Microsoft slams NSA for enabling recent Ransomware attack

Don't be naive. This wasn't a mistake by Microsoft but by the NSA - the "flaw" is a simple backdoor (and it's dragging all the way to Windows XP, despite Vista and newer versions all featuring a different kernel) that was exploited by the NSA for years - when the tools leaked it was just a matter of time. There is no doubt in my mind that all major software developers are required to make those kinds of "backdoors" for NSA, CIA, FBI etc. How NSA got hacked (or more probably - it was an Edward Snowden-like leak) is another topic..

And this is definitely the other side to the coin. My initial comment was about things being Microsoft's fault, and I still stand by that because of MS attitude that they can do no wrong and then question why companies are doing what they are doing. I was in IT for a little bit and I totally understand why it's so important to wait for a bit after MS releases an update.

Then on the other side, you have companies who are still on Windows XP, making ridiculous statements that Microsoft is some horrible company that doesn't support them at all. And then when they get bit from something that the NSA does as per your comment, they just automatically blame MS for their own problems.

I guess it's just a very destructive cycle. My point though is that people would be a lot more happy to stand behind Microsoft if the company didn't just simply dismiss itself as even just a tiny part of any problem that shows up. For example they could take a look at the reason why companies are so slow to update, and notice the amount of support calls they get from their customers after releasing updates. Then think, 'well hmmm, maybe we're contributing to this problem a bit'. Instead the company either blames the customer or bullies customers into doing what they want.
 
Microsoft often pushes non-security related updates into "security-only" patches which can break a normally functioning machine. Like this: https://www.ghacks.net/2017/04/12/microsoft-screws-up-windows-patching-even-more/

This is just one of many incidents over the years where a security update just makes things worse.

I was specifically curious about recent issues businesses have had, not updates affecting end users. I'm fully aware of the issues end users have had over the years.
Because businesses use a completely different version of Windows with completely different patches from end users? What world do you live in?

But if you want an example of businesses being affected more than end users then I remember KB3163622 broke Group Policy which affected organizations everywhere. It was HUGE. http://www.infoworld.com/article/30...tches-kb-3159398-3163017-3163018-3163016.html

There was also MS16-075 and MS16-076 which affected Netlogon and SMB server functions. KB3161606 update rollup caused numerous issues including many bugs with Hyper-V instances.

Microsoft's quality control is lower than ever and anyone who manages these systems would know first hand.
 
Why? Money. At times it's borderline impossible to get the budget to mass upgrade. You suggest till you're red in the face at times. You have to use worst-case scenarios and you still may fail. So they roll the dice. Some companies fall on the argument, "that's why we have an IT staff." If there was enough staff to sit next to each user to slap their hand when they do something dumb, maybe that'll help.. though not enough.

Seems a bit ridiculous that the virus caused so many problems. While the refusal to upgrade/update OS's was the focus, their systems/network had to attribute. How the hell did a virus jump from a user/thinclient to the server? Do they have any security? Blame the NSA and virus makers all you want, if your systems haven't been up-kept for many years in such a large company, you have bigger problems.

As far as updates that cause issues on business machines. The source is reality. Our Win10 field systems were wrecked with 1607 which broke IIS proprietary configurations. Also forcibly introducing/enabling game mode on win10pro business environment was stupid. Possible remedy would be an added note in win update to include usage patterns with manual update. If you never played games or have them installed, rate game mode as low priority or manual update only. If there's a program on your system that has an update but hasn't been used for 5 years, perhaps a popup suggesting to uninstall.
Seems like you and I can keep yelling about things like this, but even though we are vociferous about them, there are those who simply cannot understand that when an update breaks a business computer, it costs the business a lot of money.
 
You liked the above comment that didn't answer my question, but you failed to answer it here. Perhaps you have some recent articles about how upset businesses are with Microsoft over their quality of updates... in a business environment. Thank you.

Because people are too lazy, cheap and/or daft to download updates and/or update their damn OS! Oh, and the NSA!

This isn't the final answer, but it's pretty damn hard to update millions of systems at once. So much so M$ hired 3500 more people to help. Some W10 versions let you disable and even pause updates so they are doing something to fix the issues on their end, but people need to do their parts too.

The whole, "if it ain't broke don't fix it" mentality has to go when it comes to computers connected to the Internet. Clearly this article proves it. If you wanna still use XP then disconnect it from the web.
If you want the references, I am sure you are skilled enough to find them yourself.

As you noted, there are versions of 10 where a user can disable updates. I've done so. Why? Because updates have broken things to the point of making my PC unusable, and also to the point of making some features that I regularly use unusable on at least one of the machines where I have disabled updates.

So I should allow M$ to push updates to my PCs so that my PCs break and become unusable? I don't think so.

And before you go lecturing me about how I am going to get a virus, I've been using PCs since the early 90s and have never gotten a virus simply because I am security conscious, don't expose my internal network to the outside world, and am easily able to see a scam. I am not saying that I won't or can't get a virus, but in 25+ years of PC ownership, most of them using M$ operating systems and 20+ years of internet usage, I have yet to get a virus. It is pretty easy, from my point of view, to NOT get a virus.

As I see it, it does not matter how many people M$ hired. If the answers that have been posted to technical questions on M$ main site are any indication, there are a large number of people that they have hired that are completely clueless, and their answers to the questions are less than useless.

M$ has only one thing in mind and that is $$$$. Poor M$ seems to think that it has a spotless reputation and that the NSA is somehow tarnishing that reputation. What they don't realize is that they themselves, meaning M$, have trashed their own reputation.

And your statement regarding "if it ain't broke, don't fix it" sets aside reality - at least as I see it. Not everyone is some dumb wanker who needs to have sh!t shoved down their throats.

Like I said, though, when "updates" make PCs completely unusable (such as the 10 update that left my PC with a black screen and only the mouse cursor showing), or break major features that are regularly used, then those updates are less than useless - at least in my eyes. I image backup when I do 10 updates. If they break things, I restore the image. IMO, M$ has taken a gigantic leap backwards with 10.
 
I was specifically curious about recent issues businesses have had, not updates affecting end users. I'm fully aware of the issues end users have had over the years.
And like end users do not exist in businesses, and an end user in a business cannot have the same problems that an "end user" has in the "real world?" :confused: Do you live on Earth, or are you just throwing straw men into the fire?
 
If you want the references, I am sure you are skilled enough to find them yourself.

As you noted, there are versions of 10 where a user can disable updates. I've done so. Why? Because updates have broken things to the point of making my PC unusable, and also to the point of making some features that I regularly use unusable on at least one of the machines where I have disabled updates.

So I should allow M$ to push updates to my PCs so that my PCs break and become unusable? I don't think so.

And before you go lecturing me about how I am going to get a virus, I've been using PCs since the early 90s and have never gotten a virus simply because I am security conscious, don't expose my internal network to the outside world, and am easily able to see a scam. I am not saying that I won't or can't get a virus, but in 25+ years of PC ownership, most of them using M$ operating systems and 20+ years of internet usage, I have yet to get a virus. It is pretty easy, from my point of view, to NOT get a virus.

As I see it, it does not matter how many people M$ hired. If the answers that have been posted to technical questions on M$ main site are any indication, there are a large number of people that they have hired that are completely clueless, and their answers to the questions are less than useless.

M$ has only one thing in mind and that is $$$$. Poor M$ seems to think that it has a spotless reputation and that the NSA is somehow tarnishing that reputation. What they don't realize is that they themselves, meaning M$, have trashed their own reputation.

And your statement regarding "if it ain't broke, don't fix it" sets aside reality - at least as I see it. Not everyone is some dumb wanker who needs to have sh!t shoved down their throats.

Like I said, though, when "updates" make PCs completely unusable (such as the 10 update that left my PC with a black screen and only the mouse cursor showing), or break major features that are regularly used, then those updates are less than useless - at least in my eyes. I image backup when I do 10 updates. If they break things, I restore the image. IMO, M$ has taken a gigantic leap backwards with 10.

None of that was relevant to what I was curious about, but you tried. :)
 
Microsoft has yelled at Google for finding and announcing vulnerabilities as well. It's funny how they release a product with holes in it then complain that people are pointing them out. How about you show appreciation and fix them as they come?

"there is simply no way for customers to protect themselves against threats unless they update their systems." guilty or not .. sure Microsoft are going to be top of the list of suspects .. they stand to make the most money from these forced upgrades ..
 
The question it seems to me is why are there so many systems running an operating system that was released in 2001 and had official support killed in 2014? Everyone knew Microsoft ended support for XP but some continued to roll the dice hoping nothing would happen. Microsoft had no responsibility to release a patch for an OS they had officially ended support for 3 years ago.
For corporate embedded systems that work, an OS upgrade introduces many many new services which need lockdown, patching, migration. Very very expensive exercise for no business gain until compromised. Management prioritise something with no monetary benefits very low in a budget. It's hard to get customers to pay for something they already have unless you pad your initial contract or include maintenance which decreases your competitiveness.
 
"there is simply no way for customers to protect themselves against threats unless they update their systems" At least it's a way to ensure a poorly designed update doesn't do as much damage as the threats we are trying to avoid or at least reduce functionality. More important is at least a basic awareness of the dangers online and knowing how to protect against them (don't use suspect sites, click links in dodgy emails or download that harmful exe, scr or bat file). Currently my PC with Windows 10 is working fine (older update), getting those updates could mean hours or even days of troubleshooting. Worth the risk?
 