> Following Microsoft’s original disclosure in early March 2021, the United States Government also identified other vulnerabilities in the Exchange Server software.
> Rather than withholding them, the United States Government recognized that these vulnerabilities could pose systemic risk and the National Security Agency notified Microsoft to ensure patches were developed and released to the private sector.
Finally they seem to be starting to take the defence of citizens and private industry seriously, in a far more public forum, instead of just hearing the odd story of this happening through back channels.
The challenge the NSA has is it possesses 2 separate missions that are often in direct conflict: secure the communications of the United States, and to collect, eavesdrop, and compromise the communications of other countries.
The United States Atomic Energy Commission of the 1950s and 60s had the same problem. Their mission was to both regulate nuclear power as well as research and promote the widespread adoption of nuclear power. Making things safe and keeping them safe while also making things easy and cheap are often in conflict. Ultimately it was split into two different agencies: one tasked with regulation and one tasked with research and promotion.
I believe both missions of the NSA are important. However I believe it should be split into two agencies, each enthusiastically pursuing a single mission to the best of their abilities.
Imagine a cyber defense agency that does nothing but find and fix holes in computing infrastructure and major software projects. It pays for exploits and then works to patch them, promotes bug bounties, develops secure coding standards, audits open source projects, etc. Imagine something like The National Endowment for the Arts (NEA) that instead funds critical pieces of software like openSSL, etc.
Is that necessarily the best form? Probably not, but it’s way better than what we have now: every time the NSA suggests changes to “make something more secure” there is a looming specter that they are lying and are actually trying to compromise things.
> Imagine a cyber defense agency that does nothing but find and fix holes in computing infrastructure and major software projects. It pays for exploits and then works to patch them, promotes bug bounties, develops secure coding standards, audits open source projects, etc. Imagine something like The National Endowment for the Arts (NEA) that instead funds critical pieces of software like openSSL, etc.
I like this idea. At the same time, I think the agency - or organization, if you prefer - should look something like the National Transportation Safety Board, where incidents are investigated, reported on, and recommendations are made in a way that improves user safety. Maybe the 'National Digital Safety Board'?
> I like this idea. At the same time, I think the agency - or organization, if you prefer - should look something like the National Transportation Safety Board, where incidents are investigated, reported on, and recommendations are made in a way that improves user safety. Maybe the 'National Digital Safety Board'?
I like it too, but I also think it would need to be backed by some kind of regulatory agency that could issue the cybersecurity equivalent of an "Airworthiness Directive". Otherwise we'd be in a similar situation to the one we have now: lots of information about vulnerabilities that are often not acted upon.
Or they should stop stealing taxpayers' money and dissolve these agencies. The one thing they are good at is digging the debt account deeper and deeper, for virtually no benefit, and surely nuisance and worries.
No. I'm by no means saying nor implying that.
I'm saying tax should not be taken away from people to fund agencies. Businesses are free to do a good or bad job at managing their security posture. And if it is a bad job they are very likely to pay the consequences. The market is fine regulating itself in the long term. Agencies and regulation rather create obstacles and biases.
> The challenge the NSA has is it possesses 2 separate missions that are often in direct conflict: secure the communications of the United States, and to collect, eavesdrop, and compromise the communications of other countries.
I don't know... isn't that like saying a military general has 2 conflicting missions: offense and defense? We trust military leaders with both duties, even though they could theoretically sacrifice everything to achieve victory.
> I believe both missions of the NSA are important. However I believe it should be split into two agencies, each enthusiastically pursuing a single mission to the best of their abilities.
If you split the NSA in two, wouldn't you just have two agencies working against each other? And it would essentially give the offensive agency full permission to hoard security flaws to the detriment of the nation it serves.
I think a better solution is to clearly establish the relative priorities of each mission. IMO, the NSA should always prioritize the security of the USA's (and its allies') technological infrastructure over attacking its enemies'.
Genuinely curious about the downvotes on this. I know political stances often trump generally reasoned arguments on HN -- is it that this thread isn't _outright_ anti NSA?
Probably. I know people in my circles who believe without caveats or qualifications that the NSA is evil, that we just shouldn't have spy agencies at all, and wouldn't entertain any sort of abstract discussion of how the work should be organized.
> I believe both missions of the NSA are important. However I believe it should be split into two agencies, each enthusiastically pursuing a single mission to the best of their abilities.
At least with cryptography, I'm not sure how practical that is. I'm not a cryptographer, but my impression is that offense and defense both deeply inform each other in that space.
>> Rather than withholding them, the United States Government recognized that these vulnerabilities could pose systemic risk and the National Security Agency notified Microsoft to ensure patches were developed and released to the private sector.
It is amazing that the NSA had to notify Microsoft. You would think a company with that much money, like MS, would have dropped several million on a few pen tests and independent security audit companies.
Digital security will never be trusted unless these things are addressed in an open, transparent way.
I don't understand why HN has such a flippant attitude towards cybersecurity. You would think a forum full of developers would understand the complexity of software.
But the "just hire a pentester and you'll never have any bugs" and "just follow some (ill-defined) 'best practices' and you'll never be hacked" attitudes are so prevalent.
> I don't understand why HN has such a flippant attitude towards cybersecurity. You would think a forum full of developers would understand the complexity of software.
HN is also full of contrarians and people who like to feel superior to everyone else (and often express that through flippant dismissals).
> You would think a company with that much money, like MS, would have dropped several million on a few pen tests and independent security audit companies.
Are you under the impression that MS doesn't spend millions on security? They're currently spending roughly $1b/year. This isn't going to be fixed by "a few pen tests".
You are hugely overestimating the level of security of software like this. There's a constant stream of vulnerability discoveries, disclosures and fixes. Those vulnerabilities don't pop into existence the week someone publicly discloses them and informs the vendor, they've been waiting there for anyone to find them for years.
If MS wanted to replace a product like this with one that has a low probability of containing any remotely exploitable vulnerabilities, they'd have to go back to the drawing board, do a full rewrite with a completely different software development process, take a lot of time or make some major functionality compromises (or probably both).
How do you know they're not doing exactly that? For every 1 vulnerability that gets disclosed, we have no clue how many potential vulnerabilities were caught by security testing or practices. The entire nature of security is that it's impossible to have literally 0 vulnerabilities.
It's not possible to find all the bugs and they only get noticed when they fail to find one. No one recognizes all the bugs that they continually find and fix.
There is so much doubt in this comment section around the validity of the accusations.
We have a number of countries putting forward the knowledge they have mutually agreed upon. What is shared is known to a high degree of certainty. Any details that are questionable would not have been shared prematurely.
"Simply stated, there is no doubt that Saddam Hussein now has weapons of mass destruction." — Dick Cheney, before the US and coalition of the willing invaded Iraq.
I'd ask that we be more thoughtful on this and evaluate separate allegations on their own merits. Why do you think invoking Cheney's statement is relevant to this discussion?
As an aside, I'm not sure what's more frustrating:
Witnessing the Bush administration circa 2001-2004 be called out on these lies, by numerous entities, and still march inexorably toward armed conflict, or...
having to witness these lies being used to disingenuously discredit any future allegations made by the US.
I sympathize with your sentiment, but dishonesty in that case is relevant to credibility in this one.
What, besides credibility of the institutions making the allegations, are these allegations' "own merits"?
Agreed that a reflexive "they lie!" position isn't useful, but... trust doesn't seem like a reasonable default either. In the same vein, it would be naive to trust the Chinese NBS to report unflattering economic statistics honestly. Why? Because of past/recent dishonesty.
Whether it's true or not, I don't think the purpose of this announcement is to inform us. It's part of power games with China, laying public groundwork for updating the NATO mission, new departments/funding/laws/etc... That's not a general paranoia. I get this impression from the NATO statement itself.
From P4:
China’s growing influence and international policies can present challenges that we need to address together as an Alliance. We will engage China with a view to defending the security interests of the Alliance. We are increasingly confronted by cyber, hybrid, and other asymmetric threats, including disinformation campaigns, and by the malicious use of ever-more sophisticated emerging and disruptive technologies. Rapid advances in the space domain are affecting our security. The proliferation of weapons of mass destruction and the erosion of the arms control architecture also undermine our collective security.
Promising to engage China, followed by nonspecific cyber, WMD & space threats.
Here is where I might be paranoid, cynical or whatnot. Is defense against cyberattacks the actual goal, or is cyberwarfare just another long term raison d'etre?
"What, besides credibility of the institutions making the allegations, are these allegations' "own merits"?"
Because China hacking is fairly widespread and so this is not just about a single institution, it's about many.
There's broad consensus here, it's not just 'Dick Cheney & Co.', it's many governments, many agencies, many businesses, academic institutions and the spying/hacking takes a variety of forms.
Yes, this is an 'escalation' of sorts, because making it 'NATO' makes it firmly an issue of national security not just for the US, but for many 'important' actors.
If anything, I think there's not enough action here.
It's definitely worthwhile to keep a very close eye on misinformation and propaganda ... but I think so far we're on the right path.
That's clearly not their view. Blindly following liars into two wars has led to many avoidable casualties and has arguably made us less safe. The line between real & fake is the line between real & fake. We need to be on guard and insist on checking the intel before being led into another war.
Constant attempts to hack each other between rivals and even allies are not a big deal.
I'm not saying this is fake, our people should be doing their job mitigating this stuff and hacking them in turn, but it being blown up into a Big Deal is part of the propaganda.
Everything you said would be true if today's accusations were a pretext for armed conflict, but I don't believe we've reached that level of escalation. Do you?
Accordingly, I don't find comparison to prior wars helpful for discussion. Obviously opinions here may differ...
I do not expect that even if there was truth to the matter that war would be a direct consequence. I agree that citing historical false pretexts for war reduces the surface for debate of the validity of allegations of state-sponsored cybercrime. I should not have contributed in this manner. My apologies.
To me, it just goes to show that you cannot take on faith or even the evidence provided by the currently speaking government official (whoever that might be at whatever time).
It's a sad position to take, but we have definitely been misled/lied to by gov't officials.
Why is this particular incident any more legit/not-fake than the totally legit/not-fake WMD evidence?
>>> There is so much doubt in this comment section around the validity of the accusations.
>>> We have a number of countries putting forward the knowledge they have mutually agreed upon. What is shared is known to a high degree of certainty. Any details that are questionable would not have been shared prematurely.
>> "Simply stated, there is no doubt that Saddam Hussein now has weapons of mass destruction." — Dick Cheney, before the US and coalition of the willing invaded Iraq.
> I'd ask that we be more thoughtful on this and evaluate separate allegations on their own merits. Why do you think invoking Cheney's statement is relevant to this discussion?
I think the logic is once an organization or its leaders get something wrong, you should never, ever believe anything that organization ever says ever again. Even 20 years later after the leadership and staff has turned over a couple times.
Of course, that's a totally unworkable idea when applied consistently, so it's only used, knowingly or unknowingly, to reinforce existing biases.
It's not a question of getting something wrong. The Bush administration carried out a massive disinformation campaign to convince the public that Saddam had WMD - something they knew they had no good evidence for. Large parts of the media and most senior politicians in both major parties (including the current President of the US) went along with this disinformation campaign.
After that experience, I'll believe the US government only when they make all their evidence public, and even then, I'll be exceedingly skeptical.
> After that experience, I'll believe the US government only when they make all their evidence public, and even then, I'll be exceedingly skeptical.
So who do you think carried out these attacks? Do you think that China does not carry out any offensive hacking? Do you think they do, but avoid the US for some reason?
IMHO, these allegations are plausible enough to believe without strong evidence to the contrary. Taking the experience with the Iraqi WMD allegations as your North Star (to the exclusion of all other factors) seems like a heuristic that will be wrong far more often than it's right, and more often wrong than alternative heuristics.
Simply stated, the say-so of the US government does not change my belief either way.
If they claim to have evidence but don't provide it, I assume they don't have evidence, or that the evidence is weaker than they are claiming. If they do provide evidence, I consider the possibility that it has been tampered with, that its provenance is dubious, or that contrary evidence has been concealed.
We're talking about professional liars here. Not everything they say is wrong, but everything they say is suspect.
1) When that was stated there was serious pushback not just from US reporters but also other countries/allies.
2) It's pretty reasonable to believe that it is far easier to obtain hacking tools and knowledge as compared to weapons of mass destruction. You can't just download the knowledge and tools for nuclear weapons through the internet.
I get the cynicism and I agree that we should be doubtful and not trust our leaders at face value. But that doesn't mean that we should throw all evidence to the wind. It just demonstrates that we need to be more thoughtful in our analysis.
It's a logical fallacy to say that China/Russia being behind hacking is false simply because of the Iraq war. Of course I'm sure China/Russia absolutely love and actively push this fallacy. Just as China uses the US's failures on certain civil rights to deflect from their concentration camps and slave labor.
Actually, the US worked to fabricate evidence in collaboration with the UK too. The UK had an expert produce the so-called "dodgy dossier", that was used as Blair's justification to follow the US into their illegal war. The media called it out as obvious bullshit, then the guy that produced the report allegedly committed a timely suicide.
The EU does not have a foreign policy thus will never go to war. France has tried to boost their MIC as an alternative to the US and in doing so actively sought to damage US goals.
An invasion of another country that is neither carried out in self-defense against an imminent attack nor authorized by the UN Security Council is illegal under the UN Charter. This is one of the central principles of the modern international system.
> Iraq had weapons of mass destruction (chemical)
Even the US government admitted after the war that it could find no evidence of an Iraqi WMD program. All the US found were a few misplaced ancient, rusting artillery shells from the 1980s. These things were unusable, and were more of a danger to the people handling them than anything else. This is not the WMD stockpile the US claimed Saddam had. Nobody would ever have accepted to go to war on the basis of, "We think there are still a few misplaced, unusable artillery shells with degraded chemical agents in Iraq."
HN frowns on political commentary so I'll attempt to be brief.
The vast majority of the most recent wars have not been UNSC authorized. UN involvement is not necessary for a war to occur nor do they prevent wars or proxy wars between countries on the UNSC. The "modern international system" is an ideal. The US was attacked.
> ancient, rusting artillery shells (from the 1980s)
20-30 years old isn't ancient, they were serviceable, and they had chemical weapons in the quantity for the potential of WMDs. That is only what they found, and I imagine there were more not found.
> Nobody would ever have accepted to go to war
There was reasonable evidence they had more that the allied force didn't find. The international community is more to blame for the conditions after involvement than the instigators 10+ years on. A neighbor is beating up another neighbor and both are blaming it on someone else.
> The vast majority of the most recent wars have not been UNSC authorized.
Unless those wars are fought in imminent self-defense, then they're illegal. The invasion of Iraq was an especially egregious violation of international law for two reasons:
1. The US knew that the UN Security Council would reject a resolution authorizing war, so it decided in the end not to ask.
2. The war had catastrophic consequences for Iraq. It's not every day a country of 20+ million people is invaded and its government overthrown. Hundreds of thousands of people died as a result.
A third factor making this war particularly egregious is the deliberate campaign of disinformation that was carried out in order to justify it.
> The US was attacked.
Not by Iraq.
> 20-30 years old isn't ancient, they were serviceable, and they had chemical weapons in the quantity for the potential of WMDs.
This is how the NY Times described the small number of chemical artillery shells found scattered across Iraq:
> Filthy, rusty or corroded, a large fraction of them could not be readily identified as chemical weapons at all. Some were empty, though many of them still contained potent mustard agent or residual sarin. Most could not have been used as designed, and when they ruptured dispersed the chemical agents over a limited area, according to those who collected the majority of them.
These were the misplaced remnants of the chemical weapons program that Iraq dismantled in the 1990s.
> There was reasonable evidence they had more that the allied force didn't find.
The US occupied Iraq for nearly a decade. It's simply not credible to claim that there was any sort of sizeable stockpile that the US did not find.
Saddam gave material assistance to suicide bombers and their networks. It would suggest that had they not gotten rid of him, some of the perpetrators would have tried again. The resulting catastrophe was the result of neighbors meddling in their affairs and an internal domestic power struggle.
> These were the misplaced remnants of the chemical weapons program that Iraq dismantled in the 1990s.
If it was dismantled, it wouldn't exist.
> It's simply not credible to claim that there was any sort of sizeable stockpile that the US did not find.
Edit: I can't reply to the child but here are some salient quotes from the wiki...
"I will wait until the end of the week before judging – many dark actors playing games. Thanks for your support." - Dr Kelly
"it was subsequently established that neither the knife nor the blister packs showed Kelly's fingerprints on their surfaces"
"The former leader of the Conservative Party, Michael Howard, and the former Liberal Democrat MP, Norman Baker, both think Kelly was murdered.[173] In 2007 Baker published The Strange Death of David Kelly in which he argued that Kelly did not commit suicide."
I doubt you'll find a credible source - the security services are afterall very good at what they do. It's all circumstantial, but at the time you'd have been hard-pressed to find a single citizen who believed Kelly very conveniently killed himself at just the right time to prevent further damage to the government and their web of lies with the US.
I'm not sure I see what the theory is here. I could understand an argument that Kelly was killed to send a message, but it's hard to see what damage it could have prevented. If anything, his death confirmed the web of lies; the whole thing wouldn't have been a big deal if it were just a question of minor messaging details as the government was claiming.
It wasn't about sending a message. The theory is that Kelly could have revealed he was told to fake evidence, and could have provided confirmation of who knew what, and importantly, when.
It was about timing too - it was a critical point for Blair and Bush getting the war they so desired. Keeping in mind there was already huge opposition to the war, proper first-hand evidence being revealed at that point could well have resulted in Blair having to stand down, and potentially even the British not joining the war. Which of course the US services would not have liked.
There is a bit of a difference - we have an abundance of evidence disproving the fake moon landing stories. OTOH, there were no witnesses to Kelly's death, and the timing was so very convenient - frankly, it's naive to think our security services wouldn't do this, especially with what was at stake. Keep in mind that the US and UK were fabricating evidence as justification for an illegal war. One that they knew would claim many, many casualties, and which they must have known would end up destabilising the whole region and growing fundamentalists and terrorists (this was certainly obvious to many at the time).
I do see your point, mind, but I don't think such damning circumstantial evidence is "shit"; by that logic, MI6 could never be responsible for anything, unless of course they signed a confession.
From late 2002 to 2003, it was very much the international consensus that Iraq might have active WMD programs. The Security Council never authorized a war, but they did issue a unanimous resolution declaring that Iraq was in violation of its disarmament obligations and offering "a final opportunity to comply".
Many countries did also provide help, even though they knew the "single US regime" was likely to be lying & fabricating.
This regime has remained in power ever since Bush's 8 year reign of terror. In fact, they were in power even before George W. Bush's administration. The name of the president may change, but the people running the US war machine remain the same.
I always see this trotted out to say that Iraq did not possess WMDs, however technically it is wrong, as WMDs (chemical weapons in this case) were found after the invasion (see https://en.wikipedia.org/wiki/Iraq_and_weapons_of_mass_destr...). While there was no evidence of nuclear weapons or an active program, I believe that a better quote should be used since the pretences that it is quoted for are technically wrong.
No, there's a pretty stable presumptive meaning of "weapons of mass destruction". It means radiological, biological and chemical.
There are always people trying to expand the definition, but it's usually from more left-leaning critical schools of thought that want to classify landmines, sanctions or guns as WMD.
But in official usage, it's been pretty stable at those three.
The utility is in the muddying. To use the broader term (WMD) instead of the specific (chemical weapons) is to imply the broader abuse. While the specific abuse is something the US turned a blind eye to a generation previously (chemical weapons by Iraq against Iran).
Saddam 100% had WMDs and was capable of making more.
But he didn't have an active program, stockpiles were small and there wasn't really a huge risk of him selling to 'terrorists' etc..
The misrepresentation was really one of magnitude and capabilities and especially how the information is presented.
"He Has WMD's" is very true and legitimate (different than 'he has a knife'), but obviously the misrepresented context makes it a giant lie.
To this end, I suggest that the US would do better in their public communications if they revealed some Twitterable/TikTokable visuals and graphics which highlighted the nature of some of the incursions, so as to more strongly make their case i.e. it's easier to believe 'something material' than accusations.
This is meaningless. You're saying that since we have gotten it wrong in the past it must be wrong this time? That's not how it works. Show me your superior intelligence that contradicts this.
No, he's saying since the USG used a lie in order to further its interests and which caused more than 500k deaths, it should not be trusted when it says anything about any other adversary.
I would be happy to believe them if they released more technical details. Otherwise, just sounds like a typical "best-guess" based on geopolitical considerations.
For example, the NYTimes just published a piece about a "Rogue" section of the Commerce Department that used racial profiling targeting Chinese Americans:
I don't think they should share more tech details.
I recall an incident long ago where it was back and forth - you don't know, we know, you don't have proof, we have proof, share proof - it's all bs.. then the frustrated investigators released a trail of this addy, this pic, which was also used for this and that..
What came of it?
Not a damn thing changed other than teaching the other side what they needed to not do to not get caught in the same way.
If we are not going to put a missile into a building to stop office building 123456 - because of their theft, then keep the proof under wraps.
A public statement like this does nothing but make it reasonable for us to continue similar theft - meh. No proof needed for that.
I'm surprised given how much of it is already in plain sight. Sit down with any security engineer and you're going to hear a bunch of stories about strange network activity they've observed over the years. And this is just the stuff that's been detected.
Not to say I don’t believe that China is actively attacking networks and services (if they don’t then they’re lagging behind and it’s embarrassing), but I can understand the skepticism of grand claims when the latest was that TikTok was impacting national security.
If you don’t believe Tiktok is a national security threat you are hopelessly naive.
MyFitnessPal, Strava, etc are threats to national security and they’re US based, but you think that Tiktok isn’t because someone you don’t like said it is? That’s playground logic.
Given the goals of the US, anything that weakens US hegemony can be regarded as a national security threat. Naturally, any internationally successful social media technology not under the control of US corporations counts.
If you are not American, though, the TikTok drama has been one of the more darkly amusing spectacles.
> when the latest was that tiktok was impacting national security.
Wait, it wasn't? I'm not sure why this is a controversial opinion. Social media has often been linked to information leakage. Geotagging of photos was part of the proof that was used to show that Russia invaded Crimea. Similarly US soldiers have had their locations revealed when posting on Facebook/Twitter/Instagram. In fact if you're overseas and talking to your partner back home, they generally have another soldier listening to the conversation. Given all this, why is it surprising that a large social media platform that focuses on videos (which reveal more info), grabs a lot of data, and is connected to the US's largest geopolitical adversary is considered a threat?
There's NEVER any evidence posted, just "experts agree". In the past they at least trotted out that a "Russian IP" or a "Chinese tool" was used (e.g. the strings command showed Chinese strings in the binary). Evidence so flimsy a computer-literate teenager would not be convinced. Now they can't even do that?
Sorry but a bunch of politicians agreeing isn't evidence. I have a higher standard.
China is just the bogeyman of the hour. If it were more politically convenient to blame Russia or Iran you'd suddenly find the same evidence pointing a different way.
Russia and Iran do cyberattacks all the time. We have good evidence of these attacks from many sources. Same with China. The idea that these attacks are just being made up or we don't have evidence who executed them is either willfully ignorant (a Google search will provide plenty of evidence) or actively malicious.
> The idea that these attacks are just being made up or we don't have evidence who executed them is either willfully ignorant (a Google search will provide plenty of evidence) or actively malicious.
Tools to fake such attribution and evidence were literally part of the leaked NSA/Equation Group toolkit.
I had only previously heard [0] that similarities in the tools were discovered by Kaspersky, not that there were any leaked docs that pointed the finger back at NSA themselves. Are you maybe thinking of PRISM/Wikileaks?
Sure, and we should be willing to entertain skepticism of specific incidents when justified. The idea that there's no such thing as real attribution, that it's always fabricated based on political convenience, is just unproductive nihilism.
There is such a thing as real attribution. Just not from IPs and tools that are easily faked. You need more than that, and indeed there were many cases where we got more than that.
Agreed, but this seems to be one of the cases where we got more than that. I don't have time to read the indictment in a ton of depth, but it tells a very detailed story about some of the hackers and how they organized the hacking; it's not just "the IP matched so it's gotta be them".
> There is such a thing as real attribution. Just not from IPs and tools that are easily faked. You need more than that, and indeed there were many cases where we got more than that.
And there are most likely a lot of cases where:
1) "...we got more than that," and...
2) ...data from "IPs and tools that are easily faked" is the only information that could be released publicly without compromising sources and methods.
It's a hopeless wish to want to be able to independently assess (as an amateur!) intelligence findings in all cases. If trusting the official assessments isn't acceptable (cross-checked with general knowledge of the situation), about the only reasonable alternative position is to remain agnostic.
The CCP runs concentration camps and is actively perpetuating ethnic cleansing. That doesn't seem "of the hour." That ignores CCP doings for the past 30+ years that have cost millions of lives.
It's also instituted a very oppressive social credit system and runs an enormous censorship apparatus that it will be increasingly able to turn outwards in the future.
It's really about their ability to destroy Western democracy - which is already happening.
The US has too many internal problems to be the world savior. Every time the US looks outside its border, it's for its sole selfish interests. Human rights enforcement around the world is (unfortunately) not something we can reasonably expect from the US.
Also the U in US is extremely optimistic. Different states would act completely differently if allowed to.
The world needs to look for a different hero: any proposal?
(For a good laugh, I recommend watching the excellent "When the Yogurt Took Over" on Netflix)
I was in France when the US started the Iraq war, now I live in China. Sorry if I doubt lol, it's just impossible to trust them now. And the attacks and humiliations I faced as a French person (soft ones, ofc, in the US media) really didn't help.
So no, having a lot of countries saying China bad poopoo together is not enough anymore for me.
The nature of comment sections like this doesn't matter in the slightest if anyone is actually worried about it affecting anything, this isn't copyright reform.
Exchange being hacked has 0 relevance to HN commenters, their knowledge, or their influence. Absolutely nobody cares about the technical specifics, or technical effects of this. This is an exec level political issue, and is more related to the recent trade wars than infosec.
There is a frankly stupid amount of bipartisan US consensus on confronting China. MENA is being put to simmer. A form of “rapprochement” with Russia is underway, and the EU & NATO are barking when told.
The comparisons to the Iraq war are apt in the sense there’s essentially nothing anyone outside those circles can do about this.
Bonus points for the fact there’s 0 chance of this going kinetic anytime soon, so no blood, guts, and (non climate) refugees to affect PR going forward.
It looks like cyber warfare, as well as espionage, is considered pretty much fair game in geopolitics nowadays. I wonder where the line is drawn that would make it an act of war.
In any case, a direct attack from the Chinese government towards its main trade partners (US, Germany and Japan among them) sounds crazy to me.
I don't think it's crazy at all. We (i.e. the US) use our SIGINT abilities to spy on allies all the time, or at least according to numerous books and leaks. With that said, I'm not sure that the US government considers China an ally.
Was there ever a time when espionage and cyber warfare weren't fair game? To me the only difference seems to have been where a nation state did have the capability and where they didn't.
Why? China wants to build an empire and views the US as an enemy. They will use their military and intelligence forces to achieve that, just like any other country does to achieve their respective goals.
China goes down, so does aapl and tsla and our entire economy. Until the American voter is more powerful that the collected business interests of those mega-corps, China will be our most favored trade partner, even as they commit war crimes against the American people (in theory :)
I live in Hong Kong, and I don't care either lol. It's not that bad, so far.
The genocide, I stay a bit careful, I tended to consider direct immediate murder as genocide to respect a bit the Holocaust, but I would say they'll pay for it a thousandfold. They're building the Xinjiang country like never before by giving them a shared oppressive history. Israel "started" (or at least really took off) like that so...
I cannot fathom how they don't see it, and that's the weakness of the party: it's so top down, if a stupid idea comes from high enough, it'll get implemented to the most stupid detail.
All the reports about the "genocide" come from one person, Adrian Zenz (https://en.wikipedia.org/wiki/Adrian_Zenz). It's about as credible as reports of Saddam's soldiers ripping babies from incubators. Zenz works for the Victims of Communism Memorial Foundation and enjoys nothing more than inventing new "victims" to add to the list.
It's pretty funny the lengths to which he and the western media that runs with whatever he says are willing to invent things out of whole cloth to support this. Uighurs openly celebrating Eid was used as evidence of atrocities since this couldn't possibly be their own free will, and it was done as propaganda by Beijing!
This is a messy article. There are multiple things happening at once.
Attack vs. espionage are treated differently.
Espionage is done with the intention to steal information. Espionage is relatively normal between states. Condemn, file charges, then do the same back at them.
Attack is when the intention is to cause harm or coerce. Ransomware, intentionally disrupting or destroying systems. Attacks from a foreign government or entities acting on behalf of a government are essentially acts of war.
The West is condemning together "mixing" where Chinese government sanctioned groups are doing attacks for financial gain on the side. China should spy responsibly and stop attacks.
I don't think Chinese cyber spying is really news to anyone. What's different about this now is that the U.S., a few others and notably, NATO are specifically calling out China for it.
That's a pretty heavy diplomatic change. Especially the inclusion of NATO.
China: Declaration by the High Representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory
These activities can be linked to the hacker groups known as Advanced Persistent Threat 40 and Advanced Persistent Threat 31 and have been conducted from the territory of China for the purpose of intellectual property theft and espionage.
>> These activities can be linked to the hacker groups known as Advanced Persistent Threat 40 and Advanced Persistent Threat 31 and have been conducted from the territory of China for the purpose of intellectual property theft and espionage.
> Which is quite different from saying it is being done by the Chinese government.
Who in China would be more likely to organize an espionage campaign? Espionage is a game played by governments.
Your objection is like, after detecting a nuclear missile launch from the continental US, doubting that the US government was responsible.
UK and allies hold Chinese state responsible for a pervasive pattern of hacking
UK joins likeminded partners to confirm Chinese state-backed actors were responsible for gaining access to computer networks via Microsoft Exchange servers.
They are not getting sent to the FISA court, that court only issues warrants. They are charged with conspiracy to commit economic espionage and conspiracy to commit computer fraud and are likely going to a federal district court.
> Which is quite different from saying it is being done by the Chinese government.
Is it meaningfully different? Let's suppose that they aren't nationally funded. If there's a large group of elite hackers in your country generating international ill will, is it not also your responsibility to shut them down? To work with the government of the country that these rogue hackers are attacking to find them? Not doing so is akin to endorsing the behavior.
And it can't be anything else honestly. They are spy organizations, which are intentionally created to be difficult to track back to the funding government. We've seen the US do this for decades and have plenty of declassified documents to support this. It would be surprising if Russia, China, Germany, Australia, Israel, or anyone else didn't also operate in a similar fashion. If the method is effective then it is effective. The fact that a group resides in another country does not have any bearing on the effectiveness of the method.
Due to the level of control the Chinese government imposes on all the corporations within it, is it fair to say that such acts can't be done without the cooperation on some level of the govt?
As opposed to many western countries where the companies might be patriotic, but they have minimal fear of taking on the government in general in the courts if they feel they are in the right. Perhaps Chinese companies have the same feeling of freedom, do they?
> Due to the level of control the Chinese government imposes on all the corporations within it, is it fair to say that such acts can't be done without the cooperation on some level of the govt?
Honestly even without the government imposing so much control on corporations I believe it is fair to say that the acts can't be done without cooperation on some level of the government. If there's an elite group of hackers in your country attacking a country and generating ill will then a hands off approach is condoning the action. The only way to condemn the action is to work with said country to apprehend said hackers. But headlines aren't "US and China work together to apprehend rogue elite hacking group."
China is a big country and the Chinese government does not control everything that is going on.
Most hacking is done by kids with computers and uses trivial exploits: easy to guess passwords or security holes that are left unpatched for years after they are documented.
Fairly regularly I get a phone call from a guy with a strong accent claiming to be from Microsoft support. No one blames the Indian or Bangladeshi government for that.
You're being deliberately obtuse about this. The simplest explanation for cyberattacks against high-profile targets coming out of countries like China (or the US, for that matter) isn't "rando script-kiddies having a laugh ha ha!". It's that their government intelligence forces did it.
This kind of attempted misdirection is really common from people defending/spreading propaganda for the Chinese government. It's also similar to the excuses made when business partners with heavy government influence conduct scans and do other questionable things against US infrastructure. Apparently they think westerners are all too stupid or blind to understand what's happening. It's ridiculous.
What you're missing is that these attacks weren't targeted. They scanned the internet and processed pretty much all accessible Exchange servers in the same manner. There were a few crews operating in parallel by the way which had access to the same exploit chain but different exploits.
Some had certain variables hardcoded, e.g. the Administrator user's name, and their exploits worked with a higher success rate in the anglosphere, but failed in localized environments. Others had more advanced exploits which queried parameters instead of assuming them - those were more successful around the globe.
Another nuance missing from popular press is that most groups in China (and Russia) are operating independently, but share tradecraft among them and occasionally engage with politicized missions (either working on explicit orders from government handlers or simply defending their beliefs hacktivist-style). This is what FireEye means by "affiliation with Chinese government", NOT "operates strictly on government orders".
Why is it deliberately obtuse to think that some of China's billion people could be independent black hat hackers? Are they incapable of being evil or greedy?
They're not incapable of either. Are they as motivated as the government? In general, no. Genocidal dictatorships are more motivated than random script kiddies and "evil" black hat hackers to go after high profile government and government-adjacent (infrastructure) targets.
As the other commenter pointed out, these weren't really high profile targets. Hell, security groups found evidence they were planning to mine crypto on some of the servers. You don't need to be purposefully ignorant to question if private hackers were involved.
Whether the Chinese government has control over these APTs, the crime originated on Chinese soil, and it's their responsibility to deal with these threats. What's so hard for you to understand?
I don't think this makes much sense. We don't even know if the APTs actually do operate on Chinese soil, much less that the Chinese government condones them.
All we know is that they used Chinese IPs at some point and Chinese configured computers, and that they went after military targets.
And we don't even know that these are the same APTs.
Chinese citizens cannot even mention recent historical events in private messages on the internet without approval from the government, and you're trying to tell us that some "kids with computers" were able to carry out a sophisticated years-long cyberattack? "Kids with computers" might be plausible in a free country, but not in China.
Edit: here is the situation on Germany's stance on China [1] from a German news source.
"If jobs in Germany depend on how we deal with controversial topics, then we shouldn't add to indignation, but rather carefully consider all positions and actions,"
Germany is the 'big country' using the most careful language.
Not necessarily, there are different ways to control companies in China. The big and important ones tend to be JVs and the Chinese have various ways to control the board, whether it's 51% directly or via proxy. For smaller ones, they mostly just have a small CCP cell that reads CCP literature. It's like bible study groups, but on XJP, apparently.
An indication that the EU does not believe the probably American intelligence assessment that these hackers operate on behalf of the Chinese government.
When the US was angry with Russia everything was suddenly Russians. Now they're being difficult at China, and suddenly China is the country doing everything wrong. That anyone still takes them seriously is to my mind an incredible miracle.
Not the same thing. The Solarwinds saga (the one Russians are blamed for) was 1) extremely targeted and 2) extremely sophisticated. Exchange attacks on the other hand were indiscriminate (not targeting any single country or infrastructure, just unpatched Exchange servers) and very simple (they used a 0day chain, but it was three months old and likely somehow leaked, as multiple groups got access to it at the same time).
Not suggesting at all that the USA is some benign superpower, but Russia is run by a criminal gang and China by a despot and a corrupt communist party.
Note that I am a US citizen who expatriated after the second Gulf War.
So I am not a fan of the US gvmt, but if you think for a second that the Chinese and Russian governments AREN'T doing the things they are accused of, you are naive.
Just curious, have you visited China before? Or seen first hand what it's actually like? You seem to have a very strong opinion, yet I'm not sure if it is based on reality or not.
This is a weird comment. Gp wasn't talking about day to day life or what cities look like or anything like that.
Going to China wouldn't teach you much about its government structure and governance. It's not like you can just walk in and observe party cells interacting with company leadership.
You don't need to go to China to know what the government structure is, what foreign policy it conducts and what kind of economic behavior is clearly not just condoned (small scale hacking, data harvesting) but encouraged (fishing other nations' territorial waters) or even demanded (foreign business ownership requirements, IP transfer requirements) by the party.
You don't need to go to China to hear reports from dissidents experiencing internment, forced labor and cultural genocide. Or to see all the broken international agreements and sovereign promises, eg the early destruction of a free Hong Kong. Or to see the territorial expansionism in salami slicing illegal maritime boundaries.
Or... most importantly, to understand that a despotic cartel that doesn't believe in individual human rights is a terrible form of human organization that has terrible externalities for the whole species and planet.
Or it is simply that the EU has turned into such a massive trading partner with China that it can't publicly deal with repercussions and just puts its head down as the US points it out. Germany does this with Russia too. Ignoring a lot of what it is doing in Ukraine to remain in the good graces to secure gas pipelines. Just because the EU doesn't publicly say it doesn't mean it isn't privately agreed upon.
What governments know based on intelligence and what they say publicly are not the same thing. If the EU thinks that making a direct public accusation would be antagonistic and would not serve their interests then they won't make one. That does not mean that they don't know what's going on, don't protect themselves, or even don't retaliate.
This is effectively a PR campaign. What is its purpose? Is it a coincidence that it comes at the same time as this Pegasus/NSO story blows up?
Would this be the first full scale assault by Chinese hackers in the supply chain that we know of? If so, it is notable that they are aggressively acting in that way (and breached).
China has been accused of hacking and/or electronic spying by other states.
Russia has been accused of hacking and/or electronic spying by other states.
North Korea has been accused of hacking and/or electronic spying by other states.
And yes, the US and quite a few European states -- and many other countries -- have also been accused of hacking and/or electronic spying by other states[a].
All these governments are playing with explosives: The right spark at the wrong place at the wrong time can start a fire.
Seemingly "minor" incidents have triggered wars in the past.[b]
I have to disagree, in today's internet-connected world cyber attacks are not insignificant. It is not inconceivable for a large-scale attack to e.g. turn off an entire country's electricity distribution, and that's more than most traditional weapons ever could do.
Interesting to see the USA complaining about the cyberwarfare activities of other countries. As if it didn't have an entire government agency and even military branches dedicated to nothing but this.
And I'd bet an awful lot of these attacks are using the very same tools that the NSA created and left on a wide open AWS server, which was discovered, and downloaded, and spread all over the planet by the "shadow brokers" group for anyone to use how they see fit. They even included handy dandy user manuals.
Is there any evidence the US has directed the intentional sabotage of critical energy providers and food providers in Russia or China in recent years?
Russia appears to be waging an all-out cyber war against the US at this point. Putin admitted as much in the hour-long interview with NBC a month ago. He declared as openly as he possibly could have that the US would be targeted until it came to the negotiating table (they want sanctions etc. removed in exchange for stopping the attacks). So far the US appears to have been exceptionally reserved in its response, given it's a clear declaration of war by Russia to be intentionally targeting critical US infrastructure with attacks.
The USA has sabotaged everyone. They have compromised everyone's security. They spy on everyone, even their own citizens. Domestic law enforcement agencies actively exploit vulnerabilities in software. The USA has satellites violating the airspace of sovereign nations, imaging them and collecting all of their communications. They're so active on these fronts that it's comical to see them complaining about other countries trying to do anything.
Sibling comment is correct that this is an attack on a military research project, not civilian infrastructure. Thus non-responsive to the original request.
Perhaps a better (but also possibly fictional) example is sabotage of the Soviet trans-Siberian gas pipeline in 1983. Certainly there appears to have been a US suggestion to surreptitiously provide the Soviet Union with compromised technology it was seeking in the West. But it's not clear whether compromised technology was provided, or whether the US caused the pipeline explosion.
I wasn't going to comment at all, since the US does a lot of - ahem - "disruption" throughout the world. However, I'm not aware that the US does a lot of civilian infrastructure attacks outside of active military theatres. If true: it's a notable/interesting fact.
But I'm also not sure that civilian infrastructure attacks are further beyond the pale than rendition, bombing, arms sales, embargoes, et cetera. I worry that we in the States are more sensitive to infrastructure attacks because (1) it's a weapon readily available to our national adversaries and (2) for the first time, we are the victims.
Why when asked about "sabotage of critical energy providers and food providers in Russia or China" do you reply with sabotage of something in Iran which is neither an energy nor food provider?
My guess would be that the illustrator decided to zoom in on the biggest star in the Chinese flag and was unaware that this made it look like the flag of Vietnam.
That's not the problem. We shit on the US all day every day. There's also not a problem with this. The problem is that when we're talking about someone else it's being used as a defense. Honestly it doesn't even matter if the US is doing the same thing. If something is wrong it is wrong, no matter who does it. Responding to "China is hacking the US" with "But the US hacks China" doesn't accomplish anything except create arguments nor is it logically consistent because both can be bad. The "but they did it" implies the action is not bad in the first place and that a double standard is an excuse. The problem is that there is not a double standard. People are also critical of the US's use of hacking both nationally and globally. So if you're concerned with the US hacking people it is logically obvious that you'd also be concerned with China (or anyone else!) hacking people.
I'm tired of this argument because it just serves the propagandists. It eliminates a real conversation happening because we can't even start one because we don't even agree on a basic premise of that things can be judged independently. Comparisons can be great, but independent judgement/criticism is also necessary.
What would you like to have discussed and/or judged independently?
I agree that a lot of the comments here are shitposting or making reactionary equivocations. Others though, are making valid points... which you may agree with, or not.
IMO, for example, the most important part of this to pay attention to is NATO. Cybersecurity & China seem to be the new focus of the alliance. To me, this seems like the most potentially impactful aspect.. and probably a key reason why this announcement was made in the way that it was made. IE, I think that what NATO do in the coming few years will make the history books, rather than Chinese cyberattacks. I may be wrong, but this isn't a disingenuous equivocation. It's just my judgement on this, at this point.
Well look at the conversations in threads about the US hacking. They typically discuss the international implications of this, how to protect yourself, and what we can do about it. Yeah, there's people that bring up China and Russia, but they typically aren't the top comment or a majority of the comments. The top comment in this thread[0] is the beginning of a conversation I'd like to see but one that is already being pulled away from. It recognizes the danger of these actions (independent of the country issuing them). It is not excusing the hacking by stating that another country has done it, but rather condemning it all around.
This isn't just a thread about chinese hacking, it's a thread about a US-NATO statement in response to hacking.
Anyway, who cares about convicting one or the other. This is about consequences. The consequences of whatever direction NATO is taking now are meaningful.. much more meaningful than the hack.
I recommend reading "The Perfect Weapon: How the Cyber Arms Race Set the World Afire" if you're interested in learning more about cyberattacks over the past decade and the geopolitics of cyberattacks.
> If there was never evidence to anything, then it's reasonable to assume?
In some cases, yes.
For instance, I'm sure China wouldn't build its nuclear deterrent around some hypothetical US-made COTS "Nuclear Weapon Control System," even if there was zero evidence that system was compromised. Absence of evidence is not evidence of absence. Ditto with Huawei.
IMHO, if its decision-making wasn't so addled by wishful thinking and capitalism, the US would use far less Chinese technology for this reason.
First, just saying that something is legally possible does not mean that that's what occurred.
Second, this isn't something China-specific. The US Federal government also has enormous power to compel companies to cooperate in surveillance. Just recall when the US government ordered Lavabit to turn over its SSL keys, so that the government could intercept Snowden's emails.
You realize that all "private" companies and citizens in China are extensions of the Chinese government right? By law, all companies require party affiliation. So naturally, there is no separation between Huawei and the Chinese government.
Are there similar stories in China about Chinese companies being hacked by the US gov? Do Chinese people get outraged over them or does game recognize game? Do Chinese companies have hacking divisions?
why impose sanctions on Russia and not China? The article implies that allies would not agree to sanctions which is fair enough, but the USA can still do something alone, no?
Didn't Vault 7 reveal the NSA had tooling to make hacks look like Russian and Chinese hacks: Umbrage and the Marble framework?
Wouldn't be surprised they will use these hacking threats to create a western great fire wall.
Pompeo already talked about it with the Clean network Initiative.
Usually they get some of the hackers' tools / code and analyse that to discover the origin. They look for strings in a foreign language, but mostly the grammar of the language is used, as hackers will often write comments in a foreign language to try and make it difficult to originate.
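The string-extraction heuristic described in the comment above, as an added example that is not code from the thread or from any analyst: pull printable 8-bit (ASCII/UTF-8) and NUL-terminated UTF-16LE runs out of a binary, tag each by the Unicode script of its letters, and tally the result. The input is a constructed byte string with planted strings, not a real sample; the `MIN_LEN` of 4, the NUL-termination rule for wide strings and the masking of already-claimed 8-bit regions are my own choices (plain ASCII re-read as 16-bit units looks like CJK ideographs, which is where a naive `strings -e l` pass gets its bogus "Chinese" strings). The last function shows why earlier replies in this thread call such evidence weak: appending one string flips the tally.

```python
"""Strings-based "origin" heuristic over a binary blob, and how little it proves.

Added example, not code from the thread. SAMPLE_BINARY is constructed by hand;
every string in it was planted here, and the thresholds are assumptions.
"""
import re
import unicodedata
from collections import Counter

MIN_LEN = 4  # assumed; same default as GNU strings(1)

# 8-bit strings: printable ASCII or well-formed UTF-8 multibyte sequences, >= 4 chars.
_UTF8_RUN = re.compile(
    rb"(?:[\x20-\x7e]"
    rb"|[\xc2-\xdf][\x80-\xbf]"
    rb"|[\xe0-\xef][\x80-\xbf]{2}"
    rb"|[\xf0-\xf4][\x80-\xbf]{3})"
    rb"{4,}"
)

_SCRIPT_NAMES = {
    "CJK": "Han", "HIRAGANA": "Kana", "KATAKANA": "Kana", "HANGUL": "Hangul",
    "CYRILLIC": "Cyrillic", "ARABIC": "Arabic", "LATIN": "Latin",
}


def script_of(ch):
    """Script of one letter, taken from its Unicode character name; None for non-letters."""
    if not ch.isalpha():
        return None
    head = unicodedata.name(ch, "").split(" ", 1)[0]
    return _SCRIPT_NAMES.get(head, head.title() or "Unknown")


def dominant_script(text):
    """Most frequent script among the letters of text, or 'None' if it has no letters."""
    counts = Counter(s for s in map(script_of, text) if s)
    return counts.most_common(1)[0][0] if counts else "None"


def extract_utf16le_strings(blob, skip_spans=()):
    """(offset, 'utf-16le', text) for NUL-terminated wide runs at both byte alignments.

    Byte ranges in skip_spans (already claimed as 8-bit strings) are zeroed first;
    without that, "GetProcAddress" re-read as 16-bit units is seven CJK ideographs.
    Requiring the 0x0000 terminator drops most remaining misaligned garbage.
    """
    masked = bytearray(blob)
    for start, end in skip_spans:
        masked[start:end] = b"\x00" * (end - start)
    found = []
    for align in (0, 1):
        run, run_start = [], None
        for off in range(align, len(masked) - 1, 2):
            unit = masked[off] | (masked[off + 1] << 8)
            if 0xD800 <= unit <= 0xDFFF or not chr(unit).isprintable():
                if unit == 0 and len(run) >= MIN_LEN:
                    found.append((run_start, "utf-16le", "".join(run)))
                run, run_start = [], None
                continue
            if run_start is None:
                run_start = off
            run.append(chr(unit))
    return found


def extract_strings(blob):
    """All strings, 8-bit first; the wide scan skips bytes the 8-bit scan already took."""
    matches = list(_UTF8_RUN.finditer(blob))
    narrow = [(m.start(), "utf-8", m.group().decode("utf-8", errors="replace")) for m in matches]
    wide = extract_utf16le_strings(blob, [(m.start(), m.end()) for m in matches])
    return sorted(narrow + wide)


def classify(blob):
    """(offset, encoding, script, text) for every extracted string."""
    return [(off, enc, dominant_script(text), text) for off, enc, text in extract_strings(blob)]


def script_summary(blob):
    """The 'what language are the comments in' tally an analyst would eyeball."""
    return Counter(script for _, _, script, _ in classify(blob))


def plant_string(blob, text):
    """Append one NUL-terminated UTF-8 string, as anyone with a hex editor could."""
    return blob + text.encode("utf-8") + b"\x00"


# Constructed sample: PE-ish header bytes, an import name, a UTF-8 Chinese comment,
# a UTF-16LE Russian message, a URL, and junk between them. Not a real file.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"GetProcAddress\x00"
    + b"\x00\xcc\xcc\x00"
    + "// 调试版本\n".encode("utf-8") + b"\x00" * 6
    + "Ошибка сети".encode("utf-16-le") + b"\x00\x00\x00"
    + b"\x01\x02"
    + b"http://example.invalid/update\x00"
)

if __name__ == "__main__":
    for off, enc, script, text in classify(SAMPLE_BINARY):
        print(f"{off:5d}  {enc:8s}  {script:9s}  {text!r}")
    print("summary:", dict(script_summary(SAMPLE_BINARY)))
    # One appended string and the "evidence" now also points at an Arabic-speaking author.
    print("after planting one string:", dict(script_summary(plant_string(SAMPLE_BINARY, "نسخة تجريبية"))))
```

Running it lists the four planted strings with their scripts (Latin, Han, Cyrillic, Latin) and then the same tally with an Arabic entry after a 25-byte append, which is the whole point: the tally reports what is in the file, not who wrote it.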
* crushed protest at home and moved deeper into dictatorship
* shat all over the 1 country 2 systems agreement and strangled what little democracy there was in HK
* started a mini ground war with their nuclear armed neighbour India
* launched multiple pandemics, the latest costing the world trillions in lost output and millions of deaths
* started a Genocide internally
And we're not willing to do anything, are we? Not so much as a sanction or an embargo except for Australia, who've been left to twist in the wind.
So now China hacked some shit? Great. What are we gonna do? Nothing because no one wants to pay interest on their borrowing or 3p more for pointless plastic shit they don't need from amazon.
Is anyone else sick of all this forced "connected cloud" crap?
My wife just got a new Windows laptop and the amount of dark patterns they use to push people towards the Windows cloud is insane. I haven't used Windows in years, but it's glaringly clear that the entire modern Windows OS is designed around recurring monetization of users. Nowadays, Windows machines are essentially one big trojan horse waiting to either be hacked or tapped into by 3-letter agencies.
This is maybe the fifth time this year I've seen Israel used as an immediate deflection subject in China-related cybersecurity news posts; is that a trend anyone else has picked up on? just me?
No, it's just you. Yesterday we had worldwide coordinated reports of shady Israeli companies getting innocent people killed and suddenly there's haphazard "breaking news" report on big bad CHHHIIIINNNAAA.
A better analogy would be, if you were a company selling doors - after a string of break-ins involving some group casually walking through your products like they weren't there, somebody would eventually start asking about your responsibility.
(Maybe "cyber insurance" needs to be a thing in the SMB world? As much as I feel it's currently mostly nonsense, maybe it's serviceable. In the physical world, it seems the driving force behind buying security measures is not the (unlikely) possibility of being a victim of a break-in, but the (more likely) possibility of not getting insurance to cover it.)
>A better analogy would be, if you were a company selling doors - after a string of break-ins involving some group casually walking through your products like they weren't there, somebody would eventually start asking about your responsibility.
Actually most locks are susceptible to being picked (ie. a known exploit), so what you're describing is already the case, minus the lawsuits.
Locks being susceptible to lock picking actually turns into a feature when, for example, you're locked out or lose your keys: you just call a locksmith and they pick it for you.
I get your metaphor but I don't think it meets the situation. If you were paying a security guard to watch your apartment and they instead went to guard some other place for additional money for 2 hours and then your apartment got robbed, well, that security guard is Microsoft in this example.
If you bought a security door, and the thieves just had to knock on it at the right frequency to open it, yes, you would accuse the door seller of fraud.
If the property management company demanded that I use Insecure Brand locks on my front door, I'd have an issue with that. Of course that wouldn't excuse the robbers, but continuing to use Insecure Brand locks wouldn't be advisable. I'd also take exception if IB Locks or the property management company marketed themselves as a security oriented company.
> continuing to use Insecure Brand locks wouldn't be advisable.
Agreed. Microsoft should clarify how this happened and what measures it will take to prevent this incident from happening again. Still, the problem is with the robbery and it should be condemned. Why change the subject to Microsoft? I don't think whataboutism is a valid argument here.
It is not whataboutism. It is about 3 decades of seemingly intentional inability to deliver a secure product on the mildly evil calculation that the subscriber will need 'security updates' and 'support'.
There is a good argument to be made that Windows is a big target, but they should at least try not making it so easy.
> It is about 3 decades of seemingly intentional inability to deliver a secure product.
This is a consumer choice. You don't trust Microsoft, you don't use its services. On the government level, you ask for regulations if the situation is escalated (if necessary). But dealing with global cyberattacks is not Microsoft's problem and it's not connected to one company or one service. It's an international responsibility to act and establish a framework that prevents such attacks.
Just the other day I was listening to a radio show (further right than shown in the mainstream), where a user was clamoring for a proper locked-down version of Windows where nothing can go wrong.
The current situation (and the resulting clamoring) is absolutely a direct result of the people who create this software. Trying to shift the blame onto a nonexistent framework is at best laughable and at worst very deceptive. It absolves MS and its engineers from the guilt associated with it.
To put it another way, if those engineers were bridge engineers, we would now be witnessing multiple collapses with swathes of engineers arguing that it is not their fault as 'there is an international responsibility to act and establish a framework' that prevents bridges from falling apart.
I am sorry. I do not buy this defense. As an architect, you should know better.
You have a valid point. I am not arguing against it. I was trying to say discussing how MS deals with the subject is not the point. But after reading your recent comment, well, I guess we should talk more about MS failure.
But we're speaking about freaking NATO here!!!!! Do you attach a string to a hand grenade and hand the other end to your adversary? And then argue that someone pulled it??
Microsoft Windows and Microsoft Exchange are SYNONYMS for "security HOLE"! So tell me - why did the customer NATO _choose_ to use this?
I don't think NATO has any value here. It's a signal of unity not just to China but to Russia. This is how the Biden admin defines "America is back". So it might be aggressive but actually, it's a unity message. Us, the allies, against them, the adversaries.
Eh, the issue was found by a random (Chinese) guy on the internet. And it was reported to Microsoft at the beginning of January. It got leaked, and once you have the exploit chain - yeah, pretty much any random guy on the internet could use it for hacking. A few days after the MS disclosure there were in fact independently produced exploits by other random guys.
This is sadly true. We need to return to the Unix philosophy of do one thing and do it well. None of these multi-purpose tools that have terrible feature creep and try to take over everything, cough systemd cough. In all seriousness though, a lot of software that should be simple and easy to audit ends up having all these dependencies that are either no longer maintained or don't get the necessary code reviews, and it isn't until stuff like this happens that it actually comes to light.
I'm all for re-using code when rebuilding the wheel would be a hassle, but it has to be balanced with proper code review before it is included. Developers are much too quick to include outside code with the assumption that other people have already done the necessary reviews, and this is where a lot of devs are getting bit.
They're not digressing. There is no such thing as not vulnerable software. Especially if the attacker is the government of one of the most powerful nations on Earth.
Nothing is perfect. I'm sure nobody here is proposing that. However the lack of perfect alternatives doesn't excuse Microsoft's or specifically MS Exchange's reputation.
Lol. Love it. Don't use Microsoft, instead become an expert in Cisco OS and Linux and don't spend any time generating anything of economic value but instead spend all your time securing your infrastructure and doing pen tests.
(Yes, if you are an expert, open source is easier to secure maybe, at least that was my experience 20+ years ago. Now I mostly pay companies like Microsoft to host my stuff so I can do billable shit.)
And? The U.S. and key allies install backdoors in device firmware and embedded chips from manufacturers to spy on their own citizens. Why should we care at this point? We've had over 20 years to have this conversation, too late now. lol
The US intelligence services have specific tools to fake the source of a cyberattack. I really don't know what anyone thinks "...accuse China..." means in such headlines.
They are making accusations against China based on "educated" guesswork. The smoking gun is missing to "prove" provenance and attribution. In fact that is incredibly hard to prove.
In Stuxnet for example, the alleged perpetrators hinted that they were behind it.
Will the same countries and allies now condemn known, disclosed and proven cyberattacks sourced from other countries (with known state involvement and complicity) on activists and journalists that lead to imprisonment and death?
And Microsoft has a very long history of vulnerabilities and of hiding them. And then they will refuse to patch known vulnerabilities in lower-versioned software, trying to force large customers to do unwanted version upgrades and to adopt the more expensive SaaS offerings.
They are now trying to force all customers off the already-paid-for and cheaper on-prem Microsoft Exchange, which is still the dominant software in the directory services market, and trying to get all corporates onto Azure AD.
From the linked press release:
https://www.whitehouse.gov/briefing-room/statements-releases...