The NSA Intercepted Microsoft's Windows Bug Reports

Bruce Schneier writes on his security blog: Back in 2013, Der Spiegel reported that the NSA intercepts and collects Windows bug reports... "When Tailored Access Operations selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft... this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer..."

The article talks about the (limited) value of this information with regard to specific target computers, but I have another question: how valuable would this database be for finding new zero-day Windows vulnerabilities to exploit?

Well, sure.

[Frosty Piss]

I suppose this is "news", but I also suppose it should have been (and for many, was) assumed. And I'll bet the NSA and the foreign equivalents are not the only ones that thought of this obvious source...

Re:

[ls671]

Sure, just have a list of keys like .ssh/authorized_keys so anybody could stick its own key in there.

Re:

[AHuxley]

Re " and the foreign equivalents are not the only ones that thought of this obvious source"
The foreign equivalents don't watch the internet like the NSA and GCHQ do.
The net belongs to the NSA, so other nations don't waste funds on low return internet things.
Some of the cool things other nations did or learned from just went back to simple human spying.
France had all its diplomatic codes broken by the USA and UK in the 1950's. It took France a while to learn from that decade long communications mistake.

Slashdot is speeding up

[Anonymous Coward]

It's now reporting on articles from 2013!

can't be true.

[Anonymous Coward]

the NSA intercepts and collects Windows bug reports.

No way can that be true. Even the NSA's Utah Data Center [wikipedia.org] doesn't have that much storage capacity.

Re:

[chill]

Deduplication works miracles on repetitive data. If there was ever a source of repetitive data, Microsoft crashes are it.

Re:

[ls671]

Maybe, maybe not, it depends on how deduplicable the records are. The same bug trace could very well have different output on different computers, memory addresses etc. could be different.

Re:

[Anonymous Coward]

Finally, a post that made me laugh. Very nice. I also think broadband speeds have been held back because of the need to match NSA data storage capacity with internet throughput.

Re:

[apraetor]

Broadband speeds have lagged the rest of the developed world because monopolies only produce up to the point marginal cost equals marginal revenue. This wouldn't be a problem if, like most natural monopolies (water, electricity), broadband was closely regulated, but it isn't. There's effectively no fixed wireline competition for cable broadband; without competition there is no pressure to increase efficiency. The problem is that regulators have been pretending cable internet, dsl (i.e. uverse) internet, and

Re:

[AHuxley]

AC the Windows bug reports of interesting people.
The people who know interesting people.
The people who are 3 and 4 hops from interesting people.
The unknown people who then make contact with interesting people or people who know interesting people.
Whats a few million files collected per task?
All the interesting users computers get altered as needed.

Re:

[AHuxley]

Backdoor, front door, trapdoor, or in the window.
If one way in is closed by a user or unexpected update another way into Windows is found.
Collect it all always works.

Re:

[AHuxley]

Someone still thought bug reports got encrypted and sent to the big private company secure from strange computer on the net.
Reality now sets in.
Windows is the way in.

Re:

[DarkOx]

Windows and windows networks are a huge liability. CIOs and CSO need to have a come to Jesus moment on that.

I sometimes do internal pentest work, and Its rare even not in 2017 that some combination of null sessions to get user names, and password spray, or just shutting up and listening for LLMNR or old NetBios and than cracking the acquired hashes won't work at a big organization. That is before you even need to consider getting "fancy" with attacks on Kerberos or SPNs. Yes you need to be on the interna

Um, yay for them?

[Snotnose]

Sure, they're slimy, illegal, and immoral. But it sounds like at least they're competent.

/ lock em up
// right next to Hillary
/// save a spot for Donny boy

Re:

[sheramil]

I hope they'll decide to monetize it soon - there's a bunch of posts I made to talk.bizarre a long time ago, and google doesn't seem to have archival copies.

those buggers

[turkeydance]

bugging

This is actually serious

[FeelGood314]

The Microsoft bug reports are important to Microsoft. They do actually analyze them to try and find bugs or in their products or in code from common/popular vendors. The NSA is undermining this trust. This is similar to the way the USA undermined doctors in Pakistan by using doctors in their search for Bin Laden. Maybe if the USA had to compensate every single person who gets Polio 10 million dollars they might not think their plan was such a great idea. Same for the NSA, they should be trying to help

Make it simpler

[aepervius]

The NSA intercepted anything and everything which went in the direction of the US, possibly also stuff which never went in the US. Consider all your communication compromised by the NSA. Now whether you care (privacy minded people, people not liking government overreach and spying and crook/spy/other nations intelligence agencies) or not (most people) is up to you.

Re:

[apraetor]

Most people care, just not enough to make it worth the cost of doing anything. Make end-to-end encryption simpler and more ubiquitous (WhatsApp, Signal) and people will use it. Given two equivalent goods where the only differentiator is privacy, users will choose the more-secure option.

What about exploitable 3rd-party bugs + targeting?

[Aryeh Goretsky]

Hello,

I seem to recall a discussion about this at the time of disclosure that the main concern was not so much finding exploitable bugs in Windows, per se, but finding bugs in third-party drivers like those from AMD and nVidia, as well as determining hardware and software a target might be using, in order to help perform vulnerability research on targets.

Regards,

Aryeh Goretsky