China is likely stockpiling and deploying vulnerabilities, says Microsoft Microsoft has asserted that China's offensive cyber capabilities have improved, thanks to a law that has allowed Beijing to create an arsenal of unreported software vulnerabilities. China's 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The …
This post has been deleted by its author
Now that most applications are so huge and complex, vulnerabilities are almost inevitable. The sin is inadequate testing so they get released into the public space.
Unfortunately it clearly is cheaper to release buggy code and issue patches than to test properly and release clean code. Otherwise things would be different.
Firstly, the days of standalone programs are long over; they all rely on subroutines which themselves rely on subroutines. Nobody is ever going to check all that. Secondly, so many rely on networking, which introduces so many interruptions to otherwise simple logic.
Finally, nobody seems to use flowcharts to assist in creating sound logic.
"Nobody is ever going to check all that"
Source code checking by hand is obviously not feasible in that case. However, all exploitable vulnerabilities depend on interaction with the software (otherwise they'd not be exploitable), and there are numerous ways to check runtime interaction (many of them fully automated).
The source of the problem is the primary emphasis on "user acceptance" on the assumption of valid interaction, at the expense of testing for edge cases. The reason for this is almost certainly the dominant desire to get the application out the door, coupled with the absence of any effective redress for the user.
So how do the bad guys find them?
This is a market failure, plain and simple. The buyer entirely lacks the ability to evaluate security, and as only a very limited ability to even value it in the first place. Not that government intervention is likely to help much if at all.
Companies release garbage software because the market tolerates it. They can do a LOT better. It's just that they would lose market share if they did.
I think a small difference is that selling you the same stuff again is a business model (not only but including Microsoft) I'm not really convinced that closed source software suppliers ever really gave one about vulnerabilities until it was embarrassing to do otherwise.
Blaming China feels a little bit like "dog ate my homework".
If they gave more of a shit in the first place there would be few vulnerabilities to care about.
> "might" be enabling the Chinese government to weaponize the vulnerabilities.
Presumably doing precisely what every other actor in the field of cyber espionage is doing. The only difference is that nobody is talking about what is happening behind the closed doors of western (and others) security services.
Everything is limited so there's no way to know but I started seeing lots of viruses and phishing from China once we started selling products into China about 22 years ago, my opinion is that originally this was just localized hackers accessing our customers computers all the time.
Maybe the Chinese government has hired a lot of the hackers but talking with Chinese friends suggests that they have worse hacking issues that the West does ... given today's environment it's impossible to know what's causing what we see happening every day.
The only difference is that nobody is talking about what is happening behind the closed doors of western (and others) security services. .... Pete2
Internal revolt and virtually autonomous strife and deep paranoid introspection resulting from their mounting failures to continue effectively defending and pimping the indefensible, and attack the most unlikely probable and previously imagined impossible, is not something to talk about, alerting and encouraging as it would/does, although it would be a mistake to think any such encouragement be needed, further foreign developments along similar lines of applied intelligence to produce greater successful stealthy secretive incursions/extractions for guaranteed deeper and dark webbed cyber espionage field advantage. Digging a deeper hole in which one finds oneself captured and unable to escape is not something to crow about and share with anybody listening or interested and either unable or unwilling to help, methinks.
And one doesn't need to be a genius to know what that western security services problem delivers to others in reality fields dependent upon their services.
.. it is not like it is not giving you many, MANY reasons to avoid it like the unsafe plague it is.
To me it reads as a continuous demonstrator to its investors just how locked in its customers are. Security vulnerabilities, productivity destroying UI changes, updates and reboots, ever increasing resource demands (for what? Animating cursors? What IS a computer doing otherwise when you're just typing a letter?), extracting metrics and God knows what data from its users (ah, that answers the previous question), licensing games and in general badly written code, which may explain the security problems in the first place. When you are busy sticking plasters on plastered plasters it's really time to replace that tire.
But no, instead they run a team that finds vulnerabilities in the products of OTHERS.
There are a few more grave things wrong with Microsoft products, but I'm not going to get into that right now. It'll be more interesting to place that evidence where it belongs and see if authorities are willing to act or will demand more bribes free lunches from Microsoft reps. Because THAT, they appear to have down to perfection.
Howdy, AC
According to one acclaimed genius, Albert Einstein, there's an endless supply of those open doors enabling release and anonymous third party exercise and exploitation of sequestered assets.
The difference between stupidity and genius is that genius has its limits.Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
Microsoft has had a presence in China for more than 20 years, entering the market in 1992. Our founder, Bill Gates, had the foresight to establish an office in Beijing, accurately predicting the country’s transition to the booming economy we see today.
Microsoft has expanded its business across the country under its strategy of long-term investment and development. Today, our most complete subsidiary and largest R&D center outside the United States is in China. Microsoft has been working closely with customers and industry partners to realize innovation and both localize and land Microsoft technologies and solutions in China. Microsoft boasts a robust partner ecosystem with 17,000 partners. For every RMB that Microsoft earns in China, Microsoft partners earn 16. In early 2015, Microsoft was awarded “The World’s Top 10 Most Innovative of 2015 Companies in China ” by Fast Company magazine due to its local product strategy and commitments to helping Chinese partners, and was included as one of ” The Companies Remaking The Chinese Economy” along with Alibaba, Tencent, Baidu and other companies.
Microsoft is committed to our Chinese customers and to enabling their success, supporting customers at the enterprise, city, provincial and national levels. Microsoft also attaches great importance to its social responsibilities and has been active in giving back to the local communities in which it operates. This includes supporting education and training initiatives, promoting innovation and local economic development and assisting in building a secure and open computing environment.
It's fud and diversionary doc to tell the world that China is to be blamed for all hacking and espionage information warfare when in fact. The US NSA is the worst offender. That's why the DOJ, NSA all wanted Eric Snowden and Manning to suffer so the secret that the NSA conducts the most hacking and surveillance around the world is discreet.
"China's 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity."
Other governments, businesses, etc... could make the same rule, and then...
Who do you trust most with this information?
"China's 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The rules mean Beijing can use local research to hoard vulnerability information."
The above statement makes no sense. According to the article the law requires that vulnerabilities be reported to local authorities BEFORE they are reported to anyone else. But the analysis and conclusion of the article proceeded as if the law requires them to report it to local authorities only with no further reporting to any one else allowing the POTENTIAL for the Chinese authorities to hoard and use the vulnerabilities for espionage..
Requiring to report vulnerability to local authorities in countries like China means that the local authorities can selectively ban reporting the vulnerabilities any further.
It is not an Anglo-Saxon legal system so you should not expect that people would report further until those in charge allow them.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
