Shadow Brokers Further Incites War between “scumbag Microsoft Lawyer” and NSA

The other day, Microsoft President and Chief Legal Officer Brad Smith wrote a blog post about the WannaCrypt ransomware exploiting his company’s products to disrupt the world. At one level it was one of the first entries in what will surely be an interesting policy discussion once there’s an aftermath to the crisis, calling for collective action and a Digital Geneva Convention.

But at another level, Smith’s post provided an opportunity to bitch out the CIA and NSA, the leaked and stolen exploits of which have really fucked with Microsoft in the last few months.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

Joining the many people who object to the analogy between Tomahawks and hacking exploits, the entity that caused this crisis, Shadow Brokers, is none too impressed with Smith’s response, either. Along with suggesting NSA was paying Microsoft to sit on vulnerabilities and unleashing a load of expletives (you can click through for both of those), Shadow Brokers lays out the tensions between Microsoft, its enterprise contracts with the government, and the NSA’s reticence about the vulnerabilities in Microsoft products it is exploiting.

Despite what scumbag Microsoft Lawyer is wanting the peoples to be believing Microsoft is being BFF with theequationgroup. Microsoft and theequationgroup is having very very large enterprise contracts millions or billions of USD each year. TheEquationGroup is having spies inside Microsoft and other U.S. technology companies. Unwitting HUMINT.

[snip]

Microsoft is being embarrassed because theequationgroup is lying to Microsoft. TheEquationGroup is not telling Microsoft about SMB vulnerabilities, so Microsoft not preparing with quick fix patch. More important theequationgroup not paying Microsoft for holding vulnerability. Microsoft is thinking it knowing all the vulnerabilities TheEquationGroup is using and paying for holding patch.

Then Shadow Brokers brings the hammer: threatens to dump (among other offerings in an “exploit of the month club”) a Windows 10 vulnerability.

TheShadowBrokers Monthly Data Dump could be being:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

Heck, at this point, Shadow Brokers doesn’t even need to have this exploit (though I’m guessing the NSA and Microsoft both may be erring on the side of caution at this point). Because simply by threatening another leak after leaking two sets of Microsoft exploits, Shadow Brokers will ratchet up the hostility between Microsoft and the government.

It might even force some disclosure about exploits more critical to NSA’s current toolkit than the very powerful tools Shadow Brokers already used to create a global ransomware worm.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

13 replies
  1. b says:

    “the very powerful tools Shadow Brokers already used to create a global ransomware worm.”

    Are you really suggesting Shadow Brokers created the worm? Evidence? I’d very much doubt that claim.

    The NSA lost vulnerabilities, Shadow Brokers published them and, as far as we know, a third (and fourth? https://arstechnica.com/security/2017/05/massive-cryptocurrency-botnet-used-leaked-nsa-exploits-weeks-before-wcry/) party used them.

    Microsoft knew that such an SMB attack was coming. It provided patches, but not for older versions of its OS. For those it only did so when it was too late. It certainly should have provided these upfront.

    One might argue that Shadow Brokers does not do the right thing by publishing the vulnerabilities (I think s/he does). But accusing it of ransoming random machines is a very different level and way more severe.

    • JGarbo says:

      Are we assuming that Microsoft didn’t know about NSA backdoors in its software? That’s a big assumption. I suspect, rather, that they’re working together, have been since day 1. Crippling recalcitrants still using XP is good for the upgrade business, after all.

    • SpaceLifeForm says:

      Marcy may be correct. Microsoft did get a responsible disclosure warning, they worked on it, skipping February 2017 patch Tuesday.
      But MS did not say that NSA warned them. Nor did they say CIA warned them. In fact, my reading says that ‘legally’, none of IC can actually do the responsible disclosure. VEP is crap. It is a legal CYA loophole.

      Still leaning on SB being a CIA shadow, that *CAN* do the responsible disclosure.

      SB ‘says’ it was North Korea behind Wcry. But that does not conflict with them being a CIA shadow. Recall that Vault7 tools used lots of obfuscation to mask the country/language of origin. Note that Wcry had lots of languages (most of text was translated via Google, but there are some exceptions), but that ties to CIA tools (Vault7).

      Just pointing out that Marcy may be correct on this. No definite proof yet, but it fits to me.

      Another angle: Wcry put together (sloppy by some reports), by combining SB and Vault7.

      But appearing sloppy may be misdirection.

      As new attacks come out, watch for them be ‘attributed’ to China, Russia, Antarctica, etc.

      Watch for Vault7 dumps to alternate with SB dumps.

      Once that gets going….

      Spy vs Spy. Fighting over taxpayer money.

  2. SpaceLifeForm says:

    I have to conclude that NSA is quite pwned. All of their talk about securing their systems after Snowden was just talk. There is just too much infrastructure in place, assembled over decades, under different ‘programs’, varying classification requirements, documentation that may have not been updated (and probably few read), that it is such a complex mess that few can put their hands around. Attempting to properly secure such a mess would be a fool’s errand.

    And do not forget the IC’s spycorp partners.
    Big corporations are no better.

    Internally, I am certain that NSA will NOT buy the exfiltrated tools and docs back from SB even though they have 2 weeks to do so.

    Why? Because they know they are pwned now, and the problem is that there could be other groups that have exfiltrated the same tools and docs that SB has. NSA would logically conclude that paying SB would not preclude that they still would not be dumped later by another group.

    It is about money, taxpayer money, and flat out lying to Congress.
    So, expect monthly attacks for quite a while. Years probably.

    What SB is doing is a twist of normal extortion.
    They do not really care about the money.
    NSA knows that too. But SB is going to force people to wake up, and realize most of IC is just a huge money grab.

    Did I mention Open Source?

  3. SpaceLifeForm says:

    In June, TheShadowBrokers is announcing “TheShadowBrokers Data Dump of the Month” service. TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club.

    And there will be another club, that you will not even have to ‘join’ or pay a fee. Millions of IT folks will automagically become members of the ‘Whine of the month club’.

    Maybe if you use Open Source, you can opt out.

  4. SpaceLifeForm says:

    There be smoke.

    Comey knew he was going to be fired, so he wrote the memo immediately.

    https://mobile.nytimes.com/2017/05/16/us/politics/james-comey-trump-flynn-russia-investigation.html

    By MICHAEL S. SCHMIDT
    MAY 16, 2017

    WASHINGTON — President Trump asked the F.B.I. director, James B. Comey, to shut down the federal investigation into Mr. Trump’s former national security adviser, Michael T. Flynn, in an Oval Office meeting in February, according to a memo Mr. Comey wrote shortly after the meeting.

    “I hope you can let this go,” the president told Mr. Comey, according to the memo.

    The existence of Mr. Trump’s request is the clearest evidence that the president has tried to directly influence the Justice Department and F.B.I. investigation into links between Mr. Trump’s associates and Russia.

  5. SpaceLifeForm says:

    http://mobile.reuters.com/article/idUSKCN18C2PI

    Advisers to Judge Merrick Garland and U.S. Senator John Cornyn of Texas told Reuters they discouraged them from leading the Federal Bureau of Investigation, cautioning that they would be leaving important, secure jobs for one fraught with politics and controversy.

    [At this time, no one wants to replace Comey, because they will likely be fired quickly]

    [Unless the person is insane enough to pledge loyalty and promise to squash the Flynn investigation. Which means they will instantly become a material witness at some point. Career over.]

  6. jerryy says:

    Any bets on how long it will be before Senator Feinstein and Senator Burr are back in the news again for introducing another bill requiring software manufacturers to put backdoors in their stuff?

  7. jerryy says:

    It might even force some disclosure about exploits more critical to NSA’s current toolkit than the very powerful tools Shadow Brokers already used to create a global ransomware worm.

    It may just be the phrasing of your sentence, but do you think the SB wrote that puppy? No doubt they put the exploit out there after grabbing it from the spooks, but so far most folks are looking at other writers. (yeah, I know SB does not publish a members list. :) )

  8. scory says:

    The NSA stockpile of exploits is one thing (and is worthy of discussion for many reasons). The “beat the shit out of Microsoft” game is quite another. Every software publisher — even open source publishers — get to a point where it’s no longer feasible to update old operating system or application software.

    The problem is, sometimes people and organizations invest in application or OS software at the end of the software life cycle, and they’re stuck. For instance, if you decided to use Windows XP on a medical device in 2007, you would have built your device around an OS that was already seven years old and was likely close to the end of its life cycle. If you designed that device not to have a path forward for new operating systems, you’ve created a big, big problem — and not because of evil Microsoft. I’m working with a colleague who has a profound disability and uses a touch pad with an embedded Windows 7 OS to operate; he upgraded last year from his Windows XP version. It serves as a speech generator and a way for him to quickly write, because his disability makes it almost impossible for him to use a traditional keyboard or a pencil. If his device was compromised, he wouldn’t be able to speak or write, and in the event something happened to him, reach others for help. He would likely die. And that’s a case where the embedded OS isn’t running a device that’s actually supporting someone’s life, like a dialysis machine or a ventilator.

    Operating systems are really, really complicated code, made up of many pieces, all of which are tested, many of which are abused, but few of which are intentionally subjected to hacks. People pissing and moaning about Microsoft’s failure to alert people to the vulnerabilities in their OSs are wrong; they regularly do. What the NSA did was to examine as black hat hackers *all* of the vulnerabilities, catalogue them, and weaponize them. That they were unbelievably bad stewards of that information truly deserves investigation, because what they’ve now created is a situation where the weaponized exploits of older OSs can kill people.

    Microsoft, as a global corporation, is middling awful (and I do business with them regularly, and despise their incredibly arcane licensing for enterprise products), but it delivers a pretty good product at a pretty good price without the vagaries of open source (don’t get me started on Linux) or the lock in horror of Oracle. That they’ve taken the extraordinary measure of patching old OSs to address the NSA exploits published by Shadow Brokers is a measure of both corporate goodwill and a pretty clear acknowledgement that they recognize the bad actors in this drama are both NSA and the hackers, and the people hurt are the people served by their OSs.

    And they are right in calling for a Digital Geneva Convention, which along with a framework for identifying, remediating, and publishing patches to vulnerabilities, would help minimize the disruption of hacking caused by casual or organized non-state and state actors.

    Shorter Scott: Leave Microsoft alone! NSA and Shadow Brokers bad!
