Three years after the NSA lost control of its tools, the long tail of EternalBlue was everywhere. The underlying Microsoft bugs were no longer zero-days—a Microsoft patch had been available for two years—and yet EternalBlue had become a permanent feature in cyberattacks on American towns, cities, and universities, where local IT administrators oversee tangled, cross-woven networks made up of older, expired software that stopped getting patched long ago. Not a day went by in 2019, Microsoft’s security engineers told me, when they did not encounter the NSA’s cyberweapons in a new attack.
