Ransomware is NSA’s mess
Largest ransomware attack in history, made possible by abuse of power.
Your machine is infected and infecting others, your files have been encrypted and you have a limited period of time to get them back: if you pay.
By now everyone who’s been online or watching TV in the last few days know about #WannaCry ransomware attack, the hijacking of files and the asking for Bitcoin to decrypt stuff in computers running on Windows, which affected up to 75 countries, companies and UK’s National Healthcare Service.
Most cybersecurity experts that circulated in TV shows these days have explained very efficiently the technical aspects of the attack, somehow managing to belittle the political dimension of the event and making it an “incompetent developers, evil hackers and heroic researchers” drama.
We think it’s fundamental to highlight there’s more here than anonymous hustlers and that this wouldn’t be a global disaster without Microsoft and the NSA.
What made such a mess possible?
The attack affects particularly Windows, the closed-source operating system which vulnerabilities the virus exploited. One specific flaw that made this attack possible was a bug in Windows’ SMB file-sharing services, which had been detected by the National Security Agency of the United States and used with the purpose of peering into people’s computers. The NSA designed a tool to exploit it and extract information: Eternalblue, which got stolen and leaked months ago, so the WannaCry authors took advantage of it. The second tool used to complete the job was Doublepulsar, a backdoor also designed and installed by the NSA, also leaked by The Shadow Brokers months ago. This means vulnerabilities were built in intentionally or allowed by petition (well, demand) of the the National Security Agency.
The irony of a security agency making everyone more insecure; only an irony if we pretend the NSA is a security agency rather than an organism of domestic and international surveillance with the goal of accumulating power and control over citizens worldwide. Now state-funded tools for surveillance triggers a disaster in UK hospitals.
The ethical decision of using the knowledge programmers gain over systems is whether the know-how is used to expand and share public knowledge or to use it for control, to manipulate scarce information and trade secrets. So the meaning of the word “hacker” is defined pragmatically by observing what effects their actions produce. In this case it’s extremely important to point out that the authors of the malware are not the only hackers in this scene: Microsoft itself like several other tech companies -who, by the way, control most of the software we run on our computers- are also “hackers”: authors of security, exceptions and vulnerabilities.
When it comes to finding who’s responsible, the largest ransomware attack in history is more about government agencies systematically violating privacy and companies refusing to pay proper attention to security than about extortion.
What can be done?
Cyberattacks are neither inevitable nor incontestable.
Users can fight back this and future attacks taking a couple basic preventions:
- Keep your software up to date. Updates often include patches to fix important security bugs.
- Mind before clicking links and attachments sent by anybody. Just ask yourself how legit do the source and the link look like.
- Encrypt your files and messages whenever possible. Even if nobody steals them, it’s clear some negligent people are after them.
Still, we insist given NSA’s big share of responsibility, more can, should and must be done to prevent future attacks. A good start:
- The US Congress has to hold the NSA accountable, ask them about bugs they find in software and provide instruction for such cases — (since they fund the research, perhaps they could fund the fixing or at least not the development of exploitative tools).
- Microsoft and all other companies can pay more attention to information security researchers and advisers.
- The NSA and security agencies in general can stop demanding companies to give up user’s privacy in the name of law enforcement.
- Tech companies can stop trading with personal data and collaborating in the installation of surveillance states around the world. One first step would be to refuse governments access to their software, like Apple has recently done.
We can work on the design of better, decentralized, more accountable systems to put an end to our dependency to these actor’s intentions and grant every citizen in the world personal sovereignty.
