"It's not safe to run an internet facing Windows box right now."
April 14, 2017 2:24 PM

Ars Technica: The Shadow Brokers—the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency's weaponized software exploits—just published its most significant release yet.
Friday's release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.
Motherboard: The Latest Dump of Alleged NSA Tools Is ‘The Worst Thing Since Snowden’
In fact, the latest Shadow Brokers dump contains several working Windows zero-days in executable (.exe) binaries with "step-by-step logs laying out how they're used and the commands to run," according to Ashkan Soltani, an independent security researcher.
Reuters: Hackers release files indicating NSA monitored global bank transfers
The release included computer code that could be adapted by criminals to break into SWIFT servers and monitor messaging activity, said Shane Shook, a cyber security consultant who has helped banks investigate breaches of their SWIFT systems.
Shadow Brokers previously
posted by Existential Dread (58 comments total) 30 users marked this as a favorite
 
I couldn't tell from the main Ars article, or perhaps just don't understand Windows architecture, but Win 10 exploits weren't included in the release, yes?
posted by codacorolla at 2:37 PM on April 14, 2017


In their opinion!!
Not necessarily FACT
Most people don't expose non-protected boxes to the internet.
posted by Burn_IT at 2:38 PM on April 14, 2017


These Russians sure do have talking like Ali G down.
posted by Artw at 2:39 PM on April 14, 2017 [6 favorites]


but Win 10 exploits weren't included in the release, yes?

The Ars article actually touches on this: "There's no indication any of the exploits work on Windows 10 and Windows Server 2016, although it's possible the exploits could be modified to work on these operating systems."
posted by Nonsteroidal Anti-Inflammatory Drug at 2:41 PM on April 14, 2017 [1 favorite]


Ah, so it seems like it's mainly servers and business class machines, as well as the few systems not at Win8. Still very bad. A Win10 or Win7 exploit kit on this level would be... apocalyptic, right? That would be like 75% of the world's computers.
posted by codacorolla at 2:43 PM on April 14, 2017


So weird that there's not much coverage outside of places like ZDNet as if it were a new Canon color printer or something. I guess we're just accustomed to massive drops of intel agency hacking tools, like people got used to routine moon landings in the 60s.
posted by RobotVoodooPower at 2:45 PM on April 14, 2017 [19 favorites]


but Win 10 exploits weren't included in the release, yes?

Win10 was a big update but I'd bet dollars to doughnuts there's still some NT code in there.
posted by sammyo at 2:50 PM on April 14, 2017 [4 favorites]


like people got used to routine moon landings in the 60s

You mean the 70s? The first moon landing was halfway through 1969; I don't think people got blasé quite that quickly.
posted by Greg_Ace at 2:52 PM on April 14, 2017 [10 favorites]


These Russians sure do have talking like Ali G down.

Like the previous statement, the new statement seems likely to have been heavily manipulated to obscure its origin. Either someone deliberately talking strange or maybe an automated tool.

Can we just say now fuck the NSA? They created these hacking tools. They lobby and exploit in various ways to make computers less secure. And now the fruits of their labors have been stolen and dumped on the Internet to make everyone's life miserable. Nice job, NSA.
posted by Nelson at 2:55 PM on April 14, 2017 [23 favorites]


It's not safe to run an internet facing Windows box ever.
posted by Talez at 2:57 PM on April 14, 2017 [28 favorites]


A Win10 or Win7 exploit kit on this level would be... apocalyptic, right? That would be like 75% of the world's computers.

From the short description, it looks like ETERNALCHAMPION, ETERNALSYSTEM, and ETERNALBLUE all would work against Win7.

As noted in the article, the apocalypticness of this is somewhat mitigated by the fact that most routers don't let this kind of traffic through, but it's easy to imagine a laptop being compromised while connected to a public wifi network, and later being used to attack other machines on a home or corporate network.

So it's definitely bad.
posted by aubilenon at 3:13 PM on April 14, 2017 [5 favorites]


Makes me pretty glad all the webservers I have are running linux, or I'd have a nervous weekend.
posted by signal at 3:32 PM on April 14, 2017 [1 favorite]


So weird that there's not much coverage outside of places like ZDNet as if it were a new Canon color printer or something. I guess we're just accustomed to massive drops of intel agency hacking tools, like people got used to routine moon landings in the 60s.
The same thing happens with the coverage, or lack thereof, of all of the major Android malware issues out there. I wonder at times if it's related to how coverage of this stuff mostly follows Tall Poppy rules, where people don't really have any expectations or standards of the sort of "generic" commoditized option for a lot of stuff — compare the Prius "issues" that, if memory serves, were basically just not real with the fact that American car maker recalls aren't really considered news, for instance.

I mean, it's certainly possible to run a secure Windows box connected to the internet, but the moment you suggest that it's a hell of a lot easier to do so on a *nix system it's suddenly SO YOU'RE SAYING MY SON'S TOO GOOD FOR THE COAL MINES
posted by DoctorFedora at 3:42 PM on April 14, 2017 [8 favorites]


If this GovTrack page is to be believed, there are a lot of people in USG buildings on Windows 7. Fuuu-uck. (Though maybe Chrome always reports user-agent as Windows 7?)
posted by RobotVoodooPower at 3:55 PM on April 14, 2017 [1 favorite]


The Linux kernel UDP "RCE" that dropped last week doesn't concern you then?

(I looked and didn't see a path for code exec, but you hate to say something is unexploitable...)

The Windows vs Linux in terms of security you'll see repeated here and elsewhere is largely based off out of date info. Starting with Win10 you're beginning to see the payoff of MS hiring some very smart people and letting them work for a very long time. Linux without grsec is a fair bit behind modern Windows in terms of exploit mitigations, and they don't really seem to have a good strategy for catching up, or even the awareness of the features they're missing. It will be very interesting to see the effect the Win10 mitigations have on windows exploits going forward.

From a defensive standpoint, it would be especially interesting to see if these bugs were fixed in Win10, or are instead unexploitable due to some of the new security mitigations. I don't know what mitigations the Win10 services have enabled, and don't have a box laying around to check but if someone wants to that'd certainly be relevant info...
posted by yeahwhatever at 3:57 PM on April 14, 2017 [11 favorites]


Makes me pretty glad all the webservers I have are running linux, or I'd have a nervous weekend.

You've seen https://nvd.nist.gov/vuln/detail/CVE-2016-10229, right? (if you're running the latest of everything, you're probably ok).
posted by effbot at 3:57 PM on April 14, 2017 [2 favorites]


Can we just say now fuck the NSA? They created these hacking tools. [...] And now the fruits of their labors have been stolen and dumped on the Internet to make everyone's life miserable.

Don't forget the other fact buried in the ArsTechnica article: The NSA knew 96 days ago that these tools were out of their hands. Instead of warning Microsoft to prepare defensive patches, they did nothing.
posted by JoeZydeco at 4:01 PM on April 14, 2017 [48 favorites]


Good news for most people is that odds are your computers are behind a firewall (even if you don't know what one is) since most routers/modems will have one built in. Thus, you are likely not "internet facing", this is primarily a concern for servers. At least, as far as _these_ exploits go --- firewalls are by no means hackproof but that would be a separate set of exploits.

It's not safe to run an internet facing Windows box ever.

I wouldn't feel safe running any server that allows incoming connections without a dedicated security team. Linux is under pretty constant attack/threats too given that it runs so many major sites, including by state agents and fairly sophisticated groups. And of course Macs have a fair amount of vulnerabilities these days too. To really keep up with the security situation is a full time job / set of jobs.

For most consumers, the combination of a firewall + not being a focused target (ie, you're not a large company with lots of juicy data) means you probably don't need to lose any sleep over this (and there's probably not much you could do anyway...)
posted by thefoxgod at 4:20 PM on April 14, 2017 [14 favorites]


It will be very interesting to see the effect the Win10 mitigations have on windows exploits going forward.

It doesn't really matter how many 'very smart people' MS hires to do security if they let the NSA install exploits that then get leaked.
posted by overhauser at 4:26 PM on April 14, 2017


... DOD has migrated 200,000 devices to Windows 10...
I would imagine that a significant number of these are not internet facing, but are on secure airgapped networks.
posted by Emperor SnooKloze at 4:31 PM on April 14, 2017 [1 favorite]


It doesn't really matter how many 'very smart people' MS hires to do security if they let the NSA install exploits that then get leaked.

There's nothing in these exploits that suggests that MS was colluding with the NSA, in fact, all evidence currently points to the exact opposite conclusion (see: MS running around currently with their hair on fire). Furthermore, even if we were to accept the hypothesis that MS and the NSA are colluding, the mitigations that the Very Smart people are adding will make the supposed implants the NSA provides have a larger footprint and be more noticeable, which will decrease their value.
posted by yeahwhatever at 4:35 PM on April 14, 2017 [13 favorites]


I have assumed for decades that big governments can source/read/install anything they want on any computer anywhere. Everyone gets upset and there are big investigations hue and cry when the Russians do it, so why assume the USA can't do the same?

I was just in the MDs office and an office worker person just told me, "You read that email at ___ o'clock on the 4th from xxx.xxx.xxx.xxx (location)."

I asked her, "OK, so smartie...what did I have for lunch that day?" ^_^

Gist: Anything one might think is "secure" probably isn't....
posted by CrowGoat at 4:39 PM on April 14, 2017


> Can we just say now fuck the NSA? They created these hacking tools.

I'm not feeling the outrage. Writing exploit kits is not bulk metadata collection. The Snowden docs showed infrastructure that was just waiting for another J. Edgar Hoover -- this looks like an institution following their mission and then getting badly hacked. I'm not saying it's good, but the shitty situation caused by the dump is part and parcel with larger shitty convergences.

I dunno, maybe I've just gone soft on them since the election.
posted by postcommunism at 4:45 PM on April 14, 2017 [6 favorites]


This is not to say I mightn't switch to my linux partition for the weekend. With its cross-eyed video drivers.
posted by postcommunism at 4:50 PM on April 14, 2017 [1 favorite]


I'm not feeling the outrage. Writing exploit kits is not bulk metadata collection.

They knew that these exploits were stolen/leaked more than 90 days ago. That would have been a good time to work with Microsoft to fix the holes, and drastically lower both the value of these exploits and the harm that comes to users when those exploits inevitably see a wider release.

I'm not outraged that they wrote these tools; that's part of their job. I'm outraged that when they lost control of them, they didn't make any effort to act responsibly.

It's 2017. Any software company that treats NSA as anything other than a hostile actor is no longer acting responsibly, either.
posted by toxic at 5:00 PM on April 14, 2017 [30 favorites]


Seconding toxic and JoeZydeco: intelligence agencies hacking isn't surprising but as soon as the Shadow Brokers advertised these by code-name they should have notified the vendors.

“Internet-facing” is a good first “how screwed are we?” pass but it may lead people to believe they're not at much risk. Since most places learned to firewall windows a couple decades ago, I bet most of the damage will come from escalating an initial compromise: phish someone into opening the wrong PDF and then use their desktop to hit that really important server IT has on a 10 year upgrade schedule because everyone's afraid to break something if they touch it.
posted by adamsc at 5:16 PM on April 14, 2017 [7 favorites]


I expect open source data-diodes to show up any day now. They allow you to guarantee that data flows in one direction only, using the laws of physics.

I also expect capability based security to start crossing into the mindset of people soon.
posted by MikeWarot at 5:52 PM on April 14, 2017


I expect open source data-diodes to show up any day now. They allow you to guarantee that data flows in one direction only, using the laws of physics.

...so, an interface over which TCP could never hope to operate?
posted by destructive cactus at 6:17 PM on April 14, 2017 [4 favorites]


Writing exploit kits is not bulk metadata collection ... this looks like an institution following their mission and then getting badly hacked

Well fuck the NSA for the bulk data collection too. I've got a little extra outrage to spare.

But my anger at the NSA over these hacking tools is more specific than that. Part of the NSA's mission historically has been to help make American crypto and computer systems more secure. The most famous example is probably the DES S-Boxes, where it turns out NSA tweaked the encryption algorithm's constants so that they were secure against an attack only the NSA knew about at the time. They benevolently made us more secure.

But that time of NSA being helpful is long since past. The NSA no longer can assist American companies with security because we know they actively work to subvert those companies' security systems. In theory NSA only has access to the backdoors they've discovered or placed. And yet here we are, looking at a bunch of NSA zero days they didn't even have the fucking courtesy to suggest Microsoft should maybe patch when they lost control of them months ago.

As an American, it angers me greatly I have to worry about an American agency as a threat as much as I have to worry about Russian and Chinese hackers. Not to mention various transnational extortion rackets. The NSA should be protecting us from those threats, not creating new ones.
posted by Nelson at 6:54 PM on April 14, 2017 [25 favorites]


...so, an interface over which TCP could never hope to operate?

UDP would be unaffected, though.
posted by Juffo-Wup at 7:08 PM on April 14, 2017 [1 favorite]


"step-by-step logs laying out how they're used and the commands to run,"

I, for one, am glad that the NSA writes good documentation.
posted by Going To Maine at 7:35 PM on April 14, 2017 [2 favorites]


> But that time of NSA being helpful is long since past. The NSA no longer can assist American companies with security because we know they actively work to subvert those companies' security systems. In theory NSA only has access to the backdoors they've discovered or placed. And yet here we are, looking at a bunch of NSA zero days they didn't even have the fucking courtesy to suggest Microsoft should maybe patch when they lost control of them months ago.

> As an American, it angers me greatly I have to worry about an American agency as a threat as much as I have to worry about Russian and Chinese hackers. Not to mention various transnational extortion rackets. The NSA should be protecting us from those threats, not creating new ones.
I think, from what is revealed about the NSA (and other TLAs), their goal is to make themselves the only party that can breach secure systems. That includes not disclosing security flaws responsibly, and suspected curve-cooking in elliptic-curve cryptography standards.

In other words, they're a bunch of intelligent people with grand delusions, running the asylum with no oversight.
posted by runcifex at 9:02 PM on April 14, 2017 [6 favorites]


I, for one, am glad that the NSA writes good documentation.
Final step of the ODDJOB user docs (DL), once you've finished setting up:
  • Drink a beer because you're done. Hey, you're just following directions.
posted by russm at 9:42 PM on April 14, 2017 [4 favorites]


If you think there is any chance I'm opening a random docx from GitHub any time soon, you are greatly misunderestimating my paranoia. ;)
posted by wierdo at 10:09 PM on April 14, 2017 [5 favorites]


wierdo - I'll mirror it on mega.nz if that'll help :)
posted by russm at 10:37 PM on April 14, 2017 [1 favorite]


Microsoft claims these exploits have been mostly patched, and the unpatched ones don't work on Windows 7 and above.
posted by xigxag at 12:24 AM on April 15, 2017 [2 favorites]


The NSA no longer can assist American companies

What *is* an American company these days? My NY L.L.C. is one, since it's just lil' old me, and I've been in NY since I was born, but once you get into shareholders, then what % of ownership by a Chinese bank tips the scale?

With that said, I'd put money on everything being 'leaked' already being obsolete at the NSA. Win 10 phones home to MSFT servers all the time. Anyone want to lose money betting they're into those? (And router operating systems. They're all deep in the routing fabric...)
posted by mikelieman at 12:54 AM on April 15, 2017 [1 favorite]


There's nothing in these exploits that suggests that MS was colluding with the NSA, in fact, all evidence currently points to the exact opposite conclusion (see: MS running around currently with their hair on fire).

The smart money has always assumed that the NSA partnered with Microsoft (and other vendors, like Cisco and Oracle) and/or forced them to insert various backdoors and weaknesses into their products... and then also, of course developed and inserted their own set of additional ones that their "partner" didn't know about.

I mean, they're a spy agency. How else would you do it?
posted by rokusan at 3:41 AM on April 15, 2017


● Drink a beer because you're done. Hey, you're just following directions.

Well, at least he didn't say "orders."
posted by rokusan at 3:43 AM on April 15, 2017 [2 favorites]


"...so, an interface over which TCP could never hope to operate?"

Actually, you can run almost any protocol through a data diode, HTTP, FTP, EMAIL, etc. Data diodes are a pair of computers, connected by a unidirectional link. The "low" (low security) side, acts as a conventional internet node, with any services you care to configure. All received data then goes into a buffer, which is scanned and transmitted as a stream (probably with forward error correcting and lots of redundancy, as there is no possibility of requesting re-transmission) to the "high" (high security) side... which receives the stream, and makes the data available to its pair of servers.

A pair of raspberry pi's could do the job, using a optoisolator to connect their UARTs.

And, after about 5 minutes with the gargler... here's a project doing some of the above, a raspberry pi based data diode, using optical converters to make it one way.
posted by MikeWarot at 3:48 AM on April 15, 2017 [6 favorites]
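The one-way framing MikeWarot describes (numbered frames, redundancy instead of retransmission, a check on each frame), as an added example that is not from the thread or from any real data-diode project; the "link" here is a deterministic stand-in for the optoisolated UART that drops and corrupts frames, so the receiver's only options are to discard bad copies and report gaps it cannot ask to have refilled.

```python
import struct
import zlib

# Frame header: sequence number (uint32), total chunk count (uint16),
# payload length (uint16). A CRC32 over header+payload is appended.
HDR = struct.Struct("!IHH")


def encode_frames(data, chunk_size=16, repeat=3):
    """Low side: split data into numbered, CRC-protected frames.

    Each frame is emitted `repeat` times in a row because the high side
    has no back channel and can never request a retransmission.
    """
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        body = HDR.pack(seq, len(chunks), len(chunk)) + chunk
        frames.extend([body + struct.pack("!I", zlib.crc32(body))] * repeat)
    return frames, len(chunks)


def decode_frames(frames):
    """High side: keep the first intact copy of each sequence number.

    Returns (reassembled_bytes, missing_sequence_numbers). Frames with a bad
    CRC are silently dropped; a non-empty `missing` set is the only signal
    that data was lost, since nothing can flow back to the sender.
    """
    got, total = {}, None
    for frame in frames:
        if len(frame) < HDR.size + 4:
            continue
        body, (crc,) = frame[:-4], struct.unpack("!I", frame[-4:])
        if zlib.crc32(body) != crc:
            continue  # corrupted in transit
        seq, tot, length = HDR.unpack_from(body)
        payload = body[HDR.size:HDR.size + length]
        if len(payload) != length:
            continue
        total = tot
        got.setdefault(seq, payload)
    if total is None:
        return b"", set()
    missing = {s for s in range(total) if s not in got}
    return b"".join(got[s] for s in range(total) if s in got), missing


def simulated_one_way_link(frames):
    """Deterministic stand-in for the unidirectional link (assumption for the
    example): drops every third frame and flips a byte in every fifth.
    Nothing is ever returned to the sender."""
    out = []
    for i, f in enumerate(frames):
        if i % 3 == 1:
            continue
        if i % 5 == 2:
            f = f[:HDR.size] + bytes([f[HDR.size] ^ 0x55]) + f[HDR.size + 1:]
        out.append(f)
    return out


# Constructed sample: 90 bytes of fake log lines, i.e. six 16-byte chunks.
MESSAGE = b"".join(b"log %02d: sample\n" % i for i in range(6))


def demo(repeat):
    frames, _ = encode_frames(MESSAGE, chunk_size=16, repeat=repeat)
    return decode_frames(simulated_one_way_link(frames))


if __name__ == "__main__":
    for r in (3, 1):
        data, missing = demo(r)
        print("repeat=%d: %d/%d bytes, missing chunks %s" % (r, len(data), len(MESSAGE), sorted(missing)))
```

With three copies per chunk every chunk survives the simulated loss; with a single copy the high side ends up with gaps it can only log.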


With old Ethernet it used to be possible to just clip the Rx pair and make it transmit only... Old sysadmins used to do this for the connections to their logging servers. Unlikely to work with modern anything.
posted by miyabo at 4:07 AM on April 15, 2017 [3 favorites]


MetaFilter: a bunch of intelligent people with grand delusions, running the asylum with no oversight.
posted by oheso at 4:24 AM on April 15, 2017 [12 favorites]


> Microsoft claims these exploits have been mostly patched, and the unpatched ones don't work on Windows 7 and above.

Sure ... that's what they want us to think.
posted by oheso at 4:34 AM on April 15, 2017


Microsoft has already patched the NSA's leaked Windows hacks, a Verge summary with links to other articles. Some speculation that contrary to discussion here, NSA may have quietly notified Microsoft of some of the exploits back in February.
posted by Nelson at 6:42 AM on April 15, 2017 [1 favorite]


Any software company that treats NSA as anything other than a hostile actor is no longer acting responsibly, either.

RFC 7169: The NSA (No Secrecy Afforded) Certificate Extension
Note the publication date.

RFC 7258: Pervasive Monitoring Is an Attack
This is considered Best Current Practice (BCP 188).

The following related RFCs are informational:
RFC 6973: Privacy Considerations for Internet Protocols
RFC 7624: Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement
posted by ryanrs at 6:48 AM on April 15, 2017 [4 favorites]


We can safely assume that (a) the NSA/CIA have more recent Windows zero days, and (b) Russia has copied those too, but (c) Russia won't release them until those too get burned. Fun times ahead!
posted by jeffburdges at 6:55 AM on April 15, 2017 [1 favorite]


I suppose this doesn't affect me (lol windows), but I'll take a few minutes to craft a some ever more draconian firewall rules for my linux server, for lack of better things to do.

Lately I've been messing around with this rule pattern:
iptables LOG --> fail2ban --> iptables DROP

For example, if someone touches port 23 telnet, all their packets will get dropped for a few hours. I'm honestly surprised I haven't locked myself out or triggered some iptables rule-storm from hell.

I'd publish the rules, but it's very susceptible to DOS because it doesn't go through the full three-way handshake before blocking the IP. There's a conflict between falling for forged source addresses and catching portscans that I need to think about some more.
posted by ryanrs at 7:45 AM on April 15, 2017
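The LOG -> decide -> DROP pattern ryanrs describes, written out as an added example (not the commenter's rules, which were not posted): a small fail2ban-style decision function run over constructed iptables LOG lines. It makes the forged-source trade-off explicit with a `ban_bare_syn` switch (count lone SYNs and you catch port scans but can be fed spoofed addresses; ignore them and you only act on packets that carry ACK) and an allowlist so the admin's own address can never be locked out. The log prefix `IPT-TELNET` and all addresses are assumptions for the example.

```python
import re
from collections import defaultdict, deque

# Constructed kernel-log lines in the shape iptables' LOG target produces.
# Uptime stamps in [] are used as the clock. All addresses are documentation ranges.
SAMPLE_LOG = """\
[1001.10] IPT-TELNET: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 SYN URGP=0
[1002.10] IPT-TELNET: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 SYN URGP=0
[1003.10] IPT-TELNET: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=23 WINDOW=29200 SYN URGP=0
[1004.10] IPT-TELNET: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=23 WINDOW=500 ACK PSH URGP=0
[1005.10] IPT-TELNET: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=23 WINDOW=500 ACK PSH URGP=0
[1006.10] IPT-TELNET: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=23 WINDOW=500 ACK PSH URGP=0
[1007.10] IPT-TELNET: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 PROTO=TCP SPT=40009 DPT=23 WINDOW=29200 SYN URGP=0
[1008.10] IPT-TELNET: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 PROTO=TCP SPT=40010 DPT=23 WINDOW=29200 SYN URGP=0
[1009.10] IPT-TELNET: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 PROTO=TCP SPT=40011 DPT=23 WINDOW=29200 SYN URGP=0
[1200.00] IPT-TELNET: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40012 DPT=23 WINDOW=29200 SYN URGP=0
"""

LOG_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\].*?SRC=(?P<src>[0-9a-fA-F.:]+).*?PROTO=(?P<proto>\w+)"
    r".*?DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH)\b")


def parse_line(line):
    """Pull timestamp, source, protocol, destination port and TCP flags out of one LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flags = set(FLAG_RE.findall(m.group("rest")))
    return {
        "ts": float(m.group("ts")),
        "src": m.group("src"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
        # A lone SYN proves nothing about the sender: its source address may be forged.
        "bare_syn": "SYN" in flags and "ACK" not in flags,
    }


def ban_decisions(lines, *, watched_ports=(23,), threshold=3, window=60.0,
                  allowlist=frozenset(), ban_bare_syn=True):
    """Return {src: timestamp_of_ban} for sources that hit a watched port
    `threshold` times inside `window` seconds. This is the decision step that
    would feed an iptables DROP rule; it never touches the firewall itself."""
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dpt"] not in watched_ports:
            continue
        src = ev["src"]
        if src in allowlist or src in banned:
            continue
        if ev["bare_syn"] and not ban_bare_syn:
            continue  # spoof-resistant mode: only packets with ACK count
        q = hits[src]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # forget hits older than the window
        if len(q) >= threshold:
            banned[src] = ev["ts"]
    return banned


if __name__ == "__main__":
    for mode in (True, False):
        result = ban_decisions(SAMPLE_LOG.splitlines(), allowlist={"203.0.113.77"},
                               ban_bare_syn=mode)
        print("ban_bare_syn=%s -> %s" % (mode, result))
```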


ryan@server:~$ sudo iptables -L -v -n | fgrep -i reject | wc -l
112


it warms my heart
posted by ryanrs at 7:51 AM on April 15, 2017


Linux iptables-based protection is enacted by the kernel, and if there were a bug in that code, then iptables won't protect the system (and could theoretically be the attack vector). Normally this would just be fear mongering, but as effbot pointed out upthread, CVE-2016-10229 just made the rounds on Wednesday. (Mudge cheekily tweeted that it "NEEDS BRANDING! ;P".) Linux machines running affected software versions that can receive UDP packets can be remotely rooted. Up to date versions aren't vulnerable, but it's a kernel level exploit which generally requires a reboot.

The fact is, we Linux users don't automatically get to be smug about computer security. (*BSD users are in the clear still.) Back in the 90's, vulnerable versions of Outlook could be exploited by simply receiving an email, which was the height of Microsoft's perceived stupidity. Fast forward to a few years ago, and it turns out Linux (specifically Exim) had the same issue where simply receiving an email could get a server rooted.

Unfortunately, as a software company, it's one thing to put up a firewall to defend against script kiddies, but due diligence to protect against the NSA (and CIA) when they have entire departments bigger than your company trying to subvert the firewall manufacturer is a bit of a different story.

In terms of the stories, the SWIFT stuff is probably the most worrying, but in terms of targets it's a pretty obvious one in hindsight.

(Do something nice for the Windows admins in your life that are unexpectedly working on Easter.)
posted by fragmede at 10:29 AM on April 15, 2017 [2 favorites]


We can safely assume that (a) the NSA/CIA have more recent Windows zeros days, and (b) Russia has copied those too, but (c) Russia wont release them until those too get burned. Fun times ahead!

It seems as though the US government doesn't retain very many 0days. I've no expertise at all, and it shocks me too, but dude makes a pretty reasonable argument.
posted by Chuckles at 5:58 PM on April 15, 2017


SO YOU'RE SAYING MY SON'S TOO GOOD FOR THE COAL MINES

It used to make me crazy back in the day when the news would breathlessly report "computer virus!" and "computer exploit! Your computer isn't safe!" and do repeated stories for several minutes and never or barely mention IT'S A WINDOWS PROBLEM NOT A COMPUTER PROBLEM! (that's what I would yell at the TV).

Now they just don't mention them at all, progress?
posted by bongo_x at 6:00 PM on April 15, 2017


God forbid you use the M word in discussions about OS security
posted by DoctorFedora at 8:39 PM on April 15, 2017


God forbid you use the M word in discussions about OS security

Rewriting everything in purely functional Haskell sounds a bit extreme...
posted by acb at 4:16 AM on April 16, 2017 [1 favorite]


Rewriting everything in purely functional Haskell sounds a bit extreme...

Full disclosure. I've been writing code since Commodore PETs TRS-80 Mod I's and HP 2000 F timesharing ttys.

And I have no fucking idea what my xmonad.hs file is doing, other than I got it to compile and treat mplayer windows properly.
posted by mikelieman at 4:40 AM on April 16, 2017


The sober technical reporting contrasted with the actual statement (Password = Reeeeeeeeeeeeeee) is a hell of a thing.
posted by lucidium at 6:02 AM on April 16, 2017


SWIFT - are they fucking insane?
posted by infini at 9:51 AM on April 16, 2017


I'm gonna go with "arrogant".
posted by Nelson at 10:12 AM on April 16, 2017 [2 favorites]

