Revision as of 16:05, 14 May 2017
Portal listing
I've left a note about the event on the Current Events Portal talkpage. — Sasuke Sarutobi (talk) 16:53, 12 May 2017 (UTC)
Page title
I propose we move the page to WannaCry ransomware attack (2017). This way, we can leave this page open to be used as an article about WannaCry in general. — Gestrid (talk) 18:23, 12 May 2017 (UTC)
- Agreed. Makes sense. Go for it. 109.155.194.215 (talk) 20:12, 12 May 2017 (UTC)
- Done Went ahead and WP:BOLDly moved the page. — Gestrid (talk) 20:48, 12 May 2017 (UTC)
Splitting of attack/ransomware pages
Should there be two separate pages, about WannaCry and the attack respectively? The page about WannaCry would cover the ransomware only, and the attack page would cover the 12 May cyber attack and its fallout/reactions. — Popeter45 21:20, 12 May 2017 (UTC)
- That was my reasoning for moving the page, though I'm not sure if there is enough information out there just yet for a standalone article on just the ransomware itself. — Gestrid (talk) 21:25, 12 May 2017 (UTC)
- What about the original phishing mails? How they were worded, etc. They must have been multi-language, and convincing. 217.75.18.23 (talk) 08:35, 14 May 2017 (UTC)
Merge proposal
- The following discussion is closed. Please do not modify it. Subsequent comments should be made in a new section. A summary of the conclusions reached follows.
It seems there's another page about this topic. Do we merge its information to this page? — Gestrid (talk) 22:05, 12 May 2017 (UTC)
- Yes, I would go for it. Mz7 (talk) 22:22, 12 May 2017 (UTC)
- No, clearly this contains hoax material, such as the demonstrably false "Many hospitals in Great Britain were closed for months, only treating near-dead patients". Drchriswilliams (talk) 22:35, 12 May 2017 (UTC)
- Please consider your phrasing. It wasn't a hoax, it was simply not correct information. Next time you are welcome to correct errors by editing the article.--Rævhuld (talk) 23:10, 12 May 2017 (UTC)
- There's a reason why {{current event}} says the article may be inaccurate. — Gestrid (talk) 23:11, 12 May 2017 (UTC)
- @Drchriswilliams: Thanks for pointing that out. I removed that bit of unsourced content, then redirected the article here. Looks like one section that could be merged has already been merged. Mz7 (talk) 22:44, 12 May 2017 (UTC)
- Merge complete. Mz7 (talk) 22:44, 12 May 2017 (UTC)
Useful news links
- 79.77.211.89 (talk) 23:04, 12 May 2017 (UTC)
Technical details
Technical details - https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware — Preceding unsigned comment added by Abhishikt (talk • contribs) 00:06, 13 May 2017 (UTC)
Background
Could we edit the section title to something more suitable? And could someone please proofread it? I wrote the section, and I don't know if I got something wrong there.--Rævhuld (talk) 23:06, 12 May 2017 (UTC)
Kaspersky Lab note
Why is this in here? It literally has nothing to do with the content of the article. Sephiroth storm (talk) 02:33, 13 May 2017 (UTC)
- Agreed: the only mentions of the two together that I can find online are quotes from KL on the threat and its remediation, and some news articles saying that they were the first to announce the threat. Conflating that with other political issues to do with Russia is misleading, or WP:Synthesis at best. Uncle Roy (talk) 02:39, 13 May 2017 (UTC)
Stopped the virus spread
'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack Can we place this in the article. Sherenk1 (talk) 04:48, 13 May 2017 (UTC)
- Is now included. Snori (talk) 10:42, 13 May 2017 (UTC)
- Malwarebytes is reporting that the "killswitch" won't work on the many corporate networks that access the internet through a proxy: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r (There's some debate in the comments though and the original source blog says they haven't tested it in a VM, so it might be fair to wait for confirmation of this.) See also: https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/ --Thomas B♘talk 17:09, 13 May 2017 (UTC)
- @Thomas B: We can't use blogs as sources per WP:BLOGS. They generally don't have as much, if any, editorial oversight as news websites do. This is even true for blogs run by news websites such as, for example, Fox News Insider. — Gestrid (talk) 19:56, 13 May 2017 (UTC)
- @Gestrid: Thanks Gestrid. Don't worry, I wasn't recommending we do so. I was adding information to the talk thread that may be of use to those seeking more information while we await more substantial verification. But for the record, you seem to be misstating the policy on blogs, which are sources that should be used with care (just never used for living persons). Remember, "The appropriateness of any source depends on the context." Peer reviewed sources are the best sources, so if multiple independent security researchers comment on each others' work through cross-referenced blog posts with actual code samples that are subject to easy independent verification, then that may merit inclusion. The Guardian's process for verification of a quick moving story on a highly technical subject involves asking a few people at a single point in time, so it may not produce the same level of reliable content. Remember, the goal of WP:SOURCES is reliability and verifiability. The heuristic of preferring journalistic sources over blogs is just a heuristic, and there may be special cases that break that rule. This may be one such case, maybe not. But there is certainly no hard and fast prohibition on blogs, or even blogs run by newssites, which WP:SOURCES even explains how to reference. --Thomas B♘talk 23:05, 13 May 2017 (UTC)
Could you add an explanation why the kill switch (meaning unplugging the computer from the power line) is not working? The personal yps devices are designed so the lame victims (aka customers or users) cannot power off their attachments. There is no way to remove the battery, and the turn-off button is merely a fake peace-of-mind decoration. This was visible by net monitoring (e.g. Wireshark taps) years ago, where believed-turned-off devices exchanged Mbase-encrypted packets, and this is so manufactured day-to-day operation. [known example: the turned-off TV verting spk to mik] — Preceding unsigned comment added by 99.90.196.227 (talk) 09:40, 14 May 2017 (UTC)
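The proxy point raised by Thomas B above (the kill switch is a connectivity check, and a check that ignores proxy settings fails on proxy-only networks) is easier to reason about in code. The block below is an added illustration written for this talk page; it is not code from the WannaCry binary or from the Malwarebytes or Didier Stevens posts. The kill-switch domain is a placeholder, the two network environments are constructed for the demo, and modelling the check with Python urllib openers (one forced direct, one honouring the configured proxy) is an assumption standing in for the original Windows HTTP call.

```python
"""Model of a connectivity-based "kill switch": the payload runs only if a
hard-coded domain cannot be reached. Added example for this talk page, not
code from the malware or from the cited blog posts."""
import urllib.error
import urllib.request

# Assumption: placeholder, not the real kill-switch domain.
KILL_SWITCH_URL = "http://killswitch-placeholder.invalid/"


def make_direct_opener():
    """Opener that ignores every proxy setting: ProxyHandler({}) disables
    proxy use. This is the 'direct' behaviour: the check can only succeed
    if the host can reach the internet on its own."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


def make_proxy_aware_opener():
    """Opener that uses the proxy configured in the environment / system
    settings (ProxyHandler() with no argument reads getproxies())."""
    return urllib.request.build_opener(urllib.request.ProxyHandler())


def beacon_reachable(opener, url=KILL_SWITCH_URL, timeout=3.0):
    """True if the kill-switch host answers at all. Any HTTP status counts
    as reachable (a sinkhole only has to respond); DNS failure, refused
    connection or a blocked egress path count as unreachable."""
    try:
        with opener.open(url, timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True  # a response came back, even if it was 404 or 500
    except (urllib.error.URLError, OSError):
        return False


def should_detonate(opener):
    """Kill-switch decision: run the payload only when the beacon fails."""
    return not beacon_reachable(opener)


# --- Offline simulation (constructed data, no network access) -------------
class _FakeResponse:
    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class _FakeOpener:
    """Stands in for a urllib opener. Direct checks use the host's own
    egress; proxy-aware checks go through the proxy path."""

    def __init__(self, net, proxy_aware):
        self.net, self.proxy_aware = net, proxy_aware

    def open(self, url, timeout=None):
        path_ok = self.net.proxy_egress if self.proxy_aware else self.net.direct_egress
        if not path_ok or not self.net.domain_registered:
            raise urllib.error.URLError("no route to kill-switch host")
        return _FakeResponse()


class FakeNetwork:
    def __init__(self, direct_egress, proxy_egress, domain_registered):
        self.direct_egress = direct_egress
        self.proxy_egress = proxy_egress
        self.domain_registered = domain_registered

    def opener(self, proxy_aware):
        return _FakeOpener(self, proxy_aware)


def simulate():
    """Does the payload run? Four constructed hosts; True means it runs."""
    home = FakeNetwork(direct_egress=True, proxy_egress=False, domain_registered=True)
    corp = FakeNetwork(direct_egress=False, proxy_egress=True, domain_registered=True)
    early = FakeNetwork(direct_egress=True, proxy_egress=True, domain_registered=False)
    return {
        "before_sinkhole": should_detonate(early.opener(proxy_aware=False)),
        "home_direct_check": should_detonate(home.opener(proxy_aware=False)),
        "corp_direct_check": should_detonate(corp.opener(proxy_aware=False)),
        "corp_proxy_aware_check": should_detonate(corp.opener(proxy_aware=True)),
    }


if __name__ == "__main__":
    for scenario, runs in simulate().items():
        print(f"{scenario:24s} payload runs: {runs}")
```

The takeaway is the third scenario: once the domain is registered, a host with direct internet access is stopped, but a host that can only reach the web through a mandatory proxy gets a transport failure from the direct check and the payload proceeds. A proxy-aware check on the same host would have been stopped. The sinkhole therefore protects only hosts whose egress path matches the one the check uses.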
Wikileaks?
Someone named Kurt Knutsson who was on Fox Business blamed it on last month's Wikileaks document "dump"--perhaps this should be mentioned in this article, if there is an RS.Zigzig20s (talk) 07:49, 13 May 2017 (UTC)
- No. The KK chap is misinformed. It's surreal and confusing, but attack toolkits from both the CIA and the NSA have been leaked recently. The ones Wikileaks leaked were the CIA's. Snori (talk) 10:38, 13 May 2017 (UTC)
- No. Fox News is not a reliable news agency.--Rævhuld (talk) 12:21, 13 May 2017 (UTC)
- What absolute rubbish. They are as reputable as any other major news network. HammerFilmFan (talk) 04:58, 14 May 2017 (UTC)
- Fox News is citable like any other news agency. Not all commentary meets the criteria to be cited, but please do not spread misinformation. Fox News is cited throughout Wikipedia. Whamper (talk) 14:48, 13 May 2017 (UTC)
"We will have free events for users who are so poor that they couldn't pay in 6 months" ?
What is the significance of that? 80.140.197.186 (talk) 10:34, 13 May 2017 (UTC)
- Blather. If you trust malware authors, and if you can wait 6 months, they *might* give you a decryption key. Not much comfort there. Snori (talk) 10:41, 13 May 2017 (UTC)
- Above POV? 6 months is the estimated time the agency needs to transfer all users' data to central storage and not overload available links. The spook/zbuk deceive humane. Don't be fooled; see who designed it in the first place. — Preceding unsigned comment added by 99.90.196.227 (talk) 09:54, 14 May 2017 (UTC)
Russian ministries
Just deleted this from the intro. If three Russian ministries avoided being infected by "repulsing" the attack, why is it news? In fact the references (when translated) say that "the servers were not infected because they run 'a different operating system'", and at the Ministry of Internal Affairs the attack, "was localized, no leakage of information occurred" - the same could, and was, said of the NHS. Snori (talk) 19:36, 13 May 2017 (UTC)
Map image
I added this. Feel free to remove it if you feel it doesn't add much to the article. It wasn't much effort to make or upload. Anna Frodesiak (talk) 21:10, 13 May 2017 (UTC)
Affected systems
Is it just Microsoft that is having issues with this, or are apple and ibm and other computer groups experiencing this same issue? Also, is it safe to go online with a Microsoft machine right now? I have mine physically disconnected from the internet line when I am not there to use it with this exact situation in mind, but I have no idea how to check and see if I have the patch needed to keep my machine uninfected. 2600:1011:B018:196E:3925:4863:EC2:A9C8 (talk) 23:42, 13 May 2017 (UTC)
- It's a Windows problem. If Apple or IBM computers are running Windows, they're vulnerable. - Nunh-huh 00:14, 14 May 2017 (UTC)
Rename
To WannaCry cyber attack, as most readers are unfamiliar with "ransomware". fgnievinski (talk) 23:38, 13 May 2017 (UTC)
- @Fgnievinski: I've created a redirect at WannaCry cyber attack. If you want to start a move request, take a look at WP:RM. All the instructions are there. Anarchyte (work | talk) 05:53, 14 May 2017 (UTC)
- As no objections had been raised, I conclude the proposal was non-controversial, so I took the liberty of going ahead with it. fgnievinski (talk) 06:48, 14 May 2017 (UTC)
University of Waterloo?
Cite note doesn't work... — Preceding unsigned comment added by 2607:FEA8:4EE0:784:EDF1:D58A:EA07:1855 (talk) 07:53, 14 May 2017 (UTC)
- Doesn't work: do you mean they didn't send BT yet? — Preceding unsigned comment added by 99.90.196.227 (talk) 09:44, 14 May 2017 (UTC)
Article was seriously fucked up by one particular user
There has been a massive amount of amateurish/incorrect edits made by one user, User:GliderMaven, over the past day. The user made no attempt at talk page discussion nor collaboration, and unfathomably reverted legitimate edits by other users on at least one occasion.
These are examples of edits that blatantly fall under WP:OR or WP:SYNTH:
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780294423
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780317291
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780318804
These edits are factually incorrect or misleading:
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780194041 (this incorrectly identifies one person as "researchers", etc.)
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780294423 (this contains a sheer fabrication)
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=780317291&oldid=780316995 (would be WP:OR if this is true, but it isn't even true if you actually look at the data)
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=780321147&oldid=780320163 (these two are overlapping)
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=780323500&oldid=780323351 (incorrect interpretation of phishing)
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780322912 (the edit summary also makes zero sense)
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780324990 (this is uncited/OR, and is technically confusing, and is probably incorrect, depending on your interpretation. In any case, it's clear he doesn't understand the relationship between phishing attack and antivirus software.)
These are attempts to improve grammar/prose that are grammatically incorrect or very awkward:
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780293149
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=780338512&oldid=780338198
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780295658 ("registering for a DNS sinkhole" does not make technical sense either)
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780292481 ("may be a bug whose code..." - again, both grammatically and technically incorrect)
These are other edits that are contrary to WP:MoS and usual practice:
https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780319655
A number of other edits are attempts to adjust his own copyedit oversights, such as this edit. I haven't included mistakes that had been corrected by himself and other users, but there is a decent number of these, as some other editors can testify.
Finally, the user also made a bizarre attempt to swap a content section with a paragraph in the lede. He then reverted back 5 edits, including his own, and added back some of the content himself. It's not clear if this is a good faith attempt followed by bad editorial practice, or if he has an issue with WP:OWN and is trying to camouflage other edits as his own.
Otherwise, this is a clear case of a user with good faith who doesn't meet WP:CIR. The user is not familiar with basic WP:MoS guidelines. The user evidently does not possess the minimum competency to be altering technical information for a front page article. The user is also likely ESL or has poor verbal fluency.
I have painstakingly tried to reverse most of these problematic edits while retaining some legitimate contributions. Please help keep track, and please correct me if I've accidentally removed legitimate changes. 73.61.20.253 (talk) 13:20, 14 May 2017 (UTC)
- Adding a note: while working on reverting these edits, I've noted that the user has basically duplicated three paragraphs and created an extra section with it. This was disguised by a large number of edits (and other users trying to correct/improve on his edits), but the article as-is made zero logical sense. I've made some quick deletions due to how absurd it was. Again, please correct/amend if anything was accidentally removed. 73.61.20.253 (talk) 14:06, 14 May 2017 (UTC)
- The correct thing to do is to follow WP:MoS, and to remove the duplicate section that additionally fringes on unattributed copy-and-pasting (i.e. plagiarism) from a front page article. I've taken this incident to WP:ANI, hopefully someone with more time on their hands can deal with the problem user. You should chime in.
- You're not worried about feeding a troll, you're worried about picking a correct but tedious fight against an incompetent user. Instead you decided to edit war with him on a sourcing issue (that you are completely, and obviously, correct on) while ignoring a number of extremely poor edits he made elsewhere. This is a way too passive approach. 73.61.20.253 (talk) 15:27, 14 May 2017 (UTC)
- With all due respect, I am a very experienced computer professional, and I do understand the nuances of this, where apparently you don't, 73.61.20.253. Where you're claiming OR, I actually read the articles and understood them, whereas you're taking them completely at face value. All of the sources you've read summarise and oversimplify things, whereas I've actually looked at pieces of the code and so forth. The evidence we have is that it's mostly spreading as a worm by the SMB protocol, but it's believed to also be spreading via phishing at lower incidences; the code base was modified from a phishing attack, and that code is still believed to be operational. You removed all information about the nature of the attacks from the article, including many, many references. GliderMaven (talk) 15:11, 14 May 2017 (UTC)
- I agree that "it is believed" that the infection may have come from a phishing campaign, although no evidence has been found. It is worth mentioning that this is what some might believe, but Wikipedia should remain neutral and not state what some people believe as actual facts. The thing is, in its known form the worm is actually able to infect computers remotely, and I cited several articles showing that the number of vulnerable computers directly facing the internet is in the hundreds of thousands. Let's see what the initial vector was, but from what is known, phishing is the least likely explanation, thus Wikipedia should not serve it as a fact. Psadm (talk) 15:20, 14 May 2017 (UTC)
- Except that that's the position of the professionals, and I don't mean me. The point of Wikipedia is to include the opinion of the professionals. Note that the IP who is (essentially) vandalising the article removed even the fact that it's a computer worm. Right? GliderMaven (talk) 15:24, 14 May 2017 (UTC)
- 'A bit rough' is kind of understating it.
- For epidemiological reasons the infections found so far in the wild would be completely dominated by the fast reproducing worm. And the researchers know beyond all reasonable doubt how the code was derived; the wanna-crypt type codebase has been around for quite a while but without the EternalBlue attack payload. GliderMaven (talk) 15:53, 14 May 2017 (UTC)
- You don't seem to understand that EternalBlue is a remote (as in remotely, from far away, exploitable) exploit. 73.61.20.253 is right on both things: you are utterly incompetent and I am way too passive. Anyway, I am done for today, but keep in mind that you are the kind of contributor that makes people believe Wikipedia is not a credible source. Psadm (talk) 16:05, 14 May 2017 (UTC)
- GliderMaven, you have an extremely limited familiarity with the subject. Please defer to expert users such as ^. Please also address the plagiarism issues and other egregious WP violations before re-inserting your edits, either here or in ANI. 73.61.20.253 (talk) 15:35, 14 May 2017 (UTC)
- Uh huh. Did you even know it's spreading as a worm? You removed that fact from the article? How about you don't make large scale changes to the article like that without confirming them here, and then start swearing at other editors? GliderMaven (talk) 15:53, 14 May 2017 (UTC)
Technical analysis of worm
See The worm that spreads WanaCrypt0r Esowteric+Talk 16:04, 14 May 2017 (UTC)