NSA Exploits Ported To Work on All Windows Versions Released Since Windows 2000 (bleepingcomputer.com) 95
Catalin Cimpanu, reporting for BleepingComputer: A security researcher has ported three leaked NSA exploits to work on all Windows versions released in the past 18 years, starting with Windows 2000. The three exploits are EternalChampion, EternalRomance, and EternalSynergy; all three leaked last April by a hacking group known as The Shadow Brokers who claimed to have stolen the code from the NSA. Several exploits and hacking tools were released in the April 2017 Shadow Brokers dump, the most famous being EternalBlue, the exploit used in the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks.
What about Eternal Death Slayer (Score:2)
4.... "It's EDS 4."
Re:yes but did you heard the eagles won the game (Score:4, Funny)
I made a fair amount of money on that game. Monopoly money, of course ...
Exchange it for BitCoins.
Windows always excelled at backward compatibility (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Yeah, but you get much better framerates in Win 10
This experience isn't universal, in fact theres a thread on nvidia driver forums thousands of responses long complaining about massive performance issues in general on windows 10 but not a similar complaint mountain on windows 7(many people actually note that performance issues is not present on windows 7 on exactly same hardware setup) which was the most popular windows until literally a few days ago
Penguin (Score:1)
I guess Linus and his penguin flock will be having a field day.
Re: (Score:2)
What does Windows ME have to do with anything? Even at the time everybody recognized it as a bad joke. The only people to use it were the suckers that bought a new computer without first making sure it was running 98 instead.
Re: Joke's boner him (Score:2)
Are any of these true 'remote explots'? (Score:1)
Or must you visit a malicious web site, or firewalls be down, open shares and what not? I'm generally only worried about true remote exploits, the last I knew of for Windows was in 2001ish, "MS Blast".
Re: (Score:2)
This can be mitigated via echolonic irrigation. Pro Tip: take good care of your phat pipe.
The good old days (Score:3, Funny)
Re:The good old days (Score:5, Insightful)
They are a government agancy first (Score:5, Interesting)
It's not the fact that the NSA isn't allowed to hack. It's the fact that they discovered multiple critical vulnerabilities in an OS used by hundreds of millions of American citizens and other American agencies and governments, and instead of disclosing it responsibly so that Americans would be protected, they sat on that information. Worse, they weaponized it, then they let the weapon escape out into the wild. NSA exploits are responsible for more billions of dollars in ransomeware attacks than any single source.
The NSA failed to protect Americans, weaponized a weakness shared by virtually every citizen, and then failed to keep their weapons locked up. Imagine if the US Air Force lost a few nukes. The property damage by NSA leaks is about akin to dropping a nuke on medium sized city. The NSA leadership responsible for those decisions shouldn't just be fired, they should be hauled (in chains) before congress to answer publicly for those decisions. I cannot fathom why the American people aren't still howling for their arrest.
Re: (Score:1)
My generation stopped the NSA Clipper chip. What’s your generation’s excuse?
Re: Suuuure you did (Score:1)
Intel ME is just a mirage!
Re: (Score:2)
How many phone calls did you make to your elected representatives demanding they do something about this? Oh wait, you expected someone else to solve the problem for you?
Even if you're not in the states, like any citizen, part of your responsibility is to regularly lobby the government to represent your interests. This stuff happens everywhere, in every country where people expect some annointed king-like leader to solve all their problems and read their minds.
Re:They are a government agancy first (Score:4, Insightful)
How many phone calls did you make to your elected representatives demanding they do something about this? Oh wait, you expected someone else to solve the problem for you?
Even if you're not in the states, like any citizen, part of your responsibility is to regularly lobby the government to represent your interests. This stuff happens everywhere, in every country where people expect some annointed king-like leader to solve all their problems and read their minds.
Yes, that's the typical response of victim blamers and it's a load of bollocks.
How are citizens supposed to do something when their political representatives actively avoid them, and everything that matters to people is taken out of democratic control, or made secret, e.g. that the NSA was spying on American citizens in the US without reasonable suspicion or probable cause?
How would you like to blame voters who've been forced into a captive 2 party system dominated by corporate funding?
And how about all the US citizens and party members who are denied their right to vote by closing down polling stations and disqualifying large numbers of votes? How would you like to blame them?
When you have a participatory democracy instead of a representative one, you can blame the electorate for lack of participation. Don't shit on the unfortunate and disenfranchised.
Re: (Score:2, Insightful)
Yeah, we know. You hate us Americans. Don't think that you need to repeat yourself: I'm here to tell you, your message has been received, loud and clear.
All I'm hearing is that non-Americans want Americans to act not in the best interests of themselves, but the best interests of non-Americans and special interests. I don't really give a rat's ass, and it's particularly hilarious coming from Europeans.
"Americans cannot care more for your childrenâ(TM)s future security than you do."
-- Maddog Mattis
Re:The good old days (Score:4, Insightful)
Given the currently known evidence, it actually does appear that in the 1960's the NSA was partially on the side of secure communications. It's true they argued for a key short enough that they could break it, but they also argued for some program changes that nobody else understood, but which eventually turned out to patch the program to make it more difficult to break.
The problem is that the NSA is inherently two different organizations with conflicting goals. One is supposed to secure communications, and the other is supposed to spy on them. (Nevermind that it's only supposed to spy on foreigners. That's irrelevant to the point.) Unfortunately the spys are more adept at politics than the security researchers, so they appear have come to totally dominate the agency...and as a result nobody sensible trusts anything related to it.
Re: (Score:2)
Neither of them are supposed to act like bumbling fools and release 0 day exploits to hacker groups. Three of the most damaging crypto locker type attacks out there can be directly attributed to the idiots at the NSA that couldn't secure their weapons.
I'm pretty sure irresponsible idiots running around with weapons isn't in anyone's interest.
Dodged a bullet there... (Score:4, Funny)
... I'm still running NT Workstation
Re: (Score:3)
I know you jest, but I actually installed NT 4.0 workstation last year onto a laptop built in the post 2000 era.
*Very* challenging (drivers being a huge issue), but in the end, I had a laptop that booted in seconds, and was quite useless online (but it was funny to see webpages attempt to render on a platform that didn't recognize the web-programming languages.)
One of the biggest challenges was simply finding SPs and patches. MS of course wiped them all out, and many websites were simply pointing back to M
Re: (Score:2)
Whoosh.
That's the sound of the post going over your head.
But apparently you're too stupid to realize that.
Re: (Score:2)
I'm surprised it booted so fast. I used one of the Alpha versions of NT (v3?) which was pretty slow, but Server was far worse. Had one machine doing Lotus that took 30 minutes to reboot, although that might have been IBM's fault.
Re: (Score:2)
This was a naked NT 4 Workstation. It was such a chore getting everything working right, that I really didn't bother putting any software on it. Opera and ad-muncher, and that was it.
So once you went past the BIOS load-up screens, yeah, NT zipped right along.
Re: (Score:1)
I boot Windows 10 in seconds. And I don't even have a fast SSD.
i7 8700K on Z370-F Strix with Samsung EVO 850 SATA 250 GB.
Re: (Score:2)
If the NSA and other agencies worked on making US telecoms infrastructure and software more secure instead of ....
I must be missing something. Isn't it the purview of the US telecoms and other companies that are creating, deploying and selling the infrastructure and software to ensure that it's secure, reliable and cost-effective, not the US government? That is, if they want customers.
Re: (Score:2)
The NSA's charter has two goals: improve the security of US stuff, and penetrate the security of non-US stuff. They've apparently decided that attack is more important than defense and it's biting them (and everyone else) in the butt.
Re: (Score:2)
The NSA's charter has two goals: improve the security of US stuff, and penetrate the security of non-US stuff...
From what I can tell, their "improvement" is restricted to "national security information and systems". I didn't know that included Windows XP.
From NSA story [fas.org]:
NSA Mission
NSA's Mission is to help protect national security by providing policy makers and military commanders with the intelligence information they need to do their jobs. NSA's priorities are driven by externally developed and validated intelligence requirements, provided to NSA by the President, his national security team, and their staff
Re: (Score:2)
Fair enough. You have a lot more detail there than wikipedia (their source is from 2014 anyway; it's been modified since then). Thanks for the references :)
Good news everyone! (Score:4, Funny)
At least the NSA won't be able to use those exploits anymore.
Re: (Score:2)
Rather than "spineless", I would say "complicit".
When are they releasing the Windows 2000 patch? (Score:2)
Re: (Score:3)
Many of the operating systems are on End-of-Life status [microsoft.com] which means this product will no longer receive assisted support or security updates from Microsoft. These OSs are still widely used [hothardware.com] and are now even more vulnerable, if that's possible.
Microsoft is in a bind. They could provide patches for these vulnerabilities, or restate their policy: "Your're on your own bucko". How many people left at Microsoft worked on the Windows 2000 software or remember it? If MS does someh
Re: (Score:2)
Re: (Score:2)
If someone else can port the exploit to Windows 2000, Microsoft should be capable of porting the fix.
Possibly, but is it cost-effective and can it be achieved within reasonable time constraints? IMHO, information warfare, like terrorism, is asymmetric. It's easier to burn a bridge than to design and build it.
You don't steal from the NSA unless... (Score:3)
... you worked there. The chances of Mr A Random Hacker gaining access to their core systems are as close to zero as makes no difference. If original code is truly from the NSA then it was leaked by an employee.
Re: (Score:1)
two things every IT veteran knows:
1. never discount the improbable
2. shit happens
Re: (Score:2)
Lots of contractors and private sector networks rented their services back to the NSA per mission. The US mil/gov "contractor" staging servers held out for many years online but someone finally tracked some bot, automated network back to a NSA contractor.
With correct US gov com
Re: (Score:2)
Or some idiot violated security protocols.
Re: (Score:2)
I think you can fairly blame every president since Eisenhower...and possibly him.
It's a systematic problem. When some gets into a position of power, they almost inevitably try to consolidate the power. If they weren't the kind of person who would do that, they wouldn't have schemed for the power in the first place. And the election system guarantees that only those nearly psychotically driven to gain power will be willing to put themselves through the process.
So I recommend selecting government officials
"All versions", yeah right (Score:4, Interesting)
Interesting that he went for a 2 year old version of Windows 10. Would have been much more interesting if he tested the latest patched versions of all OS's. If he did that for Windows 10, won't surprise me if he also used unpatched versions of Windows 8.1 and 7.
Re: (Score:2, Informative)
Interesting that he went for a 2 year old version of Windows 10. Would have been much more interesting if he tested the latest patched versions of all OS's.
He did, although you have to read the article linked in the article linked from the summary to know this.
He tested on FOUR different versions of Windows 10:
10.10240 - vulnerable
10.10586 - vulnerable
10.14393 - vulnerable
10.16299 - NOT VULNERABLE
Also 10.16299 is from October 2017, which is only 5 months old right now, not 24 months as you imply.
10.10586 and 10.14393 are both not 24 months old yet either.
Only one version in that list, 10.10240, is more than 24 months old. But seeing as four isn't one as you c
The perils of outsourcing :] (Score:2)
Re: (Score:2)
With the use of contractors the compartmentalization was finally lost.
Every contractor had its own new ways and full tool lists. Staging servers could do anything for any mission at any time for a price.
Contractors got let into more and more US gov secrets until the esprit de corps within the US gov, mil was replaced by contractors rent seeking.
Political leaders backed the private