsmobile isn’t even a company anymore. Yet GM is still obliged to fix the screwed up airbags. Why should Microsoft be different?
In your article you discuss the 3500 Security Engineers that Microsoft has. Consider that Microsoft has just been schooled by the NSA and CIA, by what, maybe a hundred or so low-paid programmers? Seriously, programmers are second or third fiddles in those organizations. What exactly do these Microsoft Security Engineers do? Heads should be rolling. I’d say 3400 of them.
Here’s what Microsoft should be doing right now!
- Get feet on-the-street at ground zero, presumably Spain. Find out how the virus gained access in the first place. Somebody clicked on something, somewhere. WannaCry(pt) has been out for a while. Find out why Security Essentials and/or Windows AntiMalware/Defender didn’t stop it. Then fix that. Not to rub it in, but ESET, Bitdefender, and Kaspersky didn’t have any trouble.
- As I wrote in my earlier post on WannaCry(pt) and the EternalBlue exploit, disabling SMBv1 may not be as easy as it sounds. Microsoft, as a company, should be contacting every printer, scanner, and MFC/Copier company on the planet to tell them not to use SMBv1. Make a list, and make it public; a peripheral vendor “Hall of Shame”.
- You know, the name of this exploit, “EternalBlue”, might provide you with a more realistic clue as to its origin. Maybe Microsoft should consult IBM to see what they know about it?
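On the second point above, the practical way to find out whether switching SMBv1 off will break a printer or copier is to audit who still speaks it before pulling the plug. The script below is an added example, not code from the original post; it assumes Windows 10 / Server 2016 or later (where Set-SmbServerConfiguration supports -AuditSmb1Access), an elevated PowerShell session, and that the audit event’s message text carries a "Client Address:" field, which is an assumption to check against your own logs.

```powershell
param(
    # Only disable SMBv1 when explicitly asked AND no SMBv1 clients were seen.
    [switch]$DisableIfUnused
)

# 1. Report the current state of the SMBv1 server component.
$cfg = Get-SmbServerConfiguration
"SMBv1 server enabled : $($cfg.EnableSMB1Protocol)"
"SMBv1 access auditing: $($cfg.AuditSmb1Access)"

# 2. Turn on SMBv1 access auditing. This leaves SMBv1 running; it only logs
#    which clients use it, so nothing breaks while you collect data.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. After a representative period (days, so nightly scan-to-folder jobs from
#    copiers show up), list the clients that connected over SMBv1.
#    Event ID 3000 in Microsoft-Windows-SMBServer/Audit records each SMB1 access.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -ErrorAction SilentlyContinue

# Assumption: the event message contains a line like "Client Address: 10.0.0.5".
$clients = $events |
    ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
    } |
    Sort-Object -Unique

if ($clients) {
    "Hosts still speaking SMBv1 (fix or replace these before disabling it):"
    $clients
    return
}

"No SMBv1 clients seen in the audit log."
if ($DisableIfUnused) {
    # 4. Safe to remove the protocol: switch off the server side and uninstall
    #    the optional component. A reboot is needed for the feature removal.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    "SMBv1 disabled; reboot to complete removal."
}
```

Run it once to enable auditing, let it collect for a few days, then run it again with -DisableIfUnused once the client list comes back empty.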
Here are some life lessons for the rest of us:
- If you want security on the workstation, use a vendor that specializes in security. Microsoft builds O/Ses and Applications. Security is an add-on. Try using Bitdefender or ESET instead.
- If you want security in the network, use a vendor that specializes in security. Router companies are router companies. Security is an add-on. Use Fortinet, Palo Alto, Check Point, and even Sophos instead (shame on you, UK NHS).
- Get trained on your applications. Learn how to read Email Message Headers. Learn how to spot questionable hyperlinks and files.
- Security costs. But so does the lack of it.