Re: Please run windows update now

2017-05-17 Thread John Levine
In article  you write:
>fyi, current opinion in the security community seems to be that win10 is
>better secured than linuxes, bsds, ...  see http://cyber-itl.org/; still
>pretty sparse, but getting fleshed out.

Not against Microsoft.

R's,
John


Re: Please run windows update now

2017-05-16 Thread Carl Byington

On Tue, 2017-05-16 at 10:33 -0500, Brad Knowles wrote:

> In the American approach, if there are a significant number of road
> fatalities, then it's the drivers' own fault and they should have taken
> more care.  They are automatically to blame for their own failure.

Not in all parts of America. Highway 18 here just got a full metal
barrier separating the opposing traffic in much of the 4 lane section.
55 mph limit, lots of tight curves, about 18 inches separation between
the opposing traffic, and a bunch of drivers that don't know how to
drive around a curve. Someone got tired of all the head on crashes, so
they "fixed" the road.






Re: Please run windows update now

2017-05-16 Thread Josh Luthman
Can we end this thread?  I think the original intent has come and gone.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On May 16, 2017 11:40 PM,  wrote:

> On Tue, 16 May 2017 20:55:37 -0600, "Keith Medcalf" said:
> >
> > On Tuesday, 16 May, 2017 18:13, Valdis Kletnieks  wrote:
> > > On Tue, 16 May 2017 16:41:36 -0600, "Keith Medcalf" said:
> >
> > >> Of course Microsoft knew, since they wrote in the backdoor in the first
> > >> place.  That is why when informed by their employers that the backdoor
> > >> was going to be made public, they could undo the changes they had
> > >> introduced so rapidly.
> >
> > > Do you have any actual evidence or citations that in fact, this was an
> > > intentionally inserted backdoor?
> >
> > Equal in quantity and quality to the evidence to the contrary.
>
> In that case, "Of course Microsoft didn't know" is equally probable.
>
> In fact, it's *more* probable, because if it was intentional, they'd
> have to have ways in place to make sure that if some random programmer
> managed to find it and report it, the bug wouldn't get fixed - and the
> fact that there was a long-standing bug not fixed didn't get noticed by
> the QA team and the rest.  After all, once some TLA paid good money to
> get that backdoor installed, the *last* thing you want happening is the
> sentence, "What do you mean, you accidentally fixed it?"
>
> Plus, since "Microsoft didn't intentionally put the MS17-010 bug in as
> a backdoor" is the null hypothesis, it requires zero evidence, and it's
> your job to bring positive evidence for the non-null hypothesis.
>


Re: Please run windows update now

2017-05-16 Thread valdis . kletnieks
On Tue, 16 May 2017 20:55:37 -0600, "Keith Medcalf" said:
>
> On Tuesday, 16 May, 2017 18:13, Valdis Kletnieks  wrote:
> > On Tue, 16 May 2017 16:41:36 -0600, "Keith Medcalf" said:
>
> >> Of course Microsoft knew, since they wrote in the backdoor in the first
> >> place.  That is why when informed by their employers that the backdoor
> >> was going to be made public, they could undo the changes they had
> >> introduced so rapidly.
>
> > Do you have any actual evidence or citations that in fact, this was an
> > intentionally inserted backdoor?
>
> Equal in quantity and quality to the evidence to the contrary.

In that case, "Of course Microsoft didn't know" is equally probable.

In fact, it's *more* probable, because if it was intentional, they'd
have to have ways in place to make sure that if some random programmer
managed to find it and report it, the bug wouldn't get fixed - and the
fact that there was a long-standing bug not fixed didn't get noticed by
the QA team and the rest.  After all, once some TLA paid good money to
get that backdoor installed, the *last* thing you want happening is the
sentence, "What do you mean, you accidentally fixed it?"

Plus, since "Microsoft didn't intentionally put the MS17-010 bug in as
a backdoor" is the null hypothesis, it requires zero evidence, and it's
your job to bring positive evidence for the non-null hypothesis.




RE: Please run windows update now

2017-05-16 Thread Keith Medcalf

On Tuesday, 16 May, 2017 18:13, Valdis Kletnieks  wrote:
> On Tue, 16 May 2017 16:41:36 -0600, "Keith Medcalf" said:

>> Of course Microsoft knew, since they wrote in the backdoor in the first
>> place.  That is why when informed by their employers that the backdoor
>> was going to be made public, they could undo the changes they had
>> introduced so rapidly.

> Do you have any actual evidence or citations that in fact, this was an
> intentionally inserted backdoor?

Equal in quantity and quality to the evidence to the contrary.






Re: Please run windows update now

2017-05-16 Thread J. Oquendo
On Wed, 17 May 2017, Matt Palmer wrote:

> > 
> > Do you have any actual evidence or citations that in fact, this was an
> > intentionally inserted backdoor?
> 
> You'll have to speak up, he can't hear you over the rustling of the tin
> foil.
> 
> - Matt
> 

Pretty low blow considering if I saw "greys" in my yard,
I'd be all: "OMGF illuminati!"

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get=0xFC837AF59D8A4463


Re: Please run windows update now

2017-05-16 Thread Matt Palmer
On Tue, May 16, 2017 at 08:12:41PM -0400, valdis.kletni...@vt.edu wrote:
> On Tue, 16 May 2017 16:41:36 -0600, "Keith Medcalf" said:
> > Of course Microsoft knew, since they wrote in the backdoor in the first
> > place.  That is why when informed by their employers that the backdoor was
> > going to be made public, they could undo the changes they had introduced so
> > rapidly.
> 
> Do you have any actual evidence or citations that in fact, this was an
> intentionally inserted backdoor?

You'll have to speak up, he can't hear you over the rustling of the tin
foil.

- Matt



Re: Please run windows update now

2017-05-16 Thread valdis . kletnieks
On Tue, 16 May 2017 16:41:36 -0600, "Keith Medcalf" said:
> Of course Microsoft knew, since they wrote in the backdoor in the first
> place.  That is why when informed by their employers that the backdoor was
> going to be made public, they could undo the changes they had introduced so
> rapidly.

Do you have any actual evidence or citations that in fact, this was an
intentionally inserted backdoor?




RE: Please run windows update now

2017-05-16 Thread Keith Medcalf

> What would be more of an interesting discussion, to me, would be why
> doesn't Microsoft know about these hoarding of vulnerabilities by State
> actors and plug them up?

Some state actors they do know.  They custom write the security flaws on the 
state actors' request.

> Are they really that clever of vulnerabilities? Does Microsoft not have
> the resources? Is Windows like the ocean, where there are just hundreds of new
> species awaiting to be discovered?
> Did Microsoft at least know of the NSA vulnerabilities, for example, and
> kept it classified until NSA told them to plug them up?

Of course Microsoft knew, since they wrote in the backdoor in the first place.  
That is why when informed by their employers that the backdoor was going to be 
made public, they could undo the changes they had introduced so rapidly.






Re: Please run windows update now

2017-05-16 Thread LHC (k9m)
YOU WENT THERE (ignores enough to run for president)

On May 15, 2017 1:48:51 AM PDT, Randy Bush  wrote:
>> Or BSD, or anything but Windows.  Anyone running Microsoft products
>> is quite clearly an unprofessional, unethical moron and fully deserves
>> all the pain they get -- including being sued into oblivion by their
>> customers and clients for their obvious incompetence and negligence.
>
>aside from being grossly rude, hyperbolic, and unintelligent, this rant
>ignores reality enough to make you a viable presidential candidate.
>
>80% of desk/laptops run windows.  get over it.  windows is embedded in
>many systems which will be hard to update in an hour or 100 hours.  and
>rude ranting is not doing one micron to help deal with it.
>
>embedded systems are very hard to update, think special drivers, kinky
>mods, ...  aside from the long softdev time, how much time do you think
>QA will take for moving a piece of medical equipment from xp to win10,
>let alone bsd?  and the state of the bsd update process is not something
>to describe in polite company.
>
>we have a vulnerable chain from weak software (which is improving, and
>msoft has been in the lead there for a decade), to nsa/cia not
>disclosing, to people choosing or having to run old versions (of
>whatever (and linux/bsd are not immune) for financial or technical
>reasons, to the conservative or lazy logistics of patching.  we can try
>to improve things at each link.  but this is gonna be slow.
>
>though this ransomware attack is not really that much larger than other
>attacks in the past (and the future is not cheering), at least it has
>reached the front pages and maybe people will patch more and vendors
>will issue more/better updates.  but, as @zeynep says, the lack of
>liability along the chain above allows bad practices to continue.
>
>in the meantime, backup, backup and take it offline so it does not get
>encrypted for you, patch, turn off unnecessary services/options, rinse
>repeat.  and try to promote prudent use among friends, family, and
>workplace.
>
>randy

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Please run windows update now

2017-05-16 Thread valdis . kletnieks
On Tue, 16 May 2017 09:40:50 -0700, JoeSox said:
> What would be more of an interesting discussion, to me, would be why
> doesn't Microsoft know about these hoarding of vulnerabilities by State
> actors and plug them up?

It's pretty hard for Microsoft to know about an exploit the NSA is sitting
on, until Shadow Brokers or similar spills the beans.

> Are they really that clever of vulnerabilities? Does Microsoft not have the
> resources?

The talent pool for top-flight hackers is not all that large.  And even if
you acquire a large skilled team, there is *zero* guarantee that some other
talented team won't find a hole that your team didn't spot.  In fact, there's
a lot of good reason to believe that exact situation happens *all the time*.

>Is Windows like the ocean, where there are just hundreds of new
> species awaiting to be discovered?

Find statistics on average number of bugs per thousand lines of code.
Find estimate of how many 10s of millions of lines of code ships as part
of Windows.  Do the math - and have alcohol handy for the almost certain
drinking binge that the answer will inspire.

> Did Microsoft at least know of the NSA vulnerabilities, for example, and
> kept it classified until NSA told them to plug them up?

There's lots of informed speculation on that one, but I can almost guarantee that
you'll never get a definitive answer from somebody who actually knows.





Re: Please run windows update now

2017-05-16 Thread valdis . kletnieks
On Tue, 16 May 2017 12:23:36 -0500, Brad Knowles said:
> On May 16, 2017, at 11:40 AM, JoeSox  wrote:

> > Isn't it true, with any tech product, the more complex features, the less
> > secure it is? Ask yourself why this is the case, and I believe the true
> > issue with tech lies there.
>
> To a degree, this is true.  But there are more iOS devices out there than
> there are Windows boxes, and while iOS certainly isn't perfect, it definitely
> has a much better security posture.

Note that most of iOS's improved security posture is due to its design as a
launcher of apps from a tightly controlled source that tightly controls the user
experience.  It's pretty damned easy to harden Windows as well, if you're going
to hobble it into being a canned app launcher.

Of course, that will piss off everybody who's using Windows as a base for
a generalized computing environment rather than an app-launching kiosk,




Re: Please run windows update now

2017-05-16 Thread Brad Knowles
On May 16, 2017, at 11:40 AM, JoeSox  wrote:

> LOL. I think that is a really bad example and I see many fallacies in it,
> including a hasty generalization, as intersections, and roads for that
> matter, in America have been redesigned to improve safety.

So, if you want to talk about roads in the US, the first thing you have to do 
is look at the budgets.  There are trillions of dollars worth of road 
improvements that should have been made over the past decades, but which 
haven't.  You'd have to ask the politicians as to what they think the real 
reasons are, but my guess is that they were unwilling to make long-term 
investment on critical infrastructure, because it was seen as being too 
expensive in the short-term.

And I definitely see a strong analogy there with what Microsoft has/has not 
done.

> Isn't it true, with any tech product, the more complex features, the less
> secure it is? Ask yourself why this is the case, and I believe the true
> issue with tech lies there.

To a degree, this is true.  But there are more iOS devices out there than there 
are Windows boxes, and while iOS certainly isn't perfect, it definitely has a 
much better security posture.

So, there is at least one other company out there that can do the job.  I have 
to believe that there is more than just one.

> I don't know. It is hard to imagine a professional IT nowadays, seriously
> blaming Microsoft for every bad thing out there.

I don't blame Microsoft for every bad thing out there.  I do think they are, by 
far, the worst of the Fortune 25.  But there are 24 other companies on that 
list who all have their own part to play -- including Apple.

> What would be more of an interesting discussion, to me, would be why
> doesn't Microsoft know about these hoarding of vulnerabilities by State
> actors and plug them up?

Well, this one is actually an old vulnerability, right?  One that Microsoft 
supposedly fixed years ago?  So, why didn't they fix it properly back then?

> Are they really that clever of vulnerabilities? Does Microsoft not have the
> resources? Is Windows like the ocean, where there are just hundreds of new
> species awaiting to be discovered?
> Did Microsoft at least know of the NSA vulnerabilities, for example, and
> kept it classified until NSA told them to plug them up?

Good conspiracy questions to ask.  But frankly, I don't care that Microsoft 
wants to blame the NSA for hoarding vulnerabilities.  If Microsoft had spent 
more time/money/effort to get their crap right the first time, then we wouldn't 
have this mess.  We might have a different mess, but we wouldn't have this one.

-- 
Brad Knowles 



Re: Please run windows update now

2017-05-16 Thread JoeSox
On Tue, May 16, 2017 at 8:33 AM, Brad Knowles 
wrote:

> On May 15, 2017, at 4:31 PM, Jonathan Roach 
> wrote:
>
> > What's key is that administrators need to know how to secure their
> > estates. If they've failed to apply the patch, that's their failure, not
> > Microsoft's, but patching was not the only way to have curtailed this
> > weekend's outbreak.
>
> But their failure leads to further intrusions elsewhere.  Their failure
> has consequences beyond their own borders.
>
> IMO, this is a herd immunity problem that Microsoft needs to get better at.
>
>
> The analogy I would make here is the German versus the American approaches
> to road fatalities.
>
> In the German approach, if there are significant road fatalities in a
> given location, then that implies there is a failure with the way the road
> system is engineered, and it needs to be fixed so that the number of
> fatalities is brought down.  No blame is automatically assumed on the part
> of the drivers who failed at that location.
>
> In the American approach, if there are a significant number of road
> fatalities, then it's the drivers' own fault and they should have taken more
> care.  They are automatically to blame for their own failure.
>
> But if you're one of the other drivers out there who might be impacted by
> the lack of due diligence practiced by another driver on the road, which
> approach are you going to want to see implemented?
>


LOL. I think that is a really bad example and I see many fallacies in it,
including a hasty generalization, as intersections, and roads for that
matter, in America have been redesigned to improve safety.
Isn't it true, with any tech product, the more complex features, the less
secure it is? Ask yourself why this is the case, and I believe the true
issue with tech lies there.
If a country must build a China Wall duplicate in 300 days (for some
reason, to save money let's say), unless the team can pull it off and
depending upon how long it must be, the wall you end up with will probably
have some holes in it or pieces of it may collapse at later dates.
I don't know. It is hard to imagine a professional IT nowadays, seriously
blaming Microsoft for every bad thing out there.
What would be more of an interesting discussion, to me, would be why
doesn't Microsoft know about these hoarding of vulnerabilities by State
actors and plug them up?
Are they really that clever of vulnerabilities? Does Microsoft not have the
resources? Is Windows like the ocean, where there are just hundreds of new
species awaiting to be discovered?
Did Microsoft at least know of the NSA vulnerabilities, for example, and
kept it classified until NSA told them to plug them up?
--
Later, Joe


Re: Please run windows update now

2017-05-16 Thread Brad Knowles
On May 15, 2017, at 4:31 PM, Jonathan Roach  wrote:

> What's key is that administrators need to know how to secure their
> estates. If they've failed to apply the patch, that's their failure, not
> Microsoft's, but patching was not the only way to have curtailed this
> weekend's outbreak.

But their failure leads to further intrusions elsewhere.  Their failure has 
consequences beyond their own borders.

IMO, this is a herd immunity problem that Microsoft needs to get better at.


The analogy I would make here is the German versus the American approaches to 
road fatalities.

In the German approach, if there are significant road fatalities in a given 
location, then that implies there is a failure with the way the road system is 
engineered, and it needs to be fixed so that the number of fatalities is 
brought down.  No blame is automatically assumed on the part of the drivers who 
failed at that location.

In the American approach, if there are a significant number of road fatalities, 
then it's the drivers' own fault and they should have taken more care.  They are 
automatically to blame for their own failure.

But if you're one of the other drivers out there who might be impacted by the 
lack of due diligence practiced by another driver on the road, which approach 
are you going to want to see implemented?

-- 
Brad Knowles 



Re: Please run windows update now

2017-05-16 Thread valdis . kletnieks
On Mon, 15 May 2017 16:19:37 -0700, "Aaron C. de Bruyn via NANOG" said:

> Combine that with fail2ban.  When one user has more than 60 writes in
> 60 seconds *or* a write contains a well-known cryptolocker name (i.e.
> *DECRYPT_INSTRUCT*)

Oddly enough, we've seen *lots* of spammers that are *totally* able to
auto-tune their spew rate to whatever you set the knob to.  Set it to 3,293,
and it will quickly adjust to 3,250 or so.  Knock the knob down to 67, it will
tune down to 65. There's no reason to expect that the same methods won't
be used again.

If it's an entire network of vulnerable systems, it's perfectly reasonable for
malware to pick one system (the one with the least number of likely-valuable
files) as a sacrificial goat and burn it down, just to see where you've set the
knobs, and then fly under the radar for the rest of the network.

If malware waits till 5:01PM Friday or whenever it detects the user has left
for the weekend, and does a careful search of file extensions for files most
likely to be valuable enough to make the victim pay the ransom, and does them
at 3 per minute, how bad is the situation Monday morning?

So you restrict file change rate to 1 per hour or something draconian when the
user isn't at the keyboard.

What is the likely amount of time the malware can get away with doing 3 files a
minute in the background while the user *is* using the system, before they hit
an encrypted file and realize there's a problem (hint - avoid files modified in
the last few days and target more static files)?

What is the likely amount of time you can restrict the user to 2 files per
minute before they come looking for you with an ax?

Remember - the first rule of designing security is that if you haven't already
thought through the first several iterations of blatantly obvious ways to work
around your proposal, and dealt with them, it's guaranteed that the bad guys
will do so for you.

Remember this as well - the entire reason why Snowden walked away with so many
files was because the NSA was not using all the available security features
*because it put too much of a crimp in legitimate analyst activity*.  It's also
why almost nobody outside military and spook systems actually deploys MLS/MCS
security.

Given that we've been at this for well over 4 decades now, and we *still* can't
actually do it right, you should be *very* suspicious of any proposal that says
"Just count the number of opens, tie it to fail2ban, handwave yadda yadda
handwave *SECURE*".





Re: Please run windows update now

2017-05-15 Thread Joe
Hi Scott

 As with any open forum you take the good with the bad. I've been on this
list since 2001, you learn to dump the static and learn from the good
advice.
Too much information (whether good or bad) is better than none.

-Joe

On Mon, May 15, 2017 at 8:12 PM, Scott Weeks  wrote:

>
>
> --- na...@incomingmta.com wrote:
> From: "Phillip White" 
>
> ...I have been on this list for many years...Today, though,
> I felt the need to create the mailbox just so I could reply
> since your posts have been the most irritating I have ever
> seen on this list.
> --
>
>
> "the most irritating I have ever seen on this list"
>
> You can't have been on this list very long, then... ;-)
>
> scott
>



Re: Please run windows update now

2017-05-15 Thread Jonathan Roach
Microsoft aren't stupid. They have learned lessons from the days in the
90s and early 2000s when they were a laughing stock in terms of
security, and since then Windows security has improved enormously. OK,
so it's not perfect, but what software is? Dirty Cow, Shellshock and
Heartbleed for example weren't exactly minor flaws, but the world moved on.

What's key is that administrators need to know how to secure their
estates. If they've failed to apply the patch, that's their failure, not
Microsoft's, but patching was not the only way to have curtailed this
weekend's outbreak. Admins may have had their reasons for not patching -
maybe to do so would have invalidated some kind of certification on an
embedded system for example - but there should have been other controls
in place to limit the spread of this outbreak or others like it.

Something that's puzzled me about events this weekend is that hardly
anyone is mentioning firewalling. Servers generally need ports
135-139/445 to be accessible in order to act as, well, servers - but
workstations don't. Why aren't people - even cash-starved organisations
like the NHS - using the Windows firewall to protect at least their
workstations on an ongoing basis? How did this infection spread between
organisations without being stopped by a border firewall at any point?
Was nothing learned from the Blaster days? (I don't have the answer.)

Although the malware was probably injected into multiple organisations
in numerous countries via multiple phishing attacks, the spread as
reported seemed too fast between organisations and countries for it to
have been driven by phishing attacks alone, and I haven't seen any
reports showing people how to spot the phishing attempts. So I'm
guessing a lot of the propagation even between orgs was by MS17-010.

It would be interesting to find out if anyone saw unusual spikes in SMB
traffic over the weekend? Or if there are insights into any of the
semi-rhetorical questions I posed above?

Cheers,
Jon


RE: Please run windows update now

2017-05-15 Thread Scott Weeks


--- na...@incomingmta.com wrote:
From: "Phillip White" 

...I have been on this list for many years...Today, though, 
I felt the need to create the mailbox just so I could reply 
since your posts have been the most irritating I have ever 
seen on this list. 
--


"the most irritating I have ever seen on this list"

You can't have been on this list very long, then... ;-)

scott 


Re: Please run windows update now

2017-05-15 Thread Aaron C. de Bruyn via NANOG
On Mon, May 15, 2017 at 2:48 PM, J. Oquendo  wrote:
> On Mon, 15 May 2017, b...@theworld.com wrote:

>> You count the number of destructive opens in the kernel and if it
>> exceeds a threshold (for example) you stop it and pop up a warning.

That's basically what I did.  I got tired of users constantly opening
any attachment that came at them through e-mail and encrypting all the
files on their systems and other network systems, so...I installed a
Linux box running Samba backed by a ZFS file store.

Samba spits out syslog records on file writes.

Combine that with fail2ban.  When one user has more than 60 writes in
60 seconds *or* a write contains a well-known cryptolocker name (i.e.
*DECRYPT_INSTRUCT*) it immediately blocks their IP on the server,
looks up their MAC address, scans the switch for their MAC, and
disables the switch port.

Then I have a list of files in syslog that were encrypted and ZFS
snapshots I can restore from.

Additionally, some of the workstations were PXE or iSCSI booted from
the NAS so it was as simple as "Hold down the power button to turn off
your computer.  Ok, let me 'zfs rollback' your machine image...ok, now
turn your computer back on.  All set."

Plus adding new workstations was as easy as getting the MAC address
and doing a 'zfs clone' of a clean machine image.

Upgrades are easy too--boot a VM, install the latest version of
Windows, update drivers, install software packages, then shutdown,
snapshot and clone.  Tell the user to reboot their PC and they are now
running the newer OS.

Windows isn't hard if you have Linux and Unix running underneath,
behind, and between everything. ;)

-A
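
Added example, not code from Aaron's setup or from anyone on this thread: the two rules above (more than 60 writes in 60 seconds, or a write to a file named like a well-known ransom note) run over a constructed Samba-audit-style syslog excerpt. It also covers the case Valdis raises earlier in the thread, a slow writer at 3 files a minute that never trips the rate rule and is caught only by the name rule. The log layout user|ip|client|share|op|result|path and the op names are assumptions; adjust LOG_RE and WRITE_OPS to the full_audit prefix configured on your server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (site-configured) full_audit-style syslog layout:
#   <Mon DD HH:MM:SS> <host> smbd_audit: user|ip|client|share|op|result|path
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<client>[^|]*)\|(?P<share>[^|]+)\|"
    r"(?P<op>[^|]+)\|(?P<result>[^|]+)\|(?P<path>.*)$"
)
WRITE_OPS = {"pwrite", "write", "create_file", "rename", "unlink"}  # assumed op names
RANSOM_NOTE_RE = re.compile(r"DECRYPT_INSTRUCT", re.IGNORECASE)    # well-known note name
RATE_LIMIT, RATE_WINDOW = 60, 60.0  # "more than 60 writes in 60 seconds"


def parse_ts(text, year=2017):
    """syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect(lines, rate_limit=RATE_LIMIT, window=RATE_WINDOW):
    """Return (user, ip, reason, path) alerts for the two rules in the post.

    Rule 1 is rate-independent: any write to a ransom-note filename alerts.
    Rule 2 is the burst rule: more than rate_limit successful writes by one
    user inside a sliding window of `window` seconds.  Windows are per user,
    so several users saving files at once do not add up to one alert.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent writes
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "ok" or m["op"] not in WRITE_OPS:
            continue  # reads, failed ops and unparseable lines are ignored
        user, ip, path = m["user"], m["ip"], m["path"]
        ts = parse_ts(m["ts"])
        if RANSOM_NOTE_RE.search(path):
            alerts.append((user, ip, "ransom-note filename", path))
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop writes that fell out of the window
        if len(q) > rate_limit:
            alerts.append((user, ip, f"{len(q)} writes in {window:.0f}s", path))
            q.clear()  # one alert per burst; blocking the client follows
    return alerts


def make_line(ts, user, ip, op, path):
    # Constructed sample line in the assumed layout above.
    return f"{ts:%b %d %H:%M:%S} nas smbd_audit: {user}|{ip}|WS17|shared|{op}|ok|{path}"


def sample_lines():
    """Constructed syslog excerpt covering three behaviours."""
    t = datetime(2017, 5, 15, 17, 1, 0)
    lines = []
    # alice: 70 files rewritten in 35 s, a burst the rate rule should catch.
    for i in range(70):
        lines.append(make_line(t + timedelta(seconds=i // 2), "alice", "10.1.2.3",
                               "pwrite", f"finance/q1-{i:03d}.xlsx"))
    # bob: a slow writer at 3 files a minute for ten minutes, which stays under
    # the rate rule, then drops a ransom note that the name rule catches.
    t = datetime(2017, 5, 15, 17, 5, 0)
    for i in range(30):
        lines.append(make_line(t + timedelta(seconds=20 * i), "bob", "10.1.2.4",
                               "pwrite", f"finance/q2-{i:03d}.xlsx"))
    lines.append(make_line(t + timedelta(minutes=10), "bob", "10.1.2.4",
                           "create_file", "finance/DECRYPT_INSTRUCTIONS.txt"))
    # carol: normal activity, a read plus a few saves, which should stay silent.
    t = datetime(2017, 5, 15, 17, 20, 0)
    lines.append(make_line(t, "carol", "10.1.2.5", "pread", "hr/handbook.docx"))
    for i in range(5):
        lines.append(make_line(t + timedelta(minutes=i), "carol", "10.1.2.5",
                               "pwrite", "hr/handbook.docx"))
    return lines


if __name__ == "__main__":
    for user, ip, reason, path in detect(sample_lines()):
        print(f"ALERT {user}@{ip}: {reason} ({path})")
```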


Re: Please run windows update now

2017-05-15 Thread J. Oquendo
On Mon, 15 May 2017, b...@theworld.com wrote:

> Oh great a design review!
> 
> Hello Valdis, I am Barry Shein. I've done decades of internals and
> kernel work.
> 
> Ever use any Windows since about Vista? It throws up those warning
> pop-ups when you're about to do something it decides needs
> confirmation?
> 
> That was almost certainly my invention.
> 
> I described the idea on an anti-spam list and two Microsoft engineers
> contacted me to discuss whether this is feasible etc.
> 
> Never got a thank you tho.
> 
> > 
> > How do you throw a pop-up warning for that?  Pre-run it and see how many
> > might get executed? And how do you tell that the sequence ends up destroying
> > the file rather than creating a new one?
> 
> You count the number of destructive opens in the kernel and if it
> exceeds a threshold (for example) you stop it and pop up a warning.
> 
> For example.
> 
> As I said this is the sort of thing which is suitable for an end-user
> OS and no doubt annoying in a server OS.
> 

*popcorn* ... What was the original thread about? Because
once upon a time as a proof of concept for "undetectable"
viruses on *nix, (was for a competition where I was not
allowed to play post disclosure of PoC), anyway, I
created a really really bad mechanism to negatively
impact ALL BSDs, Solaris, Linux, it was *nix agnostic.


Bigger takeaway, malware/scumware/whateverware authors
target Windows because there are more users. For someone
dealing with security 24x7x365, I can state MS has come
a very long way from what they were, including dealing
with MSRC and other departments. Do you have any idea
how difficult it is to deal with certain *nix projects?
Freshmeat? Github, hobby...

Apples and oranges. And I CAN COUNT the number of
destructive opens read, and write on any nix system, so
perhaps we should kill this thread before it becomes:
my NetBSD toaster is better than your windows powered
refrigerator.


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get=0xFC837AF59D8A4463


Re: Please run windows update now

2017-05-15 Thread Royce Williams
On Fri, May 12, 2017 at 10:30 AM, Royce Williams 
wrote:

> My $0.02, for people doing internal/private triage:
>
> - If your use of IPv4 space is sparse by routes, dump your internal
> routing table and convert to summarized CIDR.
>
> - Feed your CIDRs to masscan [1] to scan for internal port 445 (masscan
> randomizes targets, so destination office WAN links won't saturate, but
> local/intermediate might if you're not careful, so tune):
>
> sudo masscan -p445 --rate=[packets-per-second safe for your network]
> -iL routes.list -oG masscan-445.out
>
> - Use https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners (the
> python2 one, or the Metasploit one if you can use that internally) to
> detect vuln. the python one is *not* a parallelized script, so consider
> breaking it into multiple parallel runners if you have a lot of scale.
>

Note - I've learned that the detection rate for the Python script above is
*much* lower than this nmap script. I recommend using the nmap script
instead:

https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse



> - If you're using SCCM/other, verify that MS17-010 was applied - but be
> mindful of Windows-based appliances not centrally patched, etc. Trust but
> verify.
>
> - In parallel, consider investigating low-hanging fruit by OU
> (workstations?) to disable SMBv1 entirely.
>
> Royce
>
> 1. https://github.com/robertdavidgraham/masscan
>
>
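
Added example, not Royce's own tooling: the first three steps of the triage above in Python, collapsing routed prefixes into summarized CIDRs for masscan, pulling the hosts that masscan reported with 445 open out of its grepable output, and building the follow-up nmap command with the NSE script linked above. The masscan -oG excerpt is constructed and its exact layout is an assumption; the NSE script path is a placeholder for wherever you saved it.

```python
import ipaddress
import re

# Constructed masscan -oG excerpt (layout assumed from masscan's grepable output).
MASSCAN_OG_SAMPLE = """\
# Masscan 1.0.3 scan initiated Mon May 15 09:00:00 2017
# Ports scanned: TCP(1;445-445) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1494838800\tHost: 10.1.0.17 ()\tPorts: 445/open/tcp////
Timestamp: 1494838801\tHost: 10.1.1.40 ()\tPorts: 445/open/tcp////
Timestamp: 1494838802\tHost: 10.1.2.9 ()\tPorts: 445/open/tcp////
Timestamp: 1494838803\tHost: 10.1.0.17 ()\tPorts: 445/open/tcp////
# Masscan done at Mon May 15 09:00:05 2017
"""
# Lenient match so small layout differences (extra columns) do not matter.
HOST_RE = re.compile(r"Host:\s+(\S+)\s.*Ports:\s+(\d+)/open/")


def summarize_routes(prefixes):
    """Collapse routed prefixes (as dumped from a routing table) into the
    smallest covering set of CIDRs, so masscan gets a short target list.
    Prefixes with host bits set (10.1.0.5/24) are accepted and normalized."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def open_hosts(og_text, port=445):
    """Hosts masscan reported with `port` open, deduplicated, first-seen order."""
    seen = []
    for line in og_text.splitlines():
        m = HOST_RE.search(line)
        if m and int(m.group(2)) == port and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def nmap_check_command(hosts, script_path="smb-vuln-ms17-010.nse"):
    """argv for the follow-up check with the NSE script linked in the post
    (script_path is a placeholder: point it at the downloaded .nse file)."""
    return ["nmap", "-p445", "--script", script_path, *hosts]


if __name__ == "__main__":
    routes = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/23", "10.1.0.5/24", "10.2.0.7/32"]
    print("masscan targets:", " ".join(summarize_routes(routes)))
    hosts = open_hosts(MASSCAN_OG_SAMPLE)
    print("hosts with 445 open:", " ".join(hosts))
    print("next step:", " ".join(nmap_check_command(hosts)))
```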


Re: Please run windows update now

2017-05-15 Thread bzs

On May 15, 2017 at 16:17 valdis.kletni...@vt.edu (valdis.kletni...@vt.edu) 
wrote:
 > On Mon, 15 May 2017 15:45:26 -0400, b...@theworld.com said:
 > 
 > > So for example why does a client OS produced with that much money
 > > available even allow things like wholesale encryption of files without
 > > at least popping up one of those warnings to confirm that you really
 > > meant to run a program on $THRESHOLD files, opening them for update
 > > etc, not just read?
 > 
 > Well Barry, I can tell you why, with examples from the Unix world.
 > 
 > for i in *; do encrypt < $i > $i.new; mv $i.new $i; done

Oh great a design review!

Hello Valdis, I am Barry Shein. I've done decades of internals and
kernel work.

Ever use any Windows since about Vista? It throws up those warning
pop-ups when you're about to do something it decides needs
confirmation?

That was almost certainly my invention.

I described the idea on an anti-spam list and two Microsoft engineers
contacted me to discuss whether this is feasible etc.

Never got a thank you tho.

 > 
 > How do you throw a pop-up warning for that?  Pre-run it and see how many >
 > might get executed? And how do you tell that the sequence ends up destroying
 > the file rather than creating a new one?

You count the number of destructive opens in the kernel and if it
exceeds a threshold (for example) you stop it and pop up a warning.

For example.

As I said this is the sort of thing which is suitable for an end-user
OS and no doubt annoying in a server OS.

 > 
 > OK. How about this one?
 > 
 > cat > ./wombat << EOF
 > #!/bin/bash
 > encrypt < $1 > $1.new; mv $1.new $1
 > EOF
 > chmod +x ./wombat
 > for i in *; do ./wombat $i; done
 > 
 > Now convert that to C and bury that whole thing inside a binary.  How does the
 > operating system detect that and throw a pop-up *before* that executes?
 > 
 > It's a lot harder problem than you think.  Hint:  Fred Cohen's PhD thesis
 > showed that detecting malware is isomorphic to the Turing Halting Problem.
 > 

You don't seem to understand how OS's work which surprises me in your
case.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Please run windows update now

2017-05-15 Thread William Waites

> On May 15, 2017, at 21:17, valdis.kletni...@vt.edu wrote:
> 
>> So for example why does[n’t] a client OS confirm that you really
>> meant to run a program on $THRESHOLD files…

> How does the operating system detect that and throw a pop-up
> *before* that executes?
> 
> It's a lot harder problem than you think.  Hint:  Fred Cohen's PhD
> thesis showed that detecting malware is isomorphic to the Turing
> Halting Problem.

The general problem might well be that hard, I don’t know, it seems
plausible. However Barry’s suggestion doesn’t seem impossible.

One strategy is as follows. Have a counter in the kernel about writes to
files. Have some sort of log-structured filesystem with checkpoints or
whatever. When the counter goes too fast, show Barry’s dialog box and
if the user says no, roll back the filesystem to the time just before the
process (or its parent, or its parent’s parent, …) started. There are 
details to be ironed out, of course, but there’s no reason in principle
that it couldn’t be done like this.

The reason that you don’t have to make the operating system solve
the halting problem is because you ask the user.

William Waites
Laboratory for Foundations of Computer Science
School of Informatics, University of Edinburgh
Informatics Forum 5.38, 10 Crichton St.
Edinburgh, EH8 9AB, Scotland

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
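
Barry's threshold counter and William's checkpoint-and-rollback strategy, modelled together as an added example that is not code from anyone in this thread. The in-memory file store, the pid/parent bookkeeping and the ask() callback are stand-ins for kernel and filesystem machinery and are assumptions of mine; the point the model shows is that attributing destructive opens to the root of the process lineage makes Valdis's one-helper-per-file wombat loop look like a single actor, and that the user's answer, not the OS, decides the undecidable part.

```python
"""Toy model of the write-rate guard sketched by Barry and William: the
kernel counts destructive opens per process lineage in a sliding window,
trips a threshold, asks the user, and on 'no' rolls the files back to a
checkpoint taken when the lineage started.  Added example, not code from
the thread; ToyFS, spawn()/root_of() and ask() are assumptions standing
in for real kernel and filesystem facilities."""
from collections import defaultdict, deque


class ToyFS:
    """In-memory files with named checkpoints (stand-in for the
    log-structured filesystem with snapshots William mentions)."""

    def __init__(self, files):
        self.files = dict(files)
        self.checkpoints = {}

    def checkpoint(self, tag):
        self.checkpoints[tag] = dict(self.files)

    def rollback(self, tag):
        self.files = dict(self.checkpoints[tag])


class WriteRateGuard:
    """Counts destructive opens (open-for-write/truncate, rename-over,
    unlink) within a sliding window, attributed to the root ancestor of
    the calling process so a loop that forks a helper per file is
    counted as one actor."""

    def __init__(self, fs, threshold, window, ask):
        self.fs = fs
        self.threshold = threshold          # opens allowed per window
        self.window = window                # window length in seconds
        self.ask = ask                      # root pid -> True if user allows
        self.parent = {}                    # pid -> parent pid (None = root)
        self.events = defaultdict(deque)    # root pid -> open timestamps
        self.approved = set()               # roots the user waved through
        self.blocked = set()                # roots the user refused

    def spawn(self, pid, ppid=None):
        self.parent[pid] = ppid
        if ppid is None:                    # new lineage: snapshot first
            self.fs.checkpoint(pid)

    def root_of(self, pid):
        while self.parent.get(pid) is not None:
            pid = self.parent[pid]
        return pid

    def destructive_open(self, pid, path, data, now):
        """Apply the write and return True, or block the lineage, roll its
        changes back to the checkpoint and return False."""
        root = self.root_of(pid)
        if root in self.blocked:
            return False
        stamps = self.events[root]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) > self.threshold and root not in self.approved:
            if self.ask(root):
                self.approved.add(root)
            else:
                self.fs.rollback(root)
                self.blocked.add(root)
                return False
        self.fs.files[path] = data
        return True


def simulate(threshold=3, user_allows=False):
    """Replay the wombat loop: a shell (pid 100) forks one helper per file
    and each helper rewrites one file.  Returns (writes applied, files)."""
    fs = ToyFS({f"doc{i}.txt": f"plain {i}" for i in range(6)})
    guard = WriteRateGuard(fs, threshold, window=10.0,
                           ask=lambda root: user_allows)
    guard.spawn(100)                        # the `for i in *` shell
    applied = 0
    for i in range(6):
        helper = 200 + i
        guard.spawn(helper, ppid=100)       # ./wombat $i
        if guard.destructive_open(helper, f"doc{i}.txt", "ENCRYPTED",
                                  now=float(i)):
            applied += 1
    return applied, fs.files
```

With threshold 3 and the user saying no, three writes land before the fourth trips the guard, and the rollback restores all six files to their checkpointed contents; with the user saying yes, the lineage is approved once and the remaining writes go through. Burying the loop in a C binary changes nothing here, since the counter sits on the open path, not on the program text. The cost is the one Barry concedes: backups, compilers and bulk re-encoders trip the same threshold and need the prompt or an allow-list.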



Re: Please run windows update now

2017-05-15 Thread valdis . kletnieks
On Mon, 15 May 2017 15:45:26 -0400, b...@theworld.com said:

> So for example why does a client OS produced with that much money
> available even allow things like wholesale encryption of files without
> at least popping up one of those warnings to confirm that you really
> meant to run a program on $THRESHOLD files, opening them for update
> etc, not just read?

Well Barry, I can tell you why, with examples from the Unix world.

for i in *; do encrypt < $i > $i.new; mv $i.new $i; done

How do you throw a pop-up warning for that?  Pre-run it and see how many >
might get executed? And how do you tell that the sequence ends up destroying
the file rather than creating a new one?

OK. How about this one?

cat > ./wombat << EOF
#!/bin/bash
encrypt < $1 > $1.new; mv $1.new $1
EOF
chmod +x ./wombat
for i in *; do ./wombat $i; done

Now convert that to C and  bury that whole thing inside a binary.  How does the
operating system detect that and throw a pop-up *before* that executes?

It's a lot harder problem than you think.  Hint:  Fred Cohen's PhD thesis
showed that detecting malware is isomorphic to the Turing Halting Problem.






Re: Please run windows update now

2017-05-15 Thread bzs

Since everyone else is bloviating I may as well also...

The underlying problem is that Microsoft tried to produce basically
one operating system for both servers and end-users and most anything
in between.

Putting some lipstick on them and names such as "server 2008" doesn't
negate that.

Ok so did everyone, sort of (does Apple even make servers? ok ok I
know the response, cylindrical things.)

But others, which means the un*x sphere, at least had the excuse that
they were practically unfunded with a few notable exceptions (but Sun
is gone no sense beating the dead.)

MS has about $100B cash on hand and has generally been a quite
profitable enterprise for longer than probably most people on this
list have been alive.

So for example why does a client OS produced with that much money
available even allow things like wholesale encryption of files without
at least popping up one of those warnings to confirm that you really
meant to run a program on $THRESHOLD files, opening them for update
etc, not just read? Even backup doesn't do that. I suppose update does
but that and similar could be handled specially.

Why?

Because it would be annoying to their server customers if they
interfered and it seems that's how decisions are made. Over and
over. And over.

What we really have is the end result of a company spending as little
as possible on their product and optimizing their bottom line because
no one has any power to make them produce anything better.

  One code base to rule them all, One code base to sell them, One code
  base to bring them all, And in their darkness bind them.

That's what MS needs to be held accountable for, sucking literally
hundreds of billions from companies and consumers (that is, no lack of
money) and passing the pain of an inferior product to those consumers
much like the car industry did until Ralph Nader ("Unsafe At Any
Speed") and others began pointing this out in the 1960s and action was
taken and we got some omg seat belts and attention paid to how easily
a car of that era could roll over on a turn at 25mph, etc.

I think making feelgood comments like one has to be an idiot to run
Windows is a huge waste of time at this point. That horse is out of
the barn, has sailed, the barn door is still wide open, and it's
become too way late to fret over saving nine except forward.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


RE: Please run windows update now

2017-05-15 Thread timrutherford
>> https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
>>
>> Look near the bottom under Further Resources.

Those links appear to be patches for older versions of Windows.

The link that Josh sent initially is probably the most straightforward for
currently supported versions.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Scroll down below “Affected Software and Vulnerability Severity Ratings” and
click on the link in the left column; it will bring you to the MS Update Catalog
download page for the patch in question.

Keep in mind that since MS started doing monthly patch rollups instead of
individual patches, they are listing a “rollup” KB# and “security only” KB# for
each version of Windows.

For example, look at Windows 2012/2012R2 above – there are four different KB#s
depending on the OS version and update method being used.

KB4012217 : “monthly rollup” version for 2012 (gets delivered via windows
update - contains this patch and several others)

KB4012214 : “security only” version for 2012 for this one patch

KB4012216 : 2012R2 version of the rollup

KB4012213 : 2012R2 version of the security only patch

 

 

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Keith Stokes
Sent: Monday, May 15, 2017 11:49 AM
To: Keith Medcalf <kmedc...@dessus.com>
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Look near the bottom under Further Resources.

On May 15, 2017, at 10:44 AM, Keith Medcalf <kmedc...@dessus.com> wrote:

I do not see any links to actually download the actual patches.  Just a bunch
of text drivel.

--
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of timrutherf...@c4.net
Sent: Monday, 15 May, 2017 09:23
To: 'Josh Luthman'; 'Nathan Fink'
Cc: nanog@nanog.org
Subject: RE: Please run windows update now

I should clarify, the link in my email below is only for windows versions that
are considered unsupported.

This one has links for the currently supported versions of windows

https://support.microsoft.com/en-us/help/4013389/title

-Original Message-
From: timrutherf...@c4.net [mailto:timrutherf...@c4.net]
Sent: Monday, May 15, 2017 11:12 AM
To: 'Josh Luthman' <j...@imaginenetworksllc.com>; 'Nathan Fink' <nef...@gmail.com>
Cc: 'nanog@nanog.org' <nanog@nanog.org>
Subject: RE: Please run windows update now

They even released updates for XP & 2003

http://www.catalog.update.microsoft.com/search.aspx?q=4012598

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Luthman
Sent: Monday, May 15, 2017 10:45 AM
To: Nathan Fink <nef...@gmail.com>
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

Link?

I only posted it as reference to the vulnerability.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink <nef...@gmail.com> wrote:

I show MS17-010 as already superseded in SCCM

On Fri, May 12, 2017 at 1:44 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:

MS17-010
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, May 12, 2017 at 2:35 PM, JoeSox <joe...@gmail.com> wrote:

Thanks for the headsup but I would expect to see some references to the patches
that need to be installed to block the vulnerability (

RE: Please run windows update now

2017-05-15 Thread Eliezer Croitoru
Calling someone who uses Windows un-professional would be a "gossip" style
phrase.
This is a piece of software which can be tested and compared to others.
Would Android be better than Windows only because it is based on the Linux
kernel or since it's based on the full engineering it was invested from the
bottom up? 

So from my point of view on things:
Windows is good
Linux is good
BSD is good
Mac is good
Others, good...

But depends on what you need.
If you need to work with a system that has a specific compatibility or
usability levels then this is what you need.
If it works for me it doesn't mean that it's either good or bad for me and
others!

I love Linux based systems but they all need some "magic hands" on them to
convert them from Linux to "something better".
So with this in mind: If you are a magician and Linux feels good for you it
doesn't mean that everybody should be magicians!

All The Bests,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
valdis.kletni...@vt.edu
Sent: Monday, May 15, 2017 10:47 AM
To: Rich Kulawiec <r...@gsp.org>
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

On Mon, 15 May 2017 02:12:27 -0400, Rich Kulawiec said:

> Or BSD, or anything but Windows.  Anyone running Microsoft products is 
> quite clearly an unprofessional, unethical moron and fully deserves 
> all the pain they get

Tell you what.  Go over to http://line6.com/software/ - You convince them to
produce a Linux version of the software for their musician's gear, and I'll
get rid of the Toshiba laptop running Windows.  Alternatively, find me an
OSX laptop that costs anywhere near the $400 I paid for the Toshiba
Satellite.

(And yes, I already tried running their software in a VM; neither VirtualBox
nor VMware does a good enough job of emulating MIDI-over-USB2 to let the
drivers in the VM connect to my Pod HD, so don't bother suggesting that).

You want to repeat your claim that I'm an unprofessional, unethical moron
because I have a fully patched Windows 10 laptop that's backed up on a
regular basis because there's no realistic alternative?





RE: Please run windows update now

2017-05-15 Thread Phillip White

You, sir, are to be congratulated!  I have been on this list for many years
- mainly to keep in the loop.  Up until today the list went to a catch-all
account as I have never felt the need to post.  Today, though, I felt the
need to create the mailbox just so I could reply since your posts have been
the most irritating I have ever seen on this list.  The complete ineptness
in any of the points you shared was astonishing.  If you are on this list
you are most likely in some business associated with the Internet so if you
are like some of those that "just want to get some regular work done" let me
remind you that this _is_ regular work.  Get it done.  Microsoft isn't to
blame here.  It's the people who refuse to upgrade their Operating Systems
or patch religiously who are (read: IT departments here too).  A lot more of
the world use Microsoft products than you seem to think - it is the dominant
and it's not going away.  If this causes you more work than the random
scripts you google on the Internet to run on your *nix boxes perhaps your
time in the business is up.  I too prefer and enjoy running all sorts of
flavors of unix/Linux and sometimes you will find that I bash the occasional
Windows user for being less than diligent but there is a limit to this
bashing and you, Rich, have well exceeded that IMO.

For those of you on this list that feel that this post was not necessary, I
am sorry and would normally agree with you and I hardly think it will happen
again.

Phillip White

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Rich Kulawiec
Sent: Monday, May 15, 2017 4:37 AM
To: nanog@nanog.org
Subject: Re: Please run windows update now


You make some excellent points: but I grow very, very tired of having to
spend my time and my energy -- note timestamp on my message -- dealing with
the fallout.  It should be painfully clear to everyone that there is no such
thing as a secure Windows system.  [1]  It should have been painfully clear
after Code Red, after the rise of bots, and after a hundred other incidents
before/since of varying severity and duration.
But apparently it's not and so despite the impact of this current one --
including large-scale disruption of healthcare in the UK -- this will keep
happening over and over again.  And even those of us who have the good
judgment to never use Microsoft products have to pay the price for the poor
decision-making of others.  Again.  And again.

It's getting old.  Just like all the other things that people do (many of
which have been discussed here at great length) that cause problems for
others who are making an earnest attempt to do things right.
How bad do things have to get before the people who are stubbornly
clinging to this finally let go?   Does someone have to die?  Because --
again, see healthcare provider impact in the UK -- we're not that far from
it.

---rsk

[1] There may be no such thing as a secure system, period.  But it would be
better to deploy things that may have a fighting chance instead of things
that have long since proven to have none at all.



Re: Please run windows update now

2017-05-15 Thread Brad Knowles
On May 15, 2017, at 11:21 AM, J. Oquendo  wrote:

>> Not everyone licks their chops and thinks "fresh meat" when they see 
>> worldwide panic that results from a massive security hole like this.
> 
> Jump in the security space, where we may gladly trade our
> cats and dogs for Porsche Panameras

Thanks, but no.  I am already forced to do much more in the security space than 
I would like.

And I love my little miracle kitty very much.  I wouldn't trade her for any 
kind of vehicle in this world.  I am rather less materialistic than that.

-- 
Brad Knowles 



Re: Please run windows update now

2017-05-15 Thread J. Oquendo
On Mon, 15 May 2017, Brad Knowles wrote:

> If Microsoft didn't open the security hole in the first place, then there 
> wouldn't be a need to patch it afterwards.

You are very correct. Microsoft opened the hole because
they had nothing better to do. Or, could it be that these
things happen, akin to a car having to perform a recall.
I am sure (with the exception of Volkswagen's clusterf^W)
no vendor in any vertical wants to put out subpar products
(call me a dreamer.)

> Of course, there will always be patches that need to be applied, and people 
> do have to decide what is a sane patching process.  But if a patch can be 
> completely avoided because they were more careful and rigorous in their 
> development to begin with, then as a whole the world would be better off.

Rigorous in development means little. Go pick an RFC and
you will find that over time, even the foundations have at
some point or another been broken/circumvented. I have a
mental running joke "Blame Paul Vixie!!!" (Sorry Paul :))
When the world lost their ability to use common sense,
anything related to DNS became a blame Paul for writing
BIND. No... Old saying: "Any time you point the finger,
remember, there are more of your fingers pointing back at
you."

Organizations do perform testing, and some don't. Just
because some don't does not mean the industry as a whole
won't, or doesn't do it. The fact MS went out of their way
to make patches for systems they SPECIFICALLY stated they
would not support no more gives them kudos across the
board.
 
> An ounce of prevention on their part would prevent a pound of cure having to 
> be applied by everyone else in the world.

With 20/20 vision, should that mean I should be expected
to see someone throwing a 100MPH fastball at me from
my back? Would my pound of cure be ESP for seeing the
future?

> But then Microsoft couldn't extract their value from selling that pound of 
> cure, so that would be another problem.

Sorry to tell you this, that comment makes little sense.
I didn't know Microsoft sold that pound of cure (patch).

> Not everyone licks their chops and thinks "fresh meat" when they see 
> worldwide panic that results from a massive security hole like this.

Jump in the security space, where we may gladly trade our
cats and dogs for Porsche Panameras

> Some of us just want to get regular work done.

And some of us find that life goes on. This is no different
than Nimda, and other minor fiascos that occur every once
in a while. With the exception of Morris. No one, not even
the worms in the dirt like him.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get=0xFC837AF59D8A4463


Re: Please run windows update now

2017-05-15 Thread Brad Knowles
On May 15, 2017, at 10:08 AM, J. Oquendo  wrote:

> Spot on. Shame on Microsoft for releasing patches and not
> forcing the installation versus letting security managers
> open up ISC^, and other nonsensical frameworks to do things
> like "change/patch management" tasks. I mean, who cares if
> one little patch knocks a business out of existence.

If Microsoft didn't open the security hole in the first place, then there 
wouldn't be a need to patch it afterwards.

Of course, there will always be patches that need to be applied, and people do 
have to decide what is a sane patching process.  But if a patch can be 
completely avoided because they were more careful and rigorous in their 
development to begin with, then as a whole the world would be better off.

> I do believe Microsoft is directly responsible for making
> people such daft "To patch or not to patch" admins. Force
> feed patches on everyone! Then your next message will be:
> "I believe Microsoft is responsible for trillions of
> dollars by pushing out patches forcefully and negatively
> impacting businesses worldwide."

An ounce of prevention on their part would prevent a pound of cure having to be 
applied by everyone else in the world.

But then Microsoft couldn't extract their value from selling that pound of 
cure, so that would be another problem.

> Pain and anguish? I'm smiling and drinking coffee. I adore
> when security shenanigas occur. That is the sound of a cash
> register to me.

Not everyone licks their chops and thinks "fresh meat" when they see worldwide 
panic that results from a massive security hole like this.

Some of us just want to get regular work done.

-- 
Brad Knowles 



Re: Please run windows update now

2017-05-15 Thread Keith Stokes
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/


Look near the bottom under Further Resources.


On May 15, 2017, at 10:44 AM, Keith Medcalf 
<kmedc...@dessus.com<mailto:kmedc...@dessus.com>> wrote:


I do not see any links to actually download the actual patches.  Just a bunch 
of text drivel.


--
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
timrutherf...@c4.net<mailto:timrutherf...@c4.net>
Sent: Monday, 15 May, 2017 09:23
To: 'Josh Luthman'; 'Nathan Fink'
Cc: nanog@nanog.org
Subject: RE: Please run windows update now

I should clarify, the link in my email below is only for windows versions
that are considered unsupported.

This one has links for the currently supported versions of windows

https://support.microsoft.com/en-us/help/4013389/title


-Original Message-
From: timrutherf...@c4.net [mailto:timrutherf...@c4.net]
Sent: Monday, May 15, 2017 11:12 AM
To: 'Josh Luthman' <j...@imaginenetworksllc.com>; 'Nathan Fink'
<nef...@gmail.com>
Cc: 'nanog@nanog.org' <nanog@nanog.org>
Subject: RE: Please run windows update now

They even released updates for XP & 2003

http://www.catalog.update.microsoft.com/search.aspx?q=4012598


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Luthman
Sent: Monday, May 15, 2017 10:45 AM
To: Nathan Fink <nef...@gmail.com>
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

Link?

I only posted it as reference to the vulnerability.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink <nef...@gmail.com> wrote:

I show MS17-010 as already superseded in SCCM

On Fri, May 12, 2017 at 1:44 PM, Josh Luthman
<j...@imaginenetworksllc.com

wrote:

MS17-010
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, May 12, 2017 at 2:35 PM, JoeSox <joe...@gmail.com> wrote:

Thanks for the headsup but I would expect to see some references
to the patches that need to be installed to block the
vulnerability (Sorry for sounding like a jerk).
We all know to update systems ASAP.

--
Later, Joe

On Fri, May 12, 2017 at 10:35 AM, Ca By <cb.li...@gmail.com> wrote:

This looks like a major worm that is going global

Please run windows update as soon as possible and spread the
word

It may be worth also closing down ports 445 / 139 / 3389

http://www.npr.org/sections/thetwo-way/2017/05/12/
528119808/large-cyber-attack-hits-englands-nhs-hospital-
system-ransoms-demanded


---

Keith Stokes


RE: Please run windows update now

2017-05-15 Thread Keith Medcalf

I do not see any links to actually download the actual patches.  Just a bunch 
of text drivel.


--
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı

> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
> timrutherf...@c4.net
> Sent: Monday, 15 May, 2017 09:23
> To: 'Josh Luthman'; 'Nathan Fink'
> Cc: nanog@nanog.org
> Subject: RE: Please run windows update now
>
> I should clarify, the link in my email below is only for windows versions
> that are considered unsupported.
>
> This one has links for the currently supported versions of windows
>
>   https://support.microsoft.com/en-us/help/4013389/title
>
>
> -Original Message-
> From: timrutherf...@c4.net [mailto:timrutherf...@c4.net]
> Sent: Monday, May 15, 2017 11:12 AM
> To: 'Josh Luthman' <j...@imaginenetworksllc.com>; 'Nathan Fink'
> <nef...@gmail.com>
> Cc: 'nanog@nanog.org' <nanog@nanog.org>
> Subject: RE: Please run windows update now
>
> They even released updates for XP & 2003
>
> http://www.catalog.update.microsoft.com/search.aspx?q=4012598
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Luthman
> Sent: Monday, May 15, 2017 10:45 AM
> To: Nathan Fink <nef...@gmail.com>
> Cc: nanog@nanog.org
> Subject: Re: Please run windows update now
>
> Link?
>
> I only posted it as reference to the vulnerability.
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Sat, May 13, 2017 at 2:07 AM, Nathan Fink <nef...@gmail.com> wrote:
>
> > I show MS17-010 as already superseded in SCCM
> >
> > On Fri, May 12, 2017 at 1:44 PM, Josh Luthman
> > <j...@imaginenetworksllc.com
> > >
> > wrote:
> >
> > > MS17-010
> > > https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> > >
> > >
> > > Josh Luthman
> > > Office: 937-552-2340
> > > Direct: 937-552-2343
> > > 1100 Wayne St
> > > Suite 1337
> > > Troy, OH 45373
> > >
> > > On Fri, May 12, 2017 at 2:35 PM, JoeSox <joe...@gmail.com> wrote:
> > >
> > > > Thanks for the headsup but I would expect to see some references
> > > > to the patches that need to be installed to block the
> > > > vulnerability (Sorry for sounding like a jerk).
> > > > We all know to update systems ASAP.
> > > >
> > > > --
> > > > Later, Joe
> > > >
> > > > On Fri, May 12, 2017 at 10:35 AM, Ca By <cb.li...@gmail.com> wrote:
> > > >
> > > > > This looks like a major worm that is going global
> > > > >
> > > > > Please run windows update as soon as possible and spread the
> > > > > word
> > > > >
> > > > > It may be worth also closing down ports 445 / 139 / 3389
> > > > >
> > > > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > > > system-ransoms-demanded
> > > > >
> > > >
> > >
> >
>






RE: Please run windows update now

2017-05-15 Thread timrutherford
I should clarify, the link in my email below is only for windows versions that 
are considered unsupported.

This one has links for the currently supported versions of windows 

https://support.microsoft.com/en-us/help/4013389/title


-Original Message-
From: timrutherf...@c4.net [mailto:timrutherf...@c4.net] 
Sent: Monday, May 15, 2017 11:12 AM
To: 'Josh Luthman' <j...@imaginenetworksllc.com>; 'Nathan Fink' 
<nef...@gmail.com>
Cc: 'nanog@nanog.org' <nanog@nanog.org>
Subject: RE: Please run windows update now

They even released updates for XP & 2003

http://www.catalog.update.microsoft.com/search.aspx?q=4012598


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Luthman
Sent: Monday, May 15, 2017 10:45 AM
To: Nathan Fink <nef...@gmail.com>
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

Link?

I only posted it as reference to the vulnerability.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink <nef...@gmail.com> wrote:

> I show MS17-010 as already superseded in SCCM
>
> On Fri, May 12, 2017 at 1:44 PM, Josh Luthman 
> <j...@imaginenetworksllc.com
> >
> wrote:
>
> > MS17-010
> > https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> >
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Fri, May 12, 2017 at 2:35 PM, JoeSox <joe...@gmail.com> wrote:
> >
> > > Thanks for the headsup but I would expect to see some references 
> > > to the patches that need to be installed to block the 
> > > vulnerability (Sorry for sounding like a jerk).
> > > We all know to update systems ASAP.
> > >
> > > --
> > > Later, Joe
> > >
> > > On Fri, May 12, 2017 at 10:35 AM, Ca By <cb.li...@gmail.com> wrote:
> > >
> > > > This looks like a major worm that is going global
> > > >
> > > > Please run windows update as soon as possible and spread the 
> > > > word
> > > >
> > > > It may be worth also closing down ports 445 / 139 / 3389
> > > >
> > > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > > system-ransoms-demanded
> > > >
> > >
> >
>




RE: Please run windows update now

2017-05-15 Thread timrutherford
They even released updates for XP & 2003

http://www.catalog.update.microsoft.com/search.aspx?q=4012598


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Luthman
Sent: Monday, May 15, 2017 10:45 AM
To: Nathan Fink <nef...@gmail.com>
Cc: nanog@nanog.org
Subject: Re: Please run windows update now

Link?

I only posted it as reference to the vulnerability.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink <nef...@gmail.com> wrote:

> I show MS17-010 as already superseded in SCCM
>
> On Fri, May 12, 2017 at 1:44 PM, Josh Luthman 
> <j...@imaginenetworksllc.com
> >
> wrote:
>
> > MS17-010
> > https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> >
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Fri, May 12, 2017 at 2:35 PM, JoeSox <joe...@gmail.com> wrote:
> >
> > > Thanks for the headsup but I would expect to see some references 
> > > to the patches that need to be installed to block the 
> > > vulnerability (Sorry for sounding like a jerk).
> > > We all know to update systems ASAP.
> > >
> > > --
> > > Later, Joe
> > >
> > > On Fri, May 12, 2017 at 10:35 AM, Ca By <cb.li...@gmail.com> wrote:
> > >
> > > > This looks like a major worm that is going global
> > > >
> > > > Please run windows update as soon as possible and spread the 
> > > > word
> > > >
> > > > It may be worth also closing down ports 445 / 139 / 3389
> > > >
> > > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > > system-ransoms-demanded
> > > >
> > >
> >
>




Re: Please run windows update now

2017-05-15 Thread J. Oquendo
On Mon, 15 May 2017, Brad Knowles wrote:

> As much as I hate, loathe, and despise Microsoft, there's always going to be 
> someone/something out there that is "the worst".  Eliminate the current 
> "worst", and there will be another one right behind them.
> 
> I do believe that Microsoft is directly responsible for trillions of 
> dollars/euros of damage done to economies worldwide, due to their lax 
> security practices over the years.  Their advances have only come at the cost 
> of great pain on the part of others, and they have been kicking and screaming 
> all the while being dragged into the modern world.
> 
> The rest of us will continue to bear the pain and anguish that they create.  
> That's just the way things are.  Not the way they should be, but the way they 
> are.
> 
> -- 
> Brad Knowles 


Spot on. Shame on Microsoft for releasing patches and not
forcing the installation versus letting security managers
open up ISC^, and other nonsensical frameworks to do things
like "change/patch management" tasks. I mean, who cares if
one little patch knocks a business out of existence.

I do believe Microsoft is directly responsible for making
people such daft "To patch or not to patch" admins. Force
feed patches on everyone! Then your next message will be:
"I believe Microsoft is responsible for trillions of
dollars by pushing out patches forcefully and negatively
impacting businesses worldwide."

Pain and anguish? I'm smiling and drinking coffee. I adore
when security shenanigans occur. That is the sound of a cash
register to me.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get=0xFC837AF59D8A4463


Re: Please run windows update now

2017-05-15 Thread Brad Knowles
On May 15, 2017, at 5:37 AM, Rich Kulawiec  wrote:
> [1] There may be no such thing as a secure system, period.  But it
> would be better to deploy things that may have a fighting chance
> instead of things that have long since proven to have none at all.

As much as I hate, loathe, and despise Microsoft, there's always going to be 
someone/something out there that is "the worst".  Eliminate the current 
"worst", and there will be another one right behind them.

I do believe that Microsoft is directly responsible for trillions of 
dollars/euros of damage done to economies worldwide, due to their lax security 
practices over the years.  Their advances have only come at the cost of great 
pain on the part of others, and they have been kicking and screaming all the 
while being dragged into the modern world.

The rest of us will continue to bear the pain and anguish that they create.  
That's just the way things are.  Not the way they should be, but the way they 
are.

-- 
Brad Knowles 



Re: Please run windows update now

2017-05-15 Thread Josh Luthman
Link?

I only posted it as reference to the vulnerability.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, May 13, 2017 at 2:07 AM, Nathan Fink  wrote:

> I show MS17-010 as already superseded in SCCM
>
> On Fri, May 12, 2017 at 1:44 PM, Josh Luthman  >
> wrote:
>
> > MS17-010
> > https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> >
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:
> >
> > > Thanks for the headsup but I would expect to see some references to the
> > > patches that need to be installed to block the vulnerability (Sorry for
> > > sounding like a jerk).
> > > We all know to update systems ASAP.
> > >
> > > --
> > > Later, Joe
> > >
> > > On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:
> > >
> > > > This looks like a major worm that is going global
> > > >
> > > > Please run windows update as soon as possible and spread the word
> > > >
> > > > It may be worth also closing down ports 445 / 139 / 3389
> > > >
> > > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > > system-ransoms-demanded
> > > >
> > >
> >
>


Re: Please run windows update now

2017-05-15 Thread Nathan Fink
I show MS17-010 as already superseded in SCCM

On Fri, May 12, 2017 at 1:44 PM, Josh Luthman 
wrote:

> MS17-010
> https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:
>
> > Thanks for the headsup but I would expect to see some references to the
> > patches that need to be installed to block the vulnerability (Sorry for
> > sounding like a jerk).
> > We all know to update systems ASAP.
> >
> > --
> > Later, Joe
> >
> > On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:
> >
> > > This looks like a major worm that is going global
> > >
> > > Please run windows update as soon as possible and spread the word
> > >
> > > It may be worth also closing down ports 445 / 139 / 3389
> > >
> > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > system-ransoms-demanded
> > >
> >
>


Re: Please run windows update now

2017-05-15 Thread Jorge Amodio

With that kind of attitude and disconnect from reality I wonder who is the 
unprofessional moron...

- Jorge (mobile)


> On May 15, 2017, at 1:12 AM, Rich Kulawiec  wrote:
> 
>> On Sat, May 13, 2017 at 12:07:39AM -0500, Joe wrote:
>> One word. Linux.
> 
> Or BSD, or anything but Windows.  Anyone running Microsoft products
> is quite clearly an unprofessional, unethical moron and fully deserves
> all the pain they get -- including being sued into oblivion by their
> customers and clients for their obvious incompetence and negligence.
> 
> ---rsk


Re: Please run windows update now

2017-05-15 Thread Andrew Kerr
Just a note folks that while this particular ransomware is using the
MS17-010 exploit to help spread, it does not rely on it.  This is still a
regular piece of ransomware that if someone opens the malicious file, will
encrypt files.

SANS has some IoCs and more information:
https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/

On Fri, 12 May 2017 at 11:45 Josh Luthman 
wrote:

> MS17-010
> https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
>
>
> Josh Luthman
> Office: 937-552-2340 <(937)%20552-2340>
> Direct: 937-552-2343 <(937)%20552-2343>
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:
>
> > Thanks for the headsup but I would expect to see some references to the
> > patches that need to be installed to block the vulnerability (Sorry for
> > sounding like a jerk).
> > We all know to update systems ASAP.
> >
> > --
> > Later, Joe
> >
> > On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:
> >
> > > This looks like a major worm that is going global
> > >
> > > Please run windows update as soon as possible and spread the word
> > >
> > > It may be worth also closing down ports 445 / 139 / 3389
> > >
> > > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > > system-ransoms-demanded
> > >
> >
>


Re: Please run windows update now

2017-05-15 Thread Randy Bush
fyi, current opinion in the security community seems to be that win10 is
better secured than linuxes, bsds, ...  see http://cyber-itl.org/; still
pretty sparse, but getting flushed out.

randy


Re: Please run windows update now

2017-05-15 Thread Rich Kulawiec

You make some excellent points: but I grow very, very tired of having
to spend my time and my energy -- note timestamp on my message -- dealing
with the fallout.  It should be painfully clear to everyone that there
is no such thing as a secure Windows system.  [1]  It should have been
painfully clear after Code Red, after the rise of bots, and after a
hundred other incidents before/since of varying severity and duration.
But apparently it's not and so despite the impact of this current one --
including large-scale disruption of healthcare in the UK -- this will keep
happening over and over again.  And even those of us who have the good
judgment to never use Microsoft products have to pay the price for
the poor decision-making of others.  Again.  And again.

It's getting old.  Just like all the other things that people do (many
of which have been discussed here at great length) that cause problems
for others who are making an earnest attempt to do things right.
How bad do things have to get before the people who are stubbornly
clinging to this finally let go?   Does someone have to die?  Because --
again, see healthcare provider impact in the UK -- we're not that
far from it.

---rsk

[1] There may be no such thing as a secure system, period.  But it
would be better to deploy things that may have a fighting chance
instead of things that have long since proven to have none at all.


Re: Please run windows update now

2017-05-15 Thread Randy Bush
> Or BSD, or anything but Windows.  Anyone running Microsoft products
> is quite clearly an unprofessional, unethical moron and fully deserves
> all the pain they get -- including being sued into oblivion by their
> customers and clients for their obvious incompetence and negligence.

aside from being grossly rude, hyperbolic, and unintelligent, this rant
ignores reality enough to make you a viable presidential candidate.

80% of desk/laptops run windows.  get over it.  windows is embedded in
many systems which will be hard to update in an hour or 100 hours.  and
rude ranting is not doing one micron to help deal with it.

embedded systems are very hard to update, think special drivers, kinky
mods, ...  aside from the long softdev time, how much time do you think
QA will take for moving a piece of medical equipment from xp to win10,
let alone bsd?  and the state of the bsd update process is not something
to describe in polite company.

we have a vulnerable chain from weak software (which is improving, and
msoft has been in the lead there for a decade), to nsa/cia not
disclosing, to people choosing or having to run old versions (of
whatever (and linux/bsd are not immune) for financial or technical
reasons, to the conservative or lazy logistics of patching.  we can try
to improve things at each link.  but this is gonna be slow.

though this ransomware attack is not really that much larger than other
attacks in the past (and the future is not cheering), at least it has
reached the front pages and maybe people will patch more and vendors
will issue more/better updates.  but, as @zeynep says, the lack of
liability along the chain above allows bad practices to continue.

in the meantime, backup, backup and take it offline so it does not get
encrypted for you, patch, turn off unnecessary services/options, rinse
repeat.  and try to promote prudent use among friends, family, and
workplace.

randy


Re: Please run windows update now

2017-05-15 Thread valdis . kletnieks
On Mon, 15 May 2017 02:12:27 -0400, Rich Kulawiec said:

> Or BSD, or anything but Windows.  Anyone running Microsoft products
> is quite clearly an unprofessional, unethical moron and fully deserves
> all the pain they get

Tell you what.  Go over to http://line6.com/software/ - You convince them to
produce a Linux version of the software for their musician's gear, and I'll get
rid of the Toshiba laptop running Windows.  Alternatively, find me an OSX
laptop that costs anywhere near the $400 I paid for the Toshiba Satellite.

(And yes, I already tried running their software in a VM, neither VirtualBox
nor VMware does a good enough job of emulating MIDI-over-USB2 to let the drivers
in the VM connect to my Pod HD, so don't bother suggesting that).

You want to repeat your claim that I'm an unprofessional, unethical moron
because I have a fully patched Windows 10 laptop that's backed up on a regular
basis because there's no realistic alternative?






Re: Please run windows update now

2017-05-15 Thread Rich Kulawiec
On Sat, May 13, 2017 at 12:07:39AM -0500, Joe wrote:
> One word. Linux.

Or BSD, or anything but Windows.  Anyone running Microsoft products
is quite clearly an unprofessional, unethical moron and fully deserves
all the pain they get -- including being sued into oblivion by their
customers and clients for their obvious incompetence and negligence.

---rsk


RE: Please run windows update now

2017-05-12 Thread Keith Medcalf

Not to mention of course that the version of Windows 10 that actually has all 
Microsoft's wonder-dunder-touted-all-and-fro security features is the one that 
most mere mortals cannot buy.

I wunder.

When there are these wunderful fluffings of the security of Windows 10, should 
one be suing Microsoft for not explicitly stating in the opening sentence that 
the features touted do not apply to any version of Windows that can be 
purchased at whim (ie, retail) and only applies to the "Enterprise" version 
which is *only* available with a minimum purchase quantity and the selling of 
the first (and second) born to Microsoft, and at that only after entering into 
a really nasty contract with Microsoft?

Or should one be suing all the "security fools and newsfrothers" that 
promulgate the story without specifying that the emperors "new secure clothing" 
is only available to "Enterprise" customers with special contracts to Microsoft 
and failing to warn that Microsoft has deliberately left everyone else "naked 
and unprotected"?

Or should one simply sue them all and let God (or a judge) sort it out?

--
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı


> -Original Message-
> From: Joe [mailto:jbfixu...@gmail.com]
> Sent: Friday, 12 May, 2017 23:08
> To: Keith Medcalf
> Cc: nanog@nanog.org
> Subject: Re: Please run windows update now
>
> One word. Linux.
>
> After this we'll probably see (yet more) additional processes running on
> windows boxes safe guarding against issues like this, forcing windoze
> users to upgrade memory/processor/disk space. I, for one, am not looking
> at Windoze 10 S as it locks too many applications needed for work to the
> Windoze store.
>
>
> Getting kind of ridiculous if you ask me.
>
>
> -Joe
>
>
> On Fri, May 12, 2017 at 11:56 PM, Keith Medcalf <kmedc...@dessus.com>
> wrote:
>
>
>
>   Well, this one was patched (or more accurately, undone).  Perhaps.
> Maybe.
>
>   How many other "paid defects" do you estimate there are in Microsoft
> Windows waiting to be exploited when discovered (or disclosed) by someone
> other than the "Security Agency" buying the defect?
>
>   Almost certainly more than just this one ... and almost certainly
> there is more than a single "payor agency" independently purchasing the
> deliberate introduction of code defects.
>
>   --
>   ˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı
>
>
>   > -Original Message-
>   > From: Nathan Brookfield [mailto:nathan.brookfi...@simtronic.com.au
> <mailto:nathan.brookfi...@simtronic.com.au> ]
>   > Sent: Friday, 12 May, 2017 22:48
>   > To: Keith Medcalf
>   > Cc: nanog@nanog.org
>   > Subject: Re: Please run windows update now
>   >
>   > Well it was patched by Microsoft on March 14th, just clearly
> people
>   > running large amounts of probably Windows XP have been owned.
>   >
>   > Largely in Russia.
>   >
>   > Nathan Brookfield
>   > Chief Executive Officer
>   >
>   > Simtronic Technologies Pty Ltd
>   > http://www.simtronic.com.au
>   >
>   > On 13 May 2017, at 14:47, Keith Medcalf <kmedc...@dessus.com>
> wrote:
>   >
>   >
>   > The SMBv1 issue was disclosed a year or two ago and never patched.
>   > Anyone who was paying attention would already have disabled SMBv1.
>   >
>   > Thus is the danger and utter stupidity of "overloading" the
> function of
>   > service listeners with unassociated road-apples.  Wait until the
> bad guys
>   > figure out that you can access the same "services" via a
> connection to the
>   > DNS port (UDP and TCP 53) on windows machines ...
>   >
>   > --
>   > ˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı
>   >
>   >
>   > > -Original Message-
>   > > From: NANOG [mailto:nanog-bounces+kmedcalf <mailto:nanog-
> bounces%2Bkmedcalf> =dessus@nanog.org] On
>   > Behalf
>   > > Of Karl Auer
>   > > Sent: Friday, 12 May, 2017 18:58
>   > > To: nanog@nanog.org
>   > > Subject: Re: Please run windows update now
>   > >
>   > >> On Fri, 2017-05-12 at 10:30 -0800, Royce Williams wrote:
>   > >> - In parallel, consider investigating low-hanging fruit by OU
>   > >> (workstations?) to disable SMBv1 entirely.
>   > >
>   > > Kaspersky reckons the exploit applies to 

Re: Please run windows update now

2017-05-12 Thread Joe
One word. Linux.
After this we'll probably see (yet more) additional processes running on
windows boxes safe guarding against issues like this, forcing windoze users
to upgrade memory/processor/disk space. I, for one, am not looking at
Windoze 10 S as it locks too many applications needed for work to the
Windoze store.

Getting kind of ridiculous if you ask me.

-Joe

On Fri, May 12, 2017 at 11:56 PM, Keith Medcalf <kmedc...@dessus.com> wrote:

>
> Well, this one was patched (or more accurately, undone).  Perhaps.  Maybe.
>
> How many other "paid defects" do you estimate there are in Microsoft
> Windows waiting to be exploited when discovered (or disclosed) by someone
> other than the "Security Agency" buying the defect?
>
> Almost certainly more than just this one ... and almost certainly there is
> more than a single "payor agency" independently purchasing the deliberate
> introduction of code defects.
>
> --
> ˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı
>
>
> > -Original Message-
> > From: Nathan Brookfield [mailto:nathan.brookfi...@simtronic.com.au]
> > Sent: Friday, 12 May, 2017 22:48
> > To: Keith Medcalf
> > Cc: nanog@nanog.org
> > Subject: Re: Please run windows update now
> >
> > Well it was patched by Microsoft on March 14th, just clearly people
> > running large amounts of probably Windows XP have been owned.
> >
> > Largely in Russia.
> >
> > Nathan Brookfield
> > Chief Executive Officer
> >
> > Simtronic Technologies Pty Ltd
> > http://www.simtronic.com.au
> >
> > On 13 May 2017, at 14:47, Keith Medcalf <kmedc...@dessus.com> wrote:
> >
> >
> > The SMBv1 issue was disclosed a year or two ago and never patched.
> > Anyone who was paying attention would already have disabled SMBv1.
> >
> > Thus is the danger and utter stupidity of "overloading" the function of
> > service listeners with unassociated road-apples.  Wait until the bad guys
> > figure out that you can access the same "services" via a connection to
> the
> > DNS port (UDP and TCP 53) on windows machines ...
> >
> > --
> > ˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı
> >
> >
> > > -Original Message-
> > > From: NANOG [mailto:nanog-bounces+kmedcalf=dessus@nanog.org] On
> > Behalf
> > > Of Karl Auer
> > > Sent: Friday, 12 May, 2017 18:58
> > > To: nanog@nanog.org
> > > Subject: Re: Please run windows update now
> > >
> > >> On Fri, 2017-05-12 at 10:30 -0800, Royce Williams wrote:
> > >> - In parallel, consider investigating low-hanging fruit by OU
> > >> (workstations?) to disable SMBv1 entirely.
> > >
> > > Kaspersky reckons the exploit applies to SMBv2 as well:
> > >
> > > https://securelist.com/blog/incidents/78351/wannacry-
> ransomware-used-in
> > > -widespread-attacks-all-over-the-world/
> > >
> > > I thought it was a typo in para 2 and the table, but they emailed back
> > > saying nope, SMBv2 is (was) also broken. However, they also say (same
> > > page) that the MS patch released in March this year fixes it.
> > >
> > > Assuming they are right, I wonder why Microsoft didn't mention SMBv2?
> > >
> > > Regards, K.
> > >
> > > --
> > > 
> ~~~
> > > Karl Auer (ka...@biplane.com.au)
> > > http://www.biplane.com.au/kauer
> > > http://twitter.com/kauer389
> > >
> > > GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
> > > Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> > >
> >
> >
> >
>
>
>
>
>


RE: Please run windows update now

2017-05-12 Thread Keith Medcalf

Well, this one was patched (or more accurately, undone).  Perhaps.  Maybe. 

How many other "paid defects" do you estimate there are in Microsoft Windows 
waiting to be exploited when discovered (or disclosed) by someone other than 
the "Security Agency" buying the defect?

Almost certainly more than just this one ... and almost certainly there is more 
than a single "payor agency" independently purchasing the deliberate 
introduction of code defects.

--
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı


> -Original Message-
> From: Nathan Brookfield [mailto:nathan.brookfi...@simtronic.com.au]
> Sent: Friday, 12 May, 2017 22:48
> To: Keith Medcalf
> Cc: nanog@nanog.org
> Subject: Re: Please run windows update now
>
> Well it was patched by Microsoft on March 14th, just clearly people
> running large amounts of probably Windows XP have been owned.
>
> Largely in Russia.
>
> Nathan Brookfield
> Chief Executive Officer
>
> Simtronic Technologies Pty Ltd
> http://www.simtronic.com.au
>
> On 13 May 2017, at 14:47, Keith Medcalf <kmedc...@dessus.com> wrote:
>
>
> The SMBv1 issue was disclosed a year or two ago and never patched.
> Anyone who was paying attention would already have disabled SMBv1.
>
> Thus is the danger and utter stupidity of "overloading" the function of
> service listeners with unassociated road-apples.  Wait until the bad guys
> figure out that you can access the same "services" via a connection to the
> DNS port (UDP and TCP 53) on windows machines ...
>
> --
> ˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı
>
>
> > -Original Message-
> > From: NANOG [mailto:nanog-bounces+kmedcalf=dessus@nanog.org] On
> Behalf
> > Of Karl Auer
> > Sent: Friday, 12 May, 2017 18:58
> > To: nanog@nanog.org
> > Subject: Re: Please run windows update now
> >
> >> On Fri, 2017-05-12 at 10:30 -0800, Royce Williams wrote:
> >> - In parallel, consider investigating low-hanging fruit by OU
> >> (workstations?) to disable SMBv1 entirely.
> >
> > Kaspersky reckons the exploit applies to SMBv2 as well:
> >
> > https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in
> > -widespread-attacks-all-over-the-world/
> >
> > I thought it was a typo in para 2 and the table, but they emailed back
> > saying nope, SMBv2 is (was) also broken. However, they also say (same
> > page) that the MS patch released in March this year fixes it.
> >
> > Assuming they are right, I wonder why Microsoft didn't mention SMBv2?
> >
> > Regards, K.
> >
> > --
> > ~~~
> > Karl Auer (ka...@biplane.com.au)
> > http://www.biplane.com.au/kauer
> > http://twitter.com/kauer389
> >
> > GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
> > Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> >
>
>
>






Re: Please run windows update now

2017-05-12 Thread Nathan Brookfield
Well it was patched by Microsoft on March 14th, just clearly people running 
large amounts of probably Windows XP have been owned.

Largely in Russia.

Nathan Brookfield
Chief Executive Officer

Simtronic Technologies Pty Ltd
http://www.simtronic.com.au

On 13 May 2017, at 14:47, Keith Medcalf <kmedc...@dessus.com> wrote:


The SMBv1 issue was disclosed a year or two ago and never patched.
Anyone who was paying attention would already have disabled SMBv1.

Thus is the danger and utter stupidity of "overloading" the function of service 
listeners with unassociated road-apples.  Wait until the bad guys figure out 
that you can access the same "services" via a connection to the DNS port (UDP 
and TCP 53) on windows machines ...

-- 
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı


> -Original Message-
> From: NANOG [mailto:nanog-bounces+kmedcalf=dessus@nanog.org] On Behalf
> Of Karl Auer
> Sent: Friday, 12 May, 2017 18:58
> To: nanog@nanog.org
> Subject: Re: Please run windows update now
> 
>> On Fri, 2017-05-12 at 10:30 -0800, Royce Williams wrote:
>> - In parallel, consider investigating low-hanging fruit by OU
>> (workstations?) to disable SMBv1 entirely.
> 
> Kaspersky reckons the exploit applies to SMBv2 as well:
> 
> https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in
> -widespread-attacks-all-over-the-world/
> 
> I thought it was a typo in para 2 and the table, but they emailed back
> saying nope, SMBv2 is (was) also broken. However, they also say (same
> page) that the MS patch released in March this year fixes it.
> 
> Assuming they are right, I wonder why Microsoft didn't mention SMBv2?
> 
> Regards, K.
> 
> --
> ~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
> 
> GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
> Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> 






RE: Please run windows update now

2017-05-12 Thread Keith Medcalf

The SMBv1 issue was disclosed a year or two ago and never patched.
Anyone who was paying attention would already have disabled SMBv1.

Thus is the danger and utter stupidity of "overloading" the function of service 
listeners with unassociated road-apples.  Wait until the bad guys figure out 
that you can access the same "services" via a connection to the DNS port (UDP 
and TCP 53) on windows machines ...

--
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı


> -Original Message-
> From: NANOG [mailto:nanog-bounces+kmedcalf=dessus@nanog.org] On Behalf
> Of Karl Auer
> Sent: Friday, 12 May, 2017 18:58
> To: nanog@nanog.org
> Subject: Re: Please run windows update now
>
> On Fri, 2017-05-12 at 10:30 -0800, Royce Williams wrote:
> > - In parallel, consider investigating low-hanging fruit by OU
> > (workstations?) to disable SMBv1 entirely.
>
> Kaspersky reckons the exploit applies to SMBv2 as well:
>
> https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in
> -widespread-attacks-all-over-the-world/
>
> I thought it was a typo in para 2 and the table, but they emailed back
> saying nope, SMBv2 is (was) also broken. However, they also say (same
> page) that the MS patch released in March this year fixes it.
>
> Assuming they are right, I wonder why Microsoft didn't mention SMBv2?
>
> Regards, K.
>
> --
> ~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
>
> GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
> Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
>






Re: Please run windows update now

2017-05-12 Thread Karl Auer
On Fri, 2017-05-12 at 10:30 -0800, Royce Williams wrote:
> - In parallel, consider investigating low-hanging fruit by OU
> (workstations?) to disable SMBv1 entirely.

Kaspersky reckons the exploit applies to SMBv2 as well:

https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in
-widespread-attacks-all-over-the-world/

I thought it was a typo in para 2 and the table, but they emailed back
saying nope, SMBv2 is (was) also broken. However, they also say (same
page) that the MS patch released in March this year fixes it.

Assuming they are right, I wonder why Microsoft didn't mention SMBv2?

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B




Re: Please run windows update now

2017-05-12 Thread Josh Luthman
MS17-010
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:

> Thanks for the headsup but I would expect to see some references to the
> patches that need to be installed to block the vulnerability (Sorry for
> sounding like a jerk).
> We all know to update systems ASAP.
>
> --
> Later, Joe
>
> On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:
>
> > This looks like a major worm that is going global
> >
> > Please run windows update as soon as possible and spread the word
> >
> > It may be worth also closing down ports 445 / 139 / 3389
> >
> > http://www.npr.org/sections/thetwo-way/2017/05/12/
> > 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> > system-ransoms-demanded
> >
>


Re: Please run windows update now

2017-05-12 Thread JoeSox
Thanks for the headsup but I would expect to see some references to the
patches that need to be installed to block the vulnerability (Sorry for
sounding like a jerk).
We all know to update systems ASAP.

--
Later, Joe

On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:

> This looks like a major worm that is going global
>
> Please run windows update as soon as possible and spread the word
>
> It may be worth also closing down ports 445 / 139 / 3389
>
> http://www.npr.org/sections/thetwo-way/2017/05/12/
> 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> system-ransoms-demanded
>


Re: Please run windows update now

2017-05-12 Thread Royce Williams
My $0.02, for people doing internal/private triage:

- If your use of IPv4 space is sparse by routes, dump your internal routing
table and convert to summarized CIDR.

- Feed your CIDRs to masscan [1] to scan for internal port 445 (masscan
randomizes targets, so destination office WAN links won't saturate, but
local/intermediate might if you're not careful, so tune):

sudo masscan -p445 --rate=[packets-per-second safe for your network]
-iL routes.list -oG masscan-445.out

- Use https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners (the
python2 one, or the Metasploit one if you can use that internally) to
detect vuln. the python one is *not* a parallelized script, so consider
breaking it into multiple parallel runners if you have a lot of scale.

- If you're using SCCM/other, verify that MS17-010 was applied - but be
mindful of Windows-based appliances not centrally patched, etc. Trust but
verify.

- In parallel, consider investigating low-hanging fruit by OU
(workstations?) to disable SMBv1 entirely.

Royce

1. https://github.com/robertdavidgraham/masscan

On Fri, May 12, 2017 at 10:02 AM, Alexander Maassen 
wrote:

> Hail backups, and whoever keeps those ports accessible to the outside
> without a decent ACL in the firewall, or restricting it to (IPsec) VPNs
> should be shot on sight anyways.
>
> On Fri, May 12, 2017 7:35 pm, Ca By wrote:
> > This looks like a major worm that is going global
> >
> > Please run windows update as soon as possible and spread the word
> >
> > It may be worth also closing down ports 445 / 139 / 3389
> >
> > http://www.npr.org/sections/thetwo-way/2017/05/12/
> 528119808/large-cyber-attack-hits-englands-nhs-hospital-
> system-ransoms-demanded
> >
>
>
>
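
The scan-then-verify triage above, as an added example (my code, not Royce's and not part of masscan or the RiskSense scanner): a small Python tool that parses masscan's grepable (-oG) output for hosts with 445/tcp open, de-duplicates them, tallies them per /24 so you can see which office links a scanner run will hit, and splits them round-robin into target files for the parallel runners the post suggests. The -oG line layout is the one masscan writes ("Timestamp: ... Host: <ip> () Ports: <port>/<state>/<proto>////"); the sample scan lines and the "targets-445-N.txt" file names are constructed for illustration.

```python
"""Turn masscan -oG output into per-runner target lists for MS17-010 checks.

Added example for the triage thread, not code from masscan, the RiskSense
scanner or any list member. Assumed masscan grepable line layout:
    Timestamp: <epoch>\tHost: <ip> ()\tPorts: <port>/<state>/<proto>////
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample of masscan -oG output (not a real scan): one duplicate
# host, one closed port and one unrelated port, to exercise the filters.
SAMPLE_MASSCAN_OUTPUT = """\
# Masscan 1.0.4 scan initiated Fri May 12 19:00:00 2017
# Ports scanned: TCP(1;445-445) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1494615600\tHost: 10.20.1.17 ()\tPorts: 445/open/tcp////
Timestamp: 1494615601\tHost: 10.20.1.23 ()\tPorts: 445/open/tcp////
Timestamp: 1494615601\tHost: 10.20.1.17 ()\tPorts: 445/open/tcp////
Timestamp: 1494615602\tHost: 10.20.4.250 ()\tPorts: 445/closed/tcp////
Timestamp: 1494615603\tHost: 10.20.7.8 ()\tPorts: 445/open/tcp////
Timestamp: 1494615604\tHost: 192.0.2.9 ()\tPorts: 139/open/tcp////
# Masscan done at Fri May 12 19:01:00 2017
"""

_HOST_RE = re.compile(r"Host:\s+(?P<ip>\S+)\s+\(\S*\)\s+Ports:\s+(?P<ports>.+)$")


def parse_open_hosts(text: str, port: int = 445) -> List[str]:
    """Return unique hosts with <port>/tcp reported open, in first-seen order."""
    seen = set()
    hosts: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # banner and footer comment lines
        match = _HOST_RE.search(line)
        if match is None:
            continue  # malformed line: skip it rather than abort the triage
        ip = match.group("ip")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address we can hand to a scanner
        # The Ports field may list several "port/state/proto////" entries.
        for entry in match.group("ports").split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            p, state, proto = fields[0], fields[1], fields[2]
            if p == str(port) and state == "open" and proto == "tcp":
                if ip not in seen:
                    seen.add(ip)
                    hosts.append(ip)
    return hosts


def count_by_subnet(hosts: List[str], prefix_len: int = 24) -> Dict[str, int]:
    """Tally open hosts per /prefix_len so heavily hit office links stand out."""
    counts: Dict[str, int] = {}
    for host in hosts:
        net = str(ipaddress.ip_network(f"{host}/{prefix_len}", strict=False))
        counts[net] = counts.get(net, 0) + 1
    return counts


def split_round_robin(hosts: List[str], runners: int) -> List[List[str]]:
    """Deal hosts out round-robin so neighbouring addresses (usually one site)
    land on different runners and no single WAN link carries a whole chunk."""
    if runners < 1:
        raise ValueError("runners must be >= 1")
    chunks: List[List[str]] = [[] for _ in range(runners)]
    for index, host in enumerate(hosts):
        chunks[index % runners].append(host)
    return chunks


def write_target_files(chunks: List[List[str]], prefix: str = "targets-445") -> List[str]:
    """Write one target file per runner (file name pattern is hypothetical)."""
    paths = []
    for index, chunk in enumerate(chunks):
        path = f"{prefix}-{index}.txt"
        with open(path, "w", encoding="ascii") as handle:
            handle.write("".join(f"{host}\n" for host in chunk))
        paths.append(path)
    return paths


if __name__ == "__main__":
    open_hosts = parse_open_hosts(SAMPLE_MASSCAN_OUTPUT)
    print(f"{len(open_hosts)} host(s) with 445/tcp open")
    for subnet, count in sorted(count_by_subnet(open_hosts).items()):
        print(f"  {subnet}: {count}")
    for path in write_target_files(split_round_robin(open_hosts, runners=2)):
        print(f"wrote {path}")
```

In practice replace SAMPLE_MASSCAN_OUTPUT with the contents of masscan-445.out and feed each targets file to its own scanner runner; a host that masscan reports open but the scanner reports patched still deserves a look in SCCM, since the post's "trust but verify" cuts both ways.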


Re: Please run windows update now

2017-05-12 Thread Alexander Maassen
Hail backups, and whoever keeps those ports accessible to the outside
without a decent ACL in the firewall, or restricting it to (IPsec) VPNs
should be shot on sight anyways.

On Fri, May 12, 2017 7:35 pm, Ca By wrote:
> This looks like a major worm that is going global
>
> Please run windows update as soon as possible and spread the word
>
> It may be worth also closing down ports 445 / 139 / 3389
>
> http://www.npr.org/sections/thetwo-way/2017/05/12/528119808/large-cyber-attack-hits-englands-nhs-hospital-system-ransoms-demanded
>




Please run windows update now

2017-05-12 Thread Ca By
This looks like a major worm that is going global

Please run windows update as soon as possible and spread the word

It may be worth also closing down ports 445 / 139 / 3389

http://www.npr.org/sections/thetwo-way/2017/05/12/528119808/large-cyber-attack-hits-englands-nhs-hospital-system-ransoms-demanded