
theshadowbrokers asserts that the NSA pays Microsoft to keep vulnerabilities open, to be exploited

Delicieuxz

theshadowbrokers is a group of hackers who claim to be former USA deep-state employees (such as those who work for the NSA), and is the group that is responsible for leaking the NSA's hacking tools, which were used in the recent ransomware threat that Microsoft eventually released fixes for - despite Microsoft having already known of the vulnerability and made the fix for it a while in advance of its widespread threat.

 

Now, the shadowbrokers have made a new post, in cryptic and messy English (as have been their previous posts, though in changing styles, likely for the purpose of preventing analysis of the author), asserting that the NSA pays Microsoft and other USA technology companies to put vulnerabilities into their software, and to leave them there unless discovered by the public.

 

In their new post, theshadowbrokers mention "theequationgroup" many times. For those who don't know, Equation Group is the internal name for a USA government hacking group that is known to be responsible for hacks and attacks throughout the world, such as the Stuxnet virus that attacked Iranian nuclear facilities in 2009.

 

Here is an Ars Technica article giving some background on Equation Group.

 

Back to the topic at hand, here is an excerpt from theshadowbrokers' new public post, with the core assertions I mentioned highlighted:

 

Quote

 

In April, 90 days from theequationgroup show and tell, 30 days from Microsoft patch, theshadowbrokers dumps old Linux (auction file) and windows ops disks. Because why not? TheShadowBrokers is having many more where coming from? "75% of U.S. cyber arsenal" TheShadowBrokers dumped 2013 OddJob from ROCTOOLS and 2013 JEEPFLEAMARKET from /TARGETS. This is theshadowbrokers way of telling theequationgroup "all your bases are belong to us". TheShadowBrokers is not being interested in stealing grandmothers' retirement money. This is always being about theshadowbrokers vs theequationgroup.

 

Eternal exploits is not being ZeroDays. Is being gay to be using this term, but if being gay then correct terminology is being ThirtyDays because Microsoft patch was being available for 30 days before theshadowbrokers is releasing dump to public. Despite what scumbag Microsoft Lawyer is wanting the peoples to be believing Microsoft is being BFF with theequationgroup. Microsoft and theequationgroup is having very very large enterprise contracts millions or billions of USD each year. TheEquationGroup is having spies inside Microsoft and other U.S. technology companies. Unwitting HUMINT. TheEquationGroup is having former employees working in high up security jobs at U.S. Technology companies. Witting HUMINT. Russian, China, Iran, Israel intelligence all doing same at global tech companies. TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing "Wormable Zero-Day" Microsoft patching in record time, knowing it was coming? coincidence?

 

If theshadowbrokers is telling thepeoples theequationgroup is paying U.S technology companies NOT TO PATCH vulnerabilities until public discovery, is this being Fake News or Conspiracy Theory? Why Microsoft patching SMB vulnerabilities in secret? Microsoft is being embarrassed because theequationgroup is lying to Microsoft. TheEquationGroup is not telling Microsoft about SMB vulnerabilities, so Microsoft not preparing with quick fix patch. More important theequationgroup not paying Microsoft for holding vulnerability. Microsoft is thinking it knowing all the vulnerabilities TtheEquationGroup is using and paying for holding patch. Douche bag, dumbass, libtard, rich prick Head Microsoft Lawyer is running his cock holster because he is having ruff weekend doing real work. Head Microsoft Lawyer being angry because he is missing leisurely weekend playing the skin flute behind the country club. Real work is not being for executives. Real work is being for dirty foreign H1B workforce, happily working for less than stupid lazy American workers.

 

 

This comes not too long after Edward Snowden claimed evidence that the USA government pays USA technology companies to leave vulnerabilities in their software, so that the NSA can exploit and potentially weaponize them.

 

It is not new news that Microsoft shares Windows owners' data with the government.

 

https://arstechnica.com/security/2013/06/nsa-gets-early-access-to-zero-day-data-from-microsoft-others/

https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

http://www.itproportal.com/2014/05/14/microsoft-openly-offered-cloud-data-fbi-and-nsa/

https://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/#7d360fc6484e

https://www.bloomberg.com/news/articles/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms

 

Neither is the expectation that they create "backdoors" (in other words, secret vulnerabilities) in their software at the request / payment of police, government, high bidders, etc, something new.

 

So, considering the sketchy history Microsoft has of being cozy and willing partners with the NSA, and also the typically aggressive, greedy, and dishonest behaviour that Microsoft is known for when it comes to pushing Windows updates, forced "upgrades", hiding data-leeching tools in their software, and frustrating any attempts by Windows owners to secure their own personal and private system's data, I think theshadowbrokers' allegations towards Microsoft and the NSA sound entirely believable, and, unfortunately, unsurprisingly so.

 

 

In a similar example of business philosophy treating users as mere fodder, a former Facebook executive, who was tasked with monetizing Facebook user data, recently went public in saying that Facebook is "lying through their teeth" about how they target vulnerable teenagers to sell ad-space. In both the cases of Facebook and Microsoft, what they tell the public and what they actually do are entirely separate things, with what they tell the public being merely the words to make the public feel satisfied, despite those words being extremely detached and often obtuse from the reality of what is happening.

 

 

I think that people need to wake up, and recognize that they've accepted enslavement by corporations, who profit off of people's personal and private data. If I run a business by hooking up a bunch of Bitcoin mining machines to my next-door neighbour's electricity, would that be legal? How about if I handle a lot of people's investments, and I discreetly take 0.2% of all my clients' investment values for myself, and don't tell any of them that I did so - would that be legal and right? If profits are generated by your property, assets, and actions, and time, do the profits belong to you, or to somebody else? And is somebody else entitled to unilaterally use those things of yours for their own profit?

 

Well, those things are exactly what Microsoft is doing when they add in data-leeching tools to their software, which use your personal hardware, your paid-for electricity, your owned software licenses, your effort and time of using your PC system, to send personal usage data to Microsoft's servers, which Microsoft then sells to anyone with the money to pay for it. What Microsoft (and other companies) are doing is theft, and their millions and billions of dollars in profits from these actions are illegitimate and criminal proceeds.

You own the software that you purchase - Understanding software licenses and EULAs

 

"We’ll know our disinformation program is complete when everything the american public believes is false" - William Casey, CIA Director 1981-1987


Quote taken from my status update regarding this.

 

Quote

Microsoft only release patches on the second Tuesday of the month, known as Patch Tuesday.

 

Microsoft did create the patches in Feb and they actually released them but serious issues were reported and the updates were pulled. Microsoft then fixed the reported issues and released the patches on the following Patch Tuesday, March.

 

There are organisations that also pay Microsoft bucket loads of money to get updates for XP and Server 2003 etc even though they are past Extended Support, of those one being US Department of Defense (go figure).

 

On the 12th of May Microsoft released the security update previously only available for those organisations paying for additional extended support to the general public, for all unsupported systems past their Extended Support: Windows XP, Windows Vista, Windows 8, Windows Server 2003 and Windows Server 2008.

 

The update KB4012598 is only for the unsupported operating systems, all others have their own KBs and were done using the Monthly Security Rollup patches.

 

Only saying this as a lot of the information regarding time frames of what Microsoft did is incorrect or incomplete. The assertion that patches existed in Feb is true even for XP etc.


6 minutes ago, SCHISCHKA said:

First to say fuck windows and fuck microsoft

nothing you can really do about it sadly, windows has become number one business platform. 


Just now, Nicholatian said:

Haha, good one. The first step to solving a problem like this is owning the issue for yourself. Stop the excuses, and make the sacrifice if you really need to. If your digital life isn’t that important, then why does it really matter?

 

billions of people are not going to quit their jobs because of this. I have a job that requires windows for my work, not gonna just stop using it. 


From memory I think it was either the NSA or the CIA that was caught intercepting networking equipment from the likes of Cisco destined to foreign countries and installing their own firmware then shipping it on.


Just now, leadeater said:

From memory I think it was either the NSA or the CIA that was caught intercepting networking equipment from the likes of Cisco destined to foreign countries and installing their own firmware then shipping it on.

https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/


5 minutes ago, Nicholatian said:

If you care about running an enterprise like I do, you’ll need Windows.

Not needed but forced due to executive sheep herd mentality.

             ☼

ψ ︿_____︿_ψ_   


10 minutes ago, nerdslayer1 said:

nothing you can really do about it sadly, windows has become number one business platform. 

Cloud uptake will end that. Maybe apple might be successful in turning the iPad into a laptop. What are computers mostly for? Communications and spreadsheets? I won't be crying when windows loses market share, I wasn't born when it was a good time to buy shares


#Linux Master Race? 


Just now, SCHISCHKA said:

Cloud uptake will end that. Maybe apple might be successful in turning the iPad into a laptop. What are computers mostly for? Communications and spreadsheets? I won't be crying when windows loses market share, I wasn't born when it was a good time to buy shares

apple is bad as Microsoft when it comes to privacy, https://www.theguardian.com/technology/2016/mar/15/apple-fbi-debate-sxsw-former-nsa-lawyer-tim-cook


As usual RT, Russia's news company, is all over this. They're even pulling out decade old stories on YouTube about USA gov buying user data


2 minutes ago, fpo said:

#Linux Master Race? 

It's above race it's # Linux master sentience 


Just now, Nicholatian said:

RT = Russian Telecom ?

Russia Today


The haste of which Microsoft issued the fix for the Eternal Blue exploit lends, at least, some consideration of the claims of bribery to keep the exploits open. The possibility exists that the fix for this exploit had been prepared well in advance, only to release when the exploit is inevitably uncovered. 

 

On the other hand, it isn't impossible that a group of developers with a fire under their butts can put together and validate a fix in a very short amount of time. 

 

Under the assumption that the first paragraph is true, Microsoft would be under considerable pressure to ensure client systems receive the applicable updates ASAP to minimize the time between the exploit being uncovered, and being patched.

My eyes see the past…

My camera lens sees the present…


The only reason companies are getting away with these kinds of atrocious deals is because for some reason the public doesn't really care. I wish I could easily switch to mac and linux, but the former being expensive for my requirements and latter having pretty much no support for anything I do makes switching an impossible feat


8 hours ago, Zodiark1593 said:

The haste of which Microsoft issued the fix for the Eternal Blue exploit lends, at least, some consideration of the claims of bribery to keep the exploits open. The possibility exists that the fix for this exploit had been prepared well in advance, only to release when the exploit is inevitably uncovered. 

 

On the other hand, it isn't impossible that a group of developers with a fire under their butts can put together and validate a fix in a very short amount of time. 

 

Under the assumption that the first paragraph is true, Microsoft would be under considerable pressure to ensure client systems receive the applicable updates ASAP to minimize the time between the exploit being uncovered, and being patched.

Windows 7-10 got patches for this back in March, and XP/2003/other had patches signed in February. They didn't just push the patches out immediately.


8 hours ago, Zodiark1593 said:

The haste of which Microsoft issued the fix for the Eternal Blue exploit lends, at least, some consideration of the claims of bribery to keep the exploits open. The possibility exists that the fix for this exploit had been prepared well in advance, only to release when the exploit is inevitably uncovered. 

 

On the other hand, it isn't impossible that a group of developers with a fire under their butts can put together and validate a fix in a very short amount of time. 

 

Under the assumption that the first paragraph is true, Microsoft would be under considerable pressure to ensure client systems receive the applicable updates ASAP to minimize the time between the exploit being uncovered, and being patched.

Another uninformed alternative fact spreading. They had a patch in Feb, they built it for all platforms for private, expensive support, then they released it on all officially supported platforms to the public in March.

They only released it in May on XP/other old OSes for free because of the scale of attack and type of targets, they wouldn't otherwise.

I love people that shit on companies before knowing stuff...


31 minutes ago, djdwosk97 said:

Windows 7-10 got patches for this back in March, and XP/2003/other had patches signed in February. They didn't just push the patches out immediately.

I'm not a developer, but less than a month of time between signing a patch and releasing it doesn't seem to be a lot of time. Did Shadow Brokers include anything useful to verify their claim? Emails or some other form of communication between Microsoft and the NSA? 


2 minutes ago, Zodiark1593 said:

I'm not a developer, but less than a month of time between signing a patch and releasing it doesn't seem to be a lot of time. Did Shadow Brokers include anything useful to verify their claim? Emails or some other form of communication between Microsoft and the NSA? 

I am, and it is. A lot can happen in a month. However, someone here mentioned the patch wasn't stable in Feb, so they pushed it back to monthly March update, hence the month of delay, no reason to complain, nothing was shutting down UK's NHS back then after all :)


27 minutes ago, LePawel said:

Another uninformed alternative fact spreading. They had a patch in Feb, they built it for all platforms for private, expensive support, then they released it on all officially supported platforms to the public in March.

They only released it in May on XP/other old OSes for free because of the scale of attack and type of targets, they wouldn't otherwise.

I love people that shit on companies before knowing stuff...

It's a bit like The Mandela Effect:

Quote

The Mandela Effect is a name given to the phenomenon of the collective misremembering of specific facts or events

 


28 minutes ago, LePawel said:

Another uninformed alternative fact spreading. They had a patch in Feb, they built it for all platforms for private, expensive support, then they released it on all officially supported platforms to the public in March.

They only released it in May on XP/other old OSes for free because of the scale of attack and type of targets, they wouldn't otherwise.

I love people that shit on companies before knowing stuff...

I think you missed @Zodiark1593's point. It's not about Microsoft not being quick enough, it's rather about it being quick enough to be consistent with knowing the vulnerability and having the patch on hold until the exploit went off the NSA hands. Of course, being consistent with is different from being a proof of, as the facts are also consistent with Microsoft not being aware and rushing a patch for it after the leak.

The bottom line is that the claim by theshadowbrokers is about how NSA-known exploits are handled while they remain private information of the NSA (which you can never be sure of anyway), while the story of the March patch is about a vulnerability already gone public (hence something that needed to be patched regardless of whether the NSA deal exists or not).


34 minutes ago, LePawel said:

I am, and it is. A lot can happen in a month. However, someone here mentioned the patch wasn't stable in Feb, so they pushed it back to monthly March update, hence the month of delay, no reason to complain, nothing was shutting down UK's NHS back then after all :)

 

Quote

Microsoft is delaying its regular Patch Tuesday round of security fixes this month. The software giant is blaming a “last minute issue” for the delay, and now plans to release the patches on March 14th, a whole month after they were supposed to go live. Microsoft was expected to patch a zero-day flaw in the company’s file sharing protocol, SMB, with its February patches, but Windows machines will now be left vulnerable to in-the-wild attacks until March 14th.

https://www.theverge.com/2017/2/16/14634576/microsoft-patch-tuesday-februrary-2017-delay

 

Everyone actually in the know already knew about the SMB exploit and were implementing mitigation procedures until the patch came out, it being delayed by a month was a bit of a spanner in the works but the patch was out well before WannaCry. And I still have no idea why it is so shocking an unsupported operating system was well.... unsupported. Microsoft releasing it after it was apparent this was a pandemic level problem is something we should be thanking them for along with collectively chastising organisations that ignored all warnings and continued to run unsupported.
