This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.
I've left a note about the event on the Current Events Portal talkpage. — Sasuke Sarutobi ( talk) 16:53, 12 May 2017 (UTC)
It seems there's another page about this topic. Do we merge its information to this page? — Gestrid ( talk) 22:05, 12 May 2017 (UTC)
Why is this in here, it literally has nothing to do with the content of the article? Sephiroth storm ( talk) 02:33, 13 May 2017 (UTC)
Just deleted this from the intro. If three Russian ministries avoided being infected by "repulsing" the attack, why is it news? In fact the references (when translated) say that "the servers were not infected because they run 'a different operating system'", and at the Ministry of Internal Affairs the attack, "was localized, no leakage of information occurred" - the same could, and was, said of the NHS. Snori ( talk) 19:36, 13 May 2017 (UTC)
I added this. Feel free to remove it if you feel it doesn't add much to the article. It wasn't much effort to make or upload. Anna Frodesiak ( talk) 21:10, 13 May 2017 (UTC)
Is it just Microsoft that is having issues with this, or are Apple and IBM and other computer groups experiencing this same issue? Also, is it safe to go online with a Microsoft machine right now? I have mine physically disconnected from the internet line when I am not there to use it with this exact situation in mind, but I have no idea how to check and see if I have the patch needed to keep my machine uninfected. 2600:1011:B018:196E:3925:4863:EC2:A9C8 ( talk) 23:42, 13 May 2017 (UTC)
Someone named Kurt Knutsson who was on Fox Business blamed it on last month's Wikileaks document "dump"--perhaps this should be mentioned in this article, if there is an RS. Zigzig20s ( talk) 07:49, 13 May 2017 (UTC)
Should there be 2 separate pages about WannaCry and the attack respectively? The page about WannaCry would cover the ransomware only and the attack page would cover the 12th May cyber attack and its fallout / reactions. — Popeter45 21:20, 12 May 2017 (UTC)
'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack Can we place this in the article. Sherenk1 ( talk) 04:48, 13 May 2017 (UTC)
Could you add an explanation why the kill switch {what mean unplugging the comp from power line } is not working. The personal yps devices era designed so the lame victims (aka customer or user ) can not power off they attachments. There is no way to remove the battery and the turn off button is merely pp fake for peace of mind decoration. This was visible by netmonitoring (eg wireshark's taps) years ago where believed turn off devices exchanged to Mbase encrypted packets //and this is so manufactured day to day operation. [knwnxample:= the turn off tv verting spk to mik] — Preceding unsigned comment added by 99.90.196.227 ( talk) 09:40, 14 May 2017 (UTC)
Cite note doesn't work... — Preceding unsigned comment added by 2607:FEA8:4EE0:784:EDF1:D58A:EA07:1855 ( talk) 07:53, 14 May 2017 (UTC)
What is the significance of that? 80.140.197.186 ( talk) 10:34, 13 May 2017 (UTC)
See The worm that spreads WanaCrypt0r (detailed analysis of code) Esowteric+ Talk 16:04, 14 May 2017 (UTC)
Are there any reports out there that describe how the bitcoin is evaluated by the software? Is it the time of the payment? If so what data is used for that? Is it getting fetched from the Internet?
Or was it hardcoded into the software and used data at the time of the malware's creation?
In either case this needs to be specified.
Also note that this information is important for instance because uninformed victims might buy exactly $300 worth of bitcoin, the evaluated price might come from some up-to-date source, the malware might be very exact with its minimum payment requirement, the bitcoin-value might fluctuate so that $300 worth of bitcoin becomes $290 worth of bitcoins and many affected systems might be critical to lives and society.
-- Fixuture ( talk) 16:57, 14 May 2017 (UTC)
Should content about the G7 meeting be added to the "Reactions" section? I'm not sure as I couldn't find any direct reference to this particular cyberattack in their statements so far.
E.g. this:
-- Fixuture ( talk) 17:57, 14 May 2017 (UTC)
To WannaCry cyber attack, as most readers are unfamiliar with "ransomware". fgnievinski ( talk) 23:38, 13 May 2017 (UTC)
Which EngVar should this article be in? I'm currently seeing mixed BrE and AmE. Adam9007 ( talk) 21:27, 14 May 2017 (UTC)
Technical details - https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware — Preceding unsigned comment added by Abhishikt ( talk • contribs) 00:06, 13 May 2017 (UTC)
This article is by far the most complete technical article about WannaCry. Should we use this instead of the Symantec one, which does not have that much info? Or both? https://www.bleepingcomputer.com/news/security/wannacry-wana-decryptor-wanacrypt0r-technical-nose-dive/ — Preceding unsigned comment added by Rylheh ( talk • contribs) 23:43, 14 May 2017 (UTC)
I propose we move the page to WannaCry ransomware attack (2017). This way, we can leave this page open to be used as an article about WannaCry in general. — Gestrid ( talk) 18:23, 12 May 2017 (UTC)
I think just WannaCry would be more appropriate, the disambiguation is not needed. ViperSnake151 Talk 02:52, 15 May 2017 (UTC)
Shouldn't there be a section referencing advised solutions if infected? As I don't see any info spoken about in the article. Are people being advised to pay, are people paying (wisely or otherwise), and does paying actually get their machines decrypted? And other related questions. Jimthing ( talk) 22:09, 15 May 2017 (UTC)
How do I get a patch to defend my XP against this please ? Many thanks ! Darkman101 ( talk) 00:19, 16 May 2017 (UTC)
This page is not a forum for general discussion about WannaCry ransomware attack/Archive 1. Any such comments may be removed or refactored. Please limit discussion to improvement of this page. You may wish to ask factual questions about WannaCry ransomware attack/Archive 1 at the Reference desk.
JTP ( talk • contribs) 00:32, 16 May 2017 (UTC)
There has been a massive amount of amateurish/incorrect edits made by one user, User:GliderMaven, over the past day. The user made no attempt at talk page discussion nor collaboration, and unfathomably reverted legitimate edits by other users on at least one occasion.
These are examples of edits that blatantly fall under WP:OR or WP:SYNTH:
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780294423
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780317291
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780318804
These edits are factually incorrect or misleading:
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780194041 (this incorrectly identifies one person as "researchers", etc.)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780294423 (this contains a sheer fabrication)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=780317291&oldid=780316995 (would be WP:OR if this is true, but it isn't even true if you actually look at the data)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=780321147&oldid=780320163 (these two are overlapping)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=780323500&oldid=780323351 (incorrect interpretation of phishing)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780322912 (the edit summary also makes zero sense)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780324990 (this is uncited/OR, and is technically confusing, and is probably incorrect, depending on your interpretation. In any case, it's clear he doesn't understand the relationship between phishing attack and antivirus software.)
These are attempts to improve grammar/prose that are grammatically incorrect or very awkward:
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780293149
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=780338512&oldid=780338198
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780295658 ("registering for a DNS sinkhole" does not make technical sense either)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780292481 ("may be a bug whose code..." - again, both grammatically and technically incorrect)
These are other edits that are contrary to WP:MoS and usual practice:
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780319655
A number of other edits are attempts to adjust his own copyedit oversights, such as this edit. I haven't included mistakes that had been corrected by himself and other users, but there is a decent number of these, as some other editors can testify.
Finally, the user also made a bizarre attempt to swap a content section with a paragraph in the lede. He then reverted back 5 edits, including his own, and added back some of the content himself. It's not clear if this is a good faith attempt followed by bad editorial practice, or if he has an issue with WP:OWN and is trying to camouflage other edits as his own.
Otherwise, this is a clear case of a user with good faith who doesn't meet WP:CIR. The user is not familiar with basic WP:MoS guidelines. The user evidently does not possess the minimum competency to be altering technical information for a front page article. The user is also likely ESL or has poor verbal fluency.
I have painstakingly tried to reverse most of these problematic edits while retaining some legitimate contributions. Please help keep track, and please correct me if I've accidentally removed legitimate changes. 73.61.20.253 ( talk) 13:20, 14 May 2017 (UTC)
Closed since not that important in terms of the article content, but since it's a direct response to the comments here, I find it confusing to take the discussion to the IP's talk page so leaving it here. Nil Einne ( talk) 02:57, 15 May 2017 (UTC)
No, I never agreed to that. The fact that a user who's been here for a long time still doesn't understand our OR policies is problematic but not automatically indicative of CIR issues. Perhaps it hasn't come up before for some reason, I don't really know. CIR would only come into play if they still don't understand our OR policies after multiple attempts to get them to understand, and I see no indication this has happened here yet, it's only just starting. I mean if you want to discuss CIR issues, there is the fact you've made two highly questionable claims, namely that the editor isn't involved in discussion when they had been, before you even posted at ANI and you were also part of that discussion; and also that we agree with you there is a CIR issue here, when I at least don't; i.e. that you seem to have trouble either understanding what's going on or for whatever other reason make claims that are untrue could be said to bring up CIR issues. But again even in your case I've seen too little for me to bring up CIR in practice. You've already been told that copyvio issues are a serious matter which could be dealt with at ANI or elsewhere, but you provided no actually clearcut examples of this so of course nothing happened. We generally do not take people's word for anything, whether they are experienced editors or whatever, we always require evidence in the form of diffs etc. Also this article is only a few days old and due to what it covers it's been edited extensively so referring to anything as a stable version is always going to be tenuous. Of course reverting to a stable version isn't something that involves administrators anyway, unless the article is fully protected and even there WP:Wrong version means it's very rarely done. Really the only possible administrative actions here would be fully protecting this article which is never going to happen; or blocking participants, which could happen but hopefully won't be required.
And yes, being civil is always important in any discussion. In fact since civility is a behavioural issue, whereas disagreements over content are not, it's easily possible an uncivil editor could be sanctioned whereas the other editor is fine even if most people feel the second editor's content proposals are out of line with our guidelines and policies. This clearly isn't the case here, but if you're complaining about another editor's behaviour and were uncivil in the process, you shouldn't be surprised if the first thing people see is the incivility.
There is no need for an administrator to warn someone. Anyone is free to warn another editor, and it would carry as much weight if it's suggested a block is needed. If there is question over adequate warning, it will be because of the quality (tone, explanation etc) of the warning, not because of who gave it. Even Wikipedia:Arbitration Committee/Discretionary sanctions alerts do not require administrators to issue them, simply that the proper process is followed. If a section is duplicated, you're right it should be removed. Anyone who can edit the article, and that includes you as an IP since this article isn't semi protected, can do so. There should generally be absolutely no need for administrative action. If another editor is repeatedly inserting duplicated sections or adding back a section which is a complete duplicate then yes, maybe administrative action i.e. blocking will be needed, but it should be very rare this ever happens. For example, in this case a duplicated section was removed by another editor [2] but this wasn't introduced by the editor you keep complaining about [3]. It wasn't reverted, probably because it was clear what was being done. Which highlights another point. The best way to deal with a duplicated section is to remove the section and leave a clear edit summary. If you make a whole bunch of other edits, and even worse if you don't leave a clear edit summary, editors may simply see a bunch of changes including the removal of content and revert you. I'm not sure if this happened here since I don't actually see any other examples of a duplicated section in the entire article history, maybe because I'm assuming someone actually mentioned something like 'dupl', 'cop', 'repea' in the edit summary. I'm not counting [4] since it's very minor, and [5] even if it was justifiable, wasn't a clear cut duplicated section but rather a new section which mostly repeated information already covered elsewhere.
Also from what I see, no one actually reverted the removal. The ultimate point is if you find you're having problems getting your removal of a duplicated section to stick, you need to make sure your editing isn't contributing to that. It's unfortunately true that because you are an IP, you're probably going to have more problems than if you were editing from an account. Dealing with edits which seem to have made an article worse is part and parcel of the WP:collaborative nature of wikipedia. If the editor appears to be acting in bad faith, then they can be sanctioned quickly. If they are acting in good faith then we are a lot more hesitant to sanction. Whatever the rights and wrongs here, and I'm specifically not commenting on them, I see no evidence anything has risen to the level where sanction is required. As others have said, if another editor's edits seem to have made an article worse then yes you do have to try and civilly explain this to them.
We might edit the section title to something more suitable? And if someone please could proof read it? I wrote the section, and I don't know if I got something wrong there?-- Rævhuld ( talk) 23:06, 12 May 2017 (UTC)
I edited some of the grammar there. Tedmarynicz ( talk) 14:11, 16 May 2017 (UTC)
Vagueness like "spreads through network defenses" means absolutely nothing. How does this stuff spread? Executable files? Do users have to click on something? Is it a macro-enabled ms office document that drops the payload? What does any of this mean?
If I have an unpatched computer sitting randomly connected to the internet, how am I affected? Does a virus just pop up out of nowhere? Do I get an email asking me to download a booby trapped word document? Does my computer have to be sent magic packets that somehow runs an executable without prompting me? Seriously, WTF? How the hell is anyone supposed to understand any of the sensational headlines when this basic information is nowhere to be found? — Preceding unsigned comment added by 199.18.157.82 ( talk) 03:17, 16 May 2017 (UTC)
Yes, the article already explains it fairly well IMO. It relies on a bug in SMB1 in unpatched versions of Windows. This allows remote code execution without the user's involvement. But as I mentioned above, a computer needs to actually be exposing SMB to the internet, something which it would not normally do in the post XP SP2 world except when someone is silly enough to change the default config, probably without knowing what they are doing. However since most people aren't going to use SMB over the internet, and getting it to work behind a NAT is complicated anyway, this most likely would only occur if someone completely disabled the firewall.
The problem is if your computer accesses a local network. In such a case SMB may very well be open to the local network, and so all it takes is one infected computer. (As I mentioned, technically the vector doesn't have to be vulnerable itself. It doesn't even need to be running Windows. Although obviously it needs to become a vector somehow.) This may include wifi access points. (Although by default, most modern versions of Windows put new networks into the 'public' category and SMB is not exposed in the public category. However there's a greater chance someone will accidentally or intentionally change this, whether exposing SMB on 'public' networks, or classifying something as private when they probably shouldn't.)
This incidentally is also why it's a big deal for businesses. There, once it gets onto a single computer in some fashion, it can potentially spread to all unpatched computers depending on how they expose SMB. (Many do use it, so it isn't uncommon that it's fairly exposed.)
As I mentioned above, the Blaster situation was somewhat different. At the time, it was still fairly common, and actually even the default that these ports were exposed to the internet provided you were directly connected with no external firewall. (NAT was already fairly common, although surely less so than now, meaning some people escaped by chance.) In other words, a default XP installation with the other requirements would generally be infected. Corporate systems would generally be expected to have one or more firewalls, although if it was acceptable to BYOD, e.g. in a university this may not have mattered.
This isn't the case for any post XP OS, or for XP with SP2; meaning even if they are vulnerable the worm won't spread to them from the internet on a default install. (IIRC, for quite a long time, any pre SP2 XP system directly connected and without ISP filtering would have been infected with Blaster or similar quite fast.) If someone screws around and messes things up, they may be vulnerable just by being connected to the internet. However if you have an unpatched system you do just need one vector on your local network and you could easily be vulnerable on a default set up. Blaster of course also relied on this to some extent, except there the initial vector as mentioned could easily be a default config computer with a direct connection, which isn't the case here.
The vector could nominally be any system, with potentially any OS, vulnerable or not; this also means if even one of your systems is exposing SMB to the internet it can become that factor. (Something I forgot to mention above: a business who still feel they need XP on some systems, for compatibility for example, may have blocked it from the internet to try and protect it. This worm illustrates why that isn't a perfect solution.)
Sobig by comparison was a more typical email worm. The reasons why these don't seem to spread so much anymore ( Mydoom was I think the last massive email worm; although there were some others that were fairly major like Storm Worm) probably includes more effective ISP filtering both of attachments and of SMTP ports, the rise of webmail and the drop in use of ISP email and the common requirement for authentication, greater protection in email clients and OSes from attachments etc.
WannaCry got around these limitations by to some extent combining both. Email worms may not be so effective, but you may only need to infect one computer in the local network, and then it can often easily spread to vulnerable computers. (Although I should be clear AFAIK no current variant of WannaCry has an email worm component. Rather whoever made it set up the spread themselves. This perhaps isn't surprising since trying to mass spread an email worm may be more likely to result in all your attachments being blocked; a targeted attack in a spear phishing manner could easily work better.)
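A defender-side posture check for the three exposure conditions described in the reply above (SMB1 still enabled, a network classified as Private or Domain so SMB is reachable from that LAN, and File and Printer Sharing allowed inbound on the Public profile). This is an added example and not part of the original discussion; it assumes Windows 8/Server 2012 or later with the SmbShare and NetSecurity modules, run in an elevated session, and the function name Get-SmbExposure is my own.

```powershell
# Added example (not from the talk page): audit a Windows host for the SMB exposure
# conditions discussed above. Assumes SmbShare and NetSecurity modules (Windows 8 /
# Server 2012 and later) and an elevated PowerShell session. Function name is mine.
function Get-SmbExposure {
    $findings = @()

    # 1. SMB1 server protocol: the dialect the unpatched bug lives in. Disabling it
    #    removes the worm's spreading path even before patches are applied.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += "SMB1 server protocol is ENABLED; disable with: " +
                     "Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
    }

    # 2. Network category: Windows only exposes file sharing on Private/Domain
    #    networks by default, so any non-Public profile means SMB is reachable
    #    from every other host on that LAN (including one infected machine).
    foreach ($p in Get-NetConnectionProfile) {
        if ($p.NetworkCategory -ne 'Public') {
            $findings += "Interface '$($p.InterfaceAlias)' is on network '$($p.Name)' " +
                         "classified $($p.NetworkCategory): TCP 445 is reachable from that LAN"
        }
    }

    # 3. Firewall rules: an enabled inbound File and Printer Sharing rule that
    #    covers TCP 445 on the Public profile is the 'someone changed the
    #    default' case the comment warns about.
    $rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
                                 -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $ports = ($r | Get-NetFirewallPortFilter).LocalPort
        if (($r.Profile -match 'Public|Any') -and ($ports -contains '445')) {
            $findings += "Firewall rule '$($r.DisplayName)' allows inbound TCP 445 " +
                         "on profile(s) $($r.Profile)"
        }
    }

    return $findings
}

$result = Get-SmbExposure
if ($result.Count -eq 0) {
    Write-Output "No SMB exposure findings: SMB1 off, all networks Public, no inbound 445 rule on Public."
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Running it on each machine of a LAN shows which hosts would accept a connection on 445 from an infected neighbour, which is the spread path the reply above describes.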
See The worm that spreads WanaCrypt0r (detailed technical analysis of code). Esowteric+ Talk 11:56, 16 May 2017 (UTC)
Till recent 170419 changes routers was vulnerable [6] exposing the private net e.g. 10.* 172. ... to internet by commonly used VOIP/sip . So for spooks there were no problem to access private nets. How such impossible WCry attack penetrated to so many targets ?: The back-doors work in tandemic team and targets must been prepared well before. The Wikileaks logs show zbuk's logs: jumping via sip with payloads. Some like Elinks team dropping features just about Heartbleed and pausing in 2012. Some others obey NSL⋈□. 99.90.196.227 ( talk) 03:48, 17 May 2017 (UTC)
I heard on the radio this morning that more and more "computer experts" are thinking it might originate from North Korea. Any source to back this up? 24.37.29.254 ( talk) 12:11, 16 May 2017 (UTC)
Note that we now have an "Attribution" section covering this. Snori ( talk) 01:23, 17 May 2017 (UTC)
The article (and I presume the sources used) claim that there have been 238 payments totalling $72,144.76. At $300 a pop, from where has the additional 744 dollars, and 76 cents come from? It is possible that 2 payments may be for $600 as the three day deadline has passed, but that still leaves 144 dollars and 76 cents. 86.145.209.23 ( talk) 17:07, 17 May 2017 (UTC)
Have removed this again. User:CowthVader's put this back in after I'd removed it with the comment "..poorly written. Computer_worm#Worms_with_good_intent? ...no evidence that anyone's in fact suggesting this". I'm wary of my actions being seen as an edit war, but really this is quite clearly pure speculation and WP:SYNTH at best. You'll note that CowthVader's had to add a new stub article for Live Exploit Immunisation, which is a pretty good indication that it's "not a real thing". Snori ( talk) 01:07, 18 May 2017 (UTC)
There had previously been various flags for countries of the affected organisations added by Pek~enwiki, but I see that they are removed as of the current version (although I can't immediately see any comments mentioning this removal). Before any of us gets into adding them back in for someone only to remove them again, I'm looking to get some consensus on how everyone feels about attributing countries of organisations affected, especially since the simultaneous internationality of the event is one of the things that has made the attack notable.
Should we use flags, just mention countries alongside the organisation, or leave it with the names of the organisations? — Sasuke Sarutobi ( talk) 12:49, 15 May 2017 (UTC)
Hi Fixuture. With regards as to your question, more than 80% of the systems known to have been so far affected are either cloud based or connected to same. The attack has been in part structured to take advantage of inherent weaknesses in cloud architecture; originally cloud computing was not intended for the creation of permanent, much less secure or mission critical, infrastructure. Rather it was intended to provide a temporary, or at best ad-hoc semi-permanent resource for high intensity and/or resource intensive computing applications where it would not be considered cost effective to procure or lease more permanent infrastructure (or time on same), i.e. hardware. Security and robustness were at best tertiary concerns.
Cloud computing was actually designed in part as a low cost alternative to/revival of traditional timesharing computing, in particular for academic purposes. Unfortunately during the late 2000s, far too many people & organisations forgot or overlooked its origins and attendant shortcomings in the rush to adopt what seemed to them to be a low cost/low risk technology, especially for commercial applications (which it was never intended for). Something which has played a major part in the mess we find ourselves in today. Ceannlann gorm ( talk) 16:01, 18 May 2017 (UTC)
A claim of a new variant without the kill switch keeps being edited into the article by various (probably well meaning) users. In reality, there are no mainstream media reports of such a strain having emerged. All the media reports are either speculating about a new variation or are quoting various cyber security companies that such a new strain exists (and they have a vested interest in doing so). The claim in the article is flawed because no reliable reference is provided (once the cyber security companies are discounted). I have thus removed it.
It is probably no coincidence, but the recognised stock market index for the UK (the FTSE100) hit a 6 month high this week, all of it driven by the sudden rise in the stock prices of cyber security companies who have had unprecedented demand for their wares. 86.174.152.128 ( talk) 16:47, 18 May 2017 (UTC)
I've just reverted User:Ceannlann gorm's take on this, and gone back to almost the original wording. AFAIK there were no "shortfalls in the range/scope & application of the initially released patches", except: (a) organisations didn't install them (b) they were not available for products for which support and security updates are no longer produced. Arguing that it has "pretty much the same effect" as a Zero day is far too woolly. Snori ( talk) 18:17, 18 May 2017 (UTC)
Even though there still hasn't been a large scale attack, there is at least one verified attack in a university in Thessaloniki. Source(in Greek): [1] — Preceding unsigned comment added by 83.212.232.252 ( talk) 11:33, 18 May 2017 (UTC)
Done
Well, since there have been a couple of confirmed attacks in Greece, it should appear on the map. I tried editing the map (goo.gl/mwYDtf) used in the article to include Greece. I cannot upload it (my profile is new) so someone either upload it, or make a better one. A new one should be made, since in my version the color and the borders of countries are a bit off.
The new map: http://i.imgur.com/OhckwUR.png
![]() | This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page. |
Archive 1 | Archive 2 | Archive 3 |
I've left a note about the event on the Current Events Portal talkpage. — Sasuke Sarutobi ( talk) 16:53, 12 May 2017 (UTC)
It seems there's another page about this topic. Do we merge its information to this page? — Gestrid ( talk) 22:05, 12 May 2017 (UTC)
Why is this in here, it literally has nothing to do with the content of the article? Sephiroth storm ( talk) 02:33, 13 May 2017 (UTC)
Just deleted this from the intro. If three Russian ministries avoided being infected by "repulsing" the attack, why is it news? In fact the references (when translated) say that "the servers were not infected because they run 'a different operating system'", and at the Ministry of Internal Affairs the attack, "was localized, no leakage of information occurred" - the same could, and was, said of the NHS. Snori ( talk) 19:36, 13 May 2017 (UTC)
I added this. Feel free to remove it if you feel it doesn't add much to the article. It wasn't much effort to make or upload. Anna Frodesiak ( talk) 21:10, 13 May 2017 (UTC)
Is it just Microsoft that is having issues with this, or are apple and ibm and other computer groups experiencing this same issue? Also, is it safe to go online with a Microsoft machine right now? I have mine physically disconnected from the internet line when I am not there to use it with this exact situation in mind, but I have no idea how to check and see if I have the patch needed to keep my machine uninfected. 2600:1011:B018:196E:3925:4863:EC2:A9C8 ( talk) 23:42, 13 May 2017 (UTC)
Someone named Kurt Knutsson who was on Fox Business blamed it on last month's Wikileaks document "dump"--perhaps this should be mentioned in this article, if there is an RS. Zigzig20s ( talk) 07:49, 13 May 2017 (UTC)
should there be 2 separate pages about Wannacry and the attack respectively, the page about Wannacry would cover the ransomware only and the attack page would cover the 12th May cyber attack and its fallout / reactions. — Popeter45 21:20, 12 May 2017 (UTC)
'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack Can we place this in the article. Sherenk1 ( talk) 04:48, 13 May 2017 (UTC)
Could you add an explanation why the kill switch {what mean unplugging the comp from power line } is not working. The personal yps devices era designed so the lame victims (aka customer or user ) can not power off they attachments. There is no way to remove the battery and the turn off button is merely pp fake for peace of mind decoration. This was visible by netmonitoring (eg wireshark's taps) years ago where believed turn off devices exchanged to Mbase encrypted packets //and this is so manufactured day to day operation. [knwnxample:= the turn off tv verting spk to mik] — Preceding unsigned comment added by 99.90.196.227 ( talk) 09:40, 14 May 2017 (UTC)
Cite note doesn't work... — Preceding unsigned comment added by 2607:FEA8:4EE0:784:EDF1:D58A:EA07:1855 ( talk) 07:53, 14 May 2017 (UTC)
What is the significance of that? 80.140.197.186 ( talk) 10:34, 13 May 2017 (UTC)
See The worm that spreads WanaCrypt0r (detailed analysis of code) Esowteric+ Talk 16:04, 14 May 2017 (UTC)
Are there any reports out there that describe how the bitcoin is evaluated by the software? Is it the time of the payment? If so what data is used for that? Is it getting fetched from the Internet?
Or was it hardcoded into the software and used data at the time of the malware's creation?
In either case this needs to be specified.
Also note that this information is important for instance because uninformed victims might buy exactly $300 worth of bitcoin, the evaluated price might come from some up-to-date source, the malware might be very exact with its minimum payment requirement, the bitcoin-value might fluctuate so that $300 worth of bitcoin becomes $290 worth of bitcoins and many affected systems might be critical to lives and society.
-- Fixuture ( talk) 16:57, 14 May 2017 (UTC)
Should content about the G7 meeting be added to the "Reactions" section? I'm not sure as I couldn't find any direct reference to this particular cyberattack in their statements so far.
E.g. this:
-- Fixuture ( talk) 17:57, 14 May 2017 (UTC)
References
To WannCry cyber attack, as most readers are unfamiliar with "ransomware". fgnievinski ( talk) 23:38, 13 May 2017 (UTC)
Which EngVar should this article be in? I'm currently seeing mixed BrE and AmE. Adam9007 ( talk) 21:27, 14 May 2017 (UTC)
Technical details - https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware — Preceding unsigned comment added by Abhishikt ( talk • contribs) 00:06, 13 May 2017 (UTC)
This article is by far the most complete technical article about WannaCry. Should we use this instead of the Symantec one, which does not have that much info? Or both? https://www.bleepingcomputer.com/news/security/wannacry-wana-decryptor-wanacrypt0r-technical-nose-dive/ — Preceding unsigned comment added by Rylheh ( talk • contribs) 23:43, 14 May 2017 (UTC)
I propose we move the page to WannaCry ransomware attack (2017). This way, we can leave this page open to be used as an article about WannaCry in general. — Gestrid ( talk) 18:23, 12 May 2017 (UTC)
I think just WannaCry would be more appropriate, the disambiguation is not needed. ViperSnake151 Talk 02:52, 15 May 2017 (UTC)
Shouldn't there be a section referencing advised solutions if infected? As I don't see any info spoken about in the article. Are people being advised to pay, are people paying (wisely or otherwise), and does paying actually get their machines decrypted? And other related questions. Jimthing ( talk) 22:09, 15 May 2017 (UTC)
How do I get a patch to defend my XP against this please ? Many thanks ! Darkman101 ( talk) 00:19, 16 May 2017 (UTC)
This page is not a forum for general discussion about WannaCry ransomware attack/Archive 1. Any such comments may be removed or refactored. Please limit discussion to improvement of this page. You may wish to ask factual questions about WannaCry ransomware attack/Archive 1 at the Reference desk.
JTP ( talk • contribs) 00:32, 16 May 2017 (UTC)
There has been a massive amount of amateurish/incorrect edits made by one user, User:GliderMaven, over the past day. The user made no attempt at talk page discussion nor collaboration, and unfathomably reverted legitimate edits by other users on at least one occasion.
These are examples of edits that blatantly fall under WP:OR or WP:SYNTH:
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780294423
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780317291
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780318804
These edits are factually incorrect or misleading:
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780194041 (this incorrectly identifies one person as "researchers", etc.)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780294423 (this contains a sheer fabrication)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=780317291&oldid=780316995 (would be WP:OR if this is true, but it isn't even true if you actually look at the data)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=780321147&oldid=780320163 (these two are overlapping)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=780323500&oldid=780323351 (incorrect interpretation of phishing)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780322912 (the edit summary also makes zero sense)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780324990 (this is uncited/OR, and is technically confusing, and is probably incorrect, depending on your interpretation. In any case, it's clear he doesn't understand the relationship between phishing attack and antivirus software.)
These are attempts to improve grammar/prose that are grammatically incorrect or very awkward:
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780293149
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=780338512&oldid=780338198
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780295658 ("registering for a DNS sinkhole" does not make technical sense either)
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780292481 ("may be a bug whose code..." - again, both grammatically and technically incorrect)
These are other edits that are contrary to WP:MoS and usual practice:
https://en.wikipedia.org/?title=WannaCry_cyber_attack&diff=prev&oldid=780319655
A number of other edits are attempts to adjust his own copyedit oversights, such as this edit. I haven't included mistakes that had been corrected by himself and other users, but there is a decent number of these, as some other editors can testify.
Finally, the user also made a bizarre attempt to swap a content section with a paragraph in the lede. He then reverted back 5 edits, including his own, and added back some of the content himself It's not clear if this is a good faith attempt followed by bad editorial practice, or if he has an issue with WP:OWN and is trying to camouflage other edits as his own.
Otherwise, this is a clear case of a user with good faith who doesn't meet WP:CIR. The user is not familiar with basic WP:MoS guidelines. The user evidently does not possess the minimum competency to be altering technical information for a front page article. The user is also likely ESL or has poor verbal fluency.
I have painstakingly tried to reverse most of these problematic edits while retaining some legitimate contributions. Please help keep track, and please correct me if I've accidentally removed legitimate changes. 73.61.20.253 ( talk) 13:20, 14 May 2017 (UTC)
Closed since not that important in terms of the article content, but since it's a direct response to the comments here, I find it confusing to take the discussion to the IP's talk page so leaving it here. Nil Einne ( talk) 02:57, 15 May 2017 (UTC)
No, I never agreed to that. The fact that a user who's been here for a long time still doesn't understand our OR policies is problematic but not automatically indicative of CIR issues. Perhaps it hasn't come up before for some reason, I don't really know. CIR would only come into play if they still don't understand our OR policies after multiple attempts to get them to understand, and I see no indication this has happened here yet, it's only just starting. I mean if you want to discuss CIR issues, there is the fact you've made two highly questionable claims, namely that the editor isn't involved in discussion when they had been, before you even posted at ANI and you were also part of that discussion; and also that we agree with you there is a CIR issue here, when I at least don't; i.e. that you seem to have trouble either understanding what's going on or for whatever other reason make claims that are untrue could be said to bring up CIR issues. But again even in your case I've seen too little for me to bring up CIR in practice. You've already been told that copyvio issues are a serious matter which could be dealt with at ANI or elsewhere, but you provided no actually clearcut examples of this so of course nothing happened. We generally do not take people's word for anything, whether they are experienced editors or whatever, we always require evidence in the form of diffs etc. Also this article is only a few days old and due to what it covers it's been edited extensively, so referring to anything as a stable version is always going to be tenuous. Of course reverting to a stable version isn't something that involves administrators anyway, unless the article is fully protected and even there WP:Wrong version means it's very rarely done. Really the only possible administrative actions here would be fully protecting this article, which is never going to happen; or blocking participants, which could happen but hopefully won't be required.
And yes, being civil is always important in any discussion. In fact since civility is a behavioural issue, whereas disagreements over content are not, it's easily possible an uncivil editor could be sanctioned whereas the other editor is fine even if most people feel the second editor's content proposals are out of line with our guidelines and policies. This clearly isn't the case here, but if you're complaining about another editor's behaviour and were uncivil in the process, you shouldn't be surprised if the first thing people see is the incivility.
There is no need for an administrator to warn someone. Anyone is free to warn another editor, and it would carry as much weight if it's suggested a block is needed. If there is question over adequate warning, it will be because of the quality (tone, explanation etc) of the warning, not because of who gave it. Even Wikipedia:Arbitration Committee/Discretionary sanctions alerts do not require administrators to issue them, simply that the proper process is followed. If a section is duplicated, you're right it should be removed. Anyone who can edit the article, and that includes you as an IP since this article isn't semi protected, can do so. There should generally be absolutely no need for administrative action. If another editor is repeatedly inserting duplicated sections or adding back a section which is a complete duplicate then yes, maybe administrative action i.e. blocking will be needed, but it should be very rare this ever happens. For example, in this case a duplicated section was removed by another editor [2] but this wasn't introduced by the editor you keep complaining about [3]. It wasn't reverted, probably because it was clear what was being done. Which highlights another point. The best way to deal with a duplicated section is to remove the section and leave a clear edit summary. If you make a whole bunch of other edits, and even worse if you don't leave a clear edit summary, editors may simply see a bunch of changes including the removal of content and revert you. I'm not sure if this happened here since I don't actually see any other examples of a duplicated section in the entire article history, maybe because I'm assuming someone actually mentioned something like 'dupl', 'cop', 'repea' in the edit summary. I'm not counting [4] since it's very minor, and [5] even if it was justifiable, wasn't a clear cut duplicated section but rather a new section which mostly repeated information already covered elsewhere.
Also from what I see, no one actually reverted the removal. The ultimate point is if you find you're having problems getting your removal of a duplicated section to stick, you need to make sure your editing isn't contributing to that. It's unfortunately true that because you are an IP, you're probably going to have more problems than if you were editing from an account. Dealing with edits which seem to have made an article worse is a part and parcel of the WP:collaborative nature of wikipedia. If the editor appears to be acting in bad faith, then they can be sanctioned quickly. If they are acting in good faith then we are a lot more hesitant to sanction. Whatever the rights and wrongs here, and I'm specifically not commenting on them, I see no evidence anything has risen to the level where sanction is required. As others have said, if another editor's edits seem to have made an article worse then yes, you do have to try and civilly explain this to them.
We might edit the section title to something more suitable? And if someone please could proof read it? I wrote the section, and I don't know if I got something wrong there?-- Rævhuld ( talk) 23:06, 12 May 2017 (UTC)
I edited some of the grammar there. Tedmarynicz ( talk) 14:11, 16 May 2017 (UTC)
Vagueness like "spreads through network defenses" means absolutely nothing. How does this stuff spread? Executable files? Do users have to click on something? Is it a macro-enabled ms office document that drops the payload? What does any of this mean?
If I have an unpatched computer sitting randomly connected to the internet, how am I affected? Does a virus just pop up out of nowhere? Do I get an email asking me to download a booby trapped word document? Does my computer have to be sent magic packets that somehow runs an executable without prompting me? Seriously, WTF? How the hell is anyone supposed to understand any of the sensational headlines when this basic information is nowhere to be found? — Preceding unsigned comment added by 199.18.157.82 ( talk) 03:17, 16 May 2017 (UTC)
Yes, the article already explains it fairly well IMO. It relies on a bug in SMB1 in unpatched versions of Windows. This allows remote code execution without the user's involvement. But as I mentioned above, a computer needs to actually be exposing SMB to the internet, something which it would not normally do in the post XP SP2 world except when someone is silly enough to change the default config, probably without knowing what they are doing. However since most people aren't going to use SMB over the internet, and getting it to work behind a NAT is complicated anyway, this most likely would only occur if someone completely disabled the firewall.
The problem is if your computer accesses a local network. In such a case SMB may very well be open to the local network, and so all it takes is one infected computer. (As I mentioned, technically the vector doesn't have to be vulnerable itself. It doesn't even need to be running Windows. Although obviously it needs to become a vector somehow.) This may include wifi access points. (Although by default, most modern versions of Windows put new networks into the 'public' category and SMB is not exposed in the public category. However there's a greater chance someone will accidentally or intentionally change this, whether exposing SMB on 'public' networks, or classifying something as private when they probably shouldn't.)
This incidentally is also why it's a big deal for businesses. There once it gets onto a single computer in some fashion, it can potentially spread to all unpatched computers depending on how they expose SMB. (Many do use it, so it isn't uncommon it's fairly exposed.)
As I mentioned above, the Blaster situation was somewhat different. At the time, it was still fairly common, and actually even the default that these ports were exposed to the internet provided you were directly connected with no external firewall. (NAT was already fairly common, although surely less so than now, meaning some people escaped by chance.) In other words, a default XP installation with the other requirements would generally be infected. Corporate systems would generally be expected to have one or more firewalls, although if it was acceptable to BYOD, e.g. in a university this may not have mattered.
This isn't the case for any post XP OS, or for XP with SP2; meaning even if they are vulnerable the worm won't spread to them from the internet on a default install. (IIRC, for quite a long time, any pre SP2 XP system directly connected and without ISP filtering would have been infected with Blaster or similar quite fast.) If someone screws around and messes things up, they may be vulnerable just by being connected to the internet. However if you have an unpatched system you do just need one vector on your local network and you could easily be vulnerable on a default set up. Blaster of course also relied on this to some extent, except there the initial vector as mentioned could easily be a default config computer with a direct connection, which isn't the case here.
The vector could nominally be any system, with potentially any OS, vulnerable or not; this also means if even one of your systems is exposing SMB to the internet it can become that factor. (Something I forgot to mention above: a business who still feel they need XP on some systems, for compatibility for example, may have blocked it from the internet to try and protect it. This worm illustrates why that isn't a perfect solution.)
Sobig by comparison was a more typical email worm. The reasons why these don't seem to spread so much anymore ( Mydoom was I think the last massive email worm; although there were some others that were fairly major like Storm Worm) probably includes more effective ISP filtering both of attachments and of SMTP ports, the rise of webmail and the drop in use of ISP email and the common requirement for authentication, greater protection in email clients and OSes from attachments etc.
WannaCry got around these limitations by to some extent combining both. Email worms may not be so effective, but you may only need to infect one computer in the local network, and then it can often easily spread to vulnerable computers. (Although I should be clear AFAIK no current variant of WannaCry has an email worm component. Rather, whoever made it set up the spread themselves. This perhaps isn't surprising since trying to mass spread an email worm may be more likely to result in all your attachments being blocked; a targeted attack in a spear phishing manner could easily work better.)
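The comment above boils the exposure down to two host-side conditions: SMB1 still enabled, and File and Printer Sharing reachable on a network the machine treats as untrusted (or on any network, if the firewall has been switched off). The following audit script is an added example, not code from the talk page or from any project it discusses; it assumes Windows 8 / Server 2012 or later (SmbShare and NetSecurity modules present) and an elevated session.

```powershell
# Added example: report whether this host matches the SMB1-worm exposure
# conditions described above. Read-only apart from the warnings it prints.
function Test-SmbExposure {
    [CmdletBinding()]
    param()

    # 1. Is the SMB1 server protocol still enabled? (the worm's spread vector)
    $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. How is each connected network classified? Public is the safe default;
    #    Private/DomainAuthenticated opens the File and Printer Sharing rules.
    $networks = Get-NetConnectionProfile |
        Select-Object Name, InterfaceAlias, NetworkCategory

    # 3. Has someone disabled the host firewall for any profile?
    $disabledProfiles = Get-NetFirewallProfile |
        Where-Object { "$($_.Enabled)" -ne 'True' } |
        Select-Object -ExpandProperty Name

    # 4. Enabled inbound File and Printer Sharing rules scoped to the Public
    #    profile (or to Any profile) expose SMB on untrusted networks.
    $publicSmbRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
                                          -Direction Inbound -Enabled True |
        Where-Object { "$($_.Profile)" -match 'Public|Any' } |
        Select-Object -ExpandProperty DisplayName

    $exposedToPublic = (@($publicSmbRules).Count -gt 0) -or
                       (@($disabledProfiles) -contains 'Public')

    [PSCustomObject]@{
        SMB1Enabled         = $smb1Enabled
        Networks            = $networks
        FirewallDisabledOn  = @($disabledProfiles)
        PublicSmbRules      = @($publicSmbRules)
        # Reachable from an untrusted network only when both conditions hold;
        # on a LAN, SMB1Enabled alone is enough once one peer is infected.
        ReachableFromPublic = $smb1Enabled -and $exposedToPublic
    }
}

$result = Test-SmbExposure
$result | Format-List

# Remediation the comment implies: turn SMB1 off, keep untrusted networks Public.
if ($result.SMB1Enabled) {
    Write-Warning 'SMB1 is enabled; disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
foreach ($n in ($result.Networks | Where-Object { $_.NetworkCategory -ne 'Public' })) {
    Write-Warning ("Network '{0}' on {1} is {2}; if it is not trusted, run: " +
        "Set-NetConnectionProfile -InterfaceAlias '{1}' -NetworkCategory Public") -f
        $n.Name, $n.InterfaceAlias, $n.NetworkCategory
}
```

Disabling SMB1 removes the vector even on hosts that still await the vendor patch, which is the practical takeaway for the LAN case the comment describes.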
See The worm that spreads WanaCrypt0r (detailed technical analysis of code). Esowteric+ Talk 11:56, 16 May 2017 (UTC)
Till recent 170419 changes routers were vulnerable [6] exposing the private net e.g. 10.* 172. ... to internet by commonly used VOIP/sip . So for spooks there were no problem to access private nets. How such impossible WCry attack penetrated to so many targets ?: The back-doors work in tandemic team and targets must been prepared well before. The Wikileaks logs show zbuk's logs: jumping via sip with payloads. Some like Elinks team dropping features just about Heartbleed and pausing in 2012. Some others obey NSL. 99.90.196.227 ( talk) 03:48, 17 May 2017 (UTC)
I heard on the radio this morning that more and more "computer experts" are thinking it might originate from North Korea. Any source to back this up? 24.37.29.254 ( talk) 12:11, 16 May 2017 (UTC)
Note that we now have an "Attribution" section covering this. Snori ( talk) 01:23, 17 May 2017 (UTC)
The article (and I presume the sources used) claim that there have been 238 payments totalling $72,144.76. At $300 a pop, where has the additional 744 dollars and 76 cents come from? It is possible that 2 payments may be for $600 as the three day deadline has passed, but that still leaves 144 dollars and 76 cents. 86.145.209.23 ( talk) 17:07, 17 May 2017 (UTC)
Have removed this again. User:CowthVader put this back in after I'd removed it with the comment "..poorly written. Computer_worm#Worms_with_good_intent? ...no evidence that anyone's in fact suggesting this". I'm wary of my actions being seen as an edit war, but really this is quite clearly pure speculation and WP:SYNTH at best. You'll note that CowthVader has had to add a new stub article for Live Exploit Immunisation, which is a pretty good indication that it's "not a real thing". Snori ( talk) 01:07, 18 May 2017 (UTC)
There had previously been various flags for countries of the affected organisations added by Pek~enwiki, but I see that they are removed as of the current version (although I can't immediately see any comments mentioning this removal). Before any of us gets into adding them back in for someone only to remove them again, I'm looking to get some consensus on how everyone feels about attributing countries of organisations affected, especially since the simultaneous internationality of the event is one of the things that has made the attack notable.
Should we use flags, just mention countries alongside the organisation, or leave it with the names of the organisations? — Sasuke Sarutobi ( talk) 12:49, 15 May 2017 (UTC)
Hi Fixuture. With regard to your question, more than 80% of the systems known to have been so far affected are either cloud based or connected to same. The attack has been in part structured to take advantage of inherent weaknesses in cloud architecture; originally cloud computing was not intended for the creation of permanent, much less secure or mission critical, infrastructure. Rather it was intended to provide a temporary, or at best ad-hoc semi-permanent resource for high intensity and/or resource intensive computing applications where it would not be considered cost effective to procure or lease more permanent infrastructure (or time on same), i.e. hardware. Security and robustness were at best tertiary concerns.
Cloud computing was actually designed in part as a low cost alternative to/revival of traditional timesharing computing, in particular for academic purposes. Unfortunately during the late 2000s, far too many people & organisations forgot or overlooked its origins and attendant shortcomings in the rush to adopt what seemed to them to be a low cost/low risk technology, especially for commercial applications (which it was never intended for). Something which has played a major part in the mess we find ourselves in today. Ceannlann gorm ( talk) 16:01, 18 May 2017 (UTC)
A claim of a new variant without the kill switch keeps being edited into the article by various (probably well meaning) users. In reality, there are no mainstream media reports of such a strain having emerged. All the media reports are either speculating about a new variation or are quoting various cyber security companies that such a new strain exists (and they have a vested interest in doing so). The claim in the article is flawed because no reliable reference is provided (once the cyber security companies are discounted). I have thus removed it.
It is probably no coincidence, but the recognised stock market index for the UK (the FTSE100) hit a 6 month high this week, all of it driven by the sudden rise in the stock prices of cyber security companies who have had unprecedented demand for their wares. 86.174.152.128 ( talk) 16:47, 18 May 2017 (UTC)
I've just reverted User:Ceannlann gorm's take on this, and gone back to almost the original wording. AFAIK there were no "shortfalls in the range/scope & application of the initially released patches", except: (a) organisations didn't install them (b) they were not available for products for which support and security updates are no longer produced. Arguing that it has "pretty much the same effect" as a Zero day is far too woolly. Snori ( talk) 18:17, 18 May 2017 (UTC)
Even though there still hasn't been a large scale attack, there is at least one verified attack in a university in Thessaloniki. Source(in Greek): [1] — Preceding unsigned comment added by 83.212.232.252 ( talk) 11:33, 18 May 2017 (UTC)
Done
Well, since there have been a couple of confirmed attacks in Greece, it should appear on the map. I tried editing the map (goo.gl/mwYDtf) used in the article to include Greece. I cannot upload it (my profile is new) so someone either upload it, or make a better one. A new one should be made, since in my version the color and the borders of countries are a bit off.
The new map: http://i.imgur.com/OhckwUR.png